Mechanical Verification of Interactive Programs Specified by Use Cases

International audienceInteractive programs, like user interfaces, are hard to formally specify and thus to prove correct. Some ideas coming from functional programming languages have been successful to improve the way we write safer programs, compared to traditional imperative languages, but these ideas mostly apply to code fragments without any inputs–outputs. Using the purely functional language Coq, we present a new technique to represent interactive programs and formally verify use cases using the Coq proof engine as a symbolic debugger. To this end we introduce the notion of scenarios, well-typed schema of interactions between an environment and a program. We design and certify a blog system as an illustration. Our approach generalizes unit-testing techniques and outlines a new method for mechanically assisted checking of effectful functional programs. I. Introduction Implementing and proving correct interactive programs is challenging. Indeed, interactive programs are hard to reason about because they communicate with an outer environment (the operating system, the network, the user,. . .) which may be under-specified and non determin-istic. Moreover, the communications between the program and the environment can happen at many points during the execution and may depend on previous interactions. Many techniques have been developed to model, specify and prove correct interactive or concurrent programs[15]. For instance, process algebra and temporal logics are well understood abstract models for such programs. In these abstract models, some interesting behavioral properties can be automatically proved by model-checkers. Yet, these tools usually provide guarantees about the model of the program, not its actual implementation. In another approach, called software-proof co-design, the specification and the verification of a program is not disconnected from its actual implementation. In that case, specifying, implementing and verifying are tightly interleaved in the software development process. This tight integration is possible within the Coq proof assistant which is both a programming language and an assisted prover. Yet, even if a realistic compiler for the C language has already been developed in Coq[12], using Coq as a general purpose programming language may be considere

Des types aux assertions logiques : preuve automatique ou assistée de propriétés sur les programmes fonctionnels.

This work studies two approaches to improve the safety of computer programs using static analysis.The first one is typing which guarantees that the evaluation of program cannot fail. The functionallanguage ML has a very rich type system and also an algorithm that infers automatically the types.We focus on its adaptation to generalized algebraic data types (GADTs). In this setting, efficientcomputation of a most general type is impossible. We propose a stratification of the language thatretain the usual characteristics of the ML fragment and make explicit the use of GADTs. The re-sulting language, MLGX, entails a burden on the programmer who must annotate its programs toomuch. A second stratum, MLGI, offers a mechanism to infer locally, in a predictable and efficient way,incomplete yet, most of the type annotations. The first part concludes on an illustration of the expres-siveness of GADTs to encode the invariants of pushdown automata used in LR parsing. The secondapproach augments the language with logic assertions that enables arbitrarily complex specificationsto be expressed. We check the compliance of the program semantics with respect to these specifica-tions thanks to a method called Hoare logic and thanks to semi-automatic computer-based proofs.The design choices permit to handle first-class functions. They are directed by an implementationwhich is illustrated by the certification of a module of trees that denote finite sets.Cette thèse étudie deux approches fondées sur l’analyse statique pour augmenter la sûreté defonctionnement et la correction des programmes informatiques.La première approche est le typage qui permet de prouver automatiquement qu’un programmes’évalue sans échouer. Le langage fonctionnel ML possède un système de type très riche et un algorithmeeffectuant une synthèse automatique de ces types. On s’intéresse à l’adaptation de cet algorithme auxtypes algébriques généralisés (GADT), une forme restreinte des inductifs de Coq, qui ont été introduitspar Hongwei Xi en 2003.Dans ce cadre, le calcul efficace d’un type plus général est impossible. On propose une stratificationqui maintient les caractéristiques habituelles sur le fragment ML et qui isole le traitement des GADTen explicitant leur utilisation. Le langage obtenu, MLGX, nécessite des annotations de type qui alour-dissent les programmes. Une seconde strate, MLGI, offre au programmeur un mécanisme de synthèselocale, prédictible et efficace bien qu’incomplet, de la plupart de ces annotations. La première parties’achève avec une démonstration de l’expressivité des GADT pour coder les invariants des automatesà pile utilisés par l’analyse syntaxique LR.La seconde approche augmente le langage de programmation par des assertions logiques permettantd’exprimer des spécifications de complexité arbitraire dans la logique d’ordre supérieur polymorphi-quement typée. On vérifie statiquement la conformité de la sémantique du programme vis-à-vis de cesspécifications à l’aide d’une technique appelée logique de Hoare qui consiste à engendrer un ensembled’obligations de preuves à partir d’un programme annoté. Une fois ces obligations de preuve traitées,si un programme est utilisé correctement et si il renvoie une valeur alors il est certain que celle-ci estcorrecte.Habituellement, cette technique est employée sur les langages impératifs. Avec un langage fonc-tionnel pur, les problèmes liés à l’état de la mémoire d’évanouissent tandis que l’ordre supérieur etle polymorphisme en posent de nouveaux. Nos choix de conceptions cherchent à maximiser les op-portunités d’utilisation de prouveurs automatiques en traduisant minutieusement les objets d’ordresupérieur en objets du premier ordre. Une implantation prototype du système en fournit une illustra-tion dans la preuve presque totalement automatique d’un module CAML d’arbres équilibrés dénotantdes ensembles finis

Certifying cost annotations in compilers

We discuss the problem of building a compiler which can lift in a provably correct way pieces of information on the execution cost of the object code to cost annotations on the source code. To this end, we need a clear and flexible picture of: (i) the meaning of cost annotations, (ii) the method to prove them sound and precise, and (iii) the way such proofs can be composed. We propose a so-called labelling approach to these three questions. As a first step, we examine its application to a toy compiler. This formal study suggests that the labelling approach has good compositionality and scalability properties. In order to provide further evidence for this claim, we report our successful experience in implementing and testing the labelling approach on top of a prototype compiler written in OCAML for (a large fragment of) the C language

A Mechanically Checked Generation of Correlating Programs Directed by Structured Syntactic Differences

International audienceWe present a new algorithm for the construction of a correlating program from the syntactic difference between the original and modified versions of a program. This correlating program exhibits the semantics of the two input programs and can then be used to compute their semantic differences, following an approach of Partush and Yahav [12]. We show that Partush and Yahav's correlating program is unsound on loops that include an early exit. Our algorithm is defined on an imperative language with while-loops, break, and continue. To guarantee its correctness, it is formalized and mechanically checked within the Coq proof assistant. On a series of examples, we experimentally find that the static analyzer dizy is at least as precise on our correlating program as on Partush and Yahav's

Towards typed repositories of proofs

International audienceIn this paper, we advocate for an architecture for proof assistants and programming language tools that is closer to the daily workflow of their users. Indeed, most of the mathematician or programmer's time is spent editing, not writing. As a consequence, the usual interaction loop "(edit; compile)*; commit" is an over-approximation that does not scale when compilation is replaced by proof-checking. We propose an enhancement and an adaptation of version control paradigms to the management of proof repositories, to witness with more precision the impact of changes. We sketch a dependently typed language that would be a kernel language to build such a framework upon

Safe Incremental Type Checking

2 pagesWe study the problem of verifying the well-typing of terms, not in a batch fashion, as it is usually the case for typed languages, but incrementally, that is by sequentially modifying a term, and re- verifying each time only a smaller amount of information than the whole term, still ensuring that it is well-typed

OCaml étendu avec du filtrage par comotifs

National audienc

Copattern matching and first-class observations in OCaml, with a macro

International audienceInfinite data structures are elegantly defined by means of copatternmatching, a dual construction to pattern matching that expressesthe outcomes of the observations of an infinite structure. We extendthe OCaml programming language with copatterns, exploiting theduality between pattern matching and copattern matching. Pro-vided that a functional programming language has GADTs, everycopattern matching can be transformed into a pattern matching viaa purely local syntactic transformation, a macro. The developmentof this extension leads us to a generalization of previous calculus ofcopatterns: the introduction of first-class observation queries. Westudy this extension both from a formal and practical point of view

Incremental λ-Calculus in Cache-Transfer Style Static Memoization by Program Transformation

International audienceIncremental computation requires propagating changes and reusing intermediate results of base computations. Derivatives, as produced by static differentiation [7], propagate changes but do not reuse intermediate results, leading to wasteful recomputation. As a solution, we introduce conversion to Cache-Transfer-Style, an additional program transformations producing purely incremental functional programs that create and maintain nested tuples of intermediate results. To prove CTS conversion correct, we extend the correctness proof of static differentiation from STLC to untyped λ-calculus via step-indexed logical relations, and prove sound the additional transformation via simulation theorems. To show ILC-based languages can improve performance relative to from-scratch recomputation, and that CTS conversion can extend its applicability , we perform an initial performance case study. We provide derivatives of primitives for operations on collections and incrementalize selected example programs using those primitives, confirming expected asymptotic speedups

Certifying and reasoning on cost annotations in C programs

International audienceWe present a so-called labelling method to enrich a compiler in order to turn it into a ''cost annotating compiler'', that is, a compiler which can {\em lift} pieces of information on the execution cost of the object code as cost annotations on the source code. These cost annotations characterize the execution costs of code fragments of constant complexity. The first contribution of this paper is a proof methodology that extends standard simulation proofs of compiler correctness to ensure that the cost annotations on the source code are sound and precise with respect to an execution cost model of the object code. As a second contribution, we demonstrate that our label-based instrumentation is scalable because it consists in a modular extension of the compilation chain. To that end, we report our successful experience in implementing and testing the labelling approach on top of a prototype compiler written in \ocaml for (a large fragment of) the {\sc C} language. As a third and last contribution, we provide evidence for the usability of the generated cost annotations as a mean to reason on the concrete complexity of programs written in {\sc C}. For this purpose, we present a {\sc Frama-C} plugin that uses our cost annotating compiler to automatically infer trustworthy logic assertions about the concrete worst case execution cost of programs written in a fragment of the {\sc C} language. These logic assertions are synthetic in the sense that they characterize the cost of executing the entire program, not only constant-time fragments. (These bounds may depend on the size of the input data.) We report our experimentations on some {\sc C} programs, especially programs generated by a compiler for the synchronous programming language {\sc Lustre} used in critical embedded software