Deductive Program Verification with Why3, Past and Future

Claude Marché
ProofInUse Kick-Off Day
February 2nd, 2015
A bit of history

- 1999: Jean-Christophe Filliâtre's PhD Thesis
  - Proof of imperative programs, using Coq
- 2001: standalone Why tool
  - produces proof goals for Coq or for PVS
- 2002: EU project VerifiCard
  - JavaCard, Krakatoa tool, compiling Java/JML to Why
  - Inspired by ESC/Java: we produce goals for the Simplify theorem prover
- 2004: Caduceus tool
  - Like Krakatoa for C (in French: pour traiter le cas du C, "to handle the case of C")
- 2005-2008: ANR CAT project, beginning of Frama-C
  - Led by CEA (B. Monate)
  - Caduceus replaced by the Jessie plug-in
- 2009-2012: ANR U3CAT project
  - Support for floating-point within Jessie
- 2010-2013: FUI Hi-Lite project
  - Used as intermediate language for SPARK2014
- 2011: birth of Why3
Birth of Why3

- 2011, full re-implementation of Why: Why3
- Many new features
  - Richer specification language
    - algebraic data types
    - inductive predicates
    - since 2013, higher-order functions
  - Richer programming language
    - records with mutable fields
  - More generic interface with theorem provers
    - notion of proof task, transformations
    - driver for each prover
  - Proof sessions
  - OCaml API
  - etc.
Why3 kernel: a Simple Example

    theory T
      use import int.Int
      goal g: forall x:int. (x+7)*(x+6) = x*x + 13*x + 42
    end

[Figure: Why3 theories → proof tasks → transformations → Alt-Ergo driver → Alt-Ergo goal → Alt-Ergo, and → Coq driver → Coq goal → Coq]

Why3 graphical interface

    > why3 ide simple.why
Provers supported by Why3

How many provers supported?
- SMT solvers: Alt-Ergo, CVC3, CVC4, Z3
- Interactive proof assistants: Coq, Isabelle, PVS
- TPTP provers: Eprover, Metis, Vampire, Princess, Beagle, Zenon, iProver, SPASS
- more SMT solvers: Simplify, Yices, veriT, MathSAT5
- Solvers for arithmetic: Gappa, Mathematica, MetiTarski

currently 22 supported provers, constantly increasing
Why3 programming language

ML-style functional language with
- Mutable references, aliasing control by static typing
- Annotations: contracts, loop invariants, etc.
- VC generator: weakest preconditions calculus

    module ISqrt
      use import int.Int
      use import ref.Ref   (* provides ref, !, := *)

      (* sqr is not part of int.Int; defined here so the module is self-contained *)
      function sqr (x:int) : int = x * x

      (* integer square root: count is the candidate root,
         sum is always the square of count+1 *)
      let isqrt (x:int) : int
        requires { x >= 0 }
        ensures  { result >= 0 }
        ensures  { sqr result <= x < sqr (result + 1) }
      = let count = ref 0 in let sum = ref 1 in
        while !sum <= x do
          invariant { !count >= 0 }
          invariant { x >= sqr !count }
          invariant { !sum = sqr (!count+1) }
          variant   { x - !count }
          count := !count + 1; sum := !sum + 2 * !count + 1
        done;
        !count
    end
Why3 as a development environment

- Proof replay in batch
- Documentation generator
- Execution by
  - internal interpreter
  - Extraction to OCaml
Programs developed with Why3

- Gallery of verified programs:
  - 109 examples today
  - mainly small but smart algorithms proved formally
  - various domains:
    - data-structures: lists, arrays, trees, graphs, matrices...
    - various algorithms, e.g. searching, sorting...
    - arithmetic (integer, floating-point), mathematical puzzles
    - solutions to past verification competitions
- increasing use of Why3 for teaching
- largest example so far: a certified prover
Example: a certified prover

[Clochard, Marché, Paskevich, PLPV 2014]

- Initial concern: formalisation of binders
- Solution: a small tool on top of Why3
  - input: declaration of algebraic data types with binders
  - outputs a Why3 source providing
    - types for specifications and for code
    - functions for opening/closing binders, for substitution
    - general lemmas on fresh variables, substitution, etc.

Applications
- An interpreter for pure lambda-calculus, various strategies
- A first-order theorem prover, tableau-based
A general issue: automation of proofs

- Terms, formulas: inductive types
- Substitution: recursive definition
- Proofs require reasoning by induction

Induction is out of reach of automated provers

Possible solutions:
- Use interactive proof assistants: Coq, Isabelle, PVS
- Use SMT solvers inside proof assistants: Isabelle's sledgehammer, the why3 tactic of Coq
- Use lemma functions
The why3 tactic of Coq

[Figure: the same pipeline as before (Why3 theories → proof tasks → transformations → Alt-Ergo driver/Alt-Ergo goal, Coq driver/Coq goal), with the why3 tactic going from Coq back to Alt-Ergo]

Typical form of a proof

    Require Import Why3.
    Ltac altergo := why3 "alt-ergo" timelimit 5.
    intros x1 x2 h1 h2 h3.
    induction h2; altergo.
Lemma functions

A program without side-effects of the form

    let rec lemma f (arguments) : unit
      requires { p }
      ensures  { q }
      variant  { v }
    = ...

is a proof (by induction) of the lemma

    lemma f : forall arguments. p -> q
Lemma functions: example

Pigeon-hole principle [team ProofInUse, VScomp 2014]

    predicate range (f: int -> int) (n: int) (m:int) =
      forall i: int. 0 <= i < n -> 0 <= f i < m
    (** [range f n m] true when [f] maps [(0..n-1)] into [(0..m-1)] *)

    predicate injective (f: int -> int) (n: int) (m:int) =
      forall i j: int. 0 <= i < j < n -> f i <> f j
    (** [injective f n m] true when [f] is an injection from [(0..n-1)] to [(0..

    let rec lemma pigeon_hole (n m:int) (f: int -> int)
      requires { range f n m }
      requires { n > m >= 0 }
      variant  { m }
      ensures  { not (injective f n m) }
    = try
        for i = 0 to n-1 do
          invariant { forall k. 0 <= k < i -> f k <> m-1 }
          if f i = m-1 then
          begin
            (* we have found index i such that f i = m-1 *)
            for j = i+1 to n-1 do
            ...
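A second, complete lemma function in the general form given above, added here as an example that is not from the slides or from the Why3 gallery: it treats the exact situation of the certified-prover slide (terms as an inductive type, substitution as a recursive definition, a fact that needs induction) by letting the structural recursion of the lemma function play the role of the induction. The term type and the names `subst`, `free` and `subst_not_free` are constructed for this illustration.

```whyml
module SubstLemma
  use import int.Int

  (* constructed example: a tiny term language with integer-named variables *)
  type term = Var int | App term term

  (* substitution of u for variable x in t: a structurally recursive definition,
     which is exactly the kind of definition automated provers cannot reason
     about by induction on their own *)
  function subst (t: term) (x: int) (u: term) : term =
    match t with
    | Var y   -> if y = x then u else Var y
    | App a b -> App (subst a x u) (subst b x u)
    end

  (* x occurs free in t *)
  predicate free (x: int) (t: term) =
    match t with
    | Var y   -> x = y
    | App a b -> free x a \/ free x b
    end

  (* Lemma: substituting for a variable that does not occur is the identity.
     Stated as a lemma function: the contract is the lemma, the recursive
     calls on a and b are the induction hypotheses, and the variant on t
     is the structural induction measure. Each branch is then a first-order
     goal an SMT solver can discharge. *)
  let rec lemma subst_not_free (t: term) (x: int) (u: term) : unit
    requires { not (free x t) }
    variant  { t }
    ensures  { subst t x u = t }
  = match t with
    | Var _   -> ()
    | App a b -> subst_not_free a x u; subst_not_free b x u
    end
end
```

After this module is verified, `subst_not_free` is available to later proofs as the lemma `forall t x u. not (free x t) -> subst t x u = t`, with no further induction required.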
Tableau-based prover: summary

- data types with binders for first-order logic
  - automatically generated
- Formalisation of the semantics
- Implementation of a proof engine, including
  - Skolemization
  - Unification
- Proof of soundness

    val prove_unsat (l:formula_list) : unit
      requires { formula_list_ok l }
      ensures  { forall rho:interpretation fsymb psymb varsymb.
                   not (formula_list_conjunction l rho) }

                               generated    manual
    Why3 loc                    ≈ 16,000   ≈ 6,000
    verification conditions        3,051     4,303

Provers needed: Alt-Ergo, CVC3, CVC4, Eprover, Spass, Z3 (time limit: 20s)
Prover performance

Compiled to binary via extraction to OCaml

Family of examples: (∀x. R x ∨ R (f x)) → ∃x. R x ∧ R (f^(2n) x)

    n   time (sec.)   nb of nodes generated   nodes per sec.
    3          0.02                     502           25,134
    4          0.55                   9,506           17,316
    5          3.36                  42,898           12,779
    6         19.67                 197,244           10,028
Why3 as a development environment

Why3 is becoming mature enough to be used as an environment for developing certified code

Perspectives on the core language:
- Better integration of logic specification and code
- Improve the module system (refinement)
- Improve support for higher-order functions
- Improve support for machine integers
- ...

Other perspectives:
- Improve extraction, extraction to other languages (C, Ada)
- Develop more reusable certified libraries
- Certification of transformations, drivers
- Provide feedback from provers' counter-examples
- ...
Why3 as an intermediate language

Why3 should become easier to use and more powerful as an intermediate language for Ada, C, Java
- provide support for bit-wise arithmetic
- Interpret counter-example feedback into the source language
- Allow the use of Why3 libraries as specification libraries for the front-end language
  - on-going experiment within Frama-C/WP