deductive program verification
play

Deductive Program Verification Jean-Christophe Filli atre CNRS - PowerPoint PPT Presentation

Feb 27, 2024 •174 likes •991 views

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12, 2018 1 / 32 joint work with Fran cois Bobot Claude March e Guillaume Melquiond Andrei Paskevich 2 / 32 a question for programmers

  1. Deductive Program Verification Jean-Christophe Filliˆ atre CNRS ITP 2018 Oxford, UK July 12, 2018 1 / 32

  2. joint work with Fran¸ cois Bobot Claude March´ e Guillaume Melquiond Andrei Paskevich 2 / 32

  3. a question for programmers shall I be pure or impure? 3 / 32

  4. a question for program verifiers shall I be pure or impure? 4 / 32

  5. a question for program verifiers shall I be pure or impure? mutability FP feast

  6. a question for program verifiers shall I be pure or impure? the While language mutability FP feast

  7. a question for program verifiers shall I be pure or impure? the While language WhyML mutability FP feast 4 / 32

  8. WhyML goal no model of the heap to get simpler VCs solution records with mutable fields + static control of aliases 5 / 32

  9. mutable variables aka references type ref ’a = { mutable contents: ’a; } 6 / 32

  10. we can model some data structures e.g. arrays type array ’a = private { mutable ghost elts: int -> ’a; length: int; } 7 / 32

  11. we can nest mutable types e.g. a heap in a resizeable array type heap = { mutable data: array elt; mutable size: int; mutable ghost view: bag elt; } the type checker is powerful enough to let you replace the data field while keeping track of aliases [ESOP 2013] 8 / 32

  12. the key is abstraction there are mutable DS you cannot implement (e.g. linked lists, mutable trees) yet you can model them easily then you can verify client code, thanks to proof modularity 9 / 32

  13. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool 10 / 32

  14. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool x 10 / 32

  15. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool x y 10 / 32

  16. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool x y z 10 / 32

  17. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool z x y 10 / 32

  18. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool z u x y 10 / 32

  19. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool x y u z 10 / 32

  20. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool v x y u z 10 / 32

  21. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool x y v u z 10 / 32

  22. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool w x y v u z 10 / 32

  23. example: union-find type elem val make : unit -> elem val union: elem -> elem -> unit val find : elem -> elem val same : elem -> elem -> bool x y z w v u 10 / 32

  24. example: union-find type elem type uf = { mutable dom: set elem; mutable rep: elem -> elem; } val ghost create () : uf val make (ghost uf: uf) () : elem val union (ghost uf: uf) (x y: elem) : unit val find (ghost uf: uf) (x : elem) : elem val same (ghost uf: uf) (x y: elem) : bool 11 / 32

  25. what else WhyML features • polymorphism • algebraic data types, pattern matching • exceptions, break , continue , return • ghost code and ghost data [CAV 2014] • contracts, loop and type invariants • VCGen = either traditional or Flanagan/Saxe style WP 12 / 32

  26. a logic for program verification goal rich enough to make your life easier, simple enough to be sent to ATPs 13 / 32

  27. a logic for program verification goal rich enough to make your life easier, simple enough to be sent to ATPs our solution a total, polymorphic first-order logic with • algebraic types & pattern matching • recursive definitions • (co)inductive predicates • mapping type α → β , λ -notation, application [FroCos 2011, CADE 2013, VSTTE 2014] 13 / 32

  28. Why3 WhyML Why3 logic

  29. Why3 WhyML Why3 logic ... ... Alt-Ergo Z3 CVC4

  30. Why3 WhyML OCaml C Why3 logic ... ... Alt-Ergo Z3 CVC4

  31. Why3 Java C Ada WhyML OCaml C Why3 logic ... ... Alt-Ergo Z3 CVC4

  32. Why3 your language Java C Ada WhyML OCaml C Why3 logic ... ... Alt-Ergo Z3 CVC4

  33. Why3 your language Java C Ada WhyML OCaml C your VCs Why3 logic ... ... Alt-Ergo Z3 CVC4 14 / 32

  34. using off-the-shelf provers Why3 currently supports 25+ ITPs and ATPs for each prover, a special “driver” file controls [Boogie 2011] • logical transformations to apply • input/output format • predefined symbols, axioms to be removed 15 / 32

  35. example: Z3 driver printer "smtv2" valid "^unsat" invalid "^sat" transformation "inline trivial" transformation "eliminate builtin" transformation "eliminate definition" transformation "eliminate inductive" transformation "eliminate algebraic" transformation "simplify formula" transformation "discriminate" transformation "encoding smt" prelude "(set-logic AUFNIRA)" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" end ... 16 / 32

  36. demo union-find joint work with S. Melo de Sousa, M. Pereira, and M. Clochard 17 / 32

  37. API type elem type uf = ... val ghost create () : uf val make (ghost uf: uf) () : elem val union (ghost uf: uf) (x y: elem) : unit val find (ghost uf: uf) (x : elem) : elem val same (ghost uf: uf) (x y: elem) : bool 18 / 32

  38. specification type elem type uf = { mutable dom: set elem; mutable rep: elem -> elem; } invariant { forall x. mem x dom -> mem (rep x) dom && rep (rep x) = rep x } val ghost create () : uf ensures { result.dom = empty } 19 / 32

  39. specification val make (ghost uf: uf) () : elem writes { uf.dom, uf.rep } ensures { not (mem result (old uf.dom)) } ensures { uf.dom = add result (old uf.dom) } ensures { uf.rep = (old uf.rep)[result <- result] } val find (ghost uf: uf) (x: elem) : elem requires { mem x uf.dom } ensures { result = uf.rep x } 20 / 32

  40. specification val union (ghost uf: uf) (x y: elem) : ghost elem requires { mem x uf.dom } requires { mem y uf.dom } writes { uf.rep } ensures { result = old (uf.rep x) || result = old (uf.rep y) } ensures { forall z. mem z uf.dom -> uf.rep z = if old (uf.rep z = uf.rep x || uf.rep z = uf.rep y) then result else old (uf.rep z) } 21 / 32

  41. implementation type elem = content ref and content = | Link of elem | Root of int 22 / 32

  42. implementation type elem = content ref x 0 and content = | Link of elem | Root of int 22 / 32

  43. implementation type elem = content ref y 0 x 0 and content = | Link of elem | Root of int 22 / 32

  44. implementation type elem = content ref y 0 x 0 z 0 and content = | Link of elem | Root of int 22 / 32

  45. implementation type elem = content ref x 1 z 0 and content = y | Link of elem | Root of int 22 / 32

  46. implementation type elem = content ref x 1 z 0 u 0 and content = y | Link of elem | Root of int 22 / 32

  47. implementation type elem = content ref x 1 u 0 and content = y z | Link of elem | Root of int 22 / 32

  48. implementation type elem = content ref x 1 u 0 v 0 and content = y z | Link of elem | Root of int 22 / 32

  49. implementation type elem = content ref x 1 v 1 and content = y z u | Link of elem | Root of int 22 / 32

  50. implementation type elem = content ref x 1 v 1 w 0 and content = y z u | Link of elem | Root of int 22 / 32

  51. implementation type elem = x 2 w 0 content ref y z v and content = | Link of elem u | Root of int 22 / 32

  52. implementation type elem = x 2 w 0 content ref y z v and content = | Link of elem u | Root of int let’s verify this with Why3 22 / 32

  53. Why3 implementation too complex for Why3’s type checker; let’s model the heap type loc type elem = type elem = loc content ref and content = type content = | Link loc | Link of elem | Root of int | Root Peano.t type heap = { ghost mutable refs: loc -> option content; } 23 / 32

  54. termination 24 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u = u + v s = s + 1 TEST r n u = 1 r = r + 1 TEST s r A Definition program mathematical + proof statement correctness

823 views • 56 slides
An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong interpretation of

1.97k views • 145 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15, 2013 http://why3.lri.fr/tallinn-2013/ 1 / 101 definition program verification + proof conditions specification 2 / 101 this is not new

1.18k views • 101 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring School April 22, 2013 http://why3.lri.fr/digicosme-spring-school-2013/ 1 / 101 definition program verification + proof conditions specification

1.18k views • 101 slides
Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2

Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2

Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2 , David Lo 1 , Claire Le Goues 3 1 Singapore Management University 2 Singapore University of Technology and Design 3 Carnegie Mellon University 1

368 views • 20 slides
An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen Schlager 2 Peter H. Schmitt 2 1 Universit at Koblenz-Landau 2 Universit at Karlsruhe ICFEM 2005, Manchester Beckert, Schlager, Schmitt (

989 views • 56 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli atre CNRS Universit e Paris Sud TYPES Summer School August 30th, 2007 TYPES Summer School August 30th, 2007 Jean-Christophe Filli

2.04k views • 181 slides
1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

Methods of Assessing Model Behavior Testing spot checks aspects of real system Simulation spot checks aspects of abstract (model) system Deductive verification Uses axioms and proofs on a mathematical model of

596 views • 21 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert Krebbers 1 Jacques-Henri Jourdan 2 Ralf Jung 3 Joseph Tassarotti 4 Jan-Oliver Kaiser 3 Amin Timany 5 eraud 6 Derek Dreyer 3 Arthur Chargu 1 Delft

710 views • 49 slides
Chicagoland CFUG 10 April 2013 Steve Withington Director of Education &amp; Events /

Chicagoland CFUG 10 April 2013 Steve Withington Director of Education &amp; Events /

Chicagoland CFUG 10 April 2013 Steve Withington Director of Education &amp; Events / Application Engineer at Blue River Interactive Group CFML Developer &amp; cf.Objective() Steering Committee Member ...but Im also a Front-End

644 views • 21 slides
Cloud Computing - Starting Points for Privacy and Transparency Ina Schiering Ostfalia

Cloud Computing - Starting Points for Privacy and Transparency Ina Schiering Ostfalia

Cloud Computing - Starting Points for Privacy and Transparency Ina Schiering Ostfalia University of Applied Science Wolfenbttel, Germany IFIP Summerschool: Privacy and Identity Management for Life, Helsingborg, August 2nd, 2010 Cloud

775 views • 43 slides
The Security Theme: an introduction School of Computer Science The University of Manchester 1

The Security Theme: an introduction School of Computer Science The University of Manchester 1

Advanced Computer Science Security Theme The Security Theme: an introduction School of Computer Science The University of Manchester 1 Advanced Computer Science Security Theme Outline Ratio of hackers to security professionals Why

784 views • 22 slides
Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud Franois Pottier September 8, 2015 1 / 32 The Union-Find data structure: OCaml interface type elem val make : unit -&gt; elem val find : elem

481 views • 37 slides
A Gentle Introduction to Mathematical Fuzzy Logic 6. Further lines of research and open problems

A Gentle Introduction to Mathematical Fuzzy Logic 6. Further lines of research and open problems

A Gentle Introduction to Mathematical Fuzzy Logic 6. Further lines of research and open problems Petr Cintula 1 and Carles Noguera 2 1 Institute of Computer Science, Czech Academy of Sciences, Prague, Czech Republic 2 Institute of Information

861 views • 58 slides
Stat 5102 Lecture Slides: Deck 8 Bootstrap Charles J. Geyer School of Statistics University of

Stat 5102 Lecture Slides: Deck 8 Bootstrap Charles J. Geyer School of Statistics University of

Stat 5102 Lecture Slides: Deck 8 Bootstrap Charles J. Geyer School of Statistics University of Minnesota 1 Plug-In and the Bootstrap The worst mistake one can make in statistics is to confuse the sample and the population or to confuse

360 views • 14 slides
Developing a Food Procurement Policy or Profile With Healthcare Without Harm, Inova Center for

Developing a Food Procurement Policy or Profile With Healthcare Without Harm, Inova Center for

Developing a Food Procurement Policy or Profile With Healthcare Without Harm, Inova Center for Personalized Health Virginia Department of Education Cancer Centers of America www.ChesapeakeFoodshed.net | Twitter: @chesfoodshed | Facebook:

180 views • 4 slides

More recommend