deductive program verification with w hy 3
play

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, - PowerPoint PPT Presentation

Jun 12, 2023 •120 likes •1.13k views

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

  1. Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Université Paris-Sud — Toccata, Inria Saclay ÉJCP 2016

  2. 1. A short look back 2 / 100

  3. Introduction Software is hard. — D ONALD K NUTH ... • 1996: Ariane 5 explosion — an erroneous float-to-int conversion • 1997: Pathfinder reset loop — priority inversion • 1999: Mars Climate Orbiter explosion — a unit error ... 3 / 100

  4. Introduction Software is hard. — D ONALD K NUTH ... • 1996: Ariane 5 explosion — an erroneous float-to-int conversion • 1997: Pathfinder reset loop — priority inversion • 1999: Mars Climate Orbiter explosion — a unit error ... • 2006: Debian SSH bug — predictable RNG (fixed in 2008) • 2012: Heartbleed — buffer over-read (fixed in 2014) • 1989: Shellshock — insufficient input control (fixed in 2014) ... 4 / 100

  5. A simple algorithm: Binary search Goal: find a value in a sorted array. First algorithm published in 1946. First correct algorithm published in 1962. 5 / 100

  6. A simple algorithm: Binary search Goal: find a value in a sorted array. First algorithm published in 1946. First correct algorithm published in 1962. 2006: Nearly All Binary Searches and Mergesorts are Broken (Joshua Bloch, Google, a blog post) The code in JDK: int mid = (low + high) / 2; int midVal = a[mid]; 6 / 100

  7. A simple algorithm: Binary search Goal: find a value in a sorted array. First algorithm published in 1946. First correct algorithm published in 1962. 2006: Nearly All Binary Searches and Mergesorts are Broken (Joshua Bloch, Google, a blog post) The code in JDK: int mid = (low + high) / 2; int midVal = a[mid]; Bug: addition may exceed 2 31 − 1, the maximum int in Java. One possible solution: int mid = low + (high - low) / 2; 7 / 100

  8. Ensure the absence of bugs Several approaches exist: model checking, abstract interpretation, etc. In this lecture: deductive verification 1. provide a program with a specification: a mathematical model 2. build a formal proof showing that the code respects the specification 8 / 100

  9. Ensure the absence of bugs Several approaches exist: model checking, abstract interpretation, etc. In this lecture: deductive verification 1. provide a program with a specification: a mathematical model 2. build a formal proof showing that the code respects the specification First proof of a program: Alan Turing, 1949 u := 1 for r = 0 to n - 1 do v := u for s = 1 to r do u := u + v 9 / 100

  10. Ensure the absence of bugs Several approaches exist: model checking, abstract interpretation, etc. In this lecture: deductive verification 1. provide a program with a specification: a mathematical model 2. build a formal proof showing that the code respects the specification First proof of a program: Alan Turing, 1949 First theoretical foundation: Floyd-Hoare logic, 1969 10 / 100

  11. Ensure the absence of bugs Several approaches exist: model checking, abstract interpretation, etc. In this lecture: deductive verification 1. provide a program with a specification: a mathematical model 2. build a formal proof showing that the code respects the specification First proof of a program: Alan Turing, 1949 First theoretical foundation: Floyd-Hoare logic, 1969 First grand success in practice: metro line 14, 1998 tool: Atelier B, proof by refinement 11 / 100

  12. Other major success stories • Flight control software in A380, 2005 safety proof: the absence of execution errors tool: Astrée, abstract interpretation • Hyper-V — a native hypervisor, 2008 tools: VCC + automated prover Z3, deductive verification • CompCert — certified C compiler, 2009 tool: Coq, generation of the correct-by-construction code • seL4 — an OS micro-kernel, 2009 tool: Isabelle/HOL, deductive verification 12 / 100

  13. 2. Tool of the day 13 / 100

  14. W HY 3 in a nutshell file.mlw WhyML VCgen file.why Why transform/translate print/run Coq Alt-Ergo CVC4 Z3 etc. 14 / 100

  15. W HY 3 in a nutshell W HY ML, a programming language • type polymorphism • variants • limited support for higher order • pattern matching • exceptions • ghost code and ghost data (CAV 2014) • mutable data with controlled aliasing file.mlw • contracts • loop and type invariants WhyML VCgen file.why Why transform/translate print/run Coq Alt-Ergo CVC4 Z3 etc. 15 / 100

  16. W HY 3 in a nutshell W HY ML, a programming language W HY ML, a specification language • type polymorphism • variants • polymorphic & algebraic types • limited support for higher order • limited support for higher order • pattern matching • exceptions • inductive predicates • ghost code and ghost data (CAV 2014) (FroCos 2011) (CADE 2013) • mutable data with controlled aliasing file.mlw • contracts • loop and type invariants WhyML VCgen file.why Why transform/translate print/run Coq Alt-Ergo CVC4 Z3 etc. 16 / 100

  17. W HY 3 in a nutshell W HY ML, a programming language W HY ML, a specification language • type polymorphism • variants • polymorphic & algebraic types • limited support for higher order • limited support for higher order • pattern matching • exceptions • inductive predicates • ghost code and ghost data (CAV 2014) (FroCos 2011) (CADE 2013) • mutable data with controlled aliasing file.mlw • contracts • loop and type invariants WhyML VCgen file.why W HY 3, a program verification tool • VC generation using WP or fast WP Why • 70+ VC transformations ( ≈ tactics) transform/translate • support for 25+ ATP and ITP systems print/run (Boogie 2011) (ESOP 2013) (VSTTE 2013) Coq Alt-Ergo CVC4 Z3 etc. 17 / 100

  18. W HY 3 out of a nutshell three different ways of using W HY 3 • as a logical language • a convenient front-end to many theorem provers • as a programming language to prove algorithms • see examples in our gallery http://toccata.lri.fr/gallery/why3.en.html • as an intermediate verification language • Java programs: Krakatoa (Marché Paulin Urbain) • C programs: Frama-C (Marché Moy) • Ada programs: SPARK 2014 (Adacore) • probabilistic programs: EasyCrypt (Barthe et al.) 18 / 100

  19. Example: maximum subarray problem let maximum_subarray (a: array int): int ensures { forall l h: int. 0 <= l <= h <= length a -> sum a l h <= result } ensures { exists l h: int. 0 <= l <= h <= length a /\ sum a l h = result } 19 / 100

  20. Kadane’s algorithm (* | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | *) (* ......|######## max ########|.............. *) (* ..............................|### cur #### *) let maximum_subarray (a: array int): int ensures { forall l h: int. 0 <= l <= h <= length a -> sum a l h <= result } ensures { exists l h: int. 0 <= l <= h <= length a /\ sum a l h = result } = let max = ref 0 in let cur = ref 0 in for i = 0 to length a - 1 do cur += a[i]; if !cur < 0 then cur := 0; if !cur > !max then max := !cur done; !max 20 / 100

  21. Kadane’s algorithm (* | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | *) (* ......|######## max ########|.............. *) (* ..............................|### cur #### *) let maximum_subarray (a: array int): int ensures { forall l h: int. 0 <= l <= h <= length a -> sum a l h <= result } ensures { exists l h: int. 0 <= l <= h <= length a /\ sum a l h = result } = let max = ref 0 in let cur = ref 0 in let ghost cl = ref 0 in for i = 0 to length a - 1 do invariant { forall l: int. 0 <= l <= i -> sum a l i <= !cur } invariant { 0 <= !cl <= i /\ sum a !cl i = !cur } cur += a[i]; if !cur < 0 then begin cur := 0; cl := i+1 end; if !cur > !max then max := !cur done; !max 21 / 100

  22. Kadane’s algorithm (* | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | *) (* ......|######## max ########|.............. *) (* ..............................|### cur #### *) let maximum_subarray (a: array int): int ensures { forall l h: int. 0 <= l <= h <= length a -> sum a l h <= result } ensures { exists l h: int. 0 <= l <= h <= length a /\ sum a l h = result } = let max = ref 0 in let cur = ref 0 in let ghost cl = ref 0 in let ghost lo = ref 0 in let ghost hi = ref 0 in for i = 0 to length a - 1 do invariant { forall l: int. 0 <= l <= i -> sum a l i <= !cur } invariant { 0 <= !cl <= i /\ sum a !cl i = !cur } invariant { forall l h: int. 0 <= l <= h <= i -> sum a l h <= !max } invariant { 0 <= !lo <= !hi <= i /\ sum a !lo !hi = !max } cur += a[i]; if !cur < 0 then begin cur := 0; cl := i+1 end; if !cur > !max then begin max := !cur; lo := !cl; hi := i+1 end done; !max 22 / 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u = u + v s = s + 1 TEST r n u = 1 r = r + 1 TEST s r A Definition program mathematical + proof statement correctness

823 views • 56 slides
An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong interpretation of

1.97k views • 145 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15, 2013 http://why3.lri.fr/tallinn-2013/ 1 / 101 definition program verification + proof conditions specification 2 / 101 this is not new

1.18k views • 101 slides
Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12, 2018 1 / 32 joint work with Fran cois Bobot Claude March e Guillaume Melquiond Andrei Paskevich 2 / 32 a question for programmers

991 views • 80 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring School April 22, 2013 http://why3.lri.fr/digicosme-spring-school-2013/ 1 / 101 definition program verification + proof conditions specification

1.18k views • 101 slides
Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2

Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2

Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2 , David Lo 1 , Claire Le Goues 3 1 Singapore Management University 2 Singapore University of Technology and Design 3 Carnegie Mellon University 1

368 views • 20 slides
An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen Schlager 2 Peter H. Schmitt 2 1 Universit at Koblenz-Landau 2 Universit at Karlsruhe ICFEM 2005, Manchester Beckert, Schlager, Schmitt (

989 views • 56 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli atre CNRS Universit e Paris Sud TYPES Summer School August 30th, 2007 TYPES Summer School August 30th, 2007 Jean-Christophe Filli

2.04k views • 181 slides
1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

Methods of Assessing Model Behavior Testing spot checks aspects of real system Simulation spot checks aspects of abstract (model) system Deductive verification Uses axioms and proofs on a mathematical model of

596 views • 21 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.1 S TRING S ORTS strings in Java

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.1 S TRING S ORTS strings in Java

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 5.1 S TRING S ORTS strings in Java key-indexed counting LSD radix sort Algorithms MSD radix sort F O U R T H E D I T I O N 3-way radix quicksort R OBERT S EDGEWICK | K EVIN W AYNE

998 views • 66 slides
2.83 / 2.813 Figure from Hendrickson, Lave and Matthews, 2006 T. Gutowski 1 Why is Mfg Energy

2.83 / 2.813 Figure from Hendrickson, Lave and Matthews, 2006 T. Gutowski 1 Why is Mfg Energy

Manufacturing 2.83 / 2.813 Figure from Hendrickson, Lave and Matthews, 2006 T. Gutowski 1 Why is Mfg Energy Important? 1/3 direct energy Much of the indirect - use phase is in the service of manufacturing Manufacturing

1.33k views • 98 slides
Auxiliaries and the -calculus Robert Levine Ohio State University levine.1@osu.edu Robert

Auxiliaries and the -calculus Robert Levine Ohio State University levine.1@osu.edu Robert

Auxiliaries and the -calculus Robert Levine Ohio State University levine.1@osu.edu Robert Levine 2019 5201 Auxiliaries and the -calculus 1 / 25 Where we left off. . . We can draw a couple of general conclusions at this point. The

791 views • 25 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE &amp; CCISR, Uni

465 views • 46 slides
PSI from PaXoS: Fast, Malicious Private Set Intersection ia.cr/2020/193 Benny Pinkas Bar-Ilan

PSI from PaXoS: Fast, Malicious Private Set Intersection ia.cr/2020/193 Benny Pinkas Bar-Ilan

PSI from PaXoS: Fast, Malicious Private Set Intersection ia.cr/2020/193 Benny Pinkas Bar-Ilan University Mike Rosulek Oregon State University Ni Trieu UC Berkeley Avishay Yanai VMware Eurocrypt 2020, COVID-19 edition what is private set

1.04k views • 102 slides
Binary Factorization Models for Statistical Relational Learning Guillaume Bouchard Collaborators

Binary Factorization Models for Statistical Relational Learning Guillaume Bouchard Collaborators

Binary Factorization Models for Statistical Relational Learning Guillaume Bouchard Collaborators Machine Learning for Services Beyza Ermis Xerox Research Centre Europe Behrouz Behmardi Cedric Archambeau Dawei Yin Ehsan Abbasnejad Julien

988 views • 87 slides
ENERGY STAR Connected Thermostats Stakeholder Working Meeting April 26, 2019 1 Attendees

ENERGY STAR Connected Thermostats Stakeholder Working Meeting April 26, 2019 1 Attendees

ENERGY STAR Connected Thermostats Stakeholder Working Meeting April 26, 2019 1 Attendees Abigail Daken, EPA Charles Kim, SCE Dan Baldewicz, ICF for EPA Michael Fournier, Hydro Quebec Alan Meier, LBNL Ed Pike, Energy Solutions for CA IOUs

489 views • 29 slides
FOSDEM 2020 HashDNS and FQDNDHCP IPv6 DNS configuration made easy Renzo Davoli All what you

FOSDEM 2020 HashDNS and FQDNDHCP IPv6 DNS configuration made easy Renzo Davoli All what you

FOSDEM 2020 HashDNS and FQDNDHCP IPv6 DNS configuration made easy Renzo Davoli All what you need is: $ cat /etc/network/interfaces.d/eth0 iface tap0 inet6 manual fqdndhcp &quot;this.is.my.name.org&quot; This configures: IPv6 address

317 views • 16 slides

More recommend