Section: Software

The Why platform

Participants : Jean-Christophe Filliâtre [ contact ] , Romain Bardou, Claude Marché, Guillaume Melquiond, Yannick Moy, Christine Paulin-Mohring.

The Why platform is a set of tools for deductive verification of Java and C source code. In both cases, the requirements are specified as annotations in the source, in a special style of comments. For Java (and Java Card), these specifications are given in JML and are interpreted by the Krakatoa tool. For C, we designed our own specification language, largely inspired from JML. Those are interpreted by the Caduceus tool.

The platform is distributed as open source, under GPL Licence, at http://why.lri.fr/ .

A back-end tool also called Why serves as the VCG. It differs from other systems in that it outputs conditions for several existing provers: interactive ones (Coq , Isabelle/HOL, PVS, HOL-light, Mizar) and automatic ones (Simplify, Alt-Ergo , Gappa, and SMT provers Yices, CVC3, Z3, haRVey, etc.). The Why VCG alone has been used by external researchers in published verifications of non-trivial algorithms (Efficient square root used in GMP  [53] , Knuth's algorithm for prime numbers  [108] ).

Verification of Java Card applets using Krakatoa is under experimentation at Gemalto company. Krakatoa is also used for teaching (University of Evry, Ecole Polytechnique).

Caduceus is currently under experimentation at Gemalto company, at Dassault Aviation company, and at CEA (Saclay). It is also used for teaching at Ecole Polytechnique (2006/2007, 1st year master ISIC, projet de verification ) and at University of Evry (2005-2006 and 2006-2007, proofs using Coq ).

In 2007 and 2008, an Eclipse plugin for the platform has been developed (http://www.lri.fr/~oudot/ ).