Section: New Results

Proof of imperative and object-oriented programs

Participants : Romain Bardou, François Bobot, Sylvie Boldo, Jean-Christophe Filliâtre, Paolo Herms, Johannes Kanig, Kalyan Krishnamani, Claude Marché, Yannick Moy, Thi-Minh-Tuyen Nguyen, Christine Paulin-Mohring, Asma Tafat Bouzid, Wendi Urribarrí.

The Why and Frama-C tools

J.-C. Filliâtre gave an invited talk at AFM'09 (a CAV'09 workshop in Grenoble, France) [17] . This talk was a tutorial on the Why tool, showing how to use it to prove algorithms and as an intermediate language in the process of verifying programs written in languages such as C. J.-C. Filliâtre was later invited at the National Institute of Aerospace (Hampton, USA) and at AdaCore (France) to give the same tutorial.

The cooperation with CEA List around the design of the Frama-C leads us to the description of a proposal for a general-purpose specification language called ACSL (ANSI/ISO C Specification Language). The fourth version, numbered 1.4, is published as a technical report [32] with significant contributions from C. Marché, Y. Moy and J.-C. Filliâtre.

The Jessie intermediate language serves as a new target language of translation from C and Java, and is itself translated in a second stage into the input language of the Why VCG.

Y. Moy developed a plugin to connect Jessie to the Frama-C platform, and this plugin is distributed since the “Lithium” release of Frama-C in October 2008. Since the “Beryllium-2” release of Frama-C in October 2009, Jessie is distributed independently of Frama-C, as a dynamic plugin [33] . The Jessie plugin is now the main tool for adding new experimental features coming from new theoretical studies as described below.

A. Paskevich augmented the input logical language of Why with algebraic polymorphic types and pattern matching expressions [34] . For automated SMT provers that do not support algebraic types and match expressions, translation into first-order language is implemented. An immediate application of this work is to facilitate handling of enumerated types which are particularly useful in verification of floating-point computations.

Floating-Point C Programs

S. Boldo and J.-C. Filliâtre introduced in 2007 [1] annotations specific to floating-point arithmetic, that have been successfully applied to several floating-point programs. C. Marché and A. Ayad continued this work [31] , [37] by developing a floating-point extension of the Jessie plugin of the Frama-C platform in order to handle numerical C programs. With respect to the former approach of Boldo-Filliâtre, first it supports full floating-point arithmetic, that is involving special values for infinity and Nan (not-a-number); and second it allows to call automatic provers for discharging proof obligations. It has been applied to a formal verification of a C library for interval arithmetic [37] .

Professor William Kahan proposed in November 2004 a program for a precise discriminant for quadratic equations. Proofs were described as “far longer and trickier” than the algorithms and programs and the author deferred their publication. S. Boldo has done a full formal proof of the program, including the fact that the main test in the program can be wrong due to floating-point errors. This is published in IEEE Transactions on Computers [13] .

As part of the FOST project, S. Boldo and J.-C. Filliâtre study a real-life program computing the discretization of the spread of acoustic waves on a rope. S. Boldo has moreover developed an appropriate technique to bound the rounding error when computing a sequence of values. In our case, a naive approach would give an error proportional to the exponential of the number of steps. The idea is to give an analytical expression of the rounding error. This technique was successfully applied to a second order linear recurrence where the error was proved proportional to the square of the number of steps and the same result is expected for a function part of the computation of the gradient. An article describing this application and this technique has been published in ICALP [19] .

S. Boldo and T. Nguyen designed an approach that states the rounding error whatever the execution hardware and the compilation. The goal is to formally prove, in the Frama-C platform, properties about numerical programs that are true for multiple architectures and compilers. A submitted article describes this technique and an avionics application.

Automatic generation of annotations

When applying deductive verification techniques to industrial programs, a key issue identified was the need of an automatic synthesis of annotations.

A general and systematic approach has been studied by Moy, based on the known successful techniques based on abstract interpretation. Classically, forward abstract interpretation can be used to discover programs invariants, in particular on integer variables, by analyzing a program as a whole. We proposed new techniques in order to analyze program procedures independently, by a contextual analysis. Moy proposed to combine abstract interpretation, weakest precondition calculus and quantifier elimination. This is part of Moy's PhD thesis [11] ; submitted to a journal.

Y. Moy worked on providing guarantees about the memory safety of real C programs used in embedded devices. This originated in a need expressed at France Télécom R&D that no available tool could fulfill. He focused on designing modular, contextual and idiomatic approaches to memory safety for C pointer programs. He showed how memory safety can be reduced to checking assertions and how the automatic generation of annotations presented above can be used to propagate backward those assertions in function preconditions. Experiments have been performed on several libraries of C code, and results are successful in two ways: first, a significant number of bugs have been discovered (reported back to the authors, with patches, all patches have been accepted), and patched code has almost been proved correct (99% of the VCs). This is reported in Y. Moy's PhD thesis [11] .

Y. Moy also proposed a new approach for supporting the union types and the pointer casts of C programs, in the Why platform. It consists of a global analysis of the C source code to detect all possible pointer casts and generate accordingly an intermediate Jessie program. This is implemented in the Jessie plugin of the Frama-C platform, and is described in a chapter of Y. Moy PhD thesis.

In his post-doc started in Sep. 09, K. Krishnamani investigates the possible use of predicate abstraction techniques for automatically generating annotations. He continued to study the combination of BDDs and SMT for predicate abstraction: traditionally, quantifier elimination techniques within automated abstraction-refinement frameworks (CEGAR ) work by employing SAT solvers for performing quantifier elimination. It is a well known fact that BDDs are very efficient for performing the same, when we are in the domain of Boolean-encoded systems. When we move to the more challenging domains of Hybrid systems (which have Boolean control - discrete transitions, as well as continuous transitions) quantifier elimination using pure BDD algorithms becomes infeasible. In order to accomplish this, BDD algorithms are integrated in SMT reasoning that handles various theories of interest (reals in the case of hybrid systems). In a joint work with A. Cimatti, A. Franzen, A. Griggio and M. Roveri  [63] , K. Krishnamani improves on  [61] by making use of various features of SMT solvers (backjumping, early pruning, and several other optimizations); and on the BDD side, an array of BDDs (conjunctively partitioned BDD) instead of a monolithic BDD, and look-ahead mechanisms to identify inconsistencies earlier during the search.

Modularity, Abstraction, Separation and Refinement

When dealing with large programs, it is essential to provide mechanisms for modularity and abstraction of data-types. We have started several directions of research around the Why platform, to provide appropriate abstraction mechanisms at different levels.

Wendi Urribarrí in her thesis supervised by Christine Paulin-Mohring proposed a module system for the input language of the Why VCG. She defined notions of modules and interfaces, including functors and she proposed refinement rules between interfaces. She proved a general principle of state variables hiding. She is currently implementing these results in the Why platform. This work is presented in a submitted paper [44] .

R. Bardou's PhD thesis is aimed at the support of structure invariants in reasoning on pointer programs. He designed a new type system for this purpose, inspired on one hand by memory-management techniques based on regions   [107] , [109] and on permissions   [83] , and on the other hand techniques to guarantee invariant preservation based on ownership  [64] , [49] . The resulting language and type system allows to guarantee invariant preservation by static typing, whereas former approaches required theorem proving  [49] or dynamic checking  [48] . This is reported in an article under submission [38] .

F. Bobot started a PhD thesis on September 2008 on the combination of traditional separation logic and Burstall-Bornat memory models such as the ones used in the Why platform for the verification of C and Java programs. The idea is to combine the benefits of both techniques: separation for free when it is statically known from the code that two pointers cannot be aliased, possibly using static analysis as described above; and ability for the user to express pointer separation in other cases with the connectives of separation logic, possibly combined with inductive predicates to tackle tree-like data structures. An implementation has been done in the Jessie tool. It allows to generate automatically separation predicates from inductive predicates. Afterward, the user can use them in his specifications. This work have been presented at the COST meeting at Eindhoven.

With C. Hurlin (INRIA Sophia Antipolis) and A. J. Summers (Imperial College London), F. Bobot proposed techniques to disprove entailment of intuitionistic and classical separation logic. These techniques have been certified in Coq [24] .

With E. Tushkanova, A. Giorgetti and O. Kouchnarenko at LIFC Besançon, C. Marché proposed extensions to specification languages in order to specify modularly generic Java programs [35] . Such programs make use of type parametricity and higher-order constructions, and specifying such programs need to add new notions in specification languages: notion of parametric theory, notion of theory instantiation.

In her Master's internship [43] , A. Tafat proposed a new refinement technique for object-oriented programs. The main idea was to combine the Spec# ownership system  [49] with refinement techniques of the B method  [58] . Furthermore, the approach allows to hide side-effects on private data of classes. An article currently submitted [42] has been written with C. Marché and S. Boulmé (VERIMAG, Grenoble).

Higher-order programs

We are also interested in tackling ML programs, in particular within the ARC CeProMi. One of the key difficulties of proving ML programs is the mix of higher-order features and side effects. J. Kanig and J.-C. Filliâtre proposed an extension of the Why system in which one can specify higher order programs and obtain proof obligations, expressed in Higher-Order Logics. They also presented an implementation of this development [25] . A number of case studies have been realized using this tool, in particular a proof of an implementation of the Koda-Ruskey algorithm  [90] , a program which heavily relies on both side effects and higher-order features. This is the first time this particular algorithm has been proved correct.