## Section: New Results

### Proof of imperative and object-oriented programs

Participants : Romain Bardou, François Bobot, Sylvie Boldo, Jean-Christophe Filliâtre, Paolo Herms, Johannes Kanig, Kalyan Krishnamani, Claude Marché, Yannick Moy, Thi-Minh-Tuyen Nguyen, Christine Paulin-Mohring, Asma Tafat Bouzid, Wendi Urribarrí.

#### The *Why* and Frama-C tools

J.-C. Filliâtre gave an invited talk at AFM'09 (a CAV'09 workshop in
Grenoble, France) [17] . This talk was a tutorial on
the *Why* tool, showing how to use it to prove algorithms and as an
intermediate language in the process of verifying programs written in
languages such as C. J.-C. Filliâtre was later invited at the
National Institute of Aerospace (Hampton, USA) and at AdaCore (France)
to give the same tutorial.

The cooperation with CEA List around the design of the Frama-C leads us to the description of a proposal for a general-purpose specification language called ACSL (ANSI/ISO C Specification Language). The fourth version, numbered 1.4, is published as a technical report [32] with significant contributions from C. Marché, Y. Moy and J.-C. Filliâtre.

The *Jessie* intermediate language serves as a new target language of
translation from C and Java, and is itself translated in a second
stage into the input language of the *Why* VCG.

Y. Moy developed a plugin to connect *Jessie* to the *Frama-C*
platform, and this plugin is distributed since the “Lithium” release
of Frama-C in October 2008. Since the “Beryllium-2” release of
Frama-C in October 2009, *Jessie* is distributed independently of
Frama-C, as a dynamic plugin [33] . The *Jessie*
plugin is now the main tool for adding new experimental features coming
from new theoretical studies as described below.

A. Paskevich augmented the input logical language of *Why* with
algebraic polymorphic types and pattern matching
expressions [34] . For automated SMT provers that do
not support algebraic types and match expressions, translation into
first-order language is implemented. An immediate application of this
work is to facilitate handling of enumerated types which are
particularly useful in verification of floating-point computations.

#### Floating-Point C Programs

S. Boldo and J.-C. Filliâtre introduced in 2007 [1] annotations specific to floating-point arithmetic, that have been successfully applied to several floating-point programs. C. Marché and A. Ayad continued this work [31] , [37] by developing a floating-point extension of the Jessie plugin of the Frama-C platform in order to handle numerical C programs. With respect to the former approach of Boldo-Filliâtre, first it supports full floating-point arithmetic, that is involving special values for infinity and Nan (not-a-number); and second it allows to call automatic provers for discharging proof obligations. It has been applied to a formal verification of a C library for interval arithmetic [37] .

Professor William Kahan proposed in November 2004 a program for a precise discriminant for quadratic equations. Proofs were described as “far longer and trickier” than the algorithms and programs and the author deferred their publication. S. Boldo has done a full formal proof of the program, including the fact that the main test in the program can be wrong due to floating-point errors. This is published in IEEE Transactions on Computers [13] .

As part of the FOST project, S. Boldo and J.-C. Filliâtre study a real-life program computing the discretization of the spread of acoustic waves on a rope. S. Boldo has moreover developed an appropriate technique to bound the rounding error when computing a sequence of values. In our case, a naive approach would give an error proportional to the exponential of the number of steps. The idea is to give an analytical expression of the rounding error. This technique was successfully applied to a second order linear recurrence where the error was proved proportional to the square of the number of steps and the same result is expected for a function part of the computation of the gradient. An article describing this application and this technique has been published in ICALP [19] .

S. Boldo and T. Nguyen designed an approach that states the rounding error whatever the execution hardware and the compilation. The goal is to formally prove, in the Frama-C platform, properties about numerical programs that are true for multiple architectures and compilers. A submitted article describes this technique and an avionics application.

#### Automatic generation of annotations

When applying deductive verification techniques to industrial programs, a key issue identified was the need of an automatic synthesis of annotations.

A general and systematic approach has been studied by Moy, based on the known successful techniques based on abstract interpretation. Classically, forward abstract interpretation can be used to discover programs invariants, in particular on integer variables, by analyzing a program as a whole. We proposed new techniques in order to analyze program procedures independently, by a contextual analysis. Moy proposed to combine abstract interpretation, weakest precondition calculus and quantifier elimination. This is part of Moy's PhD thesis [11] ; submitted to a journal.

Y. Moy worked on providing guarantees about the memory safety of real C programs used in embedded devices. This originated in a need expressed at France Télécom R&D that no available tool could fulfill. He focused on designing modular, contextual and idiomatic approaches to memory safety for C pointer programs. He showed how memory safety can be reduced to checking assertions and how the automatic generation of annotations presented above can be used to propagate backward those assertions in function preconditions. Experiments have been performed on several libraries of C code, and results are successful in two ways: first, a significant number of bugs have been discovered (reported back to the authors, with patches, all patches have been accepted), and patched code has almost been proved correct (99% of the VCs). This is reported in Y. Moy's PhD thesis [11] .

Y. Moy also proposed a new approach for supporting the union types and
the pointer casts of C programs, in the *Why* platform. It consists of
a global analysis of the C source code to detect all possible pointer
casts and generate accordingly an intermediate *Jessie* program. This
is implemented in the *Jessie* plugin of the *Frama-C* platform, and
is described in a chapter of Y. Moy PhD thesis.

In his post-doc started in Sep. 09, K. Krishnamani investigates the
possible use of predicate abstraction techniques for automatically
generating annotations. He continued to study the combination of BDDs
and SMT for predicate abstraction: traditionally, quantifier
elimination techniques within automated abstraction-refinement
frameworks (*CEGAR* ) work by employing SAT
solvers for performing quantifier elimination. It is a well known fact
that BDDs are very efficient for performing the same, when we are in
the domain of Boolean-encoded systems. When we move to the more
challenging domains of Hybrid systems (which have Boolean control -
discrete transitions, as well as continuous transitions) quantifier
elimination using pure BDD algorithms becomes infeasible. In order to
accomplish this, BDD algorithms are integrated in SMT reasoning that
handles various theories of interest (reals in the case of hybrid
systems). In a joint work with A. Cimatti, A. Franzen, A. Griggio and
M. Roveri [63] , K. Krishnamani improves
on [61] by making use of various features of SMT
solvers (backjumping, early pruning, and several other optimizations);
and on the BDD side, an array of BDDs (conjunctively partitioned
BDD) instead of a monolithic BDD, and look-ahead mechanisms to
identify inconsistencies earlier during the search.

#### Modularity, Abstraction, Separation and Refinement

When dealing with large programs, it is essential to provide
mechanisms for modularity and abstraction of data-types. We have
started several directions of research around the *Why* platform, to
provide appropriate abstraction mechanisms at different levels.

Wendi Urribarrí in her thesis supervised by Christine
Paulin-Mohring proposed a module system for the input language
of the *Why* VCG. She defined notions of modules and interfaces,
including functors and she proposed refinement rules between interfaces.
She proved a general principle of state variables hiding.
She is currently implementing these results in the *Why* platform.
This work is presented in a submitted paper [44] .

R. Bardou's PhD thesis is aimed at the support of structure invariants
in reasoning on pointer programs. He designed a new type system for
this purpose, inspired on one hand by memory-management techniques
based on *regions* [107] , [109] and on
*permissions* [83] , and on the other hand
techniques to guarantee invariant preservation based on
ownership [64] , [49] . The resulting
language and type system allows to guarantee invariant preservation by
static typing, whereas former approaches required theorem
proving [49] or dynamic
checking [48] . This is reported in an article
under submission [38] .

F. Bobot started a PhD thesis on September 2008 on the combination of
traditional separation logic and Burstall-Bornat memory models such as
the ones used in the *Why* platform for the verification of C and Java
programs. The idea is to combine the benefits of both techniques:
separation for free when it is statically known from the code that two
pointers cannot be aliased, possibly using static analysis as
described above; and ability for the user to express pointer
separation in other cases with the connectives of separation logic,
possibly combined with inductive predicates to tackle tree-like data
structures. An implementation has been done in the *Jessie* tool. It
allows to generate automatically separation predicates from inductive
predicates. Afterward, the user can use them in his specifications.
This work have been presented at the COST meeting at Eindhoven.

With C. Hurlin (INRIA Sophia Antipolis) and A. J. Summers (Imperial College London), F. Bobot proposed techniques to disprove entailment of intuitionistic and classical separation logic. These techniques have been certified in Coq [24] .

With E. Tushkanova, A. Giorgetti and O. Kouchnarenko at LIFC
Besançon, C. Marché proposed extensions to specification
languages in order to specify modularly *generic* Java
programs [35] . Such programs make use of type
parametricity and higher-order constructions, and specifying such
programs need to add new notions in specification languages: notion of
parametric theory, notion of theory instantiation.

In her Master's internship [43] , A. Tafat proposed a new refinement technique for object-oriented programs. The main idea was to combine the Spec# ownership system [49] with refinement techniques of the B method [58] . Furthermore, the approach allows to hide side-effects on private data of classes. An article currently submitted [42] has been written with C. Marché and S. Boulmé (VERIMAG, Grenoble).

#### Higher-order programs

We are also interested in tackling ML programs, in particular within
the ARC CeProMi. One of the key difficulties of proving ML programs is
the mix of higher-order features and side effects. J. Kanig and
J.-C. Filliâtre proposed an extension of the *Why* system in which
one can specify higher order programs and obtain proof obligations,
expressed in Higher-Order Logics. They also presented an
implementation of this development [25] . A
number of case studies have been realized using this tool, in
particular a proof of an implementation of the Koda-Ruskey
algorithm [90] , a program which heavily relies on
both side effects and higher-order features. This is the first time
this particular algorithm has been proved correct.