Section: New Results

Automated Reasoning

A Why3 Framework for Reflection Proofs and its Application to GMP's Algorithms

Earlier works using Why3 showed that automatically verifying the algorithms of the arbitrary-precision integer library GMP exceeds the current capabilities of automatic solvers. To complete this verification, numerous cut indications had to be supplied by the user, slowing the project to a crawl. G. Melquiond and R. Rieu-Helf extended Why3 with a framework for proofs by reflection, with minimal impact on the trusted computing base. This framework makes it easy to write dedicated decision procedures that make full use of Why3's imperative features and are formally verified. This approach opens the way to efficiently tackling the further verification of GMP's algorithms [20], [27].

Expressive and extensible automated reasoning tactics for Coq

Proof assistants based on Type Theory, such as Coq, allow implementing effective automatic tactics based on computational reasoning (e.g. lia for linear integer arithmetic, or ring for ring theory). Unfortunately, these are usually limited to one particular domain. In contrast, SMTCoq is a modular and extensible tool, using external provers, which generalizes these computational approaches to combine multiple theories. It relies on a high-level interface, which offers a greater expressiveness, at the cost of more complex automation. Q. Garchery, in collaboration with C. Keller and V .Blot, designed two improvements to increase expressiveness of SMTCoq without impeding its modularity and its efficiency: the first adds some support for universally quantified hypotheses, while the second generalizes the support for integer arithmetic to the different representations of natural numbers and integers in Coq. This work will be presented in the next JFLA [30]

Non-linear Arithmetic Reasoning for Control-Command Software

State-of-the-art (semi-)decision procedures for non-linear real arithmetic address polynomial inequalities by mean of symbolic methods, such as quantifier elimination, or numerical approaches such as interval arithmetic. Although (some of) these methods offer nice completeness properties, their high complexity remains a limit, despite the impressive efficiency of modern implementations. This appears to be an obstacle to the use of SMT solvers when verifying, for instance, functional properties of control-command programs. Using off-the-shelf convex optimization solvers is known to constitute an appealing alternative. However, these solvers only deliver approximate solutions, which means they do not readily provide the soundness expected for applications such as software verification. S. Conchon, together with P. Roux and M. Iguernelala [21], investigated a-posteriori validation methods and their integration in the SMT framework. Although their early prototype, implemented in the Alt-Ergo SMT solver, often does not prove competitive with state of the art solvers, it already gives some interesting results, particularly on control-command programs.

Lightweight Interactive Proving for Automated Program Verification

Deductive verification approach allows establishing the strongest possible formal guarantees on critical software. The downside is the cost in terms of human effort required to design adequate formal specifications and to successfully discharge the required proof obligations. To popularize deductive verification in an industrial software development environment, it is essential to provide means to progressively transition from simple and automated approaches to deductive verification. The SPARK environment, for development of critical software written in Ada, goes towards this goal by providing automated tools for formally proving that some code fulfills the requirements expressed in Ada contracts.

In a program verifier that makes use of automatic provers to discharge the proof obligations, a need for some additional user interaction with proof tasks shows up: either to help analyzing the reason of a proof failure or, ultimately, to discharge the verification conditions that are out-of-reach of state-of-the-art automatic provers. Adding interactive proof features in SPARK appears to be complicated by the fact that the proof toolchain makes use of the independent, intermediate verification tool Why3, which is generic enough to accept multiple front-ends for different input languages. S. Dailler, C. Marché and Y. Moy proposed an approach to extend Why3 with interactive proof features and also with a generic client-server infrastructure allowing integration of proof interaction into an external, front-end graphical user interface such as the one of SPARK. This was presented at the F-IDE symposium [18].