VIDE Integrated Environment for Development and Verification of Programs

Program Correctness Programs; in a general sense: –statements, expressions, procedures and functions, modules, classes, etc.; Specifications; in a general sense: – properties that programs should satisfy type-correctness absence of common errors full functional correctness performance properties Ways of establishing that a program satisfies a specification.

Programs and Specifications Flowcharts and inductive assertions (Floyd) While-programs and pre-/post-conditions (Hoare/Dijkstra) Cyclic/reactive programs and intermittent assertions Concurrent programs –safety (deadlock freedom, mutual exclusion) –liveness (termination, non-starvation) Functional programs and predicates Lambda terms and types Logic programs And many more …

Correctness Problems Main correctness problems: Synthesis: Given a specification S, make a program P satisfying S. Analysis: Given a program P, find a specification S satisfied by P. Verification: Given a program P and a specification S, prove that P satisfies S. Construction: Given a specification S, make a program P according to a method that guarantees that P satisfies S.

Some Approaches and Methods Decomposition: Given a specification S, decompose it into one or more more sub-specifications S1, …, Sn Composition: Given a specification S and subprograms P1,…, Pn satisfying specifications S1,…, Sn respectively, compose P1,…,Pn to a program P satisfying S. Transformation: Given a program P satisfying a specification S, transform P into a "better" program P0 by means of correctness preserving transformations. Refinement: This is usually divided into –Refinement of specification: Given a specification S, construct a more restrictive specification S0. –Refinement of code: Given a program P satisfying a specification S, construct a more restrictive program P0 (also satisfying S). –Refinement of data: Given a program P operating on data D, construct an equivalent program P0 operating on more concrete data D0. Correction: Given a specification S and a program P not satisfying S, find a program P0 which is "close" to P and which satisfies S. Extraction: Given a specification S and a constructive proof that S can be satisfied, extract a program P (the "witness") from the proof.

Hoare/Dijkstra Small imperative programs S ::= skip x := E S 1 ; S 2 if B then S 1 else S 2 fi while B do S od

Hoare logic (SKIP){P} S {P} (ASSN){P x E } x := E {Q} (SEQ){P} S 1 {R} {R} S 2 {Q} {P} S 1 ;S 2 {Q} (IF){P⋀B} S 1 {Q} {P ⋀ ¬ B} S 2 {Q} {P} if B then S1 else S2 fi {Q} (WHILE) {P ⋀ B} S {P} {P} while B do S od {P ⋀ ¬ B} (CONS)P ⇒ P1 {P1} S {Q1} Q1 ⇒ Q {P} S {Q}

Correctness problems, related to Hoare logic Synthesis –Given P and Q, make an S such that {P} S {Q} Analysis –Given S, find P and Q such that {P} S {Q} Verification –Given S, P and Q, check whether {P} S {Q} Construction –Given P and Q, construct S and proof such that {P} S {Q} …

Example of Analysis Problem Given the following program, determine P and Q: |[ con N: nat, var f: nat | {P} |[ var i: nat | i, f := 0, 1; while i ≠ N do f := f * (i + 1); i := i+1 od ]| {Q} ]|

Example of Verification Problem Given the following partially annotated program, check whether it satisfies its specification. |[ con N: nat, var f: nat | {true} |[ var i: nat | i, f := 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do f := f * (i + 1); i := i+1 od ]| {f = N!} ]|

Example of Program Construction Given the following program specification, construct a program on the red dots. |[ con N: nat, var f: nat | {true} {f = N!} ]|

Annotated Program |[ con N: nat, var f: nat | {true} {f = N!} ]| |[ con N: nat, var f: nat Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; (Note 2) = : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N! Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} {(0 ≤ 0 ≤ N) ⋀ 1 = 0!} i, f := 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; (Note 2) = : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N! Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} (Note 0) {(0 ≤ 0 ≤ N) ⋀ 1 = 0!} i, f := 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; (Note 0) = : true ⇒ (0 ≤ 0 ≤ N) ⋀ 1 = 0! (Note 2) = : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N! Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} (Note 0) {(0 ≤ 0 ≤ N) ⋀ 1 = 0!} i, f := 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} { (0 <= i + 1 <= N) ⋀ f = (i+1)!} i := i+1 {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; (Note 0) = : true ⇒ (0 ≤ 0 ≤ N) ⋀ 1 = 0! (Note 2) = : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N! Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} (Note 0) {(0 ≤ 0 ≤ N) ⋀ 1 = 0!} i, f := 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} { (0 <= i + 1 <= N) ⋀ f * (i + 1) = (i+1)!} f := f * (i + 1); { (0 <= i + 1 <= N) ⋀ f = (i+1)!} i := i+1 {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; (Note 0) = : true ⇒ (0 ≤ 0 ≤ N) ⋀ 1 = 0! (Note 2) = : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N! Verification Conditions

Annotated Program |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} (Note 0) {(0 ≤ 0 ≤ N) ⋀ 1 = 0!} i, f := 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} (Note 1) { (0 <= i + 1 <= N) ⋀ f * (i + 1) = (i+1)!} f := f * (i + 1); { (0 <= i + 1 <= N) ⋀ f = (i+1)!} i := i+1 {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| {f = N!} ]| |[ con N: nat, var f: nat |[ var i: nat; (Note 0) = : true ⇒ (0 ≤ 0 ≤ N) ⋀ 1 = 0! (Note 1) = : i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i! ⇒ (0 <= i + 1 <= N) ⋀ f * (i + 1) = (i+1)! (Note 2) = : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N! Verification Conditions

IDE (Integrated Development Environment) Helps in constructing and analyzing source code Maintains consistency in various stages of development Integrates several development tools, e.g.: –language specific code editor –type checking / code completion during editing –compiler –debugger / monitor of execution –browser for properties of procedures / classes /... –make/build facilities –project manager –... IDE supports several development modes, but does not enforce them. Extensible using plug ins

VIDE (Verifying IDE) Helps in constructing and analyzing code that satisfies specifications Maintains consistency between code and specifications in various stages of development Integrates several development and verification tools: –Some which are also offered by a normal IDE, e.g.: editor, compiler –Some which reappear in a more general form, e.g.: type checker, browser,... –Some specific for verification: verification condition generator, runtime assertion checker, proof assistant, automatic prover, invariant generator,... VIDE supports several development and verification modes, but does not enforce them Extensible using plug-ins

Some Scenarios Level: single block of code Given P and Q, construct S such that {P}S{Q} holds: –plain coding, runtime checking of P and Q –informal stepwise refinement, intermediate assertions, runtime assertion checking (“Eiffel style”) –plain coding, intermediate assertions, post hoc verification (“Perfect Developer style”) –formal stepwise refinement with complete formal verification ("Cocktail style") Formal development with congruence and refinement calculi Sandbox execution –monitor values of variables –check whether assertions hold Invariant reconstruction

Required machinery Program editor(s) –text, structure, hybrid, (also for specs), … Language tooling –scanning, parsing, tree building, annotation, flattening,... Context manager –available definitions, assumptions, theories,... Verification tools –verification condition generator, proof assistant, automatic prover,...

Existing Tools Cocktail PD Perfect Developer (Demo) …

Research problems Architecture of a VIDE –Independent but cooperating tools? –Closely integrated components? Integrated language –What kind of program constructs? –What kind of specification constructs? –What kind of logic? Context management –Theory –Tools Development styles and methods