Instrumenting a weakest precondition calculus for counterexample generation

A major issue in the activity of deductive program verification is to understand why automated provers fail to discharge a proof obligation. To help the user understand the problem and decide what needs to be fixed in the code or the specification, it is essential to provide means to investigate such a failure. We present our approach for the design and the implementation of counterexample generation, exhibiting values for the variables of the program where a given part of the specification fails to be validated. To produce a counterexample, we exploit the ability of SMT solvers to propose, when a proof of a formula is not found, a counter-model. Turning such a counter-model into a counterexample for the initial program is not trivial because of the many transformations leading from a particular piece of code and its specification to a set of proof goals given to external provers.
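As an added illustration (not code from the paper or from the Why3 project), the following Python toy models the approach described above: a passive-form weakest precondition calculus is instrumented with a labelled fresh variable for every assignment, a brute-force enumeration stands in for the SMT solver's counter-model, and the counter-model is mapped back to source-level variable values at each program point. The program, variable list and value domain are constructed for the example.

```python
import itertools
import re
# Constructed toy program; expressions are Python-syntax integer terms over its variables.
PROGRAM = [
    ("assign", "y", "x + 1"),
    ("assign", "x", "y * 2"),
    ("assert", "x % 2 == 0"),  # provable: x is always twice y
    ("assert", "x != 0"),      # not provable: fails when x == -1 on entry
]
VARS = ["x", "y"]              # program variables, declared up front for brevity
DOMAIN = range(-3, 4)          # tiny value range the stand-in "solver" enumerates
def subst(expr, env):
    # Rename each source variable to its current versioned name (x -> x_2).
    return re.sub(r"\b([a-z]\w*)\b", lambda m: env.get(m.group(1), m.group(1)), expr)
def instrument(program, srcvars):
    # Passive-form WP: an assignment becomes an equality hypothesis on a fresh labelled
    # variable x_i (value after statement i), so the model keeps a value per program point.
    env = {v: f"{v}_0" for v in srcvars}           # source var -> version in scope
    labels = {f"{v}_0": (v, 0) for v in srcvars}   # versioned name -> (var, point)
    hyps, goals = [], []
    for i, (kind, *args) in enumerate(program, start=1):
        if kind == "assign":
            var, expr = args
            hyps.append((f"{var}_{i}", subst(expr, env)))   # hypothesis var_i == expr
            env[var], labels[f"{var}_{i}"] = f"{var}_{i}", (var, i)
        else:
            goals.append((i, subst(args[0], env)))          # VC i: hyps => goal
    return labels, hyps, goals
def find_counter_model(labels, hyps, goal):
    # Brute-force stand-in for an SMT solver (a real pipeline hands the VC to Z3 etc.).
    entry = [n for n, (_, p) in labels.items() if p == 0]
    for vals in itertools.product(DOMAIN, repeat=len(entry)):
        model = dict(zip(entry, vals))
        for lhs, rhs in hyps:                   # program order: rhs uses earlier versions
            model[lhs] = eval(rhs, {}, model)
        if not eval(goal, {}, model):           # hypotheses hold, goal false: counter-model
            return model
    return None
def counterexample(program, srcvars=VARS):
    # Map each counter-model back to source level: {assert index: {point: {var: value}}}.
    labels, hyps, goals = instrument(program, srcvars)
    result = {}
    for i, goal in goals:
        model = find_counter_model(labels, hyps, goal)
        if model is not None:
            result[i] = {}
            for name, (var, point) in labels.items():
                result[i].setdefault(point, {})[var] = model[name]
    return result
```

Running `counterexample(PROGRAM)` reports nothing for the provable assertion and, for the failing one, the entry values plus the value of each variable after every assignment; an entry variable that is never read (y here) receives an arbitrary value, just as a real solver would assign one.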
