Designing complex systems that provide strong safety and security guarantees is challenging (programming languages, language compilers and runtimes, reference monitors, operating systems, hardware, and so on). Proof assistants such as Coq (The Coq team, 1984-now) are invaluable for showing formally that such systems indeed satisfy the properties intended by their designers. However, carrying out formal proofs while designing even a relatively simple system can be an exercise in frustration, with a great deal of time spent attempting to prove things about broken definitions, and countless iterations for discovering the correct lemmas and strengthening inductive invariants. The long-term goal of this project is to reduce the cost of producing formally verified systems by integrating property-based testing (PBT) with the Coq proof assistant. Ideally, our solution will achieve the best of testing and proving, by producing easily understandable counterexamples and guiding users towards correct system designs and corresponding formal evidence of their correctness. The use of PBT will dramatically decrease the number of failed proof attempts in Coq developments by allowing users to find errors in definitions and conjectured properties early in the design process, and to postpone verification attempts until they are reasonably confident that their system is correct. PBT will also help during the verification process by quickly validating proof goals, potential lemmas, and inductive invariants. Our solution will provide automation of common patterns, yet keep the user fully in control. These improvements will lower the barrier to entry and increase adoption of the Coq proof assistant. Moreover, integrating PBT with Coq will provide an easier path from systematic testing to formal verification, by encouraging developers to write specifications that can only be tested at first and later formally verified. It will also allow PBT users to verify that they are testing the right properties and to evaluate the thoroughness of their testing.

Achieving all this requires improvements to the state of the art both in PBT and in formal verification research, which we discuss in the next section. While property-based testing has already been integrated with relative success into other proof assistants such as Isabelle (Bulwahn, 2013) and ACL2 (Chamarthi et al., 2011), the logic of Coq is much richer, which raises additional challenges. Also, these previous efforts were aimed at full automation, leaving no space for user customization or interaction, which is, in our experience, crucial for thorough testing that finds interesting bugs and drives the design and verification of nontrivial systems. As a necessary first step towards the final goal of this project we have ported the QuickCheck framework (Claessen and Hughes, 2000; Hughes, 2007) from Haskell to Coq, producing a prototype Coq plugin
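The QuickCheck-style loop the text relies on (generate random inputs that satisfy a precondition by construction, check a conjectured property, and shrink the first failure to a small, readable counterexample) is shown below in a self-contained Python script. This is an added example, not code from the paper or from the QuickCheck or Coq projects; `insert_buggy`, `insert_fixed`, the generator and the shrinker are all constructed for this example, and the bug in `insert_buggy` is deliberate so that the property fails.

```python
import random
from typing import Callable, Iterable, List, Optional, Tuple

# A test case is (x, l): the element to insert and an already-sorted list.
Case = Tuple[int, List[int]]
Prop = Callable[[int, List[int]], bool]


def is_sorted(l: List[int]) -> bool:
    return all(a <= b for a, b in zip(l, l[1:]))


def insert_buggy(x: int, l: List[int]) -> List[int]:
    """Intended: insert x into the sorted list l, keeping it sorted.
    Constructed bug: never looks past the first element of l."""
    if not l or x <= l[0]:
        return [x] + l
    return [l[0], x] + l[1:]


def insert_fixed(x: int, l: List[int]) -> List[int]:
    """Correct insertion: recurse down the tail until x fits."""
    if not l or x <= l[0]:
        return [x] + l
    return [l[0]] + insert_fixed(x, l[1:])


def prop_insert_sorted(insert: Callable[[int, List[int]], List[int]]) -> Prop:
    """forall x l, is_sorted l -> is_sorted (insert x l)."""
    return lambda x, l: is_sorted(insert(x, l))


def gen_case(rng: random.Random) -> Case:
    """Generator that produces the precondition (a sorted list) by construction,
    so no random test is wasted on inputs that violate it."""
    n = rng.randint(0, 5)
    l = sorted(rng.randint(0, 10) for _ in range(n))
    return rng.randint(0, 10), l


def shrink_case(case: Case) -> Iterable[Case]:
    """Smaller candidates for a failing case, all still satisfying the precondition:
    drop one list element, decrement one element, or decrement x."""
    x, l = case
    for i in range(len(l)):
        yield x, l[:i] + l[i + 1:]
    for i in range(len(l)):
        if l[i] > 0:
            cand = l[:i] + [l[i] - 1] + l[i + 1:]
            if is_sorted(cand):
                yield x, cand
    if x > 0:
        yield x - 1, l


def shrink(prop: Prop, case: Case) -> Case:
    """Greedy shrinking: move to the first smaller candidate that still fails,
    until no candidate fails any more (a local minimum)."""
    while True:
        for cand in shrink_case(case):
            if not prop(*cand):
                case = cand
                break
        else:
            return case


def quick_check(prop: Prop, num_tests: int = 200, seed: int = 2024) -> Optional[Case]:
    """Run the property on random cases; return a shrunk counterexample or None.
    The seed makes a run reproducible, which matters when a failure is to be
    turned into a regression test or a proof goal."""
    rng = random.Random(seed)
    for _ in range(num_tests):
        case = gen_case(rng)
        if not prop(*case):
            return shrink(prop, case)
    return None


if __name__ == "__main__":
    print("buggy insert:", quick_check(prop_insert_sorted(insert_buggy)))  # (1, [0, 0])
    print("fixed insert:", quick_check(prop_insert_sorted(insert_fixed)))  # None
```

Whatever random failure is hit first, the shrinker drives it to x = 1, l = [0, 0], which is the smallest input on which the buggy definition misbehaves; that is the kind of counterexample that points directly at the wrong definition before any proof attempt is made. Generating the sorted list directly rather than filtering random lists is the same trick the paper's cited work on constrained random data relies on, and it keeps the failure rate per test high enough that a few hundred cases suffice.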
[1] Tobias Nipkow et al. Executing Higher Order Logic. TYPES, 2000.
[2] John Hughes et al. QuickCheck Testing for Fun and Profit. PADL, 2007.
[3] David Delahaye et al. Extracting Purely Functional Contents from Logical Inductive Types. TPHOLs, 2007.
[4] Enrico Tassi et al. A Small Scale Reflection Extension for the Coq system. 2008.
[5] Benjamin Grégoire et al. Formal certification of code-based cryptographic proofs. POPL '09, 2009.
[6] K. Claessen et al. QuickCheck: a lightweight tool for random testing of Haskell programs. SIGP, 2000.
[7] Panagiotis Manolios et al. Integrating Testing and Interactive Theorem Proving. ACL2, 2011.
[8] Xuejun Yang et al. Finding and understanding bugs in C compilers. PLDI '11, 2011.
[9] Sean Wilson et al. Supporting dependently typed functional programming with proof automation and testing. 2011.
[10] P. H. Testing an Optimising Compiler by Generating Random Lambda Terms. 2012.
[11] Lukas Bulwahn et al. The New Quickcheck for Isabelle - Random, Exhaustive and Symbolic Testing under One Roof. CPP, 2012.
[12] Lukas Bulwahn et al. Counterexample generation for higher-order logic using functional and logic programming. 2012.
[13] Vincent Siles et al. A Refinement-Based Approach to Computational Algebra in Coq. ITP, 2012.
[14] David Delahaye et al. Producing Certified Functional Code from Inductive Specifications. CPP, 2012.
[15] Chantal Keller. A Matter of Trust: Skeptical Communication Between Coq and External Provers (Question de confiance : communication sceptique entre Coq et des prouveurs externes). 2013.
[16] Koen Claessen et al. Splittable pseudorandom number generators using cryptographic hashing. Haskell '13, 2013.
[17] Juan Chen et al. Secure distributed programming with value-dependent types. J. Funct. Program., 2013.
[18] Cyril Cohen et al. Refinements for Free! CPP, 2013.
[19] Paris-Rocquencourt et al. Micro-Policies: A Framework for Verified, Tag-Based Security Monitors. 2014.
[20] Koen Claessen et al. Generating constrained random data with uniform distribution. Journal of Functional Programming, 2014.
[21] Benjamin C. Pierce et al. A verified information-flow architecture. J. Comput. Secur., 2014.
[22] Benjamin C. Pierce et al. Testing noninterference, quickly. Journal of Functional Programming, 2016.