Your Proof Fails? Testing Helps to Find the Reason
Nikolai Kosmatov (1), joint work with Bernard Botella (1), Alain Giorgetti (2), Jacques Julliand (2), Guillaume Petiot (1,2)
(1) CEA LIST
(2) FEMTO-ST, Univ. of Franche-Comté
TAP 2016, Vienna, July 6, 2016
Global Motivation: Facilitate Software Verification
[Diagram: Informal Specification; Formal Specification; Code; Bob, Software Engineer; Alice, Validation Engineer; Deductive Verification; Proof Failure]
Why does my proof fail? Analysis of proof failures is costly and often requires
- deep knowledge of provers,
- careful review of code / specification,
- interactive proof in a proof assistant.
Modular Deductive Verification in a Nutshell

Function call:

    // Pre_f assumed
    f() {
      code1;
      // Pre_g to be proved
      g();
      // Post_g assumed
      code2;
    }
    // Post_f to be proved

Loop:

    // Pre_f assumed
    f() {
      code1;
      // I to be proved
      while (C) {
        // I ∧ C assumed
        code3;
        // I to be proved
      }
      // I ∧ ¬C assumed
      code2;
    }
    // Post_f to be proved

A proof failure can be due to various reasons! For convenience, we say: a subcontract of f is the contract of a called function or loop in f.
Example: Several reasons for the same proof failure

    /*@ requires n >= 0 && \valid(t+(0..n-1));
      @ assigns \nothing;
      @ ensures \result != 0 <==> (\forall integer j; 0 <= j < n ==> t[j] == 0);
      @*/
    int all_zeros(int t[], int n) {
      int k;
      /*@ loop invariant 0 <= k <= n;
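The C program below is an added illustration, not code from the talk or from any CEA tool, of how testing can tell apart the reasons for a proof failure described in the two previous slides: either the code does not comply with its contract, or the code is right but a subcontract (here the loop invariant) is too weak to let the prover conclude. It assumes the usual loop body for all_zeros (a for loop with an early return 0, which the page does not show), a constructed set of test inputs, and the helper names post_all_zeros, count_noncompliance, check_loop_subcontract, inv_bounds_only and inv_strong, all of which are my own.

```c
#include <stdio.h>

/* Postcondition of the all_zeros contract:
 *   \result != 0 <==> \forall integer j; 0 <= j < n ==> t[j] == 0   */
static int post_all_zeros(const int t[], int n, int result) {
    int all_zero = 1;
    for (int j = 0; j < n; j++)
        if (t[j] != 0) { all_zero = 0; break; }
    return (result != 0) == all_zero;
}

/* Assumed body for all_zeros (the page shows only the contract). */
int all_zeros(const int t[], int n) {
    int k;
    for (k = 0; k < n; k++)
        if (t[k] != 0) return 0;
    return 1;
}

/* Constructed faulty variant: starts at index 1 and ignores t[0]. */
int all_zeros_skips_first(const int t[], int n) {
    int k;
    for (k = 1; k < n; k++)
        if (t[k] != 0) return 0;
    return 1;
}

/* Constructed test inputs; TEST_N[i] is the length used for TESTS[i]. */
static const int T1[] = {0, 0, 0};
static const int T2[] = {0, 7, 0};
static const int T3[] = {5, 0};
static const int *const TESTS[] = {T1, T2, T3, T1};
static const int TEST_N[] = {3, 3, 2, 0};
#define NTESTS 4

/* Non-compliance check: run the real code on each input and evaluate the
 * postcondition at runtime. Returns how many inputs violate it. */
int count_noncompliance(int (*impl)(const int[], int)) {
    int failures = 0;
    for (int i = 0; i < NTESTS; i++) {
        int r = impl(TESTS[i], TEST_N[i]);
        if (!post_all_zeros(TESTS[i], TEST_N[i], r)) failures++;
    }
    return failures;
}

/* Two candidate loop invariants for the loop in all_zeros. */
typedef int (*invariant_fn)(const int t[], int n, int k);

static int inv_bounds_only(const int t[], int n, int k) {
    (void)t;
    return 0 <= k && k <= n;
}

static int inv_strong(const int t[], int n, int k) {
    if (!(0 <= k && k <= n)) return 0;
    for (int j = 0; j < k; j++)
        if (t[j] != 0) return 0;
    return 1;
}

/* Subcontract-weakness check: do not run the loop; instead start from every
 * state the invariant allows (all the prover knows about the loop) and
 * execute only what the code does from there:
 *   I && C  : one iteration of the body, then I must hold again;
 *   I && !C : the code after the loop, then the postcondition must hold.
 * Returns 0 if nothing is found, 1 if the postcondition can fail from a state
 * the invariant allows (invariant too weak), 2 if the body does not
 * preserve the invariant (or it fails on entry). */
int check_loop_subcontract(invariant_fn inv) {
    for (int i = 0; i < NTESTS; i++) {
        const int *t = TESTS[i];
        int n = TEST_N[i];
        if (!inv(t, n, 0)) return 2;              /* I to be proved on entry */
        for (int k = 0; k <= n; k++) {
            if (!inv(t, n, k)) continue;          /* state not allowed by I */
            if (k < n) {                          /* I && C assumed */
                if (t[k] != 0) {                  /* body takes the early return 0 */
                    if (!post_all_zeros(t, n, 0)) return 1;
                } else if (!inv(t, n, k + 1)) {   /* k++ must re-establish I */
                    return 2;
                }
            } else {                              /* I && !C assumed: return 1 */
                if (!post_all_zeros(t, n, 1)) return 1;
            }
        }
    }
    return 0;
}

int main(void) {
    printf("all_zeros, non-compliant inputs: %d\n", count_noncompliance(all_zeros));
    printf("all_zeros_skips_first, non-compliant inputs: %d\n",
           count_noncompliance(all_zeros_skips_first));
    printf("bounds-only invariant: %d\n", check_loop_subcontract(inv_bounds_only));
    printf("strong invariant: %d\n", check_loop_subcontract(inv_strong));
    return 0;
}
```

With the bounds-only invariant the state k == n is reachable for t = {0, 7, 0}, the code after the loop returns 1, and the postcondition fails: the proof fails although the code is correct, because the loop's subcontract says nothing about the elements already scanned. Adding the second invariant (all t[j] with j < k are zero) removes that state, and neither check reports anything; the faulty variant is instead caught by the plain non-compliance check on t = {5, 0}.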