Xavier Urbain

The KRAKATOA tool for certificationof JAVA/JAVACARD programs annotated in JML

Abstract We describe the basic structure of an environment for proving Java programs annotated with JML specifications. Our method is generic with respect to the API, and thus well suited for JavaCard applets certification. It involves three distinct components: the Why tool, which computes proof obligations for a core imperative language annotated with pre- and post-conditions, the Coq proof assistant for modeling the program semantics and conducting the development of proofs, and finally the Krakatoa tool, a translator of our own, which reads the Java files and produces specifications for Coq and a representation of the semantics of the Java program into Why ’s input language.

Mechanically Proving Termination Using Polynomial Interpretations

For a long time, term orderings defined by polynomial interpretations were scarcely used in computer-aided termination proof of TRSs. But recently, the introduction of the dependency pairs approach achieved considerable progress w.r.t. automated termination proof, in particular by requiring from the underlying ordering much weaker properties than the classical approach. As a consequence, the noticeable power of a combination dependency pairs/polynomial orderings yielded a regain of interest for these interpretations. We describe criteria on polynomial interpretations for them to define weakly monotonic orderings. From these criteria, we obtain new techniques both for mechanically checking termination using a given polynomial interpretation and for finding such interpretations with full automation. With regard to automated search, we propose an original method for solving Diophantine constraints. We implemented these techniques into the CiME rewrite tool, and we provide some experimental results that show how useful polynomial orderings actually are in practice.

Proving operational termination of membership equational programs

Reasoning about the termination of equational programs in sophisticated equational languages such as Elan, Maude, OBJ, CafeOBJ, Haskell, and so on, requires support for advanced features such as evaluation strategies, rewriting modulo, use of extra variables in conditions, partiality, and expressive type systems (possibly including polymorphism and higher-order). However, many of those features are, at best, only partially supported by current term rewriting termination tools (for instance mu-term, CiME, AProVE, TTT, Termptation, etc.) while they may be essential to ensure termination. We present a sequence of theory transformations that can be used to bridge the gap between expressive membership equational programs and such termination tools, and prove the correctness of such transformations. We also discuss a prototype tool performing the transformations on Maude equational programs and sending the resulting transformed theories to some of the aforementioned standard termination tools.

Modular and Incremental Automated Termination Proofs

We propose a modular approach of term rewriting systems, making the best of their hierarchical structure. We definerewriting modules and then provide a new method to prove termination incrementally. We obtain new and powerful termination criteria for standard rewriting, thanks to the combination of dependency pairs and. Taking benefit of the generality of the module approach while restraining the notion of termination itself (thus relaxing constraints over hierarchies components), we can easily express previous results and methods the premises of which either include restrictions over unions or make a particular reduction strategy compulsory. We describe our implementation of the modular approach. Proofs are fully automated and performed incrementally. Since convenient orderings are simpler, we observe a dramatic speedup in the finding of the proof.

Proving termination of membership equational programs

Advanced typing, matching, and evaluation strategy features, as well as very general conditional rules, are routinely used in equational programming languages such as, for example, <sc>ASF+SDF</sc>, <sc>OBJ</sc>, <sc>CafeOBJ</sc>, <sc>Maude</sc>, and equational subsets of <sc>ELAN</sc> and <sc>CASL</sc>. Proving termination of equational programs having such expressive features is important but nontrivial, because some of those features may not be supported by standard termination methods and tools, such as <sc>muterm</sc>, <sc>C<i>i</i>ME</sc>, <sc>AProVE</sc>, <sc>TTT</sc>, <sc>Termptation</sc>, etc. Yet, use of the features may be essential to ensure termination. We present a sequence of theory transformations that can be used to bridge the gap between expressive equational programs and termination tools, prove the correctness of such transformations, and discuss a prototype tool performing the transformations on <sc>Maude</sc> equational programs and sending the resulting transformed theories to some of the aforementioned tools.

Certification of Automated Termination Proofs

Nowadays, formal methods rely on tools of different kinds: proof assistants with which the user interacts to discover a proof step by step; and fully automated tools which make use of (intricate) decision procedures. But while some proof assistants can checkthe soundness of a proof, they lack automation. Regarding automated tools, one still has to be satisfied with their answers Yes / No / Do not know , the validity of which can be subject to question, in particular because of the increasing size and complexity of these tools. In the context of rewriting techniques, we aim at bridging the gap between proof assistants that yield formal guarantees of reliability and highly automated tools one has to trust. We present an approach making use of both shallow and deep embeddings. We illustrate this approach with a prototype based on the CiME rewriting toolbox, which can discover involved termination proofs that can be certified by the Coq proof assistant, using the Coccinelle library for rewriting.

Automated Certified Proofs with CiME3

We present the rewriting toolkit CiME3. Amongst other original features, this version enjoys two kinds of engines: to handle and discover proofs of various properties of rewriting systems, and to generate Coq scripts from proof traces given in certification problem format in order to certify them with a skeptical proof assistant like Coq. Thus, these features open the way for using CiME3 to add automation to proofs of termination or confluence in a formal development in the Coq proof assistant.

Modular and incremental proofs of AC-termination

Abstract Termination is a non-modular property of rewriting systems, thus it is a difficult task to discover termination proofs for rewriting systems of a large number of rules. Recently, new modular and incremental termination criteria, suitable for automation, were proposed, using an approach based on notions of termination under non-deterministic collapse and dependency pairs , which apply to hierarchical combinations of rewriting systems. We extend this approach and corresponding results to the important case of rewriting modulo associativity and commutativity.

Certified Impossibility Results for Byzantine-Tolerant Mobile Robots

We present a formailzation of impossibility results in a robot framework. Extended version in SSS 2013.

A3PAT, an approach for certified automated termination proofs

Software engineering, automated reasoning, rule-based programming or specifications often use rewriting systems for which termination, among other properties, may have to be ensured.This paper presents the approach developed in Project A3PAT to discover and moreover certify, with full automation, termination proofs for term rewriting systems. It consists of two developments: the Coccinelle library formalises numerous rewriting techniques and termination criteria for the Coq proof assistant; the CiME3 rewriting tool translates termination proofs (discovered by itself or other tools) into traces that are certified by Coq assisted by Coccinelle. The abstraction level of our formalisation allowed us to weaken premises of some theorems known in the literature, thus yielding new termination criteria, such as an extension of the powerful subterm criterion (for which we propose the first full Coq formalisation). Techniques employed in CiME3 also improve on previous works on formalisation and analysis of dependency graphs.