Towards Full Proof Automation in Frama-C Using Auto-active Verification

  • Allan BlanchardEmail author
  • Frédéric Loulergue
  • Nikolai Kosmatov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11460)


While deductive verification is increasingly used on real-life code, making it fully automatic remains difficult. The development of powerful SMT solvers has improved the situation, but some proofs still require interactive theorem provers in order to achieve full formal verification. Auto-active verification relies on additional guiding annotations (assertions, ghost code, lemma functions, etc.) and provides an important step towards a greater automation of the proof. However, the support of this methodology often remains partial and depends on the verification tool. This paper presents an experience report on a complete functional verification of several C programs from the literature and real-life code using auto-active verification with the C software analysis platform Frama-C and its deductive verification plugin Wp. The goal is to use automatic solvers to verify properties that are classically verified with interactive provers. Based on our experience, we discuss the benefits of this methodology and the current limitations of the tool, as well as proposals of new features to overcome them.



This work was partially supported by a grant from CPER DATA and the project VESSEDIA, which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731453. The authors thank the Frama-C team for providing the tools and support, as well as Patrick Baudin, François Bobot and Loïc Correnson for fruitful discussions and advice. Many thanks to David Cok, Denis Efremov, Marieke Huisman and the anonymous referees for their helpful comments.


  1. 1.
    Barnett, M., Fähndrich, M., Leino, K.R.M., Müller, P., Schulte, W., Venter, H.: Specification and verification: the Spec# experience. Commun. ACM 54(6), 81–91 (2011)CrossRefGoogle Scholar
  2. 2.
    Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). Scholar
  3. 3.
    Baudin, P., et al.: ACSL: ANSI/ISO C specification language.
  4. 4.
    Blanc, R., Kuncak, V., Kneuss, E., Suter, P.: An overview of the Leon verification system: verification by translation to recursive functions. In: Proceedings of the 4th Workshop on Scala, SCALA@ECOOP 2013, pp. 1:1–1:10 (2013)Google Scholar
  5. 5.
    Blanchard, A., Kosmatov, N., Loulergue, F.: Ghosts for lists: a critical module of Contiki verified in Frama-C. In: Dutle, A., Muñoz, C., Narkawicz, A. (eds.) NFM 2018. LNCS, vol. 10811, pp. 37–53. Springer, Cham (2018). Scholar
  6. 6.
    Blanchard, A., Kosmatov, N., Loulergue, F.: Logic against ghosts: comparison of two proof approaches for a list module. In: Proceedings of the 34th Annual ACM Symposium on Applied Computing, SAC 2019. ACM (2019, to appear)Google Scholar
  7. 7.
    Burghardt, J., Gerlach, J., Lapawczyk, T.: ACSL by example (2016).
  8. 8.
    Cohen, E., et al.: VCC: a practical system for verifying concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 23–42. Springer, Heidelberg (2009). Scholar
  9. 9.
    Cok, D.R.: OpenJML: software verification for Java 7 using JML, OpenJDK, and Eclipse. In: F-IDE (2014)Google Scholar
  10. 10.
    Conchon, S., Contejean, E., Iguernelala, M.: Canonized rewriting and ground AC completion modulo Shostak theories: design and implementation. Logical Methods in Computer Science (2012)Google Scholar
  11. 11.
    Dijkstra, E.W.: A constructive approach to program correctness. BIT Numer. Math. 8(3), 174–186 (1968). Scholar
  12. 12.
    Dross, C., Moy, Y.: Auto-active proof of red-black trees in SPARK. In: Barrett, C., Davies, M., Kahsai, T. (eds.) NFM 2017. LNCS, vol. 10227, pp. 68–83. Springer, Cham (2017). Scholar
  13. 13.
    Dunkels, A., Gronvall, B., Voigt, T.: Contiki - a lightweight and flexible operating system for tiny networked sensors. In: LCN 2014. IEEE (2004)Google Scholar
  14. 14.
    Filliâtre, J.-C., Paskevich, A.: Why3—where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013). Scholar
  15. 15.
    Furia, C.A., Nordio, M., Polikarpova, N., Tschannen, J.: AutoProof: auto-active functional verification of object-oriented programs. STTT 19(6), 697–716 (2017)CrossRefGoogle Scholar
  16. 16.
    Hawblitzel, C., et al.: Ironclad apps: end-to-end security via automated full-system verification. In: 11th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2014, pp. 165–181 (2014)Google Scholar
  17. 17.
    Hoang, D., Moy, Y., Wallenburg, A., Chapman, R.: SPARK 2014 and GNATprove - a competition report from builders of an industrial-strength verifying compiler. STTT 17(6), 695–707 (2015)CrossRefGoogle Scholar
  18. 18.
    Jacobs, B., Piessens, F.: The VeriFast program verifier. Technical report. CW-520, KU Leuven (2008)Google Scholar
  19. 19.
    Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C: a software analysis perspective. Formal Asp. Comput. 27(3), 573–609 (2015). http://frama-c.comMathSciNetCrossRefGoogle Scholar
  20. 20.
    Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010). Scholar
  21. 21.
    Leino, K.R.M., Moskal, M.: Usable auto-active verification (2010).
  22. 22.
    Mangano, F., Duquennoy, S., Kosmatov, N.: Formal verification of a memory allocation module of Contiki with Frama-C: a case study. In: Cuppens, F., Cuppens, N., Lanet, J.-L., Legay, A. (eds.) CRiSIS 2016. LNCS, vol. 10158, pp. 114–120. Springer, Cham (2017). Scholar
  23. 23.
    McCormick, J., Chapin, P.: Building High Integrity Applications with SPARK. Cambridge University Press, Cambridge (2015). Scholar
  24. 24.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). Scholar
  25. 25.
    Polikarpova, N., Tschannen, J., Furia, C.A.: A fully verified container library. Formal Asp. Comput. 30(5), 495–523 (2018)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Reynolds, A., Kuncak, V.: Induction for SMT solvers. In: D’Souza, D., Lal, A., Larsen, K.G. (eds.) VMCAI 2015. LNCS, vol. 8931, pp. 80–98. Springer, Heidelberg (2015). Scholar
  27. 27.
    Tafat, A., Marché, C.: Binary heaps formally verified in Why3. Research report RR-7780, INRIA (2011).
  28. 28.
    The Coq Development Team: The Coq proof assistant.
  29. 29.
    The Imandra Team: The Imandra verification tool.
  30. 30.
    Volkov, G., Mandrykin, M., Efremov, D.: Lemma functions for Frama-C: C programs as proofs. In: Proceedings of the 2018 Ivannikov ISPRAS Open Conference (ISPRAS-2018), pp. 31–38 (2018)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Inria Lille—Nord EuropeVilleneuve d’AscqFrance
  2. 2.School of Informatics Computing and Cyber SystemsNorthern Arizona UniversityFlagstaffUSA
  3. 3.CEA, List, Software Reliability and Security LabGif-sur-YvetteFrance

Personalised recommendations