Advertisement

GOSPEL—Providing OCaml with a Formal Specification Language

  • Arthur Charguéraud
  • Jean-Christophe Filliâtre
  • Cláudio Lourenço
  • Mário PereiraEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11800)

Abstract

This paper introduces GOSPEL, a behavioral specification language for OCaml. It is designed to enable modular verification of data structures and algorithms. GOSPEL is a contract-based, strongly typed language, with a formal semantics defined by means of translation into Separation Logic. Compared with writing specifications directly in Separation Logic, GOSPEL provides a high-level syntax that greatly improves conciseness and makes it accessible to programmers with no familiarity with Separation Logic. Although GOSPEL has been developed for specifying OCaml code, we believe that many aspects of its design could apply to other programming languages. This paper presents the design and semantics of GOSPEL, and reports on its application for the development of a formally verified library of general-purpose OCaml data structures.

Notes

Acknowledgments

We are grateful to X. Leroy, F. Pottier, A. Guéneau, and A. Paskevich for discussions and comments during the preparation of this paper.

References

  1. 1.
    Baudin, P., Filliâtre, J.C., Marché, C., Monate, B., Moy, Y.,Prevosto, V.: ACSL: ANSI/ISO C Specification Language, version 1.4 (2009). http://frama-c.cea.fr/acsl.html
  2. 2.
    Bobot, F., Conchon, S., Contejean, E., Iguernelala, M., Lescuyer, S., Mebsout, A.: The Alt-Ergo automated theorem prover (2008). http://alt-ergo.lri.fr/
  3. 3.
    Carré, B., Garnsworthy, J.: SPARK–an annotated Ada subset for safety-critical programming. In: Proceedings of the Conference on TRI-Ada 1990, New York, NY, USA, pp. 392–402. ACM Press (1990)Google Scholar
  4. 4.
    Cauderlier, R., Sighireanu, M.: A verified implementation of the bounded list container. In: Beyer, D., Huisman, M. (eds.) TACAS 2018. LNCS, vol. 10805, pp. 172–189. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-89960-2_10CrossRefGoogle Scholar
  5. 5.
    Charguéraud, A.: Characteristic Formulae for Mechanized Program Verification. PhD thesis, Université Paris (2010). http://www.chargueraud.org/arthur/research/2010/thesis/
  6. 6.
    Charguéraud, A.: Characteristic formulae for the verification of imperative programs. In: Manuel, M.T., Chakravarty, Hu, Z., Danvy, O. (eds.) Proceeding of the 16th ACM SIGPLAN International Conference on Functional Programming (ICFP), Tokyo, Japan, pp. 418–430. ACM, September 2011Google Scholar
  7. 7.
    Charguéraud, A., Pottier, F.: Verifying the correctness and amortized complexity of a union-find implementation in separation logic with time credits. J. Autom. Reasoning (2017)Google Scholar
  8. 8.
    Charguéraud, A., Pottier, F.: Temporary read-only permissions for separation logic. In: Yang, H. (ed.) ESOP 2017. LNCS, vol. 10201, pp. 260–286. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54434-1_10CrossRefGoogle Scholar
  9. 9.
    Cousot, P.,Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The ASTRÉE analyzer. In: ESOP, number 3444 in Lecture Notes in Computer Science, pp. 21–30 (2005)Google Scholar
  10. 10.
    Cruanes, S., Grinberg, R., Deplaix, J.-P., Midtgaard, J.: Qcheck (2019). https://github.com/c-cube/qcheck
  11. 11.
    de Gouw, S., de Boer, F.S., Bubel, R., Hähnle, R., Rot, J., Steinhöfel, D.: Verifying OpenJDK’s sort method for generic collections. J. Autom. Reasoning (2017)Google Scholar
  12. 12.
    Filliâtre, J.-C.: One logic to use them all. In: Bonacina, M.P. (ed.) CADE 2013. LNCS (LNAI), vol. 7898, pp. 1–20. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38574-2_1CrossRefGoogle Scholar
  13. 13.
    Filliâtre, J.-C., Paskevich, A.: Why3 — where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-37036-6_8CrossRefGoogle Scholar
  14. 14.
    Guéneau, A., Charguéraud, A., Pottier, F.: A fistful of dollars: formalizing asymptotic complexity claims via deductive program verification. In: Ahmed, A. (ed.) ESOP 2018. LNCS, vol. 10801, pp. 533–560. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-89884-1_19CrossRefGoogle Scholar
  15. 15.
    Hatcliff, J., Leavens, G.T., Leino, K.R.M., Müller, P., Parkinson, M.: Behavioral interface specification languages. ACM Comput. Surv. 44(3), 16:1–16:58 (2012)CrossRefGoogle Scholar
  16. 16.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580, 583 (1969)CrossRefGoogle Scholar
  17. 17.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: a powerful, sound, predictable, fast verifier for C and java. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 41–55. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-20398-5_4CrossRefGoogle Scholar
  18. 18.
    Kassios, I.T.: Dynamic frames and automated verification (2011). Tutorial for the 2nd COST Action IC0701 Training School, Limerick 6/11, IrelandGoogle Scholar
  19. 19.
    Kassios, I.T.: The dynamic frames theory. Formal Aspects Comput. 23(3), 267–288 (2011)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-c: a software analysis perspective. Formal Aspects Comput. 27(3), 573–609 (2015)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Klein, G., et al.: seL4: formal verification of an OS kernel. Commun. ACM 53(6), 107–115 (2010)CrossRefGoogle Scholar
  22. 22.
    Kosmatov, N., Marché, C., Moy, Y., Signoles, J.: Static versus dynamic verification in Why3, Frama-C and SPARK 2014. In: Margaria, T., Steffen, B. (eds.) ISoLA 2016. LNCS, vol. 9952, pp. 461–478. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-47166-2_32CrossRefGoogle Scholar
  23. 23.
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98–06i, Iowa State University (2000)Google Scholar
  24. 24.
    Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR 2010. LNCS (LNAI), vol. 6355, pp. 348–370. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-17511-4_20CrossRefzbMATHGoogle Scholar
  25. 25.
    Leino, K.R.M., Müller, P.: A basis for verifying multi-threaded programs. In: Castagna, G. (ed.) ESOP 2009. LNCS, vol. 5502, pp. 378–393. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00590-9_27CrossRefGoogle Scholar
  26. 26.
    Leroy, X.: A formally verified compiler back-end. J. Autom. Reasoning 43(4), 363–446 (2009)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Müller, P., Schwerhoff, M., Summers, A.J.: Viper: a verification infrastructure for permission-based reasoning. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 41–62. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49122-5_2CrossRefzbMATHGoogle Scholar
  28. 28.
    Mével, G., Jourdan, J.-H., Pottier, F.: Time credits and time receipts in iris. In: Caires, L. (ed.) ESOP 2019. LNCS, vol. 11423, pp. 3–29. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-17184-1_1CrossRefGoogle Scholar
  29. 29.
    Parkinson, M.J., Summers, A.J.: The relationship between separation logic and implicit dynamic frames. Log. Methods Comput. Sci. 8(3) (2012)Google Scholar
  30. 30.
    Pereira, M.J.P.: Tools and Techniques for the Verification of Modular Stateful Code. PhD thesis, Université Paris-Saclay (2018)Google Scholar
  31. 31.
    Polikarpova, N., Tschannen, J., Furia, C.A.: A fully verified container library. Formal Aspects Comput. 30(5), 495–523 (2018)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Reynolds, J.C.: Separation logic: a logic for shared mutable data structures. In: 17th Annual IEEE Symposium on Logic in Computer Science. IEEE (2002)Google Scholar
  33. 33.
    Signoles, J., Kosmatov, N., Vorobyov, K.: E-ACSL, a Runtime Verification Tool for Safety and Security of C Programs (Tool Paper). In: International Workshop on Competitions, Usability, Benchmarks, Evaluation, and Standardisation for Runtime Verification Tools (RV-CuBES 2017), September 2017Google Scholar
  34. 34.
    Smans, J., Jacobs, B., Piessens, F.: Implicit dynamic frames: combining dynamic frames and separation logic. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 148–172. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03013-0_8CrossRefGoogle Scholar
  35. 35.
    The Coq Development Team. The Coq Proof Assistant Reference Manual - Version V8.9 (2019). http://coq.inria.fr

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Arthur Charguéraud
    • 1
  • Jean-Christophe Filliâtre
    • 2
  • Cláudio Lourenço
    • 2
  • Mário Pereira
    • 3
    Email author
  1. 1.Inria Nancy - Grand EstStrasbourgFrance
  2. 2.Inria Saclay - Île de FrancePalaiseauFrance
  3. 3.NOVA LINCS & DI, FCTUniversidade Nova de LisboaLisbonPortugal

Personalised recommendations