Why Just Boogie?

Translating Between Intermediate Verification Languages
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9681)


The verification systems Boogie and Why3 use their respective intermediate languages to generate verification conditions from high-level programs. Since the two systems support different back-end provers (such as Z3 and Alt-Ergo) and are used to encode different high-level languages (such as C# and Java), being able to translate between their intermediate languages would provide a way to reuse one system’s features to verify programs meant for the other. This paper describes a translation of Boogie into WhyML (Why3’s intermediate language) that preserves semantics, verifiability, and program structure to a large degree. We implemented the translation as a tool and applied it to 194 Boogie-verified programs of various sources and sizes; Why3 verified 83 % of the translated programs with the same outcome as Boogie. These results indicate that the translation is often effective and practically applicable.


  1. 1.
    Ameri, M., Furia, C.A.: Why just Boogie? Translating between intermediate verification languages, January 2016. http://arxiv.org/abs/1601.00516
  2. 2.
    Arlt, S., Schäf, M.: Joogie: infeasible code detection for Java. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 767–773. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Barnett, M., Fähndrich, M., Leino, K.R.M., Müller, P., Schulte, W., Venter, H.: Specification and verification: the Spec# experience. Commun. ACM 54(6), 81–91 (2011)CrossRefGoogle Scholar
  5. 5.
    Cheng, Z., Monahan, R., Power, J.F.: A sound execution semantics for ATL via translation validation. In: Kolovos, D., Wimmer, M. (eds.) ICMT 2015. LNCS, vol. 9152, pp. 133–148. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  6. 6.
    Filliâtre, J.-C., Paskevich, A.: Why3 — where programs meet provers. In: Felleisen, M., Gardner, P. (eds.) ESOP 2013. LNCS, vol. 7792, pp. 125–128. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Furia, C.A.: Rotation of sequences: Algorithms and proofs. http://arxiv.org/abs/1406.5453
  8. 8.
    Furia, C.A., Meyer, B., Velder, S.: Loop invariants: Analysis, classification, and examples. ACM Comput. Surv. 46(3), Article 34 (2014)Google Scholar
  9. 9.
    Harel, D.: On folk theorems. Commun. ACM 23(7), 379–389 (1980)CrossRefMATHGoogle Scholar
  10. 10.
    Heule, S., Kassios, I.T., Müller, P., Summers, A.J.: Verification condition generation for permission logics with abstract predicates and abstraction functions. In: Castagna, G. (ed.) ECOOP 2013. LNCS, vol. 7920, pp. 451–476. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Klein, G., Andronick, J., Elphinstone, K., Heiser, G., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: formal verification of an operating-system kernel. Commun. ACM 53(6), 107–115 (2010)CrossRefGoogle Scholar
  12. 12.
    Kumar, R., Myreen, M.O., Norrish, M., Owens, S.: CakeML: a verified implementation of ML. In: Proceedings of POPL, pp. 179–192. ACM (2014)Google Scholar
  13. 13.
    Leino, K.R.M.: Developing verified programs with Dafny. In: Proceedings of ICSE, pp. 1488–1490. ACM (2013)Google Scholar
  14. 14.
    Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009)CrossRefGoogle Scholar
  15. 15.
    Mens, T., Van Gorp, P.: A taxonomy of model transformation. Electr. Notes Theor. Comput. Sci. 152, 125–142 (2006)CrossRefGoogle Scholar
  16. 16.
    Schmitt, P.H., Ulbrich, M., Weiß, B.: Dynamic frames in Java dynamic logic. In: Beckert, B., Marché, C. (eds.) FoVeOOS 2010. LNCS, vol. 6528, pp. 138–152. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Segal, L., Chalin, P.: A comparison of intermediate verification languages: Boogie and Sireum/Pilar. In: Joshi, R., Müller, P., Podelski, A. (eds.) VSTTE 2012. LNCS, vol. 7152, pp. 130–145. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Stevens, P.: A landscape of bidirectional model transformations. In: Lämmel, R., Visser, J., Saraiva, J. (eds.) GTTSE 2007. LNCS, vol. 5235, pp. 408–424. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  19. 19.
    Trudel, M., Furia, C.A., Nordio, M., Meyer, B.: Really automatic scalable object-oriented reengineering. In: Castagna, G. (ed.) ECOOP 2013. LNCS, vol. 7920, pp. 477–501. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  20. 20.
    Trudel, M., Furia, C.A., Nordio, M., Meyer, B., Oriol, M.: C to O-O translation: beyond the easy stuff. In: Proceedings of WCRE, pp. 19–28. IEEE Computer Society, October 2012Google Scholar
  21. 21.
    Tschannen, J., Furia, C.A., Nordio, M., Polikarpova, N.: AutoProof: auto-active functional verification of object-oriented programs. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 566–580. Springer, Heidelberg (2015)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Chair of Software Engineering, Department of Computer ScienceETH ZurichZurichSwitzerland
  2. 2.Department of Computer Science and EngineeringChalmers University of TechnologyGothenburgSweden

Personalised recommendations