How to Get an Efficient yet Verified Arbitrary-Precision Integer Library

  • Raphaël Rieu-Helft
  • Claude Marché
  • Guillaume Melquiond
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10712)


The GNU Multi-Precision library is a widely used, safety-critical library for arbitrary-precision arithmetic. Its source code is written in C and assembly, and includes intricate state-of-the-art algorithms for the sake of high performance. Formally verifying the functional behavior of such highly optimized code, not designed with verification in mind, is challenging. We present a fully verified library designed using the Why3 program verifier. The use of a dedicated memory model makes it possible to have the Why3 code be very similar to the original GMP code. This library is extracted to C and is compatible and performance-competitive with GMP.


Arbitrary-precision arithmetic, Deductive program verification, C language, Why3 program verifier



We gratefully thank Pascal Cuoq, Jean-Christophe Filliâtre and Mário Pereira for their comments on preliminary versions of this article.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Raphaël Rieu-Helft (1, 2, 3)
  • Claude Marché (2, 3)
  • Guillaume Melquiond (2, 3)

  1. École Normale Supérieure, Paris, France
  2. Inria, Université Paris-Saclay, Palaiseau, France
  3. LRI (CNRS & Univ. Paris-Sud), Université Paris-Saclay, Orsay, France
