Automating formal proofs for reactive systems

D Ricketts, V Robert, D Jang, Z Tatlock… - Proceedings of the 35th …, 2014 - dl.acm.org
Proceedings of the 35th ACM SIGPLAN Conference on Programming Language …, 2014dl.acm.org
Implementing systems in proof assistants like Coq and proving their correctness in full formal
detail has consistently demonstrated promise for making extremely strong guarantees about
critical software, ranging from compilers and operating systems to databases and web
browsers. Unfortunately, these verifications demand such heroic manual proof effort, even
for a single system, that the approach has not been widely adopted. We demonstrate a
technique to eliminate the manual proof burden for verifying many properties within an entire …
Implementing systems in proof assistants like Coq and proving their correctness in full formal detail has consistently demonstrated promise for making extremely strong guarantees about critical software, ranging from compilers and operating systems to databases and web browsers. Unfortunately, these verifications demand such heroic manual proof effort, even for a single system, that the approach has not been widely adopted.
We demonstrate a technique to eliminate the manual proof burden for verifying many properties within an entire class of applications, in our case reactive systems, while only expending effort comparable to the manual verification of a single system. A crucial insight of our approach is simultaneously designing both (1) a domain-specific language (DSL) for expressing reactive systems and their correctness properties and (2) proof automation which exploits the constrained language of both programs and properties to enable fully automatic, pushbutton verification. We apply this insight in a deeply embedded Coq DSL, dubbed Reflex, and illustrate Reflex's expressiveness by implementing and automatically verifying realistic systems including a modern web browser, an SSH server, and a web server. Using Reflex radically reduced the proof burden: in previous, similar versions of our benchmarks written in Coq by experts, proofs accounted for over 80% of the code base; our versions require no manual proofs.
ACM Digital Library