Lecture

Proving programs : why, when and how ?

from to

This year's lecture inaugurates a multi-year cycle dedicated to the formal development of programs and circuits. Its main focus will be the study of formal verification methods and tools, which seek to establish mathematical proofs of total correctness (the realization implements the whole specification and nothing but it) or partial correctness (certain types of bugs cannot occur). The associated techniques are based on a variety of mathematical and algorithmic approaches. They are implemented in verification systems ranging from research prototypes to industrial tools actually used routinely in specific industrial fields.

The development of software or circuits is traditionally based on a top-down working model, from design to implementation, then moving upwards from unit testing of software components to integration testing. Application validation is thus based exclusively on test sets, often developed by hand according to informal specifications. This method is reasonably effective for programs that take fairly uniform data at the start of execution and return results at the end of execution. But it often proves inadequate for programs where bugs can have formidable direct or indirect consequences: those with highly varied inputs, such as compilers which have to reject or correctly translate all possible programs; programs which act in permanent interaction with their environment, such as operating systems and web-based distributed applications; reactive programs used to control cyber-physical systems which interact in real time with a complex physical environment (transport, robots, etc.); subtle protocols which ensure the correct operation of a program; and, last but not least, programs which are used to control a complex physical environment.), the subtle protocols that ensure computer security, electronic voting systems and so on. The conditions of execution can then be extremely numerous and completely untestable. What's more, while testing can validate behavior or detect bugs in the execution conditions actually examined, it says absolutely nothing about the others.

Program