
Verification by Reduction to Functional Programs

Thesis No. 7636 (2017)
Presented on 25 August 2017 at the Faculty of Computer and Communication Sciences, Laboratory for Automated Reasoning and Analysis, Doctoral Program in Computer and Communication Sciences, École Polytechnique Fédérale de Lausanne, for the degree of Doctor of Science, by Régis William BLANC.

Accepted on the proposal of the jury:
Prof. P. Ienne, president of the jury
Prof. V. Kuncak, thesis director
Prof. Ph. Rümmer, examiner
Dr N. Bjørner, examiner
Prof. M. Odersky, examiner

Switzerland, 2017

"The best way to predict the future is to invent it." — Alan Kay

To the memory of my father

Acknowledgements

First, I would like to thank my advisor, Viktor Kuncak, for guiding me through my PhD studies. He trusted me when I had no clue about which research direction to take, and I am grateful he let me explore projects in this way. He always showed an enthusiasm for research, which was naturally motivating. I also thank the members of my thesis jury, Nikolaj Bjørner, Philipp Rümmer, Martin Odersky, and Paolo Ienne, for taking the time to review and judge my thesis. Their questions and constructive comments helped me improve the final version of my thesis.

Although it is true that only the PhD student types in the content of this manuscript, the results presented were made possible only through the help of several co-authors. I want to thank each of my co-authors throughout my short scientific career: Etienne Kneuss, Philippe Suter, Laura Kovács, Ashutosh Gupta, Bernhard Kragl, Thibaud Hottelier, and Thomas Henzinger. In particular, Laura Kovács was my first adviser on a research project, and her guidance was valuable in convincing me to start my PhD research. She also hosted me at TU Wien for the summer before beginning my PhD work, which led to productive research and ultimately a publication.
Philippe Suter suggested the original idea for tackling verification of imperative programming, which is the seed that led to the work presented in my thesis. Finally, although not a co-author, David Novo gave me the possibility to work on a cool and interesting research project, and I thank him for that.

The LARA group has always been an enjoyable environment to work in, mostly thanks to the members' relaxed attitude that would transpire through our irregular group meetings. I thank all the present and past members of the lab, as they helped create this nice atmosphere: Ali, Andrej, Andrew, Etienne, Eva, Filip, Georg, Giulano, Hossein, Ivan, Jad, Manos, Marco, Mikaël, Nicolas, Pierre-Emmanuel, Philippe, Ravi, Romain, Ruzica, Sumith, Tihomir. I am especially grateful to Philippe and Etienne, who built most of the original infrastructure on which my research is based; to Nicolas, who created a better and faster infrastructure and ported my work to it; and to Marco, who seriously experimented with the language extensions I was building and who provided valuable feedback. I also want to thank an often forgotten member of the lab, Leon, for his hard and repetitive work, which has been essential in putting this thesis together. I also thank the members of the LAMP lab, for building this awesome language that is Scala and for being generally cool.

If I was able to focus on research work, it is also due to the help of Yvette Gallay and Sylvie Jankow, who both protected me from the complex administrative layers of EPFL. I am very thankful to them. I also thank Fabien Salvi, who shared my love for Microsoft Windows and was always able to fix unexpected issues. I thank Holly, who had the courage to read through my entire thesis and dig out each and every mistake related to my usage of English.

Because EPFL would be pretty boring without people to hang out with, I want to thank the friends I met there: Alevtina, for introducing me to The Americans.
Alexandre, for playing my games and for helping me distill my ideas (and for being at EPFL for a longer time than me). Alina, for organizing nice hikes. Ana, for always caring about my side projects and for the many discussions. Gilles, for chatting about hockey and playing football. Hông-Ân, for passing on her apartment to me in Zurich. Laurent, for sharing startup tips. Lucas, for cool tech discussions over lunch and coffee. Manohar, for being a fan of Roger. Marina, for hiking with me and for supporting Stan. Miji, for being always happy to visit places. Sonia, for sharing classic Swiss food and for the many nice coffee breaks. Stefan, for sharing my passion for coffee. I also thank all my friends outside EPFL; they helped me disconnect from work. In particular, I thank Mani, my long-time and dearest friend.

Finally, of course, I thank my family. My brother, who only pulled me away from my work to organize football matches. My cat, who showed me his affection through scratches and bites whose purpose was, I am sure, to keep me close to him. My father, who introduced me to the most beautiful sport in the world, a sport that helped me a great deal to unwind from work. And above all my mother, who made so many sacrifices to allow me to get where I am today. Thank you.

Lausanne, April 2017
R. B.

Preface

"Thus, I continued development creating Pascal in 1970. From then on, my goal was to create a language that was scientifically clean, i.e. defined not in terms of a mechanism (or even a specific computer), but in terms of a mathematical structure of axioms and derivation rules. This turned out to be an elusive goal." — Niklaus Wirth, 2014

The potential of software to transform our society is virtually limitless. But this potential comes at the cost of limitless complexity and the difficulty of building software that is right. Given this complexity, the potential of software to transform our lives turns into a threat to transform our lives.
We increasingly rely on software for life-critical tasks: to transport us to see our loved ones, to diagnose diseases, and to predict critical events in the near future. Yet each of these software services might simply crash in a bizarre way and stop delivering a time-critical service, or cause us to make a wrong decision, with disastrous consequences. Astonishingly, the predominant methodology for constructing software leaves many potential errors behind. There is a belief that efficiency dictates the use of low-level languages, for which the application of formal methods is difficult. Ambitious researchers have set out to demonstrate that it is possible to verify low-level C code as it is written. This has resulted in impressive achievements, yet the effort that was needed provides evidence that existing languages are not the most efficient way to construct software with strong correctness guarantees. On the other side of the spectrum, first-order functional programming languages have been shown to be suitable for reasoning about programs, but they tempt developers into writing complex higher-order code for which efficient execution and reasoning can also be difficult to achieve.

The thesis of Régis Blanc points in the direction of a more productive approach for constructing software with strong correctness guarantees. The approach includes a language, which is a fragment of Scala that includes both higher-order and imperative constructs, and is designed to avoid constructs that are difficult to verify. The language prevents many errors by construction: it is memory safe, and it does not automatically include null in the space of possible values of data structures. Crucially, the language also permits efficient translation into a functional form, to which verification techniques can be applied. The translation is kept manageable thanks to the use of unique mutable fields for data structures. The translation has been used successfully to verify programs in this language.
At the same time, the programs in this fragment execute using efficient in-place updates and can use the familiar syntax of mutable variables, assignments, and loops. Verifying the resulting functional code is a non-trivial task to which the thesis also contributes. It sets a high standard for formal models of code by representing machine integers correctly using bitvectors and requiring developers to use unbounded integers in source code to obtain properties of mathematical integers. An entire range of run-time errors and undesired behaviors can be checked using the tool, including overflows, array bounds violations, and pattern matching errors. Most interestingly, developers can specify and verify correctness properties using preconditions, postconditions, and invariants.

A crucial component in verification is the constraint solving of certain formulas describing possible executions of programs. The work of Régis shows how to keep the architecture of such a tool maintainable by building a layer that communicates with multiple SMT solvers. What is more, he shows that future SMT solvers could be written in high-level languages: he writes a full-fledged SAT solver in Scala, starting from a simple version and refining it to a solver incorporating most techniques used in production-quality SAT solvers.

The case studies in the thesis show that the approach holds promise for constructing verified applications, and illustrate the practical benefit of Scala, which can deploy applications on a number of platforms, including the JVM, JavaScript, and, most recently, native code. The thesis thus brings us a step closer towards the elusive goal of building software that we can reason about and execute efficiently.

Lausanne, April 2017
Viktor Kunčak

Abstract

In this thesis, we explore techniques for the development and verification of programs in a high-level, expressive, and safe programming language.