Skip to Content.
Sympa Menu

coq-club - Re: [Coq-Club] VST release 1.6

coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] VST release 1.6


Chronological Thread 
  • From: Chan Ngo <chan.ngo2203 AT gmail.com>
  • To: coq-club AT inria.fr
  • Subject: Re: [Coq-Club] VST release 1.6
  • Date: Mon, 4 Jan 2016 16:21:50 +0100
  • Authentication-results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=chan.ngo2203 AT gmail.com; spf=Pass smtp.mailfrom=chan.ngo2203 AT gmail.com; spf=None smtp.helo=postmaster AT mail-wm0-f50.google.com
  • Ironport-phdr: 9a23:6fD2iRW4sBgBazflCnYBvCSJAzHV8LGtZVwlr6E/grcLSJyIuqrYZhaPt8tkgFKBZ4jH8fUM07OQ6PC+HzRYqb+681k8M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aJBzzOEJPK/jvHcaK1oLsh770o8WbSj4LrQT+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf9d32JiKAHbtR/94sCt4MwrqHwI6Lpyv/JHBK79ZuEzSaFSJDUgKWE8osPx5jfZSg7azXsVVC0wnR0AVwPF5Re8WJj26HGi7cJy3SCbOYv9SrViCmfq1LtiVBK90HRPDDU+6myC0sE=

> On Jan 4, 2016, at 4:03 PM, Adam Chlipala
> <adamc AT csail.mit.edu>
> wrote:
>
> On 01/04/2016 04:23 AM, Chan Ngo wrote:
>>> On Jan 4, 2016, at 9:55 AM, Claude Marché
>>> <Claude.Marche AT inria.fr>
>>> wrote:
>>>
>>> So, in short:
>>>
>>> VST: specification language = Coq, back-end prover = Coq
>>> Frama-C/Why3: specification language = ACSL, back-end provers = SMT
>>> solvers
>>>
>>> VST provides a much higher level of trust than the latter, thanks to the
>>> use of CompCert. There was an attempt to design a Frama-C deductive
>>> verification plugin of Frama-C through CompCert (PhD thesis of Paolo
>>> Hemrs, https://tel.archives-ouvertes.fr/tel-00789543) but it did not
>>> make its way to a robust, distributed plug-in.
>>>
>> I think that if we can certify the automated provers used in that tools,
>> we can obtain the same formal level of trust as providing by VST. It is
>> the same as some additional parts of the CompCert compiler which use
>> translation validation approach (produce a validator), meaning that if we
>> certify the validator formally then the result validated compiler is the
>> same level of trust as the formal verified compiler.
>
> I'm afraid that description is rather far from accurate, if by "automated
> provers" you mean "SMT solvers." Frama-C has much trusted code having to
> do with the C language and associated verification methodologies. All of
> that code would need to be certified/certifying, too, not just the SMT
> solvers. Compared to proof witnesses from SMT solvers, which are
> relatively well-understood today, it's not as obvious how to use
> proof-generating translations to handle the semantics of C or the
> application of a verification methodology.

Yes, thanks for reminding that. Somehow I assumed that the correctness of the
tool’s development (i.e., Frama-C). Since I want to emphasize the use of
external libs. Consider a deductive verification proof from VST and the proof
from tools like Why3, Frama-C for a same specification, how we can say that
these two proofs are the same level of trust? I would like to say if the can
prove the correctness of the later tools development (including the tool
itself and the external libs), we can guarantee the same level of trust,
please correct me if it is not so (As the example of the validator in
complier validation does so according the claims in some work of Leroy in
CompCert project)..


Chan


Archive powered by MHonArc 2.6.18.

Top of Page