Correct sorting with Frama-C
1. Correct sorting with Frama-C
Pedro Pereira Ulisses Costa
Formal Methods in Software Engineering
July 2, 2009
Pedro Pereira, Ulisses Costa Correct sorting with Frama-C
2. Algorithm implementation
Implementation
void bubbleSort(int *vector, int tam) {
    int i, j;
    /* pass i moves the largest element of vector[0..tam-i-1] to position tam-i-1,
       so after pass i the last i+1 cells hold the i+1 largest values in order */
    for (i = 0; i < tam; i++) {
        for (j = 0; j < tam - i - 1; j++) {
            if (vector[j] > vector[j + 1]) {
                swap(&vector[j], &vector[j + 1]);
            }
        }
    }
}
3. Contract
Pre-conditions
tam > 0
valid_range(vector, 0, tam − 1)
Post-conditions
sorted(vector, 0, tam − 1)
∀a : 0 ≤ a < tam : (∃b : 0 ≤ b < tam : old(vector(b)) ≡ vector(a))
Note that the second post-condition only says that every element of the result already occurred in the input. That is weaker than "the result is a permutation of the input": together with sortedness it still admits an output that repeats one input value and drops another, so a proof of this contract does not by itself show that the function sorts its input.
4. Annotations
/*@ requires tam > 0;
  @ requires \valid_range(vector, 0, tam-1);
  @ ensures \forall integer a; 0 <= a < tam
  @     ==> (\exists integer b; 0 <= b < tam
  @            && \at(vector[b], Old) == \at(vector[a], Here));
  @ ensures Sorted{Here}(vector, 0, tam-1);
  @*/
The body of the \exists must be joined with && rather than ==>: with an implication the witness b can be chosen outside 0 .. tam-1, which makes the clause trivially true. \valid_range(p, l, h) is the older spelling of \valid(p + (l .. h)).
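The contract above turned into executable checks, as an added example that is not part of the slides. It runs the slides' bubbleSort on a copy of an input and evaluates the pre-condition and both post-conditions, and then does the same for fillWithMin, a function constructed here for the demonstration: it satisfies the slides' second post-condition without being a sort, which a multiset comparison (same_multiset, also added here) does catch. SAMPLE is the trace input used later in the slides.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the slides): the contract of slides 3 and 4 as
 * run-time checks, applied to bubbleSort and to a constructed function that
 * meets that contract without sorting anything. */

static const int SAMPLE[] = {8, 5, 2, 6, 9, 3, 0, 4, 1}; /* the slides' trace input */
enum { SAMPLE_LEN = 9 };

static void swap(int *i, int *j) { int tmp = *i; *i = *j; *j = tmp; }

/* The bubble sort under verification, as on slide 2. */
void bubbleSort(int *vector, int tam) {
    for (int i = 0; i < tam; i++)
        for (int j = 0; j < tam - i - 1; j++)
            if (vector[j] > vector[j + 1])
                swap(&vector[j], &vector[j + 1]);
}

/* Constructed counterexample: overwrites every cell with the minimum.
 * The result is sorted and every cell holds a value that was in the input. */
void fillWithMin(int *vector, int tam) {
    int m = vector[0];
    for (int k = 1; k < tam; k++) if (vector[k] < m) m = vector[k];
    for (int k = 0; k < tam; k++) vector[k] = m;
}

/* sorted(v, l, h): forall i, l <= i < h: v[i] <= v[i+1]  (the slides' predicate) */
bool sorted(const int *v, int l, int h) {
    for (int i = l; i < h; i++)
        if (v[i] > v[i + 1]) return false;
    return true;
}

/* Second post-condition of slide 3: every element of the result was in the input. */
bool every_result_element_was_in_input(const int *old, const int *now, int tam) {
    for (int a = 0; a < tam; a++) {
        bool found = false;
        for (int b = 0; b < tam && !found; b++) found = (old[b] == now[a]);
        if (!found) return false;
    }
    return true;
}

/* Stronger property the slides do not state: same multiset, i.e. a permutation.
 * For every value occurring in old, its multiplicity in old and in now agree;
 * since both arrays have tam cells this also rules out values new to now. */
bool same_multiset(const int *old, const int *now, int tam) {
    for (int k = 0; k < tam; k++) {
        int in_old = 0, in_now = 0;
        for (int x = 0; x < tam; x++) {
            in_old += (old[x] == old[k]);
            in_now += (now[x] == old[k]);
        }
        if (in_old != in_now) return false;
    }
    return true;
}

typedef void (*sort_fn)(int *vector, int tam);
typedef bool (*post_fn)(const int *old, const int *now, int tam);

/* Runs f on a copy of input; returns true iff the pre-condition, sortedness
 * and the given second post-condition all hold for this input. */
static bool run_and_check(sort_fn f, post_fn post, const int *input, int tam) {
    if (!(tam > 0)) return false;                       /* requires tam > 0 */
    int *v = malloc(sizeof(int) * (size_t)tam);
    if (!v) return false;
    memcpy(v, input, sizeof(int) * (size_t)tam);
    f(v, tam);
    bool ok = sorted(v, 0, tam - 1) && post(input, v, tam);
    free(v);
    return ok;
}

/* The contract exactly as written on the slides. */
bool meets_slide_contract(sort_fn f, const int *input, int tam) {
    return run_and_check(f, every_result_element_was_in_input, input, tam);
}

/* The contract with the permutation property in place of the weaker clause. */
bool meets_permutation_contract(sort_fn f, const int *input, int tam) {
    return run_and_check(f, same_multiset, input, tam);
}

int main(void) {
    printf("bubbleSort  : slide contract %d, permutation %d\n",
           meets_slide_contract(bubbleSort, SAMPLE, SAMPLE_LEN),
           meets_permutation_contract(bubbleSort, SAMPLE, SAMPLE_LEN));
    printf("fillWithMin : slide contract %d, permutation %d\n",
           meets_slide_contract(fillWithMin, SAMPLE, SAMPLE_LEN),
           meets_permutation_contract(fillWithMin, SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Both functions pass the slides' contract on SAMPLE; only bubbleSort passes the permutation check. In an ACSL specification the missing property is normally written as a separate permutation predicate (typically inductive, or counting-based like same_multiset here) relating the pre- and post-state of the array.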
5. Inner-loop
Example (i = 0; the first line is the array before the inner loop, each following line the array after iteration j)
i = 0, [8, 5, 2, 6, 9, 3, 0, 4, 1]
j = 0, [5, 8, 2, 6, 9, 3, 0, 4, 1]
j = 1, [5, 2, 8, 6, 9, 3, 0, 4, 1]
j = 2, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 3, [5, 2, 6, 8, 9, 3, 0, 4, 1]
j = 4, [5, 2, 6, 8, 3, 9, 0, 4, 1]
j = 5, [5, 2, 6, 8, 3, 0, 9, 4, 1]
j = 6, [5, 2, 6, 8, 3, 0, 4, 9, 1]
j = 7, [5, 2, 6, 8, 3, 0, 4, 1, 9]
After iteration j, the element at position j + 1 is greater than or equal to
each of the first j + 1 elements (positions 0 .. j).
15. Inner-loop (cont.)
Loop invariants
0 ≤ j ≤ tam − i − 1
∀a : 0 ≤ a < j : vector(a) ≤ vector(j)
Loop variant
tam − i − j − 1
The invariant is checked at the loop head, i.e. after j++ and before the loop test, so the observation from the trace has to be restated there: the element now at position j is greater than or equal to every element before it. The form 0 < j < tam − i ⇒ (∀a : 0 ≤ a ≤ j : vector(a) ≤ vector(j + 1)) is not inductive: at the head of iteration j = 1 in the trace above vector(2) = 2 is smaller than vector(1) = 8, and at the final head of the pass with i = 0 it refers to vector(tam), which is outside the array.
16. Inner-loop invariants & variant
/*@ loop invariant 0 <= j <= tam-i-1;
  @ loop invariant \forall integer a; 0 <= a < j ==> vector[a] <= vector[j];
  @ loop variant tam-i-j-1;
  @*/
With the WP plug-in a frame clause such as loop assigns j, vector[0..tam-i-2]; is also needed, so that the prover knows the inner loop does not touch the tail that earlier passes have already placed.
17. Outer-loop
Example (array after each pass i of the outer loop)
before, [8, 5, 2, 6, 9, 3, 0, 4, 1]
i = 0, [5, 2, 6, 8, 3, 0, 4, 1, 9]
i = 1, [2, 5, 6, 3, 0, 4, 1, 8, 9]
i = 2, [2, 5, 3, 0, 4, 1, 6, 8, 9]
i = 3, [2, 3, 0, 4, 1, 5, 6, 8, 9]
i = 4, [2, 0, 3, 1, 4, 5, 6, 8, 9]
i = 5, [0, 2, 1, 3, 4, 5, 6, 8, 9]
i = 6, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 7, [0, 1, 2, 3, 4, 5, 6, 8, 9]
i = 8, [0, 1, 2, 3, 4, 5, 6, 8, 9]
After pass i, the last i + 1 elements of the sequence are sorted, and
each of them is greater than or equal to every other element of the
sequence.
28. Outer-loop (cont.)
Loop invariants
0 ≤ i ≤ tam
sorted(vector, tam − i, tam − 1)
∀a, b : 0 ≤ b < tam − i ≤ a < tam : vector(b) ≤ vector(a)
Loop variant
tam − i
At the loop head i counts the passes already made, so it is the last i elements (not i + 1) that are in place. The bound must allow i = tam, the value at the final head where the loop exits; there the sorted range is the whole array, which is exactly the post-condition. With the bound 0 ≤ i < tam the invariant would be false at that point, and with the range tam − i − 1 it would refer to vector(−1).
29. Outer-loop invariants & variant
/*@ loop invariant 0 <= i <= tam;
  @ loop invariant Sorted{Here}(vector, tam-i, tam-1);
  @ loop invariant \forall integer a, b; 0 <= b < tam-i <= a < tam
  @     ==> vector[b] <= vector[a];
  @ loop variant tam-i;
  @*/
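Before handing candidate loop invariants to a prover, it is cheap to evaluate them at run time at the point where Frama-C checks them: the loop head, i.e. before the loop test on every iteration, including the last one that exits the loop. The following is an added example, not code from the slides: it runs the bubble sort from slide 2 with the inner-loop candidate in its original printed form (0 < j < tam−i ⇒ ∀a, 0 ≤ a ≤ j : vector[a] ≤ vector[j+1]) and with the inductive form (∀a, 0 ≤ a < j : vector[a] ≤ vector[j]), together with the outer-loop invariants, and counts the loop-head states at which a candidate is false. The function names, the checker structure and the SAMPLE input are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): evaluate candidate loop invariants at
 * each loop head. A candidate that fails here cannot be proved; one that
 * passes may still need strengthening before a prover can discharge it. */

static const int SAMPLE[] = {8, 5, 2, 6, 9, 3, 0, 4, 1}; /* the slides' trace input */
enum { SAMPLE_LEN = 9 };

static void swap(int *i, int *j) { int tmp = *i; *i = *j; *j = tmp; }

/* Inner-loop invariant as originally printed on the slides:
 *   0 <= j < tam-i  and  0 < j < tam-i ==> forall a, 0 <= a <= j: v[a] <= v[j+1] */
static bool inner_inv_slides(const int *v, int tam, int i, int j) {
    if (!(0 <= j && j < tam - i)) return false;
    if (!(0 < j)) return true;
    if (j + 1 >= tam) return false;       /* would read v[tam]: not a valid cell */
    for (int a = 0; a <= j; a++)
        if (v[a] > v[j + 1]) return false;
    return true;
}

/* Inductive inner-loop invariant: at the head of iteration j the element at
 * position j is already >= every element before it.
 *   0 <= j <= tam-i-1  and  forall a, 0 <= a < j: v[a] <= v[j] */
static bool inner_inv_inductive(const int *v, int tam, int i, int j) {
    if (!(0 <= j && j <= tam - i - 1)) return false;
    for (int a = 0; a < j; a++)
        if (v[a] > v[j]) return false;
    return true;
}

/* Outer-loop invariant: the last i elements are sorted and dominate the rest.
 *   0 <= i <= tam, Sorted(v, tam-i, tam-1),
 *   forall a b, 0 <= b < tam-i <= a < tam: v[b] <= v[a] */
static bool outer_inv(const int *v, int tam, int i) {
    if (!(0 <= i && i <= tam)) return false;
    for (int k = tam - i; k < tam - 1; k++)
        if (v[k] > v[k + 1]) return false;
    for (int b = 0; b < tam - i; b++)
        for (int a = tam - i; a < tam; a++)
            if (v[b] > v[a]) return false;
    return true;
}

typedef bool (*inner_inv_fn)(const int *v, int tam, int i, int j);

/* The bubble sort from slide 2, unrolled into explicit loop tests so that the
 * invariants are evaluated at every loop head. Returns how many loop-head
 * states violated an invariant; 0 means the candidates survived this input. */
int bubble_sort_checked(int *v, int tam, inner_inv_fn inner) {
    int violations = 0;
    for (int i = 0; ; i++) {
        if (!outer_inv(v, tam, i)) violations++;
        if (!(i < tam)) break;                      /* outer for-loop test */
        for (int j = 0; ; j++) {
            if (!inner(v, tam, i, j)) violations++;
            if (!(j < tam - i - 1)) break;          /* inner for-loop test */
            if (v[j] > v[j + 1]) swap(&v[j], &v[j + 1]);
        }
    }
    return violations;
}

/* Runs the checked sort on a copy of the slides' input with the given candidate. */
int violations_on_sample(inner_inv_fn inner) {
    int v[SAMPLE_LEN];
    memcpy(v, SAMPLE, sizeof v);
    return bubble_sort_checked(v, SAMPLE_LEN, inner);
}

int violations_slides(void)    { return violations_on_sample(inner_inv_slides); }
int violations_inductive(void) { return violations_on_sample(inner_inv_inductive); }

int main(void) {
    printf("inner invariant as printed on the slides: %d violations\n", violations_slides());
    printf("inductive invariants:                     %d violations\n", violations_inductive());
    return 0;
}
```

The first violation of the printed form occurs exactly where the trace on slide 5 predicts it, at the head of iteration j = 1 of the first pass, and another at the final head of that pass where j + 1 equals tam. The inductive candidates hold at every loop head; that is necessary but not sufficient for a proof, which is why the loop assigns frame discussed with slide 16 is still needed on top of them.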
30. Conclusions
Pros:
Fast and powerful
Possible to prove bubble-sort's correctness with just 16 annotations
Constantly updated
Cons:
Although extensive, the documentation lacks detail
Complex programs may require advanced knowledge in logic
31. Questions
?
32. Resources - rest of the code
/*@ predicate Sorted{L}(int *a, integer l, integer h) =
  @   \forall integer i; l <= i < h ==> \at(a[i], L) <= \at(a[i+1], L);
  @*/

/*@ requires \valid(i) && \valid(j);
  @ // BUG 0000080: Assertion failed in jc_interp_misc.ml
  @ // assigns *i, *j;
  @ ensures \at(*i, Old) == \at(*j, Here) && \at(*j, Old) == \at(*i, Here);
  @*/
void swap(int *i, int *j) {
    /* exchange the two cells; the contract states the exchange in terms of the
       pre-state (Old) and post-state (Here) values */
    int tmp = *i;
    *i = *j;
    *j = tmp;
}
The assigns clause was left commented out because of the Jessie bug noted above; without it the caller's verification cannot rely on swap leaving the rest of the array unchanged.
33. Resources - images
34. Resources - images (cont.)