1. Why3 Platform
François Bobot, Jean-Christophe Filliâtre, Claude Marché,
Guillaume Melquiond, Andrei Paskevich
Université Paris-Sud / CNRS / INRIA
OWF RII, 4 October 2013
1 / 5
2. deductive program verification
program + specification → verification conditions → proof
specifications:
• safety, i.e. the program does not crash
• absence of arithmetic overflow
• complex behavioral property, e.g. “sorts an array”
• termination
proofs:
• SMT solvers: CVC4, CVC3, Z3, Alt-Ergo, veriT, Yices, etc.
• ATP systems: Vampire, Eprover, SPASS, iProver, etc.
• proof assistants: Coq, PVS, Isabelle, etc.
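The pipeline above, shown on an added example that is not part of the original deck or of the Why3 distribution: a WhyML binary search whose specification exercises the four kinds of property listed on this slide. Safety is the array access `a[mid]`, which Why3 turns into a bounds-check VC; the behavioral property is the pre/postcondition pair ("the array is sorted" / "the result indexes an occurrence of v"); termination is the loop `variant`. The module and function names are illustrative, and the syntax is the Why3 1.x form (`use` without `import`, `let ref`, `return`), which postdates this 2013 deck; both are assumptions of this example.

```whyml
(* Added example, not from the slides. Why3 1.x syntax is assumed;
   the module and function names are illustrative. *)
module BinarySearch
  use int.Int
  use int.ComputerDivision   (* div: truncating integer division *)
  use array.Array

  exception Not_found

  (* specification = precondition + normal and exceptional postconditions *)
  let binary_search (a: array int) (v: int) : int
    (* behavioral property: the input array is sorted *)
    requires { forall i1 i2. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] }
    (* behavioral property on normal exit: result is a valid index holding v *)
    ensures  { 0 <= result < length a /\ a[result] = v }
    (* exceptional postcondition: Not_found means v is absent from a *)
    raises   { Not_found -> forall i. 0 <= i < length a -> a[i] <> v }
  = let ref lo = 0 in
    let ref hi = length a - 1 in
    while lo <= hi do
      (* invariant 1: keeps mid inside the array, which discharges the
         bounds-check VC generated for a[mid] (the "safety" property) *)
      invariant { 0 <= lo /\ hi < length a }
      (* invariant 2: any occurrence of v lies in lo..hi *)
      invariant { forall i. 0 <= i < length a -> a[i] = v -> lo <= i <= hi }
      (* variant: hi - lo is >= 0 under the guard and strictly decreases,
         which is the termination VC *)
      variant   { hi - lo }
      (* lo + (hi - lo) / 2 rather than (lo + hi) / 2: the form that stays
         overflow-free if int is replaced by a bounded machine integer type *)
      let mid = lo + div (hi - lo) 2 in
      if a[mid] < v then lo <- mid + 1
      else if a[mid] > v then hi <- mid - 1
      else return mid
    done;
    raise Not_found
end
```

Running `why3 prove -P alt-ergo binary_search.mlw` generates and discharges, per the slide's pipeline, the VCs for invariant initialisation and preservation, the bounds check on `a[mid]`, variant decrease, and both postconditions. With mathematical `int` there is no overflow VC; replacing `int.Int` by a bounded type such as `mach.int.Int32` makes each `+` and `-` produce an additional proof obligation that the result fits, which is where the mid-point expression above earns its keep.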
3. in a nutshell
Why3 implements
• polymorphic first-order logic
algebraic datatypes, recursive definitions, inductive predicates
• ML-style programming language
polymorphism, pattern matching, exceptions, mutable state
• deductive program verification
based on weakest precondition calculus
Why3 provides
• back-end for several program verification frameworks
• translation chains to talk to a large range of provers
• OCaml API to ease integration in third-party projects
open-source software http://why3.lri.fr/
4. applications
three ways of using Why3
• as a logical language
a convenient front-end to theorem provers
• as a programming language to prove algorithms
Bellman-Ford, Knuth-Morris-Pratt, 80+ other examples
• as an intermediate language
• Java programs: Krakatoa (Marché, Paulin, Urbain)
• C programs: Frama-C / Jessie (Marché, Moy)
• Ada programs: Hi-Lite / GNATprove (AdaCore)
• B Method proof obligations: BWare (ANR BWare)
• probabilistic programs: EasyCrypt (Barthe et al.)
5. big picture
front-ends:
• KML-annotated Java program → Krakatoa
• ACSL-annotated C program → Frama-C / Jessie
• ALFA-annotated Ada program → Hi-Lite
Why3: VC generator + theories → verification conditions → transformations + encodings
provers:
• interactive provers (Coq, PVS, etc.)
• automated provers (Alt-Ergo, CVC4, Z3, Simplify, Yices, etc.)
• more automated provers (Eprover, SPASS, Vampire, Gappa, etc.)