"I reject beauty, I want formalism!" Kevin Buzzard about the future of mathematics with Proof assistants.

Nobody wants to bring out bad software, even though it results in a lot of complexity. But in real-life, this is a cost-benefit trade-off between going into the market and proof-making time [4]. Maybe your killer dating app doesn’t need it, but nuclear power plants have to.

Since your software must be free of defects and compilers have shown like a tool that sheds out static and dynamic bugs from program analysis, your modern compiler plays a critical role in automatic program verification and correctness in order to be free of defects [1].

Debugger, unit testing, and similar techniques have been helpful techniques. However, they are not enough, instead one should prove it by specifications and it checked by a computer program.

Compiler verification

You have to prove your high-level system works but who verifies your compiler? must you trust it?

This was set out by Jonh McCarthy and James Painter, so it is an old problem [9]. Today, applied research is about using Proof assistants such as Coq or Lean Prover in order to check semantics preservation, equivalence preservation, and full abstraction by two approaches: logical relations and bisimulation [10]. For instance, the closed-world project CompCert is a particular subset of C and was entirely proved within the Coq proof assistant based on constructive type theory from axiomatic semantics [8]. Others used the interactive theorem prover Lean and Concrete Semantics [11].

On the other hand, security concerns about compiler correctness, have you asked yourself if your compiler is secure? In other words, is your compiler introducing security errors by optimizations?. This situation is called the correctness-security gap, which formally means that a compiler optimization introduces security errors, indeed not by source code, but compiler itself [3].

Frama-C [12]

Assuming your compiler has been proven and is secure, can your compiler verify your critical software?

We introduce you to an open-source C compiler called Frama-C that makes your software safer analyzing your code by Why3; it helps you to prove your software’s correctness.

Frama-C is contract-based, has functional properties, and allows extension with plugins. You’re going to test both of them: eva and wp.


Because installing software is hard, you set out framac/frama-c by Docker.

docker run framac/frama-c:25.0 frama-c --help

Hello world

And now write down example from docs:

int i, t[10];void main(void) {
for (i=0; i<=8+2; i++)
t[i] = i;

Run it

docker run -v $(pwd):/working -w /working framac/frama-c:25.0 frama-c -eva rte.c

You must see:

compiler analysis

Dijkstra’s Weakest Precondition Calculus

And now write down example from docs:

#include <stddef.h>
requires \valid(a+(0..n-1));
assigns a[0..n-1];ensures
\forall integer i;
0 <= i < n ==> a[i] == 0;
void set_to_0(int* a, size_t n){
size_t i;
loop invariant 0 <= i <= n;
loop invariant
\forall integer j;
0 <= j < i ==> a[j] == 0;
loop assigns i, a[0..n-1];
loop variant n-i;
for(i = 0; i < n; ++i)
a[i] = 0;
int main() {
int x[5] = {1, 1, 1, 1, 1};
set_to_0(x, 5);
return 0;

Run wp:

docker run -v $(pwd):/working -w /working framac/frama-c:25.0 frama-c -wp introduction_acsl.c

