## About

66 Publications, 7,542 Reads


1,801 Citations

Introduction

Virgile Prevosto works at the List Institute of CEA Tech, in the Paris-Saclay research cluster. Their main research interests are in Programming Languages, Software Engineering and Software Verification. Their work mostly occurs within the development of the Frama-C software analysis framework (https://frama-c.com/).

## Publications

Publications (66)

One of the key features of Frama-C is its extensibility. More precisely, the platform is based on a kernel, which provides the core services and data structures that are needed for analyzing C programs, including in particular parsing C and ACSL code. Analyses themselves are then implemented by plug-ins, which use the kernel's API to, among other thi...

The ACSL specification language allows the verification engineer to specify almost any property they might want to verify at any given point in a given C program. For some complex properties, it can sometimes be done at the price of an extremely complex encoding, which could quickly become error-prone if written manually. To facilitate this task, a...

This chapter presents ACSL, the ANSI/ISO C Specification Language, focusing on its current implementation within the Frama-C framework. As its name suggests, ACSL is meant to express precisely and unambiguously the expected behavior of a piece of C code. It plays a central role in Frama-C, as nearly all plug-ins eventually manipulate ACSL specifica...

This chapter provides an overview of the Frama-C distribution, including its main plugins that are covered in depth by other chapters. It mainly focuses on the Frama-C kernel and the main services that it offers to the user. This includes notably passing proper arguments to launch Frama-C and drive an analysis, controlling the parsing and code norm...

Deductive verification typically relies on function contracts that specify the behavior of each function for a single function call. Relational properties link several function calls together within a single specification. They can express more advanced properties of a given function or relate calls to different functions, possibly run in parallel....

The use of function contracts to specify the behavior of functions often remains limited to the scope of a single function call. Relational properties link several function calls together within a single specification. They can express more advanced properties of a given function, such as non-interference, continuity, or monotonicity. They can also...

A panoramic view of a popular platform for C program analysis and verification.

Dataflow test coverage criteria, such as all-defs and all-uses, belong to the most advanced coverage criteria. These criteria are defined by complex artifacts combining variable definitions, uses and program paths. Detection of polluting (i.e. inapplicable, infeasible and equivalent) test objectives for such criteria is a particularly challenging t...

International Conference on Integrated Formal Methods 2020-11-16/20, Lugano, Switzerland

This volume contains the proceedings of F-IDE 2019, the fifth international workshop on Formal Integrated Development Environment, which was held on October 7, 2019 in Porto, Portugal, as part of FM'19, the 3rd World Congress on Formal Methods. High levels of safety, security and privacy standards require the use of formal methods to specify and de...

Formal methods provide systematic and rigorous techniques for software development. We are convinced that they must be taught in Software Engineering curricula. In this paper, we present a set of formal methods courses included in a Software Engineering & Security track of ENSIIE, École Nationale Supérieure d’Informatique pour l’Industrie et l’Entr...

A common way to specify software properties is to associate a contract to each function, allowing the use of various techniques to assess (e.g. to prove or to test) that the implementation is valid with respect to these contracts. However, in practice, high-level properties are not always easily expressible through function contracts. Furthermore,...

Modular deductive verification is a powerful technique capable of showing that each function in a program satisfies its contract. However, function contracts do not provide a global view of which high-level (e.g. security-related) properties of a whole software module are actually established, making it very difficult to assess them. To address this i...

Modular deductive verification is a powerful technique capable of showing that each function in a program satisfies its specified contract. However, not all high-level (e.g. security-related) properties of a software module can be easily expressed through function contracts. To address this issue, this tool demo paper proposes a new specification mech...

This volume contains the proceedings of F-IDE 2018, the fourth international workshop on Formal Integrated Development Environment, which was held as a FLoC 2018 satellite event, on July 14, 2018, in Oxford, England. High levels of safety, security and also privacy standards require the use of formal methods to specify and develop compliant softwar...

This paper investigates the connection between the Kannan-Lipton Orbit Problem and the polynomial invariant generator algorithm PILA based on eigenvectors computation. Namely, we reduce the problem of generating linear and polynomial certificates of non-reachability for the Orbit Problem for linear transformations with coefficients in to the genera...

Function contracts are a well-established way of formally specifying the intended behavior of a function. However, they usually only describe what should happen during a single call. Relational properties, on the other hand, link several function calls. They include such properties as non-interference, continuity and monotonicity. Other examples re...

Testing is the primary approach for detecting software defects. A major challenge faced by testers lies in crafting efficient test suites, able to detect a maximum number of bugs with manageable effort. To do so, they rely on coverage criteria, which define some precise test objectives to be covered. However, many common criteria specify a signific...

This paper investigates the connection between the Kannan-Lipton Orbit Problem and the polynomial invariant generator algorithm PILA based on eigenvectors computation. Namely, we reduce the problem of generating linear and polynomial certificates of non-reachability for the Orbit Problem for linear transformations with rational coefficients to the g...

Deductive verification provides a powerful tool to show functional properties of a given program. However, in practice, many properties of interest link several program calls. This is for instance the case for non-interference, continuity and monotonicity. Other examples relate sequences of function calls, for instance to show that decrypting an encryp...

Formal program verification faces two problems. The first problem is related to the necessity of having automated solvers that are powerful enough to decide whether a formula holds for a set of proof obligations as large as possible, whereas the second manifests in the need of finding sufficiently strong invariants to obtain correct proof obligatio...

Testing is the primary approach for detecting software defects. A major challenge faced by testers lies in crafting efficient test suites, able to detect a maximum number of bugs with manageable effort. To do so, they rely on coverage criteria, which define some precise test objectives to be covered. However, many common criteria specify a signific...

Context. Automating white-box testing is a major topic in software engineering. Over the years, many tools have thus been developed to support the various parts of the testing process. These tools rely implicitly or explicitly on a code coverage criterion to guide the automation. The...

Reactive systems can be modeled with various kinds of automata, such as Input Output Symbolic Transition Systems (IOSTS). Symbolic execution (SE) applied to IOSTS allows computing constraints associated to IOSTS path executions (path conditions). In this context, generating test cases amounts to finding numerical input values satisfying such constr...

A large amount of research has been carried out to automate white-box testing. While a wide range of different and sometimes heterogeneous code-coverage criteria have been proposed, there exists no generic formalism to describe them all, and available test automation tools usually support only a small subset of them. We introduce a new specificatio...

Automated white-box testing is a major issue in software engineering. In previous work, we introduced LTest, a generic and integrated toolkit for automated white-box testing of C programs. LTest supports a broad class of coverage criteria in a unified way (through the label specification mechanism) and covers most major parts of the testing process...

Self-composition provides a powerful theoretical approach to prove relational properties, i.e. properties relating several program executions, that has been applied to compare two runs of one or similar programs (in secure dataflow properties, code transformations, etc.). This tool demo paper presents RPP, an original implementation of self-composi...

Conference of 23rd International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2017 held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017 ; Conference Date: 22 April 2017 Through 29 April 2017; Conference Code:190569

Conference of 11th International Conference on Tests and Proofs, TAP 2017, held as part of STAF 2017 ; Conference Date: 19 July 2017 Through 20 July 2017; Conference Code:194199

When proving invariance properties of a program, we face two problems. The first problem is related to the necessity of proving tautologies of considered assertion language, whereas the second manifests in the need of finding sufficiently strong invariants. This paper focuses on the second problem and describes a new method for the automatic genera...

We present in this paper a new technique for generating polynomial invariants, divided into two independent parts: a procedure that reduces the analysis of loops composed of polynomial assignments to linear loops under certain hypotheses, and a procedure for generating inductive invariants for linear loops. Both of these techniques have a polynomial complexity...

While a wide range of different, sometimes heterogeneous test coverage criteria have been proposed, there exists no generic formalism to describe them, and available test automation tools usually support only a small subset of them. We introduce a unified specification language, called HTOL, providing a powerful generic mechanism to define test obj...

Modular deductive verification provides a sound and powerful technique to establish that any call to a given function respects its given specification. However, relational properties, i.e. properties relating several function calls, are not supported. This short paper presents an original automated technique for specification and verification of su...

As the development of ship software systems has followed the growth curve of digital technologies, Marine & Offshore assessors like BUREAU VERITAS, are lacking dedicated software standards and tools which are available to other industrial sectors like railways or aeronautics. Indeed, in this field of Marine & Offshore, software systems are seen as...

Conference of 14th International Symposium on Automated Technology for Verification and Analysis, ATVA 2016 ; Conference Date: 17 October 2016 Through 20 October 2016; Conference Code:185289

An Input Output Symbolic Transition System (IOSTS) specifies all expected sequences of input and output messages of a reactive system. Symbolic execution over this IOSTS then allows to generate a set of test cases that can exercise the various possible behaviors of the system it represents. In this paper, we extend the IOSTS framework with explicit...

This paper presents the use of the Frama-C toolkit for the formal verification of a model of train-controlling software against the requirements of the CENELEC norm EN 50128. We also compare our formal approach with traditional unit testing.

To help formal verification tools make their way into industry, they ought to be more widely used in software engineering classes. This tutorial paper serves this purpose and provides a lesson on formal specification and proof of programs with FRAMA-C, an open-source platform dedicated to analysis of C programs, and ACSL, a specification langua...

Frama-C is a source code analysis platform that aims at conducting verification of industrial-size C programs. It provides its users with a collection of plug-ins that perform static analysis, deductive verification, and testing, for safety- and security-critical software. Collaborative verification across cooperating plug-ins is enabled by their i...

Static analyzers should be correct. We used the random C-program generator Csmith, initially intended to test C compilers, to test parts of the Frama-C static analysis platform. Although Frama-C was already relatively mature at that point, fifty bugs were found and fixed during the process, in the front-end (AST elaboration and type-checking) and i...

We present functional dependencies, a convenient, formal, but high-level, specification format for a piece of procedural software (function). Functional dependencies specify the set of memory locations which may be modified by the function, and for each modified location, the set of memory locations that influence its final value. Verifying that a...

This experience report describes the choice of OCaml as the implementation language for Frama-C, a framework for the static analysis of C programs. OCaml became the implementation language for Frama-C because it is expressive. Most of the reasons listed in the remainder of this article are secondary reasons, features which are not specific to OCaml...

SPASS+T is an extension of the superposition-based theorem prover SPASS that allows us to enlarge the reasoning capabilities of SPASS using an arbitrary SMT procedure for arithmetic and free function symbols as a black-box. We discuss the architecture of SPASS+T and the capabilities, limitations, and applications of such a combination.

This article presents the use of the Coq proof assistant with DESS students (postgraduate level). First, in the framework of a course on language semantics, Coq helps students grasp notions often considered abstract by letting them relate these to more concrete terms. Next, a computer science project...

The focal language (formerly Foc) allows one to incrementally build modules and to prove formally their correctness. focal encourages a development process by refinement, deriving step-by-step implementations from specifications. This refinement process is realized using an inheritance mechanism on structures which can mix primitive operations, axi...

In this article, we present the use of the Coq proof assistant with DESS (Master thesis) students. First, in the framework of a course of programming language semantics, Coq greatly helps the students to understand formal and abstract notions, such as induction, by binding them to more concrete terms. Next, a computer science project shows that Coq...

The focal language (formerly Foc) allows a programmer to incrementally build mathematical structures and to formally prove their correctness. focal encourages a development process by refinement, deriving step-by-step implementations from specifications. This refinement process is realized using an inheritance mechanism on structures which can mi...

This thesis describes the construction of an environment to develop certified computer algebra libraries. First, we present species, the structures used to describe specifications, by multiple inheritance, refinement and parameterization. Collections are built by encapsulation of species and form the user library. We also define the static analyses...

In this paper, we present the FOC language, dedicated to the development of certified computer algebra libraries (that is, sets of programs). These libraries are based on a hierarchy of implementations of mathematical structures. After presenting the core set of features of our language, we describe the static analyses, which reject inconsistent pr...

In mathematics, algebraic structures are defined according to a rather strict hierarchy: rings come up after groups, which rely themselves on monoids, and so on. In the Foc project, we represent these structures by species. A species is made up of algorithms as well as proofs that these algorithms meet their specifications, and it can be built from...