Why3

Where Programs Meet Provers

• Overview
• Contact
• Download
• Documentation
• Publications
• Examples
• External Provers

Overview

Why3 is a platform for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correct-by-construction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs.

Why3 is a complete reimplementation of the former Why platform. Among the new features are: numerous extensions to the input language, a new architecture for calling external provers, and a well-designed API, allowing to use Why3 as a software library. An important emphasis is put on modularity and genericity, giving the end user a possibility to easily reuse Why3 formalizations or to add support for a new external prover if wanted.

See the specific section below for the list of supported provers.

Why3 is developed in the team-project Toccata (formerly ProVal) at INRIA Saclay-Île-de-France / LRI Univ Paris-Sud 11 / CNRS.

Contact User mailing list Bug tracking system Project page on INRIA GForge

Download Current release 0.81 Former releases Git source repository

People François Bobot Jean-Christophe Filliâtre Claude Marché Guillaume Melquiond Andrei Paskevich

Documentation and Examples

• PDF manual (version 0.81)
• Online manual (version 0.81)
• Standard library (version 0.81)
• Online API reference (version 0.81)
• Quick migration guide from Why 2.xx to Why3

Related Publications

• Logic
  • Why3: Shepherd Your Herd of Provers (BOOGIE 2011) [bib]
  • Expressing Polymorphic Types in a Many-Sorted Language (FroCos 2011) [bib]
  • Discharging Proof Obligations from Atelier B using Multiple Automated Provers [bib]
  • One Logic To Use Them All (forthcoming talk at CADE-24) [bib]
• Programming language
  • Verifying Two Lines of C with Why3: an Exercise in Program Verification (VSTTE 2012) [bib]
  • Binary heaps formally verified in Why3 [bib]
  • Why3 -- Where Programs Meet Provers (ESOP 2013) [bib]

Examples

• Visit our gallery of verified programs, as part of a larger gallery on the website of Toccata.

Lecture Notes

• Deductive Program Verification with Why3 (lecture at Digicosme Spring School 2013)
• (in French) Vérification déductive de programmes avec Why3 (JFLA, France, 2012)

Other Student Lectures using Why3

• Course Proofs of Programs at the Master Parisien de Recherche en Informatique
• (in Portuguese) Courses Formal methods and Certified Programming at the Universidade da Beira Interior, Portugal
• (in french) course Méthodes formelles et développement de logiciels sûrs at the Master Informatique de l'Université de Rennes

Projects using Why3

• EasyCrypt: toolset for reasoning about relational properties of probabilistic computations with adversarial code
• Frama-C: extensible and collaborative platform dedicated to source-code analysis of C software ; and its WP plug-in for deductive verification
• GNATprove: formal verification tool for Ada
• Krakatoa: verification tool for Java ; and the Jessie plug-in of Frama-C, distributed as part of the former Why tool.
• BWare project: discharging proof obligations generated by Atelier B using multiple provers

External Provers

This section gives a few tips to download, install and/or configure external provers. Each time a new prover is installed, you must rerun the command why3config --detect. Using the latest version is recommended (except for Yices, see below) and the config tool above will tell you if the version detected is supported or not.

For beginners with Why3, we recommend to install Alt-Ergo, CVC3, and Z3. They are open-source, available for many architectures, and together provide a fairly efficient prover support.

For more advanced use, installing Coq is also good to discharge complex VCs, such as when induction is required. It is also useful to understand why VCs are not proved, that is to debug the input program or its specification. In case of using Coq, we recommend to give a try to the why3 Coq tactic.

Automatic provers

Alt-Ergo

available under binary form for Unix and Windows, or under source form to be compiled using the OCaml compiler, from this page.

CVC3

available under source form and as a Linux binary from this page

CVC4

available under source form and as a Linux binary from this page

E-prover

available under source form as well as some binary format from this page

Gappa

a prover specialized on verification of numeric formulas, including floating-point numbers, available under source form from this page

Simplify

available under binary form for various architectures from this page or directly here

SPASS

available under source form as well as some binary format from this page

Vampire

available under binary form from this page

veriT

available under source form from this page

Yices

available under binary form for various platform from this page. (Note that Yices version 2 which participated to the SMT-COMP 2009 has no support for quantifiers; thus you should not use it with Why.)

Z3

available under source form from this page

Interactive provers, a.k.a. Proof assistants

The Coq proof assistant

The PVS specification and verification system