Introduction

The Stainless verification framework aims to help developers build verified Scala software. It encourages using a small set of core Scala features and provides unique verification functionality. In particular, Stainless can

  • verify statically that your program conforms to a given specification and that it cannot crash at run-time

  • provide useful counterexamples when an implementation does not satisfy its specification

  • verify that your program will terminate on all inputs

Stainless and Scala

Stainless attempts to strike a delicate balance between the convenience of use on the one hand and the simplicity of reasoning on the other hand. Stainless supports verification of Scala programs by applying a succession of semantic-preserving transformations to the Pure Scala fragment until it fits into the fragment supported by Inox. The Pure Scala fragment is at the core of the functional programming paradigm and should sound familiar to users of Scala, Haskell, ML, and fragments present in interactive theorem provers such as Isabelle and Coq. Thus, if you do not already know Scala, learning the Stainless subset should be easier as it is a smaller language. Moreover, thanks to the use of a Scala front end, Stainless supports implicits and for comprehensions (which also serve as a syntax for monads in Scala). Stainless also comes with a simple library of useful data types, which are designed to work well with automated reasoning and Stainless’s language fragment.

In addition to this pure fragment, Stainless supports certain imperative features. Features thus introduced are handled by a translation into Pure Scala concepts. They are often more than just syntactic sugar, because some of them require significant modification of the original program, such as introducing additional parameters to a set of functions. As an intended aspect of its current design, Stainless’s language currently does not provide a default encoding of e.g. concurrency with a shared mutable heap, though it might support more manageable forms of concurrency in the future.

If you would like to use Stainless now, check the Installing Stainless section and follow Verifying and Compiling Examples and Tutorial. To learn more about the functionality that Stainless provides, read on below.

Software Verification

The Stainless program verifier collects a list of top-level functions, and verifies the validity of their contracts. Essentially, for each function, it will (try to) prove that the postcondition always holds, assuming a given precondition does hold. A simple example:

 def factorial(n: BigInt): BigInt = {
   require(n >= 0)
   if(n == 0) {
     BigInt(1)
   } else {
     n * factorial(n - 1)
   }
}.ensuring(res => res >= 0)

Stainless generates a postcondition verification condition for the above function, corresponding to the predicate parameter to the ensuring expression. It attempts to prove it using a combination of an internal algorithm and external automated theorem proving. Stainless will return one of the following:

  • The postcondition is valid. In that case, Stainless was able to prove that for any input to the function satisfying the precondition, the postcondition will always hold.

  • The postcondition is invalid. It means that Stainless disproved the postcondition and that there exists at least one input satisfying the precondition such that the postcondition does not hold. Stainless will always return a concrete counterexample, very useful when trying to understand why a function is not satisfying its contract.

  • The postcondition is unknown. It means Stainless is unable to prove or find a counterexample. It usually happens after a timeout or an internal error occurring in the external theorem prover.

Stainless will also verify for each call site that the precondition of the invoked function cannot be violated.

Stainless supports verification of a significant part of the Scala language, described in Pure Scala and Imperative.

Program Termination

A “verified” function in stainless is guaranteed to never crash, however, it can still lead to an infinite evaluation. Stainless therefore provides a termination checker that complements the verification of safety properties.

For each function in the program, Stainless will try to automatically infer a decreasing metric associated with this function to prove termination. The termination checker will then report one of the following:

  • The function terminates. In this case, Stainless was able to prove that for all inputs (satisfying the function’s precondition), evaluation of the function under those inputs is guaranteed to terminate.

  • The function loops. In this case, Stainless was able to construct an input to the function such that evaluation under that input will be looping.

  • The function maybe loops. In the case where recursive functions are passed around as first-class functions, Stainless will sometimes over-approximate the potential call sites and report loops that may never occur.

  • Termination of the function is unknown. In this case, Stainless was neither able to prove nor disprove termination of the relevant function. Automated termination proving is a hard problem and such cases are thus to be expected.

In cases where automated termination checking fails, Stainless provides the user with the ability to manually specify a measure under which termination should occur through the decreases construct. For example, the McCarthy 91 function can be shown terminating as follows:

 def M(n: BigInt): BigInt = {
   decreases(stainless.math.max(101 - n, 0))
   if (n > 100) n - 10 else M(M(n + 11))
}.ensuring(_ == (if (n > 100) n - 10 else BigInt(91)))

It is also possible to add a pre-condition (require(...)) before decreases.