Applying deductive verification to formally prove that a program respects its formal specification is a very complex and time-consuming task due in particular to the lack of feedback in case of proof failures. Along with a non-compliance between the code and its specification (due to an error in at least one of them), possible reasons of a proof failure include a missing or too weak specification for a called function or a loop, and lack of time or simply incapacity of the prover to finish a particular proof. This work proposes a methodology where test generation helps to identify the reason of a proof failure and to exhibit a counterexample clearly illustrating the issue. We define the categories of proof failures, introduce two subcategories of contract weaknesses (single and global ones), and examine their properties. We describe how to transform a C program formally specified in an executable specification language into C code suitable for testing, and illustrate the benefits of the method on comprehensive examples. The method has been implemented in StaDy , a plugin of the software analysis platform Frama -C. Initial experiments show that detecting non-compliances and contract weaknesses allows to precisely diagnose most proof failures.

中文翻译：

---

测试如何帮助诊断证明失败

应用演绎验证来正式证明程序尊重其正式规范是一项非常复杂且耗时的任务，特别是由于在证明失败的情况下缺乏反馈。除了代码与其规范之间的不合规性（由于至少其中一个错误）之外，证明失败的可能原因包括调用函数或循环的规范缺失或太弱，以及时间不足或者只是证明者没有能力完成特定的证明。这项工作提出了一种方法，其中测试生成有助于识别证明失败的原因并展示一个清楚地说明问题的反例。我们定义了证明失败的类别，引入了合约弱点的两个子类别（单个和全局弱点），并检查了它们的属性。我们描述了如何将一个以可执行规范语言正式指定的 C 程序转换为适合测试的 C 代码，并通过综合示例说明该方法的好处。该方法已在站台, 软件分析平台的插件框架-C。初步实验表明，检测不合规和合同漏洞可以准确诊断大多数证明失败。