In [1]:
#load "DotNetInteractive.csx"

Added formatter for AGL graphs using VisJS to .NET Interactive kernel csharp.

Added formatter for Mermaid language to .NET Interactive kernel csharp.

Added formatter for DOT language to .NET Interactive kernel csharp.

Added formatter for VisJS networks to .NET Interactive kernel csharp.

Added formatter for jsTree diagrams to .NET Interactive kernel csharp.

Added formatter for TextMate highlighted code using Shiki to .NET Interactive kernel csharp.

In [13]:
#!html
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0/css/font-awesome.min.css">
<script async src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js?config=TeX-AMS-MML_CHTML"></script>

In [2]:
using Silver;
using Silver.Notebooks;

In [None]:
Verifier.VerifyCode("foo() {}")

In [3]:
using Silver.Drawing;
var t = new TreeNode("foo");
t

Data,Attributes,Children
foo,[ ],[ ]


In [4]:
var td = new TreeDiagram(new [] {t});
td

In [5]:
td

In [6]:
var gg = new TmHighlightedCode("boogie", "function {:bvbuiltin} bv8st(bv8,bv8) returns(bool);");
gg

# Formal verification

## Formal Verification - Key Questions
-----------
### <i class="fa fa-question-circle" style="font-size:48px;color:black"></i>  How do we *reason* about programs?
e.g. consider the simple C# program below
````csharp
static bool Main(string [] args)
{
    for (int i = 0; i < 10; i++)
    {
        if (i < 5)
        {
            return true;
        }
    }
    return false;
}
````
Can we say logically that this method will never return false?

## Formal Verification - Key Questions
-----------
 
### <i class="fa fa-question-circle" style="font-size:48px;color:black"></i> How do we *prove* statements about programs?
* A *logic* is a set of symbols, operators, rules, and axioms for composing and manipulating logical *formulae*
* e.g a *propositional logic* formula is $X \lor P \implies X = P$
* A *formal proof* uses the rules and axioms of a logic to demonstrate the logical validity of a formula


## Formal Verification - Key Questions
-----------
 
### <i class="fa fa-question-circle" style="font-size:48px;color:black"></i> How can we *automate* proving statements about programs?
* Many tools to automate
* 
* Satisfiability Modulo Theory (SMT) solvers like Z3 can prove a wide range of first-order logic formulae in the context of theories like integer arithmetic or arraya


## Formal Verification - Key Questions
-----------
 
### <i class="fa fa-question-circle" style="font-size:48px;color:black"></i> How can we *integrate* proving statements about programs into a languag ?
* Several approaches to formal verificaion
* 
* Z3 - Satisfiability Modulo Theory solvers
*

## Formal Verification - Hoare Logic
-----------
 
### <i class="fa fa-check-circle" style="font-size:48px;color:black"></i> How can we *integrate* proving statements about programs into a languag ?
* Several approaches to formal verificaion
* 
* Z3 - Satisfiability Modulo Theory solvers
*

## Formal Verification - Hoare Logic
-----------
 
### <i class="fa fa-check-circle" style="font-size:48px;color:black"></i> How can we *integrate* proofs of properties and statements about programs into a language ?
* Use an entirely new language
* Use a separate language for specification
* Extend existing language

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-check-circle" style="font-size:48px;color:black"></i> Extending the existing langaguage
* Add constructs or keywords or functions to express specifications
* Use a compiler module or extension
* Extend existing language

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-star" style="font-size:48px;color:black"></i> SMTChecker
* https://docs.soliditylang.org/en/v0.8.17/smtchecker.html
* Solidity compiler module
* Enable with CLI flag `--model-checker-engine` or JSON option `settings.modelChecker.engine`
* Add `require` and `assert` functions
* Statically verify method preconditions and asserts in Solidity code

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-star" style="font-size:48px;color:black"></i>SMTChecker
```javascript
// SPDX-License-Identifier: GPL-3.0
pragma solidity >=0.8.0;

contract Max {
    function max(uint[] memory _a) public pure returns (uint) {
        require(_a.length >= 5);
        uint m = 0;
        for (uint i = 0; i < _a.length; ++i)
            if (_a[i] > m)
                m = _a[i];

        for (uint i = 0; i < _a.length; ++i)
            assert(m > _a[i]);

        return m;
    }
}
````

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-star" style="font-size:48px;color:black"></i> solc-verify
* https://github.com/SRI-CSL/solidity
* Solidity compiler fork
* Translates Solidity code to Boogie IVL
* Add support for verifying preconditions, postconditions, invariants

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-star" style="font-size:48px;color:black"></i> solc-verify
```javascript
pragma solidity >=0.5.0;

/// @notice invariant x == y
contract C {
    int x;
    int y;

    /// @notice precondition x == y
    /// @notice postcondition x == (y + n)
    /// @notice modifies x
    function add_to_x(int n) internal {
        x = x + n;
        require(x >= y); // Ensures that there is no overflow
    }

    /// @notice modifies x if n > 0
    /// @notice modifies y if n > 0
    function add(int n) public {
        require(n >= 0);
        add_to_x(n);
        /// @notice invariant y <= x
        while (y < x) {
            y = y + 1;
        }
    }
}
````

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-star" style="font-size:48px;color:black"></i> Act
* https://github.com/ethereum/act
* Ethereum smart contract spec
* Translates Solidity code to Boogie IVL
* Add support for verifying preconditions, postconditions, invariants

## Smart Contract Formal Verification - Approaches
-----------
 
### <i class="fa fa-star" style="font-size:48px;color:black"></i> solc-verify
```javascript
pragma solidity >=0.5.0;

/// @notice invariant x == y
contract C {
    int x;
    int y;

    /// @notice precondition x == y
    /// @notice postcondition x == (y + n)
    /// @notice modifies x
    function add_to_x(int n) internal {
        x = x + n;
        require(x >= y); // Ensures that there is no overflow
    }

    /// @notice modifies x if n > 0
    /// @notice modifies y if n > 0
    function add(int n) public {
        require(n >= 0);
        add_to_x(n);
        /// @notice invariant y <= x
        while (y < x) {
            y = y + 1;
        }
    }
}
````