Flexible Correct-by-Construction Programming
Tobias Runge, Tabea Bordis, Alex Potanin, Thomas Thüm, Ina Schaefer
TL;DR
This work revisits Correctness-by-Construction (CbC) and identifies a rigidity barrier due to fixed refinement rules and tool dependencies. It introduces two flexible successors, CbC-Block and TraitCbC: CbC-Block lets a refiner replace an abstract statement with a verifiable block of code, while TraitCbC uses trait-based method composition to guarantee correctness without refinement steps. The paper formalizes TraitCbC with a core calculus (syntax, typing, reduction, flattening) and proves soundness, and it details a CorC-based implementation for both CbC-Block and TraitCbC, including a user study for CbC-Block and a feasibility evaluation for TraitCbC. Together, these approaches broaden the practical applicability of constructive program verification, enabling incremental development and reuse in more scalable or language-diverse settings, while preserving correctness guarantees through structured verification.
Abstract
Correctness-by-Construction (CbC) is an incremental program construction process to construct functionally correct programs. The programs are constructed stepwise along with a specification that is inherently guaranteed to be satisfied. CbC is complex to use without specialized tool support, since it needs a set of predefined refinement rules of fixed granularity which are additional rules on top of the programming language. Each refinement rule introduces a specific programming statement and developers cannot depart from these rules to construct programs. CbC allows to develop software in a structured and incremental way to ensure correctness, but the limited flexibility is a disadvantage of CbC. In this work, we compare classic CbC with CbC-Block and TraitCbC. Both approaches CbC-Block and TraitCbC, are related to CbC, but they have new language constructs that enable a more flexible software construction approach. We provide for both approaches a programming guideline, which similar to CbC, leads to well-structured programs. CbC-Block extends CbC by adding a refinement rule to insert any block of statements. Therefore, we introduce CbC-Block as an extension of CbC. TraitCbC implements correctness-by-construction on the basis of traits with specified methods. We formally introduce TraitCbC and prove soundness of the construction strategy. All three development approaches are qualitatively compared regarding their programming constructs, tool support, and usability to assess which is best suited for certain tasks and developers.