Why

Why aims at being a verification conditions generator (VCG) back-end for other verification tools. It provides a powerful input language including higher-order functions, polymorphism, references, arrays and exceptions. It generates proof obligations for many systems: the proof assistants Coq, PVS, HOL Light, Mizar and the decision procedures haRVey and Simplify.

Currently, Why is used by the tools Krakatoa (verification of Java programs) and Caduceus (verification of C programs).

Note that the Why language can be used directly to verify programs; see for instance these examples.

Documentation

Examples of programs certified with Why are collected on this page.

Why is presented in this article. Theoretical foundations are described in this paper.

Download

• Source: why-1.55.tar.gz (contains Caduceus)

Previous versions:

• Source: why-1.42.tar.gz
• Linux-Intel: why-1.42-linux.tar.gz
• Windows: why-1.42.zip

You can access the FTP zone directly. Here are the recent changes.

Related tools

• Krakatoa, a tool on top of Why and Coq to certify JML-annotated Java programs, by Claude Marché, Christine Paulin and Xavier Urbain
• Caduceus, a tool on top of Why to certify C programs, by Jean-Christophe Filliâtre and Claude Marché
• The Coq proof assistant
• The PVS specification and verification system
• HOL Light
• Mizar
• haRVey, a decision procedure developped at LORIA by David Déharbe and Silvio Ranise
• Simplify, the decision procedure from ESC/Java

Credits

• Why is developed by Jean-Christophe Filliâtre
• Useful feedback was provided by M. Levy, N. Magaud, C. Marché, C. Paulin, S. Ranise, L. Théry, X. Urbain, F. Wiedijk
• Michel Levy contributed to Why's PVS library