Abstract. We present a comprehensive set of tactics that make it practical to use separation logic in a proof assistant. These tactics enable the verification of partial correctness properties of complex pointer-intensive programs. Our goal is to make separation logic as easy to use as the standard logic of a proof assistant. We have developed tactics for the simplification, rearranging, splitting, matching and rewriting of separation logic assertions as well as the discharging of a program verification condition using a separation logic description of the machine state. We have implemented our tactics in the Coq proof assistant, applying them to a deep embedding of Cminor, a C-like intermediate language used by Leroy’s verified CompCert compiler. We have used our tactics to verify the safety and completeness of a Cheney copying garbage collector written in Cminor. Our ideas should be applicable to other substructural logics and imperative languages. 1

Abstract. The Isabelle Collections Framework (ICF) provides a unified framework for using verified collection data structures in Isabelle/HOL formalizations and generating efficient functional code in ML, Haskell, and OCaml. Thanks to its modularity, it is easily extensible and supports switching to different data structures any time. For good integration with applications, a data refinement approach separates the correctness proofs from implementation details. The generated code based on the ICF lies in better complexity classes than the one that uses Isabelle’s default setup (logarithmic vs. linear time). In a case study with tree automata, we demonstrate that the ICF is easy to use and efficient: An ICF based, verified tree automata library outperforms the unverified Timbuk/Taml library by a factor of 14. 1

In this paper we demonstrate how to prove the correctness of systems implemented using lowlevel imperative features like pointers, files, and socket I/O with respect to high level I/O protocol descriptions by using the Coq proof assistant. We present a web-based course gradebook application developed with Ynot, a Coq library for verified imperative programming. We add a dialog-based I/O system to Ynot, and we extend Ynot’s underlying Hoare logic with event traces to reason about I/O and protocol behavior. Expressive abstractions allow the modular verification of both high level specifications like privacy guarantees and low level properties like data structure pointer invariants.

We present a formalization and a formal total correctness proof of a MiniSATlike SAT solver within the system Isabelle/HOL. The solver is based on the DPLL procedure and employs most state-of-the art SAT solving techniques, including the conflict-guided backjumping, clause learning, and the two-watch unit propagation scheme. A shallow embedding into HOL is used and the solver is expressed as a set of recursive HOL functions. Based on this specification, the Isabelle’s built-in code generator can be used to generate executable code in several supported functional languages (Haskell, SML, and OCaml). The SAT solver implemented in this way is, to our knowledge, the first fully formally and mechanically verified modern SAT solver.

This development provides an efficient, extensible, machine checked collections framework for use in Isabelle/HOL. The library adopts the concepts of interface, implementation and generic algorithm from object-oriented programming and implements them in Isabelle/HOL. The framework features the use of data refinement techniques to refine an abstract specification (using high-level concepts like sets) to a more concrete implementation (using collection datastructures, like red-black-trees). The code-generator of Isabelle/HOL can be used to generate efficient code in all supported target languages, i.e. Haskell,

Imperative HOL is a leightweight framework for reasoning about imperative data structures in Isabelle/HOL [2]. Its basic ideas are described in [1]. However their concrete realisation has changed since, due to both extensions and refinements. Therefore this overview wants to present the framework “as it is ” by now. It focusses on the user-view, less on matters of construction. For details study of the theory sources is encouraged. 1 A polymorphic heap inside a monad Heaps (heap) can be populated by values of class heap; HOL’s default types are already instantiated to class heap. Class heap is a subclass of countable; see theory Countable for ways to instantiate types as countable. The heap is wrapped up in a monad ′ a Heap by means of the following specification: datatype ′ a Heap = Heap.Heap (heap ⇒ ( ′ a × heap) option) Unwrapping of this monad type happens through execute:: ′ a Heap ⇒ heap ⇒ ( ′ a × heap) option execute (Heap.Heap f) = f This allows for equational reasoning about monadic expressions; the fact collection execute-simps contains appropriate rewrites for all fundamental operations. Primitive fine-granular control over heaps is available through rule Heap-cases: ( ∧ x h ′. execute f h = Some (x, h ′ ) = ⇒ P) = ⇒ (execute f h = None = ⇒ P) = ⇒ P

2011 Imperative HOL is a leightweight framework for reasoning about imperative data structures in Isabelle/HOL [2]. Its basic ideas are described in [1]. However their concrete realisation has changed since, due to both extensions and refinements. Therefore this overview wants to present the framework “as it is ” by now. It focusses on the user-view, less on matters of construction. For details study of the theory sources is encouraged. 1 A polymorphic heap inside a monad Heaps (heap) can be populated by values of class heap; HOL’s default types are already instantiated to class heap. Class heap is a subclass of countable; see theory Countable for ways to instantiate types as countable. The heap is wrapped up in a monad ′ a Heap by means of the following specification: datatype ′ a Heap = Heap.Heap (heap ⇒ ( ′ a × heap) option) Unwrapping of this monad type happens through execute:: ′ a Heap ⇒ heap ⇒ ( ′ a × heap) option execute (Heap.Heap f) = f This allows for equational reasoning about monadic expressions; the fact collection execute-simps contains appropriate rewrites for all fundamental operations. Primitive fine-granular control over heaps is available through rule Heap-cases: ( ∧ x h ′. execute f h = Some (x, h ′ ) = ⇒ P) = ⇒ (execute f h = None = ⇒ P) = ⇒ P Monadic expression involve the usual combinators:

Bluespec SystemVerilog (BSV) is a Hardware Description Language based on the guarded action model of concurrency. It has an elegant semantics, which makes it well suited for formal reasoning. To date, a number of BSV designs have been verified with hand proofs, but little work has been conducted on the application of automated reasoning. We present a prototype shallow embedding of BSV in the PVS theorem prover. Our embedding is compatible with the PVS model checker, which can automatically prove an important class of theorems, and can also be used in conjunction with the powerful proof strategies of PVS to verify a broader class of properties than can be achieved with model checking alone. 1

Abstract. Considerable effort has gone into the techniques of extracting executable code from formal specifications and animating them. We show how to apply these techniques to the large JinjaThreads formalisation. It models a substantial subset of multithreaded Java source and bytecode in Isabelle/HOL and focuses on proofs and modularity whereas code generation was of little concern in its design. Employing Isabelle’s code generation facilities, we obtain a verified Java interpreter that is sufficiently efficient for running small Java programs. To this end, we present refined implementations for common notions such as the reflexive transitive closure and Russell’s definite description operator. From our experience, we distill simple guidelines on how to develop future formalisations with executability in mind. 1

Abstract. Formal verification of complex algorithms is challenging. Verifying their implementations goes beyond the state of the art of current verification tools and proving their correctness usually involves non-trivial mathematical theorems. Certifying algorithms compute in addition to each output a witness certifying that the output is correct. A checker for such a witness is usually much simpler than the original algorithm – yet it is all the user has to trust. Verification of checkers is feasible with current tools and leads to computations that can be completely trusted. In this paper we develop a framework to seamlessly verify certifying computations. The automatic verifier VCC is used for checking code correctness, and the interactive theorem prover Isabelle/HOL targets high-level mathematical properties of algorithms. We demonstrate the effectiveness of our approach by applying it to the verification of the algorithmic library LEDA. 1