Spec# is the latest in a long line of work on programming languages and systems aimed at improving the development of correct software. This paper describes the goals and architecture of the Spec# programming system, consisting of the object-oriented Spec# programming language, the Spec# compiler, and the Boogie static program verifier. The language includes constructs for writing specifications that capture programmer intentions about how methods and data are to be used, the compiler emits run-time checks to enforce these specifications, and the verifier can check the consistency between a program and its specifications. The Spec#

Abstract not found

this paper is organized as follows. Section 2 presents some related work. Section 3 describes the organization of the system. Section 4 briefly describes the specification language, including some interesting issues that arise when multiple levels of abstraction are present in the system. Section 5 describes the theorem prover. Section 6 describes some of the uses to which ESC has been put. Finally, section 7 presents conclusions and future directions.

Decision procedures are increasingly being employed for deciding or simplifying propositional combinations of ground equalities involving uninterpreted function symbols, linear arithmetic, arrays, and other theories. Two approaches for constructing decision procedures for combinations of ground theories were pioneered in the late seventies. In the approach of Nelson and Oppen, decision procedures for two disjoint theories are combined by introducing variables to name subterms and iteratively propagating any deduced equalities between variables from one theory to another. Shostak employs a different approach that works far more efficiently in practice. He uses an optimized implementation of the congruence closure procedure for ground equality over uninterpreted function symbols to combine theories that are canonizable and algebraically solvable. Many useful theories have these properties. Shostak's algorithm is subtle and complex and his description of this procedure is lacking in ri...

. The attractiveness of using theorem provers for system design verification lies in their generality. The major practical challenge confronting theorem proving technology is in combining this generality with an acceptable degree of automation. We describe an approach for enhancing the effectiveness of theorem provers for hardware verification through the use of efficient automatic procedures for rewriting, arithmetic and equality reasoning, and an off-the-shelf BDD-based propositional simplifier. These automatic procedures can be combined into general-purpose proof strategies that can efficiently automate a number of proofs including those of hardware correctness. The inference procedures and proof strategies have been implemented in the PVS verification system. They are applied to several examples including an N-bit adder, the Saxe pipelined processor, and the benchmark Tamarack microprocessor design. These examples illustrate the basic design philosophy underlying PVS where powerful...

Interface specifications should express program properties in a formal, declarative, and implementation-independent way. To achieve implementation-independency, interface specifications have to support data abstraction. Program verification should enable to prove implementations correct w.r.t. such interface specifications. The presented work bridges the gap between existing specification and verification techniques for object-oriented programs. The integration is done within a formal framework for interface specifications and programming language semantics. Interface specification techniques are enhanced to support the specification of data structure sharing and destructive updating of shared variables. These extensions are necessary for the specification of real life software libraries. Moreover this generalization is needed for intermediate steps in correctness proofs. For verification, Hoare logic is extended to capture recursive classes and subtyping. Based on this extended logic, techniques are presented for proving typing properties, class and method invariants. The new

This paper contributes a technique that expands the set of object invariants that one can reason about in modular verification. The technique uses history invariants, two-state invariants that describe the evolution of data values. The technique enables a flexible new way to specify and verify variations of the observer pattern, including iterators. The paper details history invariants and the new kind of object invariants, and proves a soundness theorem.

An investigation was made of the characteristics of computer programming languages intended for the implementation of provably correct programs and of the characteristics of programs written in these languages. It was discovered that potential run time exceptions and the necessity of providing a rigorously correct implementation of exception handlers so dominate the potential control paths of programs written in verifiable languages that the usual code optimization techniques are ineffective. It was further discovered that the call intensive control structures of these programs, necessitated by verification constraints, also thwart optimization and lead to inefficient code. It is shown that theorems can be derived at potential exception sites which, if true, guarantee that the exception condition will never arise permitting removal of the exception path from the program’s flow graph. These theorems are proved using the automatic theorem prover which is part of the program verification system. Is is also shown that many of the routine calls contained in verifiable programs may be reduced in expense by converting parameters to global variables or eliminated completely by expanding the called routines at their call sites. Both the exception suppression and call reduction techniques reduce the complexity of the program’s call graph and facilitate conventional optimizations. Several examples are presented and the potential improvements in code size resulting from the application of these techniques are discussed.

The role of decision procedures is often essential in theorem proving. Decision procedures can reduce the search space of heuristic components of a prover and increase its abilities. However, in some applications only a small number of conjectures fall within the scope of the available decision procedures. Some of these conjectures could in an informal sense fall ‘just outside’ that scope. In these situations a problem arises because lemmas have to be invoked or the decision procedure has to communicate with the heuristic component of a theorem prover. This problem is also related to the general problem of how to exibly integrate decision procedures into heuristic theorem provers. In this paper we address such problems and describe a framework for the exible integration of decision procedures into other proof methods. The proposed framework can be used in different theorem provers, for different theories and for different decision procedures. New decision procedures can be simply ‘plugged-in’ to the system. As an illustration, we describe an instantiation of this framework within the Clam proof-planning system, to which it is well suited. We report on some results using this implementation.

Theorem proving allows the formal verification of the correctness of very large systems. In order to increase the acceptance of theorem proving systems during the design process, we implemented higher order logic proof systems for ANSI-C and Verilog within a framework for application specific proof systems. Furthermore, we implement the language of the PVS theorem prover as well-established higher order specification language. The tool allows the verification of the design languages using a PVS specification and the verification of hardware designs using a C program as specification. We implement powerful decision procedures using Model Checkers and satisfiability checkers. We provide experimental results that compare the performance of our tool with PVS on large industrial scale hardware examples.