Results 1  10
of
17
Mechanized metatheory for the masses: The POPLmark challenge
 In Theorem Proving in Higher Order Logics: 18th International Conference, number 3603 in LNCS
, 2005
"... Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambdacalculus with secon ..."
Abstract

Cited by 136 (15 self)
 Add to MetaCart
Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambdacalculus with secondorder polymorphism, subtyping, and records, these benchmarks embody many aspects of programming languages that are challenging to formalize: variable binding at both the term and type levels, syntactic forms with variable numbers of components (including binders), and proofs demanding complex induction principles. We hope that these benchmarks will help clarify the current state of the art, provide a basis for comparing competing technologies, and motivate further research. 1
Inductive assertions and operational semantics
 CHARME 2003. Volume 2860 of LNCS., SpringerVerlag
, 2003
"... Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require th ..."
Abstract

Cited by 25 (7 self)
 Add to MetaCart
Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require the definition of a verification condition generation. The paper focuses on iterative programs but recursive programs are briefly discussed. Assertions are attached to the program by defining a predicate on states. This predicate is then “completed ” to an alleged invariant by the definition of a partial function defined in terms of the state transition function of the operational semantics. If this alleged invariant can be proved to be an invariant under the state transition function, it follows that the assertions are true every time they are encountered in execution and thus that the postcondition is true if reached from a state satisfying the precondition. But because of the manner in which the alleged invariant is defined, the verification conditions are sufficient to prove invariance. Indeed, the “natural ” proof generates the classical verification conditions as subgoals. The invariant function may be thought of as a statebased verification condition generator for the annotated program. The method allows standard inductive assertion style proofs to be constructed directly in an operational semantics setting. The technique is demonstrated by proving the partial correctness of simple bytecode programs with respect to a preexisting operational model of the Java Virtual Machine. 1
Executable JVM Model for Analytical Reasoning: A Study
, 2003
"... To study the properties of the Java Virtual Machine(JVM) and Java programs, our research group has produced a series of JVM models written in a functional subset of Common Lisp. In this paper, we present our most complete JVM model from this series, namely, M6, which is derived from a careful study ..."
Abstract

Cited by 20 (5 self)
 Add to MetaCart
To study the properties of the Java Virtual Machine(JVM) and Java programs, our research group has produced a series of JVM models written in a functional subset of Common Lisp. In this paper, we present our most complete JVM model from this series, namely, M6, which is derived from a careful study of the J2ME KVM[16] implementation. On the one hand, our JVM model is a conventional machine emulator. M6 models accurately almost all aspects of the KVM implementation, including the dynamic class loading, class initialization and synchronization via monitors. It executes most J2ME Java programs that do not use any I/O or floating point operations. Engineers may consider M6 an implementation of the JVM. It is implemented with around 10K lines in 20+ modules. On the other hand, M6 is a novel model that allows for analytical reasoning besides conventional testing. M6 is written in an applicative (sideeffect free) subset of Common Lisp, for which we have given precise meaning in terms of axioms and inference rules. A property of M6 can be expressed as a formula. Rules of interference can be used analytically to derive properties of M6 and the Java programs that run on the model, using a mechanical theorem prover. We argue
Proving theorems about Java and the JVM with ACL2
 Models, Algebras and Logic of Engineering Software
, 2003
"... We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. ..."
Abstract

Cited by 18 (9 self)
 Add to MetaCart
We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. Theorems are proved about Java methods and classes by compiling them with javac and then proving the corresponding theorem about the JVM. Certain automatically applied strategies are implemented with rewrite rules (and other proofguiding pragmas) in ACL2 “books” to control the theorem prover when operating on problems involving the JVM model. The Java Virtual Machine or JVM [27] is the basic abstraction Java [17] implementors are expected to respect. We speculate that the JVM is an appropriate level of abstraction at which to model Java programs with the intention of mechanically verifying their properties. The most complex features of the Java subset we handle – construction and initialization of new objects, synchronization, thread management, and virtual method invocation – are all supported directly and with full abstraction as single atomic instructions in the JVM. The complexity of verifying JVM bytecode program stems from the complexity of Java’s semantics, not
Formalising java’s data race free guarantee
 In 20th International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2007
, 2007
"... Abstract. We formalise the data race free (DRF) guarantee provided by Java, as captured by the semiformal Java Memory Model (JMM) [1] and published in the Java Language Specification [2]. The DRF guarantee says that all programs which are correctly synchronised (i.e., free of data races) can only h ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
Abstract. We formalise the data race free (DRF) guarantee provided by Java, as captured by the semiformal Java Memory Model (JMM) [1] and published in the Java Language Specification [2]. The DRF guarantee says that all programs which are correctly synchronised (i.e., free of data races) can only have sequentially consistent behaviours. Such programs can be understood intuitively by programmers. Formalisation has achieved three aims. First, we made definitions and proofs precise, leading to a better understanding; our analysis found several hidden inconsistencies and missing details. Second, the formalisation lets us explore variations and investigate their impact in the proof with the aim of simplifying the model; we found that not all of the anticipated conditions in the JMM definition were actually necessary for the DRF guarantee. This allows us to suggest a quick fix to a recently discovered serious bug [3] without invalidating the DRF guarantee. Finally, the formal definition provides a basis to test concrete examples, and opens the way for future work on JMMaware logics for concurrent programs. 1
Model checking the Java MetaLocking algorithm
 In IEEE International Conference on the Engineering of Computer Based Systems. IEEE
, 2000
"... We report on our efforts to use the XMC model checker to model and verify the Java metalocking algorithm. XMC [Ramakrishna et al. 1997] is a versatile and efficient model checker for systems specified in XL, a highly expressive valuepassing language. Metalocking [Agesen et al. 1999] is a highlyopt ..."
Abstract

Cited by 16 (6 self)
 Add to MetaCart
We report on our efforts to use the XMC model checker to model and verify the Java metalocking algorithm. XMC [Ramakrishna et al. 1997] is a versatile and efficient model checker for systems specified in XL, a highly expressive valuepassing language. Metalocking [Agesen et al. 1999] is a highlyoptimized technique for ensuring mutually exclusive access by threads to object monitor queues and, therefore; plays an essential role in allowing Java to offer concurrent access to objects. Metalocking can be viewed as a twotiered scheme. At the upper level, the metalock level, a thread waits until it can enqueue itself on an object’s monitor queue in a mutually exclusive manner. At the lower level, the monitorlock level, enqueued threads race to obtain exclusive access to the object. Our abstract XL specification of the metalocking algorithm is fully parameterized, both on the number of threads M, and the number of objects N. It also captures a sophisticated optimization of the basic metalocking algorithm known as extrafast locking and unlocking of uncontended objects. Using XMC, we show that for a variety of values of M and N, the algorithm indeed provides mutual exclusion and freedom from deadlock and lockout at the metalock level. We also show that, while the monitorlock level of the protocol preserves mutual exclusion and deadlockfreedom, it is not lockoutfree because the protocol’s designers chose to give equal preference to awaiting threads and newly arrived threads.
Using Eternity Variables to Specify and Prove a Serializable Database Interface
 Sci. Comput. Program
, 2003
"... Eternity variables are introduced to specify and verify serializability of transactions of a distributed database. Eternity variables are a new kind of auxiliary variables. They do not occur in the implementation but are used in specification and verification. Elsewhere it has been proved that et ..."
Abstract

Cited by 5 (4 self)
 Add to MetaCart
Eternity variables are introduced to specify and verify serializability of transactions of a distributed database. Eternity variables are a new kind of auxiliary variables. They do not occur in the implementation but are used in specification and verification. Elsewhere it has been proved that eternity variables in combination with history variables are semantically complete for proving refinement relations.
A mechanized program verifier
 In IFIP Working Conference on the Program Verifier Challenge
, 2005
"... Abstract. In my view, the “verification problem ” is the theorem proving problem, restricted to a computational logic. My approach is: adopt a functional programming language, build a general purpose formal reasoning engine around it, integrate it into a program and proof development environment, an ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. In my view, the “verification problem ” is the theorem proving problem, restricted to a computational logic. My approach is: adopt a functional programming language, build a general purpose formal reasoning engine around it, integrate it into a program and proof development environment, and apply it to model and verify a wide variety of computing artifacts, usually modeled operationally within the functional programming language. Everything done in this approach is software verification since the models are runnable programs in a subset of an ANSI standard programming language (Common Lisp). But this approach is of interest to proponents of other approaches (e.g., verification of procedural programs or synthesis) because of the nature of the mathematics of computing. I summarize the progress so far using this approach, sketch the key research challenges ahead and describe my vision of the role and shape of a useful verification system. 1
Reasoning about safety properties in a JVMlike environment
, 2006
"... Typebased protection mechanisms in a JVMlike environment must be administrated by the code consumer at the bytecode level. Unfortunately, formulating a sound static type system for the full JVM bytecode language can be a daunting task. It is therefore counterproductive for the designer of a bytec ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Typebased protection mechanisms in a JVMlike environment must be administrated by the code consumer at the bytecode level. Unfortunately, formulating a sound static type system for the full JVM bytecode language can be a daunting task. It is therefore counterproductive for the designer of a bytecodelevel type system to address the full complexity of the VM environment in the early stage of design. In this work, a lightweight modeling tool, Featherweight JVM, is proposed to facilitate the early evaluation of bytecodelevel, typebased protection mechanisms. In the style of Security Automata, Featherweight JVM is an event model that tracks interprocedural access events generated by a JVMlike environment. The effect of deploying a typebased protection mechanism can be modeled by a safety policy that restricts the event sequences produced by the VM model. To evaluate the effectiveness of the protection mechanism, security theorems in the form of state invariants can then be proven in the policyguarded VM model. This paper provides first evidence on the utility of this approach in providing early feedback to the designer of typebased protection mechanisms for JVMlike environments. 1.
Deductive Mechanical Verification of Concurrent Systems
, 2005
"... In the tenure of a graduate student, one often has the distinct pleasure to interact and work with a number of different colleagues with different perspectives in general and on research problems in particular. This has certainly been the case with my time as a fulltime and parttime graduate stude ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
In the tenure of a graduate student, one often has the distinct pleasure to interact and work with a number of different colleagues with different perspectives in general and on research problems in particular. This has certainly been the case with my time as a fulltime and parttime graduate student. Unfortunately, while the length of my tenure has thankfully increased the number of colleagues whom I have had the opportunity to work with, it has also increased the likelihood that I will forget to acknowledge those whom I truly should. To those individuals whom I do not include here, I offer my apology. I wish to first acknowledge the members of my committee: Don Fussell, Adnan Aziz, Warren Hunt, J Strother Moore, and Jacob Abraham. I am thankful to each of the committee members for their consideration and examination of my work and in general, for their time and patience. I wish to thank J Moore for his continued interest and support. I have been truly inspired by J’s focus, energy, and standards in the his work on ACL2. I also wish to thank my supervisor Jacob Abraham. Jacob has demonstrated an impressive amount of patience and allowed me the freedom to explore areas which we may not have otherwise considered. I have always been impressed with Jacob’s imagination and he has provided keen insights and constructive advice on my work which have proven very useful over the years.