Results 1  10
of
29
Formal Verification of Probabilistic Algorithms
, 2002
"... This thesis shows how probabilistic algorithms can be formally verified using a mechanical theorem prover. We begin with an extensive foundational development of probability, creating a higherorder logic formalization of mathematical measure theory. This allows the definition of the probability spac ..."
Abstract

Cited by 37 (3 self)
 Add to MetaCart
This thesis shows how probabilistic algorithms can be formally verified using a mechanical theorem prover. We begin with an extensive foundational development of probability, creating a higherorder logic formalization of mathematical measure theory. This allows the definition of the probability space we use to model a random bit generator, which informally is a stream of coinflips, or technically an infinite sequence of IID Bernoulli ( 1) random variables. 2 Probabilistic programs are modelled using the statetransformer monad familiar from functional programming, where the random bit generator is passed around in the computation. Functions remove random bits from the generator to perform their calculation, and then pass back the changed random bit generator with the result. Our probability space modelling the random bit generator allows us to give precise probabilistic specifications of such programs, and then verify them in the theorem prover. We also develop technical support designed to expedite verification: probabilistic quantifiers; a compositional property subsuming measurability and independence; a probabilistic while loop together with a formal concept of termination with probability 1. We also introduce a technique for reducing properties of a probabilistic while loop to properties of programs that are guaranteed to terminate: these can then be established using induction and standard methods of program correctness. We demonstrate the formal framework with some example probabilistic programs: sampling algorithms for four probability distributions; some optimal procedures for generating dice rolls from coin flips; the symmetric simple random walk. In addition, we verify the MillerRabin primality test, a wellknown and commercially used probabilistic algorithm. Our fundamental perspective allows us to define a version with strong properties, which we can execute in the logic to prove compositeness of numbers. 3 4
Automated Correctness Proofs of Machine Code Programs for a Commercial Microprocessor
, 1991
"... We have formally specified a substantial subset of the MC68020, a widely used microprocessor built by Motorola, within the mathematical logic of the automated reasoning system Nqthm, i.e., the BoyerMoore Theorem Prover [4]. Using this MC68020 specification, we have mechanically checked the correctn ..."
Abstract

Cited by 32 (2 self)
 Add to MetaCart
We have formally specified a substantial subset of the MC68020, a widely used microprocessor built by Motorola, within the mathematical logic of the automated reasoning system Nqthm, i.e., the BoyerMoore Theorem Prover [4]. Using this MC68020 specification, we have mechanically checked the correctness of MC68020 machine code programs for Euclid's GCD, Hoare's Quick Sort, binary search, and other wellknown algorithms. The machine code for these examples was generated using the Gnu C and the Verdix Ada compilers. We have developed an extensive library of proven lemmas to facilitate automated reasoning about machine code programs. We describe a two stage methodology we use to do our machine code proofs.
Inductive assertions and operational semantics
 CHARME 2003. Volume 2860 of LNCS., SpringerVerlag
, 2003
"... Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require th ..."
Abstract

Cited by 25 (7 self)
 Add to MetaCart
Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require the definition of a verification condition generation. The paper focuses on iterative programs but recursive programs are briefly discussed. Assertions are attached to the program by defining a predicate on states. This predicate is then “completed ” to an alleged invariant by the definition of a partial function defined in terms of the state transition function of the operational semantics. If this alleged invariant can be proved to be an invariant under the state transition function, it follows that the assertions are true every time they are encountered in execution and thus that the postcondition is true if reached from a state satisfying the precondition. But because of the manner in which the alleged invariant is defined, the verification conditions are sufficient to prove invariance. Indeed, the “natural ” proof generates the classical verification conditions as subgoals. The invariant function may be thought of as a statebased verification condition generator for the annotated program. The method allows standard inductive assertion style proofs to be constructed directly in an operational semantics setting. The technique is demonstrated by proving the partial correctness of simple bytecode programs with respect to a preexisting operational model of the Java Virtual Machine. 1
Facing up to faults
 The Computer Journal
, 2000
"... As individuals, organisations and indeed the world at large have become more dependent on computerbased systems, so there has been an evergrowing amount of research into means for improving the dependability of these systems. In particular there has been much work on trying to gain increased under ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
As individuals, organisations and indeed the world at large have become more dependent on computerbased systems, so there has been an evergrowing amount of research into means for improving the dependability of these systems. In particular there has been much work on trying to gain increased understanding of the many and varied types of faults that need to be prevented or tolerated in order to reduce the probability and severity of system failures. In this talk I discuss the assumptions that are often made by computing system designers regarding faults, survey a number of continuing issues related to fault tolerance, and identify some of the latest challenges facing researchers in this arena. In The Beginning It is a great honour and privilege to be asked to give this, the second, Turing Lecture. Let me start by mentioning that, to my great regret, I never met Alan Turing, whose tragic death occurred just a few years before I became involved with computing. His character and achievements have however always fascinated me at one time I spent much effort trying to investigate his wartime work on cryptanalysis and codebreaking devices. As a result I managed to uncover and help to gain belated
ConSIT: A Fully Automated Conditioned Program Slicer
, 2003
"... This paper describes the first fully automated conditioned slicing system, C##SIT, detailing the theory that underlies it, its architecture and the way it combines symbolic execution, theorem proving and slicing technologies. The use of C##SIT is illustrated with respect to the applications of testi ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
This paper describes the first fully automated conditioned slicing system, C##SIT, detailing the theory that underlies it, its architecture and the way it combines symbolic execution, theorem proving and slicing technologies. The use of C##SIT is illustrated with respect to the applications of testing and comprehension. ### #####: Conditioned Slicing, program conditioning, slicing, symbolic execution, path analysis
A numerical abstract domain based on expression abstraction and max operator with application in timing analysis
 In CAV
, 2008
"... Abstract. This paper describes a precise numerical abstract domain for use in timing analysis. The numerical abstract domain is parameterized by a linear abstract domain and is constructed by means of two domain lifting operations. One domain lifting operation is based on the principle of expression ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Abstract. This paper describes a precise numerical abstract domain for use in timing analysis. The numerical abstract domain is parameterized by a linear abstract domain and is constructed by means of two domain lifting operations. One domain lifting operation is based on the principle of expression abstraction (which involves defining a set of expressions and specifying their semantics using a collection of directed inference rules) and has a more general applicability. It lifts any given abstract domain to include reasoning about a given set of expressions whose semantics is abstracted using a set of axioms. The other domain lifting operation domain via introduction of max expressions. We present experimental results demonstrating the potential of the new numerical abstract domain to discover a wide variety of timing bounds (including polynomial, disjunctive, logarithmic, exponential, etc.) for small C programs. 1
Efficiently Solving Quantified BitVector Formulas
"... Abstract—In recent years, bitprecise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifierfree fra ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
Abstract—In recent years, bitprecise reasoning has gained importance in hardware and software verification. Of renewed interest is the use of symbolic reasoning for synthesising loop invariants, ranking functions, or whole program fragments and hardware circuits. Solvers for the quantifierfree fragment of bitvector logic exist and often rely on SAT solvers for efficiency. However, many techniques require quantifiers in bitvector formulas to avoid an exponential blowup during construction. Solvers for quantified formulas usually flatten the input to obtain a quantified Boolean formula, losing much of the wordlevel information in the formula. We present a new approach based on a set of effective wordlevel simplifications that are traditionally employed in automated theorem proving, heuristic quantifier instantiation methods used in SMT solvers, and model finding techniques based on skeletons/templates. Experimental results on two different types of benchmarks indicate that our method outperforms the traditional flattening approach by multiple orders of magnitude of runtime. I.
Topological Dualities in Semantics
 Vrije Universiteit Amsterdam
, 1996
"... No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the author. The work in this thesis has been carried out under the auspices of the resea ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the author. The work in this thesis has been carried out under the auspices of the research
Formal verification of machinecode programs
, 2009
"... Formal program verification provides mathematical means of increasing assurance for the correctness of software. Most approaches to program verification are either fully automatic and prove only weak properties, or alternatively are manual and labour intensive to apply; few target realistically mode ..."
Abstract

Cited by 7 (4 self)
 Add to MetaCart
Formal program verification provides mathematical means of increasing assurance for the correctness of software. Most approaches to program verification are either fully automatic and prove only weak properties, or alternatively are manual and labour intensive to apply; few target realistically modelled machine code. The work presented in this dissertation aims to ease the effort required in proving properties of programs on top of detailed models of machine code. The contributions are novel approaches for both verification of existing programs and methods for automatically constructing correct code. For program verification, this thesis presents a new approach based on translation: the problem of proving properties of programs is reduced, via fullyautomatic deduction, to a problem of proving properties of recursive functions. The translation from programs to recursive functions is shown to be implementable in a theorem prover both for simple whileprograms as well as real machine code. This verificationaftertranslation approach has several advantages over established approaches of verification condition generation. In particular, the new approach does not require annotating the program with assertions. More