Results 1-10 of 16
Modular Data Structure Verification
EECS Department, Massachusetts Institute of Technology, 2007
Abstract

Cited by 36 (21 self)
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higher-order logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to first-order logic, which enables the use of existing resolution-based theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Nitpick: A Counterexample Generator for Higher-Order Logic Based on a Relational Model Finder (Extended Abstract)
In TAP 2009: Short Papers, ETH, 2009
A Theory for Feature Models in Alloy
In: Proceedings of the 1st Alloy Workshop, 2006
Abstract

Cited by 12 (2 self)
Feature models are used to state the instances of a software product line. However, there is limited tool support for automatically checking properties of feature models. In this paper, we propose a theory of feature models in Alloy. This theory can be used to check a number of properties in the Alloy Analyzer. For instance, we show how to check whether general feature model transformations preserve the well-formedness rules of feature models. This theory is compared with an alternative theory in Alloy for checking feature model refactorings.
Monotonicity Inference for Higher-Order Formulas
2010
Abstract

Cited by 9 (8 self)
Formulas are often monotonic in the sense that if the formula is satisfiable for given domains of discourse, it is also satisfiable for all larger domains. Monotonicity is undecidable in general, but we devised two calculi that infer it in many cases for higher-order logic. The stronger calculus has been implemented in Isabelle’s model finder Nitpick, where it is used to prune the search space, leading to dramatic speed improvements for formulas involving many atomic types.
Nitpicking C++ Concurrency
2011
Abstract

Cited by 3 (2 self)
Previous work formalized the C++ memory model in Isabelle/HOL in an effort to clarify the proposed standard’s semantics. Here we employ the model finder Nitpick to check litmus test programs that exercise the memory model, including a simple locking algorithm. Nitpick is built on Kodkod (Alloy’s backend) but understands Isabelle’s richer logic; hence it can be applied directly to the C++ memory model. We only need to give it a few hints, and thanks to the underlying SAT solver it scales much better than the CPPMEM explicit-state model checker. This case study inspired optimizations in Nitpick from which other formalizations can now benefit.
Automatic Proof and Disproof in Isabelle/HOL
2011
Abstract

Cited by 3 (1 self)
Isabelle/HOL is a popular interactive theorem prover based on higher-order logic. It owes its success to its ease of use and powerful automation. Much of the automation is performed by external tools: The metaprover Sledgehammer relies on resolution provers and SMT solvers for its proof search, the counterexample generator Quickcheck uses the ML compiler as a fast evaluator for ground formulas, and its rival Nitpick is based on the model finder Kodkod, which performs a reduction to SAT. Together with the Isar structured proof format and a new asynchronous user interface, these tools have radically transformed the Isabelle user experience. This paper provides an overview of the main automatic proof and disproof tools.
Bounded Relational Analysis of Free Data Types
2008
Abstract

Cited by 1 (1 self)
In this paper we report on our first experiences using the relational analysis provided by the Alloy tool with the theorem prover KIV in the context of specifications of freely generated data types. The presented approach aims at improving KIV’s performance on first-order theories. In theorem proving practice a significant amount of time is spent on unsuccessful proof attempts. An automatic method that exhibits counterexamples for unprovable theorems would offer an extremely valuable support for a proof engineer by saving his time and effort. In practice, such counterexamples tend to be small, so usually there is no need to search for big instances. The paper defines a translation from KIV’s recursive definitions to Alloy, discusses its correctness and gives some examples.
Keywords: data types, model checking, verification, formal methods.
Toward a Formal Evaluation of Refactorings
Abstract

Cited by 1 (0 self)
Refactoring is a software development strategy that characteristically alters the syntactic structure of a program without changing its external behavior [2]. In this talk we present a methodology for extracting formal models from programs in order to evaluate how incremental refactorings affect the verifiability of their structural specifications.
On Deciding Functional Lists with Sublist Sets
Abstract

Cited by 1 (0 self)
Motivated by the problem of deciding verification conditions for the verification of functional programs, we present new decision procedures for automated reasoning about functional lists. We first show how to decide in NP the satisfiability problem for logical constraints containing equality, constructor, selectors, as well as the transitive sublist relation. We then extend this class of constraints with operators to compute the set of all sublists, and the set of objects stored in a list. Finally, we support constraints on sizes of sets, which gives us the ability to compute list length as well as the number of distinct list elements. We show that the extended theory is reducible to the theory of sets with linear cardinality constraints, and therefore still in NP. This reduction enables us to combine our theory with other decidable theories that impose constraints on sets of objects, which further increases the potential of our decidability result in verification of functional and imperative software.
TestEra: A Tool for Testing Java Programs Using Alloy Specifications
Abstract

Cited by 1 (0 self)
This tool paper presents an embodiment of TestEra, a framework developed in previous work for specification-based testing of Java programs. To test a Java method, TestEra uses the method’s precondition specification to generate test inputs and the postcondition to check correctness of outputs. TestEra supports specifications written in Alloy, a first-order, declarative language based on relations, and uses the SAT-based backend of the Alloy toolset for systematic generation of test suites. Each test case is a JUnit test method, which performs three key steps: (1) initialization of pre-state, i.e., creation of inputs to the method under test; (2) invocation of the method; and (3) checking the correctness of post-state, i.e., checking the method output. The tool supports visualization of inputs and outputs as object graphs for graphical illustration of method behavior. TestEra is available for download to be used as a library or as an Eclipse plugin.