Results 1  10
of
10
Formal Verification of the Heap Manager of an Operating System using Separation Logic
 In 8th Int. Conf. on Formal Engineering Methods (ICFEM 2006), LNCS
"... nicolas at yl.is.s.utokyo.ac.jp reynald.affeldt at aist.go.jp yonezawa at yl.is.s.utokyo.ac.jp ..."
Abstract

Cited by 24 (7 self)
 Add to MetaCart
nicolas at yl.is.s.utokyo.ac.jp reynald.affeldt at aist.go.jp yonezawa at yl.is.s.utokyo.ac.jp
An abstract domain for analyzing heapmanipulating lowlevel software
 In CAV
, 2007
"... Abstract. We describe an abstract domain for representing useful invariants of heapmanipulating programs (in presence of recursive data structures and pointer arithmetic) written in languages like C or lowlevel code. This abstract domain allows representation of must and may equalities among point ..."
Abstract

Cited by 17 (0 self)
 Add to MetaCart
Abstract. We describe an abstract domain for representing useful invariants of heapmanipulating programs (in presence of recursive data structures and pointer arithmetic) written in languages like C or lowlevel code. This abstract domain allows representation of must and may equalities among pointer expressions. Pointer expressions contain existentially or universally quantified integer variables guarded by some base domain constraint. We allow quantification of a special form, namely ∃ ∀ quantification, to balance expressiveness with efficient automated deduction. The existential quantification is over some dummy nonprogram variables, which are automatically made explicit by our analysis to express useful program invariants. The universal quantifier is used to express properties of collections of memory locations. Our abstract interpreter domain. We present initial experimental results demonstrating the effectiveness of this abstract domain on some common coding patterns. 1
Matching logic: An alternative to Hoare/Floyd logic
 In AMAST’10, volume 6486 of LNCS
, 2010
"... Abstract. This paper introduces matching logic, a novel framework for defining axiomatic semantics for programming languages, inspired from operational semantics. Matching logic specifications are particular firstorder formulae with constrained algebraic structure, called patterns. Program configur ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. This paper introduces matching logic, a novel framework for defining axiomatic semantics for programming languages, inspired from operational semantics. Matching logic specifications are particular firstorder formulae with constrained algebraic structure, called patterns. Program configurations satisfy patterns iff they match their algebraic structure and satisfy their constraints. Using a simple imperative language (IMP), it is shown that a restricted use of the matching logic proof system is equivalent to IMP’s Hoare logic proof system, in that any proof derived using either can be turned into a proof using the other. Extensions to IMP including a heap with dynamic memory allocation and pointer arithmetic are given, requiring no extension of the underlying firstorder logic; moreover, heap patterns such as lists, trees, queues, graphs, etc., are given algebraically using fistorder constraints over patterns. 1
Faithful mapping of model classes to mathematical structures’, Int. Workshop Specification and Verification of ComponentBased Systems
, 2007
"... Abstraction techniques are indispensable for the specification and verification of the functional behavior of programs. In objectoriented specification languages like JML, a powerful abstraction technique is the use of model classes, that is, classes that are only used for specification purposes an ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstraction techniques are indispensable for the specification and verification of the functional behavior of programs. In objectoriented specification languages like JML, a powerful abstraction technique is the use of model classes, that is, classes that are only used for specification purposes and that provide objectoriented interfaces for essential mathematical concepts such as sets or relations. While the use of model classes in specifications is natural and powerful, they pose problems for verification. Program verifiers map model classes to their underlying logics. Flaws in a model class or the mapping can easily lead to unsoundness and incompleteness. This article proposes an approach for the faithful mapping of model classes to mathematical structures provided by the theorem prover of the program verifier at hand. Faithfulness means that a given model class semantically corresponds to the mathematical structure it is mapped to. Our approach enables reasoning about programs specified in terms of model classes. It also helps in writing consistent and complete modelclass specifications as well as in identifying and checking redundant specifications. 1
Certification of Transformation Algorithms in ModelDriven Software Development
"... Abstract: The increasing reliance on ModelDriven Software Development calls for model compilers to assume the role of today’s compilers, i.e., reliability of these components is of utmost importance. We describe how to certify model transformations in this context by bridging the gap between the la ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract: The increasing reliance on ModelDriven Software Development calls for model compilers to assume the role of today’s compilers, i.e., reliability of these components is of utmost importance. We describe how to certify model transformations in this context by bridging the gap between the languages in which such transformations are specified (e.g., Essential MOF, OCL, OO programs) and the decision procedures needed to verify properties expected of such transformations. Two major aspects are investigated in this paper: (i) valid output is obtained for each valid input, (ii) the output satisfies certain properties. Results from application projects validate our approach, which internally applies modeldriven techniques to the certification process itself by mapping transformation specifications into the + CAL modelchecking language. 1
Explicit information flow properties in JML
"... Abstract This paper considers how explicit information flow properties can be expressed and verified in a traditional program logic, using pre and postconditions. As concrete specification language for expressing these properties we use the specification language JML for Java. For this we propose a ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract This paper considers how explicit information flow properties can be expressed and verified in a traditional program logic, using pre and postconditions. As concrete specification language for expressing these properties we use the specification language JML for Java. For this we propose a new classification of information flow properties, namely positive and negative properties, where the former are easier to describe. This also leads us to reconsider the duality between integrity and confidentiality in the light of the difference between explicit and implicit information flows. 1
Specification Predicates with Explicit Dependency Information
"... Abstract. Specifications of programs use auxiliary symbols to encapsulate concepts for a variety of reasons: readability, reusability, structuring and, in particular, for writing recursive definitions. The definition of these symbols often depends implicitly on the value of other locations such as f ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. Specifications of programs use auxiliary symbols to encapsulate concepts for a variety of reasons: readability, reusability, structuring and, in particular, for writing recursive definitions. The definition of these symbols often depends implicitly on the value of other locations such as fields that are not stated explicitly as arguments. These hidden dependencies make the verification process substantially more difficult. In this paper we develop a framework that makes dependency on locations explicit. This allows to define general simplification rules that avoid unfolding of predicate definitions in many cases. A number of nontrivial case studies show the usefulness of the concept. 1
Natural Proofs for Structure, Data, and Separation
"... We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely autom ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
We propose natural proofs for reasoning with programs that manipulate datastructures against specifications that describe the structure of the heap, the data stored within it, and separation and framing of substructures. Natural proofs are a subclass of proofs that are amenable to completely automated reasoning, that provide sound but incomplete procedures, and that capture common reasoning tactics in program verification. We develop a dialect of separation logic over heaps, called Dryad, with recursive definitions that avoids explicit quantification. We develop ways to reason with heaplets using classical logic over the theory of sets, and develop natural proofs for reasoning using proof tactics involving disciplined unfoldings and formula abstractions. Natural proofs are encoded into decidable theories of firstorder logic so as to be discharged using SMT solvers. We also implement the technique and show that a large class of more than 100 correct programs that manipulate datastructures are amenable to full functional correctness using the proposed natural proof method. These programs are drawn from a variety of sources including standard datastructures, the SchorrWaite algorithm for garbage collection, a large number of lowlevel C routines from the Glib library and OpenBSD library, the Linux kernel, and routines from a secure verified OSbrowser project. Our work is the first that we know of that can handle such a wide range of full functional verification properties of heaps automatically, given pre/post and loop invariant annotations. We believe that this work paves the way for deductive verification technology to be used by programmers who do not (and need not) understand the internals of the underlying logic solvers, significantly increasing their applicability in building reliable systems.
Reasoning about Pointer Structures in Java
, 2006
"... Java programs often use pointer structures for normal computations. A verification system for Java should have good proof support for reasoning about those structures. However, the literature for pointer verification almost always uses specifications and definitions that are tailored to the problem ..."
Abstract
 Add to MetaCart
Java programs often use pointer structures for normal computations. A verification system for Java should have good proof support for reasoning about those structures. However, the literature for pointer verification almost always uses specifications and definitions that are tailored to the problem under consideration. We propose a generic specification for Java pointer structures that allows to express many important properties, and is easy to use in proofs. The specification is part of the Java calculus [22] in the KIV [15] prover.