Results 1-10 of 91
Full functional verification of linked data structures
In ACM Conf. Programming Language Design and Implementation (PLDI), 2008
Cited by 79 (17 self)
Abstract
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higher-order logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
MONA Implementation Secrets
2000
Cited by 70 (6 self)
Abstract
The MONA tool provides an implementation of the decision procedures for the logics WS1S and WS2S. It has been used for numerous applications, and it is remarkably efficient in practice, even though it faces a theoretically nonelementary worst-case complexity. The implementation has matured over a period of six years. Compared to the first naive version, the present tool is faster by several orders of magnitude. This speedup is obtained from many different contributions working on all levels of the compilation and execution of formulas. We present a selection of implementation "secrets" that have been discovered and tested over the years, including formula reductions, DAGification, guided tree automata, three-valued logic, eager minimization, BDD-based automata representations, and cache-conscious data structures. We describe these techniques and quantify their respective effects by experimenting with separate versions of the MONA tool that in turn omit each of them.
Automatic Verification of Pointer Programs using Monadic Second-Order Logic
In Proc. ACM PLDI, Las Vegas, NV, 1997
Cited by 56 (8 self)
Abstract
We present a technique for automatic verification of pointer programs based on a decision procedure for the monadic second-order logic on finite strings. We are concerned with a while-fragment of Pascal, which includes recursively-defined pointer structures but excludes pointer arithmetic. We define a logic of stores with interesting basic predicates such as pointer equality, tests for nil pointers, and garbage cells, as well as reachability along pointers. We present a complete decision procedure for Hoare triples based on this logic over loop-free code. Combined with explicit loop invariants, the decision procedure allows us to answer surprisingly detailed questions about small but nontrivial programs. If a program fails to satisfy a certain property, then we can automatically supply an initial store that provides a counterexample. Our technique has been fully and efficiently implemented for linear linked lists, and extends in principle to tree structures. The resulting system can be used to verify extensive properties of smaller pointer programs and could be particularly useful in a teaching environment.
Mona Fido: The Logic-Automaton Connection in Practice
1998
Cited by 53 (10 self)
Abstract
We discuss in this paper how connections, discovered almost forty years ago, between logics and automata can be used in practice. For such logics expressing regular sets, we have developed tools that allow efficient symbolic reasoning not attainable by theorem proving or symbolic model checking. We explain how the logic-automaton connection is already exploited in a limited way for the case of Quantified Boolean Logic, where Binary Decision Diagrams act as automata. Next, we indicate how BDD data structures and algorithms can be extended to yield a practical decision procedure for a more general logic, namely WS1S, the Weak Second-order theory of One Successor. Finally, we mention applications of the automaton-logic connection to software engineering and program verification.
Symbolic Model Checking the Knowledge of the Dining Cryptographers
2002
Cited by 52 (9 self)
Abstract
This paper describes how symbolic techniques (in particular, OBDD's) may be used to implement an algorithm for model checking specifications in the logic of knowledge for a single agent operating with synchronous perfect recall in an environment of which it has incomplete knowledge. As an illustration of the utility...
Symbolically computing most-precise abstract operations for shape analysis
In 10th TACAS, 2004
Cited by 51 (19 self)
Abstract
Shape analysis concerns the problem of determining “shape invariants” for programs that perform destructive updating on dynamically allocated storage. This paper presents a new algorithm that takes as input an abstract value (a 3-valued logical structure describing some set of concrete stores X) and a precondition p, and computes the most-precise abstract value for the stores in X that satisfy p. This algorithm solves several open problems in shape analysis: (i) computing the most-precise abstract value of a set of concrete stores specified by a logical formula; (ii) computing best transformers for atomic program statements and conditions; (iii) computing best transformers for loop-free code fragments (i.e., blocks of atomic program statements and conditions); (iv) performing interprocedural shape analysis using procedure specifications and assume-guarantee reasoning; and (v) computing the most-precise over-approximation of the meet of two abstract values. The algorithm employs a decision procedure for the logic used to express properties of data structures. A decidable logic for expressing such properties is described in a companion submission [6]. The algorithm can also be used with an undecidable logic and a theorem prover; termination can be assured by using standard techniques (e.g., having the theorem prover return a safe answer if a timeout threshold is exceeded) at the cost of losing the ability to guarantee that a most-precise result is obtained. A prototype has been implemented in TVLA, using the SPASS theorem prover.
Saturation Unbound
Proc. TACAS, 2003
Cited by 43 (22 self)
Abstract
In previous work, we proposed a "saturation" algorithm for symbolic state-space generation characterized by the use of multi-valued decision diagrams, boolean Kronecker operators, event locality, and a special iteration strategy. This approach outperforms traditional BDD-based techniques by several orders of magnitude in both space and time but, like them, assumes a priori knowledge of each submodel's state space. We introduce a new algorithm that merges explicit local state-space discovery with symbolic global state-space generation. This relieves the modeler from worrying about the behavior of submodels in isolation.
Modular Data Structure Verification
EECS Department, Massachusetts Institute of Technology, 2007
Cited by 36 (21 self)
Abstract
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higher-order logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to first-order logic, which enables the use of existing resolution-based theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
The Boundary between Decidability and Undecidability for Transitive-Closure Logics
In Computer Science Logic (CSL), 2004
Cited by 31 (5 self)
Abstract
To reason effectively about programs, it is important to have some version of a transitive-closure operator so that we can describe such notions as the set of nodes reachable from a program's variables. On the other hand, with a few notable exceptions, adding transitive closure to even very tame logics makes them undecidable. In this paper, we explore...
Logical characterizations of heap abstractions
2003
Cited by 30 (5 self)
Abstract
Shape analysis concerns the problem of determining “shape invariants” for programs that perform destructive updating on dynamically allocated storage. In recent work, we have shown how shape analysis can be performed, using an abstract interpretation based on 3-valued first-order logic. In that work, concrete stores are finite 2-valued logical structures, and the sets of stores that can possibly arise during execution are represented (conservatively) using a certain family of finite 3-valued logical structures. In this paper, we show how 3-valued structures that arise in shape analysis can be characterized using formulas in first-order logic with transitive closure. We also define a nonstandard (“supervaluational”) semantics for 3-valued first-order logic that is more precise than a conventional 3-valued semantics, and demonstrate that it can be effectively implemented using existing theorem provers.