Modeling and Verifying Systems using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions
, 2002
In this paper, we present the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). CLU generalizes the logic of equality with uninterpreted functions (EUF) with constrained lambda expressions, ordering, and successor and predecessor functions. In addition to modeling pipelined processors that EUF has proved useful for, CLU can be used to model many infinite-state systems including those with infinite memories, finite and infinite queues including lossy channels, and networks of identical processes. Even with this richer expressive power, the validity of a CLU formula can be efficiently decided by translating it to a propositional formula, and then using Boolean methods to check validity. We give theoretical and empirical evidence for the efficiency of our decision procedure. We also describe verification techniques that we have used on a variety of systems, including an out-of-order execution unit and the load-store unit of an industrial microprocessor.
CVC: a Cooperating Validity Checker
In 14th International Conference on Computer-Aided Verification
, 2002
Decision procedures for decidable logics and logical theories have proven to be useful tools in verification. This paper describes the CVC ("Cooperating Validity Checker") decision procedure. CVC implements a framework for combining subsidiary decision procedures for certain logical theories into a decision procedure for the theories' union. Subsidiary decision procedures for theories of arrays, inductive datatypes, and linear real arithmetic are currently implemented. Other notable features of CVC are the incorporation of the high-performance Chaff solver for propositional reasoning, and the ability to produce independently checkable proofs for valid formulas.
Lazy theorem proving for bounded model checking over infinite domains
, 2002
We investigate the combination of propositional SAT checkers with domain-specific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula φ with domain-specific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification φ. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL level descriptions, and investigate the lazy integration of SAT solving and theorem proving.
1 Introduction
Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finite-state systems but also to certain infinite-state systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a boolean representation of state sets using binary decision diagrams (BDD) [4] as a way of checking temporal properties, whereas explicit-state model checkers enumerate the set of reachable states of the system.
Modeling and Verification of Out-of-Order Microprocessors in UCLID
, 2002
In this paper, we describe the modeling and verification of out-of-order microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifier-free fragment of first-order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda expressions, and counter arithmetic. UCLID is a tool for specifying and verifying systems expressed in this logic. The paper makes two main contributions. First, we show that the logic is expressive enough to model components found in most modern microprocessors, independent of their actual sizes. Second, we demonstrate UCLID's verification capabilities, ranging from full automation for bounded property checking to a high degree of automation in proving restricted classes of invariants. These techniques, coupled with a counterexample generation facility, are useful in establishing correctness of processor designs. We demonstrate UCLID's methods using a case study of a synthetic model of an out-of-order processor where all the invariants were proved automatically.
Deconstructing Shostak
, 2002
Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak's decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have been implemented in a number of systems including STP, Ehdm, PVS, STeP, and SVC. The algorithm is quite subtle and a correctness argument for it has remained elusive. Shostak's algorithm and all previously published variants of it yield incomplete decision procedures. We describe a variant of Shostak's algorithm along with proofs of termination, soundness, and completeness.
Theory Interpretation in Simple Type Theory
In Higher-Order Algebra, Logic, and Term Rewriting, volume 816 of Lecture Notes in Computer Science
, 1993
Theory interpretation is a logical technique for relating one axiomatic theory to another with important applications in mathematics and computer science as well as in logic itself. This paper presents a method for theory interpretation in a version of simple type theory, called LUTINS, which admits partial functions and subtypes. The method is patterned on the standard approach to theory interpretation in first-order logic. Although the method is based on a nonclassical version of simple type theory, it is intended as a guide for theory interpretation in classical simple type theories as well as in predicate logics with partial functions.
Protocol-Independent Secrecy
In 2000 IEEE Symposium on Security and Privacy. IEEE Computer Society
, 2000
Inductive proofs of secrecy invariants for cryptographic protocols can be facilitated by separating the protocol-dependent part from the protocol-independent part. Our secrecy theorem encapsulates the use of induction so that the discharge of protocol-specific proof obligations is reduced to first-order reasoning. Also, the verification conditions are modularly associated with the protocol messages. Secrecy proofs for Otway-Rees and the corrected Needham-Schroeder protocol are given.
Structured Specifications and Interactive Proofs with KIV
, 1998
The aim of this chapter is to describe the integrated specification and theorem proving environment of KIV. KIV is an advanced tool for developing high assurance systems. It supports: hierarchical formal specification of software and system designs; specification of safety/security models; proving properties of specifications; modular implementation of specification components; modular verification of implementations; incremental verification and error correction; and reuse of specifications, proofs, and verified components. KIV supports the entire design process from formal specifications to verified code. It supports functional as well as state-based modeling. KIV is ready for use, and has been tested in a number of indu...
Comparing mathematical provers
In Mathematical Knowledge Management, 2nd Int'l Conf., Proceedings
, 2003
We compare fifteen systems for the formalization of mathematics with the computer. We present several tables that list various properties of these programs. The three main dimensions on which we compare these systems are: the size of their library, the strength of their logic and their level of automation.