Results 1  10
of
55
Modeling and Verifying Systems using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions
, 2002
"... In this paper, we present the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). CLU generalizes the logic of equality with uninterpreted functions (EUF) with constrained lambda expressions, ordering, and successor and predecessor functions. In addition to mod ..."
Abstract

Cited by 151 (45 self)
 Add to MetaCart
In this paper, we present the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). CLU generalizes the logic of equality with uninterpreted functions (EUF) with constrained lambda expressions, ordering, and successor and predecessor functions. In addition to modeling pipelined processors that EUF has proved useful for, CLU can be used to model many infinitestate systems including those with infinite memories, finite and infinite queues including lossy channels, and networks of identical processes. Even with this richer expressive power, the validity of a CLU formula can be efficiently decided by translating it to a propositional formula, and then using Boolean methods to check validity. We give theoretical and empirical evidence for the efficiency of our decision procedure. We also describe verification techniques that we have used on a variety of systems, including an outoforder execution unit and the loadstore unit of an industrial microprocessor.
CVC: a Cooperating Validity Checker
 In 14th International Conference on ComputerAided Verification
, 2002
"... Decision procedures for decidable logics and logical theories have proven to be useful tools in verification. This paper describes the CVC ("Cooperating Validity Checker") decision procedure. CVC implements a framework for combining subsidiary decision procedures for certain logical theori ..."
Abstract

Cited by 118 (20 self)
 Add to MetaCart
Decision procedures for decidable logics and logical theories have proven to be useful tools in verification. This paper describes the CVC ("Cooperating Validity Checker") decision procedure. CVC implements a framework for combining subsidiary decision procedures for certain logical theories into a decision procedure for the theories' union. Subsidiary decision procedures for theories of arrays, inductive datatypes, and linear real arithmetic are currently implemented. Other notable features of CVC are the incorporation of the highperformance Cha solver for propositional reasoning, and the ability to produce independently checkable proofs for valid formulas.
Lazy theorem proving for bounded model checking over infinite domains
, 2002
"... Abstract. We investigate the combination of propositional SAT checkers with domainspecific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ' with domainspecific constraints over pr ..."
Abstract

Cited by 81 (11 self)
 Add to MetaCart
Abstract. We investigate the combination of propositional SAT checkers with domainspecific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ' with domainspecific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification '. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL level descriptions, and investigate the lazy integration of SAT solving and theorem proving. 1 Introduction Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finitestate systems but also to certain infinitestate systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a boolean representation of state sets using binary decision diagrams (BDD) [4] as a way of checking temporal properties, whereas explicitstate model checkers enumerate the set of reachable states of the system.
Modeling and Verification of OutofOrder Microprocessors in UCLID
, 2002
"... In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda express ..."
Abstract

Cited by 47 (15 self)
 Add to MetaCart
In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda expressions, and counter arithmetic. UCLID is a tool for specifying and verifying systems expressed in this logic. The paper makes two main contributions. First, we show that the logic is expressive enough to model components found in most modern microprocessors, independent of their actual sizes. Second, we demonstrate UCLID's verification capabilities, ranging from full automation for bounded property checking to a high degree of automation in proving restricted classes of invariants. These techniques, coupled with a counterexample generation facility, are useful in establishing correctness of processor designs. We demonstrate UCLID's methods using a case study of a synthetic model of an outoforder processor where all the invariants were proved automatically.
Theory Interpretation in Simple Type Theory
 HIGHERORDER ALGEBRA, LOGIC, AND TERM REWRITING, VOLUME 816 OF LECTURE NOTES IN COMPUTER SCIENCE
, 1993
"... Theory interpretation is a logical technique for relating one axiomatic theory to another with important applications in mathematics and computer science as well as in logic itself. This paper presents a method for theory interpretation in a version of simple type theory, called lutins, which admit ..."
Abstract

Cited by 36 (16 self)
 Add to MetaCart
Theory interpretation is a logical technique for relating one axiomatic theory to another with important applications in mathematics and computer science as well as in logic itself. This paper presents a method for theory interpretation in a version of simple type theory, called lutins, which admits partial functions and subtypes. The method is patterned on the standard approach to theory interpretation in rstorder logic. Although the method is based on a nonclassical version of simple type theory, it is intended as a guide for theory interpretation in classical simple type theories as well as in predicate logics with partial functions.
Deconstructing Shostak
, 2002
"... Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak's decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have ..."
Abstract

Cited by 35 (3 self)
 Add to MetaCart
Decision procedures for equality in a combination of theories are at the core of a number of verification systems. Shostak's decision procedure for equality in the combination of solvable and canonizable theories has been around for nearly two decades. Variations of this decision procedure have been implemented in a number of systems including STP, Ehdm, PVS, STeP, and SVC. The algorithm is quite subtle and a correctness argument for it has remained elusive. Shostak's algorithm and all previously published variants of it yield incomplete decision procedures. We describe a variant of Shostak's algorithm along with proofs of termination, soundness, and completeness.
A Framework for Cooperating Decision Procedures
 17th International Conference on Computer Aided Deduction, volume 1831 of LNAI
, 2000
"... . We present a flexible framework for cooperating decision procedures. We describe the properties needed to ensure correctness and show how it can be applied to implement an efficient version of Nelson and Oppen's algorithm for combining decision procedures. We also show how a Shostak style ..."
Abstract

Cited by 32 (9 self)
 Add to MetaCart
. We present a flexible framework for cooperating decision procedures. We describe the properties needed to ensure correctness and show how it can be applied to implement an efficient version of Nelson and Oppen's algorithm for combining decision procedures. We also show how a Shostak style decision procedure can be implemented in the framework in such a way that it can be integrated with the NelsonOppen method. 1 Introduction Decision procedures for fragments of firstorder or higherorder logic are potentially of great interest because of their versatility. Many practical problems can be reduced to problems in some decidable theory. The availability of robust decision procedures that can solve these problem within reasonable time and memory could save a great deal of effort that would otherwise go into implementing special cases of these procedures. Indeed, there are several publicly distributed prototype implementations of decision procedures, such as Presburger arithmetic...
ProtocolIndependent Secrecy
 In 2000 IEEE Symposium on Security and Privacy. IEEE Computer Society
, 2000
"... Inductive proofs of secrecy invariants for cryptographic protocols can be facilitated by separating the protocol dependent part from the protocolindependent part. Our secrecy theorem encapsulates the use of induction so that the discharge of protocolspecific proof obligations is reduced to firsto ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
Inductive proofs of secrecy invariants for cryptographic protocols can be facilitated by separating the protocol dependent part from the protocolindependent part. Our secrecy theorem encapsulates the use of induction so that the discharge of protocolspecific proof obligations is reduced to firstorder reasoning. Also, the verification conditions are modularly associated with the protocol messages. Secrecy proofs for OtwayRees and the corrected NeedhamSchroeder protocol are given.
2002b. A generalization of Shostak’s method for combining decision procedures
 In Proc. 4th FroCoS
"... Abstract. Consider the problem of determining whether a quantifierfree formula OE is satisfiable in some firstorder theory T. Shostak's algorithm decides this problem for a certain class of theories with both interpreted and uninterpreted functions. We present two new algorithms based on Shost ..."
Abstract

Cited by 29 (4 self)
 Add to MetaCart
Abstract. Consider the problem of determining whether a quantifierfree formula OE is satisfiable in some firstorder theory T. Shostak's algorithm decides this problem for a certain class of theories with both interpreted and uninterpreted functions. We present two new algorithms based on Shostak's method. The first is a simple subset of Shostak's algorithm for the same class of theories but without uninterpreted functions. This simplified algorithm is easy to understand and prove correct, providing insight into how and why Shostak's algorithm works. The simplified algorithm is then used as the foundation for a generalization of Shostak's method based on the NelsonOppen method for combining theories. 1 Introduction In 1984, Shostak introduced a clever and subtle algorithm for deciding the satisfiability of quantifierfree formulas in a combined theory which includes a firstorder theory with certain properties and the pure theory of equality with uninterpreted functions [10]. The method has proved to be popular for automated reasoning applications, having been used as the basis for decision procedures found in several tools including PVS [8] STeP [3, 5], and SVC [1, 2, 6]. Unfortunately, the original paper is difficult to follow, due in part to the fact that it contains several errors. As a result, there has been an ongoing effort to understand and clarify the method [4, 9, 12]. The presentation that is most faithful to Shostak while correcting his errors is that recently produced by Shankar and Ruess [9].