Results 1-10 of 28
Java Program Verification via a Hoare Logic with Abrupt Termination
Fundamental Approaches to Software Engineering (FASE 2000), number 1783 in LNCS, 2000
Cited by 63 (6 self)
Abstract
This paper formalises a semantics for statements and expressions (in sequential imperative languages) which includes nontermination, normal termination and abrupt termination (e.g. because of an exception, break, return or continue). This extends the traditional semantics underlying e.g. Hoare logic, which only distinguishes termination and nontermination. An extension of Hoare logic is elaborated that includes means for reasoning about abrupt termination (and side-effects). It prominently involves rules for reasoning about while loops, which may contain exceptions, breaks, continues and returns. This extension applies in particular to Java. As an example, a standard pattern search algorithm in Java (involving a while loop with returns) is proven correct using the proof tool PVS.
The ICS Decision Procedures for Embedded Deduction
2004
Cited by 32 (6 self)
Abstract
Automated theorem proving... linear arithmetic, and lists. The ground (i.e., quantifier-free) fragment of many combinations is decidable when the fully quantified combination is not, and practical experience indicates that automation of the ground case is adequate for most applications. Practical experience also suggests several other desiderata for an effective deductive service. Some applications (e.g., construction of abstractions) invoke their deductive service a huge number of times in the course of a single calculation, so that performance of the service must be very good. Other applications such as proof search explore many variations on a formula (i.e., alternately asserting and denying various combinations of its premises), so the deductive service should not examine individual formulas in isolation, but should provide a rich application programming interface that supports incremental assertion, retraction, and querying of formulas. Other applications such as test case generation...
Verification of a leader election protocol: formal methods applied to IEEE 1394
Formal Methods in System Design, 1997
Cited by 28 (7 self)
Abstract
The IEEE 1394 high performance serial multimedia bus protocol allows several components to communicate with each other at high speed. In this paper we present a formal model and verification of a leader election algorithm that forms the core of the tree identify phase of the physical layer of the 1394 protocol. We describe the algorithm formally in the I/O automata model of Lynch and Tuttle, and verify that for an arbitrary tree topology exactly one leader is elected. A large part of our verification has been checked mechanically with PVS, a verification system for higher-order logic.
A Case Study in Class Library Verification: Java's Vector Class
1999
Cited by 20 (6 self)
Abstract
One of the reasons for the popularity of object-oriented programming is the possibility it offers for reuse of code. Usually, the distribution of an object-oriented programming language comes together with a collection of ready-to-use classes, in a class library. Typically, these classes contain general purpose code, which can be used in many applications. Before using such classes, a programmer usually wants to know how they behave and when their methods throw exceptions. One way to do this is to study the actual code, but since this is time-consuming and requires understanding all particular ins and outs of the implementation, this is often not the most efficient way. Another approach is to study the documentation provided. As long as the documentation is clear and concise, this works well, but otherwise one is still forced to look at the actual code.
A Type-Theoretic Memory Model for Verification of Sequential Java Programs
1999
Cited by 20 (9 self)
Abstract
This paper explains the details of the memory model underlying the verification of sequential Java programs in the "LOOP" project ([14, 20]). The building blocks of this memory are cells, which are untyped in the sense that they can store the contents of the fields of an arbitrary Java object. The main memory is modeled as three infinite series of such cells: one for storing instance variables on a heap, one for local variables and parameters on a stack, and one for static (or class) variables. Verification on the basis of this memory model is illustrated both in PVS and in Isabelle/HOL, via several examples of Java programs, involving various subtleties of the language (w.r.t. memory storage).
A Discipline of Multiprogramming: A Programming Theory for Distributed Applications
1999
Cited by 18 (0 self)
Weakest Precondition Reasoning for Java Programs with JML Annotations
Journal of Logic and Algebraic Programming, 2002
Cited by 17 (2 self)
Abstract
This paper distinguishes several different approaches to organising a Weakest Precondition (WP) calculus in a theorem prover. The implementation of two of these approaches for Java within the LOOP project is described. This involves the WP infrastructures in the higher-order logic of the theorem prover PVS, together with some associated rules and strategies for automatically proving JML specifications for Java implementations. The soundness of all WP rules has been proven on the basis of the underlying Java semantics. These WP calculi are integrated with the existing Hoare logic, and together form a verification toolkit in PVS: typically one uses Hoare logic rules to break a large verification task up into smaller parts that can be handled automatically by one of the WP strategies.
Exercises in Coalgebraic Specification
1999
Cited by 16 (2 self)
Abstract
An introduction to coalgebraic specification is presented via examples. A coalgebraic specification describes a collection of coalgebras satisfying certain assertions. It is thus an axiomatic description of a particular class of mathematical structures. Such specifications are especially suitable for state-based dynamical systems in general, and for classes in object-oriented programming languages in particular. This paper will gradually introduce the notions of bisimilarity, invariance, component classes, temporal logic and refinement in a coalgebraic setting. Besides the running example of the coalgebraic specification of (possibly infinite) binary trees, a specification of Peterson's mutual exclusion algorithm is elaborated in detail.
Canonization for Disjoint Unions of Theories
2003
Cited by 15 (4 self)
Abstract
If there exist efficient procedures (canonizers) for reducing terms of two first-order theories to canonical form, can one use them to construct such a procedure for terms of the disjoint union of the two theories? We prove this is possible whenever the original theories are convex. As an application, we prove that algorithms for solving equations in the two theories (solvers) cannot be combined in a similar fashion. These results are relevant to the widely used Shostak's method for combining decision procedures for theories. They provide the first rigorous answers to the questions about the possibility of directly combining canonizers and solvers.