Results 1  10
of
81
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 100 (19 self)
 Add to MetaCart
(Show Context)
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Types, Bytes and Separation Logic
, 2007
"... We present a formal model of memory that both captures the lowlevel features of C’s pointers and memory, and that forms the basis for an expressive implementation of separation logic. At the low level, we do not commit common oversimplifications, but correctly deal with C’s model of programming lan ..."
Abstract

Cited by 84 (24 self)
 Add to MetaCart
We present a formal model of memory that both captures the lowlevel features of C’s pointers and memory, and that forms the basis for an expressive implementation of separation logic. At the low level, we do not commit common oversimplifications, but correctly deal with C’s model of programming language values and the heap. At the level of separation logic, we are still able to reason abstractly and efficiently. We implement this framework in the theorem prover Isabelle/HOL and demonstrate it on two case studies. We show that the divide between detailed and abstract does not impose undue verification overhead, and that simple programs remain easy to verify. We also show that the framework is applicable to real, security and safetycritical code by formally verifying the memory allocator of the L4 microkernel.
The Krakatoa Tool for Certification of Java/JavaCard Programs Annotated in JML
, 2003
"... We describe the basic structure of an environment for proving Java programs annotated with JML specications. Our method is generic with respect to the API, and thus well suited for JavaCard applets certication. It involves three distinct components: the Why tool, which computes proof obligations for ..."
Abstract

Cited by 79 (2 self)
 Add to MetaCart
We describe the basic structure of an environment for proving Java programs annotated with JML specications. Our method is generic with respect to the API, and thus well suited for JavaCard applets certication. It involves three distinct components: the Why tool, which computes proof obligations for a core imperative language annotated with pre and postconditions, the Coq proof assistant for modeling the program semantics and conducting the development of proofs, and nally the Krakatoa tool, a translator of our own, which reads the Java les and produces specications for Coq and a representation of the semantics of the Java program into Why's input language.
Local Reasoning about a Copying Garbage Collector
 In 31st ACM POPL
, 2004
"... We present a programming language, model, and logic appropriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics [18, 23] to formally specify partial correct ..."
Abstract

Cited by 72 (8 self)
 Add to MetaCart
(Show Context)
We present a programming language, model, and logic appropriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics [18, 23] to formally specify partial correctness of Cheney's copying garbage collector [8]. Finally, we prove that our implementation of Cheney's algorithm meets its specification, using the logic we have given, and auxiliary variables [19].
Toward the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctness
 Proceedings of the Third IEEE International Conference on Software Engineering and Formal Methods (SEFM’05). IEEE Computer Society. ISBN
, 2005
"... c©2005 IEEE. Personal use of this material is permitted. However, permission to reprint / republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other ..."
Abstract

Cited by 52 (5 self)
 Add to MetaCart
(Show Context)
c©2005 IEEE. Personal use of this material is permitted. However, permission to reprint / republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
A languagebased approach to functionally correct imperative programming
 IN PROCEEDINGS OF THE 10TH INTERNATIONAL CONFERENCE ON FUNCTIONAL PROGRAMMING (ICFP05
, 2005
"... In this paper a languagebased approach to functionally correct imperative programming is proposed. The approach is based on a programming language called RSP1, which combines dependent types, general recursion, and imperative features in a typesafe way, while preserving decidability of type checki ..."
Abstract

Cited by 35 (8 self)
 Add to MetaCart
In this paper a languagebased approach to functionally correct imperative programming is proposed. The approach is based on a programming language called RSP1, which combines dependent types, general recursion, and imperative features in a typesafe way, while preserving decidability of type checking. The methodology used is that of internal verification, where programs manipulate programmersupplied proofs explicitly as data. The fundamental technical idea of RSP1 is to identify problematic operations as impure, and keep them out of dependent types. The resulting language is powerful enough to verify statically nontrivial properties of imperative and functional programs. The paper presents the ideas through the examples of statically verified merge sort, statically verified imperative binary search trees, and statically verified directed acyclic graphs. This paper is an extended version of [30].
Formal verification of a Clike memory model and its uses for verifying program transformations
 JOURNAL OF AUTOMATED REASONING
"... ..."
Automatic Certification of Heap Consumption
 In LPAR’04, LNAI 3452
, 2005
"... Abstract. We present a program logic for verifying the heap consumption of lowlevel programs. The proof rules employ a uniform assertion format and have been derived from a general purpose program logic [1]. In a proofcarrying code scenario, the inference of invariants is delegated to the code pro ..."
Abstract

Cited by 28 (15 self)
 Add to MetaCart
(Show Context)
Abstract. We present a program logic for verifying the heap consumption of lowlevel programs. The proof rules employ a uniform assertion format and have been derived from a general purpose program logic [1]. In a proofcarrying code scenario, the inference of invariants is delegated to the code provider, who employs a certifying compiler that generates a certificate from program annotations and analysis. The granularity of the proof rules matches that of the linear type system presented in [6], which enables us to perform verification by replaying typing derivations in a theorem prover, given the specifications of individual methods. The resulting verification conditions are of limited complexity, and are automatically discharged. We also outline a proof system that relaxes the linearity restrictions and relates to the type system of usage aspects presented in [2]. 1
A verification environment for sequential imperative programs in Isabelle/HOL
 Logic for Programming, AI, and Reasoning, volume 3452 of LNAI
, 2005
"... Abstract. We develop a general language model for sequential imperative programs together with a Hoare logic. We instantiate the framework with common programming language constructs and integrate it into Isabelle/HOL, to gain a usable and sound verification environment. 1 ..."
Abstract

Cited by 25 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We develop a general language model for sequential imperative programs together with a Hoare logic. We instantiate the framework with common programming language constructs and integrate it into Isabelle/HOL, to gain a usable and sound verification environment. 1
A Hoare Logic for CallbyValue Functional Programs
"... Abstract. We present a Hoare logic for a callbyvalue programming language equipped with recursive, higherorder functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs ..."
Abstract

Cited by 22 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present a Hoare logic for a callbyvalue programming language equipped with recursive, higherorder functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs annotated with logical assertions. These proof obligations, expressed in a typed, higherorder logic, are discharged using offtheshelf automated or interactive theorem provers. Although the technical apparatus that we exploit is by now standard, its application to callbyvalue functional programming languages appears to be new, and (we claim) deserves attention. As a sample application, we check the partial correctness of a balanced binary search tree implementation. 1