Nitpick: A counterexample generator for higher-order logic based on a relational model finder (Extended Abstract) (2009)

by Jasmin Christian Blanchette, Tobias Nipkow
Venue:IN TAP 2009: SHORT PAPERS, ETH
Add To MetaCart
Results 1 - 10 of 46

Mathematizing C++ Concurrency

by Mark Batty, Scott Owens, Susmit Sarkar, Peter Sewell, Tjark Weber
"... Shared-memory concurrency in C and C++ is pervasive in systems programming, but has long been poorly defined. This motivated an ongoing shared effort by the standards committees to specify concurrent behaviour in the next versions of both languages. They aim to provide strong guarantees for race-fre ..."
Abstract - Cited by 57 (11 self) - Add to MetaCart
Shared-memory concurrency in C and C++ is pervasive in systems programming, but has long been poorly defined. This motivated an ongoing shared effort by the standards committees to specify concurrent behaviour in the next versions of both languages. They aim to provide strong guarantees for race-free programs, together with new (but subtle) relaxed-memory atomic primitives for highperformance concurrent code. However, the current draft standards, while the result of careful deliberation, are not yet clear and rigorous definitions, and harbour substantial problems in their details. In this paper we establish a mathematical (yet readable) semantics for C++ concurrency. We aim to capture the intent of the current (‘Final Committee’) Draft as closely as possible, but discuss changes that fix many of its problems. We prove that a proposed x86 implementation of the concurrency primitives is correct with respect to the x86-TSO model, and describe our CPPMEM tool for exploring the semantics of examples, using code generated from our Isabelle/HOL definitions. Having already motivated changes to the draft standard, this work will aid discussion of any further changes, provide a correctness condition for compilers, and give a much-needed basis for analysis and verification of concurrent C and C++ programs.
(Show Context)

Satisfiability modulo recursive programs

by Ali Sinan Köksal, Viktor Kuncak - In Static Analysis Symposium (SAS , 2011
"... Abstract. We present a semi-decision procedure for checking satisfiability of expressive correctness properties of recursive first-order functional programs. In our approach, both properties and programs are expressed in the same language, a subset of Scala. We implemented our procedure and integrat ..."
Abstract - Cited by 31 (15 self) - Add to MetaCart
Abstract. We present a semi-decision procedure for checking satisfiability of expressive correctness properties of recursive first-order functional programs. In our approach, both properties and programs are expressed in the same language, a subset of Scala. We implemented our procedure and integrated it with the Z3 SMT solver and the Scala compiler. Our procedure is sound for counterexamples and for proofs of terminating functions. It is terminating and thus complete for many important classes of specifications, including all satisfiable formulas and all formulas where recursive functions satisfy certain syntactic restrictions. Using our system, Leon, we verified detailed correctness properties for functional data structure implementations, as well as syntax tree manipulations. We have found our system to be fast for both finding counterexamples and finding correctness proofs, and to scale to larger programs than alternative techniques. 1
(Show Context)

Quantified multimodal logics in simple type theory

by Christoph Benzmüller, Lawrence C. Paulson , 2009
"... We present a straightforward embedding of quantified multimodal logic in simple type theory and prove its soundness and completeness. Modal operators are replaced by quantification over a type of possible worlds. We present simple experiments, using existing higher-order theorem provers, to demonstr ..."
Abstract - Cited by 27 (16 self) - Add to MetaCart
We present a straightforward embedding of quantified multimodal logic in simple type theory and prove its soundness and completeness. Modal operators are replaced by quantification over a type of possible worlds. We present simple experiments, using existing higher-order theorem provers, to demonstrate that the embedding allows automated proofs of statements in these logics, as well as meta properties of them.
(Show Context)

Monotonicity Inference for Higher-Order Formulas

by Jasmin Christian Blanchette, Alexander Krauss , 2010
"... Formulas are often monotonic in the sense that if the formula is satisfiable for given domains of discourse, it is also satisfiable for all larger domains. Monotonicity is undecidable in general, but we devised two calculi that infer it in many cases for higher-order logic. The stronger calculus has ..."
Abstract - Cited by 12 (9 self) - Add to MetaCart
Formulas are often monotonic in the sense that if the formula is satisfiable for given domains of discourse, it is also satisfiable for all larger domains. Monotonicity is undecidable in general, but we devised two calculi that infer it in many cases for higher-order logic. The stronger calculus has been implemented in Isabelle’s model finder Nitpick, where it is used to prune the search space, leading to dramatic speed improvements for formulas involving many atomic types.
(Show Context)

Automatic Proof and Disproof in Isabelle/HOL

by Jasmin Christian Blanchette, Lukas Bulwahn, Tobias Nipkow , 2011
"... Isabelle/HOL is a popular interactive theorem prover based on higherorder logic. It owes its success to its ease of use and powerful automation. Much of the automation is performed by external tools: The metaprover Sledgehammer relies on resolution provers and SMT solvers for its proof search, the c ..."
Abstract - Cited by 11 (0 self) - Add to MetaCart
Isabelle/HOL is a popular interactive theorem prover based on higherorder logic. It owes its success to its ease of use and powerful automation. Much of the automation is performed by external tools: The metaprover Sledgehammer relies on resolution provers and SMT solvers for its proof search, the counterexample generator Quickcheck uses the ML compiler as a fast evaluator for ground formulas, and its rival Nitpick is based on the model finder Kodkod, which performs a reduction to SAT. Together with the Isar structured proof format and a new asynchronous user interface, these tools have radically transformed the Isabelle user experience. This paper provides an overview of the main automatic proof and disproof tools.
(Show Context)

From UML and OCL to Relational Logic and Back

by Mirco Kuhlmann, Martin Gogolla
"... Abstract. Languages like UML and OCL are used to precisely model systems. Complex UML and OCL models therefore represent a crucial part of model-driven development, as they formally specify the main system properties. Consequently, creating complete and correct models is a critical concern. For this ..."
Abstract - Cited by 10 (1 self) - Add to MetaCart
Abstract. Languages like UML and OCL are used to precisely model systems. Complex UML and OCL models therefore represent a crucial part of model-driven development, as they formally specify the main system properties. Consequently, creating complete and correct models is a critical concern. For this purpose, we provide a lightweight model validation method based on efficient SAT solving techniques. In this paper, we present a transformation from UML class diagram and OCL concepts into relational logic. Relational logic in turn represents the source for advanced SAT-based model instance finders like Kodkod. This paper focuses on a natural transformation approach which aims to exploit the features of relational logic as directly as possible through straitening the handling of main UML and OCL features. This approach allows us to explicitly benefit from the efficient handling of relational logic in Kodkod and to interpret found results backwards in terms of UML and OCL. 1
(Show Context)

Nitpicking C++ Concurrency

by Jasmin Christian Blanchette, Tjark Weber, Mark Batty, Scott Owens, Susmit Sarkar , 2011
"... Previous work formalized the C++ memory model in Isabelle/HOL in an effort to clarify the proposed standard’s semantics. Here we employ the model finder Nitpick to check litmus test programs that exercise the memory model, including a simple locking algorithm. Nitpick is built on Kodkod (Alloy’s bac ..."
Abstract - Cited by 9 (4 self) - Add to MetaCart
Previous work formalized the C++ memory model in Isabelle/HOL in an effort to clarify the proposed standard’s semantics. Here we employ the model finder Nitpick to check litmus test programs that exercise the memory model, including a simple locking algorithm. Nitpick is built on Kodkod (Alloy’s backend) but understands Isabelle’s richer logic; hence it can be applied directly to the C++ memory model. We only need to give it a few hints, and thanks to the underlying SAT solver it scales much better than the CPPMEM explicit-state model checker. This case study inspired optimizations in Nitpick from which other formalizations can now benefit.
(Show Context)

Integrating Testing and Interactive Theorem Proving

by Harsh Raju Chamarthi, Peter Dillinger, Matt Kaufmann - In: ACL2 ’11: Proceedings of the ninth international workshop on the ACL2 theorem
"... Abstract. Using an interactive theorem prover to reason about pro-grams involves a sequence of interactions where the user challenges the theorem prover with conjectures. Invariably, many of the conjectures posed are in fact false, and users often spend considerable effort examin-ing the theorem pro ..."
Abstract - Cited by 9 (2 self) - Add to MetaCart
Abstract. Using an interactive theorem prover to reason about pro-grams involves a sequence of interactions where the user challenges the theorem prover with conjectures. Invariably, many of the conjectures posed are in fact false, and users often spend considerable effort examin-ing the theorem prover’s output before realizing this. We present a syn-ergistic integration of testing with theorem proving, implemented in the ACL2 Sedan (ACL2s), for automatically generating concrete counterex-amples. Our method uses the full power of the theorem prover and asso-ciated libraries to simplify conjectures; this simplification can transform conjectures for which finding counterexamples is hard into conjectures where finding counterexamples is trivial. In fact, our approach even leads to better theorem proving, e.g., if testing shows that a generalization step leads to a false conjecture, we force the theorem prover to backtrack, al-lowing it to pursue more fruitful options that may yield a proof. The focus of the paper is on the engineering of a synergistic integration of testing with interactive theorem proving; this includes extending ACL2 with new functionality that we expect to be of general interest. We also discuss our experience in using ACL2s to teach freshman students how to reason about their programs. 1
(Show Context)

The New Quickcheck for Isabelle -- Random, Exhaustive and Symbolic Testing Living Under One Roof

by Lukas Bulwahn
"... The new Quickcheck is a counterexample generator for Isabelle/HOL that uncovers faulty specifications and invalid conjectures using various testing strategies. The previous Quickcheck only tested conjectures by random testing. The new Quickcheck extends the previous one and integrates two novel te ..."
Abstract - Cited by 7 (0 self) - Add to MetaCart
The new Quickcheck is a counterexample generator for Isabelle/HOL that uncovers faulty specifications and invalid conjectures using various testing strategies. The previous Quickcheck only tested conjectures by random testing. The new Quickcheck extends the previous one and integrates two novel testing strategies: exhaustive testing with concrete values; and symbolic testing, evaluating conjectures with a narrowing strategy. Orthogonally to the strategies, we address two general issues: First, we extend the class of executable conjectures and specifications, and second, we present techniques to deal with conditional conjectures, i.e., conjectures with restrictive premises. We evaluate the testing strategies and techniques on a number of specifications, functional data structures and a hotel key card system.

Finding strategyproof social choice functions via SAT solving

by Felix Brandt, Christian Geist - IN PROCEEDINGS OF THE 13TH INTERNATIONAL CONFERENCE ON AUTONOMOUS AGENTS AND MULTI-AGENT SYSTEMS (AAMAS). IFAAMAS, 2014. FORTHCOMING , 2014
"... A promising direction in computational social choice is to address open research problems using computer-aided prov-ing techniques. In conjunction with SAT solving, this ap-proach has been shown to be viable in the context of classic impossibility theorems such as Arrow’s impossibility as well as ax ..."
Abstract - Cited by 7 (6 self) - Add to MetaCart
A promising direction in computational social choice is to address open research problems using computer-aided prov-ing techniques. In conjunction with SAT solving, this ap-proach has been shown to be viable in the context of classic impossibility theorems such as Arrow’s impossibility as well as axiomatizations of preference extensions. In this paper, we demonstrate that it can also be applied to the more com-plex notion of strategyproofness for irresolute social choice functions. These types of problems, however, require a more evolved encoding as otherwise the search space rapidly be-comes much too large. We present an efficient encoding for translating such problems to SAT and leverage this encoding to prove new results about strategyproofness with respect to Kelly’s and Fishburn’s preference extensions. For example, we show that no Pareto-optimal majoritarian social choice function satisfies Fishburn-strategyproofness.