Results 1  10
of
31
Inductive assertions and operational semantics
 CHARME 2003. Volume 2860 of LNCS., SpringerVerlag
, 2003
"... Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require th ..."
Abstract

Cited by 26 (8 self)
 Add to MetaCart
Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require the definition of a verification condition generation. The paper focuses on iterative programs but recursive programs are briefly discussed. Assertions are attached to the program by defining a predicate on states. This predicate is then “completed ” to an alleged invariant by the definition of a partial function defined in terms of the state transition function of the operational semantics. If this alleged invariant can be proved to be an invariant under the state transition function, it follows that the assertions are true every time they are encountered in execution and thus that the postcondition is true if reached from a state satisfying the precondition. But because of the manner in which the alleged invariant is defined, the verification conditions are sufficient to prove invariance. Indeed, the “natural ” proof generates the classical verification conditions as subgoals. The invariant function may be thought of as a statebased verification condition generator for the annotated program. The method allows standard inductive assertion style proofs to be constructed directly in an operational semantics setting. The technique is demonstrated by proving the partial correctness of simple bytecode programs with respect to a preexisting operational model of the Java Virtual Machine. 1
Proving theorems about Java and the JVM with ACL2
 Models, Algebras and Logic of Engineering Software
, 2003
"... We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. ..."
Abstract

Cited by 19 (10 self)
 Add to MetaCart
We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. Theorems are proved about Java methods and classes by compiling them with javac and then proving the corresponding theorem about the JVM. Certain automatically applied strategies are implemented with rewrite rules (and other proofguiding pragmas) in ACL2 “books” to control the theorem prover when operating on problems involving the JVM model. The Java Virtual Machine or JVM [27] is the basic abstraction Java [17] implementors are expected to respect. We speculate that the JVM is an appropriate level of abstraction at which to model Java programs with the intention of mechanically verifying their properties. The most complex features of the Java subset we handle – construction and initialization of new objects, synchronization, thread management, and virtual method invocation – are all supported directly and with full abstraction as single atomic instructions in the JVM. The complexity of verifying JVM bytecode program stems from the complexity of Java’s semantics, not
Machinecode verification for multiple architectures: An application of decompilation into logic
 In Formal Methods in Computer Aided Design (FMCAD
, 2008
"... Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusin ..."
Abstract

Cited by 16 (9 self)
 Add to MetaCart
Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusing proofs of the same algorithm implemented in different machine languages. We describe an approach, based on proofproducing decompilation, which both makes machinecode verification tractable and supports proof reuse between different languages. We briefly present examples based on detailed models of machine code for ARM, PowerPC and x86. The theories and tools have been implemented in the HOL4 system. I.
Formal Models of Java at the JVM Level A Survey from the ACL2 Perspective
 In Proc. Workshop on Formal Techniques for Java Programs, in association with ECOOP
, 2001
"... We argue that a practical way to apply formal methods to Java is to apply formal methods to the Java Virtual Machine (JVM) instead. A Java system can be proved correct by analyzing the bytecode produced for it. We believe that this clari es the semantic issues without introducing inappropriate compl ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
We argue that a practical way to apply formal methods to Java is to apply formal methods to the Java Virtual Machine (JVM) instead. A Java system can be proved correct by analyzing the bytecode produced for it. We believe that this clari es the semantic issues without introducing inappropriate complexity. We say \inappropriate" because we believe the complexity present in the JVM view of a Java class is inherent in the Java, when accurately modeled. If it is desired to model a subset of Java or to model \Java" with a slightly simpler semantics, that can be done by formalizing a suitable abstraction of the JVM. In this paper we support these contentions by surveying recent applications of the ACL2 theorem proving system to the JVM. In particular, we describe how ACL2 is used to formalize operational semantics, we describe several models of the JVM, and we describe proofs of theorems involving these models. We are using these models to explore a variety of Java issues from a formal perspective, including Java's bounded arithmetic, object manipulation via the heap, class inheritance, method resolution, singleand multithreaded programming, synchronization via monitors in the heap, and properties of the bytecode veri er.
Verification Condition Generation via Theorem Proving
 Proceedings of the 13th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2006), Vol. 4246 of LNCS
, 2006
"... Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an offtheshelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover di ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an offtheshelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover directly on the operational semantics to generate verification conditions analogous to those produced by a custombuilt VCG. Thus no separate VCG is necessary, and the theorem prover can be employed both to generate and to discharge the verification conditions. The method handles both partial and total correctness. It is also compositional in that the correctness of a subroutine needs to be proved once, rather than at each call site. The method has been used to verify several machinelevel programs using the ACL2 theorem prover. 1
Partial recursive functions in higherorder logic
 Int. Joint Conference on Automated Reasoning (IJCAR 2006), LNCS
, 2006
"... Abstract. Based on inductive definitions, we develop an automated tool for defining partial recursive functions in HigherOrder Logic and providing appropriate reasoning tools for them. Our method expresses termination in a uniform manner and includes a very general form of pattern matching, where p ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
Abstract. Based on inductive definitions, we develop an automated tool for defining partial recursive functions in HigherOrder Logic and providing appropriate reasoning tools for them. Our method expresses termination in a uniform manner and includes a very general form of pattern matching, where patterns can be arbitrary expressions. Termination proofs can be deferred, restricted to subsets of arguments and are interchangeable with other proofs about the function. We show that this approach can also facilitate termination arguments for total functions, in particular for nested recursions. We implemented our tool as a definitional specification mechanism for Isabelle/HOL. 1
Ordinal arithmetic: Algorithms and mechanization
 Journal of Automated Reasoning
, 2006
"... Abstract. Termination proofs are of critical importance for establishing the correct behavior of both transformational and reactive computing systems. A general setting for establishing termination proofs involves the use of the ordinal numbers, an extension of the natural numbers into the transfini ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
Abstract. Termination proofs are of critical importance for establishing the correct behavior of both transformational and reactive computing systems. A general setting for establishing termination proofs involves the use of the ordinal numbers, an extension of the natural numbers into the transfinite which were introduced by Cantor in the nineteenth century and are at the core of modern set theory. We present the first comprehensive treatment of ordinal arithmetic on compact ordinal notations and give efficient algorithms for various operations, including addition, subtraction, multiplication, and exponentiation. Using the ACL2 theorem proving system, we implemented our ordinal arithmetic algorithms, mechanically verified their correctness, and developed a library of theorems that can be used to significantly automate reasoning involving the ordinals. To enable users of the ACL2 system to fully utilize our work required that we modify ACL2, e.g., we replaced the underlying representation of the ordinals and added a large library of definitions and theorems. Our modifications are available starting with ACL2 version 2.8. 1.
Adapting Functional Programs to HigherOrder Logic
"... Abstract. Higherorder logic proof systems combine functional programming with logic, providing functional programmers with a comfortable setting for the formalization of programs, specifications, and proofs. However, a possibly unfamiliar aspect of working in such an environment is that formally es ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
Abstract. Higherorder logic proof systems combine functional programming with logic, providing functional programmers with a comfortable setting for the formalization of programs, specifications, and proofs. However, a possibly unfamiliar aspect of working in such an environment is that formally establishing program termination is necessary. In many cases, termination can be automatically proved, but there are useful programs that diverge and others that always terminate but have difficult termination proofs. We discuss techniques that support the expression of such programs as logical functions. 1.
D.: Partial Clock Functions in ACL2
 5th ACL2 Workshop. (2004
, 2004
"... Abstract J Moore has discovered an elegant approach for verifying state invariants of imperative programs without having to write a verification condition generator (VCG) or clock function. Users need only make assertions about selected cutpoint instructions of a program, such as loop tests and subr ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
Abstract J Moore has discovered an elegant approach for verifying state invariants of imperative programs without having to write a verification condition generator (VCG) or clock function. Users need only make assertions about selected cutpoint instructions of a program, such as loop tests and subroutine entry and exit points. ACL2's rewriter is then used to automatically propagate these assertions through the intervening instructions.