Results 1  10
of
24
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 84 (17 self)
 Add to MetaCart
(Show Context)
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Modular Data Structure Verification
 EECS DEPARTMENT, MASSACHUSETTS INSTITUTE OF TECHNOLOGY
, 2007
"... This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java ..."
Abstract

Cited by 38 (21 self)
 Add to MetaCart
This dissertation describes an approach for automatically verifying data structures, focusing on techniques for automatically proving formulas that arise in such verification. I have implemented this approach with my colleagues in a verification system called Jahob. Jahob verifies properties of Java programs with dynamically allocated data structures. Developers write Jahob specifications in classical higherorder logic (HOL); Jahob reduces the verification problem to deciding the validity of HOL formulas. I present a new method for proving HOL formulas by combining automated reasoning techniques. My method consists of 1) splitting formulas into individual HOL conjuncts, 2) soundly approximating each HOL conjunct with a formula in a more tractable fragment and 3) proving the resulting approximation using a decision procedure or a theorem prover. I present three concrete logics; for each logic I show how to use it to approximate HOL formulas, and how to decide the validity of formulas in this logic. First, I present an approximation of HOL based on a translation to firstorder logic, which enables the use of existing resolutionbased theorem provers. Second, I present an approximation of HOL based on field constraint analysis, a new technique that enables
Extending Sledgehammer with SMT Solvers
"... Abstract. Sledgehammer is a component of Isabelle/HOL that employs firstorder automatic theorem provers (ATPs) to discharge goals arising in interactive proofs. It heuristically selects relevant facts and, if an ATP is successful, produces a snippet that replays the proof in Isabelle. We extended Sl ..."
Abstract

Cited by 18 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Sledgehammer is a component of Isabelle/HOL that employs firstorder automatic theorem provers (ATPs) to discharge goals arising in interactive proofs. It heuristically selects relevant facts and, if an ATP is successful, produces a snippet that replays the proof in Isabelle. We extended Sledgehammer to invoke satisfiability modulo theories (SMT) solvers as well, exploiting its relevance filter and parallel architecture. Isabelle users are now pleasantly surprised by SMT proofs for problems beyond the ATPs ’ reach. Remarkably, the best SMT solver performs better than the best ATP on most of our benchmarks. 1
On Combining Theories with Shared Set Operations
"... Abstract. We explore the problem of automated reasoning about the nondisjoint combination of theories that share set variables and operations. We prove a combination theorem and apply it to show the decidability of the satisfiability problem for a class of formulas obtained by applying propositional ..."
Abstract

Cited by 13 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We explore the problem of automated reasoning about the nondisjoint combination of theories that share set variables and operations. We prove a combination theorem and apply it to show the decidability of the satisfiability problem for a class of formulas obtained by applying propositional operations to quantified formulas belonging to several expressive decidable logics. 1
On Linear Arithmetic with Stars
"... Abstract. We consider an extension of integer linear arithmetic with a star operator that takes closure under vector addition of the set of solutions of linear arithmetic subformula. We show that the satisfiability problem for this language is in NP (and therefore NPcomplete). Our proof uses a gene ..."
Abstract

Cited by 10 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We consider an extension of integer linear arithmetic with a star operator that takes closure under vector addition of the set of solutions of linear arithmetic subformula. We show that the satisfiability problem for this language is in NP (and therefore NPcomplete). Our proof uses a generalization of a recent result on sparse solutions of integer linear programming problems. We present two consequences of our result. The first one is an optimal decision procedure for a logic of sets, multisets, and cardinalities that has applications in verification, interactive theorem proving, and description logics. The second is NPcompleteness of the reachability problem for a class of “homogeneous ” transition systems whose transitions are defined using integer linear arithmetic formulas. 1
Modular SMT Proofs for Fast Reflexive Checking inside Coq
 FIRST INTERNATIONAL CONFERENCE ON CERTIFIED PROGRAMS AND PROOFS
, 2011
"... We present a new methodology for exchanging unsatisfiability proofs between an untrusted SMT solver and a sceptical proof assistant with computation capabilities like Coq. We advocate modular SMT proofs that separate boolean reasoning and theory reasoning; and structure the communication between th ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
(Show Context)
We present a new methodology for exchanging unsatisfiability proofs between an untrusted SMT solver and a sceptical proof assistant with computation capabilities like Coq. We advocate modular SMT proofs that separate boolean reasoning and theory reasoning; and structure the communication between theories using NelsonOppen combination scheme. We present the design and implementation of a Coq reflexive verifier that is modular and allows for finetuned theoryspecific verifiers. The current verifier is able to verify proofs for quantifierfree formulae mixing linear arithmetic and uninterpreted functions. Our proof generation scheme benefits from the efficiency of stateoftheart SMT solvers while being independent from a specific SMT solver proof format. Our only requirement for the SMT solver is the ability to extract unsat cores and generate boolean models. In practice, unsat cores are relatively small and their proof is obtained with a modest overhead by our proofproducing prover. We present experiments assessing the feasibility of the approach for benchmarks obtained from the SMT competition.
HOLBoogie  An interactive proverbackend for the Verifiying C Compiler
"... Boogie is a verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic, i. e. pre and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
(Show Context)
Boogie is a verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic, i. e. pre and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ghost code and specification functions have been introduced to support a specific modeling methodology. Boogie’s verification conditions — constructed via a wp calculus from annotated programs — are usually transferred to automated theorem provers such as Simplify or Z3. This also comprises the expansion of languagespecific modeling constructs in terms of a theory describing memory and elementary operations on it; this theory is called a machine/memory model. In this paper, we present a proof environment, HOLBoogie, that combines Boogie with the interactive theorem prover Isabelle/HOL, for a specific C frontend and a machine/memory model. In particular, we present specific techniques combining automated and interactive proof methods for code verification. The main goal of our environment is to help program verification engineers in their task to “debug” annotations and to find combined proofs where purely automatic proof attempts fail.
Combinations of theories and the BernaysSchönfinkelRamsey class
 4th International Verification Workshop  VERIFY’07, Bremen
, 2007
"... Abstract. The BernaysSchönfinkelRamsey (BSR) class of formulas is the class of formulas that, when written in prenex normal form, have an ∃ ∗ ∀ ∗ quantifier prefix and do not contain any function symbols. This class is decidable. We show here that BSR theories can furthermore be combined with a ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The BernaysSchönfinkelRamsey (BSR) class of formulas is the class of formulas that, when written in prenex normal form, have an ∃ ∗ ∀ ∗ quantifier prefix and do not contain any function symbols. This class is decidable. We show here that BSR theories can furthermore be combined with another disjoint decidable theory, so that we obtain a decision procedure for quantifierfree formulas in the combination of the BSR theory and another decidable theory. The classical NelsonOppen combination scheme requires theories to be stablyinfinite, ensuring that, if a model is found for both theories in the combination, models agree on cardinalities and a global model can be built. We show that combinations with BSR theories can be much more permissive, even though BSR theories are not always stablyinfinite. We state that it is possible to describe exactly all the (finite or infinite) cardinalities of the models of a given BSR theory. For the other theory, it is thus only required to be able to decide if there exists a model of a given cardinality. With this result, it is notably possible to use some set operators, operators on relations, orders — any operator that can be expressed by a set of BSR formulas — together with the usual objects of SMT solvers, notably integers, reals, uninterpreted symbols, enumerated types. 1
L.: A flexible proof format for SMT: A proposal
, 2011
"... The standard input format for Satisfiability Modulo Theories (SMT) solvers has now reached its second version and integrates many of the features useful for users to interact with their favourite SMT solver. However, although many SMT solvers do output proofs, no standardised proof format exists. We ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
The standard input format for Satisfiability Modulo Theories (SMT) solvers has now reached its second version and integrates many of the features useful for users to interact with their favourite SMT solver. However, although many SMT solvers do output proofs, no standardised proof format exists. We, here, propose for discussion at the PxTP Workshop a generic proof format in the SMTLIB philosophy that is flexible enough to be easily recast for any SMT solver. The format is configurable so that the proof can be provided by the solver at the desired level of detail. 1
Proof Translation and SMTLIB Benchmark Certification: A Preliminary Report
 In 6’th International Workshop on SMT
, 2008
"... Satisfiability Modulo Theories (SMT) solvers are large and complicated pieces of code. As a result, ensuring their correctness is challenging. In this paper, we discuss a technique for ensuring soundness by producing and checking proofs. We give details of our implementation using CVC3 and HOL Light ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Satisfiability Modulo Theories (SMT) solvers are large and complicated pieces of code. As a result, ensuring their correctness is challenging. In this paper, we discuss a technique for ensuring soundness by producing and checking proofs. We give details of our implementation using CVC3 and HOL Light and provide initial results from our effort to certify the SMTLIB benchmarks. 1