## Using first-order theorem provers in the Jahob data structure verification system (2007)


Venue: In Byron Cook and Andreas Podelski, editors, Verification, Model Checking, and Abstract Interpretation, LNCS 4349

Citations: 21 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Bouillaguet07usingfirst-order,
  author    = {Charles Bouillaguet and Viktor Kuncak and Thomas Wies and Karen Zee and Martin Rinard},
  title     = {Using first-order theorem provers in the Jahob data structure verification system},
  booktitle = {In Byron Cook and Andreas Podelski, editors, Verification, Model Checking, and Abstract Interpretation, LNCS 4349},
  year      = {2007},
  pages     = {74--88},
  publisher = {Springer}
}
```

### Abstract

This paper presents our integration of efficient resolution-based theorem provers into the Jahob data structure verification system. Our experimental results show that this approach enables Jahob to automatically verify the correctness of a range of complex dynamically instantiable data structures, including data structures such as hash tables and search trees, without the need for interactive theorem proving or techniques tailored to individual data structures. Our primary technical results include: (1) a translation from higher-order logic to first-order logic that enables the application of resolution-based theorem provers and (2) a proof that eliminating type (sort) information in formulas is both sound and complete, even in the presence of a generic equality operator. Moreover, our experimental results show that the elimination of this type information dramatically decreases the time required to prove the resulting formulas. These techniques enabled us to verify complex correctness properties of Java programs such as a mutable set implemented as an imperative linked list, a finite map implemented as a functional ordered tree, a hash table with a mutable array, and a simple library system example that uses these container data structures. Our system verifies (in a matter of minutes) that data structure operations correctly update the finite map, that they preserve data structure invariants (such as ordering of elements, membership in appropriate hash table buckets, or relationships between sets and relations), and that there are no run-time errors such as null dereferences or array out of bounds accesses.

### Citations

717 | Isabelle/HOL — A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS
- Nipkow, Paulson, et al.
- 2002

Citation Context: ...ons such as procedure contracts in special comments /*: ... */ that begin with a colon. The formulas in annotations belong to an expressive subset of the language used by the Isabelle proof assistant [16]. This language supports set comprehensions and tuples, which makes the specification of procedure contracts in this example very natural. Single dot . informally means “such that”, both for quantif...

538 | Parametric shape analysis via 3-valued logic
- Sagiv, Reps, et al.

Citation Context: ... of any results on noninteractive verification that data structures such as trees and hash tables meet their specifications expressed in terms of model fields. Abstract interpretation. Shape analyses [18,19] typically verify weaker properties than in our examples. In [10] the authors use the TVLA system to verify insertion sort and bubble sort. In [17, Page 35], the author uses TVLA to verify implementat...

518 | Lambda calculi with types
- Barendregt
- 1992

Citation Context: ... our setup, note that the verification condition generator in Jahob produces proof obligations in higher-order logic notation whose type system essentially corresponds to simply typed lambda calculus [2] (we allow some simple forms of parametric polymorphism but expect each occurrence of a symbol to have a ground type). The type system in our proof obligations therefore has no subtyping, so all Java ...

446 | The Spec# programming system: An overview
- Barnett, Rustan, et al.
- 2004

Citation Context: ...22.7 22.7 14 HashTable SPASS lookup 20.8 20.3 9 remove 57.1 56.3 12 update 1.4 0.8 2 entire class 119 113.8 75 Fig. 6. Benchmarks Characteristics and Verification Times. Verification systems. Boogie [3] is a sound verification system for the Spec# language, which extends C# with specification constructs and introduces a particular methodology for ensuring sound modular reasoning in the presence of a...

352 | Simplify: A theorem prover for program checking
- Detlefs, Nelson, et al.
- 2003

Citation Context: ...tion language. It supports a large set of Java features and sacrifices soundness to achieve higher usability for common verification tasks. Boogie and ESC/Java2 use Nelson-Oppen style theorem provers [4, 7, 13], which have potentially better support for arithmetic, but have more difficulties dealing with quantified invariants. Jahob also supports a prototype SMT-LIB interface to Nelson-Oppen style theorem pr...

204 | CVC Lite: A new implementation of the cooperating validity checker
- Barrett, Berezin
- 2004

Citation Context: ...tion language. It supports a large set of Java features and sacrifices soundness to achieve higher usability for common verification tasks. Boogie and ESC/Java2 use Nelson-Oppen style theorem provers [4, 7, 13], which have potentially better support for arithmetic, but have more difficulties dealing with quantified invariants. Jahob also supports a prototype SMT-LIB interface to Nelson-Oppen style theorem pr...

169 | Eliminating array bound checking through dependent types
- Xi, Pfenning
- 1998

Citation Context: ...found no need to limit the precision of the translation by restricting ourselves to the universal fragment. Type systems. Type systems have been used to verify algebraic data types [10], array bounds [46], and mutable structures [48], usually enforcing weaker properties than in our case. Recently, researchers have developed a promising approach [34] based on separation logic [17] that can verify shape...

154 | Resolution theorem proving
- Bachmair, Ganzinger

Citation Context: ...er, the two sorts considered (int and obj) are disjoint. Moreover, there is no overloading of predicate or function symbols. If we consider a standard resolution proof procedure for first-order logic [3] (without paramodulation) under these conditions, we can observe the following. 4 We encountered an example of a formula ϕ1 ∧ ϕ2 where a theorem prover proves each of ϕ1 and ϕ2 independently in a few ...

149 | Data refinement: model-oriented proof methods and their comparison
- de Roever, Engelhardt
- 1998

Citation Context: ...anges only in response to specification assignment statements, such as the one in the penultimate line of Figure 4. The use of ghost variables is sound and can be explained using simulation relations [5]. For example, if the developer incorrectly specifies specification assignments, Jahob will detect the violation of the representation invariants such as contentDefinition. If the developer specifies ...

149 | BI as an assertion language for mutable data structures
- Ishtiaq, O’Hearn
- 2001

Citation Context: ...es [10], array bounds [46], and mutable structures [48], usually enforcing weaker properties than in our case. Recently, researchers have developed a promising approach [34] based on separation logic [17] that can verify shape and content properties of imperative recursive data structures (although it has not been applied to hash tables yet). Our approach uses standard higher-order and first-order log...

127 | The TPTP Problem Library: CNF Release v1.2.1
- Sutcliffe, Suttner
- 1998

Citation Context: ...mulas from our examples. 5 Experimental Results. We implemented our translation to first-order logic and the interfaces to the first-order provers E [20] (using the TPTP format for first-order formulas [21]) and SPASS [22] (using its native format). We also implemented filtering described in [4, Appendix A] to automate the selection of assumptions in proof obligations. We evaluated our approach by im...

125 | E – A Brainiac Theorem Prover
- Schulz

Citation Context: ...xpressed in higher-order logic [16]. In the rest of this paper we show how we translate such verification conditions to first-order logic and prove them using theorem provers such as SPASS [22] and E [20]. public static FuncTree update(int k, Object v, FuncTree t) /*: requires "v ~= null" ensures "result..content = t..content - {(x,y). x=k} + {(k,v)}" */ { FuncTree new_left, new_right; Object new_da...

111 | Paramodulation-based theorem proving
- Nieuwenhuis, Rubio
- 2001

Citation Context: ...der have a built-in support only for one privileged equality symbol. Using user-defined predicates and supplying congruence axioms would fail to take advantage of the support for paramodulation rules [35] in these provers. What if, continuing our brave attempt at omitting sorts, we merge translation of all equalities, using the special equality symbol regardless of the sorts to which it applies? The r...

88 | Combining superposition, sorts and splitting
- Weidenbach
- 2001

Citation Context: ...Jahob are expressed in higher-order logic [16]. In the rest of this paper we show how we translate such verification conditions to first-order logic and prove them using theorem provers such as SPASS [22] and E [20]. public static FuncTree update(int k, Object v, FuncTree t) /*: requires "v ~= null" ensures "result..content = t..content - {(x,y). x=k} + {(k,v)}" */ { FuncTree new_left, new_right; Ob...

79 | Putting static analysis to work for verification: A case study
- Lev-Ami, Reps, et al.
- 2000

Citation Context: ...such as trees and hash tables meet their specifications expressed in terms of model fields. Abstract interpretation. Shape analyses [18,19] typically verify weaker properties than in our examples. In [10] the authors use the TVLA system to verify insertion sort and bubble sort. In [17, Page 35], the author uses TVLA to verify implementations of insertion and removal operations on sets implemented as m...

72 | ESC/Java2: Uniting ESC/Java and JML
- Kiniry, Cok
- 2005

Citation Context: ...creates potentially more difficult frame conditions when analyzing procedure calls compared to the ones created in Jahob, but the correctness of this methodology seems easier to establish. ESC/Java 2 [9] is a verification system for Java that uses JML [24] as a specification language. It supports a large set of Java features and sacrifices soundness to achieve higher usability for common verification...

67 | A rewriting approach to satisfiability procedures
- Armando, Ranise, et al.

Citation Context: ...es described in this paper, resolution-based theorem provers are no worse than current Nelson-Oppen style theorem provers. Combining these two theorem proving approaches is an active area of research [2, 37], and our system could also take advantage of these ideas, potentially resulting in more robust support for arithmetic reasoning. Specification variables are present in Boogie [26] and ESC/Java2 [8] u...

66 | The Krakatoa tool for certification of Java/JavaCard programs annotated with JML annotations
- Marché, Paulin-Mohring, et al.

Citation Context: ...s and hash tables meet their specifications expressed in terms of model fields. The properties we are reporting on have previously been verified only interactively [14, 15, 19, 47]. The Krakatoa tool [29] can verify JML specifications of Java code. We are not aware of its use to verify data structures in an automated way. Abstract interpretation. Shape analyses [25, 39, 40] typically verify weaker pro...

60 | Abstract Data Types and Software Validation
- Guttag, Horowitz, et al.
- 1978

Citation Context: ...on that data structures such as trees and hash tables meet their specifications expressed in terms of model fields. The properties we are reporting on have previously been verified only interactively [14, 15, 19, 47]. The Krakatoa tool [29] can verify JML specifications of Java code. We are not aware of its use to verify data structures in an automated way. Abstract interpretation. Shape analyses [25, 39, 40] typ...

42 | Automatic verification of pointer programs using grammar-based shape analysis
- Lee, Yang, et al.
- 2005

Citation Context: ...[14, 15, 19, 47]. The Krakatoa tool [29] can verify JML specifications of Java code. We are not aware of its use to verify data structures in an automated way. Abstract interpretation. Shape analyses [25, 39, 40] typically verify weaker properties than in our examples. In [27] the authors use the TVLA system to verify insertion sort and bubble sort. In [38, Page 35], the author uses TVLA to verify implementat...

39 | TestEra: Specification-based testing of Java programs using SAT
- Khurshid, Marinov
- 2004

Citation Context: ...scope. They apply the technique to analysis of real-world implementations of linked lists. Another approach for finding bugs is exhaustive testing by generating tests that satisfy given preconditions [18, 30]. These techniques are very effective at finding bugs, but do not guarantee the absence of errors. 7 Conclusions. We presented a technique for verifying complex data structure properties using resoluti...

36 | Verifying a file system implementation
- Arkoudas, Zee, et al.
- 2004

Citation Context: ...s. The authors therefore omit type information and then check the resulting proofs for soundness. A similar approach was adopted to encoding multi-sorted logic in the Athena theorem proving framework [1]. In contrast, we were able to prove that omitting sort information preserves soundness and completeness when sorts are disjoint and have the same cardinality. Type systems and separation logic. Recen...

36 | Modular Data Structure Verification
- Kuncak
- 2007

Citation Context: ...tion need not deal with transitive closure present in the implementation of recursive data structures. The context of this work is the Jahob system for verifying data structure consistency properties [7]. Our initial goal was to incorporate first-order theorem provers into Jahob to verify data structure clients. While we have indeed successfully verified data structure clients, we also discovered tha...

36 | A verification methodology for model fields
- Leino, Müller
- 2006

Citation Context: ...ication constructs and introduces a particular methodology for ensuring sound modular reasoning in the presence of aliasing and object-oriented features. Specification variables are present in Boogie [9] under the name model fields. We are not aware of any results on noninteractive verification that data structures such as trees and hash tables meet their specifications expressed in terms of model fi...

34 | Field constraint analysis
- Wies, Kuncak, et al.
- 2006

Citation Context: ...he starting formula. Moreover, splitting enables Jahob to prove different conjuncts using different techniques, allowing the translation described in this paper to be combined with other translations [8, 23]. After splitting, the resulting formulas have the form of implications A1 ∧ ... ∧ An ⇒ G, which we call sequents. We call A1, ..., An the assumptions and G the goal of the sequent. The assumptions ty...

34 | Practical refinement-type checking
- Davies
- 2005

Citation Context: ...perience so far we found no need to limit the precision of the translation by restricting ourselves to the universal fragment. Type systems. Type systems have been used to verify algebraic data types [10], array bounds [46], and mutable structures [48], usually enforcing weaker properties than in our case. Recently, researchers have developed a promising approach [34] based on separation logic [17] th...

32 | An LCF-style interface between HOL and first-order logic
- Hurd
- 2002

Citation Context: ...cture operations; if the developer incorrectly specifies an invariant or an update to a specification variable, the system will detect an error. Translation from higher-order to first-order logic. In [6,12,14] the authors also address the process of proving higher-order formulas using first-order theorem provers. Our work differs in that we do not aim to provide automation to a general-purpose higher-order...

32 | Lightweight relevance filtering for machine-generated resolution problems
- Meng, Paulson

Citation Context: ...ues are the main contribution of this paper; the use of the third technique confirms previous observations about the usefulness of assumption filtering in automatically generated first-order formulas [13]. Verified data structures and properties. Together, these techniques enabled us to verify, for example, that binary search trees and hash tables correctly implement their relational interfaces, inclu...

32 | Automatic Testing of Software with Structurally Complex Inputs
- Marinov
- 2004

Citation Context: ...scope. They apply the technique to analysis of real-world implementations of linked lists. Another approach for finding bugs is exhaustive testing by generating tests that satisfy given preconditions [18, 30]. These techniques are very effective at finding bugs, but do not guarantee the absence of errors. 7 Conclusions. We presented a technique for verifying complex data structure properties using resoluti...

31 | Deciding Boolean Algebra with Presburger Arithmetic
- Kuncak, Nguyen, et al.

Citation Context: ...he starting formula. Moreover, splitting enables Jahob to prove different conjuncts using different techniques, allowing the translation described in this paper to be combined with other translations [8, 23]. After splitting, the resulting formulas have the form of implications A1 ∧ ... ∧ An ⇒ G, which we call sequents. We call A1, ..., An the assumptions and G the goal of the sequent. The assumptions ty...

28 | Experiments on supporting interactive proof using resolution
- Meng, Paulson

Citation Context: ...cture operations; if the developer incorrectly specifies an invariant or an update to a specification variable, the system will detect an error. Translation from higher-order to first-order logic. In [6,12,14] the authors also address the process of proving higher-order formulas using first-order theorem provers. Our work differs in that we do not aim to provide automation to a general-purpose higher-order...

26 | An algorithm for deciding BAPA: Boolean Algebra with Presburger Arithmetic
- Kuncak, Nguyen, et al.
- 2005

Citation Context: ...structs that it cannot translate exactly. Examples include transitive closure (which can often be translated into monadic second-order logic [44, 45]) and symbolic cardinality constraints (as in BAPA [21]). Our first-order translation approximates such subformulas in a sound way, by replacing them with True or False depending on the polarity of the subformula occurrence. The result of the approximation...

26 | Safe Programming with Pointers through Stateful Views
- Zhu, Xi
- 2005

Citation Context: ...ecision of the translation by restricting ourselves to the universal fragment. Type systems. Type systems have been used to verify algebraic data types [10], array bounds [46], and mutable structures [48], usually enforcing weaker properties than in our case. Recently, researchers have developed a promising approach [34] based on separation logic [17] that can verify shape and content properties of im...

25 | Quantitative Shape Analysis
- Rugina
- 2004

Citation Context: ... of any results on noninteractive verification that data structures such as trees and hash tables meet their specifications expressed in terms of model fields. Abstract interpretation. Shape analyses [18,19] typically verify weaker properties than in our examples. In [10] the authors use the TVLA system to verify insertion sort and bubble sort. In [17, Page 35], the author uses TVLA to verify implementat...

22 | Combining theorem proving with static analysis for data structure consistency
- Zee, Lam, et al.
- 2004

Citation Context: ...on that data structures such as trees and hash tables meet their specifications expressed in terms of model fields. The properties we are reporting on have previously been verified only interactively [14, 15, 19, 47]. The Krakatoa tool [29] can verify JML specifications of Java code. We are not aware of its use to verify data structures in an automated way. Abstract interpretation. Shape analyses [25, 39, 40] typ...

20 | Automated verification of shape, size and bag properties
- Chin, David, et al.
- 2007

Citation Context: ...rt information preserves soundness and completeness when sorts are disjoint and have the same cardinality. Type systems and separation logic. Recently, researchers have developed a promising approach [15] that can verify shape and content properties of imperative recursive data structures (although it has not been applied to hash tables yet). Our approach uses standard higher-order and first-order log...

19 | Reasoning with specifications containing method calls and model fields
- Cok
- 2005

Citation Context: ..., 37], and our system could also take advantage of these ideas, potentially resulting in more robust support for arithmetic reasoning. Specification variables are present in Boogie [26] and ESC/Java2 [8] under the name model fields. We are not aware of any results on non-interactive verification that data structures such as trees and hash tables meet their specifications expressed in terms of model f...

19 | Decision procedures for set-valued fields
- Kuncak, Rinard
- 2005

Citation Context: ...ion for using first-order provers is the observation that quantifier-free constraints on sets and relations that represent data structures can be translated to first-order logic or even its fragments [23]. This approach is suitable for verifying clients of data structures, because such verification need not deal with transitive closure present in the implementation of data structures. The context of t...

18 | Modular verification of code with SAT
- Dennis, Chang, et al.
- 2006

Citation Context: ...tandard higher-order and first-order logic and seems conceptually simpler, but generates proof obligations that have potentially more quantifiers and case analyses. Constraint solving and testing. In [12] the authors use a constraint solver based on translation to propositional logic to identify all errors within a given scope. They apply the technique to analysis of real-world implementations of link...

17 | Translating higher-order problems to first-order clauses
- Meng, Paulson
- 2008

Citation Context: ...cture operations; if the developer incorrectly specifies an invariant or an update to a specification variable, the system will detect an error. Translation from higher-order to first-order logic. In [6,12,14] the authors also address the process of proving higher-order formulas using first-order theorem provers. Our work differs in that we do not aim to provide automation to a general-purpose higher-order...

16 | Zap: Automated theorem proving for software analysis
- Ball, Lahiri, et al.
- 2005

Citation Context: ...tion language. It supports a large set of Java features and sacrifices soundness to achieve higher usability for common verification tasks. Boogie and ESC/Java2 use Nelson-Oppen style theorem provers [4, 7, 13], which have potentially better support for arithmetic, but have more difficulties dealing with quantified invariants. Jahob also supports a prototype SMT-LIB interface to Nelson-Oppen style theorem pr...

11 | On Verifying Complex Properties using Symbolic Shape Analysis
- Wies, Kuncak, et al.

Citation Context: ...he starting formula. Moreover, splitting enables Jahob to prove different conjuncts using different techniques, allowing the translation described in this paper to be combined with other translations [22,44,45]. After splitting, the resulting formulas have the form of implications A1 ∧ ... ∧ An ⇒ G, which we call sequents. We call A1, ..., An the assumptions and G the goal of the sequent. The assumptions...

10 | Shape analysis of sets
- Reineke
- 2006

Citation Context: ...n sort and bubble sort. In [17, Page 35], the author uses TVLA to verify implementations of insertion and removal operations on sets implemented as mutable lists and binary search trees. The approach [17] uses manually supplied predicates and transfer functions and axioms for the analysis, but is able to infer loop invariants in an imperative implementation of trees. Our implementation of trees is fun...

9 | Extensions of first-order logic
- Manzano
- 2005

9 | Java program verification in higher order logic with PVS and Isabelle
- Huisman
- 2001

Citation Context: ...on that data structures such as trees and hash tables meet their specifications expressed in terms of model fields. The properties we are reporting on have previously been verified only interactively [14, 15, 19, 47]. The Krakatoa tool [29] can verify JML specifications of Java code. We are not aware of its use to verify data structures in an automated way. Abstract interpretation. Shape analyses [25, 39, 40] typ...

8 | Preliminary design of JML
- Leavens, Baker, et al.
- 2000

Citation Context: ...when analyzing procedure calls compared to the ones created in Jahob, but the correctness of this methodology seems easier to establish. ESC/Java 2 [9] is a verification system for Java that uses JML [24] as a specification language. It supports a large set of Java features and sacrifices soundness to achieve higher usability for common verification tasks. Boogie and ESC/Java2 use Nelson-Oppen style t...

7 | Using first-order theorem provers in a data structure verification system
- Bouillaguet, Kuncak, et al.
- 2007

Citation Context: ...oval. This paper explores the verification of programs with such data structures using resolution-based theorem provers for first-order logic with equality. We only summarize the main ideas here; see [4] for details. Initial goal and the effectiveness of the approach. The initial motivation for using first-order provers is the observation that quantifier-free constraints on sets and relations that re...

3 | Binary search trees. The Archive of Formal Proofs
- Kuncak
- 2004