## A verification environment for sequential imperative programs in Isabelle/HOL (2005)

Venue: Logic for Programming, AI, and Reasoning, volume 3452 of LNAI

Citations: 24 (2 self-citations)

### BibTeX

```bibtex
@INPROCEEDINGS{Schirmer05averification,
  author    = {Norbert Schirmer},
  title     = {A verification environment for sequential imperative programs in Isabelle/HOL},
  booktitle = {Logic for Programming, AI, and Reasoning, volume 3452 of LNAI},
  year      = {2005},
  pages     = {398--414},
  publisher = {Springer}
}
```

### Abstract

We develop a general language model for sequential imperative programs together with a Hoare logic. We instantiate the framework with common programming language constructs and integrate it into Isabelle/HOL, to gain a usable and sound verification environment.

### Citations

1347 | Imperative functional programming
- Jones, Wadler
- 1993
- Citation context: ...In contrast to Oheimb [16] we do not have to invent a special kind of postcondition that explicitly depends on the result value of an expression. Similar to the state monad in functional programming [22] we introduce the command bind e c, which binds the value of expression e (of type ′s ⇒ ′v) at the current program state and feeds it into the following command c (of type ′v ⇒ (′s, ′p) com): bi...

779 | Isabelle/HOL — A Proof Assistant for Higher-Order Logic
- Nipkow, Paulson, et al.
- 2002
- Citation context: ...on 5 concludes. 2 Preliminary Notes on Isabelle/HOL. Isabelle is a generic logical framework which allows one to encode different object logics. In this article we are only concerned with Isabelle/HOL [14], an encoding of higher order logic augmented with facilities for defining data types, records, inductive sets as well as primitive and total general recursive functions. The syntax of Isabelle is rem...

745 | Separation logic: a logic for shared mutable data structures
- Reynolds
- 2002
- Citation context: ...ies-clause we can lift separation of heap components, which are directly expressible in the split heap model, to the level of procedures, without having to introduce a new logic like separation logic [19]. Crucial parts of the frame problem can then already be handled during verification condition generation. The calculus is developed, verified and integrated in the theorem prover Isabelle and the res...

107 | Proving pointer programs in Hoare logic
- Bornat
- 2000
- Citation context: ...ction results in the proof obligation N − 1 < N in the verification condition. Heap: The heap can contain structured values like structs in C or records in Pascal. Our model of the heap follows Bornat [2]. We have one heap variable f of type ref ⇒ value for each component f of type value of the struct. A typical structure to represent a linked list in the heap is struct {int cont; list *next} list. Th...

81 | Some techniques for proving correctness of programs which alter data structures
- Burstall
- 1972
- Citation context: ...Z),(A p Z)   wf r   P ⊆ dom Γ   ∀ p∈P. ∀ Z. Γ,Θ⊢t (P p Z) Call p (Q p Z),(A p Z)   The heap can contain structured values like structs in C or records in Pascal. Our model of the heap follows Burstall [2]. We have one heap variable f of type ref ⇒ value for each component f of type value of the struct. References ref are isomorphic to the natural numbers and contain Null. A typical structure to rep...

73 | Proving pointer programs in higher-order logic
- Mehta, Nipkow
- Citation context: ... cont of type ref ⇒ int and next of type ref ⇒ ref in our state-space record: record heap = next::ref ⇒ ref, cont::ref ⇒ int; record state = globals::heap, p::ref, q::ref, r::ref. We follow the approach of [10], and abstract the pointer structure in the heap to HOL lists of references. Then we can specify further properties on the level of HOL lists, rather than on the heap: List x h [] = (x = Null); List x ...

73 | Isabelle/Isar — a versatile environment for human-readable formal proof documents
- Wenzel
- 2002
- Citation context: ...ults in quite sizable proof obligations. But since they closely resemble the control flow the connection to the input program is not lost. To prove them, we used the structured proof language of Isar [24] that allows us to focus and keep track of the various different aspects, so that we can conduct the proof in a sensible order. Moreover it turned out that the Isar proofs are quite robust with regard...

67 | C Formalised in HOL
- Norrish
- 1998
- Citation context: ... verify parallel programs [18]. Still procedures were not present. Homeier [6] introduces procedures, but the variables are again limited to numbers. Later on detailed semantics for Java [16,7] and C [15] were embedded in a theorem prover. But verification of even simple programs suffers from the complex models. The Why tool [4] implements a program logics for annotated functional programs (with refer...

57 | Verification of Non-Functional Programs using Interpretations in Type Theory
- Filliâtre
- 2003
- Citation context: ...t for our needs. Moreover our entire development, the calculus together with its soundness and completeness proof, is carried out in Isabelle/HOL, in contrast to the pen and paper proofs of Filliâtre [3]. The rest of the paper is structured as follows. We start with a brief introduction to Isabelle/HOL in Section 2; in Section 3 we introduce the programming language model and the Hoare logics; Sectio...

42 | Why: a multi-language multi-prover verification tool, http://www.lri.fr/∼filliatr/ftp/publis/why-tool.ps.gz
- Filliâtre
- 2003
- Citation context: ...in limited to numbers. Later on detailed semantics for Java [16,7] and C [15] were embedded in a theorem prover. But verification of even simple programs suffers from the complex models. The Why tool [4] implements a program logics for annotated functional programs (with references) and produces verification conditions for an external theorem prover. It can handle uninterpreted parts of annotations t...

40 | Locales and locale expressions in Isabelle/Isar
- Ballarin
- 2004
- Citation context: ...ntax, the command procedures also defines a constant for the procedure body (named Fac-body) and creates two locales. The purpose of locales is to set up logical contexts to support modular reasoning [1]. One locale is named like the specification, in our case Fac-spec. This locale contains the procedure specification. The second locale is named Fac-impl and contains the assumption Γ ′′Fac′′ = Some...

38 | Hoare logic and auxiliary variables
- Kleymann
- 1998
- Citation context: ...le n plays the role of the auxiliary variable Z. It transports state information from the pre- to the postcondition. A detailed discussion of consequence rules and auxiliary variables can be found in [9,13].   P ⊆ {s. ∃ Z. ini s ∈ P′ Z ∧ (∀ t∈Q′ Z. ret s t ∈ R s t) ∧ (∀ t∈A′ Z. ret s t ∈ A)}   ∀ s t. Γ,Θ⊢ (R s t) res s t Q,A   ∀ Z. Γ,Θ⊢ (P′ Z) Call p (Q′ Z),(A′ Z)   Γ,Θ⊢ P call ini p ret res Q,A...

38 | Object-oriented verification based on record subtyping in higher-order logic
- Naraschewski, Wenzel
- 1998
- Citation context: ...e semantics is defined for polymorphic state spaces we introduce the state space representation which we will use later on to give some illustrative examples. We represent the state space as a record [14,12] in Isabelle/HOL. This idea goes back to Wenzel [19]. A simple state space with three local variables B, N and M can be modelled with the following record definition: record vars = B::bool, N::int, M:...

34 | An architecture for interactive program provers
- Meyer, Poetzsch-Heffter
- 2000
- Citation context: ...map imperative languages like Java to the tool by representing the heap in a reference variable. Splitting up verification condition generation and their proofs to different tools is also followed in [10,17]. 2 Preliminary Notes on Isabelle/HOL. Isabelle is a generic logical framework which allows one to encode different object logics. In this article we are only concerned with Isabelle/HOL [14], an encod...

33 | Mechanizing programming logics in higher-order logic
- Gordon
- Citation context: ...www.verisoft.de) under grant 01 IS C38. The responsibility for this article lies with the author. Related Work: The tradition of embedding a programming language in HOL goes back to the work of Gordon [12], where a while language with variables ranging over natural numbers is introduced. A polymorphic state space was already used by Wright et al. [21] in their mechanisation of refinement concepts, by H...

22 | Trustworthy tools for trustworthy programs: A verified verification condition generator
- Homeier, Martin
- 1994
- Citation context: ... et al. [21] in their mechanisation of refinement concepts, by Harrison in his formalisation of Dijkstra [5] and by Prensa to verify parallel programs [18]. Still procedures were not present. Homeier [6] introduces procedures, but the variables are again limited to numbers. Later on detailed semantics for Java [16,7] and C [15] were embedded in a theorem prover. But verification of even simple progra...

20 | Weakest precondition reasoning for Java programs with JML annotations
- Jacobs
- 2004
- Citation context: ...he proof rules do not complicate the verification of programs where abrupt termination is not present. The approach to split up the postcondition for normal and abrupt termination is also followed by [4,8]. The rules for the basic language constructs are standard:   Γ,Θ⊢ Q Skip Q,A   Γ,Θ⊢ {s. f s ∈ Q} Basic f Q,A   Γ,Θ⊢ P c1 R,A   Γ,Θ⊢ R c2 Q,A / Γ,Θ⊢ P Seq c1 c2 Q,A   Γ,Θ⊢ P c Q,A / Γ,Θ⊢ (g ∩ P) Guard g c Q,...

20 | Hoare logics in Isabelle/HOL
- Nipkow
- 2002
- Citation context: ...le n plays the role of the auxiliary variable Z. It transports state information from the pre- to the postcondition. A detailed discussion of consequence rules and auxiliary variables can be found in [9,13].   P ⊆ {s. ∃ Z. ini s ∈ P′ Z ∧ (∀ t∈Q′ Z. ret s t ∈ R s t) ∧ (∀ t∈A′ Z. ret s t ∈ A)}   ∀ s t. Γ,Θ⊢ (R s t) res s t Q,A   ∀ Z. Γ,Θ⊢ (P′ Z) Call p (Q′ Z),(A′ Z)   Γ,Θ⊢ P call ini p ret res Q,A...

17 | Computer-aided specification and verification of annotated object-oriented programs
- Boer, Pierik
- 2002
- Citation context: ...map imperative languages like Java to the tool by representing the heap in a reference variable. Splitting up verification condition generation and their proofs to different tools is also followed in [10,17]. 2 Preliminary Notes on Isabelle/HOL. Isabelle is a generic logical framework which allows one to encode different object logics. In this article we are only concerned with Isabelle/HOL [14], an encod...

9 | Java program verification in higher order logic with PVS and Isabelle
- Huisman
- 2001
- Citation context: ... by Prensa to verify parallel programs [18]. Still procedures were not present. Homeier [6] introduces procedures, but the variables are again limited to numbers. Later on detailed semantics for Java [16,7] and C [15] were embedded in a theorem prover. But verification of even simple programs suffers from the complex models. The Why tool [4] implements a program logics for annotated functional programs ...

9 | Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee
- Nieto
- 2002
- Citation context: ...olymorphic state space was already used by Wright et al. [21] in their mechanisation of refinement concepts, by Harrison in his formalisation of Dijkstra [5] and by Prensa to verify parallel programs [18]. Still procedures were not present. Homeier [6] introduces procedures, but the variables are again limited to numbers. Later on detailed semantics for Java [16,7] and C [15] were embedded in a theore...

9 | Mechanizing some advanced refinement concepts
- Wright, Hekanaho, et al.
- 1993
- Citation context: ...ng language in HOL goes back to the work of Gordon [12], where a while language with variables ranging over natural numbers is introduced. A polymorphic state space was already used by Wright et al. [21] in their mechanisation of refinement concepts, by Harrison in his formalisation of Dijkstra [5] and by Prensa to verify parallel programs [18]. Still procedures were not present. Homeier [6] introduce...

7 | Analyzing Java in Isabelle/HOL: Formalization, Type Safety and Hoare Logic
- Oheimb
- 2001
- Citation context: ... by Prensa to verify parallel programs [18]. Still procedures were not present. Homeier [6] introduces procedures, but the variables are again limited to numbers. Later on detailed semantics for Java [16,7] and C [15] were embedded in a theorem prover. But verification of even simple programs suffers from the complex models. The Why tool [4] implements a program logics for annotated functional programs ...

6 | Formalizing Dijkstra
- Harrison
- 1998
- Citation context: ...anging over natural numbers is introduced. A polymorphic state space was already used by Wright et al. [21] in their mechanisation of refinement concepts, by Harrison in his formalisation of Dijkstra [5] and by Prensa to verify parallel programs [18]. Still procedures were not present. Homeier [6] introduces procedures, but the variables are again limited to numbers. Later on detailed semantics for J...

5 | Miscellaneous Isabelle/Isar examples for higher-order logic. Part of the Isabelle distribution, http://isabelle.in.tum.de/library/ HOL/Isar examples/document.pdf
- Wenzel
- 2001
- Citation context: ...aces we introduce the state space representation which we will use later on to give some illustrative examples. We represent the state space as a record in Isabelle/HOL. This idea goes back to Wenzel [23]. A simple state space with three variables B, N and M can be modelled with the following record definition: record vars = B::bool, N::int, M::int. Records of type vars have three fields, named B, N an...

2 | Verification of BDD Algorithms
- Ortner
- 2004
- Citation context: ...nvironment. Moreover we validated the feasibility of our approach by verifying algorithms for binary decision diagrams, involving a high degree of side effects due to sharing in the pointer structure [17]. Applying the verification condition generator to the annotated programs results in quite sizable proof obligations. But since they closely resemble the control flow the connection to the input progr...