## Large Experimental Program Verification in the Theorema System (2004)

Venue: In Proceedings ISOLA 2004, Cyprus

Citations: 10 (8 self-citations)

### BibTeX

```bibtex
@INPROCEEDINGS{Jebelean04largeexperimental,
  author = {Tudor Jebelean and Laura Kovács and Nikolaj Popov},
  title = {Large Experimental Program Verification in the Theorema System},
  booktitle = {In Proceedings ISOLA 2004, Cyprus},
  year = {2004},
  pages = {92--99}
}
```

### Abstract

We describe practical experiments of program verification in the frame of the Theorema system. This includes both imperative programs (using Hoare logic) and functional programs (using fixpoint theory). For a certain class of imperative programs we are able to generate automatically the loop invariants and then the verification conditions, by using combinatorial and algebraic techniques. Verification conditions for functional recursive programs are derived and a soundness theorem is proven. The verification conditions in both cases are generated as natural-style predicate logic formulae, which can then be proven by Theorema, which issues natural-style proofs that are human-readable.

### Citations

A Discipline of Programming. Dijkstra, 1976. (1404 citations)
Citation context: ...ng a predicate transformer such that at the end the result is a list of verification conditions in the Theorema syntax. This process is relatively straightforward and implements a well-known technique [16,10], thus we will concentrate in this paper on the challenging problem of finding loop invariants and termination terms. The automatically generated invariants (and termination terms), together with othe...

An axiomatic basis for computer programming. Hoare, 1969. (1369 citations)
Citation context: ...ng a predicate transformer such that at the end the result is a list of verification conditions in the Theorema syntax. This process is relatively straightforward and implements a well-known technique [16,10], thus we will concentrate in this paper on the challenging problem of finding loop invariants and termination terms. The automatically generated invariants (and termination terms), together with othe...

The Art of Computer Programming, Volume 2: Seminumerical Algorithms, third ed. Knuth, 1998. (683 citations)
Citation context: ...$quo_{k+1} = quo_k + 1$; $rem_0 = x$; $rem_{k+1} = rem_k - y$, where quo and rem are the critical variables and k is the index of the loop. For each recursive equation we use the Gosper-Zeilberger algorithm (see e.g. [19],[14]). Namely, we use the Paule-Schorn implementation in Mathematica [26] which is already embedded in the Theorema system, in order to produce a closed form for the expressions of $quo_k$ and $rem_k$. quo...

Automatic discovery of linear restraints among variables of a program. Cousot, Halbwachs, 1978. (575 citations)
Citation context: ...rms). These annotations are the key to deductive verification of imperative programs. Although several techniques have been considered for automated invariant generation (e.g. abstract interpretation [8], constraint solving [7], polynomial algebra [32,25,29]), still in most verification systems these annotations are given by the user. It is g...

Introduction to Mathematical Theory of Computation. Manna, 1974. (193 citations)
Citation context: ...construct a detailed proof, however, we skip the details here. Secondly, using Scott induction, we will show that (2) is partially correct: $(\forall x : I_F[x])\,(F[x] \downarrow \Rightarrow O_F[x, F[x]])$. (13) As it is known [22,23], not every property is admissible and may be proven by Scott induction. However, properties which express partial correctness (13) are known to be admissible. A property φ is said to be partial corre...

Decision procedure for indefinite hypergeometric summation. Gosper, 1978. (143 citations)
Citation context: ...$= quo_k + 1$; $rem_0 = x$; $rem_{k+1} = rem_k - y$, where quo and rem are the critical variables and k is the index of the loop. For each recursive equation we use the Gosper-Zeilberger algorithm (see e.g. [19],[14]). Namely, we use the Paule-Schorn implementation in Mathematica [26] which is already embedded in the Theorema system, in order to produce a closed form for the expressions of $quo_k$ and $rem_k$. $quo_k = 0$...

Differentiably finite power series. Stanley, 1980. (127 citations)
Citation context: ...2.3 Mutual Recurrences. The technique presented above does not work if the loop body contains mutually dependent variables. In this case we use the technique of generating functions from combinatorics [33,31]. We demonstrate it on a concrete example: Specification["Fibonacci", Fibonacci[↓ n, ↑ F], Pre → (n ≥ 0), Post → (F = FibExp[n])] Program["Fibonacci", Fibonacci[↓ n, ↑ F], MODULE[{H, i}, i :...

A Mathematica version of Zeilberger's algorithm for proving binomial coefficient identities. Paule, Schorn, 1994. (116 citations)
Citation context: ...itical variables and k is the index of the loop. For each recursive equation we use the Gosper-Zeilberger algorithm (see e.g. [19],[14]). Namely, we use the Paule-Schorn implementation in Mathematica [26] which is already embedded in the Theorema system, in order to produce a closed form for the expressions of $quo_k$ and $rem_k$: $quo_k = 0 + k$, $rem_k = x - k \cdot y$ (Note that in the above example the closed form...

Linear invariant generation using non-linear constraint solving. Colón, Sankaranarayanan, et al., 2003. (66 citations)
Citation context: ...are the key to deductive verification of imperative programs. Although several techniques have been considered for automated invariant generation (e.g. abstract interpretation [8], constraint solving [7], polynomial algebra [32,25,29]), still in most verification systems these annotations are given by the user. It is generally agreed [11] tha...

Theorema: Towards Computer-Aided Mathematical Theory Exploration. Buchberger, Craciun, et al. (60 citations)
Citation context: ...ogram Verification · Invariant Generation · Theorem Proving. 1 Introduction. We describe the theoretical basis and practical experiments of program verification in the frame of the Theorema system (see [4] and also www.theorema.org, which has links to our papers cited below). This work (in progress) is built on previous theoretical results and practical experiments regarding verification of functional ...

The Theorema Project: A Progress Report. Buchberger, Dupre, et al., 2000. (53 citations)
Citation context: ...uo ∗ y = 0) ∧ 0 ≤ rem ∧ 0 < y ∧ y ≤ rem ⇒ rem ≥ 0; (Init) 0 ≤ x ∧ 0 < y ⇒ (0 = 0) ∧ 0 ≤ x ∧ 0 < y. The proof of the above lemma is automatically produced by the PCS prover of the Theorema system [5], that uses quantifier elimination. Thus, we proved (total) correctness of the "Division" program. In the case of a FOR loop, the generation of the loop invariant is done in the same manner, but we us...

Algorithm Synthesis by Lazy Thinking: Examples and Implementation in Theorema. Buchberger, Craciun. (32 citations)
Citation context: ...to our papers cited below). This work (in progress) is built on previous theoretical results and practical experiments regarding verification of functional programs, as well as of imperative programs [3,28,21]. We follow two main approaches: The program verification project is supported by BMBWK (Austrian Ministry of Education, Science, and Culture), BMWA (Austrian Ministry of Economy and Work) and by MEC ...

Gfun: A package for the manipulation of generating and holonomic functions in one variable. Salvy, Zimmermann, 1994. (31 citations)
Citation context: ...2.3 Mutual Recurrences. The technique presented above does not work if the loop body contains mutually dependent variables. In this case we use the technique of generating functions from combinatorics [33,31]. We demonstrate it on a concrete example: Specification["Fibonacci", Fibonacci[↓ n, ↑ F], Pre → (n ≥ 0), Post → (F = FibExp[n])] Program["Fibonacci", Fibonacci[↓ n, ↑ F], MODULE[{H, i}, i :...

Automatic Generation of Polynomial Loop Invariants: Algebraic Foundations. Rodríguez-Carbonell, Kapur, 2004. (29 citations)
Citation context: ... verification of imperative programs. Although several techniques have been considered for automated invariant generation (e.g. abstract interpretation [8], constraint solving [7], polynomial algebra [32,25,29]), still in most verification systems these annotations are given by the user. It is generally agreed [11] that finding automatically such an...

Introduction to Gröbner bases. Buchberger, 1998. (27 citations)
Citation context: ...atorial and algebraic methods, invariant properties for loops that contain also conditional statements (IF-THEN-ELSE). An efficient method for solving this problem is the application of Gröbner Bases [1], namely to generate the Gröbner bases of the obtained polynomial relations from several possible program-traces (this approach has also been investigated in [29,25,32]). 3 Functional Programs. While p...

Polynomial Constants are Decidable. Müller-Olm, Seidl, 2002. (23 citations)
Citation context: ... verification of imperative programs. Although several techniques have been considered for automated invariant generation (e.g. abstract interpretation [8], constraint solving [7], polynomial algebra [32,25,29]), still in most verification systems these annotations are given by the user. It is generally agreed [11] that finding automatically such an...

Mathematics for Computer Science I - The Method of Mathematics (in German). Buchberger, Lichtenberger, 1981. (16 citations)
Citation context: ...h has also been investigated in [29,25,32]). 3 Functional Programs. While proving [partial] correctness of non-recursive procedural programs is quite well understood, for instance by using Hoare Logic [16,6], there are relatively few approaches to recursive procedures (see e.g. [27] Chap. 2). We discuss here a practical approach, based on the fixpoint theory of programs and including implementation, for ...

Program verification with the mathematical software system Theorema. Kirchner, 1999. (16 citations)
Citation context: ...sible errors) is avoided. However, for users who are more comfortable with the imperative style, we have implemented in Theorema a procedural language, as well as a verification condition generator [18] based on Hoare Logic and using the Weakest Precondition Strategy. This verification tool provides readable arguments for the correctness of programs, with useful hints for debugging. The user interfa...

Programmentwicklung und Verifikation. Futschek, 1989. (14 citations)
Citation context: ...ving [7], polynomial algebra [32,25,29]), still in most verification systems these annotations are given by the user. It is generally agreed [11] that finding automatically such annotations is in general very difficult. However, in most of the practical situations finding the expression - or at least giving some useful hints - is quite feasibl...

Non-linear loop invariant generation using Gröbner. Sankaranarayanan, Henry, et al., 2004. (13 citations)
Citation context: ... verification of imperative programs. Although several techniques have been considered for automated invariant generation (e.g. abstract interpretation [8], constraint solving [7], polynomial algebra [32,25,29]), still in most verification systems these annotations are given by the user. It is generally agreed [11] that finding automatically such an...

Algorithm design: a recursion transformation framework. Paull, 1988. (12 citations)
Citation context: ...ng [partial] correctness of non-recursive procedural programs is quite well understood, for instance by using Hoare Logic [16,6], there are relatively few approaches to recursive procedures (see e.g. [27] Chap. 2). We discuss here a practical approach, based on the fixpoint theory of programs and including implementation, for automatic generation of verification conditions for functional recursive pro...

Interprocedurally analyzing polynomial identities. Müller-Olm, Petter, et al., 2006. (9 citations)
Citation context: ...the work presented in [21]. Driven by practical reasons, the invariants that we are able to obtain automatically are equational (mostly polynomial) relations among the program variables. As stated in [24], generating valid polynomial identities has many applications, such as: constant propagation, discovery of symbolic constants, finding definite equalities among variables, etc. Obtaining automatical...

The Mathematica Book. Version 5.0. Wolfram, 2003. (9 citations)
Citation context: ...ze a practical verification engine in the frame of the Theorema system. The Theorema system is a computer mathematical assistant which is implemented on top of the computer algebra system Mathematica [34]. The system supports the activities of defining and organizing mathematical theories (including the description of algorithms) in the language of higher-order predicate logic, and also offers the nec...

Program schemes, recursion schemes, and formal languages. Garland, Luckham, 1973. (7 citations)
Citation context: ...r the automatic verification, because any additional theory present in the system will significantly increase the proving effort. The study of recursive schemes starts its traditions in the seventies [12] and is still alive [30], where equivalence between different schemes has been proven. However, we are interested in particular schemes for deriving verification conditions which will then be used for...

Verified algorithm development by lazy thinking. Buchberger, 2003. (6 citations)
Citation context: ...grams. The implementation is part of the Theorema system, and complements the research performed in the Theorema group on verification and synthesis of functional algorithms based on logic principles [9,2,17]. We consider the correctness problem expressed as follows: given the program (by its source text) which computes the function F and given its specification by a precondition on the input $I_F[x]$ and...

Verification of imperative programs in Theorema. Jebelean, Kovacs, et al. (6 citations)
Citation context: ...grams. The implementation is part of the Theorema system, and complements the research performed in the Theorema group on verification and synthesis of functional algorithms based on logic principles [9,2,17]. We consider the correctness problem expressed as follows: given the program (by its source text) which computes the function F and given its specification by a precondition on the input $I_F[x]$ and...

Functional Program Verification with Theorema. Craciun, Buchberger, 2003. (5 citations)
Citation context: ...grams. The implementation is part of the Theorema system, and complements the research performed in the Theorema group on verification and synthesis of functional algorithms based on logic principles [9,2,17]. We consider the correctness problem expressed as follows: given the program (by its source text) which computes the function F and given its specification by a precondition on the input $I_F[x]$ and...

Using combinatorial and algebraic techniques for automatic generation of loop invariants. Kovacs, 2005. (5 citations)
Citation context: ...n, inequalities, etc.), are finally used to prove correctness by calling the appropriate provers from the Theorema system. We successfully applied this approach to numerous interesting examples (see [20]), some of them being presented also in this paper. 2.1 Generation of Loop Invariants. Verification of correctness of loops needs additional information, so-called annotations (invariants and terminati...

A practical approach to verification of recursive programs in Theorema. Popov, 2003. (4 citations)
Citation context: ...to our papers cited below). This work (in progress) is built on previous theoretical results and practical experiments regarding verification of functional programs, as well as of imperative programs [3,28,21]. We follow two main approaches: The program verification project is supported by BMBWK (Austrian Ministry of Education, Science, and Culture), BMWA (Austrian Ministry of Economy and Work) and by MEC ...

Practical Aspects of Imperative Program Verification in Theorema. Kovacs, Jebelean, 2003. (1 citation)
Citation context: ...to our papers cited below). This work (in progress) is built on previous theoretical results and practical experiments regarding verification of functional programs, as well as of imperative programs [3,28,21]. We follow two main approaches: The program verification project is supported by BMBWK (Austrian Ministry of Education, Science, and Culture), BMWA (Austrian Ministry of Economy and Work) and by MEC ...

The Foundations of Program Verification, 2nd edn. Teubner. Loeckx, Sieber, 1987. (1 citation)
Citation context: ...construct a detailed proof, however, we skip the details here. Secondly, using Scott induction, we will show that (2) is partially correct: $(\forall x : I_F[x])\,(F[x] \downarrow \Rightarrow O_F[x, F[x]])$. (13) As it is known [22,23], not every property is admissible and may be proven by Scott induction. However, properties which express partial correctness (13) are known to be admissible. A property φ is said to be partial corre...

The tree equivalence of linear recursion schemes. Sabelfeld, 2000. (1 citation)
Citation context: ...tion, because any additional theory present in the system will significantly increase the proving effort. The study of recursive schemes starts its traditions in the seventies [12] and is still alive [30], where equivalence between different schemes has been proven. However, we are interested in particular schemes for deriving verification conditions which will then be used for verification of program...