## Customised induction rules for proving correctness of imperative programs (2004)

Citations: 9 (1 self)
### BibTeX

```bibtex
@MISC{Wallenburg04customisedinduction,
  author = {Angela Wallenburg},
  title = {Customised induction rules for proving correctness of imperative programs},
  year = {2004}
}
```

### Abstract

This thesis is aimed at simplifying the user-interaction in semi-interactive theorem proving for imperative programs. More specifically, we describe the creation of customised induction rules that are tailor-made for the specific program to verify and thus make the resulting proof simpler. The concern is in user interaction, rather than in proof strength. To achieve this, two different verification techniques are used. In the first approach, we develop an idea where a software testing technique, partition analysis, is used to compute a partition of the domain of the induction variable, based on the branch predicates in the program we wish to prove correct. Based on this partition we derive mechanically a partitioned induction rule, which then inherits the divide-and-conquer style of partition analysis, and (hopefully) is easier to use than the standard (Peano) induction rule. The second part of the thesis continues with a more thorough development of the method. Here the connection to software testing is completely removed

### Citations

Each entry lists the cited work, its authors and year, the number of citations CiteSeerX records for it, and (where available) the context in which this thesis cites it.

- **The B-Book: Assigning Programs to Meanings.** Abrial, 1996. 830 citations. Context: ... interaction that is achieved by separating the concerns of control and data correctness parts of proof goals has been noticed in the hardware community [18, 13], and can also be seen in the B method [2] where five different proof obligations are introduced for loop correctness. In the B method, the user always has to annotate the program with an invariant and a variant. This effort is comparable to ...
- **A Computational Logic.** Boyer, Moore, 1979. 548 citations. Context: ...esign, pages 275–293. Springer-Verlag, 1996. [BKR95] Adel Bouhoula, Emmanuel Kounalis, and Michael Rusinowitch. Automated mathematical induction. Journal of Logic and Computation, 5(5):631–668, 1995. [BM79] R. S. Boyer and J S. Moore. A Computational Logic. Academic Press, New York, NY, 1979. [BM88] Robert Boyer and J. Strother Moore. A Computational Logic Handbook. Number 23 in Perspectives in Computin...
- **A Computational Logic Handbook.** Boyer, Moore. 409 citations. Context: ...es are incorporated in the proof. For background references see [22, 7, 19, 20]. Whereas some of the mature techniques for explicit induction are quite powerful (having proved many difficult theorems [6, 8]), they are often restricted to proving properties about programs written in tiny functional programming languages. In this paper we merely scratch on the surface of automating induction proving, but ...
- **Rippling: A heuristic for guiding inductive proofs.** Bundy, Stevens, et al., 1993. 163 citations.
- **The oyster-clam system.** Bundy, Harmelen, et al., 1990. 130 citations. Context: ...es are incorporated in the proof. For background references see [22, 7, 19, 20]. Whereas some of the mature techniques for explicit induction are quite powerful (having proved many difficult theorems [6, 8]), they are often restricted to proving properties about programs written in tiny functional programming languages. In this paper we merely scratch on the surface of automating induction proving, but ...
- **An industrial strength theorem prover for a logic based on common lisp.** Kaufmann, Moore, 1997. 110 citations. Context: ... Other pieces of work to ease the user interaction in proving loop correctness are the automatic generation of loop invariants [17], interactive proof critics [15] and rippling [1]. Furthermore, ACL2 [16] constitutes a big effort to create an industrial-strength user-guided automated theorem prover, however we find no particular concern for simplifying proofs by induction there. 10 Summary and Conclus...
- **Java Card Technology for Smart Cards: Architecture and Programmer's Guide. Java Series.** Chen, 2000. 101 citations. Context: ...n created with the outspoken aim of being a software-engineer-friendly tool for formal methods. As the programming language the system currently uses a single-threaded subset of JAVA, called JAVA CARD [9]. The verification paradigm is to execute programs with symbolic values, which then are checked (symbolically) against the formal specification. For a background reference to symbolic execution, see [...
- **Productive use of failure in inductive proof.** Ireland, Bundy, 1996. 101 citations. Context: ...anch predicates, for the step cases, and 3) construct the base case from the information we have. The basic idea we use is similar in spirit to what has been termed "the productive use of failure" in [14]. The trick is that by first running a proof attempt until it gets stuck, we can learn something about the problem, and then try again with a better idea (in our case a better induction rule). In orde...
- **Proving properties of programs by structural induction.** Burstall, 1968. 93 citations. Context: ...01] A. Bundy. The automation of proof by mathematical induction. In A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, volume I, chapter 13, pages 845–911. Elsevier Science, 2001. [Bur69] R.M. Burstall. Proving properties of programs by structural induction. Computer Journal, 12:41–48, 1969. [BvHHS90] A. Bundy, F. van Harmelen, C. Horn, and A. Smaill. The oyster-clam system. In M. E. S...
- **ACL2 theorems about commercial microprocessors.** Brock, Kaufmann, et al., 1996. 68 citations. Context: ...ams. In I. Attali and T. Jensen, editors, Java on Smart Cards: Programming and Security. Revised Papers, Java Card 2000, International Workshop, Cannes, France, LNCS 2041, pages 6–24. Springer, 2001. [BKM96] Bishop Brock, Matt Kaufmann, and J. Strother Moore. Acl2 theorems about commercial microprocessors. In FMCAD '96: Proceedings of the First International Conference on Formal Methods in Computer-Aided...
- **A Dynamic Logic for the formal verification of Java Card programs.** Beckert, 2000. 66 citations. Context: ... with symbolic values, which then are checked (symbolically) against the formal specification. For a background reference to symbolic execution, see [11]. The logic used in the prover is JAVA CARD DL [4], an extension of Dynamic Logic [12] (abbreviated DL) for the use of JAVA CARD. DL is a first-order logic with modalities for partial, [p], and total correctness, ⟨p⟩, where p is a JAVA CARD sequence. ...
- **The automation of proof by mathematical induction.** Bundy, 2001. 48 citations. Context: ... induction as usual, but start "one step earlier". If we consider the step � � � � Ô � and replace � with � everywhere we end up with the formula � � � � �, and the need for square roots is gone! In [7] this style of induction step is termed destructor style. With the change to destructor style, the deduction rule we are trying to derive takes the form presented below. ...
- **Rippling: Meta-Level Guidance for Mathematical Reasoning.** Bundy, Basin, et al., 2005. 47 citations. Context: ... may still be required. Other pieces of work to ease the user interaction in proving loop correctness are the automatic generation of loop invariants [17], interactive proof critics [15] and rippling [1]. Furthermore, ACL2 [16] constitutes a big effort to create an industrial-strength user-guided automated theorem prover, however we find no particular concern for simplifying proofs by induction there...
- **Proof by Consistency.** Kapur, Musser, 1987. 46 citations. Context: ...ransactions on Software Engineering, 16(12):1402–1411, dec 1990. [IJR99] Andrew Ireland, Michael Jackson, and Gordon Reid. Interactive proof critics. Formal Aspects of Computing, 11(3):302–325, 1999. [KM87] Deepak Kapur and David R. Musser. Proof by consistency. Artif. Intell., 31(2):125–157, 1987. [KM97] Matt Kaufmann and J. Strother Moore. An industrial strength theorem prover for a logi...
- **Term rewriting induction.** Reddy, 1990. 46 citations. Context: ...d D. Kapur. Automatic Generation of Polynomial Loop Invariants: Algebraic Foundations. In International Symposium on Symbolic and Algebraic Computation 2004 (ISSAC04), pages 266–273. ACM Press, 2004. [Red90] U. S. Reddy. Term rewriting induction. In M. E. Stickel, editor, 10th International Conference on Automated Deduction, pages 162–178. Springer, Berlin, Heidelberg, 1990. [SKK94] K. Schneider, T. Krop...
- **Mechanizing Structural Induction.** Aubin, 1979. 40 citations. Context: ...ONCUR'02, Brno, Czech Republic, pages 105–120. INRIA, Technical Report, August 2002. [Abr96] Jean-Raymond Abrial. The B Book - Assigning Programs to Meanings. Cambridge University Press, August 1996. [Aub79] Raymond Aubin. Mechanizing structural induction. Theor. Comput. Sci., 9:329–362, 1979. [Bec01] Bernhard Beckert. A dynamic logic for the formal verification of Java Card programs. In I. Attali and T....
- **Automated boundary testing from Z and B.** Legeard, Peureux, et al., 2002. 38 citations. Context: ...oftware Engineering, 23(4):203–213, 1997. [Kni98] John C. Knight. Challenges in the utilization of formal methods. In Fault-Tolerant Systems: 5th International Symposium, FTRTFT'98, pages 1–17, 1998. [LPU02] Bruno Legeard, Fabien Peureux, and Mark Utting. Automated boundary testing from Z and B. In Lars-Henrik Eriksson and Peter Alexander Lindsay, editors, Formal Methods—Getting IT Right, volume 2391 of ...
- **Partition analysis: a method combining testing and verification.** Richardson, Clarke, 1985. 38 citations. Context: ...g, Third International Workshop on Formal Approaches to Testing of Software, FATES 2003, Montreal, Quebec, Canada, October 6th, 2003, volume 2931 of Lecture Notes in Computer Science. Springer, 2004. [RC85] D.J. Richardson and L.A Clarke. Partition Analysis: A Method Combining Testing and Verification. IEEE Transactions on Software Engineering, 11(12):1477–1490, 1985. [RCK04a] E. Rodríguez-Carbonell and...
- **Mathematical Induction.** Walther, 1994. 37 citations. Context: ...aper we deal with explicit induction only. In explicit induction, proofs are built using an induction principle for which (explicit) rules are incorporated in the proof. For background references see [22, 7, 19, 20]. Whereas some of the mature techniques for explicit induction are quite powerful (having proved many difficult theorems [6, 8]), they are often restricted to proving properties about programs written...
- **Extensions to the rippling-out tactic for guiding inductive proofs.** Bundy, Harmelen, et al., 1990. 37 citations. Context: ...ndy, F. van Harmelen, C. Horn, and A. Smaill. The oyster-clam system. In M. E. Stickel, editor, 10th International Conference on Automated Deduction, pages 647–648. Springer, Berlin, Heidelberg, 1990. [BvHSI90] A. Bundy, F. van Harmelen, A. Smaill, and A. Ireland. Extensions to the rippling-out tactic for guiding inductive proofs. In M. E. Stickel, editor, 10th International Conference on Automated Deductio...
- **Automatic datapath abstraction in hardware systems.** Hojati, Brayton, 1995. 32 citations. Context: ...towards user-interaction. The reduction of user interaction that is achieved by separating the concerns of control and data correctness parts of proof goals has been noticed in the hardware community [18, 13], and can also be seen in the B method [2] where five different proof obligations are introduced for loop correctness. In the B method, the user always has to annotate the program with an invariant an...
- **Automatic generation of polynomial loop invariants: Algebraic foundations.** Rodríguez-Carbonell, Kapur, 2004. 30 citations. Context: ...pproach the need for generalisation is reduced but may still be required. Other pieces of work to ease the user interaction in proving loop correctness are the automatic generation of loop invariants [17], interactive proof critics [15] and rippling [1]. Furthermore, ACL2 [16] constitutes a big effort to create an industrial-strength user-guided automated theorem prover, however we find no particular ...
- **A program logic for handling Java Card's transaction mechanism.** Beckert, Mostowski, 2003. 26 citations. Context: ...re. A Computational Logic. Academic Press, New York, NY, 1979. [BM88] Robert Boyer and J. Strother Moore. A Computational Logic Handbook. Number 23 in Perspectives in Computing. Academic Press, 1988. [BM03] Bernhard Beckert and Wojciech Mostowski. A program logic for handling Java Card's transaction mechanism. In Proceedings, Fundamental Approaches to Software Engineering (FASE), Warsaw, Poland, LNCS 26...
- **Automated mathematical induction.** Bouhoula, Kounalis, et al., 1995. 25 citations. Context: ...oore. Acl2 theorems about commercial microprocessors. In FMCAD '96: Proceedings of the First International Conference on Formal Methods in Computer-Aided Design, pages 275–293. Springer-Verlag, 1996. [BKR95] Adel Bouhoula, Emmanuel Kounalis, and Michael Rusinowitch. Automated mathematical induction. Journal of Logic and Computation, 5(5):631–668, 1995. [BM79] R. S. Boyer and J S. Moore. A Computational L...
- **Derivation and use of induction schemes in higher-order logic.** Slind, 1997. 20 citations. Context: ...aper we deal with explicit induction only. In explicit induction, proofs are built using an induction principle for which (explicit) rules are incorporated in the proof. For background references see [22, 7, 19, 20]. Whereas some of the mature techniques for explicit induction are quite powerful (having proved many difficult theorems [6, 8]), they are often restricted to proving properties about programs written...
- **On the structure of inductive reasoning: circular and tree-shaped proofs in the µ-calculus.** Sprenger, Dam, 2003. 20 citations. Context: ...aper we deal with explicit induction only. In explicit induction, proofs are built using an induction principle for which (explicit) rules are incorporated in the proof. For background references see [22, 7, 19, 20]. Whereas some of the mature techniques for explicit induction are quite powerful (having proved many difficult theorems [6, 8]), they are often restricted to proving properties about programs written...
- **An Abstract Interpretation Approach for Automatic Generation of Polynomial Invariants.** Rodríguez-Carbonell, Kapur, et al., 2004. 17 citations. Context: ...ter Science. Springer, 2004. [RC85] D.J. Richardson and L.A Clarke. Partition Analysis: A Method Combining Testing and Verification. IEEE Transactions on Software Engineering, 11(12):1477–1490, 1985. [RCK04a] E. Rodríguez-Carbonell and D. Kapur. An Abstract Interpretation Approach for Automatic Generation of Polynomial Invariants. In International Symposium on Static Analysis (SAS 2004), volume 3148 of Le...
- **Software verification with integrated data type refinement for integer arithmetic.** Beckert, Schlager, 2004. 16 citations. Context: ... consider are natural numbers (ℕ) and integers (ℤ). With integers we mean the ordinary mathematical integers of infinite range. There are facilities in the prover to deal with real JAVA CARD integers [5], but we will not use them here. The programs we consider in this paper are focused to the while loop construct, and as a simplification we did not treat nested loops. Regarding modalities, only total...
- **An introduction to proving the correctness of programs.** Hantler, King, 1976. 16 citations. Context: ...s, the verification paradigm is to execute programs with symbolic values, which then are checked (symbolically) against the formal specification. For a background reference to symbolic execution, see [HK76]. The logic used in the prover is JAVA CARD Dynamic Logic [HKT00], abbreviated DL. This DL has been extended specifically for the use of JAVA CARD, to a logic called Java Card DL [Bec01, BS01a]. Dynam...
- **A sequent calculus for first-order dynamic logic with trace modalities.** Beckert, Schlager, 2001. 15 citations. Context: ...tion for Object-oriented Software Development, Siena, Italy, pages 5–14. Technical Report DII 07/01, Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Siena, 2001. [BS01b] Bernhard Beckert and Steffen Schlager. A sequent calculus for first-order dynamic logic with trace modalities. In R. Gorè, A. Leitsch, and T. Nipkow, editors, Proceedings, International Joint Conferen...
- **Dynamic Logic. Foundations of Computing.** Harel, Kozen, Tiuryn, 2000. 13 citations. Context: ...re checked (symbolically) against the formal specification. For a background reference to symbolic execution, see [11]. The logic used in the prover is JAVA CARD DL [4], an extension of Dynamic Logic [12] (abbreviated DL) for the use of JAVA CARD. DL is a first-order logic with modalities for partial, [p], and total correctness, ⟨p⟩, where p is a JAVA CARD sequence. For instance, the formula ... is...
- **Online First issue.** Ahrendt, Baar, et al., 2004. 8 citations.
- **Handling Java's abrupt termination in a sequent calculus for Dynamic Logic.** Beckert, Sasse, 2001. 8 citations. Context: ...owski. A program logic for handling Java Card's transaction mechanism. In Proceedings, Fundamental Approaches to Software Engineering (FASE), Warsaw, Poland, LNCS 2621, pages 246–260. Springer, 2003. [BS01a] Bernhard Beckert and Bettina Sasse. Handling JAVA's abrupt termination in a sequent calculus for Dynamic Logic. In B. Beckert, R. France, R. Hähnle, and B. Jacobs, editors, Proceedings, IJCAR Worksho...
- **Interactive proof critics.** Ireland, Jackson, et al., 1999. 7 citations. Context: ...ion is reduced but may still be required. Other pieces of work to ease the user interaction in proving loop correctness are the automatic generation of loop invariants [17], interactive proof critics [15] and rippling [1]. Furthermore, ACL2 [16] constitutes a big effort to create an industrial-strength user-guided automated theorem prover, however we find no particular concern for simplifying proofs b...
- **Using a program verification calculus for constructing specifications from implementations.** Platzer, 2004. 7 citations. Context: ...ripping an object into its constituent parts to figure out how it works and then putting it back together to be able to work better with it. This is in many ways similar to what is used in the thesis [Pla04] to construct strongest specifications, although our needs are simpler. 6.1 Finding Predecessor Functions Our logical framework (Java Card DL) keeps track of assignments to variables (or program locat...
- **Using a software testing technique to improve theorem proving.** Hähnle, Wallenburg, 2004. 5 citations. Context: ...rating simpler inductive proofs. The main thrust is to make use of information from the program code to be able to devise better induction steps. The starting point is the idea presented in the paper [10] where the domain of the induction variable is partitioned into subdomains and an induction step is created for each of them. Here we extend that work by letting a theorem prover (using symbolic execu...
- **Discrete Structures, Logic and Computability.** Hein, 1994. 5 citations. Context: ...wn as first-order Peano induction. Here is the rule in Dynamic Logic: $\dfrac{\Gamma \vdash \varphi(0) \qquad \Gamma \vdash \forall i \in \mathbb{N} \cdot \varphi(i) \rightarrow \varphi(i+1)}{\Gamma \vdash \forall i \in \mathbb{N} \cdot \varphi(i)}$ A proof of the soundness of this rule can be found for example in the book [Hei95]. This form of induction allows us to prove a formula valid for all natural numbers. For instance, together with the precondition i ≥ 0, the following formula is very well suited to be proved totally ...
- **Control-path oriented verification of sequential generic circuits with control and data path.** Schneider, Kropf, et al., 1994. 4 citations. Context: ...towards user-interaction. The reduction of user interaction that is achieved by separating the concerns of control and data correctness parts of proof goals has been noticed in the hardware community [18, 13], and can also be seen in the B method [2] where five different proof obligations are introduced for loop correctness. In the B method, the user always has to annotate the program with an invariant an...
- **Automatic derivation of Loop Termination Conditions to Support Verification.** Powell, 2004. 2 citations. Context: ...nates then we could remove the restrictive tests on the induction variable(s). It would be interesting to exploit practical techniques specialized in this field, for instance in static analysis tools [Pow04]. Ola Olsson and Angela Wallenburg – Nested Loops and Multiple Induction Variables: In proving total correctness of nested loops or induction with multiple variables, we expect no particular differ...