## Nitpick: A counterexample generator for higher-order logic based on a relational model finder (Extended Abstract) (2009)

Venue: IN TAP 2009: SHORT PAPERS, ETH

Citations: 25 (8 self)

### BibTeX

```bibtex
@TECHREPORT{Blanchette09nitpick:a,
  author      = {Jasmin Christian Blanchette and Tobias Nipkow},
  title       = {Nitpick: A counterexample generator for higher-order logic based on a relational model finder (Extended Abstract)},
  institution = {IN TAP 2009: SHORT PAPERS, ETH},
  year        = {2009}
}
```

### Citations

752 | Isabelle/HOL — A Proof Assistant for Higher-Order Logic
- Nipkow, Paulson, et al.
- 2002
- Citation context: ...istants often include counterexample generators that can be run on putative theorems or on specific subgoals in a proof to spare users the Sisyphean task of trying to prove non-theorems. Isabelle/HOL [17] includes two such tools: Quickcheck [4] generates functional code for the higher-order logic (HOL) formula and evaluates it for random values of the free variables, and Refute [23] searches for finit...

735 | Symbolic model checking without BDDs
- Biere, Cimatti, et al.
- 1999
- Citation context: ...’s optimizations (notably its symmetry breaking) and its richer logic. Inductive datatypes are handled following an Alloy idiom [3], and inductive predicates are unrolled as in bounded model checking [2]. Infinite datatypes are approximated by a finite fragment augmented with an undefined value, embedded in a three-valued logic. The current prototype outperforms Refute in nearly all benchmarks while ...

431 | A sound type system for secure flow analysis
- Volpano, Smith, et al.
- 1996
- Citation context: ...ated calculus achieved 65% to 100% [6]. 6 Case Studies. 6.1 Volpano–Smith–Irvine Security Type System. Assuming a partition of program variables into public and private ones, Volpano, Smith, and Irvine [22] provide typing rules guaranteeing that the contents of private variables stay private. They define two types, High (private) and Low (public). An expression is High if it involves private variables; ...

316 | Software Abstractions: Logic, Language, and Analysis
- Jackson
- 2006
- Citation context: ...ductive predicates. Refute copes well with logical symbols, but inductive datatypes and predicates are mostly out of reach due to combinatorial explosion. In the first-order world, the Alloy Analyzer [13], a testing tool for first-order relational logic (FORL), has enjoyed considerable success lately. Alloy’s backend, the relational model finder Kodkod [21], is available as a stand-alone Java library ...

96 | A Davis-Putnam program and its application to finite first-order model search: quasigroup existence problems
- McCune
- 1994
- Citation context: ...is restricted to executable formulas. – SAT solving. The formula is translated to propositional logic and handed to a SAT solver. This procedure was pioneered by McCune in his first-order finder MACE [15]. Other first-order MACE-style finders include Paradox [8] and Kodkod [21]. The higher-order finders Refute [23] and Nitpick also belong to this category. – Direct search. The search for a model is pe...

72 | SEM: a system for enumerating models
- Zhang, Zhang
- 1995
- Citation context: ...and Nitpick also belong to this category. – Direct search. The search for a model is performed directly on the formula, without translation to propositional logic. This approach was introduced by SEM [24]. Some proof methods deliver sound or unsound counterexamples upon failure, notably model checking, semantic tableaux, and satisfiability modulo theory (SMT) solving. Also worthy of mention is the Dyna...

62 | Kodkod: A Relational Model Finder
- Torlak, Jackson
- 2007
- Citation context: ...each due to the state space explosion. Our new tool, Nitpick [6], is designed to bridge this gap. Instead of using a SAT solver directly, it builds upon the Kodkod first-order relational model finder [4].¹ As a result, it benefits from Kodkod’s optimizations (notably its symmetry breaking) and its richer logic. Inductive datatypes are handled following an Alloy idiom [3], and inductive predicates ar...

58 | Introduction to HOL: a theorem proving environment for higher order logic
- Gordon, Melham (eds.)
- 1993
- Citation context: ...itpick is integrated with the TPTP benchmark suite [20] and exposed three bugs in the higher-order provers TPS [1] and LEO-II [3]. 2 Background. 2.1 Higher-Order Logic (HOL). The types and terms of HOL [12] are those of the simply typed λ-calculus extended with type constructors and constants. Types: $\sigma ::= \alpha$ (type variable) $\mid (\sigma,\ldots,\sigma)\,\kappa$ (type construction). Terms: $t ::= x^\sigma$ (variable) $\mid c^\sigma$ (constant) $\mid t$ ...

41 | Random testing in Isabelle/HOL
- Berghofer, Nipkow
- 2004
- Citation context: ... generators that can be run on putative theorems or on specific subgoals in a proof to spare users the Sisyphean task of trying to prove non-theorems. Isabelle/HOL includes two such tools: Quickcheck [1] generates functional code for the HOL formula and evaluates it for random values of the free variables, and Refute [5] searches for finite countermodels of a formula through a reduction to SAT (Boole...

33 | Type-driven defunctionalization
- Bell, Bellegarde, et al.
- 1997
- Citation context: ...ation for map would then become $\mathit{map}\ f^{(\mathit{nat}\to\mathit{nat})\,\mathit{box}}\ (x \cdot xs) \simeq \mathit{get1Box}\ f\ x \cdot \mathit{map}\ f\ xs$, with $\mathit{map}\ (\mathit{Box}\ \mathit{Suc})\ ns$ at the call site. Notice that for function types, boxing is similar to defunctionalization [2], with selectors playing the role of “apply” functions. Further opportunities for boxing are created by uncurrying high-arity constants beforehand. Quantifier Massaging. (Co)inductive definitions are ...

27 | The TPTP Problem Library for Automated Theorem Proving. URL: http://www.tptp.org (visited on
- Sutcliffe, Suttner
- Citation context: ...es more formulas than Quickcheck and Refute (Section 7), to a large extent because it imposes no syntactic restrictions on the formulas to falsify. Nitpick is integrated with the TPTP benchmark suite [20] and exposed three bugs in the higher-order provers TPS [1] and LEO-II [3]. 2 Background. 2.1 Higher-Order Logic (HOL). The types and terms of HOL [12] are those of the simply typed λ-calculus extended w...

26 | New techniques that improve MACE-style model finding
- Claessen, Sörensson
- 2003
- Citation context: ...riables that have $p_i$ in their binding range, and size($p_i$) is a rough syntactic measure of $p_i$’s size; for larger clusters, it falls back on a heuristic inspired by Paradox’s clause splitting procedure [8]. Thus, the formula $\exists x^\alpha\, y^\alpha.\; p\,x \wedge q\,x\,y \wedge r\,y\,(f\,y\,y)$ is transformed into $\exists y^\alpha.\; r\,y\,(f\,y\,y) \wedge (\exists x^\alpha.\; p\,x \wedge q\,x\,y)$. Processing $y$ before $x$ in qfy would instead give $\exists x^\alpha.\; p\,x \wedge (\exists y^\alpha.\; q\,x\,y \wedge r\,y\,(\ldots$

26 | Automated Theorem Proving in Software Engineering
- Schumann
- 2001

20 | Relational analysis of algebraic datatypes
- Kuncak, Jackson
- 2005
- Citation context: ...rder relational model finder [4].¹ As a result, it benefits from Kodkod’s optimizations (notably its symmetry breaking) and its richer logic. Inductive datatypes are handled following an Alloy idiom [3], and inductive predicates are unrolled as in bounded model checking [2]. Infinite datatypes are approximated by a finite fragment augmented with an undefined value, embedded in a three-valued logic. ...

17 | SAT-based Finite Model Generation for Higher-Order Logic
- Weber
- Citation context: ...f trying to prove non-theorems. Isabelle/HOL includes two such tools: Quickcheck [1] generates functional code for the HOL formula and evaluates it for random values of the free variables, and Refute [5] searches for finite countermodels of a formula through a reduction to SAT (Boolean satisfiability). Their areas of applicability are almost disjoint: Quickcheck excels at inductive datatypes but is r...

17 | TPS: A Theorem-Proving System for Classical Type Theory
- Andrews, Bishop, et al.
- 1996
- Citation context: ...a large extent because it imposes no syntactic restrictions on the formulas to falsify. Nitpick is integrated with the TPTP benchmark suite [20] and exposed three bugs in the higher-order provers TPS [1] and LEO-II [3]. 2 Background. 2.1 Higher-Order Logic (HOL). The types and terms of HOL [12] are those of the simply typed λ-calculus extended with type constructors and constants: Types: $\sigma ::= \alpha$ ...

16 | Finding lexicographic orders for termination proofs in Isabelle/HOL
- Bulwahn, Krauss, et al.
- 2007
- Citation context: ...e occurrences become $q$, and unpolarized occurrences become $q \cup r_k$. To determine whether a predicate is well-founded, Nitpick generates a well-foundedness goal and invokes Isabelle’s termination prover [7] with a time limit. Given introduction rules of the form $\dfrac{p\,\bar t_{i1}\ \cdots\ p\,\bar t_{in_i}\quad Q_i}{p\,\bar u_i}$ for $i \in \{1,\ldots,m\}$, the termination prover must exhibit a well-founded relation $R$ such that $\bigwedge_{i=1}^{m} \bigwedge_{j=1}^{n_i} Q_i \longrightarrow$ 〈 〉 ...

11 | Progress report on LEO-II – an automatic theorem prover for higher-order logic
- Benzmüller, Paulson, et al.
- 2007
- Citation context: ...because it imposes no syntactic restrictions on the formulas to falsify. Nitpick is integrated with the TPTP benchmark suite [20] and exposed three bugs in the higher-order provers TPS [1] and LEO-II [3]. 2 Background. 2.1 Higher-Order Logic (HOL). The types and terms of HOL [12] are those of the simply typed λ-calculus extended with type constructors and constants: Types: $\sigma ::= \alpha$ (type variable)...

9 | Monotonicity inference for higher-order formulas
- Blanchette, Krauss
- 2010
- Citation context: ...d $k$. With monotonicity, it is sufficient to consider the single scope in which all types have cardinality $k$. We developed and implemented two calculi for inferring monotonicity, and proved them sound [6]. The first calculus, on which we focus here, has limited support for sets encoded as predicates. The second, more powerful calculus addresses this problem by annotating function arrows and relying on...

7 | Verifying a hotel key card system
- Nipkow
- 2006
- Citation context: ...g is a missing assumption $\Gamma,\sigma \vdash c_2$ in the typing rule for sequential composition. 6.2 Hotel Key Card System. We consider a state-based model of a vulnerable hotel key card system with recordable locks [16], inspired by an Alloy specification due to Jackson [13, pp. 299–306]. The formalization relies on three opaque types, room, guest, and key. A key card, of type card = key × key, combines an old key a...

3 | Alloy Analyzer+PVS in the analysis and verification of Alloy specifications
- Frias, Pombo, et al.
- Citation context: ...of methods deliver sound or unsound counterexamples upon failure, notably model checking, semantic tableaux, and satisfiability modulo theory (SMT) solving. Also worthy of mention is the Dynamite tool [11], which lets users prove Alloy formulas in the interactive theorem prover PVS. Weber [23, pp. 3–4] provides a more detailed discussion of related work. 9 Conclusion. Nitpick is to our knowledge the fir...

3 | A correctness proof for the Volpano/Smith security typing system
- Snelting, Wasserrab
- 2008
- Citation context: ...High if it modifies private variables only; commands that could alter public variables are Low. As our first case study, we consider a fragment of the formal soundness proof by Snelting and Wasserrab [19]. Given a variable partition $\Gamma$, the inductive predicate $\Gamma \vdash e : \sigma$ tells whether $e$ has type $\sigma$, whereas $\Gamma,\sigma \vdash c$ tells whether command $c$ has type $\sigma$. Below is a flawed definition of $\Gamma,\sigma \vdash c$: $\Gamma\,v \simeq \lfloor \mathit{High} \rfloor$ ...

2 | Compilation by Transformation in Non-Strict Functional Languages
- L. de Medeiros Santos
- 1995

2 | Bounded relational analysis of free datatypes
- Dunets, Schellhorn, et al.
- 2008
- Citation context: ...of the discriminators $\mathit{isNil}_{\alpha\,\mathit{list}\to o}$ and $\mathit{isCons}_{\alpha\,\mathit{list}\to o}$ and the selectors $\mathit{get1Cons}_{\alpha\,\mathit{list}\to\alpha}$ and $\mathit{get2Cons}_{\alpha\,\mathit{list}\to\alpha\,\mathit{list}}$, which give access to a nonempty list’s head and tail. Following Dunets et al. [10], $\mathit{Nil}$ and $\mathit{Cons}\ x\ xs$ are translated as $\mathit{isNil}$ and $\mathit{get1Cons}.x \cap \mathit{get2Cons}.xs$, respectively. The following axioms, with $N = 1, 2$, specify a subterm-closed finite universe of lists using the atoms $A_{\alpha\,\mathit{list}}$: D...