## Integrated Reasoning and Proof Choice Point Selection in the Jahob System (Mechanisms for Program Survival)

### Cached

### Download Links

Citations: | 3 - 0 self |

### BibTeX

@MISC{Rinard_integratedreasoning,

author = {Martin Rinard},

title = {Integrated Reasoning and Proof Choice Point Selection in the Jahob System (Mechanisms for Program Survival)},

year = {}

}

### OpenURL

### Abstract

Abstract. In recent years researchers have developed a wide range of powerful automated reasoning systems. We have leveraged these systems to build Jahob, a program specification, analysis, and verification system. In contrast to many such systems, which use a monolithic reasoning approach, Jahob provides a general integrated reasoning framework, which enables multiple automated reasoning systems to work together to prove the desired program correctness properties. We have used Jahob to prove the full functional correctness of a collection of linked data structure implementations. The automated reasoning systems are able to automatically perform the vast majority of the reasoning steps required for this verification. But there are some complex verification conditions that they fail to prove. We have therefore developed a proof language, integrated into the underlying imperative Java programming language, that developers can use to control key choice points in the proof search space. Once the developer has resolved these choice points, the automated reasoning systems are able to complete the verification. This approach appropriately leverages both the developer’s insight into the high-level structure of the proof and the ability of the automated reasoning systems to perform the mechanical steps required to prove the verification conditions. Building on Jahob’s success with this challenging program verification problem, we contemplate the possibility of verifying the complete absence of fatal errors in large software systems. We envision combining simple techniques that analyze the vast majority of the program with heavyweight techniques that analyze those more sophisticated parts of the program that may require arbitrarily sophisticated reasoning. Modularity mechanisms such as abstract data types enable the sound division of the program for this purpose. The goal is not a completely correct program, but a program that can survive any remaining errors to continue to provide acceptable service. 1

### Citations

731 |
Isabelle/HOL: a proof assistant for higher-order logic, volume 2283
- Nipkow, Paulson, et al.
- 2002
(Show Context)
Citation Context ... interface to SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isabelle =-=[21]-=- and Coq [22]) (see Figure 1). The interactive theorem prover interfaces make it possible for Jahob to, when necessary, leverage human insight to prove arbitrarily complex formulas requiring arbitrari... |

475 |
Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions
- Bertot, Castéran
- 2004
(Show Context)
Citation Context ... SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isabelle [21] and Coq =-=[22]-=-) (see Figure 1). The interactive theorem prover interfaces make it possible for Jahob to, when necessary, leverage human insight to prove arbitrarily complex formulas requiring arbitrarily sophistica... |

425 | Z3: an efficient SMT solver
- Moura, Bjørner
- 2008
(Show Context)
Citation Context ... systems to complex higher-order logic formulas. Jahob contains a simple syntactic prover, interfaces to first-order provers (SPASS [11] and E [12]), an interface to SMT provers (CVC3 [13, 14] and Z3 =-=[15, 16]-=-), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isabelle [21] and Coq [22]) (see Figure 1). The interactive theor... |

231 | Compositional pointer and escape analysis for Java programs
- Whaley, Rinard
- 1999
(Show Context)
Citation Context ...n classes of leaks in array-based data structure implementations [32]. Modified escape analyses should also be able to find leaks that occur when the program takes certain exceptional execution paths =-=[33]-=-. A key difficulty is that objects may remain reachable in linked data structures with the data structure interface enabling invocation sequences that can cause the computation to access the objects. ... |

135 | Termination proofs for systems code
- Cook, Podelski, et al.
- 2006
(Show Context)
Citation Context ... verification of the consistency of individual data structures.4 Infinite Loops In the last several years researchers have developed a set of techniques for statically verifying that loops terminate =-=[29]-=-. We expect that, in general, researchers will be able to develop techniques that are effective in proving that the vast majority of loops terminate. But we also expect certain kinds of loops to conti... |

132 | Enhancing server availability and security through failure-oblivious computing
- Rinard, Cadar, et al.
- 2004
(Show Context)
Citation Context ...for example, an out of bounds write or write via a null pointer), the program simply discards the write. On read memory errors, the program simply makes up a value to return as the result of the read =-=[4]-=-. In effect, this technique changes the semantics of the underlying programming language to make every memory access that the program can ever execute succeed. Experimental results indicate that, in p... |

128 | E – A Brainiac Theorem Prover
- Schulz
(Show Context)
Citation Context ...vely apply arbitrary collections of specialized reasoning systems to complex higher-order logic formulas. Jahob contains a simple syntactic prover, interfaces to first-order provers (SPASS [11] and E =-=[12]-=-), an interface to SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isab... |

121 | MONA: Monadic second-order logic in practice
- Henriksen, Jensen, et al.
- 1995
(Show Context)
Citation Context ... logic formulas. Jahob contains a simple syntactic prover, interfaces to first-order provers (SPASS [11] and E [12]), an interface to SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA =-=[17, 18]-=-, an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isabelle [21] and Coq [22]) (see Figure 1). The interactive theorem prover interfaces make it pos... |

111 | Symbolic bounds analysis of pointers, array indices, and accessed memory regions
- Rugina, Rinard
- 2000
(Show Context)
Citation Context ...yverifying the absence of out of bounds array accesses is a much more challenging and complex task, in large part because of the need to reason about (potentially complex) array indexing expressions =-=[31]-=-. Once again, we expect the most productive approach to involve isolating complex array indexing computations inside abstract data types or similar modules, then using potentially heavyweight sophisti... |

101 | Automatic Detection and Repair of Errors in Data Structures,” Companion to the 18
- Rinard
- 2003
(Show Context)
Citation Context ...ly. Data structure repair, which is designed to restore important consistency properties to damaged data structures, can significantly improve the ability of the program to deliver acceptable results =-=[1, 6, 7]-=-. We have found that this result holds even when the repair is unable to completely reconstruct information originally stored in the data structure (typically because the data structure corruption err... |

90 | Combining superposition, sorts and splitting
- Weidenbach
(Show Context)
Citation Context ...to productively apply arbitrary collections of specialized reasoning systems to complex higher-order logic formulas. Jahob contains a simple syntactic prover, interfaces to first-order provers (SPASS =-=[11]-=- and E [12]), an interface to SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem pr... |

79 | Full functional verification of linked data structures
- Zee, Kuncak, et al.
- 2008
(Show Context)
Citation Context ...d, Jahob uses integrated reasoning — it implements a general framework that enables arbitrary reasoning systems to interoperate to prove the complex verification conditions that arise in this context =-=[8, 10]-=-. The success of integrated reasoning depends on two techniques: – Splitting: Jahob splits verification conditions into equivalent conjunctions of subformulas and processes each subformula independent... |

54 | M.: Data structure repair using goal-directed reasoning
- Demsky, Rinard
- 2005
(Show Context)
Citation Context ...ly. Data structure repair, which is designed to restore important consistency properties to damaged data structures, can significantly improve the ability of the program to deliver acceptable results =-=[1, 6, 7]-=-. We have found that this result holds even when the repair is unable to completely reconstruct information originally stored in the data structure (typically because the data structure corruption err... |

47 | Practical pluggable types for Java
- Papi, Ali, et al.
- 2008
(Show Context)
Citation Context ...imitives that terminate the program [3]. 6 Memory Errors Reasonably simple and usable augmented type systems exist that are capable of statically guaranteeing the absence of null pointer dereferences =-=[30]-=-. Staticallyverifying the absence of out of bounds array accesses is a much more challenging and complex task, in large part because of the need to reason about (potentially complex) array indexing e... |

44 | Generalized typestate checking for data structure consistency - Lam, Kuncak, et al. - 2005 |

39 | A Dynamic Technique for Eliminating Buffer Overflow Vulnerabilities (and Other Memory Errors - Rinard, Cadar, et al. - 2004 |

36 | Modular Data Structure Verification
- Kuncak
- 2007
(Show Context)
Citation Context ...d, Jahob uses integrated reasoning — it implements a general framework that enables arbitrary reasoning systems to interoperate to prove the complex verification conditions that arise in this context =-=[8, 10]-=-. The success of integrated reasoning depends on two techniques: – Splitting: Jahob splits verification conditions into equivalent conjunctions of subformulas and processes each subformula independent... |

36 | Efficient e-matching for smt solvers
- Moura, Bjørner
(Show Context)
Citation Context ... systems to complex higher-order logic formulas. Jahob contains a simple syntactic prover, interfaces to first-order provers (SPASS [11] and E [12]), an interface to SMT provers (CVC3 [13, 14] and Z3 =-=[15, 16]-=-), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isabelle [21] and Coq [22]) (see Figure 1). The interactive theor... |

31 | Deciding Boolean Algebra with Presburger Arithmetic
- Kuncak, Nguyen, et al.
(Show Context)
Citation Context ...ver, interfaces to first-order provers (SPASS [11] and E [12]), an interface to SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure =-=[19, 20]-=-, and interfaces to interactive theorem provers (Isabelle [21] and Coq [22]) (see Figure 1). The interactive theorem prover interfaces make it possible for Jahob to, when necessary, leverage human ins... |

30 | Solving quantified verification conditions using satisfiability modulo theories
- Ge, Barrett, et al.
(Show Context)
Citation Context ...alized reasoning systems to complex higher-order logic formulas. Jahob contains a simple syntactic prover, interfaces to first-order provers (SPASS [11] and E [12]), an interface to SMT provers (CVC3 =-=[13, 14]-=- and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure [19, 20], and interfaces to interactive theorem provers (Isabelle [21] and Coq [22]) (see Figure 1). The i... |

28 | Towards efficient satisfiability checking for boolean algebra with presburger arithmetic
- Kuncak, Rinard
- 2007
(Show Context)
Citation Context ...ver, interfaces to first-order provers (SPASS [11] and E [12]), an interface to SMT provers (CVC3 [13, 14] and Z3 [15, 16]), an interface to MONA [17, 18], an interface to the BAPA decision procedure =-=[19, 20]-=-, and interfaces to interactive theorem provers (Isabelle [21] and Coq [22]) (see Figure 1). The interactive theorem prover interfaces make it possible for Jahob to, when necessary, leverage human ins... |

26 | Modular pluggable analyses for data structure consistency - Kuncak, Lam, et al. |

24 | Mondrix: Memory isolation for Linux using Mondriaan memory protection
- Witchel, Rhee, et al.
- 2005
(Show Context)
Citation Context ... way to apply failure-oblivious computing is to use a compiler to introduce the memory error checks (although it is, in principle, possible to apply the technique at the binary or even hardware level =-=[23]-=-). Note that throwing exceptions on memory errors in the hope of invoking a developer-provided exception handler that can recover from the error is usually totally ineffective. In practice, the except... |

22 | Automatic Removal of Array Memory Leaks in Java
- Shaham, Kolodner, et al.
- 2000
(Show Context)
Citation Context ... program analysis and verification technology, the most challenging task we consider in this paper. Techniques exist for finding certain classes of leaks in array-based data structure implementations =-=[32]-=-. Modified escape analyses should also be able to find leaks that occur when the program takes certain exceptional execution paths [33]. A key difficulty is that objects may remain reachable in linked... |

19 | Cross-cutting techniques in program specification and analysis - Lam, Kuncak, et al. - 2005 |

18 | An integrated proof language for imperative programs
- Zee, Kuncak, et al.
- 2009
(Show Context)
Citation Context ...ecompositions) that the reasoning systems are unable to resolve in any relevant amount of time. We have therefore developed a proof language that enables developers to resolve these key choice points =-=[9]-=-. Because this proof language is integrated into the underlying imperative programming language (Java), it enables developers to stay within a familiar conceptual framework as they work with choice po... |

16 | Detecting and eliminating memory leaks using cyclic memory allocation
- Nguyen, Rinard
- 2007
(Show Context)
Citation Context ...ram because they deny parts of the program access to a resource (the program counter) that they need to execute successfully. The following bounded loop technique completely eliminates infinite loops =-=[24]-=-: 1 – Training: Execute the program for several training runs. For each loop, record the observed maximum — i.e., the maximum number of iterations the loop performed during any training run. 1 Of cour... |

15 |
Exploring the acceptability envelope
- Rinard, Cadar, et al.
- 2005
(Show Context)
Citation Context ...ave added to terminate the program in the face of unexpected executing conditions or state changes. One straightforward approach is to simply excise all calls to primitives that terminate the program =-=[3]-=-. 6 Memory Errors Reasonably simple and usable augmented type systems exist that are capable of statically guaranteeing the absence of null pointer dereferences [30]. Staticallyverifying the absence ... |

8 | The Hob system for verifying software design properties - Lam - 2007 |

7 | Static Specification Analysis for Termination of Specification-Based Data Structure Repair
- Demsky, Rinard
- 2003
(Show Context)
Citation Context ...ly. Data structure repair, which is designed to restore important consistency properties to damaged data structures, can significantly improve the ability of the program to deliver acceptable results =-=[1, 6, 7]-=-. We have found that this result holds even when the repair is unable to completely reconstruct information originally stored in the data structure (typically because the data structure corruption err... |