## Deductive Runtime Certification (2004)

### Download Links

- www.cag.lcs.mit.edu
- www.cag.csail.mit.edu
- people.csail.mit.edu

### Other Repositories/Bibliography

- DBLP

- Venue: Proceedings of the 2004 Workshop on Runtime Verification
- Citations: 11 (8 self-citations)

### BibTeX

```bibtex
@INPROCEEDINGS{Arkoudas04deductiveruntime,
  author    = {Konstantine Arkoudas and Martin Rinard},
  title     = {Deductive Runtime Certification},
  booktitle = {Proceedings of the 2004 Workshop on Runtime Verification},
  year      = {2004},
  pages     = {39--56}
}
```

### Abstract

This paper introduces a notion of certified computation whereby an algorithm not only produces a result r for a given input x, but also proves that r is a correct result for x. This can greatly enhance the credibility of the result: if we trust the axioms and inference rules that are used in the proof, then we can be assured that r is correct. Typically, the reasoning used in a certified computation is much simpler than the computation itself. We present and analyze two examples of certifying algorithms. We have developed...
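The notion in the abstract, illustrated with an added Python example (not code from the paper, and not Athena code): a Martelli-Montanari-style unification procedure that returns a substitution, paired with an independent checker that validates the result by the far simpler test "applying the substitution to both sides of every input equation yields equal terms". Unification is chosen because the citation contexts below name it as one of the paper's two examples. The equation system, the names `Var`, `T`, `unify`, `check_unifier` and `example_system` are this example's own; the system is constructed so that it yields the unifier {x ↦ a, y ↦ g(h(a)), z ↦ h(a)} quoted in the contexts, but it is not the paper's running example. The paper certifies results with formal proofs; here the certificate is just the substitution itself, and it certifies positive answers only. A negative answer (clash or failed occurs check) would need its own certificate, the offending equation together with the steps that derived it from the input, which this example reports as a reason but does not certify.

```python
"""Certifying unification: the solver returns a substitution, and an
independent, much simpler checker confirms it really unifies the input.
Added example; not code from the paper or from Athena."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    """A term variable. Compound terms are tuples (symbol, arg1, ..., argn);
    a constant is a one-element tuple such as ('a',)."""
    name: str


def T(symbol, *args):
    """Build the compound term symbol(args...)."""
    return (symbol,) + args


def apply(theta, t):
    """Homomorphic extension of the substitution theta to terms: variables
    not in theta map to themselves, and bindings are not re-applied."""
    if isinstance(t, Var):
        return theta.get(t, t)
    return (t[0],) + tuple(apply(theta, arg) for arg in t[1:])


def occurs(v, t):
    """Occurs check: does variable v appear anywhere in term t?"""
    if isinstance(t, Var):
        return v == t
    return any(occurs(v, arg) for arg in t[1:])


def unify(system):
    """Martelli-Montanari-style unification of a list of equations
    [(s1, t1), ..., (sn, tn)]. Returns (theta, None) with an idempotent
    unifier, or (None, reason) when no unifier exists. This is the complex
    part; the checker below trusts none of it."""
    eqs = list(system)
    theta = {}
    while eqs:
        s, t = eqs.pop()
        if s == t:                              # delete: trivial equation
            continue
        if not isinstance(s, Var) and isinstance(t, Var):
            eqs.append((t, s))                  # orient: variable on the left
            continue
        if isinstance(s, Var):
            if occurs(s, t):                    # x = f(..x..) has no solution
                return None, ("occurs", s, t)
            bind = {s: t}                       # eliminate: s := t everywhere
            eqs = [(apply(bind, a), apply(bind, b)) for a, b in eqs]
            theta = {v: apply(bind, u) for v, u in theta.items()}
            theta[s] = t
            continue
        if s[0] != t[0] or len(s) != len(t):
            return None, ("clash", s, t)        # different symbol or arity
        eqs.extend(zip(s[1:], t[1:]))           # decompose f(s..) = f(t..)
    return theta, None


def check_unifier(system, theta):
    """The certificate check: theta unifies the system iff both sides of
    every equation become syntactically equal under it. This is the only
    code a sceptical consumer of the result has to trust."""
    return all(apply(theta, s) == apply(theta, t) for s, t in system)


def example_system():
    """Constructed system (not the paper's running example) whose unifier
    is the substitution quoted in the citation contexts."""
    x, y, z = Var("x"), Var("y"), Var("z")
    a = T("a")
    return [(T("f", x, y), T("f", a, T("g", z))), (z, T("h", x))]


if __name__ == "__main__":
    E = example_system()
    theta, reason = unify(E)
    print("unifier:", theta, "reason:", reason)
    print("certificate accepted:", check_unifier(E, theta))
    # A truncated or tampered certificate fails the same cheap test.
    print("partial certificate accepted:", check_unifier(E, {Var("x"): T("a")}))
```

The checker is a few lines of structural comparison and has no knowledge of how `unify` works, which is the point the abstract makes: if the check and the term representation are trusted, the result is trusted, however convoluted the solver. Note what the check does not establish: that the substitution is most general. Certifying that, as the paper does with deduction, needs a stronger certificate than the substitution alone.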

### Citations

- Papadimitriou, *Computational Complexity*, 1994 (2418 citations)
  Context: ...t the latter produces actual Hamiltonian cycles as evidence. However, we cannot efficiently check negative answers from H. Indeed, under the assumption that NP ≠ co-NP (which is a widely held belief [25]), it is easily proved that no NP-complete problem can be in co-NP, which means that there are no efficient checkers capable of verifying negative answers to NP-complete problems. Therefore, truly sim...

- Lynch, *Distributed Algorithms*, 1997 (1645 citations)
  Context: ...components, such as reactive systems, the important issue is not output correctness but behavioral safety, and in that case other methods and formalisms such as runtime monitoring [8] or I/O automata [18] will be appropriate. Even when correctness has a precise description and is important, certification might not be deemed necessary. For instance, compiler writers are not likely to certify lexical an...

- Meyer, *Object-Oriented Software Construction*, 1997 (1535 citations)
  Context: ...edible compilation as well as a certifying Prolog system that backs up its answers with extremely simple natural deduction reasoning. The “runtime assertions” of Meyer’s contract-programming paradigm [20] are another related approach. Executable assertions are useful for dynamically performing sanity checks and for ensuring that certain simple pre- and postconditions hold, but are generally too weak t...

- Baader, Nipkow, *Term Rewriting and All That*, 1998 (993 citations)
  Context: ...ll mean an ordered pair of terms ⟨s, t⟩, which will be more suggestively written as s ≈ t; and by “substitution” we will mean a function from variables to terms that is the identity almost everywhere [2]. We use the letters x, y, and z as typical variables; f, g, and h as function symbols; s and t for terms; and θ, σ, and τ for substitutions. We write {x1 ↦ t1, . . . , xn ↦ tn} for the substitution...

- Harper, Honsell, Plotkin, *A Framework for Defining Logics*, 1987 (711 citations)
  Context: ...e. On the issue of deductive technology, we note that a certifying algorithm could in principle be implemented in any language, e.g. in C, as long as it eventually produces a formal proof (say, in LF [12] or Coq [9] or Athena form) which can then be independently checked. But that would obfuscate the use of deduction for documentation purposes, and would also be unduly cumbersome. Algorithm certificat...

- Gordon, Melham, *Introduction to HOL: A Theorem Proving Environment for Higher-Order Logic*, 1993 (531 citations)
  Context: ...systems that make provisions for building and managing formal theories, performing proof search, and constructing and validating formal proofs (see Section 3). Thus LCF-style [10] systems such as HOL [11] or Isabelle [27] could certainly be used for certified computation. However, our certifying algorithms are not related to Milner’s seminal “tactics” and “tacticals” [21]. Tactics are a mechanism for ...

- Coquand, Huet, *The Calculus of Constructions*, 1988 (489 citations)
  Context: ...sue of deductive technology, we note that a certifying algorithm could in principle be implemented in any language, e.g. in C, as long as it eventually produces a formal proof (say, in LF [12] or Coq [9] or Athena form) which can then be independently checked. But that would obfuscate the use of deduction for documentation purposes, and would also be unduly cumbersome. Algorithm certification is inex...

- Beizer, *Software Testing Techniques*, 1983 (477 citations)
  Context: ...c inputs as it is with uncovering errors over as large classes of inputs as possible, with an emphasis on concurrency problems such as deadlocks, critical section violations, etc. In software testing [5] an extensive sample of inputs is presented to the program and the outputs are checked for correctness. While testing remains invaluable in practice, it has serious drawbacks. First, generation of st...

- Howard, *The Formulae-as-Types Notion of Construction*, 1980 (462 citations)
  Context: ...formalized key notions such as assumption scope and eigenvariable scope in novel ways (most notably, without reducing them to variable scope in the typed λ-calculus as is done in Curry-Howard systems [14]), which has enabled the introduction of syntax forms such as assume, pick-any, and pick-witness, that closely capture the most common and useful idioms of mathematical reasoning. Semantically, the ma...

- Necula, Lee, *Safe Kernel Extensions Without Runtime Checking*, 1996 (410 citations)
  Context: ...conjunction with certified computation in order to ensure that software component implementations conform to different aspects of their specifications. The proof-carrying code (PCC) of Lee and Necula [23] is primarily a compilation methodology concerned with producing programs that satisfy some security policy and are thus “safe” to execute. That requires general verification, as the program must be p...

- Kowalski, *Logic for Problem Solving*, 1979 (380 citations)
  Context: ...he original. Here we extend that idea to arbitrary computations. The idea of using deduction for computational purposes is not new. It is the cornerstone of the school of relational logic programming [17], which dates back at least to the inception of Prolog in the early 1970s. Computation in that setting is described by the well-known slogan of Kowalski: Computation = Logic + Control. The logic part ...

- Martelli, Montanari, *An Efficient Unification Algorithm*, 1982 (346 citations)
  Context: ...other variable to itself; and we write θ̄ for the unique homomorphic extension of a substitution θ to the corresponding term algebra [34,2]. The Martelli-Montanari (MM for short) unification algorithm [19] deals with finite systems of equations rather than with single equations. By a system of equations we will mean a list of the form (3) E = [s1 ≈ t1, . . . , sn ≈ tn]. We write E1, E2 for the list obt...

- Blum, Kannan, *Designing Programs That Check Their Work*, 1989 (313 citations)
  Context: ...for problems in NP ∩ co-NP that are also believed to lie outside P, such as integer factorization. Blum’s important contribution was showing that in some cases one may employ probabilistic techniques [6] to perform certain checks more efficiently— but we then give up the peace of mind that a complete guarantee would give. For instance, in the sorting example above we can check whether L′ = [y1, . . ...

- Necula, Lee, *The Design and Implementation of a Certifying Compiler*, 1998 (276 citations)
  Context: ...on, concerned with ensuring correctness for particular input-output pairs rather than safety properties for all inputs. Of course, a “certifying compiler” that outputs proofs of memory or type safety [24,26] can be viewed as a certifying algorithm in our sense. On the issue of deductive technology, we note that a certifying algorithm could in principle be implemented in any language, e.g. in C, as long a...

- Pnueli, Siegel, et al., *Translation Validation*, 1998 (151 citations)
  Context: ... example; θ here is {x ↦ a, y ↦ g(h(a)), z ↦ h(a)}. 5 Related work. Certified computation can be viewed as a generalization of work by Rinard and Marinov at MIT [30] and other researchers elsewhere [29] on logical validation of compiler transformations. There, an optimization procedure—say, for constant propagation—does not only produce a transformed control flow graph but also proves a bisimulation...

- Havelund, Roşu, *Monitoring Java Programs with Java PathExplorer*, 2001 (135 citations)
  Context: ...orrectness checks for arbitrary computations, but the trust issue for the checking code resurfaces intact. We view techniques such as monitor-oriented programming (“MoP” [8]) and runtime verification [16,13] as orthogonal to certified computation. For many problems, guaranteeing output correctness in such frameworks is difficult or impossible due to the same tension between specification simplicity and t...

- Blum, Wasserman, *Software Reliability via Run-Time Result-Checking*, 1997 (114 citations)
  Context: ...s shipped, it starts generating erroneous results for certain combinations of inputs that simply fell through the cracks during testing. To overcome the last of the above problems, Wasserman and Blum [33] suggest that “checkers” be permanently attached to programs and deployed at runtime, after a result r has been obtained, to check whether r is correct. As the authors concede, this is only viable for...

- Wechler, *Universal Algebra for Computer Scientists*, 1992 (80 citations)
  Context: ...ach xi to ti (we assume that x1, . . . , xn are distinct) and every other variable to itself; and we write θ̄ for the unique homomorphic extension of a substitution θ to the corresponding term algebra [34,2]. The Martelli-Montanari (MM for short) unification algorithm [19] deals with finite systems of equations rather than with single equations. By a system of equations we will mean a list of the form (3...

- Gordon, Milner, et al., *Edinburgh LCF: A Mechanized Logic of Computation*, 1979 (71 citations)
  Context: ...s greatly facilitated by systems that make provisions for building and managing formal theories, performing proof search, and constructing and validating formal proofs (see Section 3). Thus LCF-style [10] systems such as HOL [11] or Isabelle [27] could certainly be used for certified computation. However, our certifying algorithms are not related to Milner’s seminal “tactics” and “tacticals” [21]. Tac...

- Chen, Roşu, *Towards Monitoring-Oriented Programming: A Paradigm Combining Specification and Implementation*, 2003 (54 citations)
  Context: ...al rigor. For other components, such as reactive systems, the important issue is not output correctness but behavioral safety, and in that case other methods and formalisms such as runtime monitoring [8] or I/O automata [18] will be appropriate. Even when correctness has a precise description and is important, certification might not be deemed necessary. For instance, compiler writers are not likely ...

- Rinard, Marinov, *Credible Compilation with Pointers*, 1999 (51 citations)
  Context: ...wise, of unify applied to the running example; θ here is {x ↦ a, y ↦ g(h(a)), z ↦ h(a)}. 5 Related work. Certified computation can be viewed as a generalization of work by Rinard and Marinov at MIT [30] and other researchers elsewhere [29] on logical validation of compiler transformations. There, an optimization procedure—say, for constant propagation—does not only produce a transformed control flow...

- Kozen, Patron, *Certification of Compiler Optimizations Using Kleene Algebra with Tests*, 2000 (34 citations)
  Context: ...on, concerned with ensuring correctness for particular input-output pairs rather than safety properties for all inputs. Of course, a “certifying compiler” that outputs proofs of memory or type safety [24,26] can be viewed as a certifying algorithm in our sense. On the issue of deductive technology, we note that a certifying algorithm could in principle be implemented in any language, e.g. in C, as long a...

- Barnett, Schulte, *Spying on Components: A Runtime Verification Technique*, 2001 (30 citations)
  Context: ...frameworks is difficult or impossible due to the same tension between specification simplicity and trust that we discussed in the preceding paragraph. For instance, the pre- and post-conditions of ASML [3] and JML [7] are simple and easy to trust, but use bounded non-deterministic choice and quantification and hence are either unable to express correctness for interesting problems or else are too ineff...

- Arkoudas, *Denotational Proof Languages*, 2000 (25 citations)
  Context: ...tations must be able to output certificates, which can then be independently checked. One of our main contributions to certified programming has been the design of DPLs (Denotational Proof Languages) [1]. In particular, we have implemented Athena, a DPL for polymorphic multi-sorted first-order logic that satisfies all of the above criteria. There are two main innovations behind Athena, one syntactic ...

- Paulson, *Verifying the Unification Algorithm*, 1985 (23 citations)
  Context: ...ually it is much more practical than static verification. Consider, for instance, the unification example we give in Section 4. A complete verification of a unification algorithm was given by Paulson [28], where he states that the proof “relies on a substantial theory of substitutions, consisting of twenty-three propositions and corollaries... The project has grown too large to describe in a single pa...

- Paulson, *Isabelle: A Generic Theorem Prover*, 1994 (18 citations)
  Context: ... provisions for building and managing formal theories, performing proof search, and constructing and validating formal proofs (see Section 3). Thus LCF-style [10] systems such as HOL [11] or Isabelle [27] could certainly be used for certified computation. However, our certifying algorithms are not related to Milner’s seminal “tactics” and “tacticals” [21]. Tactics are a mechanism for goal decompositio...

- Wing, Vaziri, *A Case Study in Model Checking Software Systems*, 1997 (17 citations)
  Context: ... justify itself every time it generates a result. Nevertheless, in our experience runtime certification has never strictly increased the asymptotic complexity of an algorithm. Software model checking [22,35] is not so much concerned with establishing output correctness for specific inputs as it is with uncovering errors over as large classes of inputs as possible, with an emphasis on concurrency problems...

- Milner, *The Use of Machines to Assist in Rigorous Proof*, 1984 (14 citations)
  Context: ...tyle [10] systems such as HOL [11] or Isabelle [27] could certainly be used for certified computation. However, our certifying algorithms are not related to Milner’s seminal “tactics” and “tacticals” [21]. Tactics are a mechanism for goal decomposition in backward proof search (specifically, a tactic is a function that takes a goal and returns a list of subgoals; a tactical is a combinator that compos...

- Voronkov, *The Anatomy of Vampire (Implementing Bottom-Up Procedures with Code Trees)*, 1995 (7 citations)
  Context: ...s ensured by the formal semantics of the language. An automatic theorem prover (e.g., based on resolution) can thus be soundly implemented. Alternatively, a powerful off-the-shelf ATP such as Vampire [32] can be employed as an oracle, and then the proof output by Vampire can be converted into a native deduction using the system’s primitive inference rules. Such outsourcing is preferable to “rolling on...

- Bartetzko et al., *Jass: Java with Assertions*, 2001 (5 citations)
  Context: ... whose declarative output specification would take exponential time to check. Of course it is possible to allow specification assertions to contain arbitrary executable code (e.g., assertions in Jass [4] can contain arbitrary side-effect-free Java code). In that case one can perform complete correctness checks for arbitrary computations, but the trust issue for the checking code resurfaces intact. We ...

- Kim et al., *Java-MaC: A Runtime Assurance Tool for Java Programs* (5 citations)
  Context: ...orrectness checks for arbitrary computations, but the trust issue for the checking code resurfaces intact. We view techniques such as monitor-oriented programming (“MoP” [8]) and runtime verification [16,13] as orthogonal to certified computation. For many problems, guaranteeing output correctness in such frameworks is difficult or impossible due to the same tension between specification simplicity and t...

- Burdy et al., *An Overview of JML Tools and Applications*, 2004 (4 citations)
  Context: ...s difficult or impossible due to the same tension between specification simplicity and trust that we discussed in the preceding paragraph. For instance, the pre- and post-conditions of ASML [3] and JML [7] are simple and easy to trust, but use bounded non-deterministic choice and quantification and hence are either unable to express correctness for interesting problems or else are too inefficient to ex...

- Khurshid, *Generating Structurally Complex Tests from Declarative Constraints*, 2003 (3 citations)
  Context: ...gram and the outputs are checked for correctness. While testing remains invaluable in practice, it has serious drawbacks. First, generation of structurally complex input data is difficult to automate [15], and thus test suites end up being quite limited. Second, how are the outputs to be checked for correctness? Inspection by eye is clearly impractical for large-scale experiments. Hence, software must...

- Ruiz-Reina et al., *Mechanical Verification of a Rule-Based Unification Algorithm in the Boyer-Moore Theorem Prover*, 1999 (3 citations)
  Context: ...surprisingly diverse series of problems appeared.” A more recent correctness proof for a Martelli-Montanari-style unification algorithm using the Boyer-Moore theorem prover runs to thousands of lines [31]. By contrast, expressed as a certifying algorithm, our Martelli-Montanari unification procedure was implemented in less than one page of Athena code. This dramatic difference is an apt illustration...