## An Overview of the Jahob Analysis System - Project Goals and Current Status (2006)

### Cached

### Download Links

- [www.cecs.uci.edu]
- [www.mit.edu]
- [www.cag.lcs.mit.edu]
- [www.cag.csail.mit.edu]
- [people.csail.mit.edu]
- [people.csail.mit.edu]
- [www.cag.lcs.mit.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | In NSF Next Generation Software Workshop |

Citations: | 8 - 1 self |

### BibTeX

@INPROCEEDINGS{Kuncak06anoverview,

author = {Viktor Kuncak and Martin Rinard},

title = {An Overview of the Jahob Analysis System - Project Goals and Current Status},

booktitle = {In NSF Next Generation Software Workshop},

year = {2006}

}

### OpenURL

### Abstract

We present an overview of the Jahob system for modular analysis of data structure properties. Jahob uses a subset of Java as the implementation language and annotations with formulas in a subset of Isabelle as the specification language. It uses monadic secondorder logic over trees to reason about reachability in linked data structures, the Isabelle theorem prover and Nelson-Oppen style theorem provers to reason about high-level properties and arrays, and a new technique to combine reasoning about constraints on uninterpreted function symbols with other decision procedures. It also incorporates new decision procedures for reasoning about sets with cardinality constraints. The system can infer loop invariants using new symbolic shape analysis. Initial results in the use of our system are promising; we are continuing to develop and evaluate it.

### Citations

719 |
Isabelle/HOL: A Proof Assistant for Higher-Order Logic
- Nipkow, Paulson, et al.
- 2002
(Show Context)
Citation Context ...ted theorem provers [78] to discharge these kinds of verification conditions. 3 Status We have implemented the Jahob framework, populated it with interfaces to the Isabelle interactive theorem prover =-=[63]-=-, the SMT-LIB interface [67] to NelsonOppen style [62] theorem provers, the MONA decision procedure [40], and a decision procedure for Boolean Algebra with Presburger Arithmetic [43] based on reductio... |

639 |
Systematic Software Development using VDM
- Jones
- 1990
(Show Context)
Citation Context ...lly require loop invariants, and additionally either require either interaction with the theorem prover or lemmas specific for the program being verified. Specification frameworks include Z [81], VDM =-=[36]-=-, B [2], RAISE [13]. Many of these frameworks recognize the importance of data abstraction [36], which is an important component of Jahob. Some of these frameworks provide no automation for performing... |

538 | Parametric shape analysis via 3-valued logic
- Sagiv, Reps, et al.
(Show Context)
Citation Context ...ompiler optimizations [37, 27, 26], but subsequently evolved into more precise analyses that have been successfully used to analyze invariants of data structures that are of interest for verification =-=[42, 25, 41, 49, 58, 71]-=-. Most shape analyses that synthesize loop invariants are based on precomputed transfer functions and a fixed set of properties to be tracked; recent approaches enable automation of such computation u... |

534 | PVS: A Prototype Verification System
- Owre, Rushby, et al.
- 1992
(Show Context)
Citation Context ...psy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS =-=[64]-=-. Traditionally, these systems are based on verification condition generation combined with theorem provers. They typically require loop invariants, and additionally either require either interaction ... |

519 | Extended static checking for Java
- Flanagan, Leino, et al.
(Show Context)
Citation Context ...nd theorem proving include the program verifier [39], the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java =-=[22]-=-, ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these systems are based on verification condi... |

463 | model checking programs
- Visser, Havelund, et al.
(Show Context)
Citation Context ... the Alloy Analyzer [34] can be used to find bugs in code that manipulates linked data structures [35, 76]. Explicit state model checking and testing approaches can also be effective for this purpose =-=[20, 56, 72, 77]-=-. Although somewhat orthogonal to verification, bug finding can be combined with verification in productive ways, and we may consider such combinations in the future. 5 Conclusion Software reliability... |

448 | The Spec# Programming System: An Overview
- Barnett, Leino, et al.
- 2004
(Show Context)
Citation Context ...sms for reasoning about data structure representation in the presence of dynamic data structure instantiation, combining the ideas from the Hob project [47] with approaches from systems such as Spec# =-=[6]-=-. We are currently evaluating the practicality of our approach. 4 Related Work Key features of Jahob system are modular reasoning with expressive procedure contracts and support for data abstraction, ... |

448 | The omega test: a fast and practical integer programming algorithm for dependence analysis
- Pugh
- 1993
(Show Context)
Citation Context ...lsonOppen style [62] theorem provers, the MONA decision procedure [40], and a decision procedure for Boolean Algebra with Presburger Arithmetic [43] based on reduction to the Omega decision procedure =-=[66]-=- for Presburger arithmetic. We are using a simple goal decomposition technique to prove different conjuncts in the goal using different decision procedures. In addition, we are using field constraint ... |

393 | S.K.: Automatic predicate abstraction of c programs
- Ball, Majumdar, et al.
- 2001
(Show Context)
Citation Context ...ility in firstorder logic is non-trivial in practice [61, 52] and not possible in general. Software Model Checking. Recent trends indicate the convergence of shape analysis with predicate abstraction =-=[5, 33]-=-, with a spectrum of increasingly complex domains ranging from propositional combinations of predicates [5], through quantified propositional combinations [23], indexed predicates [44], to symbolic sh... |

393 | Simplification by Cooperating Decision Procedures
- Nelson, Oppen
- 1979
(Show Context)
Citation Context ...erification conditions. 3 Status We have implemented the Jahob framework, populated it with interfaces to the Isabelle interactive theorem prover [63], the SMT-LIB interface [67] to NelsonOppen style =-=[62]-=- theorem provers, the MONA decision procedure [40], and a decision procedure for Boolean Algebra with Presburger Arithmetic [43] based on reduction to the Omega decision procedure [66] for Presburger ... |

360 | Enforcing high-level protocols in low-level software
- DeLine, Fähndrich
- 2001
(Show Context)
Citation Context ...ation, which means that scalable analyses must be able to communicate using procedure interfaces. Typestate analyses have emerged as data-flow analyses that take into account user-supplied interfaces =-=[73, 14, 15]-=-. In the Hob project [48, 87, 46] we have demonstrated that a combination of typestate analysis with shape analysis is feasible when interfaces use abstract sets to abstract global data structures. On... |

309 | Larch: languages and tools for formal specification
- Guttag, Horning
- 1993
(Show Context)
Citation Context ...erification-condition generation and theorem proving include the program verifier [39], the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch =-=[30]-=-, ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these syste... |

296 | CUTE: a concolic unit testing engine for C
- Sen, Marinov, et al.
- 2005
(Show Context)
Citation Context ... the Alloy Analyzer [34] can be used to find bugs in code that manipulates linked data structures [35, 76]. Explicit state model checking and testing approaches can also be effective for this purpose =-=[20, 56, 72, 77]-=-. Although somewhat orthogonal to verification, bug finding can be combined with verification in productive ways, and we may consider such combinations in the future. 5 Conclusion Software reliability... |

292 | Extended static checking
- Detlefs, Leino, et al.
- 1998
(Show Context)
Citation Context ...on generation and theorem proving include the program verifier [39], the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 =-=[16]-=-, ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these systems are based on ver... |

249 | M.: ESP: path-sensitive program verification in polynomial time
- Das, Lerner, et al.
- 2002
(Show Context)
Citation Context ...ation, which means that scalable analyses must be able to communicate using procedure interfaces. Typestate analyses have emerged as data-flow analyses that take into account user-supplied interfaces =-=[73, 14, 15]-=-. In the Hob project [48, 87, 46] we have demonstrated that a combination of typestate analysis with shape analysis is feasible when interfaces use abstract sets to abstract global data structures. On... |

211 | Abstractions from proofs
- Henzinger, Jhala, et al.
- 2004
(Show Context)
Citation Context ...ility in firstorder logic is non-trivial in practice [61, 52] and not possible in general. Software Model Checking. Recent trends indicate the convergence of shape analysis with predicate abstraction =-=[5, 33]-=-, with a spectrum of increasingly complex domains ranging from propositional combinations of predicates [5], through quantified propositional combinations [23], indexed predicates [44], to symbolic sh... |

208 |
Typestate: A programming language concept for enhancing software reliability
- Strom, Yemini
- 1986
(Show Context)
Citation Context ...ation, which means that scalable analyses must be able to communicate using procedure interfaces. Typestate analyses have emerged as data-flow analyses that take into account user-supplied interfaces =-=[73, 14, 15]-=-. In the Hob project [48, 87, 46] we have demonstrated that a combination of typestate analysis with shape analysis is feasible when interfaces use abstract sets to abstract global data structures. On... |

163 |
Raymie Stata. Extended static checking for java
- Flanagan, Leino, et al.
- 2002
(Show Context)
Citation Context ...nd theorem proving include the program verifier [39], the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java =-=[22]-=-, ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these systems are based on verification condi... |

145 | The pointer assertion logic engine
- Møller, Schwartzbach
- 2001
(Show Context)
Citation Context ...ompiler optimizations [37, 27, 26], but subsequently evolved into more precise analyses that have been successfully used to analyze invariants of data structures that are of interest for verification =-=[42, 25, 41, 49, 58, 71]-=-. Most shape analyses that synthesize loop invariants are based on precomputed transfer functions and a fixed set of properties to be tracked; recent approaches enable automation of such computation u... |

128 | A local shape analysis based on separation logic
- Distefano, O’Hearn, et al.
- 2006
(Show Context)
Citation Context ...f such computation using decision procedures [86, 84, 85, 65, 80] or finite differencing [69]. Recently there has been a resurgence of decision procedures and analyses for linked list data structures =-=[4, 18, 54, 7, 68]-=-, where the emphasis is on predictability (decision procedures for well-defined classes of properties of linked lists), efficiency (membership in NP), the ability to interoperate with other reasoning ... |

125 | Graph types
- Klarlund, Schwartzbach
(Show Context)
Citation Context ...ompiler optimizations [37, 27, 26], but subsequently evolved into more precise analyses that have been successfully used to analyze invariants of data structures that are of interest for verification =-=[42, 25, 41, 49, 58, 71]-=-. Most shape analyses that synthesize loop invariants are based on precomputed transfer functions and a fixed set of properties to be tracked; recent approaches enable automation of such computation u... |

120 |
an annotation assistant for ESC/Java
- Houdini
- 2001
(Show Context)
Citation Context ...r in terms of automation [36] or in terms of using lighter-weight substitute of specification variables [51]. Recently, verification systems have incorporated techniques for inferring loop invariants =-=[23, 21, 11, 50]-=-. Like more specialized analyses [75, 82, 19, 70, 24], such techniques for loop invariant inference are effective for analyzing simple array data structures and basic memory safety properties, but hav... |

114 |
Finding bugs with a constraint solver
- Jackson, Vaziri
- 2000
(Show Context)
Citation Context ...de, it is useful to supplement verification tools with bug fining tools. Finite model checkers such as the Alloy Analyzer [34] can be used to find bugs in code that manipulates linked data structures =-=[35, 76]-=-. Explicit state model checking and testing approaches can also be effective for this purpose [20, 56, 72, 77]. Although somewhat orthogonal to verification, bug finding can be combined with verificat... |

111 | Symbolic bounds analysis of pointers, array indices, and accessed memory regions
- Rugina, Rinard
- 2000
(Show Context)
Citation Context ...g lighter-weight substitute of specification variables [51]. Recently, verification systems have incorporated techniques for inferring loop invariants [23, 21, 11, 50]. Like more specialized analyses =-=[75, 82, 19, 70, 24]-=-, such techniques for loop invariant inference are effective for analyzing simple array data structures and basic memory safety properties, but have so far been limited in the range of properties that... |

106 |
Techniques for program verification
- Nelson
- 1981
(Show Context)
Citation Context ...s with modular reasoning. Systems based on verification-condition generation and theorem proving include the program verifier [39], the interactive program verifier [17], the Stanford Pascal Verifier =-=[74, 60]-=-, the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], ... |

99 | Role analysis
- Kuncak, Lam, et al.
- 2002
(Show Context)
Citation Context |

96 |
A micromodularity mechanism
- Jackson, Shlyakhter, et al.
- 2001
(Show Context)
Citation Context ...Given that many verification attempts demonstrate bugs in specifications or code, it is useful to supplement verification tools with bug fining tools. Finite model checkers such as the Alloy Analyzer =-=[34]-=- can be used to find bugs in code that manipulates linked data structures [35, 76]. Explicit state model checking and testing approaches can also be effective for this purpose [20, 56, 72, 77]. Althou... |

94 |
Predicate abstraction for software verification
- FLANAGAN, S
(Show Context)
Citation Context ...r in terms of automation [36] or in terms of using lighter-weight substitute of specification variables [51]. Recently, verification systems have incorporated techniques for inferring loop invariants =-=[23, 21, 11, 50]-=-. Like more specialized analyses [75, 82, 19, 70, 24], such techniques for loop invariant inference are effective for analyzing simple array data structures and basic memory safety properties, but hav... |

84 | Region-based shape analysis with tracked locations
- Hackett, Rugina
- 2005
(Show Context)
Citation Context ...yses and decision procedures have also been constructed that combine reasoning about reachability and reasoning about quantitative properties such as length of lists and height and balancing of trees =-=[32, 31, 45,s57, 9]-=-. Size constraints can be imposed on set abstractions of data structures, yielding logics that can reason about numbers of data structure elements and support quantifiers [43]. New logics were recentl... |

79 | Putting static analysis to work for verification: A case study
- Lev-Ami, Reps, et al.
- 2000
(Show Context)
Citation Context ... Shape analyses are among the most sophisticated analyses for structural properties of programs; they have also been applied to verify properties such as sorting, by abstracting the ordering relation =-=[53, 58]-=-. Analyses and decision procedures have also been constructed that combine reasoning about reachability and reasoning about quantitative properties such as length of lists and height and balancing of ... |

78 | Data structure specifications via local equality axioms
- McPeak, Necula
- 2005
(Show Context)
Citation Context ...yses and decision procedures have also been constructed that combine reasoning about reachability and reasoning about quantitative properties such as length of lists and height and balancing of trees =-=[32, 31, 45, 57, 9]-=-. Size constraints can be imposed on set abstractions of data structures, yielding logics that can reason about numbers of data structure elements and support quantifiers [43]. New logics were recentl... |

74 | Shape types
- Fradet, Métayer
- 1997
(Show Context)
Citation Context |

73 | Connection analysis: A practical interprocedural heap analysis for C
- Ghiya, Hendren
- 1996
(Show Context)
Citation Context ... developed precise data structure analyses such as shape analysis. Shape analysis. Shape analyses are precise analyses for linked data structures. They were originally used for compiler optimizations =-=[37, 27, 26]-=-, but subsequently evolved into more precise analyses that have been successfully used to analyze invariants of data structures that are of interest for verification [42, 25, 41, 49, 58, 71]. Most sha... |

69 |
Program Flow Analysis, Theory and Applications, chapter 4, Flow Analysis and Optimization of LISP-like Structures
- Jones, Muchnick
- 1983
(Show Context)
Citation Context ... developed precise data structure analyses such as shape analysis. Shape analysis. Shape analyses are precise analyses for linked data structures. They were originally used for compiler optimizations =-=[37, 27, 26]-=-, but subsequently evolved into more precise analyses that have been successfully used to analyze invariants of data structures that are of interest for verification [42, 25, 41, 49, 58, 71]. Most sha... |

69 | MONA implementation secrets
- Klarlund, Møller, et al.
(Show Context)
Citation Context ...ods preserve them. The verification conditions for the data structure implementation could be verified, for example, by a combination of field constraint analysis [80] and the MONA decision procedure =-=[40]-=-. Loop invariants could be provided explicitly or inferred by symbolic shape analysis [80, 65, 79]. The verification conditions for the client could be discharged by a decision procedure specialized f... |

66 | The Krakatoa tool for certification of Java/JavaCard programs annotated with JML annotations
- Marché, Paulin-Mohring, et al.
(Show Context)
Citation Context ...fier [39], the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa =-=[55]-=-, KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these systems are based on verification condition generation combined with theorem prove... |

65 |
Implementation of an array bound checker
- Suzuki, Ishihata
- 1977
(Show Context)
Citation Context ...g lighter-weight substitute of specification variables [51]. Recently, verification systems have incorporated techniques for inferring loop invariants [23, 21, 11, 50]. Like more specialized analyses =-=[75, 82, 19, 70, 24]-=-, such techniques for loop invariant inference are effective for analyzing simple array data structures and basic memory safety properties, but have so far been limited in the range of properties that... |

62 |
A program verifier
- King
- 1971
(Show Context)
Citation Context ...ication frameworks based on general-purpose reasoning. Verification systems with modular reasoning. Systems based on verification-condition generation and theorem proving include the program verifier =-=[39]-=-, the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY... |

57 |
Shape analysis by predicate abstraction
- Balaban, Pnueli, et al.
(Show Context)
Citation Context ...f such computation using decision procedures [86, 84, 85, 65, 80] or finite differencing [69]. Recently there has been a resurgence of decision procedures and analyses for linked list data structures =-=[4, 18, 54, 7, 68]-=-, where the emphasis is on predictability (decision procedures for well-defined classes of properties of linked lists), efficiency (membership in NP), the ability to interoperate with other reasoning ... |

55 | Reasoning in expressive description logics with fixpoints based on automata on infinite trees
- Calvanese, Giacomo, et al.
- 1999
(Show Context)
Citation Context ...gics were recently proposed for reasoning about reachability, such as the logic of reachable shapes [83]. Existing logics, such as guarded fixpoint logic [29] and description logics with reachability =-=[10]-=- are attractive because of their expressive power, but so far no decision procedures for these logics have been implemented. Automated theorem provers such as Vampire [78] can be used to reason about ... |

54 | ESC/Java2: Uniting ESC/Java and JML: Progress and issues in building and using ESC/Java2 and a report on a case study involving the use of ESC/Java2 to verify portions of an Internet voting tally system
- Cok, Kiniry
- 2004
(Show Context)
Citation Context ...ng include the program verifier [39], the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 =-=[12]-=-, Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these systems are based on verification condition generation ... |

54 | Safety checking of machine code
- Xu, Miller, et al.
- 2000
(Show Context)
Citation Context ...g lighter-weight substitute of specification variables [51]. Recently, verification systems have incorporated techniques for inferring loop invariants [23, 21, 11, 50]. Like more specialized analyses =-=[75, 82, 19, 70, 24]-=-, such techniques for loop invariant inference are effective for analyzing simple array data structures and basic memory safety properties, but have so far been limited in the range of properties that... |

53 |
Verifying reachability invariants of linked structures
- Nelson
- 1983
(Show Context)
Citation Context ...lemented. Automated theorem provers such as Vampire [78] can be used to reason about properties of linked data structures, but axiomatizing reachability in firstorder logic is non-trivial in practice =-=[61, 52]-=- and not possible in general. Software Model Checking. Recent trends indicate the convergence of shape analysis with predicate abstraction [5, 33], with a spectrum of increasingly complex domains rang... |

51 | STeP: Deductive-algorithmic verification of reactive and real-time systems
- Bjørner, Browne, et al.
(Show Context)
Citation Context ..., 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY [3], as well as more general frameworks such as ACL2 [38, 59], and STeP =-=[8]-=-, and PVS [64]. Traditionally, these systems are based on verification condition generation combined with theorem provers. They typically require loop invariants, and additionally either require eithe... |

51 | Predicate abstraction and canonical abstraction for singly-linked lists
- Manevich, Yahav, et al.
- 2005
(Show Context)
Citation Context ...f such computation using decision procedures [86, 84, 85, 65, 80] or finite differencing [69]. Recently there has been a resurgence of decision procedures and analyses for linked list data structures =-=[4, 18, 54, 7, 68]-=-, where the emphasis is on predictability (decision procedures for well-defined classes of properties of linked lists), efficiency (membership in NP), the ability to interoperate with other reasoning ... |

51 | Symbolically computing most-precise abstract operations for shape analysis
- Yorsh, Reps, et al.
- 2004
(Show Context)
Citation Context ...t synthesize loop invariants are based on precomputed transfer functions and a fixed set of properties to be tracked; recent approaches enable automation of such computation using decision procedures =-=[86, 84, 85, 65, 80]-=- or finite differencing [69]. Recently there has been a resurgence of decision procedures and analyses for linked list data structures [4, 18, 54, 7, 68], where the emphasis is on predictability (deci... |

48 | Using data groups to specify and check side effects
- Leino, Poetzsch-Heffter, et al.
- 2002
(Show Context)
Citation Context ...data structures conform to their abstraction; previous approaches have been less ambitious either in terms of automation [36] or in terms of using lighter-weight substitute of specification variables =-=[51]-=-. Recently, verification systems have incorporated techniques for inferring loop invariants [23, 21, 11, 50]. Like more specialized analyses [75, 82, 19, 70, 24], such techniques for loop invariant in... |

45 | Static analysis versus software model checking for bug finding
- Engler, Musuvathi
(Show Context)
Citation Context ... the Alloy Analyzer [34] can be used to find bugs in code that manipulates linked data structures [35, 76]. Explicit state model checking and testing approaches can also be effective for this purpose =-=[20, 56, 72, 77]-=-. Although somewhat orthogonal to verification, bug finding can be combined with verification in productive ways, and we may consider such combinations in the future. 5 Conclusion Software reliability... |

45 | Indexed predicate discovery for unbounded system verification
- Lahiri, Bryant
- 2004
(Show Context)
Citation Context ... abstraction [5, 33], with a spectrum of increasingly complex domains ranging from propositional combinations of predicates [5], through quantified propositional combinations [23], indexed predicates =-=[44]-=-, to symbolic shape analysis [80, 65, 79]. The field remains an active area of research, with different approaches demonstrating different precision/efficiency/automation tradeoffs. Typestate systems.... |

44 | The KeY approach: Integrating object oriented design and formal verification
- Ahrendt, Baar, et al.
- 2000
(Show Context)
Citation Context ... the interactive program verifier [17], the Stanford Pascal Verifier [74, 60], the Gypsy environment [28], Larch [30], ESC/Modula-3 [16], ESC/Java [22], ESC/Java2 [12], Boogie [6], Krakatoa [55], KeY =-=[3]-=-, as well as more general frameworks such as ACL2 [38, 59], and STeP [8], and PVS [64]. Traditionally, these systems are based on verification condition generation combined with theorem provers. They ... |