Results 1 - 10 of 742
Verification condition generator for escjava2
2005
"... If you want to have a resume, read conclusion first. This document describes the operation of the verification condition generator of escjava2. First we describe how we use the old code, that was designed to produce an unsorted proof (for Simplify), to create a new ast tree, strongly typed, that can ..."
4. Verification Condition Generators
1993
"... When considering the correctness of programs, the only absolute demonstration of quality is mathematical proof. Yet the complexity of these proofs makes them all but impossible both to construct and read, and the correctness of the proofs themselves comes into question. We take an approach to the creation of these proofs based on specifying an axiomatic semantics for the programming language, and using that semantics to automatically create a Verification Condition Generator, a program that takes a general program written in the language and creates the proof of that program, modulo a set ..."
A Sound Framework for Untrusted Verification-Condition Generators
"We propose a framework called configurable proof-carrying code, which allows the untrusted producer of mobile code to provide the bulk of the code verifier used by a code receiver to check the safety of the received code. The resulting system is both more flexible and also more trustworthy than a standard proof-carrying code system, because only a small part of the verifier needs to be trusted, while the remaining part can be configured freely to suit the safety policy on one hand, and the structure of the mobile code on the other hand. In this paper we describe formally the protocol that the untrusted verifier must follow in the interaction with the trusted infrastructure. We present a proof of the soundness of the system, and we give preliminary evidence that the architecture is expressive enough to delegate to the untrusted verifier even the handling of loop invariants, indirect jumps and calling conventions."
A certified multi-prover verification condition generator
2011
Cited by 6 (2 self)
"... Deduction-based software verification tools have reached a maturity allowing them to be used in industrial context where a very high level of assurance is required. This raises the question of the level of confidence we can grant to the tools themselves. We present a certified implementation of a verification condition generator. An originality is its genericity with respect to the logical context, which allows us to produce proof obligations for a large class of theorem provers. This implementation is conducted within the Coq proof assistant, and is crafted so that it can be extracted into a ..."
Verification Condition Generation via Theorem Proving
Proceedings of the 13th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR 2006), Vol. 4246 of LNCS, 2006
Cited by 15 (4 self)
"... We present a method to convert (i) an operational semantics for a given machine language, and (ii) an off-the-shelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover di ..."
Building verification condition generators by compositional extensions
2004
Cited by 2 (1 self)
"... This paper describes a technique that combines algebraic specifications and monads to build derivative verification condition generators (VCGs) by extending a base VCG. Extensions are compositional and can be stacked while the base VCG is left unchanged. The technique can be used to build a set of w ..."
Practical Verification Condition Generation for a Bytecode Language
2015
"... Automatic program verifiers typically generate verification conditions from the program and discharge them with an automated theorem prover. An important consideration is the manner in which program code and invariants are expressed. We have developed a bytecode language (similar, in spirit, to Java ..."
Verification condition generation for conditional information flow
Kansas State Univ, 2007
Cited by 11 (4 self)
"... We formulate an intraprocedural information flow analysis algorithm for sequential, heap manipulating programs. We prove correctness of the algorithm, and argue that it can be used to verify some naturally occurring examples in which information flow is conditional on some Hoare-like state predicate ..."
"... with verification conditions. To process heap manipulations and while loops, the algorithm must additionally be supplied “object flow invariants” as well as “loop flow invariants” which are themselves two-state, and possibly conditional ..."
The Design and Algorithms of a Verification Condition Generator
"Acknowledgments. In October 2005, Joe Kiniry picked me up from Dublin Airport. The same week, he showed me ESC/Java and asked me to start fixing its bugs. To do so, I had to learn about Hoare triples, guarded commands, and a few other things: He taught me by throwing at me the right problems. He also provided a good environment for research, by building from scratch in UCD a group focused on applied formal methods. Joe helped me as a friend when I had difficulties in my personal life. I tend to spend most of my time learning, rather than doing. However, in the summer of 2007 the reverse was true. The cause was the epidemic enthusiasm of Michał Moskal, who visited our group. For the rest of the four years that I spent in Dublin, Mikoláš Janota was the main target of my technical ramblings, ..."