Results 1  10
of
12
Parallel proof checking in Isabelle/Isar
 ACM SIGSAM Workshop on Programming Languages for Mechanized Mathematics Systems (PLMMS 2009). ACM Digital Library, 2009. Parallel Poly/ML and Isabelle 10 2009/9/28
"... We address the “multicore problem ” for mathematical assistants with full proof checking, with special focus on Isabelle/Isar and its main SML platform Poly/ML. On the one hand, working with explicit definitions, statements, and proofs requires significant runtime resources, so the question of paral ..."
Abstract

Cited by 18 (10 self)
 Add to MetaCart
(Show Context)
We address the “multicore problem ” for mathematical assistants with full proof checking, with special focus on Isabelle/Isar and its main SML platform Poly/ML. On the one hand, working with explicit definitions, statements, and proofs requires significant runtime resources, so the question of parallel checking is really relevant. On the other hand, the inherent structure of formal theories provides various possibilities for parallelism (both implicit and explicit), which is in fact an almost ideal situation. Exploiting this potential in practice requires to reconsider various aspects of the ML platform, the inference engine, and some higher prover specific layers. We report on an implementation of all that for Isabelle/Isar, and point out some general considerations for parallelism in functional programming, and other provers like Coq and HOL. Categories and Subject Descriptors D.1.3 [Concurrent Programming]: Parallel programming; I.2.3 [Deduction and Theorem
HOLBoogie  An Interactive Prover for the Boogie ProgramVerifier
"... Boogie is a program verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic. Its verification conditions — constructed via a wp calculus from these annotations — are usually transferred to ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
(Show Context)
Boogie is a program verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic. Its verification conditions — constructed via a wp calculus from these annotations — are usually transferred to automated theorem provers such as Simplify or Z3. In this paper, however, we present a proofenvironment, HOLBoogie, that combines Boogie with the interactive theorem prover Isabelle/HOL. In particular, we present specific techniques combining automated and interactive proof methods for codeverification. We will exploit our proofenvironment in two ways: First, we present scenarios to "debug" annotations (in particular: invariants) by interactive proofs. Second, we use our environment also to verify "background theories", i.e. theories for datatypes used in annotations as well as memory and machine models underlying the verification method for C.
Foundational, Compositional (Co)datatypes for HigherOrder Logic  Category Theory Applied to Theorem Proving
"... Higherorder logic (HOL) forms the basis of several popular interactive theorem provers. These follow the definitional approach, reducing highlevel specifications to logical primitives. This also applies to the support for datatype definitions. However, the internal datatype construction used in H ..."
Abstract

Cited by 16 (10 self)
 Add to MetaCart
Higherorder logic (HOL) forms the basis of several popular interactive theorem provers. These follow the definitional approach, reducing highlevel specifications to logical primitives. This also applies to the support for datatype definitions. However, the internal datatype construction used in HOL4, HOL Light, and Isabelle/HOL is fundamentally noncompositional, limiting its efficiency and flexibility, and it does not cater for codatatypes. We present a fully modular framework for constructing (co)datatypes in HOL, with support for mixed mutual and nested (co)recursion. Mixed (co)recursion enables type definitions involving both datatypes and codatatypes, such as the type of finitely branching trees of possibly infinite depth. Our framework draws heavily from category theory. The key notion is that of a rich type constructor—a functor satisfying specific properties preserved by interesting categorical operations. Our ideas are formalized in Isabelle and implemented as a new definitional package, answering a longstanding user request.
Local theory specifications in Isabelle/Isar
"... Recent versions of the proof assistant Isabelle have acquired a “local theory” concept that integrates a variety of mechanisms for structured specifications into a common framework. We explicitly separate a local theory “target” from its “body”, i.e. a fixed axiomatic specification (parameters and a ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
Recent versions of the proof assistant Isabelle have acquired a “local theory” concept that integrates a variety of mechanisms for structured specifications into a common framework. We explicitly separate a local theory “target” from its “body”, i.e. a fixed axiomatic specification (parameters and assumptions) vs. arbitrary definitional extensions (conclusions) depending on it. Body elements may be added incrementally, and admit local polymorphism according to HindleyMilner. The foundations of our local theories rest firmly on existing Isabelle/Isar principles, without having to invent new logics or module calculi. Particular target contexts and body elements may be implemented within the generic infrastructure. This results in a large combinatorial space of specification idioms available to the enduser. Here we introduce targets for Isabelle locales, typeclasses, and class instantiations. The available selection of body elements covers primitive definitions and theorems, inductive predicates and sets, and recursive functions. Porting such existing definitional packages is reasonably simple, and enables to reuse sophisticated tools in a variety of target contexts without further ado. For example, a recursive function may be defined depending on locale parameters and assumptions, or an inductive predicate definition may provide the witness in a typeclass instantiation.
HOLBoogie  An interactive proverbackend for the Verifiying C Compiler
"... Boogie is a verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic, i. e. pre and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
(Show Context)
Boogie is a verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic, i. e. pre and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ghost code and specification functions have been introduced to support a specific modeling methodology. Boogie’s verification conditions — constructed via a wp calculus from annotated programs — are usually transferred to automated theorem provers such as Simplify or Z3. This also comprises the expansion of languagespecific modeling constructs in terms of a theory describing memory and elementary operations on it; this theory is called a machine/memory model. In this paper, we present a proof environment, HOLBoogie, that combines Boogie with the interactive theorem prover Isabelle/HOL, for a specific C frontend and a machine/memory model. In particular, we present specific techniques combining automated and interactive proof methods for code verification. The main goal of our environment is to help program verification engineers in their task to “debug” annotations and to find combined proofs where purely automatic proof attempts fail.
Integrating Automated and Interactive Protocol Verification (Extended Version)
"... interpretation techniques and other overapproximations of the set of reachable states or traces. The protocol models that these tools employ are shaped by the needs of automated verification and require subtle assumptions. Also, a complex verification tool may suffer from implementation bugs so tha ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
interpretation techniques and other overapproximations of the set of reachable states or traces. The protocol models that these tools employ are shaped by the needs of automated verification and require subtle assumptions. Also, a complex verification tool may suffer from implementation bugs so that in the worst case the tool could accept some incorrect protocols as being correct. These risks of errors are also present, but considerably smaller, when using an LCFstyle theorem prover like Isabelle. The interactive security proof, however, requires a lot of expertise and time. We combine the advantages of both worlds by using the representation of the overapproximated search space computed by the automated tools as a “proof idea ” in Isabelle. Thus, we devise proof tactics for Isabelle that generate the correctness proof of the protocol from the output of the automated tools. In the worst case, these tactics fail to construct a proof, namely when the representation of the search space is for some reason incorrect. However, when they succeed, the correctness only relies on the basic model and the Isabelle core. 1
Featherweight OCL  A study for the consistent semantics of OCL 2.3 in HOL
, 2012
"... At its origins, OCL was conceived as a strict semantics for undefinedness, with the exception of the logical connectives of type Boolean that constitute a threevalued propositional logic. Recent versions of the OCL standard added a second exception element, which, similar to the null references in ..."
Abstract

Cited by 5 (4 self)
 Add to MetaCart
(Show Context)
At its origins, OCL was conceived as a strict semantics for undefinedness, with the exception of the logical connectives of type Boolean that constitute a threevalued propositional logic. Recent versions of the OCL standard added a second exception element, which, similar to the null references in programming languages, is given a nonstrict semantics. In this paper, we report on our results in formalizing the core of OCL in higherorder logic (HOL). This formalization revealed several inconsistencies and contradictions in the current version of the OCL standard. These inconsistencies and contradictions are reflected in the challenge to define and implement OCL tools (e. g., interpreters, codegenerators, or theorem provers) in a uniform manner.
State Spaces  The Locale Way
 SSV 2009
, 2009
"... Verification of imperative programs means reasoning about modifications of a program state. So proper representation of state spaces is crucial for the usability of a corresponding verification environment. In this paper we discuss various existing state space models under different aspects like str ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Verification of imperative programs means reasoning about modifications of a program state. So proper representation of state spaces is crucial for the usability of a corresponding verification environment. In this paper we discuss various existing state space models under different aspects like strong typing, modularity and scalability. We also propose a variant based on the locale infrastructure of Isabelle. Thus we manage to combine the advantages of previous formulations (without suffering from their disadvantages), and gain extra flexibility in composing state space components (inherited from the modularity of locales).
A category theory based (co)datatype package . . .
, 2012
"... Higherorder logic (HOL) forms the basis of several popular interactive theorem provers. These follow the definitional approach, reducing highlevel specifications to logical primitives. This also applies to the support for datatype definitions. However, the internal datatype construction used in ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Higherorder logic (HOL) forms the basis of several popular interactive theorem provers. These follow the definitional approach, reducing highlevel specifications to logical primitives. This also applies to the support for datatype definitions. However, the internal datatype construction used in HOL4, HOL Light and Isabelle/HOL is fundamentally noncompositional, limiting its efficiency and flexibility, and it does not cater for codatatypes. We present a fully modular framework for constructing (co)datatypes in HOL, with support for mixed mutual and nested (co)recursion. Mixed (co)recursion enables type definitions involving both datatypes and codatatypes, such as the type of finitely branching trees of possibly infinite depth. Our framework draws heavily from category theory. The key notion is that of a bounded natural functor—a functor satisfying specific properties preserved by interesting categorical operations. Our ideas are formalized in Isabelle and implemented as a new definitional package, answering a longstanding user request.
HOLTestGen/fw An Environment for SpecificationBased Firewall Conformance Testing
"... Abstract. The HOLTestGen environment is conceived as a system for modeling and semiautomated test generation with an emphasis on expressive power and generality. However, its underlying technical framework Isabelle/HOL supports the customization as well as the development of highly automated addo ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
Abstract. The HOLTestGen environment is conceived as a system for modeling and semiautomated test generation with an emphasis on expressive power and generality. However, its underlying technical framework Isabelle/HOL supports the customization as well as the development of highly automated addons working in specific application domains. In this paper, we present HOLTestGen/fw, an addon for the test framework HOLTestGen, that allows for testing the conformance of firewall implementations to highlevel security policies. Based on generic theories specifying a securitypolicy language, we developed specific theories for network data and firewall policies. On top of these firewall specific theories, we provide mechanisms for policy transformations based on derived rules and adapted codegenerators producing test drivers. Our empirical evaluations shows that HOLTestGen/fw is a competitive environment for testing firewalls or highlevel policies of local networks.