Results 1  10
of
18
Partial Functions in ACL2
 Journal of Automated Reasoning
"... We describe a macro for introducing \partial functions" into ACL2, i.e., functions not dened everywhere. The function \denitions" are actually admitted via the encapsulation principle. We discuss the basic issues surrounding partial functions in ACL2 and illustrate theorems that can be ..."
Abstract

Cited by 37 (7 self)
 Add to MetaCart
(Show Context)
We describe a macro for introducing \partial functions" into ACL2, i.e., functions not dened everywhere. The function \denitions" are actually admitted via the encapsulation principle. We discuss the basic issues surrounding partial functions in ACL2 and illustrate theorems that can be proved about such functions.
Proving theorems about Java and the JVM with ACL2
 Models, Algebras and Logic of Engineering Software
, 2003
"... We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. ..."
Abstract

Cited by 22 (10 self)
 Add to MetaCart
(Show Context)
We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. Theorems are proved about Java methods and classes by compiling them with javac and then proving the corresponding theorem about the JVM. Certain automatically applied strategies are implemented with rewrite rules (and other proofguiding pragmas) in ACL2 “books” to control the theorem prover when operating on problems involving the JVM model. The Java Virtual Machine or JVM [27] is the basic abstraction Java [17] implementors are expected to respect. We speculate that the JVM is an appropriate level of abstraction at which to model Java programs with the intention of mechanically verifying their properties. The most complex features of the Java subset we handle – construction and initialization of new objects, synchronization, thread management, and virtual method invocation – are all supported directly and with full abstraction as single atomic instructions in the JVM. The complexity of verifying JVM bytecode program stems from the complexity of Java’s semantics, not
A Programming Logic for Java Bytecode Programs
 In Proceedings of the 16th International Conference on Theorem Proving in Higher Order LOglCS, volume 2758 of Lecture Notes in Computer Science
, 2003
"... A copy can be downloaded for personal noncommercial research or study, without prior permission or charge This thesis cannot be reproduced or quoted extensively from without first obtaining permission in writing from the Author The content must not be changed in any way or sold commercially in any ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
(Show Context)
A copy can be downloaded for personal noncommercial research or study, without prior permission or charge This thesis cannot be reproduced or quoted extensively from without first obtaining permission in writing from the Author The content must not be changed in any way or sold commercially in any format or medium without the formal permission of the Author When referring to this work, full bibliographic details including the author, title, awarding institution and date of the thesis must be given
Formal Models of Java at the JVM Level A Survey from the ACL2 Perspective
 In Proc. Workshop on Formal Techniques for Java Programs, in association with ECOOP
, 2001
"... We argue that a practical way to apply formal methods to Java is to apply formal methods to the Java Virtual Machine (JVM) instead. A Java system can be proved correct by analyzing the bytecode produced for it. We believe that this clari es the semantic issues without introducing inappropriate compl ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
We argue that a practical way to apply formal methods to Java is to apply formal methods to the Java Virtual Machine (JVM) instead. A Java system can be proved correct by analyzing the bytecode produced for it. We believe that this clari es the semantic issues without introducing inappropriate complexity. We say \inappropriate" because we believe the complexity present in the JVM view of a Java class is inherent in the Java, when accurately modeled. If it is desired to model a subset of Java or to model \Java" with a slightly simpler semantics, that can be done by formalizing a suitable abstraction of the JVM. In this paper we support these contentions by surveying recent applications of the ACL2 theorem proving system to the JVM. In particular, we describe how ACL2 is used to formalize operational semantics, we describe several models of the JVM, and we describe proofs of theorems involving these models. We are using these models to explore a variety of Java issues from a formal perspective, including Java's bounded arithmetic, object manipulation via the heap, class inheritance, method resolution, singleand multithreaded programming, synchronization via monitors in the heap, and properties of the bytecode veri er.
SingleThreaded Objects in ACL2
 Practical Aspects of Declarative Languages (PADL), volume 2257 of LNCS
, 1999
"... ACL2 is a firstorder applicative programming language based on Common Lisp. It is also a mathematical logic for which a mechanical theoremprover has been implemented in the style of the BoyerMoore theorem prover. The ACL2 system is used primarily in the modeling and verification of computer hardwa ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
ACL2 is a firstorder applicative programming language based on Common Lisp. It is also a mathematical logic for which a mechanical theoremprover has been implemented in the style of the BoyerMoore theorem prover. The ACL2 system is used primarily in the modeling and verification of computer hardware and software, where the executability of the language allows models to be used as prototype designs or "simulators." To support efficient execution of certain kinds of models, especially models of microprocessors, ACL2 provides "singlethreaded objects," structures with the usual "copy on write" applicative semantics but for which writes are implemented destructively. Syntactic restrictions insure consistency between the formal semantics and the implementation. The design of singlethreaded objects has been influenced both by the need to make execution efficient and the need to make proofs about them simple. We discuss the issues. 1 Background "ACL2" stands for "A Computational Logic for...
An Executable Formal Java Virtual Machine Thread Model
, 2001
"... We discuss an axiomatic description of a simple abstract machine similar to the Java Virtual Machine (JVM). Our model supports classes, with fields and bytecoded methods, and a representative sampling of JVM bytecodes for basic operations for both data and control. The GETFIELD and PUTFIELD instru ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
We discuss an axiomatic description of a simple abstract machine similar to the Java Virtual Machine (JVM). Our model supports classes, with fields and bytecoded methods, and a representative sampling of JVM bytecodes for basic operations for both data and control. The GETFIELD and PUTFIELD instructions accurately model inheritance, as does the INVOKEVIRTUAL instruction. Our model supports multiple threads, synchronized methods, and monitors. Our current model is inadequate or inaccurate
A Transformational Perspective into the Core of an Abstract Class Loader for the SSP
 ACM Trans. on Embedded Computing Sys
"... The SSP is a hardware implementation of a subset of the JVM for use in high consequence embedded applications. In this context, a majority of the activities belonging to class loading, as it is defined in the specification of the JVM, can be performed statically. Static class loading has the net res ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
The SSP is a hardware implementation of a subset of the JVM for use in high consequence embedded applications. In this context, a majority of the activities belonging to class loading, as it is defined in the specification of the JVM, can be performed statically. Static class loading has the net result of dramatically simplifying the design of the SSP as well as increasing its performance. The functionality of the class loader can be implemented using strategic programming techniques. The incremental nature of strategic programming is amenable to formal verification. This article gives an overview of the core class loading activities for the SSP, their implementation in the strategic programming language TL, and outlines the approach to formal verification of the implementation. 1
Formalising the Safety of Java, the Java Virtual Machine and Java Card
"... State Machine Semantics (ASM), Axiomatic Semantics (AS), Context Rewriting semantics (CR), Continuation or monad Semantics (CS), Denotational Semantics (DS), Natural Semantics (NS), Operational Semantics (OS), Structural Operational Semantics (SOS), or a semantic embedding in a higher odrder logic ( ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
State Machine Semantics (ASM), Axiomatic Semantics (AS), Context Rewriting semantics (CR), Continuation or monad Semantics (CS), Denotational Semantics (DS), Natural Semantics (NS), Operational Semantics (OS), Structural Operational Semantics (SOS), or a semantic embedding in a higher odrder logic (HOL).
Proving Properties of Java Threads
, 2000
"... We describe a mechanically checked proof of a property of a system of small bytecoded programs involving an unbounded number of threads and synchronization via monitors. The bytecode programming language we study is modeled on that for the Java Virtual Machine. The formal semantics of our language i ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
We describe a mechanically checked proof of a property of a system of small bytecoded programs involving an unbounded number of threads and synchronization via monitors. The bytecode programming language we study is modeled on that for the Java Virtual Machine. The formal semantics of our language is given by an operational model expressed in ACL2, a Lispbased logic of recursive functions. Our proofs are checked with the ACL2 theorem prover. The proof involves reasoning about arithmetic, conditionals, infinite loops, the creation and modification of instance objects in the heap, including threads, the inheritance of fields from superclasses, pointer chasing and smashing, the invocation of instance methods (and the concomitant dynamic method resolution), use of the start method on thread objects, the use of monitors to attain synchronization between threads, and consideration of all possible interleavings or scheduling over an unbounded number of threads. This paper develops tech...