2005, Lecture Notes in Computer Science
Symbolic software verification engines such as Slam and ESC/Java often use automatic theorem provers to implement forms of symbolic simulation. The theorem provers that are used, such as Simplify, usually combine decision procedures for the theories of uninterpreted functions, linear arithmetic, and sometimes bit vectors using techniques proposed by Nelson-Oppen or Shostak. Programming language constructs such as pointers, structures and unions are not directly supported by the provers, and are often encoded imprecisely using axioms and uninterpreted functions.
2006
We describe practical experiments of program verification in the frame of the Theorema system (www.theorema.org). This includes both functional programs (using fixpoint theory), as well as imperative programs (using Hoare logic). By comparing different approaches we are trying to find general schemes which are useful for practical work. The Theorema system offers facilities for working with higher-order predicate logic formulae (including various general and domain-oriented provers) and also for defining and testing algorithms both in functional and in imperative styles. We generate verification conditions as natural-style predicate logic formulae, which can be then proven by Theorema, by issuing natural-style proofs which are human-readable.
2003
Approaching the problem of imperative program verification from a practical point of view has certain implications concerning [4]: the style of specifications, the programming language which is used, the help provided to the user for finding appropriate loop invariants, the theoretical frame used for formal verification, the language used for expressing generated verification theorems as well as the database of necessary mathematical knowledge, and finally the proving power, style and language.
The paper investigates methods for applying an on-line interactive verification system designed to prove properties of PASCAL programs. The methodology is intended to provide techniques for developing a debugged and verified version starting from a program that (a) is possibly unfinished in some respects, (b) may not satisfy the given specifications, e.g., may contain bugs, (c) may have incomplete documentation, (d) may be written in non-standard ways, e.g., may depend on user-defined data structures. The methodology involves (i) interactive application of a verification condition generator, an algebraic simplifier and a theorem-prover; (ii) techniques for describing data structures, type constraints, and properties of programs and subprograms (i.e. lower level procedures); (iii) the use of (abstract) data types in structuring programs and proofs. Within each unit (i.e. segment of a problem), the interactive use is aimed at reducing verification conditions to manageable proportions so that the non-trivial factors may be analysed. Analysis of verification conditions attempts to localize errors in the program logic, to extend assertions inside the program, to spotlight additional assumptions on program subfunctions (beyond those already specified by the programmer), and to generate appropriate lemmas that allow a verification to be completed. Methods for structuring correctness proofs are discussed that are similar to those of "structured programming". A detailed case study of a pattern matching algorithm illustrating the various aspects of the methodology (including the role played by the user) is given.
2000
Much research in computer science, ever since its inception, has been devoted to the problem: "How can we be sure that a computer program is correct?" The general problem is extremely difficult, and the enormous variety of computer software in use demands a corresponding variety of approaches: e.g. structured design methods [YC86], automated testing [Ber91] and model checking [GL94].
Proceedings of the Tenth …, 2010
In this paper we present the GamaSlicer tool, which is primarily a semantics-based program slicer that also offers formal verification (generation of verification conditions) and program visualization functionality. The tool allows users to obtain slices using a number of different families of slicing algorithms (precondition-based, postcondition-based, and specification-based), from a correct software component annotated with pre and postconditions (contracts written in JML-annotated Java). Each family in turn contains algorithms of different precision (with more precise algorithms being asymptotically slower). A novelty of our work at the theoretical level is the inclusion of a new, much more effective algorithm for specification-based slicing, and in fact other current work at this level is being progressively incorporated in the tool.
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007
Much of the embedded software development market has necessarily tight constraints on program size and processor power, hence developers use handwritten C rather than autocode. They rely primarily on testing to find errors in their code. We have an established software development tool known commercially as Perfect Developer, which uses a powerful automatic theorem prover and inference engine to reason about requirements and specifications. We have found that automated reasoning can be used to discharge a very high proportion of verification conditions arising from the specification and refinement of software components described in our formal specification language, Perfect. The Perfect Developer tool set can also generate code in a C++ subset or in Java, and the output code is then virtually certain to meet the stated specification, reducing the need for exhaustive testing. However, this is not helpful to developers of embedded software who are constrained to write code by hand. We therefore decided to investigate whether automated reasoning could provide a similar degree of success in the verification of annotated C code. We present our preliminary findings.
1993
The paper presents a practical verification tool that helps in the development of provably correct compilers. The tool is based on the approach of proving termination of PROLOG-like programs using term-rewriting techniques and a technique of testing whether a given PROLOG program can be soundly executed on PROLOG interpreters without the Occur-check test. The tool has been built on top of the theorem prover, RRL (Rewrite Rule Laboratory).
Programming Languages and Systems, 2013
We present Why3, a tool for deductive program verification, and WhyML, its programming and specification language. WhyML is a first-order language with polymorphic types, pattern matching, and inductive predicates. Programs can make use of record types with mutable fields, type invariants, and ghost code. Verification conditions are discharged by Why3 with the help of various existing automated and interactive theorem provers. To keep verification conditions tractable and comprehensible, WhyML imposes a static control of aliases that obviates the use of a memory model. A user can write WhyML programs directly and get correct-by-construction OCaml programs via an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs. We demonstrate the benefits of Why3 and WhyML on nontrivial examples of program verification.
Mathematical Structures in Computer Science, 2014
In this paper, aimed at dependently typed programmers, we present a novel connection between automated and interactive theorem proving paradigms. The novelty is that the connection offers a better trade-off between usability, efficiency and soundness when compared to existing techniques. This technique allows for a powerful interactive proof framework that facilitates efficient verification of finite domain theorems and guided construction of the proof of infinite domain theorems. Such situations typically occur with industrial verification. As a case study, an embedding of SAT and CTL model checking is presented, both of which have been implemented for the dependently typed proof assistant Agda. Finally, an example of a real world railway control system is presented, and shown using our proof framework to be safe with respect to an abstract model of trains not colliding or derailing. We demonstrate how to formulate safety directly and show using interactive theorem proving that sign...
Lecture Notes in Computer Science, 2014
Calculational Style of Programming, while very appealing, has several practical difficulties when done manually. Due to the large number of proofs involved, the derivations can be cumbersome and error-prone. To address these issues, we have developed automated-theorem-prover-assisted program and formula transformation rules, which, when coupled with the ability to extract the context of a subformula, help in shortening and simplifying the derivations. We have implemented this approach in a Calculational Assistant for Programming from Specifications (CAPS). With the help of simple examples, we show how the calculational assistant helps in taking the drudgery out of the derivation process while ensuring correctness.
IEEE Transactions on Software Engineering, 37 (1): 109-125, 2011
We present an integrated method for program proving, testing, and debugging. Using the concept of metamorphic relations, we select necessary properties for target programs. For programs where global symbolic evaluation can be conducted and the constraint expressions involved can be solved, we can either prove that these necessary conditions for program correctness are satisfied, or identify all inputs that violate the conditions. For other programs, our method can be converted into a symbolic testing approach. Our method extrapolates from the correctness of a program for tested inputs to the correctness of the program for related untested inputs. The method supports automatic debugging through the identification of constraint expressions that reveal failures.
Journal of Automated Reasoning, 2010
Boogie is a verification condition generator for an imperative core language. It has front-ends for the programming languages C# and C enriched by annotations in first-order logic, i.e. pre- and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ghost code and specification functions have been introduced to support a specific modeling methodology. Boogie's verification conditions, constructed via a wp calculus from annotated programs, are usually transferred to automated theorem provers such as Simplify or Z3. This also comprises the expansion of language-specific modeling constructs in terms of a theory describing memory and elementary operations on it; this theory is called a machine/memory model. In this paper, we present a proof environment, HOL-Boogie, that combines Boogie with the interactive theorem prover Isabelle/HOL, for a specific C front-end and a machine/memory model. In particular, we present specific techniques combining automated and interactive proof methods for code verification. The main goal of our environment is to help program verification engineers in their task to "debug" annotations and to find combined proofs where purely automatic proof attempts fail.
2009
We describe the design and implementation of an automatic invariant generator for imperative programs. While automatic invariant generation through constraint solving has been extensively studied from a theoretical viewpoint as a classical means of program verification, in practice existing tools do not scale even to moderately sized programs. This is because the constraints that need to be solved even for small programs are already too difficult for the underlying (non-linear) constraint solving engines. To overcome this obstacle, we propose to strengthen static constraint generation with information obtained from static abstract interpretation and dynamic execution of the program. The strengthening comes in the form of additional linear constraints that trigger a series of simplifications in the solver, and make solving more scalable. We demonstrate the practical applicability of the approach by an experimental evaluation on a collection of challenging benchmark programs and comparisons with related tools based on abstract interpretation and software model checking.
Lecture Notes in Computer Science, 2000
We describe practical experiments of program verification in the frame of the Theorema system (www.theorema.org). This includes both functional programs (using fixpoint theory), as well as imperative programs (using Hoare logic). By comparing different approaches we are trying to find general schemes which are useful for practical work. The Theorema system offers facilities for working with higher-order predicate logic formulae (including various general and domain-oriented provers) and also for defining and testing algorithms both in functional and in imperative styles. We generate verification conditions as natural-style predicate logic formulae, which can be then proven by Theorema, by issuing natural-style proofs which are human-readable.
IEEE Transactions on Pattern Analysis and Machine Intelligence, 2000
A noninductive method for mechanical theorem proving is presented, which deals with a recursive class of theorems involving iterative functions and predicates. The method is based on the symbolic evaluation of the formula to be proved and requires no inductive step. Induction is avoided since a metatheorem is proved which establishes the conditions on the evaluation of any formula which are sufficient to assure that the formula actually holds. The proof of a supposed theorem consists in evaluating the formula and checking the conditions. The method applies to assertions that involve element-by-element checking of typed homogeneous sequences which are hierarchically constructed out of the primitive type consisting of the truth values. The sequences can be computed by means of iterative and "accumulator" functions. The paper includes the definition of a simple typed iterative language in which both predicates and functions are expressed. The language precisely defines the scope of the proof method. The method proves a wide variety of theorems about iterative functions on sequences, including that which states that REVERSE is its own inverse, and that it can be inversely distributed on APPEND, that FLATTEN can be distributed on APPEND and that each element of any sequence is a MEMBER of the sequence itself. Although the method is not complete, it does provide the basis for an extremely efficient tool to be used in a complete mechanical theorem prover. Index Terms: Function behavior estimate, hierarchical lemma generation, inductionless proofs, iterative functions, mechanical theorem proving, program properties, symbolic computation.
1999
This paper examines an approach to computer assisted formal reasoning in relation to functional programming. Instead of using a generic proof tool which may differ on some points from the functional language used, a new proof tool is to be developed which is solely intended for proving properties of programs written in one specific language. This proof tool is intended to be inserted in the Integrated Development Environment of the programming language, which ensures a seamless integration.
Lecture Notes in Computer Science, 2008
Boogie is a program verification condition generator for an imperative core language. It has front-ends for the programming languages C# and C enriched by annotations in first-order logic. Its verification conditions, constructed via a wp calculus from these annotations, are usually transferred to automated theorem provers such as Simplify or Z3. In this paper, however, we present a proof environment, HOL-Boogie, that combines Boogie with the interactive theorem prover Isabelle/HOL. In particular, we present specific techniques combining automated and interactive proof methods for code verification. We will exploit our proof environment in two ways: First, we present scenarios to "debug" annotations (in particular: invariants) by interactive proofs. Second, we use our environment also to verify "background theories", i.e. theories for data-types used in annotations as well as memory and machine models underlying the verification method for C.