Nancy's GECCOO Report
B2-3 Discharging Proof Obligations
Silvio Ranise and Calogero G. Zarba
1 The Problem
The main goal of this subtask is to design and implement decision
procedures which help to automatically discharge a large part of the
proof obligations generated by the verification of various properties
of programs. We consider a wide range of properties going from
safety (such as the absence of null-pointer dereferences) to
full correctness (such as a program implementing quick-sort
returns a vector of integers ordered in ascending or descending
We want to identify theories which allow us to adequately express the
properties of interest. While for certain properties (e.g. all
expressions denoting an index of an array are in its bounds), the
related theories are well-known (the quantifier-free fragment of
Presburger arithmetic), for others (e.g. expressing that a set of
memory locations reachable before a certain manipulation is still
reachable afterwards) this is not clear and constitutes an interesting
research problem. The situation is furtherly complicated by the fact
that certain properties can only be expressed by combining several
theories. This gives rise to the need of designing methods to combine
the decision procedures for the various theories into one reasoning
specialist for the union of the constituent theories.
An orthogonal problem is to handle the control-flow of the program
which can be so large to generate proof obligations with a complex
propositional structure which the automatic tool is required to
exploit in order to scale up to real programs. Given the success of
propositional solvers (such as BDD and SAT), it is common to use them
to handle the Boolean structure of the proof obligations. An
efficient integration between Boolean solvers and decision procedures
is crucial to build reasoning tools for the verification of programs
which scale up significantly.
2 Our Approach
Our approach consists of conducting both experimental and theoretical
investigations, each influencing the other.
2.1 Experimental work
In collaboration with David Déharbe (DIMAp/UFRN, Natal, Brazil), we
are developing a system called haRVey [DR03]. The
system takes as input a theory T and several formulae f1, ...,
fn and returns whether T entails fi for i=1,...,n. The
key features of the system are the integration between Boolean
solving, superposition theorem proving, and linear arithmetic
reasoning, as we all as a pre-processing phase to handle quantifiers
and the theory T.
2.1.1 Integrating Linear Arithmetic [IDR04]
Proof obligations frequently contain quantifiers. Classic combination
methods, such the Nelson-Oppen [NO79], allows to handle only
quantifier-free formulae. We have generalized the Nelson-Oppen method
to combine superposition theorem proving (which handles quantified
formulae) and linear arithmetic reasoning (which only handles
quantifier-free formulae). The resulting procedure is sound but not
complete and it gives good results in practice. Our benchmarks range
from proof obligations obtained from the verification of the
correctness of some sorting algorithms [FM99] to checking
safety properties such as the the absence of ``array-out-of-bounds''
2.1.2 Handling the Background Theory
The theory of a group of proof obligations is usually quite large
since it specifies a lot of details such as the memory model of the
programming language in which programs are written, its type system,
etc. Indeed, each proof obligation only requires a tiny portion of
such a big theory. We have adapted and implemented in haRVey
existing methods [RS97] to identify a subset of the theory which
is sufficient to prove a certain proof obligation. We have also
adapted some techniques to expand definitions [NW01] in order to
ease the task of the superposition prover. Preliminary experimental
results on benchmarks coming from the verification of safety
properties [DFS04], the retrieval of software
components [Fis01], and proof obligations generated from Krakatoa
are quite encouraging.
2.1.3 Automatic Verification of Pointer Programs [MR04]
In collaboration with F. Mehta (Technical University of Munich,
Germany), we have investigated the use of haRVey to
automatically discharge some of the sub-goals obtained while proving
the correctness of an algorithm for garbage collection. The all
verification effort [MN03] has been carried out in Isabelle,
some of the sub-goals derived from a key lemma have been translated
from Isabelle's higher-order syntax to haRVey's first-order
syntax by hand, and then the latter has been invoked. The experience
was positive since haRVey was capable to automatically handle
all the translated sub-goals. Furthermore, after gaining some
experience with the theory necessary to state the key lemma, we have
been able to identify a (decidable) theory capable of expressing
interesting properties about the reachability of certain memory
locations following chains of pointers (see Section
2.2 Theoretical work
In the context of Calogero Zarba's Post-Doc position attached to
GECCOO, we are currently investigating how to decide and combine
together theories that allow us to express interesting properties of
programs. In particular, classic methods [NO79] for combination
require that the component theories to satisfy certain conditions such
as signature disjointness or stable infiniteness. The methods that we
are developing attempt to relax these restrictions.
We devised a decision procedures for the quantifier-free theory of
lists with length constraints. The decision procedure can be combined
with any other decision procedure for the theory of the elements,
regardless of whether or not the theory of the elements is stably
infinite or not.
2.2.2 Container Data structures [RRZ05]
We are devising a new general method for combining a general theory of
container data structures (such as lists, arrays, sets, and
multisets), with a theory of the elements (such as integers, reals, or
booleans). The main contribution of our method is that it works for
any general theory of the elements, even if the theory of the elements
is not stable infinite.
Sets are ubiquitous in automated reasoning and program verification.
For instance, set theory forms the central kernel of the high-level
programming language SETL [SDDS86], as well as of the
specification languages Z [Spi88] and
B [Abr96]. Even for programming and specification
languages that are not entirely based on set theory, sets still play a
crucial role because they can be used either at the meta-level or as a
We are exploring different ways of deciding fragments of set theory
efficiently (this study was started in [CDD+04, CDGR03]). These
methods involve the reduction of a certain fragment of set theory to
other simpler theories for which the research community has already
developed efficient decision methods. Some of the simpler theories
include: a core theory of insertion and membership, decidable by
superposition [ARR03]; the theory of arithmetic (cf.
[HLL03]); and the theory of equality with uninterpreted
functions, decidable with combinations of SAT solving and decision
procedures for equality (see e.g. [GHN+04]).
When verifying programs manipulating pointers, one has often to reason
about the set of memory cells that are reachable from an initial
memory cell. To mechanize this kind of reasoning, we have defined a
basic fragment of set theory, extended with a reachability operator.
We are currently devising a decision procedure based on superposition
that can decide this theory.
The B-Book: Assigning Programs to Meanings.
Cambridge University Press, 1996.
Alessandro Armando, Silvio Ranise, and Michaël Rusinowitch.
A rewriting approach to satisfiability procedures.
Information and Computation, 183(2):140--164, 2003.
J.-F. Couchot, F. Dadeau, D. Déharbe, A. Giorgetti, and S. Ranise.
Proving and debugging set-based specifications.
In A. Cavalcanti and P. Machado, editors, Electronic Notes in
Theoretical Computer Science, proceedings of the Sixth Brazilian Workshop on
Formal Methods (WMF'03), volume 95, pages 189--208, Campina Grande, Brazil,
J.-F. Couchot, D. Déharbe, A. Giorgetti, and S. Ranise.
Scalable automated proving and debugging of set-based specifications.
Journal of the Brazilian Computer Society, 9(2):17--36,
Jean-François Couchot, Alain Giorgetti, Silvio Ranise, and Calogero G.
Verification of set-based specifications.
Ewen Denney, Bernd Fischer, and Johann Schumann.
Using automated theorem provers to certify auto-generated aerospace
In Proc. of the 2nd Int. Joint Conf. on Automated
Reasoning, LNCS. Springer, 2004.
D. Déharbe and S. Ranise.
Light-Weight Theorem Proving for Debugging and Verifying Units of
In Proc. of the International Conference on Software Engineering
and Formal Methods (SEFM03), Brisbane, Australia, September 2003. IEEE
Computer Society Press.
Deduction-Based Software Component Retrieval.
PhD thesis, Universität Passau, 2001.
J.-C. Filliâtre and N. Magaud.
Certification of sorting algorithms in the system Coq.
In Theorem Proving in Higher Order Logics: Emerging Trends,
Pascal Fontaine, Silvio Ranise, and Calogero G. Zarba.
Combining lists with non-stably infinite theories.
In Franz Baader and Andrei Voronkov, editors, Logic Programming
and Automated Reasoning. Springer, 2005.
Harald Ganzinger, George Hagen, Robert Nieuwenhuis, Albert Oliveras, and Cesare
DPLL(T): Fast decision procedures.
In R. Alur and D. Peled, editors, Proceedings of the 16th
International Conference on Computer Aided Verification, CAV'04 (Boston,
Massachusetts), volume 3114 of Lecture Notes in Computer Science,
pages 175--188. Springer, 2004.
Mohamed Hibti, Henri Lombardi, and Bruno Legeard.
Deciding in HFS-theory via linear integer programming.
In Andrei Voronkov, editor, Logic Programming and Automated
Reasoning, volume 698 of Lecture Notes in Computer Science, pages
170--181. Springer, 2003.
A. Imine, D. Déharbe, and S. Ranise.
Abstraction-Driven Verification of Array Programs.
In Proceedings of the 7th International Conference on Artificial
Intelligence and Symbolic Computation (AISC'04), number 3249 in LNCS, pages
271--275, Linz, Austria, September 2004. Springer.
Farhad Mehta and Tobias Nipkow.
Proving pointer programs in higher-order logic.
In F. Baader, editor, Automated Deduction --- CADE-19, volume
2741 of Lecture Notes in Computer Science, pages 121--135, 2003.
F. Mehta and S. Ranise.
Automated provers doing (higher-order) proof search: A case study in
the verification of pointer programs.
In Proc. of the 2nd Workshop on Pragmatics of Decision
Procedures in Automated Reasoning (PDPAR'04), 2004.
Greg Nelson and Derek C. Oppen.
Simplification by cooperating decision procedures.
ACM Transactions on Programming Languages and Systems,
Andreas Nonnengart and Christoph Weidenbach.
Computing small clause normal forms.
In Handbook of Automated Reasoning, pages 335--367. 2001.
Silvio Ranise, Christophe Ringeissen, and Calogero G. Zarba.
Combining data structures with non-stably infinite theories.
Wolfgang Reif and Gerhard Schellhorn.
Theorem proving in large theories.
In Maria Paola Bonacina and Ulrich Furbach, editors, Int.
Workshop on First-Order Theorem Proving, FTP'97, pages 119--124. Johannes
Kepler Universität, Linz (Austria), 1997.
Silvio Ranise and Calogero G. Zarba.
Superposition-based of pointer programs.
Jacob T. Schwartz, Robert B. K. Dewar, Ed Dubinsky, and Edmond Schonberg.
Programming with Sets: An Introduction to SETL.
J. Michael Spivey.
Understanding Z: A Specification Language and its Formal
Semantics, volume 3 of Cambridge Tracts in Theoretical Computer
Cambridge University Press, 1988.
This document was translated from LATEX by