Qi Zhou,David Heath,William Harris

DOI: https://doi.org/10.48550/arXiv.1705.03110

2017-05-09

Abstract:Verifying partial (i.e., termination-insensitive) equivalence of programs has significant practical applications in software development and education. Conventional equivalence verifiers typically rely on a combination of given relational summaries and suggested synchronization points; such information can be extremely difficult for programmers without a background in formal methods to provide for pairs of programs with dissimilar logic. In this work, we propose a completely automated verifier for determining partial equivalence, named Pequod. Pequod automatically synthesizes expressive proofs of equivalence conventionally only achievable via careful, manual constructions of product programs To do so, Pequod syntheses relational proofs for selected pairs of program paths and combines the per-path relational proofs to synthesize relational program invariants. To evaluate Pequod, we implemented it as a tool that targets Java Virtual Machine bytecode and applied it to verify the equivalence of hundreds of pairs of solutions submitted by students for problems hosted on popular online coding platforms, most of which could not be verified by existing techniques.

Programming Languages

Gaurav Parthasarathy,Thibault Dardinier,Benjamin Bonneau,Peter Müller,Alexander J. Summers

2024-05-10

Abstract:Automated program verifiers are typically implemented using an intermediate verification language (IVL), such as Boogie or Why3. A verifier front-end translates the input program and specification into an IVL program, while the back-end generates proof obligations for the IVL program and employs an SMT solver to discharge them. Soundness of such verifiers therefore requires that the front-end translation faithfully captures the semantics of the input program and specification in the IVL program, and that the back-end reports success only if the IVL program is actually correct. For a verification tool to be trustworthy, these soundness conditions must be satisfied by its actual implementation, not just the program logic it uses.

Programming Languages

Cristina Matache

DOI: https://doi.org/10.48550/arXiv.1902.04645

2019-02-12

Programming Languages

Abstract:This dissertation is concerned with the study of program equivalence and algebraic effects as they arise in the theory of programming languages. Algebraic effects represent impure behaviour in a functional programming language, such as input and output, exceptions, nondeterminism etc. all treated in a generic way. Program equivalence aims to identify which programs can be considered equal in some sense. This question has been studied for a long time but has only recently been extended to languages with algebraic effects, which are a newer development. Much work remains to be done in order to understand program equivalence in the presence of algebraic effects. In particular, there is no characterisation of contextual equivalence using a logic. We define a logic whose formulas express properties of higher-order programs with algebraic effects. We then investigate three notions of program equivalence for algebraic effects: logical equivalence induced by the aforementioned logic, applicative bisimilarity and contextual equivalence. For the programming language used in this dissertation, we prove that they all coincide. Therefore, the main novel contribution of the dissertation is defining the first logic for algebraic effects whose induced program equivalence coincides with contextual equivalence.

Andrej Bauer,Gaëtan Gilbert,Philipp G. Haselwarter,Matija Pretnar,Christopher A. Stone

DOI: https://doi.org/10.48550/arXiv.1802.06217

2018-02-17

Abstract:Andromeda is an LCF-style proof assistant where the user builds derivable judgments by writing code in a meta-level programming language AML. The only trusted component of Andromeda is a minimalist nucleus (an implementation of the inference rules of an object-level type theory), which controls construction and decomposition of type-theoretic judgments. Since the nucleus does not perform complex tasks like equality checking beyond syntactic equality, this responsibility is delegated to the user, who implements one or more equality checking procedures in the meta-language. The AML interpreter requests witnesses of equality from user code using the mechanism of algebraic operations and handlers. Dynamic checks in the nucleus guarantee that no invalid object-level derivations can be constructed. %even if the AML code (or interpreter) is untrusted. To demonstrate the flexibility of this system structure, we implemented a nucleus consisting of dependent type theory with equality reflection. Equality reflection provides a very high level of expressiveness, as it allows the user to add new judgmental equalities, but it also destroys desirable meta-theoretic properties of type theory (such as decidability and strong normalization). The power of effects and handlers in AML is demonstrated by a standard library that provides default algorithms for equality checking, computation of normal forms, and implicit argument filling. Users can extend these new algorithms by providing local "hints" or by completely replacing these algorithms for particular developments. We demonstrate the resulting system by showing how to axiomatize and compute with natural numbers, by axiomatizing the untyped $\lambda$-calculus, and by implementing a simple automated system for managing a universe of types.

Logic in Computer Science

Thibault Dardinier,Michael Sammler,Gaurav Parthasarathy,Alexander J. Summers,Peter Müller

2024-07-29

Abstract:Program verification tools are often implemented as front-end translations of an input program into an intermediate verification language (IVL) such as Boogie, GIL, Viper, or Why3. The resulting IVL program is then verified using an existing back-end verifier. A soundness proof for such a translational verifier needs to relate the input program and verification logic to the semantics of the IVL, which in turn needs to be connected with the verification logic implemented in the back-end verifiers. Performing such proofs is challenging due to the large semantic gap between the input and output programs and logics, especially for complex verification logics such as separation logic. This paper presents a formal framework for reasoning about translational separation logic verifiers. At its center is a generic core IVL that captures the essence of different separation logics. We define its operational semantics and formally connect it to two different back-end verifiers, which use symbolic execution and verification condition generation, resp. Crucially, this semantics uses angelic non-determinism to enable the application of different proof search algorithms and heuristics in the back-end verifiers. An axiomatic semantics for the core IVL simplifies reasoning about the front-end translation by performing essential proof steps once and for all in the equivalence proof with the operational semantics rather than for each concrete front-end translation. We illustrate the usefulness of our formal framework by instantiating our core IVL with elements of Viper and connecting it to two Viper back-ends as well as a front-end for concurrent separation logic. All our technical results have been formalized in Isabelle/HOL, including the core IVL and its semantics, the semantics of two back-ends for a subset of Viper, and all proofs.

Programming Languages

Dennis Müller,Colin Rothgang,Yufei Liu,Florian Rabe

DOI: https://doi.org/10.4204/EPTCS.262.7

2017-12-05

Abstract:Translating expressions between different logics and theorem provers is notoriously and often prohibitively difficult, due to the large differences between the logical foundations, the implementations of the systems, and the structure of the respective libraries. Practical solutions for exchanging theorems across theorem provers have remained both weak and brittle. Consequently, libraries are not easily reusable across systems, and substantial effort must be spent on reformalizing and proving basic results in each system. Notably, this problem exists already if we only try to exchange theorem statements and forgo exchanging proofs. In previous work we introduced alignments as a lightweight standard for relating concepts across libraries and conjectured that it would provide a good base for translating expressions. In this paper, we demonstrate the feasibility of this approach. We use a foundationally uncommitted framework to write interface theories that abstract from logical foundation, implementation, and library structure. Then we use alignments to record how the concepts in the interface theories are realized in several major proof assistant libraries, and we use that information to translate expressions across libraries. Concretely, we present exemplary interface theories for several areas of mathematics and - in total - several hundred alignments that were found manually.

Logic in Computer Science

P. Schneider-Kamp,J. Giesl,A. Serebrenik,R. Thiemann

DOI: https://doi.org/10.48550/arXiv.0803.0014

2008-09-01

Abstract:There are two kinds of approaches for termination analysis of logic programs: "transformational" and "direct" ones. Direct approaches prove termination directly on the basis of the logic program. Transformational approaches transform a logic program into a term rewrite system (TRS) and then analyze termination of the resulting TRS instead. Thus, transformational approaches make all methods previously developed for TRSs available for logic programs as well. However, the applicability of most existing transformations is quite restricted, as they can only be used for certain subclasses of logic programs. (Most of them are restricted to well-moded programs.) In this paper we improve these transformations such that they become applicable for any definite logic program. To simulate the behavior of logic programs by TRSs, we slightly modify the notion of rewriting by permitting infinite terms. We show that our transformation results in TRSs which are indeed suitable for automated termination analysis. In contrast to most other methods for termination of logic programs, our technique is also sound for logic programming without occur check, which is typically used in practice. We implemented our approach in the termination prover AProVE and successfully evaluated it on a large collection of examples.

Logic in Computer Science,Artificial Intelligence,Programming Languages

Manny Rayner

DOI: https://doi.org/10.48550/arXiv.cmp-lg/9405024

1994-05-26

Computation and Language

Abstract:The thesis describes a logical formalization of natural-language database interfacing. We assume the existence of a ``natural language engine'' capable of mediating between surface linguistic string and their representations as ``literal'' logical forms: the focus of interest will be the question of relating ``literal'' logical forms to representations in terms of primitives meaningful to the underlying database engine. We begin by describing the nature of the problem, and show how a variety of interface functionalities can be considered as instances of a type of formal inference task which we call ``Abductive Equivalential Translation'' (AET); functionalities which can be reduced to this form include answering questions, responding to commands, reasoning about the completeness of answers, answering meta-questions of type ``Do you know...'', and generating assertions and questions. In each case, a ``linguistic domain theory'' (LDT) $\Gamma$ and an input formula $F$ are given, and the goal is to construct a formula with certain properties which is equivalent to $F$, given $\Gamma$ and a set of permitted assumptions. If the LDT is of a certain specified type, whose formulas are either conditional equivalences or Horn-clauses, we show that the AET problem can be reduced to a goal-directed inference method. We present an abstract description of this method, and sketch its realization in Prolog. The relationship between AET and several problems previously discussed in the literature is discussed. In particular, we show how AET can provide a simple and elegant solution to the so-called ``Doctor on Board'' problem, and in effect allows a ``relativization'' of the Closed World Assumption. The ideas in the thesis have all been implemented concretely within the SRI CLARE project, using a real projects and payments database. The LDT for the example database is described in detail, and examples of the types of functionality that can be achieved within the example domain are presented.

Jesper Amilon,Zafer Esen,Dilian Gurov,Christian Lidström,Philipp Rümmer,Marten Voorberg

2024-12-09

Abstract:In deductive verification and software model checking, dealing with certain specification language constructs can be problematic when the back-end solver is not sufficiently powerful or lacks the required theories. One way to deal with this is to transform, for verification purposes, the program to an equivalent one not using the problematic constructs, and to reason about this equivalent program instead. In this article, we propose program instrumentation as a unifying verification paradigm that subsumes various existing ad-hoc approaches, has a clear formal correctness criterion, can be applied automatically, and can transfer back witnesses and counterexamples. We illustrate our approach on the automated verification of programs that involve quantification and aggregation operations over arrays, such as the maximum value or sum of the elements in a given segment of the array, which are known to be difficult to reason about automatically. We implement our approach in the MonoCera tool, which is tailored to the verification of programs with aggregation, and evaluate it on example programs, including SV-COMP programs.

Logic in Computer Science

Dawn Michaelson

DOI: https://doi.org/10.48550/arXiv.1705.09025

2017-05-25

Abstract:In logical reasoning, it is often the case that only some of a collection of assumptions are needed to reach a conclusion. A strengthening lemma is an assertion that a given conclusion is independent in this sense of a particular assumption. Strengthening lemmas underlie many useful techniques for simplifying proofs in automated and interactive theorem-provers. For example, they underlie a mechanism called subordination that is useful in determining that expressions of a particular type cannot contain objects of another type and in thereby reducing the number of cases to be considered in proving universally quantified statements. This thesis concerns the automation of the proofs of strengthening lemmas in a specification logic called the logic of hereditary Harrop formulas (HOHH). The Abella Proof Assistant embeds this logic in a way that allows it to prove properties of both the logic itself and of specifications written in it. Previous research has articulated a (conservative) algorithm for checking if a claimed strengthening lemma is, in fact, true. We provide here an implementation of this algorithm within the setting of Abella. Moreover, we show how to generate an actual proof of the strengthening lemma in Abella from the information computed by the algorithm; such a proof serves as a more trustworthy certificate of the correctness of the lemma than the algorithm itself. The results of this work have been incorporated into the Abella system in the form of a "tactic command" that can be invoked within the interactive theorem-prover and that will result in an elaboration of a proof of the lemma and its incorporation into the collection of proven facts about a given specification.

Logic in Computer Science

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Pranjal Aggarwal,Bryan Parno,Sean Welleck

2024-12-09

Abstract:Automated code generation with large language models has gained significant traction, but there remains no guarantee on the correctness of generated code. We aim to use formal verification to provide mathematical guarantees that the generated code is correct. However, generating formally verified code with LLMs is hindered by the scarcity of training data and the complexity of formal proofs. To tackle this challenge, we introduce AlphaVerus, a self-improving framework that bootstraps formally verified code generation by iteratively translating programs from a higher-resource language and leveraging feedback from a verifier. AlphaVerus operates in three phases: exploration of candidate translations, Treefinement -- a novel tree search algorithm for program refinement using verifier feedback, and filtering misaligned specifications and programs to prevent reward hacking. Through this iterative process, AlphaVerus enables a LLaMA-3.1-70B model to generate verified code without human intervention or model finetuning. AlphaVerus shows an ability to generate formally verified solutions for HumanEval and MBPP, laying the groundwork for truly trustworthy code-generation agents.

Machine Learning,Artificial Intelligence

Vincent Cheval,Caroline Fontaine

2024-10-20

Abstract:Computer-aided analysis of security protocols heavily relies on equational theories to model cryptographic primitives. Most automated verifiers for security protocols focus on equational theories that satisfy the Finite Variant Property (FVP), for which solving unification is decidable. However, they either require to prove FVP by hand or at least to provide a representation as an E-convergent rewrite system, usually E being at most the equational theory for an associative and commutative function symbol (AC). The verifier ProVerif is probably the only exception amongst these tools as it automatically proves FVP without requiring a representation, but on a small class of equational theories. In this work, we propose a novel semi-decision procedure for proving FVP, without the need for a specific representation, and for a class of theories that goes beyond the ones expressed by an E-convergent rewrite system. We implemented a prototype and successfully applied it on several theories from the literature.

Cryptography and Security

Danil Annenkov

DOI: https://doi.org/10.48550/arXiv.1811.11317

2018-11-28

Abstract:We present three projects concerned with applications of proof assistants in the area of programming language theory and mathematics. The first project is about a certified compilation technique for a domain-specific programming language for financial contracts (the CL language). The code in CL is translated into a simple expression language well-suited for integration with software components implementing Monte Carlo simulation techniques (pricing engines). The compilation procedure is accompanied with formal proofs of correctness carried out in Coq. The second project presents techniques that allow for formal reasoning with nested and mutually inductive structures built up from finite maps and sets. The techniques, which build on the theory of nominal sets combined with the ability to work with isomorphic representations of finite maps, make it possible to give a formal treatment, in Coq, of a higher-order module system, including the ability to eliminate at compile time abstraction barriers introduced by the module system. The development is based on earlier work on static interpretation of modules and provides the foundation for a higher-order module language for Futhark, an optimising compiler targeting data-parallel architectures. The third project presents an implementation of two-level type theory, a version of Martin-Lof type theory with two equality types: the first acts as the usual equality of homotopy type theory, while the second allows us to reason about strict equality. In this system, we can formalise results of partially meta-theoretic nature. We develop and explore in details how two-level type theory can be implemented in a proof assistant, providing a prototype implementation in the proof assistant Lean. We demonstrate an application of two-level type theory by developing some results on the theory of inverse diagrams using our Lean implementation.

Programming Languages

James Ian Johnson

DOI: https://doi.org/10.48550/arXiv.1504.08033

2015-04-29

Programming Languages

Abstract:Static program analysis is a valuable tool for any programming language that people write programs in. The prevalence of scripting languages in the world suggests programming language interpreters are relatively easy to write. Users of these languages lament their inability to analyze their code, therefore programming language analyzers are not easy to write. This thesis investigates a systematic method of creating abstract interpreters from traditional interpreters, called Abstracting Abstract Machines. Abstract interpreters are difficult to develop due to technical, theoretical, and pragmatic problems. Technical problems include engineering data structures and algorithms. I show that modest and simple changes to the mathematical presentation of abstract machines result in 1000 times better running time - just seconds for moderately sized programs. In the theoretical realm, abstraction can make correctness difficult to ascertain. I provide proof techniques for proving the correctness of regular, pushdown, and stack-inspecting pushdown models of abstract computation by leaving computational power to an external factor: allocation. Even if we don't trust the proof, we can run models concretely against test suites to better trust them. In the pragmatic realm, I show that the systematic process of abstracting abstract machines is automatable. I develop a meta-language for expressing abstract machines similar to other semantics engineering languages. The language's special feature is that it provides an interface to abstract allocation. The semantics guarantees that if allocation is finite, then the semantics is a sound and computable approximation of the concrete semantics.

Thomas Eiter,Michael Fink,Stefan Woltran

DOI: https://doi.org/10.1145/1243996.1244000

2007-07-01

ACM Transactions on Computational Logic

Abstract:In recent research on nonmonotonic logic programming, repeatedly strong equivalence of logic programs P and Q has been considered, which holds if the programs P ∪ R and Q ∪ R have the same answer sets for any other program R . This property strengthens the equivalence of P and Q with respect to answer sets (which is the particular case for R =∅), and has its applications in program optimization, verification, and modular logic programming. In this article, we consider more liberal notions of strong equivalence, in which the actual form of R may be syntactically restricted. On the one hand, we consider uniform equivalence where R is a set of facts, rather than a set of rules. This notion, which is well-known in the area of deductive databases, is particularly useful for assessing whether programs P and Q are equivalent as components of a logic program which is modularly structured. On the other hand, we consider relativized notions of equivalence where R ranges over rules over a fixed alphabet, and thus generalize our results to relativized notions of strong and uniform equivalence. For all these notions, we consider disjunctive logic programs in the propositional (ground) case as well as some restricted classes, providing semantical characterizations and analyzing the computational complexity. Our results, which naturally extend to answer set semantics for programs with strong negation, complement the results on strong equivalence of logic programs and pave the way for optimizations in answer set solvers as a tool for input-based problem solving.

computer science, theory & methods,logic

Tao Liu,Yangjia Li,Shuling Wang,Mingsheng Ying,Naijun Zhan

DOI: https://doi.org/10.48550/arxiv.1601.03835

2016-01-01

Abstract:Quantum Hoare Logic (QHL) was introduced in Ying's work to specify and reason about quantum programs. In this paper, we implement a theorem prover for QHL based on Isabelle/HOL. By applying the theorem prover, verifying a quantum program against a specification is transformed equivalently into an order relation between matrices. Due to the limitation of Isabelle/HOL, the calculation of the order relation is solved by calling an outside oracle written in Python. To the best of our knowledge, this is the first theorem prover for quantum programs. To demonstrate its power, the correctness of two well-known quantum algorithms, i.e., Grover Quantum Search and Quantum Phase Estimation (the key step in Shor's quantum algorithm of factoring in polynomial time) are proved using the theorem prover. These are the first mechanized proofs for both of them.

Peizun Liu,Thomas Wahl

DOI: https://doi.org/10.48550/arXiv.1706.03167

2017-06-10

Software Engineering

Abstract:Exploration algorithms for explicit-state transition systems are a core back-end technology in program verification. They can be applied to programs by generating the transition system on the fly, avoiding an expensive up-front translation. An on-the-fly strategy requires significant modifications to the implementation, into a form that stores states directly as valuations of program variables. Performed manually on a per-algorithm basis, such modifications are laborious and error-prone. In this paper we present the IJIT Application Programming Interface (API), which allows users to automatically transform a given transition system exploration algorithm to one that operates on Boolean programs. The API converts system states temporarily to program states just in time for expansion via image computations, forward or backward. Using our API, we have effortlessly extended various non-trivial (e.g. infinite-state) model checking algorithms to operate on multi-threaded Boolean programs. We demonstrate the ease of use of the API, and present a case study on the impact of the just-in-time translation on these algorithms.

Darius Foo,Yahui Song,Wei-Ngan Chin

2024-07-02

Abstract:Higher-order functions and imperative states are language features supported by many mainstream languages. Their combination is expressive and useful, but complicates specification and reasoning, due to the use of yet-to-be-instantiated function parameters. One inherent limitation of existing specification mechanisms is its reliance on only two stages: an initial stage to denote the precondition at the start of the method and a final stage to capture the postcondition. Such two-stage specifications force abstract properties to be imposed on unknown function parameters, leading to less precise specifications for higher-order methods. To overcome this limitation, we introduce a novel extension to Hoare logic that supports multiple stages for a call-by-value higher-order language with ML-like local references. Multiple stages allow the behavior of unknown function-type parameters to be captured abstractly as uninterpreted relations; and can also model the repetitive behavior of each recursion as a separate stage. In this paper, we define our staged logic with its semantics, prove its soundness and develop a new automated higher-order verifier, called Heifer, for a core ML-like language.

Programming Languages