Using Automated Theorem Provers to Certify Auto-generated Aerospace Software

Denney, Ewen; Fischer, Bernd; Schumann, Johann

doi:10.1007/978-3-540-25984-8_12

Cited by 25 publications

(21 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These cases are safety obligations automatically generated from annotated programs at NASA. Following their introduction in [6], these benchmarks were made publicly available in TPTP format [17], a format for pure first-order logic. We then undertook the task of translating them into the SMT-LIB format and contributing them to the SMT-LIB library.…”

Section: Benchmarksmentioning

confidence: 99%

“…We used the following rules to infer types: (i) The index of an array is of type of integer; (ii) The return type of functions cos, sin, log, sqrt is real; (iii) The terms on both sides of infix predicates =, <=, >=, < and >, must have the same type; (iv) If the type of a term cannot be deduced by the above rules, it is assumed to be real. According to [6], of the 28065 cases, only 14 are supposed to be satisfiable (the rest are unsatisfiable). However, after running our experiments and carefully examining the benchmarks in their present form in the TPTP library, our best guess is that somewhere around 150 of the cases are actually satisfiable (both in the SMT-LIB format and in the original TPTP format).…”

Section: Benchmarksmentioning

confidence: 99%

“…It is difficult to know for sure since for these cases, no tool we are aware of can reliably distinguish between a truly satisfiable formula and one that is simply too difficult to prove unsatisfiable, and determining this by hand is extremely tedious and error-prone. We suspect that some assumptions present in the benchmarks from [6] were lost somehow before their submission to the TPTP library, but we do not know how this happened. In any case, most of the benchmarks are definitely unsatisfiable and while many are easy, a few of them are very challenging.…”

Section: Benchmarksmentioning

confidence: 99%

“…We chose Vampire and SPASS because Vampire and SPASS are among the best ATP systems: Vampire is a regular winner of the CASC competitions [16], and SPASS was the best prover of those tried in [6]. For easier comparison to [6], the benchmarks are divided as in that paper into seven categories: T ∅ , T ∀,→ , T prop , T eval , T array , T policy , T array * . The first category T ∅ contains the most difficult verification conditions.…”

Section: Comparison With Atp Systemsmentioning

confidence: 99%

“…We conclude with experimental results demonstrating the effectiveness of our heuristics in improving the performance of CVC3 and in solving verification conditions (in particular, several from the NASA suite introduced in [6]) that no previous ATP or SMT system has been able to solve.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Solving quantified verification conditions using satisfiability modulo theories

Barrett

Tinelli

2009

Ann Math Artif Intell

View full text Add to dashboard Cite

Abstract. First order logic provides a convenient formalism for describing a wide variety of verification conditions. Two main approaches to checking such conditions are pure first order automated theorem proving (ATP) and automated theorem proving based on satisfiability modulo theories (SMT). Traditional ATP systems are designed to handle quantifiers easily, but often have difficulty reasoning with respect to theories. SMT systems, on the other hand, have built-in support for many useful theories, but have a much more difficult time with quantifiers. One clue on how to get the best of both worlds can be found in the legacy system Simplify which combines built-in theory reasoning with quantifier instantiation heuristics. Inspired by Simplify and motivated by a desire to provide a competitive alternative to ATP systems, this paper describes a methodology for reasoning about quantifiers in SMT systems. We present the methodology in the context of the Abstract DPLL Modulo Theories framework. Besides adapting many of Simplify's techniques, we also introduce a number of new heuristics. Most important is the notion of instantiation level which provides an effective mechanism for prioritizing and managing the large search space inherent in quantifier instantiation techniques. These techniques have been implemented in the SMT system CVC3. Experimental results show that our methodology enables CVC3 to solve a significant number of benchmarks that were not solvable with any previous approach.

show abstract

Section: Benchmarksmentioning

confidence: 99%

Section: Benchmarksmentioning

confidence: 99%

Section: Benchmarksmentioning

confidence: 99%

Section: Comparison With Atp Systemsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Solving quantified verification conditions using satisfiability modulo theories

Barrett

Tinelli

2009

Ann Math Artif Intell

View full text Add to dashboard Cite

show abstract

Application Generators

Smaragdakis¹,

Huang²

1999

Wiley Encyclopedia of Electrical and Electronics Engineering

View full text Add to dashboard Cite

When a programming activity is well-understood, it can be automated. Automation transforms software development from activities like rote coding and tedious debugging to that of specification, where the "what" of an application is declared and the "how" is left to a complex, but automatable mapping. Programs that perform such mappings are application generators (or just generators). In the technical sense, application generators are compilers for domain-specific programming languages (DSLs). There is no strict criterion for characterizing a language as "domain-specific" but the term is commonly used to describe programming languages for specialized tasks (as opposed to "general-purpose" programming languages). Examples are languages for implementing communication protocols, partial differential equation solvers, windowing software, etc. Although all compilers can be viewed as generators, generator research and practice has focused on problems different than those usually found in a classical treatment of compilers (e.g., [1]), such as programming language extensibility and program transformations.Before we delve further into generator specifics, it is worth addressing the following question: why are generators needed? Is it not sufficient to employ other programming tools (e.g., traditional software libraries)? One answer is that it is very hard to scale traditional tools to handle code that is highly complex, yet can be decomposed into simpler pieces in systematic ways. In this case, generators can be viewed as compact representations of software libraries of gigantic size-each library encoding all the useful code configurations that a generator can produce. With a generator, the same code is produced in a systematic way that allows a mechanical process to generate desired code configurations. Thus, for practical reasons, generators are the preferred way to represent large families of related applications. Another reason for using generators is that the specification languages that generators implement are much more concise and convenient than the language of the produced program (called the target language). The translation of specifications to target code is done correctly and quickly, thereby substantially increasing programmer productivity. Further, generators can apply domain-specific optimizations (which are tedious and error-prone if done by hand) and can perform advanced error-checking (thereby automating correctness checks performed by domain experts). Compared to traditional software libraries, generators offer a much greater potential for optimization and can provide better error-checking.There are many dimensions of variability among generators, despite their common goal. Some generators implement specification languages that have a sound theoretical basis (e.g., [44][48]) and thus have been used extensively to implement formal specifications. More typically, full axiomatic theories simply do not exist and generator design is based on an informal understanding of a domain.Another important variabilit...

show abstract