Verifying a File System Implementation

Arkoudas, Konstantine; Zee, Karen; Kunčak, Viktor; Rinard, Martin

doi:10.1007/978-3-540-30482-1_32

Cited by 51 publications

(34 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, it is important to consider correctness proofs even of existing file system implementations. In this regard, a correctness proof of operations like reading and writing in a Unix based file system is presented in [AZKR04] using Athena, an interactive theorem-proving environment. More recently (December 2009), Taverne et al [TP09], designed a simple robust file store and implemented it in the form of a Promela model.…”

Section: Related Workmentioning

confidence: 99%

Formalizing a hierarchical file system

Hesselink

Lali

2012

Form. Asp. Comput.

View full text Add to dashboard Cite

Abstract. An abstract file system is defined here as a partial function from (absolute) paths to data. Such a file system determines the set of valid paths. It allows the file system to be read and written at a valid path, and it allows the system to be modified by the Unix operations for creation, removal, and moving of files and directories. We present abstract definitions (axioms) for these operations. This specification is refined towards a pointer implementation. The challenge is to have a natural abstraction function from the implementation to the specification, to define operations on the concrete store that behave exactly in the same way as the corresponding functions on the abstract store, and to prove these facts. To mitigate the problems attached to partial functions, we do this in two steps: first a refinement towards a pointer implementation with total functions, followed by one that allows partial functions. These two refinements are proved correct by means of a number of invariants. Indeed, the insights gained consist, on the one hand, of the invariants of the pointer implementation that are needed for the refinement functions, and on the other hand of the precise enabling conditions of the operations on the different levels of abstraction. Each of the three specification levels is enriched with a permission system for reading, writing, or executing, and the refinement relations between these permission systems are explored. Files and directories are distinguished from the outset, but this rarely affects our part of the specifications. All results have been verified with the proof assistant PVS, in particular, that the invariants are preserved by the operations, and that, where the invariants hold, the operations commute with the refinement functions.

show abstract

Section: Related Workmentioning

confidence: 99%

Formalizing a hierarchical file system

Hesselink

Lali

2012

Form. Asp. Comput.

View full text Add to dashboard Cite

show abstract

“…This conjunction F is the assumption base that the provers use when they attempt to prove the consequent G. The translations of the proof language constructs use assume commands to add facts to the assumption base. 4 The soundness of the assume commands in this context is guaranteed by the form of the translation.…”

Section: The Assumption Basementioning

confidence: 99%

An integrated proof language for imperative programs

2009

Self Cite

View full text Add to dashboard Cite

We present an integrated proof language for guiding the actions of multiple reasoning systems as they work together to prove complex correctness properties of imperative programs. The language operates in the context of a program verification system that uses multiple reasoning systems to discharge generated proof obligations. It is designed to 1) enable developers to resolve key choice points in complex program correctness proofs, thereby enabling automated reasoning systems to successfully prove the desired correctness properties; 2) allow developers to identify key lemmas for the reasoning systems to prove, thereby guiding the reasoning systems to find an effective proof decomposition; 3) enable multiple reasoning systems to work together productively to prove a single correctness property by providing a mechanism that developers can use to divide the property into lemmas, each of which is suitable for a different reasoning system; and 4) enable developers to identify specific lemmas that the reasoning systems should use when attempting to prove other lemmas or correctness properties, thereby appropriately confining the search space so that the reasoning systems can find a proof in an acceptable amount of time.The language includes a rich set of declarative proof constructs that enables developers to direct the reasoning systems as little or as much as they desire. Because the declarative proof statements are embedded into the program as specialized comments, they also serve as verified documentation and are a natural extension of the assertion mechanism found in most program verification systems.We have implemented our integrated proof language in the context of a program verification system for Java and used the resulting system to verify a collection of linked data structure implementations. Our experience indicates that our proof language makes it possible to successfully prove complex program correctness properties that are otherwise beyond the reach of automated reasoning systems.

show abstract

“…Among the systems for interactively reasoning about richer theories of sets are Isabelle (Nipkow et al, 2002), HOL (Gordon and Melham, 1993), PVS (Owre et al, 1992). First-order frameworks such as Athena (Arkoudas et al, 2004) can use axiomatizations of sets along with calls to resolution-based theorem provers (Voronkov, 1995;Weidenbach, 2001) to reason about sets. Combinations of Decidable Theories.…”

Section: Related Workmentioning

confidence: 99%

Deciding Boolean Algebra with Presburger Arithmetic

Kunčak¹,

Nguyen

Rinard

2006

J Autom Reasoning

Self Cite

View full text Add to dashboard Cite

Abstract. We describe an algorithm for deciding the first-order multisorted theory BAPA, which combines 1) Boolean algebras of sets of uninterpreted elements (BA) and 2) Presburger arithmetic operations (PA). BAPA can express the relationship between integer variables and cardinalities of unbounded finite sets, and supports arbitrary quantification over sets and integers.Our original motivation for BAPA is deciding verification conditions that arise in the static analysis of data structure consistency properties. Data structures often use an integer variable to keep track of the number of elements they store; an invariant of such a data structure is that the value of the integer variable is equal to the number of elements stored in the data structure. When the data structure content is represented by a set, the resulting constraints can be captured in BAPA. BAPA formulas with quantifier alternations arise when verifying programs with annotations containing quantifiers, or when proving simulation relation conditions for refinement and equivalence of program fragments. Furthermore, BAPA constraints can be used for proving the termination of programs that manipulate data structures, as well as in constraint database query evaluation and loop invariant inference.We give a formal description of an algorithm for deciding BAPA. We analyze our algorithm and show that it has optimal alternating time complexity, and that the complexity of BAPA matches the complexity of PA. Because it works by a reduction to PA, our algorithm yields the decidability of a combination of sets of uninterpreted elements with any decidable extension of PA. When restricted to BA formulas, the algorithm can be used to decide BA in optimal alternating time. Furthermore, the algorithm can eliminate individual quantifiers from a formula with free variables and therefore perform projection onto a desirable set of variables.We have implemented our algorithm and used it to discharge verification conditions in the Jahob system for data structure consistency checking of Java programs; our experience suggest that a straightforward implementation of the algorithm is effective on non-trivial formulas as long as the number of set variables is small. We also report on a new algorithm for solving the quantifier-free fragment of BAPA.

show abstract

Verifying a File System Implementation

Cited by 51 publications

References 35 publications

Formalizing a hierarchical file system

Formalizing a hierarchical file system

An integrated proof language for imperative programs

Deciding Boolean Algebra with Presburger Arithmetic

Contact Info

Product

Resources

About