388 Hits in 1.3 sec

Recursive Data Structures in SPARK [chapter]

Claire Dross, Johannes Kanig
2020 Lecture Notes in Computer Science  
SPARK is both a deductive verification tool for the Ada language and the subset of Ada on which it operates. In this paper, we present a recent extension of the SPARK language and toolset to support pointers. This extension is based on an ownership policy inspired by Rust to enforce non-aliasing through a move semantics of assignment. In particular, we consider pointer-based recursive data structures, and discuss how they are supported in SPARK. We explain how iteration over these structures
more » ... be handled using a restricted form of aliasing called local borrowing. To avoid introducing a memory model and to stay in the first-order logic background of SPARK, the relation between the iterator and the underlying structure is encoded as a predicate which is maintained throughout the program control flow. Special first-order contracts, called pledges, can be used to describe this relation. Finally, we give examples of programs that can be verified using this framework.
doi:10.1007/978-3-030-53291-8_11 fatcat:awiwdmdahfafvl7ksfksnlyj3i

Correct Code Containing Containers [chapter]

Claire Dross, Jean-Christophe Filliâtre, Yannick Moy
2011 Lecture Notes in Computer Science  
For critical software development, containers such as lists, vectors, sets or maps are an attractive alternative to ad-hoc data structures based on pointers. As standards like DO-178C put formal verification and testing on an equal footing, it is important to give users the ability to apply both to the verification of code using containers. In this paper, we present a definition of containers whose aim is to facilitate their use in certified software, using modern proof technology and novel
more » ... ification languages. Correct usage of containers and user-provided correctness properties can be checked either by execution during testing or by formal proof with an automatic prover. We present a formal semantics for containers and an axiomatization of this semantics targeted at automatic provers. We have proved in Coq that the formal semantics is consistent and that the axiomatization thereof is correct.
doi:10.1007/978-3-642-21768-5_9 fatcat:ikzhlgvlmvavpin525xqz6oq2i

Auto-Active Proof of Red-Black Trees in SPARK [chapter]

Claire Dross, Yannick Moy
2017 Lecture Notes in Computer Science  
Formal program verification can guarantee that a program is free from broad classes of errors (like reads of uninitialized data and run-time errors) and that it complies with its specification. Tools such as SPARK make it cost effective to target the former in an industrial context, but the latter is much less common in industry, owing to the cost of specifying the behavior of programs and even more the cost of achieving proof of such specifications. We have chosen in SPARK to rely on the
more » ... ques of auto-active verification for providing cost effective formal verification of functional properties. These techniques consist in providing annotations in the source code that will be used by automatic provers to complete the proof. To demonstrate the potential of this approach, we have chosen to formally specify a library of red-black trees in SPARK, and to prove its functionality using auto-active verification. To the best of our knowledge, this is the most complex use of auto-active verification so far.
doi:10.1007/978-3-319-57288-8_5 fatcat:klwkekpotrdc5l7j7sylanogqy

On the proper interval completion problem within some chordal subclasses [article]

François Dross, Claire Hilaire, Ivo Koch, Valeria Leoni, Nina Pardal, María Inés Lopez Pujato, Vinicius Fernandes dos Santos
2021 arXiv   pre-print
Given a property (graph class) Π, a graph G, and an integer k, the Π-completion problem consists in deciding whether we can turn G into a graph with the property Π by adding at most k edges to G. The Π-completion problem is known to be NP-hard for general graphs when Π is the property of being a proper interval graph (PIG). In this work, we study the PIG-completion problem (PIG) within different subclasses of chordal graphs. We show that the problem remains NP-complete even when restricted to
more » ... lit graphs. We then turn our attention to positive results and present polynomial time algorithms to solve the PIG-completion problem when the input is restricted to caterpillar and threshold graphs. We also present an efficient algorithm for the minimum co-bipartite-completion for quasi-threshold graphs, which provides a lower bound for the PIG-completion problem within this graph class.
arXiv:2110.07706v1 fatcat:dcxkplfd6faylc6rspflwxkgxm

Adding Decision Procedures to SMT Solvers Using Axioms with Triggers

Claire Dross, Sylvain Conchon, Johannes Kanig, Andrei Paskevich
2015 Journal of automated reasoning  
Satisfiability Modulo Theories (SMT) solvers are efficient tools to decide the satisfiability of ground formulas, including a number of built-in theories such as congruence, linear arithmetic, arrays, and bit-vectors. Adding a theory to that list requires delving into the implementation details of a given SMT solver, and is done mainly by the developers of the solver itself. For many useful theories, one can alternatively provide a first-order axiomatization. However, in the presence of
more » ... ers, SMT solvers are incomplete and exhibit unpredictable behavior. Consequently, this approach can not provide us with a complete and terminating treatment of the theory of interest. In this paper, we propose a framework to solve this problem, based on the notion of instantiation patterns, also known as triggers. Triggers are annotations that suggest instances which are more likely to be useful in proof search. They are implemented in all SMT solvers that handle first-order logic and are included in the SMT-LIB format. In our framework, the user provides a theory axiomatization with triggers, along with a proof of completeness and termination properties of this axiomatization, and obtains a sound, complete, and terminating solver for her theory in return. We describe and prove a corresponding extension of the traditional Abstract DPLL Modulo Theory framework. Implementing this mechanism in a given SMT solver requires a one-time development effort. We have implemented the proposed extension in the Alt-Ergo prover and we discuss some implementation details in the paper. To show that our framework can handle complex theories, we prove completeness and termination of a feature-rich axiomatization of doubly-linked lists. Our tests show that our approach results in a better performance of the solver on goals that stem from the verification of programs manipulating doubly-linked lists and sets. (2000) 03B10 · 03B25 · 03B35 · 68T15 Mathematics Subject Classification
doi:10.1007/s10817-015-9352-2 fatcat:ghddutkfh5aopavvsevnjc7hr4

VerifyThis 2019: a program verification competition

Claire Dross, Carlo A Furia, Marieke Huisman, Rosemary Monahan, Peter Müller
2021 International Journal on Software Tools for Technology Transfer (STTT)  
Dross et al.  ...  Dross et al. The Cartesian tree of sequence s = 4 7 8 1 2 3 9 5 6 is given in Fig. 3 .  ... 
doi:10.1007/s10009-021-00619-x fatcat:vmrd4albxjalvcdvfxquywlphi

Specification and Proof of High-Level Functional Properties of Bit-Level Programs [chapter]

Clément Fumex, Claire Dross, Jens Gerlach, Claude Marché
2016 Lecture Notes in Computer Science  
In a computer program, basic functionalities may be implemented using bit-wise operations. To formally specify the expected behavior of such a lowlevel program, it is desirable that the specification should be at a more abstract level. Formally proving that low-level code conforms to a higher-level specification is challenging, because of the gap between the different levels of abstraction. We address this challenge by designing a rich formal theory of fixed-sized bit vectors, which on the one
more » ... and allows a user to write abstract specifications close to the human-or mathematical-level of thinking, while on the other hand permits a close connection to decision procedures and tools for bit vectors, as they exist in the context of the Satisfiability Modulo Theory framework. This approach is implemented in the Why3 environment for deductive program verification, and also in its front-end environment SPARK for the development of safety-critical Ada programs. We report on several case studies used to validate our approach. It is quite common in computer programs that some basic functionality is implemented, for efficiency reasons, using bit-wise operations. There is even a famous book, Hacker's delight [24] , which is dedicated only to this kind of smart and efficient code. An extreme example is the following 2-line C program (a so-called "signature program" designed by Marcel van Kervinc, t(a,b,c){int d=0,e=a&~b&~c,f=1;if(a)for(f=0;d=(e-=d)&-e;f+=t(a-d,(b+d) * 2,( c+d)/2));return f;}main(q){scanf("%d",&q);printf("%d\n",t(~(~0< Stream'First = 0 and then 8 (Pos / 8 ≤ Stream'Last), Ghost; 9
doi:10.1007/978-3-319-40648-0_22 fatcat:koyc45znwjdolf6flchiqlovba

VerifyThis 2019: A Program Verification Competition (Extended Report) [article]

Claire Dross, Carlo A. Furia, Marieke Huisman, Rosemary Monahan, Peter Müller
2021 arXiv   pre-print
VerifyThis is a series of program verification competitions that emphasize the human aspect: participants tackle the verification of detailed behavioral properties -- something that lies beyond the capabilities of fully automatic verification, and requires instead human expertise to suitably encode programs, specifications, and invariants. This paper describes the 8th edition of VerifyThis, which took place at ETAPS 2019 in Prague. Thirteen teams entered the competition, which consisted of
more » ... verification challenges and spanned two days of work. The report analyzes how the participating teams fared on these challenges, reflects on what makes a verification challenge more or less suitable for the typical VerifyThis participants, and outlines the difficulties of comparing the work of teams using wildly different verification approaches in a competition focused on the human aspect.
arXiv:2008.13610v3 fatcat:zf3hegfrq5hdfnt6xp4dkuphy4

Effects of therapeutic vaccination on the control of SIV in rhesus macaques with variable responsiveness to antiretroviral drugs

Hillary Claire Tunggal, Paul Veness Munson, Megan Ashley O'Connor, Nika Hajari, Sandra Elizabeth Dross, Debra Bratt, James Thomas Fuller, Kenneth Bagley, Deborah Heydenburg Fuller, Siddappa N. Byrareddy
2021 PLoS ONE  
A therapeutic vaccine that induces lasting control of HIV infection could eliminate the need for lifelong adherence to antiretroviral therapy. This study investigated a therapeutic DNA vaccine delivered with a single adjuvant or a novel combination of adjuvants to augment T cell immunity in the blood and gut-associated lymphoid tissue in SIV-infected rhesus macaques. Animals that received DNA vaccines expressing SIV proteins, combined with plasmids expressing adjuvants designed to increase
more » ... heral and mucosal T cell responses, including the catalytic subunit of the E. coli heat-labile enterotoxin, IL-12, IL-33, retinaldehyde dehydrogenase 2, soluble PD-1 and soluble CD80, were compared to mock-vaccinated controls. Following treatment interruption, macaques exhibited variable levels of viral rebound, with four animals from the vaccinated groups and one animal from the control group controlling virus at median levels of 103 RNA copies/ml or lower (controllers) and nine animals, among all groups, exhibiting immediate viral rebound and median viral loads greater than 103 RNA copies/ml (non-controllers). Although there was no significant difference between the vaccinated and control groups in protection from viral rebound, the variable virological outcomes during treatment interruption enabled an examination of immune correlates of viral replication in controllers versus non-controllers regardless of vaccination status. Lower viral burden in controllers correlated with increased polyfunctional SIV-specific CD8+ T cells in mesenteric lymph nodes and blood prior to and during treatment interruption. Notably, higher frequencies of colonic CD4+ T cells and lower Th17/Treg ratios prior to infection in controllers correlated with improved responses to ART and control of viral rebound. These results indicate that mucosal immune responses, present prior to infection, can influence efficacy of antiretroviral therapy and the outcome of immunotherapeutic vaccination, suggesting that therapies capable of modulating host mucosal responses may be needed to achieve HIV cure.
doi:10.1371/journal.pone.0253265 pmid:34138927 pmcid:PMC8211199 fatcat:cqnp23b7b5e67mrolckiicps4a

Reasoning with Triggers

Claire Dross, Sylvain Conchon, Johannes Kanig, Andrei Paskevich
SMT solvers can decide the satisfiability of ground formulas modulo a combination ofbuilt-in theories. Adding a built-in theory to a given SMT solver is a complex and time consuming task that requires internal knowledge of the solver. However, many theories can be easily expressed using first-order formulas. Unfortunately, since universal quantifiers are not handled in a complete way by SMT solvers, these axiomatics cannot be used as decision procedures.In this paper, we show how to extend a
more » ... eric SMT solver to accept a custom theory description and behave as a decision procedure for that theory, provided that the described theory is complete and terminating in a precise sense. The description language consists of first-order axioms with triggers, an instantiation mechanism that is found in many SMT solvers. This mechanism, which usually lacks a clear semantics in existing languages and tools, is rigorously defined here; this definition can be used to prove completeness and termination of the theory. We demonstrate using the theory of arrays, how such proofs can be achieved in our formalism.
doi:10.29007/3c1n fatcat:zfascxip7fgoln7jonnzt3rujm

Page 438 of Revue Des Deux Mondes Vol. 138, Issue [page]

1896 Revue Des Deux Mondes  
Depuis deux siècles, les Drosse ont amassé, épargné, et se sont battus avec la mort et le diable, pour toi seul! La maison Drosse, tu la portais sur tes deux épaules, mon fils.  ...  . — Il faisait encore. clair! LE Masor. — Ha! ha! Frirz. — Père, ne ris pas! Aie pitié de moi. LE MAJOR. — As-tu eu pitié de moi, toi ?.. Ou de ta mère?.., Ou de... de.  ... 

Page 339 of La Revue de Paris Vol. , Issue 22 [page]

1929 La Revue de Paris  
Il ne faudrait pas que quelque chose se démolisse dans la drosse. Nous avons assez de diffi- cultés sans cela.  ...  Il m'assura que sur le pont, — autant qu’on pouvait s’en rendre compte au toucher, — toutes les manœuvres étaient claires pour être filées. On n’y voyait pas à deux pas.  ... 

Page 75 of Metal Finishing Vol. 9, Issue 2 [page]

1911 Metal Finishing  
Claire Deville. On pre- senting this to the pawnbroker he asked if it was bar silver. Dr.  ...  The sand should be rammed lightly or the metal will not lie quietly and dross is formed.  ... 

Page 208 of The Hibbert Journal : A Quarterly Review of Religion, Theology and Philosophy Vol. 45, Issue 3 [page]

1946 The Hibbert Journal : A Quarterly Review of Religion, Theology and Philosophy  
A large proportion of these would be willing to go the whole way with him, chiefly 208 equa Fror clair all t Reli; prin direc have Chri been tion stro!  ...  He had a brilliant spark of that divine fire which appears in a multitude of other human martyrs, but was in no way unique, and there was dross in his gold. The Gospel accounts of him are unreliable.  ... 

Page 143 of Yale French Studies Vol. , Issue 32 [page]

1961 Yale French Studies  
Das Dichterische Werk, II, ed. by Friedrich Dross, Miinchen, 1958. Goll, Yvan. Dichtungen, ed. by Claire Goll, Darmstadt, 1960. Heym, Georg. Dichtungen und Schriften, II, ed. by K. L.  ... 
« Previous Showing results 1 — 15 out of 388 results