
Data groups

K. Rustan M. Leino
1998 SIGPLAN notices  
For example, if a Sprite subclass declares a variable int k /* member-of position, drawState */; then k can be modified by any of the methods update, updatePosition, and draw.  ...  An implementation of m in a subclass U of T is allowed to modify those variables listed in the modifies clause of m as given in class T, plus any variable declared in any also-modifies clause for m as  ... 
doi:10.1145/286942.286953 fatcat:6azju4z6xfhttbuv5rsiqahbde

Efficient weakest preconditions

K. Rustan M. Leino
2005 Information Processing Letters  
Desired computer-program properties can be described by logical formulas called verification conditions. Different mathematically-equivalent forms of these verification conditions can have a great impact on the performance of an automatic theorem prover that tries to discharge them. This paper presents a simple weakest-precondition understanding of the ESC/Java technique for generating verification conditions. The new understanding of this technique spotlights the program property that makes the technique work.
doi:10.1016/j.ipl.2004.10.015 fatcat:tmrdvcj33bb6tkq26xhsxjuqb4

Program extrapolation with jennisys

K. Rustan M. Leino, Aleksandar Milicevic
2012 SIGPLAN notices  
. , e k−1 ] + l, i) ≡ if i < k then e i else apply([], l, i − k) Simplifications of the sequence length and sequence select expressions performed by the apply function.  ... 
doi:10.1145/2398857.2384646 fatcat:3kbn3e6ed5gnfnzp7eyket6yvu

Computing Permutation Encodings

K. Rustan M. Leino
1999 Formal Aspects of Computing  
doi:10.1007/s001650050036 fatcat:eqy2ohl74rgntcsbyrurwcnjje

Co-induction Simply [chapter]

K. Rustan M. Leino, Michał Moskal
2014 Lecture Notes in Computer Science  
args ) to a co-method by a call M # [_k − 1 ]( args ) to the corresponding prefix method, and then • making the body's execution conditional on _k = 0 .  ...  We first show Pos # [ k ](Up( n )), for any k and n > 0 , and then use the forall statement to show ∀ k • Pos # [k](Up( n )).  ... 
doi:10.1007/978-3-319-06410-9_27 fatcat:knloumszpbc7bb3scqs5acv46i

Developing Verified Programs with Dafny [chapter]

K. Rustan M. Leino
2012 Lecture Notes in Computer Science  
b := a; if m = 0 { b := new Data[2 * a.Length]; } forall (i | 0 ≤ i < n -m) { b[i] := a[m + i]; } a, m, n := b, 0, n -m; } a[n], n, Contents := d, n + 1, Contents + [d]; } }  ...  = old(Contents)[1..]; { assert a[m] = a[m..n][0]; d, m, Contents := a[m], m + 1, Contents[1..]; } } method Main() { var q := new SimpleQueue();q.Enqueue(5); q.Enqueue(12); var x := q.Dequeue(); assert  ... 
doi:10.1007/978-3-642-27705-4_7 fatcat:fymrexgexvcxzluw536xlwok24

Automating Theorem Proving with SMT [chapter]

K. Rustan M. Leino
2013 Lecture Notes in Computer Science  
A recursive call to M#[K] where K < _k corresponds to obtaining the co-induction hypothesis (for use after _k -K unwindings of the co-predicate in the proof goal), whereas a call to M#[_k] is just  ...  M(E); . . . } is turned into: ghost method M#[_k : nat](x : T) ensures Q#[_k](x); decreases _k, D(x); { if _k = 0 { . . . M#[_k-1](E); . . .  ... 
doi:10.1007/978-3-642-39634-2_2 fatcat:n56eavdz75f6ldiadspg5d36jy

Loop Invariants on Demand [chapter]

K. Rustan M. Leino, Francesco Logozzo
2005 Lecture Notes in Computer Science  
fresh variable tr(S0 S1, m) = let (C 0, n0) = tr(S0, m) in let (C1, n1) = tr(S1, n0) in (C0 ; C1, n1) tr(if (E) {S0} else {S1}, m) = let (C0, n0) = tr(S0, m) in let (C1, n1) = tr(S1, m) in let V = {x ∈  ...  Since loop 's pre-state inflections are (x 0 , m 0 , b, N ), the abstract element d 0 is computed as x 0 = 0 ∧ m 0 = 0 ∧ 0 < N and d thus becomes x 0 = 0 ∧ m 0 = 0 ∧ 0 < N ∧ x 0 = x ∧ m 0 = m ∧ b = b ∧  ... 
doi:10.1007/11575467_9 fatcat:vjwk2f4devasdd55klgcgpkife

Weakest-precondition of unstructured programs

Mike Barnett, K. Rustan M. Leino
2006 Software engineering notes  
Program verification systems typically transform a program into a logical expression which is then fed to a theorem prover. The logical expression represents the weakest precondition of the program relative to its specification; when (and if!) the theorem prover is able to prove the expression, then the program is considered correct. Computing such a logical expression for an imperative, structured program is straightforward, although there are issues having to do with loops and the efficiency both of the computation and of the complexity of the formula with respect to the theorem prover. This paper presents a novel approach for computing the weakest precondition of an unstructured program that is sound even in the presence of loops. The computation is efficient and the resulting logical expression provides more leeway for the theorem prover efficiently to attack the proof.
doi:10.1145/1108768.1108813 fatcat:44kkykclgfgybhz5fckbi2qxle

Automating Induction with an SMT Solver [chapter]

K. Rustan M. Leino
2012 Lecture Notes in Computer Science  
Applying the Induction Translation, Dafny thus produces: ∀x , y, z • (∀k , m • (k , m) ≺ (x , z ) =⇒ Q(k , y, m)) =⇒ Q(x , y, z ) where the definition of (k , m) ≺ (x , z ) is the ≺ ordering on lexicographic  ...  pairs: k ≺ x ∨ (k = x ∧ m ≺ z ) Dafny only applies the Induction Translation to quantifiers that appear as positive top-level conjuncts of proof obligations.  ... 
doi:10.1007/978-3-642-27940-9_21 fatcat:jghhbkqa7reknhxopc37vr5a7i

Object Invariants in Dynamic Contexts [chapter]

K. Rustan M. Leino, Peter Müller
2004 Lecture Notes in Computer Science  
The fact that the invariant may not hold at the time m calls procedure P is a central problem in reasoning: if P calls back into m, then m may erroneously divide by 0.  ...  a program's object references.  ... 
doi:10.1007/978-3-540-24851-4_22 fatcat:lycgzv3ka5hmtpk4yvggh4rwde

A Logic of Object-Oriented Programs [chapter]

Martín Abadi, K. Rustan M. Leino
2003 Lecture Notes in Computer Science  
T ] :: Res(x) E x.m : B[x/y] :: T [x/y] Field update for A syn = [f i : A i i∈1..n , m j : ς(z j )B j :: T j j∈1..m ] E x : A :: Res(x) k ∈ 1..n E y : A k :: Res(y) E x.f k := y : A :: r = x ∧σ(x, f k  ...  update for A syn = [f i : A i i∈1..n , m j : B j j∈1..m ] E x : A k ∈ 1..n E y : A k E x.f k := y : A This type system is much like those of common programming languages in that it is independent of verification  ... 
doi:10.1007/978-3-540-39910-0_2 fatcat:gdbzi24b7fdflb72ofjys5wbjq

Dafny Meets the Verification Benchmarks Challenge [chapter]

K. Rustan M. Leino, Rosemary Monahan
2010 Lecture Notes in Computer Science  
A suite of verification benchmarks for software verification tools and techniques, presented at VSTTE 2008 [11], provides an initial catalogue of benchmark challenges for the Verified Software Initiative. This paper presents solutions to these eight benchmarks using the language and verifier Dafny. A Dafny program includes specifications, code, inductive invariants, and termination metrics. Each of the eight programs is fed to the Dafny verifier, which without further user interaction automatically performs the verification in a few seconds.
doi:10.1007/978-3-642-15057-9_8 fatcat:bbnuys42ava4jmmt5ru565zhua

A logic of object-oriented programs [chapter]

Martín Abadi, K. Rustan M. Leino
1997 Lecture Notes in Computer Science  
T ] :: Res(x) E x.m : B[x/y] :: T [x/y] Field update for A syn = [f i : A i i∈1..n , m j : ς(z j )B j :: T j j∈1..m ] E x : A :: Res(x) k ∈ 1..n E y : A k :: Res(y) E x.f k := y : A :: r = x ∧σ(x, f k  ...  update for A syn = [f i : A i i∈1..n , m j : B j j∈1..m ] E x : A k ∈ 1..n E y : A k E x.f k := y : A This type system is much like those of common programming languages in that it is independent of verification  ... 
doi:10.1007/bfb0030634 fatcat:wuhcs5cdi5bqxn2ssutwlzt3vm

Fine-Grained Caching of Verification Results [chapter]

K. Rustan M. Leino, Valentin Wüstholz
2015 Lecture Notes in Computer Science  
and M contains a conjunct ov == v for each global variable v in the set V .  ...  Note that M does not depend on global variables that were removed from the callee's modifies clause since the cached snapshot; the statements after the call have already been verified for all possible  ... 
doi:10.1007/978-3-319-21690-4_22 fatcat:kppunm4xdbf3bmhpx2gdnbrye4