Viktor Kuncak

Doubly-linked list invariants: x.next.prev == x for every node x; the root has no prev; the next graph is acyclic.
Tree invariants: class Node { Node f1, f2; } the graph of f1/f2 pointers is a tree; elements are sorted.

Hash table invariants:
1. a node is stored in the bucket given by the hash of the node's key
2. instances do not share the bucket array
3. the value of the size field is the number of stored objects
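The two slides above state the representation invariants of a doubly-linked list and a hash table. As an added example (not code from the slides, which verify Java statically against Isabelle/HOL properties), here are the same invariants written as executable Python checks, so that each one can be seen to reject a concrete bad state. All class, method and function names are my own; grow_without_rehash is a deliberately wrong operation included only to trigger the bucket-placement check.

```python
"""Added example, not from the original slides: the slides describe static
verification of Java data structures against Isabelle/HOL properties. Here
the same representation invariants are restated as executable Python checks
so you can see which states each one rules out. All names are mine."""


class Node:
    def __init__(self, key, value=None):
        self.key, self.value = key, value
        self.next = None  # successor in the list / bucket chain
        self.prev = None  # predecessor (doubly-linked list only)


class DoublyLinkedList:
    """Invariants: x.next.prev == x for every node x; the root has no prev;
    the next-graph is acyclic; size equals the number of reachable nodes."""

    def __init__(self):
        self.root, self.size = None, 0

    def push_front(self, key):
        n = Node(key)
        n.next = self.root
        if self.root is not None:
            self.root.prev = n
        self.root = n
        self.size += 1
        return n

    def check_invariants(self):
        """None if every invariant holds, else a message naming the first broken one."""
        if self.root is not None and self.root.prev is not None:
            return "root has a prev pointer"
        seen, count, x = set(), 0, self.root
        while x is not None:
            if id(x) in seen:
                return "next graph is cyclic"
            seen.add(id(x))
            count += 1
            if x.next is not None and x.next.prev is not x:
                return f"x.next.prev != x at key {x.key!r}"
            x = x.next
        if count != self.size:
            return f"size field is {self.size} but {count} nodes are reachable"
        return None


class HashTable:
    """Invariants: each node sits in the bucket selected by the hash of its
    key; size equals the number of stored nodes. Array sharing between
    instances is checked by no_shared_arrays() below."""

    def __init__(self, nbuckets=4):
        self.buckets, self.size = [None] * nbuckets, 0

    def _index(self, key):
        return hash(key) % len(self.buckets)

    def put(self, key, value):
        i = self._index(key)
        x = self.buckets[i]
        while x is not None:  # update in place if the key is already present
            if x.key == key:
                x.value = value
                return
            x = x.next
        n = Node(key, value)
        n.next, self.buckets[i] = self.buckets[i], n
        self.size += 1

    def grow_without_rehash(self, nbuckets):
        """Deliberately wrong resize: enlarges the array but leaves every node
        where it was, so nodes end up in buckets their hash no longer selects."""
        self.buckets = self.buckets + [None] * (nbuckets - len(self.buckets))

    def check_invariants(self):
        """None if every invariant holds, else a message naming the first broken one."""
        count = 0
        for i, x in enumerate(self.buckets):
            while x is not None:
                if self._index(x.key) != i:
                    return f"key {x.key!r} in bucket {i}, expected {self._index(x.key)}"
                count += 1
                x = x.next
        if count != self.size:
            return f"size field is {self.size} but {count} nodes are stored"
        return None


def no_shared_arrays(tables):
    """True iff no two tables alias the same bucket array (identity check)."""
    ids = [id(t.buckets) for t in tables]
    return len(ids) == len(set(ids))
```

The checks are written so that each violation names the invariant it breaks; the resize-without-rehash bug is the kind of error that leaves the size field and the chains intact while the bucket-placement invariant silently fails, which is why a lookup of an existing key then misses.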

Library example. If a book is loaned to a person, then
A book can be loaned to at most one person at a time.
A person can loan at most 4 books at a time.
Stating such properties relies on the internal consistency of the data structures to be even meaningful.

Verification flow: Java source code of a program + data structure properties (Isabelle/HOL) → verifier → either "program satisfies the properties" or "error in program (or property)".

Challenges: precision, scalability, communication with developers. No single approach will work.

Modular verification methodology: a method to deploy multiple reasoning techniques; three complementary reasoning techniques.

If a person has borrowed a book, then
Isolate data structure complexity into separate Java classes. Then verify:
1. the properties hold for the simplified system with sets and relations
2. the classes correctly implement the sets and relations
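The two verification steps above, as an added example that is not the slides' own code (the slides target Java and Isabelle/HOL; this is Python so the checks run as written). Library states the book-loan properties over a plain relation, which is the "simplified system with sets and relations" of step 1; ConcreteLibrary is an implementation carrying real data-structure detail, and refinement_holds checks the step 2 obligation that its abstraction agrees with the relation after every operation. The names Library, ConcreteLibrary, rejects and refinement_holds, and the limit of 4 books taken from the slide, are mine.

```python
"""Added example, not from the original slides: the library property from the
slides stated over a plain relation (step 1 of the methodology), next to a
concrete implementation whose abstraction must agree with it (step 2).
Library, ConcreteLibrary, rejects and refinement_holds are my own names."""


class Library:
    """Abstract model: `loaned` is a set of (book, person) pairs.
    Invariants: a book is loaned to at most one person at a time, and a
    person holds at most MAX_LOANS books at a time."""

    MAX_LOANS = 4

    def __init__(self):
        self.loaned = set()

    def loans_of(self, person):
        return sum(1 for _, p in self.loaned if p == person)

    def holder_of(self, book):
        return next((p for b, p in self.loaned if b == book), None)

    def loan(self, book, person):
        """Precondition checks: refuse rather than silently break an invariant."""
        if self.holder_of(book) is not None:
            raise ValueError(f"{book!r} is already on loan")
        if self.loans_of(person) >= self.MAX_LOANS:
            raise ValueError(f"{person!r} already holds {self.MAX_LOANS} books")
        self.loaned.add((book, person))

    def return_book(self, book):
        self.loaned = {(b, p) for b, p in self.loaned if b != book}

    def check_invariants(self):
        """None if both properties hold on the relation, else a message."""
        books = [b for b, _ in self.loaned]
        if len(books) != len(set(books)):
            return "a book is loaned to more than one person"
        for _, p in self.loaned:
            if self.loans_of(p) > self.MAX_LOANS:
                return f"{p!r} holds more than {self.MAX_LOANS} books"
        return None


class ConcreteLibrary:
    """Implementation carrying the data-structure detail the methodology
    isolates: a dict book -> holder plus a per-person counter. abstraction()
    is the relation this state represents."""

    def __init__(self):
        self.holder, self.count = {}, {}

    def loan(self, book, person):
        if book in self.holder:
            raise ValueError(f"{book!r} is already on loan")
        if self.count.get(person, 0) >= Library.MAX_LOANS:
            raise ValueError(f"{person!r} already holds {Library.MAX_LOANS} books")
        self.holder[book] = person
        self.count[person] = self.count.get(person, 0) + 1

    def return_book(self, book):
        person = self.holder.pop(book, None)
        if person is not None:
            self.count[person] -= 1

    def abstraction(self):
        return set(self.holder.items())


def rejects(model, op, *args):
    """True iff the model refuses the operation (raises ValueError)."""
    try:
        getattr(model, op)(*args)
        return False
    except ValueError:
        return True


def refinement_holds(ops):
    """Run one operation script on both models. True iff after every step the
    concrete abstraction equals the abstract relation and both models accepted
    or rejected the step alike."""
    abstract, concrete = Library(), ConcreteLibrary()
    for op, *args in ops:
        if rejects(abstract, op, *args) != rejects(concrete, op, *args):
            return False
        if abstract.loaned != concrete.abstraction():
            return False
    return True
```

The point of the split is that check_invariants only has to reason about pairs in a set, while the dict-and-counter bookkeeping in ConcreteLibrary is verified separately through its abstraction function; a bug such as forgetting to decrement the counter in return_book would show up as the two models disagreeing on whether a later loan is accepted.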

Key benefits of modular verification


Formula validity checker: if the formula is valid, the program satisfies the properties; otherwise there is an error in the program or in the property.


Isabelle checks a manually supplied proof; automation is limited for larger formulas.

(Figure: multiple reasoning techniques, labelled S1, S2, S4.)

How can a specialized technique accept Isabelle formulas?



Using the simple MONA approximation: can analyze list and tree implementations, but not doubly-linked lists or trees with parent pointers.

(Figure: valid / invalid answers of the checker.) Soundness: when the checker answers "valid", the formula is valid. Completeness: when the formula is valid, the checker answers "valid".


3. the size field is consistent with the number of stored objects


