HOL-Boogie—An Interactive Prover-Backend for the Verifying C Compiler

  • Sascha BöhmeEmail author
  • Michał Moskal
  • Wolfram Schulte
  • Burkhart Wolff


Boogie is a verification condition generator for an imperative core language. It has front-ends for the programming languages C# and C enriched by annotations in first-order logic, i.e. pre- and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ghost code and specification functions have been introduced to support a specific modeling methodology. Boogie’s verification conditions—constructed via a wp calculus from annotated programs—are usually transferred to automated theorem provers such as Simplify or Z3. This also comprises the expansion of language-specific modeling constructs in terms of a theory describing memory and elementary operations on it; this theory is called a machine/memory model. In this paper, we present a proof environment, HOL-Boogie, that combines Boogie with the interactive theorem prover Isabelle/HOL, for a specific C front-end and a machine/memory model. In particular, we present specific techniques combining automated and interactive proof methods for code verification. The main goal of our environment is to help program verification engineers in their task to “debug” annotations and to find combined proofs where purely automatic proof attempts fail.


Isabelle/HOL Theorem proving Program verification Memory models Annotation languages 


  1. 1.
    Alkassar, E., Hillebrand, M.A., Leinenbach, D.C., Schirmer, N.W., Starostin, A., Tsyban, A.: Balancing the load: leveraging semantics stack for systems verification. J. Autom. Reason. 42(2–4), 389–454 (2009)zbMATHCrossRefGoogle Scholar
  2. 2.
    Barnes, J., Barnes, J.G.: High Integrity Software: The SPARK Approach to Safety and Security. Addison-Wesley Longman, Boston (2003)Google Scholar
  3. 3.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: a modular reusable verifier for object-oriented programs. In: FMCO 2005. LNCS, vol. 4111, pp. 364–387, Springer (2006)Google Scholar
  4. 4.
    Barnett, M., Fähndrich, M., Leino, K.R.M., Logozzo, F., Müller, P., Schulte, W., Venter, H., Xia, S.: Spec#. Microsoft Research, Redmond. (2008)
  5. 5.
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. In: PASTE ’05, pp. 82–87, ACM, New York (2005)CrossRefGoogle Scholar
  6. 6.
    Barnett, M., Leino, K.R.M., Moskal, M., Rümmer, P.: Boogie program verification. Microsoft Research, Redmond. (2008)
  7. 7.
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: an overview. In: CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, New York (2005)Google Scholar
  8. 8.
    Basin, D., Kuruma, H., Miyazaki, K., Takaragi, K., Wolff, B.: Verifying a signature architecture: a comparative case study. Form. Asp. Comput. 19(1), 63–91 (2007)zbMATHCrossRefGoogle Scholar
  9. 9.
    Beyer, S., Jacobi, C., Kröning, D., Leinenbach, D., Paul, W.J.: Putting it all together: formal verification of the VAMP. Int. J. Softw. Tools Technol. 8(4–5), 411–430 (2006)CrossRefGoogle Scholar
  10. 10.
    Blazy, S., Leroy, X.: Formal verification of a memory model for C-like imperative languages. In: Lau, K.-K., Banach, R. (eds.) ICFEM. Lecture Notes in Computer Science, vol. 3785, pp. 280–299, Springer, New York (2005)Google Scholar
  11. 11.
    Bobot, F., Conchon, S., Contejean, E., Lescuyer, S.: Implementing polymorphism in SMT solvers. In: Barrett, C., de Moura, L. (eds.) SMT 2008: 6th International Workshop on Satisfiability Modulo (2008)Google Scholar
  12. 12.
  13. 13.
    Böhme, S., Leino, K.R.M., Wolff, B.: HOL-Boogie—an interactive prover for the Boogie program-verifier. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs. Lecture Notes in Computer Science, vol. 5170, pp. 150–166. Springer, New York (2008)Google Scholar
  14. 14.
    Brucker, A.D., Wolff, B.: An extensible encoding of object-oriented data models in HOL with an application to IMP+ +. J. Autom. Reason. 41(3–4), 219–249 (2008)zbMATHCrossRefGoogle Scholar
  15. 15.
    Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: a practical system for verifying concurrent C. In: Theorem Proving in Higher Order Logics (TPHOLs 2009). Lecture Notes in Computer Science, vol. 5674. Springer, Munich Germany (2009, to appear)Google Scholar
  16. 16.
    Cohen, E., Moskal, M., Schulte, W., Tobies, S.: A precise yet efficient memory model for C. In: 4th International Workshop on Systems Software Verification (SSV 2009). Electronic Notes in Theoretical Computer Science. Elsevier Science B.V. (2009, to appear)Google Scholar
  17. 17.
    Corp., M.: Visual studio 2005 developer library. Online documentation. (2005)
  18. 18.
    Crocker, D., Carlton, J.: Verification of C programs using automated reasoning. In: SEFM ’07: Proceedings of the Fifth IEEE International Conference on Software Engineering and Formal Methods, pp. 7–14. IEEE Computer Society, Los Alamitos (2007)CrossRefGoogle Scholar
  19. 19.
    Das, M.: Formal specifications on industrial-strength code—from myth to reality. In: Ball, T., Jones, R.B. (eds.) CAV. Lecture Notes in Computer Science, vol. 4144, p. 1. Springer, New York (2006)Google Scholar
  20. 20.
    Daum, M., Dörrenbächer, J., Wolff, B.: Proving fairness and implementation correctness of a microkernel scheduler. J. Autom. Reason. 42(2–4), 349–388 (2009)zbMATHCrossRefGoogle Scholar
  21. 21.
    Dawson, J.E.: Isabelle theories for machine words. In: Seventh International Workshop on Automated Verification of Critical Systems (AVOCS’07). Elsevier, Amsterdam (2007)Google Scholar
  22. 22.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, New York (2008)Google Scholar
  23. 23.
    DeLine, R., Leino, K.R.M.: BoogiePL: a typed procedural language for checking object-oriented programs. Tech. Rep. 2005-70, Microsoft Research (2005)Google Scholar
  24. 24.
    Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: A theorem prover for program checking. J. ACM 52(3), 365–473 (2005)CrossRefMathSciNetGoogle Scholar
  25. 25.
    Erkök, L., Matthews, J.: Using Yices as an automated solver in Isabelle/HOL. In: Automated Formal Methods’08, Princeton, New Jersey, USA, pp. 3–13. ACM, New York (2008)Google Scholar
  26. 26.
    Filliâtre, J.-C.: Why: a multi-language multi-prover verification condition generator. Tech. Rep. 1366, LRI, Université Paris Sud (2003)Google Scholar
  27. 27.
    Filliâtre, J.-C., Marché, C.: Multi-prover verification of C programs. In: ICFEM 2004. LNCS, vol. 3308, pp. 15–29. Springer, New York (2004)Google Scholar
  28. 28.
    Filliâtre, J.-C., Marché, C.: The Why/Krakatoa/Caduceus platform for deductive program verification. In: CAV 2007. LNCS, vol. 4590, pp. 173–177. Springer, New York (2007)Google Scholar
  29. 29.
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: PLDI 2002, pp. 234–245. ACM, New York (2002)CrossRefGoogle Scholar
  30. 30.
    Fontaine, P., Marion, J.-Y., Merz, S., Prensa Nieto, L., Tiu, A.: Expressiveness + automation + soundness: towards combining SMT solvers and interactive proof assistants. In: Hermanns, H., Palsberg, J. (eds.) 12th International Conference on Tools and Algorithms for the Construction and Analysis of Systems—TACAS’06, 03/2006. Lecture Notes in Computer Science, vol. 3920, pp. 167–181. Springer, New York (2006)CrossRefGoogle Scholar
  31. 31.
    Ganzinger, H., Hagen, G., Nieuwenhuis, R., Tinelli, C.: DPLL(T): fast decision procedures. In: Proceedings of the 16th International Conference on Computer Aided Verification, CAV’04, pp. 175–188. Springer, New York (2004)Google Scholar
  32. 32.
    Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards trustworthy computing systems: taking microkernels to the next level. SIGOPS 41(4), 3–11 (2007)CrossRefGoogle Scholar
  33. 33.
    Hurd, J.: First-order proof tactics in higher-order logic theorem provers. In: Archer, M., Vito, B.D., Muñoz, C. (eds.) Design and Application of Strategies/Tactics in Higher Order Logics (STRATA 2003), no. NASA/CP-2003-212448 in NASA Technical Reports, pp. 56–68 (2003)Google Scholar
  34. 34.
    Jacobs, B., Smans, J., Piessens, F., Schulte, W.: A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs. Electr. Notes Theor. Comput. Sci. 174(9), 23–47 (2007)CrossRefGoogle Scholar
  35. 35.
    Leinenbach, D., Paul, W., Petrova, E.: Towards the formal verification of a C0 compiler: code generation and implementation correctness. In: SEFM 2005, pp. 2–12. IEEE, Piscataway (2005)Google Scholar
  36. 36.
    Leino, K.R.M., Millstein, T., Saxe, J.B.: Generating error traces from verification-condition counterexamples. Sci. Comput. Program. 55(1–3), 209–226 (2005)zbMATHCrossRefMathSciNetGoogle Scholar
  37. 37.
    Leino, K.R.M., Saxe, J.B., Stata, R.: Checking Java programs via guarded commands. In: FTfJP 1999, Tech. Rep. 251, Fernuniversität Hagen (1999)Google Scholar
  38. 38.
    McLaughlin, S., Barrett, C., Ge, Y.: Cooperating theorem provers: a case study combining HOL-light and CVC lite. Electr. Notes Theor. Comput. Sci. 144(2), 43–51 (2006)CrossRefGoogle Scholar
  39. 39.
    Meng, J., Paulson, L.C.: Lightweight relevance filtering for machine-generated resolution problems. In: ESCoR: Empirically Successful Computerized Reasoning, pp. 53–69 (2006)Google Scholar
  40. 40.
    Morgan, C.: The specification statement. ACM TOPLAS 10(3), 403–419 (1988)zbMATHCrossRefGoogle Scholar
  41. 41.
    Mürk, O., Larsson, D., Hähnle, R.: KeY-C: A Tool for Verification of C Programs. In: Pfenning, F. (ed.) CADE. Lecture Notes in Computer Science, vol. 4603, pp. 385–390. Springer, New York (2007)Google Scholar
  42. 42.
    Nelson, G.: A generalization of Dijkstra’s calculus. ACM TOPLAS 11(4), 517–561 (1989)CrossRefGoogle Scholar
  43. 43.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL—A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, New York (2002)zbMATHGoogle Scholar
  44. 44.
    Norrish, M.: C formalised in HOL. Ph.D. thesis, Computer Laboratory, University of Cambridge (1998)Google Scholar
  45. 45.
    Paul, W., Santen, T., Tobies, S.: Verifying 50000 Lines of Code. Futures—Microsoft’s European Innovation Magazine, pp. 42–43 (2008)Google Scholar
  46. 46.
    Paul, W., von der Rhieden, T., Santen, T., Schulte, W.: The Verisoft XT Project. Universität des Saarlandes (2007)Google Scholar
  47. 47.
    Ranise, S., Tinelli, C.: The SMT-LIB standard: version 1.2. Tech. rep., Dept. of Comp. Sci., The University of Iowa (2006)Google Scholar
  48. 48.
    Schirmer, N.: Verification of sequential imperative programs in Isabelle/HOL. Ph.D. thesis, Technische Universität München (2006)Google Scholar
  49. 49.
    Schulte, W., Xia, S., Smans, J., Piessens, F.: A glimpse of a verifying C compiler (extended abstract). In: C/C+ + Verification Workshop (2007)Google Scholar
  50. 50.
    Tuch, H., Klein, G., Norrish, M.: Types, bytes, and separation logic. In: Hofmann, M., Felleisen, M. (eds.) POPL, pp. 97–108. ACM, New York (2007)CrossRefGoogle Scholar
  51. 51.
    Wenzel, M., Wolff, B.: Building formal method tools in the Isabelle/Isar framework. In: TPHOLs 2007, LNCS, vol. 4732, pp. 351–366. Springer, New York (2007)Google Scholar

Copyright information

© Springer Science+Business Media B.V. 2009

Authors and Affiliations

  • Sascha Böhme
    • 1
    Email author
  • Michał Moskal
    • 2
  • Wolfram Schulte
    • 3
  • Burkhart Wolff
    • 4
  1. 1.Technische Universität MünchenMunichGermany
  2. 2.European Microsoft Innovation CenterAachenGermany
  3. 3.Microsoft ResearchRedmondUSA
  4. 4.Université Paris-Sud, LRI, CNRSOrsayFrance

Personalised recommendations