HOL-Boogie — An Interactive Prover for the Boogie Program-Verifier

  • Sascha Böhme
  • K. Rustan M. Leino
  • Burkhart Wolff
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5170)


Boogie is a program verification condition generator for an imperative core language. It has front-ends for the programming languages C# and C enriched by annotations in first-order logic.

Its verification conditions — constructed via a wp calculus from these annotations — are usually transferred to automated theorem provers such as Simplify or Z3. In this paper, however, we present a proof-environment, HOL-BoogieP, that combines Boogie with the interactive theorem prover Isabelle/HOL. In particular, we present specific techniques combining automated and interactive proof methods for code-verification.

We will exploit our proof-environment in two ways: First, we present scenarios to ”debug” annotations (in particular: invariants) by interactive proofs. Second, we use our environment also to verify ”background theories”, i.e. theories for data-types used in annotations as well as memory and machine models underlying the verification method for C.


Basic Block Background Theory Execution Trace Automate Theorem Prover Interactive Proof 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., Leino, K.R.M.: Boogie: A modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. In: PASTE 2005, pp. 82–87. ACM Press, New York (2005)Google Scholar
  3. 3.
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# Programming System: An Overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Basin, D., Kuruma, H., Miyazaki, K., Takaragi, K., Wolff, B.: Verifying a signature architecture: A comparative case study. Formal Aspects of Computing 19(1), 63–91 (2007)CrossRefzbMATHGoogle Scholar
  5. 5.
    Cohen, E., Hillebrand, M., Leinenbach, D., der Rieden, T.I., Moskal, M., Paul, W., Santen, T., Schirmer, N., Schulte, W., Tobies, S., Wolff, B.: The Microsoft Hypervisor Verification Project (manuscript in preparation) (2008)Google Scholar
  6. 6.
    de Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)Google Scholar
  7. 7.
    DeLine, R., Leino, K.R.M.: BoogiePL: A typed procedural language for checking object-oriented programs. Tech. Rep. 2005-70, Microsoft Research (2005)Google Scholar
  8. 8.
    Filliâtre, J.-C.: Why: A multi-language multi-prover verification condition generator. Tech. Rep. 1366, LRI, Université Paris Sud (2003)Google Scholar
  9. 9.
    Filliâtre, J.-C., Marché, C.: Multi-prover verification of C programs. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 15–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Filliâtre, J.-C., Marché, C.: The Why/Krakatoa/Caduceus platform for deductive program verification. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 173–177. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: PLDI 2002, pp. 234–245. ACM Press, New York (2002)Google Scholar
  12. 12.
    Leinenbach, D., Paul, W., Petrova, E.: Towards the formal verification of a C0 compiler: Code generation and implementation correctness. In: SEFM 2005, pp. 2–12. IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  13. 13.
    Leino, K.R.M., Millstein, T., Saxe, J.B.: Generating error traces from verification-condition counterexamples. Science of Computer Programming 55(1-3), 209–226 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Leino, K.R.M., Saxe, J.B., Stata, R.: Checking Java programs via guarded commands. In: FTfJP 1999, Tech. Rep. 251. Fernuniversität Hagen (1999)Google Scholar
  15. 15.
    Morgan, C.: The specification statement. ACM toplas 10(3), 403–419 (1988)CrossRefzbMATHGoogle Scholar
  16. 16.
    Nelson, G.: A generalization of Dijkstra’s calculus. ACM toplas 11(4), 517–561 (1989)CrossRefGoogle Scholar
  17. 17.
    Nipkow, T., Paulson, L.C., Wenzel, M.T.: Isabelle/HOL. LNCS, vol. 2283. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  18. 18.
    Norrish, M.: C formalised in HOL. Ph.D. thesis, Computer Laboratory, University of Cambridge (1998)Google Scholar
  19. 19.
    Ranise, S., Tinelli, C.: The smt-lib standard: Version 1.2. Tech. rep., Dept. of Comp. Sci., The University of Iowa (2006),
  20. 20.
    Schirmer, N.: Verification of Sequential Imperative Programs in Isabelle/HOL. Ph.D. thesis, Technische Universität München (2006)Google Scholar
  21. 21.
    Schulte, W., Xia, S., Smans, J., Piessens, F.: A glimpse of a verifying C compiler (extended abstract). In: C/C++ Verification Workshop (2007)Google Scholar
  22. 22.
    Wenzel, M., Wolff, B.: Building Formal Method Tools in the Isabelle/Isar Framework. In: Schneider, K., Brandt, J. (eds.) TPHOLs 2007. LNCS, vol. 4732, pp. 351–366. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sascha Böhme
    • 1
  • K. Rustan M. Leino
    • 2
  • Burkhart Wolff
    • 3
  1. 1.Technische Universität MünchenGermany
  2. 2.Microsoft Research, RedmondUSA
  3. 3.Universität SaarbrückenGermany

Personalised recommendations