Certifying Safety and Termination Proofs for Integer Transition Systems

  • Marc Brockschmidt
  • Sebastiaan J. C. Joosten
  • René Thiemann
  • Akihisa Yamada
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10395)


Modern program analyzers translate imperative programs to an intermediate formal language like integer transition systems (ITSs), and then analyze properties of ITSs. Because of the high complexity of the task, a number of incorrect proofs are revealed annually in the Software Verification Competitions.

In this paper, we establish the trustworthiness of termination and safety proofs for ITSs. To this end we extend our Isabelle/HOL formalization IsaFoR by formalizing several verification techniques for ITSs, such as invariant checking, ranking functions, etc. Consequently the extracted certifier CeTA can now (in)validate safety and termination proofs for ITSs. We also adapted the program analyzers T2 and AProVE to produce machine-readable proof certificates, and as a result, most termination proofs generated by these tools on a standard benchmark set are now certified.


  1. 1.
    Albert, E., Arenas, P., Codish, M., Genaim, S., Puebla, G., Zanardini, D.: Termination analysis of Java Bytecode. In: FMOODS 2008, pp. 2–18Google Scholar
  2. 2.
    Albert, E., Bubel, R., Genaim, S., Hähnle, R., Puebla, G., Román-Díez, G.: A formal verification framework for static analysis. Softw. Syst. Model. 15(4), 987–1012 (2016)CrossRefGoogle Scholar
  3. 3.
    Beyer, D., Dangl, M., Dietsch, D., Heizmann, M.: Correctness witnesses: exchanging verification results between verifiers. In: FSE 2016, pp. 326–337. ACM (2016)Google Scholar
  4. 4.
    Blanchette, J.C., Fleury, M., Weidenbach, C.: A verified SAT solver framework with learn, forget, restart, and incrementality. In: Olivetti, N., Tiwari, A. (eds.) IJCAR 2016. LNCS (LNAI), vol. 9706, pp. 25–44. Springer, Cham (2016). doi: 10.1007/978-3-319-40229-1_4 Google Scholar
  5. 5.
    Blanqui, F., Koprowski, A.: CoLoR: a Coq library on well-founded rewrite relations and its application to the automated verification of termination certificates. Math. Struct. Comput. Sci. 21(4), 827–859 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Borralleras, C., Brockschmidt, M., Larraz, D., Oliveras, A., Rodríguez-Carbonell, E., Rubio, A.: Proving termination through conditional termination. In: TACAS 2017 (to appear)Google Scholar
  7. 7.
    Bradley, A.R., Manna, Z., Sipma, H.B.: The polyranking principle. In: ICALP 2005, pp. 1349–1361Google Scholar
  8. 8.
    Brockschmidt, M., Cook, B., Fuhs, C.: Better termination proving through cooperation. In: CAV 2013, pp. 413–429Google Scholar
  9. 9.
    Brockschmidt, M., Cook, B., Ishtiaq, S., Khlaaf, H., Piterman, N.: T2: temporal property verification. In: TACAS 2016, pp. 387–393Google Scholar
  10. 10.
    Caleiro, C., Gonçalves, R.: On the algebraization of many-sorted logics. In: WADT 2006, pp. 21–36Google Scholar
  11. 11.
    Cho, S., Kang, J., Choi, J., Yi, K.: SparrowBerry: a verified validator for an industrial-strength static analyzer.
  12. 12.
    Contejean, E., Paskevich, A., Urbain, X., Courtieu, P., Pons, O., Forest, J.: A3PAT, an approach for certified automated termination proofs. In: PEPM 2010, pp. 63–72Google Scholar
  13. 13.
    Cook, B., See, A., Zuleger, F.: Ramsey vs. lexicographic termination proving. In: TACAS 2013, pp. 47–61Google Scholar
  14. 14.
    Cook, B., Podelski, A., Rybalchenko, A.: Termination proofs for systems code. In: PLDI 2006, pp. 415–426Google Scholar
  15. 15.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL 1977, pp. 238–252 (1977)Google Scholar
  16. 16.
    Falke, S., Kapur, D., Sinz, C.: Termination analysis of C programs using compiler intermediate languages. In: RTA 2011, pp. 41–50Google Scholar
  17. 17.
    Farkas, J.: Theorie der einfachen Ungleichungen. J. für die reine Angew. Math. 124, 1–27 (1902)MathSciNetzbMATHGoogle Scholar
  18. 18.
    Giesl, J., Aschermann, C., Brockschmidt, M., Emmes, F., Frohn, F., Fuhs, C., Hensel, J., Otto, C., Plücker, M., Schneider-Kamp, P., Ströder, T., Swiderski, S., Thiemann, R.: Analyzing program termination and complexity automatically with AProVE. J. Autom. Reason. 58, 3–31 (2017)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Heule, M.J., Hunt, W.A., Wetzler, N.: Trimming while checking clausal proofs. In: FMCAD 2013, pp. 181–188. IEEEGoogle Scholar
  20. 20.
    Jourdan, J., Laporte, V., Blazy, S., Leroy, X., Pichardie, D.: A formally-verified C static analyzer. In: POPL 2015, pp. 247–259Google Scholar
  21. 21.
    Klein, G., Nipkow, T.: A machine-checked model for a java-like language, virtual machine and compiler. ACM Trans. Progr. Lang. Syst. 28(4), 619–695 (2006)CrossRefGoogle Scholar
  22. 22.
    Komuravelli, A., Gurfinkel, A., Chaki, S.: SMT-based model checking for recursive programs. In: CAV 2014, pp. 17–34Google Scholar
  23. 23.
    Lammich, P.: Verified efficient implementation of Gabow’s strongly connected component algorithm. In: Klein, G., Gamboa, R. (eds.) ITP 2014, pp. 325–340Google Scholar
  24. 24.
    Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009)CrossRefGoogle Scholar
  25. 25.
    Marić, F., Janičić, P.: Formal correctness proof for DPLL procedure. Informatica 21(1), 57–78 (2010)MathSciNetzbMATHGoogle Scholar
  26. 26.
    McMillan, K.: Lazy abstraction with interpolants. In: CAV 2006, pp. 123–136Google Scholar
  27. 27.
    Nipkow, T., Wenzel, M., Paulson, L.C. (eds.): Isabelle/HOL - A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  28. 28.
    Nipkow, T.: Linear quantifier elimination. J. Autom. Reason. 45(2), 189–212 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    Otto, C., Brockschmidt, M., von Essen, C., Giesl, J.: Automated termination analysis of Java Bytecode by term rewriting. In: RTA 2010, pp. 259–276Google Scholar
  30. 30.
    Schrijver, A.: Theory of Linear and Integer Programming. Wiley, Hoboken (1999)zbMATHGoogle Scholar
  31. 31.
    Spasić, M., Marić, F.: Formalization of incremental simplex algorithm by stepwise refinement. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012, pp. 434–449Google Scholar
  32. 32.
    Spoto, F., Mesnard, F., Payet, É.: A termination analyser for Java Bytecode based on path-length. ACM Trans. Progr. Lang. Syst. 32(3), 8: 1–8: 70 (2010)CrossRefGoogle Scholar
  33. 33.
    Sternagel, C., Thiemann, R.: The certification problem format. In: UITP 2014, EPTCS, vol. 167, pp. 61–72 (2014)Google Scholar
  34. 34.
    Ströder, T., Giesl, J., Brockschmidt, M., Frohn, F., Fuhs, C., Hensel, J., Schneider-Kamp, P., Aschermann, C.: Automatically proving termination and memory safety for programs with pointer arithmetic. J. Autom. Reason. 58, 33–65 (2017)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    Thiemann, R., Sternagel, C.: Certification of termination proofs using CeTA. In: TPHOLs 2009, pp. 452–468Google Scholar
  36. 36.
    Tseitin, G.S.: On the complexity of proof in prepositional calculus. Stud. Constr. Math. Math. Logic Part II 8, 234–259 (1968)MathSciNetGoogle Scholar
  37. 37.
    Urban, C., Gurfinkel, A., Kahsai, T.: Synthesizing ranking functions from bits and pieces. In: TACAS 2016, pp. 54–70Google Scholar
  38. 38.
    Wang, H.: Logic of many-sorted theories. J. Symb. Logic 17(2), 105–116 (1952)MathSciNetCrossRefzbMATHGoogle Scholar
  39. 39.
    Zhao, J., Nagarakatte, S., Martin, M.M., Zdancewic, S.: Formalizing the LLVM intermediate representation for verified program transformations. In: POPL 2012, pp. 427–440Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Marc Brockschmidt
    • 1
  • Sebastiaan J. C. Joosten
    • 2
  • René Thiemann
    • 2
  • Akihisa Yamada
    • 2
  1. 1.Microsoft Research CambridgeCambridgeUK
  2. 2.University of InnsbruckInnsbruckAustria

Personalised recommendations