Claus Sengler’s research while affiliated with Deutsches Forschungszentrum für Künstliche Intelligenz and other places


Publications (15)


Deduction in the Verification Support Environment (VSE)
  • Chapter
  • Full-text available

January 2006 · 45 Reads · 25 Citations · Lecture Notes in Computer Science

Bruno Langenstein · Claus Sengler · [...] · Andreas Wolpers

The reliability of complex software systems is becoming increasingly important for the technical systems they are embedded in. In order to assure the highest levels of trustworthiness of software, formal methods for the development of software are required. The VSE tool was developed by a consortium of German universities and industry to make a tool available which supports this formal development process. VSE is based on a particular method for programming in the large. This method is embodied in an administration system to edit and maintain formal developments. A deduction component is integrated into this administration system in order to provide proof support for the formal concepts. In parallel to the development of the system itself, two large case studies were conducted in close collaboration with an industrial partner. In both cases components of systems previously developed by the industry were re-developed from scratch, starting with a formal specification derived from the original documents. This paper focuses on the deduction component and its integration. We use a part of one of the industrial case studies in order to illustrate the important aspects of the deduction component: We argue that a close integration which makes the structure of developments visible to the theorem prover is necessary for an efficient treatment of changes and for an indispensable structuring of the deduction process itself. We also commend an architecture for interactive strategic theorem proving which has turned out to be adequate for applications in the context of formal program development. The last of the three main sections addresses the important point of detecting bugs in implementations and specifications.


Verification Support Environment (VSE)

March 1998 · 9 Reads · 22 Citations

In order to assess the confidence in the correctness of an IT system (information technology system), the relevant security criteria [IT-SK, ITSEC] impose quality requirements on, among other things, the development process of the security functionality of IT systems. For the high quality levels [IT-SK] / evaluation levels [ITSEC], the use of formal methods for the development of the security-relevant system components is prescribed in particular. This contribution presents the development tool Verification Support Environment and its methodology for developing trustworthy software systems. The tool is conceptually aligned with the requirements of the higher quality levels / evaluation levels of the relevant security criteria catalogues. What is new and unusual about this tool compared with classical CASE tools is the possibility of formally proving, by means of formal specification and verification methodologies, the correctness of entire software systems or of parts of them.


Deduction in the Verification Support Environment (VSE)

April 1997 · 41 Reads · 15 Citations

The reliability of complex software systems is becoming increasingly important for the technical systems they are embedded in. In order to assure the highest levels of trustworthiness of software, formal methods for the development of software are required. The VSE tool was developed by a consortium of German universities and industry to make a tool available which supports this formal development process. VSE is based on a particular method for programming in the large. This method is embodied in an administration system to edit and maintain formal developments. A deduction component is integrated into this administration system in order to provide proof support for the formal concepts. In parallel to the development of the system itself, two large case studies were conducted in close collaboration with an industrial partner. In both cases components of systems previously developed by the industry were re-developed from scratch, starting with a formal specification derived from the o...


Analogical Transfer of Verification Proofs for State-Based Specifications

April 1997 · 17 Reads

The amount of user interaction is the prime cause of costs in interactive program verification. This paper describes an internal analogy technique that reuses subproofs in the verification of state-based specifications. It identifies common patterns of subproofs and their justifications in order to reuse these subproofs; thus significant savings in the number of user interactions in a verification proof are achievable. 1 Introduction Software verification is the job of taming complexity: in order to verify, say, one hundred thousand lines of source code, several tens of thousands of proof obligations have to be shown, some of which may require formal proofs of up to eight or ten thousand steps. Usually these long proofs consist of a considerable number of relatively simple subproofs to be established. Even for a small percentage of interactive steps, i.e., those steps the user has to supply as opposed to those steps that are generated automatically by the system (in the VSE system [3] curre...


Termination of Algorithms over Non-Freely Generated Data Types

April 1997 · 12 Reads · 16 Citations · Lecture Notes in Computer Science

Termination proofs for recursively defined operations serve several purposes: On the one hand, of course, they ensure the termination of the respective algorithms, which is an essential topic in software verification. On the other hand, a successful termination proof allows the termination ordering to be used as an induction ordering for future inductive proofs. So far, in the area of explicit inductive theorem proving only data types were admitted whose objects possess a unique syntactical representation. These data types include nat, lists, and trees. However, there are data types that do not possess this property, as, for instance, finite sets and finite arrays, which are frequently used for specifications in software verification. In this paper we are concerned with these data types. We admit them to explicit inductive theorem proving and, furthermore, we present an approach for an automated termination analysis of recursively defined algorithms over these data types. 1 Motivatio...


INKA: The next generation

April 1997 · 103 Reads · 57 Citations · Lecture Notes in Computer Science

The INKA system is a first-order theorem prover with induction based on the explicit induction paradigm. Since 1986, when a first version of the INKA system was developed, there have been many improvements. In this description we give a short overview of the current system state and its abilities. 1 Introduction The original INKA system dates back to 1986 [2]. The current version of the INKA system, which is described below, has been developed at DFKI GmbH between 1991 and 1995. The INKA system is a first-order theorem prover with induction based on the explicit induction paradigm. In contrast to Nqthm, the Boyer-Moore prover [3], the system is based on a full first-order calculus, a special variant of an order-sorted resolution calculus with paramodulation [7]. However, it is not specialized in inductive proofs but possesses a powerful predicate-logic proof component. INKA is designed to be used for practical applications of inductive theorem proving, for instance, in th...


Figure 1: Case Analysis

... proven (indicated by the blue boxes with wide borders) the second base case still has some open subgoals (indicated by the light red box with a tiny border). The case analysis given by the tree is subject to changes by the user. On selecting a box (i.e. a case) by a mouse click, a pop-up menu appears and allows the revision of the selected subtree. In case this subtree is non-empty the user may revise the case analysis, or in case of an empty subtree he may add an additional case analysis either by a simple case split or by explicit induction. Furthermore, he may generalize the theorem in order to enable an appropriate induction. Possible induction schemes are computed by the system and presented to the user in a pop-up menu, but if desired, the user may also specify his own individual scheme, which is automatically checked for soundness by the system before it is applied to the specified case. As usual a case may be inspected by a double left mouse click, which results in a visualization of the proof attempt for the respective case.

Figure 2: Single Deduction Steps

... tion step within the formula box. In our example, the result of the last deduction step (no. 7) of this compound step is shown. The labels of the arcs between the circles refer to the formulas used to modify the theorem. In case the result of the last deduction step is selected (as given in figure 2) the user may continue the proof attempt interactively. All terms displayed in the formula box are mouse sensitive, and selecting one of them will pop up a menu of possible choices in order to manipulate that specific term. INKA provides a large variety of possible interactions. At a basic level the user may specify a specific deduction step ("Apply Lemma"), while on a more sophisticated level the user may suggest a so-called bridge lemma ("Enable application of lemma"). Then INKA tries to enable the use of the specified lemma by modification of the selected term. As mentioned before, INKA uses the technique of coloring terms to control the proof search in various cases. A typical example is the task of enabling the use of a lemma by difference-reduction techniques. The INKA interface supports these techniques by displaying the syntactical differences of a term which prohibit the application of a lemma in a different color. Figure 3 illustrates the deduction steps that were made to enable the use of an induction hypothesis. The differences between conclusion and hypothesis are colored red while the common parts are colored blue. In case the process gets stuck, this coloring gives the user an insight into the anticipated deduction and supports the formulation of adequate lemmas to unblock the situation.

Figure 3: Colors

... and for recursively defined operations based on them are the basic elements of these specifications. In order to deal with large and complex specifications appropriately, the specification is distributed among the nodes of a so-called specification graph. Formulas are always proven relative to a node of this directed, acyclic graph. By doing so only the specifications inside reachable nodes are visible to the system. In case of success the user may add the proven formula to the set of theorems of the actual node, thus enlarging the local part of the specification. Figure 4 shows an example of a specification graph. The nodes of the graph correspond to single theories, each of them consisting of a number of axioms and lemmas. Selecting a node by a mouse click pops up a menu of activities in order to manipulate the actual specification. The user may add or delete theories, he may specify new axioms, or he may add new lemmas in case they can be proven with respect to the specification of the actual node and its subgraph. Besides the visualization of the specification graph, INKA provides hypertext facilities in order to examine all components of a specification, i.e. predicates, functions and sorts. In each case the selected object is displayed presenting all the relevant properties. For function and predicate symbols their original specification, their derived axioms as well as the system-generated simplification lemmas can be inspected. In addition, for recursively defined functions and predicates their suggested recursion orderings are visualized.

Figure 4: A specification graph
The Graphical User Interface of INKA

August 1996 · 47 Reads · 1 Citation

The development of software components that are provably correct with respect to a formal specification requires semantic conditions to be formalized and proved. Only then is the corresponding development step guaranteed to be correct. Besides the adequacy of the concepts underlying the overall development method, the time and skill necessary to fulfill these proof obligations are the main limiting factors for an application of formal techniques. Powerful deduction systems are therefore essential components of computer-aided software development systems. The INKA system is a first-order theorem prover with induction, and it is designed to be used for practical applications such as the formal development of software. Therefore, INKA possesses an interaction facility which follows the paradigm of direct manipulation. Any proof or proof attempt is summarized as a proof sketch which contains all deduction steps done so far as well as the strategic information concerning the...





Citations (12)


... Sponsored by BSI, the German agency for IT security, and the European Space Agency, as a part of the VSE project, Hutter et al., 1995] contains 4,000 lines, and the implementation 7100 lines of text. The verification effort amounts to ca. 2 person years. ...

Reference:

Formal Support for Development of Knowledge-Based Systems
The VSE development method - a way to engineer high: assurance software systems
  • Citing Book
  • January 1995

... The current list of integrated mathematical services consists of the theorem provers and computer algebra systems mentioned in the introduction, the knowledge base system MBase, the proof transformation and presentation system ProVerb [Huang and Fiedler, 1996] and the LΩUI [Siekmann et al., 1998] and OctOpus user interfaces. Currently, these services are used by the three control components InKa [Hutter and Sengler, 1996], Clam [Richardson et al., 1998], and the Ωmega kernel [Benzmüller et al., 1997]. A first synergy effect of MathWeb has been that the first two systems can now partake in infrastructure such as LΩUI and MBase developed for the latter, while the Ωmega system can now turn to InKa or Clam when it needs support for inductive proofs. ...

Verification Support Environment
  • Citing Article
  • January 1996

... Argument bounded algorithms are the key concept for the automated termination analysis proposed in [10]. The method has been implemented and proved successful in verification tools, [18], [19], [20], [21], [12], and provided the base for further developments of termination analysis [22], [23], [24], [3], [4], [25], [26], [27], [9] as well. Termination analysis with argument bounded algorithms is based on the syntactic estimation Γ,C of terms, where selector and procedure calls are estimated above by some argument(s) of the call. ...

Verification Support Environment (VSE)
  • Citing Article
  • January 1996

... Compared to VSE I (Hutter et al. 1996a; 1996b), which was based on a simple, non-compositional approach for state based systems, VSE II (Hutter et al. 1999) is extended with respect to comprehensive methods in order to deal with distributed and concurrent systems (Rock, Stephan, and Wolpers 1997) and with respect to an even more efficient and uniform proof support which makes use of implicit structuring of the proof obligations that arise. The basic formalism used in VSE II is close to TLA (Temporal Logic of Actions) (Lamport 1994). ...

The Verification Support Environment VSE
  • Citing Article
  • October 1992

IFAC Proceedings Volumes

... For reasoning about state transitions, our logic further extends dynamic logic. First-order dynamic logic (DL) [15] is a successful approach for reasoning about (discrete) state changes [3, 4, 15, 18]. Like model checking, first-order DL can analyse the behaviour of operational system models [21, 22]. ...

Deduction in the Verification Support Environment (VSE)

Lecture Notes in Computer Science

... Yet knowledge and intuition are essential for the invention of useful axiomatisations and theorems, for their interpretations and for the discovery of proofs. In fact, most of the systems supporting the formal development of software operate with interactive theorem provers as for example VSE [52,51,54] or the B-Tool [11,27,31]. From experience we know that many of the problems arising in the verification of a system need induction. ...

Deduction in the Verification Support Environment (VSE).
  • Citing Conference Paper
  • January 1996

... The central device for structured theorem proving and proof management in Hets is the formalism of development graphs. Development graphs have been used for large industrial-scale applications [27]. The graph structure provides a direct visualization of the structure of specifications, and it also allows for managing large specifications with hundreds of sub-specifications. ...

Verification Support Environment (VSE)
  • Citing Article
  • March 1998

... In essence it supports the command-line tactics of the provers, allowing the user to edit proof scripts at will, whilst maintaining prover consistency behind the scenes. Other explorations in this area include INKA [13], Lovely OMEGA [16], Window inference [17], Generalized Rewriting in Type Theory [3], The CoRe Calculus [2] and the Jape Theorem Proving framework (http://japeforall.org.uk/). Of the above, [2], [3] seem designed to support equational reasoning, but lack any notion of a GUI. ...

The Graphical User Interface of INKA