Computer Aided Verification 26th

International Conference CAV 2014

Held as Part of the Vienna Summer of
Logic VSL 2014 Vienna Austria July 18
22 2014 Proceedings 1st Edition Armin
Biere
Visit to download the full and correct content document:
https://textbookfull.com/product/computer-aided-verification-26th-international-confere
nce-cav-2014-held-as-part-of-the-vienna-summer-of-logic-vsl-2014-vienna-austria-july
-18-22-2014-proceedings-1st-edition-armin-biere/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Automated Reasoning 7th International Joint Conference

IJCAR 2014 Held as Part of the Vienna Summer of Logic
VSL 2014 Vienna Austria July 19 22 2014 Proceedings 1st
Edition Stéphane Demri
https://textbookfull.com/product/automated-reasoning-7th-
international-joint-conference-ijcar-2014-held-as-part-of-the-
vienna-summer-of-logic-vsl-2014-vienna-austria-
july-19-22-2014-proceedings-1st-edition-stephane-demri/

Rewriting and Typed Lambda Calculi Joint International

Conference RTA TLCA 2014 Held as Part of the Vienna
Summer of Logic VSL 2014 Vienna Austria July 14 17 2014
Proceedings 1st Edition Gilles Dowek (Eds.)
https://textbookfull.com/product/rewriting-and-typed-lambda-
calculi-joint-international-conference-rta-tlca-2014-held-as-
part-of-the-vienna-summer-of-logic-vsl-2014-vienna-austria-
july-14-17-2014-proceedings-1st-edition-gilles-dowek/

Computer Aided Verification 30th International

Conference CAV 2018 Held as Part of the Federated Logic
Conference FloC 2018 Oxford UK July 14 17 2018
Proceedings Part II Hana Chockler
https://textbookfull.com/product/computer-aided-
verification-30th-international-conference-cav-2018-held-as-part-
of-the-federated-logic-conference-floc-2018-oxford-uk-
july-14-17-2018-proceedings-part-ii-hana-chockler/

Learning and Collaboration Technologies Designing and

Developing Novel Learning Experiences First
International Conference LCT 2014 Held as Part of HCI
International 2014 Heraklion Crete Greece June 22 27
2014 Proceedings Part I 1st Edition Panayiotis Zaphiris
https://textbookfull.com/product/learning-and-collaboration-
technologies-designing-and-developing-novel-learning-experiences-
first-international-conference-lct-2014-held-as-part-of-hci-
Design User Experience and Usability User Experience
Design Practice Third International Conference DUXU
2014 Held as Part of HCI International 2014 Heraklion
Crete Greece June 22 27 2014 Proceedings Part IV 1st
Edition Aaron Marcus (Eds.)
https://textbookfull.com/product/design-user-experience-and-
usability-user-experience-design-practice-third-international-
conference-duxu-2014-held-as-part-of-hci-
international-2014-heraklion-crete-greece-
june-22-27-2014-proceedings/
Runtime Verification 5th International Conference RV
2014 Toronto ON Canada September 22 25 2014 Proceedings
1st Edition Borzoo Bonakdarpour

https://textbookfull.com/product/runtime-verification-5th-
international-conference-rv-2014-toronto-on-canada-
september-22-25-2014-proceedings-1st-edition-borzoo-bonakdarpour/

Informatics in Control Automation and Robotics 11th

International Conference ICINCO 2014 Vienna Austria
September 2 4 2014 Revised Selected Papers 1st Edition
Joaquim Filipe
https://textbookfull.com/product/informatics-in-control-
automation-and-robotics-11th-international-conference-
icinco-2014-vienna-austria-september-2-4-2014-revised-selected-
papers-1st-edition-joaquim-filipe/

Computer Aided Verification 28th International

Conference CAV 2016 Toronto ON Canada July 17 23 2016
Proceedings Part II 1st Edition Swarat Chaudhuri

https://textbookfull.com/product/computer-aided-
verification-28th-international-conference-cav-2016-toronto-on-
canada-july-17-23-2016-proceedings-part-ii-1st-edition-swarat-
chaudhuri/

Digital Human Modeling Applications in Health Safety

Ergonomics and Risk Management 5th International
Conference DHM 2014 Held as Part of HCI International
2014 Heraklion Crete Greece June 22 27 2014 Proceedings
1st Edition Vincent G. Duffy
https://textbookfull.com/product/digital-human-modeling-
applications-in-health-safety-ergonomics-and-risk-management-5th-
international-conference-dhm-2014-held-as-part-of-hci-
 Armin Biere
Roderick Bloem (Eds.)
LNCS 8559

Computer Aided
Verification
26th International Conference, CAV 2014
Held as Part of the Vienna Summer of Logic, VSL 2014
Vienna, Austria, July 18–22, 2014, Proceedings

123
Lecture Notes in Computer Science 8559
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Armin Biere Roderick Bloem (Eds.)

Computer Aided
Verification
26th International Conference, CAV 2014
Held as Part of the Vienna Summer of Logic, VSL 2014
Vienna, Austria, July 18-22, 2014
Proceedings

13
Volume Editors
Armin Biere
Johannes Kepler University Linz
Altenbergerstr. 69, 4040 Linz, Austria
E-mail: biere@jku.at
Roderick Bloem
IAIK, Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
E-mail: roderick.bloem@iaik.tugraz.at

ISSN 0302-9743 e-ISSN 1611-3349

ISBN 978-3-319-08866-2 e-ISBN 978-3-319-08867-9
DOI 10.1007/978-3-319-08867-9
Springer Cham Heidelberg New York Dordrecht London

Library of Congress Control Number: 2014942534

LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues

© Springer International Publishing Switzerland 2014
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection
with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and
executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication
or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location,
in ist current version, and permission for use must always be obtained from Springer. Permissions for use
may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution
under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
.
 Foreword

In the summer of 2014, Vienna hosted the largest scientific conference in the
history of logic. The Vienna Summer of Logic (VSL, http://vsl2014.at) con-
sisted of twelve large conferences and 82 workshops, attracting more than 2000
researchers from all over the world. This unique event was organized by the Kurt
Gödel Society and took place at Vienna University of Technology during July
9 to 24, 2014, under the auspices of the Federal President of the Republic of
Austria, Dr. Heinz Fischer.
The conferences and workshops dealt with the main theme, logic, from three
important angles: logic in computer science, mathematical logic, and logic in
artificial intelligence. They naturally gave rise to respective streams gathering
the following meetings:

Logic in Computer Science / Federated Logic Conference (FLoC)

• 26th International Conference on Computer Aided Verification (CAV)

• 27th IEEE Computer Security Foundations Symposium (CSF)
• 30th International Conference on Logic Programming (ICLP)
• 7th International Joint Conference on Automated Reasoning (IJCAR)
• 5th Conference on Interactive Theorem Proving (ITP)
• Joint meeting of the 23rd EACSL Annual Conference on Computer Science
Logic (CSL) and the 29th ACM/IEEE Symposium on Logic in Computer
Science (LICS)
• 25th International Conference on Rewriting Techniques and Applications
(RTA) joint with the 12th International Conference on Typed Lambda Cal-
culi and Applications (TLCA)
• 17th International Conference on Theory and Applications of Satisfiability
Testing (SAT)
• 76 FLoC Workshops
• FLoC Olympic Games (System Competitions)
VIII Foreword

Mathematical Logic

• Logic Colloquium 2014 (LC)

• Logic, Algebra and Truth Degrees 2014 (LATD)
• Compositional Meaning in Logic (GeTFun 2.0)
• The Infinity Workshop (INFINITY)
• Workshop on Logic and Games (LG)
• Kurt Gödel Fellowship Competition

Logic in Artificial Intelligence

• 14th International Conference on Principles of Knowledge Representation

and Reasoning (KR)
• 27th International Workshop on Description Logics (DL)
• 15th International Workshop on Non-Monotonic Reasoning (NMR)
• 6th International Workshop on Knowledge Representation for Health Care
2014 (KR4HC)

The VSL keynote talks which were directed to all participants were given by
Franz Baader (Technische Universität Dresden), Edmund Clarke (Carnegie Mel-
lon University), Christos Papadimitriou (University of California, Berkeley) and
Alex Wilkie (University of Manchester); Dana Scott (Carnegie Mellon Univer-
sity) spoke in the opening session. Since the Vienna Summer of Logic contained
more than a hundred invited talks, it would not be feasible to list them here.
The program of the Vienna Summer of Logic was very rich, including not only
scientific talks, poster sessions and panels, but also two distinctive events. One
was the award ceremony of the Kurt Gödel Research Prize Fellowship Competi-
tion, in which the Kurt Gödel Society awarded three research fellowship prizes
endowed with 100.000 Euro each to the winners. This was the third edition of
the competition, themed Logical Mind: Connecting Foundations and Technology
this year.
The 1st FLoC Olympic Games formed the other event and were hosted by
the Federated Logic Conference (FLoC) 2014. Intended as a new FLoC element,
the Games brought together 12 established logic solver competitions by different
research communities. In addition to the competitions, the Olympic Games facili-
tated the exchange of expertise between communities, and increased the visibility
and impact of state-of-the-art solver technology. The winners in the competition
categories were honored with Kurt Gödel medals at the FLoC Olympic Games
award ceremonies.
Organizing an event like the Vienna Summer of Logic was a challenge. We
are indebted to numerous people whose enormous efforts were essential in mak-
ing this vision become reality. With so many colleagues and friends working
with us, we are unable to list them individually here. Nevertheless, as rep-
resentatives of the three streams of VSL, we would like to particularly ex-
press our gratitude to all people who helped to make this event a success:
the sponsors and the Honorary Committee; the Organization Committee and
 Foreword IX

the local organizers; the conference and workshop chairs and Program Commit-
tee members; the reviewers and authors; and of course all speakers and partici-
pants of the many conferences, workshops and competitions.
The Vienna Summer of Logic continues a great legacy of scientific thought
that started in Ancient Greece and flourished in the city of Gödel, Wittgenstein
and the Vienna Circle. The heroes of our intellectual past shaped the scientific
world-view and changed our understanding of science. Owing to their achieve-
ments, logic has permeated a wide range of disciplines, including computer sci-
ence, mathematics, artificial intelligence, philosophy, linguistics, and many more.
Logic is everywhere – or in the language of Aristotle,      

July 2014 Matthias Baaz

Thomas Eiter
Helmut Veith
 Preface

This volume contains the papers presented at CAV 2014: International Confer-
ence on Computer Aided Verification held during July 18–22, 2014 in Vienna,
Austria.
CAV 2014 was the 26th in a series dedicated to the advancement of the
theory and practice of computer-aided formal analysis methods for hardware
and software systems.
As part of the Federated Logic Conference (FLoC) and the Vienna Summer
of Logic, CAV 2014 was collocated with many other conferences in logic. CAV
considers it vital to continue spurring advances in hardware and software verifi-
cation while expanding to new domains such as biological systems and computer
security.
The conference covered the spectrum from theoretical results to concrete
applications, with an emphasis on practical verification tools and the algorithms
and techniques that are needed for their implementation. The proceedings of
the conference will have been the Springer-Verlag Lecture Notes in Computer
Science series. A selection of papers was invited to a special issue of Formal
Methods in System Design and the Journal of the ACM.
There were 229 paper submissions, 175 regular papers and 54 short papers.
Each submission was reviewed by at least three, and on average 4 Program Com-
mittee members. The Program Committee decided to accept 57 papers which is
an acceptance rate of 25%, consisting of 46 regular papers (26%) and 11 short
papers (20%).
There were 293 abstract submissions originally and a couple of papers, not
included in the number of 229 papers above, immediately rejected due to ex-
cessively exceeding the page limit. Among the 172 rejected papers considered
for computing the acceptance rate, there were 7 regular and one short paper
withdrawn on behalf of the authors after first versions of reviews had been sent
out during the rebuttal phase.
Regarding paper format, CAV 2014 saw some important changes compared
to previous versions. Beside long papers, e.g., regular papers, there were also
short papers, but short papers were not restricted to be tool papers anymore. It
was also encouraged to submit high quality tool papers and empirical evaluations
as long papers. These regular papers with mostly only empirical results, and not
necessarily new theory, produced some reservations on the side of the review-
ers and was an import topic during the discussion of the Program Committee.
Further, references did not count towards the page limit.
Beside the presentations of the accepted papers, and shared FLoC sessions,
the program of CAV 2014 featured two tutorials, two CAV invited talks, three
competition presentations and last but not least the presentation of the CAV
award.
XII Preface

The first tutorial was given by David Monniaux, Verimag, Grenoble, France,
on “How Do We Get Inductive Invariants?” and the second tutorial by Fabio
Somenzi, University of Colorado at Boulder, USA, on “Hardware Model Check-
ing”.
The first invited talk by Erik Winfree, Caltech, Pasadena, California, USA,
had “Designing and Verifying Molecular Circuits and Systems Made of DNA” as
the title. The second invited talk by Rance Cleaveland, University of Maryland
and Fraunhofer, USA, discussed “Automated Testing”.
The CAV 2014 affiliated competitions consisted of the first “Syntax-Guided
Synthesis Competition”, organized by Rajeev Alur, Dana Fisman, Rishabh Singh
and Armando Solar-Lezama. Then there was the presentation of the results of
the first Synthesis Competition for Reactive Systems “SYNTCOMP” organized
by Swen Jacobs, Roderick Bloem, Rüdiger Ehlers and the 7th incarnation of the
“Hardware Model Checking Competition”, which was organized by Armin Biere
and Keijo Heljanko.
The CAV award was presented by the CAV Award Committee, which con-
sisted of Moshe Vardi, Ahmed Bouajjani, Tom Ball, and headed by Marta
Kwiatkowska.
The FLoC 2014 Interconference Topics on Security and SAT/SMT/QBF are a
FLoC 2014 initiative by CAV, CSF, and IJCAR to foster exchange and discussion
between conferences. The Interconference Topics consist of sessions from the
participating conferences with a joint thematic focus. They provide a special
opportunity for FLoC participants with particular interest in these topics.
We would like to thank our workshop and competition chair Martina Seidl,
for caring about 21 CAV workshops, including 4 workshops affiliated with other
FLoC conferences too. As publication chair Swen Jacobs did an excellent job
setting up the web-pages and producing the proceedings.
Of course without the tremendous effort put in the reviewing process by our
Program Committee members this conference would not have been possible. We
would further thank the Steering Committee for support and guidance during the
whole conference process as well as Andrei Voronkov for providing the EasyChair
service in general and excellent support during using EasyChair for CAV 2014.

May 2014 Armin Biere

Roderick Bloem
 Organization

Program Chairs
Armin Biere Johannes Kepler University of Linz, Austria
Roderick Bloem Graz University of Technology, Austria

Program Committee
Rajeev Alur University of Pennsylvania, USA
Domagoj Babic Google, USA
Gogul Balakrishnan University of Wisconsin, USA
Nikolaj Bjorner Microsoft Research, USA
Ahmed Bouajjani LIAFA, University Paris Diderot, France
Aaron Bradley University of Colorado Boulder, USA
Pavol Cerny University of Colorado Boulder, USA
Koen Claessen Chalmers University of Technology, Sweden
Byron Cook Microsoft Research, UK
Azadeh Farzan University of Toronto, Canada
Bernd Finkbeiner Saarland University, Germany
Jasmin Fisher Microsoft Research, UK
Mike Gordon University of Cambridge, UK
Orna Grumberg Technion - Israel Institute of Technology, Israel
Leopold Haller University of Oxford, UK
Keijo Heljanko Aalto University, Finland
William Hung Synopsys Inc, USA
Somesh Jha University of Wisconsin, USA
Susmit Jha Intel, USA
Barbara Jobstmann EPFL, Jasper DA, CNRS-Verimag,
Switzerland/France
Bengt Jonsson Uppsala University, Sweden
Laura Kovacs Chalmers University of Technology, Sweden
Daniel Kroening University of Oxford, UK
Marta Kwiatkowska University of Oxford, UK
Kim Guldstrand Larsen Aalborg University, Denmark
Joao Marques-Silva University College Dublin, Ireland
Kedar Namjoshi Bell Labs, USA
Corina Pasareanu CMU and NASA Ames Research Center, USA
Doron Peled Bar Ilan University, Israel
Pavithra Prabhakar IMDEA Software Institute, Spain
Jean-Francois Raskin Université Libre de Bruxelles, Belgium
XIV Organization

Koushik Sen University of California Berkeley, USA

Natasha Sharygina Università della Svizzera Italiana, Switzerland
Nishant Sinha IBM Research, India
Anna Slobodova Centaur Technology, USA
Fabio Somenzi University of Colorado Boulder, USA
Cesare Tinelli University of Iowa, USA
Thomas Wahl Northeastern University, USA
Georg Weissenbacher Vienna University of Technology, Austria
Eran Yahav Technion - Israel Institute of Technology, Israel

Organization Committee
Swen Jacobs Graz University of Technology, Austria
Martina Seidl Johannes Kepler University Linz, Austria

Steering Committee
Michael Gordon University of Cambridge, UK
Orna Grumberg Technion - Israel Institute of Technology, Israel
Aarti Gupta NEC Laboratories, USA
Kenneth McMillan Microsoft Research, USA

Additional Reviewers
Abate, Alessandro Batty, Mark
Abd Elkader, Karam Belov, Anton
Adzkiya, Dieky Ben Sassi, Mohamed Amin
Albarghouthi, Aws Bingham, Jesse
Alberti, Francesco Birgmeier, Johannes
Alglave, Jade Blackshear, Sam
Alt, Leonardo Bogomolov, Sergiy
Althoff, Matthias Boker, Udi
Aronis, Stavros Boldo, Sylvie
Atig, Mohamed Faouzi Botincan, Matko
Avigad, Jeremy Boudjadar, A. Jalil
Bacci, Giorgio Boulmé, Sylvain
Bacci, Giovanni Bozianu, Rodica
Bandhakavi, Sruthi Brain, Martin
Bansal, Kshitij Brenguier, Romain
Basler, Gerard Brockschmidt, Marc
Basset, Nicolas Bucheli, Samuel
Bastani, Osbert Bultan, Tevfik
Basu, Samik Cabodi, Gianpiero
 Organization XV

Cassel, Sofia Faymonville, Peter

Cassez, Franck Fedyukovich, Grigory
Ceska, Milan Feng, Lu
Chadha, Rohit Ferrara, Pietro
Chakarov, Aleksandar Filieri, Antonio
Chen, Hong-Yi Filiot, Emmanuel
Chen, Hongyi Fisman, Dana
Chen, Xin Forejt, Vojtech
Chen, Yu-Fang Fredrikson, Matt
Chockler, Hana Fränzle, Martin
Choi, Wontae Fu, Hongfei
Chowdhury, Omar Fuhs, Carsten
Christodorescu, Mihai Furia, Carlo A.
Ciardo, Gianfranco Galenson, Joel
Clemente, Lorenzo Ganai, Malay
Cordeiro, Lucas Ganty, Pierre
D’Amorim, Marcelo Gerke, Michael
D’Antoni, Loris Girard, Antoine
D’Silva, Vijay Gopan, Denis
D’Souza, Deepak Greaves, David
Daca, Przemyslaw Greenstreet, Mark
Dalsgaard, Andreas Engelbredt Griesmayer, Andreas
Dang, Thao Griggio, Alberto
David, Alexandre Groce, Alex
David, Cristina Grosu, Radu
Davidson, Drew Grundy, Jim
Davis, Jared Gupta, Ashutosh
De Carli, Lorenzo Gurfinkel, Arie
De Moura, Leonardo Haase, Christoph
Dehnert, Christian Hadarean, Liana
Delahaye, Benoit Haddad, Axel
Delaune, Stephanie Hahn, Ernst Moritz
Delzanno, Giorgio Hall, Ben
Dhawan, Mohan Hao, Kecheng
Dillig, Isil Harris, William
Dodds, Mike Hassan, Zyad
Donaldson, Alastair He, Fei
Doyen, Laurent Hendriks, Martijn
Drachsler, Dana Herbreteau, Frédéric
Dragoi, Cezara Hermanns, Holger
Duret-Lutz, Alexandre Hoare, Tony
Een, Niklas Hochreiter, Sepp
Emmi, Michael Holik, Lukas
Enea, Constantin Holzer, Andreas
Falcone, Ylies Hunter, Paul
XVI Organization

Hyvärinen, Antti Logozzo, Francesco

Ignatiev, Alexey Lopes, Nuno
Iosif, Radu Lopes, Nuno P.
Itzhaky, Shachar Luchaup, Daniel
Ivancic, Franjo Luckow, Kasper
Jacobs, Swen Malik, Sharad
Jaeger, Manfred Mangal, Ravi
Janota, Mikolas Manquinho, Vasco
Jansen, Nils Markey, Nicolas
Jha, Sumit Kumar Mauborgne, Laurent
Jin, Hoon Sang McCamant, Stephen
Johansson, Moa McClurg, Jedidiah
Joshi, Saurabh Mereacre, Alexandru
Jovanovic, Aleksandra Meshman, Yuri
Kahlon, Vineet Meyer, Roland
Kahsai, Temesghen Mikucionis, Marius
Kannan, Jayanthkumar Minea, Marius
Katz, Omer Mitra, Sayan
Khlaaf, Heidy Moarref, Salar
Kiefer, Stefan Monmege, Benjamin
Kim, Chang Hwan Peter Morgado, Antonio
Kim, Hyondeuk Moses, Yoram
Kincaid, Zachary Mukherjee, Rajdeep
Klein, Felix Mukund, Madhavan
Komuravelli, Anvesh Myers, Andrew
Konev, Boris Nadel, Alexander
Konnov, Igor Natraj, Ashutosh
Kotek, Tomer Navarro Perez, Juan Antonio
Kuismin, Tuomas Navas, Jorge
Kuncak, Viktor Nghiem, Truong
Kupferman, Orna Nickovic, Dejan
Kupriyanov, Andrey Niebert, Peter
Kähkönen, Kari Nimkar, Kaustubh
Lal, Akash Norman, Gethin
Landsberg, David Nyman, Ulrik
Lee, Wonchan Olesen, Mads Chr.
Leino, Rustan Omari, Adi
Leonardsson, Carl Ozay, Necmiye
Leue, Stefan Pajic, Miroslav
Liang, Tianyi Palikareva, Hristina
Liu, Jun Paoletti, Nicola
Liu, Lingyi Papavasileiou, Vasilis
Liu, Peizun Parker, David
Liu, Wanwei Parkinson, Matthew
Loginov, Alexey Parlato, Gennaro
 Organization XVII

Partush, Nimrod Sheinvald, Sarai

Passmore, Grant Shoham, Sharon
Pavlogiannis, Andreas Siirtola, Antti Tapani
Payer, Mathias Singhania, Nimit
Perez, Guillermo Sinha, Rohit
Peter, Isabelle Sinha, Saurabh
Pichon, Jean Sorrentino, Francesco
Piskac, Ruzica Sosnovich, Adi
Podelski, Andreas Srba, Jiri
Poetzl, Daniel Stainer, Amelie
Prabhu, Prakash Stenman, Jari
Pradel, M. Stergiou, Christos
Pradel, Michael Sticksel, Christoph
Putot, Sylvie Strichman, Ofer
Qian, Kairong Sturm, Thomas
Rabe, Markus N. Su, Kaile
Radhakrishna, Arjun Sznajder, Nathalie
Raghothaman, Mukund Tarrach, Thorsten
Ramachandran, Jaideep Tasiran, Serdar
Raman, Vishwanath Tautschnig, Michael
Ranise, Silvio Tentrup, Leander
Ratschan, Stefan Terauchi, Tachio
Ravanbakhsh, Hadi Thachuk, Chris
Ray, Sandip Tiwari, Ashish
Rezine, Ahmed Tonetta, Stefano
Rezine, Othmane Topcu, Ufuk
Rinetzky, Noam Torfah, Hazem
Rodriguez, Cesar Totla, Nishant
Rogalewicz, Adam Trefler, Richard
Rollini, Simone Fulvio Trinh, Cong Quy
Rubio-Gonzalez, Cindy Tripakis, Stavros
Ruemmer, Philipp Trivedi, Ashutosh
Rybalchenko, Andrey Tschantz, Michael Carl
Saarikivi, Olli Tsiskaridze, Nestan
Šafránek, David Tsitovich, Aliaksei
Sagonas, Konstantinos Turrini, Andrea
Saha, Indranil Udupa, Abhishek
Sanchez, Cesar Ujma, Mateusz
Sangnier, Arnaud Urban, Caterina
Sankaranarayanan, Sriram Vafeiadis, Viktor
Sarkar, Susmit Vardi, Moshe
Schrammel, Peter Veanes, Margus
Sezgin, Ali Vechev, Martin
Shacham, Ohad Villard, Jules
Sharma, Subodh Viswanathan, Mahesh
XVIII Organization

Viswanathan, Ramesh Wrigstad, Tobias

Vizel, Yakir Xia, Bican
Von Essen, Christian Xue, Bingtian
Wachter, Björn Yi, Wang
Widder, Josef Zheng, Feijun
Wieringa, Siert Zhou, Min
Wiltsche, Clemens Zhu, Yunyun
Wintersteiger, Christoph Zielonka, Wieslaw
Wintersteiger, Christoph M. Zimmermann, Martin
Worrell, James Zwirchmayr, Jakob
Invited Tutorials and Talks
 How Do We Get Inductive Invariants?
David Monniaux
CNRS, Verimag, Grenoble, France

Verifying the correctness of loop-free programs (or of general programs, up to

bounded depth) is difficult: the state space explodes exponentially as the depth
increases. Yet, the difficulty increases as we allow unboundedly many execu-
tion steps; proof approaches then generally rely on finding inductive invariants
(properties shown to hold initially, then to remain true by induction).
Abstract interpretation attempts finding inductive invariants within a given
domain, e.g. conjunctions of linear inequalities. The classical approach iterates a
transformer until the property becomes inductive. In general, this approach may
not terminate; thus termination is often enforced with a “widening” operator,
which attempts at generalizing the iterates into an inductive property. Unfortu-
nately, widening operators are brittle, with non-monotonic behaviors (supplying
more information about a system may result in worse analysis outcomes!). There-
fore, other approaches have been developed (policy iteration,. . . ), which avoid
this pitfall.
Finally, we shall discuss possible combinations of abstract interpretation and
SMT-solving.

Hardware Model Checking

Fabio Somenzi
University of Colorado at Boulder, USA

This tutorial described the state-of-the art in Hardware-Model Checking using

SAT and BDD-based techniques, including a discussion of the overall architec-
ture of modern, multi-engine model checkers.
Designing and Verifying Molecular Circuits and
Systems Made of DNA
Erik Winfree
California Institute of Technology, Pasadena, CA, USA

Inspired by the information processing core of biological organisms and its abil-
ity to fabricate intricate machinery from the molecular scale up to the macro-
scopic scale, research in synthetic biology, molecular programming, and nucleic
acid nanotechnology aims to create information-based chemical systems that
carry out human-defined molecular programs that input, output, and manip-
ulate molecules and molecular structures. For chemistry to become the next
information technology substrate, we will need improved tools for designing,
simulating, and analyzing complex molecular circuits and systems. Using DNA
nanotechnology as a model system, I will discuss how programming languages
can be devised for specifying molecular systems at a high level, how compilers
can translate such specifications into concrete molecular implementations, how
both high-level and low-level specifications can be simulated and verified accord-
ing to behavioral logic and the underlying biophysics of molecular interactions,
and how Bayesian analysis techniques can be used to understand and predict
the behavior of experimental systems that, at this point, still inevitably contain
many ill-characterized components and interactions.

Automated Testing
Rance Cleaveland
University of Maryland, USA

In model-based testing, (semi-)formal models of systems are used to drive the

derivation of test cases to be applied to the system-under-test (SUT). The tech-
nology has long been a part of the traditional hardware-design workflows, and
it is beginning to find application in embedded-software development processes
also. In automotive and land-vehicle control-system design in particular, models
in languages such as MATLAB(r) / Simulink(r) / Stateflow(r) are used to drive
the testing of the software used to control vehicle behavior, with tools like Reac-
tis(r), developed by a team including the speaker, providing automated test-case
generation support for this endeavor.
This talk will discuss how test-case generation capabilities may also be used to
help verify that models meet formal specifications of their behavior. The method
we advocate, Instrumentation-Based Verification (IBV), involves the formalizaton
of behavior specifications as models that are used to instrument the model to be
verified, and the use of coverage testing of the instrumented model to search for
specification violations. The presentation will discuss the foundations of IBV, the
test-generation approach and other features in Reactis that are used to support
IBV, and the results of several case studies involving the use of the methods.
Competition Presentations
The First Syntax-Guided Synthesis Competition
(SyGuS-COMP 2014)
Rajeev Alur1 , Dana Fisman1 , Rishabh Singh2 , and Armando Solar-Lezama2,
1
University of Pennsylvania
2
Massachusetts Institute of Technology

Abstract. Syntax-Guided Synthesis (SyGuS) is the computational prob-

lem of finding an implementation f that meets both a semantic constraint
given by a logical formula ϕ in a background theory T , and a syntac-
tic constraint given by a grammar G, which specifies the allowed set of
candidate implementations [1]. Such a synthesis problem can be formally
defined in SyGuS-IF [2], a language that is built on top of SMT-LIB.
The Syntax-Guided Synthesis Competition (SyGuS-COMP) is an ef-
fort to facilitate, bring together and accelerate research and development
of efficient solvers for SyGuS by providing a platform for evaluating dif-
ferent synthesis techniques on a comprehensive set of benchmarks. The
benchmarks for the first competition are restricted to the theories of bit-
vector and integer linear arithmetic, yet their origin spans a variety of
domains including bitvector algorithms, concurrency, robotics, and in-
variant generation. The solvers are scored primarily on the number of
benchmark solved and the solving time, and secondarily on the succinct-
ness of the synthesized solution.

References
1. Alur, R., Bodı́k, R., Juniwal, G., Martin, M.M.K., Raghothaman, M., Seshia, S.A.,
Singh, R., Solar-Lezama, A., Torlak, E., Udupa, A.: Syntax-Guided Synthesis. In:
FMCAD, pp. 1–17. IEEE (2013)
2. Raghothaman, M., Udupa, A.: Language to Specify Syntax-Guided Synthesis Prob-
lems (May 2014), http://arxiv.org/abs/1405.5590

*
This research was supported by NSF Expeditions in Computing award CCF-1138996
and the competition awards were sponsored by Microsoft Research and FLoC.
 Hardware Model Checking Competition
CAV 2014 Edition
Armin Biere1 and Keijo Heljanko2
1
Johannes Kepler University Linz, Austria
2
Aalto University, Finland

The results of the 7th International Hardware Model Checking Competition were
presented at CAV 2014. Model checkers were required to produce witnesses for
single safety properties. The traces were checked by the AIGSIM tool, which is
part of the AIGER tools. Otherwise, the competition was run in almost the same
way as in the previous two years. The competition was run on a cluster at Aalto
University with exclusive access to 32 nodes of 2x Six-Core AMD Opteron 2435
2.6GHz with at least 16 GB of RAM. This meant 12 cores for each solver per
benchmark, memory limit of 15 GB and time limit of 900 seconds. As fall back
we had the cluster at JKU with the same characteristics as in previous years.
Beside the requirement to produces witnesses, rules, input and output format
did not change.
During the FLoC Olympic Games ceremony in the second week, three real sil-
ver medals were handed out to the winners of the three tracks of the competition.
These three tracks in the CAV 2014 edition of the competitHardwaion consisted
of: the single safety, the liveness and the deep bound track. There was no multi-
ple property track for the CAV edition. It was considered to be the technically
most challenging track, particularly while moving to new hardware, and further,
only three medals were available. The winner of the deep bound track received
both a medal and check, sponsored again by Oski technology. The competition
further relied on support by the national research network on Rigorous System
Engineering (RiSE) funded by the Austrian Science Fund (FWF) and also used
resources made available through the Science-IT project at Aalto University.
 SYNTCOMP -
Synthesis Competition for Reactive Systems
Roderick Bloem1 , Rüdiger Ehlers2,3 , and Swen Jacobs1
1
Graz University of Technology
Austria
2
University of Bremen
Germany
3
DFKI GmbH
Bremen, Germany

We present results of the first competition for reactive synthesis tools. For this
first iteration, we focused on safety specifications, which are given as sequential
circuits in an extension of the AIGER format for and-inverter graphs [1]. In
the extended format, input signals of the circuit can be declared as controllable
or uncontrollable. The synthesized implementation can read the uncontrollable
input signals, and uses this information to drive the controllable signals such
that the circuit never emits a true value at its error output signal.
The setting allows to encode a wide range of synthesis problems, and bench-
marks for the first competition ranged from machine and robot controllers to
hardware components like on-chip bus arbiters, and translations of LTL proper-
ties in general. Liveness properties are encodable in the form of bounded liveness
properties, and the competition featured both benchmarks that make and that
do not make use of this approach.
Tools were ranked with respect to the time needed for realizability checks and
the size of circuits produced. Particular focus has been put on the verification
of the synthesized implementations. Tools had to output the resulting controller
in a format that is suitable as input to tools from the hardware model checking
competition (HWMCC), i.e., as another and-inverter-graph circuit. Solutions
had to be verifiable by current model checking tools in order to count for the
competition. The competition also featured a track in which only the realizability
of a specification needed to be checked, i.e., whether some controller exists or
not.
SYNTCOMP was part of the FLoC 2014 Olympic Games and relied on sup-
port by the Austrian national research network on Rigorous Systems Engineering
(RiSE), funded by the Austrian Science Fund (FWF).

Reference
1. Jacobs, S.: Extended AIGER Format for Synthesis. arXiv:1405.5793 (May 2014)
 Table of Contents

Software Verification
The Spirit of Ghost Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Jean-Christophe Filliâtre, Léon Gondelman, and Andrei Paskevich

SMT-Based Model Checking for Recursive Programs . . . . . . . . . . . . . . . . . 17

Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki

Property-Directed Shape Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Shachar Itzhaky, Nikolaj Bjørner, Thomas Reps, Mooly Sagiv, and
Aditya Thakur

Shape Analysis via Second-Order Bi-Abduction . . . . . . . . . . . . . . . . . . . . . . 52

Quang Loc Le, Cristian Gherghina, Shengchao Qin, and
Wei-Ngan Chin

ICE: A Robust Framework for Learning Invariants . . . . . . . . . . . . . . . . . . . 69

Pranav Garg, Christof Löding, P. Madhusudan, and Daniel Neider

From Invariant Checking to Invariant Inference Using Randomized

Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Rahul Sharma and Alex Aiken

SMACK: Decoupling Source Language Details from Verifier

Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Zvonimir Rakamarić and Michael Emmi

Security
Synthesis of Masking Countermeasures against Side Channel Attacks . . . 114
Hassan Eldib and Chao Wang

Temporal Mode-Checking for Runtime Monitoring of Privacy Policies . . . 131

Omar Chowdhury, Limin Jia, Deepak Garg, and Anupam Datta

String Constraints for Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen,
Lukáš Holı́k, Ahmed Rezine, Philipp Rümmer, and Jari Stenman

A Conference Management System with Verified Document

Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Sudeep Kanav, Peter Lammich, and Andrei Popescu
XXX Table of Contents

VAC - Verifier of Administrative Role-Based Access Control Policies . . . . 184

Anna Lisa Ferrara, P. Madhusudan, Truc L. Nguyen, and
Gennaro Parlato

Automata
From LTL to Deterministic Automata: A Safraless Compositional
Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Javier Esparza and Jan Křetı́nský

Symbolic Visibly Pushdown Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Loris D’Antoni and Rajeev Alur

Model Checking and Testing

Engineering a Static Verification Tool for GPU Kernels . . . . . . . . . . . . . . . 226
Ethel Bardsley, Adam Betts, Nathan Chong, Peter Collingbourne,
Pantazis Deligiannis, Alastair F. Donaldson, Jeroen Ketema,
Daniel Liew, and Shaz Qadeer

Lazy Annotation Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Kenneth L. McMillan

Interpolating Property Directed Reachability . . . . . . . . . . . . . . . . . . . . . . . . 260

Yakir Vizel and Arie Gurfinkel

Verifying Relative Error Bounds Using Symbolic Simulation . . . . . . . . . . . 277

Jesse Bingham and Joe Leslie-Hurd

Regression Test Selection for Distributed Software Histories . . . . . . . . . . . 293

Milos Gligoric, Rupak Majumdar, Rohan Sharma,
Lamyaa Eloussi, and Darko Marinov

GPU-Based Graph Decomposition into Strongly Connected and

Maximal End Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Anton Wijs, Joost-Pieter Katoen, and Dragan Bošnački

Software Verification in the Google App-Engine Cloud . . . . . . . . . . . . . . . . 327

Dirk Beyer, Georg Dresler, and Philipp Wendler

The nuXmv Symbolic Model Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

Roberto Cavada, Alessandro Cimatti, Michele Dorigatti,
Alberto Griggio, Alessandro Mariotti, Andrea Micheli, Sergio Mover,
Marco Roveri, and Stefano Tonetta
 Table of Contents XXXI

Biology and Hybrid Systems

Analyzing and Synthesizing Genomic Logic Functions . . . . . . . . . . . . . . . . 343
Nicola Paoletti, Boyan Yordanov, Youssef Hamadi,
Christoph M. Wintersteiger, and Hillel Kugler
Finding Instability in Biological Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Byron Cook, Jasmin Fisher, Benjamin A. Hall, Samin Ishtiaq,
Garvit Juniwal, and Nir Piterman
Invariant Verification of Nonlinear Hybrid Automata Networks of
Cardiac Cells . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Zhenqi Huang, Chuchu Fan, Alexandru Mereacre, Sayan Mitra, and
Marta Kwiatkowska
Diamonds Are a Girl’s Best Friend: Partial Order Reduction for Timed
Automata with Abstractions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Henri Hansen, Shang-Wei Lin, Yang Liu,
Truong Khanh Nguyen, and Jun Sun
Reachability Analysis of Hybrid Systems Using Symbolic Orthogonal
Projections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Willem Hagemann
Verifying LTL Properties of Hybrid Systemswith K-Liveness . . . . . . . . . 424
Alessandro Cimatti, Alberto Griggio, Sergio Mover, and
Stefano Tonetta

Games and Synthesis

Safraless Synthesis for Epistemic Temporal Specifications . . . . . . . . . . . . . 441
Rodica Bozianu, Cătălin Dima, and Emmanuel Filiot
Minimizing Running Costs in Consumption Systems . . . . . . . . . . . . . . . . . . 457
Tomáš Brázdil, David Klaška, Antonı́n Kučera, and Petr Novotný
CEGAR for Qualitative Analysis of Probabilistic Systems . . . . . . . . . . . . . 473
Krishnendu Chatterjee, Martin Chmelı́k, and Przemyslaw Daca
Optimal Guard Synthesis for Memory Safety . . . . . . . . . . . . . . . . . . . . . . . . 491
Thomas Dillig, Isil Dillig, and Swarat Chaudhuri
Don’t Sit on the Fence: A Static Analysis Approach to Automatic
Fence Insertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Jade Alglave, Daniel Kroening, Vincent Nimal, and Daniel Poetzl
MCMAS-SLK: A Model Checker for the Verification of Strategy Logic
Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Petr Čermák, Alessio Lomuscio, Fabio Mogavero, and
Aniello Murano
XXXII Table of Contents

Solving Games without Controllable Predecessor . . . . . . . . . . . . . . . . . . . . . 533

Nina Narodytska, Alexander Legg, Fahiem Bacchus,
Leonid Ryzhyk, and Adam Walker

G4LTL-ST: Automatic Generation of PLC Programs . . . . . . . . . . . . . . . . . . 541

Chih-Hong Cheng, Chung-Hao Huang, Harald Ruess, and
Stefan Stattelmann

Concurrency
Automatic Atomicity Verification for Clients of Concurrent Data
Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Mohsen Lesani, Todd Millstein, and Jens Palsberg

Regression-Free Synthesis for Concurrency . . . . . . . . . . . . . . . . . . . . . . . . . . 568

Pavol Černý, Thomas A. Henzinger, Arjun Radhakrishna,
Leonid Ryzhyk, and Thorsten Tarrach

Bounded Model Checking of Multi-threaded C Programs via Lazy

Sequentialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Omar Inverso, Ermenegildo Tomasco, Bernd Fischer,
Salvatore La Torre, and Gennaro Parlato

An SMT-Based Approach to Coverability Analysis . . . . . . . . . . . . . . . . . . . 603

Javier Esparza, Ruslán Ledesma-Garza, Rupak Majumdar,
Philipp Meyer, and Filip Niksic

LEAP: A Tool for the Parametrized Verification of Concurrent

Datatypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Alejandro Sánchez and César Sánchez

SMT and Theorem Proving

Monadic Decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Margus Veanes, Nikolaj Bjørner, Lev Nachmanson, and Sergey Bereg

A DPLL(T ) Theory Solver for a Theory of Strings and Regular

Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Tianyi Liang, Andrew Reynolds, Cesare Tinelli, Clark Barrett, and
Morgan Deters

Bit-Vector Rewriting with Automatic Rule Generation . . . . . . . . . . . . . . . . 663

Alexander Nadel

A Tale of Two Solvers: Eager and Lazy Approaches to Bit-Vectors . . . . . 680

Liana Hadarean, Kshitij Bansal, Dejan Jovanović,
Clark Barrett, and Cesare Tinelli
 Table of Contents XXXIII

AVATAR: The Architecture for First-Order Theorem Provers . . . . . . . . . . 696

Andrei Voronkov

Automating Separation Logic with Trees and Data . . . . . . . . . . . . . . . . . . . 711

Ruzica Piskac, Thomas Wies, and Damien Zufferey

A Nonlinear Real Arithmetic Fragment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729

Ashish Tiwari and Patrick Lincoln

Yices 2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737

Bruno Dutertre

Bounds and Termination

A Simple and Scalable Static Analysis for Bound Analysis and
Amortized Complexity Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Moritz Sinn, Florian Zuleger, and Helmut Veith

Symbolic Resource Bound Inference for Functional Programs . . . . . . . . . . 762

Ravichandhran Madhavan and Viktor Kuncak

Proving Non-termination Using Max-SMT . . . . . . . . . . . . . . . . . . . . . . . . . . 779

Daniel Larraz, Kaustubh Nimkar, Albert Oliveras,
Enric Rodrı́guez-Carbonell, and Albert Rubio

Termination Analysis by Learning Terminating Programs . . . . . . . . . . . . . 797

Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski

Causal Termination of Multi-threaded Programs . . . . . . . . . . . . . . . . . . . . . 814

Andrey Kupriyanov and Bernd Finkbeiner

Abstraction
Counterexample to Induction-Guided Abstraction-Refinement
(CTIGAR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
Johannes Birgmeier, Aaron R. Bradley, and Georg Weissenbacher

Unbounded Scalable Verification Based on Approximate Property-

Directed Reachability and Datapath Abstraction . . . . . . . . . . . . . . . . . . . . . 849
Suho Lee and Karem A. Sakallah

QUICr: A Reusable Library for Parametric Abstraction of Sets and

Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
Arlen Cox, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875

 The Spirit of Ghost Code

Jean-Christophe Filliâtre1,2 , Léon Gondelman1 , and Andrei Paskevich1,2

1
Lab. de Recherche en Informatique, Univ. Paris-Sud, CNRS, Orsay, F-91405
2
INRIA Saclay – Île-de-France, Orsay, F-91893

Abstract. In the context of deductive program verification, ghost code

is part of the program that is added for the purpose of specification.
Ghost code must not interfere with regular code, in the sense that it
can be erased without observable difference in the program outcome. In
particular, ghost data cannot participate in regular computations and
ghost code cannot mutate regular data or diverge. The idea exists in the
folklore since the early notion of auxiliary variables and is implemented
in many state-of-the-art program verification tools. However, a rigorous
definition and treatment of ghost code is surprisingly subtle and few
formalizations exist.
In this article, we describe a simple ML-style programming language
with mutable state and ghost code. Non-interference is ensured by a type
system with effects, which allows, notably, the same data types and func-
tions to be used in both regular and ghost code. We define the procedure
of ghost code erasure and we prove its safety using bisimulation. A sim-
ilar type system, with numerous extensions which we briefly discuss, is
implemented in the program verification environment Why3.

1 Introduction
A common technique in deductive program verification consists in introducing
data and computations, traditionally named ghost code, that only serve to fa-
cilitate specification. Ghost code can be safely erased from a program without
affecting its final result. Consequently, a ghost expression cannot be used in a
regular (non-ghost) computation, it cannot modify a regular mutable value, and
it cannot raise exceptions that would escape into regular code. However, a ghost
expression can use regular values and its result can be used in program annota-
tions: preconditions, postconditions, loop invariants, assertions, etc. A classical
use case for ghost code is to equip a data structure with ghost fields containing
auxiliary data for specification purposes. Another example is ghost step counters
to prove the time complexity of an algorithm.
When it comes to computing verification conditions, for instance using a weak-
est precondition calculus, there is no need to make a distinction between ghost
and regular code. At this moment, ghost code is just a computation that supplies
auxiliary values to use in specification and to simplify proofs. This computation,

This work is partly supported by the Bware (ANR-12-INSE-0010, http://bware.
lri.fr/) project of the French national research organization (ANR).

A. Biere and R. Bloem (Eds.): CAV 2014, LNCS 8559, pp. 1–16, 2014.

c Springer International Publishing Switzerland 2014
Another random document with
no related content on Scribd:
yards. The Austrian army was similarity equipped. The Italians were
equipped with a 105-mm gun essentially of the same characteristics
as the French 105-mm M-1913.
Medium Gun. Ideal. A caliber of between 4.7 and 5” on a carriage
permitting a vertical arc of fire of from minus 5 degrees to plus 80
degrees; a horizontal arc of fire of 360 degrees. Shrapnel and shell
weighing not over 60 pounds, maximum range 18,000 yards; with
semi-fixed or separate loading ammunition permissible.
Medium Gun Practical. Corps artillery should be armed with the
present type 4.7” gun, Model 1906, except that at least one regiment
should be armed with the British type 5”-guns purchased abroad.
Transport. All corps guns should be developed for long, rapid
hauls. Similar ammunition vehicles should be developed. The wheels
for the gun carriage should be rubber-tired.
Medium Howitzer. In the opinion of the French, Italians, British
and the Americans, the 155-mm howitzer (Schnieder) was
conspicuously successful in the present war. It should, therefore, be
retained as a type. The howitzer and carriage as it stands at present,
is a highly satisfactory and efficient piece of armament. For the
future it is believed that effort should be made to increase the range
by improvements in the form of projectile, and it is believed that the
form of howitzer and carriage should be studied with a view of
obtaining, through modifications, a maximum range of approximately
16,000 yards.
Many batteries of 155-mm howitzers (Schnieder) were motorized
in the American Army in France, and the consensus of opinion is
definitely toward the retention of this form of prime mover. It is
interesting to note that all the important belligerents have settled
upon a howitzer of approximately 6” in caliber, and otherwise
essentially of the same ballistic characteristics as the type in
question. The projectile of this caliber is the smallest projectile which
can be called upon to give adequate mining effect against material
targets of semi-permanent nature. The place of this howitzer is,
therefore, determined by considerations of its destructive ability. It is
a splendid destruction and neutralizing weapon.
 Medium Howitzer. Ideal. A caliber of about 155-mm on a carriage
permitting a vertical arc of fire of from minus 5 degrees to plus 65
degrees; and a horizontal arc of fire of 360 degrees. The projectile
should not weigh over 100 pounds and should be interchangeable
with projectiles for other guns of this caliber referred to later on. High
explosive shell, only, should be supplied.
Medium Howitzer. Practical. The corps should be armed with the
155-mm (Schnieder) howitzer referred to above. The type of fuses
for shell should be super quick and long delay.

ARMY ARTILLERY.
Missions. In addition to the division and corps artillery fulfilling the
missions outlined above there must be additional artillery available.
There are missions of interdiction, neutralization and destruction
which fall beyond the activities or capabilities of the normal corps or
medium field types; there must exist a surplus of division or corps
types, properly transported, for strategic reinforcements of divisions
and corps during such times as the normal allotment to such units is
insufficient; there must be artillery of special purpose—mountain
artillery, trench and super guns and howitzers. Of the above
additional artillery, a type of heavy field gun and a type of heavy field
howitzer are considered normally necessary in the armament of a
field army; the gun should have a range of approximately 25,000
yards, and the howitzer a range of about 18,000 yards. These
weapons are more powerful than the medium field types, add range
to the interdiction and harassing and to the neutralization and
destruction possible with the corps type. Considering the paragraphs
pertaining to divisional artillery and the introduction to corps artillery
it will be seen that the normal artillery of a field army can be
accomplished by the assignments of two caliber, i. e., two light
weapons, two medium weapons and two heavy weapons—a gun
and a howitzer in each class—and a satisfactory anti-aircraft gun.
Heavy Field Gun. The consensus of opinion of all artillery officers
—British, Italian and American—is that the heavy field gun should be
of approximately 6” caliber and that guns of greater caliber than this
are necessary in limited number for field operations. The French
were constructing 194-mm guns during the latter stages of the war. It
is believed that in developing this type of gun the French were
actuated almost entirely by the necessity for increased range, since
the German 150-mm gun, Model 1916, outranged the G. P. F. by
approximately 5,500 yards. The French have recently made
considerable progress in securing the necessary increase in range
with the G. P. F. All of the principal nations engaged in the war used
a heavy field gun of approximately 6” caliber. This type has given
such general satisfaction that its continuance is assured. The
principal mission of the heavy field gun is harassing and interdiction
fire, and for these uses the 6” projectile is sufficiently heavy. The
maximum practicable traverse and elevation should be provided by
the carriage of the heavy field gun. The G. P. F. carriage has given
general satisfaction, but its wide tread and the excessive time
required to occupy a position are very objectionable features. It is the
consensus of all artillery officers—French, British and American—
that the heavy field gun should be of approximately 6” caliber and
with a range in excess of 25,000 yards, with not less than 60 degree
traverse, weighing not more than 12 tons, limbered, capable of
occupying and leaving a position quickly, and with a width of tread
which does not prevent two-way traffic on ordinary roads. The
Italians differ from this opinion only in that they are satisfied with a
maximum range of 18,000 yards.
Heavy Field Gun. Ideal. A caliber of about 155-mm on a carriage
permitting a vertical arc of fire from 0 degrees to plus 65 degrees;
with a horizontal arc of fire of 360 degrees. The maximum range
should be about 25,000 yards.
Heavy Field Gun. Practical. Arm with the present type 155-mm
G. P. F. and carry on experiments for type of carriage as outlined for
division field gun. The fuses should be super-quick and short delay.
Transport. All artillery of this type should be motorized and tested
and experiments for ammunition vehicles to correspond with the
types of carriages developed, and should be carried on
simultaneously.
 Heavy Field Howitzer. No type of heavy field howitzer developed
during the war has given general satisfaction. The consensus of all
army artillery officers—French, English and American—is that two
calibers of howitzers are necessary—one a companion piece for the
6” gun and one of the maximum possible power consistent with the
necessary mobility. The lighter of these two howitzers should have
the same mobility as the 6” gun, with a caliber of about 8” and a
maximum range of not less than 16,000 yards. The heavy field
howitzer should be of about 9.5” caliber with a range in excess of
16,000 yards; the carriage should provide for wide traverse and must
have sufficient mobility to accompany the army in the field. It will
probably be necessary to transport this howitzer in more than one
load, and the maximum weight of any load should not exceed 12
tons. The average time necessary for occupying a position should
not exceed six hours under actual field conditions.
Heavy Field Howitzer. Ideal. A caliber of about 8” on a carriage
permitting a vertical arc of fire of from 0 to plus 65 degrees; and a
horizontal arc of fire of 360 degrees. The maximum range should be
18,000 yards.
Heavy Field Howitzer. Practical. Use at present 8” material of
British design which is on hand.
Railway Artillery. The war has demonstrated the necessity for
long range and powerful guns for distant interdiction and harassing
work and for super-heavy howitzers for the destruction of semi-
permanent fortifications. Artillery of these types can best be mounted
on railway carriages and this type of mount offers no serious
disadvantages since these guns will not be used except with large
forces which require extensive railroad systems for their supply. This
does not apply to guns of the type used to bombard Paris; such guns
have no military value and their construction is not justifiable.

ANTI-AIRCRAFT GUNS.
Light Gun. Ideal. Caliber about 3” with initial velocity of at least
2,600 f. s.; semi-automatic breechblock, mounted on carriage,
permitting 80 degrees elevation and 360 degrees traverse;
projectiles weighing not less than 15 pounds, of one type high
explosive shell with maximum ballistic qualities and as large
explosive charge as possible; fixed ammunition; smokeless,
flashless powder, mechanical fuse. In this type every effort must be
made to increase the rate of fire and decrease time of flight; this
latter is limited only by considerations of a reasonable accuracy life
for the gun.
Light Gun. Practical. Arm units with present 3” anti-aircraft
equipment. Continue experiments leading to the development of the
ideal.
Transport. Ideal. Caterpillar mount or caterpillar trailer mount
drawn by caterpillar tractor, each unit to permit a sustained speed of
12 miles per hour.
 CHAPTER V
THE 3-INCH FIELD GUN.

THE GUN.
The Gun is known officially as the 3-inch Field Gun, Model 1905. It
is a built-up construction of nickel-steel and consists of a tube with a
rifled bore, 3 inches in diameter, upon which are shrunk the jacket,
locking hoop and front clip hoop. The jacket reinforces the rear half
of the tube. The locking hoop serves to secure the jacket from any
longitudinal movement to the rear. On the under side of the gun,
extending the entire length of the jacket, locking hoop, and front clip,
are formed two recoil guides or clips which fit over and secure the
gun to the guide rails of the cradle. When the gun is fired, it slides
along the guide rails. The dust guard covers the part of the guide
rails between the locking hoop and the front clip. The rifling of the
bore is right-hand twist and starts with 0 turns at the breech
increasing to 1 turn in 25 calibers at 10 inches from the muzzle, then
uniform to the muzzle.

Weights and Dimensions.

Weight of gun 788 lbs.

Calibre 3 inches
Length about 7 feet
Number of lands and grooves 24
Muzzle velocity 1700 ft. sec.
Maximum pressure per sq. in. 33,000 lbs.
Limit of depression (90 mils.) 5 degrees
Maximum elevation (265 mils.) 15 degrees
Maximum range, trail sunk, about 8,500 yds. (5 M)
Range at 15° elevation (265 mils) 6,000 yds. (3½ M)

3 Inch Field Gun, Models of 1904 & 1905.

Breech Mechanism Assembled.

Nomenclature of parts of Gun:—

Jacket.
Locking hoop.
Tube.
Bore.
Rifling.
Lands.
Grooves
Breech recess.
Front clip.
 Muzzle.
Dust guard.
Recoil guides or clips.
Chamber.
Recoil lug.
Line sight (front and rear).
Handy oilers.

THE BREECH MECHANISM.

The breechblock is of the interrupted-screw type, and is provided
with four threaded and four slotted sectors. The front end of the axial
recess in the block is closed by a bushing. Four ventholes lead from
a cavity in the bushing and permit the escape of gas to the rear in
case of a ruptured primer. On the rear face of the breechblock are
cut gear teeth, in which the gear teeth of the operating lever
bevelgear mesh. The breechblock is concentrically mounted on a
hub on the block carrier, in which the firing-lock case is fitted. Its
position in the breech of the gun with reference to the axis of the
bore is eccentric.
The breechblock is closed or locked by a continuous movement of
the operating lever. When the block is swung to the closed position
the front face of the block latch comes in contact with the rear face of
the breech of the gun, thus forcing the latch out of the notch in the
breechblock and back into a recess in the carrier. By continuing the
motion of closing the mechanism, the breechblock is then rotated on
the hub of the carrier and its threads engage with corresponding
ones in the gun. When the breechblock is in the closed position, a
lug on the firing-lock case serves to lock the carrier to the
breechblock and prevents displacement due to a blowback.
The firing mechanism belongs to that type known as a
continuous-pull mechanism; that is, no cocking of the firing-pin is
required.
 The firing-lock case is eccentrically fitted in the hub of the block
carrier, in such a position that the axis of the firing-pin is always in
line with the bore of the gun. The vent bushing in the front end of the
breech block through which the firing pin passes when in the fired
position, is fitted eccentrically with reference to the breechblock. This
eccentric arrangement of the breechblock, masks the point of the
firing-pin and prevents any possible contact between the pin and the
primer in the cartridge case when the block is unlocked. The block
will be practically fully locked before any contact between the firing-
pin and primer can take place.
Nomenclature of important parts of Breech & Firing Mechanism.
Mod. 1905:—
Name of Part Where located
Breech Block On block carrier
Vent Bushing Front end of block
Block Carrier Hinged to jacket; supports block
Block Stop Screwed into front face of carrier
Hinge Pin Hinges carrier to jacket
Hinge Pin Catch In hinge pin
Extractor In breech recess
Extractor Lever Mounted on hinge pin
Operating Lever Pivoted on block carrier
Lever Pivot Pivots lever on block carrier
Lever Latch In operating lever
Lever Latch Spring In operating lever, lower part
Lever Latch Pivot In operating lever, lower part
Block Latch In recess in carrier
Block Latch Spring Around latch bolt
Firing Lock Case In hub of the block carrier
Locking Bolt Nut and Pin On firing lock case, rear face of carrier
Firing Pin In axle hole, center of firing lock case
Firing Pin Spring Around firing pin
Firing Spring Sleeve Around firing pin spring
Sear In slot in firing lock case
Trigger Fork Rear end firing lock case
Trigger Shaft On rear end firing lock case
Trigger Shaft Detent On trigger shaft
Firing Pallet On pallet shank
Pallet Shank On recoil lug of gun
Firing Handle On firing handle shaft
Firing Handle Bracket Attached to right side of cradle
Firing Handle Shaft Assembled in bracket, right side of cradle
Trip Latch Attached to trip latch plunger
Trip Latch Plunger Assembled to firing handle
Adjusting Screw Assembled to firing handle bracket
Check Nut Assembled in adjusting screw
 3 Inch Gun Carriage, Model of 1902.
Plan

THE GUN CARRIAGE.

The gun carriage for the 3-inch gun Model 1905 is of the type
known as the long-recoil, in which the gun is permitted a sufficient
length of recoil (about 45 inches) upon the carriage to render the
latter stationary under firing stresses. The gun is mounted upon a
cradle which forms a housing for the recoil controlling parts. The
cradle rests upon the rocker and has a small traversing motion of 70
mils on each side of the axis of the carriage. The rocker is journaled
upon the axle and its rear end is supported by the elevating
mechanism, which is seated in the trail.
The principal parts of the carriage are the wheels, axle, trail and
elevating mechanism forming the lower carriage, the cradle and
recoil-controlling parts constituting the upper carriage, and the rocker
and traversing mechanism intermediate between the two. In addition
there are provided shields, ammunition carriers, the road brake, and
the axle seats.
The Wheels and the Axle. The wheels are a modified form of the
Archibald pattern, 56 inches in diameter, with 3-inch tires. The axle is
hollow and forged from a single piece of steel. The wheels are held
on by the wheel fastenings.
Trail.—The trail consists of two steel flasks of channel section with
the flanges turned inward, tied together by transoms and plates to
form the sight and the tool boxes. Attached to the trail are the trail
spade, float trail handspike, trail handles and the lunette.
Elevating Gear.—The elevating gear is of double-screw type and
consists of an inner and outer elevating screw, an elevating-gear
bracket, an elevating bevel gear, two elevating bevel pinions, and
two elevating crank shafts. The inner elevating screw is a steel
screw, threaded with a right-hand thread. It is attached at its upper
end by the elevating pin to the rear end of the rocker. The outer
elevating screw is of bronze and is threaded on the exterior with a
right-hand thread to take the inner elevating screw. On the exterior
are also cut two longitudinal keyways, in which the keys of the bevel
gear work.
Traversing Mechanism.—The traversing mechanism consists of
a shaft, called the traversing shaft, mounted in bearings in the
traversing-gear case, and a traversing nut moving longitudinally on
the shaft, but restrained from turning with it by its bearings in the
gear case. A cylindrical lug on top of the nut fits in a hole in a bronze
traversing link, the right end of which is pivoted by the traversing-link
pivot to the traversing lug on the underside of the cradle. This pivot is
secured to the cradle-traversing lug by a nut and split pin. The left
bearing of the traversing shaft is split for the purpose of assembling
and rests between two collars on the shaft. The bearing, with the
shaft in place, is slipped into its seat in the gear case, where it is
held in position by two pins.
 TRAVERSING GEAR, VERTICAL SECTION

Elevating Gear Half Elevation and Half Section

 The Cradle Complete.—The cradle supports the gun, guides it in
recoil, and forms a housing for the recoil-controlling parts; it consists
of a flange steel body with the upper edges flanged outward. The
flanges are bronze lined, engage the clips on the gun, forming the
guide rails for the gun on recoil. Riveted to the bottom of the cradle
are four steel forgings, the pintle, traversing lug, rear clip, and
elevating and traversing lock lug. The pintle fits the pintle socket in
the rocker and forms a bearing upon which the cradle is traversed.
The traversing lug has been heretofore mentioned as affording a
point of attachment for the traversing-link pivot. The cradle rear clip,
in addition to embracing the rear end of the rocker, has a broad
bearing on the latter directly over the point of attachment of the
elevating screw.
To relieve the pointing mechanism from all strains in travelling, an
elevating and traversing lock is provided, by which the cradle may be
securely locked to the trail.
The recoil-controlling parts contained inside the cradle are the
cylinder, the piston rod, the counter-recoil buffer, the counter-recoil
springs and the spring support.
To the rear end of the cradle is riveted a steel cradle head, rear,
through which the cylinder moves in recoil and projects for
attachment to the recoil lug on the gun by means of the cylinder end
stud and nut. The front end of the cradle is closed by the cradle
head, front, and the retaining ring.
 Recoil Controlling Mechanism

The cylinder lies inside the cradle and is surrounded by the

counter-recoil springs. Its rear end is closed and has a projection on
the inside to which is screwed the counter-recoil buffer, a tapered
bronze rod which fits with small clearance into a bore at the rear end
of the piston-rod. The front end of the cylinder is closed by a bronze
oiltight gland, through which the piston-rod slides. The cylinder is
filled with a neutral oil called hydroline. The interior of the cylinder is
cylindrical. Three longitudinal ribs or throttling bars of uniform width
but varying height extend along the interior from the rear end to
within 19 inches from the front end. Three notches are cut in the
piston head, forming ports for the passage of the liquid from one side
of the piston to the other. The height of the throttling bars is
calculated so that the resistance which the liquid offers, plus the
resistance of the springs, is constant and such that the recoil will be
checked at the desired point. During recoil the front end of the
cylinder is supported by the spring support.
The piston rod is of steel, and is provided with a bronze piston
head, screwed against a shoulder at the rear end. The head has
three notches cut in its perimeter, which fit over the throttling-bar
projections on the cylinder wall. The rear end of the piston is bored
out to take the counter-recoil buffer. In counter recoil the oil in this
bore can escape only by a small clearance. In this way the return of
the gun into battery is so eased and regulated that very little shock
and consequent derangement of the aim of the piece occur. The
front end of the piston-rod is attached to the cradle head, front, by
means of the piston-rod nut.
The counter-recoil springs (three in number each 36 inches long)
are helical, being made from a rectangular steel bar coiled on edge.
They are assembled in the cradle, end to end around the cylinder
and bear in front against the spring support and in the rear against
the cradle head, rear. They are assembled under an initial
compression of approximately 750 lbs. which is sufficient to return
the gun into battery at the maximum elevation. In place of the single
counter-recoil springs a set of three inner and three outer counter-
recoil springs is also being issued.
The spring support forms a support for the front end of the cylinder
and a bearing for the front end of the spring column. It has guide
lugs which fit into and glide along guide rails inside the cradle during
recoil. The spring support is held in place by the retaining ring.

Action of the Mechanism.

The action of the recoil mechanism when the gun is fired is as
follows:—The gun moves to the rear 45 inches on the cradle,
carrying with it the cylinder and compressing the recoil springs. The
piston rod being attached to a fixed part of the carriage in front, (the
cradle-head) does not move. Therefore, since the cylinder moves to
the rear, the oil in it must pass from one side of the piston head to
the other. The energy of recoil of the gun is therefore absorbed by
the resistance which the oil offers when being forced through small
openings between the notches in the piston head and the throttling
bars along the inside of the cylinder and also by the resistance of the
counter-recoil springs to additional compression. The energy stored
up by the springs during this compression, returns the gun and
cylinder to the firing or original position. This return movement is
eased and regulated by the counter-recoil buffer. The piston rod pull
and the spring resistance are transmitted to the carriage, but owing
to the latter’s weight and the resistance opposed to the trail spade by
its engagement in the ground the carriage remains stationary.

Weights and Dimensions.

Weight of gun and carriage complete 2,520 lbs.

Width of track 60 inches
Length of recoil on carriage 45 inches
Amount of traverse of gun on carriage 140 mils
Nomenclature of important parts of the Gun Carriage:—

Axle
Trail, consisting of—
Flasks (right and left)
Tool box
Elevating gear transom
Rear sight box
Spade
Spade Edge
Float
Handspike fulcrum
Cradle, head, rear
Gun slides or Guide Rails
Cradle Pintle
Traversing lug
Rear clip
Lug for elevating and traversing lock
Bracket seat, firing handle
Quadrant fastening
Rear-sight bracket support
Front-sight bracket support
Spring-support guides
Retaining ring, with hasp and fastening
Cradle head, front
Shoulder guard
Cradle brush
Recoil-indicator throw
Recoil indicator
Cylinder head
Cylinder with cylinder end screwed in
Cylinder end stud and nut
Counter-recoil buffer
Rings, packing
Gland
Piston rod, with plug, screwed in
Piston
Piston-rod nut
Filling plug with gasket
Drain plug
Spring support
Counter-recoil springs
Rocker
Cradle Pintle socket
Elevating and traversing lock
Traversing mechanism, consisting of—
Traversing-gear case
Traversing plate
Handwheel with handle and spindle
Traversing shaft
Traversing-shaft bearing in two parts
Traversing link with bushing
Traversing-link pivot with nut
Azimuth pointer and scale
Elevating mechanism, consisting of—
Elevating pin
Inner elevating screw
Outer elevating screw
Wheels guards
Trail handles
Trail seats
 Trail-seat supports
Sponge-staff socket
Name plate
Handspike
Lunette
Cradle, consisting of—
Cradle body
Elevating bevel gear
Elevating bevel pinions
Elevating crank shafts, with handles
Elevating screw cover
Axle seats, include—
Seat arms
Seat-arm guards
Foot rests
Tie rods
Shield braces
Apron shield
Apron latches
Main shield, consisting of—
Main shield
Hood
Shutter, open-sight port
Shutter, panoramic-sight port
Top shield, consisting of—
Top shield
Top shield fastenings
Road brake, includes—
Brake beams
Brake shoes
Springs with covers
Brake rods
Brake lever
Brake shaft
Brake segment with two segment racks
Ammunition carriers
Range quadrant case