
Conclusion and Future Work

mulae with transitive closure and performs data-flow analysis interpreting formulae under a three-valued logic structure. Space constraints do not permit an in-depth discussion; thus, we only offer a high-level comparison. We trade off complete soundness (unbounded heap) for fully automatic analysis, while the above approaches either use some fixed algorithms to handle a limited number of heap structures (i.e., limited specification expressiveness) or require some level of user intervention to help the analysis.

In the end, we do not limit ourselves to the approach presented here. That is, we can incorporate richer logics and abstractions, in the same way we can enhance concrete execution with symbolic execution, as they become more mature and automated analysis becomes possible.

9.7 Conclusion and Future Work

We have presented Kiasan, an alternative technique to reason about open systems based on symbolic execution that is able to check strong heap properties. We have implemented Kiasan on top of the Bogor framework. Methodologically, we envision our tool being used similarly to frameworks like ESC/Java [FLL+02]. For example, a user can start checking a method (even compositionally) without annotation and receive error feedback from the tool. One can then inspect the feedback or look at the generated counter-examples to determine whether the errors are real errors or are due to a lack of specification. The user can either fix the code or add/modify the specifications and repeat the process. We believe using a small k for an interactive programming and checking mode is acceptable, while larger k can increasingly be employed using, for example, continuous testing [SE03] or a distributed solution. We now highlight several future research directions to improve Bogor/Kiasan.

1. Currently, Kiasan conjoins class invariants and method preconditions to generate the initial state of symbolic execution. Using a two-staged approach, where the initial state is generated based on invariants first and then a precondition is added for each method to tailor the initial state, may be better. This approach allows one to generate the initial states using class invariants only once to analyze all the methods in the class that should satisfy the invariants.

2. Our prototype uses a rudimentary specification processor that hinders us from conducting systematic case studies. To address this, we plan to collaborate with the JML-oriented Integrated Verification Environment (IVE) effort [KCH05]. By targeting the same specification language, we can reuse a significant amount of previous work, e.g., the Java library models. Moreover, [KCH05] plans to support multiple theorem provers using SMT-Lib [SMT]. This integration would allow us to cross-pollinate ideas and to conduct systematic case studies comparing ESC/Java2 and Bogor/Kiasan.

3. Section 9.4 describes how we can leverage heap region and transitivity information for checking strong heap properties. While these reasoning patterns can be used to check, for example, the merge method, we believe we need various reasoning patterns for different kinds of strong properties (e.g., monotonicity). To address this, we plan to incorporate other common reasoning patterns in Kiasan.

4. Kiasan's stateless analysis is embarrassingly parallel; we can fork the analysis when exploring different paths. This can help curb the analysis time, considering that processor developments are moving toward multi-core architectures.

Bibliography

[ABE00] Parosh Aziz Abdulla, Per Bjesse, and Niklas Eén. Symbolic reachability analysis based on SAT-solvers. In Proceedings of the 6th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'00), volume 1785 of LNCS, pages 411–425. Springer-Verlag, 2000.

[ADS91] Hiralal Agrawal, Richard A. DeMillo, and Eugene H. Spafford. An execution-backtracking approach to debugging. IEEE Software, 8(3):21–26, 1991.

[ADS93] Hiralal Agrawal, Richard A. DeMillo, and Eugene H. Spafford. Debugging with dynamic slicing and backtracking. Software - Practice and Experience, 23(6):589–616, 1993.

[AM02] Tankut Akgul and Vincent J. Mooney III. Instruction-level reverse execution for debugging. In Matthew B. Dwyer and Jens Palsberg, editors, Proceedings of the Workshop on Program Analysis For Software Tools and Engineering (PASTE'02), pages 18–25. ACM Press, 2002.

[AM04] Tankut Akgul and Vincent J. Mooney III. Assembly instruction level reverse execution for debugging. ACM Transactions on Software Engineering and Methodology, 13(2):149–198, April 2004.

[AMP04] Tankut Akgul, Vincent J. Mooney III, and Santosh Pande. A fast assembly level reverse execution method via dynamic slicing. In Proceedings of the 26th International Conference on Software Engineering (ICSE'04), pages 522–531, 2004.

[APV06] Saswat Anand, Corina S. Păsăreanu, and Willem Visser. Symbolic execution with abstract subsumption checking. In Proceedings of the 13th International SPIN Workshop on Model Checking Software, volume 3925 of LNCS, pages 163–181. Springer-Verlag, 2006.

[Bal69] R. M. Balzer. EXDAMS – EXtendable Debugging and Monitoring System. In Proceedings of the AFIPS Spring Joint Computer Conference, volume 34, pages 567–580. AFIPS Press, 1969.

[BB04] Clark Barrett and Sergey Berezin. CVC Lite: A new implementation of the cooperating validity checker. In Proceedings of the 16th International Conference on Computer Aided Verification (CAV'04), volume 3114 of LNCS, pages 515–518. Springer-Verlag, 2004.

[BC85] Jean-Francois Bergeretti and Bernard A. Carré. Information-flow and data-flow analysis of while-programs. ACM Transactions on Programming Languages and Systems (TOPLAS), 7(1):37–61, January 1985.

[BCC97] Sergey Berezin, Sérgio Vale Aguiar Campos, and Edmund M. Clarke. Compositional reasoning in model checking. In Compositionality: The Significant Difference: International Symposium, COMPOS'97, Bad Malente, Germany, September 1997. Revised Lectures, volume 1536 of LNCS, pages 81–102. Springer-Verlag, 1997.

[BCC+99] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, Masahiro Fujita, and Yunshan Zhu. Symbolic model checking using SAT procedures instead of BDDs. In Proceedings of the 36th ACM/IEEE Conference on Design Automation, pages 317–320. ACM Press, 1999.

[BCCZ99] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, and Yunshan Zhu. Symbolic model checking without BDDs. In Proceedings of the 5th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS'99), volume 1579 of LNCS, pages 193–207. Springer-Verlag, 1999.

[BCM+92] Jerry R. Burch, Edmund M. Clarke, Kenneth L. McMillan, David L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. In Proceedings of the 5th Annual IEEE Symposium on Logic in Computer Science (LICS'90), pages 428–439, 1992.

[BCO05] Josh Berdine, Cristiano Calcagno, and Peter W. O'Hearn. Symbolic execution with separation logic. In Proceedings of the Third Asian Symposium on Programming Languages and Systems, volume 3780 of LNCS, pages 52–68. Springer-Verlag, June 2005.

[BCO06] Josh Berdine, Cristiano Calcagno, and Peter W. O'Hearn. Smallfoot: modular automatic assertion checking with separation logic. In 5th International Symposium on Formal Methods for Components and Objects, volume 4111 of LNCS. Springer-Verlag, November 2006. To appear.

[BGM91] Gilles Bernot, Marie Claude Gaudel, and Bruno Marre. Software testing based on formal specifications: a theory and a tool. Software Engineering Journal, 6(6):387–405, November 1991. Michael Faraday House.

[BHRV06] Ahmed Bouajjani, Peter Habermehl, Adam Rogalewicz, and Tomás Vojnar. Abstract regular tree model checking. In Proceedings of the 7th International Workshop on Verification of Infinite-State Systems (INFINITY'05), volume 149 of ENTCS, pages 37–48. Elsevier Science, 2006.

[BJ97] Simon P. Booth and Simon B. Jones. Walk backwards to happiness – debugging by time travel. In Proceedings of the Workshop on Automated and Algorithmic Debugging, pages 171–183, 1997.

[BJ01] Joachim van den Berg and Bart Jacobs. The LOOP compiler for Java and JML. In Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2001), volume 2031 of LNCS, pages 299–312. Springer-Verlag, 2001.

[BJNT00] Ahmed Bouajjani, Bengt Jonsson, Marcus Nilsson, and Tayssir Touili. Regular model checking. In Proceedings of the 12th International Conference on Computer Aided Verification (CAV'00), volume 1855 of LNCS, pages 403–418. Springer-Verlag, 2000.

[BKM02] Chandrasekhar Boyapati, Sarfraz Khurshid, and Darko Marinov. Korat: Automated testing based on Java predicates. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA'02), pages 123–133. ACM Press, July 2002.

[BLM05] Thomas Ball, Shuvendu K. Lahiri, and Madanlal Musuvathi. Zap: Automated theorem proving for software analysis. In Proceedings of the 12th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning, volume 3835 of LNCS, pages 2–22. Springer-Verlag, 2005.

[BLS05] Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte. The Spec# programming system: An overview. In Proceedings of the Workshop on Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (CASSIS'04), volume 3362 of LNCS, pages 49–69. Springer-Verlag, 2005.

[BM99] Bitan Biswas and R. Mall. Reverse execution of programs. SIGPLAN Notices, 34(4):61–69, 1999.

[BNR03] Thomas Ball, Mayur Naik, and Sriram K. Rajamani. From symptom to cause: localizing errors in counterexample traces. In Proceedings of the 30th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL’03), pages 97–105. ACM Press, 2003.

[Bog] Bogor website. http://bogor.projects.cis.ksu.edu.

[Boo00] Bob Boothe. Efficient algorithms for bidirectional debugging. In Proceedings of the 2000 ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 299–310, 2000.

[BR00] Thomas Ball and Sriram K. Rajamani. Checking temporal properties of software with boolean programs. In Proceedings of the Workshop on Advances in Verification, 2000. Affiliated with the Conference on Computer-Aided Verification (CAV'00).

[BR01] Thomas Ball and Sriram K. Rajamani. The SLAM toolkit. In Proceedings of the 13th International Conference on Computer Aided Verification (CAV'01), volume 2102 of LNCS, pages 260–264. Springer-Verlag, 2001.

[Bru99] Derek L. Bruening. Systematic testing of multithreaded Java programs. Master's thesis, Massachusetts Institute of Technology, USA, 1999.

[Bry86] Randal E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Transactions on Computers, 35(8):677–691, August 1986.

[Bry92] Randal E. Bryant. Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293–318, 1992.

[CC77] Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the Sixth Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'77), pages 238–252. ACM Press, 1977.

[CC93] T. Y. Chen and Y. Y. Cheung. Dynamic program dicing. In Proceedings of the Conference on Software Maintenance, pages 378–385. IEEE Computer Society, 1993.

[CD89] E. M. Clarke and I. A. Draghicescu. Expressibility results for linear-time and branching-time logics. In Proceedings of the School/Workshop on Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, volume 354 of LNCS, pages 428–437. Springer-Verlag, 1989.

[CDH+00] James C. Corbett, Matthew B. Dwyer, John Hatcliff, Shawn Laubach, Corina S. Păsăreanu, Robby, and Hongjun Zheng. Bandera: Extracting finite-state models from Java source code. In Proceedings of the 22nd International Conference on Software Engineering (ICSE'00), pages 439–448. ACM Press, June 2000.

[CE81] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Proceedings of the Workshop on Logic of Programs, volume 131 of LNCS, pages 52–71. Springer-Verlag, 1981.

[CGJ+00] Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In Proceedings of the 12th International Conference on Computer Aided Verification (CAV’00), volume 1855 of LNCS, pages 154–169. Springer-Verlag, 2000.

[CJEF96] Edmund M. Clarke, Somesh Jha, Reinhard Enders, and Thomas Filkorn. Exploiting symmetry in temporal logic model checking. Formal Methods in System Design, 9(1-2):77–104, 1996.

[CK04] David R. Cok and Joseph Kiniry. ESC/Java2: Uniting ESC/Java and JML. In Proceedings of the International Workshop on Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (CASSIS’04), volume 3362 of LNCS, pages 108–128. Springer-Verlag, 2004.

[CKL04] Edmund M. Clarke, Daniel Kroening, and Flavio Lerda. A tool for checking ANSI-C programs. In Proceedings of Tools and Algorithms for the Construction and Analysis of Systems (TACAS'04), volume 2988 of LNCS, pages 168–176. Springer-Verlag, 2004.

[CL02] Yoonsik Cheon and Gary T. Leavens. A runtime assertion checker for the Java Modeling Language (JML). In Proceedings of the International Conference on Software Engineering Research and Practice (SERP’02), pages 322–328. CSREA Press, June 2002.

[Coo78] Stephen A. Cook. Soundness and completeness of an axiom system for program verification. SIAM Journal on Computing, 7(1):70–90, 1978.

[Coo02] Jonathan J. Cook. Reverse execution of Java bytecode. The Computer Journal, 45(6):608–619, 2002.

[CPF99] Christopher D. Carothers, Kalyan S. Perumalla, and Richard M. Fujimoto. Efficient optimistic parallel simulations using reverse computation. In Proceedings of the 13th Workshop on Parallel and Distributed Simulation, pages 126–135, 1999.

[CS98] Jong-Deok Choi and Harini Srinivasan. Deterministic replay of Java multithreaded applications. In Proceedings of the SIGMETRICS Symposium on Parallel and Distributed Tools (SPDT'98), pages 48–59. ACM Press, 1998.

[CSS03] Michael A. Colón, Sriram Sankaranarayanan, and Henny B. Sipma. Linear invariant generation using non-linear constraint solving. In Proceedings of the 15th International Conference on Computer Aided Verification (CAV'03), volume 2725 of LNCS, pages 420–432. Springer-Verlag, 2003.

[CU90] Wei Chen and Jan Tijmen Udding. Program inversion: more than fun! Science of Computer Programming, 15(1):1–13, November 1990.

[CVWY92] Costas Courcoubetis, Moshe Y. Vardi, Pierre Wolper, and Mihalis Yannakakis. Memory-efficient algorithms for the verification of temporal properties. Formal Methods in System Design, 1(2-3):275–288, October 1992.

[CW82] Ronald Curtis and Larry D. Wittie. BUGNET: A debugging system for parallel programming environments. In Proceedings of the 3rd International Conference on Distributed Computing Systems, pages 394–400. IEEE Computer Society, 1982.

[DF93] Jeremy Dick and Alain Faivre. Automating the generation and sequencing of test cases from model-based specifications. In Proceedings of the First International Symposium of Formal Methods Europe on Industrial-Strength Formal Methods, volume 670 of LNCS, pages 268–284. Springer-Verlag, 1993.

[Dij76] Edsger W. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, 1976.

[Dij78] Edsger W. Dijkstra. Program inversion. In Friedrich L. Bauer and Manfred Broy, editors, Program Construction, International Summer School, volume 69 of LNCS, pages 54–57. Springer-Verlag, 1978.

[Dil94] Antoni Diller. Z: An Introduction to Formal Methods, 2nd Edition. John Wiley & Sons, 1994.

[DIS99] Claudio Demartini, Radu Iosif, and Riccardo Sisto. A deadlock detection tool for concurrent Java programs. Software: Practice and Experience, 29(7):577–603, 1999.

[DLNS98] David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. Extended static checking. Technical report, COMPAQ Systems Research Center, 1998.

[DLR06] Xianghua Deng, Jooyong Lee, and Robby. Bogor/Kiasan: A k-bounded symbolic execution for checking strong heap properties of open systems. In Proceedings of the Conference on Automated Software Engineering (ASE'06), pages 157–166. IEEE Computer Society, 2006. Presented in Chapter 9.

[DNS05] David Detlefs, Greg Nelson, and James B. Saxe. Simplify: a theorem prover for program checking. Journal of the ACM (JACM), 52(3):365–473, May 2005.

[Epp85] David Eppstein. A heuristic approach to program inversion. In Proceedings of the 9th International Joint Conference on Artificial Intelligence (IJCAI'85), pages 219–221, 1985.

[ES96] E. Allen Emerson and A. Prasad Sistla. Symmetry and model checking. Formal Methods in System Design, 9(1-2):105–131, 1996.

[ES03] Niklas Eén and Niklas Sörensson. An extensible SAT-solver. In Proceedings of Theory and Applications of Satisfiability Testing, number 2919 in LNCS, pages 502–518. Springer-Verlag, 2003.

[FB89] Stuart I. Feldman and Channing B. Brown. IGOR: a system for program debugging via reversible execution. In Proceedings of the Workshop on Parallel and Distributed Debugging, pages 112–123. ACM Press, 1989.

[FLL+02] Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata. Extended static checking for Java. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (PLDI’02), volume 37 of ACM SIGPLAN Notices, pages 234–245. ACM Press, May 2002.

[Flo67a] Robert W. Floyd. Assigning meaning to programs. In Proceedings of Symposium on Applied Mathematical Aspects of Computer Science, pages 19–32, 1967.

[Flo67b] Robert W. Floyd. Nondeterministic algorithms. Journal of the ACM (JACM), 14(4):636–644, October 1967.

[GG75] John B. Goodenough and Susan L. Gerhart. Toward a theory of test data selection. In Proceedings of the International Conference on Reliable Software, pages 493–510. ACM Press, 1975.

[GK03] Robert Glück and Masahiko Kawabe. A program inverter for a functional language with equality and constructors. In Atsushi Ohori, editor, Proceedings of the First Asian Symposium on Programming Languages and Systems, volume 2895 of LNCS, pages 246–264. Springer-Verlag, 2003.

[GK04] Robert Glück and Masahiko Kawabe. Derivation of deterministic inverse programs based on LR parsing. In Yukiyoshi Kameyama and Peter J. Stuckey, editors, Proceedings of the 7th International Symposium on Functional and Logic Programming, volume 2998 of LNCS, pages 291–306. Springer-Verlag, March 2004.

[GK05] Robert Glück and Masahiko Kawabe. Revisiting an automatic program inverter for Lisp. In Proceedings of the Third Workshop on Programmable Structured Documents, January 2005. Available as SIGPLAN Notices 40(5):8–17 (2005).

[GLB75] Donald I. Good, Ralph L. London, and W. W. Bledsoe. An interactive program verification system. In Proceedings of the International Conference on Reliable Software, pages 482–492. ACM Press, 1975.

[Göd31] Kurt Gödel. Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I. Monatshefte für Mathematik, 38(1):173–198, December 1931. An English translation is available at [Göd00].

[God95] Patrice Godefroid. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem. PhD thesis, Université de Liège, 1995.

[God97] Patrice Godefroid. Model checking for programming languages using VeriSoft. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages (POPL'97), pages 174–186. ACM Press, January 1997.

[Göd00] Kurt Gödel. On formally undecidable propositions of Principia Mathematica and related systems I. Available at http://www.research.ibm.com/people/h/hirzel, 2000. English translation of [Göd31] by Martin Hirzel.

[Goo85] Donald I. Good. Mechanical proofs about computer programs. In Proceedings of a Discussion Meeting of the Royal Society of London on Mathematical Logic and Programming Languages, pages 55–75. Prentice-Hall, Inc., 1985.

[GPVW95] Rob Gerth, Doron Peled, Moshe Y. Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Proceedings of the Fifteenth IFIP WG6.1 International Symposium on Protocol Specification, Testing and Verification XV, volume 38 of IFIP Conference Proceedings, pages 3–18. Chapman & Hall, Ltd., 1995.

[Gri81] David Gries. Inverting programs. In David Gries, editor, The Science of Programming, Monographs in Computer Science, chapter 21, pages 265–274. Springer-Verlag, 1981.

[GS97] Susanne Graf and Hassen Saïdi. Construction of abstract state graphs with PVS. In Proceedings of the 9th International Conference on Computer Aided Verification (CAV'97), volume 1254 of LNCS, pages 72–83. Springer-Verlag, 1997.

[GTS06] Wolfgang Grieskamp, Nikolai Tillmann, and Wolfram Schulte. XRT - exploring runtime for .NET - architecture and applications. In Proceedings of the Workshop on Software Model Checking (SoftMC 2005), volume 144 of ENTCS, pages 3–26. Elsevier Science, February 2006.

[GV03] Alex Groce and Willem Visser. What went wrong: Explaining counterexamples. In Proceedings of the 10th International SPIN Workshop on Model Checking Software (SPIN'03), volume 2648 of LNCS, pages 121–135. Springer-Verlag, 2003.

[Hal88] P. A. V. Hall. Towards testing with respect to formal specification. In Proceedings of the Second IEE/BCS Conference on Software Engineering, pages 159–163, 1988.

[Han70] Per Brinch Hansen. The nucleus of a multiprogramming system. Communications of the ACM, 13(4):238–241, April 1970. ACM Press.

[HDZ00] John Hatcliff, Matthew B. Dwyer, and Hongjun Zheng. Slicing software for model construction. Higher-Order and Symbolic Computation, 13(4):315–353, 2000.

[HJJ+95] Jesper G. Henriksen, Jakob L. Jensen, Michael E. Jørgensen, Nils Klarlund, Robert Paige, Theis Rauhe, and Anders Sandholm. Mona: Monadic second-order logic in practice. In Proceedings of the First International Workshop on Tools and Algorithms for Construction and Analysis of Systems (TACAS'95), volume 1019 of LNCS, pages 89–110. Springer-Verlag, 1995.

[HJMS02] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'02), pages 58–70. ACM Press, 2002.

[HK76] Sidney L. Hantler and James C. King. An introduction to proving the correctness of programs. ACM Computing Surveys (CSUR), 8(3):331–353, September 1976.

[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576–580, October 1969.

[Hol97] Gerard J. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279–295, 1997.

[HP95] Hans-Martin Hörcher and Jan Peleska. Using formal specifications to support software testing. Software Quality Journal, 4(4):309–327, December 1995. Springer Netherlands.

[HP99] Klaus Havelund and Thomas Pressburger. Java PathFinder, a translator from Java to Promela. In Proceedings of 5th and 6th International SPIN Workshops, volume 1680 of LNCS, page 152. Springer-Verlag, 1999.

[HP00] Klaus Havelund and Thomas Pressburger. Model checking JAVA programs using JAVA PathFinder. International Journal on Software Tools for Technology Transfer (STTT), 2(4):366–381, March 2000.

[HS01] Gerard J. Holzmann and Margaret H. Smith. Software model checking: extracting verification models from source code. Software Testing, Verification and Reliability, 11(2):65–79, May 2001.

[ID96] C. Norris Ip and David L. Dill. Better verification through symmetry. Formal Methods in System Design, 9(1-2):41–75, 1996.

[ILL75] Shigeru Igarashi, Ralph L. London, and David C. Luckham. Automatic program verification I: A logical basis and its implementation. Acta Informatica, 4(2):145–182, June 1975.

[Jac02a] Daniel Jackson. Alloy: a lightweight object modelling notation. ACM Transactions on Software Engineering and Methodology (TOSEM), 11(2):256–290, 2002.

[Jac02b] Daniel Jackson. Alloy: A new technology for software modelling. In Proceedings of the 8th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’02), volume 2280 of LNCS. Springer-Verlag, 2002.

[JM79] Neil D. Jones and Steven S. Muchnick. Flow analysis and optimization of LISP-like structures. In Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL'79), pages 244–256. ACM Press, 1979.

[Jon90] Cliff B. Jones. Systematic Software Development using VDM. Prentice-Hall, 1990.

[KCH05] Joseph R. Kiniry, Patrice Chalin, and Clément Hurlin. Integrating static checking and interactive verification: Supporting multiple theories and provers in verification. In Proceedings of the Conference on Verified Software: Theories, Tools, Experiments, 2005. Available at http://vstte.ethz.ch/papers.html.