DOCSLIB.ORG

User Interaction in Deductive Interactive Program Verification

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
User Interaction in Deductive Interactive Program Verification User Interaction in Deductive Interactive Program Verification Zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften von der KIT-Fakult¨atf¨urInformatik des Karlsruher Instituts f¨urTechnologie (KIT) genehmigte Dissertation von Sarah Caecilia Grebing aus Mannheim Tag der m¨undlichen Pr¨ufung: 07. Februar 2019 Erster Gutachter: Prof. Dr. Bernhard Beckert Zweiter Gutachter: Assoc. Prof. Dr. Andr´ePlatzer Contents Deutsche Zusammenfassung xv 1. Introduction1 1.1. Structure and Contribution of this Thesis . .2 1.1.1. Qualitative, Explorative User Studies . .3 1.1.2. Interaction Concept for Interactive Program Verification . .5 1.2. Previously Published Material . .6 I. Foundations for this Thesis9 2. Usability of Software Systems: Background and Methods 11 2.1. Human-Computer Interaction . 12 2.2. User-Centered Process . 12 2.3. Usability . 13 2.3.1. What is Usability? . 13 2.3.2. Usability Principles . 14 2.4. Interactions . 16 2.4.1. Models of Interaction . 16 2.4.2. Interaction Styles . 18 2.5. Task Analysis . 20 2.5.1. A brief Introduction to Sequence Models . 20 2.6. Evaluation Methods . 22 2.6.1. Questionnaires . 23 2.6.2. Interviews . 24 2.6.3. Focus Groups . 24 2.6.4. Preparation and Conduction of Focus Groups and Interviews . 25 3. Interactive Deductive Program Verification 29 3.1. Introduction . 29 3.2. Logical Calculi . 30 3.3. Specification of Java Programs with JML . 32 3.3.1. Method Contracts . 33 3.3.2. Loop Invariants . 34 3.3.3. Class Invariants . 36 3.3.4. The Purpose of Specifications . 36 3.4. A Brief Introduction to Java Dynamic Logic (JavaDL) . 36 3.4.1. A Sequent Calculus for JavaDL . 38 iii Contents 3.4.2. Symbolic Execution . 41 3.4.3. Taclets . 43 3.5. Proof Process for Deductive Program Verification . 45 3.6. Interaction Styles in Interactive Program Verification Systems . 47 3.6.1. Annotation-Based Interaction . 48 3.6.2. Text-Based Interaction . 49 3.6.3. Direct Manipulation Interaction . 50 3.7. Program Verification Systems . 51 3.7.1. Direct Manipulation Interaction: KeY and KeYmaeraX . 51 3.7.2. Annotation-Based Interaction: Dafny and Why3 . 54 3.7.3. Script-Based Interaction: Isabelle/HOL and Coq . 58 II. Context of Use 61 4. User Study with Focus Groups 65 4.1. Problem Description and Research Hypothesis . 65 4.2. Study Design and Implementation . 68 4.2.1. The Script . 68 4.2.2. Participants and Setup of the Study . 71 4.2.3. Conducting the Focus Group Discussions . 72 4.3. Data Analysis . 73 4.3.1. Targets of Evaluation: KeY and Isabelle . 73 4.3.2. Strengths and Weaknesses of the Targets of Evaluation . 73 4.3.3. User Support during the Proof Process . 77 4.3.4. Mechanisms Supporting Proof State Comprehension . 80 4.3.5. The Ideal Interactive Proof System . 82 4.4. Discussion . 83 4.5. Conclusion and Future Work . 84 5. User Study: Interviews with Practical Tasks 87 5.1. Introduction . 88 5.1.1. Research Questions For This Study . 89 5.2. Prototypical History Mechanism . 90 5.2.1. Origin of Formulas . 90 5.2.2. Mocked Mechanism . 92 5.3. Methodology . 93 5.4. Script Design . 96 5.5. Running the User Study . 107 5.5.1. Moderator . 107 5.5.2. Technical Setup . 108 5.5.3. Recordings and Transcription . 108 5.5.4. Participants . 109 5.6. Results of the User Study { Proof Process . 109 5.6.1. The Proof Process . 110 iv Contents 5.6.2. Expectations if a Proof Attempt in KeY is Unfinished . 111 5.6.3. Approaches to Proceed in the Verification Process . 114 5.6.4. Improvements for User Support in the Proof Process . 118 5.6.5. Practical Task: Proof Process . 122 5.6.6. Orientation After Applying Automatic Strategies . 134 5.7. Results of the User Study { Origin of Formulas . 141 5.7.1. History Mechanism . 141 5.7.2. Origin of formulas (Practical Tasks) . 146 5.7.3. Intuition about the Origin of Formulas . 148 5.8. Conclusion and Discussion . 149 6. Summary and Conclusion 153 6.1. Summary and Conclusion . 153 6.2. Related Work . 155 III. Integration 159 7. Proof Scripting Language 163 7.1. Introduction . 163 7.2. Characteristics of Program Verification Proofs . 164 7.3. Concept for a Proof Scripting Language . 165 7.4. Prerequisites For the Proof Scripting Language . 166 7.5. Script Language Constructs . 168 7.6. An Instantiation of the Language Concept for a Proof Scripting Lan- guage for KeY . 173 7.6.1. Syntax of KPS ............................ 174 7.6.2. Configuration and Variables . 177 7.7. Formalized Semantics of KPS ........................ 178 7.7.1. Evaluation of Matching Expressions . 184 7.7.2. The keywords closes and derivable ............... 192 7.8. Conclusion and Future Work . 193 7.9. Related Work . 194 8. Proof Script Debugger 197 8.1. Debugging Proof Attempts . 198 8.1.1. Analogy between Programs and Proof Scripts . 199 8.1.2. Analogy between Debugging and Failed Proof Analysis . 200 8.1.3. Adoption of Program Debugging Methods for Proof Debugging . 201 8.2. Integrating Direct-Manipulation and Script-Based Interaction . 203 8.3. First Experiments Using the Proof Script Debugger and KPS ...... 212 8.3.1. Objectives of the Experiments . 212 8.3.2. Performing the Experiments . 213 8.3.3. Analysis of the Results and Room for Improvement . 214 v Contents 8.3.4. Experiences in Using PSDBG for the Experiments and Improve- ments . 215 8.3.5. Lessons Learned from the Evaluation . 215 8.4. Conclusion . 218 8.5. Related Work . 219 9. Proof Exploration 223 9.1. Introduction . 223 9.2. Our Concept for Proof Exploration . 224 9.2.1. Reasons and Corrective Actions for Unfinished Proof Attempts . 225 9.2.2. Exploration Actions . 226 9.3. The Exploration Mode . 228 9.4. Interaction in the Exploration Mode . 229 9.4.1. Interplay: Exploration Mode and Regular Proof Mode . 229 9.4.2. Proof Exploration in Action . 231 9.4.3. presentation of Additional Information in the Exploration Mode 234 9.5. Related Work . 236 9.6. Conclusion and Future Work . 237 10.Seamless Program Verification 239 10.1. The Structure of Verification Tasks . 241 10.2. Description of Our Concept . 242 10.2.1. Projections: Multiple Views onto the Proof Problem . 243 10.2.2. Logical and Proof Construction View . 247 10.2.3. Relations between Proof Artifacts . 249 10.3. A Concretization of the Concept . 250 10.3.1. System and Proof Overview . 251 10.3.2. The Source Code View . 253 10.3.3. The Interplay between System and Proof Overview and Source Code View .............................. 255 10.3.4. Logical and Proof Construction View . 255 10.3.5. Interplay between the Source Code View and the Logical and Proof Construction View ...................... 259 10.4. Conclusion and Future Work . 260 10.5. Related Work . 261 IV. Conclusion 265 11.Conclusions 267 V. Bibliography 271 vi Contents VI. Appendix 287 A. Appendix: Focus Groups 289 A.1. Examples for Visual Cues in the Focus Group Discussions . 289 A.1.1. Isabelle . 289 A.1.2. KeY System . 290 B. Appendix: User Study 291 B.1. Proof Process . ..
Load more

Recommended publications
  • Well-Founded Functions and Extreme Predicates in Dafny: a Tutorial
    EPiC Series in Computing Volume 40, 2016, Pages 52–66 IWIL-2015. 11th International Work- shop on the Implementation of Logics Well-founded Functions and Extreme Predicates in Dafny: A Tutorial K. Rustan M. Leino Microsoft Research [email protected] Abstract A recursive function is well defined if its every recursive call corresponds a decrease in some well-founded order. Such well-founded functions are useful for example in computer programs when computing a value from some input. A boolean function can also be defined as an extreme solution to a recurrence relation, that is, as a least or greatest fixpoint of some functor. Such extreme predicates are useful for example in logic when encoding a set of inductive or coinductive inference rules. The verification-aware programming language Dafny supports both well-founded functions and extreme predicates. This tutorial describes the difference in general terms, and then describes novel syntactic support in Dafny for defining and proving lemmas with extreme predicates. Various examples and considerations are given. Although Dafny’s verifier has at its core a first-order SMT solver, Dafny’s logical encoding makes it possible to reason about fixpoints in an automated way. 0. Introduction Recursive functions are a core part of computer science and mathematics. Roughly speaking, when the definition of such a function spells out a terminating computation from given arguments, we may refer to it as a well-founded function. For example, the common factorial and Fibonacci functions are well-founded functions. There are also other ways to define functions. An important case regards the definition of a boolean function as an extreme solution (that is, a least or greatest solution) to some equation.
    [Show full text]
  • Programming Language Features for Refinement
    Programming Language Features for Refinement Jason Koenig K. Rustan M. Leino Stanford University Microsoft Research [email protected] [email protected] Algorithmic and data refinement are well studied topics that provide a mathematically rigorous ap- proach to gradually introducing details in the implementation of software. Program refinements are performed in the context of some programming language, but mainstream languages lack features for recording the sequence of refinement steps in the program text. To experiment with the combination of refinement, automated verification, and language design, refinement features have been added to the verification-aware programming language Dafny. This paper describes those features and reflects on some initial usage thereof. 0. Introduction Two major problems faced by software engineers are the development of software and the maintenance of software. In addition to fixing bugs, maintenance involves adapting the software to new or previously underappreciated scenarios, for example, using new APIs, supporting new hardware, or improving the performance. Software version control systems track the history of software changes, but older versions typically do not play any significant role in understanding or evolving the software further. For exam- ple, when a simple but inefficient data structure is replaced by a more efficient one, the program edits are destructive. Consequently, understanding the new code may be significantly more difficult than un- derstanding the initial version, because the source code will only show how the more complicated data structure is used. The initial development of the software may proceed in a similar way, whereby a software engi- neer first implements the basic functionality and then extends it with additional functionality or more advanced behaviors.
    [Show full text]
  • Developing Verified Sequential Programs with Event-B
    UNIVERSITY OF SOUTHAMPTON Developing Verified Sequential Programs with Event-B by Mohammadsadegh Dalvandi A thesis submitted in partial fulfillment for the degree of Doctor of Philosophy in the Faculty of Physical Sciences and Engineering Electronics and Computer Science April 2018 UNIVERSITY OF SOUTHAMPTON ABSTRACT FACULTY OF PHYSICAL SCIENCES AND ENGINEERING ELECTRONICS AND COMPUTER SCIENCE Doctor of Philosophy by Mohammadsadegh Dalvandi The constructive approach to software correctness aims at formal modelling of the in- tended behaviour and structure of a system in different levels of abstraction and verifying properties of models. The target of analytical approach is to verify properties of the final program code. A high level look at these two approaches suggests that the con- structive and analytical approaches should complement each other well. The aim of this thesis is to build a link between Event-B (constructive approach) and Dafny (analytical approach) for developing sequential verified programs. The first contribution of this the- sis is a tool supported method for transforming Event-B models to simple Dafny code contracts (in the form of method pre- and post-conditions). Transformation of Event-B formal models to Dafny method declarations and code contracts is enabled by a set of transformation rules. Using this set of transformation rules, one can generate code contracts from Event-B models but not implementations. The generated code contracts must be seen as an interface that can be implemented. If there is an implementation that satisfies the generated contracts then it is considered to be a correct implementation of the abstract Event-B model. A tool for automatic transformation of Event-B models to simple Dafny code contracts is presented.
    [Show full text]
  • Master's Thesis
    FACULTY OF SCIENCE AND TECHNOLOGY MASTER'S THESIS Study programme/specialisation: Computer Science Spring / Autumn semester, 20......19 Open/Confidential Author: ………………………………………… Nicolas Fløysvik (signature of author) Programme coordinator: Hein Meling Supervisor(s): Hein Meling Title of master's thesis: Using domain restricted types to improve code correctness Credits: 30 Keywords: Domain restrictions, Formal specifications, Number of pages: …………………75 symbolic execution, Rolsyn analyzer, + supplemental material/other: …………0 Stavanger,……………………….15/06/2019 date/year Title page for Master's Thesis Faculty of Science and Technology Domain Restricted Types for Improved Code Correctness Nicolas Fløysvik University of Stavanger Supervised by: Professor Hein Meling University of Stavanger June 2019 Abstract ReDi is a new static analysis tool for improving code correctness. It targets the C# language and is a .NET Roslyn live analyzer providing live analysis feedback to the developers using it. ReDi uses principles from formal specification and symbolic execution to implement methods for performing domain restriction on variables, parameters, and return values. A domain restriction is an invariant implemented as a check function, that can be applied to variables utilizing an annotation referring to the check method. ReDi can also help to prevent runtime exceptions caused by null pointers. ReDi can prevent null exceptions by integrating nullability into the domain of the variables, making it feasible for ReDi to statically keep track of null, and de- tecting variables that may be null when used. ReDi shows promising results with finding inconsistencies and faults in some programming projects, the open source CoreWiki project by Jeff Fritz and several web service API projects for services offered by Innovation Norway.
    [Show full text]
  • Essays on Emotional Well-Being, Health Insurance Disparities and Health Insurance Markets
    University of New Mexico UNM Digital Repository Economics ETDs Electronic Theses and Dissertations Summer 7-15-2020 Essays on Emotional Well-being, Health Insurance Disparities and Health Insurance Markets Disha Shende Follow this and additional works at: https://digitalrepository.unm.edu/econ_etds Part of the Behavioral Economics Commons, Health Economics Commons, and the Public Economics Commons Recommended Citation Shende, Disha. "Essays on Emotional Well-being, Health Insurance Disparities and Health Insurance Markets." (2020). https://digitalrepository.unm.edu/econ_etds/115 This Dissertation is brought to you for free and open access by the Electronic Theses and Dissertations at UNM Digital Repository. It has been accepted for inclusion in Economics ETDs by an authorized administrator of UNM Digital Repository. For more information, please contact [email protected], [email protected], [email protected]. Disha Shende Candidate Economics Department This dissertation is approved, and it is acceptable in quality and form for publication: Approved by the Dissertation Committee: Alok Bohara, Chairperson Richard Santos Sarah Stith Smita Pakhale i Essays on Emotional Well-being, Health Insurance Disparities and Health Insurance Markets DISHA SHENDE B.Tech., Shri Guru Govind Singh Inst. of Engr. and Tech., India, 2010 M.A., Applied Economics, University of Cincinnati, 2015 M.A., Economics, University of New Mexico, 2017 DISSERTATION Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy Economics At the The University of New Mexico Albuquerque, New Mexico July 2020 ii DEDICATION To all the revolutionary figures who fought for my right to education iii ACKNOWLEDGEMENT This has been one of the most important bodies of work in my academic career so far.
    [Show full text]
  • Dafny: an Automatic Program Verifier for Functional Correctness K
    Dafny: An Automatic Program Verifier for Functional Correctness K. Rustan M. Leino Microsoft Research [email protected] Abstract Traditionally, the full verification of a program’s functional correctness has been obtained with pen and paper or with interactive proof assistants, whereas only reduced verification tasks, such as ex- tended static checking, have enjoyed the automation offered by satisfiability-modulo-theories (SMT) solvers. More recently, powerful SMT solvers and well-designed program verifiers are starting to break that tradition, thus reducing the effort involved in doing full verification. This paper gives a tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs. The paper describes the features incorporated in Dafny, illustrating their use by small examples and giving a taste of how they are coded for an SMT solver. As a larger case study, the paper shows the full functional specification of the Schorr-Waite algorithm in Dafny. 0 Introduction Applications of program verification technology fall into a spectrum of assurance levels, at one extreme proving that the program lives up to its functional specification (e.g., [8, 23, 28]), at the other extreme just finding some likely bugs (e.g., [19, 24]). Traditionally, program verifiers at the high end of the spectrum have used interactive proof assistants, which require the user to have a high degree of prover expertise, invoking tactics or guiding the tool through its various symbolic manipulations. Because they limit which program properties they reason about, tools at the low end of the spectrum have been able to take advantage of satisfiability-modulo-theories (SMT) solvers, which offer some fixed set of automatic decision procedures [18, 5].
    [Show full text]
  • Bounded Model Checking of Pointer Programs Revisited?
    Bounded Model Checking of Pointer Programs Revisited? Witold Charatonik1 and Piotr Witkowski2 1 Institute of Computer Science, University of Wroclaw, [email protected] 2 [email protected] Abstract. Bounded model checking of pointer programs is a debugging technique for programs that manipulate dynamically allocated pointer structures on the heap. It is based on the following four observations. First, error conditions like dereference of a dangling pointer, are express- ible in a fragment of first-order logic with two-variables. Second, the fragment is closed under weakest preconditions wrt. finite paths. Third, data structures like trees, lists etc. are expressible by inductive predi- cates defined in a fragment of Datalog. Finally, the combination of the two fragments of the two-variable logic and Datalog is decidable. In this paper we improve this technique by extending the expressivity of the underlying logics. In a sequence of examples we demonstrate that the new logic is capable of modeling more sophisticated data structures with more complex dependencies on heaps and more complex analyses. 1 Introduction Automated verification of programs manipulating dynamically allocated pointer structures is a challenging and important problem. In [11] the authors proposed a bounded model checking (BMC) procedure for imperative programs that manipulate dynamically allocated pointer struc- tures on the heap. Although in this procedure an explicit bound is assumed on the length of the program execution, the size of the initial data structure is not bounded. Therefore, such programs form infinite and infinitely branching transition systems. The procedure is based on the following four observations. First, error conditions like dereference of a dangling pointer, are expressible in a fragment of first-order logic with two-variables.
    [Show full text]
  • The Merger Control Review
    [ Exclusively for: Suncica Vaglenarova | 09-Sep-15, 07:52 AM ] ©The Law Reviews The MergerThe Control Review Merger Control Review Sixth Edition Editor Ilene Knable Gotts Law Business Research The Merger Control Review The Merger Control Review Reproduced with permission from Law Business Research Ltd. This article was first published in The Merger Control Review - Edition 6 (published in July 2015 – editor Ilene Knable Gotts) For further information please email [email protected] The Merger Control Review Sixth Edition Editor Ilene Knable Gotts Law Business Research Ltd PUBLISHER Gideon Roberton BUSINESS DEVELOPMENT MANAGER Nick Barette SENIOR ACCOUNT MANAGERS Katherine Jablonowska, Thomas Lee, Felicity Bown ACCOUNT MANAGER Joel Woods PUBLISHING MANAGER Lucy Brewer MARKETING ASSISTANT Rebecca Mogridge EDITORIAL COORDINATOR Shani Bans HEAD OF PRODUCTION Adam Myers PRODUCTION EDITOR Anne Borthwick SUBEDITOR Caroline Herbert MANAGING DIRECTOR Richard Davey Published in the United Kingdom by Law Business Research Ltd, London 87 Lancaster Road, London, W11 1QQ, UK © 2015 Law Business Research Ltd www.TheLawReviews.co.uk No photocopying: copyright licences do not apply. The information provided in this publication is general and may not apply in a specific situation, nor does it necessarily represent the views of authors’ firms or their clients. Legal advice should always be sought before taking any legal action based on the information provided. The publishers accept no responsibility for any acts or omissions contained herein. Although the information provided is accurate as of July 2015, be advised that this is a developing area. Enquiries concerning reproduction should be sent to Law Business Research, at the address above.
    [Show full text]
  • Metadefender Core V4.17.3
    MetaDefender Core v4.17.3 © 2020 OPSWAT, Inc. All rights reserved. OPSWAT®, MetadefenderTM and the OPSWAT logo are trademarks of OPSWAT, Inc. All other trademarks, trade names, service marks, service names, and images mentioned and/or used herein belong to their respective owners. Table of Contents About This Guide 13 Key Features of MetaDefender Core 14 1. Quick Start with MetaDefender Core 15 1.1. Installation 15 Operating system invariant initial steps 15 Basic setup 16 1.1.1. Configuration wizard 16 1.2. License Activation 21 1.3. Process Files with MetaDefender Core 21 2. Installing or Upgrading MetaDefender Core 22 2.1. Recommended System Configuration 22 Microsoft Windows Deployments 22 Unix Based Deployments 24 Data Retention 26 Custom Engines 27 Browser Requirements for the Metadefender Core Management Console 27 2.2. Installing MetaDefender 27 Installation 27 Installation notes 27 2.2.1. Installing Metadefender Core using command line 28 2.2.2. Installing Metadefender Core using the Install Wizard 31 2.3. Upgrading MetaDefender Core 31 Upgrading from MetaDefender Core 3.x 31 Upgrading from MetaDefender Core 4.x 31 2.4. MetaDefender Core Licensing 32 2.4.1. Activating Metadefender Licenses 32 2.4.2. Checking Your Metadefender Core License 37 2.5. Performance and Load Estimation 38 What to know before reading the results: Some factors that affect performance 38 How test results are calculated 39 Test Reports 39 Performance Report - Multi-Scanning On Linux 39 Performance Report - Multi-Scanning On Windows 43 2.6. Special installation options 46 Use RAMDISK for the tempdirectory 46 3.
    [Show full text]
  • Btech Cse Syllabus 2017.Pdf
    NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL RULES AND REGULATIONS SCHEME OF INSTRUCTION AND SYLLABI FOR B.TECH PROGRAM Effective from 2017-18 DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL VISION Towards a Global Knowledge Hub, striving continuously in pursuit of excellence in Education, Research, Entrepreneurship and Technological services to the society. MISSION Imparting total quality education to develop innovative, entrepreneurial and ethical future professionals fit for globally competitive environment. Allowing stake holders to share our reservoir of experience in education and knowledge for mutual enrichment in the field of technical education. Fostering product oriented research for establishing a self-sustaining and wealth creating centre to serve the societal needs. DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING VISION Attaining global recognition in Computer Science & Engineering education, research and training to meet the growing needs of the industry and society. MISSION Imparting quality education through well-designed curriculum in tune with the challenging software needs of the industry. Providing state-of-art research facilities to generate knowledge and develop technologies in the thrust areas of Computer Science and Engineering. Developing linkages with world class organizations to strengthen industry-academia relationships for mutual benefit. DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING B.TECH IN COMPUTER SCIENCE AND ENGINEERING PROGRAM EDUCATIONAL OBJECTIVES Apply computer science theory blended with mathematics and engineering to model PEO1 computing systems. Design, implement, test and maintain software systems based on requirement PEO2 specifications. Communicate effectively with team members, engage in applying technologies and PEO3 lead teams in industry. Assess the computing systems from the view point of quality, security, privacy, cost, PEO4 utility, etiquette and ethics.
    [Show full text]
  • Developing Verified Programs with Dafny
    Developing Verified Programs with Dafny K. Rustan M. Leino Microsoft Research, Redmond, WA, USA [email protected] Abstract—Dafny is a programming language and program method Sort(a: int, b: int, c: int) returns (x: int, y: int, z: int) verifier. The language includes specification constructs and the ensures x ≤ y ≤ z ^ multiset{a, b, c} = multiset{x, y, z}; verifier checks that the program lives up to its specifications. { These tutorial notes give some Dafny programs used as examples x, y, z := a, b, c; if z < y { y, z := z, y; } in the tutorial. if y < x { x, y := y, x; } if z < y { y, z := z, y; } I. INTRODUCTION } Reasoning about programs is a fundamental skill that every software engineer needs. Dafny is a programming language Fig. 0. Example that shows some basic features of Dafny. The method’s specification says that x,y,z is a sorted version of a,b,c, and the verifier designed with verification in mind [0]. It can be used to automatically checks the code to satisfy this specification. develop provably correct code (e.g., [1]). Because its state-of- the-art program verifier is easy to run—it runs automatically method TriangleNumber(N: int) returns (t: int) 0 in the background in the integrated development environment requires 0 ≤ N; and it runs at the click of a button in the web version1—Dafny ensures t = N*(N+1) / 2; { also stands out as a tool that through its analysis feedback t := 0; helps teach reasoning about programs. This tutorial shows how var n := 0; while n < N to use Dafny, and these tutorial notes show some example invariant 0 ≤ n ≤ N ^ t = n*(n+1) / 2; programs that highlight major features of Dafny.
    [Show full text]
  • Vexcel Imaging / Microsoft Photogrammetry User Meeting, Tokyo, September 2008
    Vexcel Imaging / Microsoft Photogrammetry User Meeting, Tokyo, September 2008 Michael Gruber, [email protected] Vexcel Imaging Photogrammetry Products UltraCamXp UltraCam Xp Based on the most successfull UltraCamX Key features • CCD size 6.0 µm (UCX: 7.2 µm) • 195 Mega pixel (UCX: 136 Mega pixel) • Storage system 2 x 2.1 Terra byte (UCX: 2 x 1.7 TB) • Storage system 6600 images (UCX: 4700 images) • New filters for even improved image dynamic UltraCam Xp Projects • 500m flying height ‐> 2.9 cm GSD ‐> 514m strip width • 1000m flying height ‐> 5.8 cm GSD ‐> 1028m strip width • 3000m flying height ‐> 17.4 cm GSD ‐> 3085m strip width Largest digital camera world‐wide Lowest possible collection costs Most efficient digital camera world‐wide Success Story Sales Figures • 244 cameras world‐wide • 101 cameras of UCD and UCX • 47 UltraCamD • 54 UltraCamX Announcement: The UltraCam #100 has been sold in July 2008 Vexcel market share to Geokosmos, Russia, 42% with UCD/UCX by our partner GeoLidar Success Story Sales Figures Announcement: • 244 cameras world‐wide Aerodata, Belgium, • 103 cameras of UCD, UCX purchased UltraCam Xp and UCXp #1 and #2 at ISPRS 08 • 47 UltraCamD • 54 UltraCamX • 2 UltraCamXp • (end of July 08) UltraCamXp Computing Unit exchangeable Data Unit Data Unit Docking Station 4 parallel Download Ports UltraCamXp Largest Image Format 17310 by 11310 pixel (195 Mpixel) On board Data Storage 6600 Frames / Data Unit Short frame intervall (2 sec) 3cm GSD / 60% Endlap / 140 kn Microsoft/Vexcel Aerial Camera Evolution UltraCamD
    [Show full text]