pith. sign in

arxiv: 2606.08824 · v1 · pith:FVKDMZPFnew · submitted 2026-06-07 · 💻 cs.SE

Syntax-driven Incremental Program Verification of Matching Logic Properties

Pith reviewed 2026-06-27 17:41 UTC · model grok-4.3

classification 💻 cs.SE
keywords incremental verificationmatching logicoperator precedence grammarsynthesized attributesKernelCformal methodsprogram annotation
0
0 comments X

The pith

Expressing KernelC syntax as an operator precedence grammar and semantics as a synthesized attribute schema allows re-verification of only the program parts affected by a change.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a method for incrementally verifying KernelC programs annotated with matching logic properties. Syntax is captured by an operator precedence grammar while semantics are captured by a synthesized attribute schema; together they support analysis of code chunks in isolation. After an edit, only the fragment whose semantics changes is re-processed. A prototype shows the method preserves overall verification efficiency and can reduce work relative to full re-verification when annotations, change location, and program structure align favorably.

Core claim

By representing the language syntax through an operator precedence grammar and formalizing its semantics through a synthesized attribute schema, verification of matching logic properties can be performed on isolated code chunks so that a change triggers re-processing solely of the semantically affected fragment.

What carries the argument

Operator precedence grammar paired with synthesized attribute schema, which computes semantic information bottom-up to determine which program fragments must be re-verified after an edit.

If this is right

  • Verification cost scales with the size of the changed semantic region rather than the whole program
  • Continuous re-verification after each edit becomes feasible for long-lived systems
  • Performance gains appear when changes are local and annotations are present in the affected region
  • The same matching logic properties are checked as in non-incremental verification

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same isolation technique could be applied to other languages whose syntax admits an operator precedence grammar
  • Integration with development environments could deliver verification results immediately after small edits
  • Savings would grow with program size provided the grammar and attribute schema remain complete

Load-bearing premise

That any change to a program fragment affects only a localized semantic region that the attribute schema can isolate without missing or over-including other parts.

What would settle it

An experiment on a changed program in which verification results for an unrelated distant fragment differ from the results obtained before the change.

Figures

Figures reproduced from arXiv: 2606.08824 by Alessandro Maria Rizzi, Antonio Filieri, Carlo Ghezzi, Dino Mandrioli, Domenico Bianculli.

Figure 1
Figure 1. Figure 1: Example of an operator grammar and its operator precedence matrix [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The syntax tree of sentence 𝑥𝑦𝑧𝑣𝑤 symbol ‘#’, which yields precedence to all symbols in 𝑉𝑇 and over which all symbols in 𝑉𝑇 take precedence, we obtain the following labeling of the string: ‘#’ ⋖ ‘n’ ⋗ ‘+’ ⋖ ‘n’ ⋗ ‘*’  ‘n’ ⋗ ‘#’. This labeled string displays two occurrences of the rhs ‘n’ (each of them enclosed in a ⟨⋖, ⋗⟩ pair); each of them can be reduced, in any order, to the corresponding lhs T. Since … view at source ↗
Figure 3
Figure 3. Figure 3: Incremental evaluation of semantic attributes [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Excerpt of the KernelC grammar In the rest of the section we describe semantics by presenting, for each type of syntactic con￾struct, the structure of the corresponding cells and the associated reachability rules. Due to space reasons, we omit the description of input/output and provide only a short overview to mem￾ory management; the description of the complete semantics for these constructs is available … view at source ↗
Figure 5
Figure 5. Figure 5: The Process and Check algorithms for verification tasks 4.1 Overview As we mentioned earlier, our approach can handle program verification at any level of precision, ranging from Hoare-style program verification, when the program is fully annotated, to debugging￾style verification if few or no annotations are provided. In fact, a distinguishing feature of Matching Logic is the integration of symbolic inter… view at source ↗
Figure 6
Figure 6. Figure 6: The CompAttribute algorithm for semantic attribute evaluation rules defined in Section 3 as templates which are instantiated on the actual code of the program to be verified. • 𝑉 , a set of pending verification tasks. • 𝐶, a boolean flag indicating whether the specification can be satisfied, according to the information available at the node. • Two attributes 𝑆 and 𝐹 to handle struct definitions. Our synta… view at source ↗
Figure 7
Figure 7. Figure 7: Sample parse tree 1: function CheckNonFinal(𝐶𝑟 ) 2: for 𝑐𝑖 ∈ 𝐶𝑟 do 3: if isNonFinal(𝑐𝑖 ) then 4: return delay 5: end if 6: end for 7: return false 8: end function [PITH_FULL_IMAGE:figures/full_fig_p024_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: The CheckNonFinal function changed to handle delayed verification tasks To deal with delayed verification tasks, we have to modify the Check algorithm in figure 5, described in Section 4.1. While the original formulation assumed that 𝑅𝑣 contains the complete semantics, and thus the Process algorithm could complete the execution of the verification task, the modified version must also handle the case in whi… view at source ↗
Figure 9
Figure 9. Figure 9: List sort example (see Fig. 10 for the functions used in the [PITH_FULL_IMAGE:figures/full_fig_p026_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Signatures and description of the functions and predicates used in the [PITH_FULL_IMAGE:figures/full_fig_p027_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: List of abbreviations , Vol. 1, No. 1, Article . Publication date: June 2026 [PITH_FULL_IMAGE:figures/full_fig_p027_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Sketch of the abstract syntax tree of the example in Fig. 9 [PITH_FULL_IMAGE:figures/full_fig_p028_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: Simplified abstract syntax tree of the swap function. Triangle-shaped leaves correspond to subtrees not expanded; the numbers on them refer to the corresponding line numbers in [PITH_FULL_IMAGE:figures/full_fig_p028_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: Steps of the symbolic execution for the example in Fig. 9 (nodes are labeled with the configuration [PITH_FULL_IMAGE:figures/full_fig_p032_14.png] view at source ↗
Figure 15
Figure 15. Figure 15: Subtree affected by the change at line 9 of the example in Fig. 9 [PITH_FULL_IMAGE:figures/full_fig_p033_15.png] view at source ↗
Figure 16
Figure 16. Figure 16: Part of the syntax tree of the example in Fig. 9 affected by the change [PITH_FULL_IMAGE:figures/full_fig_p034_16.png] view at source ↗
Figure 18
Figure 18. Figure 18: Steps of the symbolic execution for the example in Fig. 9 modified with the change at line 9 (nodes [PITH_FULL_IMAGE:figures/full_fig_p036_18.png] view at source ↗
Figure 19
Figure 19. Figure 19: Excerpt of the reduced symbolic execution for the example in Fig. 9 modified with the change at [PITH_FULL_IMAGE:figures/full_fig_p037_19.png] view at source ↗
Figure 20
Figure 20. Figure 20: The architecture of SCMatchC type of changes) affect the benefits of our approach for incremental verification. More specifically, we evaluate our approach by answering the following research questions: RQ1: What is the overhead introduced by the machinery needed to support our syntax-based incre￾mental verification approach when compared with non-incremental tools for the verification of matching logic p… view at source ↗
Figure 21
Figure 21. Figure 21: Subtree representing the statement at line 12 of the [PITH_FULL_IMAGE:figures/full_fig_p058_21.png] view at source ↗
Figure 22
Figure 22. Figure 22: Subtree representing the statement at line 14 of the [PITH_FULL_IMAGE:figures/full_fig_p059_22.png] view at source ↗
Figure 23
Figure 23. Figure 23: Subtree representing the statement at line 10 of the [PITH_FULL_IMAGE:figures/full_fig_p059_23.png] view at source ↗
Figure 24
Figure 24. Figure 24: Subtree representing the statement at line 8 of the [PITH_FULL_IMAGE:figures/full_fig_p060_24.png] view at source ↗
Figure 25
Figure 25. Figure 25: Excerpt from the abstract syntax tree in Fig. 12, corresponding to the declaration of [PITH_FULL_IMAGE:figures/full_fig_p060_25.png] view at source ↗
read the original abstract

Incrementality is a fundamental design principle to master the complexity of large, long-lived software systems. This principle has been embraced by agile development processes and it lays at the base of continuous software evolution. A major challenge in this context is to incrementally re-verify the correctness of software artifacts after every change, focusing the verification efforts only on the parts affected by the change. We present an approach to the incremental verification of programs written in KernelC, annotated with properties expressed in matching logic. The approach is based on a syntactic-semantic framework that enables analyzing code chunks in isolation so that, after a change to a program fragment, only the part whose semantics is affected by the change is re-processed. This property is obtained by expressing the language syntax through an operator precedence grammar and by formalizing its semantics through a synthesized attribute schema. We have implemented our technique in a prototype tool and experimentally evaluated its effectiveness. The results show that our approach does not penalize the efficiency of formal verification and can outperform program re-verification after changes, depending on the presence and type of annotations, as well as the position of the change and the program structure.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper presents a syntax-driven framework for incremental verification of matching logic properties on KernelC programs. Syntax is captured via an operator precedence grammar and semantics via a synthesized attribute schema; this combination is claimed to permit isolating code chunks so that only semantically affected fragments are re-processed after a change. A prototype implementation is described and experimentally evaluated, with the abstract asserting that the approach incurs no efficiency penalty relative to full re-verification and can outperform it depending on annotation presence, change location, and program structure.

Significance. If the isolation property is shown to hold for realistic changes and the experimental claims are substantiated with concrete benchmarks and metrics, the work would contribute a lightweight, syntax-based route to incremental verification that re-uses standard grammar and attribute machinery. The explicit grounding in operator-precedence grammars and synthesized attributes is a strength, as it avoids ad-hoc incremental machinery and makes the isolation argument derivable from the grammar definition.

major comments (1)
  1. [Experimental Evaluation] Experimental Evaluation (or equivalent section containing the reported results): the abstract asserts that the prototype 'does not penalize the efficiency of formal verification and can outperform program re-verification after changes' yet supplies no benchmark programs, change scenarios, annotation types, measured metrics (time, memory, number of re-verified fragments), or baseline comparison. Without these data the central empirical claim that the approach is practically viable remains unsupported.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the review and for highlighting the need for concrete experimental details. We respond to the single major comment below.

read point-by-point responses
  1. Referee: [Experimental Evaluation] Experimental Evaluation (or equivalent section containing the reported results): the abstract asserts that the prototype 'does not penalize the efficiency of formal verification and can outperform program re-verification after changes' yet supplies no benchmark programs, change scenarios, annotation types, measured metrics (time, memory, number of re-verified fragments), or baseline comparison. Without these data the central empirical claim that the approach is practically viable remains unsupported.

    Authors: We agree with the referee that the current manuscript states experimental results at a high level in the abstract and introduction but does not supply the requested concrete details (specific KernelC benchmark programs, change scenarios, annotation types, quantitative metrics, or baseline comparisons). This omission leaves the central empirical claim unsupported. We will revise the paper by adding (or substantially expanding) an Experimental Evaluation section that reports the prototype's benchmarks, the change scenarios considered, the annotation types used, measured metrics (verification time, memory, number of re-verified fragments), and direct comparisons against full re-verification. The revised section will also discuss how results vary with annotation presence, change location, and program structure. revision: yes

Circularity Check

0 steps flagged

No significant circularity; direct application of standard grammar/attribute concepts

full rationale

The paper's central claim rests on expressing KernelC syntax via an operator precedence grammar and semantics via a synthesized attribute schema to enable isolation of affected code fragments for incremental re-verification. No equations, fitted parameters, predictions, or self-citations appear in the abstract or description that reduce any result to its own inputs by construction. The approach is presented as a straightforward formalization using established syntactic-semantic techniques without self-referential definitions or load-bearing prior-author uniqueness theorems. This is the most common honest non-finding for framework papers that apply known formalisms to a new domain.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on two domain assumptions about the suitability of operator precedence grammars and synthesized attributes for isolating semantic effects; no free parameters or invented entities are introduced.

axioms (2)
  • domain assumption The syntax of KernelC can be expressed through an operator precedence grammar that enables isolation of code chunks.
    Invoked to support analyzing fragments in isolation after changes.
  • domain assumption The semantics of KernelC can be formalized through a synthesized attribute schema that localizes effects of changes.
    Invoked to ensure only affected parts are re-processed.

pith-pipeline@v0.9.1-grok · 5739 in / 1368 out tokens · 23075 ms · 2026-06-27T17:41:56.128296+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

59 extracted references · 34 canonical work pages

  1. [1]

    Alessandro Barenghi, Stefano Crespi Reghizzi, Dino Mandrioli, Federica Panella, and Matteo Pradella. 2015. Parallel Parsing Made Practical. Science of Computer Programming 112, P3 (Nov. 2015), 195–226. DOI:http://dx.doi.org/10.1016/ j.scico.2015.09.002

  2. [2]

    Martin Steve Mellor, Ken Schwaber, Jeff Sutherland, and Dave Thomas

    Kent Beck, Mike Beedle, Arie van Bennekum, Alistair Cockburn, Ward Cunningham, Martin Fowler, James Grenning, Jim Highsmith, Andrew Hunt, Ron Jeffries, Jon Kern, Brian Marick, Robert C. Martin Steve Mellor, Ken Schwaber, Jeff Sutherland, and Dave Thomas. 2001. Manifesto for Agile Software Development. http://agilemanifesto.org/. (2001)

  3. [3]

    Domenico Bianculli, Antonio Filieri, Carlo Ghezzi, and Dino Mandrioli. 2013. A Syntactic-Semantic Approach to Incremental Verification. (2013). http://arxiv.org/abs/1304.8034

  4. [4]

    Domenico Bianculli, Antonio Filieri, Carlo Ghezzi, and Dino Mandrioli. 2014. Incremental Syntactic-semantic Reliability Analysis of Evolving Structured Workflows. InPart I of the Proceedings of the 6th International Symposium on Leveraging Applications of Formal Methods, Verification and Validation. Technologies for Mastering Change, ISoLA’14 (Lecture Not...

  5. [5]

    Domenico Bianculli, Antonio Filieri, Carlo Ghezzi, and Dino Mandrioli. 2015a. Syntactic-semantic Incrementality for Agile Verification. Science of Computer Programming 97 (2015), 47–54. DOI:http://dx.doi.org/10.1016/j.scico.2013.11.026

  6. [6]

    Domenico Bianculli, Antonio Filieri, Carlo Ghezzi, Dino Mandrioli, and Alessandro Maria Rizzi. 2015b. Syntax-driven Program Verification of Matching Logic Properties. In Proceedings of the 3rd IEEE/ACM FME Workshop on Formal Methods in Software Engineering (FORMALISE’15). IEEE Computer Society Press, Los Alamitos, CA, USA, 68–74. DOI: http://dx.doi.org/10...

  7. [7]

    Poppleton

    Geoff Birch, Bernd Fischer, and Michael R. Poppleton. 2015. Fast Model-Based Fault Localisation with Test Suites . Springer-Verlag, Berlin, Heidelberg, 38–57. DOI:http://dx.doi.org/10.1007/978-3-319-21215-9_3

  8. [8]

    Roderick Bloem, Rolf Drechsler, Görschwin Fey, Alexander Finder, Georg Hofferek, Robert Könighofer, Jaan Raik, Urmas Repinski, and André Sülflow. 2013. FoREnSiC– An Automatic Debugging Environment for C Programs . Springer- Verlag, Berlin, Heidelberg, 260–265. DOI:http://dx.doi.org/10.1007/978-3-642-39611-3_24

  9. [9]

    O’Hearn, and Hongseok Yang

    Cristiano Calcagno, Dino Distefano, Peter W. O’Hearn, and Hongseok Yang. 2011. Compositional Shape Analysis by Means of Bi-Abduction. J. ACM 58, 6, Article 26 (Dec. 2011), 66 pages. DOI:http://dx.doi.org/10.1145/2049697.2049700

  10. [10]

    Clarke, Alex Groce, Somesh Jha, and Helmut Veith

    Sagar Chaki, Edmund M. Clarke, Alex Groce, Somesh Jha, and Helmut Veith. 2004. Modular Verification of Software Components in C. IEEE Trans. Softw. Eng. 30, 6 (June 2004), 388–402. DOI:http://dx.doi.org/10.1109/TSE.2004.22

  11. [11]

    Sagar Chaki, Arie Gurfinkel, and Ofer Strichman. 2012. Regression Verification for Multi-threaded Programs. In Verification, Model Checking, and Abstract Interpretation (Lecture Notes in Computer Science) , Vol. 7148. Springer-Verlag, Berlin, Heidelberg, 119–135

  12. [12]

    Manuel Clavel, Francisco Durán, Steven Eker, Patrick Lincoln, Narciso Martí-Oliet, José Meseguer, and Carolyn Talcott

  13. [13]

    Springer-Verlag, Berlin, Heidelberg

    All About Maude - a High-performance Logical Framework: How to Specify, Program and Verify Systems in Rewriting Logic. Springer-Verlag, Berlin, Heidelberg

  14. [14]

    Cobleigh, Dimitra Giannakopoulou, and Corina S

    Jamieson M. Cobleigh, Dimitra Giannakopoulou, and Corina S. Păsăreanu. 2003. Learning Assumptions for Compo- sitional Verification. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’03). Springer-Verlag, Berlin, Heidelberg, 331–346. http://dl.acm.org/citation.cfm?id= 1765871.1765903

  15. [15]

    Conway, Kedar S

    Christopher L. Conway, Kedar S. Namjoshi, Dennis Dams, and Stephen A. Edwards. 2005. Incremental Algorithms for Inter-procedural Analysis of Safety Properties. In Proceedings of the 17th International Conference on Computer Aided Verification (CA V’05). Springer-Verlag, Berlin, Heidelberg, 449–461. DOI:http://dx.doi.org/10.1007/11513988_45

  16. [16]

    Cormen, Charles E

    Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. 2009. Introduction to Algorithms (3. ed.) . MIT Press, Cambridge MA. http://mitpress.mit.edu/books/introduction-algorithms , Vol. 1, No. 1, Article . Publication date: June 2026. :50 Domenico Bianculli, Antonio Filieri, Carlo Ghezzi, Dino Mandrioli, and Alessandro M. Rizzi

  17. [17]

    Andrei Ştefănescu. 2014. MatchC: A Matching Logic Reachability Verifier Using the K Framework. Electronic Notes in Theoretical Computer Science 304 (2014), 183–198. DOI:http://dx.doi.org/10.1016/j.entcs.2014.05.010

  18. [18]

    C. Daws. 2005. Symbolic and Parametric Model Checking of Discrete-Time Markov chains. In Proc. of ICTAC 2004 (LNCS), Vol. 3407. Springer, Berlin, Heidelberg, 280–294

  19. [19]

    Koen de Bosschere. 1996. An Operator Precedence Parser for Standard Prolog Text. Software: Practice and Experience 26, 7 (July 1996), 763–779. DOI:http://dx.doi.org/10.1002/(SICI)1097-024X(199607)26:7<763::AID-SPE33>3.3.CO;2-C

  20. [20]

    Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08/ETAPS’08). Springer-Verlag, Berlin, Heidelberg, 337–340. http://dl.acm.org/citation.cfm?id=1792734.1792766

  21. [21]

    Grigory Fedyukovich, Ondrej Sery, and Natasha Sharygina. 2013. eVolCheck: Incremental Upgrade Checker for C. In Proceedings of the 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’13). Springer-Verlag, Berlin, Heidelberg, 292–307. DOI:http://dx.doi.org/10.1007/978-3-642-36742-7_21

  22. [22]

    Antonio Filieri and Carlo Ghezzi. 2012. Further steps towards efficient runtime verification: Handling probabilistic cost models. In Proc. of FormSERA. IEEE Computer Society, Los Alamitos, CA, USA, 2–8

  23. [23]

    Antonio Filieri, Carlo Ghezzi, and Giordano Tamburrelli. 2011. Run-time efficient probabilistic model checking. In Proc. of ICSE 2011 . ACM, New York, NY, USA, 341–350

  24. [24]

    Michael J. Fischer. 1969. Some Properties of Precedence Languages. In Proceedings of the 1st Annual ACM Symposium on Theory of Computing (STOC’69). ACM, New York, NY, USA, 181–190. DOI:http://dx.doi.org/10.1145/800169.805432

  25. [25]

    Robert W. Floyd. 1963. Syntactic Analysis and Operator Precedence. J. ACM 10, 3 (July 1963), 316–333. DOI: http://dx.doi.org/10.1145/321172.321179

  26. [26]

    Carlo Ghezzi. 2012. Evolution, Adaptation, and the Quest for Incrementality. In Proceedings of the 17th Monterey Conference on Large-Scale Complex IT Systems: Development, Operation and Management . Springer-Verlag, Berlin, Heidelberg, 369–379. DOI:http://dx.doi.org/10.1007/978-3-642-34059-8_19

  27. [27]

    Carlo Ghezzi and Dino Mandrioli. 1979. Incremental Parsing. ACM Transactions on Programming Languages and Systems 1, 1 (Jan. 1979), 58–70. DOI:http://dx.doi.org/10.1145/357062.357066

  28. [28]

    Benny Godlin and Ofer Strichman. 2012. Regression Verification: Proving the Equivalence of Similar Programs. STVR 23, 3 (2012), 241–258

  29. [29]

    Dick Grune and Ceriel J. H. Jacobs. 2008. Parsing Techniques: A Practical Guide (Second Edition) . Springer-Verlag, Berlin, Heidelberg

  30. [30]

    Shengjian Guo, Markus Kusano, and Chao Wang. 2016. Conc-iSE: Incremental Symbolic Execution of Concurrent Software. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016) . ACM, New York, NY, USA, 531–542. DOI:http://dx.doi.org/10.1145/2970276.2970332

  31. [31]

    ErnstMoritz Hahn, Holger Hermanns, Björn Wachter, and Lijun Zhang. 2010. PARAM: A Model Checker for Parametric Markov Models. In Proc. of CA V 2010. LNCS, Vol. 6174. Springer, Berlin, Heidelberg, 660–664

  32. [32]

    Henzinger, Ranjit Jhala, Rupak Majumdar, and Marco A

    Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Marco A. A. Sanvido. 2003. Extreme Model Checking. In Verification: Theory and Practice, Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday (Lecture Notes in Computer Science), Vol. 2772. Springer-Verlag, Berlin, Heidelberg, 332–358

  33. [33]

    Fahimeh Jalili. 1985. A General Incremental Evaluator for Attribute Grammars. Science of Computer Programming 5, 1 (1985), 83–96. DOI:http://dx.doi.org/10.1016/0167-6423(85)90005-X

  34. [34]

    Cliff B. Jones. 1983. Tentative Steps Toward a Development Method for Interfering Programs. ACM Transactions on Programming Languages and Systems 5, 4 (Oct. 1983), 596–619. DOI:http://dx.doi.org/10.1145/69575.69577

  35. [35]

    Donald E. Knuth. 1968. Semantics of Context-Free Languages. Mathematical Systems Theory 2, 2 (1968), 127–145. DOI: http://dx.doi.org/10.1007/BF01692511

  36. [36]

    Robert Könighofer, Ronald Toegl, and Roderick Bloem. 2014. Automatic Error Localization for Software Using Deductive Verification. Springer Berlin Heidelberg, Berlin, Heidelberg, 92–98. DOI:http://dx.doi.org/10.1007/978-3-319-13338-6_8

  37. [37]

    Marta Kwiatkowska, Gethin Norman, David Parker, and Hongyang Qu. 2010. Assume-Guarantee Verification for Probabilistic Systems. In Proceedings of the 16th International Conference on Tools and Algorithms for the Construc- tion and Analysis of Systems (TACAS’10). Springer-Verlag, Berlin, Heidelberg, 23–37. DOI:http://dx.doi.org/10.1007/ 978-3-642-12002-2_3

  38. [38]

    Craig Larman and Victor R. Basili. 2003. Iterative and Incremental Development: A Brief History. Computer 36, 6 (June 2003), 47–56. DOI:http://dx.doi.org/10.1109/MC.2003.1204375

  39. [39]

    Steven Lauterburg, Ahmed Sobeih, Darko Marinov, and Mahesh Viswanathan. 2008. Incremental State-space Explo- ration for Programs with Dynamically Allocated Data. In Proceedings of the 30th International Conference on Software Engineering (ICSE’08). ACM, New York, NY, USA, 291–300. DOI:http://dx.doi.org/10.1145/1368088.1368128

  40. [40]

    Rustan M

    K. Rustan M. Leino and Valentin Wüstholz. 2015. Fine-Grained Caching of Verification Results. In Part I of the Proceedings of the 27th International Conference on Computer Aided Verification, CA V’15 (Lecture Notes in Computer Science), Vol. 9206. Springer-Verlag, Berlin, Heidelberg, 380–397. DOI:http://dx.doi.org/10.1007/978-3-319-21690-4_22 , Vol. 1, No...

  41. [41]

    John Levine and Levine John. 2009. Flex & Bison (1st ed.). O’Reilly Media, Inc., Sebastopol, CA, USA

  42. [42]

    G. S. Makanin. 1977. The problem of the solvability of equations in a free semigroup. Matematicheskii Sbornik 103(145), 2 (1977), 147–236, 319

  43. [43]

    John McCarthy. 1962. Towards a Mathematical Science of Computation. In IFIP Congress. Springer Netherlands, Dordrecht, 21–28

  44. [44]

    Lambert G. L. T. Meertens and Johannes C. van Vliet. 1981.An Operator-Priority Grammar For Algol 68+. CWI Technical Report IW 173/81. Stichting Mathematisch Centrum. 1–24 pages

  45. [45]

    Design by Contract

    Bertrand Meyer. 1992. Applying “Design by Contract”. Computer 25, 10 (Oct. 1992), 40–51. DOI:http://dx.doi.org/10. 1109/2.161279

  46. [46]

    Ernst, and David Notkin

    Kivanç Muşlu, Yuriy Brun, Michael D. Ernst, and David Notkin. 2013. Making Offline Analyses Continuous. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2013) . ACM, New York, NY, USA, 323–333. DOI:http://dx.doi.org/10.1145/2491411.2491460

  47. [47]

    Derek C. Oppen. 1980. Reasoning About Recursively Defined Data Structures. J. ACM 27, 3 (July 1980), 403–411. DOI: http://dx.doi.org/10.1145/322203.322204

  48. [48]

    David Lorge Parnas. 1972. On the Criteria to Be Used in Decomposing Systems into Modules. Commun. ACM 15, 12 (Dec. 1972), 1053–1058. DOI:http://dx.doi.org/10.1145/361598.361623

  49. [49]

    Suzette Person, Guowei Yang, Neha Rungta, and Sarfraz Khurshid. 2011. Directed Incremental Symbolic Execution. ACM SIGPLAN Notices 46, 6 (June 2011), 504–515. DOI:http://dx.doi.org/10.1145/1993316.1993558

  50. [50]

    Grigore Roşu and Traian-Florin Şerbănuţă. 2010. An Overview of the K Semantic Framework.Journal of Logic and Algebraic Programming 79, 6 (2010), 397–434. DOI:http://dx.doi.org/10.1016/j.jlap.2010.03.012

  51. [51]

    Grigore Roşu and Andrei Ştefănescu. 2012. Checking Reachability Using Matching Logic. ACM SIGPLAN Notices 47, 10 (Oct. 2012), 555–574. DOI:http://dx.doi.org/10.1145/2398857.2384656

  52. [52]

    Grigore Roşu, Chucky Ellison, and Wolfram Schulte. 2011. Matching Logic: An Alternative to Hoare/Floyd Logic. In Proceedings of the 13th International Conference on Algebraic Methodology and Software Technology (AMAST’10) . Springer-Verlag, Berlin, Heidelberg, 142–162. http://dl.acm.org/citation.cfm?id=1946031.1946042

  53. [53]

    Neha Rungta, Joshua Branchaud, and Suzette Person. 2012. A Change Impact Analysis to Characterize Evolving Program Behaviors. In Proceedings of the 28th IEEE International Conference on Software Maintenance (ICSM’12) . IEEE Computer Society Press, Los Alamitos, CA, USA, 109–118. DOI:http://dx.doi.org/10.1109/ICSM.2012.6405261

  54. [54]

    David Saff and Michael D. Ernst. 2004. An Experimental Evaluation of Continuous Testing During Development. ACM SIGSOFT Software Engineering Notes 29, 4 (July 2004), 76–85. DOI:http://dx.doi.org/10.1145/1013886.1007523

  55. [55]

    Arto Salomaa. 1987. Formal Languages. Academic Press Professional, Inc., Cambridge, Massachusetts

  56. [56]

    Natasha Sharygina, Sagar Chaki, Edmund Clarke, and Nishant Sinha. 2005. Dynamic Component Substitutability Analysis. In Proceedings of the 2005 International Conference on Formal Methods (FM’05) . Springer-Verlag, Berlin, Heidelberg, 512–528. DOI:http://dx.doi.org/10.1007/11526841_34

  57. [57]

    Prasad Sistla. 1996. Hybrid and Incremental Model Checking Techniques. Comput. Surveys 28, 4es (Dec. 1996), 125. DOI:http://dx.doi.org/10.1145/242224.242384

  58. [58]

    Tamás Szabó, Sebastian Erdweg, and Markus Voelter. 2016. IncA: A DSL for the Definition of Incremental Program Analyses. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE 2016) . ACM, New York, NY, USA, 320–331. DOI:http://dx.doi.org/10.1145/2970276.2970298

  59. [59]

    %i", &v) · . . . 𝑘 𝑗 · . . . 𝑖𝑛 v ↦→ 𝑖 𝑗 . . . env (93) Similarly, function printf takes as argument an integer value and appends it to list out, as described in rule (94): printf(

    Guowei Yang, Matthew B. Dwyer, and Gregg Rothermel. 2009. Regression Model Checking. In Proceedings of the 25th IEEE International Conference on Software Maintenance (ICSM’09). IEEE Computer Society, Los Alamitos, CA, USA, 115–124. DOI:http://dx.doi.org/10.1109/ICSM.2009.5306334 APPENDICES In these appendices we first provide various details about the for...