Abstract. This paper shows how classic inductive assertions can be used in conjunction with an operational semantics to prove partial correctness properties of programs. The method imposes only the proof obligations that would be produced by a verification condition generator but does not require the definition of a verification condition generation. The paper focuses on iterative programs but recursive programs are briefly discussed. Assertions are attached to the program by defining a predicate on states. This predicate is then “completed ” to an alleged invariant by the definition of a partial function defined in terms of the state transition function of the operational semantics. If this alleged invariant can be proved to be an invariant under the state transition function, it follows that the assertions are true every time they are encountered in execution and thus that the post-condition is true if reached from a state satisfying the pre-condition. But because of the manner in which the alleged invariant is defined, the verification conditions are sufficient to prove invariance. Indeed, the “natural ” proof generates the classical verification conditions as subgoals. The invariant function may be thought of as a state-based verification condition generator for the annotated program. The method allows standard inductive assertion style proofs to be constructed directly in an operational semantics setting. The technique is demonstrated by proving the partial correctness of simple bytecode programs with respect to a pre-existing operational model of the Java Virtual Machine. 1

Abstract J Moore has discovered an elegant approach for verifying state invariants of imperative programs without having to write a verification condition generator (VCG) or clock function. Users need only make assertions about selected cutpoint instructions of a program, such as loop tests and subroutine entry and exit points. ACL2's rewriter is then used to automatically propagate these assertions through the intervening instructions.

Abstract. In my view, the “verification problem ” is the theorem proving problem, restricted to a computational logic. My approach is: adopt a functional programming language, build a general purpose formal reasoning engine around it, integrate it into a program and proof development environment, and apply it to model and verify a wide variety of computing artifacts, usually modeled operationally within the functional programming language. Everything done in this approach is software verification since the models are runnable programs in a subset of an ANSI standard programming language (Common Lisp). But this approach is of interest to proponents of other approaches (e.g., verification of procedural programs or synthesis) because of the nature of the mathematics of computing. I summarize the progress so far using this approach, sketch the key research challenges ahead and describe my vision of the role and shape of a useful verification system. 1

To the few people who believed I could do it even when I myself didn’t Acknowledgments This dissertation has been shaped by many people, including my teachers, collabo-rators, friends, and family. I would like to take this opportunity to acknowledge the influence they have had in my development as a person and as a scientist. First and foremost, I wish to thank my advisor J Strother Moore. J is an amazing advisor, a marvellous collaborator, an insightful researcher, an empathetic teacher, and a truly great human being. He gave me just the right balance of freedom, encouragement, and direction to guide the course of this research. My stimulating discussions with him made the act of research an experience of pure enjoyment, and helped pull me out of many low ebbs. At one point I used to believe that whenever I was stuck with a problem one meeting with J would get me back on track. Furthermore, my times together with J and Jo during Thanksgivings and other occasions always made me feel part of his family. There was no problem, technical or otherwise, that I could not discuss with J, and there was no time when

We investigate the logical issues behind axiomatizing equations that contain both recursive calls and quantifiers in ACL2. We identify a class of such equations, named extended tail-recursive equations, that can be uniformly introduced in the logic. We point out some potential benefits of this axiomatization, and discuss the logical impediments behind introducing more general quantified formulas.