Results 1 - 10 of 49
Fail-Stop Processors: An Approach to Designing Fault-Tolerant Computing Systems (1983)
Cited by 279 (16 self)
Abstract:
This paper was originally submitted to ACM Transactions on Programming Languages and Systems. The responsible editor was Susan L. Graham. The authors and editor kindly agreed to transfer the paper to the ACM Transactions on Computer Systems
BI as an Assertion Language for Mutable Data Structures (2000)
Cited by 121 (12 self)
Abstract:
Reynolds has developed a logic for reasoning about mutable data structures in which the pre- and postconditions are written in an intuitionistic logic enriched with a spatial form of conjunction. We investigate the approach from the point of view of the logic BI of bunched implications of O'Hearn and Pym. We begin by giving a model in which the law of the excluded middle holds, thus showing that the approach is compatible with classical logic. The relationship between the intuitionistic and classical versions of the system is established by a translation, analogous to a translation from intuitionistic logic into the modal logic S4. We also consider the question of completeness of the axioms. BI's spatial implication is used to express weakest preconditions for object-component assignments, and an axiom for allocating a cons cell is shown to be complete under an interpretation of triples that allows a command to be applied to states with dangling pointers. We make this latter a feature, by incorporating an operation, and axiom, for disposing of memory. Finally, we describe a local character enjoyed by specifications in the logic, and show how this enables a class of frame axioms, which say what parts of the heap don't change, to be inferred automatically.
Data Abstraction and Information Hiding (2000)
Cited by 102 (10 self)
Abstract:
This paper describes an approach for verifying programs in the presence of data abstraction and information hiding, which are key features of modern programming languages with objects and modules. The paper focuses on the property of modular soundness, that is, the property that the separate verifications of the individual modules of the program suffice to ensure the correctness of the composite program. The paper introduces a new specification language construct, the abstraction dependency, and argues that it is needed to achieve modular soundness in the presence of data abstraction and information hiding. This paper discusses in detail two varieties of abstraction dependencies: static and dynamic. The paper also presents a new technical definition of modular soundness as a monotonicity property of verifiability with respect to scope and uses this technical definition to formally prove the modular soundness of a programming discipline for static dependencies.
Proving pointer programs in Hoare Logic (2000)
Cited by 90 (5 self)
Abstract:
It is possible, but difficult, to reason in Hoare logic about programs which address and modify data structures defined by pointers. The challenge is to approach the simplicity of Hoare logic's treatment of variable assignment, where substitution affects only relevant assertion formulae. The axiom of assignment to object components treats each component name as a pointer-indexed array. This permits a formal treatment of inductively defined data structures in the heap but tends to produce instances of modified component mappings in arguments to inductively defined assertions. The major weapons against these troublesome mappings are assertions which describe spatial separation of data structures. Three example proofs are sketched.
1 Introduction
The power of the Floyd/Hoare treatment of imperative programs [8][11] lies in its use of variable substitution to capture the semantics of assignment: simply, $R^{E}_{x}$, the result of replacing every free occurrence of variable x in R by...
Ten Years of Hoare's Logic: A Survey -- Part I (1981)
Cited by 65 (2 self)
Abstract:
A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.
Abstract Interpretation with Alien Expressions and Heap Structures (In VMCAI, 2005)
Cited by 31 (7 self)
Abstract:
The technique of abstract interpretation analyzes a computer program to infer various properties about the program. The particular properties inferred depend on the particular abstract domains used in the analysis. Roughly speaking, the properties representable by an abstract domain follow a domain-specific schema of relations among variables. This paper introduces the congruence-closure abstract domain, which in effect extends the properties representable by a given abstract domain to schemas over arbitrary terms, not just variables. Also, this paper introduces the heap succession abstract domain, which when used as a base domain for the congruence-closure domain, allows given abstract domains to infer properties in a program’s heap. This combination of abstract domains has applications, for example, to the analysis of object-oriented programs.
A Compositional Logic for Polymorphic Higher-Order Functions (PPDP'04, 2004)
Cited by 23 (10 self)
Abstract:
This paper introduces a compositional program logic for higher-order polymorphic functions and standard data types. The logic enables us to reason about observable properties of polymorphic programs starting from those of their constituents. Just as types attached to programs offer information on their composability so as to guarantee basic safety of composite programs, formulae of the proposed logic attached to programs offer information on their composability so as to guarantee fine-grained behavioural properties of polymorphic programs. The central feature of the logic is a systematic usage of names and operations on them, whose origin is in the logics for typed π-calculi. The paper introduces the program logic and its proof rules and illustrates their usage by non-trivial reasoning examples, taking a prototypical call-by-value functional language with impredicative polymorphism and recursive types as a target language.
A Complete Calculus for the Multialgebraic and Functional Semantics of Nondeterminism (1995)
Cited by 21 (9 self)
Abstract:
The current algebraic models for nondeterminism focus on the notion of possibility rather than necessity, and consequently equate (nondeterministic) terms that one intuitively would not consider equal. Furthermore, existing models for nondeterminism depart radically from the standard models for (equational) specifications of deterministic operators. One would prefer that a specification language for nondeterministic operators be based on an extension of the standard model concepts, preferably in such a way that the reasoning system for (possibly nondeterministic) operators becomes the standard equational one whenever restricted to the deterministic operators -- the objective should be to minimize the departure from the standard frameworks. In this paper we define a specification language for nondeterministic operators and multialgebraic semantics. The first complete reasoning system for such specifications is introduced. We also define a transformation of specifications of nondeterm...
Pre/Post Conditioned Slicing (2001)
Cited by 20 (12 self)
Abstract:
This paper shows how analysis of programs in terms of pre- and post-conditions can be improved using a generalisation of conditioned program slicing called pre/post conditioned slicing. Such conditions play an important role in program comprehension, reuse, verification and reengineering. Fully automated analysis is impossible because of the inherent undecidability of pre- and post-conditions. The method presented here reformulates the problem to circumvent this. The reformulation is constructed so that programs which respect the pre- and post-conditions applied to them have empty slices. For those which do not respect the conditions, the slice contains statements which could potentially break the conditions. This separates the automatable part of the analysis from the human analysis.
Semantic Analysis of Pointer Aliasing, Allocation and Disposal in Hoare Logic (2000)
Cited by 17 (4 self)
Abstract:
Bornat has recently described an approach to reasoning about pointers, building on work of Morris. Here we describe a semantics that validates the approach, and use it to help devise axioms for operations that allocate and dispose of memory.
1. INTRODUCTION
It is widely acknowledged that pointers cause problems for program-proving formalisms (e.g. [8, 17, 13, 16, 9, 1, 14, 7]), but there is less agreement on precisely what the problems are. So, before describing our own work, we first discuss where we believe the difficulties lie. The first issue that must be faced is aliasing, where distinct expressions can denote the same l-value. The problem here can be seen by reference to Hoare logic, where assignment is treated using substitution on the object-language level: $\{P[E/x]\}\; x := E\; \{P\}$. For this treatment of assignment to be sound it is necessary that different identifiers are not aliases. With pointers the problem is that aliasing is not an exceptional circumstance: for example, it wi...

