Results 1-10 of 19
Compositional Model Checking
, 1999
Cited by 2407 (62 self)
We describe a method for reducing the complexity of temporal logic model checking in systems composed of many parallel processes. The goal is to check properties of the components of a system and then deduce global properties from these local properties. The main difficulty with this type of approach is that local properties are often not preserved at the global level. We present a general framework for using additional interface processes to model the environment for a component. These interface processes are typically much simpler than the full environment of the component. By composing a component with its interface processes and then checking properties of this composition, we can guarantee that these properties will be preserved at the global level. We give two example compositional systems based on the logic CTL*.
Dynamic Logic
 Handbook of Philosophical Logic
, 1984
Cited by 825 (8 self)
...ed to be true under the valuation u iff there exists an a ∈ N such that the formula x = y is true under the valuation u[x=a], where u[x=a] agrees with u everywhere except x, on which it takes the value a. This definition involves a metalogical operation that produces u[x=a] from u for all possible values a ∈ N. This operation becomes explicit in DL in the form of the program x := ?, called a nondeterministic or wildcard assignment. This is a rather unconventional program, since it is not effective; however, it is quite useful as a descriptive tool. A more conventional way to obtain a square root of y, if it exists, would be the program x := 0 ; while x < y do x := x + 1. (1) In DL, such programs are first-class objects on a par with formulas, complete with a collection of operators for forming compound programs inductively from a basis of primitive programs. To discuss the effect of the execution of a program on the truth of a formula φ, DL uses a modal construct <>φ, which
A Logic of Object-Oriented Programs
, 1998
Cited by 130 (5 self)
We develop a logic for reasoning about object-oriented programs. The logic is for a language with an imperative semantics and aliasing, and accounts for self-reference in objects. It is much like a type system for objects with subtyping, but our specifications go further than types in detailing pre- and postconditions. We intend the logic as an analogue of Hoare logic for object-oriented programs. Our main technical result is a soundness theorem that relates the logic to a standard operational semantics.
Ten Years of Hoare's Logic: A Survey - Part I
, 1981
Cited by 66 (2 self)
A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.
An observationally complete program logic for imperative higher-order functions
 In Proc. LICS’05
, 2005
Cited by 39 (11 self)
We propose a simple compositional program logic for an imperative extension of call-by-value PCF, built on Hoare logic and our preceding work on program logics for pure higher-order functions. A systematic use of names and operations on them allows precise and general description of complex higher-order imperative behaviour. The proof rules of the logic exactly follow the syntax of the language and can cleanly embed, justify and extend the standard proof rules for total correctness of Hoare logic. The logic offers a foundation for general treatment of aliasing and local state on its basis, with minimal extensions. After establishing soundness, we prove that valid assertions for programs completely characterise their behaviour up to observational congruence, which is proved using a variant of finite canonical forms. The use of the logic is illustrated through reasoning examples which are hard to assert and infer using existing program logics.
Predicate Transformer Semantics of a Higher Order Imperative Language With . . .
 SCIENCE OF COMPUTER PROGRAMMING
, 1998
Cited by 19 (9 self)
Using a set-theoretic model of predicate transformers and ordered data types, we give a total-correctness semantics for a typed higher-order imperative programming language that includes record extension, local variables, and procedure-type variables and parameters. The language includes infeasible specification constructs, for a calculus of refinement. Procedures may have global variables, subject to mild syntactic restrictions to avoid the semantic complications of Algol-like languages. The semantics is used to validate simple proof rules for noninterference, type extension, and calls of procedure variables and constants.
Verification of Safety Properties for Concurrent Assembly Code
 IN PROC. 2004 ACM SIGPLAN INT’L CONF. ON FUNCTIONAL PROG
, 2004
Cited by 17 (6 self)
Concurrency, as a useful feature of many modern programming languages and systems, is generally hard to reason about. Although existing work has explored the verification of concurrent programs using high-level languages and calculi, the verification of concurrent assembly code remains an open problem, largely due to the lack of abstraction at a low level. Nevertheless, it is sometimes necessary to reason about assembly code or machine executables so as to achieve higher assurance. In this paper
Ensuring Efficiently the Integrity of Persistent Object Systems Via Interpretation
, 1996
Cited by 7 (2 self)
In this paper, we propose an efficient and reliable method to deal with integrity constraints in a persistent object system. First we provide the application programmer with the ability to express integrity constraints, but we also give him the possibility to use high-level language constructs to help him in writing safe transactions. The goal of our approach is to avoid the (run-time) checking of constraints by proving formally that transactions preserve integrity constraints. We mainly use two abstract interpretation techniques to do that. Abstract interpretation is a semantics-based tool that yields some reliable information about the possible run-time behaviour of programs, with fully automatic algorithms. We present informally the methods that we use: a simple method, based on path reachability, and a more powerful and complex method that uses a predicate transformer. A predicate transformer is a function that, given a transaction and a formula describing its input data,...
Static management of integrity in object-oriented databases: Design and implementation
 In Extending Database Technology (EDBT
, 1998
Cited by 6 (1 self)
In this paper, we propose an efficient technique to statically manage integrity constraints in object-oriented database programming languages. We place ourselves in the context of a simplified database programming language, close to O2, in which we assume that updates are undertaken by means of methods. An important issue when dealing with constraints is that of efficiency. A naive management of such constraints can cause a severe floundering of the overall system. Our basic assumption is that the run-time checking of constraints is too costly to be undertaken systematically. Therefore, methods that are always safe with respect to integrity constraints should be proven so at compile time. The run-time checks should only concern the remaining methods. To that purpose, we propose a new approach, based on the use of predicate transformers combined with automatic theorem proving techniques, to prove the invariance of integrity constraints under complex methods. We then describe the current implementation of our prototype, and report some experiments that have been performed with it on non-trivial examples. The counterpart of the problem of program verification is that of program correction. Static analysis techniques can also be applied to solve that problem. We present a systematic approach to undertake the automatic correction of potentially unsafe methods. However, the advantages of the latter technique are not as clear as those of program verification. We will therefore discuss some arguments for and against the use of method correction.
On the Completeness of Propositional Hoare Logic
, 2001
Cited by 5 (2 self)
We investigate the completeness of Hoare logic on the propositional level. In particular, the expressiveness requirements of Cook's proof are characterized propositionally. We give a completeness result for propositional Hoare logic (PHL): all relationally valid rules with premises {b1} p1 {c1}, ..., {bn} pn {cn} and conclusion {b} p {c} are derivable in PHL, provided the propositional expressiveness conditions are met. Moreover, if the programs p_i in the premises are atomic, no expressiveness assumptions are needed.
1 Introduction
As shown by Cook [7], Hoare logic is relatively complete for partial correctness assertions (PCAs) over while programs whenever the underlying assertion language is sufficiently expressive. The expressiveness conditions in Cook's formulation provide for the expression of weakest preconditions. These conditions hold for first-order logic over N, for example, because of the coding power of first-order number theory. Cook's proof essentially shows that in any sufficiently expressive...