Formal reasoning about computer programs can be based directly on the semantics of the programming language, or done in a special purpose logic like Hoare logic. The advantage of the first approach is that it guarantees that the formal reasoning applies to the language being used (it is well known, for example, that Hoare’s assignment axiom fails to hold for most programming languages). The advantage of the second approach is that the proofs can be more direct and natural. In this paper, an attempt to get the advantages of both approaches is described. The rules of Hoare logic are mechanically derived from the semantics of a simple imperative programming language (using the HOL system). These rules form the basis for a simple program verifier in which verification conditions are generated by LCF-style tactics whose validations use the derived Hoare rules. Because Hoare logic is derived, rather than postulated, it is straightforward to mix semantic and axiomatic reasoning. It is also straightforward to combine the constructs of Hoare logic with other application-specific notations. This is briefly illustrated for various logical constructs, including termination statements, VDM-style ‘relational’ correctness specifications, weakest precondition statements and dynamic logic formulae. The theory underlying the work presented here is well known. Our contribution is to propose a way of mechanizing this theory in a way that makes certain practical details work out smoothly.

Concurrency, as a useful feature of many modern programming languages and systems, is generally hard to reason about. Although existing work has explored the verification of concurrent programs using high-level languages and calculi, the verification of concurrent assembly code remains an open problem, largely due to the lack of abstraction at a low-level. Nevertheless, it is sometimes necessary to reason about assembly code or machine executables so as to achieve higher assurance. In this paper

Abstract. This paper establishes a strong completeness property of compositional program logics for pure and imperative higher-order functions introduced in [2, 15–18]. This property, called descriptive completeness, says that for each program there is an assertion fully describing the former’s behaviour up to the standard observational semantics. This formula is inductively calculable from the program text alone. As a consequence we obtain the first relative completeness result for compositional logics of pure and imperative call-by-value higher-order functions in the full type hierarchy. 1

A class of transactions is defined that expresses exactly first-order definable database updates. A complete Hoare axiom system is developed for the reasoning of transactions. The system has applications in the verification, optimization, and synthesis of database programs. Key Words and Phrases: Axiomatization, Data Manipulation Language, Database Integrity, Transaction Verification 1 Introduction A critical aspect of database programming is the availability of database semantics expressed as integrity constraints. Update transactions have to preserve the validity of constraints, and the fact that transactions always operate in valid databases should be utilized for optimization purposes. Another important aspect of database programming is that simple language constructs suffice, because transactions are dominated by data retrieval and manipulation tasks rather than by complex computations. In designing database programming languages, these properties suggest the need for balance be...

. An arithmetically complete axiom system for full Algol-like higher order procedures with mode depth one is presented. To show soundness, a translation of the calculus into a variant of Dynamic Logic is defined. The completeness proof is outlined. 1 Introduction The treatment of higher-order procedures (procedures can be passed as parameters) in Hoare-like axiomatic systems has been a major research topic since the problem of sound and relatively complete calculi for `simple' procedures was solved in a satisfactory way, [Coo78], [Old81], [Apt81]. All known proof systems for higher-order procedures extend the basic formalism introduced by Hoare, [Hoa69], in a significant way. Olderog, [Old84], and Damm and Josko, [DJ83], extend the language for pre- and postconditions while the form of the partial correctness assertions is maintained. In contrast to that German, Clarke and Halpern, [GCH89], extend the expressiveness of the underlying logic adhering to a first-order language for pr...

Contents 1 Program Specification 1 1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 A little programming language . . . . . . . . . . . . . . . . . . . . . 1 1.2.1 Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.2 Array assignments . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.3 Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.4 Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.5 One-armed conditionals . . . . . . . . . . . . . . . . . . . . . 3 1.2.6 Two-armed conditionals . . . . . . . . . . . . . . . . . . . . . 3 1.2.7 WHILE-commands . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.8 FOR-commands . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.9 Summary of syntax . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Hoare's notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.4 Some exam