Results 1  10
of
26
Proving pointer programs in Hoare Logic
, 2000
"... . It is possible, but difficult, to reason in Hoare logic about programs which address and modify data structures defined by pointers. The challenge is to approach the simplicity of Hoare logic's treatment of variable assignment, where substitution affects only relevant assertion formul. The axio ..."
Abstract

Cited by 99 (7 self)
 Add to MetaCart
. It is possible, but difficult, to reason in Hoare logic about programs which address and modify data structures defined by pointers. The challenge is to approach the simplicity of Hoare logic's treatment of variable assignment, where substitution affects only relevant assertion formul. The axiom of assignment to object components treats each component name as a pointerindexed array. This permits a formal treatment of inductively defined data structures in the heap but tends to produce instances of modified component mappings in arguments to inductively defined assertions. The major weapons against these troublesome mappings are assertions which describe spatial separation of data structures. Three example proofs are sketched. 1 Introduction The power of the Floyd/Hoare treatment of imperative programs [8][11] lies in its use of variable substitution to capture the semantics of assignment: simply, R E x , the result of replacing every free occurrence of variable x in R by...
Ten Years of Hoare's Logic: A Survey  Part l
, 1981
"... A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with par ..."
Abstract

Cited by 66 (2 self)
 Add to MetaCart
A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.
Hoare Logic and Auxiliary Variables
 Formal Aspects of Computing
, 1998
"... Auxiliary variables are essential for specifying programs in Hoare Logic. They are required to relate the value of variables in different states. However, the axioms and rules of Hoare Logic turn a blind eye to the rle of auxiliary variables. We stipulate a new structural rule for adjusting auxiliar ..."
Abstract

Cited by 38 (0 self)
 Add to MetaCart
Auxiliary variables are essential for specifying programs in Hoare Logic. They are required to relate the value of variables in different states. However, the axioms and rules of Hoare Logic turn a blind eye to the rle of auxiliary variables. We stipulate a new structural rule for adjusting auxiliary variables when strengthening preconditions and weakening postconditions. Courtesy of this new rule, Hoare Logic is adaptation complete, which benefits software reuse. This property is responsible for a number of improvements. Relative completeness follows uniformly from the Most General Formula property. Moreover, contrary to common belief, one can show that Hoare Logic subsumes VDM's operation decomposition rules in that every derivation in VDM can be naturally embedded in Hoare Logic. Furthermore, the new treatment leads to a significant simplification in the presentation for verification calculi dealing with more interesting features such as recursion or concurrency.
Variables as resource in Hoare logics
 In 21st LICS
, 2006
"... Hoare logic is bedevilled by complex and unmemorable side conditions on the use of variables. We define a logic free of side conditions, and show that it admits translations of proofs in Hoare logic, thereby showing that nothing is lost. Our work draws on ideas from separation logic: program variabl ..."
Abstract

Cited by 32 (4 self)
 Add to MetaCart
Hoare logic is bedevilled by complex and unmemorable side conditions on the use of variables. We define a logic free of side conditions, and show that it admits translations of proofs in Hoare logic, thereby showing that nothing is lost. Our work draws on ideas from separation logic: program variables are treated as resource and separated with ⋆, rather than as logical variables in disguise. For clarity we exclude a treatment of the heap. 1.
Hoare Logic and VDM: MachineChecked Soundness and Completeness Proofs
, 1998
"... Investigating soundness and completeness of verification calculi for imperative programming languages is a challenging task. Many incorrect results have been published in the past. We take advantage of the computeraided proof tool LEGO to interactively establish soundness and completeness of both H ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
Investigating soundness and completeness of verification calculi for imperative programming languages is a challenging task. Many incorrect results have been published in the past. We take advantage of the computeraided proof tool LEGO to interactively establish soundness and completeness of both Hoare Logic and the operation decomposition rules of the Vienna Development Method (VDM) with respect to operational semantics. We deal with parameterless recursive procedures and local variables in the context of total correctness. As a case study, we use LEGO to verify the correctness of Quicksort in Hoare Logic. As our main contribution, we illuminate the rle of auxiliary variables in Hoare Logic. They are required to relate the value of program variables in the final state with the value of program variables in the initial state. In our formalisation, we reflect their purpose by interpreting assertions as relations on states and a domain of auxiliary variables. Furthermore, we propose a new structural rule for adjusting auxiliary variables when strengthening preconditions and weakening postconditions. This rule is stronger than all previously suggested structural rules, including rules of adaptation. With the new treatment, we are able to show that, contrary to common belief, Hoare Logic subsumes VDM in that every derivation in VDM can be naturally embedded in Hoare Logic. Moreover, we establish completeness results uniformly as corollaries of Most General Formula theorems which remove the need to reason about arbitrary assertions.
A Logical Analysis of Aliasing in Imperative HigherOrder Functions
 INTERNATIONAL CONFERENCE ON FUNCTIONAL PROGRAMMING, ICFP’05
, 2005
"... We present a compositional program logic for callbyvalue imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic ..."
Abstract

Cited by 28 (3 self)
 Add to MetaCart
We present a compositional program logic for callbyvalue imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic
SMTbased bounded model checking for embedded ANSIC software
 In Proc. ASE
, 2009
"... Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced by encoding wordlevel information in theories richer than pro ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
Propositional bounded model checking has been applied successfully to verify embedded software but is limited by the increasing propositional formula size and the loss of structure during the translation. These limitations can be reduced by encoding wordlevel information in theories richer than propositional logic and using SMT solvers for the generated verification conditions. Here, we investigate the application of different SMT solvers to the verification of embedded software written in ANSIC. We have extended the encodings from previous SMTbased bounded model checkers to provide more accurate support for finite variables, bitvector operations, arrays, structures, unions and pointers. We have integrated the CVC3, Boolector, and Z3 solvers with the CBMC frontend and evaluated them using both standard software model checking benchmarks and typical embedded applications from telecommunications, control systems and medical devices. The experiments show that our approach can analyze larger problems and substantially reduce the verification time. 1.
Calculating Sharp Adaptation Rules
 Information Processing Letters
, 2000
"... Introduction For reasoning about total correctness of whileprograms, the rules proposed by Hoare [10] have stood the test of time. But for procedure calls, a number of dierent rules have appeared (e.g, [11,9,2,1,5,12]). There appears to be no consensus on the \right" rule, and some proposals even t ..."
Abstract

Cited by 17 (5 self)
 Add to MetaCart
Introduction For reasoning about total correctness of whileprograms, the rules proposed by Hoare [10] have stood the test of time. But for procedure calls, a number of dierent rules have appeared (e.g, [11,9,2,1,5,12]). There appears to be no consensus on the \right" rule, and some proposals even turn out to be unsound. The results reported in this note were found in an attempt to derive an adaptation rule rather than pulling it from a magician's hat using tools from renement calculus. This sheds new light on the subject, explaining and extending the applicability of recent proposals, and it brings to light a new form of specication statement. Adaptation rules. For the moment, let us take for granted a semantics for commands and predicates. Say a triple f pre g S f post g is valid if every computation of command S from a state satisfying pre terminates in
A sharp proof rule for procedures in wp semantics
 Acta Informatica
, 1989
"... Summary. A proof rule for the procedure call is proposed that has the property that the precondition it defines is the weakest precondition that can be inferred solely from the procedure's specification. Thus the rule enforces exactly the abstraction introduced by the specification. Gries's proof r ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
Summary. A proof rule for the procedure call is proposed that has the property that the precondition it defines is the weakest precondition that can be inferred solely from the procedure's specification. Thus the rule enforces exactly the abstraction introduced by the specification. Gries's proof rule for the procedure call is shown not to have this property in cases when the specification involves socalled specification variables.
Inference rules for programming languages with side effects in expressions
 In International Conference on Theorem Proving in Higher Order Logics
, 1996
"... Abstract. Much of the work on verifying software has been done on simple, often artificial, languages or subsets of existing languages to avoid difficult details. In trying to verify a secure application written in C, we have encountered and overcome some semantically complicated uses of the languag ..."
Abstract

Cited by 15 (2 self)
 Add to MetaCart
Abstract. Much of the work on verifying software has been done on simple, often artificial, languages or subsets of existing languages to avoid difficult details. In trying to verify a secure application written in C, we have encountered and overcome some semantically complicated uses of the language. We present inference rules for assignment statements with pre and postevaluation side effects and while loops with arbitrary preevaluation side effects in the test expression. We also discuss the need to abstract the semantics of program functions and present an inference rule for abstraction.