A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.

In previous work we have proposed a Dependent Hoare Type Theory (HTT) as a framework for development and reasoning about higher-order functional programs with effects of state, aliasing and nontermination. The main feature of HTT is the type of Hoare triples {P}x:A{Q} specifying computations with precondition P and postcondition Q, that return a result of type A. Here we extend HTT with predicative type polymorphism. Type quantification is possible in both types and assertions, and we can also quantify over Hoare triples. We show that as a consequence it becomes possible to reason about disjointness of heaps in the assertion logic of HTT. We use this expressiveness to interpret the Hoare triples in the “small footprint ” manner advocated by Separation Logic, whereby a precondition tightly describes the heap fragment required by the computation. We support stateful commands of allocation, lookup, strong update, deallocation, and pointer arithmetic. 1

We present a compositional program logic for call-by-value imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic

Hoare logic is bedevilled by complex and unmemorable side conditions on the use of variables. We define a logic free of side conditions, and show that it admits translations of proofs in Hoare logic, thereby showing that nothing is lost. Our work draws on ideas from separation logic: program variables are treated as resource and separated with ⋆, rather than as logical variables in disguise. For clarity we exclude a treatment of the heap. 1.

Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higher-order functions, object references, and shared-memory mutexes. We give a general method to construct models containing indirect reference by presenting a “theory of indirection”. Our method can be applied in a wide variety of settings and uses only simple, elementary mathematics. In addition to various forms of indirect reference, the resulting models support powerful features such as impredicative quantification and equirecursion; moreover they are compatible with the kind of powerful substructural accounting required to model (higher-order) separation logic. In contrast to previous work, our model is easy to apply to new settings and has a simple axiomatization, which is complete in the sense that all models of it are isomorphic. Our proofs are machine-checked in Coq.

This paper will be most easily appreciated by the reader with some prior knowledge of Mathematical Logic [8, 19], Set Theory [11], and Denotational Semantics [9, 18, 20]. Verdi differs from its predecessor m-Verdi [4] in several significant ways:

In this paper we investigate a logic for reasoning about programs with higher-order functions and effectful features like non-termination and state with aliasing. We propose a dependent type theory HTT (short for Hoare Type Theory), where types serve as program specifications. In case of effectful programs, the type of Hoare triples {P}x:A{Q} specifies the precondition P, the type of the return result A, and the postcondition Q. By Curry-Howard isomorphism, a dependent type theory may be viewed as a functional programming language. From this perspective, the type of Hoare triples is a monad, and HTT is a monadic language, whose pure fragment consists of higher-order functions, while the effectful fragment is a full Turingcomplete imperative language with conditionals, loops, recursion and commands for stateful operations like allocation, lookup and mutation of location content. 1

A fundamental complexity in human understanding and reasoning about imperative, objectbased software systems has to do with the need to distinguish references and values of objects. It is possible to eliminate this complexity by (deep) copying values of all mutable objects, but this is too inefficient for typical, non-trivial objects. The problem of minimizing the impact of the reference-value distinction without resorting to value copying manifests itself when objects are repeated as parameters to procedures. From a software engineering perspective, we consider alternative strategies to address the repeated argument problem ranging from ones that disallow repeated arguments to more permissive ones; from ones that do not require any new programming language mechanisms to ones that need new features. We introduce a parameter passing approach that neither requires the reference-value distinction nor value copying to handle repeated arguments. We present a specificationaware, unrestricted, proof rule schema for procedure calls that is suitable for verification using alternative parameter passing techniques, separately or in combination.

References are indispensable to computing practice. Unlike deep copying, reference copying per-mits constant-time data assignment and parameter passing for all objects. Unfortunately, reference copying introduces aliasing among mutable objects and complicates software behavior by requiring developers to distinguish between references and values of objects for sound reasoning. The objec-tive of this dissertation is to preserve the benefits of reference copying but simplify reasoning. It introduces a notion of conceptually direct reasoning, in which programmers may ignore references and treat all variables directly as object values. It explains how this notion can be applied without compromising soundness. It proposes a new approach to parameter passing that avoids both alias-ing and deep copying. It explains how to segregate the few components that require aliasing from the many that do not. It contains formal specifications of components and appropriate proof rules. As a proof of concept, it applies the principles to the design of DirectJava, a prototype language that is syntactically similar to Java but facilitates conceptually direct reasoning without resorting to copying.

Abstract not found