Results 1  10
of
14
Ten Years of Hoare's Logic: A Survey  Part l
, 1981
"... A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with par ..."
Abstract

Cited by 66 (2 self)
 Add to MetaCart
A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.
Mechanizing Programming Logics in Higher Order Logic
 in Current Trends in Hardware Verification and Automated Theorem Proving, ed. P.A. Subrahmanyam and Graham Birtwistle
, 1989
"... Formal reasoning about computer programs can be based directly on the semantics of the programming language, or done in a special purpose logic like Hoare logic. The advantage of the first approach is that it guarantees that the formal reasoning applies to the language being used (it is well known, ..."
Abstract

Cited by 58 (3 self)
 Add to MetaCart
Formal reasoning about computer programs can be based directly on the semantics of the programming language, or done in a special purpose logic like Hoare logic. The advantage of the first approach is that it guarantees that the formal reasoning applies to the language being used (it is well known, for example, that Hoare’s assignment axiom fails to hold for most programming languages). The advantage of the second approach is that the proofs can be more direct and natural. In this paper, an attempt to get the advantages of both approaches is described. The rules of Hoare logic are mechanically derived from the semantics of a simple imperative programming language (using the HOL system). These rules form the basis for a simple program verifier in which verification conditions are generated by LCFstyle tactics whose validations use the derived Hoare rules. Because Hoare logic is derived, rather than postulated, it is straightforward to mix semantic and axiomatic reasoning. It is also straightforward to combine the constructs of Hoare logic with other applicationspecific notations. This is briefly illustrated for various logical constructs, including termination statements, VDMstyle ‘relational’ correctness specifications, weakest precondition statements and dynamic logic formulae. The theory underlying the work presented here is well known. Our contribution is to propose a way of mechanizing this theory in a way that makes certain practical details work out smoothly.
Trustworthy Tools for Trustworthy Programs: A Verified Verification Condition Generator
, 1994
"... Verification Condition Generator (VCG) tools have been effective in simplifying the task of proving programs correct. However, in the past these VCG tools have in general not themselves been mechanically proven, so any proof using and depending on these VCGs might have contained errors. In our w ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
Verification Condition Generator (VCG) tools have been effective in simplifying the task of proving programs correct. However, in the past these VCG tools have in general not themselves been mechanically proven, so any proof using and depending on these VCGs might have contained errors. In our work, we define and rigorously prove correct a VCG tool within the HOL theorem proving system, for a standard whileloop language, with one new feature not usually treated: expressions with side effects. Starting from a structural operational semantics of this programming language, we prove as theorems the axioms and rules of inference of a Hoarestyle axiomatic semantics, verifying their soundness. This axiomatic semantics is then used to define and prove correct a VCG tool for this language. Finally, this verified VCG is applied to an example program to verify its correctness.
Program verification
 Journal of Automated Reasoning
, 1985
"... Computer programs may be regarded as formal mathematical objects whose properties are subject to mathematical proof. Program verification is the use of formal, mathematical techniques to debug software and software specifications. 1. Code Verification How are the properties of computer programs prov ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Computer programs may be regarded as formal mathematical objects whose properties are subject to mathematical proof. Program verification is the use of formal, mathematical techniques to debug software and software specifications. 1. Code Verification How are the properties of computer programs proved? We discuss three approaches in this article: inductive invariants, functional semantics, and explicit semantics. Because the first approach has received by far the most attention, it has produced the most impressive results to date. However, the field is now moving away from the inductive invariant approach. 1.1. Inductive Assertions The socalled FloydHoare inductive assertion method of program verification [25, 33] has its roots in the classic Goldstine and von Neumann reports [53] and handles the usual kind of programming language, of which FORTRAN is perhaps the best example. In this style of verification, the specifier "annotates " certain points in the program with mathematical assertions that are supposed to describe relations that hold between the program variables and the initial input values each time "control " reaches the annotated point. Among these assertions are some that characterize acceptable input and the desired output. By exploring all possible paths from one assertion to the next and analyzing the effects of intervening program statements it is possible to reduce the correctness of the program to the problem of proving certain derived formulas called verification conditions. Below we illustrate the idea with a simple program for computing the factorial of its integer input N flowchart assertion start with input(N) input N A: = 1 N = 0 yes stop with? answer A
Using Reflection to Explain and Enhance Type Theory
 Proof and Computation, volume 139 of NATO Advanced Study Institute, International Summer School held in Marktoberdorf, Germany, July 20August 1, NATO Series F
, 1994
"... The five lectures at Marktoberdorf on which these notes are based were about the architecture of problem solving environments which use theorem provers. Experience with these systems over the past two decades has shown that the prover must be extensible, yet it must be kept safe. We examine a way to ..."
Abstract

Cited by 11 (5 self)
 Add to MetaCart
The five lectures at Marktoberdorf on which these notes are based were about the architecture of problem solving environments which use theorem provers. Experience with these systems over the past two decades has shown that the prover must be extensible, yet it must be kept safe. We examine a way to safely add new decision procedures to the Nuprl prover. It relies on a reflection mechanism and is applicable to any tacticoriented prover with sufficient reflection. The lectures explain reflection in the setting of constructive type theory, the core logic of Nuprl.
Explanationbased Scenario Generation for Reactive System Models
 Automated Software Engineering
, 1998
"... Reactive systems control many useful and complex realworld devices. Toolsupportedspeci#cation modeling helps software engineers design such systems correctly. One such tool is a scenario generator, which constructs an input event sequence for the specmodel that reaches a state satisfying given cri ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Reactive systems control many useful and complex realworld devices. Toolsupportedspeci#cation modeling helps software engineers design such systems correctly. One such tool is a scenario generator, which constructs an input event sequence for the specmodel that reaches a state satisfying given criteria. It can uncover counterexamples to desired safety properties, explain feature interactions in concrete terms to requirements analysts, and even provide online help to end users learning how to use a system. However, while exhaustive search algorithms work in limited domains, the problem is highly intractable for the functionally rich models that correspond naturally to complex systems engineers wish to design. This paper describes a novel heuristic approach to the problem that is applicable to a large class of in#nite state reactive systems. The key ideaistopiecetogether scenarios that achieve subgoals into a single scenario achieving the conjunction of the subgoals. The scenarios are ...
CAViT: a consistency maintenance framework based on visual model transformation and transformation contracts
 Transformation Techniques in Software Engineering, number 05161 in Dagstuhl Seminar Proceedings. Internationales Begegnungs und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl
, 2005
"... Abstract. Model driven engineering is a software engineering methodology that aims to manage the complexity of frameworks by relying on models and transformations. Unfortunately it is only poorly understood where and how this new methodology differs from traditional methodologies. Therefore, this pa ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Abstract. Model driven engineering is a software engineering methodology that aims to manage the complexity of frameworks by relying on models and transformations. Unfortunately it is only poorly understood where and how this new methodology differs from traditional methodologies. Therefore, this paper formalizes how contract based model transformation extends existing design by contract theory. The key extension is that transformation contracts can be maintained automatically by mapping consistency invariants to the postconditions of transformation rules. When an invariant is violated, the corresponding transformation rule will be called provided that its precondition is satisfied. This paper presents the Contract Aware Visual Transformation (CAViT) framework, an implementation of declarative middleware for contract based model transformation. We illustrate how CAViT can be used to integrate UML based visual model transformations with OCL based transformation contracts.
Secure Mechanical Verification of Mutually Recursive Procedures
 Information and Computation
, 2003
"... . The verification of programs that contain mutually recursive procedures is a difficult task, and one which has not been satisfactorily addressed in the literature. Published proof rules have been later discovered to be unsound. Verification Condition Generator (VCG) tools have been effective in pa ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
. The verification of programs that contain mutually recursive procedures is a difficult task, and one which has not been satisfactorily addressed in the literature. Published proof rules have been later discovered to be unsound. Verification Condition Generator (VCG) tools have been effective in partially automating the verification of programs, but in the past these VCG tools have in general not themselves been proven, so any proof using and depending on these VCGs might not be sound. In this paper we present a set of proof rules for proving the partial correctness of programs with mutually recursive procedures, together with a VCG that automates the use of the proof rules in program correctness proofs. The soundness of the proof rules and the VCG itself have been mechanically proven within the Higher Order Logic theorem prover, with respect to the underlying structural operational semantics of the programming language. This proof of soundness then forms the core of an implementation...