## A.W.: A compositional logic for control flow (2006)

Venue: Verification, Model Checking and Abstract Interpretation (VMCAI)

Citations: 36 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Tan06a.w.:a,
  author    = {Gang Tan},
  title     = {A.W.: A compositional logic for control flow},
  booktitle = {Verification, Model Checking and Abstract Interpretation (VMCAI)},
  year      = {2006},
  publisher = {Springer}
}
```

### Abstract

We present a program logic, Lc, which modularly reasons about unstructured control flow in machine-language programs. Unlike previous program logics, the basic reasoning units in Lc are multiple-entry and multiple-exit program fragments. Lc provides composition rules to combine program fragments together, and rules to eliminate intermediate entries/exits in the combined fragment. Lc is not only useful for reasoning about unstructured control flow in machine languages, but also useful for deriving rules for common control-flow structures such as while-loops, repeat-until-loops, and many others. We also present a semantics for Lc and prove that Lc is both sound and complete with respect to this semantics. As an application, Lc and its semantics have been implemented on top of the SPARC machine language, and are used in the Foundational Proof-Carrying Code Project to produce type-safety proofs for machine-language programs.

### Citations

**An axiomatic basis for computer programming**
- Hoare
- 1969
- Citations: 1371

Citation context: ...mented on top of the SPARC machine language, and are embedded in the Foundational Proof-Carrying Code project to produce memory-safety proofs for machine-language programs. 1 Introduction Hoare Logic **[1]** has long been used to verify properties of programs written in high-level programming languages. In Hoare Logic, a triple {p}s{q} describes the relationship between exactly two states—the normal entr...

**Proof-carrying code**
- Necula
- 1997
- Citations: 1099

Citation context: ...evious works also differ from Lc in terms of the form of specification. The work by de Bruin [8] is a typical example. In his system, the judgment for a statement s is: 〈L1 : p1,...,Ln : pn|{p}s{q}〉, **(2)** where L1,...,Ln are labels in a program P ; the assertion pi is the invariant associated with the label Li; the statement s is a part of the program P . Judgment (2) judges a triple {p}s{q}, but unde...

**From system F to typed assembly language**
- Morrisett, Walker, et al.
- 1999
- Citations: 591

Citation context: ...ments, and its rule for goto statements is 〈L1 : p1,...,Ln : pn|{pi}goto Li{false}〉. Judgment (2) is sufficient for verifying properties of programs with goto statements. Typed Assembly Language (TAL **[3]**) by Morrisett et al. uses a similar judgment to verify type safety of assembly-language programs. However, judgment (2) assumes the availability of global information, because it judges a statement s...

**Assigning meanings to programs**
- Floyd
- 1967
- Citations: 568

Citation context: ...only those label invariants associated with exits in s. This new form of specification makes fewer assumptions (fewer label invariants) about the rest of the program and is more modular. Floyd's work **[10]** on program verification associates a predicate for each arc in the flowchart representation of a program. The program is correct if each statement in the program has been verified correct with respec...

**Denotational Semantics: A Methodology For Language Development**
- Schmidt
- 1986
- Citations: 326

Citation context: ... needs to reason about the ending state of F. However, it is not straightforward to extract the ending state on von Neumann-style operational semantics. In some denotational semantics for Hoare Logic **[17]**, F is modeled as a state-transformation function in the domain of Σ → Σ. In this kind of semantics, given a state σ, the ending state is just F(σ). It is not straightforward to get the ending state f...

**Foundational proof-carrying code**
- Appel
- 2001
- Citations: 229

Citation context: ...ntics for the logic. The soundness and completeness theorems are then presented. In Section 4, we briefly discuss the implementation and the role of Lc in the Foundational Proof-Carrying Code project **[4]**. In Section 5, we conclude and discuss future work. A more detailed treatment of the logic, its semantics, and its applications can be found in the first author's PhD thesis [16]. 2 Program Logic Lc ...

**Program fragments, linking, and modularization**
- Cardelli
- 1997
- Citations: 145

Citation context: ...formal rules for composing statements. When verifying properties of goto statements and labels, Floyd's system also assumes the availability of the complete program. Cardelli proposed a linking logic **[11]** to formalize program linking. Glew and Morrisett [12] defined a modular assembly language to perform type-safe linking. Our logic is related to these works because exit labels can be thought as impor...

**An indexed model of recursive types for foundational proof-carrying code**
- Appel, McAllester
- Citations: 134

Citation context: ...gher approximation. In this inductive interpretation, Ψ′ and Ψ are treated differently, and it allows the discharge rule to be justified by induction. Appel and McAllester proposed the indexed model **[17]**, where all predicates are approximated by counting computation steps. Our own work [18] used the indexed model to construct a semantic model for a typed assembly language. Next, we will adopt the ide...

**Soundness and completeness of an axiom system for program verification**
- Cook
- 1978
- Citations: 117

Citation context: ...We informally explain the meanings of expressiveness, Assertion being negatively testable, and (F, Ψ′, Ψ) being normal below; their precise definitions are in the thesis [16]. As pointed out by Cook **[20]**, a program logic can fail to be complete, if the assertion language is not powerful enough to express invariants for loops in a program. Therefore, the completeness theorem assumes that the assertion...

**A syntactic approach to foundational proof-carrying code**
- Hamid, Shao, et al.
- 2002
- Citations: 93

Citation context: ......,Ln : pn|{pi}goto Li{false}〉. Judgment (1) is sufficient for verifying properties of programs with goto statements. Typed Assembly Languages (TAL) by Morrisett et al. [13] and many of its variants **[5, 8, 10]** use a similar judgment to verify type safety of assembly-language programs. However, judgment (1) assumes the availability of global information, because it judges a statement s under all label invar...

**Toward a foundational typed assembly language**
- Crary
- 2003
- Citations: 88

Citation context: ......,Ln : pn|{pi}goto Li{false}〉. Judgment (1) is sufficient for verifying properties of programs with goto statements. Typed Assembly Languages (TAL) by Morrisett et al. [13] and many of its variants **[5, 8, 10]** use a similar judgment to verify type safety of assembly-language programs. However, judgment (1) assumes the availability of global information, because it judges a statement s under all label invar...

**Type-safe linking and modular assembly language**
- Glew, Morrisett
- 1999
- Citations: 59

Citation context: ...properties of goto statements and labels, Floyd's system also assumes the availability of the complete program. Cardelli proposed a linking logic [11] to formalize program linking. Glew and Morrisett **[12]** defined a modular assembly language to perform type-safe linking. Our logic is related to these works because exit labels can be thought as imported labels in a module, and entry labels as exported l...

**Certified assembly programming with embedded code pointers. POPL**
- Ni, Shao
- 2006
- Citations: 53

Citation context: ...op(e1,...,ear(op)) boolean expressions BExp b ::= true | b1 ∨ b2 | ¬b | re(e1,...,ear(re)) Fig. 1. Language syntax, where ar(op) is the arity of the symbol op. Recent works by Benton [13], Ni and Shao **[14]**, and Saabas and Uustalu [15] define compositional program logics for low-level machines; their systems also reason modularly about program fragments and linking. To deal with procedure calls and retu...

**A provably sound TAL for back-end optimization**
- Chen, Wu, et al.
- 2003
- Citations: 40

Citation context: ...with the soundness proof is the safety proof of the machine code. The major research problem of the FPCC project is to prove the soundness of our type system—a low-level typed assembly language (LTAL **[21]**). LTAL can check the memory-safety of SPARC machine code that is generated from our ML compiler. When proving the soundness of LTAL, we found it is easier to have an intermediate calculus to aid the ...

**Program proving: Jumps and functions**
- Clint, Hoare
- 1972
- Citations: 31

Citation context: ...ments need to jump to it. Related work on program logic for goto statements. Many researchers have also realized the difficulty of verifying properties of programs with goto statements in Hoare Logic **[6, 12, 4, 9, 15]**. Some of them have proposed improvements over Hoare Logic. Almost all of these works are at the level of high-level languages. For example, they treat a while loop as a separate syntactic construct a...

**A typed, compositional logic for a stack-based abstract machine**
- Benton
- 2005
- Citations: 22

Citation context: ...ons Exp e ::= x | op(e1,...,ear(op)) boolean expressions BExp b ::= true | b1 ∨ b2 | ¬b | re(e1,...,ear(re)) Fig. 1. Language syntax, where ar(op) is the arity of the symbol op. Recent works by Benton **[13]**, Ni and Shao [14], and Saabas and Uustalu [15] define compositional program logics for low-level machines; their systems also reason modularly about program fragments and linking. To deal with proced...

**Axiomatic approach to side effects and general jumps**
- Kowaltowski
- 1977
- Citations: 21

Citation context: ...ments need to jump to it. Related work on program logic for goto statements. Many researchers have also realized the difficulty of verifying properties of programs with goto statements in Hoare Logic **[6, 12, 4, 9, 15]**. Some of them have proposed improvements over Hoare Logic. Almost all of these works are at the level of high-level languages. For example, they treat a while loop as a separate syntactic construct a...

**Proof rules for gotos**
- Arbib, Alagic
- 1979
- Citations: 15

Citation context: ...ments need to jump to it. Related work on program logic for goto statements. Many researchers have also realized the difficulty of verifying properties of programs with goto statements in Hoare Logic **[6, 12, 4, 9, 15]**. Some of them have proposed improvements over Hoare Logic. Almost all of these works are at the level of high-level languages. For example, they treat a while loop as a separate syntactic construct a...

**A compositional natural semantics and Hoare logic for low-level languages, Theor**
- Saabas, Uustalu
- Citations: 15

Citation context: ...pressions BExp b ::= true | b1 ∨ b2 | ¬b | re(e1,...,ear(re)) Fig. 1. Language syntax, where ar(op) is the arity of the symbol op. Recent works by Benton [13], Ni and Shao [14], and Saabas and Uustalu **[15]** define compositional program logics for low-level machines; their systems also reason modularly about program fragments and linking. To deal with procedure calls and returns, Benton uses Hoare-style ...

**Construction of a semantic model for a typed assembly language**
- Tan, Appel, et al.
- 2004
- Citations: 14

Citation context: ... and it allows the discharge rule to be justified by induction. Appel and McAllester proposed the indexed model [17], where all predicates are approximated by counting computation steps. Our own work **[18]** used the indexed model to construct a semantic model for a typed assembly language. Next, we will adopt the idea of approximation by counting computation steps from the indexed model to develop a sem...

**Goto statements: Semantics and deduction systems**
- Bruin
- 1981
- Citations: 11

Citation context: ...tic construct and have a rule for it. In comparison, Lc derives rules for control-flow structures. These previous works also differ from Lc in terms of the form of specification. The work by de Bruin **[8]** is a typical example. In his system, the judgment for a statement s is: 〈L1 : p1,...,Ln : pn|{p}s{q}〉, (2) where L1,...,Ln are labels in a program P ; the assertion pi is the invariant associated wit...

**A Compositional Logic for Control Flow and its Application to Foundational Proof-Carrying Code**
- Tan
- 2005
- Citations: 10

Citation context: ...Carrying Code project [4]. In Section 5, we conclude and discuss future work. A more detailed treatment of the logic, its semantics, and its applications can be found in the first author's PhD thesis **[16]**. 2 Program Logic Lc We present Lc on a simple imperative language. Figure 1 presents the syntax of the language. Most of the syntax is self-explanatory, and we only stress a few points. First, since ...

**A critique of the foundations of Hoare style programming logics**
- O'Donnell
- 1982
- Citations: 8

**Typed Machine Language**
- Swadi
- 2003
- Citations: 5

Citation context: ...m logic plus machine semantics. Then we prove LTAL is sound based on the lemmas provided by the intermediate calculus. The intermediate calculus in the FPCC project is Lc, together with a type theory **[22]** as the assertion language. By encoding on top of SPARC machine the semantics of Lc, which we have presented, we have proved that Lc is sound with machine-checked proofs in Twelf. Then, we prove that ...

**A compositional logic for control flow.** http://www.cs.princeton.edu/∼gtan/paper/logic tr.pdf
- Tan, Appel
- 2004
- Citations: 1