Showing papers on "Hoare logic published in 2004"

Simple relational correctness proofs for static analyses and program transformations

Abstract: We show how some classical static analyses for imperative programs, and the optimizing transformations which they enable, may be expressed and proved correct using elementary logical and denotationaltechniques. The key ingredients are an interpretation of program properties as relations, rather than predicates, and a realization that although many program analyses are traditionally formulated in very intensional terms, the associated transformations are actually enabled by more liberal extensional properties.We illustrate our approach with formal systems for analysing and transforming while-programs. The first is a simple type system which tracks constancy and dependency information and can be used to perform dead-code elimination, constant propagation and program slicing as well as capturing a form of secure information flow. The second is a relational version of Hoare logic, which significantly generalizes our first type system and can also justify optimizations including hoisting loop invariants. Finally we show how a simple available expression analysis and redundancy elimination transformation may be justified by translation into relational Hoare logic.

Information Flow Analysis in Logical Form

Abstract: We specify an information flow analysis for a simple imperative language, using a Hoare-like logic. The logic facilitates static checking of a larger class of programs than can be checked by extant type-based approaches in which a program is deemed insecure when it contains an insecure subprogram. The logic is based on an abstract interpretation of program traces that makes independence between program variables explicit. Unlike other, more precise, approaches based on a Hoare-like logic, our approach does not require a theorem prover to generate invariants. We demonstrate the modularity of our approach by showing that a frame rule holds in our logic. Moreover, given an insecure but terminating program, we show how strongest postconditions can be employed to statically generate failure explanations.

A Tutorial Introduction to CSP in Unifying Theories of Programming

Abstract: In their Unifying Theories of Programming (UTP), Hoare & He use the alphabetised relational calculus to give denotational semantics to a wide variety of constructs taken from different programming paradigms. A key concept in their programme is the design: the familiar precondition-postcondition pair that describes the contract between a programmer and a client. We give a tutorial introduction to the theory of alphabetised relations, and its sub-theory of designs. We illustrate the ideas by applying them to theories of imperative programming, including Hoare logic, weakest preconditions, and the refinement calculus.

Cocktail : a tool for deriving correct programs

Abstract: Cocktail is a tool for deriving correct programs from their specifications. The present version is powerful enough for educational purposes. The tool yields support for many sorted first order predicate logic, formulated in a pure type system with parametric constants (CPTS), as the specification language, a simple While- language, a Hoare logic represented in the same CPTS for deriving programs from their specifications and a simple tableau based automated theorem prover for verifying proof obligations.

Simple relational correctness proofs for static analyses and program transformations

Abstract: We show how some classical static analyses for imperative programs, and the optimizing transformations which they enable, may be expressed and proved correct using elementary logical and denotation...

Towards Mechanized Program Verification with Separation Logic

Abstract: Using separation logic, this paper presents three Hoare logics (corresponding to different notions of correctness) for the simple While language extended with commands for heap access and modification. Properties of separating conjunction and separating implication are mechanically verified and used to prove soundness and relative completeness of all three Hoare logics. The whole development, including a formal proof of the Frame Rule, is carried out in the theorem prover Isabelle/HOL.

A tutorial introduction to unifying theories of programming

Abstract: In their Unifying Theories of Programming (UTP), Hoare & He use the alphabetised relational calculus to give denotational semantics to a wide variety of constructs taken from different programming paradigms. A key concept in their programme is the design: the familiar precondition-postcondition pair that describes the contract between a programmer and a client. We give a tutorial introduction to the theory of alphabetised relations, and its sub-theory of designs. We illustrate the ideas by applying them to theories of imperative programming, including Hoare logic, weakest preconditions, and the refinement calculus.

Generic Exception Handling and the Java Monad

Abstract: We develop an equational definition of exception monads that characterizes Moggi’s exception monad transformer. This axiomatization is then used to define an extension of previously described monad-independent computational logics by abnormal termination. Instantiating this generic formalism with the Java monad used in the LOOP project yields in particular the known Hoare calculi with abnormal termination and JML’s method specifications; this opens up the possibility of extending these formalisms by hitherto missing computational features such as I/O and nondeterminism.

Reasoning about Web information systems using story algebras

Abstract: As web information systems (WIS) tend to become large, it becomes decisive that the underlying application story is well designed. Such stories can be expressed by a process algebra. In this paper we show that such WIS-oriented process algebras lead to many-sorted Kleene algebras with tests, where the sorts correspond to scenes in the story space. As Kleene algebras with tests subsume propositional Hoare logic, they are an ideal candidate for reasoning about the story space. We show two applications for this: (1) the personalisation of the story space to the preferences of a particular user, and (2) the satisfaction of particular information needs of a WIS user.

Reasoning about Web information systems using story algebras

Abstract: As web information systems (WIS) tend to become large, it becomes decisive that the underlying application story is well designed. Such stories can be expressed by a process algebra. In this paper we show that such WIS-oriented process algebras lead to many-sorted Kleene algebras with tests, where the sorts correspond to scenes in the story space. As Kleene algebras with tests subsume propositional Hoare logic, they are an ideal candidate for reasoning about the story space. We show two applications for this: (1) the personalisation of the story space to the preferences of a particular user, and (2) the satisfaction of particular information needs of a WIS user.

Mechanical theorem proving in computational geometry

Abstract: Algorithms for solving geometric problems are widely used in many scientific disciplines. Applications range from computer vision and robotics to molecular biology and astrophysics. Proving the correctness of these algorithms is vital in order to boost confidence in them. By specifying the algorithms formally in a theorem prover such as Isabelle, it is hoped that rigorous proofs showing their correctness will be obtained. This paper outlines our current framework for reasoning about geometric algorithms in Isabelle. It focuses on our case study of the convex hull problem and shows how Hoare logic can be used to prove the correctness of such algorithms.

Monad-independent Dynamic Logic in HasCasl

Abstract: Monads have been recognized by Moggi as an elegant device for dealing with stateful computation in functional programming languages. In previous work, we have introduced a Hoare calculus for partial correctness of monadic programs. All this has been done in an entirely monad-independent way. Here, we extend this to a monad-independent dynamic logic (assuming amoderate amount of additional infrastructure for the monad). Dynamic logic is more expressive than the Hoare calculus; in particular, it allows reasoning about termination and total correctness. The background formalism for these concepts is the logic of HasCasl, a higher-order language for functional specification and programming. As an example application, we develop a monad-independent Hoare calculus for total correctness based on our dynamic logic, and illustrate this calculus by a termination proof for Dijkstra's nondeterministic implementation of Euclid's algorithm.

A Relational Model for Object-Oriented Designs

Abstract: This paper develops a mathematical characterisation of object-oriented concepts by defining an observation-oriented semantics for an object-oriented language (OOL) with a rich variety of features including subtypes, visibility, inheritance, dynamic binding and polymorphism. The language is expressive enough for the specification of object-oriented designs and programs. We also propose a calculus based on this model to support both structural and behavioural refinement of object-oriented designs. We take the approach of the development of the design calculus based on the standard predicate logic in Hoare and He’s Unifying Theories of Programming (UTP). We also consider object reference in terms of object identity as values and mutually dependent methods.

Semantics of a sequential language for exact real-number computation

Abstract: We study a programming language with a built-in ground type for real numbers. In order for the language to be sufficiently expressive but still sequential, we consider a construction proposed by Boehm and Cartwright. The non-deterministic nature of the construction suggests the use of powerdomains in order to obtain a denotational semantics for the language. We show that the construction cannot be modelled by the Plotkin or Smyth powerdomains, but that the Hoare powerdomain gives a computationally adequate semantics. As is well known, Hoare semantics can be used in order to establish partial correctness only. Since computations on the reals are infinite, one cannot decompose total correctness into the conjunction of partial correctness and termination as it is traditionally done. We instead introduce a suitable operational notion of strong convergence and show that total correctness can be proved by establishing partial correctness (using denotational methods) and strong convergence (using operational methods). We illustrate the technique with a representative example.

Modal Kleene Algebra and partial correctness

Abstract: Modal Kleene algebra is Kleene algebra enriched by forward and backward box and diamond operators. We formalize the symmetries of these operators as Galois connections and dualities. We study their properties in the associated semirings of operators. Modal Kleene algebra provides a unifying semantics for various program calculi and enhances efficient cross-theory reasoning in this class, often in a very concise state-free style. This claim is supported by novel algebraic soundness and completeness proofs for Hoare logic.

From process logic to program logic

Abstract: We present a process logic for the p -calculus with the linear/affine type discipline [6, 7, 31, 32, 33, 59, 60]. Built on the preceding studies on logics for programs and processes, simple systems of assertions are developed, capturing the classes of behaviours ranging from purely functional interactions to those with destructive update, local state and genericity. A central feature of the logic is representation of the behaviour of an environment as the dual of that of a process in an assertion, which is crucial for obtaining compositional proof systems. From the process logic we can derive compositional program logics for various higher-order programming languages, whose soundness is proved via their embeddings into the process logic. In this paper, the key technical framework of the process logic and its applications is presented focussing on pure functional behaviour and a prototypical call-by-value functional language, leaving the full technical development to [27, 26].

Formal methods for components and objects : Second International Symposium, FMCO 2003, Leiden, the Netherlands, November 4-7, 2003 : revised lectures

Abstract: Causality and Scheduling Constraints in Heterogeneous Reactive Systems Modeling.- Machine Function Based Control Code Algebras.- Exploiting Abstraction for Specification Reuse. The Java/C# Case Study.- On the Verification of Cooperating Traffic Agents.- How to Cook a Complete Hoare Logic for Your Pet OO Language.- Behavioural Specification for Hierarchical Object Composition.- Consistency Management within Model-Based Object-Oriented Development of Components.- CommUnity on the Move: Architectures for Distribution and Mobility.- TulaFale: A Security Tool for Web Services.- A Checker for Modal Formulae for Processes with Data.- Semantic Essence of AsmL: Extended Abstract.- An MDA Approach to Tame Component Based Software Development.- An Application of Stream Calculus to Signal Flow Graphs.- Synchronous Closing and Flow Analysis for Model Checking Timed Systems.- Priority Systems.- Preserving Properties under Change.- Tools for Generating and Analyzing Attack Graphs.

How to cook a complete Hoare logic for your pet OO language

Abstract: This paper introduces a general methodology for obtaining complete Hoare logics for object-oriented languages. The methodology is based on a new completeness result of a Hoare logic for a procedural language with dynamically allocated variables. This new result involves a generalization of Gorelick's seminal completeness result of the standard Hoare logic for recursive procedures with simple variables. We show how this completeness result can be generalized to existing Hoare logics for typical object-oriented concepts like method calls, sub-typing and inheritance, and dynamic binding, by transforming an encoding of these concepts into this procedural language with dynamically allocated variables.

Experimental Program Verification in the Theorema System.

Abstract: We describe practical experiments of program verification in the frame of the Theorema system. This includes both imperative programs (using Hoare logic), as well as functional programs (using fixpoint theory). For a certain class of imperative programs we are able to generate automatically the loop invariants and then verification conditions, by using combinatorial and algebraic techniques. Verification conditions for functional recursive programs are derived and soundness theorem is proven. The verification conditions in both cases are generated as natural-style predicate logic formulae, which can be then proven by Theorema, by issuing naturalstyle proofs which are human–readable.

Partial correctness assertions provable in dynamic logics

Abstract: We consider a formalism DL for first order Dynamic Logic, based on Segerberg’s axioms for modalities, and observe that DL is not conservative over Hoare Logic (HL) when the background theory is empty, but is conservative if the background theory is the complete theory of an expressive structure (in the sense of Cook). We identify Peano Arithmetic (PA) as the transition point between these two states of affairs: DL is conservative over HL in the presence of a number theory that contains PA, and is not conservative for the sub-theories of PA with a bound on the complexity of induction formulas.

Interfacing hoare logic and type systems for Foundational Proof-Carrying code

Abstract: In this paper, we introduce a Foundational Proof-Carrying Code (FPCC) framework for constructing certified code packages from typed assembly language that will interface with a similarly certified runtime system Our framework permits the typed assembly language to have a foreign function interface, in which stubs, initially provided when the program is being written, are eventually compiled and linked to code that may have been written in a language with a different type system, or even certified directly in the FPCC logic using a proof assistant We have increased the potential scalability and flexibility of our FPCC system by providing a way to integrate programs compiled from different source type systems In the process, we are explicitly manipulating the interface between Hoare logic and a syntactic type system

Modularity and the Rule of Adaptation

Abstract: This paper presents a new rule for reasoning about method calls in object-oriented programs. It is an adaptation of Hoare’s rule of adaptation to the object-oriented paradigm, which takes both the write effects and the creational effects of a method into account. The new rule contributes in various ways to the modularity of the specification. We also argue that our rule of adaptation is the missing link between Hoare logics and proof outlines for object-oriented programs.

Automatic verification of cryptographic protocols

Abstract: Cryptographic protocols play a major role in any application where data integrity, confidentiality, authenticity and other security related properties are crucial. Such applications include Smart-Cards, e-business, electronic vote or internet-based contract signing. In the first part of thesis, we show that the reachability problem for timed bounded cryptographic protocols and security properties, such as secret and authentication, is decidable and NP-complete. Our procedure is based on a complete and effective Hoare logic for timed bounded cryptographic protocols and an expressive assertion language. In the second part, using abstract interpretation techniques, we apply this method for verifying secrecy properties of cryptographic protocols in a general setting. We deal with unbounded number of sessions, unbounded number of principals, unbounded message depth and unbounded creation of fresh nonces. We provide an algorithm which computes an inductive invariant using patterns as symbolic representation. This algorithm has been implemented in the Hermes tool and has been validated on several case studies.

Modularity and the rule of adaptation

Abstract: This paper presents a new rule for reasoning about method calls in object-oriented programs. It is an adaptation of Hoare's rule of adaptation to the object-oriented paradigm, which takes both the write effects and the creational effects of a method into account. The new rule contributes in various ways to the modularity of the specification. We also argue that our rule of adaptation is the missing link between Hoare logics and proof outlines for object-oriented programs.

A Practical Approach to Proving Termination of Recursive Programs in Theorema

Abstract: We report work in progress concerning the theoretical basis and the implementation in the Theorema system of a methodology for the generation of verification conditions for recursive procedures, with the aim of practical verification of recursive programs. Proving total correctness is achieved by proving separately partial correctness and then termination. In contrast to other approaches, which use a special theory describing the behavior of programs, we use such a theory only “in the background”, for developing a general rule for generating verification conditions, while the conditions themselves are presented (and provable) using the theories relevant to the program text only. This is very important for automatic proving, since it reduces significantly the effort of the provers. We performed practical experiments in which various programs are completely verified using the verification condition generator and the provers of the Theorema system. Introduction. While proving [partial] correctness of non-recursive procedural programs is quite well understood, for instance by using Hoare Logic [3], [6], there are relatively few approaches to recursive procedures (see e.g. [8] Chap. 2). We discuss here a practical approach to automatic generation of verification conditions for functional recursive programs, partially based on Scott induction in the fixpoint theory of programs [13,11,7,9] and the implementation of this approach. The implementation is part of the Theorema system, and complements the research performed in the Theorema group on verification and synthesis of functional algorithms based on logic principles [1,2,4]. The Theorema system (www.theorema.org, [12]) aims at realization of a computer aided assistant for the working mathematicians and engineers, which integrates automatic reasoning, algebraic computing, and equational solving. The system provides an uniform environment in natural logico-mathematical language for defining, testing, and proving properties of algorithms, and in general for creating and investigating mathematical models. We consider the correctness problem expressed as follows: given the program (by its source text) which computes the function F and given its specification by a precondition on the input IF [x] and a postcondition on the input and the output OF [x, y], generate the verification conditions which are [minimally] sufficient for the program to satisfy the specification. For simplifying the presentation, we consider here the “homogeneous” case: all functions and predicates are interpreted over the same domain. Proving the verification conditions ? The program verification project in the frame of e-Austria Timisoara is supported by BMBWK (Austrian Ministry of Education, Science and Culture), BMWA (Austrian Ministry of Economy and Work) and MEC (Romanian Ministry of Education and Research). The Theorema project is supported by FWF (Austrian National Science Foundation) – SFB project P1302. Additional support comes from the EU project CALCULEMUS (HPRN-CT-2000-00102). will require the specific theory relevant to this domain and to the auxiliary functions and predicates which occur in the program. The functional program of F can be interpreted as a set of predicate logic formulae, and the correctness of the program can be expressed as: ∀x IF [x] : OF [x, F [x]], (1) which we will call the correctness formula of F . In order for the program to be correct, the correctness formula (1) must be a logical consequence the formulae corresponding to the definition of the function (and the specific theory). This approach was previously used by other authors and is also experimented in the Theorema system [1]. However, the proof of such one-single theorem may be difficult, because the prover has to find the appropriate induction principle and has to find out how to use the properties of the auxiliary functions present in the program. The method presented in this paper generates several verification conditions, which are easier to prove. In particular, only the termination condition needs an inductive proof, and this termination condition is “reusable”, because it basically expresses an induction principle which may be useful for several programs. This is important for automatic verification embedded in a practical verification system, because it leads to early detection of bugs (when proofs of simpler verification conditions fail). Moreover, the verification conditions are provable in the frame of predicate logic, without using any theoretical model for program semantics or program execution, but only using the theories relevant to the predicates and functions present in the program text. This is again important for the automatic verification, because any additional theory present in the system will significantly increase the proving effort. We start by developing a set of rules for generating verification conditions, for programs having a particular structure. The rules for partial correctness are developed using Scott induction and the fixpoint theory of programs, however the verification conditions themselves do not refer to this theory, they only state facts about the predicates and functions present in the program text. In particular, the termination condition consists in a property of a certain simplified version of the original program. By inspecting the shape of these rules for several program structures, it is possible to derive a more general rule for the derivation of verification conditions, such that the correctness formula (see above) is a logical consequence of these verification conditions in the frame of predicate logic, without using any model of computation. We approach the correctness problem by splitting it into two parts: partial correctness (prove that the program satisfies the specification provided it terminates), and termination (prove that the program always terminates). Proving partial correctness may be achieved by Scott’s induction [13,11,7,9] – a detailed description of the method for a certain class of functional programs is presented in [10]. Example: Simple Recursive Programs. Let be the program: F [x] = If Q[x] then S[x] else C[x, F [R[x]]],

Real-Time and Fault-Tolerant Systems

Abstract: In this chapter, we show that functional and many non-functional properties of a real-time system, such as schedulability, or proving that its implementation meets its timing constraints, can be verified in a similar way. Likewise, the fault-tolerance of a system can be proved using the same techniques. We use a single notation and model and take a unified view of the functional and non-functional properties of programs. A simple transformational method is used to combine these properties [167, 168]. We show how the theory of concurrency, fault-tolerance, real-time and scheduling can be built on the theories of sequential programming, such as those of Dijkstra’s calculus of weakest preconditions [81], Hoare Logic [114], Morgan’s refinement calculus [192] and Hoare and He’s UTP [117]. These theories are discussed and used in Chapter 4 and Chapter 6.

Theorem proving in higher order logics: 17th International conference, TPHOLs 2004 park city, Utah, USA, september 14-17, 2004 proceedings 13

Abstract: Error Analysis of Digital Filters Using Theorem Proving.- Verifying Uniqueness in a Logical Framework.- A Program Logic for Resource Verification.- Proof Reuse with Extended Inductive Types.- Hierarchical Reflection.- Correct Embedded Computing Futures.- Higher Order Rippling in IsaPlanner.- A Mechanical Proof of the Cook-Levin Theorem.- Formalizing the Proof of the Kepler Conjecture.- Interfacing Hoare Logic and Type Systems for Foundational Proof-Carrying Code.- Extensible Hierarchical Tactic Construction in a Logical Framework.- Theorem Reuse by Proof Term Transformation.- Proving Compatibility Using Refinement.- Java Program Verification via a JVM Deep Embedding in ACL2.- Reasoning About CBV Functional Programs in Isabelle/HOL.- Proof Pearl: From Concrete to Functional Unparsing.- A Decision Procedure for Geometry in Coq.- Recursive Function Definition for Types with Binders.- Abstractions for Fault-Tolerant Distributed System Verification.- Formalizing Integration Theory with an Application to Probabilistic Algorithms.- Formalizing Java Dynamic Loading in HOL.- Certifying Machine Code Safety: Shallow Versus Deep Embedding.- Term Algebras with Length Function and Bounded Quantifier Alternation.

On the Use of goto's in Programming Based on Finite State Machines: From the Hoare Logic Viewpoint

Abstract: Rights 社団法人 情報処理学会, 金藤栄孝,二木厚吉, 情報処 理学会論文誌, 45(9), 2004, 2124-2137. ここに掲載 した著作物の利用に関する注意: 本著作物の著作権は (社)情報処理学会に帰属します。本著作物は著作権 者である情報処理学会の許可のもとに掲載するもので す。ご利用に当たっては「著作権法」ならびに「情報 処理学会倫理綱領」に従うことをお願いいたします。 Notice for the use of this material: The copyright of this material is retained by the Information Processing Society of Japan (IPSJ). This material is published on this web site with the agreement of the author (s) and the IPSJ. Please be complied with Copyright Law of Japan and the Code of Ethics of the IPSJ if any users wish to reproduce, make derivative work, distribute or make available to the public any part or whole thereof. All Rights Reserved, Copyright (C) Information Processing Society of Japan.

Using automated reasoning systems on molecular computing

Abstract: This paper is focused on the interplay between automated reasoning systems (as theoretical and formal devices to study the correctness of a program) and DNA computing (as practical devices to handle DNA strands to solve classical hard problems with laboratory techniques). To illustrate this work we have proven in the PVS proof checker, the correctness of a program, in a sticker based model for DNA computation, solving the pairwise disjoint families problem. Also we introduce the formalization of the Floyd–Hoare logic for imperative programs.