No full-text available
To read the full-text of this research,
you can request a copy directly from the author.
Programming Language Constructs for Which It Is Impossible To Obtain Good Hoare Axiom Systems
Abstract
Hoare-like deduction systems for establishing partial correctness of programs may fail to be complete because of (a) incompleteness of the assertion language relative to the underlying interpretation or (b) inability of the assertion language to express the invariants of loops. S. Cook has shown that if there is a complete proof system for the assertion language (e.g. all true statements of the assertion language) and if the assertion language satisfies a certain natural expressibility condition, then sound and complete axiom systems for a fairly large subset of Algol may be devised. We exhibit programming language constructs for which it is impossible to obtain sound and complete sets of Hoare-like axioms even in this special sense of Cook's. These constructs include (i) recursive procedures with procedure parameters in a programming language which uses static scope of identifiers and (ii) coroutines in a language which allows parameterless recursive procedures. Modifications of these constructs for which it is possible to obtain sound and complete systems of axioms are also discussed.
... Wer sich mit den Themen Korrektheit und Vollständigkeit tiefergehend beschäftigen möchte, sei auf [Coo78], [Cla79] und [Jos85] verwiesen. [Coo78] hat für die Vollständigkeit die Bedingung der Expressivität eingeführt. ...
... [Coo78] hat für die Vollständigkeit die Bedingung der Expressivität eingeführt. [Cla79] findet Beispiele, wo Expressivität für einen korrekten und vollständigen Hoare-Kalkül nicht ausreicht (Stichwort Rekursion). Clark definiert 5 Kriterien, die diesen verhindern, und diskutiert jene einfacheren Sprachen, die entstehen, wenn eines der Kriterien ausgelassen wird. ...
... Clark definiert 5 Kriterien, die diesen verhindern, und diskutiert jene einfacheren Sprachen, die entstehen, wenn eines der Kriterien ausgelassen wird. Für 4 dieser Sprachen wird in [Cla79] bzw. [Old81] gezeigt, dass sie vollständige Hoare-Kalküle haben. ...
... The main difficulty in the proof, that proceeds by induction on the program structure, consists in finding the loop invariants. A simpler argument was provided in [Cla79], where a dual definition of expressiveness was used. Instead of the strongest postcondition it relied on the so-called weakest liberal precondition, which, given an interpretation I , assertion Q and a program S , is defined by ...
... Programming languages like Algol 60 [NBB + 63] and Pascal [JW75] contain procedure mechanisms that are considerably more complex than what we discussed so far. In his seminal paper [Cla79], E.M. Clarke identified a combination of features for which it is impossible to obtain a Hoare-like proof system that is sound and relatively complete (in the sense of Cook). By a Hoare-like proof system we mean a set of syntax-directed proof rules for correctness formulas about programs in the programming language under consideration such that the application of each proof rule is decidable. ...
... Clarke [Cla79] described his simulation idea of a queue machine with a program in L as follows: ...
We present a history of Hoare’s logic.
... The main difficulty in the proof, that proceeds by induction on the program structure, consists in finding the loop invariants. A simpler argument was provided in [Cla79], where a dual definition of expressiveness was used. Instead of the strongest postcondition it relied on the so-called weakest liberal precondition, which, given an interpretation I, assertion Q and a program S, is defined by ...
... Programming languages like Algol 60 [NBB + 63] and Pascal [JW75] contain procedure mechanisms that are considerably more complex than what we discussed so far. In his seminal paper [Cla79], Edmund M. Clarke identified a combination of features for which it is impossible to obtain a Hoare-like proof system that is sound and relatively complete (in the sense of Cook). Clarke proved this incompleteness result for a block-structured programming language L 0 which includes the following features that are present in Algol 60 and Pascal: ...
... Clarke [Cla79] described his simulation idea of a queue machine with a program in L as follows: ...
We discuss a history of Hoare's logic.
... Throughout this paper, we assume that procedures cannot be passed as parameters. There exist several program models where safety is efficiently decidable (with the stated assumption [7]), e.g., Boolean programs with (unbounded) recursion and the unbounded use of stack [1,8]. The general observation behind these algorithms is that one can summarize the input-output behavior of a procedure, where a summary of a procedure is an input-output relation describing what is currently known about its behavior. ...
... We now define an MBP LRAProj η for LRA as a map from models of η m to disjuncts in (7). Given M | η m , LRAProj η picks a disjunct that covers M based on values of the literals of the form x = e and < x in M. Ties are broken by a syntactic ordering on terms (e.g., when M | = for two literals < x and < x). ...
... LRAProj η is a Model Based Projection.Proof By definition, LRAProj η has a finite image, as there are only finitely many disjuncts in(7). Thus, it suffices to show that for every M | η m , M | LRAProj η (M).Let M | η m and LRAProj η ...
We present an SMT-based symbolic model checking algorithm for safety verification of recursive programs. The algorithm is modular and analyzes procedures individually. Unlike other SMT-based approaches, it maintains both over- and under-approximations of procedure summaries. Under-approximations are used to analyze procedure calls without inlining. Over-approximations are used to block infeasible counterexamples and detect convergence to a proof. We show that for programs and properties over a decidable theory, the algorithm is guaranteed to find a counterexample, if one exists. However, efficiency depends on an oracle for quantifier elimination (QE). For Boolean programs, the algorithm is a polynomial decision procedure, matching the worst-case bounds of the best BDD-based algorithms. For Linear Arithmetic (integers and rationals), we give an efficient instantiation of the algorithm by applying QE lazily. We use existing interpolation techniques to over-approximate QE and introduce Model Based Projection to under-approximate QE. Empirical evaluation on SV-COMP benchmarks shows that our algorithm improves significantly on the state-of-the-art.
... First, we define a transition relation + between configurations of an abstract machine, where a configuration is simply a pair (S, 6) consisting of a program S and a state 8. ...
... It turns out that the language of Presburger arithmetic is not expressive relative to I+ and W . But the language of Peano arithmetic is expressive relative to IN and W. Also, as observed by Clarke [6], any language L is expressive relative to any finite interpretation and W . Actually, these are the only two possibilities, as shown by the following theorem However, Clarke [6] proved an astonishing incompleteness result , w hich is: ...
... It turns out that the language of Presburger arithmetic is not expressive relative to I+ and W . But the language of Peano arithmetic is expressive relative to IN and W. Also, as observed by Clarke [6], any language L is expressive relative to any finite interpretation and W . Actually, these are the only two possibilities, as shown by the following theorem However, Clarke [6] proved an astonishing incompleteness result , w hich is: ...
GOLOG is a situation calculus-based logic programming laquage for dynamic domains iike robots, industrial processes, intelligent software agents, etc. This thesis explores Hoare's axiomatic approach to program verification in the GOLOG context. We present Hoamstyle proof systems for partial correctness and termination of procedure-less GOLOG programs, and prove the corresponding soundness and completeness results. We extend t hese proof systems to deal with partial correctness and termination of recursive GO LOG procedures, and prove the soundness of the resulting systems. Examples are given to il- Iustrate the use of these proof systems.
... Despite its age, research problems in [21] can still be considered as actually not resolved, for instance, the aliasing problem, which is the case whenever two locations point to the same value memory cell in dynamic memory. Moreover, the Hoare calculus is found inappropriate as it has been suggested initially for (i) the automated generation of loop invariants for an arbitrary incoming program (ii) procedures which are passed as arguments (iii) changing the scope mode of variables (e.g. ...
... For the sake of completeness, Clarke suggests forbidding location sharing, which will be dropped here. [21] shows it is possible to prove the correctness of co-routines when recursion is guaranteed to be absent. ...
This review article provides an overview of recent approaches and techniques in specifying and verifying dynamic memory with class objects. Dynamic memory verification may be used in order to show, for instance, the absence of memory leaks or the validity of memory access.
... Cook's result was extended by Gerald A. Gorelick in [16], where a proof system for recursive procedures was introduced and proved to be sound and relatively complete. This line of research led to the seminal paper [8] of Edmund M. Clarke who exhibited a combination of five programming features the presence of which makes it impossible to obtain a Hoare-like proof system that is sound and relatively complete. ...
... The already mentioned work of [8] led to a research on proof systems for programming languages in which in presence of static scope both nested declarations of mutually recursive procedures and procedure names as parameters of procedure calls were allowed. In particular in [19], [11] and [15] sound and relatively complete Hoare-like proof systems were established, each time under different assumptions concerning the assertion language. ...
We provide a sound and relatively complete Hoare-like proof system for reasoning about partial correctness of recursive procedures in presence of local variables and the call-by-value parameter mechanism, and in which the correctness proofs are linear in the length of the program. We argue that in spite of the fact that Hoare-like proof systems for recursive procedures were intensively studied, no such proof system has been proposed in the literature.
... Cet codage vérifie les propriétés , 1979, Apt, 1981, Damm & Josko, 1983, German et al , 1983, Goerdt, 1985). Plus récemment, les structures de données modifiables et allouées dynamiquement ainsi que les fonctionnalités liées aux langages orientés objets ontétéénormémentétudiéesontétéontétéénormémentontétéénormémentétudiées. ...
... Les origines de notre travail proviennent de la logique de Hoare (Floyd, 1967, Hoare, 1969). Les extensions de la logique de Hoare pour intégrer les fonctions récursives et d'ordre supérieur ontétéontété intensivementétudiéesàintensivementétudiéesintensivementétudiéesà la fin des années 70 et au début des années 80 (Clarke, 1979, Apt, 1981, Damm & Josko, 1983, German et al , 1983, Goerdt, 1985). Damm & Josko, 1983, German et al , 1983) ont fait remarquer qu'il suffit d'utiliser une logique d'ordre supérieur pour passer outre le résultat négatif de Clarke. ...
Cette thèse étudie deux approches fondées sur l’analyse statique pour augmenter la sûreté defonctionnement et la correction des programmes informatiques.La première approche est le typage qui permet de prouver automatiquement qu’un programmes’évalue sans échouer. Le langage fonctionnel ML possède un système de type très riche et un algorithmeeffectuant une synthèse automatique de ces types. On s’intéresse à l’adaptation de cet algorithme auxtypes algébriques généralisés (GADT), une forme restreinte des inductifs de Coq, qui ont été introduitspar Hongwei Xi en 2003.Dans ce cadre, le calcul efficace d’un type plus général est impossible. On propose une stratificationqui maintient les caractéristiques habituelles sur le fragment ML et qui isole le traitement des GADTen explicitant leur utilisation. Le langage obtenu, MLGX, nécessite des annotations de type qui alour-dissent les programmes. Une seconde strate, MLGI, offre au programmeur un mécanisme de synthèselocale, prédictible et efficace bien qu’incomplet, de la plupart de ces annotations. La première parties’achève avec une démonstration de l’expressivité des GADT pour coder les invariants des automatesà pile utilisés par l’analyse syntaxique LR.La seconde approche augmente le langage de programmation par des assertions logiques permettantd’exprimer des spécifications de complexité arbitraire dans la logique d’ordre supérieur polymorphi-quement typée. On vérifie statiquement la conformité de la sémantique du programme vis-à-vis de cesspécifications à l’aide d’une technique appelée logique de Hoare qui consiste à engendrer un ensembled’obligations de preuves à partir d’un programme annoté. Une fois ces obligations de preuve traitées,si un programme est utilisé correctement et si il renvoie une valeur alors il est certain que celle-ci estcorrecte.Habituellement, cette technique est employée sur les langages impératifs. Avec un langage fonc-tionnel pur, les problèmes liés à l’état de la mémoire d’évanouissent tandis que l’ordre supérieur etle polymorphisme en posent de nouveaux. Nos choix de conceptions cherchent à maximiser les op-portunités d’utilisation de prouveurs automatiques en traduisant minutieusement les objets d’ordresupérieur en objets du premier ordre. Une implantation prototype du système en fournit une illustra-tion dans la preuve presque totalement automatique d’un module CAML d’arbres équilibrés dénotantdes ensembles finis.
... The problem of completeness also becomes more subtle. A result of Clarke (1979) shows that for sufficiently rich programming languages, with local variables and recursive higher-order procedures, no complete proof system exists. However, the situation is different again (i.e., complete systems may exist) if one is willing to sacrifice effective proof checking and moves to a second-order assertion language (Halpern 1984). ...
... Many of the papers for class-based languages cited above prove completeness of the presented proof systems for objects. In view of (Clarke 1979) such results must rely on one of the following properties. Firstly, the assertion language is higher-order logic rather than first-order logic; for example this is the case in (von Oheimb 2001). ...
... Hoare logics for this simple high-level programming language and high-level programming languages with more complicated constructs have been extensively studied since (see e.g. [8,10,12] for individual studies and [1] for a survey). Hoare logics and Hoare-like logics for simple highlevel programming languages with goto statements have been studied since as well (see e.g. ...
... The line of the proof of Theorem 2 for the case that the rule of inference last applied is R5 is reminiscent of the line of the soundness proof in [10] for the case that the rule of inference last applied is the recursion rule for calls of recursive procedures. In the proof of Theorem 2, S i ;#0 b is used instead of S i to guarantee that b is never greater than the length of the approximations of S ω . ...
We present a formal system for proving the partial correctness of a single-pass instruction sequence as considered in program algebra by decomposition into proofs of the partial correctness of segments of the single-pass instruction sequence concerned. The system is similar to Hoare logics, but takes into account that, by the presence of jump instructions, segments of single-pass instruction sequences may have multiple entry points and multiple exit points. It is intended to support a sound general understanding of the issues with Hoare-like logics for low-level programming languages.
... That implies that every property that is true of a program is provable (i.e., their method is complete). However, for some complex languages with some sophisticated features such as aliasing, Clarke [Cla79] has shown that completeness cannot be obtained. That has lead us to define a abstract predicate transformers, as they cannot claim to produce the most-precise information about program behaviour (i.e., strongest post-conditions or weakest pre-condition). ...
... Besides, [Cla79] has spotlighted the deficiencies of Hoare's logic for languages with complex features such as aliasing, side effects... that are shared by most database programming languages. ...
In this paper, we propose an efficient technique to statically manage integrity constraints in object- oriented database programming languages. We place ourselves in the context of a simplified database programming language, close to O , in which we assume that updates are undertaken by means of meth- ods. An important issue when dealing with constraints is that of efficiency. A na¨ ive management of such constraints can cause a severe floundering of the overall system. Our basic as sumption is that the run- time checking of constraints is too costly to be undertaken systematically. Therefore, methods that are always safe with respect to integrity constraints should be proven so at compile time. The run-time checks should only concern the remaining methods. To that purpose, we propose a new approach, based on the use of predicate transformers combined with automatic theorem proving techniques, to prove the invari- ance of integrity constraints under complex methods. We then describe the current implementation of our prototype, and report some experiments that have been performed with it on non trivial examples. The counterpart of the problem of program verification is that of program correction. Static analysis techniques can also be applied to solve that problem. We present a systematic approach to undertake the automatic correction of potentially unsafe methods. However, the advantages of the latter technique are not as clear as those of program verification. We will therefore discuss some arguments for and against the use of method correction. Though our work is developed in the context of object-oriented database programming languages, it can easily be applied to the problem of static verification and correction of object-oriented languages providing pre and post-conditions such as Eiffel.
... Hoare logic has been most successfully employed to reason about first-order imperative programs. Extensions to programs with procedures and more generally higher-order functions have been known to be subtle [7,9,8,1]. As discussed by Apt in his survey of Hoare Logic [3, page 462], the problems usually appear because "... the semantics of parameter passing is always modeled syntactically by some form of variable substitution in a program, and this leads to various subtle problems concerning variable clashes. ...
... On a related note, it is well known that a Hoare-like logic for a language with higher-order and local functions, recursion, static scope and global variables, and with first-order assertion logic cannot be Cook complete [9]. Cook completeness in these cases requires stronger assertion logics [16]. ...
We present a dependent Hoare Type Theory (HTT) which provides support for reasoning about programs with higher- order functions and effects, including non-termination, state with aliasing and pointer arithmetic. The type struc- ture encapsulates effectful commands using a monad in- dexed by pre- and post-conditions in the style of Hoare logic. The theory carefully distinguishes between an ap- propriate notion of definitional equality and propositional equality, in order to maintain the relative decidability of type-checking.
... Second, these languages are constructive in a sense. For instance, for a number of dynamic logics the problem of general validity is soluble on a given finite algebraic system (this property is important for applications to program verification, see [12], and to the theory of relational data bases). ...
... There are many open questions in this area (see [29]). For example, the well-known Clarke language L-4 (see [12]) turns out to be equivalent to the union of all {FL^}. Nevertheless, it is not clear whether FL fc is equivalent to the sublanguage of L-4 consisting of all programs whose level is no greater than k (the known reduction method increases the level of a program). ...
CONTENTS Introduction § 1. Preliminary information § 2. Brief survey of known results § 3. Open questions and relevant results § 4. Concurrence § 5. Functions and data of higher types References
... W P . Clarke [18] exhibited programming language structures for which Hoare logic is not complete relative to the finite structures, and observed that if a programming language possesses a relatively complete Hoare logic for partial correctness (relative to the finite structures) then the halting problem for finite interpretations must be decidable (Clarke's Observation). Lipton [19], Clarke et. ...
The general completeness problem of Hoare logic relative to the standard model $N$ of Peano arithmetic has been studied by Cook, and it allows for the use of arbitrary arithmetical formulas as assertions. In practice, the assertions would be simple arithmetical formulas, e.g. of a low level in the arithmetical hierarchy. In addition, we find that, by restricting inputs to $N$, the complexity of the minimal assertion theory for the completeness of Hoare logic to hold can be reduced. This paper further studies the completeness of Hoare Logic relative to $N$ by restricting assertions to subclasses of arithmetical formulas (and by restricting inputs to $N$). Our completeness results refine Cook's result by reducing the complexity of the assertion theory.
... Clarke [15] exhibited programming language structures for which Hoare logic is not complete relative to the finite structures, and observed that if a programming language possesses a relatively complete Hoare logic for partial correctness (relative to the finite structures) then the halting problem for finite interpretations must be decidable (Clarke's Observation). Lipton [16], Clarke et al. [17], and Grabowski [18] investigated under what circumstances the converse of Clarke's Observation holds. ...
The general completeness problem of Hoare logic relative to the standard model N of Peano arithmetic has been studied by Cook, and it allows for the use of arbitrary arithmetical formulas as assertions. In practice, the assertions would be simple arithmetical formulas, e.g. of a low level in the arithmetical hierarchy. This paper further studies the completeness of Hoare Logic relative to N with assertions restricted to subclasses of arithmetical formulas. Our completeness results refine Cook’s result by reducing the complexity of the assertion theory.
... To explore the applicability of this idea, we have to formalize what "capturing the true partial correctness formulas" means. [20] In that paper he investigates completeness of Hoare calculi and limits thereof for programs with procedures [20,19] based on his dissertation [18], refining earlier results of Clarke [7]. It is quite an achievement for a proper treatment of semantics to span such a wide range of topics, each with its own different conceptual and technical challenges. ...
While it is indubitably impossible to summarize all the many important aspects of Ernst-Rüdiger Olderog’s scientific contributions and to do justice to each and every one of the areas that he contributed to, it is remarkably easy to identify and characterize the common core behind his investigations. An important leitmotif in his research agenda is semantics, the study of meaning.
... The notions of expressiveness and relative completeness are introduced in Cook (1978), which finds that Hoare logic is only complete in a certain sense, relative to his interpretive semantics. Clarke (1979) researches on the expressiveness of finite interpretations, with the result that certain programming languages can not possess a sound and relatively complete Hoare calculus, because the halting problem is undecidable for the languages, even if the underlying interpretation is finite. Lipton (1977) claims that the only expressive interpretations should be the standard interpretation of Peano arithmetic and the finite interpretation. ...
... This does not violate Clarke's result[11] because our logic has higher-order features (evaluation formulae and code evaluation predicates). See[22] for a more extensive discussion. ...
This paper provides the first program logic for homogeneous generative
run-time meta-programming---using a variant of MiniML by Davies and Pfenning as
its underlying meta-programming language. We show the applicability of our
approach by reasoning about example meta-programs from the literature. We also
demonstrate that our logics are relatively complete in the sense of Cook,
enable the inductive derivation of characteristic formulae, and exactly capture
the observational properties induced by the operational semantics.
... The scenario, then, becomes similar to the one in Floyd-Hoare program logics for imperative programs, where completeness holds [9] (at least for the simplest idioms [7]) and weakest preconditions can be generated automatically (see, e.g., [3]). A benefit of working with functional programs is that type inference -the analogue of generating WPs -can be done compositionally without the need of guessing invariants. ...
We show that time complexity analysis of higher-order functional programs can be effectively reduced to an arguably simpler (although computationally equivalent) verification problem, namely checking first-order inequalities for validity. This is done by giving an efficient inference algorithm for linear dependent types which, given a PCF term, produces in output both a linear dependent type and a cost expression for the term, together with a set of proof obligations. Actually, the output type judgement is derivable iff all proof obligations are valid. This, coupled with the already known relative completeness of linear dependent types, ensures that no information is lost, i.e., that there are no false positives or negatives. Moreover, the procedure reflects the difficulty of the original problem: simple PCF terms give rise to sets of proof obligations which are easy to solve. The latter can then be put in a format suitable for automatic or semi-automatic verification by external solvers. Ongoing experimental evaluation has produced encouraging results, which are briefly presented in the paper.
... ⋆ This paper is originally published by Springer-Verlag as part of the proceedings of CAV 2014. The final publication is available at link.springer.com. 1 This is no longer true when we allow procedures as parameters [12]. ...
We present an SMT-based symbolic model checking algorithm for safety
verification of recursive programs. The algorithm is modular and analyzes
procedures individually. Unlike other SMT-based approaches, it maintains both
"over-" and "under-approximations" of procedure summaries. Under-approximations
are used to analyze procedure calls without inlining. Over-approximations are
used to block infeasible counterexamples and detect convergence to a proof. We
show that for programs and properties over a decidable theory, the algorithm is
guaranteed to find a counterexample, if one exists. However, efficiency depends
on an oracle for quantifier elimination (QE). For Boolean Programs, the
algorithm is a polynomial decision procedure, matching the worst-case bounds of
the best BDD-based algorithms. For Linear Arithmetic (integers and rationals),
we give an efficient instantiation of the algorithm by applying QE "lazily". We
use existing interpolation techniques to over-approximate QE and introduce
"Model Based Projection" to under-approximate QE. Empirical evaluation on
SV-COMP benchmarks shows that our algorithm improves significantly on the
state-of-the-art.
... Unfortunately, we can not generalize Theorem 1 to statements S as it is impossible to achieve completeness. The reason for this is that given the combination of a decidable logic for assertions and a Turing-complete programming language, there is no complete Hoare-style axiom system [6]. We continue to show that our method is sound. ...
We present a fully automated method for the verification of annotated recursive programs with dynamic pointer structures. Assertions are expressed in a dialect of dynamic logic extended with nominals and tailored to heap structures, in which one can express complex reachability properties. Verification conditions are generated using a novel calculus for computing the strongest postcondition of statements manipulating the heap, such as dynamic allocation and field-assignment. Further, we introduce a new decidable tableaux-based method and its prototype implementation to automatically check these verification conditions.
... Modularity, the ability to reason separately about separate components of a program, is considered to be one of the key properties to have for any proof system. Clarke (1979) was able to prove that a sound and complete Hoare logic for a programming language with the following features: ...
In this thesis, we first present a theoretical system that enables proof of
higher-order programs with side effects. This system consists of three major
parts. First, a programming language with a traditional type, effect and
region system, with effect polymorphism. Second, a higher-order specification
language, that also contains a means to describe modifications of the state.
Finally, a weakest precondition calculus that, starting from an annotated
program, allows to obtain proof obligations, that is, formulas whose validity
implies the correctness of the program w.r.t. its specification. We also
present two restrictions of the initial system. The first disallows region
aliasing, obtaining better modularity of the calculus, the second restricts
the system to regions that are singleton, containing only a single reference.
Both restrictions enable important simplifications that can be applied to
proof obligations, but restrict the set of accepted programs.
We also present an implementation of this theoretical system, called Who. This
tool uses in particular translations of the proof obligations to higher-order
logic and first-order logic; these translations are detailed in this thesis.
The translation to higher-order logic in particular allows using the Coq proof
assistant to validate proof obligations. The translation to first-order logic
allows using automated theorem provers. Higher-order programs, found in the
standard library of OCaml and elsewhere, have been proved correct using the
tool Who, as well as a continuation-based implementation of the Koda-Ruskey
algorithm.
... Hoare's logic is a formal system for the derivation of statements about the partial correctness of programs [1]; it was introduced by Hoare [ Email address: xuzw@ios.ac.cn (Zhaowei Xu) studied by Cook [3], Lipton [4], Wand [5] and Clarke [6]. Separation logic is a spatial logic for reasoning about mutable heap structure ( [7,8,9]), which is an extension to Hoare's logic to describe the applications of programs on the heap structure and the reasoning about memory update. ...
Hoare's logic is an axiomatic system of proving programs correct, which has
been extended to be a separation logic to reason about mutable heap structure.
We develop the most fundamental logical structure of strongest postcondition of
Hoare's logic in Peano's arithmetic $PA$. Let $p\in L$ and $S$ be any
while-program. The arithmetical definability of $\textbf{N}$-computable
function $f_S^{\textbf{N}}$ leads to separate $S$ from $SP(p,S)$, which defines
the strongest postcondition of $p$ and $S$ over $\textbf{N}$, achieving an
equivalent but more meaningful form in $PA$. From the reduction of Hoare's
logic to PA, together with well-defined underlying semantics, it follows that
Hoare's logic is sound and complete relative to the theory of $PA$, which is
different from the relative completeness in the sense of Cook. Finally, we
discuss two ways to extend computability from the standard structure to
nonstandard models of $PA$.
... Noticeably, the bounds one obtains this way translate to bounds on the number of steps performed by evaluation machines for the λ-calculus, which means that the induced metrics are not too abstract after all. The type inference algorithm is described in Section 4. The scenario, then, becomes similar to the one in Floyd-Hoare program logics for imperative programs, where completeness holds [9] (at least for the simplest idioms [7]) and weakest preconditions can be generated automatically (see, e.g., [22]). A benefit of working with functional programs is that type inference -the analogue of generating WPs -can be done compositionally without the need of guessing invariants. ...
We show that time complexity analysis of higher-order functional programs can
be effectively reduced to an arguably simpler (although computationally
equivalent) verification problem, namely checking first-order inequalities for
validity. This is done by giving an efficient inference algorithm for linear
dependent types which, given a PCF term, produces in output both a linear
dependent type and a cost expression for the term, together with a set of proof
obligations. Actually, the output type judgement is derivable iff all proof
obligations are valid. This, coupled with the already known relative
completeness of linear dependent types, ensures that no information is lost,
i.e., that there are no false positives or negatives. Moreover, the procedure
reflects the difficulty of the original problem: simple PCF terms give rise to
sets of proof obligations which are easy to solve. The latter can then be put
in a format suitable for automatic or semi-automatic verification by external
solvers. Ongoing experimental evaluation has produced encouraging results,
which are briefly presented in the paper.
... Of course, there has been much research on Floyd-Hoare logics [31,41,42] (see the surveys [1] and [17]). Such program logics for higher-order procedures have been defined for instance in [24] (for Clarke's language L4 [11]) or more recently for stored parameterless procedures in [78]. Program logics for jumps exists since [13] and they have been successfully used recently for proving properties in low-level languages [30,85]. ...
We derive a Floyd-Hoare logic for non-local jumps and mutable higher-order procedural variables from a for-mulae-as-types notion of control for classical logic. A key contribution of this work is the design of an imperative dependent type system for Hoare triples, which corresponds to classical logic, but where the famous consequence rule is admissible. Moreover, we prove that this system is complete for a reasonable notion of validity for Hoare judgments.
According to some proponents, artificial intelligence seems to be a presupposition for machine autonomy, wheras autonomy and conscious machines are the presupposition for singularity (Cf. Logan, Information 8: 161, 2017); further on, singularity is a presupposition for transhumanism. The chapter analyses the different forms of transhumanism and its underlying philosophical anthropology, which is reductionist as well as naturalistic. Nevertheless, it can be shown that transhumanism has some (pseudo-)religious borderlines. Besides this, massive interests behind the arguments of the proponents can be figured out. Due to these hidden business models, it would be a good idea to discuss objection and rules to hedge an uncontrolled shape of these technologies.
This chapter argues that, although transhumanism depicts itself as following the footsteps of the tradition of humanism, i.e. as seeking for a better world for all human beings, it is realizing ambiguous trajectories. Despite officially proclaimed integrative intentions and goals of some of its most prominent leaders, it seems that transhumanism tends to push forward social innovations that are a double-edged sword. Indeed, we face an era of military rearmament also due to achievements that have emerged in the converging fields of AI, robotics and human enhancement. Some of the most controversial views concerning these achievements and their possible impacts on modern warfare are discussed. Moreover, we outline how these developments in the military sector are symptomatic for a broader technological trend that seems to become a major transformative driver in the twenty-first century—a world where inequality is on the rise both in the social, the technological and the military spheres.
В статье дается обзор существующих методов верификации динамической памяти; проводится их сравнительный анализ; оценивается применимость для решения задач управления, контроля и верификации динамической памяти. Данная статья состоит из восьми разделов. Первый раздел - введение. Во втором обсуждаются проблемы управления динамической памятью. В третьем рассматривается исчисление Хоара. В четвёртом речь идёт о преобразованиях heap в стек. Пятый вводит понятие анализа образов динамической памяти. Шестой посвящен ротации указателей, седьмой - логике распределенной памяти. В последнем разделе рассматриваются возможные направления дальнейших научных исследований в данной области, в частности: распознавание на уровне записи различных экземпляров объектов; автоматизация доказательств; использование «горячего» кода, то есть программного кода, который сам себя обновляет при запуске программы; расширение интуитивности объяснений доказательств и другие
A sunple programming language ffm IS defined for which a complete axiomatics is obtamable. Completeness is shown by presemmg a relauvely complete Hoare axiomatics, demonstrating, by direct constmcuon, that the first-order theory of addmon + as express,ve, and noting that + Is complete. It is then shown that m aS maxunal wath this property Further, a notton of complexity of a Hoare system is introduced based upon the lengths of proofs (dasregardmg proofs m the underlying logsc), and the system im,.+ is shown to have polynomial complexity The nouon ts shown to be nontnvlal by presenting a language for which any Hoare axiom system has exponenual complextty.
The languages Ada and Euclid are compared and evaluated in the context of three application areas: secure systems, real-time systems, and systems programming. Specific issues considered are verification, robustness, structuring, implementation, functionality, and portability. Programming experiments, supported by the MIT test translator and the Toronto Euclid compiler, are described. The program specifications chosen, Wirth’s p1/0 compiler in Pascal, UNIX levels 0–2 in SPECIAL, the Ada radar track manager example, and the Euclid zone example, were chosen to exercise areas of strength in each language and to represent the applications of interest. Conclusions regarding the suitability of Ada and Euclid for these application areas are given.RésuméLes langages Ada et Euclid sont comparés et evalués dans le contexte de trois domaines d’application: systèmes sûrs, systèmes à temps réel et la programmation de systèmes. En particulier les questions de verification, robustesse, structuration, implantation, fonctionalisme, et “portabilite” sont considérées. Des expériences de programmation soutenues par le traducteur expérimental du MIT et le compilateur Toronto Euclid sont décrites. Les spécifications de programme choisies, le compilateur p1/0 en Pascal de Wirth, UNIX niveaux 0-2 en SPECIAL, I’éxample de gestion de radar en Ada, et l’éxample de zone en Euclid, furent choisis pour mettre à l’oeuvre les points forts de chaque langage et présenter des applications intéressantes. Des conclusions concernant la convenance d’Ada et d’Euclid pour ses domaines d’application sont donnees.
Semantic models are the basis for specification and verification of software. Operational, denotational, and axiomatic or algebraic methods offer complementary insights and reasoning techniques which are surveyed here. Unifying theories are needed to link models. Also considered are selected programming features for which new models are needed.
Although most typically used in other contexts, program transformations can simplify program verification by transforming a program containing complex language features into a semantically equivalent program containing only simpler language features. The proof of the transformed program can then be performed using a set of proof rules for only the simpler features. There are tradeoffs between the transformational approach and the standard approach to program verification with regard to proof understandability and compactness of programs and assertions, establishing soundness of the program verification method, and providing mechanized support for the method. The transformational approach has clear advantages in some of these aspects. This paper illustrates this transformational approach by considering proof rules for escape statements in iterative constructs, and discusses the tradeoffs with respect to its use. It also suggests how the approach can be applied to other language constructs, including some involving concurrency, and to solving some problems connected with the development of Hoare axiomatizations.
Ausgehend von Turings 1949 gehaltenem Vortrag ,,Checking a Large Routine“ untersuchen wir, welche seiner Ideen zur Verifikation von Programmen sich durchgesetzt haben, und skizzieren, wie sich das Gebiet der Verifikation seitdem bis heute weiterentwickelt hat.
A survey of various results concerning the use of Hoare's logic in proving correctness of nondeterministic programs is presented. Various proof systems together with the example proofs are given and the corresponding soundness and completeness proofs of the systems are discussed. Programs allowing bounded and countable nondeterminism are studied. Proof systems deal with partial and total correctness, freedom of failure and the issue of fairness. The paper is a continuation of Part I by Apt (1981), where various results concerning Hoare's approach to proving correctness of sequential programs are presented.
This paper discusses the design of programming languages suitable for program verification, considering in particular Pascal, Euclid, Gypsy, and Ada. Basing our discussion on programming capabilities found in Pascal, we evaluate (a) how well each language solves or reduces verification problems such as name visibility, aliasing, relative completeness, side effects and (b) how the language's treatment of these verification problems impacts other language design concerns.
This is a survey of methods of formalizing semantics of programming languages (algorithmic languages and specification languages). Principal attention is devoted to the logical approach.
A survey of various results concerning Hoare's approach to proving partial and total correctness of programs is presented. Emphasis is placed on the soundness and completeness issues. Various proof systems for while programs, recursive procedures, local variable declarations, and procedures with parameters, together with the corresponding soundness, completeness, and incompleteness results, are discussed.
The Runcheck verifier is a working prototype system for proving the absence of runtime errors such as arithmetic overflow, array subscripting out of range, accessing an uninitialized variable, and dereferencing a null pointer. Such errors cannot be detected at compile time by most compilers. Runcheck accepts Pascal programs documented with assertions and proves that the assertions are consistent with the program and that no runtime errors can occur.
This report describes an investigation of techniques to support the specification and verification of concurrent and distributed software systems, with special emphasis on issues of security. The investigation has focused on two major areas. The primary focus is a survey of existing methodologies and systems that are relevant to the specification and verification of concurrency. The secondary focus is on the initial design of a short-term workbench that embodies capabilities of existing systems together with new features that extend the current state of the art in the specification and verification of concurrency. The introduction to the report summarizes survey results and presents overall conclusions about the current state of the art. Sections 2 and 3 of the report present the details of the methodology and system surveys respectively. The surveys include high level feature comparison tables accompanied by extended reviews. Section 4 describes a design for the short-term workbench that will support computer-aided specification and verification. Section 5 describes a set of extended examples that were developed to test the design ideas. Section 6 concludes with an overall summary and an overview of targets for future work.
The most common spelling errors are one extra letter, one missing letter, one wrong letter, or the transposition of two letters. Deletion, exchange, and rotation operators are defined which detect and “mend” such spelling errors and thus permit retrieval despite the errors. These three operators essentially delete a letter of a word, exchange two adjacent letters, and rotate a word cyclically. Moreover, the operators can be used in conjunction with hashing, thus permitting very fast retrieval. Results of experiments run on large databases in Hebrew and in English are briefly indicated.
In the spirit of the previous axiomatixation of the programming language Pascal, this paper describes Hoare-style proof rules for Euclid, a programming language intended for the expression of system programs which are to be verified. All constructs of Euclid are covered except for storage allocation and machine dependencies.
The report gives a complete defining description of the international algorithmic language ALGOL 60. This is a language suitable for expressing a large class of numerical processes in a form sufficiently concise for direct automatic translation into the language of programmed automatic computers.The introduction contains an account of the preparatory work leading up to the final conference, where the language was defined. In addition the notions reference language, publication language, and hardware representations are explained.In the first chapter a survey of the basic constituents and features of the language is given, and the formal notation, by which the syntactic structure is defined, is explained.The second chapter lists all the basic symbols, and the syntactic units known as identifiers, numbers, and strings are defined. Further, some important notions such as quantity and value are defined.The third chapter explains the rules for forming expressions, and the meaning of these expressions. Three different types of expressions exist: arithmetic, Boolean (logical), and designational.The fourth chapter describes the operational units of the language, known as statements. The basic statements are: assignment statements (evaluation of a formula), go to statements (explicit break of the sequence of execution of statements), dummy statements, and procedure statements (call for execution of a closed process, defined by a procedure declaration). The formation of more complex structures, having statement character, is explained. These include: conditional statements, for statements, compound statements, and blocks.In the fifth chapter the units known as declarations, serving for defining permanent properties of the units entering into a process described in the language, are defined.The report ends with two detailed examples of the use of the language, and an alphabetic index of definitions.
This paper presents a comparative study of different methods for formal description of programming languages. These methods have been applied to a simple but realistically usable programming language; the more abstract definitions have been proved to be consistent relative to the more concrete ones.
The semantics of a simple parallel programming language is presented in two ways: deductively, by a set of Hoare-like axioms and inference rules, and operationally, by means of an interpreter. It is shown that the deductive system is consistent with the interpreter. It would be desirable to show that the deductive system is also complete with respect to the interpreter, but this is impossible since the programming language contains the natural numbers. Instead it is proved that the deductive system is complete relative to a complete proof system for the natural numbers; this result is similar to Cook's relative completeness for sequential programs. The deductive semantics given here is an extension of an incomplete deductive system proposed by Hoare. The key difference is an additional inference rule which provides for the introduction of auxiliary variables in a program to be verified.
A simple programming language which corresponds in computational power to the class of generalized sequential machines with final states is defined. It is shown that a variety of questions of practical programming interest about the language are of nondeterministic linear space complexity. Extensions to the language are defined (adding arithmetic and array data structures) and their complexity properties are explored. It is concluded that questions about halting, equivalence, optimization, and so on are intractable even for very simple programming languages.
A structure A is presented for which Hoare's formal system for partial correctness is incomplete, even if the entire first-order theory of A is included among the axioms. It follows that the language of first-order logic is insufficient to express all loop invariants. The implications of this result for program-proving are discussed.
The contour model of block structured processes
JOHNSTON, J.B The contour model of block structured processes Proc ACM SIGPLAN Symp on Data
Structures m Programming Languages, Feb 1971, pp 55-82
A Formallzauon of properUes of functional programs J A CM
- And Pnueli
MANNA, Z, AND PNUELI, A Formallzauon of properUes of functional programs J A CM 17, 3 (July 1970),
555-569.
C A R An ax~omauc approach to computer programming
, C A R An ax~omauc approach to computer programming Comm ACM 12, l0 (Oct 1969), 322-329
Pathological mteractton of programming language features Tech Rep CS-1976-15
- E Duke
- U Durham
, E M JR Pathological mteractton of programming language features Tech Rep CS-1976-15,
Comptr So Dept, Duke U, Durham, N C, Sept 1976.
3 CLINT, M Program proving. Coroutmes Acta InformaUca 2 (1973), 50-63
Axlomaac and mterpreUve semanttcs for Algol fragment Tech Rep
- S A Cook
CooK, S A Axlomaac and mterpreUve semanttcs for Algol fragment Tech Rep. 79, Comptr So Dept, U
of Toronto, Toronto, Canada, 1975 To be pubhshed m SCICOMP.
Mathematical semanttcs as a complementary definmon for axiomaucally defined programming language constructs In Three Approaches to Rehable Software Language Design, Dya&c Speclficatwn, Complementary Semanttcs
, J. Mathematical semanttcs as a complementary definmon for axiomaucally defined programming
language constructs In Three Approaches to Rehable Software Language Design, Dya&c Speclficatwn,
Complementary Semanttcs, by J Donahue et al, also Tech Rep CSRG-45, Comptr Syst Res Group, U of
Toronto, Toronto, Canada, Dec 1974
An axlomauc approach In Symposmm on Semanttcs of Algortthmtc Languages
- C A Procedures
- Parameters
, C.A R Procedures and parameters" An axlomauc approach In Symposmm on Semanttcs of Algortthmtc Languages, E Engeler, Ed, Spnnger-Verlag, Berlin, 1971, pp 102-116
Programming language constructs for which tt is tmposslble to obtain good Hoare-hke axioms Tech Rep No 76-287
- L Clarke
- E M Jr
L CLARKE, E M JR. Programming language constructs for which tt is tmposslble to obtain good Hoare-hke
axioms Tech Rep No 76-287, Comptr Sct Dept, Cornell U, Ithaca, N Y, Aug 1976