A Logical Analysis of Aliasing in Imperative Higher-Order Functions
INTERNATIONAL CONFERENCE ON FUNCTIONAL PROGRAMMING, ICFP’05, 2005
Cited by 26 (3 self)
We present a compositional program logic for call-by-value imperative higher-order functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic
Static Detection of Pointer Errors: An Axiomatisation and a Checking Algorithm
1996
Cited by 25 (3 self)
The incorrect use of pointers is one of the most common sources of bugs. As a consequence, any kind of static code checking capable of detecting potential bugs at compile time is welcome. This paper presents a static analysis for the detection of incorrect accesses to memory (dereferences of invalid pointers). A pointer may be invalid because it has not been initialised or because it refers to a memory location which has been deallocated. The analyser is derived from an axiomatisation of alias and connectivity properties which is shown to be sound with respect to the natural semantics of the language. It deals with dynamically allocated data structures and it is accurate enough to handle circular structures. 1 Introduction The motivation for the work described in this paper comes from two observations: • Most widely used programming languages allow explicit pointer manipulations. The expressiveness provided by such features is appreciated by many programmers because it makes it pos...
Hoare Logics for Recursive Procedures and Unbounded Nondeterminism
COMPUTER SCIENCE LOGIC (CSL 2002), VOLUME 2471 OF LNCS, 2002
Cited by 22 (2 self)
This paper presents sound and complete Hoare logics for partial and total correctness of recursive parameterless procedures in the context of unbounded nondeterminism. For total correctness, the literature so far has either restricted recursive procedures to be deterministic or has studied unbounded nondeterminism only in conjunction with loops rather than procedures. We consider both single procedures and systems of mutually recursive procedures. All proofs have been checked with the theorem prover Isabelle/HOL.
Constraints: A Uniform Approach to Aliasing and Typing
In Proceedings of the Twelfth ACM Symposium on Principles of Programming Languages, ACM SIGACT-SIGPLAN, 1984
Cited by 14 (6 self)
A constraint is a relation among program variables that is maintained throughout execution. Type declarations and a very general form of aliasing can be expressed as constraints. A proof system based upon the interpretation of Hoare triples as temporal logic formulas is given for reasoning about programs with constraints. The proof system is shown to be sound and relatively complete, and example program proofs are given. 1 Introduction Type declarations and aliasing relations have traditionally been thought of as unrelated concepts. However, both can be viewed as specifying properties that do not change during program execution. This view leads to a uniform method for reasoning about types and aliasing in which the usual Hoare logic triples are regarded as temporal logic formulas. Aliasing two variables x and y means they always have the same value. This is usually implemented by allocating the same memory location to x [footnote: Work supported in part by the National Science Foundation unde...]
Dependent type theory of stateful higher-order functions
2005
Cited by 6 (2 self)
In this paper we investigate a logic for reasoning about programs with higher-order functions and effectful features like non-termination and state with aliasing. We propose a dependent type theory HTT (short for Hoare Type Theory), where types serve as program specifications. In the case of effectful programs, the type of Hoare triples {P}x:A{Q} specifies the precondition P, the type of the return result A, and the postcondition Q. By the Curry-Howard isomorphism, a dependent type theory may be viewed as a functional programming language. From this perspective, the type of Hoare triples is a monad, and HTT is a monadic language, whose pure fragment consists of higher-order functions, while the effectful fragment is a full Turing-complete imperative language with conditionals, loops, recursion and commands for stateful operations like allocation, lookup and mutation of location content.
Symbolic Analysis via Semantic Reinterpretation
Cited by 6 (5 self)
In recent years, the use of symbolic analysis in systems for testing and verifying programs has experienced a resurgence. By “symbolic program analysis”, we mean logic-based techniques to analyze state changes along individual program paths. The three basic primitives used in symbolic analysis are functions that perform forward symbolic evaluation, weakest precondition, and symbolic composition by manipulating formulas. The conventional approach to implementing systems that use symbolic analysis is to write each of the three symbolic-analysis functions by hand for the programming language of interest. In this paper, we develop a method to create implementations of these primitives so that they can be made available easily for multiple programming languages, particularly for multiple machine-code instruction sets. In particular, we have created a system in which, for the cost of writing just one specification (of the semantics of the programming language of interest, in the form of an interpreter expressed in a functional language) one obtains automatically generated implementations of all three symbolic-analysis functions. We show that this can be carried out even for programming languages with pointers, aliasing, dereferencing, and address arithmetic. The technique has been implemented, and used to automatically generate symbolic-analysis primitives for multiple machine-code instruction sets.
Automatic Inference of Optimizer Flow Functions from Semantic Meanings
2007
Cited by 5 (0 self)
Previous work presented a language called Rhodium for writing program analyses and transformations, in the form of declarative flow functions that propagate instances of user-defined dataflow fact schemas. Each dataflow fact schema specifies a semantic meaning, which allows the Rhodium system to automatically verify the correctness of the user’s flow functions. In this work, we have reversed the roles of the flow functions and semantic meanings: rather than checking the correctness of the user-written flow functions using the facts’ semantic meanings, we automatically infer correct flow functions solely from the meanings of the dataflow fact schemas. We have implemented our algorithm for inferring flow functions from fact schemas in the context of the Whirlwind compiler, and have used this implementation to infer flow functions for a variety of fact schemas. The automatically generated flow functions cover most of the situations covered by an earlier suite of handwritten rules.
Verification and Abstraction of Flow-Graph Programs with Pointers and Computed Jumps
1998
Cited by 4 (0 self)
A flow-graph language which includes a simultaneous assignment, pointers and computed jumps is developed. The language is expressive enough that sequential composition can be defined as a function on commands, constructing a single command from its arguments. This allows the abstraction of a program to be constructed from the program text. This form of abstraction is the reverse of compilation: the abstraction of a program is also a program. The sequential composition operator can reduce the number of commands which must be considered when verifying a program. This provides a method for simplifying program verification. Proof rules are defined for reasoning about the liveness properties of flow-graph programs. The language is expressive enough to describe sequential object code programs and a program for...
An Inference Algorithm for the Static Verification of Pointer Manipulation
1996
The incorrect use of pointers is one of the most common sources of bugs. As a consequence, any kind of static code checking capable of detecting potential bugs at compile time is welcome. This paper presents a static analysis for the detection of incorrect accesses to memory (dereferences of invalid pointers). A pointer may be invalid because it has not been initialised or because it refers to a memory location which has been deallocated. The analyser is derived from an axiomatisation of alias and connectivity properties which is shown to be sound with respect to the natural semantics of the language. It deals with dynamically allocated data structures and it is accurate enough to handle circular structures. Key-words: alias analysis, debugging tool, Hoare logic, correctness proof.
An Inference Algorithm for the Static Verification of Pointer Manipulation (Pascal Fradet, Ronan Gaugne and Daniel Le Métayer)
1996
The incorrect use of pointers is one of the most common sources of bugs. As a consequence, any kind of static code checking capable of detecting potential bugs at compile time is welcome. This paper presents a static analysis for the detection of incorrect accesses to memory (dereferences of invalid pointers). A pointer may be invalid because it has not been initialised or because it refers to a memory location which has been deallocated. The analyser is derived from an axiomatisation of alias and connectivity properties which is shown to be sound with respect to the natural semantics of the language. It deals with dynamically allocated data structures and it is accurate enough to handle circular structures. Key-words: alias analysis, debugging tool, Hoare logic, correctness proof.