| products/sources/formale sprachen/Isabelle/HOL/Hoare/README.html |
 |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<TITLE>HOL/Hoare/ReadMe</TITLE>
</HEAD>
<BODY>
<H2>Hoare Logic for a Simple WHILE Language</H2>
<H3>Language and logic</H3>
This directory contains an implementation of Hoare logic for a simple WHILE
language. The constructs are
<UL>
<LI> <kbd>SKIP</kbd>
<LI> <kbd>_ := _</kbd>
<LI> <kbd>_ ; _</kbd>
<LI> <kbd>IF _ THEN _ ELSE _ FI</kbd>
<LI> <kbd>WHILE _ INV {_} DO _ OD</kbd>
</UL>
Note that each WHILE-loop must be annotated with an invariant.
<P>
After loading theory Hoare, you can state goals of the form
<PRE>
VARS x y ... {P} prog {Q}
</PRE>
where <kbd>prog</kbd> is a program in the above language, <kbd>P</kbd> is the
precondition, <kbd>Q</kbd> the postcondition, and <kbd>x y ...</kbd> is the
list of all <i>program variables</i> in <kbd>prog</kbd>. The latter list must
be nonempty and it must include all variables that occur on the left-hand
side of an assignment in <kbd>prog</kbd>. Example:
<PRE>
VARS x {x = a} x := x+1 {x = a+1}
</PRE>
The (normal) variable <kbd>a</kbd> is merely used to record the initial
value of <kbd>x</kbd> and is not a program variable. Pre/post conditions
can be arbitrary HOL formulae mentioning both program variables and normal
variables.
<P>
The implementation hides reasoning in Hoare logic completely and provides a
method <kbd>vcg</kbd> for transforming a goal in Hoare logic into an
equivalent list of verification conditions in HOL:
<PRE>
apply vcg
</PRE>
If you want to simplify the resulting verification conditions at the same
time:
<PRE>
apply vcg_simp
</PRE>
which, given the example goal above, solves it completely. For further
examples see <a href="Examples.html">Examples</a>.
<P>
IMPORTANT:
This is a logic of partial correctness. You can only prove that your program
does the right thing <i>if</i> it terminates, but not <i>that</i> it
terminates.
A logic of total correctness is also provided and described below.
<H3>Total correctness</H3>
To prove termination, each WHILE-loop must be annotated with a variant:
<UL>
<LI> <kbd>WHILE _ INV {_} VAR {_} DO _ OD</kbd>
</UL>
A variant is an expression with type <kbd>nat</kbd>, which may use program
variables and normal variables.
<P>
A total-correctness goal has the form
<PRE>
VARS x y ... [P] prog [Q]
</PRE>
enclosing the pre- and postcondition in square brackets.
<P>
Methods <kbd>vcg_tc</kbd> and <kbd>vcg_tc_simp</kbd> can be used to derive
verification conditions.
<P>
From a total-correctness proof, a function can be extracted which
for every input satisfying the precondition returns an output
satisfying the postcondition.
<H3>Notes on the implementation</H3>
The implementation loosely follows
<P>
Mike Gordon.
<cite>Mechanizing Programming Logics in Higher Order Logic.</cite><BR>
University of Cambridge, Computer Laboratory, TR 145, 1988.
<P>
published as
<P>
Mike Gordon.
<cite>Mechanizing Programming Logics in Higher Order Logic.</cite><BR>
In
<cite>Current Trends in Hardware Verification and Automated Theorem Proving
</cite>,<BR>
edited by G. Birtwistle and P.A. Subrahmanyam, Springer-Verlag, 1989.
<P>
The main differences: the state is modelled as a tuple as suggested in
<P>
J. von Wright and J. Hekanaho and P. Luostarinen and T. Langbacka.
<cite>Mechanizing Some Advanced Refinement Concepts</cite>.
Formal Methods in System Design, 3, 1993, 49-81.
<P>
and the embeding is deep, i.e. there is a concrete datatype of programs. The
latter is not really necessary.
</BODY>
</HTML>
¤ Diese beiden folgenden Angebotsgruppen bietet das Unternehmen0.30Angebot
Wie Sie bei der Firma Beratungs- und Dienstleistungen beauftragen können
¤
|
Lebenszyklus
Die hierunter aufgelisteten Ziele sind für diese Firma wichtig
Ziele
Entwicklung einer Software für die statische Quellcodeanalyse
|
