Readable Formal Proofs
The need to integrate the processes of programming and program verification requires notations for formal proofs that are easily readable. We discuss this problem in the context of Hoare logic and separation logic.
It has long been the custom to describe formal proofs in these logics informally by means of “annotated specifications” or “proof outlines”. For simple programs, these annotated specifications are essentially similar to the annotated flow charts introduced by Floyd and Naur. For more elaborate programs, a richer notation has evolved for dealing with procedure calls and various structural rules, such as the frame axiom, as well as various rules for concurrency.
Our goal is to devise a formalism for ensuring that annotated specifications actually determine valid formal proofs (modulo the correctness of verification conditions), while providing as much flexibility as possible. For this purpose, we give inference rules for “annotation definitions” that assert that an annotated specification determines a particular Hoare triple.

We consider verification algorithms in a wide sense. The outcome of a verification algorithm can be a definite (yes or no) answer, a “don’t know” answer, a conditional answer, or no answer at all (divergence). We obtain these kinds of verification algorithms if we apply the existing technology of abstraction to least-fixpoint checking, i.e., checking whether the least fixpoint of a given operator in a given lattice is smaller than a given bound. The formulation of the verification algorithm as least-fixpoint checking is classical for the class of correctness properties that are reducible to non-reachability (validity of assertions, partial correctness, safety properties). We need to investigate the approach also for the class of correctness properties that are reducible to termination (validity of intermittent assertions, total correctness, liveness properties), for all classes of programs, including procedural (recursive) programs and concurrent programs.
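As an added illustration (not taken from the paper), the following is an annotated specification for a three-assignment swap and the Hoare triple it determines. Each interior assertion is exactly the precondition obtained by the assignment axiom from the assertion below it, so the verification conditions are the trivial implications between each annotation and the substituted postcondition:

$$
\begin{array}{l}
\{\, x = a \wedge y = b \,\} \\
\quad t := x; \\
\{\, t = a \wedge y = b \,\} \\
\quad x := y; \\
\{\, t = a \wedge x = b \,\} \\
\quad y := t \\
\{\, x = b \wedge y = a \,\}
\end{array}
$$

The annotation definition for this outline asserts that it determines the single Hoare triple

$$
\{\, x = a \wedge y = b \,\}\; t := x;\; x := y;\; y := t \;\{\, x = b \wedge y = a \,\},
$$

whose proof is the three instances of the assignment axiom $\{P[e/v]\}\; v := e\; \{P\}$ joined by the rule of composition; the verification conditions here are the checks that each annotation implies $P[e/v]$ for the assignment that follows it (in this case, syntactic identity).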