Secure mechanical verification of mutually recursive procedures

The veriication of programs that contain mutually recursive procedures is a diicult task, and one which has not been satisfactorily addressed in the literature. Published proof rules have been later discovered to be unsound. Veriication Condition Generator (VCG) tools have been eeective in partially automating the veriication of programs, but in the past these VCG tools have in general not themselves been proven, so any proof using and depending on these VCGs might not be sound. In this paper we present a set of proof rules for proving the partial correctness of programs with mutually recursive procedures, together with a VCG that automates the use of the proof rules in program correctness proofs. The soundness of the proof rules and the VCG itself have been mechanically proven within the Higher Order Logic theorem prover, with respect to the underlying structural operational semantics of the programming language. This proof of soundness then forms the core of an implementation of the VCG that signiicantly eases the veriication of individual programs with complete security.