2 Generation of Proof Obligations

1 Background The system PAMELA (Proof Assistant for Meta IV-like Languages) was designed originally to check partial correctness of VDM-like speciications 3] of code generators with respect to implicit speciications given as sets of pre-and postconditions 1]. Explicit speciications in this framework essentially are systems of mutually recursive functions and procedures (in the following called operations) over a set of global variables. Operations are deened as sequential programs. The goal of PAMELA is the calculation of a set of proof obligations for each operation that together ensure partial correctness of the overall system. An earlier version tried to discharge these obligations based on sets of rewriting and deduction rules provided by the user. PAMELA+PVS is a modiication of PAMELA that supports proofs for a larger class of speciications including non-deterministic sequential programs and uses PVS 5] as prover component for discharging proof obligations. Non-deterministic sequential programs are of interest for a development approach based on CSP 2] that was introduced in Peleska 4]. A certain subclass of CSP processes can be transformed into equivalent non-deterministic programs. The proof that such a CSP process satisses a given trace speciication can thus be transformed into an invariant proof for the equivalent non-deterministic program. The generation of proof obligations in PAMELA+PVS is based on the splitting approach introduced by Buth 1]. The idea is to symbolically evaluate the code of operation bodies using the implicit speciication as an interface to cope with recur-sive calls. The process corresponds to the calculation of strongest postconditions except for the treatment of calls. The result of splitting can thus be called a relative strongest prostcondition. The name \splitting" refers to the process of splitting the code for which the obligations are to be generated into separate paths and generating obligations for the each individual path. The overall obligation then is that the disjunction of the obligations for each paths implies the postcondition that is stated for the operation under consideration, which is discharged by proving that the obligations for each path imply the postcondition. 3 PVS PVS 5] is currently one of the most advanced speciication and veriication systems for software applications. The system consists of a speciication language and a number of tools including a sophisticated prover.