On Complete Reasoning about Axiomatic Specifications

Automated software verification tools typically accept specifications of functions in terms of pre- and postconditions. However, many properties of functional programs can be more naturally specified using a more general form of universally quantified properties. Such general specifications may relate multiple user-defined functions, and compare multiple invocations of a function on different arguments. We present new decision procedures for complete and terminating reasoning about such universally quantified properties of functional programs. Our results use local theory extension methodology. We establish new classes of universally quantified formulas whose satisfiability can be checked in a complete way by finite quantifier instantiation. These new classes include single-invocation axioms that generalize standard function contracts, but also certain many-invocation axioms, specifying that functions satisfy congruence, injectivity, or monotonicity with respect to abstraction functions, as well as conjunctions of some of these properties. These many-invocation axioms can specify correctness of abstract data type implementations as well as certain information-flow properties. We also present a construction that enables the same function to be specified using different classes of decidable specifications on different partitions of its domain. This results in complete and terminating decision procedure for proving an interesting class of universally quantified specifications of functional programs.