Proof Carrying Code

History
  Certified code: Butler Lampson, 1974
  An Open OS for a single-user machine

Defining a VCgen
  To define a verification-condition generator for the language,
  we start by defining the language of predicates

  predicates:
    P ::= b
      |  P ^ P
      |  A => P
      |  ∀i.P
      |  e ? P : P

  annotations:
    A ::= b
      |  A ^ A

  boolean expressions:
    b ::= true
      |  false
      |  e >= e
      |  e = e

  Weakest Preconditions
    it's a simple variant of Dijkstra's weakest precondition calculus

    it makes use of generalized predicates of the form: (P, e)
      -- true if P is true and at least e units of resource
         are currently available

    Hoare triples
    -- the VCgen's job is to compute for each statement S in the program
       the Hoare triple
         (P', e') S (P, e)
    -- vcg(S, (P, i)) -> (P', i')
       given a statement and its postcondition, produce the weakest
       precondition; the last statement in the program has postcondition
       (true, 0), so the VCgen works backwards from there
    -- require the programmer or compiler to insert invariants to cut the loops

  VC explosion
    growth can usually be controlled by careful placement of just the right
    "join-point" invariants

Proving the predicates
  A simple prover
    - prove(annotation, pred) -> bool
    - prove(A, P) is true iff A => P
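
  As an added worked example (not from the original notes), a toy VCgen in Python for the calculus above: generalized predicates are pairs (P, e), `vcg` walks statements backwards from the postcondition (true, 0), loops are cut by an annotated invariant plus resource budget, and `prove(A, P)` is an exhaustive finite-domain stand-in for the prover. The statement forms (`assign`, `use`, `seq`, `while`), the resource-consuming `use n` statement and the copy loop are constructed for this example; the `if` form is omitted.

```python
import itertools
# Terms are nested tuples: ('and',P,Q) ('not',P) ('imp',P,Q) ('ge',a,b) ('+',a,b) ('-',a,b);
# variables are strings, literals are ints/bools.  A generalized predicate is a pair (P, e).
def subst(t, x, a):                  # t[a/x]: substitute expression a for variable x
    if isinstance(t, str):
        return a if t == x else t
    return (t[0],) + tuple(subst(s, x, a) for s in t[1:]) if isinstance(t, tuple) else t

def ev(t, env):                      # evaluate a term in a concrete environment
    if isinstance(t, str):
        return env[t]
    if not isinstance(t, tuple):
        return t
    op, *v = t
    v = [ev(s, env) for s in v]
    return {'+': lambda: v[0] + v[1], '-': lambda: v[0] - v[1], 'ge': lambda: v[0] >= v[1],
            'and': lambda: v[0] and v[1], 'not': lambda: not v[0],
            'imp': lambda: (not v[0]) or v[1]}[op]()

def prove(A, P, names, domain):      # toy prover: A => P on every assignment over a finite domain
    return all(ev(('imp', A, P), dict(zip(names, vals)))
               for vals in itertools.product(domain, repeat=len(names)))

def vcg(stmt, post, vcs):            # wp of stmt for post = (P, e); loop VCs appended to vcs
    P, e = post
    if stmt[0] == 'assign':          # x := a  ==>  (P[a/x], e[a/x])
        _, x, a = stmt
        return (subst(P, x, a), subst(e, x, a))
    if stmt[0] == 'use':             # consume n units  ==>  need e + n units before
        return (P, ('+', e, stmt[1]))
    if stmt[0] == 'seq':             # S1; S2  ==>  wp(S1, wp(S2, post))
        return vcg(stmt[1], vcg(stmt[2], post, vcs), vcs)
    _, b, (I, k), body = stmt        # while b do body, cut by the annotated invariant (I, k)
    Pb, eb = vcg(body, (I, k), vcs)
    vcs.append((('and', I, b), ('and', Pb, ('ge', k, eb))))          # I ^ b  => wp(body)
    vcs.append((('and', I, ('not', b)), ('and', P, ('ge', k, e))))   # I ^ ~b => post
    return (I, k)
def verify(prog, pre, post=(True, 0)):   # loop VCs plus the entry VC: pre => wp(prog, post)
    vcs = []
    P, e = vcg(prog, post, vcs)
    return vcs + [(pre[0], ('and', P, ('ge', pre[1], e)))]
# Constructed example program: a copy loop that spends one resource unit per element.
COPY = ('seq', ('assign', 'i', 0),
        ('while', ('ge', 'n', ('+', 'i', 1)),          # while i < n
                  (('ge', 'n', 'i'), ('-', 'n', 'i')),  # invariant n >= i, budget n - i
                  ('seq', ('use', 1), ('assign', 'i', ('+', 'i', 1)))))

def copy_is_safe(avail):             # do all VCs hold with `avail` units on entry and n >= 0?
    return all(prove(A, P, ['n', 'i'], range(4))
               for A, P in verify(COPY, (('ge', 'n', 0), avail)))
```

  With a budget of n units on entry every obligation is discharged; with only n - 1 units the entry obligation fails and the code is rejected.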
  
  Soundness
    stated in terms of a formal operational semantics

Logical Framework
  The Edinburgh Logical Framework (LF) is a language for
  specifying logics.

  Pfenning's Elf: used as the internal language


Certifying Compilation
   source code "Bcopy"

