Crowfoot: a verifier for higher order store programs
Billiejoe (Nathaniel) Charlton, Ben Horsfall
Bernhard Reus
University of Sussex
VMCAI 2012
Outline
• Background on Higher Order Store (HOS)
- What is HOS? Why should I care?
- Reasoning about HOS programs: Hoare logic with nested triples
• Automated reasoning in Hoare logics with nested triples
- What are the difficulties?
- How we address them in our Crowfoot tool
• Some things we have verified using Crowfoot
What is higher order store?
• A programming language is said to feature HOS when:
a program’s code / commands / procedures are part of the mutable store which the program manipulates as it runs
• So HOS programs can modify their own code while running
• Where does HOS occur?
- in functional languages with mutable higher order state e.g. ML
- dynamic loading and unloading of code e.g. Plugins, OSes
- “hot update” – updating a program while it is running
- runtime code generation
square brackets indicate heap access
stores a procedure onto the heap, possibly doing partial application at the same time
runs the procedure stored in the heap at address , with arguments
ordinary procedure call
But what should we write here?
We need to describe the code which must be stored on the heap at address f
First attempt: says exactly which code is stored at f.
But only allows us to invoke P if we’re adding 10!
Second attempt: better.
But still not really satisfying. Doesn’t seem like a generic specification.
Instead, we use a nested Hoare triple to talk about the behaviour of the code, rather than which exact code it is.
Nested triples first appear in work by Honda, Yoshida and Berger; later developments by many others.
Our tool Crowfoot
• Our tool Crowfoot implements (semi-) automated verification of HOS programs, using nested triples
• Employs the symbolic execution with separation logic technique, as in Smallfoot, VeriFast, jStar, ...
• What issues did we face in implementing Crowfoot?
Issues for implementation
• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible
Assertion language
This is all circular! So triples can be nested to arbitrary depth.
Issues for implementation
• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible
• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap
Issues for implementation
• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible
• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap
• Entailment prover for assertions involving nested triples
Consider the following entailment between symbolic states:
We need to find c to make this entailment between specifications hold:
So, unlike in existing tools
- Solving entailments between symbolic states requires solving entailments between specifications
- And vice versa
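The entailment between specifications just described is also the check that decides whether code stored at an address may be relied on, or replaced, by later code. Added example, not Crowfoot's own code (Crowfoot reasons statically with separation logic): a Python runtime model of a higher-order store whose heap cells carry a contract. Assertions are modelled as finite sets of named facts, so specification entailment reduces to set inclusion, `eval` discharges the stored triple at the call site, and a hot update of a stored routine is accepted only when the new contract refines the old one. The heap address, handler names and facts are constructed for the demonstration.

```python
from dataclasses import dataclass
from functools import partial


@dataclass(frozen=True)
class Spec:
    """A contract {pre} code {post}; assertions are finite sets of named facts."""
    pre: frozenset
    post: frozenset


def spec_entails(strong: Spec, weak: Spec) -> bool:
    """True if `strong` refines `weak`: demands no more (pre) and promises no less (post)."""
    return strong.pre <= weak.pre and weak.post <= strong.post


class HigherOrderStore:
    """Heap whose cells hold code together with the nested triple describing it."""
    def __init__(self) -> None:
        self.heap = {}  # addr -> (code, Spec); code is called as code(state, *args)

    def store(self, addr, code, spec, *bound):
        """[addr] := code(bound...)  -- partial application at store time."""
        self.heap[addr] = (partial(code, *bound) if bound else code, spec)

    def update(self, addr, code, spec, *bound):
        """Hot update: accept only code whose spec refines the old cell's spec."""
        if not spec_entails(spec, self.heap[addr][1]):
            raise ValueError(f"update of [{addr:#x}] rejected: spec does not refine old one")
        self.store(addr, code, spec, *bound)

    def eval(self, addr, state, *args):
        """eval [addr](args): the cell's triple is discharged here, pre before and post after."""
        code, spec = self.heap[addr]
        if not spec.pre <= state:
            raise AssertionError(f"precondition of [{addr:#x}] not met by {sorted(state)}")
        result = code(state, *args)
        if not spec.post <= result:
            raise AssertionError(f"postcondition of [{addr:#x}] violated")
        return result


def demo() -> dict:
    """Constructed scenario: a request handler kept on the heap and hot-updated."""
    HANDLER = 0x10                                    # constructed heap address
    hos, metrics = HigherOrderStore(), []
    def handler_v1(state, request):
        return state | {"response_sent", "log_written"}
    def handler_v2(sink, state, request):             # `sink` is bound at store time
        sink.append(request)
        return state | {"response_sent", "log_written", "metrics_recorded"}
    parsed = frozenset({"request_parsed"})
    v1 = Spec(parsed, frozenset({"response_sent", "log_written"}))
    v2 = Spec(parsed, v1.post | {"metrics_recorded"})       # promises more: refines v1
    weak = Spec(parsed, frozenset({"response_sent"}))       # drops a guarantee
    needs_auth = Spec(parsed | {"auth_checked"}, v2.post)   # demands more of callers
    out = {}
    hos.store(HANDLER, handler_v1, v1)
    out["v1_ok"] = "log_written" in hos.eval(HANDLER, parsed, "GET /")
    try:                                              # caller's state too weak for pre
        hos.eval(HANDLER, frozenset(), "GET /")
        out["pre_enforced"] = False
    except AssertionError:
        out["pre_enforced"] = True
    for name, spec in [("weak", weak), ("needs_auth", needs_auth)]:
        try:
            hos.update(HANDLER, handler_v2, spec, metrics)
            out[f"{name}_rejected"] = False
        except ValueError:
            out[f"{name}_rejected"] = True
    hos.update(HANDLER, handler_v2, v2, metrics)      # accepted: same pre, stronger post
    hos.eval(HANDLER, parsed, "GET /health")
    out["v2_metrics"] = metrics == ["GET /health"]
    return out
```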
Issues for implementation
• Assertion language: must include nested triples but still be restricted enough that automated reasoning is possible
• New symbolic execution rules for the HOS statements: those which write code to the heap, and invoke code stored on the heap
• Entailment prover for assertions involving nested triples
• Recursive specifications for programs which perform “recursion through the store”
• Implementing the deep frame rule
Provers: the heart of Crowfoot
At its heart, Crowfoot implements provers for five related judgements.
1. Symbolic execution, relative to predicate definitions and a procedure context.
2. Entailment between symbolic states, yielding an inferred frame and an instantiation I that maps existentially bound variables to appropriate instances.
3. Entailment between specifications.
4. Computing the post-condition for a ‘call’ or ‘eval’, given the current symbolic state and the specification of the routine about to be run.
5. Finding a nested triple to use with ‘eval’, given the current symbolic state and the address of the code on the heap to be run.
Two of the proof rules
Recursion through the store
• Recursion through the store is when code on the heap invokes itself through a pointer
• Specifications for such code need to appear in their own pre-conditions!
• Crowfoot allows the declaration of such specifications:
The deep frame rule
• The deep frame rule (introduced by Birkedal, Torp-Smith and Yang) allows adding invariants to a specification
- like the regular frame rule
- but the invariant is added at all nesting levels
- allows some very nice modular proofs
- we’ve implemented this in Crowfoot
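To make "added at all nesting levels" concrete, here is an added example (not Crowfoot's code) in Python: assertions are modelled as sets of facts in which a fact may itself be a nested triple, and the deep frame rule is contrasted with the ordinary frame rule on the precondition of a routine that recurses through a heap pointer. The address `0x20`, the fact names and the memo-table invariant are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Triple:
    """A nested triple {pre} [addr] {post} occurring as a fact inside an assertion."""
    addr: int
    pre: frozenset
    post: frozenset


def frame(assertion: frozenset, inv: frozenset) -> frozenset:
    """Ordinary frame rule: conjoin the invariant at the top level only."""
    return assertion | inv


def deep_frame(assertion: frozenset, inv: frozenset) -> frozenset:
    """Deep frame rule: conjoin `inv` at the top level and inside every nested
    triple, recursively, so code reached through the heap may assume the
    invariant on entry and is obliged to preserve it."""
    framed = set()
    for fact in assertion:
        if isinstance(fact, Triple):
            fact = Triple(fact.addr, deep_frame(fact.pre, inv), deep_frame(fact.post, inv))
        framed.add(fact)
    return frozenset(framed) | inv


def holds_at_every_level(assertion: frozenset, inv: frozenset) -> bool:
    """True if `inv` is present at the top level and inside every nested triple."""
    return inv <= assertion and all(
        holds_at_every_level(f.pre, inv) and holds_at_every_level(f.post, inv)
        for f in assertion if isinstance(f, Triple))


def demo() -> tuple:
    """Constructed: precondition of a routine that recurses through the code at
    heap address 0x20, framed with a memo-table invariant both ways."""
    inner = Triple(0x20, frozenset({"arg_ok"}), frozenset({"result_ok"}))
    pre = frozenset({"arg_ok", inner})
    inv = frozenset({"table_valid"})
    # deep framing reaches the nested triple; ordinary framing does not
    return (holds_at_every_level(deep_frame(pre, inv), inv),
            holds_at_every_level(frame(pre, inv), inv))
```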
Some things we have verified
We have used Crowfoot to verify for example (models of):
• A generic memoiser for recursive functions (see the paper)
- Makes very neat use of deep frame rule
• Updateable web server
- A server which can be updated without stopping it running
• Programs that load and unload plugins as they run
• Higher order expression evaluator
Try Crowfoot online
www.sussex.ac.uk/informatics/crowfoot
The End
Main rule for