Further with Hoare Logic Sections 6.12, 6.10, 6.13

Overview Assignment to composite structures Reasoning about more exotic imperative constructs Motivation: tool support for verification array assignment, block, exception, expr with side effect, etc 2

About computer support for verification We can implement Hoare logic Syntax driven! Use e.g. theorem prover or SAT solver at the back-end to prove the resulting verification conditions. Big-logic architecture: The Hoare logic is defined to work natively on e.g. Java Complex logic; maintenance (of the logic) is an issue Example: LOOP Small-logic architecture: Translate Java to a much simpler intermediate language (e.g. Boogie PL); Hoare logic operates on this intermediate language Feedback is an issue Example : SPEC#, Esc/Java

Assignment to array Recall : wp (x:=e) Q = Q[e/x] {* Q[e/x] *} x:=e {* Q *} Does these “rules” extend to a[e1] := e2 ? {* y = 10 *} a[i] := y {* a[i] = 10 *} // valid {* a[0] = 10 *} a[i] := y {* a[0] = 10 *} // not valid!! {* (i=0  y | a[0]) = 10 *}

The formalism Introduce : a (i repby e) : the same array as a, except its i-th element, which is e. Define it indirectly via : a (i repby e) [k] = i=k  e | a[k] Treat assignment : a[i] := 0  a := a(i repby 0)

Now we can derive the “rule” So : wp (a[e1] := e2) Q = wp (a := a(e1 repby e2)) Q = { this is now an ordinary assignment ! } Q [ a(e1 repby e2) / a ]

Example Prove: {* ik *} a[k]:= 0 ; a[i]:=1 {* a[k] = 0 *} By calculating wp: {* i=k  1 | 0 = 0 *} // def. repby {* ... a(k repby 0)[k] .... *} // wp a[k]:=0 // a := a(k repby 0) {* i=k  1 | a[k] = 0 *} // def. repby {* a(i repby 1)[k] = 0 *} // wp a[i]:=1 // a := a(i repby 1) {* a[k] = 0 *}

Record Can be handled in a way analogous to array : r.fn := e  r := r(fn repby e) But since field names are static, we can immediately collapse the resulting repby expression: r (fn repby e) . fn = e r (fn repby e) . otherfield = r.otherfield See Lec. Notes.

“Predicate transformer” semantics we can abstractly define the meaning/semantic of a statement S by defining how to calculate its wp. wp (assert P) Q = P /\ Q wp (assume P) Q = P  Q

Now we can dealing with actual arrays Array expressions e.g. a[i] has to be checked that the index i is within a’s actual domain. Well, we can adapt uPL logic. Alternatively, keep the logic, but use a pre-processor to translate, e.g.: a[i] := a[k]  assert 0i<#a ; assert 0k<#a ; a[i] := a[k] What if we use assume instead of assert ?

Expressing non-determinism S [] T On a begin state, non-deterministically choose between S and T, and execute it. Define it via wp: wp (S [] T) Q = wp S Q /\ wp T Q

Non-deterministic IF We can now have a non-deterministic IF; define : if g1  S1 g2  S2 = (encoded by) { assume g1 ; S1 } [] { assume g2 ; S2 } Can’t be implemented literally like that; but with respect to their Hoare triple specs, these are equivalent. So, what happens if it is executed on a state not satisfying one of the guards? 

Non-deterministic loop while g1 do S1 g2 do S2 If g1 true, do S1, if g2 true, do S2. If both are true, choose one non-deterministically. Repeat the above. Terminate when g1 and g2 are false. while g1 \/ g2 do if g1  S1 g2  S2

Example Prove that eventually the bag will be empty. By proving this specification: {* reds = 100 /\ blues = 100 *} while reds>0 do reds,blues := reds-1 , blues+2 blues>0 do blues := blues - 1 {* reds = 0 /\ blues = 0 *} Take as invariant: r>=0 /\ w>=0 On termination we have ~g1 /\ ~g2 = r<=0 /\ b<=0, which with inv implies r=b=0. Termination metric: 3r + b Note that for the specification to be valid, we have to take into account all the non-deterministic choices made by the loop.

Block { var x:T ; S } Introduce a local, uninitialized variable x (means its value can be anything of the type T), then does S. The scope of x is limited within the block. Variant, with initialization: { var x = e ; S }  { var x ; x := e ; S } But we can also have a non-deterministic intialization: { var x ; assume x>9 ; S }

Block Define the semantics via wp; first some examples: {* true *} {* y=0 *} { var x ; x:=0 ; y:=x } {* y=x *} {* 0=0 *} // no! {* 0=x *}

Block {* y>x *} x>0  x > x’ y > x’ We may need to protect and restore variable names We may have to quantify { var x ; assume x>0 ; y:=x } {* y>x *} x>0  x > x’ y > x’ // rename x to x’ (x:: x>0  x > x’) (@x:: @x>0  @x > x’) // rename bound var (@x:: @x>0  @x > x) // restore x’ to x Equivalent with 0  x

Block So: wp {var x ; S } Q = restorex (x :: wp S (protectx Q)) where protectx Q = Q[x’/x] // x’ fresh var restorex (x:: R) = (@x:: R[@x/x][x/x’]) // @x fresh var The wp of {var x=e ; S } can be simplified  home work 

Non-deterministic assignment x,y  P Change the values of x and y to arbitrary values satisfying P; other variables stay unchanged. For example, x  x>0 can be encoded by: {var x’ ; assume x’>0 ; x:=x’ } // assuming x’ fresh Theorem: wp (x  P) Q = (x:: P  Q) = (z :: (P  Q)[z/x]) // z fresh Wp {var x’; assume x’>0; x=x’} Q = (forall x’ :: x’>0 ==> Q[x’ / x]) = (forall x :: x>0 ==> Q)

Exception raise Cause the program to enter an exception state. There is only one exception sort. But our concept of Hoare triple does not understand “exceptional state”. Extend “triple” to “quadruple” : {* P *} S {* Q , E *} If S is executed on a state satisfying P it will terminate. If it terminates in a normal state, then the state should satisfy Q. If it is an exceptional state, it should satisfy E.

Exception But now we have to extend all our Hoare logic rules and our defs for wp {* E *} raise {* Q, E *} {* P *} S1 {* Q, E *} , {* Q *} S2 {* R, E *} ---------------------------------------------------------------------- {*P*} S1 ; S2 {* R, E *} wp (x:=e) (Q,E) = Q[e/x] wp (S1 ; S2) (R,E) = wp S1 (wp S2 (R,E), E) wp raise (Q,E) = E

Catching exception try S catch T Execute S, if it jumps to an exception state, continue with T. The logic: {* P *} S {* R, Q *} , {* Q *} T {* R, E *} ---------------------------------------------------------------------- {*P*} try S catch T {* R, E *} wp (try S catch T) (R,E) = wp S (R, wp T (R,E)) { P } S { Q, R } , { R } T {Q, E} -------------------------------------------------- { P } try S catch T { Q, E }

Expression with side effect Assume this simple syntax of expression <expr> ::= <constant> | <var> | <expr> "+" <expr> | <expr> "=" <expr> | <var> "++“ Define a function flat that transform such an expression to statement, such that e.g. : x := e  … ; x:=@0 flat @0 e

Expression with side effect flat @0 (e1 + e2) = flat @1 e1 ; flat @2 e2 ; @0 := @1 + @2 flat @0 var = @0 := var flat @0 var++ = @0 := var ; var:=var+1 … All the @i vars are fresh. Example: x := x++ + y  @1:=x ; x:=x+1 ; @2:=y ; @0:=@1 + @2 ; x := @0 Can be handled by usual uPL logic.