Spring 2017 Program Analysis and Verification Lecture 4: Axiomatic Semantics II Roman Manevich Ben-Gurion University
Tentative syllabus Program Verification Program Analysis Basics Operational semantics Hoare Logic Applying Hoare Logic Predicate Calculus Proving Termination Data structures Program Analysis Basics Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals Lattices Fixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR
Previously Basic notions of correctness Formalizing Hoare triples FO logic Free variables Substitutions Hoare logic rules
Warm-up exercises Define program state: Define state predicate: Formalize {P} C {Q} via structural semantics: FV(m. x=k+1 0mx-1 nums(m)res) = { } (m. x=k+1 0mx-1 nums(m)res)[x+1/x] =
Agenda Inference system Annotating programs with proofs Properties of the semantics Chapter 6
Axiomatic semantics as an inference system
Inference trees Trees describing rule applications that ultimately prove a program correct Leaves are axiom applications Internal nodes correspond to rule applications over triples inferred from sub-trees Inference tree is called Simple if tree is only an axiom Composite otherwise
Factorial proof inference tree Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 } W = while (x1) do (y:=y*x; x:=x–1) INV = x > 0 (y x! = n! n x) will show later { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { INV[x-1/x] } x:=x-1 {INV} [comp] { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} [cons] {x1 INV } y:=y*x; x:=x–1 { INV } [while] { INV } W { x=1 INV } { INV[1/y] } y:=1 { INV } [cons] [cons] { x=n } y:=1 { INV } { INV } W {y=n! n>0 } [comp] { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) {y=n! n>0 }
Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree Written as p { P } C { Q } Are inference trees unique? {true} x:=1; {P} x:=x+5 {x0} Exercise: what is strongest P? Exercise: what is weakest P? Where does the non-determinism come from?
Annotating programs with proofs
Annotated programs A streamlined version of inference trees Inline inference trees into programs A kind of “proof carrying code” Going from annotated program to proof tree is a linear time translation
Annotating composition We can inline inference trees into programs Using proof equivalence of S1; (S2; S3) and (S1; S2); S3 instead of writing deep trees, e.g., {P} S1 {P’} {P’} S2 {P’’} {P’’} S3 {P’’’} {P’’’} S4 {P’’} {P} (S1; S2) {P’’} {P’’} (S3 ; S4) {Q} {P} (S1; S2); (S3 ; S4) {Q} We can annotate a composition S1; S2;…; Sn by {P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}
Annotating conditions { b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q } [ifp] { P } if b then { b P } S1 else { b P } S2 { Q }
Annotating conditions { b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q } [ifp] { P } if b then { b P } S1 { Q1 } else { b P } S2 { Q2 } { Q } { b P } S1 { Q1 } { b P } S2 { Q2 } { b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q } [ifp] [cons]
{ b P } S { P } { P } while b do S {b P } Annotating loops { b P } S { P } { P } while b do S {b P } [whilep] { P } while b do { b P } S {b P }
{ b P } S { P } { P } while b do S {b P } Annotating loops { b P } S { P } { P } while b do S {b P } [whilep] { P } while b do { b P } S { P’ } {b P } { Q } P’ implies P b P implies Q
{ b P } S { P } { P } while b do S {b P } Annotating loops { b P } S { P } { P } while b do S {b P } [whilep] { P } while b do { b P } S {b P } Source of confusion
Annotating loops – alternative 1 { b P } S { P } { P } while b do S {b P } [whilep] while { P } b do { b P } S {b P }
Annotating loops – alternative 2 { b P } S { P } { P } while b do S {b P } [whilep] Inv = { P } while b do { b P } S {b P } We will take this alternative in our examples and homework assignments
Annotating formula transformations We often rewrite formulas To make proofs more readable Using logical/mathematical identities Imported mathematical theorems { } { ’ } // transformation 1 { ’’ } // transformation 2
Exercising Hoare logic
Exercise 1: variable swap – specify { ? } t := x x := y y := t { ? }
Exercise 1: Prove using Hoare logic { y=b x=a } t := x { ? } x := y { ? } y := t { x=b y=a }
Exercise 1: Prove using Hoare logic { y=b x=a } t := x { y=b t=a } x := y { x=b t=a } y := t { x=b y=a }
Absolute value program if x<0 then x := -x else skip if b then S is syntactic sugar for if b then S else skip The latter form is easier to reason about
Absolute value program – specify { ? } if x<0 then x := -x else skip { ? }
Absolute value program – specify { x=v } if x<0 then x := -x else skip { x=|v| }
Exercise 2: Prove using Hoare logic { x=v } { } if x<0 then { } x := -x { } else { } skip { } {x=|v| }
Exercise 2: Prove using Hoare logic { x=v } { (-x=|v| x<0) (x=|v| x0) } if x<0 then { -x=|v| } x := -x { x=|v| } else { x=|v| } skip { x=|v| } { x=|v| }
Annotated programs: factorial { x=n } y := 1; Inv = { x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { y*x!=n! n>0 } Contrast with proof via structural semantics Where did the inductive argument over loop iterations go?
Detailed proof steps { x=n } y := 1; { x=n y=1 } Inv = { x>0 y*x!=n! nx } while (x=1) do { x1 (x>0 y*x!=n! nx) } => ? { x>1 y*x!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { x>0 y*x!=n! nx } { y*x!=n! n>0 }
Detailed proof of implication { x1 (x>0 y*x!=n! nx) } => relax inequality { x1 (x>0 y*x!=n! n(x-1)) } => use logical identity AB equals AB { x1 (x0 y*x!=n! n(x-1)) } => distribute over {(x1 x0) (x1 y*x!=n! n(x-1)) } => x0 subsumes x1 x0 { x0 (x1 y*x!=n! n(x-1)) } => weaken conjunction by removing x1 { x0 (y*x!=n! n(x-1)) } => relax x0 into x1 { x1 (y*x!=n! n(x-1)) } => use logical identity AB equals AB { x1 (x1 y*x!=n! n(x-1))} write x1 as x>1 { x>1 y*x!=n! n(x-1) }
Properties of the semantics
Properties of the semantics Equivalence What is the analog of program equivalence in axiomatic verification? Soundness Can we prove incorrect properties? Completeness Is there something we can’t prove?
Proving properties of axiomatic semantics Examples p { P } C { true } for any P and C p { false } C { P } for any P and C By induction on the shape of the inference tree
Provable equivalence We say that C1 and C2 are provably equivalent if for all P and Q p { P } C1 { Q } if and only if p { P } C2 { Q } Examples: S; skip and S S1; (S2; S3) and (S1; S2); S3
S1; (S2; S3) is provably equivalent to (S1; S2); S3 Without consequence rule applications T2 T3 T1 {P’} S2 {P’’} {P’’} S3 {Q} {P} S1 {P’} {P’} (S2; S3) {Q} {P} S1; (S2; S3) {Q} T1 T2 {P} S1 {P’} {P’} S2 {P’’} T3 {P} (S1; S2) {P’’} {P’’} S3 {Q} {P} (S1; S2); S3 {Q}
Compressing chains of consequences A chain of consequence rules can be compressed into a single application since Pn … P1 and Q1 … Pn {Pn} S {Qn} {Pn} S {Qn} cons cons … {P1} S {Q1} cons {P1} S {Q1}
S1; (S2; S3) is provably equivalent to (S1; S2); S3 T2 T1 T2 {P5} S2 {P4} T3 cons {P3} S1 {P5} {P5} S2 {P4} {P5} S2 {P2} {P2} S3 {Q1} seq seq {P3} (S1; S2) {P4} T3 T1 {P5} (S2; S3) {Q1} cons cons {P1} (S1; S2) {P2} {P2} S3 {Q1} {P3} S1 {P5} {P5} (S2; S3) {Q} seq seq {P1} (S1; S2); S3 {Q1} {P3} S1; (S2; S3) {Q} cons cons {P} (S1; S2); S3 {Q} {P1} S1; (S2; S3) {Q} cons {P} S1; (S2; S3) {Q} The other direction is similar
Valid assertions Q P C(P) C ’ We say that { P } C { Q } is valid if for all states , if P and C, * ’ then ’Q Denoted by p { P } C { Q } Q P C(P) C ’
Soundness and completeness The inference system is sound: p { P } C { Q } implies p { P } C { Q } The inference system is complete: p { P } C { Q } implies p { P } C { Q } Is Hoare logic sound? yes Is Hoare logic complete? relatively
See you next time