Formal Methods in software development a.a.2016/2017 Prof. Anna Labella 2/28/2019

concurrent and sequential systems Hoare Logic Dealing with critical situations Software aging See Ben Ari, Huth Ryan chap.4 2/28/2019

Verifying satisfiability of properties A posteriori Model Checking Automatic Model-based Verifying satisfiability of properties A posteriori Application: concurrent and reactive systems Hoare Logic Semiautomatic Proof-based Verifying satisfiability of properties A priori Application: sequential and transformational programs 2/28/2019

Our language Our core language has three syntactic domains: integer expressions, boolean expressions and commands Arithmetical expressions E ::= n | x | (−E) | (E + E) | (E − E) | (E ∗ E) Propositions B ::= true | false | (!B) | (B &B) | (B ||B) | (E < E) Commands C ::= x = E | C;C | if B {C} else {C} | while B {C} 2/28/2019

Hoare triples Let us define |=part (|φ|) S (|ψ|) If s is a state verifying φ, then, by applying the instruction S, we obtain a state where ψ holds. φ is called “precondition” ψ “postcondition” 2/28/2019

Hoare triples: examples (|x> 0|) S (| y.y < x |) Many possible solutions: 2/28/2019

Partial and total correctness If preconditions are verified: A then, after the execution of the program B1 postconditions are verified: B2 A  (B1  B2) 2/28/2019

Partial correctness If preconditions are verified: A Then, if the program teminates B1 postconditions are verified: B2 A  (B1  B2) 2/28/2019

Total correctness If preconditions are verified: A then, the program terminates B1 and postconditions are verified: B2 A  (B1  B2) !?!?! 2/28/2019

Total correctness The only command that can be non terminating is the while command 2/28/2019

A deductive system tree-like proofs 2/28/2019

Hoare logic (proof rules for partial correctness) (|φ1|) C1 (|φ2|) (|φ2|) C2(|φ3|) composition (|φ1|) C1 ; C2 (|φ3|) ________________________ assignment (|ψ [E/x]|) x = E (|ψ|) (|φB|) C1 (|ψ|) (|φ¬ B|) C2 (|ψ|) if-statement (|φ|) if B then C1 else C2 (|ψ|) (|ψB|) C (|ψ|) partial while (|ψ|) while B do C (|ψ¬B|) (|φ’ φ|) (|φ|) C (|ψ|) (|ψ  ψ’|) implied (|φ’|) C (|ψ’|) 2/28/2019

Proofs as trees They are difficult to deal with 2/28/2019

Proof tableaux (|φ0|) C1 (|φ1|) C2 ……(|φn-1|) Cn (|φn|) How? Reduce a program to a concatenation of steps, inserting justification between any two of them (|φ0|) C1 (|φ1|) C2 ……(|φn-1|) Cn (|φn|) Going backword from the postcondition to the precondition How? 2/28/2019

Weaker condition φ  ψ means that φ is stronger than ψ (because “not as true as” ψ) We proceed backwards: Given (|φ|) C (|ψ|), we can compute the weakest precondition wp (C, ψ) (predicate trasformer) s.t. wp (C, ψ) C (|ψ|) Hence to prove a triple, we have to show: (|φ|) C (|ψ|)  φwp (C, ψ) 2/28/2019

Semantically We usually identify the set of states verifying a property with the property itself and work bottom up in the verification looking for the maximal set of states verifying the precondition in order to get the postcodition φ  ψ means that the set of states verifying |φ| is contained in the set of states verifying |ψ| |φ|  |ψ| 2/28/2019

(inductive definition) Weakest precondition (inductive definition) Hence we look for the maximal set of states s.t., starting from one of them, after doing C, we reach a state Satisfying the postcondition wp (x = E, ψ) = [E/x] ψ wp (C;C‘, ψ) = wp (C, wp (C‘, ψ )) wp (if B then C1 else C2, ψ ) = (B wp (C1, ψ ) (B  wp (C2, ψ)) wp (while B do C, ψ) = ( B  ψ )(B wp (C; while B do C, ψ)) 2/28/2019

Exercises 2/28/2019

Exercises (| u = x + y |) z = x; assignment z = z + y; assignment u=z; assignment (| u = x + y |) 2/28/2019

Exercises (| z = x + y |) (| u = x + y |) z = x; assignment z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/28/2019

Exercises (assignment) z = x; assignment (| z + y = x + y |) z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/28/2019

Exercises (assignment) (| x + y = x + y |) z = x; assignment (| z + y = x + y |) z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/28/2019

Exercises (assignment) (| x + y = x + y |) z = x; assignment (| z + y = x + y |) z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/28/2019

Exercises (assignment) 2/28/2019

Exercises (assignment) The first one is immediate (| x = x |) (| y = x |) (| x = x  x>1|) (| x = x  x>a|) (| y = x  y>a|) (|y > 0  x>y|) 2/28/2019

Exercises (assignment) 2/28/2019

Exercises (assignment) x := x+1 ; y := x+1 u := x+2 ; v := y+3 ; z := u+v 2/28/2019

Exercises (assignment) (| x+1 + 1 = x + 2 |) t = x + 1; (| t + 1 = x + 2 |) z = t + 1; (| z = x + 2 |) y = z; (| y = x + 2 |) 2/28/2019

Exercises (if then else) 2/28/2019

Exercises (if then else) (| x>y|) (|  x>y|) (| y = min (x, y) |) (| x = min (x, y) |) z = y; z = x; (| z = min (x, y) |) 2/28/2019

Exercises (if then else) 2/28/2019

Invariants (while do) 2/28/2019

Example (while do) 2/28/2019

Example cont’d 2/28/2019

Example cont’d 2/28/2019

Exercise (while do) Invariant? Total correctness? 2/28/2019

Hoare triples: total correctness Let us define |= tot(|φ|) S (|ψ|) If s is a state verifying φ, then, by applying the instruction S, then S terminates and we obtain a state where ψ holds. φ is called “precondition” ψ “postcondition” 2/28/2019

Hoare logic: total correctness If we want to prove total correctness, we need (|ψB  0≤E=E0|) C (|ψ0≤E<E0|) total while (|ψ0≤E|) while B do C (|ψ¬B|) Variants 2/28/2019

Hoare triples: total correctness Fac1 2/28/2019

Hoare logic: total correctness 2/28/2019