CSE Winter 2008 Introduction to Program Verification symbolic execution continued

well-behaved expression assumption Exercise 7.9 if (count > 2) flag = adjust(total - 1); else flag = adjust(total - 1); post-condition? how does it depend on the well-behaved expression assumption?

exception raising use a specification variable to "fill in" a partial function: example: x = 1/n; post-condition: n ≠ 0 implies x = 1/n ?? leaves case n = 0 unspecified better: have n = 0 raise an exception; post-condition: n ≠ 0 and x = 1/n or exceptionRaised Note: specification variable converts a test (run-time) into part of a general assertion

programs as "propositional transformers" start with a proposition (perhaps “true”) ‘execute’ a code segment calculate a resulting proposition symbolic execution maintains a description of the state of computation at each step

assignment statements if a variable is assigned a new value, we may need its initial value: x = x - y //{x = 'old x' - y} parallel assignment (corrected from Ch. 8, p. 21:) x 1, x 2,.., x k = e 1, e 2,.., e k ; means replace x j by old x i in each e k and assign x i = e i, for each x i

parallel assignment motivation for parallel assignment: x=1 and y=x is the same logically as y=x and x=1 but not if = is sequential assignment scripting languages with parallel assignment: Python, Perl, Ruby, Windows PowerShell, OCaml and JavaScript (since 1.7) (source: Wikipedia)

symbex symbex symbolically executes a code fragment containing assignment and conditional statements handles assignment operators: x += y; allows A[X] in the assigned expression gets changed to array(A, X) why? doesn't handle parallel assignments

symbex assertions pre-condition: //{... }... assertion or post-condition:... //{... }... current state: //{ false }..

exercise 8.4 //{ not b implies v = e } if (b) //{ (not b implies v=e)and b } v = e ; // assert: v=e // -- assertion is verified. //{ (not b implies v=e)and not b or (not b implies old v=e)and v=e and b } compare post-condition for each case what does "assuming everything is well- behaved” mean in this specific case?

stronger and weaker P is stronger (as a condition) than Q if P implies Q and (P xor Q) P is weaker than Q if Q is stronger than P simple refinement weakens the pre- condition, strengthens the post-condition why is this desirable?

strongest Suppose P is the strongest proposition such that P implies Q what is P's relation to Q? If R is stronger than (or =) Q, then P is stronger than R, (or = R) i. e., (R implies Q) implies (P implies R)

what does symbex compute? strongest post-condition resulting from executing the code, given the pre-condition what if P is false? strongest possible proposition, but can't be a (descriptive) post-condition !

symbex in detail symbex processes a code segment; interprets its input (up to an end-of-file (^D)) as a sequence of assignment and conditional statements annotated with comments in the form //{ term } maintains a table of computational states described in terms of the code’s variables initial value is given by a pre-condition or described as ‘old V’

states and relations description is complicated by having two parts: states of variables = "trace table" values don't involve code variables current values are substituted for variables relations among variables

relations and values relations are either pre-conditions or created by conditional statements: if(x>0) {y=2; x = 2*x;} pre-condition to the {} is x > 0 after "y=2;" we have x > 0 and y=2 now x changes: new description is 'old x'> 0 and y = 2 and x =2*'old x' what's the post-condition calculated for the if? x 0 and y = 2 and x =2*'old x'

symbex vs. Java assertions often we are only interested in some of the variables; insert assertions to verify the (partial) state difference between these assertions and assertions in Java (version 1.4 and after): the assertions in Java test the code executing on a specific set of values assertions in symbex are asserted to be true for all values in the domains of the functions and relations

executing conditionals p. 26: if ( i != 4 || i != 5) x =no; else x = yes; //{ x = no} where did //{not i=5 or not i=4} come from? why is the post-condition verified?

illogical Dan