Axiomatic Methods for Software Verification Hongseok Yang

Things like even software verification, this has been the Holy Grail of computer science for many decades but now in some very key areas, for example, driver verification we ’ re building tools that can do actual proof about the software and how it works in order to guarantee the reliability." Bill Gates, April 18, Keynote address at WinHec 2002Keynote address WinHec 2002

Verification Tools Tools for software verification: –Compaq: ESC/Java –Microsoft: SLAM –KSU, NASA: Bandera Axiomatic methods play a crucial role in those tools.

Axiomatic Methods Hoare triple {P}C{Q} –P, Q: assertions such as (x==3)&&(y==z) –C: imperative programs –e.g. {x==4}y=x;{y%2==0} Weakest precondition WP(C,Q) –WP(C,Q): the weakest P s.t. {P}C{Q} –WP(y=x;, y%2==0) = (x%2==0)

History Naur66, Floyd67: –used assertions to specify/verify flowchart programs Hoare69: –developed the proof system for Hoare triples Reynolds00, Ishtiaq&O ’ Hearn01 –extended Hoare ’ s proof system using separating connectives to handle pointers

Fibonacci Numbers n ’ th Fibonacci number fib(n): –fib(0) = 0, fib(1) = 1 –fib(n+2) = fib(n+1) + fib(n)

Implementation in C if (n==0) { a=0; } else { i=1; p=0; a=1; while (i != n) { t=p; p=a; a=p+t; i=i+1; } Does this program calculate “ fib(n) ” and store the result in “ a ” ?

Specification Spec: {true}FIB{a==fib(n)}

Specification Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0, fib(n) is not even defined!!

Specification Spec: {true}FIB{a==fib(n)} FIB does not satisfy the spec: when n<0, fib(n) is not even defined!! New spec: {n>=0}FIB{a==fib(n)} But, how can we be sure that the new spec holds?

Hoare Logic Hoare logic consists of inference rules for proving valid Hoare triples. So, we can use these rules to show that {n>=0}FIB{a==fib(n)} holds.

Rule for Conditional So, {n>=0}FIB{a==fib(n)} holds if FIB satisfies: if (n==0) { {n>=0&&n==0}C 1 {a==fib(n)} } else { {n>=0&&!(n==0)}C 2 {a==fib(n)}}

Rule for Assignment So, {n==0}a=0;{a==fib(n)} because n==0 implies 0==fib(n). It suffices to show the correctness of C 2 : if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} } else { {n>=0&&!(n==0)}C 2 {a==fib(n)} }

Rule for Sequencing So, it suffices to show: if (n==0) { {n>=0&&n==0}a=0;{a==fib(n)} } else { {n>=0&&!(n==0)} i=1;p=0;a=1; {a==fib(i)&&p==fib(i-1)&&i<=n} while (I!=n) { t=p;p=a; a=p+t;i=i+1; } {a==fib(n)} } We focus on this step

Rule for Loop So, we have: {a==fib(i)&&p==fib(i-1)&&i<=n} while(i!=n) { {a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n} t=p; p=a; a=p+t; i=i+1; {a==fib(i)&&p==fib(i-1)&&i<=n} } {a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)} We prove this in the next slide

Preservation of the Loop Invariant {a==fib(i)&&p==fib(i-1)&&i<=n&&i!=n} {(a+p)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n} t=p; {(a+t)==fib(i+1)&&a==fib(i+1-1)&&(i+1)<=n} p=a; {(p+t)==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n} a=p+t; {a==fib(i+1)&&p==fib(i+1-1)&&(i+1)<=n} i=i+1; {a==fib(i)&&p==fib(i-1)&&i<=n}

Consequence Since a==fib(i)&&!(i!=n) implies a==fib(n), we have: {a==fib(i)&&p==fib(i-1)&&i<=n} while(i!=n) { t=p; p=a; a=p+t; i=i+1; } {a==fib(i)&&p==fib(i-1)&&i<=n&&!(i!=n)} {a==fib(n)}

Simple Twist void PFIB(int *n, int *a) {int t,i,p; if (*n==0) { *a=0; } else { i=1; p=0; *a=1; while (i != *n) { t=p; p=*a; *a=p+t; i=i+1; } } Does the same reasoning prove {*n>=0}PFIB(n,a){*a==fib(*n)}?

Pointers cause a problem! Not quite!! What if a=n? The problem is that the following rule is not sound. Two Solutions: –Morris ’ s solution: modify subsitution using dynamic aliasing checks in the above rule –Reynolds ’ s solution: use separating conjunction “ ** ’’ in assertions.

Semantics of Assertions Semantic Domains –s 2 Stacks = Vars ! fin Ints –h 2 Heaps = Nats ! fin Ints –(s,h) 2 States = Stacks x Heaps “ (s,h)²P ” : P holds for the state (s,h). –(s,h)²P&&Q iff (s,h)²P and (s,h)²Q –(s,h)²(x  E) iff dom(h)={s(x)} and h(s(x))=«E¬

Separating Conjunction #,* for heaps: –h 1 #h 2 iff dom(h 1 )\dom(h 2 ) = ; –When h 1 #h 2, h 1 *h 2 =h 1 [h 2 (s,h)²P**Q iff there exist h 1,h 2 such that –h 1 *h 2 =h; and –(s,h 1 ) ² P and (s,h 2 ) ² Q. e.g. (n  n 0 )**true, (n  n 0 )**(a  fib(n 0 ))

Rule for Pointer Swing By this rule we can prove: {(n  n 0 )**(a  fib(i))**(t==fib(i-1)&&p==fib(i)&&i+1<=n 0 )} *a=p+t; {(n  n 0 )**(a  p+t)**(t==fib(i-1)&&p==fib(i)&&i+1<=n 0 )}

Correctness of PFIB(n,a) Spec: {(n  n 0 )**(a  -)**(n 0 >=0)} PFIB(n,a) {(n  n 0 )**(a  fib(n 0 ))**true} Loop Invariant: (n  n 0 )**(a  fib(i))**(p==fib(i-1)&& i<=n 0 )

Preservation of Loop Invariant {(n  n 0 )**(a  fib(i))**(p==fib(i-1)&& i<=n 0 &&i!=n 0 )} {(n  n 0 )**(a  fib(i))**(p==fib(i-1)&& i+1<=n 0 )} t=p; {(n  n 0 )**(a  fib(i))**(t==fib(i-1)&& i+1<=n 0 )} p=*a; {(n  n 0 )**(a  fib(i))**(t==fib(i-1)&&p==fib(i)&& i+1<=n 0 )} *a=p+t; {(n  n 0 )**(a  p+t)**(t==fib(i-1)&&p==fib(i)&&i+1<=n 0 )} {(n  n 0 )**(a  fib(i+1))**(p==fib(i)&&i+1<=n 0 )} i=i+1; {(n  n 0 )**(a  fib(i))**(p==fib(i-1)&&i<=n 0 )}

Concluding Remarks Why don ’ t you verify your C program using Hoare logic? Well, even if you are lazy, you still might want to play with verification tools. Look at: