Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University

Syllabus Semantics Natural Semantics Structural semantics Axiomatic Verification Static Analysis Automating Hoare Logic Abstract Interpretation fundamentals Lattices Galois Connections Fixed-Points Widening/ Narrowing Domain constructors Interprocedural Analysis Analysis Techniques Numerical Domains CEGARAlias analysis Shape Analysis Crafting your own Soot From proofs to abstractions Systematically developing transformers 2

Today Basic concepts of correctness Axiomatic semantics (pages ) – Hoare Logic – Properties of the semantics – Weakest precondition 3

program correctness 4

Program correctness concepts Property = a certain relationship between initial state and final state Partial correctness = properties that hold if program terminates Termination = program always terminates – i.e., for every input state 5 partial correctness + termination = total correctness Other correctness concepts exist: liveness, resource usage, … Main focus of this course

Factorial example Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x – What if  x < 0? Formally, using natural semantics: …? 6 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)  S fac,    ’ implies  ’ y = (  x )!

Verifying factorial with natural semantics 7

Natural semantics for While 8  x := a,    [x  A  a   ] [ass ns ]  skip,    [skip ns ]  S 1,    ’,  S 2,  ’    ’’  S 1 ; S 2,    ’’ [comp ns ]  S 1,    ’  if b then S 1 else S 2,    ’ if B  b   = tt [if tt ns ]  S 2,    ’  if b then S 1 else S 2,    ’ if B  b   = ff [if ff ns ]  while b do S,    if B  b   = ff [while ff ns ]  S,    ’,  while b do S,  ’    ’’  while b do S,    ’’ if B  b   = tt [while tt ns ]

Staged proof 9

Stages 10 y := 1; while  (x=1) do (y := y*x; x := x–1) ss’s’ s’ y = (s x)!  s x > 0 while  (x=1) do (y := y*x; x := x–1) y := y*x; x := x–1 ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s x > 0 ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0

Inductive proof over iterations 11 while  (x=1) do (y := y*x; x := x–1) (y := y*x; x := x–1) while  (x=1) do (y := y*x; x := x–1) ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0 s s’s’ s’s’ s’’ s’ y  (s’ x)! = s’’ y  (s’’ x)!  s’’x = 1  s’ x > 0 s y  (s x)! = s’ y  (s’ x)!  s x > 0

First stage 12

Second stage 13

 while  (x=1) do (y := y*x; x := x–1), s   s’ 14

Third stage 15

How easy was that? Proof is very laborious – Need to connect all transitions and argues about relationships between their states – Reason: too closely connected to semantics of programming language Proof is long – Makes it hard to find possible mistakes How did we know to find this proof? – Is there a methodology? 16

17 Can you prove my program correct? I’ll use operational semantics Better use axiomatic verification

A systematic approach to program verification 18

Axiomatic verification approach What do we need in order to prove that the program does what it supposed to do? 19 Specify the required behavior Compare the behavior with the one obtained by the operational semantics Develop a proof system for showing that the program satisfies a requirement Mechanically use the proof system to show correctness

Axiomatic semantics contributors C.A.R. Hoare Robert Floyd Edsger W. Dijkstra : use assertions as foundation for static correctness proofs 1969: use Floyd’s ideas to define axiomatic semantics “An axiomatic basis for computer programming”An axiomatic basis for computer programming Predicate transformer semantics: weakest precondition and strongest postcondition

Assertions, a.k.a Hoare triples P and Q are state predicates – Example: x >0 If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts C is not required to always terminate {true} while true do skip {false} 21 { P } C { Q } precondition postcondition statement a.k.a command

Total correctness assertions If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 22 [ P ] C [ Q ]

Specifying correctness of factorial 23

Factorial example: specify precondition/postcondition 24 { ? } y := 1; while  (x=1) do (y := y*x; x := x–1) { ? }

First attempt 25 { x >0 } y := 1; while  (x=1) do (y := y*x; x := x–1) { y = x ! } Holds only for value of x at state after execution finishes We need a way to “remember” value of x before execution

Fixed assertion 26 { x =n } y := 1; while  (x=1) do (y := y*x; x := x–1) { y =n!  n>0 } A logical variable, must not appear in statement - immutable

The proof outline 27 { x=n } y := 1; { x>0  y*x!=n!  n  x } while  (x=1) do { x-1>0  (y*x)*(x-1)!=n!  n  (x-1) } y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { y*x!=n!  n>0  x=1 } {n!*(n+1) = (n+1)! } Background axiom

Formalizing partial correctness via hoare logic 28

States and predicates  – program states  – undefined A state predicate P is a (possibly infinite) set of states   P – P holds in state  29 P  

Formalizing Hoare triples { P } C { Q } –  ,  ’  . (   P   C,    ’)   ’  Q alternatively –    . (   P  S ns  C    )  S ns  C    Q – Convention:   P for all P    .   P  S ns  C    Q 30 P C(P)C(P) Q  ’’ C Why did we choose natural semantics? S ns  C   =  ’if  C,    ’  else

Formalizing Hoare triples { P } C { Q } –  ,  ’  . (   P   C,   *  ’)   ’  Q alternatively –    . (   P  S sos  C    )  S sos  C    Q – Convention:   P for all P    .   P  S sos  C    Q 31 P C(P)C(P) Q  ’’ C S ns  C   =  ’if  C,    ’  else

How do we express predicates? Extensional approach – Abstract mathematical functions P : State  {tt, ff} Intensional approach – via language of formulae 32

An assertion language Bexp is not expressive enough to express predicates needed for many proofs – Extend Bexp Allow quantification –  z. … –  z. …  z. z = k  n Import well known mathematical concepts – n!  n  (n-1)   2  1 33

An assertion language 34 a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 A ::= true | false | a 1 = a 2 | a 1  a 2 |  A | A 1  A 2 | A 1  A 2 | A 1  A 2 |  z. A |  z. A Either a program variables or a logical variable

35 Some FO logic definitions before we get to the rules

Free/bound variables A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free –  i. k=i  m – (i+100  77)  i. j+1=i+3) FV(A)  the free variables of A Defined inductively on the abstract syntax tree of A 36

Free variables 37 FV ( n )  {} FV ( x )  {x} FV ( a 1 + a 2 )  FV ( a 1  a 2 )  FV ( a 1 - a 2 )  FV ( a 1 )  FV ( a 2 ) FV ( true )  FV ( false )  {} FV ( a 1 = a 2 )  FV ( a 1  a 2 )  FV ( a 1 )  FV ( a 2 ) FV (  A )  FV ( A ) FV ( A 1  A 2 )  FV ( A 1  A 2 )  FV ( A 1  A 2 )  FV ( a 1 )  FV ( a 2 ) FV (  z. A )  FV (  z. A )  FV ( A ) \ { z }

Substitution An expression t is pure (a term) if it does not contain quantifiers A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t A   i. k=i  m A[5/k] = …? A[5/i] = …? 38 What if t is not pure?

Calculating substitutions 39 n[t/z] = n x[t/z] = x x[t/x] = t (a 1 + a 2 )[t/z]= a 1 [t/z] + a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (a 1 - a 2 )[t/z]= a 1 [t/z] - a 2 [t/z]

Calculating substitutions 40 true[t/x] = true false[t/x] = false (a 1 = a 2 )[t/z]= a 1 [t/z] = a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (  A)[t/z]=  (A[t/z]) (A 1  A 2 )[t/z]= A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y]

41 and now… the rules six are completely enough

Axiomatic semantics for While 42 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Notice similarity to natural semantics rules What’s different about this rule?

Assignment rule A “backwards” rule x := a always finishes Why is this true? – Recall operational semantics: Example: {y*z<9} x:=y*z {x<9} What about {y*z<9  w=5} x:=y*z {w=5} ? 43  x := a,    [x  A  a   ] [ass ns ]  [x  A  a   ]  P

skip rule 44  skip,    [skip ns ]

Composition rule Holds when S 1 terminates in every state where P holds and then Q holds and S 2 terminates in every state where Q holds and then R holds 45  S 1,    ’,  S 2,  ’    ’’  S 1 ; S 2,    ’’ [comp ns ]

Condition rule 46  S 1,    ’  if b then S 1 else S 2,    ’ if B  b   = tt [if tt ns ]  S 2,    ’  if b then S 1 else S 2,    ’ if B  b   = ff [if ff ns ]

Loop rule Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs When loop finishes, b is false 47  while b do S,    if B  b   = ff [while ff ns ]  S,    ’,  while b do S,  ’    ’’  while b do S,    ’’ if B  b   = tt [while tt ns ]

Rule of consequence Allows strengthening the precondition and weakening the postcondition The only rule that is not related to a statement 48

Rule of consequence 49 Why do we need it? Allows the following {y*z<9} x:=y*z {x<9} {y*z<9  w=5} x:=y*z {x<10}

Next lecture: axiomatic semantics practice and extensions