1
Spring 2017 Program Analysis and Verification
Lecture 4: Axiomatic Semantics II Roman Manevich Ben-Gurion University
2
Tentative syllabus
Program Verification: Operational semantics, Hoare Logic, Applying Hoare Logic, Predicate Calculus, Proving Termination, Data structures
Program Analysis Basics: Control Flow Graphs, Equation Systems, Collecting Semantics, Using Soot
Abstract Interpretation fundamentals: Lattices, Fixed-Points, Chaotic Iteration, Galois Connections, Domain constructors, Widening/Narrowing
Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR
3
Previously
Basic notions of correctness
Formalizing Hoare triples
FO logic: free variables, substitutions
Hoare logic rules
4
Warm-up exercises
Define program state:
Define state predicate:
Formalize {P} C {Q} via structural semantics:
FV(m. x=k+1 0mx-1 nums(m)res) = { }
(m. x=k+1 0mx-1 nums(m)res)[x+1/x] =
5
Agenda
Inference system
Annotating programs with proofs
Properties of the semantics (Chapter 6)
6
Axiomatic semantics as an inference system
7
Inference trees
Trees describing the rule applications that ultimately prove a program correct
Leaves are axiom applications
Internal nodes correspond to rule applications over triples inferred from the sub-trees
An inference tree is called simple if it consists of a single axiom application, and composite otherwise
8
Factorial proof inference tree
Goal: { x=n } y:=1; while (x≠1) do (y:=y*x; x:=x–1) { y=n! ∧ n>0 }
W = while (x≠1) do (y:=y*x; x:=x–1)
INV = x > 0 ⇒ (y · x! = n! ∧ n ≥ x) (will show later)
(axiom) { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
(axiom) { INV[x-1/x] } x:=x-1 { INV }
[comp] { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 { INV }
[cons] { x≠1 ∧ INV } y:=y*x; x:=x–1 { INV }
[while] { INV } W { x=1 ∧ INV }
(axiom) { INV[1/y] } y:=1 { INV }
[cons] { x=n } y:=1 { INV }
[cons] { INV } W { y=n! ∧ n>0 }
[comp] { x=n } y:=1; while (x≠1) do (y:=y*x; x:=x–1) { y=n! ∧ n>0 }
9
Provability
We say that an assertion { P } C { Q } is provable if there exists an inference tree for it. Written as ⊢p { P } C { Q }.
Are inference trees unique?
{true} x:=1; {P} x:=x+5 {x0}
Exercise: what is the strongest P? Exercise: what is the weakest P?
Where does the non-determinism come from?
10
Annotating programs with proofs
11
Annotated programs: a streamlined version of inference trees
Inline the inference tree into the program, a kind of “proof carrying code”
Going from an annotated program to a proof tree is a linear-time translation
12
Annotating composition
We can inline inference trees into programs, using the proof equivalence of S1; (S2; S3) and (S1; S2); S3, instead of writing deep trees, e.g.:
{P} S1 {P’} and {P’} S2 {P’’} give {P} (S1; S2) {P’’}
{P’’} S3 {P’’’} and {P’’’} S4 {Q} give {P’’} (S3; S4) {Q}
together: {P} (S1; S2); (S3; S4) {Q}
We can annotate a composition S1; S2; …; Sn by {P1} S1 {P2} S2 … {Pn} Sn {Pn+1}
13
Annotating conditions
[ifp] From { b ∧ P } S1 { Q } and { ¬b ∧ P } S2 { Q } infer { P } if b then S1 else S2 { Q }
Annotated form: { P } if b then { b ∧ P } S1 else { ¬b ∧ P } S2 { Q }
14
Annotating conditions
[ifp] From { b ∧ P } S1 { Q } and { ¬b ∧ P } S2 { Q } infer { P } if b then S1 else S2 { Q }
Annotated form with intermediate postconditions: { P } if b then { b ∧ P } S1 { Q1 } else { ¬b ∧ P } S2 { Q2 } { Q }
This stands for the tree: from { b ∧ P } S1 { Q1 } and Q1 ⇒ Q, [cons] gives { b ∧ P } S1 { Q }; from { ¬b ∧ P } S2 { Q2 } and Q2 ⇒ Q, [cons] gives { ¬b ∧ P } S2 { Q }; [ifp] then gives { P } if b then S1 else S2 { Q }.
15
Annotating loops
[whilep] From { b ∧ P } S { P } infer { P } while b do S { ¬b ∧ P }
Annotated form: { P } while b do { b ∧ P } S { ¬b ∧ P }
16
Annotating loops
[whilep] From { b ∧ P } S { P } infer { P } while b do S { ¬b ∧ P }
Annotated form with an intermediate assertion: { P } while b do { b ∧ P } S { P’ } { ¬b ∧ P } { Q }
Side conditions: P’ implies P, and ¬b ∧ P implies Q
17
Annotating loops
[whilep] From { b ∧ P } S { P } infer { P } while b do S { ¬b ∧ P }
Annotated form: { P } while b do { b ∧ P } S { ¬b ∧ P }
Source of confusion: written this way, { P } in front of the loop reads like an ordinary precondition rather than the loop invariant.
18
Annotating loops – alternative 1
[whilep] From { b ∧ P } S { P } infer { P } while b do S { ¬b ∧ P }
Annotated form, alternative 1: while { P } b do { b ∧ P } S { ¬b ∧ P }
19
Annotating loops – alternative 2
[whilep] From { b ∧ P } S { P } infer { P } while b do S { ¬b ∧ P }
Annotated form, alternative 2: Inv = { P } while b do { b ∧ P } S { ¬b ∧ P }
We will take this alternative in our examples and homework assignments.
20
Annotating formula transformations
We often rewrite formulas to make proofs more readable, using logical/mathematical identities and imported mathematical theorems:
{ P }
{ P’ } // transformation 1
{ P’’ } // transformation 2
21
Exercising Hoare logic
22
Exercise 1: variable swap – specify
{ ? }
t := x
x := y
y := t
{ ? }
23
Exercise 1: Prove using Hoare logic
{ y=b ∧ x=a }
t := x
{ ? }
x := y
{ ? }
y := t
{ x=b ∧ y=a }
24
Exercise 1: Prove using Hoare logic
{ y=b ∧ x=a }
t := x
{ y=b ∧ t=a }
x := y
{ x=b ∧ t=a }
y := t
{ x=b ∧ y=a }
25
Absolute value program
if x<0 then x := -x else skip
if b then S is syntactic sugar for if b then S else skip; the latter form is easier to reason about
26
Absolute value program – specify
{ ? }
if x<0 then x := -x else skip
{ ? }
27
Absolute value program – specify
{ x=v }
if x<0 then x := -x else skip
{ x=|v| }
28
Exercise 2: Prove using Hoare logic
{ x=v }
{ }
if x<0 then
{ }
x := -x
{ }
else
{ }
skip
{ }
{ x=|v| }
29
Exercise 2: Prove using Hoare logic
{ x=v }
{ (-x=|v| ∧ x<0) ∨ (x=|v| ∧ x≥0) }
if x<0 then
{ -x=|v| }
x := -x
{ x=|v| }
else
{ x=|v| }
skip
{ x=|v| }
{ x=|v| }
30
Annotated programs: factorial
{ x=n }
y := 1;
Inv = { x>0 ⇒ (y·x! = n! ∧ n ≥ x) }
while (x≠1) do
{ x-1>0 ⇒ ((y·x)·(x-1)! = n! ∧ n ≥ x-1) }
y := y*x;
{ x-1>0 ⇒ (y·(x-1)! = n! ∧ n ≥ x-1) }
x := x–1
{ y·x! = n! ∧ n>0 }
Contrast with the proof via structural semantics: where did the inductive argument over loop iterations go?
31
Detailed proof steps
{ x=n }
y := 1;
{ x=n ∧ y=1 }
Inv = { x>0 ⇒ (y·x! = n! ∧ n ≥ x) }
while (x≠1) do
{ x≠1 ∧ (x>0 ⇒ (y·x! = n! ∧ n ≥ x)) }
=> ?
{ x>1 ⇒ (y·x! = n! ∧ n ≥ x-1) }
y := y*x;
{ x-1>0 ⇒ (y·(x-1)! = n! ∧ n ≥ x-1) }
x := x–1
{ x>0 ⇒ (y·x! = n! ∧ n ≥ x) }
{ y·x! = n! ∧ n>0 }
32
Detailed proof of implication
{ x≠1 ∧ (x>0 ⇒ (y·x! = n! ∧ n ≥ x)) }
=> relax inequality
{ x≠1 ∧ (x>0 ⇒ (y·x! = n! ∧ n ≥ x-1)) }
=> use logical identity A ⇒ B equals ¬A ∨ B
{ x≠1 ∧ (x≤0 ∨ (y·x! = n! ∧ n ≥ x-1)) }
=> distribute ∧ over ∨
{ (x≠1 ∧ x≤0) ∨ (x≠1 ∧ y·x! = n! ∧ n ≥ x-1) }
=> x≤0 subsumes x≠1 ∧ x≤0
{ x≤0 ∨ (x≠1 ∧ y·x! = n! ∧ n ≥ x-1) }
=> weaken conjunction by removing x≠1
{ x≤0 ∨ (y·x! = n! ∧ n ≥ x-1) }
=> relax x≤0 into x≤1
{ x≤1 ∨ (y·x! = n! ∧ n ≥ x-1) }
=> use logical identity A ⇒ B equals ¬A ∨ B
{ ¬(x≤1) ⇒ (y·x! = n! ∧ n ≥ x-1) }
=> write ¬(x≤1) as x>1
{ x>1 ⇒ (y·x! = n! ∧ n ≥ x-1) }
33
Properties of the semantics
34
Properties of the semantics
Equivalence: what is the analog of program equivalence in axiomatic verification?
Soundness: can we prove incorrect properties?
Completeness: is there something we can’t prove?
35
Proving properties of axiomatic semantics
Examples:
⊢p { P } C { true } for any P and C
⊢p { false } C { P } for any P and C
Such properties are proved by induction on the shape of the inference tree
36
Provable equivalence
We say that C1 and C2 are provably equivalent if for all P and Q: ⊢p { P } C1 { Q } if and only if ⊢p { P } C2 { Q }
Examples: S; skip and S; S1; (S2; S3) and (S1; S2); S3
37
S1; (S2; S3) is provably equivalent to (S1; S2); S3
Without consequence rule applications, with sub-trees T1: {P} S1 {P’}, T2: {P’} S2 {P’’}, T3: {P’’} S3 {Q}:
T2 and T3 give {P’} (S2; S3) {Q}; with T1 this gives {P} S1; (S2; S3) {Q}
T1 and T2 give {P} (S1; S2) {P’’}; with T3 this gives {P} (S1; S2); S3 {Q}
38
Compressing chains of consequences
A chain of consequence rules can be compressed into a single application, since P1 ⇒ … ⇒ Pn and Qn ⇒ … ⇒ Q1:
{Pn} S {Qn} cons {Pn-1} S {Qn-1} cons … cons {P1} S {Q1}
becomes
{Pn} S {Qn} cons {P1} S {Q1}
39
S1; (S2; S3) is provably equivalent to (S1; S2); S3
With consequence rule applications (one per node after compression), a tree for {P} (S1; S2); S3 {Q} has the shape:
T1: {P3} S1 {P5} and T2: {P5} S2 {P4}; seq gives {P3} (S1; S2) {P4}; cons gives {P1} (S1; S2) {P2}
with T3: {P2} S3 {Q1}; seq gives {P1} (S1; S2); S3 {Q1}; cons gives {P} (S1; S2); S3 {Q}
From the same T1, T2, T3 we build a tree for {P} S1; (S2; S3) {Q}:
T2: {P5} S2 {P4}; cons gives {P5} S2 {P2}; with T3, seq gives {P5} (S2; S3) {Q1}; cons gives {P5} (S2; S3) {Q}
with T1, seq gives {P3} S1; (S2; S3) {Q}; cons gives {P1} S1; (S2; S3) {Q}; cons gives {P} S1; (S2; S3) {Q}
The other direction is similar
40
Valid assertions
(figure: C maps the states satisfying P into the states satisfying Q)
We say that { P } C { Q } is valid if for all states σ, if σ ⊨ P and ⟨C, σ⟩ ⇒* σ’ then σ’ ⊨ Q
Denoted by ⊨p { P } C { Q }
41
Soundness and completeness
The inference system is sound: ⊢p { P } C { Q } implies ⊨p { P } C { Q }
The inference system is complete: ⊨p { P } C { Q } implies ⊢p { P } C { Q }
Is Hoare logic sound? Yes
Is Hoare logic complete? Relatively: complete given that the implications used in the consequence rule can be proved in the assertion language
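The annotated programs of the exercises (the swap and absolute-value programs, the factorial program with its invariant, written in the "Inv = { P } while b do …" style of alternative 2), the validity definition, and the soundness claim can all be tried out mechanically. The Python below is an added example written for this page; it is not code from the lecture or its textbook. It turns an annotated program into the proof obligations that the [cons] steps have to discharge (a weakest-precondition computation following the rules), runs the structural semantics on a constructed finite domain of states to check validity directly, and compares the two. Names such as wlp, proof_obligations, valid, states_over and the tuple encoding of statements are this example's own choices; assertions are Python predicates over a state, and P[e/x] is implemented semantically. A check over a finite domain is a test, not a proof: it can refute a wrong annotation but only supports a correct one.

```python
# Added example, not from the slides: a verification-condition generator for annotated
# While programs plus a structural-semantics interpreter, used to check the lecture's
# swap, absolute-value and factorial programs on a finite set of states. All names here
# (wlp, proof_obligations, valid, the tuple encoding of statements) are my own choices.
from itertools import product
from math import factorial

# Assertions and expressions are Python callables over a state dict {var: int};
# P[e/x] is implemented semantically: P holds in s after replacing x by e(s).
def subst(P, x, e): return lambda s: P({**s, x: e(s)})
def implies(A, B):  return lambda s: (not A(s)) or B(s)
def both(A, B):     return lambda s: A(s) and B(s)
def neg(A):         return lambda s: not A(s)

# Statements: ('skip',) | ('assign', x, e) | ('seq', S1, S2) | ('if', b, S1, S2)
#           | ('while', inv, b, body)   -- the loop carries its invariant (alternative 2)
def wlp(S, Q, obligations):
    """Weakest liberal precondition of S w.r.t. Q; the implications the [while] rule
    leaves to [cons] are appended to `obligations` as (name, assertion) pairs."""
    kind = S[0]
    if kind == 'skip':
        return Q
    if kind == 'assign':                                   # {Q[e/x]} x := e {Q}
        return subst(Q, S[1], S[2])
    if kind == 'seq':                                      # [comp]
        return wlp(S[1], wlp(S[2], Q, obligations), obligations)
    if kind == 'if':                                       # (b ⇒ wlp S1) ∧ (¬b ⇒ wlp S2)
        return both(implies(S[1], wlp(S[2], Q, obligations)),
                    implies(neg(S[1]), wlp(S[3], Q, obligations)))
    if kind == 'while':                                    # [while] + [cons]
        _, inv, b, body = S
        obligations.append(('inv is preserved by the body',
                            implies(both(inv, b), wlp(body, inv, obligations))))
        obligations.append(('inv and loop exit imply the postcondition',
                            implies(both(inv, neg(b)), Q)))
        return inv
    raise ValueError(f'unknown statement {kind}')

def proof_obligations(pre, S, post):
    """All implications a [cons] step has to discharge for {pre} S {post}."""
    obligations = []
    top = wlp(S, post, obligations)
    return [('precondition implies wlp', implies(pre, top))] + obligations

def failing_obligations(pre, S, post, states):
    """Names of the obligations that fail on some state of the domain (empty = all hold)."""
    return [n for n, ob in proof_obligations(pre, S, post) if not all(ob(s) for s in states)]

class Diverges(Exception): pass       # loop-iteration budget exhausted: treat as non-termination

def run(S, s, budget):
    """Execute S from state s (budget: one-element list of remaining loop iterations)."""
    kind = S[0]
    if kind == 'skip':
        return s
    if kind == 'assign':
        return {**s, S[1]: S[2](s)}
    if kind == 'seq':
        return run(S[2], run(S[1], s, budget), budget)
    if kind == 'if':
        return run(S[2] if S[1](s) else S[3], s, budget)
    _, _inv, b, body = S                                   # 'while': the invariant is ignored at run time
    while b(s):
        budget[0] -= 1
        if budget[0] < 0:
            raise Diverges
        s = run(body, s, budget)
    return s

def valid(pre, S, post, states, budget=200):
    """⊨ {pre} S {post} on the domain: every terminating run from a state satisfying pre
    ends in a state satisfying post (partial correctness: divergent runs are vacuous)."""
    for s in filter(pre, states):
        try:
            if not post(run(S, s, [budget])):
                return False
        except Diverges:
            pass
    return True

def states_over(names, lo, hi):
    """Constructed finite domain: every assignment of lo..hi to the given variables."""
    return [dict(zip(names, v)) for v in product(range(lo, hi + 1), repeat=len(names))]

# Exercise 1: { y=b ∧ x=a } t := x; x := y; y := t { x=b ∧ y=a }
SWAP = ('seq', ('assign', 't', lambda s: s['x']),
        ('seq', ('assign', 'x', lambda s: s['y']), ('assign', 'y', lambda s: s['t'])))
swap_pre, swap_post = (lambda s: s['y'] == s['b'] and s['x'] == s['a'],
                       lambda s: s['x'] == s['b'] and s['y'] == s['a'])

# Exercise 2: { x=v } if x<0 then x := -x else skip { x=|v| }
ABS = ('if', lambda s: s['x'] < 0, ('assign', 'x', lambda s: -s['x']), ('skip',))
abs_pre, abs_post = lambda s: s['x'] == s['v'], lambda s: s['x'] == abs(s['v'])

# Factorial with Inv = x>0 ⇒ (y·x! = n! ∧ n ≥ x); conjunct order keeps factorial() off negatives
INV = lambda s: s['x'] <= 0 or (s['n'] >= s['x'] and
                               s['y'] * factorial(s['x']) == factorial(s['n']))
FACT = ('seq', ('assign', 'y', lambda s: 1),
        ('while', INV, lambda s: s['x'] != 1,
         ('seq', ('assign', 'y', lambda s: s['y'] * s['x']),
                 ('assign', 'x', lambda s: s['x'] - 1))))
fact_pre, fact_post = lambda s: s['x'] == s['n'], lambda s: s['n'] > 0 and s['y'] == factorial(s['n'])

def check_all():
    """For each program: (all proof obligations hold, triple is valid) on its domain."""
    cases = {'swap': (swap_pre, SWAP, swap_post, states_over('xytab', -2, 2)),
             'abs':  (abs_pre, ABS, abs_post, states_over('xv', -3, 3)),
             'fact': (fact_pre, FACT, fact_post, states_over('xny', -1, 5))}
    return {name: (failing_obligations(pre, S, post, sts) == [], valid(pre, S, post, sts))
            for name, (pre, S, post, sts) in cases.items()}
```

Calling check_all() reports (True, True) for all three programs: the obligations generated from the annotations hold on the domain, and so do the triples themselves, which is soundness observed on these instances. The interesting use is the negative direction: replacing the factorial invariant by true leaves the triple valid but makes the "inv and loop exit imply the postcondition" obligation fail, which is exactly where the proof of a weak annotation breaks, and a wrong postcondition for swap fails both the wlp obligation and the semantic check. The loop-iteration budget is a deliberate simplification for partial correctness: a run that exhausts it (factorial started from n ≤ 0) is treated as divergent and imposes no requirement.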
42
See you next time