Spring 2017 Program Analysis and Verification


1 Spring 2017 Program Analysis and Verification
Lecture 4: Axiomatic Semantics II Roman Manevich Ben-Gurion University

2 Tentative syllabus
Program Verification: Operational semantics, Hoare Logic, Applying Hoare Logic, Predicate Calculus, Proving Termination, Data structures
Program Analysis Basics: Control Flow Graphs, Equation Systems, Collecting Semantics, Using Soot
Abstract Interpretation fundamentals: Lattices, Fixed-Points, Chaotic Iteration, Galois Connections, Domain constructors, Widening/Narrowing
Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR

3 Previously
Basic notions of correctness; formalizing Hoare triples; FO logic; free variables; substitutions; Hoare logic rules

4 Warm-up exercises
Define program state:
Define state predicate:
Formalize {P} C {Q} via structural semantics:
FV(∃m. x=k+1 ∧ 0≤m≤x-1 ∧ nums(m)≥res) = { }
(∃m. x=k+1 ∧ 0≤m≤x-1 ∧ nums(m)≥res)[x+1/x] =

5 Agenda
Inference system; annotating programs with proofs; properties of the semantics (Chapter 6)

6 Axiomatic semantics as an inference system

7 Inference trees
Trees describing rule applications that ultimately prove a program correct. Leaves are axiom applications; internal nodes correspond to rule applications over triples inferred from sub-trees. An inference tree is called simple if the tree is only an axiom, and composite otherwise.

8 Factorial proof inference tree
Goal: { x=n } y:=1; while (x≠1) do (y:=y*x; x:=x–1) { y=n! ∧ n>0 }
W = while (x≠1) do (y:=y*x; x:=x–1)
INV = x > 0 ∧ (y*x! = n! ∧ n ≥ x)   (will show later)
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }   { INV[x-1/x] } x:=x-1 { INV }
[comp] { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 { INV }
[cons] { x≠1 ∧ INV } y:=y*x; x:=x–1 { INV }
[while] { INV } W { x=1 ∧ INV }
{ INV[1/y] } y:=1 { INV }
[cons] { x=n } y:=1 { INV }
[cons] { INV } W { y=n! ∧ n>0 }
[comp] { x=n } y:=1; while (x≠1) do (y:=y*x; x:=x–1) { y=n! ∧ n>0 }

9 Provability
We say that an assertion { P } C { Q } is provable if there exists an inference tree. Written as ⊢p { P } C { Q }.
Are inference trees unique?
{true} x:=1; {P} x:=x+5 {x≥0}
Exercise: what is the strongest P? Exercise: what is the weakest P? Where does the non-determinism come from?

10 Annotating programs with proofs

11 Annotated programs
A streamlined version of inference trees: inline the inference trees into the program, a kind of “proof carrying code”. Going from an annotated program to a proof tree is a linear time translation.

12 Annotating composition
We can inline inference trees into programs, using the proof equivalence of S1; (S2; S3) and (S1; S2); S3, instead of writing deep trees, e.g.:
{P} S1 {P’}   {P’} S2 {P’’}   {P’’} S3 {P’’’}   {P’’’} S4 {Q}
{P} (S1; S2) {P’’}   {P’’} (S3; S4) {Q}
{P} (S1; S2); (S3; S4) {Q}
We can annotate a composition S1; S2; …; Sn by {P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}

13 Annotating conditions
{ b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
---------------------------------------- [ifp]
{ P } if b then S1 else S2 { Q }
Annotated form: { P } if b then { b ∧ P } S1 else { ¬b ∧ P } S2 { Q }

14 Annotating conditions
{ b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
---------------------------------------- [ifp]
{ P } if b then S1 else S2 { Q }
Annotated form with branch postconditions: { P } if b then { b ∧ P } S1 { Q1 } else { ¬b ∧ P } S2 { Q2 } { Q }
From { b ∧ P } S1 { Q1 } and { ¬b ∧ P } S2 { Q2 }, [cons] gives { b ∧ P } S1 { Q } and { ¬b ∧ P } S2 { Q }, and [ifp] then gives { P } if b then S1 else S2 { Q }.

15 { b  P } S { P } { P } while b do S {b  P }
Annotating loops { b  P } S { P } { P } while b do S {b  P } [whilep] { P } while b do { b  P } S {b  P }

16 { b  P } S { P } { P } while b do S {b  P }
Annotating loops { b  P } S { P } { P } while b do S {b  P } [whilep] { P } while b do { b  P } S { P’ } {b  P } { Q } P’ implies P b  P implies Q

17 { b  P } S { P } { P } while b do S {b  P }
Annotating loops { b  P } S { P } { P } while b do S {b  P } [whilep] { P } while b do { b  P } S {b  P } Source of confusion

18 Annotating loops – alternative 1
{ b ∧ P } S { P }
------------------------------ [whilep]
{ P } while b do S { ¬b ∧ P }
Annotated form: while { P } b do { b ∧ P } S { ¬b ∧ P }

19 Annotating loops – alternative 2
{ b ∧ P } S { P }
------------------------------ [whilep]
{ P } while b do S { ¬b ∧ P }
Annotated form: Inv = { P } while b do { b ∧ P } S { ¬b ∧ P }
We will take this alternative in our examples and homework assignments.

20 Annotating formula transformations
We often rewrite formulas to make proofs more readable, using logical/mathematical identities and imported mathematical theorems:
{ φ }
{ φ’ }    // transformation 1
{ φ’’ }   // transformation 2

21 Exercising Hoare logic

22 Exercise 1: variable swap – specify
{ ? }
t := x
x := y
y := t
{ ? }

23 Exercise 1: Prove using Hoare logic
{ y=b ∧ x=a }
t := x
{ ? }
x := y
{ ? }
y := t
{ x=b ∧ y=a }

24 Exercise 1: Prove using Hoare logic
{ y=b ∧ x=a }
t := x
{ y=b ∧ t=a }
x := y
{ x=b ∧ t=a }
y := t
{ x=b ∧ y=a }

25 Absolute value program
if x<0 then x := -x else skip
“if b then S” is syntactic sugar for “if b then S else skip”; the latter form is easier to reason about.

26 Absolute value program – specify
{ ? } if x<0 then x := -x else skip { ? }

27 Absolute value program – specify
{ x=v } if x<0 then x := -x else skip { x=|v| }

28 Exercise 2: Prove using Hoare logic
{ x=v }
{ }
if x<0 then
  { } x := -x { }
else
  { } skip { }
{ x=|v| }

29 Exercise 2: Prove using Hoare logic
{ x=v }
{ (-x=|v| ∧ x<0) ∨ (x=|v| ∧ x≥0) }
if x<0 then
  { -x=|v| } x := -x { x=|v| }
else
  { x=|v| } skip { x=|v| }
{ x=|v| }

30 Annotated programs: factorial
{ x=n }
y := 1;
Inv = { x>0 ∧ y*x!=n! ∧ n≥x }
while (x≠1) do
  { x-1>0 ∧ (y*x)*(x-1)!=n! ∧ n≥(x-1) }
  y := y*x;
  { x-1>0 ∧ y*(x-1)!=n! ∧ n≥(x-1) }
  x := x–1
{ y*x!=n! ∧ n>0 }
Contrast with the proof via structural semantics: where did the inductive argument over loop iterations go?

31 Detailed proof steps
{ x=n }
y := 1;
{ x=n ∧ y=1 }
Inv = { x>0 ∧ y*x!=n! ∧ n≥x }
while (x≠1) do
  { x≠1 ∧ (x>0 ∧ y*x!=n! ∧ n≥x) }
  => ?
  { x>1 ∧ y*x!=n! ∧ n≥(x-1) }
  y := y*x;
  { x-1>0 ∧ y*(x-1)!=n! ∧ n≥(x-1) }
  x := x–1
  { x>0 ∧ y*x!=n! ∧ n≥x }
{ y*x!=n! ∧ n>0 }
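As an added example (not code from the slides), the annotation rules of slides 12–19 and the annotated absolute-value and factorial programs encoded as a small Python checker: it generates the proof obligations of an annotated program, computes P[e/x] through the substitution lemma, and checks each obligation by brute force over a constructed finite domain, so it catches a wrong annotation but is not a proof over all integers.

```python
from itertools import product
from math import factorial

# Annotated-program syntax (constructed for this example); assertions, conditions and
# expressions are Python functions over a state dict, e.g. lambda s: s['x'] > 0.
#   ('skip',)  ('assign', x, e)  ('seq', S1, mid, S2)  ('if', b, S1, S2)  ('while', inv, b, S)
def subst(P, x, e):
    """P[e/x] via the substitution lemma: P holds once x is bound to the value of e."""
    return lambda s: P({**s, x: e(s)})
def implies(P, Q): return lambda s: (not P(s)) or Q(s)
def conj(P, Q): return lambda s: P(s) and Q(s)
def neg(b): return lambda s: not b(s)

def obligations(P, S, Q):
    """Side conditions (name, predicate) whose validity makes {P} S {Q} provable."""
    kind = S[0]
    if kind == 'skip':
        return [('skip', implies(P, Q))]
    if kind == 'assign':                 # [ass] + [cons]: P => Q[e/x]
        _, x, e = S
        return [(f'assign {x}', implies(P, subst(Q, x, e)))]
    if kind == 'seq':                    # [comp] with the inline annotation {mid}
        _, S1, mid, S2 = S
        return obligations(P, S1, mid) + obligations(mid, S2, Q)
    if kind == 'if':                     # [ifp]: {b ∧ P} S1 {Q} and {¬b ∧ P} S2 {Q}
        _, b, S1, S2 = S
        return obligations(conj(b, P), S1, Q) + obligations(conj(neg(b), P), S2, Q)
    _, inv, b, body = S                  # [whilep] + [cons]: P => Inv, {b ∧ Inv} S {Inv}, ¬b ∧ Inv => Q
    return ([('loop entry', implies(P, inv))] + obligations(conj(b, inv), body, inv)
            + [('loop exit', implies(conj(neg(b), inv), Q))])

def failed(P, S, Q, domain):
    """Names of the obligations falsified by some state of a finite domain."""
    states = [dict(zip(domain, vals)) for vals in product(*domain.values())]
    return [name for name, ob in obligations(P, S, Q) if not all(map(ob, states))]

# The lecture's annotated factorial; conjunct order keeps factorial() away from x-1 < 0.
INV = lambda s: s['x'] > 0 and s['y'] * factorial(s['x']) == factorial(s['n']) and s['n'] >= s['x']
MID = lambda s: s['x'] - 1 > 0 and s['y'] * factorial(s['x'] - 1) == factorial(s['n']) and s['n'] >= s['x'] - 1
BODY = ('seq', ('assign', 'y', lambda s: s['y'] * s['x']), MID, ('assign', 'x', lambda s: s['x'] - 1))
FACT = ('seq', ('assign', 'y', lambda s: 1), lambda s: s['x'] == s['n'] and s['y'] == 1,
        ('while', INV, lambda s: s['x'] != 1, BODY))
FACT_PRE, FACT_POST = lambda s: s['x'] == s['n'], lambda s: s['n'] > 0 and s['y'] == factorial(s['n'])
FACT_DOMAIN = {'x': range(0, 7), 'y': range(0, 121), 'n': range(1, 6)}    # constructed; needs n >= 1
# Weakening x>0 to x>=0 is caught: at x=0 the body cannot re-establish the invariant.
WEAK_INV = lambda s: s['x'] >= 0 and s['y'] * factorial(s['x']) == factorial(s['n']) and s['n'] >= s['x']
FACT_WEAK = ('seq', FACT[1], FACT[2], ('while', WEAK_INV, FACT[3][2], BODY))
# Exercise 2: absolute value, if x<0 then x := -x else skip.
ABS = ('if', lambda s: s['x'] < 0, ('assign', 'x', lambda s: -s['x']), ('skip',))
ABS_PRE, ABS_POST = lambda s: s['x'] == s['v'], lambda s: s['x'] == abs(s['v'])
ABS_DOMAIN = {'x': range(-3, 4), 'v': range(-3, 4)}                        # constructed
```

Extending FACT_DOMAIN to n = 0 makes the 'loop entry' obligation fail, because x=n alone does not give the x>0 conjunct of Inv; the slides' proof silently relies on n > 0.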

32 Detailed proof of implication
{ x≠1 ∧ (x>0 ∧ y*x!=n! ∧ n≥x) }
=> relax inequality
{ x≠1 ∧ (x>0 ∧ y*x!=n! ∧ n≥(x-1)) }
=> use logical identity AB equals AB
{ x1  (x0  y*x!=n!  n(x-1)) }
=> distribute  over 
{ (x1  x0)  (x1  y*x!=n!  n(x-1)) }
=> x0 subsumes x1  x0
{ x0  (x1  y*x!=n!  n(x-1)) }
=> weaken conjunction by removing x1
{ x0  (y*x!=n!  n(x-1)) }
=> relax x0 into x1
{ x1  (y*x!=n!  n(x-1)) }
=> use logical identity AB equals AB
{ x1  (x1  y*x!=n!  n(x-1)) }
=> write x1 as x>1
{ x>1 ∧ y*x!=n! ∧ n≥(x-1) }

33 Properties of the semantics

34 Properties of the semantics
Equivalence: what is the analog of program equivalence in axiomatic verification?
Soundness: can we prove incorrect properties?
Completeness: is there something we can’t prove?

35 Proving properties of axiomatic semantics
Examples: ⊢p { P } C { true } for any P and C; ⊢p { false } C { P } for any P and C.
Proved by induction on the shape of the inference tree.

36 Provable equivalence
We say that C1 and C2 are provably equivalent if for all P and Q, ⊢p { P } C1 { Q } if and only if ⊢p { P } C2 { Q }.
Examples: S; skip and S; S1; (S2; S3) and (S1; S2); S3

37 S1; (S2; S3) is provably equivalent to (S1; S2); S3
Without consequence rule applications. Let T1, T2, T3 be the inference trees for {P} S1 {P’}, {P’} S2 {P’’} and {P’’} S3 {Q}.
Tree for S1; (S2; S3):
  T2: {P’} S2 {P’’}   T3: {P’’} S3 {Q}
  {P’} (S2; S3) {Q}
  T1: {P} S1 {P’}   {P’} (S2; S3) {Q}
  {P} S1; (S2; S3) {Q}
Tree for (S1; S2); S3:
  T1: {P} S1 {P’}   T2: {P’} S2 {P’’}
  {P} (S1; S2) {P’’}
  {P} (S1; S2) {P’’}   T3: {P’’} S3 {Q}
  {P} (S1; S2); S3 {Q}

38 Compressing chains of consequences
A chain of consequence rules can be compressed into a single application, since Pn ⇐ … ⇐ P1 and Q1 ⇐ … ⇐ Qn:
  {Pn} S {Qn}
  cons
  …
  cons
  {P1} S {Q1}
becomes
  {Pn} S {Qn}
  cons
  {P1} S {Q1}

39 S1; (S2; S3) is provably equivalent to (S1; S2); S3
Let T1, T2, T3 be the inference trees for {P3} S1 {P5}, {P5} S2 {P4} and {P2} S3 {Q1}.
Given tree for (S1; S2); S3:
  T1: {P3} S1 {P5}   T2: {P5} S2 {P4}
  seq: {P3} (S1; S2) {P4}
  cons: {P1} (S1; S2) {P2}   T3: {P2} S3 {Q1}
  seq: {P1} (S1; S2); S3 {Q1}
  cons: {P} (S1; S2); S3 {Q}
Constructed tree for S1; (S2; S3):
  T2: {P5} S2 {P4}
  cons: {P5} S2 {P2}   T3: {P2} S3 {Q1}
  seq: {P5} (S2; S3) {Q1}
  cons: {P5} (S2; S3) {Q}
  T1: {P3} S1 {P5}   {P5} (S2; S3) {Q}
  seq: {P3} S1; (S2; S3) {Q}
  cons: {P1} S1; (S2; S3) {Q}
  cons: {P} S1; (S2; S3) {Q}
The other direction is similar.

40 Valid assertions
We say that { P } C { Q } is valid if for all states σ, if σ ⊨ P and ⟨C, σ⟩ ⇒* σ’ then σ’ ⊨ Q. Denoted by ⊨p { P } C { Q }.
[Figure: the states satisfying P, their images C(P) under C, contained in the states satisfying Q]

41 Soundness and completeness
The inference system is sound: ⊢p { P } C { Q } implies ⊨p { P } C { Q }
The inference system is complete: ⊨p { P } C { Q } implies ⊢p { P } C { Q }
Is Hoare logic sound? Yes. Is Hoare logic complete? Relatively.

42 See you next time

