1
Formal Methods in software development
academic year 2016/2017, Prof. Anna Labella, 2/28/2019
2
Concurrent and sequential systems
Hoare Logic
Dealing with critical situations
Software aging
See Ben Ari; Huth & Ryan, chap. 4
3
Model Checking: automatic, model-based; verifies satisfiability of properties a posteriori; application: concurrent and reactive systems.
Hoare Logic: semiautomatic, proof-based; verifies satisfiability of properties a priori; application: sequential and transformational programs.
4
Our language
Our core language has three syntactic domains: integer expressions, boolean expressions and commands.
Arithmetical expressions   E ::= n | x | (−E) | (E + E) | (E − E) | (E ∗ E)
Propositions               B ::= true | false | (!B) | (B & B) | (B || B) | (E < E)
Commands                   C ::= x = E | C;C | if B {C} else {C} | while B {C}
5
Hoare triples
Let us define |=part (|φ|) S (|ψ|):
if s is a state verifying φ, then, by applying the instruction S to s, we obtain a state where ψ holds. φ is called the “precondition”, ψ the “postcondition”.
6
Hoare triples: examples
(| x > 0 |) S (| y.y < x |)
Many possible solutions:
7
Partial and total correctness
If the preconditions are verified (A), then, after the execution of the program (B1), the postconditions are verified (B2):
A (B1 B2)
8
Partial correctness
If the preconditions are verified (A), then, if the program terminates (B1), the postconditions are verified (B2):
A → (B1 → B2)
9
Total correctness
If the preconditions are verified (A), then the program terminates (B1) and the postconditions are verified (B2):
A → (B1 ∧ B2)   !?!?!
10
Total correctness
The only command that can be non-terminating is the while command.
11
A deductive system: tree-like proofs
12
Hoare logic (proof rules for partial correctness)

(|φ1|) C1 (|φ2|)    (|φ2|) C2 (|φ3|)
________________________ composition
(|φ1|) C1 ; C2 (|φ3|)

________________________ assignment
(|ψ[E/x]|) x = E (|ψ|)

(|φ ∧ B|) C1 (|ψ|)    (|φ ∧ ¬B|) C2 (|ψ|)
________________________ if-statement
(|φ|) if B then C1 else C2 (|ψ|)

(|ψ ∧ B|) C (|ψ|)
________________________ partial while
(|ψ|) while B do C (|ψ ∧ ¬B|)

(|φ’ → φ|)    (|φ|) C (|ψ|)    (|ψ → ψ’|)
________________________ implied
(|φ’|) C (|ψ’|)
13
Proofs as trees: they are difficult to deal with.
14
Proof tableaux
(|φ0|) C1 (|φ1|) C2 …… (|φn-1|) Cn (|φn|)
How? Reduce a program to a concatenation of steps, inserting a justification between any two of them, going backward from the postcondition to the precondition.
15
Weaker condition
φ → ψ means that φ is stronger than ψ (because φ is “not as true as” ψ).
We proceed backwards: given (|φ|) C (|ψ|), we can compute the weakest precondition wp(C, ψ) (a predicate transformer) s.t. (| wp(C, ψ) |) C (|ψ|).
Hence, to prove the triple (|φ|) C (|ψ|), we have to show φ → wp(C, ψ).
16
Semantically
We usually identify the set of states verifying a property with the property itself, and work bottom up in the verification, looking for the maximal set of states verifying the precondition in order to get the postcondition.
φ → ψ means that the set of states verifying φ is contained in the set of states verifying ψ: |φ| ⊆ |ψ|
17
Weakest precondition (inductive definition)
Hence we look for the maximal set of states s.t., starting from one of them, after doing C, we reach a state satisfying the postcondition.
wp(x = E, ψ) = ψ[E/x]
wp(C; C‘, ψ) = wp(C, wp(C‘, ψ))
wp(if B then C1 else C2, ψ) = (B → wp(C1, ψ)) ∧ (¬B → wp(C2, ψ))
wp(while B do C, ψ) = (¬B → ψ) ∧ (B → wp(C; while B do C, ψ))
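The inductive definition of wp above, together with the partial-while rule of slide 12, as an added Python example that is not part of the lecture slides: commands are encoded as nested tuples, predicates are written in Python syntax (== for equality), and the factorial loop with its invariant is a constructed example in the style of the Fac1 program, not taken from the slides.

```python
import math
import random
import re

# Commands of the slides' core language as nested tuples (constructed encoding):
#   ("assign", x, E)  ("seq", C1, C2)  ("if", B, C1, C2) -- predicates/expressions
#   are strings in Python syntax (== for equality, and/or/not for connectives).

def subst(psi, x, e):
    """psi[E/x]: replace every occurrence of variable x in psi by (E)."""
    return re.sub(rf"\b{x}\b", f"({e})", psi)

def wp(cmd, psi):
    """wp(C, psi) per the slides; if gives (B -> wp(C1)) and (not B -> wp(C2))."""
    if cmd[0] == "assign":
        return subst(psi, cmd[1], cmd[2])
    if cmd[0] == "seq":
        return wp(cmd[1], wp(cmd[2], psi))
    if cmd[0] == "if":
        _, b, c1, c2 = cmd
        return f"(not ({b}) or ({wp(c1, psi)})) and (({b}) or ({wp(c2, psi)}))"
    raise ValueError(cmd[0])

def tableau(cmd, psi):
    """Proof tableau of a straight-line command, built backward from psi."""
    if cmd[0] == "seq":
        right = tableau(cmd[2], psi)
        return tableau(cmd[1], right[0]) + right[1:]   # share the middle condition
    text = f"{cmd[1]} = {cmd[2]}" if cmd[0] == "assign" else f"if {cmd[1]} {{...}} else {{...}}"
    return [wp(cmd, psi), text, psi]

def while_vcs(b, body, inv, psi):
    """Partial-while rule with invariant inv: body preserves inv; inv and not B give psi."""
    preserve = f"not (({inv}) and ({b})) or ({wp(body, inv)})"
    exit_ok = f"not (({inv}) and not ({b})) or ({psi})"
    return preserve, exit_ok

def holds_on_random_states(pred, variables, trials=3000, seed=1):
    """Evaluate pred on random integer states: can refute a condition, never prove it."""
    rng = random.Random(seed)
    for _ in range(trials):
        state = {v: rng.randint(-6, 6) for v in variables}
        if not eval(pred, {"factorial": math.factorial}, state):
            return False
    return True

# Constructed factorial loop (assumed, in the style of the slides' Fac1):
#   y = 1; z = 0; while z != x { z = z + 1; y = y * z }   post: y == factorial(x)
FAC_BODY = ("seq", ("assign", "z", "z + 1"), ("assign", "y", "y * z"))
FAC_INV = "z >= 0 and y == factorial(z)"
```

Running `tableau` on the exercise program z = x; z = z + y; u = z reproduces the backward annotations of slides 19 to 22, and `while_vcs` with a wrong candidate invariant is refuted by `holds_on_random_states`.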
18
Exercises
19
Exercises
z = x;        assignment
z = z + y;    assignment
u = z;        assignment
(| u = x + y |)
20
Exercises
z = x;        assignment
z = z + y;    assignment
(| z = x + y |)
u = z;        assignment
(| u = x + y |)
21
Exercises (assignment)
z = x;        assignment
(| z + y = x + y |)
z = z + y;    assignment
(| z = x + y |)
u = z;        assignment
(| u = x + y |)
22
Exercises (assignment)
(| x + y = x + y |)
z = x;        assignment
(| z + y = x + y |)
z = z + y;    assignment
(| z = x + y |)
u = z;        assignment
(| u = x + y |)
24
Exercises (assignment)
25
Exercises (assignment)
The first one is immediate:
(| x = x |)
(| y = x |)
(| x = x ∧ x > 1 |)
(| x = x ∧ x > a |)
(| y = x ∧ y > a |)
(| y > 0 ∧ x > y |)
26
Exercises (assignment)
27
Exercises (assignment)
x := x + 1 ; y := x + 1
u := x + 2 ; v := y + 3 ; z := u + v
28
Exercises (assignment)
(| x + 1 + 1 = x + 2 |)
t = x + 1;
(| t + 1 = x + 2 |)
z = t + 1;
(| z = x + 2 |)
y = z;
(| y = x + 2 |)
29
Exercises (if then else)
30
Exercises (if then else)
Then branch (test x > y):        (| x > y |)  (| y = min(x, y) |)  z = y;  (| z = min(x, y) |)
Else branch (test fails):        (| ¬(x > y) |)  (| x = min(x, y) |)  z = x;  (| z = min(x, y) |)
31
Exercises (if then else)
32
Invariants (while do)
33
Example (while do)
34
Example cont’d
35
Example cont’d
36
Exercise (while do) Invariant? Total correctness?
37
Hoare triples: total correctness
Let us define |=tot (|φ|) S (|ψ|):
if s is a state verifying φ, then, by applying the instruction S to s, S terminates and we obtain a state where ψ holds. φ is called the “precondition”, ψ the “postcondition”.
38
Hoare logic: total correctness
If we want to prove total correctness, we need variants:

(|ψ ∧ B ∧ 0 ≤ E = E0|) C (|ψ ∧ 0 ≤ E < E0|)
________________________ total while
(|ψ ∧ 0 ≤ E|) while B do C (|ψ ∧ ¬B|)

Variants: E
39
Hoare triples: total correctness
Fac1
40
Hoare logic: total correctness