Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 26 Apr 2004.

Published byElla Boyle Modified over 11 years ago

Similar presentations

Presentation on theme: "Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 26 Apr 2004."— Presentation transcript:

1 Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 26 Apr 2004

2 Is this program correct? How do we know? int Find(float[] a, int m, int n, float x) { while (m < n) { int j = (m+n) / 2 ; if (a[j] < x) { m = j+ 1 ; } else if (x < a[j]) { n = j-1; } else { return j; } } return - 1 ; }

3 Making sense of programs Program semantics defines programming language – e.g., Hoare logic, Dijkstra's weakest preconditions Specifications record design decisions – bridge intent and code Tools amplify human effort – manage details – find inconsistencies – ensure quality

4 State predicates A predicate is a boolean function on the program state Examples: – x = 8 – x < y – m n (j | 0j<a.length a[j] NaN) – true – false

5 Hoare triples For any predicates P and Q and any program S, {P} S {Q} says that if S is started in (a state satisfying) P, then it terminates in Q postcondition precondition

6 Examples {true} x := 12 {x = 12 } {x < 40 } x := 12 { 10 x} {x < 40 } x := x+ 1 {x 40 } {m n} j :=(m+n)/ 2 {m j n} {0 m < n a.length a[m] = x} r := Find(a, m, n, x) {m r} {false} S {x n + y n = z n }

7 Precise triples If{P} S {Q} and {P} S {R}, then does {P} S {Q R} hold?

8 Precise triples If{P} S {Q} and {P} S {R}, then does {P} S {Q R} hold? The most precise Q such that {P} S {Q} is called the strongest postcondition of S with respect to P. yes

9 Weakest preconditions If{P} S {R} and {Q} S {R}, then {P Q} S {R} holds. The most general P such that {P} S {R} is called the weakest precondition of S with respect to R, written wp(S, R)

10 Triples and wp {P} S {Q} if and only if P wp(S, Q)

11 Program semantics skip no-op wp(skip, R) R wp(skip, x n + y n = z n ) x n + y n = z n

12 Program semantics assignment evaluate E and change value of w to E wp(w := E, R) R[w := E] wp(x := x + 1, x 10)x+1 10x < 10 wp(x := 15, x 10)15 10false wp(y := x + 3*y, x 10) x 10 wp(x,y := y,x, x < y)y < x replace w by E in R

13 Program semantics assert if P holds, do nothing, else don't terminate wp(assert P, R) P R wp(assert x < 10, 0 x)0 x < 10 wp(assert x = y*y, 0 x)x = y*y 0 xx = y*y wp(assert false, x 10)false

14 Program compositions If {P} S {Q} and {Q} T {R}, then {P} S ; T {R} If {P B} S {R} and {P B} T {R}, then {P} if B then S else T end {R}

15 wp(S;T, R) wp(S, wp(T, R)) wp(x := x+1 ; assert x y, 0 < x)wp(x := x+1, wp(assert x y, 0 < x))wp(x := x+1, 0 < x y) 0 < x+1 y0 x < y wp(y := y+1 ; x := x + 3*y, y 10 3 x)wp(y := y+1, wp(x := x+3*y, y 10 3 x))wp(y := y+1, y 10 3 x+3*y)y+1 10 3 x+3*(y+1)y < 10 3 x + 3*y + 3y < 10 0 x + 3*y Program semantics sequential composition

16 wp(if B then S else T end, R) (B wp(S, R)) (B wp(T, R)) (B wp(S, R)) (B wp(T, R)) wp(if x < y then z := y else z := x end, 0 z)(x < y wp(z := y, 0 z)) ((x < y) wp(z := x, 0 z))(x < y 0 y) (y x 0 x)0 y 0 x wp(if x10 then x := x+1 else x := x + 2 end, x 10)(x10 wp(x := x+1, x 10)) ((x10) wp(x := x+2, x 10))(x10 x+1 10) (x=10 x+2 10)(x10 x < 10) falsex < 10 Program semantics conditional composition

17 Example if (x != null) { n = x.f; } else { n = z-1; z++; } a = new char[n]; true n >= 0 z-1 >= 0 x != null && x.f >= 0 (x != null ==> x != null && x.f >= 0) && (x == null ==> z-1 >= 0)

18 A good exercise Define change w such that P by giving its weakest precondition

19 Loops To prove {P} while B do S end {Q} find invariant J and well-founded variant function vf such that: – invariant holds initially: P J – invariant is maintained: {J B} S {J} – invariant is sufficient: J B Q – variant function is bounded: J B 0 vf – variant function decreases: {J B vf=VF} S {vf<VF}

Download ppt "Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 26 Apr 2004."

Similar presentations

Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 28 Apr 2004.

Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 28 Apr 2004.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Bor-Yuh Evan Chang Daan Leijen Peter Müller David A. Naumann The Spec# programming system Mike Barnett Rob DeLine Manuel Fähndrich Bart Jacobs K. Rustan.

Bor-Yuh Evan Chang Daan Leijen Peter Müller David A. Naumann The Spec# programming system Mike Barnett Rob DeLine Manuel Fähndrich Bart Jacobs K. Rustan.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,

Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 EEF summer school on Specification,

Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 EEF summer school on Specification,
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Formal techniques for getting software right: some old ideas and some new tools Applied Formal Methods Research Group 2012-11-02 David Lightfoot:

Formal techniques for getting software right: some old ideas and some new tools Applied Formal Methods Research Group David Lightfoot:

Similar presentations

Ads by Google