
Presentation on theme: "David Evans, CS655: Programming Languages, University of Virginia Computer Science. Lecture 20: Total Correctness; Proof-Carrying Code, Code-Carrying Proof". Presentation transcript:


2 David Evans, http://www.cs.virginia.edu/~evans, CS655: Programming Languages, University of Virginia Computer Science. Lecture 20: Total Correctness; Proof-Carrying Code, Code-Carrying Proof

3 (10 April 2001, CS 655: Lecture 20) Menu: Axiomatic Semantics review and continuation; Proof-Carrying Code

4 Goal: find the weakest pre-condition P for the loop below. The body is written in the order the proof on the following slides steps through it: multiply first, then increment.
P & x0 = x
{ while n <= x do result := result * n; n := n + 1; end }
result = x0!
(Also today: elevator speech.)

5 Go backwards. The exit obligation is Inv & ~Pred => Q, here:
Inv & ~(n <= x) => result = x0!
Guess an invariant:
Inv = result = (n - 1)! & x = x0 & n <= x + 1
Check the exit obligation:
n <= x + 1 & ~(n <= x) => n = x + 1
result = ((x + 1) - 1)! => result = x!
x = x0 => result = x0!

6 Inv & Pred { Statement } Inv:
result = (n - 1)! & x = x0 & n <= x + 1 & n <= x
{ result := result * n; n := n + 1; }
result = (n - 1)! & x = x0 & n <= x + 1
Rule for sequences: from { A } s0 { B } and { B } s1 { C } conclude { A } s0 ; s1 { C }. So push the pre-condition forward through the two assignments one at a time.

7 Push: result := result * n
result0 = result & result = (n - 1)! & x = x0 & n <= x + 1 & n <= x
{ result := result * n }
B
Substitute result = result0 * n:
B = result = (n - 1)! * n & rest is the same
B = result = n! & rest is the same

8 Push: n := n + 1
n0 = n & result = n0! & x = x0 & n0 <= x + 1 & n0 <= x
{ n := n + 1 }
Q
Substitute n = n0 + 1 (n0 = n - 1):
result = (n - 1)! & x = x0 & (n - 1) <= x + 1 & (n - 1) <= x
=> result = (n - 1)! & x = x0 & n <= x + 2 & n <= x + 1
=> result = (n - 1)! & x = x0 & n <= x + 1
=> Inv
Reminder: Inv = result = (n - 1)! & x = x0 & n <= x + 1

9 Progress Checklist. The while rule needs all of:
P => Inv   (we need to pick P to make this work)
Inv { Pred } Inv   (trivial, since evaluating Pred = (n <= x) has no side effects)
Inv & Pred { Statement } Inv   (done, slides 6 to 8)
(Inv & ~Pred) => Q   (done, slide 5)
while Pred do Statement end terminates   (still to do)
and then concludes P { while Pred do Statement end } Q.

10 Find weakest pre-condition. Need to show:
P & x = x0 => result = (n - 1)! & x = x0 & n <= x + 1
Weakest: P = result = (n - 1)! & n <= x + 1
More intuitive (but stronger): P = result = 1 & n = 1 & x >= 0
=> result = 0! = (n - 1)! & n <= x + 1
=> Inv

11 What have we proved? Partial correctness of:
result = 1 & n = 1 & x >= 0 & x0 = x
{ while n <= x do result := result * n; n := n + 1; end }
result = x0!
Partial: if the loop terminates, the post-condition holds. Nothing so far says that it does.

12 Total Correctness: must show termination also.
1. Define an energy function E: state -> integer.
2. Show P => E is finite, non-negative.
3. Show Pred does not change E.
4. Show the loop body decreases E: e0 = E & Pred { Statement } E < e0.
5. Show E = 0 => ~Pred (termination).
Since E is a non-negative integer that is strictly smaller after every iteration, the loop can run at most as many times as the initial value of E.
Remind you of anything?

13 Termination Proof
1. Energy function: E = x + 1 - n
2. P => E is finite, non-negative: n = 1 & x >= 0 => E = x + 1 - 1 = x, and x >= 0, so E is finite and non-negative.
3. Pred does not change E: trivial, Pred is n <= x, which has no side effects.

14 Termination Proof, Part 2
4. Show the loop body decreases E:
e0 = x + 1 - n & n <= x & n0 = n
{ result := result * n; n := n + 1; }
x + 1 - n < e0
True: after the body n = n0 + 1, and x + 1 - (n0 + 1) < x + 1 - n0.
5. Show termination: x + 1 - n = 0 => ~(n <= x), i.e. x + 1 = n => ~(x + 1 <= x).
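The obligations collected on slides 4 to 14 can also be tested mechanically at run time. The added example below is not from the lecture: it runs the factorial loop while checking, on every iteration, each obligation of the total-correctness while rule, including the energy function. The generic checker, the state dictionary, the predicate names and the deliberately wrong invariant guess (result = n!) are this example's own constructions.

```python
"""Added example (not from the lecture): a run-time checker for the proof
obligations of the total-correctness while rule, applied to the factorial loop.
pre, inv, pred, energy and post are predicates on a state dict; body mutates it."""
from math import factorial


class ObligationFailed(AssertionError):
    """Raised with the name of the first obligation that fails."""


def run_checked_while(state, pre, inv, pred, body, energy, post):
    """Execute `while pred: body` on `state`, checking at run time:
    P => Inv;  Inv & Pred {Statement} Inv;  Inv & ~Pred => Q;
    E is a non-negative integer;  E = 0 => ~Pred;  the body strictly decreases E.
    Returns the number of iterations."""
    if not pre(state):
        raise ObligationFailed("P")
    if not inv(state):
        raise ObligationFailed("P => Inv")
    iterations = 0
    while True:
        e = energy(state)
        if not isinstance(e, int) or e < 0:
            raise ObligationFailed("E is finite, non-negative")
        if not pred(state):
            break                                   # loop exit: Inv & ~Pred holds here
        if e == 0:
            raise ObligationFailed("E = 0 => ~Pred")
        body(state)
        iterations += 1
        if not inv(state):
            raise ObligationFailed("Inv & Pred {Statement} Inv")
        if not energy(state) < e:
            raise ObligationFailed("e0 = E & Pred {Statement} E < e0")
    if not post(state):
        raise ObligationFailed("Inv & ~Pred => Q")
    return iterations


# The loop from the slides: result := result * n; n := n + 1, while n <= x.
def factorial_body(s):
    s["result"] = s["result"] * s["n"]
    s["n"] = s["n"] + 1


def lecture_inv(s):          # Inv = result = (n - 1)! & x = x0 & n <= x + 1
    return (s["result"] == factorial(s["n"] - 1) and s["x"] == s["x0"]
            and s["n"] <= s["x"] + 1)


def wrong_inv(s):            # a tempting but wrong guess: result = n!
    return s["result"] == factorial(s["n"]) and s["x"] == s["x0"]


def checked_factorial(x, inv=lecture_inv):
    """Run from P = (result = 1 & n = 1 & x >= 0 & x0 = x); returns (x!, iterations)."""
    s = {"x": x, "x0": x, "n": 1, "result": 1}
    iterations = run_checked_while(
        s,
        pre=lambda s: s["result"] == 1 and s["n"] == 1 and s["x"] >= 0 and s["x0"] == s["x"],
        inv=inv,
        pred=lambda s: s["n"] <= s["x"],
        body=factorial_body,
        energy=lambda s: s["x"] + 1 - s["n"],      # E = x + 1 - n
        post=lambda s: s["result"] == factorial(s["x0"]),
    )
    return s["result"], iterations


def first_failing_obligation(x, inv):
    """Name of the first obligation violated under this invariant guess, or None."""
    try:
        checked_factorial(x, inv)
    except ObligationFailed as err:
        return str(err)
    return None
```

A run-time check of this kind is not a proof (it only covers the inputs you run), but it is the cheapest way to test an invariant guess before investing in the proof: the wrong guess result = n! is rejected at the first iteration, where the checker reports "Inv & Pred {Statement} Inv", while the lecture's invariant passes every obligation.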

15 Proof-Carrying Code

16 PCC: Basic Idea
Creating a proof is hard: you have to make up invariants, etc.
Checking a proof is easy: simple mechanical application of rules.
So: guarantee properties of untrustworthy code by checking a proof provided by the code producer.

17 Proof-Carrying Code (diagram). Code producer: Program -> Certifying Compiler -> Native Code + Proof. Code consumer: Native Code + Proof -> Proof Checker (parameterised by the consumer's safety Policy) -> Ok -> run on the CPU.

18 Tamper with Code (diagram). A Wily Hacker replaces the Native Code with Tampered Code but leaves the Proof alone. The Proof Checker says No!: the proof is checked against the code that actually arrived, and it no longer proves the safety predicate of that code.

19 Tamper with Both (diagram). Wily P. Hacker tampers with both the code and the proof. Either the Proof Checker says No!, or it says Ok, but Ok means the desired property still holds for the tampered code. PCC certifies the policy property of whatever code arrives; it is not an integrity check on the producer's code.

20 What must the proof prove? Depends on the policy.
The code consumer must run VCGen itself: it can't trust the proof unless the proof proves the safety predicate for the code actually received.
VCGen can be developed from an operational semantics.
(Diagram: Program + Safety Policy -> VCGen -> Safety Predicate.)

21 How many PCC systems are in active use? (Poll: 2, 100, 1000, 1 million, 10 million, > 20 million.)
The Java byte code verifier is a limited implementation of PCC: bytecodes include extra information on typing, stack use, etc., and the bytecode verifier checks it to enforce low-level code safety properties. (Since Java SE 6 class files also carry StackMapTable attributes, producer-supplied type information that turns verification into checking rather than inference.)
Peter Lee claims most linkers are instances of PCC also.

22 SVML
Program ::= TypeHint* Statement*
TypeHint ::= TYPE MemoryLocation Type
Type ::= INTEGER | REF Type
Statement ::=
  STORE Expression_m Expression_v      (Expression_m must have type ref (typeof Expression_v))
  | READ Expression                    (Expression must have type ref (integer))
  | WHILE Expression_l <= Expression_r (Expression_l and Expression_r must have type integer)
  | ENDWHILE
  | HALT
  | CHECKTYPE Expression Type          (generates a run-time error if the type of Expression is not Type)
Expression ::=
  ADD Expression_1 Expression_2        (Expression_1 and Expression_2 must have type integer)
  | ADDP Expression_1 Expression_2     (Expression_1 must have type ref (T), Expression_2 must have type integer; the result has type ref (T))
  | DEREF Expression                   (Expression must have type ref (T); the result has type T)
  | IntLiteral | MemoryLocation        (a location declared TYPE M T has type ref (T))

23 An SVML Program
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M200 INT    % abbrev for 101 decls, M100 to M200 inclusive
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3] CHECKTYPE DEREF M1 REF INT
[4] READ DEREF M1
[5] STORE M1 ADDP DEREF M1 1
[6] STORE M0 ADD DEREF M0 1
[7] ENDWHILE
[8] HALT

24 VCGen for SVML
VCGen (PC) =
  if Inst[PC] = STORE Expression_m Expression_v:
    typeof (Expression_m) = ref (typeof (Expression_v)) & VCGenE (Expression_m) & VCGenE (Expression_v) & VCGen (PC + 1)
  if Inst[PC] = WHILE Expression_l <= Expression_r:
    typeof (Expression_l) = integer & typeof (Expression_r) = integer & VCGenE (Expression_l) & VCGenE (Expression_r) & VCGen (PC + 1) & VCGen ( )
  if Inst[PC] = READ Expression:
    typeof (Expression) = ref (integer) & VCGenE (Expression) & VCGen (PC + 1)
  if Inst[PC] = CHECKTYPE Expression Type:
    VCGen (PC + 1), which may assume typeof (Expression) = Type
  if Inst[PC] = ENDWHILE:
    VCGen (PC + 1)
  if Inst[PC] = HALT:
    true

25 VCGenE
VCGenE (E) =
  if E = ADD Expression_1 Expression_2:
    typeof (Expression_1) = integer & typeof (Expression_2) = integer & VCGenE (Expression_1) & VCGenE (Expression_2)
  if E = ADDP Expression_1 Expression_2:
    typeof (Expression_1) = ref (T) & typeof (Expression_2) = integer & VCGenE (Expression_1) & VCGenE (Expression_2)
  if E = DEREF Expression:
    typeof (Expression) = ref (T) & VCGenE (Expression)
  if E = IntLiteral:
    true
  if E = MemoryLocation:
    true

26 VCGen for Program: the safety predicate is VCGen (0) for the SVML program of slide 23.

27 Constructing a Proof
A = type environment = [ M0: ref (integer), M1: ref (ref (integer)), M100-M200: ref (integer) ]
Axioms are typing judgments (your PS2 solution).
We need to show: A proves VCGen (0).
Type bindings given by CHECKTYPE Expression Type are true until a later STORE Expression_x Expression_v or READ Expression_x that may overwrite the checked value, i.e. where typeof (Expression_x) = ref (Type).

28 So Far
It is about as easy to generate these proofs as to check them, so there is no need to pass a proof around with the code.
Except: the type hints really are a proof!
CHECKTYPE is expensive; an optimizing compiler should be able to remove it for this program.
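The VCGen of slides 24 and 25, run against the type environment of slide 27, as an added example in Python. This code is not from the lecture; the page gives no SVML implementation, so the parser, the tuple representation of types and expressions, and the conservative handling of CHECKTYPE facts (dropped at loop boundaries and at any STORE or READ that could overwrite a value of the checked type) are this example's own choices. The tampered programs are constructed inputs that play the Wily Hacker of slides 18 and 19: one edit to the code alone is rejected, one edit to code and hints together is accepted (and is still type-safe, which is all the checker promises), and the CHECKTYPE-free program with one iteration too many shows what a type-only safety predicate cannot see.

```python
"""Added example (not the lecture's code): a VCGen for the SVML fragment on the
slides.  Types are "int" or ("ref", T); the environment A comes from the TYPE
hints.  vcgen() returns the typing obligations that fail ([] = safe).  CHECKTYPE
facts live in `assumed` and are dropped at loop boundaries and at any STORE/READ
that could overwrite a value of the checked type (this example's conservative choice)."""
import re

INT = "int"


def ref(t):
    return ("ref", t)


def parse_type(toks):  # REF REF INT -> ('ref', ('ref', 'int'))
    if toks[0] not in ("INT", "INTEGER", "REF"):
        raise SyntaxError(f"bad type {' '.join(toks)}")
    return INT if toks[0] != "REF" else ref(parse_type(toks[1:]))


def parse_expr(toks, i):  # prefix form; returns (expr, index of the next token)
    t = toks[i]
    if t in ("ADD", "ADDP", "DEREF"):
        args, i = [], i + 1
        for _ in range(1 if t == "DEREF" else 2):
            a, i = parse_expr(toks, i)
            args.append(a)
        return (t.lower(), *args), i
    if re.fullmatch(r"M\d+", t):
        return ("loc", t), i + 1
    if re.fullmatch(r"-?\d+", t):
        return ("int", int(t)), i + 1
    raise SyntaxError(f"bad expression token {t!r}")


def parse_program(text):  # -> (env: location -> declared content type, instrs)
    env, instrs = {}, []
    for line in text.strip().splitlines():
        toks = line.split("%")[0].split()                               # drop % comments
        toks = toks[1:] if toks and toks[0].startswith("[") else toks  # and [labels]
        if toks and toks[0] == "TYPE":                                  # Mlo-Mhi is inclusive
            lo, hi = re.fullmatch(r"M(\d+)(?:-M(\d+))?", toks[1]).groups()
            for n in range(int(lo), int(hi or lo) + 1):
                env[f"M{n}"] = parse_type(toks[2:])
        elif toks:
            instrs.append(toks)
    return env, instrs


def typeof(e, env, assumed):  # VCGenE: static type of e, or TypeError naming the obligation
    if e in assumed:                                   # fact established by CHECKTYPE
        return assumed[e]
    k = e[0]
    if k == "int":
        return INT
    if k == "loc":
        if e[1] not in env:
            raise TypeError(f"{e[1]} has no type hint")
        return ref(env[e[1]])
    if k == "add":
        if any(typeof(s, env, assumed) != INT for s in e[1:]):
            raise TypeError("ADD operands must have type integer")
        return INT
    t1 = typeof(e[1], env, assumed)                    # ADDP or DEREF
    if t1 == INT:
        raise TypeError(f"{k.upper()} operand must have type ref (T)")
    if k == "deref":
        return t1[1]
    if typeof(e[2], env, assumed) != INT:
        raise TypeError("ADDP offset must have type integer")
    return t1                                          # still ref (T): no bounds are tracked


def vcgen(text):  # failed obligations of VCGen (0); [] means the program is safe
    env, instrs = parse_program(text)
    assumed, failures = {}, []
    for pc, toks in enumerate(instrs):
        op, ty = toks[0], lambda e: typeof(e, env, assumed)
        try:
            if op == "STORE":
                m, i = parse_expr(toks, 1)
                tv = ty(parse_expr(toks, i)[0])
                if ty(m) != ref(tv):
                    raise TypeError("STORE target must have type ref (typeof value)")
                assumed = {x: t for x, t in assumed.items() if t != tv}
            elif op == "READ":
                if ty(parse_expr(toks, 1)[0]) != ref(INT):
                    raise TypeError("READ target must have type ref (integer)")
                assumed = {x: t for x, t in assumed.items() if t != INT}
            elif op == "WHILE":
                l, i = parse_expr(toks, 1)
                if toks[i] != "<=" or INT != ty(l) or INT != ty(parse_expr(toks, i + 1)[0]):
                    raise TypeError("WHILE needs <= between two integer expressions")
                assumed = {}                           # the body may run zero or many times
            elif op == "CHECKTYPE":
                e, i = parse_expr(toks, 1)
                assumed[e] = parse_type(toks[i:])
            elif op == "ENDWHILE":
                assumed = {}
            elif op == "HALT":
                break
            else:
                raise SyntaxError(f"unknown instruction {op}")
        except (TypeError, SyntaxError) as err:
            failures.append(f"[{pc}] {' '.join(toks)}: {err}")
    return failures


LECTURE_PROGRAM = """
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M200 INT
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3] CHECKTYPE DEREF M1 REF INT
[4] READ DEREF M1
[5] STORE M1 ADDP DEREF M1 1
[6] STORE M0 ADD DEREF M0 1
[7] ENDWHILE
[8] HALT
"""
# Wily Hacker edits only the code: READ an integer into M1, which holds a pointer.
TAMPERED_CODE = LECTURE_PROGRAM.replace("[4] READ DEREF M1", "[4] READ M1")
# Edits code and "proof" (the hints): M1 now starts at M0 and the M100-M200 hint is gone.
# Still accepted, and rightly: every access is well typed or is stopped at run time by
# the CHECKTYPE at [3] (on the second iteration M1 holds the address of M1 itself).
TAMPERED_BOTH = (LECTURE_PROGRAM.replace("[1] STORE M1 M100", "[1] STORE M1 M0")
                 .replace("[T2] TYPE M100-M200 INT\n", ""))
# The CHECKTYPE-free program with one iteration too many: the last READ hits M200,
# which has no hint, yet type-only VCGen accepts it because ADDP keeps ref (T).
OVERRUN = (LECTURE_PROGRAM.replace("[3] CHECKTYPE DEREF M1 REF INT\n", "")
           .replace("M100-M200", "M100-M199").replace("<= 99", "<= 100"))
```

Running vcgen on the four programs gives [] for the lecture program, a single failure at [4] for TAMPERED_CODE, and [] for both TAMPERED_BOTH and OVERRUN. The last result is the point of the next slides: once CHECKTYPE is gone, the typing rules alone never relate the pointer in M1 to the declared range, so the consumer needs a loop invariant to discharge [3].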

29 An SVML Program (without the CHECKTYPE)
[T0] TYPE M0 INT
[T1] TYPE M1 REF INT
[T2] TYPE M100-M199 INT    % abbrev for 100 decls, M100 to M199 inclusive
[0] STORE M0 0
[1] STORE M1 M100
[2] WHILE DEREF M0 <= 99
[3] READ DEREF M1
[4] STORE M1 ADDP DEREF M1 1
[5] STORE M0 ADD DEREF M0 1
[6] ENDWHILE
[7] HALT
Need a loop invariant: without the CHECKTYPE, nothing in VCGen shows that [3] reads a location declared INT.

30 Requirements for Invariant
Strong enough to prove: Inv & Pred => VCGen ([3] READ DEREF M1), i.e.
Inv & (DEREF M0 <= 99) => typeof (DEREF M1) = ref (integer)
Weak enough to prove: TypeHints + [0] STORE M0 0 + [1] STORE M1 M100 => Inv
Weak and strong enough to prove the WHILE loop axioms:
Inv & (DEREF M0 <= 99)
{ [3] READ DEREF M1  [4] STORE M1 ADDP DEREF M1 1  [5] STORE M0 ADD DEREF M0 1 }
Inv

31 Loop Invariant
Inv = DEREF M1 = ADDP M100 (DEREF M0) & DEREF M0 >= 0
(M1 points at location M(100 + DEREF M0).) With the guard DEREF M0 <= 99 this puts DEREF M1 in M100..M199, all declared INT, so [3] is safe; [4] and [5] advance the pointer and the counter together, so Inv is preserved; [0] and [1] establish it with DEREF M0 = 0.
This is the "proof" attached to the code. Once you have it, checking is easy!

32 PCC Summary
Code producer provides a checkable proof of the desired property.
Code consumer verifies the proof. It can use the invariants, type hints, etc. supplied with the code, but must not assume they are true: they only help direct the checker to construct a proof quickly.
Enables optimizations not possible without the proof (e.g. removing the CHECKTYPE).
Enables guarantees not possible without the proof (lack of run-time errors).

33 Charge
Thursday: my INFOSEC PCC talk; elevator speeches; intro to concurrency.
PS4: some things are more "optional" than others; this is really optional, but strongly recommended.
Projects: progress email by tonight. Meet with me if you aren't making good progress, you aren't sure what to do, or your project has changed substantially.

