Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Published byLucas Nicholson Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University."— Presentation transcript:

1 Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University

2 Syllabus Semantics Natural Semantics Structural semantics Axiomatic Verification Static Analysis Automating Hoare Logic Abstract Interpretation fundamentals Lattices Galois Connections Fixed-Points Widening/ Narrowing Domain constructors Interprocedural Analysis Analysis Techniques Numerical Domains CEGARAlias analysis Shape Analysis Crafting your own Soot From proofs to abstractions Systematically developing transformers 2

3 Previously Basic notions of correctness Formalizing Hoare triples FO logic – Free variables – Substitutions Hoare logic rules 3

4 States and predicates  – program states  – undefined A state predicate P is a (possibly infinite) set of states   P – P holds in state  4 P  

5 Formalizing Hoare triples { P } C { Q } –  ,  ’  . (   P   C,    ’)   ’  Q alternatively –    . (   P  S ns  C    )  S ns  C    Q – Convention:   P for all P    .   P  S ns  C    Q 5 P C(P)C(P) Q  ’’ C S ns  C   =  ’if  C,    ’  else

6 An assertion language 6 a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 A ::= true | false | a 1 = a 2 | a 1  a 2 |  A | A 1  A 2 | A 1  A 2 | A 1  A 2 |  z. A |  z. A Either a program variables or a logical variable

7 Free/bound variables A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free –  i. k=i  m – (i+100  77)  i. j+1=i+3) FV(A)  the free variables of A Defined inductively on the abstract syntax tree of A 7

8 Free variables 8 FV ( n )  {} FV ( x )  {x} FV ( a 1 + a 2 )  FV ( a 1  a 2 )  FV ( a 1 - a 2 )  FV ( a 1 )  FV ( a 2 ) FV ( true )  FV ( false )  {} FV ( a 1 = a 2 )  FV ( a 1  a 2 )  FV ( a 1 )  FV ( a 2 ) FV (  A )  FV ( A ) FV ( A 1  A 2 )  FV ( A 1  A 2 )  FV ( A 1  A 2 )  FV ( a 1 )  FV ( a 2 ) FV (  z. A )  FV (  z. A )  FV ( A ) \ { z }

9 Substitution An expression t is pure (a term) if it does not contain quantifiers A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t A   i. k=i  m A[5/k] = …? A[5/i] = …? 9 What if t is not pure?

10 Calculating substitutions 10 n[t/z] = n x[t/z] = x x[t/x] = t (a 1 + a 2 )[t/z]= a 1 [t/z] + a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (a 1 - a 2 )[t/z]= a 1 [t/z] - a 2 [t/z]

11 Calculating substitutions 11 true[t/x] = true false[t/x] = false (a 1 = a 2 )[t/z]= a 1 [t/z] = a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (  A)[t/z]=  (A[t/z]) (A 1  A 2 )[t/z]= A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y]

12 Today The rules Inference system Annotating programs with proofs Properties of the semantics Weakest precondition calculus 12

13 FO Logic reminder We write A  B if for all states  if   A then   B – {  |   A }  {  |   B } – For every predicate A: false  A  true We write A  B if A  B and B  A – false  5=7 In writing Hoare-style proofs, we will often replace a predicate A with A’ such that A  A’ and A’ is “simpler” 13

14 14 the rules six are completely enough

15 Axiomatic semantics for While 15 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Notice similarity to natural semantics rules What’s different about this rule?

16 Assignment rule A “backwards” rule x := a always finishes Why is this true? – Recall operational semantics: Example: {y*z<9} x:=y*z {x<9} What about {y*z<9  w=5} x:=y*z {w=5} ? 16  x := a,    [x  A  a   ] [ass ns ]  [x  A  a   ]  P

17 skip rule 17  skip,    [skip ns ]

18 Composition rule Holds when S 1 terminates in every state where P holds and then Q holds and S 2 terminates in every state where Q holds and then R holds 18  S 1,    ’,  S 2,  ’    ’’  S 1 ; S 2,    ’’ [comp ns ]

19 Condition rule 19  S 1,    ’  if b then S 1 else S 2,    ’ if B  b   = tt [if tt ns ]  S 2,    ’  if b then S 1 else S 2,    ’ if B  b   = ff [if ff ns ]

20 Loop rule Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs When loop finishes, b is false 20  while b do S,    if B  b   = ff [while ff ns ]  S,    ’,  while b do S,  ’    ’’  while b do S,    ’’ if B  b   = tt [while tt ns ]

21 Rule of consequence Allows strengthening the precondition and weakening the postcondition The only rule that is not related to a statement 21

22 Rule of consequence 22 Why do we need it? Allows the following {y*z<9} x:=y*z {x<9} {y*z<9  w=5} x:=y*z {x<10}

23 Axiomatic semantics as an inference system 23

24 Inference trees Similar to derivation trees of natural semantics Leaves are …? Internal nodes correspond to …? 24

25 Inference trees Similar to derivation trees of natural semantics Leaves are …? Internal nodes correspond to …? Inference tree is called – Simple if tree is only an axiom – Composite otherwise 25

26 Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } – Are inference trees unique? {true} x:=1; x:=x+5 {x  0} Proofs of properties of axiomatic semantics use induction on the shape of the inference tree – Example: prove  p { P } C { true } for any P and C 26

27 Factorial proof inference tree 27 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W { x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } will show later

28 Annotating programs with proofs 28

29 Annotated programs A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code”proof carrying code – Going from annotated program to proof tree is a linear time translation 29

30 Annotating composition We can inline inference trees into programs Using proof equivalence of S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 instead writing deep trees, e.g., 30 {P} (S 1 ; S 2 ); (S 3 ; S 4 ) {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} (S 3 ; S 4 ) {Q} {P} S 1 {P’} {P’} S 2 {P’’}{P’’} S 3 {P’’’} {P’’’} S 4 {P’’} We can annotate a composition S 1 ; S 2 ;…; S n by {P 1 } S 1 {P 2 } S 2 … {P n-1 } S n-1 {P n }

31 Annotating conditions 31 { P } if b then { b  P } S 1 else {  b  P } S 2 { Q }

32 Annotating conditions 32 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q } Usually Q is the result of using the consequence rule, so a more explicit annotation adds the postcondition of each branch

33 Annotating loops 33 { P } while b do { b  P } S {  b  P }

34 Annotating loops 34 { P } while b do { b  P } S { P’ } {  b  P } { Q } P’ implies P  b  P implies Q

35 Annotating loops 35 { P } while b do { b  P } S {  b  P } Source of confusion

36 Annotating loops – alternative 1 36 while { P } b do { b  P } S {  b  P }

37 Annotating loops – alternative 2 37 Inv = { P } while b do { b  P } S {  b  P } We will take this alternative in our examples and homework assignments

38 Annotating formula transformations We often rewrite formulas – To make proofs more readable – Using logical identities – Import theorems 38 {  } {  ’ } // transformation 1 {  ’’ } // transformation 2

39 Annotated programs: factorial 39 { x=n } y := 1; Inv = { x>0  y*x!=n!  n  x } while  (x=1) do { x-1>0  (y*x)*(x-1)!=n!  n  (x-1) } y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { y*x!=n!  n>0 } Contrast with proof via natural semantics Where did the inductive argument over loop iterations go?

40 Detailed proof steps 40 { x=n } y := 1; { x=n  y=1 } Inv = { x>0  y*x!=n!  n  x } while  (x=1) do { x  1  (x>0  y*x!=n!  n  x) } { x  1  (x>0  (y*x)*(x-1)!=n!  n  x) } // Factorial { x  1  (x>0  (y*x)*(x-1)!=n!  n  (x-1) } // Cons { x-1>0  (y*x)*(x-1)!=n!  n  (x-1) } // Cons y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { x>0  y*x!=n!  n  x } { y*x!=n!  n>0 }

41 Properties of the semantics 41

42 Properties of the semantics Equivalence – What is the analog of program equivalence in axiomatic verification? 42 By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons Soundness – Can we prove incorrect properties? Completeness – Is there something we can’t prove?

43 Provable equivalence We say that C 1 and C 2 are provably equivalent if for all P and Q  p { P } C 1 { Q } if and only if  p { P } C 2 { Q } Examples: – S; skip and S – S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 43

44 S 1 ; (S 2 ; S 3 ) is provably equivalent to (S 1 ; S 2 ); S 3 44 {P} S 1 ; (S 2 ; S 3 ) {Q} {P} S 1 {P’} {P’} (S 2 ; S 3 ) {Q} {P’} S 2 {P’’} {P’’} S 3 {Q} {P} (S 1 ; S 2 ); S 3 {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} S 3 {Q} {P} S 1 {P’} {P’} S 2 {P’’}

45 Valid assertions We say that { P } C { Q } is valid if for all states , if   P and  C,    ’ then  ’  Q Denoted by  p { P } C { Q } 45 P C(P)C(P) Q  ’’ C

46 Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } 46 By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

47 Weakest precondition calculus 47

48 From inference to calculus A Hoare-style proof is declarative – You can check that a proof is correct Is there a more operative approach to producing proofs? – Weakest precondition calculus – Strongest postcondition calculus WP/SP provide limits for Hoare triples WP helps prove that Hoare logic is relatively complete 48

49 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is   wlp(C, Q) if and only if for all states  ’ if  C,    ’ then  ’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 49

50 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is   wlp(C, Q) if and only if for all states  ’ if  C,    ’ then  ’  Q 50 P C(P)C(P) Q C wlp(C, Q) C(wlp(C, Q))

51 Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is  ’  sp(P, C) if and only if there exists  such that   P and  C,    ’ Propositions: 1.  p { P } C { sp(P, C) } 2.If  p { P } C { Q } then sp(P, C)  Q 51

52 Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 52

53 Is Hoare logic complete? Extensional approach: yes Proving  p { P } C { Q } implies  p { P } C { Q } boils down to proving  p { wlp(C, Q) } C { Q } See proof in book 53

54 Is Hoare logic complete? Intentional approach: no Only as complete as the logic of assertions Requires that we are able to prove the validity of assertions that occur in the rule of consequence Relative completeness of Hoare logic (Cook 1974) 54

55 Calculating Weakest preconditions 55

56 Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 56

57 Calculating wlp of a loop 57 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant

58 Write a specification 58 { ? } while (timer > 0) do timer := timer – 1 { ? } “The program should count to zero”

59 Prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equal to (timer>0  wlp(timer:=timer-1, timer  0))  (timer  0  timer=0) = (timer>0  (timer  0)[timer-1/timer])  (timer  0  timer=0) = (timer>0  timer-1  0)  (timer  0  timer=0) = timer>0  timer=0 = timer  0 59 { timer  0 } while (timer > 0) do timer := timer – 1 { timer = 0 }

60 Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) Also, a few more rules will be helpful 60

61 Making the proof system more practical 61

62 Conjunction rule 62 Not necessary (for completeness) but practically useful Starting point of extending Hoare logic to handle parallelism Related to Cartesian abstraction – Will point this out when we learn it

63 More rules exist 63 { P } C { Q } { P’ } C { Q’ } { P  P’ } C {Q  Q’ } [disj p ] { P } C { Q } {  v. P } C {  v. Q } [exist p ] v  FV( C) { P } C { Q } {  v. P } C {  v. Q } [univ p ] v  FV(C ) { F } C { F } Mod(C)  FV(F)={} [Inv p ] Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F Breaks if C is non- deterministic

64 Invariance + Conjunction = Constancy 64 Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F { P } C { Q } { F  P } C { F  Q } [constancy p ] Mod(C)  FV(F)={}

65 Next lecture: axiomatic semantics part 3

Download ppt "Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
Programming Language Semantics Axiomatic Semantics Chapter 6.

Programming Language Semantics Axiomatic Semantics Chapter 6.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Similar presentations

Ads by Google