Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification 0368-4479

Published byClaud Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification 0368-4479"— Presentation transcript:

1 Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 5: Aximatic Semantics Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2 Good manners Mobiles 2

3 Home Work Assignment #1 In the following, we refer to the “Semantics with Application” book as “the book”. The book can be found here: http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html. http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html. 1.Solve Ex 2.8 and 2.18 in the book. 2.In the previous question, you were asked to extend the While language with a new construct (a for loop). Extend the proof of theorem 2.26 in the book (semantic equivalence) to handle for commands. 3.Solve Ex 2.34 in the book. 4.Read Section 2.5 in the book and solve Ex 2.45. 5.Prove or disprove: The denotational semantics of any statement in the While language shown in the lectures is a monotone and continuous function. 6.Define a denotational semantics for the the While language extended with the random command. (The extension is described in Question 3). 3

4 Denotational Sematnics Added examples Equivalences of operational and denotational semantics Complete lattices Tarski-Kantor Fixed-point theorem 4

5 Axiomatic Semantics C.A.R. Hoare Robert Floyd Edsger W. Dijkstra 5

6 Proving program correctness Why prove correctness? What is correctness? How? – Reasoning at the operational semantics level Tedious Error prone – Formal reasoning using “axiomatic” semantics Syntactic technique (“game of tokens”) Mechanically checkable – Sometimes automatically derivable 6

7 A simple imperative language: While Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S 7

8 Program correctness concepts Property = a certain relationship between initial state and final state Partial correctness = properties that hold if program terminates Termination = program always terminates – i.e., for every input state 8 partial correctness + termination = total correctness Other correctness concepts exist: resource usage, linearizability, … Mostly focus in this course Other notions of properties exist

9 Factorial example Factorial partial correctness property = – if the statement terminates then the final value of y will be the factorial of the initial value of x What if s x < 0? Formally, using natural semantics:  S fac, s   s’ implies s’ y = (s x )! 9 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

10 Natural semantics for While 10  x := a, s   s[x  A  a  s] [ass ns ]  skip, s   s [skip ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

11 Staged proof 11

12 First stage 12

13 Second stage 13

14  while  (x=1) do (y := y*x; x := x–1), s   s’ 14

15 Third stage 15

16 How easy was that? Proof is very laborious – Need to connect all transitions and argues about relationships between their states – Reason: too closely connected to semantics of programming language Is the proof correct? How did we know to find this proof? – Is there a methodology? 16

17 Axiomatic verification approach What do we need in order to prove that the program does what it supposed to do? 17 Specify the required behavior Compare the behavior with the one obtained by the operational semantics Develop a proof system for showing that the program satisfies a requirement Mechanically use the proof system to show correctness The meaning of a program is a set of verification rules

18 Assertions, a.k.a Hoare triples P and Q are state predicates – Example: x >0 If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts C is not required to always terminate {true} while true do skip {false} 18 { P } C { Q } precondition postcondition statement a.k.a command

19 Total correctness assertions If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 19 [ P ] C [ Q ]

20 Factorial example 20 { ? } y := 1; while  (x=1) do (y := y*x; x := x–1) { ? }

21 First attempt 21 { x >0 } y := 1; while  (x=1) do (y := y*x; x := x–1) { y = x ! } Holds only for value of x at state after execution finishes We need a way to “remember” value of x before execution

22 Fixed assertion 22 { x =n } y := 1; while  (x=1) do (y := y*x; x := x–1) { y =n!  n>0 } A logical variable, must not appear in statement - immutable

23 The proof outline 23 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0  x =1 }

24 Factorial example Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x – What if s x < 0? Formally, using natural semantics:  S fac, s   s’ implies s’ y = (s x )! 24 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

25 Staged proof 25

26 Stages 26 y := 1; while  (x=1) do (y := y*x; x := x–1) ss’s’ s’ y = (s x)!  s x > 0 while  (x=1) do (y := y*x; x := x–1) y := y*x; x := x–1 ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s x > 0 ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0

27 Inductive proof over iterations 27 while  (x=1) do (y := y*x; x := x–1) (y := y*x; x := x–1) while  (x=1) do (y := y*x; x := x–1) ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0 s s’s’ s’s’ s’’ s’ y  (s’ x)! = s’’ y  (s’’ x)!  s’’x = 1  s’ x > 0 s y  (s x)! = s’ y  (s’ x)!  s x > 0

28 Assertions, a.k.a Hoare triples P and Q are state predicates – Example: x >0 If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts C is not required to always terminate {true} while true do skip {false} 28 { P } C { Q }

29 Total correctness assertions If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 29 [ P ] C [ Q ]

30 Factorial assertion 30 { x =n } y := 1; while  (x=1) do (y := y*x; x := x–1) { y =n!  n>0 } A logical variable, must not appear in statement - immutable

31 Factorial partial correctness proof 31 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0  x =1 }

32 P Formalizing partial correctness s  P – P holds in state s  – program states  – undefined 32 S ns  C  s = s’if  C, s   s’  else s 

33 Formalizing partial correctness s  P – P holds in state s  – program states  – undefined { P } C { Q } –  s, s’  . (s  P   C, s   s’)  s’  Q alternatively –  s  . (s  P  S ns  C  s  )  S ns  C   Q – Convention:   P for all P  s  . s  P  S ns  C  s  Q 33 P C(P)C(P) Q s s’ C Why did we choose natural semantics?

34 Formalizing partial correctness s  P – P holds in state s  – program states  – undefined { P } C { Q } –  s, s’  . (s  P   C, s   *s’)  s’  Q alternatively –  s  . (s  P  S sos  C  s  )  S sos  C   Q – Convention:   P for all P  s  . s  P  S sos  C  s  Q 34 P C(P)C(P) Q s s’ C

35 How do we express predicates? Extensional approach – Abstract mathematical functions P : State  T Intensional approach – Via language of formulae 35

36 An assertion language Bexp is not expressive enough to express predicates needed for many proofs – Extend Bexp Allow quantifications –  z. … –  z. …  z. z = k  n Import well known mathematical concepts – n!  n  (n-1)   2  1 36

37 An assertion language 37 a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 A ::= true | false | a 1 = a 2 | a 1  a 2 |  A | A 1  A 2 | A 1  A 2 | A 1  A 2 |  z. A |  z. A Either a program variables or a logical variable

38 First Order Logic Reminder 38

39 Free/bound variables A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free –  i. k=i  m – (i+100  77)  i. j+1=i+3) FV(A)  the free variables of A Defined inductively on the abstract syntax tree of A 39

40 Free variables 40 FV ( n )  {} FV ( x )  {x} FV ( a 1 + a 2 )  FV ( a 1  a 2 )  FV ( a 1 - a 2 )  FV ( a 1 )  FV ( a 2 ) FV ( true )  FV ( false )  {} FV ( a 1 = a 2 )  FV ( a 1  a 2 )  FV ( a 1 )  FV ( a 2 ) FV (  A )  FV ( A ) FV ( A 1  A 2 )  FV ( A 1  A 2 )  FV ( A 1  A 2 ) FV (  z. A )  FV (  z. A )  FV ( A ) \ { z }

41 Substitution An expression t is pure (a term) if it does not contain quantifiers A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t A   i. k=i  m A[5/k] = A[5/i] = 41 What if t is not pure?

42 Calculating substitutions 42 n[t/z] = n x[t/z] = x x[t/x] = t (a 1 + a 2 )[t/z]= a 1 [t/z] + a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (a 1 - a 2 )[t/z]= a 1 [t/z] - a 2 [t/z]

43 Calculating substitutions 43 true[t/x] = true false[t/x] = false (a 1 = a 2 )[t/z]= a 1 [t/z] = a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (  A)[t/z]=  (A[t/z]) (A 1  A 2 )[t/z]= A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y]

44 Proof Rules 44

45 Axiomatic semantics for While 45 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Notice similarity to natural semantics rules

46 Assignment rule A “backwards” rule x := a always finishes Why is this true? – Recall operational semantics: Example: {y*z<9} x:=y*z {x<9} What about {y*z<9  w=5} x:=y*z {w=5} ? 46  x := a, s   s[x  A  a  s] [ass ns ] s[x  A  a  s]  P

47 skip rule 47  skip, s   s [skip ns ]

48 Composition rule Holds when S 1 terminates in every state where P holds and then Q holds and S 2 terminates in every state where Q holds and then R holds 48  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]

49 Condition rule 49  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]

50 Loop rule Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs When loop finishes, b is false 50  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

51 Rule of consequence Allows strengthening the precondition and weakening the postcondition The only rule that is not sensitive to the form of the statement 51

52 Rule of consequence 52 Why do we need it? Allows the following {y*z<9} x:=y*z {x<9} {y*z<9  w=5} x:=y*z {x<10}

53 Inference trees Similar to derivation trees of natural semantics Leaves are … Internal nodes correspond to … Inference tree is called – Simple if tree is only an axiom – Composite otherwise 53

54 Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } – Are inference trees unique? {true} x:=1; x:=x+5 {x  0} Proofs of properties of axiomatic semantics use induction on the shape of the inference tree – Example: prove  p { P } C { true } for any P and C 54

55 Factorial proof 55 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 }

56 Annotated programs A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code”proof carrying code – Going from annotated program to proof tree is a linear time translation 56

57 Annotating composition We can inline inference trees into programs Using proof equivalence of S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 instead writing deep trees, e.g., 57 {P} (S 1 ; S 2 ); (S 3 ; S 4 ) {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} (S 3 ; S 4 ) {Q} {P} S 1 {P’} {P’} S 2 {P’’}{P’’} S 3 {P’’’} {P’’’} S 4 {P’’} We can annotate a composition S 1 ; S 2 ;…; S n by {P 1 } S 1 {P 2 } S 2 … {P n-1 } S n-1 {P n }

58 Annotating conditions 58 { P } if b then { b  P } S 1 else S 2 { Q }

59 Annotating conditions 59 { P } if b then { b  P } S 1 { Q 1 } else S 2 { Q 2 } { Q } Usually Q is the result of using the consequence rule, so a more explicit annotation is

60 Annotating loops 60 { P } while b do { b  P } S {  b  P }

61 Annotating loops 61 { P } while b do { b  P } S { P’ } {  b  P } { Q } P’ implies P  b  P implies Q

62 Annotated factorial program 62 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0 } Contrast with proof via natural semantics Where did the inductive argument over loop iterations go?

63 Properties of the semantics Equivalence – What is the analog of program equivalence in axiomatic verification? 63 Soundness – Can we prove incorrect properties? Completeness – Is there something we can’t prove?

64 Provable equivalence We say that C 1 and C 2 are provably equivalent if for all P and Q  p { P } C 1 { Q } if and only if  p { P } C 2 { Q } Examples: – S; skip and S – S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 64

65 S 1 ; (S 2 ; S 3 ) is provably equivalent to (S 1 ; S 2 ); S 3 65 {P} S 1 ; (S 2 ; S 3 ) {Q} {P} S 1 {P’} {P’} (S 2 ; S 3 ) {Q} {P’} S 2 {P’’} {P’’} S 3 {Q} {P} (S 1 ; S 2 ); S 3 {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} S 3 {Q} {P} S 1 {P’} {P’} S 2 {P’’}

66 Valid assertions We say that { P } C { Q } is valid if for all states s, if s  P and  C, s   s’ then s’  Q Denoted by  p { P } C { Q } 66 P C(P)C(P) Q s s’ C

67 Logical implication and equivalence We write A  B if for all states s if s  A then s  B – {s | s  A }  {s | s  B } – For every predicate A: false  A  true We write A  B if A  B and B  A – false  5=7 In writing Hoare-style proofs, we will often replace a predicate A with A’ such that A  A’ and A’ is “simpler” 67

68 Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } 68

69 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is s  wlp(C, Q) if and only if for all states s’ if  C, s   s’ then s’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 69

70 Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is s’  sp(P, C) if and only if there exists s such that if  C, s   s’ and s  P 1.  p { P } C { sp(P, C) } 2.If  p { P } C { Q } then sp(P, C)  Q 70

71 Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 71

72 Hoare logic is (relatively) complete Proving  p { P } C { Q } implies  p { P } C { Q } is the same as proving  p { wlp(C, Q) } C { Q } Suppose that  p { P } C { Q } then (from proposition 2) P  { wlp(C, Q) } 72 { P } S { Q } { wlp(C, Q) } S { Q } [cons p ]

73 Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 73

74 Calculating wlp of a loop 74 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant

75 Prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equal to (timer>0  wlp(timer:=timer-1, timer  0))  (timer  0  timer=0) = (timer>0  (timer  0)[timer-1/timer])  (timer  0  timer=0) = (timer>0  timer-1  0)  (timer  0  timer=0) = timer>0  timer=0 = timer  0 75 { timer  0 } while (timer > 0) do timer := timer – 1 { timer = 0 }

76 Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) Also, a few more rules will be helpful 76

77 Conjunction rule 77 Not necessary (for completeness) but practically useful Starting point of extending Hoare logic to handle parallelism Related to Cartesian abstraction – Will point this out when we learn it

78 Structural Rules 78 { P } C { Q } { P’ } C { Q’ } { P  P’ } C {Q  Q’ } [disj p ] { P } C { Q } {  v. P } C {  v. Q } [exist p ] v  FV( C) { P } C { Q } {  v. P } C {  v. Q } [univ p ] v  FV(C ) { F } C { F } Mod(C)  FV(F)={} [Inv p ] Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F

79 Invariance + Conjunction = Constancy 79 Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F { P } C { Q } { F  P } C { F  Q } [constancy p ] Mod(C)  FV(F)={}

80 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 80 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

81 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=y} x:=y+1 {x=y+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 81 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

82 Buggy sum program 82 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

83 Sum program Define Sum(0, n) = 0+1+…+n 83 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x)  x  y } { y  0  res=m  x=n  n  y  m=Sum(0, n) } while (x<y) do { y  0  res=m  x=n  m=Sum(0, n)  x<y  n<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n)  n<y } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n)  n<y } { y  0  res-x=Sum(0, x-1)  x-1<y } { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x  y  x  y } { y  0  res=Sum(0, y)  x=y } { res = Sum(0, y) } { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } Background axiom

84 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 84 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

85 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 {  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 85 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

86 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 86 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

87 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 87 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

88 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 88 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

89 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 89 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

90 Buggy sum program 90 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

91 Sum program Define Sum(0, n) = 0+1+…+n 91 { y  0 } x := 1 { y  0  x=1 } res := 0 { y  0  x=1  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=m  x=n  n  y+1  m=Sum(0, n-1) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  x<y  n  y+1 } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n-1)  n  y+1 } { y  0  res-x=Sum(0, x-1)  x-1<y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } // axm-Sum { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

92 Sum program Define Sum(0, n) = 0+1+…+n 92 { y  0 } x := 1 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  n  y+1  x<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } { y  0  res=Sum(0, n)  x=n  n  y+1 } // axm-Sum x := x+1 { y  0  res=Sum(0, n)  x=n+1  n  y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

93 Example 1: Absolute value program 93 { } if x<0 then x := -x else skip { }

94 Absolute value program 94 { x=v } if x 0 } else { x=v  x  0 } skip { x=v  x  0 } { v<0  x=-v  v  0  x=v} { x=|v| }

95 Example 2: Variable swap program 95 { } t := x x := y y := t { }

96 Variable swap program 96 { x=a  y=b } t := x { x=a  y=b  t=a } x := y { x=b  y=b  t=a } y := t { x=b  y=a  t=a } { x=b  y=a } // cons

97 Example 3: Axiomatizing data types 97 We added a new type of variables – array variables – Model array variable as a function y : Z  Z We need the two following axioms: S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S { y[x  a](x) = a } { z  x  y[x  a](z) = y(z) }

98 Array update rules (wp) Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? X : y(v) 98 S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S [array-update] { P[y[a  x]/y] } y[a] := x { P } [array-load] { P[y(a)/x] } x := y[a] { P } A very general approach – allows handling many data types

99 Array update rules (wp) example Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? x : y(v) 99 [array-update] { P[y[a  x]/y] } y[a] := x { P } {x=y[i  7](i)} y[i]:=7 {x=y(i)} {x=7} y[i]:=7 {x=y(i)} [array-load] { P[y(a)/x] } x := y[a] { P } {y(a)=7} x:=y[a] {x=7}

100 Array update rules (sp) 100 [array-update F ] { x=v  y=g  a=b } y[a] := x { y=g[b  v] } [array-load F ] { y=g  a=b } x := y[a] { x=g(b) } In both rules v, g, and b are fresh

101 Array-max program 101 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 1.{ x=N } 2.{  m. (m  0  m<N)  nums(m)  res } 3.{  m. m  0  m<N  nums(m)=res } 4.{ nums=orig_nums }

102 Array-max program 102 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 Post 1 : { x=N } Post 2 : { nums=orig_nums } Post 3 : {  m. 0  m<N  nums(m)  res } Post 4 : {  m. 0  m<N  nums(m)=res }

103 Summary C programming language P assertions {P} C {Q} judgments { P[a/ x ] } x := a { P } proof Rules – Soundness – Completeness {x = N} y:=factorial(x) { y = N!} proofs 103

104 Extensions to axiomatic semantics Procedures Total correctness assertions Assertions for execution time – Exact time – Order of magnitude time Assertions for dynamic memory – Separation Logic Assertions for parallelism – Owicki-Gries – Concurrent Separation Logic – Rely-guarantee 104

Download ppt "Program Analysis and Verification 0368-4479"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
Programming Language Semantics Axiomatic Semantics Chapter 6.

Programming Language Semantics Axiomatic Semantics Chapter 6.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson

Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google