
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.


1 Program Analysis and Verification, Spring 2015. Lecture 4: Axiomatic Semantics I. Roman Manevich, Ben-Gurion University

2 Agenda
– Basic concepts of correctness
– Axiomatic semantics (pages 175-183)
  – Hoare Logic
  – Properties of the semantics
  – Weakest precondition

3 Tentative syllabus
– Semantics: Natural Semantics, Structural semantics, Axiomatic Verification
– Static Analysis: Automating Hoare Logic, Control Flow Graphs, Equation Systems, Collecting Semantics
– Abstract Interpretation fundamentals: Lattices, Fixed-Points, Chaotic Iteration, Galois Connections, Domain constructors, Widening/Narrowing
– Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR
– Crafting your own: Soot, From proofs to abstractions, Systematically developing transformers

4 Program correctness

5 Program correctness concepts
– Property = a certain relationship between initial state and final state
– Partial correctness = properties that hold if the program terminates (main focus of this course)
– Termination = the program always terminates, i.e., for every input state
– partial correctness + termination = total correctness
– Other correctness concepts exist: liveness, resource usage, …

6 Factorial example
Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x
– What if x < 0?
Formally, using natural semantics: …?
S_fac ≡ y := 1; while ¬(x=1) do (y := y*x; x := x–1)
⟨S_fac, σ⟩ → σ' implies σ' y = (σ x)!

7 Verifying factorial with natural semantics 7

8 Natural semantics for While
[ass_ns]      ⟨x := a, σ⟩ → σ[x ↦ A⟦a⟧σ]
[skip_ns]     ⟨skip, σ⟩ → σ
[comp_ns]     ⟨S1, σ⟩ → σ', ⟨S2, σ'⟩ → σ''  /  ⟨S1; S2, σ⟩ → σ''
[if_tt_ns]    ⟨S1, σ⟩ → σ'  /  ⟨if b then S1 else S2, σ⟩ → σ'   if B⟦b⟧σ = tt
[if_ff_ns]    ⟨S2, σ⟩ → σ'  /  ⟨if b then S1 else S2, σ⟩ → σ'   if B⟦b⟧σ = ff
[while_ff_ns] ⟨while b do S, σ⟩ → σ   if B⟦b⟧σ = ff
[while_tt_ns] ⟨S, σ⟩ → σ', ⟨while b do S, σ'⟩ → σ''  /  ⟨while b do S, σ⟩ → σ''   if B⟦b⟧σ = tt

9 Staged proof 9

10 Stages
– Loop body, y := y*x; x := x–1: if ⟨y := y*x; x := x–1, s⟩ → s'' then s y × (s x)! = s'' y × (s'' x)!, provided s x > 0
– Loop, while ¬(x=1) do (y := y*x; x := x–1): if ⟨while ¬(x=1) do (y := y*x; x := x–1), s⟩ → s'' then s y × (s x)! = s'' y × (s'' x)! ∧ s'' x = 1, provided s x > 0
– Whole program, y := 1; while ¬(x=1) do (y := y*x; x := x–1): if ⟨y := 1; while ¬(x=1) do (y := y*x; x := x–1), s⟩ → s' then s' y = (s x)!, provided s x > 0

11 Inductive proof over iterations
One unfolding of while ¬(x=1) do (y := y*x; x := x–1): from ⟨(y := y*x; x := x–1), s⟩ → s' and ⟨while ¬(x=1) do (y := y*x; x := x–1), s'⟩ → s'' we get ⟨while ¬(x=1) do (y := y*x; x := x–1), s⟩ → s''
– Body: s y × (s x)! = s' y × (s' x)!, provided s x > 0
– Induction hypothesis on the remaining iterations: s' y × (s' x)! = s'' y × (s'' x)! ∧ s'' x = 1, provided s' x > 0
– Combined: s y × (s x)! = s'' y × (s'' x)! ∧ s'' x = 1, provided s x > 0

12 First stage 12

13 Second stage 13

14 ⟨while ¬(x=1) do (y := y*x; x := x–1), s⟩ → s'

15 Third stage 15

16 How easy was that?
– Proof is very laborious
  – Need to connect all transitions and argue about relationships between their states
  – Reason: too closely connected to the semantics of the programming language
– Proof is long
  – Makes it hard to find possible mistakes
– How did we know to find this proof?
  – Is there a methodology?

17 Can you prove my program correct? – I'll use operational semantics. – Better use axiomatic verification.

18 "P. Oxy. I 29" by Euclid, http://www.math.ubc.ca/~cass/Euclid/papyrus/tha.jpg. Licensed under Public Domain via Wikimedia Commons, http://commons.wikimedia.org/wiki/File:P._Oxy._I_29.jpg#/media/File:P._Oxy._I_29.jpg. One of the oldest surviving fragments of Euclid's Elements, a textbook used for millennia to teach proof-writing techniques. The diagram accompanies Book II, Proposition 5.

19 A systematic approach to program verification

20 Axiomatic verification approach
What do we need in order to prove that the program does what it is supposed to do?
– Specify the required behavior: express properties
– Compare the behavior with the one obtained by the operational semantics
– Develop a proof system for showing that the program satisfies a requirement
– Mechanically use the proof system to show correctness

21 Axiomatic semantics contributors
– Robert Floyd, 1967: use assertions as foundation for static correctness proofs
– C.A.R. Hoare, 1969: use Floyd's ideas to define axiomatic semantics, "An axiomatic basis for computer programming"
– Edsger W. Dijkstra: predicate transformer semantics: weakest precondition and strongest postcondition

22 Assertions, a.k.a. Hoare triples
{ P } C { Q } – P is the precondition, C the statement (a.k.a. command), Q the postcondition
– P and Q are state predicates expressed as logical formulas. Example: x > 0
– If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts
– C is not required to always terminate: {true} while true do skip {false}

23 Total correctness assertions
[ P ] C [ Q ]
If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts

24 Specifying correctness of factorial 24

25 Factorial example: specify precondition/postcondition
{ ? } y := 1; while ¬(x=1) do (y := y*x; x := x–1) { ? }

26 First attempt
{ x > 0 } y := 1; while ¬(x=1) do (y := y*x; x := x–1) { y = x! }
Holds only for the value of x at the state after execution finishes. We need a way to "remember" the value of x before execution.

27 Fixed assertion
{ x = n } y := 1; while ¬(x=1) do (y := y*x; x := x–1) { y = n! ∧ n > 0 }
n is a logical variable: it must not appear in the statement (it is immutable)

28 The proof outline
{ x = n }
y := 1;
{ x > 0 ∧ y*x! = n! ∧ n ≥ x }
while ¬(x=1) do
  { x-1 > 0 ∧ (y*x)*(x-1)! = n! ∧ n ≥ (x-1) }
  y := y*x;
  { x-1 > 0 ∧ y*(x-1)! = n! ∧ n ≥ (x-1) }
  x := x–1
{ y*x! = n! ∧ n > 0 ∧ x = 1 }
Background axiom: { n!*(n+1) = (n+1)! }

29 Formalizing partial correctness via Hoare logic

30 States and predicates
– σ – program states (State)
– ⊥ – undefined
– A state predicate P is a (possibly infinite) set of states, P ⊆ State
– σ ⊨ P – P holds in state σ

31 FO Logic reminder
We write A ⇒ B if for all states σ, if σ ⊨ A then σ ⊨ B
– { σ | σ ⊨ A } ⊆ { σ | σ ⊨ B }
– For every predicate A: false ⇒ A ⇒ true
We write A ⇔ B if A ⇒ B and B ⇒ A
– false ⇔ 5=7
In writing Hoare-style proofs, we will often replace a predicate A with A' such that A ⇔ A' and A' is "simpler"

32 Formalizing Hoare triples
{ P } C { Q }
– ∀σ, σ' ∈ Σ. (σ ⊨ P ∧ ⟨C, σ⟩ → σ') ⇒ σ' ⊨ Q
alternatively
– Convention: ⊥ ⊨ P for all P
– ∀σ ∈ Σ. σ ⊨ P ⇒ S_ns⟦C⟧σ ⊨ Q
where S_ns⟦C⟧σ = σ' if ⟨C, σ⟩ → σ', and ⊥ otherwise
Why did we choose natural semantics?

33 Formalizing Hoare triples
{ P } C { Q }
– ∀σ, σ' ∈ Σ. (σ ⊨ P ∧ ⟨C, σ⟩ →* σ') ⇒ σ' ⊨ Q
alternatively
– Convention: ⊥ ⊨ P for all P
– ∀σ ∈ Σ. σ ⊨ P ⇒ S_sos⟦C⟧σ ⊨ Q
where S_sos⟦C⟧σ = σ' if ⟨C, σ⟩ →* σ', and ⊥ otherwise

34 How do we express predicates?
– Extensional approach: abstract mathematical functions P : State → {tt, ff}
– Intensional approach: via a language of formulae

35 An assertion language
Bexp is not expressive enough to express the predicates needed for many proofs
– Extend Bexp
Allow quantification
– ∃z. …
– ∀z. …
– e.g., ∃z. z = k × n
Import well known mathematical concepts
– n! ≡ n × (n-1) × … × 2 × 1

36 An assertion language
a ::= n | x | a1 + a2 | a1 × a2 | a1 – a2
A ::= true | false | a1 = a2 | a1 ≤ a2 | ¬A | A1 ∧ A2 | A1 ∨ A2 | A1 ⇒ A2 | ∀z. A | ∃z. A
Here x is either a program variable or a logical variable

37 Some FO logic definitions before we get to the rules

38 Free/bound variables
A variable is said to be bound in a formula when it occurs in the scope of a quantifier; otherwise it is said to be free
– ∀i. k = i × m
– (i+100 ≤ 77) ∧ ∀i. j+1 = i+3
FV(A) ≡ the free variables of A, defined inductively on the abstract syntax tree of A

39 Computing free variables
FV(n) ≡ {}
FV(x) ≡ { x }
FV(a1 + a2) ≡ FV(a1 × a2) ≡ FV(a1 - a2) ≡ FV(a1) ∪ FV(a2)
FV(true) ≡ FV(false) ≡ {}
FV(a1 = a2) ≡ FV(a1 ≤ a2) ≡ FV(a1) ∪ FV(a2)
FV(¬A) ≡ FV(A)
FV(A1 ∧ A2) ≡ FV(A1 ∨ A2) ≡ FV(A1 ⇒ A2) ≡ FV(A1) ∪ FV(A2)
FV(∀z. A) ≡ FV(∃z. A) ≡ FV(A) \ { z }

40 Substitution
An expression t is pure (a term) if it does not contain quantifiers
A[t/z] denotes the assertion A' which is the same as A, except that all instances of the free variable z are replaced by t
A ≡ ∀i. k = i × m
A[5/k] = …?
A[5/i] = …?

41 Calculating substitutions
n[t/z] = n
x[t/z] = x   (x ≠ z)
x[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z]
(a1 × a2)[t/z] = a1[t/z] × a2[t/z]
(a1 - a2)[t/z] = a1[t/z] - a2[t/z]

42 Calculating substitutions
true[t/x] = true
false[t/x] = false
(a1 = a2)[t/z] = a1[t/z] = a2[t/z]
(a1 ≤ a2)[t/z] = a1[t/z] ≤ a2[t/z]
(¬A)[t/z] = ¬(A[t/z])
(A1 ∧ A2)[t/z] = A1[t/z] ∧ A2[t/z]
(A1 ∨ A2)[t/z] = A1[t/z] ∨ A2[t/z]
(A1 ⇒ A2)[t/z] = A1[t/z] ⇒ A2[t/z]
(∀z. A)[t/z] = ∀z. A
(∀z. A)[t/y] = ∀z. A[t/y]   (y ≠ z, and z not free in t)
(∃z. A)[t/z] = ∃z. A
(∃z. A)[t/y] = ∃z. A[t/y]   (y ≠ z, and z not free in t)
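To make the FV and substitution tables concrete, here is an added example (not from the slides) that encodes the assertion language of slide 36 as Python tuples and computes FV(A) and A[t/z] by the same structural recursion; the constructed formulas A and B are the slides' own examples, and the renaming of a bound variable that occurs free in t is an addition the tables leave implicit.

```python
# Added example, not from the slides: the assertion language of the lecture as
# a tuple-based AST, with FV and substitution A[t/z] computed by structural
# recursion following the FV and substitution tables.
ARITH = {'num', 'var', 'add', 'mul', 'sub'}      # n | x | a1 + a2 | a1 × a2 | a1 – a2
BINARY = {'add', 'mul', 'sub', 'eq', 'le', 'and', 'or', 'imp'}   # two sub-terms each
QUANT = {'forall', 'exists'}                                     # ∀z. A | ∃z. A

def fv(e):
    """Free variables of an arithmetic expression or an assertion."""
    k = e[0]
    if k in ('num', 'true', 'false'):
        return set()
    if k == 'var':
        return {e[1]}
    if k in BINARY:
        return fv(e[1]) | fv(e[2])
    if k == 'not':
        return fv(e[1])
    if k in QUANT:                                  # FV(∀z. A) = FV(A) \ {z}
        return fv(e[2]) - {e[1]}
    raise ValueError(k)

def subst(e, t, z):
    """e[t/z]: replace the free occurrences of z in e by the term t."""
    assert t[0] in ARITH, "t must be pure (no quantifiers)"
    k = e[0]
    if k in ('num', 'true', 'false'):
        return e
    if k == 'var':
        return t if e[1] == z else e                # x[t/x] = t,  x[t/z] = x (x ≠ z)
    if k in BINARY:
        return (k, subst(e[1], t, z), subst(e[2], t, z))
    if k == 'not':
        return (k, subst(e[1], t, z))
    q, y, body = e                                  # quantifier case
    if y == z:                                      # (∀z. A)[t/z] = ∀z. A: z is bound
        return e
    if y in fv(t):                                  # the table assumes y ∉ FV(t);
        y2 = y + "'"                                # otherwise rename the bound y
        while y2 in fv(body) | fv(t):               # so t's free y is not captured
            y2 += "'"
        body, y = subst(body, ('var', y2), y), y2
    return (q, y, subst(body, t, z))                # (∀y. A)[t/z] = ∀y. A[t/z]

# A ≡ ∀i. k = i × m (substitution slide) and
# (i + 100 ≤ 77) ∧ ∀i. j + 1 = i + 3 (free/bound variables slide), as constructed ASTs.
A = ('forall', 'i', ('eq', ('var', 'k'), ('mul', ('var', 'i'), ('var', 'm'))))
B = ('and', ('le', ('add', ('var', 'i'), ('num', 100)), ('num', 77)),
     ('forall', 'i', ('eq', ('add', ('var', 'j'), ('num', 1)),
                            ('add', ('var', 'i'), ('num', 3)))))
```

With these, A[5/k] is ∀i. 5 = i × m while A[5/i] is A unchanged, since i is bound; in B only the first i is free.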

43 And now… the rules. Six are completely enough.

44 Axiomatic semantics for While
[ass_p]   { P[a/x] } x := a { P }
[skip_p]  { P } skip { P }
[comp_p]  { P } S1 { Q }, { Q } S2 { R }  /  { P } S1; S2 { R }
[if_p]    { b ∧ P } S1 { Q }, { ¬b ∧ P } S2 { Q }  /  { P } if b then S1 else S2 { Q }
[while_p] { b ∧ P } S { P }  /  { P } while b do S { ¬b ∧ P }
[cons_p]  { P' } S { Q' }  /  { P } S { Q }   if P ⇒ P' and Q' ⇒ Q
Notice the similarity to the natural semantics rules. What's different about the last rule?

45 Assignment rule
{ P[a/x] } x := a { P } [ass_p]
– A "backwards" rule
– x := a always finishes
– Why is this true? Recall the operational semantics: ⟨x := a, σ⟩ → σ[x ↦ A⟦a⟧σ] [ass_ns], and σ[x ↦ A⟦a⟧σ] ⊨ P exactly when σ ⊨ P[a/x]
Exercises:
– {?} x := y*z {x 8}
– {?} x := y*z {w=5}

46 skip rule
⟨skip, σ⟩ → σ [skip_ns]

47 Composition rule
Holds when S1 terminates in every state where P holds and then Q holds, and S2 terminates in every state where Q holds and then R holds
⟨S1, σ⟩ → σ', ⟨S2, σ'⟩ → σ''  /  ⟨S1; S2, σ⟩ → σ'' [comp_ns]

48 Condition rule
⟨S1, σ⟩ → σ'  /  ⟨if b then S1 else S2, σ⟩ → σ'   if B⟦b⟧σ = tt [if_tt_ns]
⟨S2, σ⟩ → σ'  /  ⟨if b then S1 else S2, σ⟩ → σ'   if B⟦b⟧σ = ff [if_ff_ns]

49 Loop rule
Here P is called an invariant for the loop
– Holds before and after each loop iteration
– Finding loop invariants is the most challenging part of proofs
When the loop finishes, b is false
⟨while b do S, σ⟩ → σ   if B⟦b⟧σ = ff [while_ff_ns]
⟨S, σ⟩ → σ', ⟨while b do S, σ'⟩ → σ''  /  ⟨while b do S, σ⟩ → σ''   if B⟦b⟧σ = tt [while_tt_ns]

50 Rule of consequence
– Allows strengthening the precondition and weakening the postcondition
– The only rule that is not related to a statement

51 Rule of consequence
Why do we need it? It allows the following: from {y*z<9} x:=y*z {x<9} derive {y*z<9 ∧ w=5} x:=y*z {x<9}
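The definition of { P } C { Q } through S_ns (slide 32), the backwards reading of the assignment rule (slide 45) and the consequence example above can all be checked mechanically on a finite state space. This added example (not from the lecture) is a step-bounded natural-semantics interpreter for While with the ⊥ ⊨ Q convention; predicates are written extensionally as Python functions, and STATES is a constructed sample of initial states.

```python
# Added example, not from the slides: a step-bounded natural-semantics
# interpreter for While and a checker for the lecture's definition of
#   {P} C {Q}  iff  for all s: s ⊨ P implies S_ns⟦C⟧s ⊨ Q,  with ⊥ ⊨ Q.
# Predicates use the extensional approach: Python functions State -> bool.
import itertools
import math

BOTTOM = None  # ⊥: C did not terminate on s within the step budget

def run(stmt, s, fuel=100):
    """S_ns⟦stmt⟧s or BOTTOM. stmt is ('skip',), ('assign', x, a), ('seq', s1, s2),
    ('if', b, s1, s2) or ('while', b, body); a and b are functions of the state."""
    if s is BOTTOM or stmt[0] == 'skip':
        return s
    if stmt[0] == 'assign':
        return {**s, stmt[1]: stmt[2](s)}                # s[x ↦ A⟦a⟧s]
    if stmt[0] == 'seq':
        return run(stmt[2], run(stmt[1], s, fuel), fuel)
    if stmt[0] == 'if':
        return run(stmt[2] if stmt[1](s) else stmt[3], s, fuel)
    while s is not BOTTOM and stmt[1](s):                # 'while': [while_tt_ns], repeated
        if fuel == 0:
            return BOTTOM                                # out of budget: treat as ⊥
        fuel, s = fuel - 1, run(stmt[2], s, fuel)
    return s                                             # [while_ff_ns] (or ⊥)

def hoare_holds(pre, stmt, post, states):
    """Partial correctness of {pre} stmt {post} over a finite set of initial states."""
    finals = (run(stmt, s) for s in states if pre(s))
    return all(post(f) for f in finals if f is not BOTTOM)  # ⊥ ⊨ post by convention

def pre_of_assign(post, x, a):
    """Semantic reading of [ass_p]: s ⊨ P[a/x] iff s[x ↦ A⟦a⟧s] ⊨ P."""
    return lambda s: post({**s, x: a(s)})

# Constructed finite state space over the program variables x, y, z, w.
STATES = [dict(zip('xyzw', v)) for v in itertools.product(
    range(-2, 6), range(-2, 4), range(-2, 4), range(4, 7))]

# The lecture's factorial program: y := 1; while ¬(x=1) do (y := y*x; x := x-1)
FAC = ('seq', ('assign', 'y', lambda s: 1),
       ('while', lambda s: s['x'] != 1,
        ('seq', ('assign', 'y', lambda s: s['y'] * s['x']),
                ('assign', 'x', lambda s: s['x'] - 1))))

def factorial_spec_holds(n):
    """{x = n} FAC {y = n! ∧ n > 0}; for n <= 0 the loop never ends, so it holds vacuously."""
    return hoare_holds(lambda s: s['x'] == n, FAC,
                       lambda s: n > 0 and s['y'] == math.factorial(n), STATES)
```

For the slide 45 exercise {?} x := y*z {w=5}, pre_of_assign gives a predicate equivalent to w = 5, and the triple checks out over STATES.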

52 Next lecture: axiomatic semantics II

