Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification 0368-4479

Published byLesley Burke Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification 0368-4479"— Presentation transcript:

1 Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 7: Axiomatic Semantics - Concurrency Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2 Good manners Mobiles

3 Home Work Assignment #1 & #2 #1 due today – Modulo justified extensions #2 Wednesday – Due lesson 10

4 Axiomatic Semantics (Hoare Logic) Programming Language – Syntax ( skip | S 1 ; S 2 | … ) – Semantics (e.g., states ∑ + Stmts  C, s   s) Assertions – Syntax ( x = 3 | x < y + a | …) – Semantics (P ⊆ ∑ alt. s  p P) Judgments – {P} C {Q}, [P] C [Q] –  p {P} C {Q} :  s, s’  . (s  p P   C, s   s’)  s’  p Q) Inference rules Proofs

5 Axiomatic semantics for While { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

6 Factorial proof W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 }

7 Soundness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q }

8 Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is relatively complete: –  p { P } C { Q } implies  p { P } C { Q } ∀ A,B. A ⇒ B Assertion language is expressive enough

9 While + Concurrency Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S | cobegin S 1 ‖ … ‖ S n coend

10 Proofs {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } { P 1 } S 1 { Q 2 } { P 2 } S 2 { Q 2 } … … … Challenge: Interference

11 Disjoint Parallelism {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } { P 1 } S 1 { Q 2 } { P 2 } S 2 { Q 2 } FV(P 1,S 1,Q 1 ) ∩ FV(P 2,S 2,Q 2 ) = ∅

12 Global Invariant I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 }

13 Global Invariant I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 } I ⊢ { P } S 1 ; S 2 { R } I ⊢ { P } S 1 { Q } I ⊢ { Q } S 2 { R }

14 Global Invariant I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 } I ⊢ { P } S 1 ; S 2 { Q } I ⊢ { P } S 1 { R } I ⊢ { R } S 2 { Q } I ⊢ { P } S { Q } { P Λ I } S { Q Λ I }

15 Owicky-Gries A command C with a precondition pre(C) does not interfere with the proof of {P} S {Q} if: – {Q  pre(C) } C {Q} – For any S’ “ ∈ ” S: {pre(S’)  pre(C) } C {pre(S’)} {P 1 } C 1 {Q 1 }... {P k } C k {Q k } are interference free if ∀ i  j and ∀ x:=a “ ∈ ” C i, x:=a does not interfere with {P j } C j {Q j }

16 Parallel Composition Rule I ⊢ {P 1 Λ P 1 } S 1 ‖ S 2 { Q 2 Λ Q 2 } I ⊢ { P 1 } S 1 { Q 2 } I ⊢ { P 2 } S 2 { Q 2 } {P 1 } C 1 {Q 1 }... {P k } C k {Q k } are interference free

17 Owicky-Gries: Limiations Checking interference can be hard – Non-compositionality Until you finished the local proofs cannot check interference Proofs need to be “saved” – Hard to handle libraries and missing code A non-standard meaning of Hoare triples – Depends on the interference of other threads with the proof – Soundness is non-trivial Completeness depends on auxiliary variables

18 Rely / Guarantee Aka assume Guarantee Cliff Jones Main idea: Modular capture of interference – Compositional proofs

19 Commands as relations It is convenient to view the meaning of commands as relations between pre-states and post-states In {P} C {Q} – P is a one state predicate – Q is a two-state predicate Recall auxiliary variables Example – {true} x := x + 1 {x= x + 1}

20 Intuition C G Hoare: { P } S { Q } ~ {P} ⇒⇒⇒⇒ {Q} C R/G: R,G ⊢ { P } S { Q } ~ {P} ⇒⇒⇒⇒⇒⇒⇒ {Q} G R R R G G

21 From one- to two-state relations p( ,  ) =p(  ) A single state predicate p is preserved by a two-state relation R if – p  R  p – ,  : p(  )  R( ,  )  p(  )

22 Operations on Relations (P;Q)( ,  )=  :P( ,  )  Q( ,  ) ID( ,  )= (  =  ) R * =ID  R  (R;R)  (R;R;R)  … 

23 Formulas ID(x) = (x = x) ID(p) =(p  p) Preserve (p)= p  p

24 Informal Semantics c  (p, R, G, Q) – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

25 Informal Semantics c  (p, R, G, Q) – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G c  [p, R, G, Q] – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

26 A Formal Semantics Let  C  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 – as usual  4 =  when c does not terminate  C  R = { :   :  R  (  *  2   2 =  3 =  4    ’, C’:  *  ( (  2 =  1   2 =  )  (  3 =    3 =  ’)   4 =  )    C’  R ) c  (p, R, G, Q) – For every   C  R such that  1  p  G If  4   :  Q

27 Simple Examples X := X + 1  (true, X=X, X =X+1  X=X, X =X+1) X := X + 1  (X  0, X  X, X>0  X=X, X>0) X := X + 1 ; Y := Y + 1  (X  0  Y  0, X  X  Y  Y, G, X>0  Y>0)

28 Inference Rules Define c  (p, R, G, Q) by structural induction on c Soundness – If c  (p, R, G, Q) then c  (p, R, G, Q)

29 Atomic Command {p} c {Q} atomic {c}  (p, preserve(p), Q  ID, Q) (Atomic)

30 Conditional Critical Section {p  b} c {Q} await b then c  (p, preserve(p), Q  ID, Q) (Critical)

31 Sequential Composition c 1  (p 1, R, G, Q 1 ) c 1 ; c 2  (p 1, R, G, (Q 1 ; R * ; Q 2 )) (SEQ) c 2  (p 2, R, G, Q 2 ) Q 1  p 2

32 Conditionals c 1  (p  b 1, R, G, Q) p  b  R *  b 1 if atomic {b} then c 1 else c 2  (p, R, G, Q) (IF) c 2  (p  b 2, R, G, Q) p   b  R*  b 2

33 Loops c  (j  b 1, R, G, j) j  b  R *  b 1 while atomic {b} do c  (j, R, G,  b  j) (WHILE) R  Preserve(j)

34 Refinement c  (p, R, G, Q) c  (p’, R’, G’, Q’) (REFINE) p’  p Q  Q’ R’  R G  G’

35 Parallel Composition c 1  (p 1, R 1, G 1, Q 1 ) c 1 || c 2  (p 1  p 1, (R 1  R2), (G 1  G 2 ), Q) where Q= (Q 1 ; (R 1  R 2 )*; Q 2 )  (Q 2 ; (R 1  R 2 )*; Q 1 ) (PAR) c 2  (p 2, R 2, G 2, Q 2 ) G 1  R 2 G 2  R 1

36 Issues in R/G Total correctness is trickier Restrict the structure of the proofs – Sometimes global proofs are preferable Many design choices – Transitivity and Reflexivity of Rely/Guarantee – No standard set of rules Suitable for designs

Download ppt "Program Analysis and Verification 0368-4479"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Program Analysis and Verification 0368-4479

Program Analysis and Verification
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Axiomatic Semantics Dr. M Al-Mulhem ICS535-091.

Axiomatic Semantics Dr. M Al-Mulhem ICS
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Dr. Muhammed Al-Mulhem 1ICS535-101 ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.

Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.

Similar presentations

Ads by Google