Final Exam /614 Bug Catching: Automated Program Verification Matt Fredrikson André Platzer. December 17, 2017

Size: px

Start display at page:

Download "Final Exam /614 Bug Catching: Automated Program Verification Matt Fredrikson André Platzer. December 17, 2017"

Augustus Jacobs
5 years ago
Views:

1 Final Exam /614 Bug Catching: Automated Program Verification Matt Fredrikson André Platzer December 17, 2017 Name: Andrew ID: André Platzer aplatzer Instructions This exam is closed-book with one sheet of notes permitted. You have 180 minutes to complete the exam. There are 6 problems on 11 pages. Read each problem carefully before attempting to solve it. Do not spend too much time on any one problem. Consider if you might want to skip a problem on a first pass and return to it later. Max What Why3 Did Why? 60 Total Correctness 60 Sound and Unsound Axioms 50 Path Laws 30 News: Nondeterministic Choice 70 Temporal Properties 40 Total: 310 Score Please keep in mind that this is a sample solution, not a model solution. Problems admit multiple correct answers, and the answer the instructor thought of may not necessarily be the best or most elegant. 1

2 /614 Final, page 2/11 Andrew ID: 1 What Why3 Did Why? (60 points) Verification tools like Why3 take a correctness statement about a program as input and phrase them in simpler logic. Your job in this question is to provide a sequent calculus proof justifying why this reduction from a DL formula (conclusion) to arithmetic (premises) was correct. Fill in the blanks of the proof to justify correctness. Or else explain why the reduction was unsound. Task 1 x + y = a [x := x + y; u := 5] x = a x + y = a [:=] [x := x + y] x = a [:=] [x := x + y][u := 5] x = a [;] [x := x + y; u := 5] x = a 20 Task 2 z = x + y z = a [x := x + y; y := 5] x = a

3 15-414/614 Final, page 3/11 Andrew ID: z = x + y z = a z = x + y [y := 5] z = a [:=] = [x := x + y][y := 5] x = a [;] [x := x + y; y := 5] x = a 20 Task 3 x = 0 x 0 x < 10, x 0 x x 0 x = a, x < 10 x = 0 [while(x < 10) x := x + 1] x = a loop x = 0 x 0 x = 0 x 0 [:=] x < 10, x 0 x x 0 x = a, x < 10 L x < 10, x 0 [x := x + 1]x 0 x 0, x 10 x = a x = 0 [while(x < 10) x := x + 1] x = a

4 15-414/614 Final, page 4/11 Andrew ID: 2 Total Correctness (60 points) Recall the loop variant proof rule: (var) Γ J, J, Q, ϕ = n α (J ϕ < n) J, Q ϕ 0 J, Q P Γ while(q) α P, (n fresh) In each of the following examples, identify a loop invariant J and variant ϕ for which all three premises resulting from applying this loop rule will prove. You do not need to show the proof but should convince yourself that the subgoals are valid. You will recieve partial credit if you specify either variant or invariant, and full credit for giving both. 20 Task 1 x = 0, i = 10 while(i 0) {x := x + a(i); i := i 1} x = 0<j 10 a(j) J ϕ 0 i 10 x = i<j 10 a(j) i 20 Task 2 0 m, i = 0 while(i < m x a(i)) {(i := i + 1} ( 0 i < m x = a(i) ) J ϕ 0 i m j.0 j < i x a(j) m i 20 Task 3 0 x, 0 < y, q = 0, r = x while(r y) {r := r y; q := q + 1} q y + r = x J ϕ 0 r 0 < y q y + r = x r

5 15-414/614 Final, page 5/11 Andrew ID: 3 Sound and Unsound Axioms (50 points) Axioms have to be sound, i.e. correspond to valid first-order dynamic logic formulas. 20 Task 1 The following axiom deals with assignments that update an array at an index e. The term p(a(e)) denotes a predicate p with a free occurrence of the array lookup term a(e) inside of it. So this axiom says that the effect of updating an array at e is the same as replacing occurrences of a(e) in p with the assigned value ẽ. ([:=] () ) [a(e) := ẽ]p(a(e)) p(ẽ) Show that this axiom is unsound by giving a counterexample, i.e., use it in a proof with an incorrect conclusion. id a(j) 5 a(j) 5 [:=] a(j) 5 [i := j]a(j) 5 [:=] () a(j) 5 [i := j][a(i) := 5]a(j) 5 [;] a(j) 5 [i := j; a(i) := 5]a(j) 5 10 Task 2 Write the correct axiom for array updates that we used in class and on the homeworks, and show that your counterexample from Task 1 is not possible with this rule. ([:=] () ) [a(e) := ẽ]p(a) p(a{e ẽ}) a(j) row1 a(j) 5 a{j 5}(j) 5 [:=] a(j) 5 [i := j]a{i 5}(j) 5 [:=] () a(j) 5 [i := j][a(i) := 5]a(j) 5 [;] a(j) 5 [i := j; a(i) := 5]a(j) 5

6 15-414/614 Final, page 6/11 Andrew ID: 20 Task 3 Is the following axiom sound? If so use the semantics of dynamic logic to prove soundness or else give a counterexample: α; β P α β P This axiom is sound. Recall the semantics of sequential composition: [α; β ] = [[α] [β ] = {(ω, ν) : (ω, µ) [α], (µ, ν) [β ]} In order to show that the formula α; β P α β P is valid, i.e. α; β P α β P, consider any state ω and show that ω = α; β P α β P. Assume the left hand side ω = α; β P and show ω = α β P. Consequently, there is a state ν such that (ω, ν) [α; β ] and ν = P. Now (ω, µ) [α] and (µ, ν) [β ] iff (ω, ν) [α; β ] by the semantics of sequential composition. Hence, there is a state µ such that (ω, µ) [α] and µ = β P. Thus, ω = α β P.

7 15-414/614 Final, page 7/11 Andrew ID: 4 Path Laws (30 points) LTL formulas P and Q are equivalent when for any path σ, σ = P whenever σ = Q. Likewise, CTL formulas P and Q are equivalent whenever for any state s in any Kripke structure K, s = P whenever s = Q. Recall that unlike with LTL, CTL formulas contain path quantifiers which denote that a temporal property either holds on some path starting at a state (E), or on all paths starting at a state (A). The following LTL equivalence is valid: (P Q) P Q In this question, you are to reason about the validity of corresponding CTL formulas that include path quantifiers. 15 Task 1 Is the following CTL formula valid? If so, use the semantics of CTL to argue that it is. If it is not, give a computation structure that satisfies one side but not the other. AF(P Q) AFP AFQ This formula is not valid. P Q

8 15-414/614 Final, page 8/11 Andrew ID: 15 Task 2 Is the following CTL formula valid? If so, use the semantics of CTL to argue that it is. If it is not, give a computation structure that satisfies one side but not the other. EF(P Q) EFP EFQ This formula is valid, which is seen by the following reasoning in either direction. Assume that s = EFP EFQ, and further without loss of generality that s = EFP. So there is a path starting in s on which some state s satisfies P, so s = P Q. Then by the semantics of CTL it follows that s = EF(P Q). Assume that s = EF(P Q). Then theres exist a path from s on which some state s satisfies s = P Q, and without loss of generality assume that it is s = P. Then by the semantics of CTL, s = EFP, and thus s = EFP EFQ.

9 15-414/614 Final, page 9/11 Andrew ID: 5 News: Nondeterministic Choice (70 points) Every operator in DL has a syntax, a semantics, and an axiom or proof rule. This question asks you to add a new operator for nondeterministic choices between two programs. Informally, the nondeterministic choice program α β will either run α or β, and can nondeterministically choose whether it runs α or β. Similar to other sources of nondeterminism such as α and x :=, there is no way of predicting whether α β will run α or β, because both are possible. 5 Task 1 Change the grammar of DL such that such that the nondeterministic choice α β between program α and program β is allowed in the syntax: P, Q ::= e = ẽ e ẽ P P Q P Q P Q P Q x P x P [α]p α P α, β ::= x := e?q if(q) α else β α; β while(q) α α, β ::= x := e?q if(q) α else β α; β while(q) α α β 20 Task 2 Define the semantics [α β ] as the set of all pairs of initial state ω and final state ν such that final state ν is reachable from initial state ω by nondeterministically running either program α or program β: [α β ] = {(ω, ν) : (ω, ν) [α] or (ω, ν) [β ] } 20 Task 3 Provide an axiom for proving formulas of the form [α β]p, which expresses that all ways of running α β satisfy formula P : [α β]p [α]p [β]p

10 15-414/614 Final, page 10/11 Andrew ID: 25 Task 4 Use your semantics from task 2 to prove that your axiom from task 3 is sound, i.e. all its instances are valid formulas (true in all states). In order to show the axiom is sound, we consider any state ω and show that ω = [α]p [β]p [α β]p. Consider each direction. Consider any state ω, and show that ω = [α]p [β]p [α β]p. Assume the left side ω = [α]p [β]p. So it must be that for any ν where (ω, ν) α, ν = P. Likewise for any ν where (ω, ν) β, ν = P. Therefore, for any (ω, ν) α or (ω, ν) β, ν = P. Thus by Task 2, for any (ω, ν) α β, ν = P. Then ω = [α β]p. Consider any state ω, and show that ω = [α β]p [α]p [β]p. Assume that ω = [α β]p, so for any (ω, ν) α or (ω, ν) β, ν = P. Then ω = [α]p and ω = [β]p. So we conclude that ω = [α]p [β]p.

11 15-414/614 Final, page 11/11 Andrew ID: 6 Temporal Properties (40 points) Alice and Bob are users who share a single printer device. Because it can only print one job at a time, they want certain temporal properties to hold of its controller. Suppose we define the following atomic propositions: areq, breq indicates that Alice (a) or Bob (b) requests usage of the printer ause, buse indicates that Alice (a) or Bob (b) is currently using the printer arel, brel indicates that Alice (a) or Bob (b) releases the printer 10 Task 1 Write an LTL formula which specifies that only one person (Alice or Bob) can use the printer at any given moment in time. ( ause buse) 10 Task 2 Write an LTL formula specifying that whenever Alice uses the printer, she will release it in a finite amount of time. (ause arel) 10 Task 3 Write a CTL formula which states that there is always a possible future in which Bob eventually requests access to the printer. AG EF breq 10 Task 4 Write a nondeterministic Büchi automaton which accepts all traces that satisfy your formula from Task 1. Be sure to clearly mark the initial and accepting states. ause buse ause buse

Lecture Notes on Loop Variants and Convergence

15-414: Bug Catching: Automated Program Verification Lecture Notes on Loop Variants and Convergence Matt Fredrikson Ruben Martins Carnegie Mellon University Lecture 9 1 Introduction The move to total correctness