CS256/Winter 2009 Lecture #6. Zohar Manna

Similar documents
CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Temporal Logic of Actions

Chapter 6: Computation Tree Logic

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Verification Constraint Problems with Strengthening

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

IC3 and Beyond: Incremental, Inductive Verification

The Polyranking Principle

SAT-Based Verification with IC3: Foundations and Demands

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Computer-Aided Program Design

Model checking for LTL (= satisfiability over a finite-state program)

Linear Temporal Logic and Büchi Automata

What s Decidable About Arrays?

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

CS156: The Calculus of Computation

Automata-Theoretic Model Checking of Reactive Systems

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Program verification using Hoare Logic¹

Formal Verification of the Ricart-Agrawala Algorithm

The State Explosion Problem

Program Analysis Part I : Sequential Programs

Floyd-Hoare Style Program Verification

The algorithmic analysis of hybrid system

Constraint Solving for Program Verification: Theory and Practice by Example

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Linear-Time Logic. Hao Zheng

Logical Abduction and its Applications in Program Verification. Isil Dillig MSR Cambridge

Constraint Solving for Program Verification: Theory and Practice by Example

Constraint-Based Static Analysis of Programs

Lecture Notes on Software Model Checking

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Correctness of Concurrent Programs

Overview. overview / 357

A Short Introduction to Hoare Logic

Logic. Propositional Logic: Syntax

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Mathematics 114L Spring 2018 D.A. Martin. Mathematical Logic

Safety and Liveness Properties

An Inquisitive Formalization of Interrogative Inquiry

PSL Model Checking and Run-time Verification via Testers

CMSC 451: Lecture 7 Greedy Algorithms for Scheduling Tuesday, Sep 19, 2017

Proof Calculus for Partial Correctness

COMP3151/9151 Foundations of Concurrency Lecture 4

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Axiomatic Verification II

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Temporal Logic and Fair Discrete Systems

Transition Predicate Abstraction and Fair Termination

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Introducing Proof 1. hsn.uk.net. Contents

CS1800: Strong Induction. Professor Kevin Gold

Soundness and Completeness of Axiomatic Semantics

5. Peano arithmetic and Gödel s incompleteness theorem

Unranked Tree Automata with Sibling Equalities and Disequalities

Model Theory of Modal Logic Lecture 4. Valentin Goranko Technical University of Denmark

Proof Rules for Correctness Triples

1 The decision problem for First order logic

Diagram-based Formalisms for the Verication of. Reactive Systems. Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E.

Discrete Mathematics for CS Spring 2007 Luca Trevisan Lecture 27

COMPUTER SCIENCE TEMPORAL LOGICS NEED THEIR CLOCKS

22c:145 Artificial Intelligence

Lecture 3: Semantics of Propositional Logic

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

Notes. Corneliu Popeea. May 3, 2013

arxiv: v1 [cs.pl] 5 Apr 2017

Software Verification

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Propositional Logic: Syntax

- Introduction to propositional, predicate and higher order logics

Model Checking Algorithms

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Hoare Logic and Model Checking

Sequential programs. Uri Abraham. March 9, 2014

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Completeness in the Monadic Predicate Calculus. We have a system of eight rules of proof. Let's list them:

Constructing Invariants for Hybrid Systems

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

Control Predicates Are Better Than Dummy Variables For Reasoning About Program Control

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Introduction to Intuitionistic Logic

Learning Goals of CS245 Logic and Computation

Natural Deduction. Formal Methods in Verification of Computer Systems Jeremy Johnson

P P P NP-Hard: L is NP-hard if for all L NP, L L. Thus, if we could solve L in polynomial. Cook's Theorem and Reductions

Normal Forms of Propositional Logic

Logic as a Tool Chapter 1: Understanding Propositional Logic 1.1 Propositions and logical connectives. Truth tables and tautologies

An Introduction to Temporal Logics

Lecture 11 Safety, Liveness, and Regular Expression Logics

Chapter 4: Computation tree logic

Wollongong College Australia

AN ALTERNATIVE NATURAL DEDUCTION FOR THE INTUITIONISTIC PROPOSITIONAL LOGIC

Identical Particles in Quantum Mechanics

Transcription:

CS256/Winter 2009 Lecture #6 Zohar Manna

Chapter 1 Invariance: Proof Methods For assertion q and SPL program P show P Õ ¼ q (i.e., q is P-invariant) 6-1

Proving Invariances Definitions Recall: the variables of assertion: free (flexible) system variables V = Y {π} where Y are the program variables and π is the control variable quantified (rigid) specification variables q is the primed version of q, obtained by replacing each free occurrence of a system variable y V by its primed version y. ρ τ is the transition relation of τ, expressing the relation holding between a state s and any of its τ- successors s τ(s). 6-2

Verification Conditions (proof obligations) standard verification condition For assertions ϕ, ψ and transition τ, {ϕ} τ {ψ} ( Hoare triple ) stands for the state formula ρ τ ϕ ψ Verification condition (VC) of ϕ and ψ relative to transition τ ϕ τ ψ j j + 1 6-3

Example: Verification Conditions (Con t) ρ τ : x 0 y = x + y x = x ϕ: y = 3 ψ: y = x + 3 Then {ϕ} τ {ψ}: x 0 y = x + y x = x y = 3 ρ τ ϕ y = x + 3 ψ 6-4

Verification Conditions (Con t) for τ T in P {ϕ}τ{ψ}: ρ τ ϕ ψ τ leads from ϕ to ψ in P for T in P {ϕ}t {ψ}: {ϕ}τ{ψ} for every τ T T leads from ϕ to ψ in P Claim (Verification Condition) If {ϕ}τ{ψ} is P-state valid, then every τ-successor of a ϕ-state is a ψ-state. 6-5

Verification Conditions (Con t) Special Cases while, conditional ρ τ : ρ t τ ρf τ {ϕ}τ t {ψ}: ρ t τ ϕ ψ {ϕ}τ f {ψ}: ρ f τ ϕ ψ {ϕ}τ{ψ} : {ϕ}τ t {ψ} {ϕ}τ f {ψ} idle {ϕ}τ I {ϕ}: ρ τi ϕ ϕ always valid, since ρ τi v = v for all v V, so ϕ = ϕ. 6-6

Verification Conditions (Con t) Substituted Form of Verification Condition Transition relation can be written as ρ τ : C τ (V = E) where C τ : enabling condition V : primed variable list E: expression list The substituted form of verification condition {ϕ}τ{ψ}: where ψ[e/v ]: C τ ϕ ψ[e/v ] Note: No primed variables! replace each variable v V in ψ by the corresponding e E The substituted form of a verification condition is P-state valid iff the standard form is 6-7

Verification Conditions (Con t) Example: ρ τ : x 0 y = x + y x = x ϕ : y = 3 ψ : y = x + 3 Standard x 0 y = x + y x = x y = 3 ρ τ ϕ y = x + 3 ψ Substituted } x {{ 0 } y = 3 C τ ϕ x + y = x + 3 ψ[e/v ] 6-8

Verification Conditions (Con t) Example: ϕ: x = y ψ: x = y + 1 ρ τ : x } {{ 0 } (x, y ) = (x + 1, y) C τ V E The substituted form of {ϕ}τ{ψ} is x 0 C τ or equivalently x = y ϕ (x = y + 1)[(x + 1, y)/(x, y)] ψ[e/v ] x 0 x = y x + 1 = y + 1 6-9

Simplifying Control Expressions move(l 1, L 2 ): L 1 π π = (π L 1 ) L 2 e.g., for L 1 = {l 1 }, L 2 = {l 2 } move(l 1, l 2 ): l 1 π π = (π {l 1 }) {l 2 } Consequences implied by move(l 1, L 2 ): for every [l] L 1 at l = t (i.e., [l] π) for every [l] L 2 at l = t (i.e., [l] π ) for every [l] L 1 L 2 at l = t (i.e., [l] π) and at l = f (i.e., [l] π ) for every l / L 1 L 2 at l = at l (i.e., [l] π, π or [l] π, π ) 6-10

Proving invariance properties: P Õ ¼ q We want to show that for every computation of P σ : s 0, s 1, s 2,... assertion q holds in every state s j, j 0, i.e., s j Õ q. Recall: A sequence σ : s 0, s 1, s 2,... is a computation if the following hold (from Chapter 0): 1. Initiality: s 0 Õ Θ 2. Consecution: For each j 0, s j+1 is a τ-successor of s j for some τ T (s j+1 τ(s j )) 3, 4. Fairness conditions are respected. Note: Truth of safety properties over programs does not depend on fairness conditions. 6-11

Proving invariance properties (Con t) This definition suggests a way to prove invariance properties ¼ q: 1. Base case: Prove that q holds initially Θ q i.e., q holds at s 0. 2. Inductive step: prove that q is preserved by all transitions q ρ τ q {q}τ{q} for all τ T i.e., if q holds at s j, then it holds at every τ-successor s j+1. 6-12

Rule B-INV (basic invariance) Show P Õ ¼ q (i.e. q is P-invariant) For assertion q, B1. P Õ Θ q B2. P Õ {q} T {q} P Õ ¼ q where B2 stands for P Õ {q} τ {q} for every τ T The rule states that if we can prove the P-state validity of Θ q and {q}t {q} then we can conclude that ¼ q is P-valid. Thus the proof of a temporal property is reduced to the proof of 1 + T first-order verification conditions. 6-13

Example 1: request-release local x: integer where x = 1 l 0 : request x l 1 : critical l 2 : release x l 3 : Θ: x = 1 π = {l 0 } T : {τ I, τ l0, τ l1, τ l2 } Prove using b-inv. P Õ ¼ x 0 q 6-14

Example 1: request-release (Con t) B1: x = 1 π = {l 0 } B2: Θ x 0 q holds since x = 1 x 0 τ l0 : x 0 q move(l 0, l 1 ) x > 0 x = x 1 x } {{ 0 } ρ τl0 holds since x > 0 x 1 0 τ l1 : x 0 q move(l 1, l 2 ) x = x x } {{ 0 } ρ τl1 holds since x 0 x 0 τ l2 : x 0 q move(l 2, l 3 ) x = x + 1 x } {{ 0 } ρ τl2 holds since x 0 x + 1 0 q q q 6-15

Example 1: request-release (Con t) local x: integer where x = 1 l 0 : request x l 1 : critical l 2 : release x l 3 : We proved using b-inv. P Õ ¼ x 0 Now we want to prove P Õ ¼ (at l 1 x = 0) q 6-16

Example 1: request-release (Con t) Attempted proof: B1: x = 1 π = {l 0 } Θ (at l 1 x = 0) holds since π = {l 0 } at l 1 = f B2: {q}τ l0 {q} at l 1 x = 0 q q move(l 0, l 1 ) x > 0 x = x 1 ρ τl0 at l 1 x = 0 q We have move(l 0, l 1 ) at l 1 = f, at l 1 = t BUT (f x = 0) x > 0 x = x 1 (t x = 0) Cannot prove: not state-valid What is the problem? We need a stronger rule. 6-17

Strategies for invariance proofs For assertion q, Rule b-inv (basic invariance) B1. P Õ Θ q B2. P Õ {q} T {q} P Õ ¼ q q is inductive if B1 and B2 are (state) valid By rule b-inv, every inductive assertion q is P-invariant The converse is not true Example: In request-release at l 1 x = 0 is P-invariant, but not inductive 6-18

Rule b-inv(con t) The problem is: The invariant is not inductive i.e., it is not strong enough to be preserved by all transitions. Another way to look at it is to observe that {q} τ l0 {q} is not state valid, but it is P-state valid, i.e., it is true in all P-accessible states, since in all P-accessible states x = 1 when at location l 0. This suggests two strategies to overcome this problem: strengthening incremental proof 6-19

Strategy 1: Strengthening Find a stronger assertion ϕ that is inductive and implies the assertion q we want to prove. q ϕ τ 00 11 0000 1111 0000 1111 0000 1111 P-accessible Σ In Chapter 2 it will be shown that there always exists such an assertion ϕ. 6-20

Example: To show Strategy 1: Strengthening (Con t) strengthen q to ¼ (at l 1 x = 0) q ϕ : (at l 1 x = 0) (at l 0 x = 1) and show ¼ (at l 1 x = 0) (at l 0 x = 1) ϕ by rule b-inv. 6-21

Strategy 1: Strengthening (Con t) The strengthening strategy relies on the following rule, mon-i, which, combined with b-inv leads to the general invariance rule inv. Rule mon-i (Monotonicity) For assertions q 1, q 2, P Õ ¼ q 1 P Õ q 1 q 2 P Õ ¼ q 2 6-22

Strategy 1: Strengthening (Con t) Rule inv (general invariance) For assertions q, ϕ I1. P Õ ϕ q I2. P Õ Θ ϕ I3. P Õ {ϕ} T {ϕ} P Õ ¼ q 6-23

Soundness: If we manage to prove ¼ q using the inv rule for some program P, is q really an invariant for the program? We can prove that this is indeed the case. So inv rule is sound. Completeness: What if q is an invariant for a program P but there is no way of proving it under the inv rule? We can prove that this never happens. There always exists an appropriate ϕ. In other words inv rule is complete. 6-24

Strategy 1: Strengthening (Con t) Motivation: P Õ ¼ ϕ (by I2 and I3) P Õ ϕ q (by I1) Therefore, P Õ ¼ q (by mon-i) i.e., this rule requires that ¼ ϕ holds and ϕ implies q, then ¼ q can be concluded to hold by monotonicity. 6-25

Control Invariants Some control invariants that can always be used (without mentioning them) conflict: for labels l i, l j that are in conflict (i.e., not L, not parallel): ¼ (at l i at l j ) somewhere: for the set of labels L i in a top-level process: ¼ l L i at l equal: for labels l, m, s.t. l L m: ¼ (at l at m) 6-26

Control Invariants (Con t) parallel: for substatement [S 1 S 2 ]: ¼ (in S 1 in S 2 ) i.e, if control is in S 1 it must also be in S 2 and vice versa. Example: Using the invariant conflict, move(l 2, l 3 ) implies l 0 π, l 1 π, l 3 π l 0 π, l 1 π, l 2 π 6-27

Example: Strategy 1: Strengthening (Con t) We proposed the strengthened invariant ϕ : (at l 0 x = 1) (at l 1 x = 0) Consider {ϕ} τ l0 {ϕ}: (at l 0 x = 1) (at l 1 x = 0) ϕ move(l 0, l 1 ) x > 0 x = x 1 ρ τl0 (at l 0 x = 1) (at l 1 x = 0) ϕ move(l 0, l 1 ) implies l 0 π, l 1 π, l 1 π, l 0 π Therefore (t x = 1) (f...)... x = x 1... (f...) (t x = 0) holds. 6-28

Strategy 1: Strengthening (Con t) Example (Con t): Consider {ϕ} τ l2 {ϕ}: (at l 0 x = 1) (at l 1 x = 0) ϕ move(l 2, l 3 ) x = x + 1 ρ τl2 (at l 0 x = 1) (at l 1 x = 0) ϕ move(l 2, l 3 ) implies l 3 π and by conflict invariants l 0, l 1 π. Therefore...... (f x = 1) (f x = 0) holds. {ϕ} τ l2 {ϕ} is not state-valid, but it is P-state valid. Why? 6-29

Strategy 2: Incremental proof Use previously proven invariances χ to exclude parts of the state space from consideration. Σ χ q τ P-accessible 6-30

Strategy 2: Incremental proof (Con t) Example: To show ¼ (at l 1 x = 0) q prove first (separately) by rule b-inv then show ¼ (at l 0 x = 1), χ ¼ (at l 1 x = 0) q by rule b-inv, but add the conjunct at l 0 x = 1 to the antecedent of all verification conditions. (Example continues...) 6-31

Strategy 2: Incremental proof (Con t) Example: (cont d) e.g., to show {χ q}τ l0 {q}, prove at l 0 x = 1 χ at l 1 x = 0 q move(l 0, l 1 ) x > 0 x = x 1 ρ τl0 at l 1 x = 0 q 6-32

Strategy 2: Incremental proof (Con t) In an incremental proof we use previously proven properties to eliminate parts of the state space (non P-accessible states) from consideration, relying on the following rules: Rule sv-psv: from state validities to P-state validities For assertions q 1, q 2 and χ, P Õ ¼ χ P Õ χ q 1 q 2 P Õ ¼ (q 1 q 2 ) Rule i-con: Conjunction For assertions q 1 and q 2, P Õ ¼ q 1 P Õ ¼ q 2 P Õ ¼ (q 1 q 2 ) 6-33

Strategy 2: Incremental proof (Con t) Example: Program mux-sem (mutual exclusion by semaphores) P 1 :: l 0 : loop forever do l 1 : noncritical l 2 : request y l 3 : critical l 4 : release y local y: integer where y = 1 P 2 :: m 0 : loop forever do m 1 : noncritical m 2 : request y m 3 : critical m 4 : release y Prove mutual exclusion ¼ (at l 3 at m 3 ) q 6-34

Program mux-sem (Con t) 3 steps: ¼ (y 0) ϕ 1 ¼ (at l 3,4 + at m 3,4 + y = 1) ϕ 2 ¼ (at l 3 at m 3 ) p where f = 0,t = 1. Let π l : π {l 0,..., l 4 } π m : π {m 0,..., m 4 } By control invariants (conflict, somewhere and parallel) π l = π m = 1 6-35

Program mux-sem (Con t) Step 1: ¼ (y 0) ϕ 1 by rule b-inv B1. π = {l 0, m 0 } y = 1 Θ y 0 ϕ 1 B2. ρ τ y 0 y 0 check only l 2, l 4, m 2, m 4 ( y-modifiable transitions ) 6-36

Program mux-sem (Con t) l 2 : move(l 2, l 3 ) y > 0 y = y 1 y 0 ρ τ ϕ holds since y > 0 y 1 0 y 0 ϕ l 4 : move(l 4, l 0 ) y = y+1 y 0 ρ τ ϕ y 0 ϕ holds since y 0 y+1 0. Similarly for m 2, m 4. 6-37

Program mux-sem (Con t) Step 2: ¼ (at l 3,4 + at m 3,4 + y = 1) ϕ 2 by rule b-inv B1. π = {l 0, m 0 } y = 1 Θ at l 3,4 + at m 3,4 + y = 1 0 0 1 ϕ 2 6-38

Program mux-sem (Con t) B2. ρ τ ϕ 2 ϕ 2 ρ l0 0 + at m 3,4 + y = 1 0 + at m 3,4 + y = 1 ρ l1 0 + at m 3,4 + y = 1 0 + at m 3,4 + y = 1 ρ l2 0 + at m 3,4 + y = 1 1 + at m 3,4 + (y 1) = 1 ρ l3 1 + at m 3,4 + y = 1 1 + at m 3,4 + y = 1 ρ l4 1 + at m 3,4 + y = 1 0 +at m 3,4 +(y+1) = 1 at l 3,4 at y m 3,4 6-39

Program mux-sem (Con t) Step 3: Show P Õ ¼ (at l 3 at m 3 ) q By i-con P Õ ¼ ϕ 1, P Õ ¼ ϕ 2 P Õ ¼ (ϕ 1 ϕ 2 ) By mon-i P Õ ¼ (ϕ 1 ϕ 2 ) P Õ y 0 at l 3,4 + at m 3,4 + y = 1 ϕ 1 ϕ 2 (at l 3 at m 3 ) q P Õ ¼ (at l 3 at m 3 ) q 6-40

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback