Program Analysis and Verification


Program Analysis and Verification (0368-4479)
Noam Rinetzky
Lecture 4: Axiomatic Semantics
Slides credit: Tom Ball, Dawson Engler, Roman Manevich, Erik Poll, Mooly Sagiv, Jean Souyris, Eran Tromer, Avishai Wool, Eran Yahav

Natural semantics for While

[ass ns]    ⟨x := a, s⟩ → s[x ↦ A⟦a⟧s]
[skip ns]   ⟨skip, s⟩ → s
[comp ns]   ⟨S1, s⟩ → s',  ⟨S2, s'⟩ → s''
            ------------------------------
                 ⟨S1 ; S2, s⟩ → s''
[if tt ns]  ⟨S1, s⟩ → s'
            ----------------------------------   if B⟦b⟧s = tt
            ⟨if b then S1 else S2, s⟩ → s'
[if ff ns]  ⟨S2, s⟩ → s'
            ----------------------------------   if B⟦b⟧s = ff
            ⟨if b then S1 else S2, s⟩ → s'

[while ff ns]  ⟨while b do S, s⟩ → s   if B⟦b⟧s = ff
[while tt ns]  ⟨S, s⟩ → s',  ⟨while b do S, s'⟩ → s''
               -------------------------------------   if B⟦b⟧s = tt
                      ⟨while b do S, s⟩ → s''

Axiomatic semantics for While

[ass p]    { P[a/x] } x := a { P }
[skip p]   { P } skip { P }
[comp p]   { P } S1 { Q },  { Q } S2 { R }
           ------------------------------
                { P } S1 ; S2 { R }
[if p]     { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
           ---------------------------------------
              { P } if b then S1 else S2 { Q }
[while p]  { b ∧ P } S { P }
           -------------------------------
           { P } while b do S { ¬b ∧ P }
[cons p]   { P' } S { Q' }
           ----------------   if P ⇒ P' and Q' ⇒ Q
           { P } S { Q }

Assertions, a.k.a. Hoare triples

{ P } C { Q }
  P: precondition
  C: statement, a.k.a. command
  Q: postcondition
P and Q are state predicates. Example: x>0
If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts.
C is not required to always terminate: {true} while true do skip {false}

Valid assertions

We say that { P } C { Q } is valid if for all states s, if s ⊨ P and ⟨C, s⟩ → s' then s' ⊨ Q.
Denoted by ⊨p { P } C { Q }
(Diagram on the slide: C maps the set of states satisfying P, C(P), into the set of states satisfying Q.)

Assignment rule

[ass p]  { P[a/x] } x := a { P }
A backwards rule; x := a always finishes.
Why is this true? Recall the operational semantics: [ass ns] ⟨x := a, s⟩ → s[x ↦ A⟦a⟧s], and if s ⊨ P[a/x] then s[x ↦ A⟦a⟧s] ⊨ P.
Example: {y*z<9} x:=y*z {x<9}
What about {y*z<9 ∧ w=5} x:=y*z {w=5}?

Assignment rule (forward)

[ass p]  { P } x := a { ∃v. P[v/x] ∧ x=a[v/x] }
A forward rule; x := a always finishes.
Why is this true? If s ⊨ P then s[v ↦ s x] ⊨ P[v/x]

skip rule

[skip p]   { P } skip { P }
[skip ns]  ⟨skip, s⟩ → s

Composition rule

[comp p]   { P } S1 { Q },  { Q } S2 { R }
           ------------------------------
                { P } S1 ; S2 { R }
[comp ns]  ⟨S1, s⟩ → s',  ⟨S2, s'⟩ → s''
           ------------------------------
                ⟨S1 ; S2, s⟩ → s''
Holds when S1 terminates in every state where P holds and then Q holds, and S2 terminates in every state where Q holds and then R holds.

Condition rule

[if p]  { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
        ---------------------------------------
           { P } if b then S1 else S2 { Q }
[if tt ns]  ⟨S1, s⟩ → s'  /  ⟨if b then S1 else S2, s⟩ → s'   if B⟦b⟧s = tt
[if ff ns]  ⟨S2, s⟩ → s'  /  ⟨if b then S1 else S2, s⟩ → s'   if B⟦b⟧s = ff

Loop rule

[while p]  { b ∧ P } S { P }
           -------------------------------
           { P } while b do S { ¬b ∧ P }
[while ff ns]  ⟨while b do S, s⟩ → s   if B⟦b⟧s = ff
[while tt ns]  ⟨S, s⟩ → s',  ⟨while b do S, s'⟩ → s''  /  ⟨while b do S, s⟩ → s''   if B⟦b⟧s = tt
Here P is called an invariant for the loop: it holds before and after each loop iteration.
Finding loop invariants is the most challenging part of proofs.
When the loop finishes, b is false.

Rule of consequence

[cons p]  { P' } S { Q' }
          ----------------   if P ⇒ P' and Q' ⇒ Q
          { P } S { Q }
Allows strengthening the precondition and weakening the postcondition.
The only rule that is not sensitive to the form of the statement.
Why do we need it? It allows deriving
  {y*z<9 ∧ w=5} x:=y*z {x<10}
from
  {y*z<9} x:=y*z {x<9}

Axiomatic semantics for While (summary)

An axiom for every primitive statement:
[ass p]    { P[a/x] } x := a { P }
[skip p]   { P } skip { P }
An inference rule for every composed statement:
[comp p]   { P } S1 { Q },  { Q } S2 { R }  /  { P } S1 ; S2 { R }
[if p]     { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }  /  { P } if b then S1 else S2 { Q }
[while p]  { b ∧ P } S { P }  /  { P } while b do S { ¬b ∧ P }
[cons p]   { P' } S { Q' }  /  { P } S { Q }   if P ⇒ P' and Q' ⇒ Q

Properties of the semantics

Equivalence: what is the analog of program equivalence in axiomatic verification?
Soundness: can we prove incorrect properties?
Completeness: is there something we can't prove?


Soundness and completeness

The inference system is sound: ⊢p { P } C { Q } implies ⊨p { P } C { Q }
The inference system is complete: ⊨p { P } C { Q } implies ⊢p { P } C { Q }

Hoare logic is sound and (relatively) complete
Soundness: ⊢p { P } C { Q } implies ⊨p { P } C { Q }
(Relative) completeness: ⊨p { P } C { Q } implies ⊢p { P } C { Q }, provided we can prove any implication R ⇒ R'
FYI, nobody tells us how to find a proof.

Is there an algorithm?

{ x=n }
y := 1;
{ x>0 ∧ y*x! = n! ∧ n ≥ x }
while (x ≠ 1) do
  { x-1>0 ∧ (y*x)*(x-1)! = n! ∧ n ≥ (x-1) }
  y := y*x;
  { x-1>0 ∧ y*(x-1)! = n! ∧ n ≥ (x-1) }
  x := x-1
{ y*x! = n! ∧ n>0 }
Annotated programs provide a compact representation of inference trees.


Predicate Transformers

Weakest liberal precondition

A backward-going predicate transformer.
The weakest liberal precondition for Q: s ⊨ wlp(C, Q) if and only if for all states s', if ⟨C, s⟩ → s' then s' ⊨ Q
Propositions:
1. ⊨p { wlp(C, Q) } C { Q }
2. If ⊨p { P } C { Q } then P ⇒ wlp(C, Q)

Strongest postcondition

A forward-going predicate transformer.
The strongest postcondition for P: s' ⊨ sp(P, C) if and only if there exists s such that ⟨C, s⟩ → s' and s ⊨ P
1. ⊨p { P } C { sp(P, C) }
2. If ⊨p { P } C { Q } then sp(P, C) ⇒ Q

Predicate transformer semantics

wlp and sp can be seen as functions that transform predicates to other predicates:
wlp⟦C⟧ : Predicate → Predicate    { P } C { Q } if and only if wlp⟦C⟧ Q = P
sp⟦C⟧ : Predicate → Predicate     { P } C { Q } if and only if sp⟦C⟧ P = Q

Hoare logic is (relatively) complete

Proving that ⊨p { P } C { Q } implies ⊢p { P } C { Q } is the same as proving ⊢p { wlp(C, Q) } C { Q }:
suppose that ⊨p { P } C { Q }; then (from proposition 2) P ⇒ wlp(C, Q), and
[cons p]  { wlp(C, Q) } S { Q }  /  { P } S { Q }

Calculating wlp

1. wlp(skip, Q) = Q
2. wlp(x := a, Q) = Q[a/x]
3. wlp(S1 ; S2, Q) = wlp(S1, wlp(S2, Q))
4. wlp(if b then S1 else S2, Q) = (b ∧ wlp(S1, Q)) ∨ (¬b ∧ wlp(S2, Q))
5. wlp(while b do S, Q) = ?   hard to capture

Calculating wlp of a loop

Idea: we know the following statements are semantically equivalent:
  while b do S
  if b then (S; while b do S) else skip
Let's try to substitute and calculate:
  wlp(while b do S, Q)
  = wlp(if b then (S; while b do S) else skip, Q)
  = (b ∧ wlp(S; while b do S, Q)) ∨ (¬b ∧ wlp(skip, Q))
  = (b ∧ wlp(S, wlp(while b do S, Q))) ∨ (¬b ∧ Q)
We have a recurrence; its solution is the loop invariant:
  LoopInv = (b ∧ wlp(S, LoopInv)) ∨ (¬b ∧ Q)

Prove the following triple

{ timer ≥ 0 } while (timer > 0) do timer := timer - 1 { timer = 0 }
LoopInv = (b ∧ wlp(S, LoopInv)) ∨ (¬b ∧ Q)
Let's substitute LoopInv with timer ≥ 0 and show that timer ≥ 0 is equal to
  (timer>0 ∧ wlp(timer:=timer-1, timer ≥ 0)) ∨ (timer ≤ 0 ∧ timer=0)
  = (timer>0 ∧ (timer ≥ 0)[timer-1/timer]) ∨ (timer ≤ 0 ∧ timer=0)
  = (timer>0 ∧ timer-1 ≥ 0) ∨ (timer ≤ 0 ∧ timer=0)
  = timer>0 ∨ timer=0
  = timer ≥ 0

Issues with wlp-based proofs

Requires backwards reasoning, which is not very intuitive.
Backward reasoning is non-deterministic; this causes problems when While is extended with dynamically allocated heaps (aliasing).
Also, a few more rules will be helpful.

Conjunction rule

[conj p]  { P } S { Q },  { P' } S { Q' }
          -------------------------------
             { P ∧ P' } S { Q ∧ Q' }
Not necessary (for completeness) but practically useful.
Starting point of extending Hoare logic to handle parallelism.
Related to Cartesian abstraction; we will point this out when we learn it.

Structural rules

[disj p]   { P } C { Q },  { P' } C { Q' }  /  { P ∨ P' } C { Q ∨ Q' }
[exist p]  { P } C { Q }  /  { ∃v. P } C { ∃v. Q }   if v ∉ FV(C)
[univ p]   { P } C { Q }  /  { ∀v. P } C { ∀v. Q }   if v ∉ FV(C)
[Inv p]    { F } C { F }   if Mod(C) ∩ FV(F) = {}
Mod(C) = set of variables assigned to in sub-statements of C
FV(F) = free variables of F

Invariance + Conjunction = Constancy

[constancy p]  { P } C { Q }  /  { F ∧ P } C { F ∧ Q }   if Mod(C) ∩ FV(F) = {}
Mod(C) = set of variables assigned to in sub-statements of C
FV(F) = free variables of F

Floyd's strongest postcondition rule

[ass Floyd]  { P } x := a { ∃v. x=a[v/x] ∧ P[v/x] }   where v is a fresh variable
Example: { z=x } x:=x+1 { ∃v. x=v+1 ∧ z=v }
This rule is often considered problematic because it introduces a quantifier that needs to be eliminated further on.
We will now see a variant of this rule.

Small assignment axiom

Create an explicit Skolem variable in the precondition. First evaluate a in the precondition state (as a may access x), then assign the resulting value to x.
[ass floyd]  { x=v } x:=a { x=a[v/x] }   where v ∉ FV(a)
Examples:
  {x=n} x:=5*y {x=5*y}
  {x=n} x:=x+1 {x=n+1}
  {x=y} x:=y+1 {x=y+1}
  {x=n} x:=y+1 {x=y+1}
  [exist p]      { ∃n. x=n } x:=y+1 { ∃n. x=y+1 }, therefore {true} x:=y+1 {x=y+1}
  [constancy p]  {z=9} x:=y+1 {z=9 ∧ x=y+1}


Example 1: Absolute value program

{ } if x<0 then x := -x else skip { }

Absolute value program (annotated)

{ x=v }
if x<0 then
  { x=v ∧ x<0 }
  x := -x
  { x=-v ∧ x>0 }
else
  { x=v ∧ x≥0 }
  skip
  { x=v ∧ x≥0 }
{ (v<0 ∧ x=-v) ∨ (v≥0 ∧ x=v) }
{ x=|v| }

Example 2: Variable swap program

{ } t := x; x := y; y := t { }

Variable swap program (annotated)

{ x=a ∧ y=b }
t := x
{ x=a ∧ y=b ∧ t=a }
x := y
{ x=b ∧ y=b ∧ t=a }
y := t
{ x=b ∧ y=a ∧ t=a }
{ x=b ∧ y=a }   // cons
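As an added example that is not part of the lecture slides, the following Python implements the syntactic wlp rules for loop-free statements, checks the loop-invariant recurrence for the timer loop on a finite range of states, and mechanically confirms the annotated absolute-value and swap proofs; the tuple encoding of expressions and statements and all helper names are assumptions of this example.

```python
"""Syntactic wlp for loop-free While statements, plus a finite-model check of
the loop-invariant recurrence LoopInv = (b and wlp(S, LoopInv)) or (not b and Q).
Expressions/assertions: ('num', n) | ('var', x) | ('not', e) | (op, e1, e2) with
op in + - * = < <= > >= and or.  Statements: ('skip',) | ('assign', x, a)
| ('seq', s1, s2) | ('if', b, s1, s2).  This encoding is an assumption here."""
import itertools

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
       '=': lambda a, b: a == b, '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
       '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
       'and': lambda a, b: a and b, 'or': lambda a, b: a or b}

def V(x): return ('var', x)
def N(n): return ('num', n)

def subst(e, x, a):
    """e[a/x]: replace every occurrence of variable x in e by expression a."""
    if e[0] in ('num', 'var'):
        return a if e == ('var', x) else e
    if e[0] == 'not':
        return ('not', subst(e[1], x, a))
    return (e[0], subst(e[1], x, a), subst(e[2], x, a))

def wlp(stmt, q):
    """The four syntactic wlp rules; loops go through loop_invariant_ok below."""
    kind = stmt[0]
    if kind == 'skip':
        return q                                   # wlp(skip, Q) = Q
    if kind == 'assign':
        return subst(q, stmt[1], stmt[2])          # wlp(x := a, Q) = Q[a/x]
    if kind == 'seq':
        return wlp(stmt[1], wlp(stmt[2], q))      # wlp(S1, wlp(S2, Q))
    if kind == 'if':                               # (b and wlp(S1,Q)) or (not b and wlp(S2,Q))
        b, s1, s2 = stmt[1:]
        return ('or', ('and', b, wlp(s1, q)), ('and', ('not', b), wlp(s2, q)))
    raise ValueError("no syntactic wlp for " + kind)

def evaluate(e, s):
    """Value of expression/assertion e in state s (a dict from names to ints)."""
    if e[0] == 'num':
        return e[1]
    if e[0] == 'var':
        return s[e[1]]
    if e[0] == 'not':
        return not evaluate(e[1], s)
    return OPS[e[0]](evaluate(e[1], s), evaluate(e[2], s))

def states(names, lo=-4, hi=4):
    """Every state giving each name a value in lo..hi: the finite model we check."""
    for vals in itertools.product(range(lo, hi + 1), repeat=len(names)):
        yield dict(zip(names, vals))

def implies_everywhere(p, q, names):
    return all(evaluate(q, s) for s in states(names) if evaluate(p, s))

def loop_invariant_ok(inv, b, body, q, names):
    """Is inv a solution of LoopInv = (b and wlp(body, LoopInv)) or (not b and q)?"""
    rhs = ('or', ('and', b, wlp(body, inv)), ('and', ('not', b), q))
    return all(evaluate(inv, s) == evaluate(rhs, s) for s in states(names))

# { timer >= 0 } while timer > 0 do timer := timer - 1 { timer = 0 }
DEC = ('assign', 'timer', ('-', V('timer'), N(1)))
TIMER_OK = loop_invariant_ok(('>=', V('timer'), N(0)), ('>', V('timer'), N(0)),
                             DEC, ('=', V('timer'), N(0)), ['timer'])
TIMER_STRONG_OK = loop_invariant_ok(('>', V('timer'), N(0)), ('>', V('timer'), N(0)),
                                    DEC, ('=', V('timer'), N(0)), ['timer'])  # fails at timer = 1

# Example 2: wlp(t := x; x := y; y := t, x=b and y=a) comes out as y=b and x=a.
SWAP = ('seq', ('assign', 't', V('x')),
        ('seq', ('assign', 'x', V('y')), ('assign', 'y', V('t'))))
SWAP_WLP = wlp(SWAP, ('and', ('=', V('x'), V('b')), ('=', V('y'), V('a'))))

# Example 1: x=v implies wlp(if x<0 then x := -x else skip, x=|v|), where x=|v|
# is spelled out as (v<0 and x=-v) or (v>=0 and x=v); 'true' alone does not.
ABS = ('if', ('<', V('x'), N(0)), ('assign', 'x', ('-', N(0), V('x'))), ('skip',))
ABS_POST = ('or', ('and', ('<', V('v'), N(0)), ('=', V('x'), ('-', N(0), V('v')))),
                  ('and', ('>=', V('v'), N(0)), ('=', V('x'), V('v'))))
ABS_OK = implies_everywhere(('=', V('x'), V('v')), wlp(ABS, ABS_POST), ['x', 'v'])
ABS_FROM_TRUE = implies_everywhere(('=', N(0), N(0)), wlp(ABS, ABS_POST), ['x', 'v'])
```

The finite range only refutes candidate invariants; agreement on it is evidence, not a proof, so the symbolic calculation above remains the argument.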

Example 3: Axiomatizing data types

S ::= x := a | x := y[a] | y[a] := x | skip | S1 ; S2 | if b then S1 else S2 | while b do S
We added a new type of variables: array variables.
Model an array variable as a function y : Z → Z.
We need the two following axioms:
  { y[x ↦ a](x) = a }
  { z ≠ x ⇒ y[x ↦ a](z) = y(z) }

Array update rules (wp)

S ::= x := a | x := y[a] | y[a] := x | skip | S1 ; S2 | if b then S1 else S2 | while b do S
A very general approach that allows handling many data types.
Treat an array assignment y[a] := x as an update to the array function y: y := y[a ↦ x], meaning y' = λv. v=a ? x : y(v)
[array-update]  { P[y[a ↦ x]/y] } y[a] := x { P }
[array-load]    { P[y(a)/x] } x := y[a] { P }

Array update rules (wp): examples

[array-update]  { P[y[a ↦ x]/y] } y[a] := x { P }
  {x=y[i ↦ 7](i)} y[i]:=7 {x=y(i)}, i.e. {x=7} y[i]:=7 {x=y(i)}
[array-load]    { P[y(a)/x] } x := y[a] { P }
  {y(a)=7} x:=y[a] {x=7}

Array update rules (sp)

In both rules v, g, and b are fresh.
[array-update F]  { x=v ∧ y=g ∧ a=b } y[a] := x { y=g[b ↦ v] }
[array-load F]    { y=g ∧ a=b } x := y[a] { x=g(b) }

Array-max program

nums : array
N : int   // N stands for nums' length
{ N ≥ 0 ∧ nums=orig_nums }
x := 0
res := nums[0]
while x < N
  if nums[x] > res then
    res := nums[x]
  x := x + 1

Post 1: { x=N }
Post 2: { nums=orig_nums }
Post 3: { ∀m. 0 ≤ m < N ⇒ nums(m) ≤ res }
Post 4: { ∃m. 0 ≤ m < N ∧ nums(m)=res }

Summary

C                          programming language
P                          assertions
{P} C {Q}                  judgments
{ P[a/x] } x := a { P }    proof rules
Soundness, Completeness
{x = N} y := factorial(x) {y = N!}   proofs

Extensions to axiomatic semantics

Procedures
Total correctness assertions
Assertions for execution time: exact time; order of magnitude time
Assertions for dynamic memory: Separation Logic
Assertions for parallelism: Owicki-Gries; Concurrent Separation Logic; Rely-guarantee

Concurrency Operational Semantics

While + Concurrency

Abstract syntax:
a ::= n | x | a1 + a2 | a1 * a2 | a1 - a2
b ::= true | false | a1 = a2 | a1 ≤ a2 | ¬b | b1 ∧ b2
S ::= x := a | skip | S1 ; S2 | if b then S1 else S2 | while b do S | cobegin S1 ∥ ... ∥ Sn coend

cobegin S1 ∥ ... ∥ Sn coend: all the interleavings of S1 ... Sn are executed.
Example: cobegin x:=1 ∥ (x:=2; x:=x+2) coend
Possible outcomes for x: 1, 3, 4

While + parallelism: structural semantics

[par 1 sos]  ⟨S1, s⟩ ⇒ ⟨S1', s'⟩  /  ⟨S1 ∥ S2, s⟩ ⇒ ⟨S1' ∥ S2, s'⟩
[par 2 sos]  ⟨S1, s⟩ ⇒ s'  /  ⟨S1 ∥ S2, s⟩ ⇒ ⟨S2, s'⟩
[par 3 sos]  ⟨S2, s⟩ ⇒ ⟨S2', s'⟩  /  ⟨S1 ∥ S2, s⟩ ⇒ ⟨S1 ∥ S2', s'⟩
[par 4 sos]  ⟨S2, s⟩ ⇒ s'  /  ⟨S1 ∥ S2, s⟩ ⇒ ⟨S1, s'⟩

Example: derivation sequences of the parallel statement ⟨x:=1 ∥ (x:=2; x:=x+2), s⟩ (the derivation sequences were drawn on the slide).
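The derivation sequences of the cobegin example above can be enumerated by hand for three steps; the following Python is an added example (not from the slides) that enumerates every interleaving of atomic assignments, replays each one, and collects the reachable final values. It also goes one step beyond the slide with a constructed two-increment example that shows how a non-atomic increment adds a lost-update outcome. The thread encoding (a list of (variable, right-hand-side function) steps) is an assumption of this example.

```python
"""All derivation sequences of cobegin S1 || ... || Sn coend where each Si is a
list of atomic assignments, and the set of final values they can produce.
The thread encoding (var, rhs-function) is an assumption of this example."""

def interleavings(threads):
    """Yield every interleaving as a list of (thread index, atomic step) pairs;
    each thread's own steps keep their order."""
    if all(len(t) == 0 for t in threads):
        yield []
        return
    for i, body in enumerate(threads):
        if body:                               # schedule this thread's next step
            rest = threads[:i] + [body[1:]] + threads[i + 1:]
            for tail in interleavings(rest):
                yield [(i, body[0])] + tail

def derivation(schedule, init):
    """States visited along one derivation sequence, starting from init."""
    s, trace = dict(init), [dict(init)]
    for _, (var, rhs) in schedule:             # an atomic step: var := rhs(state)
        s[var] = rhs(s)
        trace.append(dict(s))
    return trace

def outcomes(threads, init, var):
    """Final values of var over all derivation sequences (all interleavings)."""
    return {derivation(sched, init)[-1][var] for sched in interleavings(threads)}

# The slide's example: cobegin x:=1 || (x:=2; x:=x+2) coend, started from x = 0.
T1 = [('x', lambda s: 1)]
T2 = [('x', lambda s: 2), ('x', lambda s: s['x'] + 2)]
SCHEDULES = list(interleavings([T1, T2]))             # three derivation sequences
COBEGIN_OUTCOMES = outcomes([T1, T2], {'x': 0}, 'x')  # {1, 3, 4}

# Constructed ext<br>ension (beyond the slide): two threads doing x := x + 1.
# As atomic steps the only outcome is 2; if each increment is a read into a
# private register followed by a write, the lost-update interleavings yield 1.
def inc_atomic():
    return [('x', lambda s: s['x'] + 1)]

def inc_split(reg):
    return [(reg, lambda s: s['x']), ('x', lambda s: s[reg] + 1)]

ATOMIC_INCS = outcomes([inc_atomic(), inc_atomic()], {'x': 0}, 'x')                    # {2}
SPLIT_INCS = outcomes([inc_split('r'), inc_split('q')], {'x': 0, 'r': 0, 'q': 0}, 'x')  # {1, 2}
```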

Concurrency Axiomatic Semantics


Proofs

{ P1 } S1 { Q1 },  { P2 } S2 { Q2 }
-----------------------------------
  { P1 ∧ P2 } S1 ∥ S2 { Q1 ∧ Q2 }
Challenge: interference

Axiomatic Semantics (Hoare Logic) for { P } S1 ∥ S2 { Q }

Disjoint parallelism
Global invariant
Owicki-Gries [PhD '76]
Rely/Guarantee [Jones]

Disjoint Parallelism

{ P1 } S1 { Q1 },  { P2 } S2 { Q2 }
-----------------------------------   if FV(P1,S1,Q1) ∩ FV(P2,S2,Q2) = ∅
  { P1 ∧ P2 } S1 ∥ S2 { Q1 ∧ Q2 }

Global Invariant

I ⊢ { P1 } S1 { Q1 },  I ⊢ { P2 } S2 { Q2 }
-------------------------------------------
   I ⊢ { P1 ∧ P2 } S1 ∥ S2 { Q1 ∧ Q2 }
Side conditions:
  FV(P1,S1,Q1) ∩ FV(P2,S2,Q2) = FV(I)
  FV(P1,Q1) ∩ FV(P2,Q2) = ∅
  FV(Pi,Qi) ∩ FV(I) = ∅ for i=1,2

Meaning of (atomic) commands

A relation between pre-states and post-states.
(Diagram on the slides: a run ⟨S0, s0⟩ → ⟨S1, s1⟩ → ... → s_{n+1}, with the atomic commands c0, c1, ..., cn labelling the steps.)

Intuition: Global Invariant

Every (intermediate) state satisfies the invariant I.
(Diagram: the same run, first with I asserted at every state, then from the thread's point of view.)

Global Invariant

I ⊢ { P } S1 { R },  I ⊢ { R } S2 { Q }
----------------------------------------
        I ⊢ { P } S1 ; S2 { Q }

{ P ∧ I } S { Q ∧ I }
---------------------
   I ⊢ { P } S { Q }

I ⊢ { P1 } S1 { Q1 },  I ⊢ { P2 } S2 { Q2 }
-------------------------------------------
   I ⊢ { P1 ∧ P2 } S1 ∥ S2 { Q1 ∧ Q2 }
Side conditions: FV(P1,S1,Q1) ∩ FV(P2,S2,Q2) = FV(I); FV(P1,Q1) ∩ FV(P2,Q2) = ∅; FV(Pi,Qi) ∩ FV(I) = ∅ for i=1,2

Owicki-Gries Reasoning (Susan Owicki, David Gries)

Owicki-Gries: interference in proofs

A command C with a precondition pre(C) does not interfere with the proof of {P} S {Q} if:
  {Q ∧ pre(C)} C {Q}
  for any sub-statement S' of S: {pre(S') ∧ pre(C)} C {pre(S')}
{P1} C1 {Q1} ... {Pk} Ck {Qk} are interference free if for all i ≠ j and every assignment x:=a in Ci, x:=a does not interfere with {Pj} Cj {Qj}.

Parallel Composition Rule

I ⊢ { P1 } S1 { Q1 },  I ⊢ { P2 } S2 { Q2 }
-------------------------------------------   if the proofs {P1} S1 {Q1}, {P2} S2 {Q2} are interference free
   I ⊢ { P1 ∧ P2 } S1 ∥ S2 { Q1 ∧ Q2 }
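The interference-freedom condition above can be checked by brute force on a finite state space. The following Python is an added example (not from the slides): it encodes a proof outline as an alternating list of assertions and atomic commands, checks each local proof, and then tests every command of one outline against every assertion of the other, exactly as the definition requires. The constructed example shows that two valid local proofs {x=0} x:=x+1 {x=1} interfere with each other while the weaker {x≥0} x:=x+1 {x≥1} proofs do not; the encoding, the state grid and the helper names are assumptions of this example.

```python
"""Owicki-Gries interference-freedom check over a finite state space.
A proof outline is a list alternating assertions and atomic commands:
[A0, c0, A1, c1, ..., Ak]; an assertion is a predicate on a state dict and an
atomic command is (var, rhs).  Encoding and examples are constructed here."""
import itertools

def states(names, lo=0, hi=3):
    """Every state giving each variable a value in lo..hi (the finite model)."""
    for vals in itertools.product(range(lo, hi + 1), repeat=len(names)):
        yield dict(zip(names, vals))

def triple_holds(pre, cmd, post, names):
    """{pre} cmd {post}, checked by running the atomic command from every state."""
    var, rhs = cmd
    for s in states(names):
        if pre(s):
            s2 = dict(s)
            s2[var] = rhs(s)
            if not post(s2):
                return False
    return True

def outline_valid(outline, names):
    """Local proof: each {A_i} c_i {A_i+1} in the outline must hold."""
    return all(triple_holds(outline[k - 1], outline[k], outline[k + 1], names)
               for k in range(1, len(outline), 2))

def interferes(cmd, pre_c, outline, names):
    """cmd (with precondition pre_c) interferes with the outline unless
    {A and pre_c} cmd {A} holds for every assertion A of the outline."""
    return any(not triple_holds(lambda s: A(s) and pre_c(s), cmd, A, names)
               for A in outline[0::2])

def interference_free(outlines, names):
    """No command of outline i may disturb any assertion of outline j (i != j)."""
    for i, oi in enumerate(outlines):
        for j, oj in enumerate(outlines):
            if i != j and any(interferes(oi[k], oi[k - 1], oj, names)
                              for k in range(1, len(oi), 2)):
                return False
    return True

# Constructed example: two threads each running x := x + 1.
INC_X = ('x', lambda s: s['x'] + 1)
STRONG = [lambda s: s['x'] == 0, INC_X, lambda s: s['x'] == 1]   # {x=0} x:=x+1 {x=1}
WEAK = [lambda s: s['x'] >= 0, INC_X, lambda s: s['x'] >= 1]     # {x>=0} x:=x+1 {x>=1}
LOCAL_OK = outline_valid(STRONG, ['x']) and outline_valid(WEAK, ['x'])
# Both local proofs are valid, but the other thread's increment falsifies x=0
# and x=1, so two copies of STRONG cannot be combined by the parallel rule.
STRONG_FREE = interference_free([STRONG, STRONG], ['x'])   # False
WEAK_FREE = interference_free([WEAK, WEAK], ['x'])         # True
# Disjoint variables never interfere: disjoint parallelism is the special case.
INC_Y = ('y', lambda s: s['y'] + 1)
DISJOINT_FREE = interference_free(
    [STRONG, [lambda s: s['y'] == 0, INC_Y, lambda s: s['y'] == 1]], ['x', 'y'])
```

With WEAK the rule yields {x≥0 ∧ x≥0} S1 ∥ S2 {x≥1 ∧ x≥1}, which is sound but weaker than x=2; recovering x=2 is what the auxiliary variables mentioned under the limitations are for.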


Owicki-Gries: limitations

Checking interference can be hard.
Non-compositionality: until you have finished the local proofs you cannot check interference; proofs need to be saved; hard to handle libraries and missing code.
A non-standard meaning of Hoare triples: depends on the interference of other threads with the proof.
Soundness is non-trivial.
Completeness depends on auxiliary variables.

Rely/Guarantee Reasoning (Cliff Jones)

Rely / Guarantee, a.k.a. assume / guarantee (Cliff Jones)
Main idea: modular capture of interference; compositional proofs.

Commands as relations

It is convenient to view the meaning of commands as relations between pre-states and post-states.
In {P} C {Q}: P is a one-state predicate, Q is a two-state predicate (recall auxiliary variables).
Example: {true} x := x + 1 {x' = x + 1}

Intuition: Rely/Guarantee (thread view)

(Diagram on the slides: the run ⟨S0, s0⟩ → s1 → ... → s_{n+1}; the steps made by the thread itself are labelled G (guarantee), the steps made by its environment are labelled R (rely), and consecutive environment steps are collapsed to R*.)

Relational post-conditions

Meaning of commands: relations between pre-states and post-states.
Option I: {P} C {Q} where P is a one-state predicate and Q is a two-state predicate.
  Example: {true} x := x + 1 {x' = x + 1}
Option II: {P} C {Q} where P and Q are both one-state predicates; use logical variables to record the pre-state.
  Example: {x = X} x := x + 1 {x = X + 1}

Intuition (again)

Hoare:  { P } S { Q }
  (Diagram: a single step C from a state in {P} to a state in {Q}.)
R/G:    R, G ⊢ { P } S { Q }
  (Diagram: from a state in {P} to a state in {Q} through the thread's own steps, each labelled G, interleaved with environment steps, each labelled R.)

Goal: Parallel Composition

R ∪ G2, G1 ⊢ { P } S1 { Q }
R ∪ G1, G2 ⊢ { P } S2 { Q }
--------------------------------   (PAR)
R, G1 ∪ G2 ⊢ { P } S1 ∥ S2 { Q }


From one- to two-state relations

←p(σ, σ') = p(σ)     (p evaluated on the pre-state)
→p(σ, σ') = p(σ')    (p evaluated on the post-state)
A single-state predicate p is preserved by a two-state relation R if ←p ∧ R ⇒ →p, i.e. ∀σ, σ' : p(σ) ∧ R(σ, σ') ⇒ p(σ')

Operations on relations

(P;Q)(σ, σ') = ∃σ'' : P(σ, σ'') ∧ Q(σ'', σ')
ID(σ, σ') = (σ = σ')
R* = ID ∨ R ∨ (R;R) ∨ (R;R;R) ∨ ...

Formulas

ID(x) = (x' = x)
ID(p) = (p' ⇔ p)
Preserve(p) = (p ⇒ p')

Informal semantics

c ⊨ (p, R, G, Q): for every state σ such that σ ⊨ p:
  every execution of c on state σ with (potential) interventions which satisfy R results in a state σ' such that (σ, σ') ⊨ Q;
  the execution of every atomic sub-command of c on any possible intermediate state satisfies G.
c ⊨ [p, R, G, Q]: for every state σ such that σ ⊨ p:
  every execution of c on state σ with (potential) interventions which satisfy R must terminate in a state σ' such that (σ, σ') ⊨ Q;
  the execution of every atomic sub-command of c on any possible intermediate state satisfies G.

A formal semantics

Let C_R denote the set of quadruples ⟨σ1, σ2, σ3, σ4⟩ such that when c executes on σ1 with potential interferences by R it yields an intermediate state σ2 followed by an intermediate state σ3 and a final state σ4; as usual σ4 = ⊥ when c does not terminate.
C R = {< 1, 2, 3, 4 > : : < 1, > R ( <C, > * 2 2 = 3 = 4, C : <C, > * <C, > ( ( 2 = 1 2 = ) ( 3 = 3 = ) 4 = ) <, 2, 3, 4 > C R )
c ⊨ (p, R, G, Q): for every ⟨σ1, σ2, σ3, σ4⟩ ∈ C_R such that σ1 ⊨ p: ⟨σ2, σ3⟩ ∈ G, and if σ4 ≠ ⊥ then ⟨σ1, σ4⟩ ∈ Q

Simple examples

X := X + 1 ⊨ (true, X'=X, X'=X+1 ∨ X'=X, X'=X+1)
X := X + 1 ⊨ (X ≥ 0, X' ≥ X, X'>0 ∨ X'=X, X'>0)
X := X + 1 ; Y := Y + 1 ⊨ (X ≥ 0 ∧ Y ≥ 0, X' ≥ X ∧ Y' ≥ Y, G, X'>0 ∧ Y'>0)

Inference rules

Define c ⊢ (p, R, G, Q) by structural induction on c.
Soundness: if c ⊢ (p, R, G, Q) then c ⊨ (p, R, G, Q)

Atomic command
  {p} c {Q}
  ------------------------------------------   (Atomic)
  atomic {c} ⊢ (p, preserve(p), Q ∨ ID, Q)

Conditional critical section
  {p ∧ b} c {Q}
  ------------------------------------------------   (Critical)
  await b then c ⊢ (p, preserve(p), Q ∨ ID, Q)

Sequential composition
  c1 ⊢ (p1, R, G, Q1)   c2 ⊢ (p2, R, G, Q2)   Q1 ⇒ →p2
  ----------------------------------------------------   (SEQ)
  c1 ; c2 ⊢ (p1, R, G, (Q1 ; R* ; Q2))

Conditionals
  c1 ⊢ (p ∧ b1, R, G, Q)   ←(p ∧ b) ; R* ⇒ →b1
  c2 ⊢ (p ∧ b2, R, G, Q)   ←(p ∧ ¬b) ; R* ⇒ →b2
  ----------------------------------------------   (IF)
  if atomic {b} then c1 else c2 ⊢ (p, R, G, Q)

Loops
  c ⊢ (j ∧ b1, R, G, j)   ←(j ∧ b) ; R* ⇒ →b1   R ⇒ Preserve(j)
  ------------------------------------------------------------   (WHILE)
  while atomic {b} do c ⊢ (j, R, G, ¬b ∧ j)

Refinement
  c ⊢ (p, R, G, Q)   p' ⇒ p   Q ⇒ Q'   R' ⇒ R   G ⇒ G'
  -----------------------------------------------------   (REFINE)
  c ⊢ (p', R', G', Q')

Parallel composition
  c1 ⊢ (p1, R1, G1, Q1)   c2 ⊢ (p2, R2, G2, Q2)   G1 ⇒ R2   G2 ⇒ R1
  -----------------------------------------------------------------   (PAR)
  c1 ∥ c2 ⊢ (p1 ∧ p2, (R1 ∧ R2), (G1 ∨ G2), Q)
  where Q = (Q1 ; (R1 ∨ R2)* ; Q2) ∨ (Q2 ; (R1 ∨ R2)* ; Q1)


Issues in R/G

Total correctness is trickier.
Restrict the structure of the proofs.
Sometimes global proofs are preferable.
Many design choices: transitivity and reflexivity of Rely/Guarantee; no standard set of rules.
Suitable for designs.