Soundness and Completeness of Axiomatic Semantics

Similar documents
Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Introduction to Axiomatic Semantics

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Floyd-Hoare Style Program Verification

Programming Languages

Hoare Logic: Part II

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Hoare Calculus and Predicate Transformers

Program verification using Hoare Logic¹

Deductive Verification

Program verification. 18 October 2017

Reasoning About Imperative Programs. COS 441 Slides 10b

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Verification and Validation

CSE 331 Winter 2018 Reasoning About Code I

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Mid-Semester Quiz Second Semester, 2012

Hoare Logic: Reasoning About Imperative Programs

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

CS558 Programming Languages

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Weakest Precondition Calculus

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Software Engineering

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

A Short Introduction to Hoare Logic

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

CSE 331 Software Design & Implementation

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Lecture 2: Axiomatic semantics

Hoare Logic: Reasoning About Imperative Programs

Programming Languages and Compilers (CS 421)

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Proof Rules for Correctness Triples

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Program Analysis Part I : Sequential Programs

Proofs of Correctness: Introduction to Axiomatic Verification

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Introduction to Axiomatic Semantics

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Propositional Logic: Syntax

CS 6110 Lecture 21 The Fixed-Point Theorem 8 March 2013 Lecturer: Andrew Myers. 1 Complete partial orders (CPOs) 2 Least fixed points of functions

The Assignment Axiom (Hoare)

Programming Languages

Hoare Logic and Model Checking

Hoare Examples & Proof Theory. COS 441 Slides 11

Logic. Propositional Logic: Syntax

Deterministic Program The While Program

Logic. Propositional Logic: Syntax. Wffs

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Probabilistic Guarded Commands Mechanized in HOL

Abstract Interpretation (Non-Standard Semantics) a.k.a. Picking The Right Abstraction

Proof Calculus for Partial Correctness

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Last Time. Inference Rules

Formal Methods in Software Engineering

Decision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Abstract Interpretation (Non-Standard Semantics) a.k.a. Picking The Right Abstraction

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

Proving Inter-Program Properties

C241 Homework Assignment 9

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

Strength; Weakest Preconditions

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Formal Methods for Probabilistic Systems

Formal Specification and Verification. Specifications

ESE601: Hybrid Systems. Introduction to verification

Loop Convergence. CS 536: Science of Programming, Fall 2018

Abstract Interpretation, or Non-Standard Semantics, or Picking the Right Abstraction

Axiomatic Verification II

5. Program Correctness: Mechanics

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Lecture Notes on Software Model Checking

Model Checking: An Introduction

Automata-Theoretic Model Checking of Reactive Systems

AN INTRODUCTION TO SEPARATION LOGIC. 2. Assertions

Logics - Introduction

CSE 331 Winter 2018 Homework 1

Program Analysis and Verification

Foundations of Computation

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Přednáška 12. Důkazové kalkuly Kalkul Hilbertova typu. 11/29/2006 Hilbertův kalkul 1

Abstractions and Decision Procedures for Effective Software Model Checking

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Automata, Logic and Games: Theory and Application

Propositions. c D. Poole and A. Mackworth 2010 Artificial Intelligence, Lecture 5.1, Page 1

CS156: The Calculus of Computation

Computer Science and State Machines

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Transcription:

#1 Soundness and Completeness of Axiomatic Semantics

#2 One-Slide Summary A system of axiomatic semantics is sound if everything we can prove is also true: if ` { A } c { B } then ² { A } c { B } We prove this by simultaneous induction on the structure of the operational semantics derivation and the axiomatic semantics proof. A system of axiomatic semantics is complete if we can prove all true things: if ² { A } c { B } then ` { A } c { B } Our system is relatively complete (= just as complete as the underlying logic). We use weakest preconditions to reason about soundness. Verification conditions are preconditions that are easy to compute.

Where Do We Stand? We have a language for asserting properties of programs We know when such an assertion is true We also have a symbolic method for deriving assertions meaning A {A} c {B} symbolic derivation (theorem proving) soundness ` A ` { A} c {B} completeness σ ² A ² {A} c {B} #3

Soundness of Axiomatic Semantics Formal statement of soundness: if ` { A } c { B } then ² { A } c { B } or, equivalently For all σ, if σ ² A and Op :: <c, σ> σ and Pr :: ` { A } c { B } then σ ² B Op === Opsem Derivation Pr === Axiomatic Proof How shall we prove this, oh class? #4

#5 Not Easily! By induction on the structure of c? No, problems with while and rule of consequence By induction on the structure of Op? No, problems with while By induction on the structure of Pr? No, problems with consequence By simultaneous induction on the structure of Op and Pr Yes! New Technique!

#6 Simultaneous Induction Consider two structures Op and Pr Assume that x < y iff x is a substructure of y Define the ordering (o, p) Á (o, p ) iff o < o or o = o and p < p Called lexicographic (dictionary) ordering This Á is a well-founded order and leads to simultaneous induction If o < o then h can actually be larger than h! It can even be unrelated to h!

Soundness of Axiomatic Semantics Formal statement of soundness: If ` { A } c { B } then ² { A } c { B } or, equivalently For all σ, if σ ² A and Op :: <c, σ> σ and Pr :: ` { A } c { B } then σ ² B Op = Opsem Derivation Pr = Axiomatic Proof #7

#8 Simultaneous Induction Consider two structures Op and Pr Assume that x < y iff x is a substructure of y Define the ordering (o, p) Á (o, p ) iff o < o or o = o and p < p Called lexicographic (dictionary) ordering This Á is a well founded order and leads to simultaneous induction If o < o then p can actually be larger than p! It can even be unrelated to p!

Soundness of the While Rule (Indiana Proof and the Slide of Doom) Case: last rule used in Pr : ` {A} c {B} was the while rule: Pr 1 :: ` {A Æ b} c {A} ` {A} while b do c {A Æ : b} Two possible rules for the root of Op (by inversion) We ll only do the complicated case: Op 1 :: <b, σ> true Op 2 :: <c,σ> σ Op 3 :: <while b do c, σ > σ Assume that σ ² A To show that σ ² A Æ : b <while b do c, σ > σ By soundness of booleans and Op 1 we get σ ² b Hence σ ² A Æ b By IH on Pr 1 and Op 2 we get σ ² A By IH on Pr and Op 3 we get σ ² A Æ : b, q.e.d. (tricky!) #9

#10 Soundness of the While Rule Note that in the last use of IH the derivation Pr did not decrease But Op 3 was a sub-derivation of Op See Winskel, Chapter 6.5, for a soundness proof with denotational semantics

#11 Completeness of Axiomatic Semantics If ² {A} c {B} can we always derive ` {A} c {B}? If so, axiomatic semantics is complete If not then there are valid properties of programs that we cannot verify with Hoare rules :-( Good news: for our language the Hoare triples are complete Bad news: only if the underlying logic is complete (whenever ² A we also have ` A) - this is called relative completeness

#12 Examples, General Plan OK, so: ² { x < 5 Æ z = 2 } y := x + 2 { y < 7 } Can we prove it??`? { x < 5 Æ z = 2 } y := x + 2 { y < 7 } Well, we could easily prove: ` { x+2 < 7 } y := x + 2 { y < 7 } And we know ` x < 5 Æ z = 2 ) x+2 < 7 Shouldn t those two proofs be enough?

#13 Proof Idea Dijkstra s idea: To verify that { A } c { B } a) Find out all predicates A such that ² { A } c { B } call this set Pre(c, B) (Pre = pre-conditions ) b) Verify for one A 2 Pre(c, B) that A ) A Assertions can be ordered: false strong Pre(c, B) A ) weakest precondition: WP(c, B) true weak Thus: compute WP(c, B) and prove A ) WP(c, B)

#14 Proof Idea (Cont.) Completeness of axiomatic semantics: If ² { A } c { B } then ` { A } c { B } Assuming that we can compute wp(c, B) with the following properties: wp is a precondition (according to the Hoare rules) ` { wp(c, B) } c { B } wp is (truly) the weakest precondition If ² { A } c { B } then ² A ) wp(c, B) ` A ) wp(c, B) ` {A} c {B} ` {wp(c, B)} c {B} We also need that whenever ² A then ` A!

Q: Bonus Despite having physically appeared in only about ten movies, this Indian singer has received the Bharat Ratna (India's highest civilian honor) and holds the Guinness Book of World Records entry for most recordings (30,000 songs by 1987). At one point the Pakistani prime minister said the he would gladly exchange [her] for Kashmir. She is the sister of Asha Bhosle and specializes in playback or voiceover movie music.

Q: Computer Science This American Turing-Award winner is known for the Venus operating system; the language CLU; the first language for distributed systems; and a definition of subtyping based on substitution. Recent research interests include Byzantine fault tolerance. The associated Turing Award dedication cited programming languages and software methodology for object-oriented programming.

#17 Axiomatic Semantics: Preconditions

#18 Weakest Preconditions Define wp(c, B) inductively on c, following the Hoare rules: wp(c 1 ; c 2, B) = wp(c 1, wp(c 2, B)) {A} c 1 {C} { A } c 1 ; c 2 {B} {C} c 2 {B} wp(x := e, B) = [e/x]b { [e/x]b } x := E {B} {A 1 } c 1 {B} {A 2 } c 2 {B} { E ) A 1 Æ : E ) A 2 } if E then c 1 else c 2 {B} wp(if E then c 1 else c 2, B) = E ) wp(c 1, B) Æ :E ) wp(c 2, B)

#19 Weakest Preconditions for Loops We start from the unwinding equivalence while b do c = if b then c; while b do c else skip Let w = while b do c and W = wp(w, B) We have that W = b ) wp(c, W) Æ : b ) B But this is a recursive equation! We know how to solve these using domain theory But we need a domain for assertions

#20 A Partial Order for Assertions Which assertion contains the least information? true does not say anything about the state What is an appropriate information ordering? A v A iff ² A ) A Is this partial order complete? Take a chain A 1 v A 2 v Let ÆA i be the infinite conjunction of A i σ ² ÆA i iff for all i we have that σ ² A i I assert that ÆA i is the least upper bound Can ÆA i be expressed finitely in our language of assertions? In many cases: yes (see Winskel), we ll assume yes for now

#21 Weakest Precondition for WHILE Use the fixed-point theorem F(A) = b ) wp(c, A) Æ : b ) B (Where did this come from? Two slides back!) I assert that F is both monotonic and continuous The least-fixed point (= the weakest fixed point) is wp(w, B) = ÆF i (true) (Notice that unlike for denotational semantics of IMP we are not working on a flat domain. Bonus: What does that sentence mean?)

#22 Weakest Preconditions (Cont.) Define a family of wp s wp k (while e do c, B) = weakest precondition on which the loop terminates in B if it terminates in k or fewer iterations wp 0 = : E ) B wp 1 = E ) wp(c, wp 0 ) Æ : E ) B wp(while e do c, B) = Æ k 0 wp k = lub {wp k k 0} See Necula document on the web page for the proof of completeness with weakest preconditions Weakest preconditions are Impossible to compute (in general) Can we find something easier to compute yet sufficient?

#23 Not Quite Weakest Preconditions Recall what we are trying to do: false strong Pre(s, B) ) weakest A precondition: WP(c, B) verification condition: VC(c, B) true weak Construct a verification condition: VC(c, B) Our loops will be annotated with loop invariants! VC is guaranteed to be stronger than WP But still weaker than A: A ) VC(c, B) ) WP(c, B)

#24 Groundwork Factor out the hard work Loop invariants Function specifications (pre- and post-conditions) Assume programs are annotated with such specs Good software engineering practice anyway Requiring annotations = Kiss of Death? New form of while that includes a loop invariant: while Inv b do c Invariant formula Inv must hold every time before b is evaluated A process for computing VC(annotated_command, post_condition) is called VCGen

#25 Verification Condition Generation Mostly follows the definition of the wp function: VC(skip, B) VC(c 1 ; c 2, B) VC(if b then c 1 else c 2, B) = = B = VC(c 1, VC(c 2, B)) b ) VC(c 1, B) Æ :b ) VC(c 2, B) VC(x := e, B) = [e/x] B VC(let x = e in c, B) = [e/x] VC(c, B) VC(while Inv b do c, B) =?

#26 VCGen for WHILE VC(while Inv e do c, B) = Inv Æ (8x 1 x n. Inv ) (e ) VC(c, Inv) Æ : e ) B) ) Inv holds on entry Inv is preserved in an arbitrary iteration B holds when the loop terminates in an arbitrary iteration Inv is the loop invariant (provided externally) x 1,, x n are all the variables modified in c The 8 is similar to the 8 in mathematical induction: P(0) Æ 8n 2 N. P(n) ) P(n+1)

#27 Example VCGen Problem Let s compute the VC of this program with respect to post-condition x 0 x = 0; y = 2; while x+y=2 y > 0 do y := y - 1; x := x + 1 First, what do we expect? What precondition do we need to ensure x 0 after this?

#28 Example of VC By the sequencing rule, first we do the while loop (call it w): while x+y=2 y > 0 do y := y - 1; x := x + 1 VCGen(w, x 0) = x+y=2 Æ evr es er P t nair avni 8x,y. x+y=2 ) (y>0 ) VC(c, x+y=2) Æ y 0 ) x 0) VCGen(y:=y-1 ; x:=x+1, x+y=2) = (x+1) + (y-1) = 2 w Result: x+y=2 Æ 8x,y. x+y=2 ) (y>0 ) (x+1)+(y-1)=2 Æ y 0 ) x 0) pool er us ne no ts op xe ti

#29 Example of VC (2) VC(w, x 0) = x+y=2 Æ 8x,y. x+y=2 ) (y>0 ) (x+1)+(y-1)=2 Æ y 0 ) x 0) VC(x := 0; y := 2 ; w, x 0) = 0+2=2 Æ 8x,y. x+y=2 ) (y>0 ) (x+1)+(y-1)=2 Æ y 0 ) x 0) So now we ask an automated theorem prover to prove it.

#30 Thoreau, Thoreau, Thoreau $./Simplify > (AND (EQ (+ 0 2) 2) (FORALL ( x y ) (IMPLIES (EQ (+ x y) 2) (AND (IMPLIES (> y 0) (EQ (+ (+ x 1)(- y 1)) 2)) (IMPLIES (<= y 0) (NEQ x 0)))))) 1: Valid. Huzzah! Simplify is a non-trivial five megabytes Z3 is 15 megabytes

#31 Can We Mess Up VCGen? The invariant is from the user (= the adversary, the untrusted code base) Let s use a loop invariant that is too weak, like true. VC = true Æ 8x,y. true ) (y>0 ) true Æ y 0 ) x 0) Let s use a loop invariant that is false, like x 0. VC = 0 0 Æ 8x,y. x 0 ) (y>0 ) x+1 0 Æ y 0 ) x 0)

#32 Emerson, Emerson, Emerson $./Simplify > (AND TRUE (FORALL ( x y ) (IMPLIES TRUE (AND (IMPLIES (> y 0) TRUE) (IMPLIES (<= y 0) (NEQ x 0)))))) Counterexample: context: (AND (EQ x 0) (<= y 0) ) 1: Invalid. OK, so we won t be fooled.

#33 Soundness of VCGen Simple form ² { VC(c,B) } c { B } Or equivalently that ² VC(c, B) ) wp(c, B) Proof is by induction on the structure of c Try it! Soundness holds for any choice of invariant! Next: properties and extensions of VCs

#34 Questions Homework? Project proposal?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback