Program verification using Hoare Logic¹

Similar documents
Hoare Logic and Model Checking

The Assignment Axiom (Hoare)

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Proofs of Correctness: Introduction to Axiomatic Verification

Hoare Logic: Reasoning About Imperative Programs

Reasoning About Imperative Programs. COS 441 Slides 10b

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Hoare Logic: Part II

Programming Languages and Compilers (CS 421)

A Short Introduction to Hoare Logic

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Foundations of Computation

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Hoare Logic: Reasoning About Imperative Programs

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Program verification. 18 October 2017

Program Analysis Part I : Sequential Programs

Floyd-Hoare Style Program Verification

Deductive Verification

Lecture 17: Floyd-Hoare Logic for Partial Correctness

Soundness and Completeness of Axiomatic Semantics

Last Time. Inference Rules

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Hoare Examples & Proof Theory. COS 441 Slides 11

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Hoare Calculus and Predicate Transformers

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Introduction to Axiomatic Semantics

Learning Goals of CS245 Logic and Computation

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

CS558 Programming Languages

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Software Engineering

Weakest Precondition Calculus

Programming Languages

Static Program Analysis

Probabilistic Guarded Commands Mechanized in HOL

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Decision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17

Deterministic Program The While Program

Hoare Logic (I): Axiomatic Semantics and Program Correctness

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Gerwin Klein, June Andronick, Ramana Kumar S2/2016

Proof Rules for Correctness Triples

(La méthode Event-B) Proof. Thanks to Jean-Raymond Abrial. Language of Predicates.

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

PREDICATE LOGIC: UNDECIDABILITY AND INCOMPLETENESS HUTH AND RYAN 2.5, SUPPLEMENTARY NOTES 2

A Termination Checker for Isabelle Hoare Logic

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Axiomatic Verification II

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Verification Frameworks and Hoare Logic

Program Analysis and Verification

Formal Specification and Verification. Specifications

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Proof Calculus for Partial Correctness

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Formal Methods in Software Engineering

Logical Abstract Domains and Interpretations

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Verification and Validation

CS156: The Calculus of Computation Zohar Manna Autumn 2008

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Limits of Computability

5. Program Correctness: Mechanics

arxiv: v1 [cs.pl] 5 Apr 2017

CSE 331 Software Design & Implementation

Lecture Notes on Programs with Arrays

Coinductive big-step semantics and Hoare logics for nontermination

Calculating axiomatic semantics from program equations by means of functional predicate calculus

Mid-Semester Quiz Second Semester, 2012

Program Construction and Verification Components Based on Kleene Algebra

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Introduction to Axiomatic Semantics

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Programming Languages

Proving Inter-Program Properties

Mechanized Operational Semantics

PROOFS IN PREDICATE LOGIC AND COMPLETENESS; WHAT DECIDABILITY MEANS HUTH AND RYAN 2.3, SUPPLEMENTARY NOTES 2

λ Slide 1 Content Exercises from last time λ-calculus COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification

Lecture 11: Measuring the Complexity of Proofs

Propositional Logic: Syntax

Logic. Propositional Logic: Syntax

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Software Verification

A Certified Denotational Abstract Interpreter (Proof Pearl)

Technical Report. Mechanizing programming logics in higher order logic. Michael J.C. Gordon. Number 145. September Computer Laboratory

Transcription:

Program verification using Hoare Logic¹ Automated Reasoning - Guest Lecture Petros Papapanagiotou Part 2 of 2 ¹Contains material from Mike Gordon s slides:

Previously on Hoare Logic A simple while language Sequence: ; Skip (do nothing): Variable assignment: := Conditional: Loop: Hoare Logic {P} C {Q} Formal specification Axiomatic semantics Hoare Logic Rules and examples

Conditional Rule {P S} C 1 {Q} {P S} C 2 {Q} {P} S C 1 C 2 {Q} Example ( ): {X X X Y} := {MAX X MAX Y} {T X Y} := {MAX X MAX Y} (1) {Y X Y Y} := {MAX X MAX Y} {T (X Y)} := {MAX X MAX Y} (1) (2) {T} := := {MAX X MAX Y} (2) (3)

What if? {P S} C 1 {Q} {P S} C 2 {Q} {P} S C 1 C 2 {Q} Example ( ): {X = max(x, Y)} := {MAX = max(x, Y)}??? {T X Y} := {MAX = max(x, Y)} (4) {Y = max(x, Y)} := {MAX = max(x, Y)}??? {T (X Y)} := {MAX = max(x, Y)} (5) (4) (5) {T} := := {MAX = max(x, Y)} (6)

Precondition Strengthening P P {P } C {Q} {P} C {Q} Replace a precondition with a stronger condition Example: X = n X + 1 = n + 1 {X + 1 = n + 1} := + {X = n + 1} {X = n} := + {X = n + 1}

Postcondition Weakening {P} C {Q } Q Q {P} C {Q} Replace a postcondition with a weaker condition Example: {X = n} := + {X = n + 1} X = n + 1 X > n {X = n} := + {X > n}

Aha! P P {P } C {Q} {P} C {Q} Example ( ): T X Y X = max(x, Y) {X = max(x, Y)} := {MAX = max(x, Y)} {T X Y} := {MAX = max(x, Y)} (7) T (X Y) Y = max(x, Y) {Y = max(x, Y)} := {MAX = max(x, Y)} {T (X Y)} := {MAX = max(x, Y)} (8) (7) (8) {T} := := {MAX = max(x, Y)} (9)

Verification Conditions (VCs) {T} := := {MAX = max(x, Y)} FOL VCs: T X Y X = max(x, Y) T (X Y) Y = max(x, Y) Hoare Logic rules can be applied automatically to generate VCs e.g. Isabelle s tactic We need to provide proofs for the VCs / proof obligations Reduced to FOL statements From simple algebraic proofs to reasoning about inductive data types

WHILE Rule {P S} C {P} {P} S C {P S} P is an invariant for C whenever S holds WHILE rule: If executing C once preserves the truth of P, then executing C any number of times also preserves the truth of P If P is an invariant for C when S holds then P is an invariant of the whole WHILE loop, i.e. a loop invariant

WHILE Rule {P S} C {P} {P} S C {P S} {Y = 1 Z = 0} {Y = X!} vs. {P} {P Z X} What is P?

WHILE Rule - How to find an invariant {P S} C {P} {P} S C {P S} The invariant P should: Say what has been done so far together with what remains to be done Hold at each iteration of the loop. Give the desired result when the loop terminates

WHILE Rule - Invariant VCs {P S} C {P} {P} S C {P S} {Y = 1 Z = 0} := + ; := {Y = X!} {P} := + ; := {P Z X} We need to find an invariant P such that: {P Z X} := + ; := {P} (WHILE rule) Y = 1 Z = 0 P (precondition strengthening) P (Z X) Y = X! (postcondition weakening)

WHILE Rule - Loop invariant for factorial Y = Z! VCs: {P Z X} := + ; := {P} Y = 1 Z = 0 P P (Z X) Y = X! {Y = Z! Z X} := + ; := {Y = Z!} because: Y = Z! Z X Y (Z + 1) = (Z + 1)! and (10) Y = 1 Z = 0 Y = Z! because: 0! = 1 Y = Z! (Z X) Y = X! because: (Z X) Z = X {Y (Z + 1) = (Z + 1)!} := + {Y Z = Z!} {Y Z = Z!} := {Y = Z!} {Y (Z + 1) = (Z + 1)!} := + ; := {Y = Z!} (10)

WHILE Rule - Complete factorial example {Y = 1 Z = 0} {Y = Z!} {Y = Z! Z X} {Y (Z + 1) = (Z + 1)!} {Y Z = Z!} {Y = Z!} {Y = Z! Z X} {Y = X!}

Another example - Multiplication! {Y 0} {0 = (I I) X} {0 = (Y I) X} {Z = (Y I) X} {Z = (Y I) X I 0} {Z + X = (Y (I 1)) X} {Z = (Y (I 1)) X} {Z = (Y I) X} {Z = (Y I) X I 0} {Z = X Y}

Isabelle

Isabelle

Specification and correctness {T} {Z = X Y} vs. {Y 0} {Z = X Y} What is the difference? - Termination!

Hoare Logic Rules (it does!) P P {P } C {Q} {P} C {Q} PS {P} C {Q } Q Q {P} C {Q} PW {Q[E/V]} := {Q} ASSIGN {P} {P} SKIP {P} C 1 {Q} {Q} C 2 {R} {P} C 1 ; C 2 {R} SEQ {P S} C 1 {Q} {P S} C 2 {Q} {P} S C 1 C 2 {Q} IF {P S} C {P} {P} S C {P S} WHILE

Other topics {P} C {Q} Weakest preconditions, strongest postconditions

Other topics {P} C {Q} Meta-theory: Is Hoare logic sound? - Yes! Based on programming language semantics (but what about more complex languages?) decidable? - No! {T} C {F} is the halting problem! complete? - Relatively / only for simple languages

Other topics {P} C {Q} Automatic Verification Condition Generation (VCG) Automatic generation/inference of loop invariants! More complex languages - e.g. Pointers = Separation logic Functional programming (recursion = induction)

Summary Precondition strengthening Postcondition weakening Automated generation of Verification Conditions (VCs) WHILE rule: Loop invariants! Properties that hold during while loops Loop invariant generation is generally undecidable

Recommended reading Theory: Mike Gordon, Background Reading on Hoare Logic, (pp. 1-27, 37-48) Huth & Ryan, Sections 4.1-4.3 (pp. 256-292) Nipkow & Klein, Section 12.2.1 (pp. 191-199) Practice: Isabelle s Hoare Logic library: Tutorial exercise

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback