Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Agenda
- Basic concepts of correctness
- Axiomatic semantics (pages 175-183)
- Hoare logic
- Properties of the semantics
- Weakest precondition

Tentative syllabus
- Semantics: natural semantics, structural semantics, axiomatic verification, collecting semantics
- Static analysis: automating Hoare logic, control flow graphs, equation systems
- Abstract interpretation fundamentals: lattices, fixed points, chaotic iteration, Galois connections, domain constructors, widening/narrowing
- Analysis techniques: numerical domains, alias analysis, interprocedural analysis, shape analysis, CEGAR
- Crafting your own: Soot, from proofs to abstractions, systematically developing transformers

Program correctness

Program correctness concepts
- Property = a certain relationship between the initial state and the final state
- Partial correctness = properties that hold if the program terminates (the main focus of this course)
- Termination = the program always terminates, i.e. for every input state
- Partial correctness + termination = total correctness
- Other correctness concepts exist: liveness, resource usage, ...

Factorial example
S_fac = y := 1; while (x≠1) do (y := y*x; x := x−1)
Factorial partial correctness property = if the statement terminates, then the final value of y will be the factorial of the initial value of x.
What if x < 0? (For x ≤ 0 the loop never reaches x = 1, so the statement does not terminate and partial correctness says nothing about it.)
Formally, using natural semantics: ⟨S_fac, s⟩ → s′ implies s′ y = (s x)!

Verifying factorial with natural semantics

Natural semantics for While
[ass_ns]    ⟨x := a, s⟩ → s[x ↦ A⟦a⟧s]
[skip_ns]   ⟨skip, s⟩ → s
[comp_ns]   ⟨S1, s⟩ → s′,  ⟨S2, s′⟩ → s″   ⊢   ⟨S1; S2, s⟩ → s″
[if_tt_ns]  ⟨S1, s⟩ → s′   ⊢   ⟨if b then S1 else S2, s⟩ → s′     if B⟦b⟧s = tt
[if_ff_ns]  ⟨S2, s⟩ → s′   ⊢   ⟨if b then S1 else S2, s⟩ → s′     if B⟦b⟧s = ff
[while_ff_ns]   ⟨while b do S, s⟩ → s                                if B⟦b⟧s = ff
[while_tt_ns]   ⟨S, s⟩ → s′,  ⟨while b do S, s′⟩ → s″   ⊢   ⟨while b do S, s⟩ → s″     if B⟦b⟧s = tt

Staged proof

Stages
1. Loop body: if ⟨y := y*x; x := x−1, s⟩ → s′ then s′ y · (s′ x)! = s y · (s x)! ∧ s x > 0
2. Loop: if ⟨while (x≠1) do (y := y*x; x := x−1), s⟩ → s″ then s″ y · (s″ x)! = s y · (s x)! ∧ s″ x = 1 ∧ s x > 0
3. Whole program: if ⟨y := 1; while (x≠1) do (y := y*x; x := x−1), s⟩ → s′ then s′ y = (s x)! ∧ s x > 0

Inductive proof over iterations (the [while_tt_ns] case of stage 2)
From ⟨y := y*x; x := x−1, s⟩ → s′ with s′ y · (s′ x)! = s y · (s x)! ∧ s x > 0,
and ⟨while (x≠1) do (y := y*x; x := x−1), s′⟩ → s″ with s″ y · (s″ x)! = s′ y · (s′ x)! ∧ s″ x = 1 ∧ s′ x > 0,
conclude ⟨while (x≠1) do (y := y*x; x := x−1), s⟩ → s″ with s″ y · (s″ x)! = s y · (s x)! ∧ s″ x = 1 ∧ s x > 0.

First stage (derivation tree shown on the slide)

Second stage: ⟨while (x≠1) do (y := y*x; x := x−1), s⟩ → s″ (derivation tree shown on the slide)

Third stage (derivation tree shown on the slide)

How easy was that?
- The proof is very laborious: we need to connect all transitions and argue about the relationships between their states. The reason is that the proof is tied too closely to the semantics of the programming language.
- The proof is long, which makes it hard to find possible mistakes.
- How did we know to find this proof? Is there a methodology?

(Cartoon) "I'll use operational semantics." "Can you prove my program correct?" "Better use axiomatic verification."

One of the oldest surviving fragments of Euclid's Elements, a textbook used for millennia to teach proof-writing techniques. The diagram accompanies Book II, Proposition 5. "P. Oxy. I 29" by Euclid - http://www.math.ubc.ca/~cass/euclid/papyrus/tha.jpg. Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/file:p._oxy._i_29.jpg#/media/file:p._oxy._i_29.jpg

A systematic approach to program verification

Axiomatic verification approach
What do we need in order to prove that the program does what it is supposed to do?
- Specify the required behavior: express properties
- Compare the behavior with the one obtained by the operational semantics
- Develop a proof system for showing that the program satisfies a requirement
- Mechanically use the proof system to show correctness

Axiomatic semantics contributors
- Robert Floyd, 1967: use assertions as the foundation for static correctness proofs
- C.A.R. Hoare, 1969: use Floyd's ideas to define axiomatic semantics ("An axiomatic basis for computer programming")
- Edsger W. Dijkstra: predicate transformer semantics: weakest precondition and strongest postcondition

Assertions, a.k.a. Hoare triples
{ P } C { Q }: P is the precondition, C the statement (a.k.a. command), Q the postcondition
- P and Q are state predicates expressed as logical formulas, e.g. x>0
- Meaning: if P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts
- C is not required to always terminate: {true} while true do skip {false} is a valid (partial correctness) triple, because the loop never halts

Total correctness assertions
[ P ] C [ Q ]: if P holds in the initial state, then execution of C must terminate on that state, and Q will hold in the state in which C halts

Specifying correctness of factorial

Factorial example: specify precondition/postcondition
{ ? } y := 1; while (x≠1) do (y := y*x; x := x−1) { ? }

First attempt
{ x>0 } y := 1; while (x≠1) do (y := y*x; x := x−1) { y=x! }
This does not say what we want: x! in the postcondition refers to the value of x in the state after execution finishes (which is 1), not to the initial value. We need a way to remember the value of x before execution.

Fixed assertion
{ x=n } y := 1; while (x≠1) do (y := y*x; x := x−1) { y=n! ∧ n>0 }
Here n is a logical variable: it must not appear in the statement, so it is immutable and still names the initial value of x in the postcondition.

The proof outline
Background axiom: n!*(n+1) = (n+1)!
{ x=n }
y := 1;
{ x>0 ∧ y*x! = n! ∧ n ≥ x }                     (loop invariant)
while (x≠1) do
  { x−1>0 ∧ (y*x)*(x−1)! = n! ∧ n ≥ x−1 }
  y := y*x;
  { x−1>0 ∧ y*(x−1)! = n! ∧ n ≥ x−1 }
  x := x−1
{ y*x! = n! ∧ n>0 ∧ x=1 }
Caveat: the first step requires x=n ⇒ x>0 ∧ 1*x! = n! ∧ n ≥ x, which fails for x ≤ 0. The outline goes through only if the precondition is strengthened to x=n ∧ n>0. (The triple with precondition x=n is still valid, since for x ≤ 0 the loop never terminates, but this invariant does not establish it.)

Formalizing partial correctness via Hoare logic

States and predicates
- s ∈ State: program states; ⊥: the undefined state (nontermination)
- A state predicate P is a (possibly infinite) set of states, P ⊆ State
- s ⊨ P ("P holds in state s") means s ∈ P

FO logic reminder
- We write A ⇒ B if for all states s, if s ⊨ A then s ⊨ B, i.e. { s | s ⊨ A } ⊆ { s | s ⊨ B }
- For every predicate A: false ⇒ A ⇒ true
- We write A ⇔ B if A ⇒ B and B ⇒ A, e.g. false ⇔ 5=7
- In writing Hoare-style proofs, we will often replace a predicate A with A′ such that A ⇔ A′ and A′ is simpler

Formalizing Hoare triples (with natural semantics)
S_ns⟦C⟧ s = s′ if ⟨C, s⟩ → s′, and ⊥ (undefined) otherwise
⊨ { P } C { Q } iff for all s, s′: if s ⊨ P and ⟨C, s⟩ → s′ then s′ ⊨ Q
Alternatively, with the convention ⊥ ⊨ P for every P: ⊨ { P } C { Q } iff for all s, s ⊨ P implies S_ns⟦C⟧ s ⊨ Q, i.e. C(P) ⊆ Q where C(P) is the image of P under S_ns⟦C⟧
Why did we choose natural semantics?
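The two slides above (the natural-semantics rules for While and the partial-correctness reading of ⊨ { P } C { Q }) can be made concrete in a few lines of code. The following is an added example, not code from the lecture: a big-step evaluator that follows the natural-semantics rules one for one, plus a bounded check of a Hoare triple over a constructed set of small initial states. The tuple encoding of statements, the `fuel` bound used to detect nontermination, and the state range are my assumptions; the factorial program and its specification are the slides' own.

```python
# Added example (not from the slides): a big-step evaluator for While that
# follows the natural-semantics rules, plus a bounded check of |= {P} C {Q}.
# Statements are nested tuples (assumed encoding); arithmetic and boolean
# expressions are Python callables over the state, so A[[a]]s is just a(s).
from itertools import product
from math import factorial
from typing import Callable, Dict, Iterable, Optional

State = Dict[str, int]

def run(stmt, s: State, fuel: int = 1000) -> Optional[State]:
    """<stmt, s> -> s'.  Returns None when no derivation with at most `fuel`
    loop iterations exists, i.e. the program does not terminate (as far as
    this bounded search can tell)."""
    kind = stmt[0]
    if kind == "ass":                        # [ass_ns]  <x := a, s> -> s[x -> A[[a]]s]
        _, x, a = stmt
        return {**s, x: a(s)}
    if kind == "skip":                       # [skip_ns] <skip, s> -> s
        return dict(s)
    if kind == "comp":                       # [comp_ns] run S1, feed s' into S2
        _, s1, s2 = stmt
        mid = run(s1, s, fuel)
        return None if mid is None else run(s2, mid, fuel)
    if kind == "if":                         # [if_tt_ns] / [if_ff_ns]
        _, b, s1, s2 = stmt
        return run(s1 if b(s) else s2, s, fuel)
    if kind == "while":                      # [while_tt_ns] unrolls, [while_ff_ns] stops
        _, b, body = stmt
        while b(s):
            if fuel == 0:
                return None
            fuel -= 1
            s = run(body, s, fuel)
            if s is None:
                return None
        return dict(s)
    raise ValueError(f"unknown statement {kind!r}")

# S_fac from the slides: y := 1; while (x != 1) do (y := y*x; x := x-1)
S_FAC = ("comp",
         ("ass", "y", lambda s: 1),
         ("while", lambda s: s["x"] != 1,
          ("comp", ("ass", "y", lambda s: s["y"] * s["x"]),
                   ("ass", "x", lambda s: s["x"] - 1))))

# {true} while true do skip {false} from the slides
LOOP_FOREVER = ("while", lambda s: True, ("skip",))

def factorial_result(x: int) -> Optional[int]:
    """Final value of y when S_fac starts with this x, or None if it loops."""
    final = run(S_FAC, {"x": x, "y": 0})
    return None if final is None else final["y"]

def triple_holds(pre: Callable[[State], bool], stmt,
                 post: Callable[[State], bool], states: Iterable[State]) -> bool:
    """|= {pre} stmt {post} over a finite set of initial states: whenever pre
    holds and the run terminates, post must hold in the final state.  A run
    that does not terminate satisfies the triple vacuously, which is exactly
    the partial-correctness convention (bottom |= P for every P)."""
    for s in states:
        if not pre(s):
            continue
        final = run(stmt, s)
        if final is not None and not post(final):
            return False
    return True

def small_states(lo: int = -3, hi: int = 6) -> Iterable[State]:
    """Constructed sample input: every state with x, y in [lo, hi]."""
    return ({"x": x, "y": y} for x, y in product(range(lo, hi + 1), repeat=2))

def fac_spec_holds(n: int) -> bool:
    """|= {x = n} S_fac {y = n! and n > 0} on the sample states, for a fixed n."""
    return triple_holds(lambda s: s["x"] == n, S_FAC,
                        lambda s: n > 0 and s["y"] == factorial(n), small_states())

if __name__ == "__main__":
    for x in (-2, 0, 1, 5):
        print(f"x = {x:2d}: y = {factorial_result(x)}")       # None = does not terminate
    print("{true} while true do skip {false}:",
          triple_holds(lambda s: True, LOOP_FOREVER, lambda s: False, small_states()))
    print("{x = n} S_fac {y = n! and n > 0} for n in -3..6:",
          all(fac_spec_holds(n) for n in range(-3, 7)))
```

Because `n` is a logical variable, the specification is checked once per value of `n`; the cases n ≤ 0 pass only because the loop never terminates from such a state, which is the "what if x < 0?" question answered in code.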

Formalizing Hoare triples (with structural operational semantics)
S_sos⟦C⟧ s = s′ if ⟨C, s⟩ ⇒* s′, and ⊥ otherwise
⊨ { P } C { Q } iff for all s, s′: if s ⊨ P and ⟨C, s⟩ ⇒* s′ then s′ ⊨ Q
Alternatively, with the convention ⊥ ⊨ P for every P: ⊨ { P } C { Q } iff for all s, s ⊨ P implies S_sos⟦C⟧ s ⊨ Q, i.e. C(P) ⊆ Q

How do we express predicates?
- Extensional approach: abstract mathematical functions P : State → {tt, ff}
- Intensional approach: via a language of formulae

An assertion language
Bexp is not expressive enough to express the predicates needed for many proofs, so we extend Bexp:
- Allow quantification: ∀z. A and ∃z. A, e.g. ∃z. z = k × n
- Import well-known mathematical concepts, e.g. n! ≝ n × (n−1) × ... × 2 × 1

An assertion language
a ::= n | x | a1 + a2 | a1 × a2 | a1 − a2          (x is either a program variable or a logical variable)
A ::= true | false | a1 = a2 | a1 ≤ a2 | ¬A | A1 ∧ A2 | A1 ∨ A2 | A1 ⇒ A2 | ∀z. A | ∃z. A

Some FO logic definitions before we get to the rules

Free/bound variables
A variable is said to be bound in a formula when it occurs in the scope of a quantifier; otherwise it is said to be free.
Example: ∀i. k=i×m ∧ (i+100 ≤ 77) ∧ ∃i. j+1=i+3  (i is bound; k, m and j are free)
FV(A) denotes the free variables of A, defined inductively on the abstract syntax tree of A.

Computing free variables
FV(n) = {}
FV(x) = {x}
FV(a1 + a2) = FV(a1 × a2) = FV(a1 − a2) = FV(a1) ∪ FV(a2)
FV(true) = FV(false) = {}
FV(a1 = a2) = FV(a1 ≤ a2) = FV(a1) ∪ FV(a2)
FV(¬A) = FV(A)
FV(A1 ∧ A2) = FV(A1 ∨ A2) = FV(A1 ⇒ A2) = FV(A1) ∪ FV(A2)
FV(∀z. A) = FV(∃z. A) = FV(A) \ {z}

Substitution
An expression t is pure (a term) if it does not contain quantifiers.
A[t/z] denotes the assertion A′ which is the same as A, except that all free occurrences of the variable z are replaced by t.
Example: A ≡ ∀i. k=i×m.  A[5/k] = ?  A[5/i] = ?

Calculating substitutions (terms)
n[t/z] = n
x[t/z] = x  (if x ≠ z)
x[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z]
(a1 × a2)[t/z] = a1[t/z] × a2[t/z]
(a1 − a2)[t/z] = a1[t/z] − a2[t/z]

Calculating substitutions (assertions)
true[t/z] = true
false[t/z] = false
(a1 = a2)[t/z] = a1[t/z] = a2[t/z]
(a1 ≤ a2)[t/z] = a1[t/z] ≤ a2[t/z]
(¬A)[t/z] = ¬(A[t/z])
(A1 ∧ A2)[t/z] = A1[t/z] ∧ A2[t/z]
(A1 ∨ A2)[t/z] = A1[t/z] ∨ A2[t/z]
(A1 ⇒ A2)[t/z] = A1[t/z] ⇒ A2[t/z]
(∀z. A)[t/z] = ∀z. A
(∀z. A)[t/y] = ∀z. A[t/y]   (for y ≠ z)
(∃z. A)[t/z] = ∃z. A
(∃z. A)[t/y] = ∃z. A[t/y]   (for y ≠ z)
The two quantifier clauses for y ≠ z assume that z does not occur free in t; if it does, the bound variable z must first be renamed to a fresh one, otherwise the substituted t would be captured by the quantifier and change its meaning.
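As an added example (not part of the lecture), here are the FV and substitution definitions from the last three slides implemented over a small AST for the assertion language, including the renaming step that the quantifier clauses silently assume. The tuple encoding of terms and formulas, the `fresh` naming scheme, and the helper names are my assumptions; the example formulas are the slides' own.

```python
# Added example, not from the slides: the assertion language as a small AST,
# with FV and substitution implemented by the inductive clauses.
# Terms:    ("num", n) | ("var", x) | ("+"|"*"|"-", a1, a2)
# Formulas: ("true",) | ("false",) | ("="|"<=", a1, a2) | ("not", A)
#           | ("and"|"or"|"imp", A1, A2) | ("forall"|"exists", z, A)
from itertools import count
from typing import FrozenSet

BINARY = {"+", "*", "-", "=", "<=", "and", "or", "imp"}
QUANT = {"forall", "exists"}
LEAVES = {"num", "true", "false"}

def fv(e) -> FrozenSet[str]:
    """FV(e): the free variables of a term or assertion."""
    tag = e[0]
    if tag in LEAVES:
        return frozenset()
    if tag == "var":
        return frozenset({e[1]})
    if tag in BINARY:
        return fv(e[1]) | fv(e[2])
    if tag == "not":
        return fv(e[1])
    if tag in QUANT:                      # FV(Qz. A) = FV(A) \ {z}
        return fv(e[2]) - {e[1]}
    raise ValueError(f"bad node {tag!r}")

def fresh(base: str, avoid: FrozenSet[str]) -> str:
    """A variable name not in `avoid` (assumed naming scheme: base1, base2, ...)."""
    return next(f"{base}{i}" for i in count(1) if f"{base}{i}" not in avoid)

def subst(e, t, z: str):
    """e[t/z]: replace the free occurrences of z in e by the term t."""
    tag = e[0]
    if tag == "var":                      # x[t/z] = x ;  x[t/x] = t
        return t if e[1] == z else e
    if tag in LEAVES:
        return e
    if tag in BINARY:
        return (tag, subst(e[1], t, z), subst(e[2], t, z))
    if tag == "not":
        return ("not", subst(e[1], t, z))
    if tag in QUANT:
        _, bound, body = e
        if bound == z:                    # (Qz. A)[t/z] = Qz. A : no free z inside
            return e
        if bound in fv(t):                # (Qz. A)[t/y] = Qz. A[t/y] assumes z not free in t;
            new = fresh(bound, fv(body) | fv(t) | {z})   # otherwise rename the binder first
            body = subst(body, ("var", new), bound)
            bound = new
        return (tag, bound, subst(body, t, z))
    raise ValueError(f"bad node {tag!r}")

def show(e) -> str:
    """Pretty-printer, for readable output only."""
    tag = e[0]
    if tag == "num":
        return str(e[1])
    if tag == "var":
        return e[1]
    if tag in ("true", "false"):
        return tag
    if tag == "not":
        return f"¬{show(e[1])}"
    if tag in QUANT:
        return f"{'∀' if tag == 'forall' else '∃'}{e[1]}. {show(e[2])}"
    op = {"+": "+", "*": "×", "-": "−", "=": "=", "<=": "≤",
          "and": "∧", "or": "∨", "imp": "⇒"}[tag]
    return f"({show(e[1])} {op} {show(e[2])})"

def var(x):
    return ("var", x)

def num(n):
    return ("num", n)

# The slides' examples.
A = ("forall", "i", ("=", var("k"), ("*", var("i"), var("m"))))   # ∀i. k = i×m
B = ("and",                        # ∀i. k=i×m ∧ (i+100 ≤ 77) ∧ ∃i. j+1 = i+3
     ("forall", "i", ("and", ("=", var("k"), ("*", var("i"), var("m"))),
                             ("<=", ("+", var("i"), num(100)), num(77)))),
     ("exists", "i", ("=", ("+", var("j"), num(1)), ("+", var("i"), num(3)))))

if __name__ == "__main__":
    print(show(A), " FV =", set(fv(A)))
    print("A[5/k] =", show(subst(A, num(5), "k")))     # 5 replaces the free k
    print("A[5/i] =", show(subst(A, num(5), "i")))     # unchanged: i is bound
    print("A[i/k] =", show(subst(A, var("i"), "k")))   # binder renamed, no capture
    print(show(B), " FV =", set(fv(B)))
```

The last call is the case the slide's clause does not cover: substituting the term `i` for the free `k` under `∀i` would turn `k = i×m` into `i = i×m` and bind the new occurrence; renaming the binder to `i1` first keeps the meaning.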

And now the rules (six are completely enough)

Axiomatic semantics for While (notice the similarity to the natural semantics rules)
[ass_p]    { P[a/x] } x := a { P }
[skip_p]   { P } skip { P }
[comp_p]   { P } S1 { Q },  { Q } S2 { R }   ⊢   { P } S1; S2 { R }
[if_p]     { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }   ⊢   { P } if b then S1 else S2 { Q }
[while_p]  { b ∧ P } S { P }   ⊢   { P } while b do S { ¬b ∧ P }          What's different about this rule?
[cons_p]   { P′ } S { Q′ }   ⊢   { P } S { Q }     if P ⇒ P′ and Q′ ⇒ Q

Assignment rule
[ass_p] { P[a/x] } x := a { P }
- A backwards rule: the precondition is computed from the postcondition
- x := a always finishes
- Why is this true? Recall the operational semantics: [ass_ns] ⟨x := a, s⟩ → s[x ↦ A⟦a⟧s], and s[x ↦ A⟦a⟧s] ⊨ P iff s ⊨ P[a/x]
- Exercises: {?} x:=y*z {x<9}    {?} x:=x+1 {x>8}    {?} x:=y*z {w=5}

skip rule
[skip_p] { P } skip { P }
[skip_ns] ⟨skip, s⟩ → s

Composition rule
[comp_p] { P } S1 { Q },  { Q } S2 { R }   ⊢   { P } S1; S2 { R }
[comp_ns] ⟨S1, s⟩ → s′,  ⟨S2, s′⟩ → s″   ⊢   ⟨S1; S2, s⟩ → s″
Holds when: whenever S1 terminates from a state where P holds, Q holds in the resulting state; and whenever S2 terminates from a state where Q holds, R holds in the resulting state.

Condition rule
[if_p] { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }   ⊢   { P } if b then S1 else S2 { Q }
[if_tt_ns] ⟨S1, s⟩ → s′   ⊢   ⟨if b then S1 else S2, s⟩ → s′     if B⟦b⟧s = tt
[if_ff_ns] ⟨S2, s⟩ → s′   ⊢   ⟨if b then S1 else S2, s⟩ → s′     if B⟦b⟧s = ff

Loop rule
[while_p] { b ∧ P } S { P }   ⊢   { P } while b do S { ¬b ∧ P }
[while_ff_ns] ⟨while b do S, s⟩ → s     if B⟦b⟧s = ff
[while_tt_ns] ⟨S, s⟩ → s′,  ⟨while b do S, s′⟩ → s″   ⊢   ⟨while b do S, s⟩ → s″     if B⟦b⟧s = tt
- Here P is called an invariant for the loop: it holds before and after each loop iteration
- Finding loop invariants is the most challenging part of proofs
- When the loop finishes, b is false

Rule of consequence
[cons_p] { P′ } S { Q′ }   ⊢   { P } S { Q }     if P ⇒ P′ and Q′ ⇒ Q
- Allows strengthening the precondition and weakening the postcondition
- The only rule that is not related to a statement

Rule of consequence
[cons_p] { P′ } S { Q′ }   ⊢   { P } S { Q }     if P ⇒ P′ and Q′ ⇒ Q
Why do we need it? It allows the following: from {y*z<9} x:=y*z {x<9} (the assignment rule) we get {y*z<9 ∧ w=5} x:=y*z {x<9}, since y*z<9 ∧ w=5 ⇒ y*z<9
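The six rules above can be run mechanically as a verification-condition generator: apply [ass_p], [skip_p], [comp_p], [if_p] and [while_p] backwards from the postcondition, and collect every implication that [cons_p] would have to discharge. The following is an added example, not code from the lecture: it does that for annotated While programs (each loop carries its invariant), then searches small integer states for counterexamples to the collected implications, which is a cheap way to catch a broken invariant or a too-weak precondition before attempting a real proof. Assertions are quantifier-free Python boolean expressions over the program variables, `fact(n)` stands for n!, and the tuple encoding, the search range and the helper names are my assumptions (Python 3.9+ for `ast.unparse`). The program, invariant and postcondition are the factorial proof outline from the slides.

```python
# Added example, not from the slides: verification conditions from the six
# proof rules, plus a bounded counterexample search over the side conditions.
import ast
from itertools import product
from math import factorial
from typing import Dict, List, Optional, Tuple

def subst(assertion: str, x: str, a: str) -> str:
    """P[a/x]: replace every occurrence of the variable x in P by the term a."""
    repl = ast.parse(a, mode="eval").body
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return repl if node.id == x else node
    return ast.unparse(Sub().visit(ast.parse(assertion, mode="eval")))

def vcgen(stmt, post: str, vcs: List[Tuple[str, str]]) -> str:
    """Return the precondition the rules yield for `post`, appending each
    implication [cons_p] must discharge to `vcs` as (antecedent, consequent)."""
    kind = stmt[0]
    if kind == "skip":                  # [skip_p]  {P} skip {P}
        return post
    if kind == "ass":                   # [ass_p]   {P[a/x]} x := a {P}, backwards
        _, x, a = stmt
        return subst(post, x, a)
    if kind == "comp":                  # [comp_p]  the middle assertion is wp(S2, R)
        _, s1, s2 = stmt
        return vcgen(s1, vcgen(s2, post, vcs), vcs)
    if kind == "if":                    # [if_p]    b ∧ P ⇒ wp(S1, Q),  ¬b ∧ P ⇒ wp(S2, Q)
        _, b, s1, s2 = stmt
        return (f"(({b}) and ({vcgen(s1, post, vcs)})) or "
                f"(not ({b}) and ({vcgen(s2, post, vcs)}))")
    if kind == "while":                 # [while_p] {b ∧ I} S {I}  ⊢  {I} while b do S {¬b ∧ I}
        _, b, inv, body = stmt
        vcs.append((f"({inv}) and ({b})", vcgen(body, inv, vcs)))  # invariant preserved
        vcs.append((f"({inv}) and not ({b})", post))               # [cons_p]: ¬b ∧ I ⇒ Q
        return inv
    raise ValueError(f"unknown statement {kind!r}")

def fact(n: int) -> Optional[int]:
    """n! for n >= 0; None below zero so that comparisons simply fail."""
    return factorial(n) if n >= 0 else None

def names(expr: str) -> List[str]:
    tree = ast.parse(expr, mode="eval")
    return sorted({n.id for n in ast.walk(tree) if isinstance(n, ast.Name)} - {"fact"})

def counterexample(ante: str, cons: str, lo: int, hi: int) -> Optional[Dict[str, int]]:
    """A state in [lo, hi]^k satisfying `ante` but not `cons`, or None if the
    search finds nothing (evidence for the implication, not a proof of it)."""
    vs = names(f"({ante}) and ({cons})")
    for vals in product(range(lo, hi + 1), repeat=len(vs)):
        st = dict(zip(vs, vals))
        # eval is only ever fed our own assertion strings, never external input
        ev = lambda e: eval(e, {"__builtins__": {}, "fact": fact}, dict(st))
        if ev(ante) and not ev(cons):
            return st
    return None

def verify(pre: str, stmt, post: str, lo: int = -3, hi: int = 6):
    """All side conditions for {pre} stmt {post}, each paired with a
    counterexample or None."""
    vcs: List[Tuple[str, str]] = []
    vcs.append((pre, vcgen(stmt, post, vcs)))    # top-level [cons_p]: P ⇒ P'
    return [(a, c, counterexample(a, c, lo, hi)) for a, c in vcs]

# The proof outline from the slides, with its loop invariant.
INV = "x > 0 and y * fact(x) == fact(n) and n >= x"
S_FAC = ("comp",
         ("ass", "y", "1"),
         ("while", "x != 1", INV,
          ("comp", ("ass", "y", "y * x"), ("ass", "x", "x - 1"))))
POST = "y == fact(n) and n > 0"

if __name__ == "__main__":
    for pre in ("x == n", "x == n and n > 0"):
        print(f"{{{pre}}} S_fac {{{POST}}}")
        for a, c, cex in verify(pre, S_FAC, POST):
            print("   ", a, "=>", c, "   counterexample:", cex)
    # the assignment-rule exercises
    print(subst("x < 9", "x", "y * z"), "|", subst("x > 8", "x", "x + 1"),
          "|", subst("w == 5", "x", "y * z"))
```

With the slides' precondition `x == n` the entry condition `x == n ⇒ x > 0 ∧ 1·x! = n! ∧ n ≥ x` is refuted by any state with x = n ≤ 0; with `x == n and n > 0` no side condition has a counterexample in the range searched, matching the proof outline. The three printed substitutions are the answers to the assignment-rule exercises.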

Next lecture: axiomatic semantics II