Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Warm-up exercises
1. Define program state:
2. Define structural semantics configurations:
3. Define the form of structural semantics transitions:

Tentative syllabus
Program Verification: Operational semantics, Axiomatic Verification, Collecting Semantics
Program Analysis Basics: Control Flow Graphs, Equation Systems, Chaotic Iteration, Using Soot
Abstract Interpretation fundamentals: Lattices, Fixed-Points, Galois Connections, Domain constructors, Widening/Narrowing
Analysis Techniques: Numerical Domains, Alias analysis, Interprocedural Analysis, Shape Analysis, CEGAR

Agenda
Basic concepts of correctness
Axiomatic semantics (pages 175-183)
  Motivation
  First-order logic reminder
  Hoare Logic

Program correctness

Program correctness concepts
Specification = a certain relationship between the initial state and the final state
Partial correctness = specifications that hold if the program terminates (the main focus of this course)
Termination = the program always terminates, i.e., for every input state
Partial correctness + termination = total correctness
Other correctness concepts exist: liveness, resource usage, ...

Verifying factorial with structural semantics

Structural semantics for While
[ass_sos]    ⟨x := a, σ⟩ ⇒ σ[x ↦ A⟦a⟧σ]
[skip_sos]   ⟨skip, σ⟩ ⇒ σ
[comp1_sos]  ⟨S1, σ⟩ ⇒ ⟨S1', σ'⟩
             ──────────────────────────────
             ⟨S1; S2, σ⟩ ⇒ ⟨S1'; S2, σ'⟩
[comp2_sos]  ⟨S1, σ⟩ ⇒ σ'
             ──────────────────────────────
             ⟨S1; S2, σ⟩ ⇒ ⟨S2, σ'⟩
[if_tt_sos]  ⟨if b then S1 else S2, σ⟩ ⇒ ⟨S1, σ⟩   if B⟦b⟧σ = tt
[if_ff_sos]  ⟨if b then S1 else S2, σ⟩ ⇒ ⟨S2, σ⟩   if B⟦b⟧σ = ff
[while_sos]  ⟨while b do S, σ⟩ ⇒ ⟨if b then (S; while b do S) else skip, σ⟩

Factorial example
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Factorial partial correctness specification = if the statement terminates then the final value of y will be the factorial of the initial value of x
What if x < 0? (For x ≤ 0 the guard x ≠ 1 stays true forever, the loop does not terminate, and the partial correctness specification holds vacuously.)
Formally, using structural semantics: ⟨S_fac, σ⟩ ⇒* σ' implies σ'(y) = (σ(x))!

Factorial proof strategy
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Lemma 3 uses Lemma 2, which uses Lemma 1.
Lemma 1: if σ(x) > 1 then ⟨y:=y*x; x:=x−1, σ⟩ ⇒* σ' implies σ'(y) * (σ'(x))! = σ(y) * (σ(x))! and σ'(x) ≥ 1
Lemma 2: if σ(x) ≥ 1 then ⟨while (x ≠ 1) do (y:=y*x; x:=x−1), σ⟩ ⇒* σ' implies σ'(y) * (σ'(x))! = σ(y) * (σ(x))! and σ'(x) = 1
Lemma 3: if σ(x) ≥ 1 then ⟨S_fac, σ⟩ ⇒* σ' implies σ'(y) = (σ(x))!

Factorial example: lemma 1
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Lemma 1: if σ(x) > 1 then ⟨y:=y*x; x:=x−1, σ⟩ ⇒* σ' implies σ'(y) * (σ'(x))! = σ(y) * (σ(x))! and σ'(x) ≥ 1
Proof: Assume σ(x) > 1.
⟨y:=y*x; x:=x−1, σ⟩ ⇒ ⟨x:=x−1, σ[y ↦ σ(y)*σ(x)]⟩ ⇒ σ[y ↦ σ(y)*σ(x), x ↦ σ(x)−1] = σ'
Now σ'(y) * (σ'(x))! = (σ(y)*σ(x)) * (σ(x)−1)! = σ(y) * (σ(x))!
And since σ'(x) = σ(x)−1 and σ(x) > 1 we have that σ'(x) ≥ 1. QED

Factorial example: lemma 2
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Lemma 2: if σ(x) ≥ 1 then ⟨while (x ≠ 1) do (y:=y*x; x:=x−1), σ⟩ ⇒* σ' implies σ'(y) * (σ'(x))! = σ(y) * (σ(x))! and σ'(x) = 1
Proof: Let W denote the loop. ⟨W, σ⟩ ⇒ ⟨if (x ≠ 1) then ((y:=y*x; x:=x−1); W) else skip, σ⟩
Case 1: σ(x) = 1
Case 2: σ(x) ≠ 1, meaning σ(x) > 1

Factorial example: lemma 2, case 1
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Lemma 2: if σ(x) ≥ 1 then ⟨while (x ≠ 1) do (y:=y*x; x:=x−1), σ⟩ ⇒* σ' implies σ'(y) * (σ'(x))! = σ(y) * (σ(x))! and σ'(x) = 1
Proof (case σ(x) = 1): ⟨W, σ⟩ ⇒ ⟨if (x ≠ 1) then ((y:=y*x; x:=x−1); W) else skip, σ⟩ ⇒ ⟨skip, σ⟩ ⇒ σ
So σ' = σ and the claim holds.

Factorial example: lemma 2, case 2
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Lemma 2: if σ(x) ≥ 1 then ⟨while (x ≠ 1) do (y:=y*x; x:=x−1), σ⟩ ⇒* σ' implies σ'(y) * (σ'(x))! = σ(y) * (σ(x))! and σ'(x) = 1
Proof (case σ(x) > 1): ⟨W, σ⟩ ⇒ ⟨if (x ≠ 1) then ((y:=y*x; x:=x−1); W) else skip, σ⟩ ⇒ ⟨(y:=y*x; x:=x−1); W, σ⟩ ⇒* ⟨W, σ''⟩ ⇒* σ'
From lemma 1 we have that σ''(y) * (σ''(x))! = σ(y) * (σ(x))! and σ''(x) ≥ 1
Applying the lemma by induction on σ(x) (case 1 is the base case) gives us that σ'(y) * (σ'(x))! = σ''(y) * (σ''(x))! and σ'(x) = 1
Combining the two, we get σ'(y) * (σ'(x))! = σ''(y) * (σ''(x))! = σ(y) * (σ(x))! and σ'(x) = 1. QED

Factorial example: lemma 3
S_fac ≜ y:=1; while (x ≠ 1) do (y:=y*x; x:=x−1)
Lemma 3: if σ(x) ≥ 1 then ⟨S_fac, σ⟩ ⇒* σ' implies σ'(y) = (σ(x))!
Proof: Assume σ(x) ≥ 1.
Now ⟨y:=1; W, σ⟩ ⇒ ⟨W, σ[y ↦ 1]⟩ and σ[y ↦ 1](x) = σ(x)
Therefore, we can apply lemma 2 and obtain ⟨W, σ[y ↦ 1]⟩ ⇒* σ' with σ'(y) * (σ'(x))! = σ[y ↦ 1](y) * (σ[y ↦ 1](x))! and σ'(x) = 1
Simplifying this yields: σ'(y) * 1! = 1 * (σ(x))! and σ'(x) = 1
Meaning: σ'(y) = (σ(x))!. QED

How easy was that?
The proof is very laborious: we need to connect all transitions and argue about the relationships between their states. Reason: the proof is too closely connected to the semantics of the programming language.
The proof is long, which makes it hard to find possible mistakes.
How did we know to find this proof? Is there a methodology?

"I'll use operational semantics." "Can you prove my program correct?" "Better use axiomatic verification."

One of the oldest surviving fragments of Euclid's Elements, a textbook used for millennia to teach proof-writing techniques. The diagram accompanies Book II, Proposition 5. "P. Oxy. I 29" by Euclid - http://www.math.ubc.ca/~cass/euclid/papyrus/tha.jpg. Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/file:p._oxy._i_29.jpg#/media/file:p._oxy._i_29.jpg

A systematic approach to program verification

Axiomatic verification approach
What do we need in order to prove that the program does what it is supposed to do?
A language to express specifications
Compare the behavior with the one obtained by the operational semantics
Develop a proof system for showing that the program satisfies the specification
Mechanically use the proof system to show correctness

Axiomatic semantics contributors
Robert Floyd (1967): use assertions as the foundation for static correctness proofs
C.A.R. Hoare (1969): use Floyd's ideas to define axiomatic semantics, "An axiomatic basis for computer programming"
Edsger W. Dijkstra: predicate transformer semantics, weakest precondition and strongest postcondition

Assertions, a.k.a. Hoare triples
{ P } C { Q }
  P: precondition; C: statement, a.k.a. command; Q: postcondition
P and Q are state predicates expressed as logical formulas, e.g. x>0
If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts
C is not required to always terminate, so {true} while true do skip {false} is a valid triple

Total correctness assertions
[ P ] C [ Q ]
If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts

Specifying correctness of factorial

Factorial example: specify precondition/postcondition
{ ? } y := 1; while (x ≠ 1) do (y := y*x; x := x−1) { ? }

First attempt
{ x>0 } y := 1; while (x ≠ 1) do (y := y*x; x := x−1) { y=x! }
Problem: the postcondition refers to the value of x in the state after execution finishes, where x = 1, so it only demands y = 1!. We need a way to remember the value of x before execution.

Fixed assertion
{ x=n } y := 1; while (x ≠ 1) do (y := y*x; x := x−1) { y=n! ∧ n>0 }
n is a logical variable: it must not appear in statements, so it is immutable. Also called a ghost variable.

The proof outline
{ n! = n*(n−1)! }                                  background axiom
{ x>0 ∧ x=n }
y := 1;
{ x>0 ∧ y*x! = n! ∧ n ≥ x }                        loop invariant
while (x ≠ 1) do
  { x−1>0 ∧ (y*x)*(x−1)! = n! ∧ n ≥ (x−1) }
  y := y*x;
  { x−1>0 ∧ y*(x−1)! = n! ∧ n ≥ (x−1) }
  x := x−1
{ y*x! = n! ∧ n>0 ∧ x=1 }

Factorial spec and proof in Dafny (online)

    function Factorial(n: int): int
      requires n >= 1
    {
      if n == 1 then 1 else n * Factorial(n - 1)
    }

    method ComputeFactorial(n: int) returns (y: int)
      requires n >= 1
      ensures y == Factorial(n)
    {
      var x := n;
      y := 1;
      while x != 1
        invariant 1 <= x                             // added: Factorial(x) requires x >= 1
        invariant y * Factorial(x) == Factorial(n)   // the invariant from the proof outline
        decreases x
      {
        y := y * x;
        x := x - 1;
      }
    }

Formalizing partial correctness via Hoare logic

States and predicates
Σ: program states (State ∪ {⊥}), where ⊥ stands for undefined
A state predicate P is a (possibly infinite) set of states, P ⊆ Σ
σ ⊨ P: P holds in state σ, i.e., σ ∈ P

Formalizing Hoare triples
S_sos⟦C⟧σ = σ' if ⟨C, σ⟩ ⇒* σ', and ⊥ otherwise
⊨ { P } C { Q } iff ∀σ, σ'. (σ ⊨ P ∧ ⟨C, σ⟩ ⇒* σ') → σ' ⊨ Q
Alternatively: ⊨ { P } C { Q } iff ∀σ. σ ⊨ P → S_sos⟦C⟧σ ⊨ Q, with the convention that ⊥ ⊨ P for every P
Equivalently, viewing C as a function on sets of states: ⊨ { P } C { Q } iff C(P) ⊆ Q

How do we express predicates?
Extensional approach: abstract mathematical functions P : State → {tt, ff}
Intensional approach: via a language of formulae

An assertion language
Bexp is not expressive enough to express the predicates needed for many proofs
Extend Bexp: allow quantification, ∀z. A and ∃z. A, e.g. ∃z. z = k × n
Import well-known mathematical concepts, e.g. n! ≜ n × (n−1) × ... × 2 × 1

An assertion language
a ::= n | x | a1 + a2 | a1 × a2 | a1 − a2          (x is either a program variable or a logical variable)
A ::= true | false | a1 = a2 | a1 ≤ a2 | ¬A | A1 ∧ A2 | A1 ∨ A2 | A1 → A2 | ∀z. A | ∃z. A

Some FO logic definitions before we get to the rules

Free/bound variables
A variable is said to be bound in a formula when it occurs in the scope of a quantifier; otherwise it is said to be free
Example: (∀i. k = i×m) ∧ (i+100 ≤ 77) ∧ (∃i. j+1 = i+3): the occurrences of i under ∀i and ∃i are bound, while the i in i+100 ≤ 77 is free, as are k, m and j
FV(A): the free variables of A, defined inductively on the abstract syntax tree of A

Computing free variables
FV(n) = {}
FV(x) = {x}
FV(a1 + a2) = FV(a1 × a2) = FV(a1 − a2) = FV(a1) ∪ FV(a2)
FV(true) = FV(false) = {}
FV(a1 = a2) = FV(a1 ≤ a2) = FV(a1) ∪ FV(a2)
FV(¬A) = FV(A)
FV(A1 ∧ A2) = FV(A1 ∨ A2) = FV(A1 → A2) = FV(A1) ∪ FV(A2)
FV(∀z. A) = FV(∃z. A) = FV(A) \ {z}

Substitution
An expression t is pure (a term) if it does not contain quantifiers
A[t/z] denotes the assertion A' which is the same as A, except that all free occurrences of the variable z are replaced by t
Example: A ≜ ∀i. k = i×m
  A[5/k] = ∀i. 5 = i×m
  A[5/i] = A, since i is bound in A and has no free occurrences

Calculating substitutions
n[t/z] = n
x[t/z] = x   (x ≠ z)
x[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z]
(a1 × a2)[t/z] = a1[t/z] × a2[t/z]
(a1 − a2)[t/z] = a1[t/z] − a2[t/z]

Calculating substitutions
true[t/z] = true
false[t/z] = false
(a1 = a2)[t/z] = a1[t/z] = a2[t/z]
(a1 ≤ a2)[t/z] = a1[t/z] ≤ a2[t/z]
(¬A)[t/z] = ¬(A[t/z])
(A1 ∧ A2)[t/z] = A1[t/z] ∧ A2[t/z]
(A1 ∨ A2)[t/z] = A1[t/z] ∨ A2[t/z]
(A1 → A2)[t/z] = A1[t/z] → A2[t/z]
(∀z. A)[t/z] = ∀z. A
(∀z. A)[t/y] = ∀z. A[t/y]   (y ≠ z)
(∃z. A)[t/z] = ∃z. A
(∃z. A)[t/y] = ∃z. A[t/y]   (y ≠ z)
Caveat: the last two cases assume z ∉ FV(t); otherwise the bound z would capture a variable of t, and z must first be renamed to a fresh variable.

Equivalence in FO logic
We write A ⇒ B if for all states σ: if σ ⊨ A then σ ⊨ B, i.e., {σ | σ ⊨ A} ⊆ {σ | σ ⊨ B}
For every predicate A: false ⇒ A ⇒ true
We write A ⇔ B if A ⇒ B and B ⇒ A, e.g. false ⇔ 5=7
In writing Hoare-style proofs, we will often replace a predicate A with A' such that A ⇔ A' and A' is simpler

Six are completely enough... and now the rules

Axiomatic semantics for While
[ass_p]    { P[a/x] } x := a { P }
[skip_p]   { P } skip { P }
[comp_p]   { P } S1 { Q },  { Q } S2 { R }
           ─────────────────────────────────
           { P } S1 ; S2 { R }
[if_p]     { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
           ─────────────────────────────────────────
           { P } if b then S1 else S2 { Q }
           What's different about this rule?
[while_p]  { b ∧ P } S { P }
           ─────────────────────────────────
           { P } while b do S { ¬b ∧ P }
[cons_p]   { P' } S { Q' }
           ─────────────────────────────────   if P ⇒ P' and Q' ⇒ Q
           { P } S { Q }

Assignment rule
[ass_p] { P[a/x] } x := a { P }
A backwards rule: from the postcondition P we compute the precondition P[a/x]
x := a always finishes
Why is this true? Recall the operational semantics: [ass_sos] ⟨x := a, σ⟩ ⇒ σ[x ↦ A⟦a⟧σ]
The key fact (substitution lemma): σ ⊨ P[a/x] iff σ[x ↦ A⟦a⟧σ] ⊨ P
So every state in { σ | σ[x ↦ A⟦a⟧σ] ⊨ P } steps to a state in { σ[x ↦ A⟦a⟧σ] | σ[x ↦ A⟦a⟧σ] ⊨ P }, i.e., from a state satisfying P[a/x] the assignment reaches a state satisfying P

Practice with Dafny
Ghost methods do not get compiled to code. assume filters out states that do not satisfy the predicate; assert is a proof obligation.
The blanks (???) on the slide are the preconditions; the assignment rule gives each one as the postcondition with the assigned expression substituted for the assigned variable:

    ghost method AssignRuleTest1() {
      var x: int, y: int, z: int;
      assume y * z < 9;        // (x < 9)[y*z/x]
      x := y * z;
      assert x < 9;
    }

    ghost method AssignRuleTest2() {
      var x: int, y: int, z: int;
      assume x + 1 > 8;        // (x > 8)[x+1/x]
      x := x + 1;
      assert x > 8;
    }

    ghost method AssignRuleTest3() {
      var x: int, y: int, z: int, w: int;
      assume w == 5;           // (w = 5)[y*z/x] = (w = 5), x does not occur
      x := y * z;
      assert w == 5;
    }

{ y*z < 9 } x:=y*z { x<9 }
{ x+1 > 8 } x:=x+1 { x>8 }
{ w=5 } x:=y*z { w=5 }

skip rule
[skip_p] { P } skip { P }

Composition rule
[comp_p]  { P } S1 { Q },  { Q } S2 { R }
          ─────────────────────────────────
          { P } S1 ; S2 { R }
Lemma: ⟨S1, σ⟩ ⇒* σ' and ⟨S2, σ'⟩ ⇒* σ'' imply ⟨S1; S2, σ⟩ ⇒* σ''
Intuition: from a state where P holds, if S1 terminates it reaches a state where Q holds; from such a state, if S2 terminates it reaches a state where R holds. Neither statement is required to terminate.

Practice with Dafny
The intermediate assertion is the weakest precondition of x := x * 2 for x < 20, namely x < 10, which is also what x := x + 1 guarantees from x < 9:

    ghost method CompositionRuleTest() {
      var x: int;
      assume x < 9;
      x := x + 1;
      assert x < 10;     // (x < 20)[x*2/x] = 2x < 20 = x < 10
      x := x * 2;
      assert x < 20;
    }

{ x < 9 } x := x + 1 { x < 10 } x := x * 2 { x < 20 }

Condition rule
[if_p]  { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
        ─────────────────────────────────────────
        { P } if b then S1 else S2 { Q }
Intuitively, it means:
Split cases on whether b holds or not
For each case make sure Q holds
Conclude that Q holds in both cases

Practice with Dafny
In both branches y ends up as |x|, so the postcondition y > 8 follows from the precondition x > 8 ∨ x < −8:

    ghost method ConditionRuleTest() {
      var x: int, y: int;
      assume x > 8 || x < -8;
      if x > 0 {
        y := x;          // case b ∧ P: x > 0 ∧ (x > 8 ∨ x < -8), so x > 8
      } else {
        y := -1 * x;     // case ¬b ∧ P: x <= 0 ∧ (x > 8 ∨ x < -8), so x < -8
      }
      assert y > 8;
    }

Loop rule
[while_p]  { b ∧ P } S { P }
           ─────────────────────────────────
           { P } while b do S { ¬b ∧ P }
Here P is called an invariant for the loop: it holds before and after each loop iteration
Finding loop invariants is the most challenging part of proofs
When the loop finishes, b is false

Example: write a specification
{ timer ≥ 0 } while (timer ≠ 0) do timer := timer − 1 { timer = 0 }
The program should count to zero. The precondition is needed because the loop does not terminate for a negative timer; timer ≥ 0 also serves as the loop invariant, and together with ¬(timer ≠ 0) it gives the postcondition.

Practice with Dafny

    ghost method Timer(x: int) returns (timer: int)
      requires x >= 0
      ensures timer == 0
    {
      timer := x;
      while timer != 0
        invariant timer >= 0
        decreases timer      // added: the termination measure, well-founded given the invariant
      {
        timer := timer - 1;
      }
    }

Rule of consequence
[cons_p]  { P' } S { Q' }
          ─────────────────────────────────   if P ⇒ P' and Q' ⇒ Q
          { P } S { Q }
Allows strengthening the precondition and weakening the postcondition
The only rule that is not related to a statement

Rule of consequence
[cons_p]  { P' } S { Q' }
          ─────────────────────────────────   if P ⇒ P' and Q' ⇒ Q
          { P } S { Q }
Why do we need it? It allows the following step, since y*z<9 ∧ w=5 ⇒ y*z<9:
{ y*z<9 } x:=y*z { x<9 }
{ y*z<9 ∧ w=5 } x:=y*z { x<9 }
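The following is an added, runnable example and not code from the lecture. It implements, for the quantifier-free fragment of the assertion language, the pieces the preceding slides describe: an interpreter that follows the structural semantics rules (⟨S, σ⟩ ⇒* σ'), the substitution A[t/z] behind the assignment axiom, a weakest-precondition generator that applies [ass_p], [skip_p], [comp_p], [if_p] and [while_p] (with [cons_p] folded into the loop side conditions), and two checkers: one tests the generated verification conditions on every state over a small integer box, the other tests ⊨ {P} C {Q} directly from its definition by running the program. The tuple encoding of terms, assertions and statements, the choice to let n! evaluate to 0 for negative n (where it is undefined), and the bounded domain are all assumptions of this example; the bounded check is a sanity test, not a proof, whereas a verifier such as Dafny hands the same VCs to an SMT solver. The factorial program and its invariant y*x! = n! ∧ 1 ≤ x ∧ x ≤ n are the ones from the proof outline.

```python
# Added example, not from the lecture: a toy While language with a structural-
# semantics interpreter, syntactic substitution A[t/z], a weakest-precondition /
# verification-condition generator following [ass_p], [skip_p], [comp_p], [if_p]
# and [while_p], and a bounded checker that tests the VCs on small integer states.
# The bounded check is a sanity test, not a proof. Terms, assertions and
# statements are plain nested tuples:
#   term:      int | 'x' | ('+'|'-'|'*', t1, t2) | ('!', t)
#   assertion: bool | ('='|'<=', t1, t2) | ('not', A) | ('and'|'or'|'->', A, B)
#   statement: ('skip',) | ('assign', x, a) | ('seq', S1, S2)
#              | ('if', b, S1, S2) | ('while', b, invariant, S)
from itertools import product
from math import factorial


def eval_term(t, s):
    """A[[t]]s: value of term t in state s (a dict from variable names to ints)."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return s[t]
    op, *args = t
    if op == '!':                                   # n!, imported from mathematics
        v = eval_term(args[0], s)
        return factorial(v) if v >= 0 else 0        # n! is undefined for n < 0; 0 is a dummy
    a, b = (eval_term(x, s) for x in args)
    return {'+': a + b, '-': a - b, '*': a * b}[op]


def holds(A, s):
    """s |= A: does assertion A hold in state s?"""
    if isinstance(A, bool):
        return A
    op, *args = A
    if op == 'not':
        return not holds(args[0], s)
    if op in ('and', 'or', '->'):
        p, q = (holds(x, s) for x in args)
        return {'and': p and q, 'or': p or q, '->': (not p) or q}[op]
    a, b = (eval_term(x, s) for x in args)
    return a == b if op == '=' else a <= b


def subst(A, t, z):
    """A[t/z]: replace variable z by term t (quantifier-free, so no capture to avoid)."""
    if isinstance(A, str):
        return t if A == z else A
    if isinstance(A, (int, bool)):
        return A
    return (A[0],) + tuple(subst(x, t, z) for x in A[1:])


def run(S, s, fuel=10_000):
    """<S, s> =>* s' by the structural semantics; raises if no final state within fuel steps."""
    s, stack = dict(s), [S]
    while stack:
        if fuel == 0:
            raise TimeoutError("no terminating run within the step budget")
        fuel -= 1
        S = stack.pop()
        if S[0] == 'assign':                        # [ass_sos]: s[x -> A[[a]]s]
            s[S[1]] = eval_term(S[2], s)
        elif S[0] == 'seq':                         # [comp_sos]: S1 first, then S2
            stack += [S[2], S[1]]
        elif S[0] == 'if':                          # [if_sos]
            stack.append(S[2] if holds(S[1], s) else S[3])
        elif S[0] == 'while':                       # [while_sos]: unfold one iteration
            stack.append(('if', S[1], ('seq', S[3], S), ('skip',)))
    return s


def wp(S, Q, vcs):
    """Weakest precondition of S for postcondition Q; loop side conditions go into vcs."""
    if S[0] == 'skip':                              # [skip_p]
        return Q
    if S[0] == 'assign':                            # [ass_p]: Q[a/x]
        return subst(Q, S[2], S[1])
    if S[0] == 'seq':                               # [comp_p]
        return wp(S[1], wp(S[2], Q, vcs), vcs)
    if S[0] == 'if':                                # [if_p]
        b = S[1]
        return ('and', ('->', b, wp(S[2], Q, vcs)), ('->', ('not', b), wp(S[3], Q, vcs)))
    b, inv, body = S[1], S[2], S[3]                 # [while_p] combined with [cons_p]
    vcs.append(('->', ('and', b, inv), wp(body, inv, vcs)))   # the body preserves inv
    vcs.append(('->', ('and', ('not', b), inv), Q))           # inv and not b give Q
    return inv


def box(names, lo, hi):
    return (dict(zip(names, v)) for v in product(range(lo, hi + 1), repeat=len(names)))


def verify(P, S, Q, names, lo=-3, hi=6):
    """Generate the VCs for {P} S {Q} and check them on every state in the box."""
    vcs = []
    vcs.append(('->', P, wp(S, Q, vcs)))
    return all(holds(vc, s) for vc in vcs for s in box(names, lo, hi))


def satisfies(P, S, Q, names, lo=-3, hi=6):
    """|= {P} S {Q} by definition: from every P-state, a terminating run must end in Q."""
    for s in (s for s in box(names, lo, hi) if holds(P, s)):
        try:
            if not holds(Q, run(S, s)):
                return False
        except TimeoutError:                        # non-termination is fine: partial correctness
            pass
    return True


# The lecture's factorial program, y := 1; while x != 1 do (y := y*x; x := x-1),
# annotated with the proof-outline invariant y*x! = n! and 1 <= x and x <= n.
X_NE_1 = ('not', ('=', 'x', 1))
BODY = ('seq', ('assign', 'y', ('*', 'y', 'x')), ('assign', 'x', ('-', 'x', 1)))
INV = ('and', ('and', ('=', ('*', 'y', ('!', 'x')), ('!', 'n')), ('<=', 1, 'x')), ('<=', 'x', 'n'))
S_FAC = ('seq', ('assign', 'y', 1), ('while', X_NE_1, INV, BODY))
P_FAC = ('and', ('=', 'x', 'n'), ('<=', 1, 'n'))    # { x = n and n >= 1 }
Q_FAC = ('=', 'y', ('!', 'n'))                        # { y = n! }
Q_NAIVE = ('=', 'y', ('!', 'x'))                      # the "first attempt": final x is always 1
```

verify(P_FAC, S_FAC, Q_FAC, ['x', 'y', 'n']) returns True, and so does satisfies with the same triple; satisfies(('<=', 1, 'x'), S_FAC, Q_NAIVE, ...) returns False as soon as it runs from x = 2, which is exactly the problem with the first-attempt specification. Dropping the conjunct 1 ≤ x from the invariant makes verify fail too, because the preservation condition is violated at x = 0, where (x−1)! is meaningless. wp(('assign', 'x', ('*', 'y', 'z')), ('<=', 'x', 8), []) produces ('<=', ('*', 'y', 'z'), 8), the precondition y*z < 9 from the assignment-rule practice slide.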

See you next time