Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Similar documents
Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Proofs of Correctness: Introduction to Axiomatic Verification

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Programming Languages and Compilers (CS 421)

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Hoare Logic and Model Checking

Program verification. 18 October 2017

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Floyd-Hoare Style Program Verification

Axiomatic Verification II

Hoare Calculus and Predicate Transformers

CS558 Programming Languages

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Program verification using Hoare Logic¹

Proof Calculus for Partial Correctness

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

The Assignment Axiom (Hoare)

Learning Goals of CS245 Logic and Computation

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Hoare Logic: Reasoning About Imperative Programs

Foundations of Computation

Deductive Verification

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Last Time. Inference Rules

Hoare Logic: Reasoning About Imperative Programs

Program Analysis Part I : Sequential Programs

Reasoning About Imperative Programs. COS 441 Slides 10b

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Weakest Precondition Calculus

Logic. Propositional Logic: Syntax

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Hoare Logic: Part II

Lecture 2: Axiomatic semantics

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Introduction to Axiomatic Semantics

Verifying Properties of Parallel Programs: An Axiomatic Approach

Program Analysis and Verification

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Propositional Logic: Syntax

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Logic. Propositional Logic: Syntax. Wffs

Lecture 17: Floyd-Hoare Logic for Partial Correctness

Deterministic Program The While Program

A Short Introduction to Hoare Logic

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Software Engineering

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Verification Frameworks and Hoare Logic

Mid-Semester Quiz Second Semester, 2012

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Calculating axiomatic semantics from program equations by means of functional predicate calculus

Soundness and Completeness of Axiomatic Semantics

Abstract Interpretation and Static Analysis

Unifying Theories of Programming

Notation for Logical Operators:

Hoare Examples & Proof Theory. COS 441 Slides 11

Probabilistic Guarded Commands Mechanized in HOL

Asynchronous Communication 2

Proof Rules for Correctness Triples

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

CSE20: Discrete Mathematics

CIS (More Propositional Calculus - 6 points)

arxiv: v1 [cs.pl] 5 Apr 2017

Predicate Logic. x. x + 0 = x. Predicate logic over integer expressions: a language of logical assertions, for example. Why discuss predicate logic?

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

Control Predicates Are Better Than Dummy Variables For Reasoning About Program Control

(La méthode Event-B) Proof. Thanks to Jean-Raymond Abrial. Language of Predicates.

n Empty Set:, or { }, subset of all sets n Cardinality: V = {a, e, i, o, u}, so V = 5 n Subset: A B, all elements in A are in B

Proving Programs Correct

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Abstract Interpretation from a Topological Perspective

Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004

Formal Methods in Software Engineering

Today s Lecture. Lecture 4: Formal SE. Some Important Points. Formal Software Engineering. Introduction to Formal Software Engineering

Lecture Notes on Software Model Checking

ICS141: Discrete Mathematics for Computer Science I

Semantics and Verification of Software

Formal Verification with Ada 2012

Loop Convergence. CS 536: Science of Programming, Fall 2018

Introduction to Metalogic

INVARIANT RELATIONS: A CONCEPT FOR ANALYZING WHILE LOOPS. Ali Mili, NJIT NII, Tokyo, Japan December 20, 2011

Decision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Propositional Calculus - Hilbert system H Moonzoo Kim CS Division of EECS Dept. KAIST

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications

Transcription:

Program verification Assertional semantics of a program Meaning of a program: relation between its inputs and outputs; specified by input assertions (pre-conditions) and output assertions (post-conditions) assertions are predicate-logic formulae; atomic propositions are program variables Example assertion: x > 20 y 5 where x and y are variables Assertional semantics (cont) Key ideas: Formalize the meaning of each type of statement using a deductive system of axioms and inference rules. Program can be proved correct by constructing a proof in this system. Program can even be synthesized from its axiomatic specification by searching for such a proof, using the structure of the proof to construct the program. Contributions to programming: Proofs of program correctness Notion of invariants to aid in documentation and understanding Hoare triples Assertions of the form: {P} S {Q} where P & Q are assertions and S is a statement. Interpretation: If P is true before execution of S, and if S terminates, then Q is true thereafter. Example: { x = 5 } x := x + { x = 6 } Semantics of assignment Given an assignment of the form: x := E and a post-condition P. Axiomatic definition of assignment is: { P [x E] } x := E { P } where P [x E] is the consistent substitution of E for all occurrences of x in P Example: Theorem: { k = 5 } k := k + { k = 6 } Let P { k = 6 } be the post-condition By the assignment axiom, the pre-condition must be: P [k k + ] P [ k k + ] { k + = 6 } { k = 5 }

Example: Theorem: { a > 0 } a := a { a 0 } Let P { a 0 } be the post-condition Then the pre-condition must be P [ a a ] P [a a ] (a ) 0 Thus: { (a ) 0 } a := a { a 0 } Note: this is not exactly what we wanted Inference rules Sometimes a pre-condition is stronger than what is proved by applying the assignment axiom. This is OK. The following inference rule justifies replacing the proved pre-condition with the stronger one: P Q, { Q } S { R } { P } S { R} [strengthenpre] Example (continued) Strengthen pre-condition to finish proving { a > 0 } a := a { a 0 } from: { (a ) 0 } a := a { a 0 } Weakening post-conditions It may also be useful to weaken a postcondition. The following rule justifies such an action: Proof (continued): Note: a > 0 a a 0 Thus: a > 0 a 0 Then apply pre-condition strengthening rule. { P} S { Q }, Q R { P } S { R} [weakenpost] Semantics of read and write I/O commands: assume existence of input and output files We use IN = and OUT = to indicate contents of these files in assertions Semantics of sequencing Sequential composition of statements requires the post-condition of the first to establish the pre-condition of the second. Axiom for read: { IN = [K] L P [V K ] } read V { IN = L P } Axiom for write: { OUT = L E = K P } write E { OUT = L[K] E = K P } { P} S { Q }, { Q } S 2 { R } { P } S ; S 2 { R } [sequence] 2

Semantics of conditionals The if command involves a choice between options. Semantics of conditionals (cont) When there is no else part, the rule simplifies to: { P B } S { Q }, { P B } S 2 { Q } { P } if B then S else S 2 if { Q } [ifelse] { P B } S { Q }, P B Q { P } if B then S if { Q } [ifthen] Semantics of loops Example Proof rule organized around loop invariant Assertion which: Must hold initially, Must hold after each execution of loop body, and Combined with exit condition, must imply loop post-condition Captures the essence of computation in the loop Requires insight to develop { I B } S { I } { I } while B do S while { I B } [loop] { N 0 } k := N; f := ; while k > 0 do f := f * k; f := k ; while { f = N! } Question: What is the invariant? Example (continued) Example: Setting up invariant k 5 4 3 2 0 k! 24 6 2 f 5 20 60 f*k! Observe: By tabulating values, we can discover a value that is invariant N! = 5 * 4 * 3 * 2 * f k! Candidate invariant: I { N! = f * k! k 0 } Theorem: { N 0 } k := N; f := { f * k! = N! k 0 } { N 0 } { N! = N! N 0 } k := N; { k! = N! k 0 } { * k! = N! k 0 } f := ; { f * k! = N! k 0 } 3

Example: Invariant preserved in body Example: Assertion after loop Theorem: { I (k > 0) } f := f * k; k := k { I } { I (k > 0) } { f * k! = N! k > 0 } { f * k * (k )! = N! k > 0 } f := f * k; { f * (k )! = N! k > 0 } { f * (k )! = N! (k ) 0 } k := k ; { f * k! = N! k 0 } { I } { I (k > 0) } { f * k! = N! k 0 k 0 } { f * k! = N! k = 0 } { f = N! k = 0 } { f = N! } Guidelines for discovering invariant Loop invariant describes relationship among variables that does not change as loop executes Variables may change values, but relationship remains the same Constructing table of values for variables often reveals a property that does not change Combining what has been computed with what has yet to be computed often yields a constant Expression related to test (B) for the loop can usually be combined with assertion ( B) to produce part of postcondition Algol-60 style blocks Block declarations take the form: Block Declaration* Command Declaration const Identifier = Expression var Identifier : Type procedure Identifier is Block procedure Identifier ( Identifier : Type ) is Block Example: const x = 0; var y : integer; read y; y := x + y; write y Semantics of blocks Procedure/constant declarations pre-processed : For each d constant c with value N, predicate Const has a conjunct: c = N. For each d procedure p, predicate Procs has: a conjunct: body(p) = B, where B is the body of p, and a conjunct: parameter(p) = F, where F is the formal parameter of p (if any). Proof rule is: Procs { P Const } C { Q } { P } D C { Q } [sequence] Non-recursive procedure calls Calling non-recursive procedure with no parameter requires proving logical relation of assertions around the execution of procedure body. { P } B { Q }, body(proc) = B { P } proc { Q } [Call 0 ] 4

Example (procedure call) Calls with parameters procedure square is x := x * x square Here: Procs is the assertion body(square) = (x := x * x) Const is the assertion true Thus, we must show: body(square) = ( x := x * x ) { x = N true } square { x = N * N } To apply Call0, we must show: { x = N true } x := x * x { x = N * N } Calling non-recursive procedure with parameter requires binding actual parameter to formal in pre- and post-condition. { P } B { Q }, body(proc) = B, parameter(proc) = F { P [F E] } proc(e) { Q [F E] } [Call ] Example (procedure call) Proof procedure increment( step : integer ) is x := x + step Procs parameter(increment) = step body(increment) = (x := x + step) Const true We must show: parameter(increment) = step body(increment) = (x := x + step) { x = M y = N true } { x = M + N y = N } By rule for procedure invocation with parameters, we must show: { x = M step = N } x := x + step { x = M + N step = N } Formal proof Recursive procedures parameter(increment) = step body(increment) = (x := x + step) parameter(increment) = step body(increment) = (x := x + step) { x = M step = N } x := x + step { x = M + N step = N } { x = M y = N true } { x = M + N y = N } Prove a call to a recursive procedure is correct by assuming embedded calls to the procedure are correct. { x = M y = N } procedure increment( step : integer ) is x := x + step { x = M + N y = N } { P } proc { Q } { P } C { Q }, body(proc) = C { P} proc { Q } [Recursion 0 ] 5

Proving termination Proof rules described thus far: show only partial correctness i.e., {P} S {Q} means that when initiated with P true, if execution of S terminates, then Q will be true thereafter. proof of termination handled as separate problem Termination not problem for some statements: e.g., assignments, i/o, and non-recursive procedure invocation Must prove termination for while loops and invocation of recursively defined procedures Showing termination of while loops Two steps: Find a set W with a strict well-founded ordering Find a termination expression, E, with the following properties: Whenever control passes through the ning of the iterative loop, the value of E is in W E takes a smaller value with respect to > each time the top of the iterative loop is passed. P B E W { P B E=A } C { A > E } Example read n; k := 0; f := ; while k < n do k := k + ; f := k * f while; write f Let: W be set of natural numbers E be the expression n k Clearly: (n k 0) which implies n k is in W. Can easily prove: { n k = A } k := k + ; f := f * k; { n k = A < A } 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback