Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Similar documents
Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Soundness and Completeness of Axiomatic Semantics

Introduction to Axiomatic Semantics

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Hoare Logic: Part II

Programming Languages

Floyd-Hoare Style Program Verification

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

CSE 331 Winter 2018 Reasoning About Code I

Hoare Calculus and Predicate Transformers

Program verification using Hoare Logic¹

Deductive Verification

Program verification. 18 October 2017

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Introduction to Axiomatic Semantics

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

CS558 Programming Languages

Verification and Validation

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Reasoning About Imperative Programs. COS 441 Slides 10b

CSE 331 Software Design & Implementation

Weakest Precondition Calculus

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Program Analysis Part I : Sequential Programs

Proof Rules for Correctness Triples

Programming Languages and Compilers (CS 421)

Mid-Semester Quiz Second Semester, 2012

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Hoare Logic: Reasoning About Imperative Programs

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Deterministic Program The While Program

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Logic. Propositional Logic: Syntax. Wffs

A Short Introduction to Hoare Logic

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Software Engineering

Hoare Logic: Reasoning About Imperative Programs

Model Checking: An Introduction

Proofs of Correctness: Introduction to Axiomatic Verification

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Formal Methods in Software Engineering

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Lecture 2: Axiomatic semantics

Propositional Logic: Syntax

The Assignment Axiom (Hoare)

Loop Convergence. CS 536: Science of Programming, Fall 2018

Decision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17

Probabilistic Guarded Commands Mechanized in HOL

Hoare Logic and Model Checking

Strength; Weakest Preconditions

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Logic. Propositional Logic: Syntax

CS 6110 Lecture 21 The Fixed-Point Theorem 8 March 2013 Lecturer: Andrew Myers. 1 Complete partial orders (CPOs) 2 Least fixed points of functions

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Last Time. Inference Rules

Proof Calculus for Partial Correctness

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

5. Program Correctness: Mechanics

Programming Languages

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Hoare Examples & Proof Theory. COS 441 Slides 11

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

CSE 331 Winter 2018 Homework 1

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Program Analysis and Verification

ESE601: Hybrid Systems. Introduction to verification

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

Formal Methods for Probabilistic Systems

C241 Homework Assignment 9

Lecture Notes on Software Model Checking

CS156: The Calculus of Computation

Foundations of Computation

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Abstract Interpretation (Non-Standard Semantics) a.k.a. Picking The Right Abstraction

Chapter 7 Propositional Satisfiability Techniques

CS156: The Calculus of Computation

Learning Goals of CS245 Logic and Computation

Abstract Interpretation, or Non-Standard Semantics, or Picking the Right Abstraction

Formal Specification and Verification. Specifications

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

n Empty Set:, or { }, subset of all sets n Cardinality: V = {a, e, i, o, u}, so V = 5 n Subset: A B, all elements in A are in B

Proving Inter-Program Properties

Abstraction for Falsification

Abstract Interpretation, or Non-Standard Semantics, or Picking the Right Abstraction

Abstractions and Decision Procedures for Effective Software Model Checking

Automata-Theoretic Model Checking of Reactive Systems

Top Down Design. Gunnar Gotshalks 03-1

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

2. Introduction to commutative rings (continued)

Axiomatic Verification II

Transcription:

Axiomatic Semantics: Verification Conditions Meeting 18, CSCI 5535, Spring 2010 Announcements Homework 6 is due tonight Today s forum: papers on automated testing using symbolic execution Anyone looking for a group? HW5 Time: 12.2 hrs mean, 4.9 stddev, 12 median 2 Questions? Review of Soundness of Axiomatic Semantics One-Slide Summary A system of axiomatic semantics is sound if everything we can prove is also true. if ` { A } c { B } then ² { A } c { B } We prove this by nested induction on the structure of the operational semantics derivation and the axiomatic semantics proof. A system of axiomatic semantics is complete if we can prove all true things. if ² { A } c { B } then ` { A } c { B } Our system is relatively complete (= just as complete as the underlying logic. We use weakest preconditions to reason about soundness. Verification conditions are preconditions that are easy to compute. 5 Where Do We Stand? We have a language for asserting properties of programs We know when such an assertion is true We also have a symbolic method for deriving assertions meaning A {A} c {B} soundness symbolic derivation (theorem proving ` A ` { A} c {B} σ²a ² {A} c {B} completeness 6 1

Completeness of Axiomatic Semantics End of Review If ² {A} c {B} can we always derive ` {A} c {B}? If so, axiomatic semantics is complete If not then there are valid properties of programs that we cannot verify with Hoare rules :-( Good news: for our language the Hoare triples are complete Bad news: only if we can decide the underlying logic (given an oracle to decide ² A - this is called relative completeness 8 Proof Idea Dijkstra s idea: To verify that { A } c { B } a Find out all predicates A such that ² { A } c { B } call this set Pre(c, B (Pre = pre-conditions b Verify for one A 2 Pre(c, B that AA Assertions can be ordered: false strong Pre(c, B A weakest precondition: wp(c, B true weak Thus: compute wp(c, B and prove Awp(c, B 9 Proof Idea Completeness of axiomatic semantics: If ² { A } c { B } then ` { A } c { B } Assuming that we can compute wp(c, B with the following properties: wp is a precondition (according to the Hoare rules ` { wp(c, B } c { B } wp is (truly the weakest precondition If ²{ A } c { B } then ²A wp(c, B ² A wp(c, B ` {wp(c, B} c {B} ` {A} c {B} 10 Define wp(c, B inductively on c, following the Hoare rules: wp(c 1 ; c 2, B = {A} c 1 {C} {C} c 2 {B} { A } c 1 ; c 2 {B} wp(x := e, B = { [e/x]b } x := E {B} {A 1 } c 1 {B} {A 2 } c 2 {B} { b A 1 Æ:b A 2 } if b then c 1 else c 2 {B} wp(if b then c 1 else c 2, B = 11 Define wp(c, B inductively on c, following the Hoare rules: wp(c 1 ; c 2, B = wp(c 1, wp(c 2, B wp(x := e, B = [e/x]b {A} c 1 {C} {C} c 2 {B} { A } c 1 ; c 2 {B} { [e/x]b } x := E {B} {A 1 } c 1 {B} {A 2 } c 2 {B} { E A 1 Æ:E A 2 } if E then c 1 else c 2 {B} wp(if E then c 1 else c 2, B = E wp(c 1, B Æ:E wp(c 2, B 12 2

for while We start from the unwinding equivalence while b do c = if b then c; while b do c else skip Let w = while b do c and W = wp(w, B We have that W = b wp(c, W Æ :b B But this is a recursive equation! We know how to solve these using domain theory But we need a domain for assertions 13 A Partial-Order for Assertions Which assertion contains the least information? true does not say anything about the state What is an appropriate information ordering? A v A iff ² A A Is this partial order complete? Take a chain A 1 v A 2 v Let ÆA i be the infinite conjunction of A i σ²æa i iff for all i we have that σ²a i I assert that ÆA i is the least upper bound Can ÆA i be expressed in our language of assertions? Often yes (see Winskel, we ll assume yes for now 14 Weakest Precondition for while Use the fixed-point theorem F(A = b wp(c, A Æ:b B (Where did this come from? Three slides back! I assert that F is both monotonic and continuous The least-fixed point (= the weakest fixed point is wp(w, B = ÆF i (true Define a family of wp s wp k (while e do c, B = weakest precondition on which the loop terminates in B if it terminates in k or fewer iterations wp 0 = : E B wp 1 = E wp(c, wp 0 Æ:E B wp(while e do c, B = Æ k 0 wp k = lub {wp k k 0} See notes on the web page for the proof of completeness with weakest preconditions Weakest preconditions are Impossible to compute (in general Can we find something easier to compute yet sufficient? 15 16 About your classmates At one point nationally ranked in tennis Rated 2 dan from American Go Association Listens almost exclusively to early music (Medieval, Renaissance, Baroque Has a 5 year old who builds amazing things with Legos Grew up in Santa Claus, Indiana Spent 2 weeks in Mexico studying how Professors teach English BS from Christopher Newport Univ Verification Condition Generation 17 3

Not Quite Recall what we are trying to do: false Pre(s, B strong weakest A precondition: WP(c, B verification condition: VC(c, B true weak We shall construct a verification condition: VC(c, B The loops are annotated with loop invariants! VC is guaranteed stronger than WP But hopefully still weaker than A: A VC(c, B WP(c, B CS 263 19 Groundwork Factor out the hard work Loop invariants Function specifications (pre- and post-conditions Assume programs are annotated with such specs Good software engineering practice anyway Requiring annotations = Kiss of Death? New form of while that includes a loop invariant: while Inv b do c Invariant formula Inv must hold every time before b is evaluated A process for computing VC(annotated_command, post_condition is called VCGen CS 263 20 Verification Condition Generation Mostly follows the definition of the wp function: VC(skip, B = B VC(c 1 ; c 2, B = VC(c 1, VC(c 2, B VC(if b then c 1 else c 2, B = b VC(c 1, B Æ:b VC(c 2, B VC(x := e, B = [e/x] B VC(while Inv b do c, B =? 21 VCGen for while VC(while Inv e do c, B = Inv Æ (8x 1 x n. Inv (e VC(c, Inv Æ :e B Inv holds on entry Inv is preserved in an arbitrary iteration B holds when the loop terminates in an arbitrary iteration Inv is the loop invariant (provided externally x 1,, x n are all the variables modified in c The 8 is similar to the 8 in mathematical induction: P(0 Æ8n 2N. P(n P(n+1 22 Example VCGen Problem Let s compute the VC of this program with respect to post-condition x 0 x = 0; y = 2; while x+y=2 y > 0 do y := y - 1; x := x + 1 First, what do we expect? What pre-condition do we need to ensure x 0 after this? 23 Example of VCGen By the sequencing rule, first we do the while loop (call it w: while x+y=2 y > 0 do y := y - 1; x := x + 1 VCGen(w, x 0 = x+y=2 Æ Preserve loop invariant Ensure post on exit 8x,y. x+y=2 (y>0 VC(c, x+y=2 Æ y 0 x 0 VCGen(y:=y-1 ; x:=x+1, x+y=2 = (x+1 + (y-1 = 2 w Result: x+y=2 Æ 8x,y. x+y=2 (y>0 (x+1+(y-1=2 Æ y 0 x 0 24 4

Example of VCGen VC(w, x 0 = x+y=2 Æ 8x,y. x+y=2 (y>0 (x+1+(y-1=2 Æ y 0 x 0 VC(x := 0; y := 2 ; w, x 0 = 0+2=2 Æ 8x,y. x+y=2 (y>0 (x+1+(y-1=2 Æ y 0 x 0 So now we ask an automated theorem prover to prove it. 25 Prove it! $./Simplify > (AND (EQ (+ 0 2 2 (FORALL ( x y (IMPLIES (EQ (+ x y 2 (AND (IMPLIES (> y 0 (EQ (+ (+ x 1(- y 1 2 (IMPLIES (<= y 0 (NEQ x 0 1: Valid. Great! Simplify is a non-trivial five megabytes 26 Can We Mess Up VCGen? Prove it! The invariant is from the user (= the adversary, the untrusted code base Let s use a loop invariant that is false, like x 0. VC = 0 0 Æ 8x,y. x 0 (y>0 x+1 0 Æ y 0 x 0 Let s use a loop invariant that is too weak, like true. VC = true Æ 8x,y. true (y>0 true Æ y 0 x 0 27 $./Simplify > (AND TRUE (FORALL ( x y (IMPLIES TRUE (AND (IMPLIES (> y 0 TRUE (IMPLIES (<= y 0 (NEQ x 0 Counterexample: context: (AND (EQ x 0 (<= y 0 1: Invalid. OK, so we won t be fooled. 28 Soundness of VCGen Simple form Or equivalently that ² { VC(c,B } c { B } ² VC(c, B wp(c, B Proof is by induction on the structure of c Try it! Soundness holds for any choice of the invariant! Next: properties and extensions of VCs 29 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback