Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification Spring 2016 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Published byEmery Gabriel Stone Modified over 7 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification Spring 2016 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University."— Presentation transcript:

1 Program Analysis and Verification Spring 2016 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University

2 Tentative syllabus Program Verification Operational semantics Hoare Logic Applying Hoare Logic Weakest Precondition Calculus Proving Termination Data structures Program Analysis Basics Control Flow Graphs Equation Systems Collecting Semantics Using Soot Abstract Interpretation fundamentals LatticesFixed-Points Chaotic Iteration Galois Connections Domain constructors Widening/ Narrowing Analysis Techniques Numerical Domains Alias analysis Interprocedural Analysis Shape Analysis CEGAR 2

3 Previously Basic notions of correctness Formalizing Hoare triples FO logic – Free variables – Substitutions Hoare logic rules 3

4 Warm-up exercises 1.Define program state: 2.Define state predicate: 3.Define   P 4.Formalize {P} C {Q} via structural semantics: 5.FV(  m. x=k+1  0  m  x-1  nums(m)  res ) = { } 6.(  m. x=k+1  0  m  x-1  nums(m)  res )[x+1/x] = 4

5 Inference system Annotating programs with proofs Properties of the semantics Predicate transformer calculus – Weakest precondition calculus – Strongest postcondition calculus 5 Chapter 6 Agenda

6 Axiomatic semantics as an inference system 6

7 Inference trees Trees describing rule applications that ultimately prove a program correct Leaves are axiom applications Internal nodes correspond to rule applications over triples inferred from sub-trees Inference tree is called – Simple if tree is only an axiom – Composite otherwise 7

8 Factorial proof inference tree 8 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W { x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } {x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W {y=n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) {y=n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } will show later

9 Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } – Are inference trees unique? {true} x:=1; x:=x+5 {x  0} Proving properties of axiomatic semantics by induction on the shape of the inference tree – Example: prove  p { P } C { true } for any P and C 9 Where does the non-determinism come from?

10 Annotating programs with proofs 10

11 Annotated programs A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code”proof carrying code – Going from annotated program to proof tree is a linear time translation 11

12 Annotating composition We can inline inference trees into programs Using proof equivalence of S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 instead of writing deep trees, e.g., 12 {P} (S 1 ; S 2 ); (S 3 ; S 4 ) {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} (S 3 ; S 4 ) {Q} {P} S 1 {P’} {P’} S 2 {P’’}{P’’} S 3 {P’’’} {P’’’} S 4 {P’’} We can annotate a composition S 1 ; S 2 ;…; S n by {P 1 } S 1 {P 2 } S 2 … {P n-1 } S n-1 {P n }

13 Annotating conditions 13 { P } if b then { b  P } S 1 else {  b  P } S 2 { Q }

14 Annotating conditions 14 { P } if b then { b  P } S 1 { Q 1 } else {  b  P } S 2 { Q 2 } { Q } { b  P } S 1 { Q 1 } {  b  P } S 2 { Q 2 } { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] [cons]

15 Annotating loops 15 { P } while b do { b  P } S {  b  P }

16 Annotating loops 16 { P } while b do { b  P } S { P’ } {  b  P } { Q } P’ implies P  b  P implies Q

17 Annotating loops 17 { P } while b do { b  P } S {  b  P } Source of confusion

18 Annotating loops – alternative 1 18 while { P } b do { b  P } S {  b  P }

19 Annotating loops – alternative 2 19 Inv = { P } while b do { b  P } S {  b  P } We will take this alternative in our examples and homework assignments

20 Annotating formula transformations We often rewrite formulas – To make proofs more readable – Using logical/mathematical identities – Imported mathematical theorems 20 {  } {  ’ } // transformation 1 {  ’’ } // transformation 2

21 Exercising Hoare logic 21

22 Exercise 1: variable swap – specify 22 { ? } t := x x := y y := t { ? }

23 Exercise 1: Prove using Hoare logic 23 { y=b  x=a } t := x { ? } x := y { ? } y := t { x=b  y=a }

24 Exercise 1: Prove using Hoare logic 24 { y=b  x=a } t := x { y=b  t=a } x := y { x=b  t=a } y := t { x=b  y=a }

25 Absolute value program 25 if x<0 then x := -x else skip if b then S is syntactic sugar for if b then S else skip The latter form is easier to reason about

26 Absolute value program – specify 26 { ? } if x<0 then x := -x else skip { ? }

27 Absolute value program – specify 27 { x=v } if x<0 then x := -x else skip { x=|v| }

28 Exercise 2: Prove using Hoare logic 28 { x=v } { } if x<0 then { } x := -x { } else { } skip { } {x=|v| }

29 Exercise 2: Prove using Hoare logic 29 { x=v } { (-x=|v|  x<0)  (x=|v|  x  0) } if x<0 then { -x=|v| } x := -x { x=|v| } else { x=|v| } skip { x=|v| } { x=|v| }

30 Annotated programs: factorial 30 { x=n } y := 1; Inv = { x>0  y*x!=n!  n  x } while  (x=1) do { x-1>0  (y*x)*(x-1)!=n!  n  (x-1) } y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { y*x!=n!  n>0 } Contrast with proof via structural semantics Where did the inductive argument over loop iterations go?

31 Detailed proof steps 31 { x=n } y := 1; { x=n  y=1 } Inv = { x>0  y*x!=n!  n  x } while  (x=1) do { x  1  (x>0  y*x!=n!  n  x) } => ? { x>1  y*x!=n!  n  (x-1) } y := y*x; { x-1>0  y*(x-1)!=n!  n  (x-1) } x := x–1 { x>0  y*x!=n!  n  x } { y*x!=n!  n>0 }

32 Detailed proof of implication 32 { x  1  (x>0  y*x!=n!  n  x) } => relax inequality { x  1  (x>0  y*x!=n!  n  (x-1)) } => use logical identity A  B equals  A  B { x  1  (x  0  y*x!=n!  n  (x-1)) } => distribute  over  {(x  1  x  0)  (x  1  y*x!=n!  n  (x-1)) } => x  0 subsumes x  1  x  0 { x  0  (x  1  y*x!=n!  n  (x-1)) } => weaken conjunction by removing x  1 { x  0  (y*x!=n!  n  (x-1)) } => relax x  0 into x  1 { x  1  (y*x!=n!  n  (x-1)) } => use logical identity A  B equals  A  B { x  1  (x  1  y*x!=n!  n  (x-1))} write x  1 as x>1 { x>1  y*x!=n!  n  (x-1) }

33 Properties of the semantics 33

34 Properties of the semantics Equivalence – What is the analog of program equivalence in axiomatic verification? 34 Soundness – Can we prove incorrect properties? Completeness – Is there something we can’t prove?

35 Provable equivalence We say that C 1 and C 2 are provably equivalent if for all P and Q  p { P } C 1 { Q } if and only if  p { P } C 2 { Q } Examples: – S; skip and S – S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 35

36 S 1 ; (S 2 ; S 3 ) is provably equivalent to (S 1 ; S 2 ); S 3 36 {P} S 1 ; (S 2 ; S 3 ) {Q} {P} S 1 {P’} {P’} (S 2 ; S 3 ) {Q} {P’} S 2 {P’’} {P’’} S 3 {Q} {P} (S 1 ; S 2 ); S 3 {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} S 3 {Q} {P} S 1 {P’} {P’} S 2 {P’’}

37 Valid assertions We say that { P } C { Q } is valid if for all states , if   P and  C,   1 *  ’ then  ’  Q Denoted by  p { P } C { Q } 37 P C(P)C(P) Q  ’’ C

38 Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } Is Hoare logic sound? yes Is Hoare logic complete? depends 38

39 Weakest precondition calculus 39

40 From inference to calculus A Hoare-style proof is declarative – You can check that a proof is correct – Check is decidable given an algorithm to check implication Is there a more calculational approach to producing proofs? – Weakest precondition calculus (WP) – Strongest postcondition calculus (SP) WP/SP provide limits for Hoare triples WP helps prove that Hoare logic is relatively complete 40

41 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is   wlp(C, Q) if and only if for all states  ’ if  C,   1 *  ’ then  ’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 41

42 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is   wlp(C, Q) if and only if for all states  ’ if  C,   1 *  ’ then  ’  Q 42 P C(P)C(P) Q C wlp(C, Q) C(wlp(C, Q)) Give an example where this gap exists

43 Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is  ’  sp(P, C) if and only if there exists  such that   P and  C,   1 *  ’ Propositions: 1.  p { P } C { sp(P, C) } 2.If  p { P } C { Q } then sp(P, C)  Q 43

44 Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 44

45 Is Hoare logic complete? Extensional approach: yes Proving  p { P } C { Q } implies  p { P } C { Q } boils down to proving  p { wlp(C, Q) } C { Q } See proof in book 45

46 Is Hoare logic complete? Intentional approach: no Gödel’s incompleteness theorem Only as complete as the logic of assertions Requires that we are able to prove the validity of assertions that occur in the rule of consequence Relative completeness of Hoare logic (Cook 1974) 46

47 Weakest (liberal) precondition calculus 47 By Vadim Plessky (http://svgicons.sourceforge.net/) [see page for license], via Wikimedia Commons

48 Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 48

49 Calculating wlp of a loop 49 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent. Also they are provably equivalent (prove it) while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant: a fixpoint of the right-hand side transformer

50 Example: write a specification 50 { ? } while (timer  0) do timer := timer – 1 { ? } “The program should count to zero”

51 Example: prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equivalent to (timer  0  wlp(timer:=timer-1, timer  0))  (timer=0  timer=0) Start from right hand side and get left hand side (timer  0  wlp(timer:=timer-1, timer  0))  (timer=0  timer=0) = (timer  0  (timer  0)[timer-1/timer])  (timer=0  timer=0) = (timer  0  timer-1  0)  (timer=0  timer=0) = timer>0  timer=0 = timer  0 51 { timer  0 } while (timer  0) do timer := timer – 1 { timer = 0 }

52 A variant of wlp for loops Parametric in the loop invariant wlp( while b do {  } S, Q) =  where {b   } S {  } and  b    Q 52

53 wlp rules 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do {  } S, Q) =  where {b   } S {  } and  b    Q 53

54 Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) 54

55 Strongest postcondition calculus 55 By Vadim Plessky (http://svgicons.sourceforge.net/) [see page for license], via Wikimedia Commons

56 Strongest postcondition rules 1.sp( skip, P) = P 2.sp( x := a, P) =  v. x=a[v/x]  P[v/x] 3.sp(S 1 ; S 2, P) = sp(S 2, sp(S 1, P)) 4.sp( if b then S 1 else S 2, P) = sp(S 1, b  P)  sp(S 2,  b  P) 5.sp( while b do {  } S, P) =    b where {b   } S {  } and P   b   56

57 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?} 57 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ] The value of x in the pre-state

58 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 {  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on Next lecture we will see a variant of this rule 58 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ] meaning: {x=z+1}

59 See you next time 59

Download ppt "Program Analysis and Verification Spring 2016 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.

Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
Describing Syntax and Semantics

Describing Syntax and Semantics
Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.

Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.
Proving Program Correctness The Axiomatic Approach.

Proving Program Correctness The Axiomatic Approach.
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav.

Program Analysis and Verification Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 7: Static Analysis I Roman Manevich Ben-Gurion University.

Similar presentations

Ads by Google