Download presentation

Presentation is loading. Please wait.

Published byElla Boyle Modified over 4 years ago

1
Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 26 Apr 2004

2
Is this program correct? How do we know? int Find(float[] a, int m, int n, float x) { while (m < n) { int j = (m+n) / 2 ; if (a[j] < x) { m = j+ 1 ; } else if (x < a[j]) { n = j-1; } else { return j; } } return - 1 ; }

3
Making sense of programs Program semantics defines programming language – e.g., Hoare logic, Dijkstra's weakest preconditions Specifications record design decisions – bridge intent and code Tools amplify human effort – manage details – find inconsistencies – ensure quality

4
State predicates A predicate is a boolean function on the program state Examples: – x = 8 – x < y – m n (j | 0j<a.length a[j] NaN) – true – false

5
Hoare triples For any predicates P and Q and any program S, {P} S {Q} says that if S is started in (a state satisfying) P, then it terminates in Q postcondition precondition

6
Examples {true} x := 12 {x = 12 } {x < 40 } x := 12 { 10 x} {x < 40 } x := x+ 1 {x 40 } {m n} j :=(m+n)/ 2 {m j n} {0 m < n a.length a[m] = x} r := Find(a, m, n, x) {m r} {false} S {x n + y n = z n }

7
Precise triples If{P} S {Q} and {P} S {R}, then does {P} S {Q R} hold?

8
Precise triples If{P} S {Q} and {P} S {R}, then does {P} S {Q R} hold? The most precise Q such that {P} S {Q} is called the strongest postcondition of S with respect to P. yes

9
Weakest preconditions If{P} S {R} and {Q} S {R}, then {P Q} S {R} holds. The most general P such that {P} S {R} is called the weakest precondition of S with respect to R, written wp(S, R)

10
Triples and wp {P} S {Q} if and only if P wp(S, Q)

11
Program semantics skip no-op wp(skip, R) R wp(skip, x n + y n = z n ) x n + y n = z n

12
Program semantics assignment evaluate E and change value of w to E wp(w := E, R) R[w := E] wp(x := x + 1, x 10)x+1 10x < 10 wp(x := 15, x 10)15 10false wp(y := x + 3*y, x 10) x 10 wp(x,y := y,x, x < y)y < x replace w by E in R

13
Program semantics assert if P holds, do nothing, else don't terminate wp(assert P, R) P R wp(assert x < 10, 0 x)0 x < 10 wp(assert x = y*y, 0 x)x = y*y 0 xx = y*y wp(assert false, x 10)false

14
Program compositions If {P} S {Q} and {Q} T {R}, then {P} S ; T {R} If {P B} S {R} and {P B} T {R}, then {P} if B then S else T end {R}

15
wp(S;T, R) wp(S, wp(T, R)) wp(x := x+1 ; assert x y, 0 < x)wp(x := x+1, wp(assert x y, 0 < x))wp(x := x+1, 0 < x y) 0 < x+1 y0 x < y wp(y := y+1 ; x := x + 3*y, y 10 3 x)wp(y := y+1, wp(x := x+3*y, y 10 3 x))wp(y := y+1, y 10 3 x+3*y)y+1 10 3 x+3*(y+1)y < 10 3 x + 3*y + 3y < 10 0 x + 3*y Program semantics sequential composition

16
wp(if B then S else T end, R) (B wp(S, R)) (B wp(T, R)) (B wp(S, R)) (B wp(T, R)) wp(if x < y then z := y else z := x end, 0 z)(x < y wp(z := y, 0 z)) ((x < y) wp(z := x, 0 z))(x < y 0 y) (y x 0 x)0 y 0 x wp(if x10 then x := x+1 else x := x + 2 end, x 10)(x10 wp(x := x+1, x 10)) ((x10) wp(x := x+2, x 10))(x10 x+1 10) (x=10 x+2 10)(x10 x < 10) falsex < 10 Program semantics conditional composition

17
Example if (x != null) { n = x.f; } else { n = z-1; z++; } a = new char[n]; true n >= 0 z-1 >= 0 x != null && x.f >= 0 (x != null ==> x != null && x.f >= 0) && (x == null ==> z-1 >= 0)

18
A good exercise Define change w such that P by giving its weakest precondition

19
Loops To prove {P} while B do S end {Q} find invariant J and well-founded variant function vf such that: – invariant holds initially: P J – invariant is maintained: {J B} S {J} – invariant is sufficient: J B Q – variant function is bounded: J B 0 vf – variant function decreases: {J B vf=VF} S {vf<VF}

Similar presentations

OK

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 0 Marktoberdorf.

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 0 Marktoberdorf.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google