Download presentation

Presentation is loading. Please wait.

Published byElla Boyle Modified over 3 years ago

1
Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 26 Apr 2004

2
Is this program correct? How do we know? int Find(float[] a, int m, int n, float x) { while (m < n) { int j = (m+n) / 2 ; if (a[j] < x) { m = j+ 1 ; } else if (x < a[j]) { n = j-1; } else { return j; } } return - 1 ; }

3
Making sense of programs Program semantics defines programming language – e.g., Hoare logic, Dijkstra's weakest preconditions Specifications record design decisions – bridge intent and code Tools amplify human effort – manage details – find inconsistencies – ensure quality

4
State predicates A predicate is a boolean function on the program state Examples: – x = 8 – x < y – m n (j | 0j

5
Hoare triples For any predicates P and Q and any program S, {P} S {Q} says that if S is started in (a state satisfying) P, then it terminates in Q postcondition precondition

6
Examples {true} x := 12 {x = 12 } {x < 40 } x := 12 { 10 x} {x < 40 } x := x+ 1 {x 40 } {m n} j :=(m+n)/ 2 {m j n} {0 m < n a.length a[m] = x} r := Find(a, m, n, x) {m r} {false} S {x n + y n = z n }

7
Precise triples If{P} S {Q} and {P} S {R}, then does {P} S {Q R} hold?

8
Precise triples If{P} S {Q} and {P} S {R}, then does {P} S {Q R} hold? The most precise Q such that {P} S {Q} is called the strongest postcondition of S with respect to P. yes

9
Weakest preconditions If{P} S {R} and {Q} S {R}, then {P Q} S {R} holds. The most general P such that {P} S {R} is called the weakest precondition of S with respect to R, written wp(S, R)

10
Triples and wp {P} S {Q} if and only if P wp(S, Q)

11
Program semantics skip no-op wp(skip, R) R wp(skip, x n + y n = z n ) x n + y n = z n

12
Program semantics assignment evaluate E and change value of w to E wp(w := E, R) R[w := E] wp(x := x + 1, x 10)x+1 10x < 10 wp(x := 15, x 10)15 10false wp(y := x + 3*y, x 10) x 10 wp(x,y := y,x, x < y)y < x replace w by E in R

13
Program semantics assert if P holds, do nothing, else don't terminate wp(assert P, R) P R wp(assert x < 10, 0 x)0 x < 10 wp(assert x = y*y, 0 x)x = y*y 0 xx = y*y wp(assert false, x 10)false

14
Program compositions If {P} S {Q} and {Q} T {R}, then {P} S ; T {R} If {P B} S {R} and {P B} T {R}, then {P} if B then S else T end {R}

15
wp(S;T, R) wp(S, wp(T, R)) wp(x := x+1 ; assert x y, 0 < x)wp(x := x+1, wp(assert x y, 0 < x))wp(x := x+1, 0 < x y) 0 < x+1 y0 x < y wp(y := y+1 ; x := x + 3*y, y 10 3 x)wp(y := y+1, wp(x := x+3*y, y 10 3 x))wp(y := y+1, y 10 3 x+3*y)y+1 10 3 x+3*(y+1)y < 10 3 x + 3*y + 3y < 10 0 x + 3*y Program semantics sequential composition

16
wp(if B then S else T end, R) (B wp(S, R)) (B wp(T, R)) (B wp(S, R)) (B wp(T, R)) wp(if x < y then z := y else z := x end, 0 z)(x < y wp(z := y, 0 z)) ((x < y) wp(z := x, 0 z))(x < y 0 y) (y x 0 x)0 y 0 x wp(if x10 then x := x+1 else x := x + 2 end, x 10)(x10 wp(x := x+1, x 10)) ((x10) wp(x := x+2, x 10))(x10 x+1 10) (x=10 x+2 10)(x10 x < 10) falsex < 10 Program semantics conditional composition

17
Example if (x != null) { n = x.f; } else { n = z-1; z++; } a = new char[n]; true n >= 0 z-1 >= 0 x != null && x.f >= 0 (x != null ==> x != null && x.f >= 0) && (x == null ==> z-1 >= 0)

18
A good exercise Define change w such that P by giving its weakest precondition

19
Loops To prove {P} while B do S end {Q} find invariant J and well-founded variant function vf such that: – invariant holds initially: P J – invariant is maintained: {J B} S {J} – invariant is sufficient: J B Q – variant function is bounded: J B 0 vf – variant function decreases: {J B vf=VF} S {vf

Similar presentations

Presentation is loading. Please wait....

OK

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Download ppt on diversity in living organisms Free download ppt on probability for class 9 Ppt on self awareness institute Ppt on networking related topics about work Ppt on regional trade agreements japan Ppt on history of atom worksheet Ppt on water activity measurement Ppt on phonetic transcription to english Ppt on tsunami warning system to mobile phones Ppt on shipping industry in india