
Slide 1: Automatic verification of summations

K. Rustan M. Leino
IFIP WG 2.3 meeting 46, Sydney, Australia, 11 January 2007

Slide 2: Goal

Prove the following program automatically, using a VC generator and an SMT solver:

    { 0 ≤ N }
    s := 0; n := 0;
    while n < N
      invariant 0 ≤ n ≤ N ∧ s = (Σ i | 0 ≤ i < n :: a[i])
    do
      s := s + a[n]; n := n + 1
    end
    { s = (Σ i | 0 ≤ i < N :: a[i]) }

Slide 3: Need feedback on

– Related work
– More clever encoding
– Some completeness argument/thoughts
– Decision procedure to fit into an SMT solver
– More examples
  – useful ones
  – contrived ones

Slide 4: Background

VC generation
  – arrays
  – assignment-free form
SMT solver
  – term sets
  – quantifiers

Slide 5: Arrays

    x := a[i]   is treated as   x := select(a, i)
    a[i] := x   is treated as   a := store(a, i, x)

Example:

    wp( a[i] := 5; assert a[k] = 12, true )
      = wp( a[i] := 5, select(a, k) = 12 )
      = select(store(a, i, 5), k) = 12

Slide 6: Assignment-free form

    a[i] := 5; assert a[k] = 12

is rewritten into:

    assume a₁ = store(a₀, i, 5); assert select(a₁, k) = 12

whose wp is:

    a₁ = store(a₀, i, 5) ⇒ select(a₁, k) = 12

Slide 7: Example

    wp( havoc b;
        assume (∀ n :: n ≠ i ⇒ b[n] = a[n]) ∧ b[i] = 5;
        a := b;
        assert a[k] = 12,
        true )
      = (∀ n :: n ≠ i ⇒ b₁[n] = a₀[n]) ∧ b₁[i] = 5 ∧ a₂ = b₁ ⇒ select(a₂, k) = 12
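The translation of slides 5 to 7 carried out by a small program, as an added example that is not part of the talk or of Boogie: array writes become store, reads become select, each write binds a fresh incarnation of the array (assignment-free form), and a concrete evaluator shows what a model falsifying the VC looks like. The tuple encoding of expressions and statements, and the model format, are this example's own conventions.

```python
# Added example, not from the talk: a miniature VC generator for the array fragment of
# slides 5 and 6, plus a concrete evaluator that exhibits a model falsifying the VC.  The
# tuple encodings of expressions and statements below are this example's own convention.

def rename(e, cur):
    """Replace every variable in expression e by its current incarnation."""
    if e[0] == 'c': return e                                 # ('c', n): constant
    if e[0] == 'v': return ('v', cur(e[1]))                   # ('v', name): variable
    return (e[0],) + tuple(rename(x, cur) for x in e[1:])   # ('sel', arr, idx) / ('store', ...)

def passive_form(stmts):
    """stmts: ('store', arr, idx, val) | ('assert', lhs, rhs); returns (assumes, assertion)."""
    assigned, ver = {s[1] for s in stmts if s[0] == 'store'}, {}
    cur = lambda x: f"{x}{ver.get(x, 0)}" if x in assigned else x   # a -> a0, a1; i stays i
    assumes, assertion = [], None
    for s in stmts:
        if s[0] == 'store':
            rhs = ('store',) + tuple(rename(x, cur) for x in (('v', s[1]), s[2], s[3]))
            ver[s[1]] = ver.get(s[1], 0) + 1          # fresh incarnation for the written array
            assumes.append((cur(s[1]), rhs))          # assume a1 = store(a0, idx, val)
        else:
            assertion = (rename(s[1], cur), rename(s[2], cur))
    return assumes, assertion

def show(e):
    if e[0] in ('c', 'v'): return str(e[1])
    return f"{'select' if e[0] == 'sel' else 'store'}({', '.join(map(show, e[1:]))})"

def vc_string(stmts):
    """The VC as written on slide 6: conjunction of the assumes ==> the assertion."""
    assumes, (l, r) = passive_form(stmts)
    return " && ".join(f"{n} = {show(e)}" for n, e in assumes) + f" ==> {show(l)} = {show(r)}"

def ev(e, m):
    """Evaluate under model m: ints for scalars, dicts (missing index reads 0) for arrays."""
    if e[0] == 'c': return e[1]
    if e[0] == 'v': return m[e[1]]
    if e[0] == 'sel': return ev(e[1], m).get(ev(e[2], m), 0)
    return {**ev(e[1], m), ev(e[2], m): ev(e[3], m)}     # store: functional array update

def vc_holds(stmts, m):
    """m fixes the initial incarnations (a0, i, k); each assume binds the next one.
    False means m is a counterexample, i.e. the assert of the original program can fail."""
    assumes, (l, r) = passive_form(stmts)
    for n, e in assumes:
        m = {**m, n: ev(e, m)}
    return ev(l, m) == ev(r, m)

# Slide 6 program:  a[i] := 5; assert a[k] = 12
PROG = [('store', 'a', ('v', 'i'), ('c', 5)),
        ('assert', ('sel', ('v', 'a'), ('v', 'k')), ('c', 12))]
```

With i = k the model a0 = {}, i = 0, k = 0 falsifies the VC, which is exactly the case in which the original assert fails.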

Slide 8: Term sets

All equalities and congruences are represented explicitly, but other derived facts may not be.

Examples:
– given: x ≤ y, y ≤ x        also represents: x = y
– given: x ≤ y, y ≤ z        may not represent: x ≤ z
– given: x = 3, y = x+1      may not represent: y = 4

Slide 9: Quantifiers

Instantiation via e-graph matching.

A matching pattern (trigger) is a set of terms that together mention all the bound variables, and none of which is just a bound variable by itself.

Examples:
– (∀ x :: { f(x) } 0 ≤ f(x))
– (∀ x,y :: { g(x,y) } f(x) < g(x,y))

Slide 10: More examples

    (∀ x,y :: { f(x), f(y) } x ≤ y ⇒ f(x) ≤ f(y))
    (∀ x :: { f(x) } x ≠ null ⇒ f(x) ≤ f(next(x)))
    (∀ x :: { f(next(x)) } x ≠ null ⇒ f(x) ≤ f(next(x)))
    (∀ x :: { f(x+1) } f(x) ≤ f(x+1))
    (∀ x,y,z :: { x*(y+z) } x*(y+z) = x*y + x*z)
    (∀ x,y :: { P(x,y) } x = y ⇒ P(x,y) = 10)
    (∀ x :: { P(x,x) } P(x,x) = 10)
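Trigger matching of slides 9 and 10, reduced to a purely syntactic matcher, as an added example that is not from the talk or from any solver: it shows which instantiations a single-term trigger such as { qsum(lo, hi+1, A) } and a multi-term trigger such as { qsum(lo, hi, A), qsum(lo, hi, B) } admit over a given set of ground terms. The term tuples, the ('?', x) encoding of bound variables and the builder helpers are this example's own; a real solver matches modulo the equalities in its e-graph, which this simplification ignores.

```python
# Added example, not from the talk: syntactic trigger matching.  Terms are ('f', arg, ...),
# ('v', name) or ('c', n); a pattern may also contain ('?', x) for a bound variable.
# Matching here is against ground terms as written, i.e. without e-graph equalities.

def subterms(t):
    """All subterms of a ground term t (triggers match subterms, not only whole terms)."""
    yield t
    if t[0] not in ('v', 'c'):
        for a in t[1:]:
            yield from subterms(a)

def match(pat, term, sub):
    """Extend substitution sub so that pat[sub] == term, or return None."""
    if pat[0] == '?':                                   # bound variable of the quantifier
        if pat[1] in sub: return sub if sub[pat[1]] == term else None
        return {**sub, pat[1]: term}
    if pat[0] != term[0] or len(pat) != len(term): return None
    if pat[0] in ('v', 'c'): return sub if pat == term else None
    for p, a in zip(pat[1:], term[1:]):
        sub = match(p, a, sub)
        if sub is None: return None
    return sub

def instances(trigger, ground):
    """Substitutions under which every pattern of the trigger occurs among the subterms
    of the ground terms: a multi-term trigger needs all of its terms to be present."""
    cands = [t for g in ground for t in subterms(g)]
    subs = [{}]
    for pat in trigger:
        subs = [s2 for s in subs for t in cands for s2 in [match(pat, t, s)] if s2 is not None]
    return [dict(s) for s in {tuple(sorted(s.items())) for s in subs}]   # deduplicated

# Term builders (this example's own helpers).
def v(n): return ('v', n)
def c(n): return ('c', n)
def bv(n): return ('?', n)
def plus(x, y): return ('+', x, y)
def qsum(lo, hi, A): return ('qsum', lo, hi, A)

# Trigger of the unfolding axiom on slide 11 and of the framing axiom on slide 12.
STEP_TRIGGER = [qsum(bv('lo'), plus(bv('hi'), c(1)), bv('A'))]
FRAME_TRIGGER = [qsum(bv('lo'), bv('hi'), bv('A')), qsum(bv('lo'), bv('hi'), bv('B'))]

def step_instances():
    """In this syntactic model only qsum(0, n+1, a) matches { qsum(lo, hi+1, A) };
    qsum(0, n, a) and qsum(0, N, a) have no subterm of the form hi+1 and do not."""
    ground = [qsum(c(0), plus(v('n'), c(1)), v('a')), qsum(c(0), v('n'), v('a')),
              qsum(c(0), v('N'), v('a'))]
    return instances(STEP_TRIGGER, ground)
```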

Slide 11: sum0 (rendered in BoogiePL)

    var a: [int]int;  // map from int to int

    procedure Sum(N: int) returns (s: int)
      requires 0 <= N;
      ensures s == qsum(0, N, a);
    {
      var n: int;
    entry:
      n := 0; s := 0;
      goto Head;
    Head:
      assert 0 <= n && n <= N && s == qsum(0, n, a);  // loop invariant
      goto Body, Done;
    Body:
      assume n < N;  // loop guard
      s := s + a[n];
      n := n + 1;
      goto Head;
    Done:
      assume !(n < N);  // negation of loop guard
      return;
    }

    function qsum(lo: int, hi: int, A: [int]int) returns (int);
    // empty range sums to 0
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi, A) }
      hi <= lo ==> qsum(lo, hi, A) == 0);
    // unfold one element at the top of a non-empty range
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi+1, A) }
      lo <= hi ==> qsum(lo, hi+1, A) == qsum(lo, hi, A) + A[hi]);

This program (and the ones on the following slides) verifies with Boogie, using Simplify as the underlying SMT solver.

Slide 12: sum1

    var a: [int]int;

    procedure Sum(N: int) returns (s: int)
      requires 0 <= N;
      modifies a;
      ensures s == qsum(0, N, old(a));
    {
      var n: int;
    entry:
      n := 0; s := 0;
      goto Head;
    Head:
      assert 0 <= n && n <= N && s == qsum(0, n, a);  // loop invariant
      assert (forall i: int :: 0 <= i && i < N ==> a[i] == old(a)[i]);  // a[0..N) unchanged
      goto Body, Done;
    Body:
      assume n < N;  // loop guard
      s := s + a[n];
      a[-2] := s;  // assignment outside a[0..N]
      n := n + 1;
      goto Head;
    Done:
      assume !(n < N);  // negation of loop guard
      return;
    }

    function qsum(lo: int, hi: int, A: [int]int) returns (int);
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi, A) }
      hi <= lo ==> qsum(lo, hi, A) == 0);
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi+1, A) }
      lo <= hi ==> qsum(lo, hi+1, A) == qsum(lo, hi, A) + A[hi]);
    // arrays that agree on [lo, hi) have the same sum
    axiom (forall lo: int, hi: int, A: [int]int, B: [int]int :: { qsum(lo, hi, A), qsum(lo, hi, B) }
      (forall j: int :: lo <= j && j < hi ==> A[j] == B[j]) ==> qsum(lo, hi, A) == qsum(lo, hi, B));

Slide 13: inc.bpl

    var a: [int]int;

    procedure Inc(j: int, N: int, x: int)
      requires 0 <= j && j < N;
      modifies a;
      ensures qsum(0, N, a) == old(qsum(0, N, a)) + x;
    {
    entry:
      a[j] := a[j] + x;
      return;
    }

    function qsum(lo: int, hi: int, A: [int]int) returns (int);
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi, A) }
      hi <= lo ==> qsum(lo, hi, A) == 0);
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi+1, A) }
      lo <= hi ==> qsum(lo, hi+1, A) == qsum(lo, hi, A) + A[hi]);
    axiom (forall lo: int, hi: int, A: [int]int, B: [int]int :: { qsum(lo, hi, A), qsum(lo, hi, B) }
      (forall j: int :: lo <= j && j < hi ==> A[j] == B[j]) ==> qsum(lo, hi, A) == qsum(lo, hi, B));
    // arrays that agree on [lo, k) and on (k, hi) have sums that differ only by their values at k
    axiom (forall lo: int, hi: int, k: int, A: [int]int, B: [int]int :: { qsum(lo, hi, A), qsum(lo, hi, B), A[k] }
      (forall j: int :: lo <= j && j < k ==> A[j] == B[j]) &&
      (forall j: int :: k < j && j < hi ==> A[j] == B[j])
      ==> qsum(lo, hi, A) - A[k] == qsum(lo, hi, B) - B[k]);

Slide 14: swap.bpl

    var a: [int]int;

    procedure Swap(i: int, j: int, N: int)
      requires 0 <= i && i < N;
      requires 0 <= j && j < N;
      modifies a;
      ensures qsum(0, N, a) == old(qsum(0, N, a));
    {
      var tmp: int;
    entry:
      tmp := a[i];
      a[i] := a[j];
      assert qsum(0, N, a) == qsum(0, N, a);
      a[j] := tmp;
      return;
    }

    function qsum(lo: int, hi: int, A: [int]int) returns (int);
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi, A) }
      hi <= lo ==> qsum(lo, hi, A) == 0);
    axiom (forall lo: int, hi: int, A: [int]int :: { qsum(lo, hi+1, A) }
      lo <= hi ==> qsum(lo, hi+1, A) == qsum(lo, hi, A) + A[hi]);
    axiom (forall lo: int, hi: int, A: [int]int, B: [int]int :: { qsum(lo, hi, A), qsum(lo, hi, B) }
      (forall j: int :: lo <= j && j < hi ==> A[j] == B[j]) ==> qsum(lo, hi, A) == qsum(lo, hi, B));
    axiom (forall lo: int, hi: int, k: int, A: [int]int, B: [int]int :: { qsum(lo, hi, A), qsum(lo, hi, B), A[k] }
      (forall j: int :: lo <= j && j < k ==> A[j] == B[j]) &&
      (forall j: int :: k < j && j < hi ==> A[j] == B[j])
      ==> qsum(lo, hi, A) - A[k] == qsum(lo, hi, B) - B[k]);
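A check a practitioner would want before relying on the axioms of slides 11 to 14: an executable reference model of qsum against which random instances of every axiom are tested, added here as an example that is not part of the talk or of Boogie. An axiom that is false in the intended model makes the axiomatisation inconsistent, and an inconsistent axiomatisation lets the prover verify anything, so this kind of sanity check guards against vacuous verification. The list representation of arrays, the random-testing harness and the step-axiom parameter are this example's own; k is drawn from [lo, hi), the situation set up by the preconditions of Inc and Swap.

```python
# Added example, not from the talk: an executable reference model of qsum used to test
# random instances of the axioms on slides 11 to 13.  An axiom that is false in the
# intended model would let Boogie prove anything, so checking axioms against such a
# model before trusting a verification is a cheap soundness sanity check.
import random

def qsum(lo, hi, A):
    """Reference meaning of qsum: the sum of A[j] for lo <= j < hi (0 when hi <= lo)."""
    return sum(A[j] for j in range(lo, hi))

def agree(A, B, lo, hi, skip=None):
    """A and B are equal on [lo, hi), ignoring index skip."""
    return all(A[j] == B[j] for j in range(lo, hi) if j != skip)

def axiom_base(lo, hi, A):                  # slide 11, first axiom
    return not hi <= lo or qsum(lo, hi, A) == 0

def axiom_step(lo, hi, A):                  # slide 11, second axiom
    return not lo <= hi or qsum(lo, hi + 1, A) == qsum(lo, hi, A) + A[hi]

def axiom_frame(lo, hi, A, B):              # slide 12: equal on [lo, hi) gives equal sums
    return not agree(A, B, lo, hi) or qsum(lo, hi, A) == qsum(lo, hi, B)

def axiom_one_diff(lo, hi, k, A, B):        # slide 13: equal on [lo, hi) except at k
    return (not agree(A, B, lo, hi, skip=k)
            or qsum(lo, hi, A) - A[k] == qsum(lo, hi, B) - B[k])

def check_axioms(trials=500, seed=7, size=8, step=axiom_step):
    """Test all four axioms on random lists of length size (indices 0..size-1).
    The step axiom is a parameter so that a deliberately wrong variant can be shown
    to be caught.  k is drawn from [lo, hi), the case set up by the preconditions
    of Inc and Swap.  Returns False on the first failing instance."""
    rng = random.Random(seed)
    for _ in range(trials):
        A = [rng.randint(-5, 5) for _ in range(size)]
        B, k = list(A), rng.randrange(size)
        B[k] = rng.randint(-5, 5)           # B agrees with A except possibly at k
        lo, hi = rng.randrange(size), rng.randrange(size)
        if not (axiom_base(lo, hi, A) and step(lo, hi, A) and axiom_frame(lo, hi, A, B)):
            return False
        if lo <= k < hi and not axiom_one_diff(lo, hi, k, A, B):
            return False
    return True
```

Passing a wrong unfolding such as one that adds A[lo] instead of A[hi] as the step parameter makes check_axioms return False, which is how one confirms the check has teeth.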
