# Program Verification -- new recipe for old problem Zhou Chaochen Institute of Software, CAS


Zhou Chaochen, Institute of Software, CAS (zcc@ios.ac.cn)

## Computer Science

- Computing System: millions of simple instructions
- Bio System: DNA (A, T, G, C)
- Manufacturing vs Evolving
- Fundamental Issues:
  - Computability and Solvability
  - Algorithm Design and Analysis
  - Programming Methodology: Correctness, etc.

## Program Correctness

- Test: Debug vs Prove
- Verification: Proof and Model Checking
- Transformation: Curry-Howard Isomorphism, Intuitionistic Logic, …

## Assertion

Program Language (an artificial language):

- Assignment: `x:=x-1`; in general `x:=e`
- Loop: `while x>0 do x:=x-1`; in general `while B do S`
- Sequential Composition: `S1;S2`
- …

## Intrinsic Logic

- Assignment: `P(e){x:=e}P(x)`, e.g. `x-1>0{x:=x-1}x>0`
  - P(e): Pre-Condition
  - P(x): Post-Condition

- Loop: if `B&I{S}I` then `I{while B do S}I&~B`
  - Since `x>0&x>=0{x:=x-1}x>=0`, we get `x>=0{while x>0 do x:=x-1}x>=0&~(x>0)`, i.e. `x>=0{while x>0 do x:=x-1}x=0`
  - I: Invariant

- Sequential Composition: if `P{S1}Q1`, `Q1=>Q2` and `Q2{S2}Q`, then `P{S1;S2}Q`
- …
- Pre, Post, Inv: the assertions
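The three rules above (assignment, sequential composition, loop with an annotated invariant) turned into a small verification-condition generator. This is an added example, not from the slides; the mini language, the state-dict encoding of predicates, and the bounded enumeration (a check over small integers, not a proof) are all our own choices.

```python
# Added example: VC generation for the Hoare rules above, checked by bounded
# enumeration (a bounded check over small integers, not a proof).
from itertools import product

# Mini language: ("assign", var, expr) | ("seq", S1, S2) | ("while", B, I, S).
# Predicates and expressions are Python functions over a state dict {var: int};
# the loop carries its invariant I, as the rule for `while` requires.

def wp(stmt, post):
    """Precondition of stmt w.r.t. post, plus the side conditions (VCs) generated."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        # P(e){x:=e}P(x): substitute e for x in the postcondition
        return (lambda s: post({**s, var: expr(s)})), []
    if kind == "seq":
        _, s1, s2 = stmt            # P{S1}Q1 and Q1{S2}Q give P{S1;S2}Q
        mid, vcs2 = wp(s2, post)
        pre, vcs1 = wp(s1, mid)
        return pre, vcs1 + vcs2
    if kind == "while":
        _, b, inv, body = stmt
        body_pre, vcs = wp(body, inv)
        vcs = vcs + [
            lambda s: not (b(s) and inv(s)) or body_pre(s),   # B&I{S}I
            lambda s: not (inv(s) and not b(s)) or post(s),   # I&~B => post
        ]
        return inv, vcs             # I{while B do S}I&~B: I is the precondition
    raise ValueError(kind)

def verify(pre, stmt, post, variables, lo=-5, hi=5):
    """States in [lo,hi]^n where some VC fails; [] means every VC held there."""
    stmt_pre, vcs = wp(stmt, post)
    vcs = [lambda s: not pre(s) or stmt_pre(s)] + vcs   # pre => wp(stmt, post)
    failures = []
    for vals in product(range(lo, hi + 1), repeat=len(variables)):
        state = dict(zip(variables, vals))
        if not all(vc(state) for vc in vcs):
            failures.append(state)
    return failures

# The slides' loop: x>=0 {while x>0 do x:=x-1} x=0, annotated with invariant x>=0
COUNTDOWN = ("while", lambda s: s["x"] > 0, lambda s: s["x"] >= 0,
             ("assign", "x", lambda s: s["x"] - 1))
```

Annotating the same loop with the invariant `x>0` instead makes the `pre => I` condition fail at `x=0`, which is how a wrong invariant shows up in practice.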

## Program Verification

- Partial Correctness: `x>=0 {FAC} y=x!`, i.e. if FAC terminates, then … (Safety)
- Total Correctness: Termination plus Partial Correctness
- Liveness (deadlock free, livelock free, …)

## Floyd Assertion & Hoare Logic

- Robert Floyd: 1978 Turing Award Laureate. 1967, "Assigning Meanings to Programs". Inductive Assertion Method: pre- and post-assertion
- Tony Hoare: 1980 Turing Award Laureate. 1969, "An Axiomatic Basis for Computer Programming". Hoare Logic: pre- and post-condition, invariant

## Assertion at Microsoft

- Microsoft Office: 250k assertions (ASSERT macro)
  - Test: dump instead of crash (over half the effort)
  - Simplifying assumption: for the next version (overflow, …)
  - Compile-time check (size, …), etc.
- Microsoft Windows: over 1000 different assertion macros
- Bill Gates: Trustworthy Computing

## Verifying Compiler

- A compiler which verifies the correctness of programs: a major challenge of Computer Science in the 21st century
- Include assertions in programming languages (Eiffel, JML, …)
- Improve program analysis tools in industry (PREfix, …)
- Joint contributions from different mechanised proof technologies: a vast project unprecedented in Computer Science
- Academy legacy and the Open Source movement
- IFIP workshop in 2005: Hoare and Misra, Shankar (He Jifeng, Zhang Jian, …) et al.

## Software Model Checking

- Given an infinite value domain, a program is an infinite state system
- Finite State Machine: BDD, CTL, 10^(100), …
- Real Time System: Infinite State Machine

## Infinite State Model Checking

- Reduction to a finite state system: region graph (?)
- Reduction to linear programming, integer and mixed programming (Zhou, Zhang, Yang and Kesten, Pnueli, Sifakis, Yovine) …
- Real algebra (Tarski, Wu, Zhang, Yang, …)
- Relation between the above two?

## Reduction to Linear Programming

- Timed Automaton: states G, B; f (>=30), r (<=1)
- Property: over any interval greater than or equal to 60, bad states occupy no more than 20% of the interval

- A timed behaviour: (f,t1),(r,t2),(f,t3) with t1>=30, 0<=t2<=1, t3>=30
- Linear Programming Problem:
  - Constraints: t1>=30, 0<=t2<=1, t3>=30 and t1+t2+t3>=60
  - Objective function: 20*t2-(t1+t2+t3)
- Reduce infinitely many behaviours to finitely many

## Program Termination

- Ashish Tiwari, SRI (CAV 2004, LNCS 3114)
- Undecidable in general
- Linear Program: `while (B*x>b) do x:=A*x+c`, with A, B real matrices and x, b, c real vectors
- The termination problem for linear programs is decidable

- P: `while c*x>0 do x:=A*x`
- Intuition: if v is an eigenvector of A with positive eigenvalue e, then A*v=e*v by definition, and A^n*v=e^n*v, so c*A^n*v=c*e^n*v=e^n*(c*v). Hence c*A^n*v has the same sign as c*v, as e>0. P is not terminating with input x=v, where c*v>0.

- Theorem: if P is not terminating then there exists a real eigenvector v of A, corresponding to a positive eigenvalue, such that c*v>=0
- Proof: if nonterminating, NT is not empty, where NT={x : c*A^i*x>0, i=0,1,…}. Let NT’=NT+Boundary. NT’ is closed under A. Applying Brouwer’s fixed point theorem, there exists an eigenvector v of A in NT’.

- Change into c*v>0
- Add more conditions to have a necessary and sufficient conclusion
- Generalise to general linear programs
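The eigenvector argument above, run on a concrete instance of P. This is an added example, not from the slides or Tiwari's paper: we restrict to 2x2 real matrices so the eigenvalues come from the quadratic formula without a numeric library, and `run_loop` is a bounded simulation of P used only to confirm what the witness predicts.

```python
# Added example: the eigenvector intuition for P: while c*x>0 do x:=A*x, on
# 2x2 real matrices (our restriction, so eigenvalues come from the quadratic
# formula without a numeric library). Vectors are lists, c*x is the dot product.
import math

def matvec(A, x):
    return [A[0][0]*x[0] + A[0][1]*x[1], A[1][0]*x[0] + A[1][1]*x[1]]

def dot(c, x):
    return c[0]*x[0] + c[1]*x[1]

def real_eigenpairs(A):
    """(eigenvalue, eigenvector) pairs of a 2x2 real matrix; [] if they are complex."""
    (a, b), (c, d) = A
    tr, det = a + d, a*d - b*c
    disc = tr*tr - 4*det
    if disc < 0:
        return []                    # no real eigenvector at all
    pairs = []
    for sign in (1, -1):
        lam = (tr + sign*math.sqrt(disc)) / 2
        if b != 0:
            v = [b, lam - a]             # solves the first row of (A - lam*I)v = 0
        elif c != 0:
            v = [lam - d, c]             # solves the second row
        else:
            v = [1.0, 0.0] if lam == a else [0.0, 1.0]   # A is diagonal
        pairs.append((lam, v))
    return pairs

def nontermination_witness(A, c):
    """Input x=v on which P provably never stops, or None.

    With A*v=e*v, e>0 and c*v>0, c*A^n*v = e^n*(c*v) stays positive for every n.
    None does not prove termination: the theorem only guarantees c*v>=0, and
    the boundary case c*v=0 is exactly the gap the slides list as open.
    """
    for lam, v in real_eigenpairs(A):
        if lam > 0 and dot(c, v) > 0:
            return lam, v
    return None

def run_loop(A, c, x, max_iter=100):
    """Iterations of P before the guard c*x>0 fails; None if still running at max_iter."""
    for n in range(max_iter):
        if not dot(c, x) > 0:
            return n
        x = matvec(A, x)
    return None
```

With A=[[2,1],[1,2]] and c=(-1,-1) the witness search returns None even though the input (0.9,-1.1) runs forever, because the eigenvector (1,-1) has c*v=0, the boundary the slides propose to tighten.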

- Termination: matrix eigenvalue
- Stability: matrix eigenvalue
- Termination characterization of linear programs is more complex than stability characterization for both continuous- and discrete-time linear systems

- As told by Yang: it is good to use off-line symbolic computation (Yang has developed very powerful symbolic computation tools, called Bottema and Discoverer, for real algebra, including a complete discrimination system)
- The deciding condition becomes 10^4 terms (of the Dixon resultant) in dimension 4, dozens in dimension 3, and several in dimension 2

## Invariant Generation

- Abstract Interpretation (P. Cousot and R. Cousot, POPL 77): symbolic execution until a fixed point is reached
- Linear Invariants for Linear Programs (Colón, Sankaranarayanan, Sipma, CAV 03): assume a linear invariant, and solve the constraints (maybe nonlinear) on the coefficients of the linear invariant
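The fixed-point iteration of abstract interpretation, carried out in the interval domain for loops of the form `while x>k do x:=x+d`, of which the slides' loop `while x>0 do x:=x-1` is the instance k=0, d=-1. This is an added example, not from the slides or the cited papers; the interval domain, the delayed widening and the single narrowing pass are the standard Cousot-style ingredients, and the generalisation to arbitrary k and d is ours.

```python
# Added example: interval abstract interpretation of `while x>k do x:=x+d`
# (k=0, d=-1 is the slides' loop). Intervals are (lo, hi) pairs; None is empty.
INF = float("inf")

def join(a, b):                       # least upper bound of two intervals
    if a is None or b is None:
        return a if b is None else b
    return (min(a[0], b[0]), max(a[1], b[1]))

def leq(a, b):                        # a is included in b
    return a is None or (b is not None and b[0] <= a[0] and a[1] <= b[1])

def widen(old, new):                  # bounds still moving jump to +-inf
    if old is None:
        return new
    return (old[0] if new[0] >= old[0] else -INF,
            old[1] if new[1] <= old[1] else INF)

def meet_gt(iv, k):                   # filter by the guard x > k (integer x)
    if iv is None or iv[1] <= k:
        return None
    return (max(iv[0], k + 1), iv[1])

def meet_le(iv, k):                   # filter by the negated guard x <= k
    if iv is None or iv[0] > k:
        return None
    return (iv[0], min(iv[1], k))

def add_const(iv, d):                 # abstract transformer for x := x + d
    return None if iv is None else (iv[0] + d, iv[1] + d)

def analyse(entry, k, d, delay=2):
    """Interval invariant at the head of `while x>k do x:=x+d`, and the exit interval.

    `entry` is the interval of x before the loop. The head interval is recomputed
    until it stops growing (the fixed point); after `delay` rounds widening forces
    termination, and one narrowing pass recovers precision widening threw away.
    An exit interval of None means the loop exit is unreachable: non-termination.
    """
    step = lambda h: join(entry, add_const(meet_gt(h, k), d))   # one loop round
    head, rounds = entry, 0
    while True:
        rounds += 1
        new_head = step(head)
        if leq(new_head, head):
            break
        head = new_head if rounds <= delay else widen(head, new_head)
    head = step(head)                 # narrowing pass
    return head, meet_le(head, k)
```

For the slides' loop with x in [0, +inf) on entry the invariant [0, +inf) is reached in one round and the exit interval is [0, 0], matching the Hoare-logic derivation earlier in the talk.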

## Reachability

- Lafferriere, Pappas and Yovine (JSC 11, 2001)
- dX/dt = AX+Bu, with X, B vectors, A a matrix, u a vector (control input)
- X = F(x,u,t), with x a vector (initial value of X)

- Reachability: state y is reachable from state x if there exist u and t such that y=F(x,u,t)
- Reduced to a real algebraic formula (under certain conditions)
- Quantifier elimination tools: REDLOG, QEPCAD
- An example in the paper that REDLOG and QEPCAD alone cannot resolve can be done easily by Yang’s tools (as told by Yang)

## Interdisciplinary Joint Effort

- Decidability of real algebra is the most fundamental result with respect to real numbers
- Program verification is employing more mathematics, in particular real algebra
- Strong in mechanical proving: Wu, Zhang, Yang, …; beautiful tools
- Control theory is much more mature than CS
- We need your support and you can help us
