Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification 0368-4479

Published byMarjory French Modified over 9 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification 0368-4479"— Presentation transcript:

1 Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * ) Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2 We begin … Mobiles Scribe

3 Programming Language Syntax: … S 1 ‖ … ‖ S n | c | await b then c – In our case: c = case | x:=a Operational Semantics: – States – Commands – Traces S 1, s ⇒ S’ 1, s’ S 1 ‖ S 2, s ⇒ S’ 1 ‖ S 2, s [Par 1 ] s ∈ ∑ S 0, s 0 ⇒ S 1, s 1 ⇒ … ⇒ s k c0c0 c1c1 ckck

4 Programming Language Syntax: … S 1 ‖ … ‖ S n | c | await b then c – In our case: c = case | x:=a Operational Semantics: – States – Commands – Traces S 1, s ⇒ S’ 1, s’ S 1 ‖ S 2, s ⇒ S’ 1 ‖ S 2, s [Par 1 ] s ∈ ∑ S 0, s 0 ⇒ S 1, s 1 ⇒ … ⇒ … c0c0 c1c1 ckck

5 Axiomatic Semantics (Hoare Logic) Disjoint parallelism Global invariant Owicky – Gries [PhD. ‘76] { P } S 1 ‖ S 2 { Q } … …

6 Rely / Guarantee Aka Assume/Guarantee Cliff Jones [IFIP ‘83] Main idea: Modular capture of interference – Compositional proofs

7 Meaning of (atomic) Commands A relation between pre-states and post-states c ⊆ ∑ × ∑ S 0, s 0 ⇒ S 1, s 1 ⇒ … ⇒ s k+1 c0c0 c1c1 ckck

8 Meaning of (atomic) Commands A relation between pre-states and post-states c ⊆ ∑ × ∑ S 0, s 0 ⇒ S 1, s 1 ⇒ … ⇒ s k+1 c0c0 c1c1 ckck

9 Meaning of (atomic) Commands A relation between pre-states and post-states S 0, s 0 ⇒ s 1 ⇒ … ⇒ s k+1 ⇒ s k+2 ⇒ s k+3 ⇒ s k+3 ⇒ s k+4 … ⇒ s n+1 ⇒ ⇒ ⇒ ⇒ ⇒ ⇒ … c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn

10 Intuition: Global Invariant Every (intermediate) state satisfies invariant I S 0, s 0 ⇒ s 1 ⇒ … ⇒ s k+1 ⇒ s k+2 ⇒ s k+3 ⇒ s k+3 ⇒ s k+4 … ⇒ s n+1 c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn ⇒ ⇒ ⇒ ⇒ ⇒ ⇒ … I=I= c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn

11 Intuition: Global Invariant Thread-view S 0, s 0 ⇒ s 1 ⇒ … ⇒ s k+1 ⇒ s k+2 ⇒ s k+3 ⇒ s k+3 ⇒ s k+4 … ⇒ s n+1 ⇒ ⇒ ⇒ ⇒ ⇒ … I=I= c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn ⇒

12 Intuition: Rely Guarantee Thread-view S 0, s 0 ⇒ s 1 ⇒ … ⇒ s k+1 ⇒ s k+2 ⇒ s k+3 ⇒ s k+3 ⇒ s k+4 … ⇒ s n+1 c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn ⇒ ⇒ ⇒ ⇒ … ⇒ …

13 Intuition: Rely Guarantee Thread-view S 0, s 0 ⇒ s 1 ⇒ … ⇒ s k+1 ⇒ s k+2 ⇒ s k+3 ⇒ s k+3 ⇒ s k+4 … ⇒ s n+1 c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn ⇒ ⇒ ⇒ ⇒ … ⇒ … G G G G RRRR R

14 Intuition: Rely Guarantee Thread-view S 0, s 0 ⇒ s 1 ⇒ … ⇒ s k+1 ⇒ s k+2 ⇒ s k+3 ⇒ s k+3 ⇒ s k+4 … ⇒ s n+1 c0c0 c1c1 ckck c k+1 c k+2 c k+3 cncn ⇒ ⇒ ⇒ ⇒ … ⇒ … G G G G R*R* R*R* R*R*

15 Relational Post-Conditions meaning of commands a relations between pre-states and post-states Option I: {P} C {Q} – P is a one state predicate – Q is a two-state predicate Example – {true} x := x + 1 {x= x + 1}

16 Relational Post-Conditions meaning of commands a relations between pre-states and post-states Option II: {P} C {Q} – P is a one state predicate – P is a one-state predicate Use logical variables to record pre-state Example – {x = X} x := x + 1 {x= X + 1}

17 Intuition (again) C G Hoare: { P } S { Q } ~ {P} ⇒⇒⇒⇒ {Q} C R/G: R,G ⊢ { P } S { Q } ~ {P} ⇒⇒⇒⇒⇒⇒⇒ {Q} G RRR GG

18 Goal: Parallel Composition R  G 2, G 1 ⊢ { P } S 1 ‖ S 2 { Q } R, G 1  G 2 ⊢ { P } S 1 ‖ S 2 { Q } (PAR) R  G 1, G 2 ⊢ { P } S 1 ‖ S 2 { Q }

19 Relational Post-Conditions meaning of commands a relations between pre-states and post-states Option I: {P} C {Q} – P is a one state predicate – Q is a two-state predicate Example – {true} x := x + 1 {x= x + 1}

20 Meaning of (atomic) Commands meaning of atomic commands is relations between pre-states and post-states C {Q} – P is a one state predicate – Q is a two-state predicate Example – {true} x := x + 1 {x= x + 1}

21 Meaning of (atomic) Commands meaning of atomic commands is relations between pre-states and post-states C {Q} – P is a one state predicate – Q is a two-state predicate Example – {true} x := x + 1 {x= x + 1}

22 From one- to two-state relations p( ,  ) =p(  ) A single state predicate p is preserved by a two-state relation R if – p  R  p – ,  : p(  )  R( ,  )  p(  ) – P is stable under R

23 Operations on Relations (P;Q)( ,  )=  :P( ,  )  Q( ,  ) ID( ,  )= (  =  ) R * = ID  R  (R;R)  (R;R;R)  …  – Reflexive transitive closure of R

24 Formulas ID(x) = (x = x) ID(p) =(p  p) Preserve (p)= p  p

25 Judgements c  (p, R, G, Q)

26 Informal Semantics c  (p, R, G, Q) – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

27 Informal Semantics c  (p, R, G, Q) – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R results in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G c  [p, R, G, Q] – For every state  such that   p: Every execution of c on state  with (potential) interventions which satisfy R must terminate in a state  such that ( ,  )  Q The execution of every atomic sub-command of c on any possible intermediate state satisfies G

28 A Formal Semantics Let  C  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 –  4 =  when c does not terminate  C  R = { :   :  R  (  *  2   2 =  3 =  4    ’, C’:  *  ( (  2 =  1   2 =  )  (  3 =    3 =  ’)   4 =  )    C’  R ) c  (p, R, G, Q) – For every   C  R such that  1  p  G If  4   :  Q

29 A Formal Semantics Let  C  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 –  4 =  when c does not terminate  C  R = { :   :  R  (  *  2   2 =  3 =  4 )  (   ’, C’:  *  ( (  2 =  1   2 =  )  (  3 =    3 =  ’)  (  4 =     C’  R ) ) c  (p, R, G, Q) – For every   C  R such that  1  p  G If  4   :  Q

30 A Formal Semantics Let  C  R denotes the set of quadruples s.t. that when c executes on  1 with potential interferences by R it yields an intermediate state  2 followed by an intermediate state  3 and a final state  4 –  4 =  when c does not terminate  C  R = { :   :  R  (  *  2   2 =  3 =  4 )  (   ’, C’:  *  ( (  2 =  1   2 =  )  (  3 =    3 =  ’)   4 =  )    C’  R )) c  (p, R, G, Q) – For every   C  R such that  1  p  G If  4   :  Q

31 Simple Examples X := X + 1  (true, X=X, X =X+1  X=X, X =X+1) X := X + 1  (X  0, X  X, X>0  X=X, X>0) X := X + 1 ; Y := Y + 1  (X  0  Y  0, X  X  Y  Y, G, X>0  Y>0)

32 Inference Rules Define c  (p, R, G, Q) by structural induction on c Soundness – If c  (p, R, G, Q) then c  (p, R, G, Q)

33 Atomic Command {p} c {Q} c  (p, preserve(p), Q  ID, Q) (Atomic)

34 Conditional Critical Section {p  b} c {Q} await b then c  (p, preserve(p), Q  ID, Q) (Critical)

35 Sequential Composition c 1  (p 1, R, G, Q 1 ) c 1 ; c 2  (p 1, R, G, (Q 1 ; R * ; Q 2 )) (SEQ) c 2  (p 2, R, G, Q 2 ) Q 1  p 2

36 Conditionals c 1  (b 1, R, G, Q) p  b  R *  b 1 if atomic {b} then c 1 else c 2  (p, R, G, Q) (IF) c 2  (b 2, R, G, Q) p   b  R*  b 2

37 Loops c  (j  b 1, R, G, j) j  b  R *  b 1 while atomic {b} do c  (j, R, G,  b  j) (WHILE) R  Preserve(j)

38 Refinement c  (p, R, G, Q) c  (p’, R’, G’, Q’) (REFINE) p’  p Q  Q’ R’  R G  G’

39 Parallel Composition c 1  (p 1, R 1, G 1, Q 1 ) c 1 || c 2  (p 1  p 1, (R 1  R2), (G 1  G 2 ), Q) where Q= (Q 1 ; (R 1  R 2 )*; Q 2 )  (Q 2 ; (R 1  R 2 )*; Q 1 ) (PAR) c 2  (p 2, R 2, G 2, Q 2 ) G 1  R 2 G 2  R 1

40 Issues in R/G Total correctness is trickier Restrict the structure of the proofs – Sometimes global proofs are preferable Many design choices – Transitivity and Reflexivity of Rely/Guarantee – No standard set of rules Suitable for designs

Download ppt "Program Analysis and Verification 0368-4479"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.

50.530: Software Engineering Sun Jun SUTD. Week 13: Rely-Guarantee Reasoning.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.

This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.

Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.

A Survey of Rely-Guarantee Approaches in Compositional Verification Murat Demirbas OSU.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.

Programming Language Semantics Rely/Guarantee Reasoning Parallel Programs Tal Lev-Ami Viktor Vafeiadis Mooly Sagiv.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Axiomatic Semantics Dr. M Al-Mulhem ICS535-091.

Axiomatic Semantics Dr. M Al-Mulhem ICS

Similar presentations

Ads by Google