
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 4.


1 ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 4

2 Proving verification conditions
What is the decision procedure for proving validity of VC(f)?
Depends on the logic in which VC(f) is expressed
VC(f) ≡ pre ⇒ VC(S, post)

3 Verification condition logic
Atoms connected by boolean operators
– ∧, ∨, ¬, ⇒
Atoms depend on the program variables and operations on them
– boolean, integer, memory
Atoms depend on the language of assertions, i.e., program assertions, loop invariants, preconditions and postconditions
– quantification, reachability predicate

4 Assume each assertion is a quantifier-free boolean combination of expressions over program variables.
VC(f) is a boolean combination of atoms
– Each atom is a relation over terms
– Each term is built using functions and logical constants
Logical constants are different from program variables
– program variables change over time
– logical constants are fixed
The logical constants in VC(f) refer to the values of program variables at the beginning of f.

5 Case I: Boolean programs
Boolean-valued variables and boolean operations
φ ∈ Formula := A | ¬φ | φ ∧ φ
A ∈ Atom := b
b ∈ SymBoolConst

6 Example
returns c
requires true
ensures c = a ∨ b
bool or(bool a, bool b) {
  if (a) c := true else c := b
}
(the if statement is labelled S)
Conjecture to be proved: true ⇒ (a ⇒ true = a ∨ b) ∧ (¬a ⇒ b = a ∨ b)
VC(S, c = a ∨ b) = (a ⇒ true = a ∨ b) ∧ (¬a ⇒ b = a ∨ b)

7 Case II: Arithmetic programs
In addition, integer-valued variables with affine operations
φ ∈ Formula := A | ¬φ | φ ∧ φ
A ∈ Atom := b | t = 0 | t < 0 | t ≤ 0
t ∈ Term := c | x | t + t | t - t | ct
b ∈ SymBoolConst
x ∈ SymIntConst
c ∈ {…, -1, 0, 1, …}

8 Example
returns c
requires b >= 0
ensures c = a + b
int add(int a, int b) {
  int t;
  t := b
  c := a
  invariant t ≥ 0 ∧ c = a + b - t
  while (t > 0) {
    c := c + 1
    t := t - 1
  }
}
(the method body is labelled A, the while loop L, and the loop body B)
Conjecture to be proved: b ≥ 0 ⇒ VC(A, c = a + b)
VC(B, t ≥ 0 ∧ c = a + b - t) ≡ t - 1 ≥ 0 ∧ c + 1 = a + b - (t - 1)
VC(L, c = a + b) ≡ t ≥ 0 ∧ c = a + b - t ∧ (t ≥ 0 ∧ c = a + b - t ⇒ (t > 0 ⇒ t - 1 ≥ 0 ∧ c + 1 = a + b - (t - 1)) ∧ (t ≤ 0 ⇒ c = a + b))[c0/c, t0/t]
VC(L, c = a + b) ≡ t ≥ 0 ∧ c = a + b - t ∧ (t0 ≥ 0 ∧ c0 = a + b - t0 ⇒ (t0 > 0 ⇒ t0 - 1 ≥ 0 ∧ c0 + 1 = a + b - (t0 - 1)) ∧ (t0 ≤ 0 ⇒ c0 = a + b))
VC(A, c = a + b) ≡ b ≥ 0 ∧ a = a + b - b ∧ (t0 ≥ 0 ∧ c0 = a + b - t0 ⇒ (t0 > 0 ⇒ t0 - 1 ≥ 0 ∧ c0 + 1 = a + b - (t0 - 1)) ∧ (t0 ≤ 0 ⇒ c0 = a + b))
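The VC computation of slides 6 and 8 can be mechanised. The following is an added example, not code from the lecture: a weakest-precondition VC generator for the slides' small while-language (assignment, sequencing, if, while with an invariant), applied to the `add` program above, followed by a bounded check of the resulting conjecture over small integers. The tuple encoding of terms and formulas and the fresh-copy naming (c0, t0) are our own conventions, and the bounded check is a sanity check, not the decision procedure the next slides discuss.

```python
# Added example (not from the lecture): a weakest-precondition VC generator
# for the slides' while-language, applied to the `add` program above, plus a
# bounded check of the conjecture over small integer inputs.
# Terms and formulas are nested tuples: ('+', t, t), ('-', t, t),
# ('=', t, t), ('<', t, t), ('<=', t, t), ('>', t, t), ('>=', t, t),
# ('and', f, f), ('or', f, f), ('not', f), ('=>', f, f).
# Leaves are Python ints (logical constants) and strings (variables).
import itertools

def subst(e, var, val):
    """e with every occurrence of variable `var` replaced by `val` (the slide's [val/var])."""
    if isinstance(e, str):
        return val if e == var else e
    if isinstance(e, tuple):
        return (e[0],) + tuple(subst(a, var, val) for a in e[1:])
    return e

def assigned(stmt):
    """Variables written by a statement; these get fresh copies at a loop."""
    kind = stmt[0]
    if kind == 'assign':
        return {stmt[1]}
    if kind == 'seq':
        return assigned(stmt[1]) | assigned(stmt[2])
    if kind == 'if':
        return assigned(stmt[2]) | assigned(stmt[3])
    return assigned(stmt[3])          # 'while'

_fresh = itertools.count()            # numbers the renamed copies: c0, t0, c1, ...

def vc(stmt, post):
    """VC(stmt, post): what must hold before stmt so that post holds after it.
    Statements: ('assign', x, t), ('seq', s1, s2), ('if', cond, s1, s2),
    ('while', cond, invariant, body)."""
    kind = stmt[0]
    if kind == 'assign':
        return subst(post, stmt[1], stmt[2])
    if kind == 'seq':
        return vc(stmt[1], vc(stmt[2], post))
    if kind == 'if':
        _, cond, s1, s2 = stmt
        return ('and', ('=>', cond, vc(s1, post)),
                       ('=>', ('not', cond), vc(s2, post)))
    # while: inv holds on entry, and for an arbitrary (renamed) loop state
    # inv => (cond => VC(body, inv)) and (not cond => post)
    _, cond, inv, body = stmt
    step = ('=>', inv, ('and', ('=>', cond, vc(body, inv)),
                               ('=>', ('not', cond), post)))
    n = next(_fresh)
    for x in sorted(assigned(body)):
        step = subst(step, x, f'{x}{n}')
    return ('and', inv, step)

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b,
       '=': lambda a, b: a == b, '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
       '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
       'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
       'not': lambda a: not a, '=>': lambda a, b: (not a) or b}

def ev(e, env):
    """Evaluate a term/formula under an assignment of ints to variables."""
    if isinstance(e, bool):
        return e
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return env[e]
    return OPS[e[0]](*(ev(a, env) for a in e[1:]))

def free_vars(e):
    if isinstance(e, str):
        return {e}
    if isinstance(e, tuple):
        return set().union(*(free_vars(a) for a in e[1:]))
    return set()

def holds_on_range(formula, lo=-2, hi=2):
    """Bounded check only: True if the formula holds for every assignment of
    its variables to integers in [lo, hi].  Not a proof of validity."""
    vs = sorted(free_vars(formula))
    for vals in itertools.product(range(lo, hi + 1), repeat=len(vs)):
        if not ev(formula, dict(zip(vs, vals))):
            return False
    return True

def show(e):
    """Render a formula in the slides' notation."""
    if not isinstance(e, tuple):
        return str(e)
    if e[0] == 'not':
        return '¬' + show(e[1])
    sym = {'and': ' ∧ ', 'or': ' ∨ ', '=>': ' ⇒ '}.get(e[0], f' {e[0]} ')
    return '(' + sym.join(show(a) for a in e[1:]) + ')'

# The `add` program from the slide: body A = t := b; c := a; loop L
ADD_BODY = ('seq', ('assign', 't', 'b'),
            ('seq', ('assign', 'c', 'a'),
                    ('while', ('>', 't', 0),
                              ('and', ('>=', 't', 0),
                                      ('=', 'c', ('-', ('+', 'a', 'b'), 't'))),
                              ('seq', ('assign', 'c', ('+', 'c', 1)),
                                      ('assign', 't', ('-', 't', 1))))))

def add_conjecture(post):
    """requires b >= 0  =>  VC(A, post), as on the slide."""
    return ('=>', ('>=', 'b', 0), vc(ADD_BODY, post))

if __name__ == '__main__':
    conj = add_conjecture(('=', 'c', ('+', 'a', 'b')))
    print(show(conj))
    print('holds on [-2, 2]:', holds_on_range(conj))
```

Running it prints the VC(A, c = a + b) formula of the slide (with c0, t0 for the renamed loop state) and confirms it on the bounded range; swapping in a wrong postcondition such as c = a makes the check fail, which is the kind of counterexample a real decision procedure would return.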

9 Case III: Memory programs
In addition, a memory with read and write operations
– an unbounded set of objects
– a finite set of fields in each object
– each field contains a boolean value, an integer value, or a reference to an object
For each field f, two operations Select and Update
– Select(f,o) is the content of the memory at object o and field f
– Update(f,o,v) is a new memory obtained by updating field f of object o to v

10 Memory axioms
For all objects o and o', and memories m:
o = o' ⇒ Select(Update(m,o,v),o') = v
o ≠ o' ⇒ Select(Update(m,o,v),o') = Select(m,o')

11 Modeling memory operations
Treat each field f as a map variable:
a = b.f   becomes   a = Select(f,b)
a.f = b   becomes   f = Update(f,a,b)
{ ? } a.f = 5 { a.f + b.f = 10 }
WP(a.f = 5, a.f + b.f = 10)
≡ WP(f = Update(f,a,5), Select(f,a) + Select(f,b) = 10)
≡ Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10

12 Simplify using memory axiom
Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10
iff 5 + Select(Update(f,a,5),b) = 10
iff Select(Update(f,a,5),b) = 5
iff (a = b ∧ 5 = 5) ∨ (a ≠ b ∧ Select(f,b) = 5)
iff a ≠ b ⇒ Select(f,b) = 5
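The two memory axioms of slide 10 and the simplification of slides 11 and 12 can be executed. The block below is an added example, not code from the lecture: `select` applies the axioms as a rewrite on Select/Update terms (a syntactically equal index gives the o = o' case, otherwise a case split), and a concrete evaluator cross-checks the slide's simplified formula against the original weakest precondition on every small model. The tuple encoding, the `ite` case-split term and the choice of objects {0, 1, 2} and field values {4, 5, 6} are our own assumptions; the field f, the objects a and b and the value 5 follow the slide.

```python
# Added example (not from the lecture): the memory axioms as a rewrite on
# Select/Update terms, plus a concrete evaluator used to cross-check the
# slide's simplification on every small model.
import itertools

# Terms: ints, variable names (strings), ('Select', m, o), ('Update', m, o, v),
# ('ite', cond, t1, t2), ('+', t, t).  Formulas: ('=', t, t), ('!=', t, t),
# ('=>', f, f).  The memory variable f is just the string 'f'.

def select(m, o):
    """Select(m, o) simplified with the memory axioms.  A syntactically equal
    index hits the o = o' axiom outright; otherwise the result is a case split
    on o = o', the o != o' branch reading through to the inner memory."""
    if isinstance(m, tuple) and m[0] == 'Update':
        _, inner, o2, v = m
        if o == o2:
            return v
        return ('ite', ('=', o, o2), v, select(inner, o))
    return ('Select', m, o)

def rewrite(t):
    """Apply `select` bottom-up everywhere in a term or formula."""
    if not isinstance(t, tuple):
        return t
    args = tuple(rewrite(a) for a in t[1:])
    if t[0] == 'Select':
        return select(args[0], args[1])
    return (t[0],) + args

BINOPS = {'+': lambda x, y: x + y, '=': lambda x, y: x == y,
          '!=': lambda x, y: x != y, '=>': lambda x, y: (not x) or y}

def ev(t, env):
    """Concrete evaluation: objects are ints, a memory is a dict object -> value."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return env[t]
    op, args = t[0], t[1:]
    if op == 'Select':
        return ev(args[0], env)[ev(args[1], env)]
    if op == 'Update':                       # functional update: a fresh dict
        m = dict(ev(args[0], env))
        m[ev(args[1], env)] = ev(args[2], env)
        return m
    if op == 'ite':
        return ev(args[1], env) if ev(args[0], env) else ev(args[2], env)
    return BINOPS[op](ev(args[0], env), ev(args[1], env))

def equivalent_on_small_models(f1, f2, objects=(0, 1, 2), values=(4, 5, 6)):
    """Exhaustively compare two formulas over all choices of the objects a, b
    and of the memory f (one value per object).  Constructed model space."""
    for a, b in itertools.product(objects, repeat=2):
        for vals in itertools.product(values, repeat=len(objects)):
            env = {'a': a, 'b': b, 'f': dict(zip(objects, vals))}
            if ev(f1, env) != ev(f2, env):
                return False
    return True

# WP(a.f = 5, a.f + b.f = 10) as on slide 11, and the slide-12 simplification
F5 = ('Update', 'f', 'a', 5)
WP = ('=', ('+', ('Select', F5, 'a'), ('Select', F5, 'b')), 10)
SIMPLIFIED = ('=>', ('!=', 'a', 'b'), ('=', ('Select', 'f', 'b'), 5))

if __name__ == '__main__':
    print(rewrite(WP))                       # the case-split form after the axioms
    print(equivalent_on_small_models(WP, SIMPLIFIED))
```

`rewrite` stops at the case split; the last two steps of slide 12 (folding `5 + ite(...) = 10` into `a ≠ b ⇒ Select(f,b) = 5`) are arithmetic and propositional reasoning, which is exactly the part handed to the decision procedure in the slides that follow.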

13
φ ∈ Formula := A | ¬φ | φ ∧ φ
A ∈ Atom := b | t = 0 | t < 0 | t ≤ 0
t ∈ Term := c | x | t + t | t - t | ct | Select(m,t)
m ∈ MemTerm := f | Update(m,t,t)
b ∈ SymBoolConst
x ∈ SymIntConst
c ∈ {…, -1, 0, 1, …}

14 Decision procedures
Boolean programs
– Propositional satisfiability
Arithmetic programs
– Propositional satisfiability modulo theory of linear arithmetic
Memory programs
– Propositional satisfiability modulo theory of linear arithmetic + arrays


16 Case I: Boolean programs
Boolean-valued variables and boolean operations
φ ∈ Formula := b | ¬φ | φ ∧ φ
b ∈ SymBoolConst

17 SAT
First NP-complete problem (Cook 1972)
Davis-Putnam algorithm (1960)
– resolution-based
– may use exponential memory
Davis-Logemann-Loveland algorithm (1962)
– search-based
– basis for all successful modern solvers
Conflict-driven learning and non-chronological backtracking (1996)
– resolution strikes back!
Amazing progress
– GRASP, SATO, Chaff, ZChaff, BerkMin, …

18 Conjunctive Normal Form
φ ∈ CNF Formula ::= c1 ∧ c2 ∧ … ∧ cm
c ∈ Clause ::= l1 ∨ l2 ∨ … ∨ ln
l ∈ Literal ::= b | ¬b
b ∈ SymBoolConst
Unit clause (l) - a clause containing a single literal
Empty clause () - a clause containing no literal - equivalent to false

19 Conversion into CNF
In general, converting φ into an equivalent CNF formula may result in an exponential blow-up
We are only interested in satisfiability of φ
Convert into an equi-satisfiable CNF formula EQCNF(φ)
– φ is satisfiable iff EQCNF(φ) is satisfiable
– size of EQCNF(φ) is polynomial in size of φ

20 Conversion into CNF
Convert formula φ into normal form NF(φ)
– NF(φ) is polynomial in φ
Convert ψ = NF(φ) into equisatisfiable CNF formula EQCNF(ψ)
– EQCNF(ψ) is polynomial in ψ

21 Normal Form
Normal form: NF(φ) ≡ φ
Negated normal form: NNF(φ) ≡ ¬φ
NF(b) = b                          NNF(b) = ¬b
NF(¬φ) = NNF(φ)                    NNF(¬φ) = NF(φ)
NF(φ1 ∧ φ2) = NF(φ1) ∧ NF(φ2)      NNF(φ1 ∧ φ2) = NNF(φ1) ∨ NNF(φ2)

22 Equi-satisfiable CNF
Let ψ be a formula in normal form. For each subformula φ of ψ:
– create a fresh symbol v_φ in SymBoolConst
Identify v_b with b and v_¬b with ¬b
Cl(b) = Cl(¬b) = true
Cl(φ1 ∧ φ2) = Cl(φ1) ∧ Cl(φ2) ∧ (v_{φ1∧φ2} ∨ ¬v_φ1 ∨ ¬v_φ2) ∧ (¬v_{φ1∧φ2} ∨ v_φ1) ∧ (¬v_{φ1∧φ2} ∨ v_φ2)
Cl(φ1 ∨ φ2) = Cl(φ1) ∧ Cl(φ2) ∧ (¬v_{φ1∨φ2} ∨ v_φ1 ∨ v_φ2) ∧ (v_{φ1∨φ2} ∨ ¬v_φ1) ∧ (v_{φ1∨φ2} ∨ ¬v_φ2)
EQCNF(ψ) = v_ψ ∧ Cl(ψ)
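Slides 21 and 22 together give a complete, polynomial translation from a formula to an equisatisfiable clause set. The block below is an added example, not code from the lecture: it implements NF/NNF and the Cl/EQCNF construction exactly as stated, then checks equisatisfiability by brute-force truth tables (exponential, but fine for a demo). The input grammar is extended with ∨ (its NF/NNF cases are the duals of the ∧ cases, an assumption we add), and the fresh symbols are named v1, v2, … in creation order.

```python
# Added example (not from the lecture): NF/NNF and the EQCNF construction
# from the slides, with a brute-force satisfiability check to confirm
# equisatisfiability.  Input formulas may also contain ∨ (dual cases added).
import itertools

# Formulas: ('var', 'b'), ('not', f), ('and', f, g), ('or', f, g).
# Literals in clauses: (name, polarity); a clause is a list of literals.

def nf(f):
    """NF(φ): equivalent formula with negation only on variables."""
    op = f[0]
    if op == 'var':
        return f
    if op == 'not':
        return nnf(f[1])
    return (op, nf(f[1]), nf(f[2]))

def nnf(f):
    """NNF(φ): normal form of ¬φ."""
    op = f[0]
    if op == 'var':
        return ('not', f)
    if op == 'not':
        return nf(f[1])
    dual = 'or' if op == 'and' else 'and'
    return (dual, nnf(f[1]), nnf(f[2]))

def eqcnf(psi):
    """EQCNF(ψ) = v_ψ ∧ Cl(ψ) for ψ in normal form, as a list of clauses."""
    clauses = []
    fresh = itertools.count(1)

    def neg(lit):
        return (lit[0], not lit[1])

    def cl(f):
        """Emit the clauses of Cl(f); return the literal standing for v_f."""
        if f[0] == 'var':
            return (f[1], True)          # v_b is identified with b
        if f[0] == 'not':
            return (f[1][1], False)      # v_¬b is identified with ¬b
        v = (f'v{next(fresh)}', True)    # fresh symbol for this subformula
        x, y = cl(f[1]), cl(f[2])
        if f[0] == 'and':                # the three clauses for v ⇔ x ∧ y
            clauses.extend([[v, neg(x), neg(y)], [neg(v), x], [neg(v), y]])
        else:                            # the three clauses for v ⇔ x ∨ y
            clauses.extend([[neg(v), x, y], [v, neg(x)], [v, neg(y)]])
        return v

    top = cl(psi)
    return [[top]] + clauses

def variables(f):
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))

def holds(f, env):
    op = f[0]
    if op == 'var':
        return env[f[1]]
    if op == 'not':
        return not holds(f[1], env)
    if op == 'and':
        return holds(f[1], env) and holds(f[2], env)
    return holds(f[1], env) or holds(f[2], env)

def satisfiable(f):
    """Truth-table check of a formula."""
    vs = sorted(variables(f))
    return any(holds(f, dict(zip(vs, bits)))
               for bits in itertools.product([False, True], repeat=len(vs)))

def cnf_satisfiable(clauses):
    """Truth-table check of a clause set (a literal (n, p) holds iff env[n] == p)."""
    vs = sorted({name for c in clauses for name, _ in c})
    return any(all(any(env[n] == p for n, p in c) for c in clauses)
               for env in (dict(zip(vs, bits))
                           for bits in itertools.product([False, True], repeat=len(vs))))

def show(f):
    if f[0] == 'var':
        return f[1]
    if f[0] == 'not':
        return '¬' + show(f[1])
    return '(' + show(f[1]) + (' ∧ ' if f[0] == 'and' else ' ∨ ') + show(f[2]) + ')'

if __name__ == '__main__':
    a, b = ('var', 'a'), ('var', 'b')
    phi = ('and', a, ('not', ('or', a, b)))        # a ∧ ¬(a ∨ b): unsatisfiable
    psi = nf(phi)
    print(show(phi), '->', show(psi))
    print(eqcnf(psi))
    print(satisfiable(phi), cnf_satisfiable(eqcnf(psi)))
```

The clause count of EQCNF grows by three clauses per binary connective plus the unit clause for v_ψ, which is the polynomial bound the slide claims; the truth-table checks are only there to witness that φ and EQCNF(NF(φ)) agree on satisfiability.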

23 Resolution
clauses:    (c1 ∨ b)    (c2 ∨ ¬b)
resolvent:  (c1 ∨ c2)
resolvent(b, c1 ∨ b, c2 ∨ ¬b) = c1 ∨ c2 = ∃b. (c1 ∨ b) ∧ (c2 ∨ ¬b)
c1, c2 independent of b

24 Theorem
ψ ∧ (c1 ∨ b) ∧ (c2 ∨ ¬b) iff ψ ∧ (c1 ∨ b) ∧ (c2 ∨ ¬b) ∧ (c1 ∨ c2)
Adding the resolvent to the set of clauses does not affect the satisfiability of the clause set.

25 Unit resolution
(b)    (c2 ∨ ¬b)
⟹ (c2)
One of the clauses being resolved is a unit clause
Derivation of the empty clause (denoted by ⊥):
(b)    (¬b)
⟹ ⊥
(¬b)    (c2 ∨ b)
⟹ (c2)

26 Davis-Putnam algorithm (I)
Given clause set C:
Rule 1: If a clause (c ∨ l ∨ l) ∈ C, replace it with (c ∨ l)
Rule 2: If a clause (c ∨ b ∨ ¬b) ∈ C, remove it from C
Rule 3a: If ¬b does not occur in any clause in C, remove every clause containing b from C
Rule 3b: If b does not occur in any clause in C, remove every clause containing ¬b from C

27 Davis-Putnam algorithm (II)
Saturate C w.r.t. Rules 1, 2, 3a, and 3b
while (C is nonempty) {
  Pick a variable b appearing in some clause in C
  C' = { resolvent(b, c1, c2) | c1, c2 ∈ C }
  Saturate C' w.r.t. Rules 1, 2, 3a, and 3b
  if (⊥ ∈ C') return unsatisfiable
  C = C'
}
return satisfiable

28 Satisfiable example
(a ∨ b ∨ c)  (b ∨ ¬c ∨ ¬f)  (¬b ∨ c)
Rule 3a (on a): (b ∨ ¬c ∨ ¬f)  (¬b ∨ c)
Resolve on b: (c ∨ ¬c ∨ ¬f)
Rule 2: clause set is empty

29 Unsatisfiable example
(a ∨ b)  (a ∨ ¬b)  (¬a ∨ c)  (¬a ∨ ¬c)
Pick b: (a)  (¬a ∨ c)  (¬a ∨ ¬c)
Pick a: (c)  (¬c)
Pick c: ⊥
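The procedure of slides 26 and 27, run on the two clause sets of slides 28 and 29, as an added example that is not code from the lecture. Clauses are represented as sets of literals, so Rule 1 (duplicate literals) holds automatically; `saturate` applies Rule 2 and the pure-literal Rules 3a/3b to a fixed point. When resolving on b, the clauses that do not mention b are kept next to the resolvents, as the worked examples do (this is what makes C' = ∃b. C). The variable-selection order (smallest name) and the `clause` text syntax are our own choices.

```python
# Added example (not from the lecture): the Davis-Putnam procedure of the
# slides, run on the satisfiable and unsatisfiable clause sets shown above.

def clause(text):
    """'a -b c' -> frozenset({('a', True), ('b', False), ('c', True)})."""
    return frozenset((lit.lstrip('-'), not lit.startswith('-')) for lit in text.split())

def saturate(clauses):
    """Apply Rules 2, 3a and 3b until nothing changes (Rule 1 is implicit in sets)."""
    clauses = set(clauses)
    while True:
        # Rule 2: drop any clause containing both b and ¬b
        kept = {c for c in clauses if not any((v, not p) in c for v, p in c)}
        # Rules 3a/3b: a literal whose negation occurs nowhere is pure;
        # every clause containing a pure literal can be dropped
        lits = {l for c in kept for l in c}
        pure = {l for l in lits if (l[0], not l[1]) not in lits}
        kept = {c for c in kept if not (c & pure)}
        if kept == clauses:
            return clauses
        clauses = kept

def resolve_on(b, clauses):
    """All resolvents on variable b, plus the clauses not mentioning b."""
    pos = {c for c in clauses if (b, True) in c}
    neg = {c for c in clauses if (b, False) in c}
    rest = clauses - pos - neg
    resolvents = {(c1 - {(b, True)}) | (c2 - {(b, False)}) for c1 in pos for c2 in neg}
    return rest | resolvents

def davis_putnam(clauses, trace=None):
    """True if the clause set is satisfiable, False once the empty clause appears.
    If `trace` is a list, every intermediate clause set is appended to it."""
    C = saturate(frozenset(c) for c in clauses)
    while True:
        if trace is not None:
            trace.append(C)
        if frozenset() in C:
            return False                          # ⊥ derived: unsatisfiable
        if not C:
            return True                           # no clauses left: satisfiable
        b = min(v for c in C for v, _ in c)      # pick a variable (smallest name)
        C = saturate(resolve_on(b, C))

def show(clauses):
    def one(c):
        return '⊥' if not c else '(' + ' ∨ '.join(('' if p else '¬') + v for v, p in sorted(c)) + ')'
    return '  '.join(one(c) for c in sorted(clauses, key=sorted)) if clauses else '{}'

SAT_EXAMPLE = [clause('a b c'), clause('b -c -f'), clause('-b c')]               # slide 28
UNSAT_EXAMPLE = [clause('a b'), clause('a -b'), clause('-a c'), clause('-a -c')]  # slide 29

if __name__ == '__main__':
    for name, cs in (('slide 28', SAT_EXAMPLE), ('slide 29', UNSAT_EXAMPLE)):
        steps = []
        result = davis_putnam(cs, steps)
        print(name, 'satisfiable' if result else 'unsatisfiable')
        for C in steps:
            print('   ', show(C))
```

On the slide-28 set the pure-literal rules alone empty the clause set (a and ¬f are pure, then ¬b and c), so no resolution step is needed; on the slide-29 set the trace reproduces the slide's three picks, ending with ⊥. The set of resolvents can square the clause count at each pick, which is the memory explosion slide 31 quantifies.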

30 Correctness
Saturate C w.r.t. Rules 1, 2, 3a, and 3b
while (C is nonempty) {
  Pick a variable b appearing in some clause in C
  C' = { resolvent(b, c1, c2) | c1, c2 ∈ C }
  Saturate C' w.r.t. Rules 1, 2, 3a, and 3b
  if (⊥ ∈ C') return unsatisfiable
  C = C'
}
return satisfiable
Two observations:
- Each of the rules 1, 2, 3a, and 3b preserves satisfiability
- C' = ∃b. C

31 Memory explosion
Saturate C w.r.t. Rules 1, 2, 3a, and 3b
while (C is nonempty) {
  Pick a variable b appearing in some clause in C
  C' = { resolvent(b, c1, c2) | c1, c2 ∈ C }
  Saturate C' w.r.t. Rules 1, 2, 3a, and 3b
  if (⊥ ∈ C') return unsatisfiable
  C = C'
}
return satisfiable
Let n be the number of clauses in the input clause set
Number of clauses after i-th iteration of loop: O(n^(2^i))

32 Davis-Logemann-Loveland algorithm
Slides 42-72 of sat_course1.pdf
Download from: http://research.microsoft.com/users/lintaoz/SATSolving/satsolving.htm

33 Davis-Logemann-Loveland algorithm
Eliminates exponential memory requirement
Might still need exponential time

34 Conflict-driven learning and non-chronological backtracking
Slides 2-20 of sat_course2.pdf
Download from: http://research.microsoft.com/users/lintaoz/SATSolving/satsolving.htm

