Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav.

Published byDouglas Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav."— Presentation transcript:

1 Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2 Axiomatic Semantics C.A.R. Hoare Robert W. Floyd 2 Edsger W. Dijkstra

3 Axiomatic Semantics C.A.R. Hoare Robert W. Floyd 3 Edsger W. Dijkstra BTW, what do all these people have in common?

4 Axiomatic Semantics C.A.R. Hoare Robert W. Floyd 4 Edsger W. Dijkstra 197219781980 For having a clear influence on methodologies for the creation of efficient and reliable software, and for helping to found the following important subfields of computer science: the theory of parsing, the semantics of programming languages, automatic program verification, automatic program synthesis, and analysis of algorithms. For fundamental contributions to programming as a high, intellectual challenge; for eloquent insistence and practical demonstration that programs should be composed correctly, not just debugged into correctness; for illuminating perception of problems at the foundations of program design. For his fundamental contributions to the definition and design of programming languages. http://amturing.acm.org/

5 Proving program correctness Why prove correctness? What is correctness? How? – Reasoning at the operational semantics level Tedious Error prone – Formal reasoning using “axiomatic” semantics Syntactic technique (“game of tokens”) Mechanically checkable – Sometimes automatically derivable 5

6 A simple imperative language: While Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S 6

7 Program correctness concepts Property = a certain relationship between initial state and final state Partial correctness = properties that hold if program terminates Termination = program always terminates – i.e., for every input state 7 partial correctness + termination = total correctness Other correctness concepts exist: resource usage, linearizability, … Mostly focus in this course Other notions of properties exist

8 Factorial example  S fac, s   s’ implies s’ y = (s x )! 8 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

9 Factorial example  S fac, s   s’ implies s’ y = (s x )! Factorial partial correctness property = – if the statement terminates then the final value of y will be the factorial of the initial value of x What if s x < 0? 9 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

10 Natural semantics for While 10  x := a, s   s[x  A  a  s] [ass ns ]  skip, s   s [skip ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

11 Staged proof 11

12 First stage 12

13 Second stage 13

14  while  (x=1) do (y := y*x; x := x–1), s   s’ 14

15 Third stage 15

16 How easy was that? Proof is very laborious – Need to connect all transitions and argues about relationships between their states – Reason: too closely connected to semantics of programming language Is the proof correct? How did we know to find this proof? – Is there a methodology? 16

17 Axiomatic verification approach What do we need in order to prove that the program does what it supposed to do? 17 Specify the required behavior Compare the behavior with the one obtained by the operational semantics Develop a proof system for showing that the program satisfies a requirement Mechanically use the proof system to show correctness The meaning of a program is a set of verification rules

18 Axiomatic Verification: Spec  S fac, s   s’ implies s’ y = (s x )! {x = N} S fac {y = N!} – {Pre-condition (s)} Command (S fac ) {post-state(s’)} – Not {true} S fac {y = x!} 18 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

19 Partial vs. Total Correctness  S fac, s   s’ implies s’ y = (s x )! {x = N} S fac {y = N!} – {Pre-condition (s)} Command (S fac ) {post-state(s’)} – Not {true} S fac {y = x!} [x = N] S fac [y = N!] 19 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1) Hoare Triples

20 Verification: Assertion-Based [Floyd, ‘67] Assertion: invariant at specific program point – E.g., assert(e) use assertions as foundation for static correctness proofs specify assertions at every program point correctness reduced to reasoning about individual statements 20

21 Annotated Flow Programs 21 Reduction: Program verification is reduced to claims about the subject of discourse Straight line code: claims are determined “by construction”

22 Annotated Flow Programs 22 Reduction: Program verification is reduced to claims about the subject of discourse Straight line code: claims are determined “by construction” Cut points

23 Assertion-Based Verification [Floyd, ‘67] Assertion: invariant at specific program point – E.g., assert(e) Proof reduced to logical claims – Considering the effect of statements – But, not reusable Challenge: Finding invariants at cut points in loops 23

24 Floyd-Hoare Logic 1969 Use Floyd’s ideas to define axiomatic semantics – Structured programming No gotos Modular (reusable claims) – Hoare triples {P} C {Q} [P] C [Q] (often C ) – Define the programming language semantics as a proof system 24

25 Assertions, a.k.a Hoare triples P and Q are state predicates – Example: x >0 If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts C is not required to always terminate {true} while true do skip {false} 25 { P } C { Q } precondition postcondition statement a.k.a command

26 Total correctness assertions If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 26 [ P ] C [ Q ]

27 Factorial example 27 { ? } y := 1; while  (x=1) do (y := y*x; x := x–1) { ? }

28 First attempt 28 { x >0 } y := 1; while  (x=1) do (y := y*x; x := x–1) { y = x ! } Holds only for value of x at state after execution finishes We need a way to “remember” value of x before execution

29 Fixed assertion 29 { x =n } y := 1; while  (x=1) do (y := y*x; x := x–1) { y =n!  n>0 } A logical variable, must not appear in statement - immutable

30 The proof outline 30 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0  x =1 }

31 Factorial example Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x – What if s x < 0? Formally, using natural semantics:  S fac, s   s’ implies s’ y = (s x )! 31 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

32 Staged proof 32

33 Stages 33 y := 1; while  (x=1) do (y := y*x; x := x–1) ss’s’ s’ y = (s x)!  s x > 0 while  (x=1) do (y := y*x; x := x–1) y := y*x; x := x–1 ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s x > 0 ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0

34 Inductive proof over iterations 34 while  (x=1) do (y := y*x; x := x–1) (y := y*x; x := x–1) while  (x=1) do (y := y*x; x := x–1) ss’’ s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0 s s’s’ s’s’ s’’ s’ y  (s’ x)! = s’’ y  (s’’ x)!  s’’x = 1  s’ x > 0 s y  (s x)! = s’ y  (s’ x)!  s x > 0

35 Assertions, a.k.a Hoare triples P and Q are state predicates – Example: x >0 If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts C is not required to always terminate {true} while true do skip {false} 35 { P } C { Q }

36 Total correctness assertions If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 36 [ P ] C [ Q ]

37 Factorial assertion 37 { x =n } y := 1; while  (x=1) do (y := y*x; x := x–1) { y =n!  n>0 } A logical variable, must not appear in statement - immutable

38 Factorial partial correctness proof 38 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0  x =1 }

39 P Formalizing partial correctness s  P – P holds in state s  – program states  – undefined 39 S ns  C  s = s’if  C, s   s’  else s 

40 Formalizing partial correctness s  P – P holds in state s  – program states  – undefined { P } C { Q } –  s, s’  . (s  P   C, s   s’)  s’  Q alternatively –  s  . (s  P  S ns  C  s  )  S ns  C   Q – Convention:   P for all P  s  . s  P  S ns  C  s  Q 40 P C(P)C(P) Q s s’ C Why did we choose natural semantics?

41 Formalizing partial correctness s  P – P holds in state s  – program states  – undefined { P } C { Q } –  s, s’  . (s  P   C, s   *s’)  s’  Q alternatively –  s  . (s  P  S sos  C  s  )  S sos  C   Q – Convention:   P for all P  s  . s  P  S sos  C  s  Q 41 P C(P)C(P) Q s s’ C

42 How do we express predicates? Extensional approach – Abstract mathematical functions P : State  T Intensional approach – Via language of formulae 42

43 An assertion language Bexp is not expressive enough to express predicates needed for many proofs – Extend Bexp Allow quantifications –  z. … –  z. …  z. z = k  n Import well known mathematical concepts – n!  n  (n-1)   2  1 43

44 An assertion language 44 a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 A ::= true | false | a 1 = a 2 | a 1  a 2 |  A | A 1  A 2 | A 1  A 2 | A 1  A 2 |  z. A |  z. A Either a program variables or a logical variable

45 First Order Logic Reminder 45

46 Free/bound variables A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free –  i. k=i  m – (i+100  77)  i. j+1=i+3) FV(A)  the free variables of A Defined inductively on the abstract syntax tree of A 46

47 Free variables 47 FV ( n )  {} FV ( x )  {x} FV ( a 1 + a 2 )  FV ( a 1  a 2 )  FV ( a 1 - a 2 )  FV ( a 1 )  FV ( a 2 ) FV ( true )  FV ( false )  {} FV ( a 1 = a 2 )  FV ( a 1  a 2 )  FV ( a 1 )  FV ( a 2 ) FV (  A )  FV ( A ) FV ( A 1  A 2 )  FV ( A 1  A 2 )  FV ( A 1  A 2 ) FV (  z. A )  FV (  z. A )  FV ( A ) \ { z }

48 Substitution An expression t is pure (a term) if it does not contain quantifiers A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t A   i. k=i  m A[5/k] = A[5/i] = 48 What if t is not pure?

49 Calculating substitutions 49 n[t/z] = n x[t/z] = x x[t/x] = t (a 1 + a 2 )[t/z]= a 1 [t/z] + a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (a 1 - a 2 )[t/z]= a 1 [t/z] - a 2 [t/z]

50 Calculating substitutions 50 true[t/x] = true false[t/x] = false (a 1 = a 2 )[t/z]= a 1 [t/z] = a 2 [t/z] (a 1  a 2 )[t/z]= a 1 [t/z]  a 2 [t/z] (  A)[t/z]=  (A[t/z]) (A 1  A 2 )[t/z]= A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (A 1  A 2 )[t/z] = A 1 [t/z]  A 2 [t/z] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y] (  z. A)[t/z] =  z. A (  z. A)[t/y] =  z. A[t/y]

51 Proof Rules 51

52 Axiomatic semantics for While 52 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Notice similarity to natural semantics rules

53 Assignment rule A “backwards” rule x := a always finishes Why is this true? – Recall operational semantics: Example: {y*z<9} x:=y*z {x<9} What about {y*z<9  w=5} x:=y*z {w=5} ? 53  x := a, s   s[x  A  a  s] [ass ns ] s[x  A  a  s]  P

54 skip rule 54  skip, s   s [skip ns ]

55 Composition rule Holds when S 1 terminates in every state where P holds and then Q holds and S 2 terminates in every state where Q holds and then R holds 55  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]

56 Condition rule 56  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]

57 Loop rule Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs When loop finishes, b is false 57  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

58 Rule of consequence Allows strengthening the precondition and weakening the postcondition The only rule that is not sensitive to the form of the statement 58

59 Rule of consequence 59 Why do we need it? Allows the following {y*z<9} x:=y*z {x<9} {y*z<9  w=5} x:=y*z {x<10}

60 Axiomatic semantics for While 60 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

61 Inference trees Similar to derivation trees of natural semantics Leaves are … Internal nodes correspond to … Inference tree is called – Simple if tree is only an axiom – Composite otherwise Similar to derivation trees of natural semantics – Reasoning about immediate constituent 61

62 Factorial proof 62 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 }

63 Factorial proof 63 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } { b  P } S { P } { P } while b do S {  b  P }

64 Factorial proof 64 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } { P’ } S { Q’ } { P } S { Q } if P  P’ and Q’  Q

65 Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } 65

66 Annotated programs A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code”proof carrying code – Going from annotated program to proof tree is a linear time translation 66

67 Annotating composition We can inline inference trees into programs Using proof equivalence of S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 instead writing deep trees, e.g., 67 {P} (S 1 ; S 2 ); (S 3 ; S 4 ) {Q} {P} (S 1 ; S 2 ) {P’’} {P’’} (S 3 ; S 4 ) {Q} {P} S 1 {P’} {P’} S 2 {P’’}{P’’} S 3 {P’’’} {P’’’} S 4 {P’’} We can annotate a composition S 1 ; S 2 ;…; S n by {P 1 } S 1 {P 2 } S 2 … {P n-1 } S n-1 {P n }

68 Annotating conditions 68 { P } if b then { b  P } S 1 else S 2 { Q }

69 Annotating conditions 69 { P } if b then { b  P } S 1 { Q 1 } else S 2 { Q 2 } { Q } Usually Q is the result of using the consequence rule, so a more explicit annotation is

70 Annotating loops 70 { P } while b do { b  P } S {  b  P }

71 Annotating loops 71 { P } while b do { b  P } S { P’ } {  b  P } { Q } P’ implies P  b  P implies Q

72 Annotated factorial program 72 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0 } Contrast with proof via natural semantics Where did the inductive argument over loop iterations go?

73 Properties of the semantics Equivalence – What is the analog of program equivalence in axiomatic verification? 73 Soundness – Can we prove incorrect properties? Completeness – Is there something we can’t prove?

74 Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } – Are inference trees unique? {true} x:=1; x:=x+5 {x  0} Proofs of properties of axiomatic semantics use induction on the shape of the inference tree – Example: prove  p { P } C { true } for any P and C 74

75 Provable equivalence We say that C 1 and C 2 are provably equivalent if for all P and Q  p { P } C 1 { Q } if and only if  p { P } C 2 { Q } Examples: – S; skip and S – S 1 ; (S 2 ; S 3 ) and (S 1 ; S 2 ); S 3 75

76 Valid assertions We say that { P } C { Q } is valid if for all states s, if s  P and  C, s   s’ then s’  Q Denoted by  p { P } C { Q } 76 P C(P)C(P) Q s s’ C

77 Logical implication and equivalence We write A  B if for all states s if s  A then s  B – {s | s  A }  {s | s  B } – For every predicate A: false  A  true We write A  B if A  B and B  A – false  5=7 In writing Hoare-style proofs, we will often replace a predicate A with A’ such that A  A’ and A’ is “simpler” 77

78 Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } 78

79 Hoare logic is sound and (relatively) complete Soundness:  p { P } C { Q } implies  p { P } C { Q } (Relative) completeness:  p { P } C { Q } implies  p { P } C { Q } – Provided we can prove any implication R  R’ 79

80 Hoare logic is sound and (relatively) complete Soundness:  p { P } C { Q } implies  p { P } C { Q } (Relative) completeness:  p { P } C { Q } implies  p { P } C { Q } – Provided we can prove any implication R  R’ FYI, nobody tells us how to find a proof … 80

81 Is there an Algorithm? 81 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0 } Annotated programs provides a compact representation of inference trees

82 ? 82

83 Predicate Transformers 83

84 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is s  wlp(C, Q) if and only if for all states s’ if  C, s   s’ then s’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 84

85 Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is s’  sp(P, C) if and only if there exists s such that if  C, s   s’ and s  P 1.  p { P } C { sp(P, C) } 2.If  p { P } C { Q } then sp(P, C)  Q 85

86 Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 86

87 Hoare logic is (relatively) complete Proving  p { P } C { Q } implies  p { P } C { Q } is the same as proving  p { wlp(C, Q) } C { Q } Suppose that  p { P } C { Q } then (from proposition 2) P  { wlp(C, Q) } 87 { P } S { Q } { wlp(C, Q) } S { Q } [cons p ]

88 Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 88

89 Calculating wlp of a loop 89 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant

90 Prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equal to (timer>0  wlp(timer:=timer-1, timer  0))  (timer  0  timer=0) = (timer>0  (timer  0)[timer-1/timer])  (timer  0  timer=0) = (timer>0  timer-1  0)  (timer  0  timer=0) = timer>0  timer=0 = timer  0 90 { timer  0 } while (timer > 0) do timer := timer – 1 { timer = 0 }

91 Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) Also, a few more rules will be helpful 91

92 Conjunction rule 92 Not necessary (for completeness) but practically useful Starting point of extending Hoare logic to handle parallelism Related to Cartesian abstraction – Will point this out when we learn it

93 Structural Rules 93 { P } C { Q } { P’ } C { Q’ } { P  P’ } C {Q  Q’ } [disj p ] { P } C { Q } {  v. P } C {  v. Q } [exist p ] v  FV( C) { P } C { Q } {  v. P } C {  v. Q } [univ p ] v  FV(C ) { F } C { F } Mod(C)  FV(F)={} [Inv p ] Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F

94 Invariance + Conjunction = Constancy 94 Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F { P } C { Q } { F  P } C { F  Q } [constancy p ] Mod(C)  FV(F)={}

95 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 95 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

96 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=y} x:=y+1 {x=y+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 96 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

97 Buggy sum program 97 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

98 Sum program Define Sum(0, n) = 0+1+…+n 98 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x)  x  y } { y  0  res=m  x=n  n  y  m=Sum(0, n) } while (x<y) do { y  0  res=m  x=n  m=Sum(0, n)  x<y  n<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n)  n<y } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n)  n<y } { y  0  res-x=Sum(0, x-1)  x-1<y } { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x  y  x  y } { y  0  res=Sum(0, y)  x=y } { res = Sum(0, y) } { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } Background axiom

99 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 99 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

100 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 {  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 100 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

101 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 101 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

102 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 102 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

103 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 103 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

104 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 104 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

105 Buggy sum program 105 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

106 Sum program Define Sum(0, n) = 0+1+…+n 106 { y  0 } x := 1 { y  0  x=1 } res := 0 { y  0  x=1  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=m  x=n  n  y+1  m=Sum(0, n-1) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  x<y  n  y+1 } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n-1)  n  y+1 } { y  0  res-x=Sum(0, x-1)  x-1<y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } // axm-Sum { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

107 Sum program Define Sum(0, n) = 0+1+…+n 107 { y  0 } x := 1 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  n  y+1  x<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } { y  0  res=Sum(0, n)  x=n  n  y+1 } // axm-Sum x := x+1 { y  0  res=Sum(0, n)  x=n+1  n  y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

108 Example 1: Absolute value program 108 { } if x<0 then x := -x else skip { }

109 Absolute value program 109 { x=v } if x 0 } else { x=v  x  0 } skip { x=v  x  0 } { v<0  x=-v  v  0  x=v} { x=|v| }

110 Example 2: Variable swap program 110 { } t := x x := y y := t { }

111 Variable swap program 111 { x=a  y=b } t := x { x=a  y=b  t=a } x := y { x=b  y=b  t=a } y := t { x=b  y=a  t=a } { x=b  y=a } // cons

112 Example 3: Axiomatizing data types 112 We added a new type of variables – array variables – Model array variable as a function y : Z  Z We need the two following axioms: S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S { y[x  a](x) = a } { z  x  y[x  a](z) = y(z) }

113 Array update rules (wp) Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? X : y(v) 113 S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S [array-update] { P[y[a  x]/y] } y[a] := x { P } [array-load] { P[y(a)/x] } x := y[a] { P } A very general approach – allows handling many data types

114 Array update rules (wp) example Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? x : y(v) 114 [array-update] { P[y[a  x]/y] } y[a] := x { P } {x=y[i  7](i)} y[i]:=7 {x=y(i)} {x=7} y[i]:=7 {x=y(i)} [array-load] { P[y(a)/x] } x := y[a] { P } {y(a)=7} x:=y[a] {x=7}

115 Array update rules (sp) 115 [array-update F ] { x=v  y=g  a=b } y[a] := x { y=g[b  v] } [array-load F ] { y=g  a=b } x := y[a] { x=g(b) } In both rules v, g, and b are fresh

116 Array-max program 116 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 1.{ x=N } 2.{  m. (m  0  m<N)  nums(m)  res } 3.{  m. m  0  m<N  nums(m)=res } 4.{ nums=orig_nums }

117 Array-max program 117 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 Post 1 : { x=N } Post 2 : { nums=orig_nums } Post 3 : {  m. 0  m<N  nums(m)  res } Post 4 : {  m. 0  m<N  nums(m)=res }

118 Summary C programming language P assertions {P} C {Q} judgments { P[a/ x ] } x := a { P } proof Rules – Soundness – Completeness {x = N} y:=factorial(x) { y = N!} proofs 118

119 Extensions to axiomatic semantics Procedures Total correctness assertions Assertions for execution time – Exact time – Order of magnitude time Assertions for dynamic memory – Separation Logic Assertions for parallelism – Owicki-Gries – Concurrent Separation Logic – Rely-guarantee 119

Download ppt "Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
Programming Language Semantics Axiomatic Semantics Chapter 6.

Programming Language Semantics Axiomatic Semantics Chapter 6.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson

Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Describing Syntax and Semantics

Describing Syntax and Semantics
Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.

Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.
Proving Program Correctness The Axiomatic Approach.

Proving Program Correctness The Axiomatic Approach.

Similar presentations

Ads by Google