Presentation is loading. Please wait.

Presentation is loading. Please wait.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Published byColin Daley Modified over 10 years ago

Similar presentations

Presentation on theme: "Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models."— Presentation transcript:

1 Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models of Software 2 Sep 2003, Tunis, Tunisia

2 Review: Tool architecture Source program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Focus today

3 Commands and their possible outcomes Normal termination – terminates normally in some state Erroneous termination – goes wrong, crashes the computer Non-termination – diverges, fails to terminates, results in infinite recursion Miraculous termination – fails to start, blocks (partial/miraculous commands) you breach contract, demon wins demon breaches contract, you win!

4 Commands C::=w := E |assert P |assume P |var w in C end |C 0 ; C 1 |C 0 [] C 1

5 Semantics Hoare logic – {P} C {R} says that if command C is started in (a state satisfying) P, then: C does not go wrong, and if C terminates normally, then it terminates in (a state satisfying) R Weakest preconditions – for a given C and R, the weakest P satisfying {P} C {R} – written wp(C, R) or simply C.R

6 Command semantics assignment evaluate E and change value of w to E (w := E).R R[w := E] (x := x + 1).(x 10)x+1 10x < 10 (x := 15).(x 10)15 10false (y := x + 3*y).(x 10) x 10 (x,y := y,x).(x < y)y < x replace w by E in R

7 Command semantics assert if P holds, do nothing, else go wrong (assert P).R P R (assert x < 10).(0 x)0 x < 10 (assert x = y*y).(0 x)x = y*y 0 xx = y*y (assert false).(x 10)false logical AND, conjunction

8 Command semantics assume logical implication logical NOT, negation logical OR, disjunction if P holds, do nothing, else block (assume P).R P R P R (assume x < 10).(0 x)10 x 0 x0 x (assume x = y*y).(0 x)x = y*y 0 xtrue (assume false).(x 10)true

9 introduce w with an arbitrary initial value, then do C (var w in C end).R (w C.R) (var y in y := x end).(0 x)(y (y := x).(0 x))(y 0 x)0 x (var y in x := y end).(0 x)(y (x := y).(0 x))(y 0 y)false Command semantics local variable provided w does not occur free in R

10 do C 0, then C 1 (C 0 ; C 1 ).R C 0.(C 1.R) (x := x+1 ; assert x y).(0 < x)(x := x+1).( (assert x y).(0 < x) )(x := x+1).(0 < x y) 0 < x+1 y0 x < y (assume 0 y+z ; x := y).(0 x)(assume 0 y+z).( (x:=y).(0 x) )(assume 0 y+z).(0 y)0 y+z 0 y-y z -y 00 z Command semantics sequential composition

11 do either C 0 or C 1 (the demon chooses which) (C 0 [] C 1 ).R C 0.R C 1.R (x := x+1 [] x := x + 2).(x 10)(x := x+1). (x 10) (x := x+2).(x 10)x 9 x 8 x 8 (assume false [] x := y).(0 x)(assume false).(0 x) (x:=y).(0 x)true 0 y0 y Command semantics choice composition

12 Convenient shorthands skip = assert true = assume true wrong = assert false magic = assume false P C = assume P; C if P then C 0 else C 1 end = P C 0 [] P C 1 havoc w = var win w := wend

13 Change such that change w such that P = havoc w ; assume P change x such that y = x+1havoc x ; assume y = x+1x := y-1 change x such that y < xx := y+1 [] x := y+2 [] … change x such that x = x+1havoc x ; assume falsemagic change r such that r*r = yy < 0 magic []0 y r := y []0 y r := -y

14 Specification statement w:[P, Q] =requires P modifies w ensures Q =assert P ; var w 0 in w 0 := w ; change w such that Q end x:[true, x 0 =x+1]x := x-1 r:[0 y, r*r = y]assert 0 y ; (r := y [] r := -y) x:[0 x, x 2 x 0 < (x+1) 2 ] ? x,y,z,n:[1xy1z2n, x n +y n =z n ] ?

15 Variables with internal structure: maps x := a[i] = x := select(a, i) a[i] := E = a := store(a, i, E) where (m,i,j,v i j select(store(m, i, v), i) = v select(store(m, i, v), j) = select(m, j))

16 Example: maps (a[5] := 12 ; a[7] := 14 ; x := a[5]).(x=12) =(a[5] := 12 ; a[7] := 14).(select(a, 5) = 12) =(a[5] := 12).(select(store(a, 7, 14), 5) = 12) =select(store(store(a, 5, 12), 7, 14), 5) = 12 ={ select/store axiom, since 7 5 } select(store(a, 5, 12), 5) = 12 ={ select/store axiom, since 5 = 5 } 12 = 12 =true

17 Refinement B C = (R B.R C.R ) change x such that y < x x := y+4 assert x < 10 skip skip assume x < 10 wrong C C magic command B is refined by command C C is better than B anyone who requests B would be happy with C

18 Compositions are monotonic with respect to refinement if B C then: – var w in B end var w in C end – A;B A;C – B;D C;D – A [] B A [] C var x in... change x such that y < x... end var x in... x := y+4... end

19 Commands form a lattice Commands form a semi-lattice under ordering, with meet operation [], top element magic, and bottom element wrong A lattice theorem: B C 0 B C 1 B C 0 [] C 1 Corollary: C 0 [] C 1 C 0

20 Example application of lattice theorem Let B = x:[true, x = |x 0 | ]. Then: B assume 0 x = C 0 B assume x 0 ; x := -x = C 1 B assume x = -3 ; x := 3 = C 2 B magic = C 3 Therefore: B C 0 [] C 1 [] C 2 [] C 3

21 Procedures proc P(x,y,z) returns (r,s,t) spec S call to P: a,b,c := P(E 0, E 1, E 2 ) = var x,y,z,r,s,t in x := E 0 ; y := E 1 ; z := E 2 ; S ; a,b,c := r,s,t end

22 Example: procedure proc Add(x) returns (r) specrequires 0 x modifies k ensures k = k 0 +x r = k 0 a := Add(k+25) = var x,r in x := k+25 ; k:[0 x, k = k 0 +x r = k 0 ] ; a := r end

23 Procedure implementations proc P(x,y,z) returns (r,s,t) spec S impl P(x,y,z) returns (r,s,t) is C Proof obligation: S C Let C 0,..., C m- 1 be the declared implementations of P. Then, the language implementation of a call to P can replace S by: C 0 []... [] C m- 1

24 Exercise Redefine (in terms of the commands we've seen) the specification statement so that the postcondition mentions x,x instead of x 0,x Example: – old form: x:[0 x, x*x x 0 < (x+1)*(x+1)] – new form: x:[0 x, x*x x < (x+1)*(x+1)]

25 Exercise Define while {inv J} B do w: S end where: – B is the loop guard – S is the loop body – J is the loop invariant – w is the list of assignment targets in S in terms of the commands we've seen.

26 Loop (answer to exercise) while {inv J} B do w: S end = assert J ; change w such that J ; if B then S ; assert J ; magic else skip end

27 Summary Language is built up from 6 primitive commands Semantics can be given by weakest preconditions Partial (miraculous) commands are important and very useful select/store handle map variables Procedures are names for specifications Procedure implementations are hints for compiler

Download ppt "Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.

This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Similar presentations

Ads by Google