Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Analysis and Verification 0368-4479

Published byCaroline Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "Program Analysis and Verification 0368-4479"— Presentation transcript:

1 Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 6: Axiomatic Semantics II Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

2 Good manners Mobiles 2

3 Home Work Assignment #1 In the following, we refer to the “Semantics with Application” book as “the book”. The book can be found here: http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html. http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html. 1.Solve Ex 2.8 and 2.18 in the book. 2.In the previous question, you were asked to extend the While language with a new construct (a for loop). Extend the proof of theorem 2.26 in the book (semantic equivalence) to handle for commands. 3.Solve Ex 2.34 in the book. 4.Read Section 2.5 in the book and solve Ex 2.45. 5.Prove or disprove: The denotational semantics of any statement in the While language shown in the lectures is a monotone and continuous function. 6.Define a denotational semantics for the the While language extended with the random command. (The extension is described in Question 3). 3 (due next lesson)

4 Axiomatic Semantics C.A.R. Hoare Robert Floyd Edsger W. Dijkstra 4

5 A simple imperative language: While Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S 5

6 Program correctness concepts Property = a certain relationship between initial state and final state Partial correctness = properties that hold if program terminates Termination = program always terminates – i.e., for every input state 6 partial correctness + termination = total correctness Other correctness concepts exist: resource usage, linearizability, … Mostly focus in this course Other notions of properties exist

7 Factorial example  S fac, s   s’ implies s’ y = (s x )! 7 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

8 Natural semantics for While 8  x := a, s   s[x  A  a  s] [ass ns ]  skip, s   s [skip ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

9 Semantics-based Proof 9  x := a, s   s[x  A  a  s] [ass ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]

10 Semantics-based Proof  S fac, s   s’ implies s’ y = (s x )! 10 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1) Tedious Correct? How do we check correctness? Rigorous vs. formal

11 Axiomatic verification approach What do we need in order to prove that the program does what it supposed to do? 11 Specify the required behavior Compare the behavior with the one obtained by the operational semantics Develop a proof system for showing that the program satisfies a requirement Mechanically (systematically) use the proof system to show correctness The meaning of a program language is a set of verification rules

12 Axiomatic Verification: Spec  S fac, s   s’ implies s’ y = (s x )! {x = N} S fac {y = N!} – {Pre-condition (s)} Command (S fac ) {post-state(s’)} – Not {true} S fac {y = x!} 12 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

13 Partial vs. Total Correctness  S fac, s   s’ implies s’ y = (s x )! {x = N} S fac {y = N!} – {Pre-condition (s)} Command (S fac ) {post-state(s’)} – Not {true} S fac {y = x!} [x = N] S fac [y = N!] 13 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1) Hoare Triples

14 Verification: Assertion-Based [Floyd, ‘67] Assertion: invariant at specific program point – E.g., assert(e) use assertions as foundation for static correctness proofs specify assertions at every program point correctness reduced to reasoning about individual statements 14

15 Annotated Flow Programs 15 Reduction: Program verification is reduced to claims about the subject of discourse Straight line code: claims are determined “by construction”

16 Annotated Flow Programs 16 Reduction: Program verification is reduced to claims about the subject of discourse Straight line code: claims are determined “by construction” Cut points

17 Assertion-Based Verification [Floyd, ‘67] Assertion: invariant at specific program point – E.g., assert(e) Proof reduced to logical claims – Considering the effect of statements – But, not reusable Challenge: Finding invariants at cut points in loops 17

18 Floyd-Hoare Logic 1969 Use Floyd’s ideas to define axiomatic semantics – Structured programming No gotos Modular (reusable claims) – Hoare triples {P} C {Q} [P] C [Q] (often C ) – Define the programming language semantics as a proof system 18

19 Axiomatic semantics for While 19 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

20 Proofs: Inference trees Leaves are axiom Internal nodes correspond to composed statements Inference tree is called – Simple if tree is only an axiom – Composite otherwise Similar to derivation trees of natural semantics – Reasoning about immediate constituents 20

21 Factorial proof 21 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 }

22 Factorial proof 22 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } { b  P } S { P } { P } while b do S {  b  P }

23 Factorial proof 23 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } { P’ } S { Q’ } { P } S { Q } if P  P’ and Q’  Q

24 Axiomatic semantics for While 24 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

25 Axiomatic semantics for While 25 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Notice similarity to natural semantics rules

26 Assignment rule A “backwards” rule x := a always finishes Why is this true? – Recall operational semantics: Example: {y*z<9} x:=y*z {x<9} What about {y*z<9  w=5} x:=y*z {w=5} ? 26  x := a, s   s[x  A  a  s] [ass ns ] s[x  A  a  s]  P

27 skip rule 27  skip, s   s [skip ns ]

28 Composition rule Holds when S 1 terminates in every state where P holds and then Q holds and S 2 terminates in every state where Q holds and then R holds 28  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]

29 Condition rule 29  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]

30 Loop rule Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs When loop finishes, b is false 30  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

31 Rule of consequence Allows strengthening the precondition and weakening the postcondition The only rule that is not sensitive to the form of the statement 31

32 Rule of consequence 32 Why do we need it? Allows the following {y*z<9} x:=y*z {x<9} {y*z<9  w=5} x:=y*z {x<10}

33 Inference trees Similar to derivation trees of natural semantics Leaves are … Internal nodes correspond to … Inference tree is called – Simple if tree is only an axiom – Composite otherwise 33

34 Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } 34

35 Validity s  P – P holds in state s  – program states { P } C { Q } is valid if  s, s’  . (s  P   C, s   s’)  s’  Q 35 P Q s s’ C

36 Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } 36

37 Hoare logic is sound and (relatively) complete Soundness:  p { P } C { Q } implies  p { P } C { Q } (Relative) completeness:  p { P } C { Q } implies  p { P } C { Q } – Provided we can prove any implication R  R’ 37

38 Hoare logic is sound and (relatively) complete Soundness:  p { P } C { Q } implies  p { P } C { Q } (Relative) completeness:  p { P } C { Q } implies  p { P } C { Q } – Provided we can prove any implication R  R’ FYI, nobody tells us how to find a proof … 38

39 Is there an Algorithm? 39 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0 } Annotated programs provides a compact representation of inference trees

40 ? 40

41 Predicate Transformers 41

42 Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is s  wlp(C, Q) if and only if ∀ s’. if  C, s   s’ then s’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 42

43 Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is s’  sp(P, C) if and only if ∃ s’.  C, s   s’ and s  P Propositions: a.  p { P } C { sp(P, C) } b.If  p { P } C { Q } then sp(P, C)  Q 43

44 Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 44

45 Hoare logic is (relatively) complete Proving  p { P } C { Q } implies  p { P } C { Q } is the same as proving  p { wlp(C, Q) } C { Q } Suppose that  p { P } C { Q } then (from proposition 2) P  { wlp(C, Q) } 45 { P } S { Q } { wlp(C, Q) } S { Q } [cons p ]

46 Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 46

47 Calculating wlp of a loop 47 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant

48 Prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equal to (timer>0  wlp(timer:=timer-1, timer  0))  (timer  0  timer=0) = (timer>0  (timer  0)[timer-1/timer])  (timer  0  timer=0) = (timer>0  timer-1  0)  (timer  0  timer=0) = timer>0  timer=0 = timer  0 48 { timer  0 } while (timer > 0) do timer := timer – 1 { timer = 0 }

49 Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) Also, a few more rules will be helpful 49

50 Verification Conditions Generate assertions that describe the partial correctness of the program Use automatic theorem provers to show partial correctness Existing tools ESC/Java, Spec#

51 Verification condition for annotated commands S ::= skip | X := a | S; (X:=a) | S 0 ; {D} S 1 | if b then S 0 else S 1 | while b {D} do S vc({P} skip {Q}) = {P  Q} vc({P} X:= a {Q}) = {P  Q[a/X]} vc({P} S ; X:=a {Q}) = vc({P} S {Q[a/X]}) vc({P} S 0 ; {D} S 1 {Q}) = vc({P} S 0 {D})  vc({D} S 1 {Q}) vc({P} if b then S 0 else S 1 {Q}) = vc({P  b} S 0 {Q})  vc({P   b} S 1 {Q}) vc({P} while b {D} do c {Q}) = vc({D  b} c {D})  {P  D}  {D   b  Q}

52 Conjunction rule 52 Not necessary (for completeness) but practically useful Starting point of extending Hoare logic to handle parallelism Related to Cartesian abstraction – Will point this out when we learn it

53 Structural Rules 53 { P } C { Q } { P’ } C { Q’ } { P  P’ } C {Q  Q’ } [disj p ] { P } C { Q } {  v. P } C {  v. Q } [exist p ] v  FV( C) { P } C { Q } {  v. P } C {  v. Q } [univ p ] v  FV(C ) { F } C { F } Mod(C)  FV(F)={} [Inv p ] Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F

54 Invariance + Conjunction = Constancy 54 Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F { P } C { Q } { F  P } C { F  Q } [constancy p ] Mod(C)  FV(F)={}

55 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 55 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

56 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=y} x:=y+1 {x=y+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 56 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

57 Buggy sum program 57 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

58 Sum program Define Sum(0, n) = 0+1+…+n 58 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x)  x  y } { y  0  res=m  x=n  n  y  m=Sum(0, n) } while (x<y) do { y  0  res=m  x=n  m=Sum(0, n)  x<y  n<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n)  n<y } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n)  n<y } { y  0  res-x=Sum(0, x-1)  x-1<y } { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x  y  x  y } { y  0  res=Sum(0, y)  x=y } { res = Sum(0, y) } { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } Background axiom

59 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 59 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

60 Floyd’s strongest postcondition rule Example { z=x } x:=x+1 {  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 60 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

61 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 61 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

62 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 62 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

63 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 63 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

64 “Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 64 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

65 Sum program Define Sum(0, n) = 0+1+…+n 65 { y  0 } x := 1 { y  0  x=1 } res := 0 { y  0  x=1  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=m  x=n  n  y+1  m=Sum(0, n-1) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  x<y  n  y+1 } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n-1)  n  y+1 } { y  0  res-x=Sum(0, x-1)  x-1<y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } // axm-Sum { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

66 Buggy sum program 66 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

67 Sum program Define Sum(0, n) = 0+1+…+n 67 { y  0 } x := 1 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  n  y+1  x<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } { y  0  res=Sum(0, n)  x=n  n  y+1 } // axm-Sum x := x+1 { y  0  res=Sum(0, n)  x=n+1  n  y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

68 Example 1: Absolute value program 68 { } if x<0 then x := -x else skip { }

69 Absolute value program 69 { x=v } if x 0 } else { x=v  x  0 } skip { x=v  x  0 } { v<0  x=-v  v  0  x=v} { x=|v| }

70 Example 2: Variable swap program 70 { } t := x x := y y := t { }

71 Variable swap program 71 { x=a  y=b } t := x { x=a  y=b  t=a } x := y { x=b  y=b  t=a } y := t { x=b  y=a  t=a } { x=b  y=a } // cons

72 Example 3: Axiomatizing data types 72 We added a new type of variables – array variables – Model array variable as a function y : Z  Z We need the two following axioms: S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S y[x  a](x) = a z  x  y[x  a](z) = y(z)

73 Array update rules (wp) Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? X : y(v) 73 S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S [array-update] { P[y[a  x]/y] } y[a] := x { P } [array-load] { P[y(a)/x] } x := y[a] { P } A very general approach – allows handling many data types

74 Array update rules (wp) example Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? x : y(v) 74 [array-update] { P[y[a  x]/y] } y[a] := x { P } {x=y[i  7](i)} y[i]:=7 {x=y(i)} {x=7} y[i]:=7 {x=y(i)} [array-load] { P[y(a)/x] } x := y[a] { P } {y(a)=7} x:=y[a] {x=7}

75 Array update rules (sp) 75 [array-update F ] { x=v  y=g  a=b } y[a] := x { y=g[b  v] } [array-load F ] { y=g  a=b } x := y[a] { x=g(b) } In both rules v, g, and b are fresh

76 Array-max program 76 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 1.{ x=N } 2.{  m. (m  0  m<N)  nums(m)  res } 3.{  m. m  0  m<N  nums(m)=res } 4.{ nums=orig_nums }

77 Array-max program 77 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 Post 1 : { x=N } Post 2 : { nums=orig_nums } Post 3 : {  m. 0  m<N  nums(m)  res } Post 4 : {  m. 0  m<N  nums(m)=res }

78 Summary C programming language P assertions {P} C {Q} judgments { P[a/ x ] } x := a { P } proof Rules – Soundness – Completeness {x = N} y:=factorial(x) { y = N!} proofs 78

79 Extensions to axiomatic semantics Assertions for parallelism – Owicki-Gries – Concurrent Separation Logic – Rely-guarantee Assertions for dynamic memory – Separation Logic Procedures Total correctness assertions Assertions for execution time – Exact time – Order of magnitude time 79

Download ppt "Program Analysis and Verification 0368-4479"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Program Analysis and Verification 0368-4479

Program Analysis and Verification
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Similar presentations

Ads by Google