Program Verification with Hoare Logic CS 510/10 Program Verification with Hoare Logic

Program Verification Decides if specific properties hold for a program. Other Approaches Model checking Symbolic : (program + properties) -> CNF -> SAT Explicit state: explore all possible states Problem lies in scalability Static program analysis Conservatively consider all possible executions False positives

Verification through Hoare Logic It is proof based A set of proof rules are available which can be applied to prove a program satisfies certain properties. Semi-automatic Some steps have to involve human intelligence Popular Proof based implies scalability as proof is constructed by looking at the structure of the program and the structure of the formula. Better scalability. Long history. Job opennings. A formal software process: Turn informal requirements to an equivalent formula of some logic write the program Prove the program satisfies the formula.

Intuition

A Sample Hoare Triple Initial informal requirement Computer a number y whose square is less than the input x. Revised informal requirement If the input x is a positive number, compute a number whose square is less than x. The formal specification (( x>0 )) P (( y*y <x )) P is free to do whatever it wants if x<=0 What if x is a negative number

Definition of Hoare Logic The form ((Φ)) P ((Ψ)) is called hoare triple Φ is called the precondition and Ψ the postcondition In the core language, a store or state is a function L that assigns to each variable x an integer For a formula Φ with function symbols – (unary), +, -, and * (binary); and binary predicate symbols < and =, we say a state L satisfies Φ, denoted as L |= Φ, if and only if Φ is evaluated to true with the value assignment given in L.

Examples Assume a state L(x)=-2, L(y)=5, L(z)=-1 L |= ! (x+y<z) ? L |= y-x*z<z ? L |= V u (y<u → y*z < u*z ) ? x, y, z are variables in the program, u is a variable in the formula

Partial Correctness vs. Total Correctness We say a triple ((Φ)) P ((Ψ)) is satisfied under partial correctness if it holds under the condition that P terminates for all states that satisfy Φ. |=par ((Φ)) P ((Ψ)) a weak requirement. While (true) {x=0;} We say a triple ((Φ)) P ((Ψ)) is satisfied under total correctness if it holds and P terminates. |=tot ((Φ)) P ((Ψ)) Seems to be more desirable, but very challenging.

A Core Programming Language E ::= n | x | (-E) | ( E+E) | (E-E) | (E*E) B ::=true | false | (!B) | (B&B) | (B||B) | (E<E) C ::= x=E | C;C | if B {C} else {C} | while B {C} y=1; z=0; while (z!=x) { z=z+1; y=y*z; } Partial correctness vs. total correctness

Proof Rules for Partial Correctness

Composition \eta Eta is called the midcondition

Assignment Has no premises and thus an axiom of our logic Φ[t/x] is to replace x with t in Φ A backward rule and machine friendly

Confusion

Clarification

More Examples (( ?? )) x=2 (( x=2 )) (( ?? )) x=2 (( x=y ))

If-Statements (( T )) if x = 0 then y := 1 else y := a / x (( y==1 || y==a/x ))

While Loops Loop invariant If e if false as soon as embark on the while-statement, then we do not execute C at all. Nothing has happened to change the truth value of phi, so we end the while-statement with phi and !e. If B is true, we execute C again; phi is again set up. No matter how many times we execute C in this way, phi is true at the end of each execution of C. The while terminates if and only if e is false after the loop. The rule is still true.

Implied The proof rules do not always give the desired pre/post condition

Proof Tableaux

Constructing a Proof Tableau

Backwards Derivation

Weakest Precondition The process of obtaining Φi from Ci+1 and Φi+1 is called computing the weakest precondition of Ci+1, given the postcondition Φi+1. The logically weakest formula whose truth at the beginning of the execution of Ci+1 is enough to guarantee Φi+1. x>5 vs x>10 |=par ((y>10)) x=y+1 ((x>6)) |=par ((T)) z=x; z=z+y; u=z; ((u=x+y)) Why do we want the weakest condition instead of the strongest condition? Because we want to maximize the chance of applying the implied rule to prove the target precondition.

WP for If-Statements Push Ψ upwards through C+, resulting in Φ1 Set Φ to be (e→ Φ1) && (!e→Φ2)

An Example

Proving While Loops The requirement Rule at hand

Proving While Loops

Finding an Invariant

Checking the Invariant

Completing the Proof

A Case: Minimal-Sum Section Let a[0],…, a[n-1]be the integer values of an array a. A section of a is a continuous piece a[i],…, a[j], where 0<=i <= j <n. We denote the sum of that section: a[i]+ a[i+1]+ … + a[j] as the Si,j. A minimal sum section is a section that is less than or equal to the sum Si’,j’ for any other 0<=i’ <= j’ <n. [-1, 3, 15, -6, 4, -5]

One Implementation Formally specify the requirements. Prove the following implementation satisfies the requirements. k=1; t=a[0]; s=a[0]; while (k !=n ) { t= min(t+a[k], a[k]); s= min (s,t); k=k+1; }

Requirements ((T)) Min_Sum (( for all i,j, 0<=i <=j < n → s<=Si,j )) ((T)) Min_Sum (( exist i,j, 0<=i <=j < n → s==Si,j ))

Proving the First Property