(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Abstraction of Source Code (from Bandera lectures and talks)
Semantics Static semantics Dynamic semantics attribute grammars
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
Describing Syntax and Semantics
MCA –Software Engineering Kantipur City College. Topics include  Formal Methods Concept  Formal Specification Language Test plan creation Test-case.
Mathematics throughout the CS Curriculum Support by NSF #
Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.
Reading and Writing Mathematical Proofs
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
Chapter 3 (Part 3): Mathematical Reasoning, Induction & Recursion  Recursive Algorithms (3.5)  Program Correctness (3.6)
© by Kenneth H. Rosen, Discrete Mathematics & its Applications, Sixth Edition, Mc Graw-Hill, 2007 Chapter 4 (Part 3): Mathematical Reasoning, Induction.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Proofs of Correctness: An Introduction to Axiomatic Verification Prepared by Stephen M. Thebaut, Ph.D. University of Florida CEN 5035 Software Engineering.
CSI 3125, Axiomatic Semantics, page 1 Axiomatic semantics The assignment statement Statement composition The "if-then-else" statement The "while" statement.
1 Conditions Logical Expressions Selection Control Structures Chapter 5.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
Muhammad Idrees Lecturer University of Lahore 1. Outline Introduction The General Problem of Describing Syntax Formal Methods of Describing Syntax Attribute.
Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
13 Aug 2013 Program Verification. Proofs about Programs Why make you study logic? Why make you do proofs? Because we want to prove properties of programs.
Principle of Programming Lanugages 3: Compilation of statements Statements in C Assertion Hoare logic Department of Information Science and Engineering.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
CSE Winter 2008 Introduction to Program Verification for-loops; review.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Dr. Naveed Riaz Design and Analysis of Algorithms 1 1 Formal Methods in Software Engineering Lecture # 26.
Cs7100(Prasad)L18-9WP1 Axiomatic Semantics Predicate Transformers.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
C HAPTER 3 Describing Syntax and Semantics. D YNAMIC S EMANTICS Describing syntax is relatively simple There is no single widely acceptable notation or.
IS 2620: Developing Secure Systems Formal Verification/Methods Lecture 9 March 15, 2012.
Verification vs. Validation Verification: "Are we building the product right?" The software should conform to its specification.The software should conform.
Chapter 4 (Part 3): Mathematical Reasoning, Induction & Recursion
Chapter 3 of Programming Languages by Ravi Sethi
Formal Methods in Software Engineering 1
Mathematical Structures for Computer Science Chapter 1
Axiomatic semantics Points to discuss: The assignment statement
Programming Languages and Compilers (CS 421)
IS 2935: Developing Secure Systems
Programming Languages 2nd edition Tucker and Noonan
Semantics In Text: Chapter 3.
Predicate Transformers
Formal Methods in software development
Programming Languages and Compilers (CS 421)
Programming Languages 2nd edition Tucker and Noonan
COP4020 Programming Languages
Presentation transcript:

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 1 Symbolic Execution and Proof of Properties

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 2 Learning objectives Understand the goal and implication of symbolically executing programs Learn how to use assertions to summarize infinite executions Learn how to reason about program correctness Learn how to use symbolic execution to reason about program properties Understand limits and problems of syombilc execution

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 3 Symbolic Execution Builds predicates that characterize –Conditions for executing paths –Effects of the execution on program state Bridges program behavior to logic Finds important applications in –program analysis –test data generation –formal verification (proofs) of program correctness

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 4 Formal proof of properties Relevant application domains: –Rigorous proofs of properties of critical subsystems Example: safety kernel of a medical device –Formal verification of critical properties particularly resistant to dynamic testing Example: security properties –Formal verification of algorithm descriptions and logical designs less complex than implementations

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 5 Symbolic state Execution with concrete values before low12 high15 mid- mid = (high+low)/2 after low12 high15 mid13 Execution with symbolic values before lowL highH mid- mid = (high+low)/2 after LowL highH mid(L+H)/2 Values are expressions over symbols Executing statements computes new expressions

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 6 Dealing with branching statements a sample program char *binarySearch( char *key, char *dictKeys[ ], char *dictValues[ ], int dictSize) { int low = 0; int high = dictSize - 1; int mid; int comparison; while (high >= low) { mid = (high + low) / 2; comparison = strcmp( dictKeys[mid], key ); if (comparison < 0) { low = mid + 1; } else if ( comparison > 0 ) { high = mid - 1; } else { return dictValues[mid]; } return 0; Branching stmt

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 7 Executing while (high >= low) { before low = 0 andhigh = (H-1)/2 -1 and mid = (H-1)/2 while (high >= low) { after low = 0 and high = (H-1)/2 -1 andmid = (H-1)/2 and(H-1)/2 - 1 >= 0 Add an expression that records the condition for the execution of the branch (PATH CONDITION) if the TRUE branch was taken... and not((H-1)/2 - 1 >= 0) if the FALSE branch was taken

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 8 Summary information Symbolic representation of paths may become extremely complex We can simplify the representation by replacing a complex condition P with a weaker condition W such that P => W W describes the path with less precision W is a summary of P

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 9 Example of summary information (Referring to Binary search: Line 17, mid = (high+low)/2 ) If we are reasoning about the correctness of the binary search algorithm, the complete condition: low = L and high = H andmid = M andM = (L+H)/2 Contains more information than needed and can be replaced with the weaker condition: low = L and high = H andmid = M andL <= M <= H The weaker condition contains less information, but still enough to reason about correctness.

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 10 Weaker preconditions The weaker predicate L <= mid <= H is chosen based on what must be true for the program to execute correctly It cannot be derived automatically from source code it depends on our understanding of the code and our rationale for believing it to be correct A predicate stating what should be true at a given point can be expressed in the form of an assertion Weakening the predicate has a cost for testing: –satisfying the predicate is no longer sufficient to find data that forces program execution along that path. test data that satisfies a weaker predicate W is necessary to execute the path, but it may not be sufficient showing that W cannot be satisfied shows path infeasibility

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 11 Loops and assertions The number of execution paths through a program with loops is potentially infinite To reason about program behavior in a loop, we can place within the loop an invariant: –assertion that states a predicate that is expected to be true each time execution reaches that point. Each time program execution reaches the invariant assertion, we can weaken the description of program state: –If predicate P represents the program state –and the assertion is W –we must first ascertain P => W –and then we can substitute W for P

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 12 Pre- and post-conditions Suppose: –every loop contains an assertion –there is an assertion at the beginning of the program –a final assertion at the end Then: –every possible execution path would be a sequence of segments from one assertion to the next. Terminology: –Precondition: The assertion at the beginning of a segment, –Postcondition: The assertion at the end of the segment

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 13 Verifying program correctness If for each program segment we can verify that –Starting from the precondition –Executing the program segment –The postcondition holds at the end of the segment Then –We verify the correctness of an infinite number of program paths

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 14 Example Forall{i,j} 0 <= i < j < size : dictKeys[i] <= dictKeys[j] Precondition: is sorted: Forall{i} 0 <= i < size : dictKeys[i] = key => low <= i <= high Invariant: in range char *binarySearch( char *key, char *dictKeys[ ], char *dictValues[ ], int dictSize) { int low = 0; int high = dictSize - 1; int mid; int comparison; while (high >= low) { mid = (high + low) / 2; comparison = strcmp( dictKeys[mid], key ); if (comparison < 0) { low = mid + 1; } else if ( comparison > 0 ) { high = mid - 1; } else { return dictValues[mid]; } return 0;

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 15 Executing the loop once… low = L and high = H Forall{i,j} 0 <= i < j < size : dictKeys[i] <= dictKeys[j] and Forall{k} 0 <= k < size : dictKeys[k] = key => L <= k <= H Initial values: Instantiated invariant: low = L and high = H and mid = M and Forall{i,j} 0 <= i < j < size : dictKeys[i] <= dictKeys[j] and Forall{k} 0 <= k < size : dictKeys[k] = key => L <= k <= H and H >= M >= L After executing: mid = (high + low)/2 …. Invariant Forall{i} 0 <= i < size : dictKeys[i] = key => low <= i <= high Precondition Forall{i,j} 0 <= i < j < size dictKeys[i] <= dictKeys[j]

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 16 …executing the loop once low = M+1 and high = H and mid = M and Forall{i,j} 0 <= i < j < size : dictKeys[i] <= dictKeys[j] and Forall{k} 0 <= k < size : dictKeys[k] = key => L <= k <= H and H >= M >= L and dictkeys[M]<key After executing the loop The new instance of the invariant: Forall{i,j} 0 <= i < j < size : dictKeys[i] <= dictKeys[j] and Forall{k} 0 <= k < size : dictKeys[k] = key => M+1 <= k <= H If the invariant is satisfied, the loop is correct wrt the preconditions and the invariant

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 17 From the loop to the end If the invariant is satisfied, but the condition is false: low = L and high = H and Forall{i,j} 0 <= i < j < size : dictKeys[i] <= dictKeys[j] and Forall{k} 0 <= k < size : dictKeys[k] = key => L <= k <= H and L > H If the the condition satisfies the post-condition, the program is correct wrt the pre- and post-condition:

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 18 Compositional reasoning Follow the hierarchical structure of a program –at a small scale (within a single procedure) –at larger scales (across multiple procedures…) Hoare triple:[pre] block [post] if the program is in a state satisfying the precondition pre at entry to the block, then after execution of the block it will be in a state satisfying the postcondition post

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 19 Reasoning about Hoare triples: inference [I and C] S [I] [I] while(C){S} [I and notC] Inference rule says: if we can verify the premise (top), then we can infer the conclusion (bottom) premise conclusion

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 20 Some other rules: if statement [P and C] thenpart [Q] [P and notC] elsepart [Q] [P] if (C){thenpart} else {elsepart} [Q]

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 21 Reasoning style Summarize the effect of a block of program code (a whole procedure) by a contract == precondition + postcondition Then use the contract wherever the procedure is called example summarizing binarySearch: (forall i,j, 0 <= i < j < size : keys[i] <= keys[j]) s = binarySearch(k, keys, vals, size) (s=v and exists i, 0 <= i, size : keys[i] = k and vals[i] = v) or (s=v and not exists i, 0 <= i, size : keys[i] = k)

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 22 Reasoning about data structures and classes Data structure module = collection of procedures (methods) whose specifications are strongly interrelated Contracts: specified by relating procedures to an abstract model of their (encapsulated) inner state example: Dictionary can be abstracted as { } independent of the implementation as a list, tree, hash table, etc.

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 23 Structural invariants Structural characteristics that must be maintained as specified as structural invariants (~loop invariants) Reasoning about data structures –if the structural invariant holds before execution –and each method execution preserve the invariant –…then the invariant holds for all executions Example: Each method in a search tree class maintains the ordering of keys in the tree

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 24 Abstraction function maps concrete objects to abstract model states Dictionary example [ in  (dict) ] o = dict.get(k) [ o = v ] abstraction function

(c) 2007 Mauro Pezzè & Michal Young Ch 7, slide 25 Summary Symbolic execution = bridge from an operational view of program execution to logical and mathematical statements. Basic symbolic execution technique: execute using symbols Symbolic execution for loops, procedure calls, and data structures: proceed hierarchically –compose facts about small parts into facts about larger parts Fundamental technique for –Generating test data –Verifying systems –Performing or checking program transformations Tools are essential to scale up

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.