Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für offene Kommunikationssysteme FOKUS
Folie 2 H. Schlingloff, Software-Verifikation I Contracted questions... What is a function contract? Why is it necessary for verification? Which parameter passing mechanisms do you know? Can you explain the Church-Rosser property? What is the semantics of a recursive function? denotational? operational? axiomatic?
Folie 3 H. Schlingloff, Software-Verifikation I Parallelism increasing importance (multicore processors) in C, parallelism by multithreading unfortunately not standardized POSIX: pthread_create (name, function, args) pthread_join, pthread_exit,... key issue: synchronization hard to understand, error-prone
Folie 4 H. Schlingloff, Software-Verifikation I Multithreading in Java class TicTac implements Runnable{ static int summe = 0; Thread faden; private int wer; public TicTac(int w) { faden = new Thread(this); wer=w; } public void run() { for(int i=1; i<100; i++) { if(wer==1) summe = summe + 1; else summe = summe - 1; } public static void main(String[] args) { TicTac tic = new TicTac(1); TicTac tac = new TicTac(2); tic.faden.start(); tac.faden.start(); try {tic.faden.join(); tac.faden.join(); } catch (Exception e) {} System.out.println("Summe=" + summe); } Ergebnis ???
Folie 5 H. Schlingloff, Software-Verifikation I Concept Language we add the following new constructs to the language of while-programs { 1 || 2 } or, more generally, { 1 ||... || n } await (b) ; semantics parallel (interleaved) execution of the i blocking wait until condition is satisfied; program fragment within await is noninterruptable for simplicity, assignments are atomic actions semaphore-concept (Dijkstra), monitor-concept (Hoare) “test-and-set”-operation in processor hardware
Folie 6 H. Schlingloff, Software-Verifikation I Examples int n=0; { for (int i = 0; i<100; i++) n++; || for (int i = 0; i<100; i++) n--; } int n=0; int l, r; {for (int i = 0; i<100; i++) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) {r=n; r--; n=r;}} int n=0; {for (int i = 0; i<100; i++) await (true) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) await (true) {r=n; r--; n=r;}}
Folie 7 H. Schlingloff, Software-Verifikation I More Examples a=0; {a*=a; a-=5; || a=2*a+3; a=1-a;} a=0; {a++; || a--;} {a=0; a++; || a=0; a--} a=0; {await (a>=0); a++; || await (a<=0); a--} a=0; {await (a>=0) a++; || await (a<=0) a--}
Folie 8 H. Schlingloff, Software-Verifikation I A realistic example a=n; b=0; c=1; { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } program calculates binomial coefficient
Folie 9 H. Schlingloff, Software-Verifikation I Interleaving Semantics A state of the program consists of an assignment of values to variables a set of program counters (depending on the number of parallel components), and SOS-rules for parallel programs if (U,I,V) ⊨ b and ( , V) * (skip,V’), then (await (b) , V) (skip,V’) if ( 1, V) ( 1 ’,V’), then ({ 1 || 2 }, V) ({ 1 ’ || 2 },V’) if ( 2, V) ( 2 ’,V’), then ({ 1 || 2 }, V) ({ 1 || 2 ’},V’) ({skip || skip}, V) (skip,V) In general, several possible executions! (tree of possibilities)
Folie 10 H. Schlingloff, Software-Verifikation I A realistic example a=n; b=0; c=1; :{ 1: while (a!=n-k) { 2: c=c*a; 3: a--; } 4: || 1: while (b!=k) { 2: b++; 3: await (a+b<=n); 4: c=c/b; } 5: }
Folie 11 H. Schlingloff, Software-Verifikation I Deadlocks a=0; b=0; {await (a!=0) || await (b!=0)} a=0; b=0; {await (a==1) b=1 || await (b==1) a=1} prt=T; dsk=T; {await (prt) prt=F; await(dsk) dsk=F; foo; prt=T; dsk=T; || await (dsk) dsk=F; await(prt) prt=F; bar; prt=T; dsk=T;}
Folie 12 H. Schlingloff, Software-Verifikation I Invariants for Parallel Programs Assume is a formula such that { } { } for every subprogram of { 1 || 2 }. Then { } { 1 || 2 } { } Example: a=0; : {a++; : || a--; :} : Invariant a==0+ - (or, more explicit: ( ¬ ¬ a==0 a==0 ¬ a==1 ¬ a==-1) ) int n=0; { for (int i = 0; i<100; i++) n++; || for (int j = 0; j<100; j++) n--;} Invariant n=i-j
Folie 13 H. Schlingloff, Software-Verifikation I Problem with Invariant Method Non-compositionality: In order to show { }{ 1 || 2 }{ } it is not sufficient to show { }{ 1 }{ } and { }{ 2 }{ } Sequential composition rule (seq): if ⊢ { } 1 { } and ⊢ { } 2 { }, then { }{ 1 ; 2 }{ } ? if ⊢ { 1 } 1 { 1 } and ⊢ { 2 } 2 { 2 }, then { 1 2 }{ 1 || 2 }{ 1 2 }
Folie 14 H. Schlingloff, Software-Verifikation I Hoare-Rule for Parallel Programs Susan Owicki, 1975: If ⊢ { 1 } 1 { 1 } and ⊢ { 2 } 2 { 2 }, then ⊢ { 1 2 } { 1 || 2 } { 1 2 }, if the proofs of { 1 } 1 { 1 } and { 2 } 2 { 2 } are interference free Two proofs are interference-free, if for any two Hoare triples { a } a { a } in { 1 } 1 { 1 } and { b } b { b } in { 2 } 2 { 2 } it holds that { a b } a { b } Example: {x=0 x=2} x++ {x=1 x=3} interferes with {x=0} x+=2 {x=2} but not with {x=0 x=1} x+=2 {x=2 x=3}
Folie 15 H. Schlingloff, Software-Verifikation I Hoare-Owicki-Proof {x==0 x==-1} x++ {x==1 x==0} {x==0 x==1} x-- {x==-1 x==0} Interference freedom: {x==0 x==-1 x==0 x==1} x++ {x==0 x==1} {x==0 x==1 x==0 x==-1} x-- {x==0 x==-1} Therefore, {x==0 x==-1 x==0 x==1} {x++||x--} {x==1 x==0 x==-1 x==0} {x==0} {x++||x--} {x==0} Proof does not work for {x==0} {h=x; h++; x=h; || h=x; h--; x=h;} {x==0}
Folie 16 H. Schlingloff, Software-Verifikation I Proof (scetch) of example program a=n; b=0; c=1; // calculate n over k { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } Idea: at the await it holds that c=(n*(n-1)*...*(n-j+1)/1*2*...*(i-1) a=n-j, b=i If a+b<=n, then i<=j. In this case, c is divisible by j: n is divisible by 1 n*(n-1) is divisible by 2 n*(n-1)*(n-2) is divisible by 2 and 3 n*(n-1)*(n-2)*(n-3) is divisible by 1*2*3*4