Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt-Universität und Fraunhofer-Institut für offene Kommunikationssysteme FOKUS
Folie 2 H. Schlingloff, Software-Verifikation I
A (familiar?) scenario
Folie 3: Questions on Quantifiers...
- How do you define equality in FOL?
- How do you define equality in SOL?
- What is a first-order signature?
- How can you denote a first-order model?
- What is a partial function?
Folie 4: Presburger Arithmetic
Given a signature Σ = (N, 0, ´, +) of FOL with equality (FOL=), define
  ∀n ¬(n´ == 0)
  ∀m ∀n (m´ == n´ → m == n)
  p(0) ∧ ∀n (p(n) → p(n´)) → ∀n p(n)
If the third axiom holds for all p, then this uniquely characterizes the natural numbers ("monomorphic"); quantifying over all p is second-order quantification.
  ∀n (n+0 == n)
  ∀m ∀n ((m+n)+1 == m+(n+1))
This theory is decidable!
Folie 5: Peano Arithmetic
Given the signature Σ = (N, 0, ´, +, *) and the above axioms, plus
  ∀n (n*0 == 0)
  ∀m ∀n (m*n´ == (m*n)+m)
This theory is undecidable.
Folie 6: Formalizing C in FOL
Consider the following C program:

    int gcd (int a, int b) {
      int c;
      while (a != 0) {
        c = a;
        a = b % a;
        b = c;
      }
      return b;
    }

Consider the following FOL formula:
  ∀t:N ( (¬(a(t)==0) → c(t+1)==a(t) ∧ a(t+1)==b(t)%a(t) ∧ b(t+1)==c(t))
       ∧ (a(t)==0 → a(t+1)==a(t) ∧ b(t+1)==b(t) ∧ c(t+1)==c(t)) )
In which way are these equivalent?
Folie 7: Correctness
From this formalization, we expect that
  ⊨ ∀t (a(t)==0 → b(t)==gcd(a(0),b(0)))   (partial correctness)
  ⊨ ∃t (a(t)==0 ∧ b(t)==gcd(a(0),b(0)))   (total correctness)
Can we prove these statements with Z3? (try this at home)
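The following Python script is an added example, not code from the lecture. It treats a, b and c as the time-indexed functions of the formula on Folie 6 and computes finite prefixes of them in two readings: `step_formula` takes the formula literally, where every right-hand side refers to the values at time t (so b(t+1) receives the previous c), and `step_program` executes the three C statements in order (so b receives the freshly assigned c, i.e. a(t)). The two bounded checks are the partial and total correctness statements of Folie 7 evaluated on such a prefix. Assumptions I make: non-negative inputs (so C's % agrees with Python's %), c(0) = 0 (the slide leaves c(0) unspecified), and a horizon `T_MAX`; a bounded check is evidence, not the proof the slide asks for.

```python
from math import gcd

T_MAX = 50  # constructed horizon for the bounded checks (assumption)


def step_formula(a, b, c):
    """One time step of the Folie 6 formula read literally:
    a(t+1)=b(t)%a(t), b(t+1)=c(t), c(t+1)=a(t), all referring to time t."""
    if a != 0:
        return (b % a, c, a)
    return (a, b, c)          # a(t)==0: the frame conjunct, nothing changes


def step_program(a, b, c):
    """One iteration of the C loop body, statements executed in order."""
    if a != 0:
        c = a
        a = b % a
        b = c
    return (a, b, c)


def trace(step, a0, b0, c0=0, horizon=T_MAX):
    """[(a(t), b(t), c(t)) for t = 0..horizon] generated by the given step rule."""
    states = [(a0, b0, c0)]
    for _ in range(horizon):
        states.append(step(*states[-1]))
    return states


def partially_correct(states):
    """forall t (a(t)==0 -> b(t)==gcd(a(0),b(0))), checked on the prefix only."""
    a0, b0, _ = states[0]
    return all(b == gcd(a0, b0) for a, b, _ in states if a == 0)


def totally_correct(states):
    """exists t (a(t)==0 and b(t)==gcd(a(0),b(0))), searched on the prefix only."""
    a0, b0, _ = states[0]
    return any(a == 0 and b == gcd(a0, b0) for a, b, _ in states)


if __name__ == "__main__":
    for name, step in (("formula", step_formula), ("program", step_program)):
        st = trace(step, 20, 12)
        print(name, st[:5], partially_correct(st), totally_correct(st))
```

For (a(0), b(0)) = (20, 12) the program reading reaches (0, 4, 4) at t = 4 and satisfies both statements, while the literal reading stalls at (0, 20, 12); comparing the two is one way to approach the question "in which way are these equivalent?" on Folie 6.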
Folie 8: Programs
Several programming paradigms: functional, imperative, object-oriented, ...
While-programs:
- Syntax
- Semantics
  - denotational: Scott domains
  - operational: SOS
  - axiomatic: dynamic logic
- Calculus: Hoare calculus
Folie 9: Syntax of while-Programs
Given a (typed) signature Σ = (D, F, R) and a (denumerable) set V of program variables (each program variable has a type; T is the set of terms in the signature; for simplicity, assume R always contains equality ==).
A while-program is defined as follows:
  whileProg ::= skip | V=T | {whileProg; whileProg} | if (FOL⁻) whileProg else whileProg | while (FOL⁻) whileProg
where FOL⁻ is a quantifier-free first-order formula over (Σ, V).
Folie 10: Examples
Σ = ({int}, {0, %}, {==}), V = (a, b, c)
  α1 = while (¬(a==0)) {{c = a; a = b%a}; b = c}
  α2 = if (0==(a%0)%a) skip else {skip; skip}
Σ = ({int}, {0, 1, 48, +, -, **}, {<, isprim}), V = (n, k)
  α3 = if (isprim(n)) n=k
  Mersenne = {n=0; k=0; while (k<49) {n++; if (isprim((2**n)-1)) k++}}
Note: in C, "skip" and "else skip" are omitted, and n++ denotes n=n+1.
Folie 11: An Alternative Syntax

    function gcd( x : Z, y : Z ) : Z
    var a : Z
        b : Z
        c : Z
    begin
      c := 1
      while a != 0 do
      begin
        c := a
        a := b / a
        b := c
      end
      gcd := c
    end
Folie 12: Semantics
What is the "meaning" of such a program? e.g., α3 = if (isprim(n)) k=n
We need a first-order model M = (U, I, V) for (Σ, V), e.g.,
  U = {zero, one, two, three, ...}, I(0) = zero, I(1) = one, ..., I(isprim) = {two, three, five, ...}, V(n) = two, V(k) = zero
The program modifies states (valuations): V'(n) = two, V'(k) = two
Semantics = function from initial to final valuations?
  [[α3]] = {(two,zero) ↦ (two,two), (one,two) ↦ (one,two), ..., (two,three) ↦ (two,two), (one,three) ↦ (one,three), ...}
Folie 13: Nonterminating Programs
What is the meaning of the following? e.g., α5 = if (isprim(n)) while(n==n) skip;
  [[α5]]: zero ↦ zero, one ↦ one, two ↦ ?
Theory of Scott domains:
- extend every domain with an element ⊥ ("undefined")
- intuitively, ⊥ denotes nontermination
- d1 < d2 if d2 is "more defined" than d1
Folie 14: Denotational Semantics
Given a universe U⊥ = U ∪ {⊥} and an interpretation I for Σ = (D, F, R), the semantics of a program is a function mapping a program-variable valuation to a program-variable valuation: [[α]]: V → V
  [[skip]] = Id, where ∀x (Id(x) == x) (identity function)
  [[v=t]] = Upd(v,t), where Upd(v,t)(V)(v) = t^M and Upd(v,t)(V)(w) = w^M for w ≠ v
Folie 15: Denotational Semantics
  [[{α1; α2}]] = [[α2]]([[α1]]) (function application)
  [[if (b) α1 else α2]](V) = ⊥, if b contains any v such that V(v) = ⊥
  [[if (b) α1 else α2]](V) = [[α1]](V), if (U⊥, I, V) ⊨ b
  [[if (b) α1 else α2]](V) = [[α2]](V), if (U⊥, I, V) ⊭ b
Define {while (b) α}^k as follows:
- {while (b) α}^0 = skip
- {while (b) α}^(k+1) = {if (b) α; {while (b) α}^k}
  [[while (b) α]] = [[{while (b) α}^k]], where k is the smallest number for which (U⊥, I, [[{while (b) α}^k]](V)) ⊭ b (or else, [[while (b) α]](V) = ⊥)
Folie 16: Examples
  [[if (isprim(n)) k=n]](n=x, k=y) = (x, y+(x-y)*|isprim(x)|)
  [[while (a!=0) {c = a; a = b%a; b = c}]](x,y,z) = (0, gcd(x,y), gcd(x,y))
Folie 17: Structured Operational Semantics
Denotational semantics can be made mathematically sound, but is not "intuitive".
Operations of a "real" machine?
- transitions from valuation to valuation
- program counter is increased with the program
Abstract representation:
- state = (program, valuation); program means the part which is still to be executed
- transition = (state1, state2)
"Meaning" of a program is a (possibly infinite) set of such transitions.
Folie 18: SOS-Rules
  (v=t, V) → (skip, V[v:=t])
  ({skip; α}, V) → (α, V)
  if (α1, V1) → (α2, V2), then ({α1; α}, V1) → ({α2; α}, V2)
  if (U, I, V) ⊨ b, then (if (b) α1 else α2, V) → (α1, V)
  if (U, I, V) ⊭ b, then (if (b) α1 else α2, V) → (α2, V)
  (while (b) α, V) → ({if (b) {α; while (b) α}}, V)
Folie 20: SOS-Rules (continued)
These are so-called "small-step rules". A "big-step rule":
  if (α1, V1) → (α2, V2) and (α2, V2) → (α3, V3), then ({α1; α2}, V1) → (α3, V3)
Derivable?
Folie 21: SOS-Example
  (while (a!=0) {c = a; a = b%a; b = c}, (a=20, b=12, c=0)) → ...
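The following Python interpreter is an added example, not the lecture's code. It implements both the denotational semantics of Folie 14 and 15 (`den`, including the "smallest k" unfolding of while) and the small-step SOS rules of Folie 18 (`sos_step`, `run_sos`), so that the run elided on Folie 21 can be computed and its final valuation compared with the denotational result (0, gcd(x,y), gcd(x,y)) of Folie 16. Assumptions I make: programs are nested Python tuples rather than concrete syntax, terms and tests are Python functions over a valuation dict, the undefined element ⊥ is modelled for a whole valuation (`BOTTOM`) instead of per variable, a `FUEL` bound stands in for the case where no suitable k exists, and the unfolding of while spells out the "else skip" that Folie 10 says is omitted. The programs `GCD`, `ALPHA3` and `ALPHA5` are my encodings of the examples on Folie 12, 13 and 16.

```python
# Added example: denotational semantics and small-step SOS for while-programs.
# Programs: ('skip',) | ('assign', v, term) | ('seq', p1, p2)
#           | ('if', test, p1, p2) | ('while', test, body)
# where term and test are functions from a valuation dict to a value / bool.
BOTTOM = None      # the undefined element (the slides' ⊥) for a whole valuation
FUEL = 10_000      # assumption: unfoldings tried before reporting ⊥


def den(prog, V):
    """[[prog]](V): the denotational semantics, strict in BOTTOM."""
    if V is BOTTOM:
        return BOTTOM
    kind = prog[0]
    if kind == 'skip':                       # [[skip]] = Id
        return V
    if kind == 'assign':                     # [[v=t]] = Upd(v,t)
        _, v, t = prog
        return {**V, v: t(V)}
    if kind == 'seq':                        # [[{a1; a2}]] = [[a2]]([[a1]])
        _, p1, p2 = prog
        return den(p2, den(p1, V))
    if kind == 'if':
        _, b, p1, p2 = prog
        return den(p1, V) if b(V) else den(p2, V)
    if kind == 'while':
        _, b, body = prog
        # [[{while(b) a}^k]](V) for the smallest k whose result falsifies b:
        # unfold k = 0, 1, 2, ... until b fails; BOTTOM once FUEL is exhausted
        for _ in range(FUEL):
            if not b(V):
                return V
            V = den(body, V)
            if V is BOTTOM:
                return BOTTOM
        return BOTTOM
    raise ValueError(kind)


def sos_step(prog, V):
    """One transition (prog, V) -> (prog', V') by the SOS rules; None for skip."""
    kind = prog[0]
    if kind == 'skip':
        return None
    if kind == 'assign':                     # (v=t, V) -> (skip, V[v:=t])
        _, v, t = prog
        return (('skip',), {**V, v: t(V)})
    if kind == 'seq':
        _, p1, p2 = prog
        if p1[0] == 'skip':                  # ({skip; a}, V) -> (a, V)
            return (p2, V)
        p1n, Vn = sos_step(p1, V)            # ({a1; a}, V1) -> ({a2; a}, V2)
        return (('seq', p1n, p2), Vn)
    if kind == 'if':                         # (if (b) a1 else a2, V) -> (a1 | a2, V)
        _, b, p1, p2 = prog
        return (p1 if b(V) else p2, V)
    if kind == 'while':                      # unfold, with the implicit "else skip"
        _, b, body = prog
        return (('if', b, ('seq', body, prog), ('skip',)), V)
    raise ValueError(kind)


def run_sos(prog, V, max_steps=FUEL):
    """The unique run (a1,V1) -> (a2,V2) -> ...; stops at skip or after max_steps."""
    states = [(prog, V)]
    for _ in range(max_steps):
        nxt = sos_step(*states[-1])
        if nxt is None:
            break
        states.append(nxt)
    return states


def final_valuation(states):
    """Valuation of the last state, or BOTTOM if the run did not reach skip."""
    prog, V = states[-1]
    return V if prog[0] == 'skip' else BOTTOM


# Constructed programs: the gcd loop (Folie 16/21), alpha3 (Folie 12), alpha5 (Folie 13).
def isprim(x):
    return x >= 2 and all(x % d for d in range(2, int(x ** 0.5) + 1))


GCD = ('while', lambda V: V['a'] != 0,
       ('seq', ('seq', ('assign', 'c', lambda V: V['a']),
                       ('assign', 'a', lambda V: V['b'] % V['a'])),
               ('assign', 'b', lambda V: V['c'])))
ALPHA3 = ('if', lambda V: isprim(V['n']), ('assign', 'k', lambda V: V['n']), ('skip',))
ALPHA5 = ('if', lambda V: isprim(V['n']),
          ('while', lambda V: V['n'] == V['n'], ('skip',)), ('skip',))

if __name__ == "__main__":
    V0 = {'a': 20, 'b': 12, 'c': 0}
    print(den(GCD, V0))                                    # {'a': 0, 'b': 4, 'c': 4}
    run = run_sos(GCD, V0)
    print(len(run) - 1, "steps ->", final_valuation(run))
    print(den(ALPHA5, {'n': 2}), den(ALPHA5, {'n': 1}))    # None (⊥), {'n': 1}
```

`sos_step` returns at most one successor for every state, which is the determinism claim of Folie 22 made concrete; `run_sos` on `ALPHA5` with a prime n keeps cycling through the unfolded while and never reaches skip, which is why `final_valuation` reports ⊥ for it, in agreement with `den`.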
Folie 22: About operational semantics
For every (α1, V1), there is exactly one sequence (α1, V1) → (α2, V2) → (α3, V3) → ...
- allows to "symbolically execute" a program
- does not allow to show properties, e.g. "program calculates gcd", "program terminates"
Hoare triple: {φ} α {ψ}
- meaning: if φ holds before the execution of α, then ψ holds afterwards
- φ and ψ are first-order formulas (possibly with quantification; logical variables vs. program variables)
Folie 23: Hoare calculus
  ⊢ {φ[v:=t]} v=t {φ} (ass)
  ⊢ {φ} skip {φ} (usually omitted)
  if ⊢ {φ} α1 {χ} and ⊢ {χ} α2 {ψ}, then ⊢ {φ} {α1; α2} {ψ} (seq)
  if ⊢ {φ ∧ b} α1 {ψ} and ⊢ {φ ∧ ¬b} α2 {ψ}, then ⊢ {φ} if (b) α1 else α2 {ψ} (ite)
  if ⊢ {φ ∧ b} α {φ}, then ⊢ {φ} while (b) α {φ ∧ ¬b} (whi)
  if ⊢ (φ' → φ) and ⊢ {φ} α {ψ}, then ⊢ {φ'} α {ψ} (imp1)
  if ⊢ {φ} α {ψ} and ⊢ (ψ → ψ'), then ⊢ {φ} α {ψ'} (imp2)
The semantics (meaning) of a program is the set of all derivable Hoare triples {φ} α {ψ}.
Folie 24: Examples
  {x==17} x++ {x==18}
  {x==17} y=x+1 {y==18}
  {x==17} {x++; y=x+1} {y==19}
  {a==m ∧ b==n} if (a<=b) c = a else c = b {c==min(m,n)}
  {a==m>0 ∧ b==n>0} while (a!=0) {c = a; a = b%a; b = c} {b==gcd(m,n)}
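The following Python script is an added example, not the lecture's code, that checks the five triples of Folie 24 mechanically along the rules of Folie 23. `wp` reads the (ass), (seq) and (ite) rules backwards as a weakest-precondition computation, so a loop-free triple {φ} α {ψ} is derivable exactly when φ → wp(α, ψ) is valid (rule (imp1)); `verify_while` discharges the (whi) rule with the three obligations φ → inv, {inv ∧ b} body {inv} and inv ∧ ¬b → ψ for a loop invariant the user supplies. Assumptions I make: formulas are Python expression strings (so `a==m>0` is the chained comparison the slide intends, and `x++` is written as the assignment `x=x+1` the note on Folie 10 gives), validity is checked by exhaustive evaluation over a finite value range, which is bounded evidence rather than the proof a theorem prover or SMT solver would give, and the invariant `GCD_INV` for the last example is my choice.

```python
import re
from itertools import product
from math import gcd


def subst(phi, v, t):
    """phi[v:=t]: replace every whole-word occurrence of variable v by (t)."""
    return re.sub(r'\b%s\b' % re.escape(v), lambda m: '(%s)' % t, phi)


def wp(prog, post):
    """Weakest precondition of a loop-free program, read off the Hoare rules:
    (ass) phi[v:=t]; (seq) back through alpha2, then alpha1;
    (ite) (b -> wp(alpha1, post)) and (not b -> wp(alpha2, post))."""
    kind = prog[0]
    if kind == 'skip':
        return post
    if kind == 'assign':
        _, v, t = prog
        return subst(post, v, t)
    if kind == 'seq':
        _, p1, p2 = prog
        return wp(p1, wp(p2, post))
    if kind == 'if':
        _, b, p1, p2 = prog
        return '((not (%s)) or (%s)) and ((%s) or (%s))' % (b, wp(p1, post), b, wp(p2, post))
    raise ValueError(kind)


def implies(phi, psi):
    # written with "or" so that Python short-circuits: psi is not evaluated
    # (and cannot raise, e.g. on b%a with a==0) when phi is false
    return '(not (%s)) or (%s)' % (phi, psi)


def valid(phi, variables, values=range(25)):
    """Bounded validity: phi holds for every assignment of variables to values
    (assumption: exhaustive check over a finite range, not a proof)."""
    code = compile(phi, '<formula>', 'eval')
    env = {'gcd': gcd, 'min': min}
    return all(eval(code, env, dict(zip(variables, vals)))
               for vals in product(values, repeat=len(variables)))


def verify(pre, prog, post, variables, values=range(25)):
    """Loop-free triple {pre} prog {post}: (imp1) with pre -> wp(prog, post)."""
    return valid(implies(pre, wp(prog, post)), variables, values)


def verify_while(pre, b, body, inv, post, variables, values=range(25)):
    """{pre} while (b) body {post} via (whi), (imp1), (imp2) with invariant inv."""
    return (valid(implies(pre, inv), variables, values)
            and valid(implies('(%s) and (%s)' % (inv, b), wp(body, inv)), variables, values)
            and valid(implies('(%s) and (not (%s))' % (inv, b), post), variables, values))


# Constructed encodings of the programs on Folie 24.
X_INC = ('assign', 'x', 'x+1')                      # x++ denotes x=x+1
EX3 = ('seq', X_INC, ('assign', 'y', 'x+1'))
EX4 = ('if', 'a<=b', ('assign', 'c', 'a'), ('assign', 'c', 'b'))
GCD_BODY = ('seq', ('seq', ('assign', 'c', 'a'), ('assign', 'a', 'b%a')),
            ('assign', 'b', 'c'))
GCD_INV = 'gcd(a,b)==gcd(m,n)'                      # my choice of loop invariant

if __name__ == "__main__":
    print(wp(EX3, 'y==19'))                         # ((x+1)+1)==19
    print(verify('x==17', X_INC, 'x==18', ['x']))
    print(verify('x==17', EX3, 'y==19', ['x', 'y']))
    print(verify('a==m and b==n', EX4, 'c==min(m,n)', ['a', 'b', 'm', 'n'], range(8)))
    print(verify_while('a==m>0 and b==n>0', 'a!=0', GCD_BODY, GCD_INV,
                       'b==gcd(m,n)', ['a', 'b', 'm', 'n'], range(12)))
```

The invariant obligation for the gcd loop reduces, after substitution, to (gcd(a,b)==gcd(m,n) ∧ a!=0) → gcd((b%a),(a))==gcd(m,n), which is the number-theoretic fact the Euclidean algorithm rests on; the exit obligation uses gcd(0,b)==b. A wrong postcondition such as {x==17} x++ {x==17} is rejected, since x==17 → (x+1)==17 fails at x=17.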