Presentation is loading. Please wait.

Presentation is loading. Please wait.

Further with Hoare Logic Sections 6.12, 6.10, 6.13

Published byThomasina Norton Modified over 6 years ago

Similar presentations

Presentation on theme: "Further with Hoare Logic Sections 6.12, 6.10, 6.13"— Presentation transcript:

1 Further with Hoare Logic Sections 6.12, 6.10, 6.13

2 Overview Assignment to composite structures
Reasoning about more exotic imperative constructs Motivation: tool support for verification array assignment, block, exception, expr with side effect, etc 2

3 About computer support for verification
We can implement Hoare logic Syntax driven! Use e.g. theorem prover or SAT solver at the back-end to prove the resulting verification conditions. Big-logic architecture: The Hoare logic is defined to work natively on e.g. Java Complex logic; maintenance (of the logic) is an issue Example: LOOP Small-logic architecture: Translate Java to a much simpler intermediate language (e.g. Boogie PL); Hoare logic operates on this intermediate language Feedback is an issue Example : SPEC#, Esc/Java

4 Assignment to array Recall : wp (x:=e) Q = Q[e/x] {* Q[e/x] *} x:=e {* Q *} Does these “rules” extend to a[e1] := e2 ? {* y = 10 *} a[i] := y {* a[i] = 10 *} // valid {* a[0] = 10 *} a[i] := y {* a[0] = 10 *} // not valid!! {* (i=0  y | a[0]) = 10 *}

5 The formalism Introduce : a (i repby e) : the same array as a, except its i-th element, which is e. Define it indirectly via : a (i repby e) [k] = i=k  e | a[k] Treat assignment : a[i] := 0  a := a(i repby 0)

6 Now we can derive the “rule”
So : wp (a[e1] := e2) Q = wp (a := a(e1 repby e2)) Q = { this is now an ordinary assignment ! } Q [ a(e1 repby e2) / a ]

7 Example Prove: {* ik *} a[k]:= 0 ; a[i]:=1 {* a[k] = 0 *}
By calculating wp: {* i=k  1 | = 0 *} // def. repby {* a(k repby 0)[k] *} // wp a[k]:= // a := a(k repby 0) {* i=k  1 | a[k] = *} // def. repby {* a(i repby 1)[k] = 0 *} // wp a[i]:= // a := a(i repby 1) {* a[k] = 0 *}

8 Record Can be handled in a way analogous to array : r.fn := e  r := r(fn repby e) But since field names are static, we can immediately collapse the resulting repby expression: r (fn repby e) . fn = e r (fn repby e) . otherfield = r.otherfield See Lec. Notes.

9 “Predicate transformer” semantics
we can abstractly define the meaning/semantic of a statement S by defining how to calculate its wp. wp (assert P) Q = P /\ Q wp (assume P) Q = P  Q

10 Now we can dealing with actual arrays
Array expressions e.g. a[i] has to be checked that the index i is within a’s actual domain. Well, we can adapt uPL logic. Alternatively, keep the logic, but use a pre-processor to translate, e.g.: a[i] := a[k]  assert 0i<#a ; assert 0k<#a ; a[i] := a[k] What if we use assume instead of assert ?

11 Expressing non-determinism
S [] T On a begin state, non-deterministically choose between S and T, and execute it. Define it via wp: wp (S [] T) Q = wp S Q /\ wp T Q

12 Non-deterministic IF We can now have a non-deterministic IF; define : if g1  S g2  S2 = (encoded by) { assume g1 ; S1 } [] { assume g2 ; S2 } Can’t be implemented literally like that; but with respect to their Hoare triple specs, these are equivalent. So, what happens if it is executed on a state not satisfying one of the guards? 

13 Non-deterministic loop
while g1 do S g2 do S2 If g1 true, do S1, if g2 true, do S2. If both are true, choose one non-deterministically. Repeat the above. Terminate when g1 and g2 are false. while g1 \/ g2 do if g1  S g2  S2

14 Example Prove that eventually the bag will be empty. By proving this specification: {* reds = /\ blues = 100 *} while reds>0 do reds,blues := reds-1 , blues blues>0 do blues := blues {* reds = 0 /\ blues = 0 *} Take as invariant: r>=0 /\ w>=0 On termination we have ~g1 /\ ~g2 = r<=0 /\ b<=0, which with inv implies r=b=0. Termination metric: 3r + b Note that for the specification to be valid, we have to take into account all the non-deterministic choices made by the loop.

15 Block { var x:T ; S } Introduce a local, uninitialized variable x (means its value can be anything of the type T), then does S. The scope of x is limited within the block. Variant, with initialization: { var x = e ; S }  { var x ; x := e ; S } But we can also have a non-deterministic intialization: { var x ; assume x>9 ; S }

16 Block Define the semantics via wp; first some examples: {* true *}
{* y=0 *} { var x ; x:=0 ; y:=x } {* y=x *} {* 0=0 *} // no! {* 0=x *}

17 Block {* y>x *} x>0  x > x’ y > x’
We may need to protect and restore variable names We may have to quantify { var x ; assume x>0 ; y:=x } {* y>x *} x>0  x > x’ y > x’ // rename x to x’ (x:: x>0  x > x’) @x>0  @x > x’) // rename bound var @x>0  @x > x) // restore x’ to x Equivalent with 0  x

18 Block So: wp {var x ; S } Q = restorex (x :: wp S (protectx Q)) where protectx Q = Q[x’/x] // x’ fresh var restorex (x:: R) = fresh var The wp of {var x=e ; S } can be simplified  home work 

19 Non-deterministic assignment
x,y  P Change the values of x and y to arbitrary values satisfying P; other variables stay unchanged. For example, x  x>0 can be encoded by: {var x’ ; assume x’>0 ; x:=x’ } // assuming x’ fresh Theorem: wp (x  P) Q = (x:: P  Q) = (z :: (P  Q)[z/x]) // z fresh Wp {var x’; assume x’>0; x=x’} Q = (forall x’ :: x’>0 ==> Q[x’ / x]) = (forall x :: x>0 ==> Q)

20 Exception raise Cause the program to enter an exception state. There is only one exception sort. But our concept of Hoare triple does not understand “exceptional state”. Extend “triple” to “quadruple” : {* P *} S {* Q , E *} If S is executed on a state satisfying P it will terminate. If it terminates in a normal state, then the state should satisfy Q. If it is an exceptional state, it should satisfy E.

21 Exception But now we have to extend all our Hoare logic rules and our defs for wp {* E *} raise {* Q, E *} {* P *} S1 {* Q, E *} , {* Q *} S2 {* R, E *} {*P*} S1 ; S2 {* R, E *} wp (x:=e) (Q,E) = Q[e/x] wp (S1 ; S2) (R,E) = wp S1 (wp S2 (R,E), E) wp raise (Q,E) = E

22 Catching exception try S catch T Execute S, if it jumps to an exception state, continue with T. The logic: {* P *} S {* R, Q *} , {* Q *} T {* R, E *} {*P*} try S catch T {* R, E *} wp (try S catch T) (R,E) = wp S (R, wp T (R,E)) { P } S { Q, R } , { R } T {Q, E} { P } try S catch T { Q, E }

23 Expression with side effect
Assume this simple syntax of expression <expr> ::= <constant> | <var> | <expr> "+" <expr> | <expr> "=" <expr> | <var> "++“ Define a function flat that transform such an expression to statement, such that e.g. : x := e  … ; flat @0 e

24 Expression with side effect
(e1 + e2) = e1 ; e2 flat @0 var = @0 := var flat @0 var = @0 := var ; var:=var+1 … All vars are fresh. Example: x := x++ + y ; x:=x+1 ; ; x Can be handled by usual uPL logic.

Download ppt "Further with Hoare Logic Sections 6.12, 6.10, 6.13"

Similar presentations

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.

1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Wishnu Prasetya Hoare Logic and Predicate Transformers.

Wishnu Prasetya Hoare Logic and Predicate Transformers.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

Similar presentations

Ads by Google