Download presentation
Presentation is loading. Please wait.
1
Formal Methods in software development
a.a.2017/2018 Prof. Anna Labella 2/24/2019
2
concurrent and sequential systems
Hoare Logic Dealing with critical situations Software aging See Huth Ryan chap.4 and Ben Ari 2/24/2019
3
Verifying satisfiability of properties A posteriori
Model Checking Automatic Model-based Verifying satisfiability of properties A posteriori Application: concurrent and reactive systems Hoare Logic Semiautomatic Proof-based Verifying satisfiability of properties A priori Application: sequential and transformational programs 2/24/2019
4
Our language Our core language has three syntactic domains: integer expressions, boolean expressions and commands Arithmetical expressions E ::= n | x | (−E) | (E + E) | (E − E) | (E ∗ E) Propositions B ::= true | false | (!B) | (B &B) | (B ||B) | (E < E) Commands C ::= x = E | C;C | if B {C} else {C} | while B {C} 2/24/2019
5
Hoare triples (partial) correctness
let us define |- (|φ|) S (|ψ|) If φ holds before applying the instruction S (A), then ψ holds after the application (B). Metalinguistically A B φ is called “precondition” ψ “postcondition” 2/24/2019
6
A deductive system we can prove (partial) correctness
by adopting a logical system tree-like proofs 2/24/2019
7
Hoare logic (proof rules for partial correctness)
(|φ1|) C1 (|φ2|) (|φ2|) C2(|φ3|) composition (|φ1|) C1 ; C2 (|φ3|) ________________________ assignment (|ψ [E/x]|) x = E (|ψ|) (|φB|) C1 (|ψ|) (|φ¬ B|) C2 (|ψ|) if-statement (|φ|) if B then C1 else C2 (|ψ|) (|ψB|) C (|ψ|) partial while (|ψ|) while B do C (|ψ¬B|) (|φ’ φ|) (|φ|) C (|ψ|) (|ψ ψ’|) implied (|φ’|) C (|ψ’|) 2/24/2019
8
Proofs as trees They are difficult to deal with
We prefer to go on semantically This is possible because we have a soundness and a completeness theorem 2/24/2019
9
Semantically We usually identify the set of states verifying a property with the property itself and work bottom up in the verification looking for the maximal set of states verifying the precondition in order to get the postcodition φ ψ means that the set of states verifying |φ| is contained in the set of states verifying |ψ| |φ| |ψ| 2/24/2019
10
Hoare triples semantically
let us define |= (|φ|) S (|ψ|) If s is a state verifying φ, then, by applying the instruction S, we obtain a state where ψ holds. 2/24/2019
11
Partial correctness |=par (|φ|) S (|ψ|)
If preconditions are verified: A then, if the program teminates B0 postconditions are verified: B A (B0 B) 2/24/2019
12
Total correctness |=tot (|φ|) S (|ψ|) If preconditions are verified: A
then, the program terminates B0 and postconditions are verified: B A (B0 B) !?!?! 2/24/2019
13
Termination The only command that can be non terminating is the while command 2/24/2019
14
Weaker condition φ ψ means that φ is stronger than ψ
(because “not as true as” ψ) We proceed backwards: Given (|φ|) C (|ψ|), we can compute the weakest precondition wp (C, ψ) (predicate trasformer) s.t. wp (C, ψ) C (|ψ|) Hence to prove a triple, we have to show: (|φ|) C (|ψ|) φwp (C, ψ) 2/24/2019
15
(inductive definition)
Weakest precondition (inductive definition) Hence we look for the maximal set of states s.t., starting from one of them, after doing C, we reach a state Satisfying the postcondition wp (x = E, ψ) = [E/x] ψ wp (C;C‘, ψ) = wp (C, wp (C‘, ψ )) wp (if B then C1 else C2, ψ) = (B wp (C1, ψ) (B wp (C2, ψ)) wp (while B do C, ψ) = ( B ψ)(B wp (C; while B do C, ψ)) 2/24/2019
16
Proof tableaux Reduce a program to a concatenation of steps, inserting justification between any two of them (|φ0|) C1 (|φ1|) C2 ……(|φn-1|) Cn (|φn|) and prove that |- (|φ0|) C1 (|φ1|) C2 ……(|φn-1|) Cn (|φn|) going backword from the postcondition to the precondition as we do in the case of weakest precondition How? 2/24/2019
17
Example Let us have the program Prove its partial correctness
2/24/2019
18
Example (assignment and concatenation)
z = x; assignment z = z + y; assignment u=z; assignment (| u = x + y |) 2/24/2019
19
Example (assignment and concatenation)
z = x; assignment z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/24/2019
20
Example (assignment and concatenation)
z = x; assignment (| z + y = x + y |) z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/24/2019
21
Example (assignment and concatenation)
(| x + y = x + y |) z = x; assignment (| z + y = x + y |) z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/24/2019
22
Example (assignment and concatenation)
(| x + y = x + y |) z = x; assignment (| z + y = x + y |) z = z + y; assignment (| z = x + y |) u=z; assignment (| u = x + y |) 2/24/2019
23
Exercises (assignment and concatenation)
2/24/2019
24
Exercises (assignment and concatenation)
The first one is immediate (| x >0 |) (| x+1>1 |) (| y>1 |) (|T|) (| 3 * x = x+x+x |) (| 3 * x = x+x+y |) (| y = 3 * x |) (| x > 1 x>x-1|) (| x>a x>x-a|) (| y>a x>y-a |) (| y-a>0 x>y-a |) (| y>0 x>y|) 2/24/2019
25
Example (if then else) 2/24/2019
26
Example (if then else) The two premises of the “if then else” are
(| x>y|) (| x>y|) (| y = min (x, y) |) (| x = min (x, y) |) z = y; z = x; (| z = min (x, y) |) their disjunction gives the truth (| T |) 2/24/2019
27
Invariants (while do) In order to prove the correctness of such a program, we need: 2/24/2019
28
Example (while do) Fac1 |=par 2/24/2019
29
Example (while do) 2/24/2019
30
Example (while do) 2/24/2019
31
Exercise 2/24/2019
32
Hoare triples: total correctness
Let us define |= tot(|φ|) S (|ψ|) If s is a state verifying φ, then, by applying the instruction S, then S terminates and we obtain a state where ψ holds. φ is called “precondition” ψ “postcondition” 2/24/2019
33
Hoare logic: total correctness
If we want to prove total correctness, we need (|ψB 0≤E=E0|) C (|ψ0≤E<E0|) total while (|ψ0≤E|) while B do C (|ψ¬B|) Variants 2/24/2019
34
Example (total while) Fac1 2/24/2019
35
Example (total-while)
2/24/2019
Similar presentations
