Program Verification with Hoare Logic

1 Program Verification with Hoare Logic
CS 510/10

2 Program Verification
Decides whether specific properties hold for a program.
Other approaches:
- Model checking
  - Symbolic: (program + properties) -> CNF -> SAT
  - Explicit state: explore all reachable states
  - The problem lies in scalability (state explosion)
- Static program analysis
  - Conservatively considers all possible executions
  - Produces false positives

3 Verification through Hoare Logic
- It is proof based: a set of proof rules is available which can be applied to prove that a program satisfies certain properties.
- Semi-automatic: some steps have to involve human intelligence (choosing loop invariants, discharging the implications).
- Popular: proof based implies scalability, as the proof is constructed by following the structure of the program and the structure of the formula, so it scales better than exploring states. Long history. Job openings.
- A formal software process:
  1. Turn the informal requirements into an equivalent formula of some logic.
  2. Write the program.
  3. Prove that the program satisfies the formula.

4 Intuition

5 A Sample Hoare Triple
Initial informal requirement: compute a number y whose square is less than the input x.
What if x is a negative number (or zero)? No such y exists, since y*y >= 0, so the requirement cannot be met for every input.
Revised informal requirement: if the input x is a positive number, compute a number y whose square is less than x.
The formal specification: (( x>0 )) P (( y*y<x ))
P is free to do whatever it wants if x<=0: the precondition is false there, so the triple makes no demand on P.

6 Definition of Hoare Logic
The form ((Φ)) P ((Ψ)) is called a Hoare triple; Φ is called the precondition and Ψ the postcondition.
In the core language, a store (or state) is a function L that assigns an integer to each variable x.
For a formula Φ built from the function symbols - (unary), +, -, * (binary) and the binary predicate symbols < and =, we say a state L satisfies Φ, written L |= Φ, if and only if Φ evaluates to true under the value assignment given by L.

7 Examples
Assume a state L with L(x)=-2, L(y)=5, L(z)=-1.
- L |= !(x+y<z) ?
- L |= y-x*z<z ?
- L |= ∀u (y<u → y*z<u*z) ?
x, y, z are variables of the program; u is a logical variable that occurs only in the formula.

8 Partial Correctness vs. Total Correctness
We say a triple ((Φ)) P ((Ψ)) is satisfied under partial correctness, written |=par ((Φ)) P ((Ψ)), if for every state satisfying Φ in which P terminates, the final state satisfies Ψ. This is a weak requirement: while (true) {x=0;} never terminates, so it satisfies every triple under partial correctness.
We say a triple ((Φ)) P ((Ψ)) is satisfied under total correctness, written |=tot ((Φ)) P ((Ψ)), if it is satisfied under partial correctness and P terminates from every state satisfying Φ. This seems more desirable, but is very challenging: it needs a termination argument on top of the proof.

9 A Core Programming Language
E ::= n | x | (-E) | (E+E) | (E-E) | (E*E)
B ::= true | false | (!B) | (B&B) | (B||B) | (E<E)
C ::= x=E | C;C | if B {C} else {C} | while B {C}
Example program P (computes the factorial of x in y; z!=x is shorthand for (z<x)||(x<z)):
y=1; z=0;
while (z!=x) {
  z=z+1;
  y=y*z;
}
Partial correctness vs. total correctness: the loop terminates only when x>=0, so ((T)) P ((y=x!)) holds under partial correctness, but total correctness needs the precondition x>=0.

10 Proof Rules for Partial Correctness

11 Composition
From ((Φ)) C1 ((η)) and ((η)) C2 ((Ψ)) infer ((Φ)) C1;C2 ((Ψ)). The formula η is called the midcondition.

12 Assignment
((Φ[E/x])) x=E ((Φ))
Φ[t/x] denotes Φ with every occurrence of x replaced by t. The rule has no premises and is thus an axiom of our logic.
It is a backward rule (the precondition is computed from the postcondition) and machine friendly, since substitution is purely syntactic.

13 Confusion

14 Clarification

15 More Examples
(( ?? )) x=2 (( x=2 ))
(( ?? )) x=2 (( x=y ))

16 If-Statements
(( T )) if x=0 then y:=1 else y:=a/x (( y=1 || y=a/x ))
(Division is not in the core grammar of slide 9; treat it here as an extra operator.)

17 While Loops
Rule: from ((Φ && B)) C ((Φ)) infer ((Φ)) while B {C} ((Φ && !B)). Φ is called the loop invariant.
If B is false as soon as we embark on the while-statement, then we do not execute C at all. Nothing has happened to change the truth value of Φ, so we end the while-statement with Φ and !B.
If B is true, we execute C, and the premise re-establishes Φ. No matter how many times we execute C in this way, Φ is true at the end of each execution of C.
When the loop terminates, it does so because B is false, so Φ && !B holds on exit. Under partial correctness the rule says nothing about whether the loop terminates at all.

18 Implied
The proof rules do not always give the desired pre/post condition. From Φ' → Φ, ((Φ)) C ((Ψ)) and Ψ → Ψ' infer ((Φ')) C ((Ψ')): the precondition may be strengthened and the postcondition weakened.

19 Proof Tableaux

20 Constructing a Proof Tableau

21 Backwards Derivation

22 Weakest Precondition
The process of obtaining Φi from Ci+1 and Φi+1 is called computing the weakest precondition of Ci+1 given the postcondition Φi+1: the logically weakest formula whose truth at the beginning of the execution of Ci+1 is enough to guarantee Φi+1.
Weaker means satisfied by more states: x>5 is weaker than x>10, since x>10 → x>5.
|=par ((y>10)) x=y+1 ((x>6)) holds: the weakest precondition is (x>6)[y+1/x], i.e. y+1>6, and y>10 implies it.
|=par ((T)) z=x; z=z+y; u=z; ((u=x+y)) holds: pushing u=x+y backwards through the three assignments gives x+y=x+y, which T implies.
Why do we want the weakest precondition instead of the strongest? Because we want to maximize the chance of applying the implied rule to prove the target precondition: the weaker the computed formula, the more candidate preconditions imply it.

23 WP for If-Statements
Push Ψ upwards through the then-branch C1, resulting in Φ1; push Ψ upwards through the else-branch C2, resulting in Φ2.
Set Φ to be (B → Φ1) && (!B → Φ2).
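The backward computation described on slides 22 and 23, as an added example that is not code from the slides: a small weakest-precondition calculator for the core language (assignment by substitution, composition, if-statements), together with a bounded counterexample search that a practitioner uses to sanity-check the implied step before writing the real proof. The two programs from slide 22 are encoded as given; the if-statement program (absolute value) is my own constructed example, chosen to stay inside the core grammar, which has no division.

```python
# Added example, not code from the slides: weakest preconditions for the core
# language of slide 9 (assignment, composition, if-statement) plus a bounded
# counterexample search for the "implied" step.
# Expressions and formulas are nested tuples; variables are str, literals int.
from itertools import product

# expression: int | 'x' | ('-', e) | ('+', e1, e2) | ('-', e1, e2) | ('*', e1, e2)
# formula:    True | False | ('!', f) | ('&', f, g) | ('|', f, g) | ('->', f, g)
#             | ('<', e1, e2) | ('=', e1, e2)
# command:    ('assign', x, e) | ('seq', c1, c2) | ('if', b, c1, c2)


def subst(phi, x, t):
    """phi[t/x]: replace every occurrence of variable x in phi by the expression t."""
    if isinstance(phi, str):
        return t if phi == x else phi
    if isinstance(phi, tuple):
        return (phi[0],) + tuple(subst(arg, x, t) for arg in phi[1:])
    return phi  # int literal or True/False


def wp(cmd, post):
    """Weakest precondition of cmd w.r.t. post, by the backward proof rules."""
    kind = cmd[0]
    if kind == 'assign':            # assignment axiom: ((post[E/x])) x=E ((post))
        _, x, e = cmd
        return subst(post, x, e)
    if kind == 'seq':               # composition: push post through c2, then c1
        _, c1, c2 = cmd
        return wp(c1, wp(c2, post))
    if kind == 'if':                # (B -> wp(c1)) && (!B -> wp(c2))
        _, b, c1, c2 = cmd
        return ('&', ('->', b, wp(c1, post)), ('->', ('!', b), wp(c2, post)))
    raise ValueError(f"no wp rule for {kind!r}: while needs a loop invariant")


def evaluate(phi, state):
    """Evaluate an expression or formula under state (dict: variable -> int)."""
    if isinstance(phi, bool):
        return phi
    if isinstance(phi, int):
        return phi
    if isinstance(phi, str):
        return state[phi]
    op, *args = phi
    if op == '-' and len(args) == 1:
        return -evaluate(args[0], state)
    a = [evaluate(arg, state) for arg in args]
    return {'+': lambda: a[0] + a[1], '-': lambda: a[0] - a[1],
            '*': lambda: a[0] * a[1], '<': lambda: a[0] < a[1],
            '=': lambda: a[0] == a[1], '!': lambda: not a[0],
            '&': lambda: a[0] and a[1], '|': lambda: a[0] or a[1],
            '->': lambda: (not a[0]) or a[1]}[op]()


def free_vars(phi):
    if isinstance(phi, str):
        return {phi}
    if isinstance(phi, tuple):
        return set().union(*(free_vars(arg) for arg in phi[1:]))
    return set()


def implies_bounded(pre, post, lo=-8, hi=8):
    """Search [lo, hi]^k for a state with pre true and post false.
    Returns the first counterexample, or None. A None result is evidence,
    not a proof: the implied rule still needs a real argument for pre -> post."""
    vs = sorted(free_vars(pre) | free_vars(post))
    for vals in product(range(lo, hi + 1), repeat=len(vs)):
        state = dict(zip(vs, vals))
        if evaluate(pre, state) and not evaluate(post, state):
            return state
    return None


def show(phi):
    """Render a formula/expression in the slides' infix notation."""
    if isinstance(phi, (bool, int, str)):
        return str(phi)
    op, *args = phi
    if len(args) == 1:
        return f"{op}({show(args[0])})"
    return f"({show(args[0])} {op} {show(args[1])})"


# Slide 22: ((y>10)) x=y+1 ((x>6))
PROG_INC = ('assign', 'x', ('+', 'y', 1))
POST_INC = ('<', 6, 'x')

# Slide 22: ((T)) z=x; z=z+y; u=z ((u=x+y))
PROG_SUM = ('seq', ('assign', 'z', 'x'),
            ('seq', ('assign', 'z', ('+', 'z', 'y')), ('assign', 'u', 'z')))
POST_SUM = ('=', 'u', ('+', 'x', 'y'))

# Constructed if-statement (my own, division-free so it stays inside the core
# grammar): ((T)) if x<0 {y=-x} else {y=x} ((!(y<0)))
PROG_ABS = ('if', ('<', 'x', 0), ('assign', 'y', ('-', 'x')), ('assign', 'y', 'x'))
POST_ABS = ('!', ('<', 'y', 0))


if __name__ == '__main__':
    for name, prog, post, pre in [('inc', PROG_INC, POST_INC, ('<', 10, 'y')),
                                  ('sum', PROG_SUM, POST_SUM, True),
                                  ('abs', PROG_ABS, POST_ABS, True)]:
        w = wp(prog, post)
        print(f"{name}: wp = {show(w)}; counterexample to pre -> wp: "
              f"{implies_bounded(pre, w)}")
    # A postcondition that is too strong for the abs program: 0<y fails at x=0
    print("abs with post 0<y:", implies_bounded(True, wp(PROG_ABS, ('<', 0, 'y'))))
```

Running it prints the computed preconditions (for the first program `(6 < (y + 1))`, i.e. y>5, which y>10 implies) and `None` for each sound implied step. The last line shows the value of the search: asking the absolute-value program for the stronger postcondition 0<y yields the counterexample `{'x': 0}`, which is exactly the state the proof attempt would get stuck on. Note that `wp` deliberately refuses `while`: there is no mechanical rule for it, the invariant has to be supplied.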

24 An Example

25 Proving While Loops The requirement Rule at hand

26 Proving While Loops

27 Finding an Invariant

28 Checking the Invariant

29 Completing the Proof

30 A Case: Minimal-Sum Section
Let a[0], …, a[n-1] be the integer values of an array a. A section of a is a contiguous piece a[i], …, a[j], where 0<=i<=j<n. We denote the sum of that section, a[i]+a[i+1]+…+a[j], as S_{i,j}.
A minimal-sum section is a section whose sum S_{i,j} is less than or equal to S_{i',j'} for every other section 0<=i'<=j'<n.
Example: for [-1, 3, 15, -6, 4, -5] the minimal-sum section is a[3], a[4], a[5] with sum -7.

31 One Implementation
Formally specify the requirements, then prove that the following implementation satisfies them (min and != are shorthand outside the core grammar):
k=1; t=a[0]; s=a[0];
while (k!=n) {
  t=min(t+a[k], a[k]);
  s=min(s, t);
  k=k+1;
}

32 Requirements
((T)) Min_Sum (( ∀i,j. 0<=i<=j<n → s<=S_{i,j} ))
((T)) Min_Sum (( ∃i,j. 0<=i<=j<n && s=S_{i,j} ))
The second property needs a conjunction, not an implication: with →, any out-of-range pair i,j would satisfy it vacuously. Note also that the implementation reads a[0] before the loop, so the precondition is really n>=1 rather than T.

33 Proving the First Property
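Finding and checking an invariant (slides 27 and 28) applied to the Minimal-Sum Section loop, as an added example that is not code from the slides: the program from slide 31 is run with a candidate invariant checked where the while rule requires it (before the loop and after every execution of the body), and the result is compared with the first requirement from slide 32. The invariant Inv below is my own proposal; the slides do not state one. The sample arrays are constructed inputs, the first being the array from slide 30.

```python
# Added example, not code from the slides: run the Minimal-Sum Section loop of
# slide 31 and check a candidate loop invariant at every point where the while
# rule requires it (established before the loop, preserved by each body run).
# The invariant Inv is my own proposal, not one stated on the slides:
#   Inv: 1<=k<=n
#        && t = min over 0<=i<=k-1 of S_{i,k-1}     (best section ending at k-1)
#        && s = min over 0<=i<=j<=k-1 of S_{i,j}    (best section inside a[0..k-1])
# On loop exit Inv && !(k!=n) gives k=n, so s is the minimum over all sections,
# which is the first requirement on slide 32. Running the check is evidence for
# choosing Inv, not a proof; the proof tableau still has to be built.


def section_sum(a, i, j):
    """S_{i,j} = a[i] + ... + a[j]."""
    return sum(a[i:j + 1])


def spec_min_sum(a):
    """The requirement itself: minimum of S_{i,j} over all 0<=i<=j<n."""
    n = len(a)
    return min(section_sum(a, i, j) for i in range(n) for j in range(i, n))


def inv_good(a, k, t, s):
    """Candidate invariant Inv, checked directly against the definition of S."""
    n = len(a)
    if not 1 <= k <= n:
        return False
    best_ending_at_k1 = min(section_sum(a, i, k - 1) for i in range(k))
    best_in_prefix = min(section_sum(a, i, j) for i in range(k) for j in range(i, k))
    return t == best_ending_at_k1 and s == best_in_prefix


def inv_wrong(a, k, t, s):
    """A tempting but wrong guess: 't is just the last element seen'."""
    return 1 <= k <= len(a) and t == a[k - 1]


def run_loop(a, inv):
    """Slide 31's program, instrumented. Returns (s, ok): ok is True iff inv held
    before the loop and after every execution of the body."""
    n = len(a)
    assert n >= 1, "the program reads a[0]; precondition n>=1 needed"
    k, t, s = 1, a[0], a[0]
    ok = inv(a, k, t, s)                 # Inv established by the initialisation
    while k != n:                        # guard B
        t = min(t + a[k], a[k])
        s = min(s, t)
        k = k + 1
        ok = ok and inv(a, k, t, s)      # ((Inv && B)) body ((Inv))
    return s, ok                         # here Inv && !B, i.e. k == n


# Constructed inputs, the first being the array from slide 30.
SAMPLES = [
    [-1, 3, 15, -6, 4, -5],
    [5],
    [1, 2, 3],
    [-2, -3, -1],
    [4, -1, 2, -7, 3, -2, 5],
]


def check_all(inv, arrays=SAMPLES):
    """True iff inv holds throughout and the loop's result matches the spec on every array."""
    return all(run_loop(a, inv) == (spec_min_sum(a), True) for a in arrays)


if __name__ == '__main__':
    print("slide's array:", run_loop(SAMPLES[0], inv_good))
    print("Inv holds everywhere and result matches spec:", check_all(inv_good))
    print("wrong invariant survives the same inputs:", check_all(inv_wrong))
```

On the slide's array the loop returns -7 with Inv intact, and the wrong guess is rejected at the second iteration (t becomes min(-1+3, 3) = 2, not a[1] = 3). The conjunct about t is what makes Inv strong enough: s alone cannot be maintained by the body without knowing that t is the best section ending at the previous index, which is the usual reason a first attempt at this invariant fails on the preservation step.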

