Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prof. Necula CS 294-8 Lecture 91 Theorem Proving CS 294-8 Lecture 9.

Published byDarren Anthony Modified over 9 years ago

Similar presentations

Presentation on theme: "Prof. Necula CS 294-8 Lecture 91 Theorem Proving CS 294-8 Lecture 9."— Presentation transcript:

1 Prof. Necula CS 294-8 Lecture 91 Theorem Proving CS 294-8 Lecture 9

2 Prof. Necula CS 294-8 Lecture 92 Theorem Proving: Historical Perspective Theorem proving (or automated deduction) = logical deduction performed by machine At the intersection of several areas –Mathematics: original motivation and techniques –Logic: the framework and the meta-reasoning techniques One of the most advanced and technically deep fields of computer science –Some results as much as 75 years old –Automation efforts are about 40 years old

3 Prof. Necula CS 294-8 Lecture 93 Applications Software/hardware productivity tools –Hardware and software verification (or debugging) –Security protocol checking Automatic program synthesis from specifications Discovery of proofs of conjectures –A conjecture of Tarski was proved by machine (1996) –There are effective geometry theorem provers

4 Prof. Necula CS 294-8 Lecture 94 Program Verification Fact: mechanical verification of software would improve software productivity, reliability, efficiency Fact: such systems are still in experimental stage –After 40 years ! –Research has revealed formidable obstacles –Many believe that program verification is dead

5 Prof. Necula CS 294-8 Lecture 95 Program Verification Myth: –“Think of the peace of mind you will have when the verifier finally says “ Verified ”, and you can relax in the mathematical certainty that no more errors exist” Answer: –Use instead to find bugs (like more powerful type checkers) –We should change “ verified ” to “ Sorry, I can’t find more bugs ”

6 Prof. Necula CS 294-8 Lecture 96 Program Verification Fact: –Many logical theories are undecidable or decidable by super- exponential algorithms –There are theorems with super-exponential proofs Answer: –Such limits apply to human proof discovery as well –If the smallest correctness argument of program P is huge then how did the programmer find it? –Theorems arising in PV are usually shallow but tedious

7 Prof. Necula CS 294-8 Lecture 97 Program Verification Opinion: –Mathematicians do not use formal methods to develop proofs –Why then should we try to verify programs formally ? Answer: –In programming, we are often lacking an effective formal framework for describing and checking results –Compare the statements The area bounded by y=0, x=1 and y=x 2 is 1/3 By splicing two circular lists we obtain another circular list with the union of the elements

8 Prof. Necula CS 294-8 Lecture 98 Program Verification Fact: –Verification is done with respect to a specification –Is the specification simpler than the program ? –What if the specification is not right ? Answer: –Developing specifications is hard –Still redundancy exposes many bugs as inconsistencies –We are interested in partial specifications An index is within bounds, a lock is released

9 Prof. Necula CS 294-8 Lecture 99 Theorem Proving and Software Meets spec/Found Bug Theorem in a logic Program Specification Semantics VC generation Validity Provability (theorem proving) Soundness: –If the theorem is valid then the program meets specification –If the theorem is provable then it is valid

10 Theorem ProvingProgram Analysis Start from real code and face head-on issues like: aliasing and side-effects looping data types and recursion exceptions Most often used for sequential programs Ambitious: – Complex properties – Flow sensitive – Inter-procedural Modest: – Simple properties – Flow insensitive – Intra-procedural Semi-automaticAutomatic Requires invariants and validates them Discovers simple invariants

11 Theorem ProvingModel Checking Operate on models of the software and reduce the checking problem to a decision problem in a logic Ambitious: – Starts from real code – Inter-procedural – Complex properties More modest: – Models are heavily abstracted – Function calls, data structures are abstracted – Simpler properties (typically) Model generated automaticallyModel generated manually Mostly sequential programsAlso concurrent programs Requires invariants and validates them Discovers invariants

12 Prof. Necula CS 294-8 Lecture 912 Overview of the Next Few Lectures Focus Expose basic techniques useful for software debugging From programs to theorems –Verification condition generation From theorems to proofs –Theorem provers –Decision procedures Applications –Combining program analysis and decision procedures

13 Prof. Necula CS 294-8 Lecture 913 Programs  Theorems. Axiomatic Semantics Consists of: –A language for making assertions about programs –Rules for establishing when assertions hold Typical assertions: –During the execution, only non-null pointers are dereferenced –This program terminates with x = 0 Partial vs. total correctness assertions –Safety vs. liveness properties –Usually focus on safety (partial correctness)

14 Prof. Necula CS 294-8 Lecture 914 Assertion or Specification Languages Must be easy to use and expressive (conflicting needs) –Most often only expressive Typically they are extensions of first-order logic –Although higher-order or modal logics are also used Semantics given in the context of the underlying logic We focus here on state-based assertions (for safety) State = values of variables + contents of memory (+ past state) –Not allowed: “variable x is live”, “lock L will be released”, “there is no correlation between the values of x and y”

15 Prof. Necula CS 294-8 Lecture 915 An Assertion Language We’ll use a fragment of first-order logic: Formulas P ::= A | T |  | P 1  P 2 |  x.P | P 1  P 2 Atoms A ::= E 1  E 2 | E 1 = E 2 | f(A 1,…,A n ) | … –All boolean expressions from our language are atoms Can have an arbitrary collection of function symbols –reachable(E 1,E 2 ) - list cell E 2 is reachable from E 1 –sorted(A, L, H) - array A is sorted between L and H –ptr(E,T) - expression E denotes a pointer to T –E : ptr(T) - same in a different notation An assertion can hold or not in a given state –Equivalently, an assertion denotes a set of states

16 Prof. Necula CS 294-8 Lecture 916 Handling Program State We cannot have side-effects in assertions –While creating the theorem we must remove side-effects ! –But how to do that when lacking precise aliasing information ? Important technique #1: Postpone alias analysis Model the state of memory as a symbolic mapping from addresses to values: –If E denotes an address and M a memory state then: –sel(M,E) denotes the contents of memory cell –upd(M,E,V) denotes a new memory state obtained from M by writing V at address E

17 Prof. Necula CS 294-8 Lecture 917 More on Memory We allow variables to range over memory states –So we can quantify over all possible memory states And we use the special pseudo-variable  in assertions to refer to the current state of memory Example: “  i. i  0  i 0” = allpositive( , A, 0, 5) says that entries 0..4 in array A are positive

18 Prof. Necula CS 294-8 Lecture 918 Hoare Triples Partial correctness: { A } s { B} –When you start s in any state that satisfies A –If the execution of s terminates –It does so in a state that satisfies B Total correctness: [ A ] s [ B ] –When you start s in any state that satisfies A –The execution of s terminates and –It does so in a state that satisfies B Defined inductively on the structure of statements

19 Prof. Necula CS 294-8 Lecture 919 Hoare Rules {A} s 1 {C} {C} s 2 {B} { A } s 1 ; s 2 {B} {A} s 1 {B} {A’} s 2 {B} { E  A   E  A’} if E then s 1 else s 2 {B} {I  E} s {I} I   E  B { I} while E do s {B}

20 Prof. Necula CS 294-8 Lecture 920 Hoare Rules: Assignment Example: { A } x := x + 2 {x >= 5 }. What is A? General rule: Surprising how simple the rule is ! The key is to compute “backwards” the precondition from the postcondition Before Hoare: { B[E/x] } x := E {B} { A } x := E {  x’. A[x’/x]  x = E[x’/x] }

21 Prof. Necula CS 294-8 Lecture 921 Hoare Rules: Assignment But now try: { A } *x = 5 { *x + *y = 10 } A ought to be “*y = 5 or x = y” The Hoare rule would give us: (*x + *y = 10)[5/*x] = 5 + *y = 10 = *y = 5 (we lost one case) How come the rule does not work?

22 Prof. Necula CS 294-8 Lecture 922 Hoare Rules: Side-Effects To correctly model writes we use memory expressions –A memory write changes the value of memory Important technique #1a: treat memory as a whole And (#1b) reason later about memory expressions with inference rules such as (McCarthy): { B[upd( , E 1, E 2 )/  ] } *E 1 := E 2 {B} sel(upd(M, E 1, E 2 ), E 3 ) = E2E2 if E 1  E 3 sel(M, E 3 )if E 1  E 3

23 Prof. Necula CS 294-8 Lecture 923 Memory Aliasing Consider again: { A } *x = 5 { *x + *y = 10 } We obtain: A = (*x + *y = 10)[upd( , x, 5)/  ] = (sel( , x) + sel( , y) = 10) [upd( , x, 5)/  ] = sel(upd( , x, 5), x) + sel(upd( , x, 5), y) = 10 (*) = 5 + sel(upd( , x, 5), y) = 10 = if x = y then 5 + 5 = 10 else 5 + sel( , y) = 10 = x = y or *y = 5 (**) To (*) is theorem generation From (*) to (**) is theorem proving

24 Prof. Necula CS 294-8 Lecture 924 Alternative Handling for Memory Reasoning about aliasing can be expensive (NP-hard) Sometimes completeness is sacrificed with the following (approximate) rule: sel(upd(M, E 1, E 2 ), E 3 ) = E2E2 if E 1  (obviously) E 3 sel(M, E 3 )if E 1  (obviously) E 3 p otherwise (p is a fresh new parameter) The meaning of “obvious” varies: The addresses of two distinct globals are  The address of a global and one of a local are  “PREfix” and GCC use such schemes

25 Prof. Necula CS 294-8 Lecture 925 Weakest Preconditions Dijkstra’s idea: To verify that { A } s { B} a) Find out all predicates A’ such that { A’} s { B} call this set Pre(s, B) b) Verify for one A’  Pre(s, B) that A  A’ Predicates form a lattice: falsetrue  strong weak Pre(s, B) weakest precondition: WP(s, B) Thus: compute WP(s, B) and prove A  WP(s, B) A

26 Prof. Necula CS 294-8 Lecture 926 Theorem Proving and Program Analysis (again) Predicates form a lattice: WP(s, B) = lub  (Pre(s, B)) This is not obvious at all: –lub {P 1, P 2 } = P 1  P 2 –lub PS =  P  PS P –But can we always write this with a finite number of  ? Even checking implication can be quite hard Compare with program analysis in which lattices are of finite height and quite simple Program Verification is Program Analysis on the lattice of first order formulas

27 Prof. Necula CS 294-8 Lecture 927 Weakest Preconditions Computed by a backward reading of Hoare rules –wp(s 1 ; s 2, B) = wp(s 1, wp(s 2, B)) –wp(x := E, B) = B[E/x] –wp(if E then s 1 else s 2, B) = E  wp(s 1, B)   E  wp(s 2, B) {A} s 1 {C} {C} s 2 {B} { A } s 1 ; s 2 {B} { B[E/x] } x := E {B} {A} s 1 {B} {A’} s 2 {B} { E  A   E  A’} if E then s 1 else s 2 {B}

28 Prof. Necula CS 294-8 Lecture 928 Weakest Preconditions (Cont.) What about loops? Define a family of WPs –WP k (while E do S, B) = weakest precondition on which the loop if it terminates in k or fewer iterations, it terminates in B WP 0 =  E  B WP 1 = E  WP(s, WP 0 )   E  B … WP(while E do S, B) =  k  0 WP k = lub {WP k | k  0} –Kind of hard to compute –Can we find something easier yet sufficient ?

29 Prof. Necula CS 294-8 Lecture 929 Not Quite Weakest Preconditions Recall what we are trying to do: falsetrue  strong weak Pre(s, B) weakest precondition: WP(s, B) A verification condition: VC(s, B) We shall construct a verification condition: VC(s, B) –The loops are annotated with loop invariants ! –VC is guaranteed stronger than WP –But hopefully still weaker than A: A  VC(s, B)  WP(s, B)

30 Prof. Necula CS 294-8 Lecture 930 Invariants Are Not Easy Consider the following code from QuickSort int partition(int *a, int L 0, int H 0, int pivot) { int L = L 0, H = H 0 ; while(L < H) { while(a[L] < pivot) L ++; while(a[H] > pivot) H --; if(L < H) { swap a[L] and a[H] } } return L } Consider verifying only memory safety What is the loop invariant for the outer loop ?

Download ppt "Prof. Necula CS 294-8 Lecture 91 Theorem Proving CS 294-8 Lecture 9."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.

1 University of Toronto Department of Computer Science © 2001, Steve Easterbrook Lecture 10: Formal Verification Formal Methods Basics of Logic first order.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 1.

ECI 2007: Specification and Verification of Object- Oriented Programs Lecture 1.

Similar presentations

Ads by Google