Download presentation

Presentation is loading. Please wait.

Published byColin Daley Modified over 5 years ago

1
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models of Software 2 Sep 2003, Tunis, Tunisia

2
Review: Tool architecture Source program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Focus today

3
Commands and their possible outcomes Normal termination – terminates normally in some state Erroneous termination – goes wrong, crashes the computer Non-termination – diverges, fails to terminates, results in infinite recursion Miraculous termination – fails to start, blocks (partial/miraculous commands) you breach contract, demon wins demon breaches contract, you win!

4
Commands C::=w := E |assert P |assume P |var w in C end |C 0 ; C 1 |C 0 [] C 1

5
Semantics Hoare logic – {P} C {R} says that if command C is started in (a state satisfying) P, then: C does not go wrong, and if C terminates normally, then it terminates in (a state satisfying) R Weakest preconditions – for a given C and R, the weakest P satisfying {P} C {R} – written wp(C, R) or simply C.R

6
Command semantics assignment evaluate E and change value of w to E (w := E).R R[w := E] (x := x + 1).(x 10)x+1 10x < 10 (x := 15).(x 10)15 10false (y := x + 3*y).(x 10) x 10 (x,y := y,x).(x < y)y < x replace w by E in R

7
Command semantics assert if P holds, do nothing, else go wrong (assert P).R P R (assert x < 10).(0 x)0 x < 10 (assert x = y*y).(0 x)x = y*y 0 xx = y*y (assert false).(x 10)false logical AND, conjunction

8
Command semantics assume logical implication logical NOT, negation logical OR, disjunction if P holds, do nothing, else block (assume P).R P R P R (assume x < 10).(0 x)10 x 0 x0 x (assume x = y*y).(0 x)x = y*y 0 xtrue (assume false).(x 10)true

9
introduce w with an arbitrary initial value, then do C (var w in C end).R (w C.R) (var y in y := x end).(0 x)(y (y := x).(0 x))(y 0 x)0 x (var y in x := y end).(0 x)(y (x := y).(0 x))(y 0 y)false Command semantics local variable provided w does not occur free in R

10
do C 0, then C 1 (C 0 ; C 1 ).R C 0.(C 1.R) (x := x+1 ; assert x y).(0 < x)(x := x+1).( (assert x y).(0 < x) )(x := x+1).(0 < x y) 0 < x+1 y0 x < y (assume 0 y+z ; x := y).(0 x)(assume 0 y+z).( (x:=y).(0 x) )(assume 0 y+z).(0 y)0 y+z 0 y-y z -y 00 z Command semantics sequential composition

11
do either C 0 or C 1 (the demon chooses which) (C 0 [] C 1 ).R C 0.R C 1.R (x := x+1 [] x := x + 2).(x 10)(x := x+1). (x 10) (x := x+2).(x 10)x 9 x 8 x 8 (assume false [] x := y).(0 x)(assume false).(0 x) (x:=y).(0 x)true 0 y0 y Command semantics choice composition

12
Convenient shorthands skip = assert true = assume true wrong = assert false magic = assume false P C = assume P; C if P then C 0 else C 1 end = P C 0 [] P C 1 havoc w = var win w := wend

13
Change such that change w such that P = havoc w ; assume P change x such that y = x+1havoc x ; assume y = x+1x := y-1 change x such that y < xx := y+1 [] x := y+2 [] … change x such that x = x+1havoc x ; assume falsemagic change r such that r*r = yy < 0 magic []0 y r := y []0 y r := -y

14
Specification statement w:[P, Q] =requires P modifies w ensures Q =assert P ; var w 0 in w 0 := w ; change w such that Q end x:[true, x 0 =x+1]x := x-1 r:[0 y, r*r = y]assert 0 y ; (r := y [] r := -y) x:[0 x, x 2 x 0 < (x+1) 2 ] ? x,y,z,n:[1xy1z2n, x n +y n =z n ] ?

15
Variables with internal structure: maps x := a[i] = x := select(a, i) a[i] := E = a := store(a, i, E) where (m,i,j,v i j select(store(m, i, v), i) = v select(store(m, i, v), j) = select(m, j))

16
Example: maps (a[5] := 12 ; a[7] := 14 ; x := a[5]).(x=12) =(a[5] := 12 ; a[7] := 14).(select(a, 5) = 12) =(a[5] := 12).(select(store(a, 7, 14), 5) = 12) =select(store(store(a, 5, 12), 7, 14), 5) = 12 ={ select/store axiom, since 7 5 } select(store(a, 5, 12), 5) = 12 ={ select/store axiom, since 5 = 5 } 12 = 12 =true

17
Refinement B C = (R B.R C.R ) change x such that y < x x := y+4 assert x < 10 skip skip assume x < 10 wrong C C magic command B is refined by command C C is better than B anyone who requests B would be happy with C

18
Compositions are monotonic with respect to refinement if B C then: – var w in B end var w in C end – A;B A;C – B;D C;D – A [] B A [] C var x in... change x such that y < x... end var x in... x := y+4... end

19
Commands form a lattice Commands form a semi-lattice under ordering, with meet operation [], top element magic, and bottom element wrong A lattice theorem: B C 0 B C 1 B C 0 [] C 1 Corollary: C 0 [] C 1 C 0

20
Example application of lattice theorem Let B = x:[true, x = |x 0 | ]. Then: B assume 0 x = C 0 B assume x 0 ; x := -x = C 1 B assume x = -3 ; x := 3 = C 2 B magic = C 3 Therefore: B C 0 [] C 1 [] C 2 [] C 3

21
Procedures proc P(x,y,z) returns (r,s,t) spec S call to P: a,b,c := P(E 0, E 1, E 2 ) = var x,y,z,r,s,t in x := E 0 ; y := E 1 ; z := E 2 ; S ; a,b,c := r,s,t end

22
Example: procedure proc Add(x) returns (r) specrequires 0 x modifies k ensures k = k 0 +x r = k 0 a := Add(k+25) = var x,r in x := k+25 ; k:[0 x, k = k 0 +x r = k 0 ] ; a := r end

23
Procedure implementations proc P(x,y,z) returns (r,s,t) spec S impl P(x,y,z) returns (r,s,t) is C Proof obligation: S C Let C 0,..., C m- 1 be the declared implementations of P. Then, the language implementation of a call to P can replace S by: C 0 []... [] C m- 1

24
Exercise Redefine (in terms of the commands we've seen) the specification statement so that the postcondition mentions x,x instead of x 0,x Example: – old form: x:[0 x, x*x x 0 < (x+1)*(x+1)] – new form: x:[0 x, x*x x < (x+1)*(x+1)]

25
Exercise Define while {inv J} B do w: S end where: – B is the loop guard – S is the loop body – J is the loop invariant – w is the list of assignment targets in S in terms of the commands we've seen.

26
Loop (answer to exercise) while {inv J} B do w: S end = assert J ; change w such that J ; if B then S ; assert J ; magic else skip end

27
Summary Language is built up from 6 primitive commands Semantics can be given by weakest preconditions Partial (miraculous) commands are important and very useful select/store handle map variables Procedures are names for specifications Procedure implementations are hints for compiler

Similar presentations

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google