1 / 58

Chapter 5

Chapter 5. Safety Properties by David Kjerrumgaard. Introduction. “Correctness” has a broad range of meanings, from the narrow technical ones to the more esoteric. There are two major classes of program properties related to the technical notion of correctness; safety & progress.

alec
Télécharger la présentation

Chapter 5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 5 Safety Properties by David Kjerrumgaard

  2. Introduction • “Correctness” has a broad range of meanings, from the narrow technical ones to the more esoteric. • There are two major classes of program properties related to the technical notion of correctness; safety & progress. • This chapter focuses on safety.

  3. Safety • Informally “Something will not happen” • A safety property constrains the permitted actions of a program, and consequently, the program’s permitted state changes. • The primary operator for expressing safety properties is co, for constrains. • For example, requiring that an integer x be non-decreasing prevents any program action from decreasing x.

  4. Meaning of co • p co q denotes that whenever p holds before execution of any action, q holds after the action. • This can be expressed formally as, • p co q   t :: { p } t { q }  • where t is any action of the system.

  5. Given pcoq; it follows that p q, because skip  t and execution of skip results in no change in the program’s state. Thus the previous state satisfies q only if p q. • If t is of the form q  s, then { p } t { q }is established by proving { p  q } s { q }.

  6. Ineffective executions of actions are equivalent to skip when establishing safety properties because they result in no change in the program’s state. • Given that pcoq is a property of the program, once p holds, predicate q continues to hold up to (and including) the point where p ceases to hold.

  7. This can be restated as follows; once p holds, it continues to hold until p  q holds. • In particular, pcop means that p holds forever once it becomes true. • An equivalent formulation of co using Dijkstra’s wp-calculus is: • pcoq   t :: wlp.t.q 

  8. The co operator has lower binding power than all arithmetic and predicate calculus operators. Thus, p  qcor  s should be interpreted as ( p  q ) co ( r  s ). • Examples of co. • “Once x is zero it remains zero until it becomes positive” can be represented as x = 0 cox 0. • “x never decreases” is equivalent to “if x has a certain value m, it continues to have that value until it exceeds m.” That is, x = mcox m.

  9. More examples of co. • “x may only be incremented” This means that in any step, either x retains its old value, say m, or x acquires the new value m+1. Using free variable m, x = mcox = m  x = m+1. • “A line in a delay-intensive circuit is held at its current value until it has been read.” Let x be the variable that denotes the line value and let y be the variable into which x’s value is read. Using free variable m, x = m  y  mcox = m  y = m.

  10. More examples of co. • “A message is received only if it has been sent.” There are two possible interpretations using sent and received • sent  receivedco received • sent  receivedco received  sent • “Variables x and y are never changed simultaneously.” Using free variables m and n, x,y = m,ncox = m  y = n

  11. Other Safety Operators • We define punlessq, for arbitrary predicates p and q, to mean that once p holds, it continues to hold as long as q does not.If p and q hold simultaneously, nothing can asserted about the next state. • This can be expressed formally as: •  t :: { p  q } t { p q } 

  12. Thus, punlessq p qcop q • Conversely, if p q, then pcoq  punless p  q. • To say that p can be falsified only if q holds as a pre-condition, we write: •  t :: { p  q } t { p }  or p  q cop • To express that once p holds it continues to hold until (p  q) holds, we write: •  t :: {p} t {p  (p q)}  or pcop  q

  13. Special Cases of co • Several special cases of co appear frequently in practice, so there are special names for these cases: • stablep pcop. • invariantp  initially p and stablep • constante  k :: stablee = k , where k is a free variable of the same type as e.

  14. There is a distinction between a predicate being an invariant and a predicate being always true. • Consider the following program: • program distinction • integer x,y := 0,0; • x, y = 0, x; • end • x = 0  y = 0 is an invariant, because it holds initially and { x = 0  y = 0 } x,y:=0,0 { y = 0 } • y = 0 is always true, but cannot be shown to be invariant, because y = 0 cannot be proven stable since { y = 0 } x,y:=0,0; { y = 0 } does not hold.

  15. Fixed Point • For a given program, once the fixed point predicate FP holds, further execution of the program will not change its state. • For a state in which FP does not hold, some execution of the program causes it to change state. • FP holds on termination.

  16. Computing the Fixed Point • Let i be of the form gi Ciand predicate biholds in exactly those states where the execution of Cihas no effect, then • FP  i :: gi  bi  • FP holds in any state where all gi are false.

  17. Computing bi • For an assignment statement x := e, the FP is x := e. Similarly, for multiple assignments; x,y := e,f , the FP is x,y := e,f. • However, for assignments that increment or decrement a single variable, i.e. x := x + 1, FP is false. • The FP of a conditional statement, ifbthenRelseSendif , is(b FR)  ( b FS) , where FR and Fs are the FP of R and S respectively.

  18. Example: • if bthenx := x+1elsex := -x endif • ( b  x = x +1 )  ( b x = -x ) • ( b  false )  (b x = 0 ) • b  (b x = 0 ) • b  x = 0

  19. Sequential composition poses a problem in computing FP. • The FP of R;S is not FR  FS . There may be additional states that do not satisfy FR  FS inwhich execution has no effect. • When computing the FP of R;S , the strategy is to transform R;S to an equivalent program that has no sequential composition.

  20. If the first component of a sequential composition is a conditional, then the desired transformation is: • ifbthenRelseSendif; T •  • ifbthenR ; TelseS ; Tendif;

  21. A similar transformation can be applied when the second component is a conditional: • R ; ifbthenSelseTendif; •  • ifbthenR ; SelseR ; Tendif; • Repeated application of these transformations results in a program where sequential composition is applied to assignment statements only.

  22. Elimination of sequential composition applied to assignment statements. • Note that x := e ; x := f is equivalent to x := f [ x := e ], where f [ x := e ] is the expression obtained from f by replacing every free occurrence of x by e. • For distinct variables, x and y • x := e; y := f is equivalent to x,y := e, f [ x := e ]

  23. In general, x := e; Y := f , where the second statement assigns to a list of variables is equivalent to: • If x is in Y, then Y := f [x:=e] • If x is not in Y, then x,Y := e, f [x :=e]

  24. For example, given •  i : 0  i  n : m = max(m, A[ i ])  • The FP is calculated as follows:   i : 0  i  n : m = max(m, A[ i ])    i : 0  i  n : m  A[ i ]  m  max i : 0  i  n : A[ i ] 

  25. Derived Rules • Basic Rules: All of these rules follow directly from facts about the predicate transformer wlp (Weakest liberal pre-conditions). • The weakestpre-condition of program s with respect to predicate q is written wp.s.q . A state satisfies wp.s.q iff starting an execution of s in that state results in a state that satisfies q.

  26. Thus { p } s { q } is the same as pwp.s.q • The notion of weakest liberal pre-condition (wlp) differs from the weakest pre-condition only when s is non-terminating. • wp.s is universally conjunctive and disjunctive. • wp.s.false false. • wp.s is monotonic, i.e. ( pq )  ( wp.s.p wp.s.q ).

  27. Basic Rules • Given p, q, p´,q´, and r are arbitrary predicates we can assert the following facts: • false cop • pco true • ( Conjunction, Disjunction ) • pcoq , p´co q´ • p p´ co q  q´ • p p´ co q  q´

  28. Corollaries of conjunction and disjunction • (LHS strengthening) Conjunction of rco true and pcoq, • pcoq • p rcoq • (RHS weakening) Disjunction of false cor and pcoq • pcoq • pcoq r

  29. Additionally, the co operator is transitive: • pcoq , qcor • pcor • However, it is NOT reflexive, i.e. pcop does not always hold. • Nor can we deduce a contrapositive, i.e. qco p cannot be deduced from pcoq.

  30. Rules for the Special Cases • Stable conjunction, stable disjunction: • pcoq, stabler • prcoqr • p rcoqr • A special case of the above is: • stablep, stableq • stable p q • stable p  q

  31. Invariant conjunction • invariantp, invariantq • invariantp q • Constant formation: Any expression built out of constants and free variables is a constant.

  32. Substitution Axiom • “An invariant may be replaced by true and vice versa in any property of a program.” • Given that invariant p and p q, we can establish invariant q as follows: • invariant p , given • invariant p  q , p  p  q since p q • invariant q , replace p with true (Axiom)

  33. Rational for Substitution Axiom • In the definition of pcoq, we interpreted { p } t { q } to mean that if action t is started in any state that satisfies p,q holds in the resulting state upon completion of t. • If we restrict the state space to the reachable states, it follows that every reachable state, by definition, satisfies every invariant. • In fact, the set of reachable states is the set of states that satisfy the strongest invariant.

  34. For action t in a program, we take { p } t { q } to mean that if t is started in any reachable state that satisfies p, the resulting reachable state satisfies q. • We prove { p } t { q } by showing, for some invariant J, p J  wlp.t.q • This is because the set of states that satisfy p J includes all reachable states that satisfy p. In particular, we can substitute true for J.

  35. Elimination Theorem • Free variables can be introduced in the LHS by strengthening and in the RHS by weakening, e.g. from pcoq we can deduce for program variable x and free variable m • p q = mcoq • pco q  x  m

  36. Free variables can be eliminated by taking conjunctions or disjunctions. • Let p be a predicate, x a program variable, and m a free variable of the same type as x. Let p[ x:=m ] be the predicate obtained by replacing all free occurrences of x by m in p. If p names no program variable other than x, then p[ x:=m ] has no program variable, so it is constant. In particular p[ x:=m ] is stable. We can observe that p m :: p[ x:=m ]  x = m .

  37. Elimination Theorem: • x = mcoq, where m is free and • p names neither m nor any • program variable other than x. • pco m :: p[ x:=m ]  q  • Proof: • x = mcoq • p[ x:=m ]  x = mcop[ x:=m ]  q •  m :: p[ x:=m ]  x = m  co  m :: p[ x:=m ]  q  • p   m :: p[ x:=m ]  x = m  • p co  m :: p[ x:=m ]  q 

  38. The consequence of the elimination theorem can be written as • p co  m :: p[ x:=m ] : q  • The elimination theorem can be applied where x is a list of variables, as in the following example: • Given u,v = m,ncou,v = m,n  (m > n  u,v= m-1, n), we show that stableu v. Using p u v in the elimination theorem we have: • u vco m,n :: (m>n)  (u,v = m,n   m > n  u,v= m-1, n )  •  m,n :: u v u v  • u v

  39. Properties & Predicates • Given that p and q are predicates, pcoq is a property. • Therefore it is incorrect to view a property as a predicates, e.g. • p ( qcor ) { Wrong !! }

  40. We use the following logic symbols , ,  in the combining properties with the following interpretation: • For properties  and ,    holds in a program p provided that both  and  can be inferred as a property of p. • Property    holds in a program p if by taking  as an additional premise,  can be inferred as a property of p. •    holds whenever    and   

  41. Consider a program over integer variables x and y whose actions are shown below. (There is no fairness in the program execution). • x,y := x + 1, y + 1  x,y := x – 1, y – 1 • It is possible to show that x ascending  y ascending, or more formally: •  m :: stablex  m   n :: stabley n

  42. Applications • We apply our theory to several small problems. In each case, we convert an informal description to a set of co-properties, apply some of the manipulation rules discussed previously, and interpret the derived results. • Refer to book ( pg 105 – 133 ).

  43. Non-operational descriptions of algorithms. • It is often preferable to describe an algorithm by its properties rather than programmatically. This approach has several advantages: • We can express a family of algorithms by one set of properties. • It is easier to prove facts about an algorithm from its properties than its code. • It is easier to understand an algorithm from its properties than its code.

  44. The typical algorithm to compute the maximum value v of a nonempty finite set S of integers is: • (1) Initially assign a small value to v, such as - . • (2) Scan the elements of S, updating v whenever the scanned element has a larger value than v.

  45. Instead of expressing this algorithm in the notation of a programming language, we can describe it by it properties as follows: • initiallyv = -  • v = mco v = m ( v  S  v > m ) • The co-property says that v is changed only to a higher value that is also in S. • This description ignores the order in which the elements are scanned, leaving numerous possibilities for implementation.

  46. Now we can deduce several properties of the algorithm. • (1) v is nondecreasing, i.e. for any n, stable v n. • (2) v never exceeds the maximum of S, i.e., invariantv M, where M = max x : x  S : x. • (3) Once v is in S, it remains in S, i.e., stable v  S.

  47. Proof of invariantv M • initially v = - ; hence initiallyv  M • - Using the elimination theorem: v=mcov=m  (v  S  v > m), we establish: • v  M co  m :: (m  M  v = m)  (m M v  S  v > m) • - Weakening each disjunct yields •  m :: v  M  v  S  • v  M  v  S { simplification } • v  M {v  S  v  M , from the definition of M }

  48. Application : Token Ring • A process is in one of three states: waiting to transmit (hungry), transmitting (eating), or neither of the above (thinking). • An eating process can only transit to thinking. • A thinking process can only transit to hungry. • A hungry process can transition only to eating. • A hungry process remains hungry as long as it does not hold the token. • The process holding the token relinquishes it only if it becomes non-eating.

  49. Notation: We writeti to denote that process i is thinking; similarly hi and ei stand for hungry and eating respectively. • The position of the token is in variable p, thus pi denotes the process p holds the token. • initiallyei p = I (TR0) • eicoei ti (TR1) • ti co ti  hi(TR2) • hicohi ei (TR3) • hi p  ico hi(TR4) • p = i co p = i   ei (TR5)

  50. The expression that at most one eating process cam be expressed by the invariant  i , j :: ei  ej  i = j  • This result can be shown by proving that an eating process holds the token: • ei  ej ,given • p = i  p = j ,from ei p = i and ej p = j • i = j ,predicate calculus

More Related