# Spring 2014 Program Analysis and Verification Lecture 6: Axiomatic Semantics III

##### Presentation Transcript

1. Spring 2014, Program Analysis and Verification, Lecture 6: Axiomatic Semantics III. Roman Manevich, Ben-Gurion University

2. Syllabus

3. Previously
   - Hoare logic
   - Inference system
   - Annotated programs
   - Soundness and completeness
   - Weakest precondition calculus

4. Axiomatic semantics for While
   - $[\text{ass}_p]$: $\{ P[a/x] \}\; x := a\; \{ P \}$
   - $[\text{skip}_p]$: $\{ P \}\; \mathtt{skip}\; \{ P \}$
   - $[\text{comp}_p]$: from $\{ P \}\, S_1\, \{ Q \}$ and $\{ Q \}\, S_2\, \{ R \}$ infer $\{ P \}\; S_1; S_2\; \{ R \}$
   - $[\text{if}_p]$: from $\{ b \wedge P \}\, S_1\, \{ Q \}$ and $\{ \neg b \wedge P \}\, S_2\, \{ Q \}$ infer $\{ P \}\; \mathtt{if}\ b\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2\; \{ Q \}$
   - $[\text{while}_p]$: from $\{ b \wedge P \}\, S\, \{ P \}$ infer $\{ P \}\; \mathtt{while}\ b\ \mathtt{do}\ S\; \{ \neg b \wedge P \}$
   - $[\text{cons}_p]$: from $\{ P' \}\, S\, \{ Q' \}$ infer $\{ P \}\, S\, \{ Q \}$, if $P \Rightarrow P'$ and $Q' \Rightarrow Q$

5. Weakest precondition calculus

6. Weakest liberal precondition. A backward-going predicate transformer. The weakest liberal precondition for $Q$ is $\mathit{wlp}(C, Q)$: $\sigma \models \mathit{wlp}(C, Q)$ if and only if for all states $\sigma'$, if $\langle C, \sigma \rangle \to \sigma'$ then $\sigma' \models Q$. Propositions:
   - $\vdash_p \{ \mathit{wlp}(C, Q) \}\; C\; \{ Q \}$
   - If $\vdash_p \{ P \}\; C\; \{ Q \}$ then $P \Rightarrow \mathit{wlp}(C, Q)$

7. Weakest liberal precondition. (Diagram, labels only: $Q$, $\mathit{wlp}(C, Q)$, $C(\mathit{wlp}(C, Q))$, $P$, $C$, $C(P)$; running $C$ from states in $\mathit{wlp}(C, Q)$ ends inside $Q$.) A backward-going predicate transformer. The weakest liberal precondition for $Q$ is $\mathit{wlp}(C, Q)$: $\sigma \models \mathit{wlp}(C, Q)$ if and only if for all states $\sigma'$, if $\langle C, \sigma \rangle \to \sigma'$ then $\sigma' \models Q$.

8. Strongest postcondition. A forward-going predicate transformer. The strongest postcondition for $P$ is $\mathit{sp}(P, C)$: $\sigma' \models \mathit{sp}(P, C)$ if and only if there exists $\sigma$ such that $\sigma \models P$ and $\langle C, \sigma \rangle \to \sigma'$. Propositions:
   - $\vdash_p \{ P \}\; C\; \{ \mathit{sp}(P, C) \}$
   - If $\vdash_p \{ P \}\; C\; \{ Q \}$ then $\mathit{sp}(P, C) \Rightarrow Q$

9. Calculating weakest preconditions. (Image: by Vadim Plessky, http://svgicons.sourceforge.net/, see page for license, via Wikimedia Commons.)

10. Calculating wlp
   - $\mathit{wlp}(\mathtt{skip}, Q) = Q$
   - $\mathit{wlp}(x := a, Q) = Q[a/x]$
   - $\mathit{wlp}(S_1; S_2, Q) = \mathit{wlp}(S_1, \mathit{wlp}(S_2, Q))$
   - $\mathit{wlp}(\mathtt{if}\ b\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2, Q) = (b \Rightarrow \mathit{wlp}(S_1, Q)) \wedge (\neg b \Rightarrow \mathit{wlp}(S_2, Q))$
   - $\mathit{wlp}(\mathtt{while}\ b\ \mathtt{do}\ S, Q) = \ldots$ ? hard to capture

11. Calculating the wlp of a loop
   - Idea: we know the following statements are semantically equivalent: $\mathtt{while}\ b\ \mathtt{do}\ S$ and $\mathtt{if}\ b\ \mathtt{then}\ (S;\ \mathtt{while}\ b\ \mathtt{do}\ S)\ \mathtt{else}\ \mathtt{skip}$.
   - Let’s try to substitute and calculate:

$$\begin{array}{rl}
\mathit{wlp}(\mathtt{while}\ b\ \mathtt{do}\ S, Q) &= \mathit{wlp}(\mathtt{if}\ b\ \mathtt{then}\ (S;\ \mathtt{while}\ b\ \mathtt{do}\ S)\ \mathtt{else}\ \mathtt{skip}, Q) \\
&= (b \Rightarrow \mathit{wlp}(S;\ \mathtt{while}\ b\ \mathtt{do}\ S, Q)) \wedge (\neg b \Rightarrow \mathit{wlp}(\mathtt{skip}, Q)) \\
&= (b \Rightarrow \mathit{wlp}(S, \mathit{wlp}(\mathtt{while}\ b\ \mathtt{do}\ S, Q))) \wedge (\neg b \Rightarrow Q)
\end{array}$$

$\mathit{LoopInv} = (b \Rightarrow \mathit{wlp}(S, \mathit{LoopInv})) \wedge (\neg b \Rightarrow Q)$

12. Another variant for WP of loops. Parametric in the loop invariant: $\mathit{wlp}(\mathtt{while}\ b\ \mathtt{do}\ \{\mathit{Inv}\}\ S,\ Q) = \mathit{Inv}$, where $\{ b \wedge \mathit{Inv} \}\, S\, \{ \mathit{Inv} \}$ and $\neg b \wedge \mathit{Inv} \Rightarrow Q$.

13. Variable swap program – specify: $\{\, ?\,\}\; t := x;\; x := y;\; y := t\; \{\, ?\,\}$

14. Prove using weakest precondition

$$\begin{array}{l}
\{\, y=b \wedge x=a \,\} \\
t := x \\
\{\, ?\,\} \\
x := y \\
\{\, ?\,\} \\
y := t \\
\{\, x=b \wedge y=a \,\}
\end{array}$$

15. Prove using weakest precondition

$$\begin{array}{l}
\{\, y=b \wedge x=a \,\} \\
t := x \\
\{\, y=b \wedge t=a \,\} \\
x := y \\
\{\, x=b \wedge t=a \,\} \\
y := t \\
\{\, x=b \wedge y=a \,\}
\end{array}$$

16. Absolute value program: $\mathtt{if}\ x<0\ \mathtt{then}\ x := -x\ \mathtt{else}\ \mathtt{skip}$. The form $\mathtt{if}\ b\ \mathtt{then}\ S$ is syntactic sugar for $\mathtt{if}\ b\ \mathtt{then}\ S\ \mathtt{else}\ \mathtt{skip}$; the latter form is easier to reason about.

17. Absolute value program – specify: $\{\, ?\,\}\; \mathtt{if}\ x<0\ \mathtt{then}\ x := -x\ \mathtt{else}\ \mathtt{skip}\; \{\, ?\,\}$

18. Absolute value program – specify: $\{\, x=v \,\}\; \mathtt{if}\ x<0\ \mathtt{then}\ x := -x\ \mathtt{else}\ \mathtt{skip}\; \{\, x=|v| \,\}$

19. Prove using weakest precondition

$$\begin{array}{l}
\{\, x=v \,\} \\
\{\ \} \\
\mathtt{if}\ x<0\ \mathtt{then} \\
\quad \{\ \}\ x := -x\ \{\ \} \\
\mathtt{else} \\
\quad \{\ \}\ \mathtt{skip}\ \{\ \} \\
\{\, x=|v| \,\}
\end{array}$$

20. Prove using weakest precondition

$$\begin{array}{l}
\{\, x=v \,\} \\
\{\, (-x=|v| \wedge x<0) \vee (x=|v| \wedge x \geq 0) \,\} \\
\mathtt{if}\ x<0\ \mathtt{then} \\
\quad \{\, -x=|v| \,\}\ x := -x\ \{\, x=|v| \,\} \\
\mathtt{else} \\
\quad \{\, x=|v| \,\}\ \mathtt{skip}\ \{\, x=|v| \,\} \\
\{\, x=|v| \,\}
\end{array}$$

21. Making the proof system more practical

22. Conjunction rule. $[\text{conj}_p]$: from $\{ P \}\, S\, \{ Q \}$ and $\{ P' \}\, S\, \{ Q' \}$ infer $\{ P \wedge P' \}\, S\, \{ Q \wedge Q' \}$. Allows breaking up proofs into smaller, easier to manage sub-proofs.

23. More useful rules
   - $[\text{disj}_p]$: from $\{ P \}\, C\, \{ Q \}$ and $\{ P' \}\, C\, \{ Q' \}$ infer $\{ P \vee P' \}\, C\, \{ Q \vee Q' \}$ (annotation on the slide: breaks if $C$ is non-deterministic)
   - $[\text{exist}_p]$: from $\{ P \}\, C\, \{ Q \}$ infer $\{ \exists v.\, P \}\, C\, \{ \exists v.\, Q \}$, if $v \notin FV(C)$
   - $[\text{univ}_p]$: from $\{ P \}\, C\, \{ Q \}$ infer $\{ \forall v.\, P \}\, C\, \{ \forall v.\, Q \}$, if $v \notin FV(C)$
   - $[\text{Inv}_p]$: $\{ F \}\, C\, \{ F \}$, if $\mathit{Mod}(C) \cap FV(F) = \emptyset$
   - $\mathit{Mod}(C)$ = set of variables assigned to in sub-statements of $C$; $FV(F)$ = free variables of $F$

24. Invariance + Conjunction = Constancy. $[\text{constancy}_p]$: from $\{ P \}\, C\, \{ Q \}$ infer $\{ F \wedge P \}\, C\, \{ F \wedge Q \}$, if $\mathit{Mod}(C) \cap FV(F) = \emptyset$. $\mathit{Mod}(C)$ = set of variables assigned to in sub-statements of $C$; $FV(F)$ = free variables of $F$.

25. Today
   - Strongest postcondition
   - Extension for memory
   - Proving termination

26. Strongest postcondition calculus. (Image: by Vadim Plessky, http://svgicons.sourceforge.net/, see page for license, via Wikimedia Commons.)

27. Floyd’s strongest postcondition rule. $[\text{ass}_{Floyd}]$: $\{ P \}\; x := a\; \{ \exists v.\, x=a[v/x] \wedge P[v/x] \}$, where $v$ is a fresh variable (the value of $x$ in the pre-state). Example: $\{ z=x \}\; x := x+1\; \{\, ?\,\}$. This rule is often considered problematic because it introduces a quantifier, which needs to be eliminated further on. We will now see a variant of this rule.

28. Floyd’s strongest postcondition rule. $[\text{ass}_{Floyd}]$: $\{ P \}\; x := a\; \{ \exists v.\, x=a[v/x] \wedge P[v/x] \}$, where $v$ is a fresh variable. Example: $\{ z=x \}\; x := x+1\; \{ \exists v.\, x=v+1 \wedge z=v \}$, meaning $\{ x=z+1 \}$. This rule is often considered problematic because it introduces a quantifier, which needs to be eliminated further on. We will now see a variant of this rule.

29. “Small” assignment axiom. First evaluate $a$ in the precondition state (as $a$ may access $x$); create an explicit Skolem variable in the precondition; then assign the resulting value to $x$. $[\text{ass}_{floyd}]$: $\{ x=v \}\; x := a\; \{ x=a[v/x] \}$, where $v \notin FV(a)$. Examples:
   - $\{ x=n \}\; x := 5*y\; \{ x=5*y \}$
   - $\{ x=n \}\; x := x+1\; \{ x=n+1 \}$
   - $\{ x=n \}\; x := y+1\; \{ x=y+1 \}$
   - $[\text{exist}_p]$: $\{ \exists n.\, x=n \}\; x := y+1\; \{ \exists n.\, x=y+1 \}$, therefore $\{ \mathit{true} \}\; x := y+1\; \{ x=y+1 \}$
   - $[\text{constancy}_p]$: $\{ z=9 \}\; x := y+1\; \{ z=9 \wedge x=y+1 \}$

33. Calculating sp
   - $\mathit{sp}(\mathtt{skip}, P) = P$
   - $\mathit{sp}(x := a, P) = \exists v.\, x=a[v/x] \wedge P[v/x]$
   - $\mathit{sp}(S_1; S_2, P) = \mathit{sp}(S_2, \mathit{sp}(S_1, P))$
   - $\mathit{sp}(\mathtt{if}\ b\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2, P) = \mathit{sp}(S_1, b \wedge P) \vee \mathit{sp}(S_2, \neg b \wedge P)$
   - $\mathit{sp}(\mathtt{while}\ b\ \mathtt{do}\ \{\mathit{Inv}\}\ S, P) = \mathit{Inv} \wedge \neg b$, where $\{ b \wedge \mathit{Inv} \}\, S\, \{ \mathit{Inv} \}$ and $P \Rightarrow \mathit{Inv}$

34. Prove using strongest postcondition

$$\begin{array}{l}
\{\, x=a \wedge y=b \,\} \\
t := x \\
x := y \\
y := t \\
\{\, x=b \wedge y=a \,\}
\end{array}$$

35. Prove using strongest postcondition (intermediate step of the proof completed on slide 37)

36. Prove using strongest postcondition (intermediate step of the proof completed on slide 37)

37. Prove using strongest postcondition

$$\begin{array}{l}
\{\, x=a \wedge y=b \,\} \\
t := x \\
\{\, x=a \wedge y=b \wedge t=a \,\} \\
x := y \\
\{\, x=b \wedge y=b \wedge t=a \,\} \\
y := t \\
\{\, x=b \wedge y=a \wedge t=a \,\} \\
\{\, x=b \wedge y=a \,\} \quad \text{// cons}
\end{array}$$

38. Prove using strongest postcondition

$$\begin{array}{l}
\{\, x=v \,\} \\
\mathtt{if}\ x<0\ \mathtt{then} \\
\quad \{\, x=v \wedge x<0 \,\}\ x := -x\ \{\, x=-v \wedge x>0 \,\} \\
\mathtt{else} \\
\quad \{\, x=v \wedge x \geq 0 \,\}\ \mathtt{skip}\ \{\, x=v \wedge x \geq 0 \,\} \\
\{\, (v<0 \wedge x=-v) \vee (v \geq 0 \wedge x=v) \,\} \\
\{\, x=|v| \,\}
\end{array}$$

40. Sum program – specify. Background axiom: define $\mathit{Sum}(0, n) = 0+1+\dots+n$; $x=\mathit{Sum}(0, n) \wedge y=n+1 \Rightarrow x+y=\mathit{Sum}(0, n+1)$.

$$\begin{array}{l}
\{\, ?\,\} \\
x := 0 \\
\mathit{res} := 0 \\
\mathtt{while}\ (x<y)\ \mathtt{do} \\
\quad \mathit{res} := \mathit{res}+x \\
\quad x := x+1 \\
\{\, ?\,\}
\end{array}$$

41. Sum program – specify. Background axiom: define $\mathit{Sum}(0, n) = 0+1+\dots+n$; $x=\mathit{Sum}(0, n) \wedge y=n+1 \Rightarrow x+y=\mathit{Sum}(0, n+1)$.

$$\begin{array}{l}
\{\, y \geq 0 \,\} \\
x := 0 \\
\mathit{res} := 0 \\
\mathtt{while}\ (x<y)\ \mathtt{do} \\
\quad \mathit{res} := \mathit{res}+x \\
\quad x := x+1 \\
\{\, \mathit{res} = \mathit{Sum}(0, y) \,\}
\end{array}$$

42. Sum program – prove (intermediate step; the completed proof is slide 49)

43. Sum program – prove (intermediate step; the completed proof is slide 49)

44. Sum program – prove (intermediate step; the completed proof is slide 49)

45. Sum program – prove (intermediate step; the completed proof is slide 49)

46. Sum program – prove (intermediate step; the completed proof is slide 49)

47. Sum program – prove (intermediate step; the completed proof is slide 49)

48. Sum program – prove (intermediate step; the completed proof is slide 49)

49. Sum program – prove. Background axiom: define $\mathit{Sum}(0, n) = 0+1+\dots+n$; $x=\mathit{Sum}(0, n) \wedge y=n+1 \Rightarrow x+y=\mathit{Sum}(0, n+1)$.

$$\begin{array}{l}
\{\, y \geq 0 \,\} \\
x := 0 \\
\{\, y \geq 0 \wedge x=0 \,\} \\
\mathit{res} := 0 \\
\{\, y \geq 0 \wedge x=0 \wedge \mathit{res}=0 \,\} \\
\mathit{Inv} = \{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \wedge x \leq y \,\} \\
\mathtt{while}\ (x<y)\ \mathtt{do} \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m \wedge x=n \wedge n \leq y \wedge m=\mathit{Sum}(0, n) \wedge x<y \,\} \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m \wedge x=n \wedge m=\mathit{Sum}(0, n) \wedge n<y \,\} \\
\quad \mathit{res} := \mathit{res}+x \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m+x \wedge x=n \wedge m=\mathit{Sum}(0, n) \wedge n<y \,\} \\
\quad x := x+1 \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m+x \wedge x=n+1 \wedge m=\mathit{Sum}(0, n) \wedge n<y \,\} \\
\quad \{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \wedge x=n+1 \wedge n<y \,\} \quad \text{// sum axiom} \\
\quad \{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \wedge x \leq y \,\} \quad \text{// cons} \\
\{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \wedge x \leq y \wedge x \geq y \,\} \\
\{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, y) \wedge x=y \,\} \\
\{\, \mathit{res} = \mathit{Sum}(0, y) \,\}
\end{array}$$

50. Buggy sum program

$$\begin{array}{l}
\{\, y \geq 0 \,\} \\
x := 0 \\
\{\, y \geq 0 \wedge x=0 \,\} \\
\mathit{res} := 0 \\
\{\, y \geq 0 \wedge x=0 \wedge \mathit{res}=0 \,\} \\
\mathit{Inv} = \{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \,\} = \{\, y \geq 0 \wedge \mathit{res}=m \wedge x=n \wedge m=\mathit{Sum}(0, n) \,\} \\
\mathtt{while}\ (x \leq y)\ \mathtt{do} \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m \wedge x=n \wedge m=\mathit{Sum}(0, n) \wedge x \leq y \wedge n \leq y \,\} \\
\quad x := x+1 \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m \wedge x=n+1 \wedge m=\mathit{Sum}(0, n) \wedge n \leq y \,\} \\
\quad \mathit{res} := \mathit{res}+x \\
\quad \{\, y \geq 0 \wedge \mathit{res}=m+x \wedge x=n+1 \wedge m=\mathit{Sum}(0, n) \wedge n \leq y \,\} \\
\quad \{\, y \geq 0 \wedge \mathit{res}-x=\mathit{Sum}(0, x-1) \wedge n \leq y \,\} \\
\quad \{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \,\} \\
\{\, y \geq 0 \wedge \mathit{res}=\mathit{Sum}(0, x) \wedge x>y \,\} \\
\{\, \mathit{res} = \mathit{Sum}(0, y) \,\}
\end{array}$$
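As an added worked example (not code from the lecture), the following Python implements the wlp rules of slides 10 and 12, the sp rules of slides 27 and 33 (Floyd's rule with the existential quantifier), and checks the swap and absolute-value proofs of slides 15, 20, 28, 37 and 38 together with the verification conditions of the buggy sum program on slide 50. Its assumptions: predicates and expressions are Python functions over a state dictionary, "for all states" is an enumeration over a small bounded integer domain (so the check is a bounded model check, not a proof), and $\mathit{Sum}(0, n)$ is taken as the closed form $n(n+1)/2$, which agrees with the slides' definition for $n \geq 0$ and with their background axiom for every integer $n$.

```python
"""Predicate transformers for the lecture's While language, checked by enumerating a small
integer domain.  Added example, not code from the lecture.  Assumptions: predicates and
expressions are Python functions over a state (dict: variable -> int); logical variables
such as a, b, v are ordinary state entries, so "for all states" is a finite enumeration
over DOMAIN; loops carry a user-supplied invariant and yield verification conditions (VCs)
instead of a fixpoint, as in slides 12 and 33."""
from itertools import product

DOMAIN = range(-2, 3)  # bounded values; large enough for the programs below

def Assign(x, a): return ("assign", x, a)
def Seq(*ss): return ("seq",) + ss
def If(b, s1, s2=("skip",)): return ("if", b, s1, s2)  # "if b then S" means "else skip" (slide 16)
def While(b, inv, s): return ("while", b, inv, s)

def update(s, x, val):
    t = dict(s); t[x] = val; return t

def implies(P, Q):
    return lambda s: (not P(s)) or Q(s)

def valid(P, names):
    """None if P holds in every DOMAIN state over names, else a counterexample state."""
    for vals in product(DOMAIN, repeat=len(names)):
        s = dict(zip(names, vals))
        if not P(s): return s
    return None

def wlp(S, Q, vcs):
    """Weakest liberal precondition (slide 10); loop VCs (slide 12) are appended to vcs."""
    kind = S[0]
    if kind == "skip":   return Q
    if kind == "assign": return lambda s: Q(update(s, S[1], S[2](s)))    # Q[a/x]
    if kind == "seq":                                                    # wlp(S1, wlp(S2, Q))
        for sub in reversed(S[1:]): Q = wlp(sub, Q, vcs)
        return Q
    if kind == "if":                                                     # b ? wlp(S1, Q) : wlp(S2, Q)
        b, w1, w2 = S[1], wlp(S[2], Q, vcs), wlp(S[3], Q, vcs)
        return lambda s: w1(s) if b(s) else w2(s)
    b, inv, body = S[1], S[2], S[3]
    wb = wlp(body, inv, vcs)
    vcs.append(("preserve", implies(lambda s: b(s) and inv(s), wb)))   # {b and inv} S {inv}
    vcs.append(("exit", implies(lambda s: inv(s) and not b(s), Q)))    # inv and not b => Q
    return inv

def sp(S, P, vcs):
    """Strongest postcondition (slide 33); Floyd's rule (slide 27) quantifies v over DOMAIN."""
    kind = S[0]
    if kind == "skip":   return P
    if kind == "assign":                                                 # exists v. x=a[v/x] and P[v/x]
        x, a = S[1], S[2]
        return lambda s: any(s[x] == a(update(s, x, v)) and P(update(s, x, v)) for v in DOMAIN)
    if kind == "seq":                                                    # sp(S2, sp(S1, P))
        for sub in S[1:]: P = sp(sub, P, vcs)
        return P
    if kind == "if":                                                     # sp(S1, b and P) or sp(S2, not b and P)
        b = S[1]
        p1 = sp(S[2], lambda s: b(s) and P(s), vcs)
        p2 = sp(S[3], lambda s: not b(s) and P(s), vcs)
        return lambda s: p1(s) or p2(s)
    b, inv, body = S[1], S[2], S[3]
    sb = sp(body, lambda s: b(s) and inv(s), vcs)
    vcs.append(("init", implies(P, inv)))                                # P => inv
    vcs.append(("preserve", implies(sb, inv)))                           # sp(S, b and inv) => inv
    return lambda s: inv(s) and not b(s)

# The lecture's programs; a, b, v, m, n are logical variables; Sum is the closed form of 0+1+...+n
SWAP = Seq(Assign("t", lambda s: s["x"]), Assign("x", lambda s: s["y"]), Assign("y", lambda s: s["t"]))
ABS = If(lambda s: s["x"] < 0, Assign("x", lambda s: -s["x"]))

def Sum(n):  # also satisfies the slides' background axiom Sum(0,n) + (n+1) = Sum(0,n+1) for every n
    return n * (n + 1) // 2

BUGGY_SUM = Seq(Assign("x", lambda s: 0), Assign("res", lambda s: 0),         # slide 50
    While(lambda s: s["x"] <= s["y"],
          lambda s: s["y"] >= 0 and s["res"] == Sum(s["x"]),                  # Inv from slide 50
          Seq(Assign("x", lambda s: s["x"] + 1), Assign("res", lambda s: s["res"] + s["x"]))))

def check_swap():
    """Slides 15 and 37: wlp(SWAP, x=b and y=a) equals y=b and x=a; sp(SWAP, x=a and y=b) implies the post."""
    pre = lambda s: s["x"] == s["a"] and s["y"] == s["b"]
    post = lambda s: s["x"] == s["b"] and s["y"] == s["a"]
    names = ["x", "y", "t", "a", "b"]
    w, p = wlp(SWAP, post, []), sp(SWAP, pre, [])
    return valid(lambda s: w(s) == pre(s), names) is None, valid(implies(p, post), names) is None

def check_abs():
    """Slides 20 and 38: {x=v} ABS {x=|v|}, established with wlp and with sp."""
    pre, post = (lambda s: s["x"] == s["v"]), (lambda s: s["x"] == abs(s["v"]))
    w, p = wlp(ABS, post, []), sp(ABS, pre, [])
    return valid(implies(pre, w), ["x", "v"]) is None, valid(implies(p, post), ["x", "v"]) is None

def check_floyd():
    """Slide 28: sp(x := x+1, z=x) is equivalent to x=z+1."""
    p = sp(Assign("x", lambda s: s["x"] + 1), lambda s: s["z"] == s["x"], [])
    return valid(lambda s: p(s) == (s["x"] == s["z"] + 1), ["x", "z"]) is None

def check_buggy_sum():
    """Slide 50: VCs of {y>=0} BUGGY_SUM {res = Sum(0,y)}; value None means the VC holds."""
    vcs = []
    w = wlp(BUGGY_SUM, lambda s: s["res"] == Sum(s["y"]), vcs)
    vcs.append(("entry", implies(lambda s: s["y"] >= 0, w)))                  # pre => wlp(program, post)
    return {name: valid(vc, ["x", "y", "res"]) for name, vc in vcs}
```

Calling `check_swap()`, `check_abs()` and `check_floyd()` returns true results for every check, while `check_buggy_sum()` reports that the entry and preservation conditions hold and only the exit condition has a counterexample (for instance $x=1$, $y=0$, $\mathit{res}=1$): the invariant of slide 50 is kept by the loop body, but $\mathit{Inv} \wedge x>y$ does not give $\mathit{res}=\mathit{Sum}(0,y)$, which is exactly where the annotated proof on the slide can no longer be closed.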