1 / 50

Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I

Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University. Syllabus. Today. Basic concepts of correctness Axiomatic semantics (pages 175-183) Hoare Logic Properties of the semantics Weakest precondition. program correctness.

melora
Télécharger la présentation

Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spring 2014Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University

  2. Syllabus

  3. Today • Basic concepts of correctness • Axiomatic semantics (pages 175-183) • Hoare Logic • Properties of the semantics • Weakest precondition

  4. program correctness

  5. Program correctness concepts Main focus of this course partial correctness + termination = total correctness Other correctness concepts exist: liveness, resource usage, … • Property = a certain relationship between initial state and final state • Partial correctness = properties that holdif program terminates • Termination = program always terminates • i.e., for every input state

  6. Factorial example Sfacy := 1; while (x=1) do (y := y*x; x := x–1) Sfac,   ’ implies ’ y = (x)! • Factorial partial correctness property =if the statement terminates then the final value of y will be the factorial of the initial value of x • What if  x < 0? • Formally, using natural semantics: …?

  7. Verifying factorial with natural semantics

  8. Natural semantics for While x:= a,  [x Aa] [assns] skip,  [skipns] S1, ’, S2, ’’’S1; S2, ’’ [compns] S2, ’ if bthenS1elseS2, ’ S,  ’, while bdoS, ’’’while bdoS, ’’ S1, ’ if bthenS1elseS2, ’ while bdoS,    • if B b  = tt • if B b  = ff • if B b  = tt • if B b  = ff [whilettns] [ifttns] [whileffns] [ifffns]

  9. Staged proof

  10. Stages s y  (s x)! = s’’ y  (s’’ x)!  s x > 0 s s’’ y := y*x; x := x–1 s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0 s s’’ while (x=1) do (y := y*x; x := x–1) s’ y = (s x)!  s x > 0 s s’ y := 1; while (x=1) do (y := y*x; x := x–1)

  11. Inductive proof over iterations s y  (s x)! = s’ y  (s’ x)!  s x > 0 s s’ (y := y*x; x := x–1) s’ s’’ while (x=1) do (y := y*x; x := x–1) s’ y  (s’ x)! = s’’ y  (s’’ x)!  s’’x = 1  s’ x > 0 s s’’ while (x=1) do (y := y*x; x := x–1) s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0

  12. First stage

  13. Second stage

  14. while (x=1) do (y := y*x; x := x–1),s  s’

  15. Third stage

  16. How easy was that? • Proof is very laborious • Need to connect all transitions and argues about relationships between their states • Reason: too closely connected to semantics of programming language • Proof is long • Makes it hard to find possible mistakes • How did we know to find this proof? • Is there a methodology?

  17. I’ll use operational semantics Can you prove my program correct? Better use axiomatic verification

  18. A systematic approachto program verification

  19. Axiomatic verification approach • Specify the required behavior • Compare the behavior with the one obtained by the operational semantics • Develop a proof system for showing that the program satisfies a requirement • Mechanically use the proof system to show correctness • What do we need in order to prove that the program does what it supposed to do?

  20. Axiomatic semantics contributors Robert Floyd Edsger W. Dijkstra C.A.R. Hoare 1967: use assertionsas foundationfor static correctness proofs 1969: use Floyd’s ideasto define axiomatic semantics“An axiomatic basis for computer programming” Predicate transformersemantics: weakest precondition and strongest postcondition

  21. Assertions, a.k.aHoare triples { P } C { Q } statementa.k.a command precondition postcondition • P and Q are state predicates • Example: x>0 • IfP holds in the initial state, andif execution of C terminates on that state,thenQ will hold in the state in which C halts • C is not required to always terminate {true} while true do skip {false}

  22. Total correctness assertions [ P ] C [ Q ] IfP holds in the initial state,execution of Cmust terminate on that state,andQ will hold in the state in which C halts

  23. Specifying correctnessof factorial

  24. Factorial example:specify precondition/postcondition { ? }y := 1; while (x=1) do (y := y*x; x := x–1){ ? }

  25. First attempt We need a way to “remember” value of x before execution { x>0 }y := 1; while (x=1) do (y := y*x; x := x–1){ y=x! } Holds only for value of x at state after execution finishes

  26. Fixed assertion A logical variable, must not appear in statement - immutable { x=n }y := 1; while (x=1) do (y := y*x; x := x–1){ y=n! n>0 }

  27. The proof outline Backgroundaxiom {n!*(n+1)= (n+1)! } { x=n } y := 1;{ x>0  y*x!=n!  nx} while (x=1) do{ x-1>0  (y*x)*(x-1)!=n!  n(x-1) } y := y*x;{ x-1>0  y*(x-1)!=n!  n(x-1) } x := x–1{ y*x!=n!  n>0  x=1}

  28. Formalizing partial correctness via hoare logic

  29. States and predicates  P  •  – program states – undefined • A state predicate Pis a (possibly infinite) setof states •  P • Pholds in state 

  30. Formalizing Hoare triples Q P C(P)  C ’ ’ if C,  ’ else SnsC  = Why did we choose natural semantics? • { P } C { Q } • , ’  . (P  C, ’)  ’Qalternatively •  . (P  SnsC )  SnsCQ • Convention:  P for all P . P  SnsCQ

  31. Formalizing Hoare triples Q P C(P)  C ’ ’ if C,  ’ else SnsC  = • { P } C { Q } • , ’  . (P  C, *’)  ’Qalternatively •  . (P  SsosC )  SsosCQ • Convention:  P for all P . P  SsosCQ

  32. How do we express predicates? • Extensional approach • Abstract mathematical functionsP : State {tt, ff} • Intensional approach • via language of formulae

  33. An assertion language • Bexp is not expressive enough to express predicates needed for many proofs • Extend Bexp • Allow quantification • z. … • z. … • z. z = kn • Import well known mathematical concepts • n! n  (n-1)   2  1

  34. An assertion language Either a program variablesor a logical variable a ::= n | x | a1+a2 | a1a2 | a1–a2 A ::=true|false|a1=a2|a1a2|A|A1A2 |A1A2|A1A2 |z. A| z.A

  35. SomeFO logic definitionsbefore we get to the rules

  36. Free/bound variables • A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free • i. k=im • (i+10077)i. j+1=i+3) • FV(A)  the free variables of A • Defined inductively on the abstract syntax tree of A

  37. Free variables FV(n)  {}FV(x)  {x}FV(a1+a2) FV(a1a2) FV(a1-a2) FV(a1)  FV(a2) FV(true) FV(false) {}FV(a1=a2) FV(a1a2) FV(a1)  FV(a2)FV(A) FV(A)FV(A1A2) FV(A1A2) FV(A1 A2) FV(a1)  FV(a2) FV(z. A) FV(z. A) FV(A) \ {z}

  38. Substitution What if t is not pure? • An expression t is pure (a term) if it does not contain quantifiers • A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t • A i. k=imA[5/k] = …? A[5/i] = …?

  39. Calculating substitutions n[t/z] =nx[t/z] =xx[t/x] =t(a1+ a2)[t/z] = a1[t/z] + a2[t/z](a1 a2)[t/z] = a1[t/z]  a2[t/z](a1- a2)[t/z] = a1[t/z] - a2[t/z]

  40. Calculating substitutions true[t/x] = truefalse[t/x] = false(a1= a2)[t/z] = a1[t/z] = a2[t/z] (a1a2)[t/z] = a1[t/z] a2[t/z] (A)[t/z] = (A[t/z])(A1 A2)[t/z] = A1[t/z]  A2[t/z](A1 A2)[t/z] = A1[t/z]  A2[t/z] (A1A2)[t/z] = A1[t/z] A2[t/z] (z. A)[t/z] = z. A(z. A)[t/y] = z. A[t/y]( z. A)[t/z] =  z. A( z. A)[t/y] =  z. A[t/y]

  41. six are completely enough and now…the rules

  42. Axiomatic semantics for While Notice similarity to natural semantics rules { P[a/x] } x:= a { P } [assp] [skipp] { P } skip { P } { P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R } [compp] { b P} S1 { Q}, { b P} S2 { Q} { P} if bthenS1elseS2 { Q} { b P } S { P } { P } while bdoS {b P } { P’ } S { Q’ } { P } S { Q } What’s different about this rule? [ifp] [whilep] [consp] if PP’ and Q’Q

  43. Assignment rule { P[a/x] } x:= a { P } [assp] x:= a, [xAa] [assns] [xAa] P • A “backwards” rule • x := a always finishes • Why is this true? • Recall operational semantics: • Example: {y*z<9} x:=y*z {x<9}What about {y*z<9w=5} x:=y*z {w=5}?

  44. skip rule skip,  [skipns] { P } skip { P } [skipp]

  45. Composition rule { P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R } S1, ’, S2, ’’’S1; S2, ’’ [compns] [compp] Holds when S1 terminates in every state where P holds and then Q holdsand S2 terminates in every state where Q holds and then R holds

  46. Condition rule { b P} S1 { Q}, { b P} S2 { Q} { P} if bthenS1elseS2 { Q} S1, ’ if bthenS1elseS2, ’ S2, ’ if bthenS1elseS2, ’ [ifp] • if B b  = tt • if B b  = ff [ifttns] [ifffns]

  47. Loop rule { b P } S { P } { P } while bdoS {b P } S,  ’, while bdoS, ’’’while bdoS, ’’ while bdoS,    • if B b  = ff • if B b  = tt [whilettns] [whilep] [whileffns] • Here P is called an invariant for the loop • Holds before and after each loop iteration • Finding loop invariants – most challenging part of proofs • When loop finishes, b is false

  48. Rule of consequence { P’ } S { Q’ } { P } S { Q } [consp] if PP’ and Q’Q Allows strengthening the precondition and weakening the postcondition The only rule that is not related to a statement

  49. Rule of consequence { P’ } S { Q’ } { P } S { Q } [consp] if PP’ and Q’Q Why do we need it? Allows the following{y*z<9} x:=y*z {x<9}{y*z<9w=5} x:=y*z {x<10}

  50. Next lecture:axiomatic semanticspractice and extensions

More Related