
Spring 2014 Program Analysis and Verification Lecture 6: Axiomatic Semantics III



  1. Spring 2014, Program Analysis and Verification, Lecture 6: Axiomatic Semantics III. Roman Manevich, Ben-Gurion University

  2. Syllabus

  3. Previously • Hoare logic • Inference system • Annotated programs • Soundness and completeness • Weakest precondition calculus

  4. Axiomatic semantics for While
  [assp]    { P[a/x] } x := a { P }
  [skipp]   { P } skip { P }
  [compp]   { P } S1 { Q }    { Q } S2 { R }
            ------------------------------
                  { P } S1; S2 { R }
  [ifp]     { b ∧ P } S1 { Q }    { ¬b ∧ P } S2 { Q }
            -----------------------------------------
               { P } if b then S1 else S2 { Q }
  [whilep]  { b ∧ P } S { P }
            --------------------------------
            { P } while b do S { ¬b ∧ P }
  [consp]   { P' } S { Q' }
            ----------------   if P ⇒ P' and Q' ⇒ Q
            { P } S { Q }

  5. Weakest precondition calculus

  6. Weakest liberal precondition
  A backward-going predicate transformer.
  The weakest liberal precondition for Q is wlp(C, Q), defined by:
    σ ⊨ wlp(C, Q) if and only if for all states σ': if ⟨C, σ⟩ ⇓ σ' then σ' ⊨ Q
  Propositions:
    ⊢p { wlp(C, Q) } C { Q }
    If ⊢p { P } C { Q } then P ⇒ wlp(C, Q)

  7. Weakest liberal precondition
  (Diagram with labels Q, wlp(C, Q), C(wlp(C, Q)), P, C, C(P): running C from any state in wlp(C, Q) ends in Q, and for any P with P ⇒ wlp(C, Q) the image C(P) lies inside Q.)

  8. Strongest postcondition
  A forward-going predicate transformer.
  The strongest postcondition for P is sp(P, C), defined by:
    σ' ⊨ sp(P, C) if and only if there exists σ such that σ ⊨ P and ⟨C, σ⟩ ⇓ σ'
  Propositions:
    ⊢p { P } C { sp(P, C) }
    If ⊢p { P } C { Q } then sp(P, C) ⇒ Q

  9. Calculating weakest preconditions
  (Slide image by Vadim Plessky, http://svgicons.sourceforge.net/, see page for license, via Wikimedia Commons)

  10. Calculating wlp
  wlp(skip, Q) = Q
  wlp(x := a, Q) = Q[a/x]
  wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))
  wlp(if b then S1 else S2, Q) = (b ∧ wlp(S1, Q)) ∨ (¬b ∧ wlp(S2, Q))
  wlp(while b do S, Q) = … ?   (hard to capture)

  11. Calculating the wlp of a loop
  Idea: we know the following statements are semantically equivalent:
    while b do S
    if b then (S; while b do S) else skip
  Let's try to substitute and calculate:
    wlp(while b do S, Q)
    = wlp(if b then (S; while b do S) else skip, Q)
    = (b ∧ wlp(S; while b do S, Q)) ∨ (¬b ∧ wlp(skip, Q))
    = (b ∧ wlp(S, wlp(while b do S, Q))) ∨ (¬b ∧ Q)
  The unknown wlp(while b do S, Q) appears on both sides, so it is a solution of the recursive equation
    LoopInv = (b ∧ wlp(S, LoopInv)) ∨ (¬b ∧ Q)

  12. Another variant for WP of loops
  Parametric in the loop invariant Inv:
    wlp(while b do {Inv} S, Q) = Inv   where { b ∧ Inv } S { Inv } and ¬b ∧ Inv ⇒ Q
  Any Inv meeting the two side conditions gives a sound precondition, but not necessarily the weakest one: how weak it is depends on the invariant supplied.

  13. Variable swap program – specify
  { ? }
  t := x
  x := y
  y := t
  { ? }

  14. Prove using weakest precondition
  { y=b ∧ x=a }
  t := x
  { ? }
  x := y
  { ? }
  y := t
  { x=b ∧ y=a }

  15. Prove using weakest precondition
  { y=b ∧ x=a }
  t := x
  { y=b ∧ t=a }
  x := y
  { x=b ∧ t=a }
  y := t
  { x=b ∧ y=a }

  16. Absolute value program
  if x<0 then x := -x else skip
  "if b then S" is syntactic sugar for "if b then S else skip"; the latter form is easier to reason about.

  17. Absolute value program – specify
  { ? }
  if x<0 then x := -x else skip
  { ? }

  18. Absolute value program – specify
  { x=v }
  if x<0 then x := -x else skip
  { x=|v| }

  19. Prove using weakest precondition
  { x=v }
  { ? }
  if x<0 then
    { ? }
    x := -x
    { ? }
  else
    { ? }
    skip
    { ? }
  { x=|v| }

  20. Prove using weakest precondition
  { x=v }
  { (-x=|v| ∧ x<0) ∨ (x=|v| ∧ x≥0) }
  if x<0 then
    { -x=|v| }
    x := -x
    { x=|v| }
  else
    { x=|v| }
    skip
    { x=|v| }
  { x=|v| }

  21. Making the proof system more practical

  22. Conjunction rule
  [conjp]   { P } S { Q }    { P' } S { Q' }
            ----------------------------------
               { P ∧ P' } S { Q ∧ Q' }
  Allows breaking up proofs into smaller, easier to manage sub-proofs.

  23. More useful rules
  Callout on the slide: breaks if C is non-deterministic.
  [disjp]   { P } C { Q }    { P' } C { Q' }
            ----------------------------------
               { P ∨ P' } C { Q ∨ Q' }
  [existp]  { P } C { Q }
            -------------------------   v ∉ FV(C)
            { ∃v. P } C { ∃v. Q }
  [univp]   { P } C { Q }
            -------------------------   v ∉ FV(C)
            { ∀v. P } C { ∀v. Q }
  [Invp]    { F } C { F }   if Mod(C) ∩ FV(F) = ∅
  Mod(C) = set of variables assigned to in sub-statements of C
  FV(F) = free variables of F

  24. Invariance + Conjunction = Constancy
  [constancyp]  { P } C { Q }
                ------------------------   Mod(C) ∩ FV(F) = ∅
                { F ∧ P } C { F ∧ Q }
  Mod(C) = set of variables assigned to in sub-statements of C
  FV(F) = free variables of F

  25. Today • Strongest postcondition • Extension for memory • Proving termination

  26. Strongest postcondition calculus
  (Slide image by Vadim Plessky, http://svgicons.sourceforge.net/, see page for license, via Wikimedia Commons)

  27. Floyd's strongest postcondition rule
  [assFloyd]  { P } x := a { ∃v. x=a[v/x] ∧ P[v/x] }   where v is a fresh variable
  v stands for the value of x in the pre-state.
  Example: { z=x } x:=x+1 { ? }
  This rule is often considered problematic because it introduces a quantifier, which needs to be eliminated further on. We will now see a variant of this rule.

  28. Floyd's strongest postcondition rule
  [assFloyd]  { P } x := a { ∃v. x=a[v/x] ∧ P[v/x] }   where v is a fresh variable
  Example: { z=x } x:=x+1 { ∃v. x=v+1 ∧ z=v }, meaning { x=z+1 }

  29. "Small" assignment axiom
  [assfloyd]  { x=v } x := a { x=a[v/x] }   where v ∉ FV(a)
  Reading: first evaluate a in the precondition state (as a may access x); the precondition names that state's value of x with an explicit Skolem variable v; then assign the resulting value to x.
  Examples:
    {x=n} x:=5*y {x=5*y}
    {x=n} x:=x+1 {x=n+1}
    {x=n} x:=y+1 {x=y+1}
    [existp] {∃n. x=n} x:=y+1 {∃n. x=y+1}, therefore {true} x:=y+1 {x=y+1}
    [constancyp] {z=9} x:=y+1 {z=9 ∧ x=y+1}

  33. Calculating sp
  sp(skip, P) = P
  sp(x:=a, P) = ∃v. x=a[v/x] ∧ P[v/x]
  sp(S1; S2, P) = sp(S2, sp(S1, P))
  sp(if b then S1 else S2, P) = sp(S1, b ∧ P) ∨ sp(S2, ¬b ∧ P)
  sp(while b do {Inv} S, P) = Inv ∧ ¬b   where { b ∧ Inv } S { Inv } and P ⇒ Inv

  34. Prove using strongest postcondition
  { x=a ∧ y=b }
  t := x
  x := y
  y := t
  { x=b ∧ y=a }

  37. Prove using strongest postcondition
  { x=a ∧ y=b }
  t := x
  { x=a ∧ y=b ∧ t=a }
  x := y
  { x=b ∧ y=b ∧ t=a }
  y := t
  { x=b ∧ y=a ∧ t=a }
  { x=b ∧ y=a }   // cons

  38. Prove using strongest postcondition
  { x=v }
  if x<0 then
    { x=v ∧ x<0 }
    x := -x
    { x=-v ∧ x>0 }
  else
    { x=v ∧ x≥0 }
    skip
    { x=v ∧ x≥0 }
  { (v<0 ∧ x=-v) ∨ (v≥0 ∧ x=v) }
  { x=|v| }

  40. Sum program – specify
  Define Sum(0, n) = 0+1+…+n
  Background axiom: x=Sum(0, n) ∧ y=n+1 ⇒ x+y=Sum(0, n+1)
  { ? }
  x := 0
  res := 0
  while (x<y) do
    x := x+1
    res := res+x
  { ? }

  41. Sum program – specify
  Define Sum(0, n) = 0+1+…+n
  Background axiom: x=Sum(0, n) ∧ y=n+1 ⇒ x+y=Sum(0, n+1)
  { y≥0 }
  x := 0
  res := 0
  while (x<y) do
    x := x+1
    res := res+x
  { res = Sum(0, y) }

  42. Sum program – prove
  Define Sum(0, n) = 0+1+…+n
  { y≥0 }
  x := 0
  res := 0
  Inv = ?
  while (x<y) do
    x := x+1
    res := res+x
  { res = Sum(0, y) }

  49. Sum program – prove
  Define Sum(0, n) = 0+1+…+n
  Background axiom: x=Sum(0, n) ∧ y=n+1 ⇒ x+y=Sum(0, n+1)
  { y≥0 }
  x := 0
  { y≥0 ∧ x=0 }
  res := 0
  { y≥0 ∧ x=0 ∧ res=0 }
  Inv = { y≥0 ∧ res=Sum(0, x) ∧ x≤y }
  while (x<y) do
    { y≥0 ∧ res=m ∧ x=n ∧ n≤y ∧ m=Sum(0, n) ∧ x<y }
    { y≥0 ∧ res=m ∧ x=n ∧ m=Sum(0, n) ∧ n<y }
    x := x+1
    { y≥0 ∧ res=m ∧ x=n+1 ∧ m=Sum(0, n) ∧ n<y }
    res := res+x
    { y≥0 ∧ res=m+x ∧ x=n+1 ∧ m=Sum(0, n) ∧ n<y }
    { y≥0 ∧ res=Sum(0, x) ∧ x=n+1 ∧ n<y }   // sum axiom
    { y≥0 ∧ res=Sum(0, x) ∧ x≤y }            // cons
  { y≥0 ∧ res=Sum(0, x) ∧ x≤y ∧ x≥y }
  { y≥0 ∧ res=Sum(0, y) ∧ x=y }
  { res = Sum(0, y) }

  50. Buggy sum program
  { y≥0 }
  x := 0
  { y≥0 ∧ x=0 }
  res := 0
  { y≥0 ∧ x=0 ∧ res=0 }
  Inv = { y≥0 ∧ res=Sum(0, x) } = { y≥0 ∧ res=m ∧ x=n ∧ m=Sum(0, n) }
  while (x≤y) do
    { y≥0 ∧ res=m ∧ x=n ∧ m=Sum(0, n) ∧ x≤y ∧ n≤y }
    x := x+1
    { y≥0 ∧ res=m ∧ x=n+1 ∧ m=Sum(0, n) ∧ n≤y }
    res := res+x
    { y≥0 ∧ res=m+x ∧ x=n+1 ∧ m=Sum(0, n) ∧ n≤y }
    { y≥0 ∧ res-x=Sum(0, x-1) ∧ n≤y }
    { y≥0 ∧ res=Sum(0, x) }
  { y≥0 ∧ res=Sum(0, x) ∧ x>y }
  { res = Sum(0, y) }
  The invariant is preserved, but the final consequence step does not hold: Inv ∧ ¬b gives res=Sum(0, x) with x>y, which does not imply res=Sum(0, y). For y=0 the loop exits with x=1 and res=1, while Sum(0, 0)=0.
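The wlp and sp calculi of slides 10, 12 and 33, run mechanically over the swap, absolute-value and sum programs of this lecture (including the buggy loop guard of slide 50), as an added worked example; this code is not from the lecture. Its assumptions: terms are encoded as Python tuples, the fresh variables of Floyd's rule are named `<x>_pre<k>`, the loop body increments x before adding it (matching the invariant res = Sum(0, x)), Sum is evaluated in closed form, and verification conditions are discharged by enumerating every assignment in [-3, 3] instead of by hand.

```python
from itertools import count, product

# Term encoding used by this example (an assumption of the example, not the lecture's notation):
#   expressions: int | str (variable) | ('+'|'-'|'*', e, e) | ('neg', e) | ('abs', e) | ('Sum', e)
#   formulas:    bool | ('<'|'<='|'='|'>'|'>=', e, e) | ('and'|'or'|'=>', f, f) | ('not', f) | ('exists', v, f)
#   statements:  ('skip',) | ('assign', x, e) | ('seq', s, s) | ('if', b, s, s) | ('while', b, inv, s)
LO, HI = -3, 3   # validity is checked on this range only; a counterexample outside it is missed
OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b, 'neg': lambda a: -a,
       'abs': abs, 'not': lambda p: not p, '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
       '=': lambda a, b: a == b, '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
       'Sum': lambda n: n * (n + 1) // 2}   # Sum(0, n) in closed form: Sum(n+1) = Sum(n)+n+1 for every int n
LAZY = {'and': lambda p, q: p() and q(), 'or': lambda p, q: p() or q(), '=>': lambda p, q: not p() or q()}
_fresh = count()   # numbers the fresh variables introduced by Floyd's assignment rule

def subst(t, x, a):
    """t[a/x]: replace free occurrences of variable x in t by expression a."""
    if isinstance(t, str):
        return a if t == x else t
    if isinstance(t, tuple):
        if t[0] == 'exists':   # bound names are fresh, so they never capture variables of a
            return t if t[1] == x else ('exists', t[1], subst(t[2], x, a))
        return (t[0],) + tuple(subst(u, x, a) for u in t[1:])
    return t

def fv(t):
    if isinstance(t, str):
        return {t}
    if isinstance(t, tuple):
        return fv(t[2]) - {t[1]} if t[0] == 'exists' else set().union(*map(fv, t[1:]))
    return set()

def ev(t, env):
    """Evaluate t under env; connectives short-circuit and ∃ only searches [LO, HI]."""
    if isinstance(t, (bool, int)):
        return t
    if isinstance(t, str):
        return env[t]
    if t[0] in LAZY:
        return LAZY[t[0]](lambda: ev(t[1], env), lambda: ev(t[2], env))
    if t[0] == 'exists':
        return any(ev(t[2], {**env, t[1]: d}) for d in range(LO, HI + 1))
    return OPS[t[0]](*(ev(u, env) for u in t[1:]))

def wlp(stmt, q, vcs):
    """Backward transformer of slides 10 and 12; the loop's side conditions are appended to vcs."""
    if stmt[0] == 'skip':
        return q
    if stmt[0] == 'assign':
        return subst(q, stmt[1], stmt[2])                                   # Q[a/x]
    if stmt[0] == 'seq':
        return wlp(stmt[1], wlp(stmt[2], q, vcs), vcs)
    if stmt[0] == 'if':
        b, s1, s2 = stmt[1:]
        return ('or', ('and', b, wlp(s1, q, vcs)), ('and', ('not', b), wlp(s2, q, vcs)))
    b, inv, body = stmt[1:]                                                 # while b do {inv} S
    vcs.append(('=>', ('and', b, inv), wlp(body, inv, vcs)))                # {b ∧ Inv} S {Inv}
    vcs.append(('=>', ('and', ('not', b), inv), q))                         # ¬b ∧ Inv ⇒ Q
    return inv

def sp(stmt, p, vcs):
    """Forward transformer of slide 33; Floyd's assignment rule quantifies over x's pre-state value."""
    if stmt[0] == 'skip':
        return p
    if stmt[0] == 'assign':
        x, a, v = stmt[1], stmt[2], f'{stmt[1]}_pre{next(_fresh)}'         # v: old value of x
        return ('exists', v, ('and', ('=', x, subst(a, x, v)), subst(p, x, v)))
    if stmt[0] == 'seq':
        return sp(stmt[2], sp(stmt[1], p, vcs), vcs)
    if stmt[0] == 'if':
        b, s1, s2 = stmt[1:]
        return ('or', sp(s1, ('and', b, p), vcs), sp(s2, ('and', ('not', b), p), vcs))
    b, inv, body = stmt[1:]
    vcs.append(('=>', p, inv))                                              # P ⇒ Inv
    vcs.append(('=>', sp(body, ('and', b, inv), vcs), inv))                 # {b ∧ Inv} S {Inv}
    return ('and', inv, ('not', b))                                         # Inv ∧ ¬b

def counterexample(formula):
    """First assignment over [LO, HI] that falsifies formula, or None if it holds there."""
    names = sorted(fv(formula))
    for vals in product(range(LO, HI + 1), repeat=len(names)):
        env = dict(zip(names, vals))
        if not ev(formula, env):
            return env
    return None

def verify(pre, stmt, post, forward=False):
    """Check {pre} stmt {post} via wlp (default) or sp; returns the first counterexample or None."""
    vcs = []
    main = ('=>', sp(stmt, pre, vcs), post) if forward else ('=>', pre, wlp(stmt, post, vcs))
    return next((c for c in map(counterexample, [main] + vcs) if c is not None), None)

# The lecture's programs (swap, absolute value, sum) and slide 50's buggy loop guard.
SWAP = ('seq', ('assign', 't', 'x'), ('seq', ('assign', 'x', 'y'), ('assign', 'y', 't')))
ABS = ('if', ('<', 'x', 0), ('assign', 'x', ('neg', 'x')), ('skip',))
INV = ('and', ('>=', 'y', 0), ('and', ('=', 'res', ('Sum', 'x')), ('<=', 'x', 'y')))
INV_BUGGY = ('and', ('>=', 'y', 0), ('=', 'res', ('Sum', 'x')))
BODY = ('seq', ('assign', 'x', ('+', 'x', 1)), ('assign', 'res', ('+', 'res', 'x')))
SUM_OK = ('seq', ('assign', 'x', 0), ('seq', ('assign', 'res', 0), ('while', ('<', 'x', 'y'), INV, BODY)))
SUM_BUGGY = ('seq', ('assign', 'x', 0), ('seq', ('assign', 'res', 0), ('while', ('<=', 'x', 'y'), INV_BUGGY, BODY)))
PRE_SUM, POST_SUM = ('>=', 'y', 0), ('=', 'res', ('Sum', 'y'))
```

`verify(PRE_SUM, SUM_OK, POST_SUM)` returns None (every verification condition holds on the bounded domain, by wlp and, with `forward=True`, by sp), while `verify(PRE_SUM, SUM_BUGGY, POST_SUM)` returns `{'res': 1, 'x': 1, 'y': 0}`: with guard x≤y the loop exits at x = y+1, which is exactly the consequence step that fails on slide 50. Bounded enumeration only refutes: a None result means no counterexample in [-3, 3], not a proof, and the ∃ that sp introduces is searched over the same range, so witnesses outside it are missed.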
