Spring 2016 Program Analysis and Verification
Lecture 5: Axiomatic Semantics II
Roman Manevich Ben-Gurion University Tentative syllabus
Abstract Program Program Analysis Interpretation Verification Analysis Basics Techniques fundamentals
Operational Control Flow Numerical Lattices semantics Graphs Domains
Equation Hoare Logic Fixed-Points Alias analysis Systems
Applying Hoare Collecting Chaotic Interprocedural Logic Semantics Iteration Analysis
Weakest Galois Shape Precondition Using Soot Connections Analysis Calculus
Proving Domain CEGAR Termination constructors
Widening/ Data structures Narrowing 2 Previously
• Basic notions of correctness • Formalizing Hoare triples • FO logic – Free variables – Substitutions • Hoare logic rules
3 Warm-up exercises
1. Define program state: 2. Define state predicate: 3. Define P 4. Formalize {P} C {Q} via structural semantics: 5. FV(m. x=k+1 0mx-1 nums(m)res) = { } 6. (m. x=k+1 0mx-1 nums(m)res)[x+1/x] =
4 Agenda
• Inference system • Annotating programs with proofs • Properties of the semantics Chapter 6
• Predicate transformer calculus – Weakest precondition calculus – Strongest postcondition calculus
5 Axiomatic semantics as an inference system
6 Inference trees
• Trees describing rule applications that ultimately prove a program correct • Leaves are axiom applications • Internal nodes correspond to rule applications over triples inferred from sub-trees • Inference tree is called – Simple if tree is only an axiom – Composite otherwise
7 Factorial proof inference tree
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
will show { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { INV[x-1/x] } x:=x-1 {INV} [comp] later { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} [cons] {x1 INV } y:=y*x; x:=x–1 { INV } [while] { INV } W { x=1 INV } { INV[1/y] } y:=1 { INV } [cons] [cons] { x=n } y:=1 { INV } { INV } W {y=n! n>0 } [comp] { x=n } while (x1) do (y:=y*x; x:=x–1) {y=n! n>0 }
8 Provability
• We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as { P } C { Q } Where does the p non-determinism – Are inference trees unique? come from? {true} x:=1; x:=x+5 {x0} • Proving properties of axiomatic semantics by induction on the shape of the inference tree
– Example: prove p { P } C { true } for any P and C
9 Annotating programs with proofs
10 Annotated programs
• A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code” – Going from annotated program to proof tree is a linear time translation
11 Annotating composition
• We can inline inference trees into programs
• Using proof equivalence of S1; (S2; S3) and (S1; S2); S3 instead of writing deep trees, e.g.,
{P} S1 {P’} {P’} S2 {P’’} {P’’} S3 {P’’’} {P’’’} S4 {P’’}
{P} (S1; S2) {P’’} {P’’} (S3 ; S4) {Q}
{P} (S1; S2); (S3 ; S4) {Q}
• We can annotate a composition S1; S2;…; Sn by {P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}
12 Annotating conditions
{ b P } S1 { Q }, { b P } S2 { Q } [ifp] { P } if b then S1 else S2 { Q }
{ P } if b then { b P }
S1 else { b P } S2
{ Q }
13 Annotating conditions
{ b P } S1 { Q }, { b P } S2 { Q } [ifp] { P } if b then S1 else S2 { Q }
{ P } if b then { b P } S { b P } S { Q } { b P } S { Q } 1 [cons] 1 1 2 2 [cons] { Q1 } { b P } S1 { Q }, { b P } S2 { Q } [ifp] else { P } if b then S1 else S2 { Q } { b P } S2 { Q2 } { Q }
14 Annotating loops
{ b P } S { P } [while ] p { P } while b do S {b P }
{ P } while b do { b P } S {b P }
15 Annotating loops
{ b P } S { P } [while ] p { P } while b do S {b P }
{ P } while b do { b P } P’ implies P S { P’ } b P implies Q {b P } { Q }
16 Annotating loops
{ b P } S { P } [while ] p { P } while b do S {b P }
{ P } Source of confusion while b do { b P } S {b P }
17 Annotating loops – alternative 1
{ b P } S { P } [while ] p { P } while b do S {b P }
while { P } b do { b P } S {b P }
18 Annotating loops – alternative 2
{ b P } S { P } [while ] p { P } while b do S {b P }
Inv = { P } We will take this alternative in our while b do examples and homework assignments { b P } S {b P }
19 Annotating formula transformations
• We often rewrite formulas – To make proofs more readable – Using logical/mathematical identities – Imported mathematical theorems
{ } { ’ } // transformation 1 { ’’ } // transformation 2
20 Exercising Hoare logic
21 Exercise 1: variable swap – specify { ? } t := x x := y y := t { ? }
22 Exercise 1: Prove using Hoare logic
{ y=b x=a } t := x { ? } x := y { ? } y := t { x=b y=a }
23 Exercise 1: Prove using Hoare logic
{ y=b x=a } t := x { y=b t=a } x := y { x=b t=a } y := t { x=b y=a }
24 Absolute value program
if x<0 then x := -x else skip
if b then S is syntactic sugar for if b then S else skip The latter form is easier to reason about
25 Absolute value program – specify { ? } if x<0 then x := -x else skip { ? }
26 Absolute value program – specify { x=v } if x<0 then x := -x else skip { x=|v| }
27 Exercise 2: Prove using Hoare logic
{ x=v } { } if x<0 then { } x := -x { } else { } skip { } {x=|v| }
28 Exercise 2: Prove using Hoare logic
{ x=v } { (-x=|v| x<0) (x=|v| x0) } if x<0 then { -x=|v| } x := -x { x=|v| } else { x=|v| } skip { x=|v| } { x=|v| }
29 Annotated programs: factorial
{ x=n } y := 1; Inv = { x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { y*x!=n! n>0 }
• Contrast with proof via structural semantics • Where did the inductive argument over loop iterations go?
30 Detailed proof steps
{ x=n } y := 1; { x=n y=1 } Inv = { x>0 y*x!=n! nx } while (x=1) do { x1 (x>0 y*x!=n! nx) } => ? { x>1 y*x!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { x>0 y*x!=n! nx } { y*x!=n! n>0 }
31 Detailed proof of implication
{ x1 (x>0 y*x!=n! nx) } => relax inequality { x1 (x>0 y*x!=n! n(x-1)) } => use logical identity AB equals AB { x1 (x0 y*x!=n! n(x-1)) } => distribute over {(x1 x0) (x1 y*x!=n! n(x-1)) } => x0 subsumes x1 x0 { x0 (x1 y*x!=n! n(x-1)) } => weaken conjunction by removing x1 { x0 (y*x!=n! n(x-1)) } => relax x0 into x1 { x1 (y*x!=n! n(x-1)) } => use logical identity AB equals AB { x1 (x1 y*x!=n! n(x-1))} write x1 as x>1 { x>1 y*x!=n! n(x-1) } 32 Properties of the semantics
33 Properties of the semantics
Equivalence – What is the analog of program equivalence in axiomatic verification?
Soundness – Can we prove incorrect properties?
Completeness – Is there something we can’t prove?
34 Provable equivalence
• We say that C1 and C2 are provably equivalent if for all P and Q
p { P } C1 { Q } if and only if p { P } C2 { Q } • Examples: – S; skip and S
– S1; (S2; S3) and (S1; S2); S3
35 S1; (S2; S3) is provably equivalent to (S1; S2); S3
{P’} S2 {P’’} {P’’} S3 {Q}
{P} S1 {P’} {P’} (S2; S3) {Q}
{P} S1; (S2; S3) {Q}
{P} S1 {P’} {P’} S2 {P’’}
{P} (S1; S2) {P’’} {P’’} S3 {Q}
{P} (S1; S2); S3 {Q}
36 Valid assertions
• We say that { P } C { Q } is valid
if for all states , if P and C, 1* ’ then ’Q
• Denoted by p { P } C { Q } Q P C(P) C ’
37 Soundness and completeness
• The inference system is sound:
– p { P } C { Q } implies p { P } C { Q }
• The inference system is complete:
– p { P } C { Q } implies p { P } C { Q }
• Is Hoare logic sound? yes • Is Hoare logic complete? depends
38 Weakest precondition calculus
39 From inference to calculus
• A Hoare-style proof is declarative – You can check that a proof is correct – Check is decidable given an algorithm to check implication • Is there a more calculational approach to producing proofs? – Weakest precondition calculus (WP) – Strongest postcondition calculus (SP) • WP/SP provide limits for Hoare triples • WP helps prove that Hoare logic is relatively complete
40 Weakest liberal precondition
• A backward-going predicate transformer • The weakest liberal precondition for Q is wlp(C, Q) if and only if for all states ’ if C, 1* ’ then ’ Q
Propositions:
1. p { wlp(C, Q) } C { Q } 2. If p { P } C { Q } then P wlp(C, Q)
41 Weakest liberal precondition
• A backward-going predicate transformer • The weakest liberal precondition for Q is wlp(C, Q) Give an example if and only if for all states ’ where this if C, * ’ then ’ Q gap exists 1 Q wlp(C, Q) C(wlp(C, Q)) P
C C(P)
42 Strongest postcondition
• A forward-going predicate transformer • The strongest postcondition for P is ’ sp(P, C) if and only if there exists such that
P and C, 1* ’
Propositions:
1. p { P } C { sp(P, C) }
2. If p { P } C { Q } then sp(P, C) Q
43 Predicate transformer semantics
• wlp and sp can be seen functions that transform predicates to other predicates – wlpC : Predicate Predicate { P } C { Q } if and only if wlpC Q = P – spC : Predicate Predicate { P } C { Q } if and only if spC P = Q
44 Is Hoare logic complete?
• Extensional approach: yes • Proving
p { P } C { Q } implies p { P } C { Q } boils down to proving
p { wlp(C, Q) } C { Q } • See proof in book
45 Is Hoare logic complete?
• Intentional approach: no • Gödel’s incompleteness theorem • Only as complete as the logic of assertions • Requires that we are able to prove the validity of assertions that occur in the rule of consequence • Relative completeness of Hoare logic (Cook 1974)
{ P’ } S { Q’ } [cons ] if PP’ and Q’Q p { P } S { Q }
46 Weakest (liberal) precondition calculus By Vadim Plessky (http://svgicons.sourceforge.net/) [see page for license], via Wikimedia Commons
47 Calculating wlp
1. wlp(skip, Q) = Q 2. wlp(x := a, Q) = Q[a/x]
3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))
4. wlp(if b then S1 else S2, Q) = (b wlp(S1, Q)) (b wlp(S2, Q)) 5. wlp(while b do S, Q) = … ? hard to capture
48 Calculating wlp of a loop
Idea: we know the following statements are semantically equivalent. Also they are provably equivalent (prove it) while b do S if b do (S; while b do S) else skip Let’s try to substitute and calculate on wlp(while b do S, Q) = wlp(if b do (S; while b do S) else skip, Q) =
(b wlp(S; while b do S, Q)) (b wlp(skip, Q)) =
(b wlp(S, wlp(while b do S, Q))) (b Q)
LoopInv = (b wlp(S, LoopInv)) (b Q) We have a recurrence
The loop invariant: a fixpoint of the right-hand side transformer 49 Example: write a specification
{ ? } while (timer 0) do timer := timer – 1 { ? }
• “The program should count to zero”
50 Example: prove the following triple
{ timer 0 } while (timer 0) do timer := timer – 1 { timer = 0 }
• LoopInv = (b wlp(S, LoopInv)) (b Q) • Let’s substitute LoopInv with timer0 • Show that timer0 is equivalent to (timer0 wlp(timer:=timer-1, timer0)) (timer=0 timer=0) • Start from right hand side and get left hand side (timer0 wlp(timer:=timer-1, timer0)) (timer=0 timer=0) = (timer0 (timer0)[timer-1/timer]) (timer=0 timer=0) = (timer0 timer-10) (timer=0 timer=0) = timer>0 timer=0 = timer0
51 A variant of wlp for loops
• Parametric in the loop invariant • wlp(while b do {} S, Q) = where {b } S {} and b Q
52 wlp rules
1. wlp(skip, Q) = Q 2. wlp(x := a, Q) = Q[a/x]
3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))
4. wlp(if b then S1 else S2, Q) = (b wlp(S1, Q)) (b wlp(S2, Q)) 5. wlp(while b do {} S, Q) = where {b } S {} and b Q
53 Issues with wlp-based proofs
• Requires backwards reasoning – not very intuitive • Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing)
54 Strongest postcondition calculus
By Vadim Plessky (http://svgicons.sourceforge.net/) [see page for license], via Wikimedia Commons
55 Strongest postcondition rules
1. sp(skip, P) = P 2. sp(x := a, P) = v. x=a[v/x] P[v/x]
3. sp(S1; S2, P) = sp(S2, sp(S1, P))
4. sp(if b then S1 else S2, P) = sp(S1, b P) sp(S2, b P) 5. sp(while b do {} S, P) = b where {b } S {} and P b
56 Floyd’s strongest postcondition rule
[assFloyd] { P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable The value of x in the pre-state • Example { z=x } x:=x+1 { ? }
57 Floyd’s strongest postcondition rule
[assFloyd] { P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
meaning: {x=z+1} • Example { z=x } x:=x+1 { v. x=v+1 z=v } • This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on • Next lecture we will see a variant of this rule
58 See you next time
59