Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 13: Deductive Verification Matt Fredrikson [email protected] October 13, 2016 Matt Fredrikson Deductive Verification 1 / 38 Partial Correctness (Review) Partial correctness refers to a program’s terminating behavior We specify partial correctness using Hoare triples fP g c fQg I c is a program I P and Q are assertions in a first-order theory I Free variables in P; Q can range over program variables I P is the precondition and Q is the postcondition Matt Fredrikson Deductive Verification 2 / 38 Hoare Triples: Meaning (Review) The meaning of fP g c fQg is as follows: I If we begin executing c in an environment satisfying P , I and if c terminates, I then its final environment will satisfy Q The specification says nothing about: I Executions that do not terminate (i.e., diverge) I Executions that do not begin in P Notice: fP g c fQg is a predicate Goal of verification: prove that it holds, i.e., is a valid Hoare triple Matt Fredrikson Deductive Verification 3 / 38 Hoare Triples: Total Correctness (Review) Partial correctness doesn’t require termination Total correctness is a stronger statement, written: [P ] c [Q] The meaning of [P ] c [Q] is: I If we begin executing c in an environment satisfying P , I then c terminates, I and its final environment will satisfy Q Total correctness introduces another obligation for verification Matt Fredrikson Deductive Verification 4 / 38 Hoare Logic Inference Rules Skip Asgn fP g skip fP g fQ[a/x]g x := afQg P ) P 0 ` fP 0g c fQ0g Q0 ) Q Conseq fP g c fQg 0 0 fP g c1 fP g fP g c2 fQg Seq fP g c1; c2fQg fP ^ bg c1 fQg fP ^ :bg c2 fQg If fP g if b then c1 else c2fQg fP ^ bg c fP g While fP g while b do c fP ^ :bg Matt Fredrikson Deductive Verification 5 / 38 Soundness of Hoare Logic The proof rules we’ve just covered are sound for partial correctness: If ` fP g c fQg; then j= fP g c fQg If we can derive a triple using the rules, then it is valid To prove this, we use the operational semantics Show equivalence between proof rules and reductions Need to use induction on derivations Matt Fredrikson Deductive Verification 6 / 38 Completeness of Hoare Logic Completness of Hoare logic is stated as: If j= fP g c fQg; then ` fP g c fQg If fP g c fQg is valid, then we can derive it using the rules Is this true? For strengthening, we need to prove statements of the form: P ) Q This requires proving a universal implication in Peano arithmetic Recall that TPA is undecidable! Matt Fredrikson Deductive Verification 7 / 38 Relative Completeness of Hoare Logic So, we know there can’t be a proof system that derives all valid triples The Hoare logic has relative completeness If we assume an oracle for deciding P ) Q Then we can derive any valid Hoare triple for Imp However, for more complex languages, this isn’t always the case Matt Fredrikson Deductive Verification 8 / 38 Mechanics of Verification Working in Hoare logic is nicer than working directly with semantics But still isn’t “fun”, and not quite trivial I How to decompose the program? I When to apply the rule of consequence, and how? I Lots of tedious details, e.g., discharging (x = r + (q × y) ^ y ≤ r) ) x = (r − y) + ((q + 1) × y) I Even for short programs, the proofs can be long (and boring) Now we’ll take steps towards mechanizing this process Matt Fredrikson Deductive Verification 9 / 38 Basic Approach Given a program c annotated with a specification: fP g c fQg To prove the triple, we’ll generate a set of verification conditions I VC’s are a function of the code, specification, and loop invariants I Each VC is a first-order formula in some theory I If all VC’s are valid, then so is fP g c fQg Program verifiers consist of two main components: 1. Verification condition generator producing T -formulas 2. Decision procedure for first-order theory T Intuitively, VC gen. “compiles” a verification problem into a math problem Matt Fredrikson Deductive Verification 10 / 38 Automation This is the approach taken by tools like Dafny As you know, it doesn’t prove things automatically You often need to provide: 1. Loop invariants 2. Termination metrics 3. Extra assertions 4. Different (but possibly equivalent) contracts 5. Moral support and encouragement These are all the subject of active research (except 5) I (1), (2) addressed by static analysis, but unsolvable in general I (3), (4) are improved by more powerful decision procedures Matt Fredrikson Deductive Verification 11 / 38 VC Generation Given an assertion Q and program c, we’ll describe a function: I That is a predicate transformer: produces another assertion I Assertion for the corresponding precondition P for c I P guaranteed to be the weakest such assertion This is the weakest precondition predicate transformer wp(c; Q) The weakest precondition satisfies the following conditions: 1. The triple [wp(c; Q)] c [Q] is valid 2. For any P where [P ] c [Q] is valid, P ) wp(c; Q) For partial correctness, use weakest liberal precondition wlp(c; Q) Matt Fredrikson Deductive Verification 12 / 38 “Backwards” VC Generation Intuitively, wlp allows us to: 1. Start with a desired postcondition 2. Work backwards to a precondition that must hold 3. Verify that P ) wlp(c; Q) 4. Or just use wlp(c; Q) to write a contract There is also a “forward” transformer: strongest postcondition 1. Written sp(c; P ) 2. The triple [P ] c [sp(c; P )] is valid 3. For any Q where [P ] c [Q] is valid, sp(c; P ) ) Q What does sp(c; true) characterize? For the rest of today (and most of the semester), we’ll focus on wlp Matt Fredrikson Deductive Verification 13 / 38 Language Extension: Arrays But first, let’s add arrays to Imp a 2 AExp ::= n 2 Z | x 2 Var | a1 + a2 | a1 × a2 | x[a] b 2 BExp ::= true | false | a1 = a2 | a1 ≤ a2 | :b | b1 ^ b2 c 2 Com ::= skip | x := a | c1; c2 | x[a1]:= a2 | if b then c1 else c2 | while b do c Allow array lookup, assignment to array indices Matt Fredrikson Deductive Verification 14 / 38 Array Semantics The environment can map to array values (i.e., from TA) ha; σi + n σ(x) is an array ALookup hx[a]; σi + σ(x)[n] ha1; σi + n1 ha2; σi + n2 AWrite hx[a1]:= a2; σi + σ[x 7! σ(x)hn1 / n2i] Assignment produces a new array using the array update term Matt Fredrikson Deductive Verification 15 / 38 Defining wlp(c; Q): Assignment We’ll use Hoare triples to define wlp Recall the rule for assignment: Asgn fQ[a/x]g x := afQg The corresponding transformer is: wlp(x := a; Q) = Q[a/x] This will produce valid preconditions. Is it weak enough? If P 6) Q[a/x], then fP g c fQg won’t hold Matt Fredrikson Deductive Verification 16 / 38 Example What is wlp(y := x + 1; (8x:x < z ! x < y) ! x + 1 ≤ y)? Applying the definition of wlp for assignment, (8x:x < z ! x < x + 1) ! x + 1 ≤ x + 1 Is this right? No. When we substituted y with x + 1 in (8x:x < z ! x < y) the variable x was captured Recall: x is bound in 8x:x < a ! x < y Outside the scope of this 8, we’re referring to a different x Matt Fredrikson Deductive Verification 17 / 38 Capture-avoiding substitution When performing substitution, we need to be careful about scoping When we expand out P [a/x], we need to: I Only substitute free occurrences of x I Rename bound variables appearing in a to avoid capture Renaming bound variables is called α-substitution For a substitution P [F /G], let [ Vfree = free(F ) [ free(G) i To expand P [F /G]: I For each quantified variable x in P such that x 2 Vfree, rename x to a fresh variable to produce P 0 I Apply the substitution directly to P 0 Matt Fredrikson Deductive Verification 18 / 38 Example Consider the formula: F :(8x:p(x; y)) ! q(f(y); x) Suppose we want F [y/f(x); q(f(y); x)/(9x:h(x; y))] First, we find all the free variables: free(y) [ free(f(x)) [ free(q(f(y); x)) [ free(9x:h(x; y)) = fxg [ fxg [ fyg [ fxg [ fx; yg [ fyg = fx; yg F has one quantified variable x, which is in this set. So: F :(8x0:p(x0; y)) ! q(f(y); x) Applying the substitution: (8x0:p(x0; f(x))) ! 9x:h(x; y) Matt Fredrikson Deductive Verification 19 / 38 Example F 0 :(8x0:p(x0; y)) ! q(f(y); x) Applying the first substitution q(f(y); x)/(9x:h(x; y)): F 0 :(8x0:p(x0; y)) ! 9x:h(x; y) Now we apply the second substitution: y/f(x) We need to rename bound variables that occur in Vfree: F 00 :(8x0:p(x0; y)) ! 9x0:h(x0; y) Which brings us to: F 00 :(8x0:p(x0; f(x))) ! 9x0:h(x0; f(x)) Matt Fredrikson Deductive Verification 20 / 38 Defining wlp(c; Q): Array Assignment Array assignment gives the rule AsgnArr fQ[xha1 / a2i/x]g x[a1]:= a2 fQg The corresponding transformer is: wlp(x[a1]:= a2;Q) = Q[aha1 / a2i/x] This is no different than normal assignment In this case, we’re working with array values rather than integers Matt Fredrikson Deductive Verification 21 / 38 Example Let’s compute: wlp(b[i]:= 5; b[i] = 5) Proceeding with the substitution, wlp(b[i]:= 5; b[i] = 5) = (bhi / 5i[i] = 5) = (5 = 5) = true Matt Fredrikson Deductive Verification 22 / 38 Example Let’s compute: wlp(b[n]:= x; 8i:1 ≤ i < n ! b[i] ≤ b[i + 1]) Proceeding with the substitution, wlp(b[n]:= x; 8i:1 ≤ i < n ! b[i] ≤ b[i + 1]) = 8i:1 ≤ i < n ! (bhn / xi)[i] ≤ (bhn / xi)[i + 1] = (bhn / xi)[n − 1] ≤ (bhn / xi)[n] ^8i:1 ≤ i < n ! (bhn / xi)[i] ≤ (bhn / xi)[i + 1] = b[n − 1] ≤ x ^ 8i:1 ≤ i < n − 1 ! b[i] ≤ b[i + 1] Matt Fredrikson Deductive Verification 23 / 38 Defining wlp(c; Q): Sequencing 0 0 fP g c1 fP g fP g c2 fQg Seq fP g c1; c2fQg The corresponding transformer is: wlp(c1; c2;Q) = wlp(c1; wlp(c2;Q)) Compose the transformer, working backwards from c2 The precondition for c2 becomes the postcondition for c1 Note: we don’t need to use consequence to “glue” these together Matt Fredrikson