Spring 2016 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University Tentative syllabus Abstract Program Program Analysis Interpretation Verification Analysis Basics Techniques fundamentals Operational Control Flow Numerical Lattices semantics Graphs Domains Equation Hoare Logic Fixed-Points Alias analysis Systems Applying Hoare Collecting Chaotic Interprocedural Logic Semantics Iteration Analysis Weakest Galois Shape Precondition Using Soot Connections Analysis Calculus Proving Domain CEGAR Termination constructors Widening/ Data structures Narrowing 2 Previously • Basic notions of correctness • Formalizing Hoare triples • FO logic – Free variables – Substitutions • Hoare logic rules 3 Warm-up exercises 1. Define program state: 2. Define state predicate: 3. Define P 4. Formalize {P} C {Q} via structural semantics: 5. FV(m. x=k+1 0mx-1 nums(m)res) = { } 6. (m. x=k+1 0mx-1 nums(m)res)[x+1/x] = 4 Agenda • Inference system • Annotating programs with proofs • Properties of the semantics Chapter 6 • Predicate transformer calculus – Weakest precondition calculus – Strongest postcondition calculus 5 Axiomatic semantics as an inference system 6 Inference trees • Trees describing rule applications that ultimately prove a program correct • Leaves are axiom applications • Internal nodes correspond to rule applications over triples inferred from sub-trees • Inference tree is called – Simple if tree is only an axiom – Composite otherwise 7 Factorial proof inference tree Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 } W = while (x1) do (y:=y*x; x:=x–1) INV = x > 0 (y x! = n! n x) will show { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { INV[x-1/x] } x:=x-1 {INV} [comp] later { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} [cons] {x1 INV } y:=y*x; x:=x–1 { INV } [while] { INV } W { x=1 INV } { INV[1/y] } y:=1 { INV } [cons] [cons] { x=n } y:=1 { INV } { INV } W {y=n! n>0 } [comp] { x=n } while (x1) do (y:=y*x; x:=x–1) {y=n! n>0 } 8 Provability • We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as { P } C { Q } Where does the p non-determinism – Are inference trees unique? come from? {true} x:=1; x:=x+5 {x0} • Proving properties of axiomatic semantics by induction on the shape of the inference tree – Example: prove p { P } C { true } for any P and C 9 Annotating programs with proofs 10 Annotated programs • A streamlined version of inference trees – Inline inference trees into programs – A kind of “proof carrying code” – Going from annotated program to proof tree is a linear time translation 11 Annotating composition • We can inline inference trees into programs • Using proof equivalence of S1; (S2; S3) and (S1; S2); S3 instead of writing deep trees, e.g., {P} S1 {P’} {P’} S2 {P’’} {P’’} S3 {P’’’} {P’’’} S4 {P’’} {P} (S1; S2) {P’’} {P’’} (S3 ; S4) {Q} {P} (S1; S2); (S3 ; S4) {Q} • We can annotate a composition S1; S2;…; Sn by {P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn} 12 Annotating conditions { b P } S1 { Q }, { b P } S2 { Q } [ifp] { P } if b then S1 else S2 { Q } { P } if b then { b P } S1 else { b P } S2 { Q } 13 Annotating conditions { b P } S1 { Q }, { b P } S2 { Q } [ifp] { P } if b then S1 else S2 { Q } { P } if b then { b P } S { b P } S { Q } { b P } S { Q } 1 [cons] 1 1 2 2 [cons] { Q1 } { b P } S1 { Q }, { b P } S2 { Q } [ifp] else { P } if b then S1 else S2 { Q } { b P } S2 { Q2 } { Q } 14 Annotating loops { b P } S { P } [while ] p { P } while b do S {b P } { P } while b do { b P } S {b P } 15 Annotating loops { b P } S { P } [while ] p { P } while b do S {b P } { P } while b do { b P } P’ implies P S { P’ } b P implies Q {b P } { Q } 16 Annotating loops { b P } S { P } [while ] p { P } while b do S {b P } { P } Source of confusion while b do { b P } S {b P } 17 Annotating loops – alternative 1 { b P } S { P } [while ] p { P } while b do S {b P } while { P } b do { b P } S {b P } 18 Annotating loops – alternative 2 { b P } S { P } [while ] p { P } while b do S {b P } Inv = { P } We will take this alternative in our while b do examples and homework assignments { b P } S {b P } 19 Annotating formula transformations • We often rewrite formulas – To make proofs more readable – Using logical/mathematical identities – Imported mathematical theorems { } { ’ } // transformation 1 { ’’ } // transformation 2 20 Exercising Hoare logic 21 Exercise 1: variable swap – specify { ? } t := x x := y y := t { ? } 22 Exercise 1: Prove using Hoare logic { y=b x=a } t := x { ? } x := y { ? } y := t { x=b y=a } 23 Exercise 1: Prove using Hoare logic { y=b x=a } t := x { y=b t=a } x := y { x=b t=a } y := t { x=b y=a } 24 Absolute value program if x<0 then x := -x else skip if b then S is syntactic sugar for if b then S else skip The latter form is easier to reason about 25 Absolute value program – specify { ? } if x<0 then x := -x else skip { ? } 26 Absolute value program – specify { x=v } if x<0 then x := -x else skip { x=|v| } 27 Exercise 2: Prove using Hoare logic { x=v } { } if x<0 then { } x := -x { } else { } skip { } {x=|v| } 28 Exercise 2: Prove using Hoare logic { x=v } { (-x=|v| x<0) (x=|v| x0) } if x<0 then { -x=|v| } x := -x { x=|v| } else { x=|v| } skip { x=|v| } { x=|v| } 29 Annotated programs: factorial { x=n } y := 1; Inv = { x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { y*x!=n! n>0 } • Contrast with proof via structural semantics • Where did the inductive argument over loop iterations go? 30 Detailed proof steps { x=n } y := 1; { x=n y=1 } Inv = { x>0 y*x!=n! nx } while (x=1) do { x1 (x>0 y*x!=n! nx) } => ? { x>1 y*x!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { x>0 y*x!=n! nx } { y*x!=n! n>0 } 31 Detailed proof of implication { x1 (x>0 y*x!=n! nx) } => relax inequality { x1 (x>0 y*x!=n! n(x-1)) } => use logical identity AB equals AB { x1 (x0 y*x!=n! n(x-1)) } => distribute over {(x1 x0) (x1 y*x!=n! n(x-1)) } => x0 subsumes x1 x0 { x0 (x1 y*x!=n! n(x-1)) } => weaken conjunction by removing x1 { x0 (y*x!=n! n(x-1)) } => relax x0 into x1 { x1 (y*x!=n! n(x-1)) } => use logical identity AB equals AB { x1 (x1 y*x!=n! n(x-1))} write x1 as x>1 { x>1 y*x!=n! n(x-1) } 32 Properties of the semantics 33 Properties of the semantics Equivalence – What is the analog of program equivalence in axiomatic verification? Soundness – Can we prove incorrect properties? Completeness – Is there something we can’t prove? 34 Provable equivalence • We say that C1 and C2 are provably equivalent if for all P and Q p { P } C1 { Q } if and only if p { P } C2 { Q } • Examples: – S; skip and S – S1; (S2; S3) and (S1; S2); S3 35 S1; (S2; S3) is provably equivalent to (S1; S2); S3 {P’} S2 {P’’} {P’’} S3 {Q} {P} S1 {P’} {P’} (S2; S3) {Q} {P} S1; (S2; S3) {Q} {P} S1 {P’} {P’} S2 {P’’} {P} (S1; S2) {P’’} {P’’} S3 {Q} {P} (S1; S2); S3 {Q} 36 Valid assertions • We say that { P } C { Q } is valid if for all states , if P and C, 1* ’ then ’Q • Denoted by p { P } C { Q } Q P C(P) C ’ 37 Soundness and completeness • The inference system is sound: – p { P } C { Q } implies p { P } C { Q } • The inference system is complete: – p { P } C { Q } implies p { P } C { Q } • Is Hoare logic sound? yes • Is Hoare logic complete? depends 38 Weakest precondition calculus 39 From inference to calculus • A Hoare-style proof is declarative – You can check that a proof is correct – Check is decidable given an algorithm to check implication • Is there a more calculational approach to producing proofs? – Weakest precondition calculus (WP) – Strongest postcondition calculus (SP) • WP/SP provide limits for Hoare triples • WP helps prove that Hoare logic is relatively complete 40 Weakest liberal precondition • A backward-going predicate transformer • The weakest liberal precondition for Q is wlp(C, Q) if and only if for all states ’ if C, 1* ’ then ’ Q Propositions: 1. p { wlp(C, Q) } C { Q } 2. If p { P } C { Q } then P wlp(C, Q) 41 Weakest liberal precondition • A backward-going predicate transformer • The weakest liberal precondition for Q is wlp(C, Q) Give an example if and only if for all states ’ where this if C, * ’ then ’ Q gap exists 1 Q wlp(C, Q) C(wlp(C, Q)) P C C(P) 42 Strongest postcondition • A forward-going predicate transformer • The strongest postcondition for P is ’ sp(P, C) if and only if there exists such that P and C, 1* ’ Propositions: 1.