Axiomatic Semantics 1. Language for making assertions about programs Floyd-Hoare Logic 2. Rules for establishing, i.e. proving the assertions Typical kinds of assertions: Ranjit Jhala • This program terminates. UC San Diego • During execution if var z has value 0, then x equals y • All array accesses are within array bounds Some typical languages of assertions: • First-order logic • Other logics (e.g., temporal logic) 1 2 TODAY’S PLAN IMP: An Imperative Language 1. Define a small language syntax and operational 2. Define a logic for verifying assertions semantics 3 4 IMP Syntactic Entities Abstract Syntax: Arith Expressions (Aexp) • Int integer literals n e ::= n for n ∈ Int | x for x ∈ Loc • Bool booleans {true,false} | e1 + e2 for e1, e2 ∈ Aexp | e1 - e2 for e1, e2 ∈ Aexp • Loc locations x,y,z,… | e1 * e2 for e1, e2 ∈ Aexp • Aexp arithmetic expressions e Note: • Variables are not declared • Bexp boolean expressions b • All variables have integer type • There are no side-effects • Comm commands c 5 6 Abstract Syntax: Bool Expressions (Bexp) Abstract Syntax: Commands (Comm) c ::= skip true ::= true | x:= e for x ∈ L & e ∈ Aexp | false | c1;c2 for c1,c2 ∈ Comm | if b then c else c2 for b ∈Bexp & c ,c2∈ Comm | e1 = e2 for e1,e2 ∈ Aexp 1 1 | while b do c for c ∈ Comm & b ∈ Bexp | e1 < e2 for e1,e2 ∈ Aexp | ! b for b ∈ Bexp Note: | b || b for e , e ∈ Bexp • Typing rules embedded in syntax definition 1 2 1 2 – Other checks may not be context-free – need to be specified separately (e.g., variables are declared) | b1 & b2 for e1, e2 ∈ Bexp • Commands contain all the side-effects in the language 7 8 Semantics of IMP : States Operational Semantics of IMP • Meaning of IMP expressions depends on Evaluation judgment for expressions: the values of variables • Ternary relation on expression, a state, and a value: • We write: <e, σ> ⇓ n “Expression e in state σ evaluates to n” • A state σ is a function from Loc to Int – Value of variables at a given moment Q: Why no state on the right ? – Evaluation of expressions has no side-effects: – Set of all states is Σ = Loc -> Int – i.e., state unchanged by evaluating an expression Q: Can we view judgment as a function of 2 args e, σ ? – Only if there is a unique derivation … 9 10 Operational Semantics of IMP Evaluation Rules (for Aexp) Evaluation judgement for commands • Ternary relation on expression, state, and a new state <n, σ> ⇓ n <x, σ> ⇓ σ(x) • We write: <c, σ> ⇓ σ’ “Executing cmd c from state σ takes system into state σ’ ” <e1, σ> ⇓ n1 <e2, σ> ⇓ n2 <e1, σ> ⇓ n1 <e2, σ> ⇓ n2 • Evaluation of a command has effect < , > n + n n - n – but no direct value e1 + e2 σ ⇓ 1 2 <e1 - e2, σ> ⇓ 1 2 – So, “result” of a command is a new state σ’ Note: evaluation of a command may not terminate <e1, σ> ⇓ n1 <e2, σ> ⇓ n2 <e1 * e2, σ> ⇓ n1 * n2 Q: Can we view judgment as a function of 2 args e, σ ? – Only if there is a unique successor state … 11 12 Evaluation Rules (for Bexp) Evaluation Rules (for Comm) <true, σ> ⇓ true <false, σ> ⇓ false <skip , σ> ⇓ σ < > n < > n p is n <n <e1, σ>⇓n1 <e2, σ>⇓n2 p is n1=n2 e1, σ ⇓ 1 e2, σ ⇓ 2 1 2 <e = e , σ> ⇓ p <e < e , σ> ⇓ p 1 2 1 2 <c1, σ> ⇓ σ’ <c2, σ’> ⇓ σ’’ <c1;c2, σ> ⇓ σ’’ <b1, σ> ⇓ p1 <b2, σ> ⇓ p2 <b1, σ> ⇓ p1 <b2, σ> ⇓ p2 <b1 Æ b2, σ> ⇓ p1Æ p2 <b1 Ç b2, σ> ⇓ p1Ç p2 Define σ[x := n] as: <e, σ> ⇓ n <b, σ> ⇓ p σ[x := n](x) = n < , σ> ⇓ σ[ := n] < :b, σ> ⇓ : p x := e x σ[x := n](y) = σ(y) 13 14 Evaluation Rules (for Comm) Axiomatic Semantics 1. Language for making assertions about programs <b, σ> ⇓ true <c1, σ> ⇓ σ’ 2. Rules for establishing, i.e. proving the assertions <if b then c else c , σ> ⇓ σ’ 1 2 Typical kinds of assertions: • This program terminates. • During execution if var z has value 0, then x equals y • All array accesses are within array bounds <b, σ> ⇓ false <c2, σ> ⇓ σ’ <if b then c else c , σ> ⇓ σ’ 1 2 Some typical languages of assertions: • First-order logic • Other logics (e.g., temporal logic) 15 16 History : Program Verification • Tu r i n g 1949: Checking a large routine • Floyd 1967: Assigning meaning to programs • Hoare 1971: An axiomatic basis for computer programming Axiomatic Semantics • Program Verifiers (70’s – 80’s) • PREfix: Symbolic Execution for bug-hunting (WinXP) • Software Validation tools Foundation for Software Verification • Deductive Verifiers: ESCJava, Spec#, Verifast, Y0, ... • Model Checkers: SLAM, BLAST,... • Test Generators: DART, CUTE, EXE,... 17 18 Hoare Triples The Assertion Language • Partial correctness assertion: {A} c {B} • Arith Exprs + First-order Predicate logic If A holds in state σ and exists σ’ s.t. <c, σ >⇓σ’ then B holds in σ’ A ::= true | false • Total correctness assertion: [A] c [B] | e1 = e2 | e1 ¸ e2 If A holds in state σ | ¬ A | A1 && A2 | A1 || A2 | A1 => A2 then there exists σ’ s.t. <c, σ >⇓σ’ and B holds in σ’ | \exists x.A | \forall x.A • [A] is called precondition, [B] is called postcondition • IMP boolean expressions are assertions • Example: { y=x } z := x; z := z+1 { y < z } 19 20 Semantics of Assertions Semantics of Assertions • Judgment σ |= A means assertion holds in given state σ |= true always Formal definition of partial correctness assertion: σ |= e1 = e2 iff <e1, σ> ⇓ n1 , <e2,σ> ⇓ n2 and n1 = n2 |= { A } c { B } σ |= e <= e iff <e , σ> ⇓ n , <e ,σ> ⇓ n and n <= n 1 2 1 1 2 2 1 2 iff σ |= A1 && A2 iff σ |= A1 and σ |= A2 forall σ in Σ. σ |= A σ |= A1 || A2 iff σ |= A1 or σ |= A2 implies [forall σ’ in Σ. <c,σ> ⇓ σ’ implies σ’ |= B] σ |= A1 => A2 iff σ |= A1 implies σ |= A2 σ |= \exists x.A iff for some n in Z. σ[x := n] |= A σ |= \forall x. A iff for all n in Z. σ[x := n] |= A 21 22 Semantics of Assertions Deriving Assertions • Formal |= {A} {B} hard to use • Total correctness assertion: c |= [ A ] c [ B ] iff • Defined in terms of the op-semantics |= { A } c { B } and • Next, symbolic technique (logic) forall σ in Σ. σ |= A implies [exists σ’ in Σ. <c,σ> ⇓ σ] • for deriving valid triples |- {A} c {B} 23 24 Derivation Rules for Hoare Triples Deriv. Rules for Hoare Logic |- {A} c {B} • Write |- {A} c {B} when we can derive the Rules for each language construct triple using derivation rules |- {A} c1 {B} |- {B} c2 {C} |- {A} {A} skip |- {A} c1;c2 {C} • One rule per command |- {A && b} c1 {B} |- {A&& !b} c2 {B} |- {A} if b then c else c {B} • Plus, the rule of consequence: 1 2 A’ => A |- {A} c {B} B => B’ |- {A && b} c {A} |- {A} while b do c {A && !b} |- {[e/x]A} x:=e {A} |- {A’} c {B’} And the rule of consequence… 25 26 Free and Bound Variables Substitution Key idea in logic/PL: scoping & substitution • [e’/x] e is substituting e’ for x in e – Also written as e[e’/x] • Assertions are equivalent up to renaming – Note: only substitute the free occurrences of bound variables (a.k.a. alpha-renaming) • Alpha-rename bound variables to avoid conflicts – To subst. [e’/x] in y.x = y rename y if it occurs in e’ • Examples: ∀ – Result of alpha-renaming: ∀z. e’ = z ∀x.x = x is the same as ∀y.y = y – Rename bound x with y • We say that substitution avoids variable capture ∀x. ∀y.x = y is the same as ∀z. ∀x.z = x [ x/z ] ∀x.z = x is ? – Rename bound x with z and y with x • ∀x.x = x Wrong • ∀y.x = y Correct 27 28 Example: Assignment Example: Conditional Assume x does not appear in e Prove: {true} if y<=0 then x:=1 else x:=y {x>0} Prove |- {true} x:=e { x = e } true & y<=0 =>1>0 |- {1>0} x:=1 {x>0} true & y>0 =>y>0 |- {y>0} x:=y{x>0} Note [e/x](x = e) = e = [e/x]e = e = e |- {true & y<=0} x:=1 {x>0} |- {true & y>0} x:=y {x>0} |- {true} if y<=0 then x:=1 else x:=y {x > 0} Use assignment rule … then conseq. rule • Rule for if-then-else x does not appear in e • Rule for assignment + consequence true => e = e |- {e = e} x:=e {x = e} |- {true} x:=e {x = e} 29 30 Example: Loop Soundness of Axiomatic Semantics • Prove |- {x<=0} while x<=5 do x:=x+1 {x=6} Formal Statement of Soundness: • Use the rule for while with invariant x <= 6: If |- {A} c {B} then |= {A} c {B} |- {x+1<=6} {x<=6} x<=6 & x<=5 => x+1<=6 x:=x+1 Equivalently |- {x<=6 & x<=5} x:=x+1 {x<=6} If H:: |- {A} c {B} then |- {x<=6} while x<=5 do x:=x+1 {x<=6 & x>5} forall σ if σ |= A and D::<c,σ> ⇓ σ’ then σ’ |= B • Finish off with consequence rule: Proof: x<=0 => x<=6 |- {x<=6} W {x<=6 & x>5} x<=6 & x>5 =>x=6 Simultaneous induction on structure of D and H |- {x<=0} W {x = 6} 31 32 Algorithmic Verification Hoare rules mostly syntax directed, but: 1.