Axiomatic Semantics I

Axiomatic Semantics I

Spring 2016 Program Analysis and Verification Lecture 3: Axiomatic Semantics I Roman Manevich Ben-Gurion University Warm-up exercises 1. Define program state: 2. Define structural semantics configurations: 3. Define the form of structural semantics transitions: 2 Tentative syllabus Abstract Program Program Analysis Interpretation Verification Analysis Basics Techniques fundamentals Operational Control Flow Numerical Lattices semantics Graphs Domains Axiomatic Equation Fixed-Points Alias analysis Verification Systems Collecting Chaotic Interprocedural Semantics Iteration Analysis Galois Shape Using Soot Connections Analysis Domain CEGAR constructors Widening/ Narrowing 3 Agenda • Basic concepts of correctness • Axiomatic semantics (pages 175-183) – Motivation – First-order logic reminder – Hoare Logic 4 program correctness 5 Program correctness concepts • Specification = a certain relationship between initial state and final state Main focus of this course • Partial correctness = specifications that hold if the program terminates • Termination = program always terminates – i.e., for every input state partial correctness + termination = total correctness Other correctness concepts exist: liveness, resource usage, … 6 Verifying factorial with structural semantics 7 Structural semantics for While [asssos] x := a, 1 [x Aa] [skipsos] skip, 1 1 S1, 1 S1’, ’ [comp sos] S1; S2, 1 S1’; S2, 2 S1, 1 ’ [comp sos] S1; S2, 1 S2, ’ tt [if sos] if b then S1 else S2, 1 S1, if B b = tt ff [if sos] if b then S1 else S2, 1 S2, if B b = ff while b do S, 1 [whilesos] if b then S; while b do S) else skip, 8 Factorial example Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) • Factorial partial correctness specification = if the statement terminates then the final value of y will be the factorial of the initial value of x – What if x < 0? • Formally, using structural semantics: Sfac, 1* ’ implies ’ y = ( x)! 9 Factorial proof strategy Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) Lemma 1 Lemma 2 Lemma 3 • Lemma 1: if x>1 then y:=y*x; x:=x–1, 1* ’ implies y * ( x)! = ’ y * (’ x)! and ’ x1 • Lemma 2: if x1 then while (x=1) do (y:=y*x; x:=x–1), 1* ’ implies y * ( x)! = ’ y * (’ x)! and ’ x=1 • Lemma 3: if x1 then Sfac, 1* ’ implies ’ y = ( x)! 10 Factorial example: lemma 1 Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) • Lemma 1: if x>1 then y:=y*x; x:=x–1, 1 * ’ implies y * ( x)! = ’ y * (’ x)! and ’ x1 • Proof: Assume x>1 y:=y*x; x:=x–1, 1 x:=x–1, [y y* x] 1 [y y* x, xx–1] = ’ • Now ’ y * (’ x)! = ( y* x) * ( x–1)! = y * ( x)! And since’ x = x-1 we have that ’ x1 • QED 11 Factorial example: lemma 2 Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) • Lemma 2: if x1 then while (x1) do (y:=y*x; x:=x–1), 1* ’ implies y * ( x)! = ’ y * (’ x)! and ’ x=1 • Proof: W, 1 if (x1) then (y:=y*x; x:=x–1); W) else skip, – Case 1: x=1 – Case 2: x1 – meaning x>1 12 Factorial example: lemma 2, case 1 Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) • Lemma 2: if x1 then while (x1) do (y:=y*x; x:=x–1), 1* ’ implies y * ( x)! = ’ y * (’ x)! and ’ x=1 • Proof: W, 1 if (x1) then (y:=y*x; x:=x–1); W) else skip, 1 skip, 1 • Claim holds 13 Factorial example: lemma 2, case 2 Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) • Lemma 2: if x1 then while (x1) do (y:=y*x; x:=x–1), 1* ’ implies y * ( x)! = ’ y * (’ x)! and ’ x=1 • Proof: W, 1 if (x1) then (y:=y*x; x:=x–1); W) else skip, 1 (y:=y*x; x:=x–1); while, 1* while, ’’ 1* ’ • From lemma 1 we have that y * ( x)! = ’ y * (’’ x)! and ’’ x1 • Applying Lemma by induction (case 1 is the base case) gives us that ’’ y * (’’ x)! = ’ y * (’ x)! and ’ x=1 • Combining the two, we get ’ y * (’ x)! = ’’ y * (’’ x)! = y * ( x)! • and ’ x=1 • QED 14 Factorial example: lemma 3 Sfac y:=1; while (x1) do (y:=y*x; x:=x–1) • Lemma 3: if x1 then Sfac, 1* ’ implies ’ y = ( x)! • Proof: • Assume x1 • Now y:=1; W, 1 W, [y1] and [y1] x = x • Therefore, we can apply lemma 2 and obtain W, 1* ’ • [y1] y * ( [y1] x)! = ’ y * (’ x)! and ’ x=1 • Simplifying this yields: • 1 * ( x)! = ’ y * 1! and ’ x=1 • Meaning: ’ y = ( x)! • QED 15 How easy was that? • Proof is very laborious – Need to connect all transitions and argue about relationships between their states – Reason: too closely connected to semantics of programming language • Proof is long – Makes it hard to find possible mistakes • How did we know to find this proof? – Is there a methodology? 16 Can you I’ll use prove my operational program semantics correct? Better use axiomatic verification 17 One of the oldest surviving fragments of Euclid's Elements, a textbook used for millennia to teach proof-writing techniques. The diagram accompanies Book II, Proposition 5 "P. Oxy. I 29" by Euclid - http://www.math.ubc.ca/~cass/Euclid/papyrus/tha.jpg. Licensed under Public Domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:P._Oxy._I_29.jpg#/media/File:P._Oxy._I_29.jpg 18 A systematic approach to program verification 19 Axiomatic verification approach • What do we need in order to prove that the program does what it supposed to do? • A language to express specifications • Compare the behavior with the one obtained by the operational semantics • Develop a proof system for showing that the program satisfies the specification • Mechanically use the proof system to show correctness 20 Axiomatic semantics contributors Robert Floyd C.A.R. Hoare Edsger W. Dijkstra 1967: use assertions 1969: use Floyd’s ideas Predicate transformer as foundation for static to define axiomatic semantics: weakest correctness proofs semantics precondition and “An axiomatic basis for strongest postcondition computer programming” 21 Assertions, a.k.a Hoare triples { P } C { Q } statement precondition a.k.a command postcondition • P and Q are state predicates expressed as logical formulas – Example: x>0 • If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts • C is not required to always terminate {true} while true do skip {false} 22 Total correctness assertions [ P ] C [ Q ] • If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 23 Specifying correctness of factorial 24 Factorial example: specify precondition/postcondition { ? } y := 1; while (x=1) do (y := y*x; x := x–1) { ? } 25 First attempt We need a way to “remember” value of x before execution { x>0 } y := 1; while (x=1) do (y := y*x; x := x–1) { y=x! } Holds only for value of x at state after execution finishes 26 Fixed assertion A logical variable, must not appear in statements – immutable. Also called a ghost variable. { x=n } y := 1; while (x=1) do (y := y*x; x := x–1) { y=n! n>0 } 27 The proof outline Background axiom { x>0 x=n } { n!=n*(n-1)! } y := 1; { x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { y*x!=n! n>0 x=1 } 28 Factorial spec and proof in Dafny online function Factorial(n: int): int requires n >= 1 { if n == 1 then 1 else n * Factorial(n - 1) } method ComputeFactorial(n: int) returns (y: int) requires n >= 1 ensures y == Factorial(n) { var x := n; y := 1; while x != 1 invariant y * Factorial(x) == Factorial(n) decreases x { y := y * x; x := x - 1; } } 29 Formalizing partial correctness via hoare logic 30 States and predicates • – program states (State) – undefined P • A state predicate P is a (possibly infinite) set of states • P – P holds in state 31 Formalizing Hoare triples ’ if C, 1*’ Q Ssos C = else P C(P) C ’ • { P } C { Q } – , ’ . ( P C, 1* ’) ’ Q alternatively – Convention: P for all P . P SsosC Q 32 How do we express predicates? • Extensional approach – Abstract mathematical functions P : State {tt, ff} • Intensional approach – via language of formulae 33 An assertion language • Bexp is not expressive enough to express predicates needed for many proofs – Extend Bexp • Allow quantification – z. … – z. … • z. z = kn • Import well-known mathematical concepts – n! n (n-1) 2 1 34 An assertion language Either a program variables or a logical variable a ::= n | x | a1 + a2 | a1 a2 | a1 – a2 A ::= true | false | a1 = a2 | a1 a2 | A | A1 A2 | A1 A2 | A1 A2 | z. A | z. A 35 Some FO logic definitions before we get to the rules 36 Free/bound variables • A variable is said to be bound in a formula when it occurs in the scope of a quantifier Otherwise it is said to be free – i. k=im – (i+10077)i. j+1=i+3) • FV(A) the free variables of A • Defined inductively on the abstract syntax tree of A 37 Computing free variables FV(n) {} FV(x) {x} FV(a1+a2) FV(a1a2) FV(a1-a2) FV(a1) FV(a2) FV(true) FV(false) {} FV(a1=a2) FV(a1a2) FV(a1) FV(a2) FV(A) FV(A) FV(A1 A2) FV(A1 A2) FV(A1 A2) FV(a1) FV(a2) FV(z.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    57 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us