Spring 2014
Program Analysis and Verification
Lecture 5: Axiomatic Semantics II
Roman Manevich
Ben-Gurion University
Syllabus
Semantics
Natural
Semantics
Static
Analysis
Automating
Hoare Logic
Abstract
Interpretation
fundamentals
Analysis
Techniques
Crafting your
own
Lattices
Numerical
Domains
Soot
Structural
semantics
Galois
Connections
CEGAR
From proofs to
abstractions
Axiomatic
Verification
Fixed-Points
Alias analysis
Systematically
developing
transformers
Widening/
Narrowing
Shape
Analysis
Domain
constructors
Interprocedural
Analysis
2
Previously
• Basic notions of correctness
• Formalizing Hoare triples
• FO logic
– Free variables
– Substitutions
• Hoare logic rules
3
States and predicates
•
– program states
– undefined
• A state predicate P is a
(possibly infinite) set
of states
•  P
P

– P holds in state 
4
Formalizing Hoare triples
Sns C 
=
’
• {P}C{Q}
if C, 
else
Q
’
P

C(P)
C
’
. ( P C,  ’) ’ Q
alternatively
– 
. ( P Sns C 
) Sns C  Q
– Convention:
P for all P

.  P Sns C  Q
–
, ’
5
An assertion language
Either a program variables
or a logical variable
a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
A ::= true | false
| a1 = a2 | a1 a2 | A | A1 A2 | A1
| A1 A2 | z. A | z. A
A2
6
Free/bound variables
• A variable is said to be bound in a formula
when it occurs in the scope of a quantifier.
Otherwise it is said to be free
– i. k=im
– (i+10077)i. j+1=i+3)
• FV(A)  the free variables of A
• Defined inductively on the abstract syntax tree
of A
7
Free variables
FV(n) {}
FV(x) {x}
FV(a1+a2) FV(a1 a2) FV(a1-a2) FV(a1)
FV(a2)
FV(true) FV(false) {}
FV(a1=a2) FV(a1 a2) FV(a1) FV(a2)
FV( A) FV(A)
FV(A1 A2) FV(A1 A2) FV(A1 A2)
FV(a1) FV(a2)
FV( z. A) FV( z. A) FV(A) \ {z}
8
Substitution
What if t is not pure?
• An expression t is pure (a term) if it does not
contain quantifiers
• A[t/z] denotes the assertion A’ which is the
same as A, except that all instances of the free
variable z are replaced by t
• A i. k=i m
A[5/k] = …?
A[5/i] = …?
9
Calculating substitutions
n[t/z] = n
x[t/z] = x
x[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z]
(a1 a2)[t/z] = a1[t/z] a2[t/z]
(a1 - a2)[t/z] = a1[t/z] - a2[t/z]
10
Calculating substitutions
true[t/x] = true
false[t/x] = false
(a1 = a2)[t/z] = a1[t/z] = a2[t/z]
(a1 a2)[t/z]
= a1[t/z] a2[t/z]
( A)[t/z] = (A[t/z])
(A1 A2)[t/z]
= A1[t/z] A2[t/z]
(A1 A2)[t/z]
= A1[t/z] A2[t/z]
(A1 A2)[t/z]
= A1[t/z] A2[t/z]
(
(
(
(
z. A)[t/z] = z. A
z. A)[t/y] = z. A[t/y]
z. A)[t/z] = z. A
z. A)[t/y] = z. A[t/y]
11
Today
•
•
•
•
•
The rules
Inference system
Annotating programs with proofs
Properties of the semantics
Weakest precondition calculus
12
FO Logic reminder
• We write A B if for all states 
if  A then  B
– { |  A } { |  B }
– For every predicate A: false
• We write A
– false
B if A
A
B and B
true
A
5=7
• In writing Hoare-style proofs, we will often
replace a predicate A with A’ such that A A’
and A’ is “simpler”
13
six are
completely
enough
the rules
14
Axiomatic semantics for While
[assp] { P[a/x] } x := a { P }
Notice similarity
to natural
semantics rules
[skipp] { P } skip { P }
{ P } S1 { Q }, { Q } S2 { R }
[compp]
{ P } S1; S2 { R }
{b
P } S1 { Q }, { b P } S2 { Q
}
[ifp]
{ P } if b then S1 else S2 { Q }
What’s different
about this rule?
[whilep]
[consp]
{b P}S{P}
{ P } while b do S { b
{ P’ } S { Q’ }
{P}S{Q}
P}
if P P’ and Q’ Q
15
Assignment rule
[assp]
{ P[a/x] } x := a { P }
• A “backwards” rule
• x := a always finishes
• Why is this true?
– Recall operational semantics:
[assns]
x := a, 
[x A a ]
P
[x A a ]
• Example: {y*z<9} x:=y*z {x<9}
What about {y*z<9 w=5} x:=y*z {w=5}?
16
skip rule
[skipp] { P } skip { P }
[skipns] skip, 

17
Composition rule
{ P } S1 { Q }, { Q } S2 { R }
[compp]
{ P } S1; S2 { R }
S1,  ’, S2, ’ ’’
[compns]
S1; S2,  ’’
• Holds when S1 terminates in every state where P
holds and then Q holds
and S2 terminates in every state where Q holds
and then R holds
18
Condition rule
{ b P } S1 { Q }, { b P } S2 { Q }
[ifp]
{ P } if b then S1 else S2 { Q }
[ifttns]
S1,  ’
if b then S1 else S2, 
[ifffns]
S2,  ’
if b then S1 else S2, 
’
’
if B
if B
b  = tt
b  = ff
19
Loop rule
{b P}S{P}
[whilep] { P } while b do S { b
}
[whileffns]
while b do S,   
[whilettns]
S,   ’, while b do S, ’
while b do S,  ’’
if B
’’ if B
P
b  = ff
b  = tt
• Here P is called an invariant for the loop
– Holds before and after each loop iteration
– Finding loop invariants – most challenging part of proofs
• When loop finishes, b is false
20
Rule of consequence
{ P’ } S { Q’ }
[consp]
{P}S{Q}
if P P’ and Q’ Q
• Allows strengthening the precondition and
weakening the postcondition
• The only rule that is not related to a statement
21
Rule of consequence
{ P’ } S { Q’ }
[consp]
{P}S{Q}
if P P’ and Q’ Q
• Why do we need it?
• Allows the following
{y*z<9} x:=y*z {x<9}
{y*z<9 w=5} x:=y*z {x<10}
22
Axiomatic semantics
as an inference system
23
Inference trees
• Similar to derivation trees of natural
semantics
• Leaves are …?
• Internal nodes correspond to …?
24
Inference trees
• Similar to derivation trees of natural
semantics
• Leaves are …?
• Internal nodes correspond to …?
• Inference tree is called
– Simple if tree is only an axiom
– Composite otherwise
25
Provability
• We say that an assertion { P } C { Q } is
provable if there exists an inference tree
– Written as p { P } C { Q }
– Are inference trees unique?
{true} x:=1; x:=x+5 {x 0}
• Proofs of properties of axiomatic semantics
use induction on the shape of the inference
tree
– Example: prove
p
{ P } C { true } for any P and C
26
Factorial proof inference tree
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n!
n>0 }
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0
will show
later
(y  x! = n!
[comp]
n
x)
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{ INV[x-1/x] } x:=x-1 {INV}
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
[cons]
{ x1
[while]
[cons]
{ INV[1/y] } y:=1 { INV }
{ x=n } y:=1 { INV }
INV } y:=y*x; x:=x–1 { INV
}
{ INV } W { x=1 INV }
[cons]
{ INV } W { y=n!
n>0 }
[comp]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n!
n>0 }
27
Annotating programs
with proofs
28
Annotated programs
• A streamlined version of inference trees
– Inline inference trees into programs
– A kind of “proof carrying code”
– Going from annotated program to proof tree is a
linear time translation
29
Annotating composition
• We can inline inference trees into programs
• Using proof equivalence of S1; (S2; S3) and (S1; S2); S3
instead writing deep trees, e.g.,
{P} S1 {P’} {P’} S2 {P’’}
{P’’} S3 {P’’’} {P’’’} S4 {P’’}
{P} (S1; S2) {P’’}
{P’’} (S3 ; S4) {Q}
{P} (S1; S2); (S3 ; S4) {Q}
• We can annotate a composition S1; S2;…; Sn by
{P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}
30
Annotating conditions
{ b P } S1 { Q }, { b P } S2 { Q }
[ifp]
{ P } if b then S1 else S2 { Q }
{P}
if b then
{b P}
S1
else
{ b
S2
P}
{Q}
31
Annotating conditions
{ b P } S1 { Q }, { b P } S2 { Q }
[ifp]
{ P } if b then S1 else S2 { Q }
{P}
if b then
{b P}
S1
{ Q1 }
else
{ b P}
S2
{ Q2 }
{Q}
Usually Q is the result of using
the consequence rule, so a more
explicit annotation adds the
postcondition of each branch
32
Annotating loops
{b P}S{P}
[whilep] { P } while b do S { b
}
P
{P}
while b do
{b P}
S
{ b P}
33
Annotating loops
{b P}S{P}
[whilep] { P } while b do S { b
}
{P}
while b do
{b P}
S
{ P’ }
{ b P}{Q}
P
P’ implies P
b
P implies Q
34
Annotating loops
{b P}S{P}
[whilep] { P } while b do S { b
}
{P}
while b do
{b P}
S
{ b P}
P
Source of confusion
35
Annotating loops – alternative 1
{b P}S{P}
[whilep] { P } while b do S { b
}
P
while { P } b do
{b P}
S
{ b P}
36
Annotating loops – alternative 2
{b P}S{P}
[whilep] { P } while b do S { b
}
Inv = { P }
while b do
{b P}
S
{ b P}
P
We will take this alternative in
our examples and homework
assignments
37
Annotating formula transformations
• We often rewrite formulas
– To make proofs more readable
– Using logical identities
– Import theorems
{}
{ ’ } // transformation 1
{ ’’ } // transformation 2
38
Annotated programs: factorial
{ x=n }
y := 1;
Inv = { x>0
y*x!=n!
n x }
while (x=1) do
{ x-1>0
(y*x)*(x-1)!=n!
n (x-1) }
y := y*x;
{ x-1>0
y*(x-1)!=n!
n (x-1) }
x := x–1
{ y*x!=n!
n>0 }
• Contrast with proof via natural semantics
• Where did the inductive argument over loop iterations go?
39
Detailed proof steps
{ x=n }
y := 1;
{ x=n
y=1 }
Inv = { x>0
y*x!=n!
n x }
while (x=1) do
{ x1
(x>0
y*x!=n!
n x) }
{ x1
(x>0
(y*x)*(x-1)!=n!
n x) } // Factorial
{ x1
(x>0
(y*x)*(x-1)!=n!
n (x-1) } // Cons
{ x-1>0
(y*x)*(x-1)!=n!
n (x-1) } // Cons
y := y*x;
{ x-1>0
y*(x-1)!=n!
n (x-1) }
x := x–1
{ x>0
y*x!=n!
n x }
{ y*x!=n!
n>0 }
40
Properties of the semantics
41
Properties of the semantics
Equivalence
– What is the analog of program
equivalence in axiomatic verification?
Soundness
– Can we prove incorrect properties?
By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
Completeness
– Is there something we can’t prove?
42
Provable equivalence
• We say that C1 and C2 are provably equivalent
if for all P and Q
p { P } C1 { Q } if and only if p { P } C2 { Q }
• Examples:
– S; skip and S
– S1; (S2; S3) and (S1; S2); S3
43
S1; (S2; S3) is provably equivalent to (S1; S2); S3
{P’} S2 {P’’} {P’’} S3 {Q}
{P} S1 {P’}
{P’} (S2; S3) {Q}
{P} S1; (S2; S3) {Q}
{P} S1 {P’} {P’} S2 {P’’}
{P} (S1; S2) {P’’}
{P’’} S3 {Q}
{P} (S1; S2); S3 {Q}
44
Valid assertions
• We say that { P } C { Q } is valid
if for all states , if  P and C,  ’
then ’ Q
• Denoted by p { P } C { Q }
Q
P

C(P)
C
’
45
Soundness and completeness
• The inference system is sound:
–
p
{ P } C { Q } implies
p
{P}C{Q}
By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• The inference system is complete:
–
p
{ P } C { Q } implies
p
{P}C{Q}
46
Weakest precondition
calculus
47
From inference to calculus
• A Hoare-style proof is declarative
– You can check that a proof is correct
• Is there a more operative approach to
producing proofs?
– Weakest precondition calculus
– Strongest postcondition calculus
• WP/SP provide limits for Hoare triples
• WP helps prove that Hoare logic is relatively
complete
48
Weakest liberal precondition
• A backward-going predicate transformer
• The weakest liberal precondition for Q is
 wlp(C, Q)
if and only if for all states ’
if C,  ’ then ’ Q
Propositions:
1. p { wlp(C, Q) } C { Q }
2. If p { P } C { Q } then P
wlp(C, Q)
49
Weakest liberal precondition
• A backward-going predicate transformer
• The weakest liberal precondition for Q is
 wlp(C, Q)
if and only if for all states ’
if C,  ’ then ’ Q
Q
wlp(C, Q)
P
C
C(wlp(C, Q))
C(P)
50
Strongest postcondition
• A forward-going predicate transformer
• The strongest postcondition for P is
’ sp(P, C)
if and only if there exists  such that
 P and C,  ’
Propositions:
1. p { P } C { sp(P, C) }
2. If p { P } C { Q } then sp(P, C)
Q
51
Predicate transformer semantics
• wlp and sp can be seen functions that transform
predicates to other predicates
– wlp C : Predicate  Predicate
{ P } C { Q } if and only if wlp C Q = P
– sp C : Predicate  Predicate
{ P } C { Q } if and only if sp C P = Q
52
Is Hoare logic complete?
• Extensional approach: yes
• Proving
p { P } C { Q } implies p { P } C { Q }
boils down to proving
p { wlp(C, Q) } C { Q }
• See proof in book
53
Is Hoare logic complete?
• Intentional approach: no
• Only as complete as the logic of assertions
• Requires that we are able to prove the validity of
assertions that occur in the rule of consequence
• Relative completeness of Hoare logic (Cook 1974)
{ P’ } S { Q’ }
[consp]
{P}S{Q}
if P P’ and Q’ Q
54
Calculating Weakest
preconditions
55
Calculating wlp
1.
2.
3.
4.
wlp(skip, Q) = Q
wlp(x := a, Q) = Q[a/x]
wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))
wlp(if b then S1 else S2, Q) =
(b wlp(S1, Q))
( b wlp(S2, Q))
5. wlp(while b do S, Q) = … ?
hard to capture
56
Calculating wlp of a loop
Idea: we know the following statements are semantically equivalent
while b do S
if b do (S; while b do S) else skip
Let’s try to substitute and calculate on
wlp(while b do S, Q) =
wlp(if b do (S; while b do S) else skip, Q) =
(b
wlp(S; while b do S, Q))
(b
wlp(S, wlp(while b do S, Q)))
LoopInv = (b
wlp(S, LoopInv))
( b
( b
wlp(skip, Q)) =
( b
Q)
The loop invariant
Q)
We have a recurrence
57
Write a specification
{ ? }
while (timer > 0) do
timer := timer – 1
{ ? }
• “The program should count to zero”
58
Prove the following triple
{ timer
0 }
while (timer > 0) do
timer := timer – 1
{ timer = 0 }
• LoopInv = (b wlp(S, LoopInv))
( b Q)
• Let’s substitute LoopInv with timer 0
• Show that timer 0 is equal to
(timer>0 wlp(timer:=timer-1, timer 0))
(timer 0 timer=0)
= (timer>0 (timer 0)[timer-1/timer])
(timer 0 timer=0)
= (timer>0 timer-1 0)
(timer 0 timer=0)
= timer>0 timer=0
= timer 0
59
Issues with wlp-based proofs
• Requires backwards reasoning – not very
intuitive
• Backward reasoning is non-deterministic –
causes problems when While is extended with
dynamically allocated heaps (aliasing)
• Also, a few more rules will be helpful
60
Making the proof system
more practical
61
Conjunction rule
{P}S{Q}
{ P’ } S { Q’ }
[conjp]
{ P P’ } S {Q Q’ }
• Not necessary (for completeness) but practically
useful
• Starting point of extending Hoare logic to handle
parallelism
• Related to Cartesian abstraction
– Will point this out when we learn it
62
Breaks if C is nondeterministic
More rules exist
{P}C{Q}
{ P’ } C { Q’ }
[disjp]
{ P P’ } C {Q Q’ }
{P}C{Q}
[existp] { v. P } C { v. Q v FV(C
}
)
{P}C{Q}
v FV(C
[univp]
{ v. P } C { v. Q }
)
[Invp] { F } C { F } Mod(C) FV(F)={}
• Mod(C) = set of variables assigned to in sub-statements of C
• FV(F) = free variables of F
63
Invariance + Conjunction = Constancy
{P}C{Q}
[constancyp]
Mod(C)
{F P}C{F Q}
FV(F)={}
• Mod(C) = set of variables assigned to in sub-statements of C
• FV(F) = free variables of F
64
Next lecture:
axiomatic semantics part 3