Spring 2017
Program Analysis and Verification
Lecture 4: Axiomatic Semantics II
Roman Manevich
Ben-Gurion University
Tentative syllabus

Columns: Program Verification | Program Analysis Basics | Abstract Interpretation fundamentals | Analysis Techniques

Topics (in table order): Operational semantics, Control Flow Graphs, Lattices, Numerical Domains, Hoare Logic, Equation Systems, Fixed-Points, Alias analysis, Applying Hoare Logic, Collecting Semantics, Chaotic Iteration, Interprocedural Analysis, Predicate Calculus, Using Soot, Galois Connections, Shape Analysis, Proving Termination, Domain constructors, CEGAR, Data structures, Widening/Narrowing
Previously
• Basic notions of correctness
• Formalizing Hoare triples
• FO logic
– Free variables
– Substitutions
• Hoare logic rules
Warm-up exercises

1. Define program state:
2. Define state predicate:
3. Define  P
4. Formalize {P} C {Q} via structural semantics:
5. FV( m. x=k+1 0 m x-1  nums(m) res) = { }
6. ( m. x=k+1 0 m x-1  nums(m) res)[x+1/x] =
Agenda
• Inference system
• Annotating programs with proofs
• Properties of the semantics
Chapter 6
Axiomatic semantics as an inference system
Inference trees
• Trees describing rule applications that ultimately prove a program correct
• Leaves are axiom applications
• Internal nodes correspond to rule applications over triples inferred from sub-trees
• An inference tree is called
– Simple if the tree is only an axiom
– Composite otherwise
Factorial proof inference tree

Goal: { x=n } y:=1; while (x≠1) do (y:=y*x; x:=x–1) { y=n! ∧ n>0 }
W = while (x≠1) do (y:=y*x; x:=x–1)
INV = x > 0 → (y ⋅ x! = n! ∧ n ≥ x)

The tree, read from the leaves (assignment axioms) to the root:

  { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }        (axiom)
  { INV[x-1/x] } x:=x-1 { INV }                       (axiom)
[comp]  { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 { INV }
[cons]  { x≠1 ∧ INV } y:=y*x; x:=x–1 { INV }          (the implication x≠1 ∧ INV → INV[x-1/x][y*x/y] will be shown later)
[while] { INV } W { x=1 ∧ INV }
[cons]  { INV } W { y=n! ∧ n>0 }

  { INV[1/y] } y:=1 { INV }                           (axiom)
[cons]  { x=n } y:=1 { INV }

[comp]  { x=n } y:=1; while (x≠1) do (y:=y*x; x:=x–1) { y=n! ∧ n>0 }
Provability
• We say that an assertion { P } C { Q } is provable if there exists an inference tree
– Written as ⊢p { P } C { Q }
– Are inference trees unique?
  {true} x:=1; {P} x:=x+5 {x 0}
– Exercise: what is the strongest P?
– Exercise: what is the weakest P?
• Where does the non-determinism come from?
Annotating programs with proofs
Annotated programs
• A streamlined version of inference trees
– Inline inference trees into programs
– A kind of “proof carrying code”
– Going from an annotated program to a proof tree is a linear time translation
Annotating composition
• We can inline inference trees into programs
• Using proof equivalence of S1; (S2; S3) and (S1; S2); S3 instead of writing deep trees, e.g.,

    {P} S1 {P’}  {P’} S2 {P’’}      {P’’} S3 {P’’’}  {P’’’} S4 {Q}
    --------------------------      ----------------------------
        {P} (S1; S2) {P’’}               {P’’} (S3 ; S4) {Q}
    ----------------------------------------------------------
                    {P} (S1; S2); (S3 ; S4) {Q}

• We can annotate a composition S1; S2; …; Sn by
    {P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}
Annotating conditions

         { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
[if_p]   ----------------------------------------
         { P } if b then S1 else S2 { Q }

{P}
if b then
  {b ∧ P}
  S1
else
  {¬b ∧ P}
  S2
{Q}
Annotating conditions

         { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
[if_p]   ----------------------------------------
         { P } if b then S1 else S2 { Q }

{P}
if b then
  {b ∧ P}
  S1
  { Q1 }
else
  {¬b ∧ P}
  S2
  { Q2 }
{Q}

The corresponding tree: Q1 and Q2 are weakened to Q by [cons] before [if_p] applies:

  { b ∧ P } S1 { Q1 }        { ¬b ∧ P } S2 { Q2 }
  [cons]                     [cons]
  { b ∧ P } S1 { Q }         { ¬b ∧ P } S2 { Q }
[if_p]  ---------------------------------------
  { P } if b then S1 else S2 { Q }
Annotating loops

            { b ∧ P } S { P }
[while_p]   ------------------------------
            { P } while b do S { ¬b ∧ P }

{P}
while b do
  {b ∧ P}
  S
  {P}
{¬b ∧ P}
Annotating loops

            { b ∧ P } S { P }
[while_p]   ------------------------------
            { P } while b do S { ¬b ∧ P }

{P}
while b do
  {b ∧ P}
  S
  { P’ }
{¬b ∧ P}
{Q}

P’ implies P
¬b ∧ P implies Q
Annotating loops

            { b ∧ P } S { P }
[while_p]   ------------------------------
            { P } while b do S { ¬b ∧ P }

{P}
while b do
  {b ∧ P}
  S
  {P}          ← source of confusion
{¬b ∧ P}
Annotating loops – alternative 1

            { b ∧ P } S { P }
[while_p]   ------------------------------
            { P } while b do S { ¬b ∧ P }

while { P } b do
  {b ∧ P}
  S
  {P}
{¬b ∧ P}
Annotating loops – alternative 2

            { b ∧ P } S { P }
[while_p]   ------------------------------
            { P } while b do S { ¬b ∧ P }

Inv = { P }
while b do
  {b ∧ P}
  S
  {P}
{¬b ∧ P}

We will take this alternative in our examples and homework assignments
Annotating formula transformations
• We often rewrite formulas
– To make proofs more readable
– Using logical/mathematical identities
– Imported mathematical theorems
{}
{ ’ } // transformation 1
{ ’’ } // transformation 2
Exercising Hoare logic
Exercise 1: variable swap – specify

{ ? }
t := x
x := y
y := t
{ ? }
Exercise 1: Prove using Hoare logic

{ x=a ∧ y=b }
t := x
{ ? }
x := y
{ ? }
y := t
{ x=b ∧ y=a }
Exercise 1: Prove using Hoare logic

{ x=a ∧ y=b }
t := x
{ t=a ∧ y=b }
x := y
{ x=b ∧ t=a }
y := t
{ x=b ∧ y=a }
Absolute value program

if x<0 then
  x := -x
else
  skip

Note: "if b then S" is syntactic sugar for "if b then S else skip"; the latter form is easier to reason about.
Absolute value program – specify

{ ? }
if x<0 then
  x := -x
else
  skip
{ ? }
Absolute value program – specify

{ x=v }
if x<0 then
  x := -x
else
  skip
{ x=|v| }
Exercise 2: Prove using Hoare logic

{ x=v }
{ }
if x<0 then
  { }
  x := -x
  { }
else
  { }
  skip
  { }
{ x=|v| }
Exercise 2: Prove using Hoare logic

{ x=v }
{ (-x=|v| ∧ x<0) ∨ (x=|v| ∧ x≥0) }
if x<0 then
  { -x=|v| }
  x := -x
  { x=|v| }
else
  { x=|v| }
  skip
  { x=|v| }
{ x=|v| }
Annotated programs: factorial

{ x=n }
y := 1;
Inv = { x>0 → (y*x!=n! ∧ n≥x) }
while ¬(x=1) do
  { x-1>0 → ((y*x)*(x-1)!=n! ∧ n≥(x-1)) }
  y := y*x;
  { x-1>0 → (y*(x-1)!=n! ∧ n≥(x-1)) }
  x := x–1
{ y*x!=n! ∧ n>0 }

• Contrast with the proof via structural semantics
• Where did the inductive argument over loop iterations go?
Detailed proof steps

{ x=n }
y := 1;
{ x=n ∧ y=1 }
Inv = { x>0 → (y*x!=n! ∧ n≥x) }
while ¬(x=1) do
  { x≠1 ∧ (x>0 → (y*x!=n! ∧ n≥x)) }
  => ?
  { x>1 → (y*x!=n! ∧ n≥(x-1)) }
  y := y*x;
  { x-1>0 → (y*(x-1)!=n! ∧ n≥(x-1)) }
  x := x–1
  { x>0 → (y*x!=n! ∧ n≥x) }
{ y*x!=n! ∧ n>0 }
Detailed proof of implication

{ x≠1 ∧ (x>0 → (y*x!=n! ∧ n≥x)) }
=> relax inequality
{ x≠1 ∧ (x>0 → (y*x!=n! ∧ n≥(x-1))) }
=> use logical identity A→B equals ¬A∨B
{ x≠1 ∧ (x≤0 ∨ (y*x!=n! ∧ n≥(x-1))) }
=> distribute ∧ over ∨
{ (x≠1 ∧ x≤0) ∨ (x≠1 ∧ y*x!=n! ∧ n≥(x-1)) }
=> x≤0 subsumes x≠1 ∧ x≤0
{ x≤0 ∨ (x≠1 ∧ y*x!=n! ∧ n≥(x-1)) }
=> weaken conjunction by removing x≠1
{ x≤0 ∨ (y*x!=n! ∧ n≥(x-1)) }
=> relax x≤0 into x≤1
{ x≤1 ∨ (y*x!=n! ∧ n≥(x-1)) }
=> use logical identity A→B equals ¬A∨B
{ ¬x≤1 → (y*x!=n! ∧ n≥(x-1)) }
=> write ¬x≤1 as x>1
{ x>1 → (y*x!=n! ∧ n≥(x-1)) }
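To make the annotated-program discipline of the last slides concrete, here is a small checker (an added example, not code from the lecture or its textbook): it generates the side conditions that the [cons] steps of an annotated proof must discharge, using the assignment, composition and conditional rules and the Inv = {P} loop annotation, and checks them by exhaustive evaluation over a small constructed integer domain, a bounded stand-in for the validity definition of the "Valid assertions" slide since no theorem prover is used. The dict-based state, the tuple encoding of programs and the domain bounds are assumptions of the example.

```python
import itertools
from math import factorial

# Assertions are Python predicates over a state dict {var: int}; expressions map a state
# to an int.  P[e/x] is realised semantically: evaluate P on the state with x set to e.
def subst(P, x, e):
    return lambda s: P({**s, x: e(s)})

def vcgen(S, Q):
    """Precondition and side conditions (VCs) for annotated program S with post Q."""
    kind = S[0]
    if kind == "skip":
        return Q, []
    if kind == "assign":  # {Q[e/x]} x := e {Q}
        return subst(Q, S[1], S[2]), []
    if kind == "seq":  # {P} S1 {R}, {R} S2 {Q}  =>  {P} S1; S2 {Q}
        R, vc2 = vcgen(S[2], Q)
        P, vc1 = vcgen(S[1], R)
        return P, vc1 + vc2
    if kind == "if":  # {b ∧ P} S1 {Q}, {¬b ∧ P} S2 {Q}  =>  {P} if b then S1 else S2 {Q}
        b, (P1, vc1), (P2, vc2) = S[1], vcgen(S[2], Q), vcgen(S[3], Q)
        return (lambda s: P1(s) if b(s) else P2(s)), vc1 + vc2
    if kind == "while":  # Inv = {P} while b do S {¬b ∧ P}, then [cons] to reach Q
        b, inv, (P, vcs) = S[1], S[2], vcgen(S[3], S[2])
        return inv, vcs + [("inv ∧ b ⇒ wp(body, inv)", lambda s: not (inv(s) and b(s)) or P(s)),
                           ("inv ∧ ¬b ⇒ Q", lambda s: not (inv(s) and not b(s)) or Q(s))]
    raise ValueError(kind)

def check(pre, S, Q, domain):
    """Bounded validity: every VC must hold on all states of the finite domain; returns failures."""
    P, vcs = vcgen(S, Q)
    vcs = [("pre ⇒ wp(S, Q)", lambda s: not pre(s) or P(s))] + vcs
    failures = []
    for label, vc in vcs:
        for vals in itertools.product(*domain.values()):
            s = dict(zip(domain, vals))
            if not vc(s):
                failures.append((label, s)); break
    return failures

# The factorial program of the slides with Inv = x>0 → (y*x! = n! ∧ n ≥ x).
def fact(k): return factorial(k) if k >= 0 else 0  # k! is only meaningful for k ≥ 0
INV = lambda s: s["x"] <= 0 or (s["n"] >= s["x"] and s["y"] * fact(s["x"]) == fact(s["n"]))
FACT = ("seq", ("assign", "y", lambda s: 1),
        ("while", lambda s: s["x"] != 1, INV,
         ("seq", ("assign", "y", lambda s: s["y"] * s["x"]), ("assign", "x", lambda s: s["x"] - 1))))
DOM = {"x": range(-2, 6), "y": range(-2, 25), "n": range(-2, 6)}  # constructed bounded domain
def factorial_failures(inv=INV):  # pass a different invariant to see which VC breaks
    prog = FACT[:2] + (("while", FACT[2][1], inv, FACT[2][3]),)
    return check(lambda s: s["x"] == s["n"], prog, lambda s: s["n"] > 0 and s["y"] == fact(s["n"]), DOM)
```

factorial_failures() returns [] for the lecture's invariant; passing the weaker invariant x>0 → y*x! = n! (dropping n ≥ x) makes the loop-exit condition fail, which shows why that conjunct is needed to conclude n>0 after the loop.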
Properties of the semantics

Properties of the semantics
• Equivalence
– What is the analog of program equivalence in axiomatic verification?
• Soundness
– Can we prove incorrect properties?
• Completeness
– Is there something we can’t prove?
Proving properties of axiomatic semantics
• Examples
– ⊢p { P } C { true } for any P and C
– ⊢p { false } C { P } for any P and C
• By induction on the shape of the inference tree
Provable equivalence
• We say that C1 and C2 are provably equivalent if for all P and Q
  ⊢p { P } C1 { Q } if and only if ⊢p { P } C2 { Q }
• Examples:
– S; skip and S
– S1; (S2; S3) and (S1; S2); S3
S1; (S2; S3) is provably equivalent to (S1; S2); S3

Without consequence rule applications:

       T1              T2               T3
  {P} S1 {P’}    {P’} S2 {P’’}    {P’’} S3 {Q}
                 -----------------------------
                      {P’} (S2; S3) {Q}
  --------------------------------------------
             {P} S1; (S2; S3) {Q}

       T1              T2               T3
  {P} S1 {P’}    {P’} S2 {P’’}    {P’’} S3 {Q}
  ----------------------------
       {P} (S1; S2) {P’’}
  --------------------------------------------
             {P} (S1; S2); S3 {Q}
Compressing chains of consequences
• A chain of consequence rules can be compressed into a single application, since Pn ⇐ … ⇐ P1 and Q1 ⇐ … ⇐ Qn:

        {Pn} S {Qn}
  cons  -----------
            …
  cons  -----------
        {P1} S {Q1}

becomes

        {Pn} S {Qn}
  cons  -----------
        {P1} S {Q1}
S1; (S2; S3) is provably equivalent to (S1; S2); S3

With consequence rule applications (chains already compressed). A proof of {P} S1; (S2; S3) {Q} built from sub-trees T1, T2, T3:

  T1:   {P3} S1 {P5}
  T2:   {P5} S2 {P4}            cons  {P5} S2 {P2}
  T3:   {P2} S3 {Q1}
  seq   {P5} (S2; S3) {Q1}      cons  {P5} (S2; S3) {Q}
  seq   {P3} S1; (S2; S3) {Q}
  cons  {P1} S1; (S2; S3) {Q}
  cons  {P} S1; (S2; S3) {Q}

The same sub-trees rearranged into a proof of {P} (S1; S2); S3 {Q}:

  T1:   {P3} S1 {P5}      T2:   {P5} S2 {P4}
  seq   {P3} (S1; S2) {P4}      cons  {P1} (S1; S2) {P2}
  T3:   {P2} S3 {Q1}
  seq   {P1} (S1; S2); S3 {Q1}
  cons  {P} (S1; S2); S3 {Q}

The other direction is similar
Valid assertions
• We say that { P } C { Q } is valid if for all states σ, if σ ⊨ P and ⟨C, σ⟩ →* σ’ then σ’ ⊨ Q
• Denoted by ⊨p { P } C { Q }

(Figure: the set of states satisfying P is mapped by C into the set of states satisfying Q; σ ∈ P, σ’ ∈ C(P) ⊆ Q.)
Soundness and completeness
• The inference system is sound:
– ⊢p { P } C { Q } implies ⊨p { P } C { Q }
• The inference system is complete:
– ⊨p { P } C { Q } implies ⊢p { P } C { Q }
• Is Hoare logic sound? yes
• Is Hoare logic complete? relatively
See you next time