Software Verification 1
Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
und
Fraunhofer Institut für offene Kommunikationssysteme FOKUS
21.5.2015
Ein (bekanntes?) Szenario
H. Schlingloff, Software-Verifikation I
Folie 2
Questions on Quantifiers…
•
•
•
•
•
How do you define equality in FOL?
How do you define equality in SOL?
What is a first-order signature?
How can you denote a first-order model?
What is a partial function?
H. Schlingloff, Software-Verifikation I
Folie 3
Presburger Arithmetic
• Given a signature (N, 0,´,+) of FOL=, define
n (n´==0)
m n (m´==n´ m==n)
p(0) n(p(n) p(n´)) n p(n)
• If the third axiom holds for all p, then this uniquely
characterizes the natural numbers (“monomorphic”)
n (n+0==n)
mn ((m+n)+1 == m+(n+1))
• Second-order quantification
• This theory is decidable!
H. Schlingloff, Software-Verifikation I
Folie 4
Peano Arithmetic
• Given the signature (N, 0,´,+,*) and above axioms,
plus
n (n*0==0)
mn (m*n´ == (m*n)+m)
• This theory is undecidable
H. Schlingloff, Software-Verifikation I
Folie 5
Formalizing C in FOL
• Consider the following C program
int gcd (int a, int b){
int c;
while ( a != 0 ) {
c = a; a = b%a; b = c;
}
return b;
}
• Consider the following FOL formula
: t:N (a(t)==0 c(t+1)==a(t) a(t+1)==b(t)%a(t) b(t+1)=c(t)
a(t)==0 a(t+1)==a(t) b(t+1)==b(t) c(t+1)==c(t) )
• In which way are these equivalent?
H. Schlingloff, Software-Verifikation I
Folie 6
Correctness
From this formalization, we expect that
• ⊨ t (a(t)==0 → b(t)==gcd(a(0),b(0)))
(partial correctness)
• ⊨ t (a(t)==0 b(t)==gcd(a(0),b(0)))
(total correctness)
Can we prove these statements with Z3?
(try this at home)
H. Schlingloff, Software-Verifikation I
Folie 7
Programs
• Several programming paradigms
functional, imperative, object-oriented, …
• While-Programs
Syntax
Semantics
- denotational: Scott Domains
- operational: SOS
- axiomatic: Dynamic logic
Calculus: Hoare calculus
H. Schlingloff, Software-Verifikation I
Folie 8
Syntax of while-Programs
• Given a (typed) signature =(D, F, R) and a
(denumerable) set V of program variables.
(each program variable has a type)
(T is the set of terms in the signature)
for simplicity, assume always R contains equality ==
• A while-program is defined as follows
whileProg ::= skip | V=T | {whileProg; whileProg} |
if (FOL-) whileProg else whileProg |
while (FOL-) whileProg
where FOL- is a quantifier-free first-order formula over (,V)
H. Schlingloff, Software-Verifikation I
Folie 9
Examples
• =({int}, {0,%}, {==}), V=(a, b, c)
•
1 = while (a==0) {{c = a; a = b%a}; b = c}
2 = if (0==(a%0)%a) skip else {skip;skip}
=({int}, {0,1,48,+,-,**}, {<,isprim}), V=(n,k)
3 = if (isprim(n)) n=k
Mersenne = {n=0; k=0;
while (k<49) {n++; if (isprim((2**n)-1)) k++}}
• Note: in C, “skip” and “else skip” is omitted,
and n++ denotes n=n+1
H. Schlingloff, Software-Verifikation I
Folie 10
An Alternative Syntax
function gcd( x : Z, y : Z ) : Z
var a : Z
b : Z
c : Z
begin
c := 1
while a != 0 do
begin
c := a
a := b / a
b := c
end
gcd := c
end
H. Schlingloff, Software-Verifikation I
Folie 11
Semantics
• What is the “meaning” of such a program?
e.g., 3 = if (isprim(n)) k=n
• need a first-order model M: (U,I,V) for (,V)
e.g., U=({zero,one,two,three,...}), I(0)=zero, I(1)=one,
..., I(isprim)={two, three, five,...},
V(n)=two, V(k)=zero
• Program modifies states (valuations)
V’(n)=two, V’(k)=two
• semantics = function from initial to final valuations?
[[3]] = {(two,zero)(two,two), (one,two)(one,two),
..., (two,three)(two,two), (one,three)(one,three), ...}
H. Schlingloff, Software-Verifikation I
Folie 12
Nonterminating Programs
• What is the meaning of the following?
e.g., 5 = if (isprim(n)) while(n==n) skip;
5: zerozero, oneone, two?
• Theory of Scott-Domains
extend every domain with an element #
“undefined”
intuitively, # denotes nontermination
• 1< 2 if 2 is “more defined” than 1
5 < if (n>9 isprim(n)) while(n==n) skip;
H. Schlingloff, Software-Verifikation I
Folie 13
Denotational Semantics
• Given a universe U#=U{#} and interpretation I
for =(D, F, R), the semantics of a program is a
function mapping a program variable valuation into a
program variable valuation:
[[]]: VV
[[skip]]=Id, where x(Id(x)==x)) (identity function)
[[v=t]]=Upd(v,t), where
Upd(v,t)(V)(v)=tM and
Upd(v,t)(V)(w)=wM
H. Schlingloff, Software-Verifikation I
Folie 14
Denotational Semantics
[[{1; 2}]]=2(1) (function application)
[[if (b) 1 else 2]](V)=#, if b contains any v s.t. V(v)=#,
[[if (b) 1 else 2]](V)= 1, if (U#,I,V)⊨ b
[[if (b) 1 else 2]](V)= 2, if (U#,I,V)⊭ b
Define {while (b) }k as follows:
- {while (b) }0=skip
- {while (b) }k+1={if (b) ; {while(b) }k }
[[while(b) ]]=[[{while(b) }k]], where k is the smallest
number for which (U#,I, [[{while(b) }k]](V))⊭ b
(or else, [[while(b) ]](V)=#)
H. Schlingloff, Software-Verifikation I
Folie 15
Examples
• [[if (isprim(n)) k=n]](n=x, k=y) =
(x, y+(x-y)*|isprim(x)|)
• [[(while (a!=0) {c = a; a = b%a; b = c}]](x,y,z) =
(0, gcd(x,y), gcd(x,y))
H. Schlingloff, Software-Verifikation I
Folie 16
Structured Operational Semantics
• Denotational semantics can be made mathematically
•
sound, but is not “intuitive”
Operations of a “real” machine?
transitions from valuation to valuation
program counter is increased with the program
• Abstract representation:
state=(program, valuation)
- program means the part which is still to be executed
transition=(state1, state2)
• “Meaning” of a program is a (possibly infinite) set of
such transitions
H. Schlingloff, Software-Verifikation I
Folie 17
SOS-Rules
•
•
•
•
•
•
(v=t, V)(skip, V[v:=t]);
({skip; },V) (,V)
if (1, V1) (2,V2), then ({1; }, V1) ({2; },V2)
if (U,I,V) ⊨ b, then (if (b) 1 else 2, V) (1,V)
if (U,I,V) ⊭ b, then (if (b) 1 else 2, V) (2,V)
(while (b) , V) ({if (b) {; while (b) }}, V)
H. Schlingloff, Software-Verifikation I
Folie 18
Structured Operational Semantics
• Denotational semantics can be made mathematically
•
sound, but is not “intuitive”
Operations of a “real” machine?
transitions from valuation to valuation
program counter is increased with the program
• Abstract representation:
state=(program, valuation)
- program means the part which is still to be executed
transition=(state1, state2)
• “Meaning” of a program is a (possibly infinite) set of
such transitions
H. Schlingloff, Software-Verifikation I
Folie 19
SOS-Rules
•
•
•
•
•
•
(v=t, V)(skip, V[v:=t]);
({skip; },V) (,V)
if (1, V1) (2,V2), then ({1; }, V1) ({2; },V2)
if (U,I,V) ⊨ b, then (if (b) 1 else 2, V) (1,V)
if (U,I,V) ⊭ b, then (if (b) 1 else 2, V) (2,V)
(while (b) , V) (if (b) {; while (b) }}, V)
• these are so-called “small-step rules”; “big-step rule”:
•
if (1, V1) (2,V2), and (2, V2) (3,V3),
then ({1; 2}, V1) (3, V3)
derivable?
H. Schlingloff, Software-Verifikation I
Folie 20
SOS-Example
• (while (a!=0) {c = a; a = b%a; b =
c},(a=20, b=12, c=0))
...
H. Schlingloff, Software-Verifikation I
Folie 21
About operational semantics
• For every (1, V1), there is exactly one sequence (1,
•
•
V1)(2, V2)(3, V3) ...
allows to “symbolically execute” a program
does not allow to show properties
e.g. “program calculates gcd”
e.g. “program terminates”
• Hoare-Tripel: {} {}
•
meaning: if holds before the execution of , then holds
afterwards
and are first-order formulas (possibly with quantification;
logical variables vs. program variables)
H. Schlingloff, Software-Verifikation I
Folie 22
Hoare calculus
•
•
•
•
•
•
•
⊢ {[v:=t]} v=t {} (ass)
⊢ {} skip {} (usually omitted)
if ⊢ {} 1 {} and ⊢ {} 2 {}, then {} {1; 2}{} (seq)
if ⊢ { b} 1 {} and ⊢ { ¬b} 2 {}, then
⊢ {} if (b) 1 else 2 {} (ite)
if ⊢ { b} {}, then ⊢ {} while (b) { ¬b} (whi)
If ⊢ (’ ) and ⊢ {} {}, then ⊢ {’} {} (imp1)
If ⊢ {} {} and ⊢ ( ’), then ⊢ {} {’} (imp2)
• the semantics (meaning) of a program is the set of all
derivable Hoare-tripels {} {}
H. Schlingloff, Software-Verifikation I
Folie 23
Examples
• {x==17} x++ {x==18}
• {x==17} y=x+1 {y==18}
• {x==17} {x++; y=x+1} {y==19}
• {a==m b==n}
if (a<=b) c = a else c = b
{c==min(m,n)}
• {a==m>0 b==n>0}
while (a!=0) {c = a; a = b%a; b = c}
{b==gcd(m,n)}
H. Schlingloff, Software-Verifikation I
Folie 24
© Copyright 2025 Paperzz