Spring 2014
Program Analysis and Verification
Lecture 4: Axiomatic Semantics I
Roman Manevich
Ben-Gurion University
Syllabus (course map; column headings: Semantics, Static Analysis, Analysis Techniques, Crafting your own)
• Natural semantics, Structural semantics, Axiomatic verification
• Automating Hoare logic, Abstract interpretation fundamentals, Fixed-points, Galois connections, Lattices, Widening/narrowing, Systematically developing transformers, Domain constructors, From proofs to abstractions
• Numerical domains, Alias analysis, Shape analysis, Interprocedural analysis, CEGAR
• Soot
2
Today
• Basic concepts of correctness
• Axiomatic semantics (pages 175-183)
– Hoare Logic
– Properties of the semantics
– Weakest precondition
3
program correctness
4
Program correctness concepts
• Property = a certain relationship between initial state and final state
• Partial correctness = properties that hold if the program terminates (main focus of this course)
• Termination = program always terminates
– i.e., for every input state
partial correctness + termination = total correctness
Other correctness concepts exist: liveness, resource usage, …
5
Factorial example
Sfac ≡ y := 1; while (x≠1) do (y := y*x; x := x-1)
• Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x
– What if x < 0?
• Formally, using natural semantics: …?
⟨Sfac, σ⟩ → σ' implies σ' y = (σ x)!
6
Verifying factorial with natural semantics
7
Natural semantics for While
[assns]     ⟨x := a, σ⟩ → σ[x ↦ A⟦a⟧σ]
[skipns]    ⟨skip, σ⟩ → σ
[compns]    ⟨S1, σ⟩ → σ',  ⟨S2, σ'⟩ → σ''
            ————————————————————————————
            ⟨S1; S2, σ⟩ → σ''
[ifttns]    ⟨S1, σ⟩ → σ'
            ————————————————————————————     if B⟦b⟧σ = tt
            ⟨if b then S1 else S2, σ⟩ → σ'
[ifffns]    ⟨S2, σ⟩ → σ'
            ————————————————————————————     if B⟦b⟧σ = ff
            ⟨if b then S1 else S2, σ⟩ → σ'
[whileffns] ⟨while b do S, σ⟩ → σ            if B⟦b⟧σ = ff
[whilettns] ⟨S, σ⟩ → σ',  ⟨while b do S, σ'⟩ → σ''
            ————————————————————————————     if B⟦b⟧σ = tt
            ⟨while b do S, σ⟩ → σ''
8
Staged proof
9
Stages
• Stage 1 (loop body): if σ x > 0 and ⟨y := y*x; x := x-1, σ⟩ → σ'' then σ y · (σ x)! = σ'' y · (σ'' x)!
• Stage 2 (loop): if σ x > 0 and ⟨while (x≠1) do (y := y*x; x := x-1), σ⟩ → σ'' then σ y · (σ x)! = σ'' y · (σ'' x)! and σ'' x = 1
• Stage 3 (program): if σ x > 0 and ⟨y := 1; while (x≠1) do (y := y*x; x := x-1), σ⟩ → σ' then σ' y = (σ x)!
10
Inductive proof over iterations
Case [whilettns], with σ x > 0 and σ x ≠ 1:
⟨y := y*x; x := x-1, σ⟩ → σ'   (by the first stage: σ y · (σ x)! = σ' y · (σ' x)! and σ' x > 0)
⟨while (x≠1) do (y := y*x; x := x-1), σ'⟩ → σ''   (by the induction hypothesis: σ' y · (σ' x)! = σ'' y · (σ'' x)! and σ'' x = 1)
Hence σ y · (σ x)! = σ' y · (σ' x)! = σ'' y · (σ'' x)! and σ'' x = 1
11
First stage (derivation tree for the loop body; the figure was not recovered)
12
Second stage (derivation tree for the loop; the figure was not recovered)
13
⟨while (x≠1) do (y := y*x; x := x-1), σ⟩ → σ'
14
Third stage (derivation tree for the whole program; the figure was not recovered)
15
How easy was that?
• Proof is very laborious
– Need to connect all transitions and argue about relationships between their states
– Reason: too closely connected to the semantics of the programming language
• Proof is long
– Makes it hard to find possible mistakes
• How did we know how to find this proof?
– Is there a methodology?
16
“I’ll use operational semantics”
“Can you prove my program correct?”
“Better use axiomatic verification”
17
A systematic approach to program verification
18
Axiomatic verification approach
• What do we need in order to prove that the program does what it is supposed to do?
• Specify the required behavior
• Compare the behavior with the one obtained by the
operational semantics
• Develop a proof system for showing that the program
satisfies a requirement
• Mechanically use the proof system to show correctness
19
Axiomatic semantics contributors
• Robert Floyd, 1967: use assertions as foundation for static correctness proofs
• C.A.R. Hoare, 1969: use Floyd’s ideas to define axiomatic semantics (“An axiomatic basis for computer programming”)
• Edsger W. Dijkstra: predicate transformer semantics: weakest precondition and strongest postcondition
20
Assertions, a.k.a. Hoare triples
{P}C{Q}
P – precondition; C – statement, a.k.a. command; Q – postcondition
• P and Q are state predicates
– Example: x>0
• If P holds in the initial state, and
if execution of C terminates on that state,
then Q will hold in the state in which C halts
• C is not required to always terminate
{true} while true do skip {false}
21
Total correctness assertions
[P]C[Q]
• If P holds in the initial state,
execution of C must terminate on that state,
and Q will hold in the state in which C halts
22
Specifying correctness of factorial
23
Factorial example: specify precondition/postcondition
{?}
y := 1; while (x≠1) do (y := y*x; x := x-1)
{?}
24
First attempt
{ x>0 }
y := 1; while (x≠1) do (y := y*x; x := x-1)
{ y=x! }
Problem: the postcondition y=x! refers to the value of x in the state after execution finishes, not to the initial value; we need a way to “remember” the value of x before execution
25
Fixed assertion
{ x=n }
y := 1; while (x≠1) do (y := y*x; x := x-1)
{ y=n! ∧ n>0 }
n is a logical variable: it must not appear in the statement, so it is immutable
26
The proof outline
Background axiom: { n!*(n+1) = (n+1)! }
{ x=n }
y := 1;
{ x>0 ∧ y*x!=n! ∧ n ≥ x }
while (x≠1) do
  { x-1>0 ∧ (y*x)*(x-1)!=n! ∧ n ≥ (x-1) }
  y := y*x;
  { x-1>0 ∧ y*(x-1)!=n! ∧ n ≥ (x-1) }
  x := x-1
{ y*x!=n! ∧ n>0 ∧ x=1 }
27
Formalizing partial correctness via Hoare logic
28
States and predicates
• Σ – program states
– ⊥ – undefined
• A state predicate P is a (possibly infinite) set of states
• σ ⊨ P
– P holds in state σ (σ belongs to the set P)
29
Formalizing Hoare triples
Sns⟦C⟧σ = σ'  if ⟨C, σ⟩ → σ'
         = ⊥   else
(picture: a state σ ⊨ P is taken by C to a state σ' in C(P), and C(P) must lie inside Q)
• {P}C{Q} ⟺ ∀σ, σ'. (σ ⊨ P ∧ ⟨C, σ⟩ → σ') ⟹ σ' ⊨ Q
alternatively
– ∀σ. (σ ⊨ P ∧ Sns⟦C⟧σ ≠ ⊥) ⟹ Sns⟦C⟧σ ⊨ Q
– Convention: ⊥ ⊨ P for all P
∀σ. σ ⊨ P ⟹ Sns⟦C⟧σ ⊨ Q
Why did we choose natural semantics?
30
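The definition above can be checked mechanically on a finite sample of states, which is a useful way to test a specification before trying to prove it. The Python program below is an added example and not part of the lecture slides: it implements the rules of the “Natural semantics for While” slide as an interpreter and tests {P} C {Q} by running C from every sampled state that satisfies P. The names run, holds, FAC, SAMPLE and the step budget FUEL are this example’s own; the budget turns a run that does not finish into ⊥, so such a state counts vacuously, as the convention ⊥ ⊨ P says. It is applied to the factorial program and to both specifications from the preceding slides.

```python
# Added example (not from the lecture slides): a natural-semantics interpreter
# for While and a checker for the semantic definition of partial correctness:
#   {P} C {Q}  iff  for all s, s': (s |= P and <C, s> -> s') implies s' |= Q
# States are dicts from variable names to ints; programs are nested tuples.
# Assumption: a run exceeding FUEL steps is treated as non-terminating
# (Sns[[C]]s = bottom), so the triple holds vacuously for that state.
from math import factorial

FUEL = 10_000  # step budget; running out of it is read as non-termination


class NonTerminating(Exception):
    pass


def A(a, s):
    """Arithmetic expressions: int literal, variable name, or (op, a1, a2)."""
    if isinstance(a, int):
        return a
    if isinstance(a, str):
        return s[a]
    op, a1, a2 = a
    x, y = A(a1, s), A(a2, s)
    return {"+": x + y, "*": x * y, "-": x - y}[op]


def B(b, s):
    """Boolean expressions: ("=", a1, a2), ("<=", a1, a2) or ("not", b)."""
    if b[0] == "not":
        return not B(b[1], s)
    x, y = A(b[1], s), A(b[2], s)
    return x == y if b[0] == "=" else x <= y


def run(stmt, s, fuel=None):
    """<stmt, s> -> s' following the natural-semantics rules; returns a new dict."""
    if fuel is None:
        fuel = [FUEL]
    fuel[0] -= 1
    if fuel[0] < 0:
        raise NonTerminating()
    kind = stmt[0]
    if kind == "skip":                       # [skip_ns]
        return dict(s)
    if kind == ":=":                         # [ass_ns]: s[x -> A[[a]]s]
        _, x, a = stmt
        s2 = dict(s)
        s2[x] = A(a, s)
        return s2
    if kind == ";":                          # [comp_ns]
        return run(stmt[2], run(stmt[1], s, fuel), fuel)
    if kind == "if":                         # [if_tt_ns] / [if_ff_ns]
        _, b, s1, s2 = stmt
        return run(s1 if B(b, s) else s2, s, fuel)
    if kind == "while":                      # [while_tt_ns] unfolds the loop;
        _, b, body = stmt                    # [while_ff_ns] stops it
        while B(b, s):
            s = run(body, s, fuel)           # each body run charges fuel
        return dict(s)
    raise ValueError(f"unknown statement {kind!r}")


def holds(P, C, Q, states):
    """Check {P} C {Q} over a finite sample of initial states (partial correctness)."""
    for s in states:
        if not P(s):
            continue
        try:
            s_final = run(C, s)
        except NonTerminating:
            continue                         # bottom |= Q by convention
        if not Q(s_final):
            return False
    return True


# Constructed input: the slides' factorial program
#   y := 1; while (x != 1) do (y := y*x; x := x-1)
FAC = (";", (":=", "y", 1),
       ("while", ("not", ("=", "x", 1)),
        (";", (":=", "y", ("*", "y", "x")), (":=", "x", ("-", "x", 1)))))

SAMPLE = [{"x": n, "y": 0} for n in range(-2, 9)]   # constructed initial states


def first_attempt():
    """{x>0} FAC {y=x!}: x is 1 when the loop ends, so this fails for x >= 2."""
    return holds(lambda s: s["x"] > 0, FAC,
                 lambda s: s["y"] == factorial(s["x"]), SAMPLE)


def fixed_spec(n):
    """{x=n} FAC {y=n! and n>0} with the logical variable n fixed outside the program."""
    return holds(lambda s: s["x"] == n, FAC,
                 lambda s: n > 0 and s["y"] == factorial(n), SAMPLE)


if __name__ == "__main__":
    print(first_attempt())                          # False
    print(all(fixed_spec(n) for n in range(1, 9)))  # True
    print(fixed_spec(0))                            # True, but only vacuously
```

The third result is the point of the partial-correctness convention: for x = 0 the loop never reaches x = 1, the run is ⊥, and the triple holds although nothing useful has been established. Sampling states tests a specification; it does not replace the proof system of the following slides.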
Formalizing Hoare triples
Ssos⟦C⟧σ = σ'  if ⟨C, σ⟩ ⇒* σ'
          = ⊥   else
(picture: a state σ ⊨ P is taken by C to a state σ' in C(P), and C(P) must lie inside Q)
• {P}C{Q} ⟺ ∀σ, σ'. (σ ⊨ P ∧ ⟨C, σ⟩ ⇒* σ') ⟹ σ' ⊨ Q
alternatively
– ∀σ. (σ ⊨ P ∧ Ssos⟦C⟧σ ≠ ⊥) ⟹ Ssos⟦C⟧σ ⊨ Q
– Convention: ⊥ ⊨ P for all P
∀σ. σ ⊨ P ⟹ Ssos⟦C⟧σ ⊨ Q
31
How do we express predicates?
• Extensional approach
– Abstract mathematical functions P : State → {tt, ff}
• Intensional approach
– via a language of formulae
32
An assertion language
• Bexp is not expressive enough to express predicates needed for many proofs
– Extend Bexp
• Allow quantification
– ∃z. …
– ∀z. …
• ∃z. z = k·n
• Import well known mathematical concepts
– n! ≡ n · (n-1) · … · 2 · 1
33
An assertion language
(x is either a program variable or a logical variable)
a ::= n | x | a1 + a2 | a1 · a2 | a1 - a2
A ::= true | false | a1 = a2 | a1 ≤ a2 | ¬A | A1 ∧ A2 | A1 ∨ A2 | A1 → A2 | ∀z. A | ∃z. A
34
Some FO logic definitions before we get to the rules
35
Free/bound variables
• A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free
– ∃i. k=i·m
– (i+100 ≤ 77) ∧ (∃i. j+1=i+3)
• FV(A) ≡ the free variables of A
• Defined inductively on the abstract syntax tree of A
36
Free variables
FV(n) ≡ {}
FV(x) ≡ {x}
FV(a1+a2) ≡ FV(a1 · a2) ≡ FV(a1-a2) ≡ FV(a1) ∪ FV(a2)
FV(true) ≡ FV(false) ≡ {}
FV(a1=a2) ≡ FV(a1 ≤ a2) ≡ FV(a1) ∪ FV(a2)
FV(¬A) ≡ FV(A)
FV(A1 ∧ A2) ≡ FV(A1 ∨ A2) ≡ FV(A1 → A2) ≡ FV(A1) ∪ FV(A2)
FV(∀z. A) ≡ FV(∃z. A) ≡ FV(A) \ {z}
37
Substitution
• An expression t is pure (a term) if it does not contain quantifiers
– What if t is not pure?
• A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t
• A ≡ ∃i. k=i·m
A[5/k] = …?
A[5/i] = …?
38
Calculating substitutions
n[t/z] = n
x[t/z] = x        (if x ≠ z)
x[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z]
(a1 · a2)[t/z] = a1[t/z] · a2[t/z]
(a1 - a2)[t/z] = a1[t/z] - a2[t/z]
39
Calculating substitutions
true[t/x] = true
false[t/x] = false
(a1 = a2)[t/z] = a1[t/z] = a2[t/z]
(a1 ≤ a2)[t/z] = a1[t/z] ≤ a2[t/z]
(¬A)[t/z] = ¬(A[t/z])
(A1 ∧ A2)[t/z] = A1[t/z] ∧ A2[t/z]
(A1 ∨ A2)[t/z] = A1[t/z] ∨ A2[t/z]
(A1 → A2)[t/z] = A1[t/z] → A2[t/z]
(∀z. A)[t/z] = ∀z. A
(∀z. A)[t/y] = ∀z. A[t/y]        (y ≠ z, and z not free in t: otherwise rename the bound z first)
(∃z. A)[t/z] = ∃z. A
(∃z. A)[t/y] = ∃z. A[t/y]        (y ≠ z, and z not free in t: otherwise rename the bound z first)
40
Six are completely enough, and now… the rules
41
Axiomatic semantics for While
(Notice the similarity to the natural semantics rules)
[assp]   { P[a/x] } x := a { P }
[skipp]  { P } skip { P }
[compp]  { P } S1 { Q },  { Q } S2 { R }
         ————————————————————————————
         { P } S1; S2 { R }
[ifp]    { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
         ————————————————————————————————————
         { P } if b then S1 else S2 { Q }
[whilep] { b ∧ P } S { P }
         ————————————————————————————     (What’s different about this rule?)
         { P } while b do S { ¬b ∧ P }
[consp]  { P’ } S { Q’ }
         ————————————————     if P ⟹ P’ and Q’ ⟹ Q
         { P } S { Q }
42
Assignment rule
[assp] { P[a/x] } x := a { P }
• A “backwards” rule
• x := a always finishes
• Why is this true?
– Recall operational semantics: [assns] ⟨x := a, σ⟩ → σ[x ↦ A⟦a⟧σ]
– σ ⊨ P[a/x] exactly when σ[x ↦ A⟦a⟧σ] ⊨ P
• Example: {y*z<9} x:=y*z {x<9}
What about {y*z<9 ∧ w=5} x:=y*z {w=5}?
43
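The three definitions that the assignment rule depends on, FV from the “Free variables” slide, A[t/z] from the two “Calculating substitutions” slides, and P[a/x] from the rule itself, fit in one small program. The Python code below is an added example and not part of the lecture slides: assertions are nested tuples in the slides’ syntax, fv and subst follow the inductive definitions case by case, and wp_assign applies [assp] backwards to the examples on this slide. One assumption goes beyond the slides: when t mentions a variable that a quantifier binds, subst renames the bound variable (capture avoidance) instead of substituting under it blindly. The names fv, subst, wp_assign, show, A_EX, BOUND_EX and X_LT_9 are this example’s own.

```python
# Added example (not from the lecture slides): the slides' assertion language
# as Python tuples, with FV, substitution A[t/z] and the assignment rule P[a/x].
# Terms:      int | variable name (str) | ("+" | "*" | "-", a1, a2)
# Assertions: True | False | ("=", a1, a2) | ("<=", a1, a2) | ("not", A)
#             | ("and" | "or" | "->", A1, A2) | ("forall" | "exists", z, A)
# Assumption beyond the slides: substituting t under a quantifier that binds a
# variable free in t renames that bound variable first (capture avoidance).


def fv(e):
    """FV(e), defined inductively on the syntax tree as on the slides."""
    if isinstance(e, int):             # numerals and true/false (bool is an int)
        return set()
    if isinstance(e, str):             # program or logical variable
        return {e}
    op = e[0]
    if op in ("forall", "exists"):     # FV(Qz. A) = FV(A) \ {z}
        return fv(e[2]) - {e[1]}
    if op == "not":
        return fv(e[1])
    return fv(e[1]) | fv(e[2])


def subst(e, t, z):
    """e[t/z]: replace every free occurrence of z in e by the term t."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return t if e == z else e
    op = e[0]
    if op in ("forall", "exists"):
        w, body = e[1], e[2]
        if w == z:                     # (Qz. A)[t/z] = Qz. A: z is bound here
            return e
        if w in fv(t):                 # t mentions the bound variable: rename it
            fresh = w
            while fresh in fv(t) or fresh in fv(body) or fresh == z:
                fresh += "'"
            body = subst(body, fresh, w)
            w = fresh
        return (op, w, subst(body, t, z))
    if op == "not":
        return (op, subst(e[1], t, z))
    return (op, subst(e[1], t, z), subst(e[2], t, z))


def wp_assign(x, a, P):
    """[ass_p] read backwards: the precondition P[a/x] of x := a for postcondition P."""
    return subst(P, a, x)


def show(e):
    """Render an assertion in the slides' notation."""
    if isinstance(e, bool):
        return "true" if e else "false"
    if isinstance(e, (int, str)):
        return str(e)
    op = e[0]
    if op in ("forall", "exists"):
        return ("∀" if op == "forall" else "∃") + e[1] + ". " + show(e[2])
    if op == "not":
        return "¬" + show(e[1])
    sym = {"+": "+", "*": "·", "-": "-", "=": "=", "<=": "≤",
           "and": "∧", "or": "∨", "->": "→"}[op]
    return "(" + show(e[1]) + " " + sym + " " + show(e[2]) + ")"


# Constructed inputs: the examples from the slides.
A_EX = ("exists", "i", ("=", "k", ("*", "i", "m")))             # ∃i. k = i·m
BOUND_EX = ("and", ("<=", ("+", "i", 100), 77),                 # (i+100 ≤ 77) ∧ (∃i. j+1 = i+3)
            ("exists", "i", ("=", ("+", "j", 1), ("+", "i", 3))))
X_LT_9 = ("not", ("<=", 9, "x"))                                # x < 9, written with ≤

if __name__ == "__main__":
    print(sorted(fv(A_EX)), sorted(fv(BOUND_EX)))               # ['k', 'm'] ['i', 'j']
    print(show(subst(A_EX, 5, "k")))                            # ∃i. (5 = (i · m))
    print(show(subst(A_EX, 5, "i")))                            # unchanged: i is bound
    print(show(wp_assign("x", ("*", "y", "z"), X_LT_9)))        # ¬(9 ≤ (y · z)), i.e. y*z < 9
    print(show(wp_assign("x", ("*", "y", "z"), ("=", "w", 5)))) # (w = 5): x is not free in it
    print(show(subst(A_EX, ("+", "i", 1), "k")))                # bound i renamed to i'
```

The second wp_assign call answers the question on the slide: {w=5} x:=y*z {w=5} follows from [assp] directly because x is not free in w=5, and {y*z<9 ∧ w=5} x:=y*z {w=5} then needs only a strengthening of the precondition, which is the rule of consequence introduced later. The last call shows why the side condition on the quantifier cases matters: without renaming, the i in the substituted term i+1 would be captured by ∃i.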
skip rule
[skipp] { P } skip { P }
[skipns] ⟨skip, σ⟩ → σ
44
Composition rule
[compp]  { P } S1 { Q },  { Q } S2 { R }
         ————————————————————————————
         { P } S1; S2 { R }
[compns] ⟨S1, σ⟩ → σ',  ⟨S2, σ'⟩ → σ''
         ————————————————————————————
         ⟨S1; S2, σ⟩ → σ''
• Holds when S1 terminates in every state where P holds and then Q holds, and S2 terminates in every state where Q holds and then R holds
45
Condition rule
[ifp]    { b ∧ P } S1 { Q },  { ¬b ∧ P } S2 { Q }
         ————————————————————————————————————
         { P } if b then S1 else S2 { Q }
[ifttns] ⟨S1, σ⟩ → σ'
         ————————————————————————————     if B⟦b⟧σ = tt
         ⟨if b then S1 else S2, σ⟩ → σ'
[ifffns] ⟨S2, σ⟩ → σ'
         ————————————————————————————     if B⟦b⟧σ = ff
         ⟨if b then S1 else S2, σ⟩ → σ'
46
Loop rule
[whilep]    { b ∧ P } S { P }
            ————————————————————————————
            { P } while b do S { ¬b ∧ P }
[whileffns] ⟨while b do S, σ⟩ → σ            if B⟦b⟧σ = ff
[whilettns] ⟨S, σ⟩ → σ',  ⟨while b do S, σ'⟩ → σ''
            ————————————————————————————     if B⟦b⟧σ = tt
            ⟨while b do S, σ⟩ → σ''
• Here P is called an invariant for the loop
– Holds before and after each loop iteration
– Finding loop invariants – most challenging part of proofs
• When the loop finishes, b is false
47
Rule of consequence
[consp]  { P’ } S { Q’ }
         ————————————————     if P ⟹ P’ and Q’ ⟹ Q
         { P } S { Q }
• Allows strengthening the precondition and
weakening the postcondition
• The only rule that is not related to a statement
48
Rule of consequence
[consp]  { P’ } S { Q’ }
         ————————————————     if P ⟹ P’ and Q’ ⟹ Q
         { P } S { Q }
• Why do we need it?
• Allows the following
{y*z<9} x:=y*z {x<9}
——————————————————————————     since y*z<9 ∧ w=5 ⟹ y*z<9 and x<9 ⟹ x<10
{y*z<9 ∧ w=5} x:=y*z {x<10}
49
Next lecture:
axiomatic semantics
practice and extensions