Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University Syllabus Semantics Natural Semantics Static Analysis Automating Hoare Logic Abstract Interpretation fundamentals Analysis Techniques Crafting your own Lattices Numerical Domains Soot Structural semantics Galois Connections CEGAR From proofs to abstractions Axiomatic Verification Fixed-Points Alias analysis Systematically developing transformers Widening/ Narrowing Shape Analysis Domain constructors Interprocedural Analysis 2 Today • Basic concepts of correctness • Axiomatic semantics (pages 175-183) – Hoare Logic – Properties of the semantics – Weakest precondition 3 program correctness 4 Program correctness concepts • Property = a certain relationship between initial state and final state Main focus of this course • Partial correctness = properties that hold if program terminates • Termination = program always terminates – i.e., for every input state partial correctness + termination = total correctness Other correctness concepts exist: liveness, resource usage, … 5 Factorial example Sfac y := 1; while (x=1) do (y := y*x; x := x–1) • Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x – What if x < 0? • Formally, using natural semantics: …? Sfac , ’ implies ’ y = ( x)! 6 Verifying factorial with natural semantics 7 Natural semantics for While [assns] [skipns] x := a, [x Aa] skip, S1, ’, S2, ’ ’’ [compns] S1; S2, ’’ [ifttns] S1, ’ if b then S1 else S2, [ifffns] S2, ’ if b then S1 else S2, ’ if B b = tt ’ [whileffns] while b do S, [whilettns] S, ’, while b do S, ’ while b do S, ’’ if B b = ff if B b = ff ’’ if B b = tt 8 Staged proof 9 Stages sy s sy (s x)! = s’’ y s (s’’ x)! (s x)! = s’’ y sx>0 y := y*x; x := x–1 s’’x = 1 s’’ sx>0 while (x=1) do (y := y*x; x := x–1) s’ y = (s x)! s (s’’ x)! s’’ sx>0 y := 1; while (x=1) do (y := y*x; x := x–1) s’ 10 Inductive proof over iterations sy (s x)! = s’ y (s’ x)! sx>0 s (y := y*x; x := x–1) s’ s’ while (x=1) do (y := y*x; x := x–1) s’’ s’ y s s’’x = 1 s’ x > 0 while (x=1) do (y := y*x; x := x–1) s’’ sy (s x)! = s’’ y (s’ x)! = s’’ y (s’’ x)! s’’x = 1 (s’’ x)! sx>0 11 First stage 12 Second stage 13 while (x=1) do (y := y*x; x := x–1), s s’ 14 Third stage 15 How easy was that? • Proof is very laborious – Need to connect all transitions and argues about relationships between their states – Reason: too closely connected to semantics of programming language • Proof is long – Makes it hard to find possible mistakes • How did we know to find this proof? – Is there a methodology? 16 I’ll use operational semantics Can you prove my program correct? Better use axiomatic verification 17 A systematic approach to program verification 18 Axiomatic verification approach • What do we need in order to prove that the program does what it supposed to do? • Specify the required behavior • Compare the behavior with the one obtained by the operational semantics • Develop a proof system for showing that the program satisfies a requirement • Mechanically use the proof system to show correctness 19 Axiomatic semantics contributors Robert Floyd 1967: use assertions as foundation for static correctness proofs C.A.R. Hoare 1969: use Floyd’s ideas to define axiomatic semantics “An axiomatic basis for computer programming” Edsger W. Dijkstra Predicate transformer semantics: weakest precondition and strongest postcondition 20 Assertions, a.k.a Hoare triples {P}C{Q} precondition statement a.k.a command postcondition • P and Q are state predicates – Example: x>0 • If P holds in the initial state, and if execution of C terminates on that state, then Q will hold in the state in which C halts • C is not required to always terminate {true} while true do skip {false} 21 Total correctness assertions [P]C[Q] • If P holds in the initial state, execution of C must terminate on that state, and Q will hold in the state in which C halts 22 Specifying correctness of factorial 23 Factorial example: specify precondition/postcondition {?} y := 1; while (x=1) do (y := y*x; x := x–1) {?} 24 First attempt We need a way to “remember” value of x before execution { x>0 } y := 1; while (x=1) do (y := y*x; x := x–1) { y=x! } Holds only for value of x at state after execution finishes 25 Fixed assertion A logical variable, must not appear in statement - immutable { x=n } y := 1; while (x=1) do (y := y*x; x := x–1) { y=n! n>0 } 26 The proof outline Background axiom {n!*(n+1) = (n+1)! } { x=n } y := 1; { x>0 y*x!=n! n x } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n (x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n (x-1) } x := x–1 { y*x!=n! n>0 x=1 } 27 Formalizing partial correctness via hoare logic 28 States and predicates • – program states – undefined • A state predicate P is a (possibly infinite) set of states • P P – P holds in state 29 Formalizing Hoare triples Sns C = ’ if C, else Q ’ P C(P) C • {P}C{Q} ’ . ( P C, ’) ’ Q alternatively – . ( P Sns C ) Sns C Q – Convention: P for all P . P Sns C Q Why did we choose – , ’ natural semantics? 30 Formalizing Hoare triples Sns C = ’ if C, else Q ’ P C(P) C • {P}C{Q} . ( P C, *’) alternatively – . ( P Ssos C ) – Convention: P for all P . P Ssos C Q – , ’ ’ ’ Q Ssos C Q 31 How do we express predicates? • Extensional approach – Abstract mathematical functions P : State {tt, ff} • Intensional approach – via language of formulae 32 An assertion language • Bexp is not expressive enough to express predicates needed for many proofs – Extend Bexp • Allow quantification – z. … – z. … • z. z = kn • Import well known mathematical concepts – n! n (n-1) 2 1 33 An assertion language Either a program variables or a logical variable a ::= n | x | a1 + a2 | a1 a2 | a1 – a2 A ::= true | false | a1 = a2 | a1 a2 | A | A1 A2 | A1 | A1 A2 | z. A | z. A A2 34 Some FO logic definitions before we get to the rules 35 Free/bound variables • A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free – i. k=im – (i+10077)i. j+1=i+3) • FV(A) the free variables of A • Defined inductively on the abstract syntax tree of A 36 Free variables FV(n) {} FV(x) {x} FV(a1+a2) FV(a1 a2) FV(a1-a2) FV(a1) FV(a2) FV(true) FV(false) {} FV(a1=a2) FV(a1 a2) FV(a1) FV(a2) FV( A) FV(A) FV(A1 A2) FV(A1 A2) FV(A1 A2) FV(a1) FV(a2) FV( z. A) FV( z. A) FV(A) \ {z} 37 Substitution What if t is not pure? • An expression t is pure (a term) if it does not contain quantifiers • A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t • A i. k=i m A[5/k] = …? A[5/i] = …? 38 Calculating substitutions n[t/z] = n x[t/z] = x x[t/x] = t (a1 + a2)[t/z] = a1[t/z] + a2[t/z] (a1 a2)[t/z] = a1[t/z] a2[t/z] (a1 - a2)[t/z] = a1[t/z] - a2[t/z] 39 Calculating substitutions true[t/x] = true false[t/x] = false (a1 = a2)[t/z] = a1[t/z] = a2[t/z] (a1 a2)[t/z] = a1[t/z] a2[t/z] ( A)[t/z] = (A[t/z]) (A1 A2)[t/z] = A1[t/z] A2[t/z] (A1 A2)[t/z] = A1[t/z] A2[t/z] (A1 A2)[t/z] = A1[t/z] A2[t/z] ( ( ( ( z. A)[t/z] = z. A z. A)[t/y] = z. A[t/y] z. A)[t/z] = z. A z. A)[t/y] = z. A[t/y] 40 six are completely enough and now… the rules 41 Axiomatic semantics for While [assp] { P[a/x] } x := a { P } Notice similarity to natural semantics rules [skipp] { P } skip { P } { P } S1 { Q }, { Q } S2 { R } [compp] { P } S1; S2 { R } {b P } S1 { Q }, { b P } S2 { Q } [ifp] { P } if b then S1 else S2 { Q } What’s different about this rule? [whilep] [consp] {b P}S{P} { P } while b do S { b { P’ } S { Q’ } {P}S{Q} P} if P P’ and Q’ Q 42 Assignment rule [assp] { P[a/x] } x := a { P } • A “backwards” rule • x := a always finishes • Why is this true? – Recall operational semantics: [assns] x := a, [x A a ] P [x A a ] • Example: {y*z<9} x:=y*z {x<9} What about {y*z<9 w=5} x:=y*z {w=5}? 43 skip rule [skipp] { P } skip { P } [skipns] skip, 44 Composition rule { P } S1 { Q }, { Q } S2 { R } [compp] { P } S1; S2 { R } S1, ’, S2, ’ ’’ [compns] S1; S2, ’’ • Holds when S1 terminates in every state where P holds and then Q holds and S2 terminates in every state where Q holds and then R holds 45 Condition rule { b P } S1 { Q }, { b P } S2 { Q } [ifp] { P } if b then S1 else S2 { Q } [ifttns] S1, ’ if b then S1 else S2, [ifffns] S2, ’ if b then S1 else S2, ’ ’ if B if B b = tt b = ff 46 Loop rule {b P}S{P} [whilep] { P } while b do S { b } [whileffns] while b do S, [whilettns] S, ’, while b do S, ’ while b do S, ’’ if B ’’ if B P b = ff b = tt • Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs • When loop finishes, b is false 47 Rule of consequence { P’ } S { Q’ } [consp] {P}S{Q} if P P’ and Q’ Q • Allows strengthening the precondition and weakening the postcondition • The only rule that is not related to a statement 48 Rule of consequence { P’ } S { Q’ } [consp] {P}S{Q} if P P’ and Q’ Q • Why do we need it? • Allows the following {y*z<9} x:=y*z {x<9} {y*z<9 w=5} x:=y*z {x<10} 49 Next lecture: axiomatic semantics practice and extensions