Download Verification Condition Generation

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
Document related concepts

Philosophy of artificial intelligence wikipedia , lookup

Computer Go wikipedia , lookup

History of artificial intelligence wikipedia , lookup

Logic programming wikipedia , lookup

Sequent calculus wikipedia , lookup

Knowledge representation and reasoning wikipedia , lookup

Transcript 
Axiomatic Semantics
Computer Science and Artificial Intelligence Laboratory
MIT
October 21, 2015
1
Motivation
o
Consider the following program
...
if(x > y){
t = x – y;
while(t > 0){
x = x – 1;
y = y + 1;
t = t – 1;
}
}
o
I claim that for any values of x and y
- the loop will terminate
- when it does, if x > y, the values of x and y will be swapped
o
How could I prove this?
2
Motivation
o
The tools we have seen so far are insufficient
- Operational semantics
• easy to argue that a given input will produce a given output
• also easy to argue that all constructs in the language will preserve
some property (like when we proved type soundness)
• much harder to prove general properties of the behavior of a program
on all inputs
- Type-based reasoning
• types allow us to design custom checkers to verify specific properties
• very good at reasoning about properties of the data pointed at by
particular variables.
3
Axiomatic Semantics
o
o
A system for proving properties about programs
Key idea:
- we can define the semantics of a construct by describing its effect
on assertions about the program state
o
Two components
- A language for stating assertions
• can be First Order Logic (FOL) or a specialized logic such as
separation logic.
• many specialized languages developed over the years
– Z, Larch, JML, Spec#
- Deductive rules for establishing the truth of such assertions
4
A little history
o
Early years: Unbridled optimism
- Heavily endorsed by the likes of Hoare and Dijkstra
- If you can prove programs correct, bugs will be a thing of the past
• you won’t even have to test your programs
o
The middle ages
- 1979 paper by DeMillo, Lipton and Perllis
• proofs in math only work because there is a social process in place to
get people to argue them and internalize them
• program proofs are too boring for social process to form around them
• programs change too fast and proofs are too brittle
o
The renaissance
- New generation of automated reasoning tools
- A handful of success stories
- Better appreciation of costs, benefits and limitations?
5
The basics
{A} stmt {B}
Precondition
o
Postcondition
Hoare triple
- If the precondition holds before stmt and stmt terminates
postcondition will hold afterwards
o
This is a partial correctness assertion
- we sometimes use the notation
[A] stmt [B]
to denote a total correctness assertion
• that means you also have to prove termination
6
What do assertions mean?
o
o
o
o
We first need to introduce a language
For today we will be using Winskel’s IMP
e:= n | x | e1 + e2 | e1 = e2
c:= x := e | c1 ; c2 | if e then c1 else c2
| while e do c | skip
Big Step Semantics have two kinds of judgments
expressions result in values
commands change the state
7
Semantics of IMP
o
o
Commands mutate the state
What about loops?
8
Semantics of IMP
o
The definition for loops must be recursive
9
What do assertions mean?
o
The language of assertions
- A := true | false | e1 = e2 | e1 >= e2 | A1 and A2 |
not A |
x.A
A
o
Notation
means that the assertion holds on state
- This is defined inductively over the structure of A.
- Ex.
10
What do assertions mean
o
Complete list
- 𝜎 ⊨ 𝑡𝑟𝑢𝑒 𝜎 ⊨ 𝑓𝑎𝑙𝑠𝑒
-
𝑒1 ,𝜎 →𝑣 𝑒2 ,𝜎 →𝑣
𝜎 ⊨𝑒1 =𝑒2
𝑒1 ,𝜎 →𝑣1
𝑒2 ,𝜎 →𝑣2 𝑣1 ≤𝑣2
𝜎 ⊨𝑒1 ≤ 𝑒2
-
𝑒1 ,𝜎 →𝑣1
𝑒2 ,𝜎 →𝑣2 𝑣1 ≠𝑣2
𝜎 ⊨𝑒1 =𝑒2
-
𝜎⊨𝐴 𝜎⊨𝐵
𝜎⊨𝐴 𝑎𝑛𝑑 𝐵
-
𝜎⊨𝐴
𝜎⊨𝑛𝑜𝑡 𝐴
𝑒1 ,𝜎 →𝑣1
∀ 𝑣. 𝜎 𝑥→𝑣 ⊨𝐴 𝜎⊨𝐴 𝜎⊨𝐵
𝜎⊨∀𝑥.𝐴
𝜎⊨𝐴 𝑎𝑛𝑑 𝐵
𝑒2 ,𝜎 →𝑣2 𝑣1 >𝑣2
𝜎⊨ 𝑒1 ≤ 𝑒2
𝜎⊨𝐴
𝜎⊨𝐴 𝑎𝑛𝑑 𝐵
𝜎⊨𝐵
∃ 𝑣. 𝜎 𝑥→𝑣 ⊨𝐴
𝜎⊨𝐴 𝑎𝑛𝑑 𝐵
𝜎⊨∀𝑥.𝐴
𝜎⊨𝐴
𝜎⊨ 𝑛𝑜𝑡 𝐴
11
Partial correctness
o
Partial Correctness can then be defined in terms of OS
{A} c {B} iff
12
Defining axiomatic semantics
o
o
Establishing the truth of a Hoare triple in terms of the
operational semantics is impractical
The real power of AS is the ability to establish the validity
of a Hoare triple by using deduction rules
-
means we can deduce the triple from a set of basic
axioms
13
Derivation Rules
o
o
Derivation rules for each language construct
Can be combined together with the rule of consequence
14
Soundness and Completeness
o
What does it mean for our deduction rules to be sound?
- You will never be able to prove anything that is not true
- truth is defined in terms of our original definition of {A} c {B}
- we can prove this, but it’s tricky
o
What does it mean for them to be complete?
- If a statement is true, we should be able to prove it via deduction
o
So are they complete?
- yes and no
• They are complete relative to the logic
• but there are no complete and consistent logics for elementary
arithmetic (Gödel)
15
Completeness Argument
⇒
⊢ 𝐴 𝑐 {𝐵}
o
Prove by induction on the structure of the derivation of
𝑐, 𝜎 → 𝜎′
- Look at all the different ways of proving that 𝑐, 𝜎 → 𝜎′
- Make sure that for each of those, I can prove ⊢ 𝐴 𝑐 𝐵
16
Completeness: Base case
Need to prove: 𝜎 ⊨ 𝐴 ∧ 𝜎 𝑋 → 𝑒 ′ ⊨ 𝐵 ⇒ ⊢ 𝐴 𝑋 ≔ 𝑒 {𝐵}
o
I only have one rule to prove ⊢ 𝐴 𝑋 ≔ 𝑒 𝐵
- (well, that plus the rule of consequence).
o
So I need to show that
- 𝜎 ⊨ 𝐴 ∧ 𝜎 𝑋 → 𝑒 ′ ⊨ 𝐵 ⇒ (𝐴 ⇒ 𝐵 𝑥 → 𝑒 )
- Equivalently ∀ 𝜎. 𝜎 ⊨ 𝐴 ∧ 𝜎 𝑋 → 𝑒 ′ ⊨ 𝐵 ⇒ (𝜎 ⊨ 𝐵 𝑥 → 𝑒 )
17
Completeness: An inductive case
Need to prove: 𝜎 ⊨ 𝐴 ∧ 𝜎′ ⊨ 𝐵 ⇒ ⊢ 𝐴 𝑐1 ; 𝑐2 {𝐵}
Assuming 𝜎 ⊨ 𝐴 ∧ 𝜎 ′′ ⊨ 𝐶 ∧ ⊢ 𝐴 𝑐1 {𝐶}
and 𝜎′′ ⊨ 𝐶 ∧ 𝜎 ′ ⊨ 𝐵 ∧ ⊢ 𝐶 𝑐1 {𝐵}
18
MIT OpenCourseWare
http://ocw.mit.edu
6.820 Fundamentals of Program Analysis
Fall 2015
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
Related documents
Assignment 6
Assignment 6
Lecture 39 Notes
Lecture 39 Notes
Inequalities in 2 triangles and indirect proofs
Inequalities in 2 triangles and indirect proofs
Solutions – §4.2 8. The set of all ordered pairs of real numbers with
Solutions – §4.2 8. The set of all ordered pairs of real numbers with
MATH 266 (092) ASSIGNMENT 2 Due Monday, Feb. 2. 1. Translate
MATH 266 (092) ASSIGNMENT 2 Due Monday, Feb. 2. 1. Translate
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034
MATH 260 2001/2002 Midterm Exam 1
MATH 260 2001/2002 Midterm Exam 1
Preliminary Exam 2 1. Prove that every compact Hausdorff space is
Preliminary Exam 2 1. Prove that every compact Hausdorff space is
Products and quotients via universal property
Products and quotients via universal property
Review - sandquist
Review - sandquist
Existence/Occurrence Completeness/Period Valuation/Allocation
Existence/Occurrence Completeness/Period Valuation/Allocation