![Page 1: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/1.jpg)
Technologies for finding errorsTechnologies for finding errorsin object-oriented softwarein object-oriented software
Technologies for finding errorsTechnologies for finding errorsin object-oriented softwarein object-oriented software
K. Rustan M. LeinoMicrosoft Research, Redmond, WA
Lecture 1Summer school on Formal Models of Software2 Sep 2003, Tunis, Tunisia
![Page 2: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/2.jpg)
Review: Tool architectureSource programSource program
Verification conditionVerification condition
Counterexample contextCounterexample context
Warning messagesWarning messages
Automatic theorem proverAutomatic theorem prover
Post processorPost processor
Sugared commandSugared command
Primitive commandPrimitive command
Passive commandPassive commandTra
nsl
ato
rTra
nsl
ato
rFocus today
![Page 3: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/3.jpg)
Commands and their possible outcomes• Normal termination
– terminates normally in some state
• Erroneous termination– goes wrong, crashes the computer
• Non-termination– diverges, fails to terminates, results in infinite
recursion
• Miraculous termination– fails to start, blocks
(partial/miraculous commands)
you breach
contract,demon wins
demon breaches contract,you win!
![Page 4: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/4.jpg)
Commands
C ::= w := E| assert P| assume P| var w in C end| C0 ; C1
| C0 [] C1
![Page 5: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/5.jpg)
Semantics• Hoare logic
– {P} C {R} says that if command C is started in (a state satisfying) P, then:• C does not go wrong, and• if C terminates normally, then it
terminates in (a state satisfying) R
• Weakest preconditions– for a given C and R, the weakest P
satisfying {P} C {R}– written wp(C, R) or simply C.R
![Page 6: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/6.jpg)
Command semantics—assignment
• evaluate E and change value of w to E• (w := E).R ≡ R[w := E]
• (x := x + 1).(x ≦ 10)≡ x+1 ≦ 10≡ x < 10
• (x := 15).(x ≦ 10)≡ 15 ≦ 10≡ false
• (y := x + 3*y).(x ≦ 10)≡ x ≦ 10
• (x,y := y,x).(x < y)≡ y < x
replace w by Ein R
![Page 7: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/7.jpg)
Command semantics—assert
• if P holds, do nothing, else go wrong• (assert P).R ≡ P ∧ R
• (assert x < 10).(0 ≦ x)≡ 0 ≦ x < 10
• (assert x = y*y).(0 ≦ x)≡ x = y*y ∧ 0 ≦ x≡ x = y*y
• (assert false).(x ≦ 10)≡ false
logical AND,conjunction
![Page 8: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/8.jpg)
Command semantics—assume
logicalimplication
logical NOT,negation
logical OR,disjunction
• if P holds, do nothing, else block
• (assume P).R ≡ ¬ P ∨ R≡ P ⇒ R
• (assume x < 10).(0 ≦ x)≡ 10 ≦ x ∨ 0 ≦ x≡ 0 ≦ x
• (assume x = y*y).(0 ≦ x)≡ x = y*y ⇒ 0 ≦ x≡ true
• (assume false).(x ≦ 10)≡ true
![Page 9: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/9.jpg)
• introduce w with an arbitrary initial value,then do C
• (var w in C end).R ≡ (∀w ・ C.R)
• (var y in y := x end).(0 ≦ x)≡ (∀y ・ (y := x).(0 ≦ x))≡ (∀y ・ 0 ≦ x)≡ 0 ≦ x
• (var y in x := y end).(0 ≦ x)≡ (∀y ・ (x := y).(0 ≦ x))≡ (∀y ・ 0 ≦ y)≡ false
Command semantics—local variable
provided w does not occur free in R
![Page 10: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/10.jpg)
• do C0, then C1
• (C0 ; C1).R ≡ C0.(C1.R)
• (x := x+1 ; assert x ≦ y).(0 < x)≡ (x := x+1).( (assert x ≦ y).(0 < x) )≡ (x := x+1).(0 < x ≦ y)
≡ 0 < x+1 ≦ y≡ 0 ≦ x < y
• (assume 0 ≦ y+z ; x := y).(0 ≦ x)≡ (assume 0 ≦ y+z).( (x:=y).(0 ≦
x) )≡ (assume 0 ≦ y+z).(0 ≦ y)≡ 0 ≦ y+z ⇒ 0 ≦ y≡ -y ≦ z ⇒ -y ≦ 0≡ 0 ≦ z
Command semantics—sequential composition
![Page 11: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/11.jpg)
• do either C0 or C1 (the demon chooses which)
• (C0 [] C1).R ≡ C0.R ∧ C1.R
• (x := x+1 [] x := x + 2).(x ≦ 10)≡ (x := x+1). (x ≦ 10) ∧ (x := x+2).(x ≦ 10)≡ x ≦ 9 ∧ x ≦ 8
≡ x ≦ 8• (assume false [] x := y).(0 ≦ x)
≡ (assume false).(0 ≦ x) ∧ (x:=y).(0 ≦ x) ≡ true ∧ 0 ≦ y≡ 0 ≦ y
Command semantics—choice composition
![Page 12: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/12.jpg)
Convenient shorthands• skip = assert true = assume true• wrong = assert false• magic = assume false• P C = assume P; C• if P then C0 else C1 end
= P C0 [] ¬ P C1
• havoc w = var w’in w := w’end
![Page 13: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/13.jpg)
Change such that• change w such that P
= havoc w ; assume P
• change x such that y = x+1≡ havoc x ; assume y = x+1≡ x := y-1
• change x such that y < x≡ x := y+1 [] x := y+2 [] …
• change x such that x = x+1≡ havoc x ; assume false≡ magic
• change r such that r*r = y≡ y < 0 magic [] 0 ≦ y r := √y [] 0 ≦ y r := -√y
![Page 14: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/14.jpg)
Specification statementw:[P, Q]
= requires P modifies w ensures Q= assert P ;
var w0 inw0 := w ;change w such that Q
end• x:[true, x0=x+1]
≡ x := x-1• r:[0 ≦ y, r*r = y]
≡ assert 0 ≦ y ; (r := √y [] r := -√y)• x:[0 ≦ x, x2 ≦ x0 < (x+1)2] ≡ ?• x,y,z,n:[1≦x≦y∧1≦z∧2≦n, xn+yn=zn] ≡ ?
![Page 15: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/15.jpg)
Variables with internal structure: maps
• x := a[i] = x := select(a, i)• a[i] := E = a := store(a, i, E)
where
(∀m,i,j,v ・ i ≠j ⇒
select(store(m, i, v), i) = v ∧ select(store(m, i, v), j) = select(m, j))
![Page 16: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/16.jpg)
Example: maps(a[5] := 12 ; a[7] := 14 ; x := a[5]).(x=12)
=(a[5] := 12 ; a[7] := 14).(select(a, 5) = 12)=(a[5] := 12).(select(store(a, 7, 14), 5) = 12)=select(store(store(a, 5, 12), 7, 14), 5) = 12= { select/store axiom, since 7 ≠ 5 }
select(store(a, 5, 12), 5) = 12= { select/store axiom, since 5 = 5 }
12 = 12=true
![Page 17: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/17.jpg)
RefinementB ⊆ C
=(∀R ・ B.R ⇒ C.R )
• change x such that y < x ⊆ x := y+4• assert x < 10 ⊆ skip• skip ⊆ assume x < 10• wrong ⊆ C• C ⊆ magic
command Bis refined bycommand C
• C is “better” than B
• “anyone who requests B would be happy with C”
![Page 18: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/18.jpg)
Compositions are monotonic with respect to refinement• if B ⊆ C then:
– var w in B end ⊆ var w in C end– A;B ⊆ A;C– B;D ⊆ C;D– A [] B ⊆ A [] C
• var x in ... change x such that y < x ... end⊆ var x in ... x := y+4 ... end
![Page 19: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/19.jpg)
Commands form a lattice• Commands form a semi-lattice under
ordering ⊆, with meet operation [], top element magic, and bottom element wrong
• A lattice theorem: B ⊆ C0 ∧ B ⊆ C1 ≡ B ⊆ C0 [] C1
• Corollary: C0 [] C1 ⊆ C0
![Page 20: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/20.jpg)
Example application of lattice theoremLet B = x:[true, x = |x0| ]. Then:• B ⊆ assume 0 ≦ x = C0
• B ⊆ assume x ≦ 0 ; x := -x = C1
• B ⊆ assume x = -3 ; x := 3 = C2
• B ⊆ magic = C3
Therefore:B ⊆ C0 [] C1 [] C2 [] C3
![Page 21: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/21.jpg)
Procedures• proc P(x,y,z) returns (r,s,t) spec S• call to P:
a,b,c := P(E0, E1, E2) =
var x,y,z,r,s,t inx := E0 ; y := E1 ; z := E2 ;S ;a,b,c := r,s,t
end
![Page 22: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/22.jpg)
Example: procedure• proc Add(x) returns (r)
spec requires 0 ≦ xmodifies kensures k = k0+x ∧ r = k0
• a := Add(k+25)= var x,r in
x := k+25 ;k:[0 ≦ x, k = k0+x ∧ r = k0] ;a := r
end
![Page 23: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/23.jpg)
Procedure implementations• proc P(x,y,z) returns (r,s,t) spec S
• impl P(x,y,z) returns (r,s,t) is CProof obligation: S ⊆ C
• Let C0, ..., Cm-1 be the declared implementations of P. Then, the language implementation of a call to P can replace S by:
C0 [] ... [] Cm-1
![Page 24: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/24.jpg)
Exercise• Redefine (in terms of the commands we've
seen) the specification statement so that the postcondition mentions x,x’ instead of x0,x
• Example:– old form:
x:[0 ≦ x, x*x ≦ x0 < (x+1)*(x+1)]– new form:
x:[0 ≦ x, x’*x’≦ x < (x’+1)*(x’+1)]
![Page 25: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/25.jpg)
ExerciseDefine
while {inv J} B do w: S end where:– B is the loop guard– S is the loop body– J is the loop invariant– w is the list of assignment targets in S
in terms of the commands we've seen.
![Page 26: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/26.jpg)
Loop (answer to exercise)
while {inv J} B do w: S end=
assert J ;change w such that J ;if B then
S ; assert J ; magicelse
skipend
![Page 27: Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models](https://reader034.vdocuments.us/reader034/viewer/2022051613/551475e5550346284e8b62a6/html5/thumbnails/27.jpg)
Summary• Language is built up from 6 primitive
commands• Semantics can be given by weakest
preconditions• Partial (miraculous) commands are
important and very useful• select/store handle “map” variables• Procedures are names for specifications• Procedure implementations are hints for
compiler