
Program Verification -- new recipe for old problem

Zhou Chaochen

Institute of Software, CAS

[email protected]

Computer Science

• Computing System – Millions of simple instructions

Bio System – DNA (A,T,G,C)

Manufacturing vs Evolving

• Fundamental Issues

# Computability and Solvability

# Algorithm Design and Analysis

# Programming Methodology: Correctness, etc

Program Correctness

• Test: Debug vs Prove

• Verification: Proof and Model Checking

• Transformation: Curry-Howard Isomorphism, Intuitionistic Logic, …

Assertion

• Program Language – Artificial Language

Assignment: x:=x-1

x:=e

Loop: while x>0 do x:=x-1

while B do S

Sequential Composition: S1;S2

• Intrinsic Logic

Assignment: P(e){x:=e}P(x)

x-1>0{x:=x-1}x>0

P(e) – Pre-Condition

P(x) – Post-Condition

Loop: If B&I{S}I

then I{while B do S}I&~B

Due to x>0 & x>=0 {x:=x-1} x>=0

hence x>=0 {while x>0 do x:=x-1} x>=0 & ~(x>0)

I.e. x>=0 {while x>0 do x:=x-1} x=0

I – Invariant

Sequential Composition: If P{S1}Q1, Q1=>Q2 and Q2{S2}Q, then P{S1;S2}Q

Pre, Post, Inv -- Assertion
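The three Hoare rules above generate verification conditions that can be checked mechanically; the following is an added example (not from the slides) that builds those conditions for the slide's loop x>=0 {while x>0 do x:=x-1} x=0 with invariant x>=0 and checks them on a bounded integer range. The names assign, vcs_while and check_bounded are this example's own.

```python
# Added example (not from the slides): verification conditions (VCs) for the
# Hoare rules above, checked on  x>=0 {while x>0 do x:=x-1} x=0  with
# invariant I = x>=0. Assertions are Python predicates over a state dict;
# the assignment rule P(e){x:=e}P(x) is realised by evaluating the
# post-assertion on the updated state. The check is bounded (integers in a
# range), so it can refute a wrong invariant but is not a proof.

def assign(var, expr):
    """Assignment var:=expr as a state transformer (the S of the loop rule)."""
    return lambda s: {**s, var: expr(s)}

def vcs_while(pre, cond, body, inv, post):
    """Loop rule  I&B{S}I => I{while B do S}I&~B, plus the consequence
    rule on entry (pre => I) and exit (I&~B => post)."""
    return {
        "pre => I":       lambda s: (not pre(s)) or inv(s),
        "I & B {S} I":    lambda s: (not (inv(s) and cond(s))) or inv(body(s)),
        "I & ~B => post": lambda s: (not (inv(s) and not cond(s))) or post(s),
    }

def check_bounded(vcs, var="x", lo=-20, hi=20):
    """Evaluate each VC on every integer state in [lo, hi]; return the
    names of the conditions that fail (empty list means all hold)."""
    return [name for name, vc in vcs.items()
            if not all(vc({var: v}) for v in range(lo, hi + 1))]

# The slide's program and assertions
PRE  = lambda s: s["x"] >= 0
B    = lambda s: s["x"] > 0
S    = assign("x", lambda s: s["x"] - 1)
INV  = lambda s: s["x"] >= 0
POST = lambda s: s["x"] == 0

def verify_countdown():
    """All three VCs hold with invariant x>=0."""
    return check_bounded(vcs_while(PRE, B, S, INV, POST))

def verify_weak_invariant():
    """With the trivial invariant True the exit VC fails: ~(x>0) alone
    does not give x=0, because x may be negative on exit."""
    return check_bounded(vcs_while(PRE, B, S, lambda s: True, POST))

if __name__ == "__main__":
    print(verify_countdown())        # []
    print(verify_weak_invariant())   # ['I & ~B => post']
```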

Program Verification

• Partial Correctness

x>=0 {FAC} y=x!

If FAC terminates, then …

Safety

• Total Correctness

Termination plus Partial Correctness

Liveness (deadlock free, livelock free,…)

Floyd Assertion & Hoare Logic

• Robert Floyd: 1978 Turing Award Laureate. 1967 Assigning Meanings to Programs. Inductive Assertion Method: Pre- and Post-Assertion

• Tony Hoare: 1980 Turing Award Laureate. 1969 An Axiomatic Basis for Computer Programming. Hoare Logic: Pre- and Post-Condition, Invariant

Assertion at Microsoft

• Microsoft Office: 250k assertions (ASSERT macro)

• Test: Dump instead of Crash (over half effort)

• Simplifying Assumption: for the next version (Overflow,…)

• Compile Time Check (Size,…) etc

• Microsoft Windows: over 1000 different assertion macros

• Bill Gates: Trustworthy Computing

Verifying Compiler

• A compiler which verifies correctness of programs: a major challenge of Computer Science in the 21st Century

• Include assertions into programming languages (Eiffel, JML, …)

• Improve program analysis tools in Industry (PREfix, …)

• Joint contributions from different mechanised proof technologies: a vast project unprecedented in Computer Science Academy

• Legacy and Open Source Movement

• IFIP workshop in 2005: Hoare and Misra, Shankar (He Jifeng, Zhang Jian, …) et al

Software Model Checking

• Given an infinite value domain, a program is an infinite state system

• Finite State Machine: BDD, CTL, 10^(100), …

• Real Time System: Infinite State Machine

Infinite State Model Checking

• Reduction to Finite State System: Regional Graph (?)

• Reduction to Linear Programming, Integer and Mixed Programming, (Zhou, Zhang, Yang and Kesten, Pnueli, Sifakis, Yovine)…

Real Algebra (Tarski, Wu, Zhang, Yang, …)

• Relation between the above two?

Reduction to Linear Programming

• Timed Automaton

[Diagram: timed automaton with states G and B, transition f (>=30) and transition r (<=1)]

Over any interval greater or equal to 60, bad states occupy no more than 20% of the interval

• A timed behaviour (f,t1),(r,t2),(f,t3) with t1>=30, 0<=t2<=1, t3>=30

• Linear Programming Problem

Constraints: t1>=30, 0<=t2<=1, t3>=30 and t1+t2+t3>=60

Objective function: 20*t2-(t1+t2+t3)

• Reduce infinite many behaviour to finite many
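The reduction above turns the question over infinitely many timed behaviours into one small linear program; as an added example (not from the slides), the program below solves that LP exactly by enumerating its vertices with rational arithmetic. It assumes the reading that the bound holds for every behaviour iff the slide's objective never exceeds 0, and the names CONSTRAINTS, solve_tight and maximise are this example's own.

```python
# Added example (not from the slides): the slide's reduction of the timed
# behaviour (f,t1),(r,t2),(f,t3) to a linear program, solved exactly by
# vertex enumeration. Constraints are rows (a, b) meaning a.t >= b; the
# objective 20*t2-(t1+t2+t3) is the slide's (assumed: property holds iff max <= 0).
from fractions import Fraction as F
from itertools import combinations

CONSTRAINTS = [
    ((1, 0, 0), 30),    # t1 >= 30
    ((0, 1, 0), 0),     # t2 >= 0
    ((0, -1, 0), -1),   # t2 <= 1
    ((0, 0, 1), 30),    # t3 >= 30
    ((1, 1, 1), 60),    # t1+t2+t3 >= 60: interval of length >= 60
]
OBJECTIVE = (-1, 19, -1)  # 20*t2 - (t1+t2+t3) = -t1 + 19*t2 - t3

def det3(m):
    return (m[0][0]*(m[1][1]*m[2][2] - m[1][2]*m[2][1])
          - m[0][1]*(m[1][0]*m[2][2] - m[1][2]*m[2][0])
          + m[0][2]*(m[1][0]*m[2][1] - m[1][1]*m[2][0]))

def solve_tight(rows):
    """Vertex where three constraints are tight (Cramer's rule); None if singular."""
    a = [[F(x) for x in r[0]] for r in rows]
    b = [F(r[1]) for r in rows]
    d = det3(a)
    if d == 0:
        return None
    sol = []
    for j in range(3):
        m = [r[:j] + [b[i]] + r[j+1:] for i, r in enumerate(a)]  # column j := b
        sol.append(det3(m) / d)
    return tuple(sol)

def feasible(t, constraints):
    return all(sum(ai*ti for ai, ti in zip(a, t)) >= b for a, b in constraints)

def maximise(constraints=CONSTRAINTS, objective=OBJECTIVE):
    """Largest objective value over feasible vertices, with the vertex.
    Bounded here because t2 <= 1 and larger t1, t3 only lower the value."""
    best = None
    for rows in combinations(constraints, 3):
        t = solve_tight(rows)
        if t is None or not feasible(t, constraints):
            continue
        val = sum(ci*ti for ci, ti in zip(objective, t))
        if best is None or val > best[0]:
            best = (val, t)
    return best
```

maximise() returns the vertex (30, 1, 30) with objective value -41, so the objective stays below 0 on every behaviour the constraints admit.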

Program Termination

• Ashish Tiwari, SRI (CAV 2004, LNCS 3114)

• Undecidable in general

• Linear Program: while (B*x>b) do x:=A*x+c

A,B – real matrices, x,b,c – real vectors

• The termination problem for linear program is decidable

• P: while c*x>0 do x:=A*x

• Intuition: If v is an eigenvector of A with positive eigenvalue e, then A*v=e*v by definition, and A^n*v=e^n*v, so c*A^n*v=c*e^n*v=e^n*c*v. So c*A^n*v has the same sign as c*v, as e>0

• P is not terminating with input x=v, where c*v>0

• Theorem: If P is not terminating then there exists a real eigenvector v of A, corresponding to a positive eigenvalue, such that c*v>=0

Proof: If nonterminating, NT is not empty, where NT={x : c*A^i*x>0, i=0,1,…}. Let NT’=NT+Boundary. NT’ is closed under A. Applying Brouwer’s fixed point theorem, there exists an eigenvector v of A in NT’.

• Change into c*v>0

• Add more conditions to have necessary and sufficient conclusion

• Generalise to general linear program

• Termination – Matrix Eigenvalue
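The eigenvector argument above can be run directly for small matrices; the following is an added example (not from the slides or Tiwari's paper) that computes the real eigenpairs of a 2x2 matrix, searches for a witness v with positive eigenvalue and c*v>0, and simulates while c*x>0 do x:=A*x to confirm the loop does not stop from that input. The 2x2 restriction and the names real_eigenpairs, nontermination_witness and steps_until_exit are this example's own.

```python
# Added example (not from the slides): Tiwari's sufficient condition for
# non-termination of  while c*x>0 do x:=A*x  on a 2x2 real matrix.
# A real eigenvector v with positive eigenvalue e and c*v>0 is a
# non-terminating input, since c*A^n*v = e^n*(c*v) keeps its sign.
import math

def real_eigenpairs(A):
    """Real (eigenvalue, eigenvector) pairs of a 2x2 matrix, or []."""
    (a, b), (c, d) = A
    tr, det = a + d, a*d - b*c
    disc = tr*tr - 4*det
    if disc < 0:
        return []                       # complex eigenvalues only
    pairs = []
    for e in sorted({(tr + math.sqrt(disc))/2, (tr - math.sqrt(disc))/2}):
        if (a - e, b) != (0, 0):
            v = (b, e - a)              # first row of (A - eI)v = 0
        elif (c, d - e) != (0, 0):
            v = (e - d, c)              # second row
        else:
            v = (1.0, 0.0)              # A = eI: any vector works
        pairs.append((e, v))
    return pairs

def dot(u, v):
    return u[0]*v[0] + u[1]*v[1]

def apply(A, x):
    return (A[0][0]*x[0] + A[0][1]*x[1], A[1][0]*x[0] + A[1][1]*x[1])

def nontermination_witness(A, c):
    """Eigenvector v with eigenvalue > 0 and c*v > 0, or None.
    Both v and -v are tried, since either sign is an eigenvector."""
    for e, v in real_eigenpairs(A):
        if e > 0:
            for w in (v, (-v[0], -v[1])):
                if dot(c, w) > 0:
                    return e, w
    return None

def steps_until_exit(A, c, x, limit=200):
    """Run the loop from x; return the iteration at which c*x>0 first
    fails, or None if it is still running after `limit` steps."""
    for n in range(limit):
        if not dot(c, x) > 0:
            return n
        x = apply(A, x)
    return None
```

For A = ((1,1),(0,2)) and c = (1,-1) the witness is the eigenvector (1,0) with eigenvalue 1, and the loop never exits from it, while a pure rotation matrix has no real eigenvalue and the loop stops after one step.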

Stability – Matrix Eigenvalue

• Termination characterization of linear programs is more complex than stability characterization for both continuous- and discrete-time linear systems

• As told by Yang

Good to use off-line symbolic computation

(Yang has developed very powerful symbolic computation tools, called Bottema and Discoverer, for real algebra, including a complete discrimination system)

• The deciding condition becomes 10^4 terms (of Dixon resultant) for 4 dimensions, dozens for 3, and several for 2

Invariant Generation

• Abstract Interpretation (P. Cousot and R. Cousot POPL77): symbolic execution until a fixed point is reached

• Linear Invariants for Linear Programs (Colón, Sankaranarayanan, Sipma CAV03): assume a linear invariant, and solve constraints (maybe nonlinear) on the coefficients of the linear invariant

Reachability

• Lafferriere, Pappas and Yovine (JSC 11,2001)

• dX/dt = AX+Bu

X,B – vectors, A – matrix, u – vector (control input)

• X = F(x,u,t)

x – vector (initial value of X)

• Reachability: state y is reachable from state x, if there exists u and t such that y=F(x,u,t)

• Reduced to real algebraic formula (under certain conditions)

• Quantifier elimination tools: REDLOG, QEPCAD

• An example of the paper impossible to resolve by REDLOG and QEPCAD alone can be done by Yang’s tools easily (as told by Yang)

Interdisciplinary Joint Effort

• Decidability for real algebra is the most fundamental result with respect to real numbers

• Program verification is employing more mathematics, in particular real algebra

• Strong in mechanical proving: Wu, Zhang, Yang,… Beautiful tools

• Control theory much more mature than CS

• We need your support and you can help us