program verification[1].color

8/9/2019 Program Verification[1].Color

1/109

Core Programming Language

Hoare Triples; Partial and Total Correctness

Proof Calculus for Partial Correctness

Proof Calculus for Total Correctness

Programming by Contract

11Program Verification

CS 3234: Logic and Formal Systems

Martin Henz and Aquinas Hobor

October 29, 2009

Generated on Thursday 29th October, 2009, 13:52
http://find/http://goback/


2/109






1 Core Programming Language

2 Hoare Triples; Partial and Total Correctness

3 Proof Calculus for Partial Correctness

4 Proof Calculus for Total Correctness

5 Programming by Contract
http://find/http://goback/http://find/http://goback/


3/109






Motivation

Model checking is bumping into major problems, if the

systems deal with complex data structures and numbers,and interact with the user and each other in complex ways.


4/109






Motivation



Models become infinite.


5/109






Motivation



Models become infinite.Satisfaction/validity becomes undecidable.


6/109






Motivation



Models become infinite.Satisfaction/validity becomes undecidable.

We retreat to a proof-based framework for software

program verification.


7/109






Characteristics of the Approach

Proof-based instead of model checking


8/109








Semi-automatic instead of automatic


9/109









Property-oriented not using full specification


10/109










Application domain fixed to sequential programs using integers


11/109










Application domain fixed to sequential programs using integers

Interleaved with development rather than a-posteriori

verification

C P i L


12/109






Reasons for Program Verification

Documentation. Program properties formulated as theorems

can serve as concise documentation

C P i L


13/109









Time-to-market. Verification prevents/catches bugs and can

reduce development time

C P i L


14/109











Reuse. Clear specification provides basis for reuse

Core Programming Lang age


15/109











Reuse. Clear specification provides basis for reuse

Certification. Verification is required in safety-critical domains

such as nuclear power stations and aircraftcockpits



16/109






Framework for Software Verification

Convert informal description R of requirementsfor anapplication domain into formula R.



17/109








Write program P that meets R.



18/109









Prove that P satisfies R.



19/109









Prove that P satisfies R.

Each step provides risks and opportunities.



20/109













21/109






Motivation of Core Language

Real-world languages are quite large; many features and

constructs



22/109








constructs

Verification framework would exceed time we have inCS3234



23/109








constructs


Theoretical constructions such as Turing machines or

lambda calculus are too far from actual applications; too

low-level



24/109








constructs




low-level

Idea: use subset of Pascal/C/C++/Java



25/109








constructs




low-level

Idea: use subset of Pascal/C/C++/Java

Benefit: we can study useful realistic examples



26/109

g g g g





Expressions in Core Language

Expressions come as arithmetic expressions E:

E ::= n | x | (E) | (E + E) | (E E) | (E E)


27/109



28/109

g g g g





Expressions in Core Language

Expressions come as arithmetic expressions E:

E ::= n | x | (E) | (E + E) | (E E) | (E E)

and boolean expressions B:

B ::= true | false | (!B) | (B&B) | (BB) | (E< E)

Where are the other comparisons, for example ==?



29/109

g g g g





Commands in Core Language

Commands cover some common programming idioms.Expressions are components of commands.

C ::= x = E | C; C | if B {C} else {C} | while B {C}



30/109





Example

Consider the factorial function:

0!def= 1

(n+ 1)! def= (n+ 1) n!

We shall show that after the execution of the following Core

program, we have y = x!.

y = 1 ;z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }



31/109











32/109



33/109





Example

y = 1 ;z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }

We need to be able to say that at the end, y is x!



34/109





Example

y = 1 ;

z = 0 ;while ( z ! = x ) { z = z + 1 ; y = y z ; }

We need to be able to say that at the end, y is x!

That means we require a post-condition y = x!



35/109





Example

y = 1 ;z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }

Do we need pre-conditions, too?


H T i l P i l d T l C


36/109





Example

y = 1 ;

z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }


Yes, they specify what needs to be the case before

execution.Example: x> 0


H T i l P ti l d T t l C t


37/109





Example

y = 1 ;

z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }



execution.

Example: x> 0

Do we have to prove the postcondition in one go?


H T i l P ti l d T t l C t


38/109





Example

y = 1 ;

z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }



execution.

Example: x> 0

Do we have to prove the postcondition in one go?

No, the postcondition of one line can be the

pre-condition of the next!


39/109




40/109





Assertions on Programs

Shape of assertions

(||) P (||)

Informal meaning

If the program P is run in a state that satisfies , then the state

resulting from Ps execution will satisfy .




41/109





(Slightly Trivial) Example

Informal specification

Given a positive number x, the program P calculates a number

y whose square is less than x.




42/109









Assertion

(|x> 0|) P (|y y< x|)




43/109









Assertion

(|x> 0|) P (|y y< x|)

Example for P

y = 0

Core Programming LanguageHoare Triples; Partial and Total Correctness


44/109









Assertion

(|x> 0|) P (|y y< x|)

Example for P

y = 0

Our first Hoare triple

(|x> 0|) y = 0 (|y y< x|)



45/109





(Slightly Less Trivial) Example

Same assertion

(|x> 0|) P (|y y< x|)

Another example for P

y = 0 ;

w h i le ( y y < x ) {

y = y + 1 ;}y = y 1 ;



46/109





Recall: Models in Predicate Logic

Definition

Let F contain function symbols and P contain predicate

symbols. A model M for (F,P) consists of:1 A non-empty set A, the universe;

2 for each nullary function symbol f F a concrete elementfM A;

3

for each f F with arity n> 0, a concrete functionfM : An A;

4 for each P P with arity n> 0, a set PM An.


47/109


48/109


49/109


50/109



51/109

p ;




Partial Correctness

Definition

We say that the triple (||) P (||) is satisfied under partialcorrectnessif, for all states which satisfy , the state resultingfrom Ps execution satisfies , provided that P terminates.


52/109



53/109




Extreme Example

(||) while true { x = 0; } (||)

holds for all and .



54/109




Total Correctness

Definition

We say that the triple (||) P (||) is satisfied under totalcorrectnessif, for all states which satisfy , P is guaranteed toterminate and the resulting state satisfies .

Notation

We write |=tot (||) P (||).



55/109




Back to Factorial

Consider Fac1:

y = 1 ;

z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }


56/109



57/109




Back to Factorial

Consider Fac1:

y = 1 ;z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }

|=tot (|x 0|) Fac1 (|y = x!|)

|=tot (||) Fac1 (|y = x!|)



58/109




Back to Factorial

Consider Fac1:

y = 1 ;

z = 0 ;while ( z ! = x ) { z = z + 1 ; y = y z ; }

|=tot (|x 0|) Fac1 (|y = x!|)

|=tot (||)Fac1

(|y = x!|)|=par (|x 0|) Fac1 (|y = x!|)


59/109


P f C l l f P i l C


60/109










P f C l l f P ti l C t


61/109




Strategy

We are looking for a proof calculus that allows us to establish

par(|

|) P (

|

|)


P f C l l f P ti l C t


62/109




Strategy


par

(||) P (||)

where

|=par (||) P (||) holds whenever par (||) P (||)(correctness)




63/109




Strategy


par

(||) P (||)

where

|=par (||) P (||) holds whenever par (||) P (||)(correctness), and

par (||) P (||) holds whenever |=par (||) P (||)(completeness).




64/109




Rules for Partial Correctness

(||) C1 (||) (||) C2 (||)

(||) C1; C2 (||)

[Composition]




65/109




Rules for Partial Correctness (continued)

(|[x E]|) x = E (||)

[Assignment]




66/109




Examples

Let P be the program x = 2.


67/109




68/109




Examples


Using

(|[x E]|) x = E (||)

[Assignment]

we can prove:

(|2 = 2|) P (|x = 2|)




69/109




Examples


Using

(|[x E]|) x = E (||)

[Assignment]

we can prove:

(|2 = 2|) P (|x = 2|)

(|2 = 4|) P (|x = 4|)




70/109




Examples


Using

(|[x E]|) x = E (||)

[Assignment]

we can prove:

(|2 = 2|) P (|x = 2|)

(|2 = 4|) P (|x = 4|)

(|2 = y|) P (|x = y|)




71/109




Examples


Using

(|[x E]|) x = E (||)

[Assignment]

we can prove:

(|2 = 2|) P (|x = 2|)

(|2 = 4|) P (|x = 4|)

(|2 = y|) P (|x = y|)

(|2 > 0|) P (|x> 0|)


72/109


73/109




74/109



More Examples

Let P be the program x = x + 1.

Using

(|[x E]|) x = E (||)

[Assignment]

we can prove:

(|x + 1 = 2|) P (|x = 2|)




75/109



More Examples

Let P be the program x = x + 1.

Using

(|[x E]|) x = E (||)

[Assignment]

we can prove:

(|x + 1 = 2|) P (|x = 2|)(|x + 1 = y|) P (|x = y|)




76/109




(| B|) C1 (||) (| B|) C2 (||)

(||) if B { C1 } else { C2 } (||)

[If-statement]




77/109




(| B|) C1 (||) (| B|) C2 (||)

(||) if B { C1 } else { C2 } (||)

[If-statement]

(| B|) C (||)

(||) while B { C } (| B|)

[Partial-while]


78/109




79/109



Proof Tableaux

Proofs have tree shape

All rules have the structure

something

something else

As a result, all proofs can be written as a tree.

Practical concern

These trees tend to be very wide when written out on paper.

Thus we are using a linear format, called proof tableaux.


80/109


81/109




82/109



Working Backwards

Overall goal

Find a proof that at the end of executing a program P, some

condition holds.

Common situation

If P has the shape C1; . . . ; Cn, we need to find the weakestformula such that

(||) Cn (||)



C C


83/109



Working Backwards

Overall goal

Find a proof that at the end of executing a program P, some

condition holds.

Common situation

If P has the shape C1; . . . ; Cn, we need to find the weakestformula such that

(||) Cn (||)

Terminology

The weakest formula is called weakest precondition.



P f C l l f T l C


84/109



Example

(|y< 3|)(|y + 1 < 4|) Impliedy = y + 1;

(|y< 4|) Assignment



P f C l l f T t l C t


85/109



Another Example

Can we claim u = x + y after z = x; z = z + y; u = z; ?



P f C l l f T t l C t


86/109



Another Example

Can we claim u = x + y after z = x; z = z + y; u = z; ?

(||)

(|x + y = x + y|) Impliedz = x;

(|z+ y = x + y|) Assignmentz = z + y;

(|z = x + y|) Assignment

u = z;(|u = x + y|) Assignment





87/109



An Alternative Rule for If

We have:

(| B|) C1 (||) (| B|) C2 (||)

(||) if B { C1 } else { C2 } (||)

[If-statement]

Sometimes, the following derived rule is more suitable:

(|1|) C1 (||) (|2|) C2 (||)

(|(B 1) (B 2)|) if B { C1 } else { C2 } (||)

[If-stmt 2]





88/109



Example

Consider this implementation of Succ:

a = x + 1 ;

i f ( a = 1 == 0 ) {y = 1 ;

} e l s e {y = a ;

}

Can we prove (||) Succ (|y = x + 1|) ?





89/109



Another Example

...

i f ( a 1 == 0 ) {(|1 = x + 1|) If-Statement 2

y = 1;(|y = x + 1|) Assignment

} else {(|a= x + 1|) If-Statement 2y = a;

(|y = x + 1|) Assignment}

(|y = x + 1|) If-Statement 2


90/109





91/109



Recall: Partial-while Rule

(| B|) C (||)

(||) while B { C } (| B|)

[Partial-while]





92/109



Factorial Example

We shall show that the following Core program Fac1 meets this

specification:

y = 1 ;

z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }

Thus, to show:

(||) Fac1 (|y = x!|)





93/109



Partial Correctness of Fac1

...

(|y = z!|)while ( z != x ) {

(|y = z! z = x|) Invariant(|y (z + 1) = (z + 1)!|) Impliedz = z + 1;

(|y z = z!|) Assignmenty = y z;

(|y = z!|) Assignment}(|y = z! (z = x)|) Partial-while(|y = x!|) Implied





94/109



Partial Correctness of Fac1

(||)(|(1 = 0!)|) Impliedy = 1;

(|y = 0!|) Assignmentz = 0;

(|y = z!|) Assignmentwhile ( z != x ) {

...

}(|y = z! (z = x)|) Partial-while(|y = x!|) Implied





95/109












96/109



Ideas for Total Correctness

The only source of non-termination is the while

command.

If we can show that the value of an integer expressiondecreases in each iteration, but never goes negative, we

have proven termination.





97/109

oo Ca cu us o ota Co ect ess




command.



Why?





98/109




command.



Why? Well-foundedness of natural numbers





99/109




command.



Why? Well-foundedness of natural numbers

We shall include this argument in a new version of thewhile rule.





100/109



(| B|) C (||)

(||) while B { C } (| B|)

[Partial-while]

(| B 0 E = E0|) C (| 0 E< E0|)

(| 0 E|) while B { C } (| B|)

[Total-while]





101/109


Factorial Example (Again!)

y = 1 ;z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }

What could be a good invariant?





102/109


Factorial Example (Again!)

y = 1 ;

z = 0 ;

while ( z ! = x ) { z = z + 1 ; y = y z ; }

What could be a good invariant?

Answer:

x z





103/109


Total Correctness of Fac1

...

(|y = z! 0 x z|)while ( z != x ) {

(|y = z! z = x 0 x z = E0|) Invariant(|y (z + 1) = (z + 1)! 0 x (z+ 1) < E0|) Impliedz = z + 1;

(|y z = z! 0 x z< E0|) Assignmenty = y z;

(|y = z! 0 x z< E0|) Assignment}(|y = z! (z = x)|) Total-while(|y = x!|) Implied





104/109


Total Correctness of Fac1

(|x 0|)(|(1 = 0! 0 x 0|) Impliedy = 1;

(|y = 0! 0 x 0|) Assignmentz = 0;

(|y = z! 0 x z|) Assignmentwhile ( z != x ) {

...

}(|y = z! (z = x)|) Total-while(|y = x!|) Implied





105/109











106/109



Consider

(||) P (||)

Obligation for consumer of P

Only run P when is met.

Obligation for producer of P

Make sure is met after every run of P, assuming that is metbefore the run.


107/109




P i b C


108/109


Next Week

Lecture 12: Semantics of Hoare Logic


109/109

program verification[1].color

Documents