Programming Languages

Transcription

1 CSE 230: Winter 2010 Principles of Programming Languages Lecture 8: Program Verification Ranjit Jhala UC San Diego Loop Example Verify: {x=8 Æ y=16 while(x>0){x--; y-=2; {y=0 x--; y-=2 { I { I Æ x>0 x>0 { x = 8 Æ y = 16 { I ind an appropriate invariant I Holds initially x = 8 Æ y = 16 Holds at the end y == 0 { y = 0 Loop Example (II) Guess invariant y = 2*x Check : { y = 2*x x--; y-=2 x>0 { y = 2*x Æ x > 0 { x = 8 Æ y = 16 { y = 2*x { y = 0 Initial: x = 8 Æ y = 16 y = 2*x Preservation: y = 2*x Æ x>0 y 2 = 2*(x 1) inal: y = 2*x Æ x 0 y = 0 Invalid

2 Loop Example (III) Guess invariant y = 2*x Æ x 0 Check { y=2*x Æ x 0 x--; y-=2 x>0 { y = 2*x Æ x 0 Æ x>0 { x = 8 Æ y = 16 { y = 2*x Æ x 0 { y = 0 Initial: x = 8 Æ y = 16 y = 2*x Æ x 0 Preservation: y = 2*x Æ x 0 Æ x>0 y 2 = 2*(x 1) Æ x 1 0 inal: y = 2*x Æ x 0 Æ x 0 y = 0 Loops Discussion Simple forward/backward propagation fails Require loop invariants Hardest part of program verification Guess the invariants (existing programs) Write the invariants (new programs) Note: Invariant depends on what you want to prove! Verification Example int square(int n) { int k=0, r=0, s=1; while(k!= n) { r = r + s; k:=0 r:=0 s:=1 { true s=s+2; Pick I: r = k 2 k=k + 1; return r;??? r:=r+s s:=s+2 k!=n { r=0 Æ k=0 I : {r = k 2 k:=k+1 k {r=n 2 {r=k 2 {r=k Æ k=n 2 Æk=n Need: {r=k 2 Æ k=n c {r=k 2 i.e. {r=k 2 Æ k=n WP(c,{r=k 2 ) i.e. {r=k 2 Æ k=n {r+s=(k+1) 2 Invalid Verification Example Need: {r=k 2 Æ s=2k+1 Æ c {r=k 2 Æ s=2k+1 i.e. {r=k 2 Æ s=2k+1 WP(c,{r=k 2 Æs=2k+1) i.e. {r=k 2 Æ s=2k+1 {r+s=(k+1) 2 Æ (s+2) = 2(k+1)+1??? r:=r+s s:=s+2 k:=0 r:=0 s:=1 k!=n { true Valid { r=0 Æ k=0 Æ s=1 I : {r=k 2 Æ s=2k+1 {r=k 2 k:=k+1 {r=n 2 {r=k 2 Æs=2k+1Æ Æs=2k+1 Æk=n

3 What about real languages? Loops unction calls Pointers unctions are big instructions Suppose we have verified bsearch int bsearch(int a[], int p) { { sorted(a) Precondition { r=-1 Ç (r 0 Æ r < a.length Æ a[r]=p) return r; Postcondition unction spec = precondition i + postconditon Also called a contract unction Calls Consider a call to function y:=f(int E) return variable r precondition Pre, postcondition Post unction Calls Consider a call to function y:=f(int x) return variable r precondition Pre, postcondition Post Rule for function call: Rule for function call: { P if P Pre[E/x] ` P Pre[E/x] `{Pre f {Post ` Post[E/x,y/r] Q ` {P y:=f(e){q y := (E) { Q and Post[E/x,y/r] Q

4 unction Call: Example Consider the call {sorted(arr) y:=bsearch(arr,5) {y=-1 Ç arr[y]=5 if(y!=-1){ {y!=-1 Æ (y=-1çarr[y]=5 {arr[y]=5 int bsearch(int a[],int p) { { sorted(a) { r=-1ç(r 0 Æ r<a.lengthæ a[r]=p) [] return r; What about real languages? Loops unction calls Pointers sorted[array] ay] Pre[a := arr] Post[y/r,arr/a, 5/p] (y=-1 Ç arr[y]=5) Assignment and Aliasing Does assignment rule work with aliasing? If *x and *y are aliased then: {x=y *x:=5 {*x+*y=10 Hoare Rules: Assignment and References When is the following Hoare triple valid? { A *x := 5 { *x + *y = 10 Ashould be *y = 5 or x = y but Hoare rule for assignment gives: [5/*x](*x + *y = 10) = 5 + *y = 10 = *y = 5 (uh oh! we lost one case! What gives?)

5 Hoare Rules: Assignment and References Modeling writes with memory expressions reat memory as a whole w/ memory variables (M) upd(m,e 1,E 2 ) : update M at addr E 1 with value E 2 sel(m,e 1 ) : read M at address E 1 Reason about memory expressions with McCarthy s rule sel(upd(m, E 1, E 2 ), E 3 ) = E 2 if E 1 = E 3 sel(m, E 3 ) if E 1 E 3 Assignment (update) changes the value of memory {B[upd(M, E 1 1, E 2 2) )/M] *E 1:=E 2 {B Memory Aliasing Consider again: {A *x:=5 {*x+*y=10 {x+y=10 We obtain: A = [upd(m, x, 5)/M] (*x+*y=10) = [upd(m, x, 5)/M] (sel(m,x) + sel(m,y) = 10) = sel(upd(m, x, 5), x) + sel(upd(m, x, 5), y) = 10 = 5 + sel(upd(m, x, 5), y) = 10 = if x = y then = 10 else 5 + sel(m, y) = 10 = x=y or *y = 5 Program Verification ools Semi-automated You write some invariants and specifications ool tries to fill in the other invariants And to prove all implications Explains when implication is invalid: counterexample for your specification ESC/Java Spec# Algorithmic Program Verification or how does ESC/Java work? Q: How to algorithmically i ll prove {P c {Q? If no loops: 1. Compute: WP(c,Q) 2. Prove: P WP(c,Q) Verification Condition Discharged using Auto. heorem Prover

6 VC Generation for Loops Suppose all loops annotated with Invariant while I b do c Again, lets compute a VC such that: if VC is valid (true) then {P c {Q Q: Why not iff? as the loop invariants i may be bogus VCGen We will write a function VCG: comm (pred pred list) (pred pred list) Suppose (Q,L ) = VCG(c,(Q,L )) hen VC for {P c {Q is: P Q Æ {f in L f L : the set of conditions that must be true rom loops (init,preservation,final) Q : precondition modulo invariants Loops and Arrays VCGen VCG: comm (pred pred list) (pred pred list) VCG(c,(Q,L)) (Q = (Q,L L ) hen VC for {P c {Q is: P Q Æ {f in L f let rec VCG(c,(Q,L)) = match c with x:= e -> c1;c2 -> if b then c1 else c2 -> while I b do c ->

7 VCGen VCG: comm (pred pred list) (pred pred list) VCG(c,(Q,L)) (Q = (Q,L L ) hen VC for {P c {Q is: P Q Æ {f in L f let rec VCG(c,(Q,L)) = match c with x:= e -> (Q[e/x], L) c1;c2 -> VCG(c1,VCG(c2,(Q, L))) if b then c1 else c2 -> let (Q1,L1) = VCG( c1,(q, L)) (Q2,L2) = VCG( c2,(q, L)) in ((bæq1)ç( bæq2), L1 L2 ) while I b do c -> let (Q,L ) = VCG(c,(Q, L)) in (I, L {IÆb Q {IÆ b Q ) ESC/Java Semi-automated You write the invariants ESC/Java: VCGen: Simplify: heoremprover to prove VC Explains when implication is invalid: counterexample for your specification