Exercises: program verification using SAT/SMT

Transcription

1 Exercises: program verification using SAT/SMT For these exercises, we will use the program verifier Dafny. There is an online tutorial for Dafny available at: The source files of these exercises and a ZIP with Dafny for Linux/MacOSX can be found at ~sccblom/ipa_course.html. As we are in particular interested in the SMT problems that are generated by Dafny, we will use Dafny mainly from the commandline. Part 1: Getting Started With Dafny Exercise A Consider the file Incr-good.dfy with the following Dafny program: c l a s s MyClass method i n c r ( x : i n t ) r e t u r n s ( y : i n t ) r e q u i r e s x > 0 ; e n s u r e s y==x+481; y := x+481; Remark: Source code available as Incr-good.dfy Run Dafny on it from the commandline, using > dafny /compile:0 Incr-good.dfy You will get the following output: Dafny program verifier version , Copyright (c) , Microsoft. Dafny program verifier finished with 2 verified, 0 errors N.B. The option /compile:0 disables the compilation of succesfully verified code, because that part of Dafny does not work on Linux and MacOSX. Exercise B Copy your program to a file Incr-bad.dfy, and in this copy change the assignment in the program to y := x+37;. Run Dafny on Incr-bad.dfy. This program does not fulfill its contract, and Dafny will report a problem. Run Dafny, and understand the error message. Try to change the program in other ways, and study the different error messages. 1

2 Exercise C As explained during the lecture, Dafny works by translating the given program into a BoogiePL program. The BoogiePL program start with the contents of the file DafnyPrelude.bpl, which defines the Dafny predefined datatypes, such as sequences, sets and bags. From the Boogie program, verification conditions are generated that are checked by Z3. To get an idea of how this process works, you can call Dafny with the options that will save the Boogie program and the Z3 inputs: The option /print:@file@.bpl will record the encoding of the Dafny program as a Boogie program into a file. The option /proverlog:@file@-@proc@ will record the SMT problems submitted to Z3. The use is intentional. These string will be replaced by the Dafny file and the BoogiePL procedure being processed, respectively. Generate BoogiePL files for Incr-good.dfy and Incr-bad.dfy and study them. This results in quite long file, because checks for various aspects, such as heap access and types are added to the program. However, the original program can still be recognized in the implementations, which start with Impl$$_module. Look at the generated code, and try to match it to the original programs. Exercise D Now generate the SMT problems submitted to Z3 for both programs. Search for the line(s) containing (check-sat). The text above these lines encodes the actual check. Use the difference between Incr-good.dfy and Incr-bad.dfy to understand the generated verification condition. Exercise E Finally, change the body of Incr-good.dfy y := x+400; y := y+81; and study what changes in the generated BoogiePL code and SMT problems. Exercise F And now for something completely different. Do you recognize the following example? method search ( a : int, b : int, c : int, d : i n t ) r e t u r n s ( ) e n s u r e s! ( 2 a > b + c && 2 b > c + d && 2 c > 3 d && 3 d > a + c ) ; The code is in search.dfy. Run Dafny with SMT model printing enabled: > dafny /printmodel:2 /compile:0 search.dfy Then find a solution to the equation in the output. Exercise G In the search example, convert the method parameters to global variables. Then run Dafny again. Can you still find the counter example? 2

3 Part 2: Specification Exercises We will first look at some specification and verification examples using Dafny. These exercises have been borrowed from the online Dafny tutorial at Exercise A The following example is not quite right. Find the error, fix it and verify the fix. method MultipleReturns ( x : int, y : i n t ) r e t u r n s ( more : int, l e s s : i n t ) e n s u r e s l e s s < x ; e n s u r e s x < more ; more := x + y ; l e s s := x y ; Remark: Source code available as multiplereturn.dfy Exercise B Write a method Max that takes two integer parameters and returns their maximum. Add appropriate annotations and make sure your code respects its specification. method Max( a : int, b : i n t ) r e t u r n s ( c : i n t ) Exercise C In Dafny, inductively defined functions can be used in method contracts. For example, function fib gives the standard mathematical definition of the Fibonacci numbers, while method ComputeFib provides an efficient algorithm to compute Fibonacci numbers. f u n c t i o n f i b ( n : nat ) : nat i f n == 0 then 0 e l s e i f n == 1 then 1 e l s e f i b ( n 1) + f i b ( n 2) method ComputeFib ( n : nat ) r e t u r n s ( b : nat ) e n s u r e s b == f i b ( n ) ; i f ( n == 0) r eturn 0 ; var i : i n t := 1 ; var a := 0 ; b := 1 ; while ( i < n ) a, b := b, a + b ; i := i + 1 ; Remark: Source code available as fibonacci.dfy Add loop invariants to make the method ComputeFib verify. 3

4 Exercise D Implement and verify a binary search algorithm, respecting the following method specification: p r e d i c a t e s o r t e d ( a : array<int >) r e q u i r e s a!= n u l l ; reads a ; f o r a l l j, k : : 0 <= j < k < a. Length ==> a [ j ] <= a [ k ] method BinarySearch ( a : array<int >, value : i n t ) r e t u r n s ( index : i n t ) r e q u i r e s a!= n u l l && 0 <= a. Length && s o r t e d ( a ) ; e n s u r e s Remark: Source code available as sort.dfy If you would like to try a more challenging verification exercise, we recommend the prefix sum problem, available in the prefixsum directory. 1 1 The prefix sum was the second challenge in the 2012 VerifyThis verification competition: verifythis.org/challenges. 4

5 Part 3: SMT Encodings Exercise A Consider method Blank. method Blank ( a : array<int >) r e t u r n s ( ) m o d i f i e s a ; r e q u i r e s a!= n u l l ; e n s u r e s f o r a l l i : : 0 <= i < a. Length ==> a [ i ] == 0 ; var k : i n t := 0 ; while ( k<a. Length ) i n v a r i a n t 0 <= k <= a. Length ; i n v a r i a n t f o r a l l i : : 0 <= i < k ==> a [ i ] == 0 ; d e c r e a s e s a. Length k ; a [ k ] := 0 ; k := k + 1 ; Remark: Source code available as blank.dfy Use the same steps as in Exercise 1 to understand the generated SMT problems. In particular, we recommend that you make small variations in your program, and study the changes in the generated SMT problems. For example, commenting out parts of the specifications and/or code and then re-running and re-inspecting allows you to see what traces to what. 5

6 Exercise B This is the well-known Zune leap year bug. Consider the following loop : while ( days > 365) d e c r e a s e s days ; i f ( IsLeapYear ( year ) ) i f ( days > 366) days := days 366; year := year + 1 ; e l s e days := days 365; year := year + 1 ; Remark: Source code available as zune.dfy It is supposed to convert a large number of days into a number of years and a day of the year. Use Dafny model printing to find an initial value, where the loop fails to work. 6