An Annotated Language

Similar documents
Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Lecture 5 - Axiomatic semantics

Verification Condition Generation

6. Hoare Logic and Weakest Preconditions

Introduction to Axiomatic Semantics

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Hoare triples. Floyd-Hoare Logic, Separation Logic

Lecture Notes: Hoare Logic

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

Introduction to Axiomatic Semantics (1/2)

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Programming Languages Third Edition

Lectures 20, 21: Axiomatic Semantics

Hoare Logic: Proving Programs Correct

Introduction to Axiomatic Semantics (1/2)

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Induction and Semantics in Dafny

Chapter 3. Describing Syntax and Semantics ISBN

Abstract Interpretation

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

CS2104 Prog. Lang. Concepts

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Chapter 3. Describing Syntax and Semantics

Program Verification. Program Verification 307/434

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Hoare Logic and Model Checking

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

Chapter 3 (part 3) Describing Syntax and Semantics

Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

A CRASH COURSE IN SEMANTICS

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Axiomatic Specification. Al-Said, Apcar, Jerejian

Hoare Logic and Model Checking

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Symbolic Execution and Proof of Properties

Formal Methods. CITS5501 Software Testing and Quality Assurance

Reasoning About Imperative Programs. COS 441 Slides 10

Outline. Computer Science 331. Three Classical Algorithms. The Sorting Problem. Classical Sorting Algorithms. Mike Jacobson. Description Analysis

CSC 501 Semantics of Programming Languages

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Formal Systems II: Applications

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Contents. Chapter 1 SPECIFYING SYNTAX 1

COMP 507: Computer-Aided Program Design

The Rule of Constancy(Derived Frame Rule)

Specifying and Verifying Programs (Part 2)

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Propositional Logic. Andreas Klappenecker

CITS5501 Software Testing and Quality Assurance Formal methods

CIS 500 Software Foundations. Final Exam. May 3, Answer key

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

The Pointer Assertion Logic Engine

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

CSE 307: Principles of Programming Languages

Discrete Mathematics Lecture 4. Harper Langston New York University

Chapter 3. Syntax - the form or structure of the expressions, statements, and program units

Lecture 5. Logic I. Statement Logic

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Incremental Proof Development in Dafny

Why. an intermediate language for deductive program verification

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

Dynamic Logic David Harel, The Weizmann Institute Dexter Kozen, Cornell University Jerzy Tiuryn, University of Warsaw The MIT Press, Cambridge, Massac

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

1.3. Conditional expressions To express case distinctions like

Backward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops

Proving Programs Correct

CS422 - Programming Language Design

Lecture 6: Arithmetic and Threshold Circuits

Lecture 4. First order logic is a formal notation for mathematics which involves:

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Proof Carrying Code(PCC)

Lecture 11 Lecture 11 Nov 5, 2014

Software Development. Modular Design and Algorithm Analysis

Denotational Semantics of a Simple Imperative Language Using Intensional Logic

FreePascal changes: user documentation

Lecture 10 Design by Contract

3.7 Denotational Semantics

Formal Verification. Lecture 10

The Eiffel language. Slides partly based on :

Software Engineering Lecture Notes

Programming Languages

Advances in Programming Languages

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Recursion and Structural Induction

Spark verification features

Review: Hoare Logic Rules

Transcription:

Hoare Logic

An Annotated Language

State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of side effects

Command Semantics Natural, or big-step semantics Evaluation relation See last lecture for definition!

Assertion Semantics Terms are interpreted very similarly to (program) integer expressions (but functions remain uninterpreted) Assertions are interpreted similarly to (program) boolean expressions (but predicates remain uninterpreted)

Validity In logical terms one considers a model (Z, I ), where I is the interpretation function that maps constants to their obvious interpretations as integer numbers, and maps functions and predicates to the corresponding arithmetic functions and comparison predicates (see Logic lectures!)

We assume the existence of external means for checking validity of assertions (see Logic lectures) These tools should allow us to define theories, i.e. to write axioms concerning the behaviour of the uninterpreted functions and predicates The following axiomatisation of factorial with a binary predicate is an example of this (not satisfying what is missing?)

Correctness Properties A total correctness property for a program C relative to specification (P, Q) has the following meaning: if P holds in a given state and C is executed in that state, then execution of C will stop, and moreover Q will hold in the final state of execution. A partial correctness property for a program C relative to specification (P, Q) has the meaning: if P holds in a given state and C is executed in that state, then either execution of C does not stop, or if it does, Q will hold in the final state.

Specifications and Hoare triples new syntactic classes for partial and total correctness

Loop Invariants Any property whose validity is preserved by executions of the loop s body. Since these executions may only take place when the loop condition is true, an invariant of the loop while (b) do C is any assertion I such that {I && b} C {I} is valid, in which case of course it also holds that {I} while (b) do C {I} is valid (WHY?)

The validity of [I && b] C [I] does not however imply the validity of [I] while (b) do C [I] (WHY?) The required notion here is a quantitative one: a loop variant is any positive integer expression that is strictly decreasing from iteration to iteration. The existence of a valid variant for a given loop implies the termination of all possible executions of the loop

Example How can this be proved? What is the role of the invariant?

Hoare Logic

The Consequence Rule Side conditions must be met in order for this rule to be applied in a derivation, corresponding to the validity of certain first-order implication formulas. If some of the rules applied in a tree have side conditions that are not satisfied, then this is not a proof-tree and the triple at its root is not inferred.

Total Correctness The identification of a decreasing { variant expression is necessary to guarantee that every loop terminates [I && B && V == n] C [I && V < n] I && B V >= 0 [I] while (B) do C [I && B]

Exercise Prove the validity of the following Hoare triple

What are the side conditions? The next slide contains an alternative derivation

Correctness of Hoare Logic Proof By induction on the derivation of {P}C{Q}. For the while case we also proceed by induction on the definition of the evaluation relation.

Problems with HL System Two desirable properties for backward proof construction are missing: Sub-formula property Unambiguous choice of rule The consequence rule causes ambiguity. Its presence is however necessary to make possible the application of rules for skip, assignment, and while An alternative is to distribute the side conditions among the different rules

HL without Consequ. Rule

Factorial Example

with side conditions:

Exercise Show that a triple is provable in this system iff it is provable in the original system of Hoare logic.

Auxiliary Variables How to specify formally a program that computes the minimum and maximum of a pair of numbers?

Solution Employ auxiliary variables, forbidden to occur in the program, to record initial values of variables

Factorial Spec. Updated or

Example: A Strategy for Proofs When an intemediate assertion is required, if possible choose the weakest precondition (for the given postcondition)

A Strategy for Proofs

A Strategy for Proofs

A Strategy for Proofs In this last step we are not free to choose the precondition and thus a side condition must be satisfied:

Exercise Use the weakest precondition strategy to verify Factorial

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback