Lectures 20, 21: Axiomatic Semantics

Similar documents
Introduction to Axiomatic Semantics (1/2)

Introduction to Axiomatic Semantics (1/2)

Introduction to Axiomatic Semantics

Axiomatic Semantics. More Semantics. Review - Operational Semantics. Partial Correctness Assertions. Programs Theorems. Axiomatic Semantics

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Lecture 5 - Axiomatic semantics

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

An Annotated Language

Programming Languages Third Edition

The Rule of Constancy(Derived Frame Rule)

Hoare triples. Floyd-Hoare Logic, Separation Logic

Reasoning About Imperative Programs. COS 441 Slides 10

Program Verification. Aarti Gupta

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

6. Hoare Logic and Weakest Preconditions

Chapter 3. Describing Syntax and Semantics

CITS5501 Software Testing and Quality Assurance Formal methods

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

A CRASH COURSE IN SEMANTICS

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

Chapter 3 (part 3) Describing Syntax and Semantics

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Chapter 1. Introduction

Program Verification. Program Verification 307/434

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Hoare Logic: Proving Programs Correct

COMP 507: Computer-Aided Program Design

Lecture Notes on Contracts

Formal Semantics of Programming Languages

Specification and Verification I

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Formal Semantics of Programming Languages

Com S 541. Programming Languages I

Lecture Notes on Program Equivalence

Formal Methods. CITS5501 Software Testing and Quality Assurance

Induction and Semantics in Dafny

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Program Analysis: Lecture 02 Page 1 of 32

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Proving the Correctness of Distributed Algorithms using TLA

Abstract Interpretation

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Computation Club: Gödel s theorem

Software Quality Assurance

CMSC 330: Organization of Programming Languages

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Shared Variables and Interference

1 Introduction. 3 Syntax

Handout 9: Imperative Programs and State

CS558 Programming Languages

Verification Condition Generation

A Small Interpreted Language

Principles of AI Planning. Principles of AI Planning. 7.1 How to obtain a heuristic. 7.2 Relaxed planning tasks. 7.1 How to obtain a heuristic

Symbolic Execution and Proof of Properties

Acknowledgements. Outline

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

In Our Last Exciting Episode

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

Hardware versus software

Program Syntax; Operational Semantics

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

3.7 Denotational Semantics

Critical Analysis of Computer Science Methodology: Theory

Software Engineering Lecture Notes

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

Shared Variables and Interference

Chapter 3. Syntax - the form or structure of the expressions, statements, and program units

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

Operational Semantics. One-Slide Summary. Lecture Outline

Application: Programming Language Semantics

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Forward Assignment; Strongest Postconditions

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

CIS 890: Safety Critical Systems

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

CSE 307: Principles of Programming Languages

Behavioral Equivalence

Chapter 2 & 3: Representations & Reasoning Systems (2.2)

Behavioral Equivalence

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

A Hoare Logic Contract Theory: An Exercise in Denotational Semantics

Distributed Systems Programming (F21DS1) Formal Verification

Transcription:

Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 1 / 39

Remember Operational Semantics We have a functional language with references We have defined the semantics of the language Operational semantics Relatively simple (related to state machines) Not compositional (due to loops and recursive calls) Adequate guide for implementing an interpreter Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 2 / 39

More kinds of semantics There is also denotational semantics Each program has a meaning in the form of a mathematical object Compositional More complex formalism (depending on the mathematics used) Closer to a compiler from source to math Neither is good for showing program correctness Operational semantics requires running the code Denotational semantics requires complex calculations Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 3 / 39

Axiomatic semantics An axiomatic semantics consists of A language for making assertions about programs Rules for establishing when assertions hold Typical assertions This program terminates If this program terminates, the variables x and y have the same value throughout the execution of the program The array accesses are within the array bounds Some typical languages of assertions First-order logic Other logics (temporal, linear) Special-purpose specification languages (Z, Larch, JML) Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 4 / 39

History Program verification is almost as old as programming (eg, Checking a Large Routine, Turing 1949) In the late 60s, Floyd had rules for flow-charts and Hoare had rules for structured languages Since then, there have been axiomatic semantics for substantial languages, and many applications Program verifiers (70s and 80s) PREfix: Symbolic execution for bug hunting (WinXP) Software validation tools Malware detection Automatic test generation Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 5 / 39

Hoare said Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs CAR Hoare, An Axiomatic Basis for Computer Programming, 1969 Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 6 / 39

Dijkstra said Program testing can be used to show the presence of bugs, but never to show their absence! Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 7 / 39

Hoare also said It has been found a serious problem to define these languages [ALGOL, FORTRAN, COBOL] with sufficient rigor to ensure compatibility among all implementations one way to achieve this would be to insist that all implementations of the language shall satisfy the axioms and rules of inference which underlie proofs of properties of programs expressed in the language In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 8 / 39

Other Applications of Axiomatic Semantics The project of defining and proving everything formally has not succeeded (at least not yet) Proving has not replaced testing and debugging (and praying) Applications of axiomatic semantics Proving the correctness of algorithms (or finding bugs) Proving the correctness of hardware descriptions (or finding bugs) extended static checking (eg, checking array bounds) Documentation of programs and interfaces Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 9 / 39

Safety and liveness Partial vs total correectness assertions Safety vs liveness properties Safety: nothing bad happens Liveness: something good happens eventually Usually focus on safety (partial correctness) Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 10 / 39

Assertions The assertions we make about programs are of the form {A} c {B} If A holds in a state σ and σ, c σ Then B holds in σ A is the precondition and B is the postcondition For example {x y} z := x; z := z + 1 {x < y} This is called a Hoare triple or Hoare assertions Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 11 / 39

Assertions (cont d) {A} c {B} is a partial correctness assertion Does not imply termination [A] c [B] is a total correctness assertion If A holds at state σ Then there exists σ such that σ, c σ And B holds in state σ Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 12 / 39

State-based assertions Assertions that characterize the state of the execution Recall: state = state of locals + state of memory Our assertions will need to be able to refer to Variables Contents of memory These are not state-based assertions Variable x is live, lock L will be released There is no correlation between the values of x and y Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 13 / 39

The assertion language We use a fragment of first-order predicate logic Formulas A ::= O A A A A A => A xa xa Atoms O ::= f(o,, O) e e e = e Expressions e ::= n true false We can also have an arbitrary assortment of function symbols ptr(e,t) expression e denotes a pointer to a T e : ptr(t) same in a different notation reachable(e1, e 2 ) list cell e 2 is reachable from e 1 these can be built-in or defined Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 14 / 39

Semantics of assertions We introduced a language of assertions, we need to assign meanings to assertions We ignore references to memory for now Notation σ = A means that an assertion holds in a given state This is well defined when σ is defined on all variables well-defined occurring in A The = judgment is defined inductively on the structure of assertions Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 15 / 39

Semantics of assertions (cont d) Formal definition σ = true always σ = e 1 = e 2 iff σ, e 1 n 1 and σ, e 2 n 2 and n 1 = n 2 σ = e 1 e 2 iff σ, e 1 n 1 and σ, e 2 n 2 and n 1 n 2 σ = A 1 A 2 iff σ = A 1 and σ = A 2 σ = A 1 A 2 iff σ = A 1 or σ = A 2 σ = A 1 => A 2 iff σ = A 1 implies σ = A 2 σ = xa iff n Z σ[x := n] = A σ = xa iff n Z σ[x := n] = A Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 16 / 39

Semantics of assertions (cont d) Now we can define formally the meaning of a partial correctness assertion = {A} c {B} : σ σ (σ = A σ, c σ ) σ = B and the meaning of a total correctness assertion = [A] c [B] σ σ (σ = A σ, c σ ) σ = B σ σ = A σ σ, c σ Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 17 / 39

Is this enough? Now we have the formal mechanism to decide when {A} c {B} Start the program in all states that satisfies A Run the program Check that each final state satisfies B This is exhaustive testing Not enough Cannot try the program in all states satisfying the precondition Cannot find all final states for non-deterministic programs It is impossible to effectively verify the truth of a xa postcondition (by using the definition of validity) Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 18 / 39

Derivations as validity witnesses We define a symbolic technique for deriving valid assertions from others that are known to be valid We start with validity of first-order formulas We write A when we can derive (prove) assertion A We want ( σ σ = A) iff σ A We write {A} c {B} when we can derive (prove) the partial correctness assertion We want = {A} c {B} iff {A} c {B} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 19 / 39

Derivation rules for assertions The derivation rules for A are the usual from first-order logic Axioms in natural deduction style (inference rules): A B A B A[α/x] αfresh xa xa A[e/x] A implies B A B A B B A A[e/x] xa xa A[α/x] implies B B Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 20 / 39

Derivation rules for triples Similarly, we define {A} c {B} when we can derive the triple using derivation rules There is a derivation rule for each instruction in the language Plus the rule of consequence A A {A} c {B} B B {A } c {B } Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 21 / 39

Derivation rules for Hoare logic One rule for each syntactic construct {A} skip {A} {A} c 1 {B} {B} c 2 {C} {A} c 1 ; c 2 {C} {A b} c 1 {B} {A b} c 2 {B} {A} if b then c 1 else c 2 {B} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 22 / 39

Hoare rules: loop The rule for while is not syntax directed It needs a loop invariant {A b} c {A} {A} while bdo c {A b} Try and see what is wrong if you make changes (eg drop b, relax invariant, ) Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 23 / 39

Hoare rules: assignment Example: {A} x := x + 2 {x 5} What is A? A has to imply {x 3} General rule {A[e/x]} x := e {A} It was simple after all Example Assume that x does not appear in e Show that {true} x := e {x = e} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 24 / 39

The assignment axiom Hoare said: Assignment is undoubtedly the most characteristic feature of programming a digital computer, and one that most clearly distinguishes it from other branches of mathematics It is surprising therefore that the axiom governing our reasoning about assignment is quite as simple as any to be found in elementary logic One catch: aliasing For languages with aliasing we might need extra machinery If x and y are aliased then {true} x := 5 {x + y = 10} is true Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 25 / 39

Multiple Hoare rules For some language constructs there are more than one possible rules Assignment {A} x := e { x 0 A[x 0 /x] x = e[x 0 /x]} Loop A b C {C} c {A} A b B {A} while bdo c {B} Loop (again) {A} c {(b A) ( b B)} {b A b B} while bdo c {B} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 26 / 39

Example: conditional Verify that {true} if y 0 then x := 1 else x := y {x > 0} D 1 :: {true y 0} x := 1 {x > 0} D 2 :: {true (y 0)} x := y {x > 0} {true} if y 0 then x := 1 else x := y {x > 0} We prove D 1 using consequence and assignment D 1 :: {1 > 0} x := 1 {x > 0} true y 0 1 > 0 {true y 0} x := 1 {x > 0} We prove D 2 using consequence and assignment, too D 2 :: {y > 0} x := y {x > 0} true (y 0) y > 0 {true (y 0)} x := y {x > 0} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 27 / 39

Example: loop Verify that {x 0} while x 5do x := x + 1 {x = 6} First, we must guess the invariant: x 6 Use the loop rule to verify the while (x 6) (x 5) (x + 1 6) {x + 1 6} x := x + 1 {x 6} {x 6 x 5} x := x + 1 {x 6} {x 6} while x 5do x := x + 1 {(x 6) (x 5)} Then use consequence to get the wanted property x 0 x 6 {x 6} while {(x 6) (x 5)} (x 6) (x 5) x = 6 {x 0} while x 5do x := x + 1 {x = 6} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 28 / 39

Example: loop forever Verify that {A} while truedo c {B} holds for any A, B and c Again, we guess the invariant true and apply the consequence and loop rules {true true} c {true} {true} while truedo c {true true} A true true true => false {A} while truedo c {B} We need an additional lemma How do we prove it? c {true} c {true} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 29 / 39

Example: GCD Let c be the program while (x y) do if (x y) then y := y x else x := x y Verify that {x = m y = n} c {x = gcd(m, n)} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 30 / 39

Example: GCD (cont d) The precondition Pre is x = m y = n The postcondition Post is x = gcd(m, n) It is crucial to select the proper loop invariant I I def = gcd(x, y) = gcd(m, n) Before applying the rule for loop, we apply the rule of consequence to reduce the problem to {I} c {I (x y)} To do that we also need Pre I I (x y) Post The first is x = m y = n => gcd(x, y) = gcd(m, n) The second is gcd(x, y) = gcd(m, n) x = y => x = gcd(m, n) Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 31 / 39

Example: GCD (cont d) We still need to verify {I} c {I (x y)} Now we can apply the rule for loop to get {I x y} d {I} where d is the body of the loop if (x y) then y := y x else x := x y Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 32 / 39

Example: GCD (cont d) We use the rule for conditionals to reduce the last goal to the two subgoals {I x y x y} y := y x {I} {I x y (x y)} x := x y {I} We use consequence and assignment to reduce them to I x y x y I[(y x)/y] I x y (x y) I[(x y)/x] or I x y x y gcd(m, n) = gcd(x, y x) I x y (x y) gcd(m, n) = gcd(x y, y) Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 33 / 39

Example: GCD (cont d) But we can prove that gcd(x, y) = gcd(x y, y) QED verification is done Things to notice We used a lot of arithmetic to prove implications We have to invent, or guess the loop invariants What about total correctness? Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 34 / 39

Hoare rule for function call If the function is not recursive, we can inline it f(x 1,, x n ) = c f {A} c f {B[f/x]} {A[e 1 /x 1,, e n /x n ]} x := f(e 1,, e n ) {B} In general Each function has a precondition Pref and a postcondition Post f {Pre f [e 1 /x 1,, e n /x n ]} x := f(e 1,, e n ) {Post f [x/f]} We verify the function body for the function pre- and postcondition {Pre f } c f {Post f } Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 35 / 39

Using Hoare rules Hoare rules are mostly syntax directed There are three issues When do we apply the rule of consequence? How do we prove the implications used in consequence? What invariant do we use for each while loop? The implications of consequence are theorem proving This turns out to be doable! The hardest problem is the loop invariants Should we ask the programmer for invariants? Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 36 / 39

So far We have a language for asserting properties of programs We know when such an assertion is true We have a symbolic method for deriving assertions A {A} c {B} derivation meaning A {A} c {B} completeness soundness σ = A = {A} c {B} Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 37 / 39

Soundness of axiomatic semantics Formal statement If {A} c {B} then = {A} c {B} Equivalently For all σ, if σ = A and σ, c σ and {A} c {B} Then σ = B Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 38 / 39

Completeness of axiomatic semantics If = {A} c {B} holds, can we always derive {A} c {B}? If not, then there are valid properties that we cannot verify with Hoare rules The good news: For our language so far, Hoare triples are complete The bad news: only if the underlying logic is complete Ie, = A implies A This is called relative completeness Pratikakis (CSD) Axiomatic Semantics CS49040, 2015-2016 39 / 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback