Fundamentals of Software Engineering

Similar documents
15-819M: Data, Code, Decisions

Fundamentals of Software Engineering

Fundamentals of Software Engineering

Software Engineering using Formal Methods

Fundamentals of Software Engineering

Typed First-order Logic

From OCL to Typed First-order Logic

From OCL to Propositional and First-order Logic: Part I

Semantics and Pragmatics of NLP Propositional Logic, Predicates and Functions

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION

Chapter 2 (First-Order Logic) of. Verification of Object-Oriented Software

Formal Specification and Verification

Software Engineering using Formal Methods

Formal Specification and Verification

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

The Typed λ Calculus and Type Inferencing in ML

A First-Order Logic with First-Class Types

Formal Systems II: Applications

1 Introduction. 3 Syntax

Verifying Java Programs Verifying Java Programs with KeY

F. Brief review of classical predicate logic (PC)

A Short Introduction to First-Order Theorem Proving with KeY

Lecture 3: Recursion; Structural Induction

Formal Specification and Verification

Lecture 5: Predicate Calculus. ffl Predicate Logic ffl The Language ffl Semantics: Structures

Verifying Java Programs with KeY

Testing, Debugging, and Verification

Programming Languages Third Edition

Verifying Java Programs Verifying Java Programs with KeY

Dynamic Logic for Java

Towards a Logical Reconstruction of Relational Database Theory

Programming Languages and Compilers (CS 421)

Static Program Analysis

Overview of the KeY System

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Functional Programming. Pure Functional Programming

Formal Specification and Verification

Review Material: First Order Logic (FOL)

Formal Methods in Software Engineering 1

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

Introduction to Logic Programming

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Lecture 6: Arithmetic and Threshold Circuits

Subtyping. Lecture 13 CS 565 3/27/06

Reasoning About Imperative Programs. COS 441 Slides 10

3.7 Denotational Semantics

Computer Science Technical Report

Dynamic Logic with Non-rigid Functions

A Theorem Prover for Differential Dynamic Logic

Introduction & Review

Software Engineering using Formal Methods

Formal Methods for Software Development

Chapter 3: Propositional Languages

9/19/12. Why Study Discrete Math? What is discrete? Sets (Rosen, Chapter 2) can be described by discrete math TOPICS

LING 130: Quantified Noun Phrases

Application: Programming Language Semantics

Warm-Up Problem. Let L be the language consisting of as constant symbols, as a function symbol and as a predicate symbol. Give an interpretation where

Sets. Sets. Subset, universe. Specifying sets, membership. Examples: Specifying a set using a predicate. Examples

Typed Lambda Calculus for Syntacticians

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

CSC 501 Semantics of Programming Languages

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

(Refer Slide Time: 4:00)

Some instance messages and methods

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Back to the knights and knaves island

Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley. Chapter 6 Outline. Unary Relational Operations: SELECT and

Lecture 1: Conjunctive Queries

Questions? Static Semantics. Static Semantics. Static Semantics. Next week on Wednesday (5 th of October) no

Formal Predicate Calculus. Michael Meyling

T Reactive Systems: Kripke Structures and Automata

Curriculum Map Grade(s): Subject: AP Computer Science

Declarative programming. Logic programming is a declarative style of programming.

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Automated Reasoning. Natural Deduction in First-Order Logic

EXTENSIONS OF FIRST ORDER LOGIC

CMPSCI 250: Introduction to Computation. Lecture #1: Things, Sets and Strings David Mix Barrington 22 January 2014

Chapter 3 (part 3) Describing Syntax and Semantics

Denotational Semantics of a Simple Imperative Language Using Intensional Logic

Semantic Subtyping with an SMT Solver

Discrete Mathematics Lecture 4. Harper Langston New York University

COS 320. Compiling Techniques

Lecture 15 CIS 341: COMPILERS

Relational Databases

CMSC 330: Organization of Programming Languages. Operational Semantics

Type Systems. Today. 1. Organizational Matters. 1. Organizational Matters. Lecture 1 Oct. 20th, 2004 Sebastian Maneth. 1. Organizational Matters

Lecture Overview. [Scott, chapter 7] [Sebesta, chapter 6]

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

CS 314 Principles of Programming Languages

Informationslogistik Unit 5: Data Integrity & Functional Dependency

Softwaretechnik. Lecture 08: Testing and Debugging Overview. Peter Thiemann SS University of Freiburg, Germany

THREE LECTURES ON BASIC TOPOLOGY. 1. Basic notions.

Variables. Substitution

Operational Semantics. One-Slide Summary. Lecture Outline

Compilation 2012 Static Type Checking

Softwaretechnik. Lecture 08: Testing and Debugging Overview. Peter Thiemann SS University of Freiburg, Germany

Formal Methods for Software Development

Transcription:

Fundamentals of Software Engineering Reasoning about Programs with Dynamic Logic - Part I Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle (Chalmers University of Technology, Gothenburg, Sweden) Ina Schaefer FSE 1

Where Are We? specification of Java programs with JML [last two lectures] dynamic logic (DL) for resoning about Java programs [this week] generating DL from JML/Java+ verifying the resulting proof obligations [next week] Ina Schaefer FSE 2

Today introducing dynamic logic for Java recap first-order logic (FOL) semantics of FOL dynamic logic = extending FOL with dynamic interpretations programs to describe state change Ina Schaefer FSE 3

Repetition: First-Order Logic Typed first-order logic as in 8th lecture: Signature A first-order signature Σ consists of a set T Σ of types a set F Σ of function symbols a set P Σ of predicate symbols Ina Schaefer FSE 4

Repetition: First-Order Logic Typed first-order logic as in 8th lecture: Signature A first-order signature Σ consists of a set T Σ of types a set F Σ of function symbols a set P Σ of predicate symbols Type Declarations τ x; variable x has type τ p(τ 1,..., τ r ); predicate p has argument types τ 1,..., τ r τ f (τ 1,..., τ r ); function f has argument types τ 1,..., τ r and result type τ Ina Schaefer FSE 5

First-Order Semantics From propositional to first-order semantics In prop. logic, an interpretation of variables with {T, F } sufficed In first-order logic we must assign meaning to: function symbols (incl. constants) predicate symbols Respect typing: int i, List l must denote different objects What we need (to interpret a first-order formula) 1. A collection of typed universes of objects 2. A mapping from variables to objects 3. A mapping from function arguments to function values 4. The set of argument tuples where a predicate is true Ina Schaefer FSE 6

First-Order Domains/Universes 1. A collection of typed universes of objects Definition (Universe/Domain) A non-empty set D of objects is a universe or domain Each element of D has a fixed type given by δ : D T Σ Notation for the domain elements of type τ T Σ : D τ = {d D δ(d) = τ} Each type τ T Σ must contain at least one domain element: D τ Ina Schaefer FSE 7

First-Order States 3. A mapping from function arguments to function values 4. The set of argument tuples where a predicate is true Definition (First-Order State) Let D be a domain with typing function δ Let f be declared as τ f (τ 1,..., τ r ); Let p be declared as p(τ 1,..., τ r ); Ina Schaefer FSE 8

First-Order States 3. A mapping from function arguments to function values 4. The set of argument tuples where a predicate is true Definition (First-Order State) Let D be a domain with typing function δ Let f be declared as τ f (τ 1,..., τ r ); Let p be declared as p(τ 1,..., τ r ); Let I(f ) be a function I(f ) : D τ 1 D τr D τ Ina Schaefer FSE 9

First-Order States 3. A mapping from function arguments to function values 4. The set of argument tuples where a predicate is true Definition (First-Order State) Let D be a domain with typing function δ Let f be declared as τ f (τ 1,..., τ r ); Let p be declared as p(τ 1,..., τ r ); Let I(f ) be a function I(f ) : D τ 1 D τr D τ Let I(p) be a relation I(p) D τ 1 D τr Ina Schaefer FSE 10

First-Order States 3. A mapping from function arguments to function values 4. The set of argument tuples where a predicate is true Definition (First-Order State) Let D be a domain with typing function δ Let f be declared as τ f (τ 1,..., τ r ); Let p be declared as p(τ 1,..., τ r ); Let I(f ) be a function I(f ) : D τ 1 D τr D τ Let I(p) be a relation I(p) D τ 1 D τr Then S = (D, δ, I) is a first-order state Ina Schaefer FSE 11

First-Order States Cont d Example Signature: int i; int j; int f(int); Object obj; <(int,int); D = {17, 2, o} I(i) = 17 I(j) = 17 I(obj) = o D int I(f ) 2 2 17 2 D int D int in I(<)? (2, 2) F (2, 17) T (17, 2) F (17, 17) F One of uncountably many possible first-order states! Ina Schaefer FSE 12

Semantics of Reserved Signature Symbols Definition Reserved predicate symbol for equality:. = Ina Schaefer FSE 13

Semantics of Reserved Signature Symbols Definition Reserved predicate symbol for equality: Interpretation is fixed as I(. =) =. = Ina Schaefer FSE 14

Semantics of Reserved Signature Symbols Definition Reserved predicate symbol for equality:. = Interpretation is fixed as I(. =) = {(d, d) d D} Ina Schaefer FSE 15

Semantics of Reserved Signature Symbols Definition Reserved predicate symbol for equality: Interpretation is fixed as I(. =) = {(d, d) d D} Referential Equality (holds if arguments refer to identical object) Exercise: write down the predicate table for example domain. = Ina Schaefer FSE 16

Signature Symbols vs. Domain Elements Domain elements different from the terms representing them First-order formulas and terms have no access to domain Example Signature: Object obj1, obj2; Domain: D = {o} Ina Schaefer FSE 17

Signature Symbols vs. Domain Elements Domain elements different from the terms representing them First-order formulas and terms have no access to domain Example Signature: Object obj1, obj2; Domain: D = {o} In this state, necessarily I(obj1) = I(obj2) = o Ina Schaefer FSE 18

Variable Assignments 2. A mapping from variables to domain elements Think of variable assignment as environment for storage of local variables Definition (Variable Assignment) A variable assignment β maps variables to domain elements It respects the variable type, i.e., if x has type τ then β(x) D τ Ina Schaefer FSE 19

Semantic Evaluation of Terms Given a first-order state S and a variable assignment β it is possible to evaluate first-order terms under S and β Definition (Valuation of Terms) val S,β : Term D such that val S,β (t) D τ for t Term τ : val S,β (x) = Ina Schaefer FSE 20

Semantic Evaluation of Terms Given a first-order state S and a variable assignment β it is possible to evaluate first-order terms under S and β Definition (Valuation of Terms) val S,β : Term D such that val S,β (t) D τ for t Term τ : val S,β (x) = β(x) Ina Schaefer FSE 21

Semantic Evaluation of Terms Given a first-order state S and a variable assignment β it is possible to evaluate first-order terms under S and β Definition (Valuation of Terms) val S,β : Term D such that val S,β (t) D τ for t Term τ : val S,β (x) = β(x) val S,β (f (t 1,..., t r )) = Ina Schaefer FSE 22

Semantic Evaluation of Terms Given a first-order state S and a variable assignment β it is possible to evaluate first-order terms under S and β Definition (Valuation of Terms) val S,β : Term D such that val S,β (t) D τ for t Term τ : val S,β (x) = β(x) val S,β (f (t 1,..., t r )) = I(f )(val S,β (t 1 ),..., val S,β (t r )) Ina Schaefer FSE 23

Semantic Evaluation of Terms Cont d Example Signature: int i; int j; int f(int); D = {17, 2, o} Variables: Object obj; int x; I(i) = 17 I(j) = 17 D int I(f) 2 17 17 2 Var β obj o x 17 val S,β (f(f(i)))? val S,β (f(f(x)))? val S,β (obj)? Ina Schaefer FSE 24

Preparing for Semantic Evaluation of Formulas Definition (Modified Variable Assignment) Let y be variable of type τ, β variable assignment, d D τ : { βy d β(x) x y (x) := d x = y Ina Schaefer FSE 25

Semantic Evaluation of Formulas Definition (Valuation of Formulas) val S,β (φ) for φ For val S,β (p(t 1,..., t r )) = T iff (val S,β (t 1 ),..., val S,β (t r )) I(p) Ina Schaefer FSE 26

Semantic Evaluation of Formulas Definition (Valuation of Formulas) val S,β (φ) for φ For val S,β (p(t 1,..., t r )) = T iff (val S,β (t 1 ),..., val S,β (t r )) I(p) val S,β (φ ψ) = T iff val S,β (φ) = T and val S,β (ψ) = T... as in propositional logic Ina Schaefer FSE 27

Semantic Evaluation of Formulas Definition (Valuation of Formulas) val S,β (φ) for φ For val S,β (p(t 1,..., t r )) = T iff (val S,β (t 1 ),..., val S,β (t r )) I(p) val S,β (φ ψ) = T iff val S,β (φ) = T and val S,β (ψ) = T... as in propositional logic val S,β ( τ x; φ) = T iff val S,β d x (φ) = T for all d D τ Ina Schaefer FSE 28

Semantic Evaluation of Formulas Definition (Valuation of Formulas) val S,β (φ) for φ For val S,β (p(t 1,..., t r )) = T iff (val S,β (t 1 ),..., val S,β (t r )) I(p) val S,β (φ ψ) = T iff val S,β (φ) = T and val S,β (ψ) = T... as in propositional logic val S,β ( τ x; φ) = T iff val S,β d x (φ) = T for all d D τ val S,β ( τ x; φ) = T iff val S,β d x (φ) = T for at least one d D τ Ina Schaefer FSE 29

Semantic Evaluation of Formulas Cont d Example Signature: int j; int f(int); Object obj; <(int,int); D = {17, 2, o} I(j) = 17 I(obj) = o D int I(f ) 2 2 17 2 D int D int in I(<)? (2, 2) F (2, 17) T (17, 2) F (17, 17) F val S,β (f (j) < j)? val S,β ( int x; f (x). = x)? val S,β ( Object o1; Object o2; o1. = o2)? Ina Schaefer FSE 30

Semantic Notions Definition (Satisfiability, Truth, Validity) val S,β (φ) = T (S, β satisfies φ) S = φ iff for all β : val S,β (φ) = T (φ is true in S) = φ iff for all S : S = φ (φ is valid) Closed formulas that are satisfiable are also true Ina Schaefer FSE 31

Semantic Notions Definition (Satisfiability, Truth, Validity) val S,β (φ) = T (S, β satisfies φ) S = φ iff for all β : val S,β (φ) = T (φ is true in S) = φ iff for all S : S = φ (φ is valid) Closed formulas that are satisfiable are also true Example f (j) < j is true in S. int x; i = x is valid int x; (x. = x) is not satisfiable Ina Schaefer FSE 32

Towards Dynamic Logic - Type Hierarchy First, we refine the type system of FOL: Definition (Type Hierarchy) T Σ is set of types Given subtype relation, with top element any τ any for all τ T Σ Ina Schaefer FSE 33

Towards Dynamic Logic - Type Hierarchy First, we refine the type system of FOL: Definition (Type Hierarchy) T Σ is set of types Given subtype relation, with top element any τ any for all τ T Σ Example (A Minimal Type Hierarchy) T = {any} All signature symbols have same type any. Example (Type Hierarchy for Java) (see next slide) Ina Schaefer FSE 34

Modelling Java in FOL: Fixing a Type Hierarchy Signature based on Java s type hierarchy any int boolean Object API, user-defined classes Null Each class in API and target program is a type, with appropriate subtyping. Ina Schaefer FSE 35

Modelling Attributes in FOL Modeling instance attributes int age int id Person int setage(int newage) int getid() domain of all Person objects: D Person Ina Schaefer FSE 36

Modelling Attributes in FOL Modeling instance attributes int age int id Person int setage(int newage) int getid() domain of all Person objects: D Person each o D Person has associated age value Ina Schaefer FSE 37

Modelling Attributes in FOL Modeling instance attributes int age int id Person int setage(int newage) int getid() domain of all Person objects: D Person each o D Person has associated age value I(age) is function from Person to int Ina Schaefer FSE 38

Modelling Attributes in FOL Modeling instance attributes int age int id Person int setage(int newage) int getid() domain of all Person objects: D Person each o D Person has associated age value I(age) is function from Person to int for each class C with attribute τ a: FSym declares function τ a(c); Ina Schaefer FSE 39

Modelling Attributes in FOL Modeling instance attributes int age int id Person int setage(int newage) int getid() Attribute Access domain of all Person objects: D Person each o D Person has associated age value I(age) is function from Person to int for each class C with attribute τ a: FSym declares function τ a(c); Signature FSym: int age(person); Person p; Java/JML expression p.age >= 0 Typed FOL age(p)>=0 KeY postfix notation for FOL p.age >= 0 Navigation expressions in KeY look exactly as in Java/JML Ina Schaefer FSE 40

Dynamic View Only static properties expressable in typed FOL, e.g., Values of attributes in a certain range Ina Schaefer FSE 41

Dynamic View Only static properties expressable in typed FOL, e.g., Values of attributes in a certain range Property (invariant) of a subclass implies property of a superclass Ina Schaefer FSE 42

Dynamic View Only static properties expressable in typed FOL, e.g., Values of attributes in a certain range Property (invariant) of a subclass implies property of a superclass... Ina Schaefer FSE 43

Dynamic View Only static properties expressable in typed FOL, e.g., Values of attributes in a certain range Property (invariant) of a subclass implies property of a superclass... Considers only one state at a time. Ina Schaefer FSE 44

Dynamic View Only static properties expressable in typed FOL, e.g., Values of attributes in a certain range Property (invariant) of a subclass implies property of a superclass... Considers only one state at a time. Goal: Express functional properties of a program, e.g. If method setage is called on an object o of type Person and the method argument newage is positive then afterwards attribute age has same value as newage. Ina Schaefer FSE 45

Observation Need a logic that allows us to relate different program states, i.e., before and after execution, within a formula Ina Schaefer FSE 46

Observation Need a logic that allows us to relate different program states, i.e., before and after execution, within a formula program variables/attributes represented by constant/function symbols that depend on program state Ina Schaefer FSE 47

Observation Need a logic that allows us to relate different program states, i.e., before and after execution, within a formula program variables/attributes represented by constant/function symbols that depend on program state Dynamic Logic meets the above requirements. Ina Schaefer FSE 48

Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p Ina Schaefer FSE 49

Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) Ina Schaefer FSE 50

Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) +... (later) Ina Schaefer FSE 51

Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) +... (later) An Example i > 5 [i = i + 10;]i > 15 Meaning? Ina Schaefer FSE 52

Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) +... (later) An Example Meaning? i > 5 [i = i + 10;]i > 15 If program variable i is greater than 5, then after executing i = i + 10;, i is greater than 15. Ina Schaefer FSE 53

Type Hierarchy Dynamic Logic = Typed FOL +... Ina Schaefer FSE 54

Type Hierarchy Dynamic Logic = Typed FOL +... Type hierarchy T Σ = {int, boolean, any} with int, boolean incomparable, both are subtypes of any Ina Schaefer FSE 55

Type Hierarchy Dynamic Logic = Typed FOL +... Type hierarchy T Σ = {int, boolean, any} with int, boolean incomparable, both are subtypes of any int and boolean are the only types for today. Classes, interfaces etc. in tomorrows lecture. Ina Schaefer FSE 56

Program Variables Dynamic Logic = Typed FOL +... i > 5 [i = i + 10;]i > 15 Program variable i refers to different values before and after execution of a program. Program variables like i are state-dependent constant symbols. Value of state dependent symbols changeable by program. Ina Schaefer FSE 57

Program Variables Dynamic Logic = Typed FOL +... i > 5 [i = i + 10;]i > 15 Program variable i refers to different values before and after execution of a program. Program variables like i are state-dependent constant symbols. Value of state dependent symbols changeable by program. Three words one meaning: state-dependent, non-rigid, flexible Ina Schaefer FSE 58

Rigid versus Flexible Symbols Signature of program logic defined as in FOL, but: In addition there are program variables, attributes (tomorrow!), etc. Rigid versus Flexible Rigid symbols, same interpretation in all program states First-order variables (aka logical variables) Built-in functions and predicates such as 0,1,...,+,*,...,<,... Non-rigid (or flexible) symbols, interpretation depends on state Capture side effects on state during program execution Functions modeling program variables and attributes are flexible Any term containing at least one flexible symbol is also flexible Ina Schaefer FSE 59

Signature of Dynamic Logic Definition (Dynamic Logic Signature) Σ = (PSym r, FSym r, FSym nr, α), FSym r FSym nr = Rigid Predicate Symbols PSym = {>, >=,...} Rigid Function Symbols FSym r = {+,,, 0, 1,...} Non-rigid Function Symbols FSym nr = {i, j, k,...} Standard typing: boolean TRUE; <(int,int);, etc. Non-rigid constant/function symbols FSym nr used to model program variables (constants) and attributes (unary non-rigid functions) Ina Schaefer FSE 60

Dynamic Logic - KeY input file \sorts { // only additional sorts (int, boolean, any predefined) } \functions { // only additional rigid functions // (arithmetic functions like +,- etc. predefined) } \predicates { /* same as for functions */ } Empty sections can be left out. Ina Schaefer FSE 61

Dynamic Logic - KeY input file \sorts { // only additional sorts (int, boolean, any predefined) } \functions { // only additional rigid functions // (arithmetic functions like +,- etc. predefined) } \predicates { /* same as for functions */ } \programvariables { // non-rigid functions int i, j; boolean b; } Empty sections can be left out. Ina Schaefer FSE 62

Variables Definition (First-Order/Logical Variables) Typed logical variables (rigid), declared locally in quantifiers as T x; Program Variables Non-rigid constants int i; boolean p; used as program variables Ina Schaefer FSE 63

Terms First-order terms defined as in FOL First-order terms may contain rigid and non-rigid symbols Example Signature for FSym nr : int j; boolean p Quantified variables: int x; boolean b; j and j + x are flexible terms of type int p is a flexible term of type boolean x + x is a rigid term of type int j + b and j + p are not well-typed Ina Schaefer FSE 64

Dynamic Logic Programs Dynamic Logic = Typed FOL + programs... Programs here: any legal sequence of Java statements. Ina Schaefer FSE 65

Dynamic Logic Programs Dynamic Logic = Typed FOL + programs... Programs here: any legal sequence of Java statements. Example Signature for FSym nr : int r; int i; int n; Signature for FSym r : int 0; int +(int,int); int -(int,int); Signature for PSym r : <(int,int); i =0; r =0; while (i<n) { i=i +1; r=r+i; } r=r+r-n; Ina Schaefer FSE 66

Dynamic Logic Programs Dynamic Logic = Typed FOL + programs... Programs here: any legal sequence of Java statements. Example Signature for FSym nr : int r; int i; int n; Signature for FSym r : int 0; int +(int,int); int -(int,int); Signature for PSym r : <(int,int); i =0; r =0; while (i<n) { i=i +1; r=r+i; } r=r+r-n; Which value does the program compute in r? Ina Schaefer FSE 67

Relating Program States: Modalities DL extends FOL with two additional (mix-fix) operators: p φ (diamond) [p]φ (box) with p a program, φ another DL formula Ina Schaefer FSE 68

Relating Program States: Modalities DL extends FOL with two additional (mix-fix) operators: p φ (diamond) [p]φ (box) with p a program, φ another DL formula Intuitive Meaning p φ: p terminates and formula φ holds in final state (total correctness) Ina Schaefer FSE 69

Relating Program States: Modalities DL extends FOL with two additional (mix-fix) operators: p φ (diamond) [p]φ (box) with p a program, φ another DL formula Intuitive Meaning p φ: p terminates and formula φ holds in final state (total correctness) [p]φ: If p terminates then formula φ holds in final state (partial correctness) Ina Schaefer FSE 70

Relating Program States: Modalities DL extends FOL with two additional (mix-fix) operators: p φ (diamond) [p]φ (box) with p a program, φ another DL formula Intuitive Meaning p φ: p terminates and formula φ holds in final state (total correctness) [p]φ: If p terminates then formula φ holds in final state (partial correctness) Attention: Java programs are deterministic, i.e., if a Java program terminates then exactly one state is reached from a given initial state. Ina Schaefer FSE 71

Dynamic Logic - Examples Let i, j, old_i, old_j denote program variables. Give the meaning in natural language: 1. i. = old i i = i + 1; i > old i Ina Schaefer FSE 72

Dynamic Logic - Examples Let i, j, old_i, old_j denote program variables. Give the meaning in natural language: 1. i. = old i i = i + 1; i > old i If i = i + 1; is executed in a state where i and old_i have the same value, then the program terminates and in its final state the value of i is greater than the value of old_i. Ina Schaefer FSE 73

Dynamic Logic - Examples Let i, j, old_i, old_j denote program variables. Give the meaning in natural language: 1. i. = old i i = i + 1; i > old i If i = i + 1; is executed in a state where i and old_i have the same value, then the program terminates and in its final state the value of i is greater than the value of old_i. 2. i. = old i [while(true){i = old i - 1;}]i > old i Ina Schaefer FSE 74

Dynamic Logic - Examples Let i, j, old_i, old_j denote program variables. Give the meaning in natural language: 1. i. = old i i = i + 1; i > old i If i = i + 1; is executed in a state where i and old_i have the same value, then the program terminates and in its final state the value of i is greater than the value of old_i. 2. i. = old i [while(true){i = old i - 1;}]i > old i If the program is executed in a state where i and old_i have the same value and if the program terminates then in its final state the value of i is greater than the value of old_i. Ina Schaefer FSE 75

Dynamic Logic - Examples Let i, j, old_i, old_j denote program variables. Give the meaning in natural language: 1. i. = old i i = i + 1; i > old i If i = i + 1; is executed in a state where i and old_i have the same value, then the program terminates and in its final state the value of i is greater than the value of old_i. 2. i. = old i [while(true){i = old i - 1;}]i > old i If the program is executed in a state where i and old_i have the same value and if the program terminates then in its final state the value of i is greater than the value of old_i. 3. x. ( p i. = x q i. = x ) Ina Schaefer FSE 76

Dynamic Logic - Examples Let i, j, old_i, old_j denote program variables. Give the meaning in natural language: 1. i. = old i i = i + 1; i > old i If i = i + 1; is executed in a state where i and old_i have the same value, then the program terminates and in its final state the value of i is greater than the value of old_i. 2. i. = old i [while(true){i = old i - 1;}]i > old i If the program is executed in a state where i and old_i have the same value and if the program terminates then in its final state the value of i is greater than the value of old_i. 3. x. ( p i. = x q i. = x ) p and q are equivalent concerning termination and the final value of i. Ina Schaefer FSE 77

Dynamic Logic - KeY input file KeY // Declares global program variables int i, j; int old_i, old_j; \programvariables { } KeY Ina Schaefer FSE 78

Dynamic Logic - KeY input file KeY // Declares global program variables int i, j; int old_i, old_j; \programvariables { } \problem { } // The problem to verify is stated here. i = old_i -> \<{ i = i + 1; }\> i > old_i KeY Ina Schaefer FSE 79

Dynamic Logic - KeY input file KeY // Declares global program variables int i, j; int old_i, old_j; \programvariables { } \problem { } // The problem to verify is stated here. i = old_i -> \<{ i = i + 1; }\> i > old_i Visibility: Program variables declared global can be accessed anywhere in the formula. KeY inside modality like pre int j; p post only visible in p and post and only if declaration on top level. Ina Schaefer FSE 80

Dynamic Logic Formulas Definition (Dynamic Logic Formulas (DL Formulas)) Each FOL formula is a DL formula { } p φ If p is a program and φ a DL formula then is a DL formula [p]φ DL formulas closed under FOL quantifiers and connectives Ina Schaefer FSE 81

Dynamic Logic Formulas Definition (Dynamic Logic Formulas (DL Formulas)) Each FOL formula is a DL formula { } p φ If p is a program and φ a DL formula then is a DL formula [p]φ DL formulas closed under FOL quantifiers and connectives Program variables are flexible constants: never bound in quantifiers Program variables need not be declared or initialized in program Programs contain no logical variables Modalities can be arbitrarily nested Ina Schaefer FSE 82

Dynamic Logic Formulas Cont d Example (Well-formed? If yes, under which signature?) int y; (( x = 1; x. = y) ( x = 1*1; x. = y)) Ina Schaefer FSE 83

Dynamic Logic Formulas Cont d Example (Well-formed? If yes, under which signature?) int y; (( x = 1; x. = y) ( x = 1*1; x. = y)) Well-formed if FSym nr contains int x; Ina Schaefer FSE 84

Dynamic Logic Formulas Cont d Example (Well-formed? If yes, under which signature?) int y; (( x = 1; x =. y) ( x = 1*1; x =. y)) Well-formed if FSym nr contains int x; int x; [x = 1;](x =. 1) Ina Schaefer FSE 85

Dynamic Logic Formulas Cont d Example (Well-formed? If yes, under which signature?) int y; (( x = 1; x =. y) ( x = 1*1; x =. y)) Well-formed if FSym nr contains int x; int x; [x = 1;](x =. 1) Not well-formed, because logical variable occurs in program Ina Schaefer FSE 86

Dynamic Logic Formulas Cont d Example (Well-formed? If yes, under which signature?) int y; (( x = 1; x =. y) ( x = 1*1; x =. y)) Well-formed if FSym nr contains int x; int x; [x = 1;](x =. 1) Not well-formed, because logical variable occurs in program x = 1; ([while (true) {}]false) Ina Schaefer FSE 87

Dynamic Logic Formulas Cont d Example (Well-formed? If yes, under which signature?) int y; (( x = 1; x. = y) ( x = 1*1; x. = y)) Well-formed if FSym nr contains int x; int x; [x = 1;](x. = 1) Not well-formed, because logical variable occurs in program x = 1; ([while (true) {}]false) Well-formed if FSym nr contains int x; program formulas can be nested Ina Schaefer FSE 88

Dynamic Logic Semantics: States First-order state can be considered as program state Interpretation of non-rigid symbols can vary from state to state (eg, program variables, attribute values) Interpretation of rigid symbols is the same in all states (eg, built-in functions and predicates) Program states as first-order states From now, consider program state s as first-order state (D, δ, I) Only interpretation I of non-rigid symbols in FSym nr can change only record values of f FSym nr Set of all states s is States Ina Schaefer FSE 89

Kripke Structure Definition (Kripke Structure) Kripke structure or Labelled transition system K = (States, ρ) State (=first-order model) s = (D, δ, I) States Transition relation ρ : Program (States States) ρ(p)(s1) = s2 iff. program p executed in state s1 terminates and its final state is s2, otherwise undefined. ρ is the semantics of programs Program ρ(p)(s) can be undefined ( ): p may not terminate when started in s Our programs are deterministic (unlike Promela): ρ(p) is a function (at most one value) Ina Schaefer FSE 90

Semantic Evaluation of Program Formulas Definition (Validity Relation for Program Formulas) s = p φ iff ρ(p)(s) is defined and ρ(p)(s) = φ (p terminates and φ is true in the final state after execution) Ina Schaefer FSE 91

Semantic Evaluation of Program Formulas Definition (Validity Relation for Program Formulas) s = p φ iff ρ(p)(s) is defined and ρ(p)(s) = φ (p terminates and φ is true in the final state after execution) s = [p]φ iff ρ(p)(s) = φ whenever ρ(p)(s) is defined (If p terminates then φ is true in the final state after execution) Ina Schaefer FSE 92

Semantic Evaluation of Program Formulas Definition (Validity Relation for Program Formulas) s = p φ iff ρ(p)(s) is defined and ρ(p)(s) = φ (p terminates and φ is true in the final state after execution) s = [p]φ iff ρ(p)(s) = φ whenever ρ(p)(s) is defined (If p terminates then φ is true in the final state after execution) Duality: p φ iff [p] φ Exercise: justify this with help of semantic definitions Implication: if p φ then [p]φ Total correctness implies partial correctness converse is false holds only for deterministic programs Ina Schaefer FSE 93

More Examples valid? meaning? Example τ y; (( p x. = y) ( q x. = y)) Ina Schaefer FSE 94

More Examples valid? meaning? Example τ y; (( p x =. y) ( q x =. y)) Not valid in general Programs p behave q equivalently on variable τ x Ina Schaefer FSE 95

More Examples valid? meaning? Example τ y; (( p x =. y) ( q x =. y)) Not valid in general Programs p behave q equivalently on variable τ x Example τ y; (x. = y p true) Ina Schaefer FSE 96

More Examples valid? meaning? Example τ y; (( p x =. y) ( q x =. y)) Not valid in general Programs p behave q equivalently on variable τ x Example τ y; (x =. y p true) Not valid in general Program p terminates if only initial value of x is suitably chosen Ina Schaefer FSE 97

Semantics of Programs In labelled transition system K = (States, ρ): ρ : Program (States States) is semantics of programs p Program ρ defined recursively on programs Ina Schaefer FSE 98

Semantics of Programs In labelled transition system K = (States, ρ): ρ : Program (States States) is semantics of programs p Program ρ defined recursively on programs Example (Semantics of assignment) States s interpret non-rigid symbols f with I s (f ) ρ(x=t;)(s) = s where s identical to s except I s (x) = val s (t) Very tedious task to define ρ for Java... go directly to calculus for program formulas! Next Lecture! Ina Schaefer FSE 99

Literature for this Lecture Essential KeY Book Verification of Object-Oriented Software (see course web page), Chapter 10: Using KeY KeY Book Verification of Object-Oriented Software (see course web page), Chapter 3: Dynamic Logic (Sections 3.1, 3.2, 3.4, 3.5, 3.6.1, 3.6.3, 3.6.4) Ina Schaefer FSE 100

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback