Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Similar documents
An Annotated Language

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Lecture 5 - Axiomatic semantics

Chapter 3. Describing Syntax and Semantics ISBN

A CRASH COURSE IN SEMANTICS

Programming Languages Third Edition

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

A Partial Correctness Proof for Programs with Decided Specifications

Hoare Logic: Proving Programs Correct

CITS5501 Software Testing and Quality Assurance Formal methods

Chapter 3 (part 3) Describing Syntax and Semantics

Checking Program Properties with ESC/Java

Introduction to Axiomatic Semantics

Lecture 11 Lecture 11 Nov 5, 2014

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

FreePascal changes: user documentation

COMP 507: Computer-Aided Program Design

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

Basic Verification Strategy

Secure Information Flow by Self-Composition

Verification Condition Generation

Proof Carrying Code(PCC)

Formal Methods. CITS5501 Software Testing and Quality Assurance

Formal Semantics of Programming Languages

Program Verification. Program Verification 307/434

Formal Semantics of Programming Languages

Lectures 20, 21: Axiomatic Semantics

Adam Chlipala University of California, Berkeley ICFP 2006

Proving Properties on Programs From the Coq Tutorial at ITP 2015

CIS 890: Safety Critical Systems

Chapter 3. Describing Syntax and Semantics

CS2104 Prog. Lang. Concepts

Arguing for program correctness and writing correct programs

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Formal Verification. Lecture 10

Chapter 3. Describing Syntax and Semantics ISBN

6. Hoare Logic and Weakest Preconditions

Chapter 3. Describing Syntax and Semantics

Verifying Java Programs Verifying Java Programs with KeY

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Verifying Java Programs Verifying Java Programs with KeY

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Lecture Notes: Hoare Logic

Program Verification. Aarti Gupta

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

Abstract Interpretation

Runtime Checking and Test Case Generation for Python

Spark verification features

A Hoare Logic Contract Theory: An Exercise in Denotational Semantics

Static program checking and verification

CS558 Programming Languages

Assignment #4: Lambda Calculus & Semi-automatic Program Verification. You are allowed to work on this assignment in pairs. Hand in Requirements:

Induction and Semantics in Dafny

Software Quality Assurance

Program Verification (Rosen, Sections 5.5)

Transforming Programs into Recursive Functions

Verifying Java Programs with KeY

Shared Variables and Interference

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

UNIT 3

Chapter 3. Syntax - the form or structure of the expressions, statements, and program units

CIS 500 Software Foundations. Final Exam. May 3, Answer key

Verification Condition Generation via Theorem Proving

The Prototype Verification System PVS

Programming Languages

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

Testing, Debugging, and Verification

Reasoning About Imperative Programs. COS 441 Slides 10

Algorithmic Verification of Procedural Programs in the Presence of Code Variability

Lecture 10 Design by Contract

Axiomatic Specification. Al-Said, Apcar, Jerejian

Assertions, pre/postconditions

n Specifying what each method does q Specify it in a comment before method's header n Precondition q Caller obligation n Postcondition

Formal Systems II: Applications

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Shared Variables and Interference

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Lambda Calculus. Type Systems, Lectures 3. Jevgeni Kabanov Tartu,

Formal Specification: Z Notation. CITS5501 Software Testing and Quality Assurance

Runtime Checking for Program Verification Systems

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2011!

Scheme Tutorial. Introduction. The Structure of Scheme Programs. Syntax

Typed Lambda Calculus. Chapter 9 Benjamin Pierce Types and Programming Languages

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Computation Club: Gödel s theorem

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Proofs about Programs

Chapter 1. Introduction

Combining Static and Dynamic Contract Checking for Curry

Program Verification (6EC version only)

Denotational Semantics. Domain Theory

Principles of Programming Languages

Chapter 3: Syntax and Semantics. Syntax and Semantics. Syntax Definitions. Matt Evett Dept. Computer Science Eastern Michigan University 1999

Symbolic Execution and Proof of Properties

More Untyped Lambda Calculus & Simply Typed Lambda Calculus

Advances in Programming Languages

Software Security: Vulnerability Analysis

Transcription:

Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare logic, VCG VeriFast 2 Specification and Verification Program specification states program correctness, formally relates properties of states before och after the execution Program verification proves program correctness, formally relative to a specification Why specify programs? Good for documentation: capture unambiguously what the program should do (and not how) Programs annotated with specs can be fed into static checkers However, specifications: require expertise and time can get large and difficult to handle 3 4 Why verify programs? Testing can only find errors, but cannot prove their absense However, verification is expensive: requires formal specs requires expertise and time faces decidability and complexity issues Therefore: use light-weight tools for critical parts Code Verification Code verification the code itself is the model! i.e., no abstraction but must still be based on a formal description of execution: a formal semantics of the programming language 5 6 1

Semantics of Programming Languages Semantics a formal definition of how programs execute can be given in various ways see course DD2457 Semantics of Programming Languages Natural semantics relates states before and after the execution is defined inductively on the program structure here: informal understanding 7 8 A Core Programming Language A simple program: z = 0; while (z!= x) { z = z + 1; y = y * z; Formal Syntax Arithmetic expressions E ::= n x (E + E) (E E) (E E) Boolean expressions B ::= true false (E < E) (!B) (B & B) (B B) Commands C ::= x= E C ; C if B {C else {C while B {C 9 10 States and Configurations State (in this context) captures the values of the variables in the program formally, a mapping Var Int Configuration describes where we are in the execution consists of a control point and a state State Properties State properties can be expressed as logic formulas in predicate calculus (over program variables) are called assertions t.ex. x > y eller z (x = 2 z) We associate assertions with control points in the program could be seen as control point properties 11 12 2

Program Specification Can be accomplished with two assertions: precondition postcondition Formal notation: Hoare tripples P read (roughly): if execution of program P starts in a state where precondition holds, then the execution ends in a state where postcondition holds Specification The factorial program Fac1 z = 0; while (z!= x) { z = z + 1; y = y * z; can be specified with the Hoare tripple x 0 Fac1 y = x! 13 14 Partial Correctness = par P holds if: Total Correctness = tot P holds if: if the execution of P starts in a state where precondition holds, and the execution terminates, then postcondition holds in the final state if the execution of P starts in a state where precondition holds, then the execution terminates, and postcondition holds in the final state 15 16 When does = par true P false hold? When does = tot true P false hold? when execution of P does not terminate, regardless of the start state never! 17 18 3

Logic Variables Can the factorial program Fac2 while (x!= 0) { y = y * x; x = x - 1; be specified with the Hoare tripple x 0 Fac2 y = x! Logic Variables We need additional variables, socalled logic variables, to capture how the final values of the variables relate to the initial values These variables are considered universally quantified in a Hoare tripple 19 20 Logic Variables The factorial program Fac2 while (x!= 0) { y = y * x; x = x - 1; can be specified with the Hoare tripple x 0 x = x 0 Fac2 y = x 0! Program Specification It should be clear from the specification how the program can be used - without knowing the code itself! x 0 x = x 0 Fac2 y = x 0! x 0 then the program terminates x = x 0 binds the start value of x y = x 0! relates the final value of y to the initial value of x 21 Hoare Logic Consists of a set of rules for reasoning over Hoare tripples to verify programs (partial correctness) Proofs in the form of proof trees or so-called tableaux reduce the validity of Hoare tripples to the validity of predicate logic formulas over arithmetic Rule [E/x] x = E propagates the postcondition backwards 23 24 4

Implied Rules Proof C C C C x> 0 x + 1 > 0 x + 1> 0 x = x + 1 x > 0 x > 0 x = x + 1 x > 0 One proof obligation: x> 0 x + 1 > 0 to be proved in an external proof system 25 26 Sequential Composition Rule C 1 C 2 C 1 ; C 2 introduce an intermediate assertion in the control point preceding C 2 What does this program do z = x; x = y; y = z; and how can this be specified? 27 28 Program Swap z = x; x = y; y = z; can be specified with x = x 0 y = y 0 Swap x = y 0 y = x 0 The Proof Tree Too big to be shown here show on whiteboard instead 29 30 5

Proof Tableaux The Proof in Tableau Form Alternative presentation: as tableau correctness proofs can be presented as commented (or annotated) programs, where the comments are assertions associated with control points x = x 0 y = y 0 y = y 0 x = x 0 z = x; y = y 0 z = x 0 x = y; x = y 0 z = x 0 y = z; x = y 0 y = x 0 31 32 Tableaux A tableau is an annotated program An operational interpretation: if execution begins in a state where the first annotation (precondition) holds, then every time the execution reaches a control point, all assertions associated with this control point hold 33 Proofs in Tableau Form A proof in tableau form is a program annotated with at least one assertion at every control point, where the annotations match the rules (patterns) The proof process can be seen as completion of the initial annotation inwards Assertions associated with the same control point give rise to proof obligations 34 If Rule B C 1 B C 2 if B {C 1 else {C 2 What does the program if (x > 0) { y = x; else { y = -x; and how can this be specified? 35 36 6

Proof Tableau Program Abs if (x > 0) { y = x; else { y = -x; can be specified with x = x 0 Abs y = x 0 x = x 0 if (x > 0) { x = x 0 x > 0 x = x 0 y = x; y = x 0 else { x = x 0 (x > 0) -x = x 0 y = -x; y = x 0 y = x 0 If If Postcondition 37 38 Rule B C while B {C B Proof x < 0 while (x!=0) {x = x - 1; false Proof true while (x!=0) {x = x - 1; x = 0 loop invariant 39 40 Loop Invariants A loop invariant to while B {C is an assertion for which = par B C holds Big choice, e.g.: false and true Loop Invariants To the Hoare tripple while B {C we need a loop invariant such that: and B ( B) 41 42 7

Loop Invariants A whole assertion interval to choose from: B Two immediate candidates: B in case they are loop invariants! Find suitable loop invariants for: x < 0 while (x!=0) {x = x - 1; false true while (x!=0) {x = x - 1; x = 0 One answer: the preconditions! 43 44 Proof Tableau 1 Proof Tableau 2 x < 0 while (x!=0) { x < 0 x 0 x -1< 0 x = x - 1; x < 0 x < 0 (x 0) false true while (x!=0) { true x 0 true x = x - 1; true true (x 0) x = 0 45 46 Proof Tableau Verify the factorial program Fac1 z = 0; while (z!= x) { z = z + 1; y = y * z; specified with the Hoare tripple x 0 x = x 0 Fac1 y = x 0! x 0 x = x 0 1 = 0! x = x 0 0 0 y = 0! x = x 0 0 0 z = 0; y = z! x = x 0 z 0 while (z!= x) { y = z! x = x 0 z 0 z x y (z + 1) = (z + 1)! x = x 0 z+1 0 z = z + 1; y z = z! x = x 0 z 0 y = y * z; y = z! x = x 0 z 0 y = z! x = x 0 z 0 (z x) y = x 0! 47 48 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback