Hoare Logic: Proving Programs Correct

Similar documents
Review: Hoare Logic Rules

Lecture Notes: Hoare Logic

COMP 507: Computer-Aided Program Design

Checking Program Properties with ESC/Java

Backward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops

An Annotated Language

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Lecture 5 - Axiomatic semantics

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Formal Systems II: Applications

Forward Assignment; Strongest Postconditions

Proving Programs Correct

Arguing for program correctness and writing correct programs

Formal Methods. CITS5501 Software Testing and Quality Assurance

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Introduction to Axiomatic Semantics

Chapter 3. Describing Syntax and Semantics ISBN

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Abstract Interpretation

The Rule of Constancy(Derived Frame Rule)

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Analysis of Software Artifacts

6. Hoare Logic and Weakest Preconditions

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Lectures 20, 21: Axiomatic Semantics

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Program Verification (6EC version only)

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Program Static Analysis. Overview

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

CSE 307: Principles of Programming Languages

Hardware versus software

Spark verification features

Shared Variables and Interference

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

A CRASH COURSE IN SEMANTICS

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Recall our recursive multiply algorithm:

Shared Variables and Interference

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Introduction to Axiomatic Semantics (1/2)

Program Verification. Program Verification 307/434

Axiomatic Semantics. More Semantics. Review - Operational Semantics. Partial Correctness Assertions. Programs Theorems. Axiomatic Semantics

Introduction to Axiomatic Semantics (1/2)

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Chapter 3 (part 3) Describing Syntax and Semantics

Software Quality Assurance

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

CITS5501 Software Testing and Quality Assurance Formal methods

CS 161 Computer Security

Software Development. Modular Design and Algorithm Analysis

CORRECTNESS ISSUES AND LOOP INVARIANTS

Induction and Semantics in Dafny

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Verification Condition Generation

Handout 9: Imperative Programs and State

a correct statement? You need to know what the statement is supposed to do.

1 Introduction. 3 Syntax

Lecture 10 Design by Contract

CIS 890: Safety Critical Systems

Lecture 24: Loop Invariants

MSO Lecture Design by Contract"

Symbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

CS2104 Prog. Lang. Concepts

Assertions & Verification & Example Loop Invariants Example Exam Questions

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Specification and Verification I

15-122: Principles of Imperative Computation (Section G)

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

6.170 Lecture 6 Procedure specifications MIT EECS

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Assertions & Verification Example Exam Questions

Programming Languages

CMSC 330: Organization of Programming Languages. Operational Semantics

CSE 331 Software Design and Implementation. Lecture 3 Loop Reasoning

Formal Verification of MIX Programs

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Lecture 7: General Loops (Chapter 7)

SOME TYPICAL QUESTIONS, THEIR EXPECTED ANSWERS AND THINGS

Program Verification. Aarti Gupta

CMSC 330: Organization of Programming Languages

Complexity, Induction, and Recurrence Relations. CSE 373 Help Session 4/7/2016

Reasoning About Imperative Programs. COS 441 Slides 10

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Chapter 3. Describing Syntax and Semantics

Algorithms. Notations/pseudo-codes vs programs Algorithms for simple problems Analysis of algorithms

Semantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University

Lecture 18 Restoring Invariants

Exercises on Semantics of Programming Languages

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Assertions. Assertions - Example

Lecture Notes on Linear Search

Transcription:

Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Reading: C.A.R. Hoare, An Axiomatic Basis for Computer Programming Some presentation ideas from a lecture by K. Rustan M. Leino Proofs using WHILE Semantics (minor corrections from class to incorporate strengthened induction hypothesis) Theorem: ([y 1, x n], while x > 1 do y := y*x; x := x-1) * ([y n!, x 1], skip) Proof: By induction on n. Strengthened induction hypothesis: ([y m, x n], while x > 1 do y := y*x; x := x-1) * ([y m*n! *n!, x 1], skip) Base case (n=1): ([y m, x 1], while x > 1 do y := y*x; x := x-1) ([y m*1!, x 1], skip) Inductive case (assume induction hypothesis for n-1): ([y m, x n], while x > 1 do y := y*x; x := x-1) ([y m, x n], y := y*x; x := x-1; while x > 1 do y := y*x; x := x-1) ([y m*n, x n], x := x-1; while x > 1 do y := y*x; x := x-1) ([y m*n, x n-1], while x > 1 do y := y*x; x := x-1) ([y m*n*(n-1)!, x 1], skip) // using induction hypothesis ([y m*n!, x 1], skip) // arithmetic simplification 2 1

How would you argue that this program is correct? float sum(float *array, int length) { } float sum = 0.0; int i = 0; while (i < length) { } sum = sum + array[i]; i = i + 1; return sum; 3 Function Specifications Predicate: a boolean function over program state x=3 y > x (x 0) (y+z = w) s = Σ (i 1..n) a[i] i 1..n. a[i] > a[i-1] true 4 2

Function Specifications Contract between client and implementation Precondition: A predicate describing the condition the function relies on for correct operation Postcondition: A predicate describing the condition the function establishes after correctly running Correctness with respect to the specification If the client of a function fulfills the function s precondition, the function will execute to completion and when it terminates, the postcondition will be true What does the implementation have to fulfill if the client violates the precondition? A: Nothing. It can do anything at all. 5 Function Specifications /*@ requires len >= 0 && array.length = len @ @ ensures \result == @ (\sum int j; 0 <= j && j < len; array[j]) @*/ float sum(int array[], int len) { float sum = 0.0; int i = 0; while (i < length) { sum = sum + array[i]; i = i + 1; } return sum; } 6 3

Hoare Triples Formal reasoning about program correctness using pre- and postconditions Syntax: {P} S {Q} P and Q are predicates S is a program If we start in a state where P is true and execute S, S will terminate in a state where Q is true 7 Hoare Triple Examples { true } x := 5 { x=5 } { x = y } x := x + 3 { x = y + 3 } { x > 0 } x := x * 2 { x > -2 } { x=a } if (x < 0) then x := -x { x= a } { false } x := 3 { x = 8 } 8 4

Strongest Postconditions Here are a number of valid Hoare Triples: {x = 5} x := x * 2 { true } {x = 5} x := x * 2 { x > 0 } {x = 5} x := x * 2 { x = 10 x = 5 } {x = 5} x := x * 2 { x = 10 } All are true, but this one is the most useful x=10 is the strongest postcondition If {P} S {Q} and for all Q such that {P} S {Q }, Q Q, then Q is the strongest postcondition of S with respect to P check: x = 10 true check: x = 10 x > 0 check: x = 10 x = 10 x = 5 check: x = 10 x = 10 9 Weakest Preconditions Here are a number of valid Hoare Triples: {x = 5 && y = 10} z := x / y { z < 1 } {x < y && y > 0} z := x / y { z < 1 } {y 0 && x / y < 1} z := x / y { z < 1 } All are true, but this one is the most useful because it allows us to invoke the program in the most general condition y 0 && x / y < 1 is the weakest precondition If {P} S {Q} and for all P such that {P } S {Q}, P P, then P is the weakest precondition wp(s,q) of S with respect to Q 10 5

Hoare Triples and Weakest Preconditions {P} S {Q} holds if and only if P wp(s,q) In other words, a Hoare Triple is still valid if the precondition is stronger than necessary, but not if it is too weak Question: Could we state a similar theorem for a strongest postcondition function? e.g. {P} S {Q} holds if and only if sp(s,p) Q A: Yes, but it s harder to compute 11 Hoare Logic Rules Assignment { P } x := 3 { x+y > 0 } What is the weakest precondition P? What is most general value of y such that 3 + y > 0? y > -3 12 6

Hoare Logic Rules Assignment { P } x := 3 { x+y > 0 } What is the weakest precondition P? Assignment rule wp(x := E, P) = [E/x] P Resulting triple: { [E/x] P } x := E { P } [3 / x] (x + y > 0) = (3) + y > 0 = y > -3 13 Hoare Logic Rules Assignment { P } x := 3*y + z { x * y - z > 0 } What is the weakest precondition P? Assignment rule wp(x := E, P) = [E/x] P [3*y+z / x] (x * y z > 0) = (3*y+z) * y - z > 0 = 3*y 2 + z*y - z > 0 14 7

Correctness of Assignment Use language semantics to show soundness of rule General soundness condition for {P} S {Q} Specialization to assignment Hoare rule: { [a/x] P } x := a { P } Soundness condition: 15 Correctness Proof To show: Prove more general property: Use assignment evaluation rule: Substitute v for true: 16 8

Correctness Proof Proof by induction on structure of P case n: then v = n, and using big-step semantics we get case x: then v = v, and using big-step semantics we get case y x: then v = η(y), and using big-step semantics we get case a op a : We use the induction hypotheses to get And similar for a, so that using big-step semantics we get other cases are similar 17 Hoare Logic Rules Sequence { P } x := x + 1; y := x + y { y > 5 } What is the weakest precondition P? Sequence rule wp(s;t, Q) = wp(s, wp(t, Q)) wp(x:=x+1; y:=x+y, y>5) = wp(x:=x+1, wp(y:=x+y, y>5)) = wp(x:=x+1, x+y>5) = x+1+y>5 = x+y>4 18 9

Hoare Logic Rules Conditional { P } if x > 0 then y := z else y := -z { y > 5 } What is the weakest precondition P? Conditional rule wp(if B then S else T, Q) = B wp(s,q) && B wp(t,q) wp(if x>0 then y:=z else y:=-z, y>5) = x>0 wp(y:=z,y>5) && x 0 wp(y:=-z,y>5) = x>0 z > 5 && x 0 -z > 5 = x>0 z > 5 && x 0 z < -5 19 Hoare Logic Rules Loops { P } while (i < x) f=f*i; i := i + 1 { f = x! } What is the weakest precondition P? 20 10

Proving loops correct First consider partial correctness The loop may not terminate, but if it does, the postcondition will hold {P} while B do S {Q} Find an invariant Inv such that: P Inv The invariant is initially true { Inv && B } S {Inv} Each execution of the loop preserves the invariant (Inv && B) Q The invariant and the loop exit condition imply the postcondition Why do we need each condition? 21 Loop Example Prove array sum correct { N 0 } j := 0; s := 0; while (j < N) do j := j + 1; s := s + a[j]; end { s = (Σi 0 i<n a[i]) } 22 11

Loop Example Prove array sum correct { N 0 } j := 0; s := 0; { 0 j N && s = (Σi 0 i<j a[i]) } while (j < N) do {0 j N && s = (Σi 0 i<j a[i]) && j < N} j := j + 1; s := s + a[j]; {0 j N && s = (Σi 0 i<j a[i]) } end { s = (Σi 0 i<n a[i]) } 23 Proof Obligations Invariant is initially true { N 0 } j := 0; s := 0; { 0 j N && s = (Σi 0 i<j a[i]) } Invariant is maintained {0 j N && s = (Σi 0 i<j a[i]) && j < N} j := j + 1; s := s + a[j]; {0 j N && s = (Σi 0 i<j a[i]) } Invariant and exit condition implies postcondition 0 j N && s = (Σi 0 i<j a[i]) && j N s = (Σi 0 i<n a[i]) 24 12

Proof Obligations Invariant is initially true { N 0 } { 0 0 N && 0 = (Σi 0 i<0 a[i]) } // by assignment rule j := 0; { 0 j N && 0 = (Σi 0 i<j a[i]) } // by assignment rule s := 0; { 0 j N && s = (Σi 0 i<j a[i]) } Need to show that: (N 0) (0 0 N && 0 = (Σi 0 i<0 a[i])) = (N 0) (0 N && 0 = 0) // 0 0 is true, empty sum is 0 = (N 0) (0 N) // 0=0 is true, P && true is P = true 25 Proof Obligations Invariant is maintained {0 j N && s = (Σi 0 i<j a[i]) && j < N} {0 j +1 N && s+a[j+1] = (Σi 0 i<j+1 a[i]) } // by assignment rule j := j + 1; {0 j N && s+a[j] = (Σi 0 i<j+1 a[i]) } // by assignment rule s := s + a[j]; {0 j N && s = (Σi 0 i<j a[i]) } Need to show that: (0 j N && s = (Σi 0 i<j a[i]) && j < N) (0 j +1 N && s+a[j+1] = (Σi 0 i<j+1 a[i])) = (0 j < N && s = (Σi 0 i<j a[i])) (-1 j < N && s+a[j+1] = (Σi 0 i<j+1 a[i])) // simplify bounds of j = (0 j < N && s = (Σi 0 i<j a[i])) (-1 j < N && s+a[j+1] = (Σi 0 i<j a[i]) + a[j] ) // separate last element // we have a problem we need a[j+1] and a[j] to cancel out 26 13

Where s the error? Prove array sum correct { N 0 } j := 0; s := 0; while (j < N) do j := j + 1; s := s + a[j]; Need to add element before incrementing j end { s = (Σi 0 i<n a[i]) } 27 Corrected Code Prove array sum correct { N 0 } j := 0; s := 0; while (j < N) do s := s + a[j]; j := j + 1; end { s = (Σi 0 i<n a[i]) } 28 14

Proof Obligations Invariant is maintained {0 j N && s = (Σi 0 i<j a[i]) && j < N} {0 j +1 N && s+a[j] = (Σi 0 i<j+1 a[i]) } // by assignment rule s := s + a[j]; {0 j +1 N && s = (Σi 0 i<j+1 a[i]) } // by assignment rule j := j + 1; {0 j N && s = (Σi 0 i<j a[i]) } Need to show that: (0 j N && s = (Σi 0 i<j a[i]) && j < N) (0 j +1 N && s+a[j] = (Σi 0 i<j+1 a[i])) = (0 j < N && s = (Σi 0 i<j a[i])) (-1 j < N && s+a[j] = (Σi 0 i<j+1 a[i])) // simplify bounds of j = (0 j < N && s = (Σi 0 i<j a[i])) (-1 j < N && s+a[j] = (Σi 0 i<j a[i]) + a[j] ) // separate last part of sum = (0 j < N && s = (Σi 0 i<j a[i])) (-1 j < N && s = (Σi 0 i<j a[i])) // subtract a[j] from both sides = true // 0 j -1 j 29 Proof Obligations Invariant and exit condition implies postcondition 0 j N && s = (Σi 0 i<j a[i]) && j N s = (Σi 0 i<n a[i]) = 0 j && j = N && s = (Σi 0 i<j a[i]) s = (Σi 0 i<n a[i]) // because (j N && j N) = (j = N) = 0 N && s = (Σi 0 i<n a[i]) s = (Σi 0 i<n a[i]) // by substituting N for j, since j = N = true // because P && Q Q 30 15

Invariant Intuition For code without loops, we are simulating execution directly We prove one Hoare Triple for each statement, and each statement is executed once For code with loops, we are doing one proof of correctness for multiple loop iterations Don t know how many iterations there will be Need our proof to cover all of them The invariant expresses a general condition that is true for every execution, but is still strong enough to give us the postcondition we need This tension between generality and precision can make coming up with loop invariants hard 31 Total Correctness for Loops {P} while B do S {Q} Partial correctness: Find an invariant Inv such that: P Inv The invariant is initially true { Inv && B } S {Inv} Each execution of the loop preserves the invariant (Inv && B) Q The invariant and the loop exit condition imply the postcondition Total correctness Loop will terminate How to show this? 32 16

Total Correctness for Loops {P} while B do S {Q} Partial correctness: Find an invariant Inv such that: P Inv The invariant is initially true { Inv && B } S {Inv} Each execution of the loop preserves the invariant (Inv && B) Q The invariant and the loop exit condition imply the postcondition Termination bound Find a variant function v such that: (Inv && B) v > 0 The variant function evaluates to a finite integer value greater than zero at the beginning of the loop { Inv && B && v=v } S {v < V} The value of the variant function decreases each time the loop body executes (here V is a constant) 33 Total Correctness Example while (j < N) do end {0 j N && s = (Σi 0 i<j a[i]) && j < N} s := s + a[j]; j := j + 1; {0 j N && s = (Σi 0 i<j a[i]) } Variant function for this loop? N-j 34 17

Guessing Variant Functions Loops with an index N ± i Applies if you always add or always subtract a constant, and if you exit the loop when the index reaches some constant Use N-i if you are incrementing i, N+i if you are decrementing i Set N such that N ± i 0 at loop exit Other loops Find an expression that is an upper bound on the number of iterations left in the loop 35 Additional Proof Obligations Variant function for this loop: N-j To show: variant function initially positive (0 j N && s = (Σi 0 i<j a[i]) && j < N) N-j > 0 To show: variant function is decreasing {0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V} s := s + a[j]; j := j + 1; {N-j < V} 36 18

Additional Proof Obligations To show: variant function initially positive (0 j N && s = (Σi 0 i<j a[i]) && j < N) N-j > 0 = (0 j N && s = (Σi 0 i<j a[i]) && j < N) N > j // added j to both sides = true // (N > j) = (j < N), P && Q P 37 Additional Proof Obligations To show: variant function is decreasing {0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V} {N-(j+1) < V} // by assignment s := s + a[j]; {N-(j+1) < V} // by assignment j := j + 1; {N-j < V} Need to show: (0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V) (N-(j+1) < V) Assume 0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V By weakening we have N-j = V Therefore N-j-1 < V But this is equivalent to N-(j+1) < V, so we are done. 38 19

Factorial { N 1 } k := 1 f := 1 while (k < N) do f := f * k k := k + 1 end { f = N! } Loop invariant? Variant function? 39 Factorial { N 1 } k := 1 f := 1 while (k < N) do k := k + 1 f := f * k end { f = N! } Loop invariant? f = k! && 0 k N Variant function? N-k Need to increment k before multiplying 40 20

Factorial { N 1 } { 1 = 1! && 0 1 N } k := 1 { 1 = k! && 0 k N } f := 1 { f = k! && 0 k N } while (k < N) do { f = k! && 0 k N && k < N && N-k = V} { f*(k+1) = (k+1)! && 0 k+1 N && N-(k+1) < V} k := k + 1 { f*k = k! && 0 k N && N-k < V} f := f * k { f = k! && 0 k N && N-k < V} end { f = k! && 0 k N && k N} { f = N! } 41 Factorial Obligations (1) (N 1) (1 = 1! && 0 1 N) = (N 1) (1 N) // because 1 = 1! and 0 1 = true // because (N 1) = (1 N) 42 21

Factorial Obligations (2) (f = k! && 0 k N && k < N && N-k = V) (f*(k+1) = (k+1)! && 0 k+1 N && N-(k+1)< V) = (f = k! && 0 k < N && N-k = V) (f*(k+1) = k!*(k+1) && 0 k+1 N && N-k-1< V) // by simplification and (k+1)!=k!*(k+1) Assume (f = k! && 0 k < N && N-k = V) Check each RHS clause: (f*(k+1) = k!*(k+1)) = (f = k!) // division by (k+1) (nonzero by assumption) = true // by assumption 0 k+1 = true // by assumption that 0 k k+1 N = true // by assumption that k < N N-k-1< V = N-k-1 < N-k // by assumption that N-k = V = N-1 < N // by addition of k = true // by properties of < 43 Factorial Obligations (3) (f = k! && 0 k N && k N) (f = N!) Assume f = k! && 0 k N && k N Then k=n by k N && k N So f = N! by substituting k=n 44 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback