Verifying Safety Property of Lustre Programs: Temporal Induction

Similar documents
1KOd17RMoURxjn2 CSE 20 DISCRETE MATH Fall

COT 3100 Spring 2010 Midterm 2

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Discrete Mathematics Lecture 4. Harper Langston New York University

Reasoning About Imperative Programs. COS 441 Slides 10

Handout 9: Imperative Programs and State

CSE 20 DISCRETE MATH WINTER

Semantics via Syntax. f (4) = if define f (x) =2 x + 55.

Programming Embedded Systems

More Untyped Lambda Calculus & Simply Typed Lambda Calculus

Topology Homework 3. Section Section 3.3. Samuel Otten

Formal Semantics of Programming Languages

Introduction to Axiomatic Semantics

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Formal Semantics of Programming Languages

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

An Introduction to Lustre

Type Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.

CMSC 330: Organization of Programming Languages. OCaml Expressions and Functions

Outline. General properties of type systems. Types in programming languages. Notation for type rules. Common type rules. Logical rules of inference

Semantics with Applications 3. More on Operational Semantics

Lecture 2: Analyzing Algorithms: The 2-d Maxima Problem

Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

Reasoning about programs. Chapter 9 of Thompson

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Inference rule for Induction

Program Analysis: Lecture 02 Page 1 of 32

1 Introduction. 3 Syntax

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Critical Analysis of Computer Science Methodology: Theory

CS422 - Programming Language Design

Type Systems. Pierce Ch. 3, 8, 11, 15 CSE

Propositional Logic. Andreas Klappenecker

CS 3512, Spring Instructor: Doug Dunham. Textbook: James L. Hein, Discrete Structures, Logic, and Computability, 3rd Ed. Jones and Barlett, 2010

Fall Recursion and induction. Stephen Brookes. Lecture 4

THE PRINCIPLE OF INDUCTION. MARK FLANAGAN School of Electrical, Electronic and Communications Engineering University College Dublin

Reasoning About Programs Panagiotis Manolios

1 Elementary number theory

(a) (4 pts) Prove that if a and b are rational, then ab is rational. Since a and b are rational they can be written as the ratio of integers a 1

Chapter Summary. Mathematical Induction Recursive Definitions Structural Induction Recursive Algorithms

CSE101: Design and Analysis of Algorithms. Ragesh Jaiswal, CSE, UCSD

Mutable References. Chapter 1

CSE 311: Foundations of Computing. Lecture 8: Predicate Logic Proofs

Induction and Semantics in Dafny

Functions 2/1/2017. Exercises. Exercises. Exercises. and the following mathematical appetizer is about. Functions. Functions

Induction and Recursion. CMPS/MATH 2170: Discrete Mathematics

Computing Fundamentals 2 Introduction to CafeOBJ

CSC Discrete Math I, Spring Sets

An Annotated Language

Computer-Aided Program Design

Arguing for program correctness and writing correct programs

Foundations of Computer Science Spring Mathematical Preliminaries

Lecture 15 CIS 341: COMPILERS

CS525 Winter 2012 \ Class Assignment #2 Preparation

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

The Substitution Model

Module 11. Directed Graphs. Contents

Propositional Logic Formal Syntax and Semantics. Computability and Logic

Math Introduction to Advanced Mathematics

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

On Meaning Preservation of a Calculus of Records

Introduction to Axiomatic Semantics (1/2)

Lemma (x, y, z) is a Pythagorean triple iff (y, x, z) is a Pythagorean triple.

Discrete Mathematics. Kruskal, order, sorting, induction

Lecture 6,

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Boolean networks, local models, and finite polynomial dynamical systems

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

The Substitution Model. Nate Foster Spring 2018

Lecture 2. The SCADE Language Data Flow Kernel. Daniel Kästner AbsInt GmbH 2012

A Lift Controller in Lustre. (a case study in developing a reactive system) Leszek Holenderski

Deductive Methods in Computer Science

Denotational Semantics. Domain Theory

CIS 890: Safety Critical Systems

Programming Languages

Programming Languages Fall 2013

Automated Reasoning. Natural Deduction in First-Order Logic

Lecture Notes on Induction and Recursion

Fall Lecture 3 September 4. Stephen Brookes

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Programming Languages Third Edition

Syntax vs. semantics. Detour: Natural deduction. Syntax vs. semantics (cont d) Syntax = grammatical structure Semantics = underlying meaning

Chapter 3: Propositional Languages

The University of Iowa. 22c181: Formal Methods in Software Engineering. Spring Course Overview

COS 320. Compiling Techniques

4&5 Binary Operations and Relations. The Integers. (part I)

Hoare Logic: Proving Programs Correct

Pierce Ch. 3, 8, 11, 15. Type Systems

Recursion and Induction

Lecture (04) Boolean Algebra and Logic Gates

Lecture (04) Boolean Algebra and Logic Gates By: Dr. Ahmed ElShafee

Formal Syntax and Semantics of Programming Languages

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Softwaretechnik. Lecture 03: Types and Type Soundness. Peter Thiemann. University of Freiburg, Germany SS 2008

Recursive Definitions Structural Induction Recursive Algorithms

SOFTWARE ENGINEERING DESIGN I

Using Arithmetic of Real Numbers to Explore Limits and Continuity

CS4215 Programming Language Implementation. Martin Henz

Transcription:

22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 Verifying Safety Property of Lustre Programs: Temporal Induction Copyright 2008 Cesare Tinelli. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. 22c181: Formal Methods in Software Engineering p.1/21

Semantics of Lustre programs A Lustre program is in essence a set of constraints between its input streams and output streams. These constraints operate in an algebra of streams But they can also seen as Boolean and arithmetic constraints over instantaneous configurations of the program. Important observation: A stream x containing values of type T is essentially a function x : N T. For each n N, x(n) is the value of x at position (or, instant ) n. 22c181: Formal Methods in Software Engineering p.2/21

Instantaneous Configuration Let L be a Lustre program. Let x 1,...,x p be streams given in input to L, and x p+1,...,x p+q be the non-input (i.e., local and output) streams computed by P. For each n N, the tuple of values x 1 (n),x 2 (n),...,x p+q (n) is a configuration (of L at instant n). 22c181: Formal Methods in Software Engineering p.3/21

Instantaneous Configuration: Example node counter (R:bool, X:int) returns (Y:bool); var C: int; let C = X -> if R then X else pre(c) + 1; Y = (C = 5); tel; 0 1 2 3 4 5... R = ( false, false, false, true, false, false,... X = ( 0, 4, 5, 1, 0, 11,... C = ( 0, 1, 2, 1, 2, 3,... Y = ( false, false, false, false, false, false,... R(3),X(3),C(3),Y (3) = true, 1, 1,false is the configuration at instant 3. 22c181: Formal Methods in Software Engineering p.4/21

Instantaneous Configuration: Example node counter (R:bool, X:int) returns (Y:bool); var C: int; let C = X -> if R then X else pre(c) + 1; Y = (C = 5); tel; The program above can be seen as the following set of constraints for all n N. C(n) = if n = 0 then X(n) else if R(n) then X(n) else C(n 1) + 1 Y (n) = C(n) = 5 22c181: Formal Methods in Software Engineering p.5/21

Proving Properties node test( X: bool ) returns ( P : bool ); var A, B : bool; let A = X -> pre A; B = not (not X -> pre (not B)); --- A and B are identical streams P = A = B; tel; Conjecture: test always returns that constantly true stream. How do we prove that? 22c181: Formal Methods in Software Engineering p.6/21

Proving Properties by Induction Mathematically, the program test expresses, for all n N, the constraints set n : A(n) = if n = 0 then X(n) else A(n 1) B(n) = not (if n = 0 then not X(n) else not B(n 1)) P(n) = A(n) = B(n) We want to show that P(n) = true for all n N. To do that, we can reason by induction on n: 1. First, we prove that P(0) s value is always true. 2. Then, we prove that whenever P(n) is true for an arbitrary n then P(n + 1) is also true. 22c181: Formal Methods in Software Engineering p.7/21

Proving Properties by Induction Induction proof: Base case) Prove that 0 P(n) Induction Step) Prove that n n+1 P(n) P(n + 1) We have 3 possibilities. 1. Both the base case and the induction step hold. Then, we can conclude that P is always true. 2. The base case does not hold. Then, clearly, P is sometimes false. 3. The base case holds but the induction step does not. Then, we cannot conclude anything about P. 22c181: Formal Methods in Software Engineering p.8/21

Induction Proof: Example n : A(n) = if n = 0 then X(n) else A(n 1) B(n) = not (if n = 0 then not X(n) else not B(n 1)) P(n) = A(n) = B(n) Base case) 0 is equivalent to: Clearly, P(0) = true A(0) = X(0) B(0) = not (not X(0)) P(0) = A(0) = B(0) 22c181: Formal Methods in Software Engineering p.9/21

Induction Proof: Example A(n) = if n = 0 then X(n) else A(n 1) n : B(n) = not (if n = 0 then not X(n) else not B(n 1)) P(n) = A(n) = B(n) Induction Step) Assume that A(n), B(n), C(n) are defined as in n. n+1 is equivalent to: A(n + 1) = A(n) B(n + 1) = not (not B(n)) P(n + 1) = A(n + 1) = B(n + 1) If we assume that P(n) is true, it must be that A(n) = B(n). But then, we can conclude that P(n + 1) is true. 22c181: Formal Methods in Software Engineering p.9/21

Limits of Simple Induction node counter (R: bool) returns (P: bool); var C: int; let C = 0 -> if (R or pre(c) = 2) then 0 else pre(c) + 1; P = C <= 4; tel; Observe: C is never more than 2, so P is constantly true. However, simple induction is unable to prove that. The problem is that the induction step does not hold. 22c181: Formal Methods in Software Engineering p.10/21

Why the induction step does not hold n : n+1 : C(n) = if n = 0 then 0 else if R(n) or C(n 1) = 2 then 0 else C(n 1) + 1 P(n) = C(n) 4 C(n + 1) = if R(n + 1) or C(n) = 2 then 0 else C(n) + 1 P(n + 1) = C(n + 1) 4 We need to show that the following implication holds: n n+1 P(n) P(n + 1) ( ) However, if we set, e.g., n to 10, C(n 1) to 3, and R(n) and R(n + 1) to false, we can satisfy n n+1 P(n) and falsify P(n + 1). 22c181: Formal Methods in Software Engineering p.11/21

Why the induction step does not hold n : n+1 : C(n) = if n = 0 then 0 else if R(n) or C(n 1) = 2 then 0 else C(n 1) + 1 P(n) = C(n) 4 C(n + 1) = if R(n + 1) or C(n) = 2 then 0 else C(n) + 1 P(n + 1) = C(n + 1) 4 Problem: a value of 3 for C(n 1) is impossible in the program but the premise of ( ) is not strong enough to rule it out 22c181: Formal Methods in Software Engineering p.11/21

Why the induction step does not hold n : n+1 : C(n) = if n = 0 then 0 else if R(n) or C(n 1) = 2 then 0 else C(n 1) + 1 P(n) = C(n) 4 C(n + 1) = if R(n + 1) or C(n) = 2 then 0 else C(n) + 1 P(n + 1) = C(n + 1) 4 Problem: a value of 3 for C(n 1) is impossible in the program but the premise of ( ) is not strong enough to rule it out Solution: look at a few more preceding configurations 22c181: Formal Methods in Software Engineering p.11/21

k-induction: Induction with Depth Fix some k 0 Base case) Prove that 0 k P(0) P(k) Induction Step) Prove that n n+k+1 P(n) P(n + k) P(n + k + 1) We have again 3 possibilities: 22c181: Formal Methods in Software Engineering p.12/21

k-induction: Induction with Depth Fix some k 0 Base case) Prove that 0 k P(0) P(k) Induction Step) Prove that n n+k+1 P(n) P(n + k) P(n + k + 1) We have again 3 possibilities: 1. Both the base case and the induction step hold. Then, we can conclude that P is always true. 22c181: Formal Methods in Software Engineering p.12/21

k-induction: Induction with Depth Fix some k 0 Base case) Prove that 0 k P(0) P(k) Induction Step) Prove that n n+k+1 P(n) P(n + k) P(n + k + 1) We have again 3 possibilities: 2. The base case does not hold. Then, P is false for some m {0,...,k}. 22c181: Formal Methods in Software Engineering p.12/21

k-induction: Induction with Depth Fix some k 0 Base case) Prove that 0 k P(0) P(k) Induction Step) Prove that n n+k+1 P(n) P(n + k) P(n + k + 1) We have again 3 possibilities: 3. The base case holds but the induction step does not. Then, we cannot conclude anything about P. But we can increase k and start again. 22c181: Formal Methods in Software Engineering p.12/21

Previous Example n : C(n) = if n = 0 then 0 else P(n) = C(n) 4 if R(n) or C(n 1) = 2 then 0 else C(n 1) + 1 n+1 : C(n + 1) = if R(n + 1) or C(n) = 2 then 0 else C(n) + 1 P(n + 1) = C(n + 1) 4 With k-induction we can prove that P is always true. Exercise: Find the smallest value of k that will do. 22c181: Formal Methods in Software Engineering p.13/21

The k-induction Procedure 1: k := 0; 2: while true do 3: check validity of 0 k P(0) P(k); 4: if counter-example found then 5: return counter-example 6: end if; 7: check validity of n n+k+1 P(n) P(n + k) P(n + k + 1); 8: if valid then 9: return "Property holds" 10: end if; 11: k := k + 1; 12: end while 22c181: Formal Methods in Software Engineering p.14/21

Features of the k-induction Procedure When contains no multiplications, the validity tests in lines 3 and 7 can be performed completely automatically. The induction procedure is sound: if it says that the property holds, then the property does hold. However, the procedure is still incomplete: for some properties that do hold it may loop forever. The procedure can be made complete for some (large) classes of Lustre programs, including finite state ones. However, it is impossible to make the procedure complete (and still automatic) for all Lustre programs. 22c181: Formal Methods in Software Engineering p.15/21

Limits of k-induction node counter2 (R, X: bool) returns (P: bool); var C: int; let C = 0 -> if (R or pre(c) = 2) then 0 else pre(c) + 1; P = X or (C <= 4); tel; Observe: Similar to counter but now P is X or (C <= 4) instead of C <= 4, with X an additional input stream. P is always true but k-induction is unable to prove that for any k. For each k, there is a counter-example for the induction step, e.g., n = 10, C(n 1) = 4, X(n) = true,..., X(n + k) = true, and X(n + k + 1) = false. 22c181: Formal Methods in Software Engineering p.16/21

A Simplifying Assumption Let us consider only Lustre programs where pre applies only to variables. Note: This is with no loss of generality. For example, the first program below can be rewritten equivalently into the second: node Foo (X,Y: int) returns (Z:int); let Z = 0 -> pre (X + Y); tel; node FooNorm (X,Y: int) returns (Z:int); var U: int let U = X + Y; Z = 0 -> pre(u); tel; 22c181: Formal Methods in Software Engineering p.17/21

Program State If L is a Lustre program, let S be the tuple of L s state variables, non-input variables that occur within a pre. Example. S = A,C for this program: node test( X: bool ) returns ( P : bool ); var A, B, C : bool; let A = X -> pre A; B = not (not X -> pre(c)); C = not B; P = A = B; tel; The value S n that the tuple S has at some instant n is the state of L at instant n. 22c181: Formal Methods in Software Engineering p.18/21

k-induction with Distinct States We can make k-induction less incomplete, by considering only configurations with distinct states. Let D 0,k be the formula stating that the states S 0,...,S k are pairwise distinct. (And similarly for D n,n+k+1 ). We can use Base case) Induction step) D 0,k 0 k P(0) P(k) D n,n+k+1 n n+k+1 P(n) P(n + k) P(n + k + 1) 22c181: Formal Methods in Software Engineering p.19/21

The k-induction Procedure with Distinct States 1: k := 0; 2: while true do 3: check validity of D 0,k 0 k P(0) P(k); 4: if counter-example found then 5: return counter-example 6: end if; 7: check validity of D n,n+k+1 n n+k+1 P(n) P(n + k) P(n + k + 1); 8: if valid then 9: return "Property holds" 10: end if; 11: k := k + 1; 12: check validity of 0 k D 0,k ; 13: if valid then 14: return "Property holds" 15: end if; 16: end while 22c181: Formal Methods in Software Engineering p.20/21

k-induction with Distinct States Adding the distinct states restriction to k-induction preserves its soundness. It makes it complete for programs where every legal execution sequence with pairwise distinct states is shorter than some positive integer d. This is the case, for instance, for finite state programs, programs whose state variables can take only finitely many values. But it is also the case for some infinite state programs like counter2. 22c181: Formal Methods in Software Engineering p.21/21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback