program analysis and verification spring 2014 program analysis and verification lecture 5: axiomatic...

Spring 2014Program Analysis and Verification

Lecture 5: Axiomatic Semantics II

Roman ManevichBen-Gurion University

2

Syllabus

Semantics

NaturalSemantics

Structural semantics

AxiomaticVerification

StaticAnalysis

AutomatingHoare Logic

AbstractInterpretation fundamentals

Lattices

Galois Connections

Fixed-Points

Widening/Narrowing

Domain constructors

InterproceduralAnalysis

AnalysisTechniques

Numerical Domains

CEGAR

Alias analysis

ShapeAnalysis

Crafting your own

Soot

From proofs to abstractions

Systematically developing

transformers

3

Previously

• Basic notions of correctness• Formalizing Hoare triples• FO logic– Free variables– Substitutions

• Hoare logic rules

4

States and predicates• – program states

– undefined• A state predicate P is a

(possibly infinite) setof states

• P– P holds in state

P

5

Formalizing Hoare triples

• { P } C { Q }– , ’ . (P C, ’) ’Q

alternatively– . (P SnsC ) SnsC Q– Convention: P for all P

. P SnsC Q

P C(P)

Q

’C

Sns C = ’ if C, ’ else

6

An assertion language

a ::= n | x | a1 + a2 | a1 a2 | a1 – a2

A ::= true | false| a1 = a2 | a1 a2 | A | A1 A2 | A1 A2

| A1 A2 | z. A | z. A

Either a program variablesor a logical variable

7

Free/bound variables

• A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free– i. k=im– (i+10077)i. j+1=i+3)

• FV(A) the free variables of A• Defined inductively on the abstract syntax tree

of A

8

Free variables

FV(n) {}FV(x) {x}FV(a1+a2) FV(a1a2) FV(a1-a2) FV(a1) FV(a2)FV(true) FV(false) {}FV(a1=a2) FV(a1a2) FV(a1) FV(a2)FV(A) FV(A)FV(A1 A2) FV(A1 A2) FV(A1 A2)

FV(a1) FV(a2) FV(z. A) FV(z. A) FV(A) \ {z}

9

Substitution

• An expression t is pure (a term) if it does not contain quantifiers

• A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t

• A i. k=imA[5/k] = …? A[5/i] = …?

What if t is not pure?

10

Calculating substitutions

n[t/z] = nx[t/z] = xx[t/x] = t

(a1 + a2)[t/z] = a1[t/z] + a2[t/z](a1 a2)[t/z] = a1[t/z] a2[t/z](a1 - a2)[t/z] = a1[t/z] - a2[t/z]

11

Calculating substitutionstrue[t/x] = truefalse[t/x] = false(a1 = a2)[t/z] = a1[t/z] = a2[t/z] (a1 a2)[t/z] = a1[t/z] a2[t/z] (A)[t/z] = (A[t/z])(A1 A2)[t/z]= A1[t/z] A2[t/z](A1 A2)[t/z] = A1[t/z] A2[t/z] (A1 A2)[t/z] = A1[t/z] A2[t/z]

(z. A)[t/z] = z. A(z. A)[t/y] = z. A[t/y]( z. A)[t/z] = z. A( z. A)[t/y] = z. A[t/y]

12

Today

• The rules• Inference system• Annotating programs with proofs• Properties of the semantics• Weakest precondition calculus

13

FO Logic reminder

• We write A B if for all states if A then B– { | A } { | B }– For every predicate A: false A true

• We write A B if A B and B A– false 5=7

• In writing Hoare-style proofs, we will often replace a predicate A with A’ such that A A’and A’ is “simpler”

14

the rules

six are completely

enough

15

Axiomatic semantics for While { P[a/x] } x := a { P }[assp]

{ P } skip { P }[skipp]

{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]

{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]

{ b P } S { P } { P } while b do S {b P }

[whilep]

{ P’ } S { Q’ } { P } S { Q }

[consp] if PP’ and Q’Q

Notice similarity to natural semantics rules

What’s different about this rule?

16

Assignment rule

• A “backwards” rule• x := a always finishes• Why is this true?– Recall operational semantics:

• Example: {y*z<9} x:=y*z {x<9}What about {y*z<9w=5} x:=y*z {w=5}?

x := a, [xAa][assns]

[xAa] P

17

skip rule

skip, [skipns]

18

Composition rule

• Holds when S1 terminates in every state where P holds and then Q holdsand S2 terminates in every state where Q holds and then R holds

S1, ’, S2, ’ ’’S1; S2, ’’ [compns]

19

Condition rule

S1, ’ if b then S1 else S2, ’

if B b = tt[ifttns]

S2, ’ if b then S1 else S2, ’

if B b = ff[ifffns]

20

Loop rule

• Here P is called an invariant for the loop– Holds before and after each loop iteration– Finding loop invariants – most challenging part of proofs

• When loop finishes, b is false

while b do S, if B b = ff[whileffns]

S, ’, while b do S, ’ ’’while b do S, ’’

if B b = tt[whilettns]

21

Rule of consequence

• Allows strengthening the precondition and weakening the postcondition

• The only rule that is not related to a statement

22

Rule of consequence

• Why do we need it?• Allows the following

{y*z<9} x:=y*z {x<9} {y*z<9w=5} x:=y*z {x<10}

23

Axiomatic semanticsas an inference system

24

Inference trees

• Similar to derivation trees of natural semantics• Leaves are …?• Internal nodes correspond to …?

25

Inference trees

• Similar to derivation trees of natural semantics• Leaves are …?• Internal nodes correspond to …?• Inference tree is called– Simple if tree is only an axiom– Composite otherwise

26

Provability

• We say that an assertion { P } C { Q } is provable if there exists an inference tree– Written as p { P } C { Q }– Are inference trees unique?

{true} x:=1; x:=x+5 {x0}• Proofs of properties of axiomatic semantics

use induction on the shape of the inference tree– Example: prove p { P } C { true } for any P and C

27

Factorial proof inference tree

W = while (x1) do (y:=y*x; x:=x–1)

INV = x > 0 (y x! = n! n x)

{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}

{ INV[x-1/x] } x:=x-1 {INV}

{ INV } W { x=1 INV }{ INV[1/y] } y:=1 { INV }

{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }

{ x1 INV } y:=y*x; x:=x–1 { INV }

[comp]

[cons]

[while]

[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }

[cons]

{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }

[comp]

Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }

will show later

28

Annotating programswith proofs

29

Annotated programs

• A streamlined version of inference trees– Inline inference trees into programs– A kind of “proof carrying code”– Going from annotated program to proof tree is a

linear time translation

http://www.cs.berkeley.edu/~necula/pcc.html

30

Annotating composition

• We can inline inference trees into programs• Using proof equivalence of S1; (S2; S3) and (S1; S2); S3

instead writing deep trees, e.g.,

{P} (S1; S2); (S3 ; S4) {Q}{P} (S1; S2) {P’’} {P’’} (S3 ; S4) {Q}

{P} S1 {P’} {P’} S2 {P’’} {P’’} S3 {P’’’} {P’’’} S4 {P’’}

• We can annotate a composition S1; S2;…; Sn by{P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}

31

Annotating conditions

{ P }if b then

{ b P }S1

else { b P }

S2

{ Q }

32

Annotating conditions

{ P }if b then

{ b P }S1

{ Q1 }else { b P }

S2

{ Q2 }{ Q }

Usually Q is the result of using the consequence rule, so a more explicit annotation adds the postcondition of each branch

33

Annotating loops

{ P }while b do { b P } S{b P }

34

Annotating loops

{ P }while b do { b P } S { P’ }{b P } { Q }

P’ implies P

b P implies Q

35

Annotating loops

{ P }while b do { b P } S {b P }

Source of confusion

36

Annotating loops – alternative 1

while { P } b do { b P } S{b P }

37

Annotating loops – alternative 2

Inv = { P }while b do { b P } S {b P }

We will take this alternative in our examples and homework assignments

38

Annotating formula transformations

• We often rewrite formulas– To make proofs more readable– Using logical identities– Import theorems

{ }{ ’ } // transformation 1{ ’’ } // transformation 2

39

Annotated programs: factorial{ x=n }y := 1;Inv = { x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 }

• Contrast with proof via natural semantics

• Where did the inductive argument over loop iterations go?

40

Detailed proof steps{ x=n }y := 1;{ x=n y=1 } Inv = { x>0 y*x!=n! nx } while (x=1) do { x1 (x>0 y*x!=n! nx) } { x1 (x>0 (y*x)*(x-1)!=n! nx) } // Factorial { x1 (x>0 (y*x)*(x-1)!=n! n(x-1) } // Cons { x-1>0 (y*x)*(x-1)!=n! n(x-1) } // Cons y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { x>0 y*x!=n! nx } { y*x!=n! n>0 }

41

Properties of the semantics

42

Properties of the semanticsEquivalence– What is the analog of program

equivalence in axiomatic verification?

By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

Soundness– Can we prove incorrect properties?

Completeness– Is there something we can’t

prove?

43

Provable equivalence

• We say that C1 and C2 are provably equivalent if for all P and Qp { P } C1 { Q } if and only if p { P } C2 { Q }

• Examples:– S; skip and S– S1; (S2; S3) and (S1; S2); S3

44

S1; (S2; S3) is provably equivalent to (S1; S2); S3

{P} S1; (S2; S3) {Q}{P} S1 {P’} {P’} (S2; S3) {Q}

{P’} S2 {P’’} {P’’} S3 {Q}

{P} (S1; S2); S3 {Q}{P} (S1; S2) {P’’} {P’’} S3 {Q}

{P} S1 {P’} {P’} S2 {P’’}

45

Valid assertions

• We say that { P } C { Q } is validif for all states , if P and C, ’then ’Q

• Denoted by p { P } C { Q }

P C(P)

Q

’C

46

Soundness and completeness

• The inference system is sound:– p { P } C { Q } implies p { P } C { Q }

• The inference system is complete:– p { P } C { Q } implies p { P } C { Q }

By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

47

Weakest precondition calculus

48

From inference to calculus

• A Hoare-style proof is declarative– You can check that a proof is correct

• Is there a more operative approach to producing proofs?– Weakest precondition calculus– Strongest postcondition calculus

• WP/SP provide limits for Hoare triples• WP helps prove that Hoare logic is relatively

complete

49

Weakest liberal precondition

• A backward-going predicate transformer• The weakest liberal precondition for Q is

wlp(C, Q)if and only if for all states ’if C, ’ then ’ Q

Propositions:1. p { wlp(C, Q) } C { Q }

2. If p { P } C { Q } then P wlp(C, Q)

50

Weakest liberal precondition

• A backward-going predicate transformer• The weakest liberal precondition for Q is

wlp(C, Q)if and only if for all states ’if C, ’ then ’ Q

P

C(P)

Q

C

wlp(C, Q) C(wlp(C, Q))

51

Strongest postcondition

• A forward-going predicate transformer• The strongest postcondition for P is

’ sp(P, C)if and only if there exists such that P and C, ’

Propositions:1. p { P } C { sp(P, C) }

2. If p { P } C { Q } then sp(P, C) Q

52

Predicate transformer semantics• wlp and sp can be seen functions that transform

predicates to other predicates– wlpC : Predicate Predicate

{ P } C { Q } if and only if wlpC Q = P– spC : Predicate Predicate

{ P } C { Q } if and only if spC P = Q

53

Is Hoare logic complete?• Extensional approach: yes• Proving

p { P } C { Q } implies p { P } C { Q }boils down to provingp { wlp(C, Q) } C { Q }

• See proof in book

54

Is Hoare logic complete?• Intentional approach: no• Only as complete as the logic of assertions• Requires that we are able to prove the validity of

assertions that occur in the rule of consequence

• Relative completeness of Hoare logic (Cook 1974)

55

Calculating Weakest preconditions

56

Calculating wlp

1. wlp(skip, Q) = Q2. wlp(x := a, Q) = Q[a/x]3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))

4. wlp(if b then S1 else S2, Q) =(b wlp(S1, Q)) (b wlp(S2,

Q))5. wlp(while b do S, Q) = … ?

hard to capture

57

Calculating wlp of a loop

wlp(while b do S, Q) =

Idea: we know the following statements are semantically equivalentwhile b do Sif b do (S; while b do S) else skip

Let’s try to substitute and calculate on

wlp(if b do (S; while b do S) else skip, Q) =

(b wlp(S; while b do S, Q)) (b wlp(skip, Q)) =

(b wlp(S, wlp(while b do S, Q))) (b Q)

LoopInv = (b wlp(S, LoopInv)) (b Q) We have a recurrence

The loop invariant

58

Write a specification

{ ? }while (timer > 0) do

timer := timer – 1{ ? }

• “The program should count to zero”

59

Prove the following triple

• LoopInv = (b wlp(S, LoopInv)) (b Q)• Let’s substitute LoopInv with timer0• Show that timer0 is equal to

(timer>0 wlp(timer:=timer-1, timer0)) (timer0 timer=0)= (timer>0 (timer0)[timer-1/timer]) (timer0 timer=0)= (timer>0 timer-10) (timer0 timer=0)= timer>0 timer=0= timer0

{ timer 0 }while (timer > 0) do

timer := timer – 1{ timer = 0 }

60

Issues with wlp-based proofs

• Requires backwards reasoning – not very intuitive

• Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing)

• Also, a few more rules will be helpful

61

Making the proof systemmore practical

62

Conjunction rule

• Not necessary (for completeness) but practically useful

• Starting point of extending Hoare logic to handle parallelism

• Related to Cartesian abstraction– Will point this out when we learn it

63

More rules exist{ P } C { Q } { P’ } C { Q’ }

{ P P’ } C {Q Q’ }[disjp]

{ P } C { Q } { v. P } C { v. Q }[existp] vFV(C

)

{ P } C { Q } {v. P } C {v. Q }[univp] vFV(C)

{ F } C { F } Mod(C) FV(F)={}[Invp]• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F

Breaks if C is non-deterministic

64

Invariance + Conjunction = Constancy

• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F

{ P } C { Q } { F P } C { F Q }[constancyp] Mod(C) FV(F)={}

Next lecture:axiomatic semantics part 3

program analysis and verification spring 2014 program analysis and verification lecture 5: axiomatic...

Documents