spring 2014 program analysis and verification lecture 6: axiomatic semantics iii
DESCRIPTION
Spring 2014 Program Analysis and Verification Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University. Syllabus. Previously. Hoare logic Inference system Annotated programs Soundness and completeness Weakest precondition calculus. Axiomatic semantics for While. - PowerPoint PPT PresentationTRANSCRIPT
Spring 2014Program Analysis and Verification
Lecture 6: Axiomatic Semantics III
Roman ManevichBen-Gurion University
2
Syllabus
Semantics
NaturalSemantics
Structural semantics
AxiomaticVerification
StaticAnalysis
AutomatingHoare Logic
AbstractInterpretation fundamentals
Lattices
Galois Connections
Fixed-Points
Widening/Narrowing
Domain constructors
InterproceduralAnalysis
AnalysisTechniques
Numerical Domains
CEGAR
Alias analysis
ShapeAnalysis
Crafting your own
Soot
From proofs to abstractions
Systematically developing
transformers
3
Previously
• Hoare logic– Inference system– Annotated programs– Soundness and completeness
• Weakest precondition calculus
4
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }[whilep]
{ P’ } S { Q’ } { P } S { Q }[consp] if PP’ and Q’Q
5
Weakest precondition calculus
6
Weakest liberal precondition
• A backward-going predicate transformer• The weakest liberal precondition for Q is
wlp(C, Q)if and only if for all states ’if C, ’ then ’ Q
Propositions:1. p { wlp(C, Q) } C { Q }2. If p { P } C { Q } then P wlp(C, Q)
7
Weakest liberal precondition• A backward-going predicate transformer• The weakest liberal precondition for Q is
wlp(C, Q)if and only if for all states ’if C, ’ then ’ Q
P
C(P)
Q
C
wlp(C, Q) C(wlp(C, Q))
8
Strongest postcondition
• A forward-going predicate transformer• The strongest postcondition for P is
’ sp(P, C)if and only if there exists such that P and C, ’
Propositions:1. p { P } C { sp(P, C) }2. If p { P } C { Q } then sp(P, C) Q
9
CalculatingWeakest
preconditionsBy Vadim Plessky (http://svgicons.sourceforge.net/) [see page for license], via Wikimedia Commons
10
Calculating wlp
1. wlp(skip, Q) = Q2. wlp(x := a, Q) = Q[a/x]3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))4. wlp(if b then S1 else S2, Q) =
(b wlp(S1, Q)) (b wlp(S2, Q))
5. wlp(while b do S, Q) = … ?hard to capture
11
Calculating the wlp of a loop
wlp(while b do S, Q) =
Idea: we know the following statements are semantically equivalentwhile b do Sif b do (S; while b do S) else skip
Let’s try to substitute and calculate on
wlp(if b do (S; while b do S) else skip, Q) =
(b wlp(S; while b do S, Q)) (b wlp(skip, Q)) =
(b wlp(S, wlp(while b do S, Q))) (b Q)
LoopInv = (b wlp(S, LoopInv)) (b Q)
12
Another variant for WP of loops
• Parametric in the loop invariant• wlp(while b do {} S, Q) =
where {b } S {}and b Q
13
Variable swap program – specify
{ ? }t := xx := yy := t{ ? }
14
Prove using weakest precondition
{ y=b x=a }t := x{ ? }x := y{ ? } y := t{ x=b y=a }
15
Prove using weakest precondition
{ y=b x=a }t := x{ y=b t=a }x := y{ x=b t=a } y := t{ x=b y=a }
16
Absolute value program
if x<0 then x := -xelse skip
if b then Sis syntactic sugar forif b then S else skipThe latter form is easier to reason about
17
Absolute value program – specify
{ ? }if x<0 then x := -xelse skip{ ? }
18
Absolute value program – specify
{ x=v }if x<0 then x := -xelse skip{ x=|v| }
19
Prove using weakest precondition{ x=v }{ } if x<0 then { } x := -x { }else { } skip { }{x=|v| }
20
Prove using weakest precondition{ x=v }{ (-x=|v| x<0) (x=|v| x0) } if x<0 then { -x=|v| } x := -x { x=|v| }else { x=|v| } skip { x=|v| }{ x=|v| }
21
Making the proof systemmore practical
22
Conjunction rule
• Allows breaking up proofs into smaller, easier to manage, sub-proofs
23
More useful rules{ P } C { Q } { P’ } C { Q’ }
{ P P’ } C {Q Q’ }[disjp]
{ P } C { Q } { v. P } C { v. Q }[existp] vFV(C
)
{ P } C { Q } {v. P } C {v. Q }[univp] vFV(C)
{ F } C { F } Mod(C) FV(F)={}[Invp]• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F
Breaks if C is non-deterministic
24
Invariance + Conjunction = Constancy
• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F
{ P } C { Q } { F P } C { F Q }[constancyp] Mod(C) FV(F)={}
25
Today
• Strongest postcondition• Extension for memory• Proving termination
26
Strongestpostcondition
calculusBy Vadim Plessky (http://svgicons.sourceforge.net/) [see page for license], via Wikimedia Commons
27
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { ? }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
The value of x in the pre-state
28
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
meaning: {x=z+1}
29
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
First evaluate ain the precondition state(as a may access x)
Then assign the resulting value to x
Create an explicit Skolem variable in precondition
30
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
31
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
32
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
33
Calculating sp
1. sp(skip, P) = P2. sp(x := a, P) = v. x=a[v/x] P[v/x] 3. sp(S1; S2, P) = sp(S2, sp(S1, P))4. sp(if b then S1 else S2, P) =
sp(S1, b P) sp(S2, b P)5. sp(while b do {} S, P) = b
where {b } S {}and P b
34
Prove using strongest postcondition{ x=a y=b }t := x
x := y
y := t
{ x=b y=a }
35
Prove using strongest postcondition{ x=a y=b }t := x{ x=a y=b t=a }
x := y
y := t
{ x=b y=a }
36
Prove using strongest postcondition{ x=a y=b }t := x{ x=a y=b t=a }
x := y{ x=b y=b t=a }
y := t
{ x=b y=a }
37
Prove using strongest postcondition{ x=a y=b }t := x{ x=a y=b t=a }
x := y{ x=b y=b t=a }
y := t{ x=b y=a t=a }{ x=b y=a } // cons
38
Prove using strongest postcondition{ x=v }if x<0 then { x=v x<0 } x := -x { x=-v x>0 }else
{ x=v x0 }skip{ x=v x0 }
{ v<0 x=-v v0 x=v }{ x=|v| }
39
Prove using strongest postcondition{ x=v }if x<0 then { x=v x<0 } x := -x { x=-v x>0 }else
{ x=v x0 }skip{ x=v x0 }
{ v<0 x=-v v0 x=v }{ x=|v| }
40
Sum program – specify• Define Sum(0, n) = 0+1+…+n
{ ? }x := 0res := 0while (x<y) do res := res+x x := x+1 { ? }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
Background axiom
41
Sum program – specify• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0res := 0while (x<y) do res := res+x x := x+1 { res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
Background axiom
42
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0
res := 0
Inv = while (x<y) do
res := res+x
x := x+1
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
43
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0
Inv = while (x<y) do res := res+x x := x+1
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
44
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = while (x<y) do res := res+x x := x+1
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
45
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy }while (x<y) do
res := res+x x := x+1
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
46
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy }while (x<y) do { y0 res=m x=n ny m=Sum(0, n) x<y } { y0 res=m x=n m=Sum(0, n) n<y } res := res+x x := x+1
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
47
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy }while (x<y) do { y0 res=m x=n ny m=Sum(0, n) x<y } { y0 res=m x=n m=Sum(0, n) n<y } res := res+x { y0 res=m+x x=n m=Sum(0, n) n<y } x := x+1
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
48
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy }while (x<y) do { y0 res=m x=n ny m=Sum(0, n) x<y } { y0 res=m x=n m=Sum(0, n) n<y } res := res+x { y0 res=m+x x=n m=Sum(0, n) n<y } x := x+1 { y0 res=m+x x=n+1 m=Sum(0, n) n<y } { y0 res=Sum(0, x) x=n+1 n<y } // sum axiom { y0 res=Sum(0, x) xy } // cons
{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
49
Sum program – prove• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy }while (x<y) do { y0 res=m x=n ny m=Sum(0, n) x<y } { y0 res=m x=n m=Sum(0, n) n<y } res := res+x { y0 res=m+x x=n m=Sum(0, n) n<y } x := x+1 { y0 res=m+x x=n+1 m=Sum(0, n) n<y } { y0 res=Sum(0, x) x=n+1 n<y } // sum axiom { y0 res=Sum(0, x) xy } // cons{ y0 res=Sum(0, x) xy xy }{ y0 res=Sum(0, y) x=y }{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
50
Buggy sum program{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) } = { y0 res=m x=n m=Sum(0, n) } while (xy) do { y0 res=m x=n m=Sum(0, n) xy ny } x := x+1 { y0 res=m x=n+1 m=Sum(0, n) ny} res := res+x { y0 res=m+x x=n+1 m=Sum(0, n) ny} { y0 res-x=Sum(0, x-1) ny} { y0 res=Sum(0, x) }{ y0 res=Sum(0, x) x>y } {res = Sum(0, y) }
51
Handling data structures
52
Problems with Hoare logic and heaps
• { P[a/x] } x := a { P }• Consider the annotated program{ y=5 }y := 5;{ y=5 }x := &y;{ y=5 }*x := 7;{ y=5 }
• Is it correct?
The rule works on a syntactic level unaware of possible aliasing between different terms (y and *x in our case)
53
Problems with Hoare logic and heaps
• { P[a/x] } x := a { P }• {(x=&y z=5) (x&y y=5)}*x = z;{ y=5 }
• What should the precondition be?
54
Problems with Hoare logic and heaps
• { P[a/x] } x := a { P }• {(x=&y z=5) (x&y y=5)}*x = z;{ y=5 }
• We split into cases depending on possible aliasing
55
Problems with Hoare logic and heaps
• { P[a/x] } x := a { P }• {(x=&y z=5) (x&y y=5)}*x = z;{ y=5 }
• What should the precondition be?• Joseph M. Morris:
A General Axiom of Assignment• A different approach: heaps as arrays• Really successful approach for heaps is based on
Separation Logic
56
Axiomatizing data types
• We added a new type of variables – array variables– Model array variable as a function y : Z Z
• We need the two following axioms:
S ::= x := a | x := y[a] | y[a] := x | skip | S1; S2| if b then S1 else S2| while b do S
{ y[xa](x) = a }
{ zx y[xa](z) = y(z) }
57
Array update rules (wlp)
• Treat an array assignment y[a] := x as an update to the array function y– y := y[ax] meaning y’=v. v=a ? x : y(v)
S ::= x := a | x := y[a] | y[a] := x | skip | S1; S2| if b then S1 else S2| while b do S
[array-update] { P[y[ax]/y] } y[a] := x { P }
[array-load] { P[y(a)/x] } x := y[a] { P }
A very general approach – allows handling many data types
58
Array update rules (wlp) example• Treat an array assignment y[a] := x as an
update to the array function y– y := y[ax] meaning y’=v. v=a ? x : y(v)
[array-update] { P[y[ax]/y] } y[a] := x { P }{x=y[i7](i)} y[i]:=7 {x=y(i)}
{x=7} y[i]:=7 {x=y(i)}
[array-load] { P[y(a)/x] } x := y[a] { P }{y(a)=7} x:=y[a] {x=7}
59
Array update rules (sp)
[array-updateF] { x=v y=g a=b } y[a] := x { y=g[bv] }
[array-loadF] { y=g a=b } x := y[a] { x=g(b) }
In both rulesv, g, and b are fresh
60
Example of proving program with arrays
61
Array-max program – specify
nums : arrayN : int // N stands for num’s length { N0 nums=orig_nums } x := 0res := nums[0]while x < N if nums[x] > res then res := nums[x] x := x + 11. { x=N }2. { m. (m0 m<N) nums(m)res }3. { m. m0 m<N nums(m)=res }4. { nums=orig_nums }
62
Array-max program
nums : arrayN : int // N stands for num’s length { N0 nums=orig_nums } x := 0res := nums[0]while x < N if nums[x] > res then res := nums[x] x := x + 1Post1: { x=N }Post2: { nums=orig_nums }Post3: { m. 0m<N nums(m)res }Post4: { m. 0m<N nums(m)=res }
63
Proof strategy• Prove each goal 1, 2, 3, 4 separately and use
conjunction rule to prove them all• After proving
– {N0} C {x=N}– {nums=orig_nums} C {nums=orig_nums}
• We have proved– {N0 nums=orig_nums} C{x=N nums=orig_nums}
• We can refer to assertions from earlier proofs in writing new proofs
64
Array-max example: Post1
nums : arrayN : int // N stands for num’s length { N0 } x := 0{ N0 x=0 }res := nums[0]{ x=0 }Inv = { xN }while x < N { x=k k<N } if nums[x] > res then { x=k k<N } res := nums[x] { x=k k<N } { x=k k<N } x := x + 1 { x=k+1 k<N }{ xN xN }{ x=N }
65
Array-max example: Post2
nums : arrayN : int // N stands for num’s length { nums=orig_nums }x := 0{ nums=orig_nums }res := nums[0]{ nums=orig_nums }Inv = { nums=orig_nums }while x < N { nums=orig_nums x < N } if nums[x] > res then { nums=orig_nums } res := nums[x] { nums=orig_nums } { nums=orig_nums } x := x + 1 { nums=orig_nums }{ nums=orig_nums xN }{ nums=orig_nums }
66
Array-max example: Post3nums : array{ N0 0m<N } // N stands for num’s lengthx := 0{ x=0 }res := nums[0]{ x=0 res=nums(0) }Inv = { 0m<x nums(m)res }while x < N { x=k res=oRes 0m<k nums(m)oRes } if nums[x] > res then { nums(x)>oRes res=oRes x=k 0m<k nums(m)oRes } res := nums[x] { res=nums(x) nums(x)>oRes x=k 0m<k nums(m)oRes } { x=k 0mk nums(m)res } { (x=k 0mk nums(m)res) (oResnums(x) res=oRes x=k res=oRes 0m<k nums(m)oRes)} { x=k 0mk nums(m)res } x := x + 1 { x=k+1 0mk nums(m)res } { 0m<x nums(m)res }{ x=N 0m<x nums(m)res} [univp]{ m. 0m<N nums(m)res }
67
Proving termination
68
Total correctness semantics for While [ P[a/x] ] x := a [ P ][assp]
[ P ] skip [ P ][skipp]
[ P ] S1 [ Q ], [ Q ] S2 [ R ] [ P ] S1; S2 [ R ][compp]
[ b P ] S1 [ Q ], [ b P ] S2 [ Q ][ P ] if b then S1 else S2 [ Q ][ifp]
[ P’ ] S [ Q’ ] [ P ] S [ Q ][consp] if PP’ and Q’Q
[whilep][ P(z+1) ] S [ P(z) ]
[ z. P(z) ] while b do S [ P(0) ]P(z+1) bP(0) b
69
Total correctness semantics for While[ P[a/x] ] x := a [ P ][assp]
[ P ] skip [ P ][skipp]
[ P ] S1 [ Q ], [ Q ] S2 [ R ] [ P ] S1; S2 [ R ][compp]
[ b P ] S1 [ Q ], [ b P ] S2 [ Q ][ P ] if b then S1 else S2 [ Q ][ifp]
[ P’ ] S [ Q’ ] [ P ] S [ Q ][consp] if PP’ and Q’Q
[whilep][ b P t=k ] S [ P t<k ]
[ P ] while b do S [ b P ] P t0
Rank, orLoop variant
70
Proving termination
• There is a more general rule based on well-founded relations– Partial orders with no infinite strictly decreasing
chains• Exercise: write a rule that proves only that a
program S, started with precondition P terminates[ ] S [ ]
71
Proving termination
• There is a more general rule based on well-founded relations– Partial orders with no infinite strictly decreasing
chains• Exercise: write a rule that proves only that a
program S, started with precondition P terminates[ P ] S [ true ]
72
Array-max – specify terminationnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ ? ]while x < N if nums[x] > res then res := nums[x] x := x + 1[ ? ]
73
Array-max – specify terminationnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ N-x ]while x < N [ ? ] if nums[x] > res then res := nums[x] x := x + 1 [ ? ][ true ]
74
Array-max – prove loop variantnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ t=N-x ]while x < N [ x<N N-x=k N-x0 ] if nums[x] > res then res := nums[x] x := x + 1 // [ N-x<k N-x0 ][ true ]
75
Array-max – prove loop variantnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ t=N-x ]while x < N [ x=x0 x0<N N-x0=k N-x00 ] if nums[x] > res then res := nums[x] x := x + 1 // [ N-x<k N-x0 ][ true ]
Capture initial value of x, since it changes in the loop
76
Array-max – prove loop variantnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ t=N-x ]while x < N [ x=x0 x0<N N-x0=k N-x00 ] if nums[x] > res then res := nums[x] [ x=x0 x0<N N-x0=k N-x00 ] // Frame x := x + 1 // [ N-x<k N-x0 ][ true ]
77
Array-max – prove loop variantnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ t=N-x ]while x < N [ x=x0 x0<N N-x0=k N-x00 ] if nums[x] > res then res := nums[x] [ x=x0 x0<N N-x0=k N-x00 ] // Frame x := x + 1 [ x=x0+1 x0<N N-x0=k N-x00 ] // [ N-x<k N-x0 ][ true ]
78
Array-max – prove loop variantnums : arrayN : int // N stands for num’s length x := 0res := nums[0]Variant = [ t=N-x ]while x < N [ x=x0 x0<N N-x0=k N-x00 ] if nums[x] > res then res := nums[x] [ x=x0 x0<N N-x0=k N-x00 ] // Frame x := x + 1 [ x=x0+1 x0<N N-x0=k N-x00 ] [ N-x<k N-x0 ] // cons[ true ]
Zune calendar bugwhile (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; }
} else { days -= 365; year += 1; } }
79
Fixed codewhile (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } else { break; } } else { days -= 365; year += 1; } }
80
Fixed code – specify termination[ ? ]while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; }
else { break; } } else { days -= 365; year += 1; } }[ ? ]
81
Fixed code – specify variant[ true ]Variant = [ ? ]while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } else { break; } } else { days -= 365; year += 1; } [ ? ]}[ true ]
82
Fixed code – proving termination[ true ]Variant = [ t=days ]while (days > 365) { [ days>365 days=k days0 ] if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } else { break; [ false ] } } else { days -= 365; year += 1; } // [ days0 days<k ]}[ true ]
83
Let’s model break by a small cheat – assume execution never gets past it
Fixed code – proving termination[ true ]Variant = [ t=days ]while (days > 365) { [ days0 k=days days>365 ] -> [ days0 k=days days>365 ] if (IsLeapYear(year)) { [ k=days days>365 ] if (days > 366) { [ k=days days>365 days>366 ] -> [ k=days days>366 ] days -= 366; [ days=k-366 days>0 ] year += 1; [ days=k-366 days>0 ] } else {
[ k=days days>365 days366 ] break; [ false ] } [ (days=k-366 days>0) false ] -> [ days<k days>0 ] } else { [ k=days days>365 ] days -= 365; [ k-365=days days-365>365 ] -> [ k-365=days days0 ] -> [ days<k days0 ] year += 1; [ days<k days0 ] } [ days<k days0 ]}[ true ]
84
85
Challenge: proving non-termination
• Write a rule for proving that a program does not terminate when started with a precondition P
• Prove that the buggy Zune calendar program does not terminate
{ b P } S { b } { P } while b do S { false }[while-ntp]
86
conclusion
87
Extensions to axiomatic semantics
• Assertions for execution time– Exact time– Order of magnitude time
• Assertions for dynamic memory– Separation Logic
• Assertions for parallelism– Owicki-Gries– Concurrent Separation Logic– Rely-guarantee
88
Axiomatic verification conclusion
• Very powerful technique for reasoning about programs– Sound and complete
• Extendible• Static analysis can be used to automatically
synthesize assertions and loop invariants
Next lecture:static analysis