
ECI 2007: Specification and Verification of Object-Oriented Programs


Presentation Transcript


  1. ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 7

  2. Theory of lists
  • $\varphi \in \mathrm{Formula} := A \mid \neg\varphi \mid \varphi \wedge \varphi$
  • $A \in \mathrm{Atom} := t = t \mid t \neq t$
  • $t \in \mathrm{Term} := c \mid car(t) \mid cdr(t) \mid cons(t,t)$
  • $c \in \mathrm{SymConst}$
  • Axioms:
  • $\forall x,y.\ car(cons(x,y)) = x$
  • $\forall x,y.\ cdr(cons(x,y)) = y$
  • Extend congruence closure to deal with these axioms

  3. Car axiom, cdr axiom
  $x = cons(u,v) \wedge cons(car(x), cdr(x)) \neq x$
  [E-graph figure: nodes cons, cons, cdr, car, u, v, x]
  • Car axiom: $\forall x,y.\ car(cons(x,y)) = x$
  • Cdr axiom: $\forall x,y.\ cdr(cons(x,y)) = y$
  Here the terms $car(x)$ and $cdr(x)$ are in the e-graph and $x$ is in the class of $cons(u,v)$, so the axioms give $car(x) = u$ and $cdr(x) = v$; congruence then merges $cons(car(x), cdr(x))$ with $cons(u,v)$, i.e. with $x$, contradicting the disequality. This case is handled.

  4. $cons(u,v) = cons(x,y) \wedge u \neq x$
  [E-graph figure: nodes cons, cons, u, v, x, y]
  • Car axiom: $\forall x,y.\ car(cons(x,y)) = x$
  • Cdr axiom: $\forall x,y.\ cdr(cons(x,y)) = y$
  Suppose $cons(x,y) = cons(u,v) = n$. Then $car(n) = x$ and $car(n) = u$, which contradicts $u \neq x$. But no $car$ term occurs in the e-graph, so nothing triggers the axiom and no conflict is found. Hence, our current algorithm is incomplete.

  5. Problem: There are not enough terms in the e-graph.
  Solution: Whenever the term $cons(u,v)$ exists in the e-graph, add the term $car(cons(u,v))$ to the e-graph.
  $cons(u,v) = cons(x,y) \wedge u \neq x$
  [E-graph figure: nodes car, car, cons, cons, u, v, x, y]
  Now $car(cons(u,v)) = u$ and $car(cons(x,y)) = x$ by the car axiom, and the two $car$ terms are congruent because their arguments are equal, so $u = x$: conflict.

  6. $cons(u,v) = cons(x,y) \wedge v \neq y$
  [E-graph figure: nodes cons, cons, u, v, x, y]
  Problem: There are not enough terms in the e-graph.
  Solution: Whenever the term $cons(u,v)$ exists in the e-graph, add the term $cdr(cons(u,v))$ to the e-graph.

  7. Algorithm
  1. Add terms to the e-graph as follows: if $cons(u,v)$ exists, add $car(cons(u,v))$ and $cdr(cons(u,v))$.
  2. Close the graph under congruence and the car and cdr axioms.
  3. If there is a disequality $t_1 \neq t_2$ and an equivalence class containing both $t_1$ and $t_2$, return unsatisfiable.
  4. Otherwise, return satisfiable.

  8. Completeness
  Definition: Suppose $t \in G$. Then $EC(t)$ is the equivalence class containing $t$.
  Definition: Suppose $\alpha$ and $\beta$ are equivalence classes of $G$.
  • $car(\alpha) \in G$ iff $\exists u \in \alpha$ s.t. $car(u)$ is a term in $G$.
  • $cdr(\alpha) \in G$ iff $\exists u \in \alpha$ s.t. $cdr(u)$ is a term in $G$.
  • $cons(\alpha,\beta) \in G$ iff $\exists u \in \alpha, v \in \beta$ s.t. $cons(u,v)$ is a term in $G$.
  An e-graph $G$ defines a partial interpretation $I$ over the set $U$ of equivalence classes of $G$:
  $I(c) = EC(c)$
  For $f \in \{cons, car, cdr\}$: $I(f)(\bar\alpha) = EC(f(\bar u))$ for $\bar u \in \bar\alpha$, if $f(\bar\alpha) \in G$; $I(f)(\bar\alpha)$ is undefined otherwise.
  (This is well defined: after congruence closure all terms $f(\bar u)$ with $\bar u \in \bar\alpha$ lie in the same equivalence class.)

  9. $G_0$ = the e-graph at the termination of the algorithm.
  $G_{i+1}$ is obtained from $G_i$ by adding terms as follows:
  Case I: If there are equivalence classes $\alpha, \beta$ of $G_i$ such that $cons(\alpha,\beta) \notin G_i$, pick $u \in \alpha$, $v \in \beta$ and add the term $cons(u,v)$ as a new class, together with $car(cons(u,v))$ placed in $\alpha$ and $cdr(cons(u,v))$ placed in $\beta$, so that the car and cdr axioms still hold.
  [E-graph figure: nodes car, cdr, cons, u, v]

  10. Case II: If there is an equivalence class $\alpha$ of $G_i$ such that $car(\alpha) \notin G_i$, pick $u \in \alpha$ and add the term $car(u)$ as a new class. (No $cons$ term lies in $\alpha$, otherwise $car(\alpha)$ would already be in $G_i$ by step 1 or by Case I, so the new class contradicts neither axiom.)
  [E-graph figure: nodes car, car, car, car, cdr, u]
  Likewise, if there is an equivalence class $\alpha$ of $G_i$ such that $cdr(\alpha) \notin G_i$, pick $u \in \alpha$ and add the term $cdr(u)$ as a new class.
  [E-graph figure: nodes cdr, cdr, cdr, car, cdr, u]

  11. Model
  Suppose $I_k$ is the partial interpretation corresponding to the e-graph $G_k$. Then $I_{k+1}$ extends $I_k$ for all $k \geq 0$. The model is given by the infinite union $\bigcup_{k \geq 0} I_k$: every function is total in it, the car and cdr axioms hold by construction, and it agrees with $I_0$ on the original terms, so every equality of the input holds and, since no disequality was violated in $G_0$, so does every disequality.

  12. Theory of arrays
  • $\varphi \in \mathrm{Formula} := A \mid \neg\varphi \mid \varphi \wedge \varphi$
  • $A \in \mathrm{Atom} := t = t \mid t \neq t \mid m = m \mid m \neq m$
  • $t \in \mathrm{Term} := c \mid Select(m,t)$
  • $m \in \mathrm{MemTerm} := f \mid Update(m,t,t)$
  • $c \in \mathrm{SymConst}$
  Axioms, for all objects $o$ and $o'$, and memories $m$:
  • $o = o' \Rightarrow Select(Update(m,o,v),o') = v$
  • $o \neq o' \Rightarrow Select(Update(m,o,v),o') = Select(m,o')$
  Extend congruence closure with these axioms.

  13. $b = Update(a,i,v) \wedge Select(b,i) = u \wedge u \neq v$
  [E-graph figure: nodes Select, Update, u, b, a, i, v]
  The term $Select(b,i)$ is in the e-graph and $b$ is in the class of $Update(a,i,v)$, so the first axiom (with $o = o' = i$) gives $Select(b,i) = v$, hence $u = v$, contradicting $u \neq v$. This case is handled.

  14. $b = Update(a,i,e) \wedge b = Update(a',i,e') \wedge e \neq e'$
  [E-graph figure: nodes Update, b, Update, a, a', i, e, e']
  $Select(b,i) = e$ and $Select(b,i) = e'$, which contradicts $e \neq e'$. But the term $Select(b,i)$ does not occur in the e-graph, so the axioms never fire. Hence, the algorithm is incomplete.

  15. Select Rule 1: whenever $Update(a,i,e)$ is in the e-graph, add the term $Select(Update(a,i,e),i)$ and the equality $Select(Update(a,i,e),i) = e$.
  [E-graph figure: nodes Select, Update, a, i, e]

  16. $b = Update(a,i,e) \wedge b = Update(a',i,e') \wedge e \neq e'$, after Rule 1
  [E-graph figure: nodes Select, Update, b, Update, a, a', i, e, e']
  Rule 1 adds $Select(Update(a,i,e),i) = e$ and $Select(Update(a',i,e'),i) = e'$; the two $Select$ terms are congruent since both memories are in the class of $b$, so $e = e'$: conflict.

  17. $x = Select(Update(a,i,e),j) \wedge i \neq j \wedge y = Select(Update(a,i',e'),j) \wedge i' \neq j \wedge x \neq y$
  [E-graph figure: nodes x, Select, Select, y, Update, Update, a, i, e, i', e', j]
  Since $i \neq j$ and $i' \neq j$, the second axiom gives $x = Select(a,j) = y$, contradicting $x \neq y$. But $Select(a,j)$ is not in the e-graph, so the algorithm with Rule 1 alone finds no conflict.

  18. Select Rule 2: whenever $Select(Update(a,i,e),j)$ is in the e-graph and $i \neq j$, add the term $Select(a,j)$ and the equality $Select(Update(a,i,e),j) = Select(a,j)$.
  [E-graph figure: nodes Select, Select, Update, j, a, i, e]

  19. $x = Select(Update(a,i,e),j) \wedge i \neq j \wedge y = Select(Update(a,i',e'),j) \wedge i' \neq j \wedge x \neq y$, after Rule 2
  [E-graph figure: nodes Select, x, Select, Select, y, Update, Update, a, i, e, i', e', j]
  Rule 2 adds $Select(a,j)$ and equates both $x$ and $y$ with it, so $x = y$: conflict.

  20. $Update(a,i,e) = Update(a',i',e') \wedge Select(a,j) \neq Select(a',j) \wedge i \neq j \wedge i' \neq j$
  [E-graph figure: nodes Select, Select, Update, Update, a, i, e, a', i', e', j]
  Suppose $Update(a,i,e) = Update(a',i',e') = n$.
  $Select(n,j) = Select(a,j)$ since $i \neq j$
  $Select(n,j) = Select(a',j)$ since $i' \neq j$
  Hence, we get a contradiction. But $Select(n,j)$ is not in the e-graph, and neither Rule 1 nor Rule 2 produces it.

  21. Select Rule 3: whenever $Update(a,i,e)$ and $Select(a,j)$ are in the e-graph and $i \neq j$, add the term $Select(Update(a,i,e),j)$ and the equality $Select(Update(a,i,e),j) = Select(a,j)$.
  [E-graph figure: nodes Select, Select, Update, j, a, i, e]

  22. $Update(a,i,e) = Update(a',i',e') \wedge Select(a,j) \neq Select(a',j) \wedge i \neq j \wedge i' \neq j$, after Rule 3
  [E-graph figure: nodes Select, Select, Select, Update, Update, a, i, e, a', i', e', j]
  Rule 3 adds $Select(Update(a,i,e),j) = Select(a,j)$ and $Select(Update(a',i',e'),j) = Select(a',j)$; the two new $Select$ terms are congruent because the $Update$ terms are equal, so $Select(a,j) = Select(a',j)$: conflict.

  23. Algorithm
  • Construct e-graph $G$ for the initial set of constraints.
  • For each $Update(a,b,c) \in G$, add to $G$ (Rule 1):
    - the term $Select(Update(a,b,c),b)$
    - the constraint $Select(Update(a,b,c),b) = c$
  • Maintain e-graph $G$ and set of disequalities $D$.
  • Iterate:
    - Generate a case split.
    - Add new terms, equalities, and disequalities to satisfy Rules 2 and 3.
    - If satisfiable, return; else backtrack.

  24. Case split (Rule 2): state $(G, D)$ with $Select(Update(a,i,v),j) \in G$ and indices $i, j$ not yet known equal or disequal.
  Case I: $(G \cup \{i = j\},\ D)$
  Case II: $(G \cup \{Select(a,j)\} \cup \{Select(Update(a,i,v),j) = Select(a,j)\},\ D \cup \{i \neq j\})$
  In Case I no term is added: congruence with the Rule 1 term $Select(Update(a,i,v),i) = v$ already forces $Select(Update(a,i,v),j) = v$.

  25. Case split (Rule 3): state $(G, D)$ with $Update(a,i,v) \in G$, $Select(a,j) \in G$ and indices $i, j$ not yet known equal or disequal.
  Case I: $(G \cup \{i = j\},\ D)$
  Case II: $(G \cup \{Select(Update(a,i,v),j)\} \cup \{Select(Update(a,i,v),j) = Select(a,j)\},\ D \cup \{i \neq j\})$
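Both procedures of this lecture, the list algorithm of slide 7 and the array algorithm with case splits of slides 23 to 25, can be run on the slide formulas. The following is an added example written for this page, not code from the lecture: the term encoding (constants as strings, compound terms as tuples), the class and function names, and the naive quadratic fixpoint used for congruence closure are my own choices, chosen for readability rather than for the efficiency of a real congruence-closure implementation.

```python
"""Added example, not the lecture's code: congruence closure on an e-graph, extended
with the car/cdr axioms (theory of lists, slide 7) and with the Select/Update rules and
case splits (theory of arrays, slides 23-25). Term encoding and helper names are mine."""
import copy
from itertools import product
# A constant is a str; a compound term is a tuple (symbol, arg, ...), e.g.
# ('cons', 'u', 'v') or ('Select', ('Update', 'a', 'i', 'v'), 'j').
def fn(t):   return t[0] if isinstance(t, tuple) else None
def args(t): return t[1:] if isinstance(t, tuple) else ()

class EGraph:                                # term set, union-find over terms (the classes), and D
    def __init__(self):
        self.terms, self.parent, self.diseqs = set(), {}, set()

    def add(self, t):                        # add t and its subterms; True if t was new
        if t in self.terms: return False
        self.terms.add(t); self.parent[t] = t
        for a in args(t): self.add(a)
        return True

    def find(self, t):
        while self.parent[t] != t: t = self.parent[t]
        return t

    def union(self, s, t):                   # True if two distinct classes were merged
        rs, rt = self.find(s), self.find(t)
        if rs != rt: self.parent[rs] = rt
        return rs != rt

    def equal(self, s, t): return self.find(s) == self.find(t)
    def disequal(self, s, t):                # is s != t forced by a pair in D, modulo the classes?
        return any({self.find(p), self.find(q)} == {self.find(s), self.find(t)} for p, q in self.diseqs)

    def conflict(self):                      # step 3: some t1 != t2 in D has both sides in one class
        return any(self.equal(p, q) for p, q in self.diseqs)

    def close(self):
        """Step 2: close under congruence and the theory axioms (naive fixpoint)."""
        changed = True
        while changed:
            changed, ts = False, list(self.terms)
            for s, t in product(ts, ts):     # congruence: equal arguments => equal terms
                if fn(s) and fn(s) == fn(t) and len(args(s)) == len(args(t)) \
                        and all(self.equal(a, b) for a, b in zip(args(s), args(t))):
                    changed |= self.union(s, t)
            for t, c in product(ts, ts):     # car(cons(x,y)) = x and cdr(cons(x,y)) = y
                if fn(t) in ('car', 'cdr') and fn(c) == 'cons' and self.equal(args(t)[0], c):
                    changed |= self.union(t, args(c)[0 if fn(t) == 'car' else 1])
            for sel, upd in product(ts, ts): # read-over-write axioms, as used by Rules 2 and 3
                if fn(sel) != 'Select' or fn(upd) != 'Update': continue
                (m, j), (a, i, v) = args(sel), args(upd)
                if self.equal(m, upd) and self.equal(i, j):        # o = o': the written value
                    changed |= self.union(sel, v)
                elif self.equal(m, upd) and self.disequal(i, j):   # o != o': read a at j (Rule 2)
                    changed |= self.add(('Select', a, j)) | self.union(sel, ('Select', a, j))
                if self.equal(m, a) and self.disequal(i, j):       # Select(a,j) beside Update(a,i,v) (Rule 3)
                    changed |= self.add(('Select', upd, j)) | self.union(('Select', upd, j), sel)

def _load(eqs, diseqs):                      # initial e-graph from pairs (s = t) and (s != t)
    g = EGraph()
    for s, t in eqs: g.add(s); g.add(t); g.union(s, t)
    for s, t in diseqs: g.add(s); g.add(t); g.diseqs.add((s, t))
    return g

def lists_sat(eqs, diseqs, add_projections=True):
    """Slide 7. add_projections=False skips step 1 and reproduces the gap shown on slide 4."""
    g = _load(eqs, diseqs)
    if add_projections:                      # step 1: car and cdr of every cons term
        for t in list(g.terms):
            if fn(t) == 'cons': g.add(('car', t)); g.add(('cdr', t))
    g.close()                                # step 2
    return not g.conflict()                  # steps 3 and 4

def _pending_split(g):                       # an index pair (i, j) decided neither way yet
    for sel, upd in product(g.terms, g.terms):
        if fn(sel) == 'Select' and fn(upd) == 'Update':
            (m, j), (a, i, _) = args(sel), args(upd)
            if (g.equal(m, upd) or g.equal(m, a)) and not g.equal(i, j) and not g.disequal(i, j):
                return i, j
    return None

def _search(g):                              # slides 24 and 25: case split, backtrack on conflict
    g.close()
    if g.conflict(): return False
    split = _pending_split(g)
    if split is None: return True
    case1 = copy.deepcopy(g); case1.union(*split)        # Case I:  (G u {i = j}, D)
    case2 = copy.deepcopy(g); case2.diseqs.add(split)    # Case II: (G, D u {i != j}); close() adds Select(a,j)
    return _search(case1) or _search(case2)

def arrays_sat(eqs, diseqs):
    """Slides 23-25: Rule 1 for every Update term, then case splits with backtracking."""
    g = _load(eqs, diseqs)
    for t in list(g.terms):
        if fn(t) == 'Update':                # Rule 1: Select(Update(a,i,e), i) = e
            g.add(('Select', t, t[2])); g.union(('Select', t, t[2]), t[3])
    return _search(g)
```

lists_sat and arrays_sat take the conjunction as two lists of pairs, the equalities and the disequalities. lists_sat(..., add_projections=False) leaves out step 1 and reports the formula of slide 4 satisfiable, which is exactly the gap slides 5 and 6 close; with step 1 it reports it unsatisfiable. arrays_sat refutes the formulas of slides 13, 14, 17 and 20, and on Select(Update(a,i,v),j) != Select(a,j) it answers satisfiable only through Case I of the split. Because close() applies the two read-over-write axioms directly, the terms and equalities that slides 24 and 25 list under Case II are produced by re-closing after i != j has joined D rather than by a separate step.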

  26. Completeness: similar to the theory of lists.
