180 likes | 266 Views
CSE 3341.03 Winter 2008 Introduction to Program Verification. symbolic execution continued. well-behaved expression assumption. Exercise 7.9 if (count > 2) flag = adjust(total - 1); else flag = adjust(total - 1); post-condition? how does it depend on the well-behaved expression assumption?.
E N D
CSE 3341.03 Winter 2008Introduction to Program Verification symbolic execution continued
well-behaved expression assumption • Exercise 7.9 if (count > 2) flag = adjust(total - 1); else flag = adjust(total - 1); post-condition? how does it depend on the well-behaved expression assumption?
exception raising • use a specification variable to "fill in" a partial function: example: x = 1/n; post-condition: n ≠ 0 implies x = 1/n ?? leaves case n = 0 unspecified better: have n = 0 raise an exception; post-condition: n ≠ 0 and x = 1/n or exceptionRaised Note: specification variable converts a test (run-time) into part of a general assertion
programs as "propositional transformers" • start with a proposition (perhaps “true”) • ‘execute’ a code segment • calculate a resulting proposition symbolic execution maintains a description of the state of computation at each step
assignment statements • if a variable is assigned a new value, we may need its initial value: x = x - y //{x = 'old x' - y} • parallel assignment (corrected from Ch. 8, p. 21:) x1, x2, . . , xk = e1, e2, . . , ek ; means replace xjby old xi in each ek and assign xi = ei , for each xi
parallel assignment • motivation for parallel assignment: x=1 and y=x is the same logically as y=x and x=1 but not if = is sequential assignment • scripting languages with parallel assignment: Python, Perl, Ruby, Windows PowerShell, OCaml and JavaScript (since 1.7) (source: Wikipedia)
symbex • symbex symbolically executes a code fragment containing assignment and conditional statements • handles assignment operators: x += y; • allows A[X] in the assigned expression • gets changed to array(A, X) • why? • doesn't handle parallel assignments
symbex assertions • pre-condition: //{ . . . } . . . • assertion or post-condition: . . . //{ . . . } . . . • current state: //{ false } . .
exercise 8.4 • //{ not b implies v = e } if (b) //{ (not b implies v=e)and b } v = e ; // assert: v=e // -- assertion is verified. //{ (not b implies v=e)and not b or (not b implies old v=e)and v=e and b } • compare post-condition for each case • what does "assuming everything is well-behaved” mean in this specific case?
stronger and weaker • P is stronger (as a condition) than Q if P implies Q and (P xor Q) • P is weaker than Q if Q is stronger than P • simple refinement weakens the pre-condition, strengthens the post-condition • why is this desirable?
strongest • Suppose P is the strongest proposition such that P implies Q • what is P's relation to Q? If R is stronger than (or =) Q, then P is stronger than R, (or = R) i. e., (R implies Q) implies (P implies R)
what does symbex compute? strongest post-condition resulting from executing the code, given the pre-condition • what if P is false? strongest possible proposition, but can't be a (descriptive) post-condition !
symbex in detail • symbex processes a code segment; • interprets its input (up to an end-of-file (^D)) as a sequence of assignment and conditional statements annotated with comments in the form //{ term } • maintains a table of computational states described in terms of the code’s variables • initial value is given by a pre-condition or described as ‘old V’
states and relations • description is complicated by having two parts: • states of variables = "trace table" • values don't involve code variables • current values are substituted for variables • relations among variables
relations and values • relations are either pre-conditions or created by conditional statements: • if(x>0) {y=2; x = 2*x;} • pre-condition to the {} is x > 0 after "y=2;" we have x > 0 and y=2 • now x changes: new description is • 'old x'> 0 and y = 2 and x =2*'old x' what's the post-condition calculated for the if? • x <= 0 or 'old x'> 0 and y = 2 and x =2*'old x'
symbex vs. Java assertions • often we are only interested in some of the variables; insert assertions to verify the (partial) state • difference between these assertions and assertions in Java (version 1.4 and after): • the assertions in Java test the code executing on a specific set of values • assertions in symbex are asserted to be true for all values in the domains of the functions and relations
executing conditionals • p. 26: if ( i != 4 || i != 5) x =no; else x = yes; //{ x = no} • where did //{not i=5 or not i=4} come from? • why is the post-condition verified?