1 / 103

Noam Rinetzky Lecture 5: Aximatic Semantics

Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 5: Aximatic Semantics. Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav. Good manners. Mobiles. Home Work Assignment #1.

naomi
Download Presentation

Noam Rinetzky Lecture 5: Aximatic Semantics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Analysis and Verification 0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 5: Aximatic Semantics Slides credit: Roman Manevich, MoolySagiv, EranYahav

  2. Good manners • Mobiles

  3. Home Work Assignment #1 In the following, we refer to the “Semantics with Application” book as “the book”. The book can be found here: http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html. Solve Ex 2.8 and 2.18 in the book. In the previous question, you were asked to extend the While language with a new construct (a for loop). Extend the proof of theorem 2.26 in the book (semantic equivalence) to handle for commands. Solve Ex 2.34 in the book. Read Section 2.5 in the book and solve Ex 2.45. Prove or disprove: The denotational semantics of any statement in the While language shown in the lectures is a monotone and continuous function. Define a denotational semantics for the the While language extended with the random command. (The extension is described in Question 3) .

  4. DenotationalSematnics Added examples Equivalences of operational and denotational semantics Complete lattices Tarski-Kantor Fixed-point theorem

  5. Axiomatic Semantics Robert Floyd Edsger W. Dijkstra C.A.R. Hoare

  6. Proving program correctness • Why prove correctness? • What is correctness? • How? • Reasoning at the operational semantics level • Tedious • Error prone • Formal reasoning using “axiomatic” semantics • Syntactic technique (“game of tokens”) • Mechanically checkable • Sometimes automatically derivable

  7. A simple imperative language: While Abstract syntax: a ::= n | x | a1+a2 | a1a2 | a1–a2 b ::=true|false|a1=a2|a1a2|b|b1b2 S::=x:=a | skip | S1;S2| ifbthenS1elseS2 | whilebdoS

  8. Program correctness concepts Other notions of properties exist Mostly focus in this course partial correctness + termination = total correctness Other correctness concepts exist: resource usage, linearizability, … • Property = a certain relationship between initial state and final state • Partial correctness = properties that holdif program terminates • Termination = program always terminates • i.e., for every input state

  9. Factorial example Sfacy := 1; while (x=1) do (y := y*x; x := x–1) • Factorial partial correctness property = • if the statement terminates then the final value of y will be the factorial of the initial value of x • What if s x < 0? • Formally, using natural semantics:Sfac, s  s’ implies s’ y = (sx)!

  10. Natural semantics for While x:= a, ss[x Aas] [assns] skip, ss [skipns] S1, ss’, S2, s’s’’S1; S2, ss’’ [compns] S2, ss’ if bthenS1elseS2, ss’ S, s s’, while bdoS, s’s’’while bdoS, ss’’ S1, ss’ if bthenS1elseS2, ss’ while bdoS, s  s • if B b s = tt • if B b s = ff • if B b s = ff • if B b s = tt [whilettns] [ifttns] [whileffns] [ifffns]

  11. Staged proof

  12. First stage

  13. Second stage

  14. while (x=1) do (y := y*x; x := x–1),s  s’

  15. Third stage

  16. How easy was that? • Proof is very laborious • Need to connect all transitions and argues about relationships between their states • Reason: too closely connected to semantics of programming language • Is the proof correct? • How did we know to find this proof? • Is there a methodology?

  17. Axiomatic verification approach • Specify the required behavior • Compare the behavior with the one obtained by the operational semantics • Develop a proof system for showing that the program satisfies a requirement • Mechanically use the proof system to show correctness • The meaning of a program is a set of verification rules • What do we need in order to prove that the program does what it supposed to do?

  18. Assertions, a.k.aHoare triples { P } C { Q } statementa.k.a command precondition postcondition • P and Q are state predicates • Example: x>0 • IfP holds in the initial state, andif execution of C terminates on that state,thenQ will hold in the state in which C halts • C is not required to always terminate {true} while true do skip {false}

  19. Total correctness assertions [ P ] C [ Q ] IfP holds in the initial state,execution of Cmust terminate on that state,andQ will hold in the state in which C halts

  20. Factorial example { ? }y := 1; while (x=1) do (y := y*x; x := x–1){ ? }

  21. First attempt We need a way to “remember” value of x before execution { x>0 }y := 1; while (x=1) do (y := y*x; x := x–1){ y=x! } Holds only for value of x at state after execution finishes

  22. Fixed assertion A logical variable, must not appear in statement - immutable { x=n }y := 1; while (x=1) do (y := y*x; x := x–1){ y=n! n>0 }

  23. The proof outline { x=n }y := 1;{ x>0  y*x!=n!  nx} while (x=1) do{ x-1>0  (y*x)*(x-1)!=n!  n(x-1) } y := y*x;{ x-1>0  y*(x-1)!=n!  n(x-1) } x := x–1{ y*x!=n!  n>0  x=1}

  24. Factorial example Sfacy := 1; while (x=1) do (y := y*x; x := x–1) • Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x • What if s x < 0? • Formally, using natural semantics:Sfac, s  s’ implies s’ y = (sx)!

  25. Staged proof

  26. Stages s y  (s x)! = s’’ y  (s’’ x)!  s x > 0 s s’’ y := y*x; x := x–1 s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0 s s’’ while (x=1) do (y := y*x; x := x–1) s’ y = (s x)!  s x > 0 s s’ y := 1; while (x=1) do (y := y*x; x := x–1)

  27. Inductive proof over iterations s y  (s x)! = s’ y  (s’ x)!  s x > 0 s s’ (y := y*x; x := x–1) s’ s’’ while (x=1) do (y := y*x; x := x–1) s’ y  (s’ x)! = s’’ y  (s’’ x)!  s’’x = 1  s’ x > 0 s s’’ while (x=1) do (y := y*x; x := x–1) s y  (s x)! = s’’ y  (s’’ x)!  s’’x = 1  s x > 0

  28. Assertions, a.k.aHoare triples { P } C { Q } • P and Q are state predicates • Example: x>0 • IfP holds in the initial state, andif execution of C terminates on that state,thenQ will hold in the state in which C halts • C is not required to always terminate {true} while true do skip {false}

  29. Total correctness assertions [ P ] C [ Q ] IfP holds in the initial state,execution of Cmust terminate on that state,andQ will hold in the state in which C halts

  30. Factorial assertion A logical variable, must not appear in statement - immutable { x=n }y := 1; while (x=1) do (y := y*x; x := x–1){ y=n! n>0 }

  31. Factorial partial correctness proof { x=n }y := 1;{ x>0  y*x!=n!  nx} while (x=1) do{ x-1>0  (y*x)*(x-1)!=n!  n(x-1) } y := y*x;{ x-1>0  y*(x-1)!=n!  n(x-1) } x := x–1{ y*x!=n!  n>0  x=1}

  32. Formalizing partial correctness  P s s’ if C, s s’ else SnsC s = • s P • P holds in state s •  – program states – undefined

  33. Formalizing partial correctness Q P C(P) s C s’ Why did we choose natural semantics? • s P • P holds in state s •  – program states – undefined • { P } C { Q } • s, s’  . (sP  C, ss’)  s’Qalternatively • s . (sP  SnsC s)  SnsC Q • Convention:  P for all Ps . sP  SnsC s Q

  34. Formalizing partial correctness Q P C(P) s C s’ • s P • P holds in state s •  – program states – undefined • { P } C { Q } • s, s’  . (sP  C, s*s’)  s’Qalternatively • s . (sP  SsosC s)  SsosC Q • Convention:  P for all Ps . sP  SsosC s Q

  35. How do we express predicates? • Extensional approach • Abstract mathematical functionsP : State T • Intensional approach • Via language of formulae

  36. An assertion language • Bexp is not expressive enough to express predicates needed for many proofs • Extend Bexp • Allow quantifications • z. … • z. … • z. z = kn • Import well known mathematical concepts • n! n  (n-1)   2  1

  37. An assertion language Either a program variables or a logical variable a ::= n | x | a1+a2 | a1a2 | a1–a2 A ::=true|false|a1=a2|a1a2|A|A1A2 |A1A2|A1A2 |z. A| z.A

  38. First Order Logic Reminder

  39. Free/bound variables • A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free • i. k=im • (i+10077)i. j+1=i+3) • FV(A)  the free variables of A • Defined inductively on the abstract syntax tree of A

  40. Free variables FV(n)  {}FV(x)  {x}FV(a1+a2) FV(a1a2) FV(a1-a2) FV(a1)  FV(a2) FV(true) FV(false) {}FV(a1=a2) FV(a1a2) FV(a1)  FV(a2)FV(A) FV(A)FV(A1A2) FV(A1A2) FV(A1 A2)FV(z. A) FV(z. A) FV(A) \ {z}

  41. Substitution What if t is not pure? • An expression t is pure (a term) if it does not contain quantifiers • A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t • A i. k=imA[5/k] = A[5/i] =

  42. Calculating substitutions n[t/z] =nx[t/z] =xx[t/x] =t(a1+ a2)[t/z] = a1[t/z] + a2[t/z](a1 a2)[t/z] = a1[t/z]  a2[t/z](a1- a2)[t/z] = a1[t/z] - a2[t/z]

  43. Calculating substitutions true[t/x] = truefalse[t/x] = false(a1= a2)[t/z] = a1[t/z] = a2[t/z] (a1a2)[t/z] = a1[t/z] a2[t/z] (A)[t/z] = (A[t/z])(A1 A2)[t/z] = A1[t/z]  A2[t/z](A1 A2)[t/z] = A1[t/z]  A2[t/z] (A1A2)[t/z] = A1[t/z] A2[t/z] (z. A)[t/z] = z. A(z. A)[t/y] = z. A[t/y]( z. A)[t/z] =  z. A( z. A)[t/y] =  z. A[t/y]

  44. Proof Rules

  45. Axiomatic semantics for While { P[a/x] } x:= a { P } [assp] [skipp] { P } skip { P } { P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R } Notice similarity to natural semantics rules [compp] { b P} S1 { Q}, { b P} S2 { Q} { P} if bthenS1elseS2 { Q} { b P } S { P } { P } while bdoS {b P } { P’ } S { Q’ } { P } S { Q } [ifp] [whilep] [consp] if PP’ and Q’Q

  46. Assignment rule { P[a/x] } x:= a { P } [assp] x:= a, ss[xAas] [assns] s[xAas] P • A “backwards” rule • x := a always finishes • Why is this true? • Recall operational semantics: • Example: {y*z<9} x:=y*z {x<9}What about {y*z<9w=5} x:=y*z {w=5}?

  47. skip rule skip, ss [skipns] { P } skip { P } [skipp]

  48. Composition rule { P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R } S1, ss’, S2, s’s’’S1; S2, ss’’ [compns] [compp] Holds when S1 terminates in every state where P holds and then Q holdsand S2 terminates in every state where Q holds and then R holds

  49. Condition rule { b P} S1 { Q}, { b P} S2 { Q} { P} if bthenS1elseS2 { Q} S1, ss’ if bthenS1elseS2, ss’ S2, ss’ if bthenS1elseS2, ss’ [ifp] • if B b s = tt • if B b s = ff [ifttns] [ifffns]

  50. Loop rule { b P } S { P } { P } while bdoS {b P } S, s s’, while bdoS, s’s’’while bdoS, ss’’ while bdoS, s  s • if B b s = ff • if B b s = tt [whilettns] [whilep] [whileffns] • Here P is called an invariant for the loop • Holds before and after each loop iteration • Finding loop invariants – most challenging part of proofs • When loop finishes, b is false

More Related