Programs: Semantics and Verification • Mordechai Ben-Ari, Mathematical Logic for Computer Science
Table of Contents • Introduction • Semantics of programming language • Weakest precondition • The deductive system HL • Program verification • Total correctness • Program synthesis • References
Introduction • The syntax of a programming language is specified using formal systems such as BNF, but its semantics is usually specified only informally • Example: • The formal BNF syntax of an if-statement • if-statement ::= if expression then statement [else statement] • But its semantics is described informally: • The boolean expression is evaluated. If it is true, the statement following then is executed; otherwise the statement following else is executed. • If the semantics is defined only informally, there is no formal way of determining the validity or correctness of a program.
Semantics of programming languages (1/8) • A statement in a programming language is considered to be a function that transforms the state of the computation. • If the variables (x, y) = (8, 7) in a state s, then the result of executing the statement x := 2*y+1 is the state s′ in which (x, y) = (15, 7) • Definition 1. • Let U be the set of all n-tuples of values over some domain, and let U′ ⊆ U. P_U′(x1, …, xn), the characteristic predicate of U′, is defined so that U′ = { (x1, …, xn) ∈ U | P_U′(x1, …, xn) }
Semantics of programming languages (2/8) • Example of Definition 1 • Let U be the set of 2-tuples over Z and let U′ ⊆ U be the 2-tuples listed in the following table:
… (-2,-3), (-2,-2), (-2,-1), (-2,0), (-2,1), (-2,2), (-2,3)
… (-1,-3), (-1,-2), (-1,-1), (-1,0), (-1,1), (-1,2), (-1,3)
… (0,-3), (0,-2), (0,-1), (0,0), (0,1), (0,2), (0,3)
… (1,-3), (1,-2), (1,-1), (1,0), (1,1), (1,2), (1,3)
…
• The characteristic predicate of U′ is (x1 = x1) ∧ (x2 ≤ 3)
Semantics of programming languages (3/8) • Definition 2. • An assertion is a triple {p} S {q}, where S is a program, and p and q are formulas in the predicate calculus called the precondition and postcondition, respectively. • An assertion is true, denoted ⊨ {p} S {q}, iff: if S is started in a state satisfying p and this computation of S terminates, then the computation terminates in a state satisfying q. • If ⊨ {p} S {q}, then S is said to be partially correct with respect to p and q • Assertions are also called Hoare triples • Example • ⊨ { y ≤ 3 } x := 2*y+1 { (x ≤ 7) ∧ (y ≤ 3) }
Semantics of programming languages (4/8) • Weakest preconditions • Definition 3. • A formula A is weaker than formula B if B → A. Given a set of formulas {A1, A2, …, An}, Ai is the weakest formula in the set if Aj → Ai for all j. • Definition 4. • For a program S and formula q, wp(S, q), the weakest precondition of S and q, is the weakest formula p such that ⊨ {p} S {q} • Example • y ≤ 3 is weaker than y = 1 ∨ y = 3 • wp(x := 2*y+1, (x ≤ 7) ∧ (y ≤ 3)) = y ≤ 3
Semantics of programming languages (5/8) • Lemma 5. • ⊨ {p} S {q} if and only if ⊨ p → wp(S, q) • Definition 6. • wp(x := t, p(x)) = p(x){x ← t} • Example • wp(y := y-1, y ≥ 0) = (y-1 ≥ 0) = (y ≥ 1) • Definition 7. • wp(S1; S2, q) = wp(S1, wp(S2, q))
Semantics of programming languages (6/8) • Examples of Definition 7 • wp(x := x+1; y := y+2, x < y) = wp(x := x+1, wp(y := y+2, x < y)) = wp(x := x+1, x < y+2) = x+1 < y+2 ≡ x < y+1 • wp(x := x+a; y := y-1, x = (b-y)·a) = wp(x := x+a, wp(y := y-1, x = (b-y)·a)) = wp(x := x+a, x = (b-y+1)·a) = x+a = (b-y+1)·a ≡ x = (b-y)·a
Semantics of programming languages (7/8) • Definition 8. • A predicate I is an invariant of S iff wp(S, I) = I • Definition 9. • if-statement • wp(if B then S1 else S2, q) = (B → wp(S1, q)) ∧ (¬B → wp(S2, q)) • Definition 10. • while-statement • wp(while B do S, q) = (¬B → q) ∧ (B → wp(S; while B do S, q))
Semantics of programming languages (8/8) • If-statement • wp(if y=0 then x := 0 else x := y+1, x=y) = (y=0 → wp(x := 0, x=y)) ∧ (y≠0 → wp(x := y+1, x=y)) ≡ ((y=0) → (y=0)) ∧ ((y≠0) → (y+1 = y)) ≡ true ∧ ((y≠0) → false) ≡ ¬(y≠0) ≡ y = 0 • While-statement • You will see many examples of this later.
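As an added example (not from the slides or Ben-Ari's book), the following Python computes weakest preconditions for Definitions 6, 7 and 9 by substitution on the parse tree of the postcondition, and checks the slides' simplifications by brute-force evaluation over small integer states. Predicates are written in Python syntax (`and`, `not`, `==`); `ast.unparse` assumes Python 3.9 or later.

```python
"""Weakest preconditions by substitution: assignment, sequence and if-statement."""
import ast
import itertools


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of the variable `name` by the expression tree `repl`."""
    def __init__(self, name, repl):
        self.name, self.repl = name, repl

    def visit_Name(self, node):
        return self.repl if node.id == self.name else node


def wp_assign(var, term, post):
    """Definition 6: wp(var := term, post) = post{var <- term}. Substituting on the
    parse tree keeps precedence: y -> y-1 in (b-y)*a yields (b-(y-1))*a, not b-y-1*a."""
    tree = ast.parse(post, mode="eval")
    repl = ast.parse(term, mode="eval").body
    return ast.unparse(_Subst(var, repl).visit(tree))


def wp_seq(assignments, post):
    """Definition 7: wp(S1; S2, q) = wp(S1, wp(S2, q)), so the last statement is handled first."""
    for var, term in reversed(assignments):
        post = wp_assign(var, term, post)
    return post


def wp_if(cond, then_branch, else_branch, post):
    """Definition 9: wp(if B then S1 else S2, q) = (B -> wp(S1,q)) and (not B -> wp(S2,q)),
    where an implication B -> C is spelled out as (not B) or C."""
    return (f"((not ({cond})) or ({wp_seq(then_branch, post)})) and "
            f"(({cond}) or ({wp_seq(else_branch, post)}))")


def equivalent(p, q, names, lo=-6, hi=6):
    """Decide p <-> q by evaluating both on every state that assigns the named
    integer variables values in [lo, hi] (a finite check, not a symbolic proof)."""
    for vals in itertools.product(range(lo, hi + 1), repeat=len(names)):
        state = dict(zip(names, vals))
        if bool(eval(p, {}, state)) != bool(eval(q, {}, state)):
            return False
    return True
```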
The deductive system HL (1/4) • A deductive system HL (Hoare Logic) whose formulas are assertions can be used to prove properties of programs • Definition 11. • Domain axioms • Every true formula over the domain(s) of the program variables • Assignment axiom • ⊢ {p(x){x ← t}} x := t {p(x)} • Composition rule
The deductive system HL (2/4) • Alternative rule • Loop rule • Consequence rule
The deductive system HL (3/4) • Loop rule • The formula p is called an invariant: it describes the behavior of an execution of the statement S in the while statement • To prove ⊢ {p0} while B do S {q} • We need to find an invariant p • We need to show that p0 → p is true • We need to show that (p ∧ ¬B) → q is true • The most difficult part in proving programs is to find appropriate invariants
The deductive system HL (4/4) • Example of loop rule • while x > 0 do x := x - 1 • x = 5 is too strong to be an invariant of the above while statement • x ≥ 0 is an invariant • x ≥ 0 ∧ x > 0 implies x ≥ 0 after executing the loop body • the loop terminates if x ≥ 0 ∧ ¬(x > 0) is true
Program verification (1/3) • Use HL to prove the partial correctness of the program below • Let the formula x = (b-y)·a be the invariant • {p ∧ y ≠ 0} x := x+a; y := y-1 {p}, where p is x = (b-y)·a • The postcondition of the loop can be written p ∧ (y = 0), so we can deduce x = a·b
{true} x := 0;
{x = 0} y := b;
{x = 0 ∧ y = b}
while y <> 0 do
  { x = (b-y)·a }
  begin x := x + a; y := y-1 end;
{ x = a·b }
Program verification (2/3) • Total correctness • We have proved only partial correctness • If the initial value of b is negative, the program will not terminate • We need to strengthen the precondition • b ≥ 0 • Strengthening the precondition will obviously not invalidate the proof of partial correctness, since a stronger precondition simply selects a subset of the set of states for which the computation is correct • All we still need to prove is that the program terminates
Program verification (3/3) • To show termination, we search for a numeric function whose value decreases with every execution of the loop body, and whose value has an invariant lower bound. • The loop must eventually terminate because there cannot be an infinite decreasing sequence that stays above the lower bound. • Since y is decreasing and yet bounded from below by y ≥ 0, the loop must terminate and the program is totally correct.
{ x = (b-y)·a ∧ y ≥ 0 ∧ y ≠ 0 }
begin x := x + a; y := y-1 end;
{ x = (b-y)·a ∧ y ≥ 0 }
Program synthesis (1/3) • The most difficult part in proving programs is to find invariants • How to find invariants? • Solution • Delete part of the postcondition • We demonstrate the method by developing two different programs for finding the integer square root of a non-negative integer: • { 0 ≤ a } S { 0 ≤ x² ≤ a < (x+1)² }
Program synthesis (2/3) • Solution • The postcondition of the while statement is p ∧ ¬B(x, a), so B(x, a) is (x+1)² ≤ a
{ 0 ≤ a }
x := ? ;
while B(x, a) do
  { 0 ≤ x² ≤ a }
  x := ? ;
{ 0 ≤ x² ≤ a < (x+1)² }
• The loop must terminate, so x is incremented in every iteration
Program synthesis (3/3) • Solution • We must check the loop invariant: { p ∧ B } S { p } • { 0 ≤ x² ≤ a ∧ (x+1)² ≤ a } x := x+1 { 0 ≤ x² ≤ a }
{ 0 ≤ a }
x := ? ;
while B(x, a) do
  { 0 ≤ x² ≤ a }
  x := ? ;
{ 0 ≤ x² ≤ a < (x+1)² }
• Filling in the statements:
{ 0 ≤ a }
x := 0 ;
while (x+1)² ≤ a do
  { 0 ≤ x² ≤ a }
  x := x + 1 ;
{ 0 ≤ x² ≤ a < (x+1)² }
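As an added example (not from the slides or Ben-Ari's book), the following Python checks the proof obligations of the verification and synthesis slides at run time instead of symbolically: the loop-rule obligation {p ∧ B} S {p} and the termination argument (a variant that decreases on every iteration and never drops below its bound). It runs the multiplication program with invariant x = (b-y)·a ∧ y ≥ 0 and variant y, and the synthesized integer square root with invariant 0 ≤ x² ≤ a; the variant a - x for the square root is my own choice, since the slides give none.

```python
"""Run-time check of a loop's invariant (loop rule) and variant (termination)."""


def check_loop(state, guard, body, invariant, variant=None, bound=0, max_iter=10_000):
    """Execute `while guard do body` on the mutable `state`, checking on every iteration that
    the invariant holds and that the variant strictly decreases but never falls below `bound`.
    Returns (final_state, iterations); raises AssertionError when an obligation is violated."""
    assert invariant(state), f"invariant fails on entry: {state}"
    n = 0
    while guard(state):
        if variant is not None:
            before = variant(state)
            assert before >= bound, f"variant {before} below bound {bound} in {state}"
        body(state)
        n += 1
        assert invariant(state), f"invariant fails after iteration {n}: {state}"  # {p and B} S {p}
        if variant is not None:
            assert variant(state) < before, f"variant did not decrease in iteration {n}"
        assert n <= max_iter, "loop did not terminate within the iteration budget"
    return state, n


def multiply(a, b):
    """The slides' program: x := 0; y := b; while y <> 0 do begin x := x+a; y := y-1 end."""
    state = {"a": a, "b": b, "x": 0, "y": b}
    final, _ = check_loop(
        state,
        guard=lambda s: s["y"] != 0,
        body=lambda s: s.update(x=s["x"] + s["a"], y=s["y"] - 1),
        invariant=lambda s: s["x"] == (s["b"] - s["y"]) * s["a"] and s["y"] >= 0,
        variant=lambda s: s["y"], bound=0)
    return final["x"]


def isqrt(a):
    """The synthesized program: x := 0; while (x+1)^2 <= a do x := x+1."""
    state = {"a": a, "x": 0}
    final, _ = check_loop(
        state,
        guard=lambda s: (s["x"] + 1) ** 2 <= s["a"],
        body=lambda s: s.update(x=s["x"] + 1),
        invariant=lambda s: 0 <= s["x"] ** 2 <= s["a"],
        variant=lambda s: s["a"] - s["x"], bound=0)  # variant chosen here, not on the slides
    return final["x"]


def multiply_checked(a, b):
    """Return (result, None), or (None, message) when an obligation is violated at run time."""
    try:
        return multiply(a, b), None
    except AssertionError as err:
        return None, str(err)
```

With a negative b the strengthened precondition b ≥ 0 of the verification slides is exactly what fails: the invariant's conjunct y ≥ 0 is violated on entry and the checker reports it instead of looping forever.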
References • Mordechai Ben-Ari, Mathematical Logic for Computer Science • Michael Huth and Mark Ryan, Logic in Computer Science