250 likes | 334 Views
Program Verification -- new recipe for old problem. Zhou Chaochen Institute of Software, CAS zcc@ios.ac.cn. Computer Science. Computing System – Millions of simple instructions Bio System – DNA (A,T,G,C) Manufacturing vs Evolving Fundamental Issues
E N D
Program Verification -- new recipe for old problem Zhou Chaochen Institute of Software, CAS zcc@ios.ac.cn
Computer Science • Computing System – Millions of simple instructions Bio System – DNA (A,T,G,C) Manufacturing vs Evolving • Fundamental Issues # Computability and Solvability # Algorithm Design and Analysis # Programming Methodology: Correctness, etc
Program Correctness • Test: Debug vs Prove • Verification: Proof and Model Checking • Transformation: Curry-Howard Isomorphism, Intuitionistic Logic, …
Assertion • Program Language – Artificial Language Assignment: x:=x-1 x:=e Loop: while x>0 do x:=x-1 while B do S Sequential Composition: S1;S2 …
Intrinsic Logic Assignment: P(e){x:=e}P(x) x-1>0{x:=x-1}x>0 P(e) – Pre-Condition P(x) – Post-Condition
Loop: If B&I{S}I then I{while B do S}I&~B Due to x>0&x>=0{x:=x-1}x>=0 hence x>=0 {while x>0 do x:=x-1} x>=0&~(x>0) I.e. x>=0{while}x=0 I – Invariant
Sequential Composition: If P{S1}Q1, Q1=>Q2 and Q2{S2}Q, then P{S1;S2}Q … Pre, Post, Inv -- Assertion
Program Verification • Partial Correctness x>=0 {FAC} y=x! If FAC terminates, then … Safety • Total Correctness Termination plus Partial Correctness Liveness (deadlock free, livelock free,…)
Floyd Assertion & Hoare Logic • Robert Floyd: 1978 Turing Award Laureate. 1967 Assigning Meanings to Program. Inductive Assertion Method: Pre- and Post-Assertion • Tony Hoare: 1980 Turing Award Laureate. 1969 An Axiomatic Basis for Computer Programming. Hoare Logic: Pre- and Post-Condition, Invariant
Assertion at Microsoft • Microsoft Office: 250k assertions (ASSERT macro) • Test: Dump instead of Crash (over half effort) • Simplifying Assumption: for the next version (Overflow,…) • Compile Time Check (Size,…) etc • Microsoft Windows: over 1000 different assertion macros • Bill Gates: Trustworthy Computing
Verifying Compiler • A compiler which verifies correctness of program: a major challenge of Computer Science in 21 Century • Include assertions into programming languages (Eiffel, JML,…) • Improve program analysis tools in Industry (PREfix,…) Joint contributions from different mechanised proof technologies: a vast project unprecedented in Computer Science Academy • Legacy and Open Source Movement • IFIP workshop in 2005: Hoare and Misra, Shankar (He Jifeng, Zhang Jian,…) et al
Software Model Checking • Given infinite value domain program is an infinite state system • Finite State Machine: BDD, CTL, 10^(100), … • Real Time System: Infinite State Machine
Infinite State Model Checking • Reduction to Finite State System: Regional Graph (?) • Reduction to Linear Programming, Integer and Mixed Programming, (Zhou, Zhang, Yang and Kesten, Pnueli, Sifakis, Yovine)… Real Algebra (Tarski, Wu, Zhang, Yang, …) • Relation between the above two?
Reduction to Linear Programming • Timed Automaton f (>=30) G B r (<=1) Over any interval greater or equal to 60 Bad states occupy no more than 20% of the interval
A timed behaviour (f,t1),(r,t2),(f,t3) t1>=30, 0<=t2<=1,t3>=30 • Linear Programming Problem Constraints t1>=30, 0<=t2<=1, t3>=30 and t1+t2+t3>=60 Objective function 20*t2-(t1+t2+t3) • Reduce infinite many behaviour to finite many
Program Termination • Ashish Tiwari, SRI (CAV 2004, LNCS 3114) • Undecidable in general • Linear Program while (B*x>b) do x:=A*x+c A,B – real matrices, x,b,c – real vectors • The termination problem for linear program is decidable
P: while c*x>0 do x:=A*x • Intuition If v is an eigenvector of A with positive eigenvalue e, then A*v=e*v by definition, and A^n*v=e^n*v c*e^n*v=e^n*c*v So c*e^n*v has the same sign of c*v, as e>0 • P is not terminating with input x=v, where c*v>0
Theorem: If P is not terminating then there exists a real eigenvector v of A, corresponding to positive eigenvalue, such that c*v>=0 Proof: If nonterminating, NT is not empty NT={x:c*A^i*x>0, i=0,1,…} Let NT’=NT+Boundary. NT’ is closed under A Applying Brouwer’s fixed point theorem there exists eigenvector v of A in NT’.
Change into c*v>0 • Add more conditions to have necessary and sufficient conclusion • Generalise to general linear program
Termination – Matrix Eigenvalue Stability – Matrix Eigenvalue • Termination characterization of linear programs is more complex than stability characterization for both continuous- and discrete-time linear systems
As told by Yang Good to use off-line symbolic computation (Yang has developed a very powerful symbolic computation tools, called Bottema and Discoverer, for real algebra, including a complete discrimination system) • The deciding condition becomes 10^4 terms (of Dixon resultant) for 4-dimension, dozens for 3, and several for 2
Invariant Generation • Abstract Interpretation (P. Cousot and R. Cousot POPL77): symbolic execution until a fixed point is reached • Linear Invariants for Linear Programs (Colon, Shankaranarayanan, Sipma CAV03): assume a linear invariant, and solve constraints (maybe nonlinear) on the coefficients of the linear invariant
Reachability • Lafferriere, Pappas and Yovine (JSC 11,2001) • dX/dt = AX+Bu X,B – vectors, A – matrix, u – vector (control input) • X = F(x,u,t) x – vector (initial value of X)
Reachability: state y is reachable from state x, if there exists u and t such that y=F(x,u,t) • Reduced to real algebraic formula (under certain conditions) • Quantifier elimination tools: REDLOG, QEPCAD • An example of the paper impossible to resolve by REDLOG and QEPCAD alone can be done by Yang’s tools easily (as told by Yang)
Interdisciplinary Joint Effort • Decidability for real algebra is most fundamental result with respect to real numbers • Program verification is employing more mathematics, in particular real algebra • Strong in mechanical proving: Wu, Zhang, Yang,… Beautiful tools • Control theory much more mature than CS • We need your support and you can help us