Spring 2015
Program Analysis and Verification
Lecture 4: Axiomatic Semantics I
Roman Manevich
Ben-Gurion University
Agenda
• Basic concepts of correctness
• Axiomatic semantics (pages 175-183)
– Hoare Logic
– Properties of the semantics
– Weakest precondition
2
Tentative syllabus
Semantics
Static
Analysis
Abstract
Interpretation
fundamentals
Analysis
Techniques
Crafting your
own
Natural
Semantics
Automating
Hoare Logic
Lattices
Numerical
Domains
Soot
Structural
semantics
Control Flow
Graphs
Fixed-Points
Alias analysis
From proofs
to abstractions
Axiomatic
Verification
Equation
Systems
Chaotic
Iteration
Interprocedural
Analysis
Systematically
developing
transformers
Collecting
Semantics
Galois
Connections
Shape
Analysis
Domain
constructors
CEGAR
Widening/
Narrowing
3
program correctness
4
Program correctness concepts
• Property = a certain relationship between initial
state and final state
Main focus of
this course
• Partial correctness = properties that hold
if program terminates
• Termination = program always terminates
– i.e., for every input state
partial correctness + termination = total correctness
Other correctness concepts exist:
liveness, resource usage, …
5
Factorial example
Sfac
y := 1; while (x=1) do (y := y*x; x := x–1)
• Factorial partial correctness property =
if the statement terminates then the final
value of y will be the factorial of the initial
value of x
– What if  x < 0?
• Formally, using natural semantics: …?
Sfac ,  ’ implies ’ y = ( x)!
6
Verifying factorial
with natural semantics
7
Natural semantics for While
[assns]
[skipns]
x := a,   [x
Aa]
skip,  
S1,  ’, S2, ’ ’’
[compns]
S1; S2,  ’’
[ifttns]
S1,  ’
if b then S1 else S2, 
[ifffns]
S2,  ’
if b then S1 else S2, 
’
if B b  = tt
’
[whileffns]
while b do S,   
[whilettns]
S,   ’, while b do S, ’
while b do S,  ’’
if B b  = ff
if B b  = ff
’’ if B b  = tt
8
Staged proof
9
Stages
sy
s
sy
(s x)! = s’’ y
s
(s’’ x)!
(s x)! = s’’ y
sx>0
y := y*x; x := x–1
s’’x = 1
s’’
sx>0
while (x=1) do (y := y*x; x := x–1)
s’ y = (s x)!
s
(s’’ x)!
s’’
sx>0
y := 1; while (x=1) do (y := y*x; x := x–1)
s’
10
Inductive proof over iterations
sy
(s x)! =
s’ y
(s’ x)!
sx>0
s (y := y*x; x := x–1) s’
s’ while (x=1) do (y := y*x; x := x–1) s’’
s’ y
s
s’’x = 1
s’ x > 0
while (x=1) do (y := y*x; x := x–1)
s’’
sy
(s x)! = s’’ y
(s’ x)! = s’’ y
(s’’ x)!
s’’x = 1
(s’’ x)!
sx>0
11
First stage
12
Second stage
13
while (x=1) do (y := y*x; x := x–1), s
s’
14
Third stage
15
How easy was that?
• Proof is very laborious
– Need to connect all transitions and argue about
relationships between their states
– Reason: too closely connected to semantics of
programming language
• Proof is long
– Makes it hard to find possible mistakes
• How did we know to find this proof?
– Is there a methodology?
16
I’ll use
operational
semantics
Can you
prove my
program
correct?
Better use
axiomatic
verification
17
One of the oldest surviving fragments of
Euclid's Elements, a textbook used for millennia
to teach proof-writing techniques. The diagram
accompanies Book II, Proposition 5
"P. Oxy. I 29" by Euclid - http://www.math.ubc.ca/~cass/Euclid/papyrus/tha.jpg. Licensed under Public Domain via Wikimedia Commons http://commons.wikimedia.org/wiki/File:P._Oxy._I_29.jpg#/media/File:P._Oxy._I_29.jpg
18
A systematic approach
to program verification
19
Axiomatic verification approach
• What do we need in order to prove that the
program does what it supposed to do?
• Specify the required behavior: express properties
• Compare the behavior with the one obtained by the
operational semantics
• Develop a proof system for showing that the program
satisfies a requirement
• Mechanically use the proof system to show correctness
20
Axiomatic semantics contributors
Robert Floyd
1967: use assertions
as foundation for static
correctness proofs
C.A.R. Hoare
1969: use Floyd’s ideas
to define axiomatic
semantics
“An axiomatic basis for
computer programming”
Edsger W. Dijkstra
Predicate transformer
semantics: weakest
precondition and
strongest postcondition
21
Assertions, a.k.a Hoare triples
{P}C{Q}
precondition
statement
a.k.a command
postcondition
• P and Q are state predicates expressed as logical formulas
– Example: x>0
• If P holds in the initial state, and
if execution of C terminates on that state,
then Q will hold in the state in which C halts
• C is not required to always terminate
{true} while true do skip {false}
22
Total correctness assertions
[P]C[Q]
• If P holds in the initial state,
execution of C must terminate on that state,
and Q will hold in the state in which C halts
23
Specifying correctness
of factorial
24
Factorial example:
specify precondition/postcondition
{?}
y := 1; while (x=1) do (y := y*x; x := x–1)
{?}
25
First attempt
We need a way to
“remember” value of
x before execution
{ x>0 }
y := 1; while (x=1) do (y := y*x; x := x–1)
{ y=x! }
Holds only for value of x at
state after execution finishes
26
Fixed assertion
A logical variable, must not
appear in statement - immutable
{ x=n }
y := 1; while (x=1) do (y := y*x; x := x–1)
{ y=n!
n>0 }
27
The proof outline
{ n!*(n+1) = (n+1)! }
Background
axiom
{ x=n }
y := 1;
{ x>0
y*x!=n!
n x }
while (x=1) do
{ x-1>0
(y*x)*(x-1)!=n!
n (x-1)
}
y := y*x;
{ x-1>0
y*(x-1)!=n!
n (x-1) }
x := x–1
{ y*x!=n!
n>0
x=1 }
28
Formalizing partial
correctness via hoare logic
29
States and predicates
•
– program states (State)
– undefined
• A state predicate P
is a (possibly infinite)
set of states
•  P
P

– P holds in state 
30
FO Logic reminder
• We write A B if for all states 
if  A then  B
– { |  A } { |  B }
– For every predicate A: false
• We write A
– false
B if A
A
B and B
true
A
5=7
• In writing Hoare-style proofs, we will often
replace a predicate A with A’ such that A A’
and A’ is “simpler”
31
Formalizing Hoare triples
Sns C 
=
’
if C, 
else
Q
’
P

C(P)
C
’
• {P}C{Q}
. ( P C,  ’)
alternatively
– Convention:
P for all P

.  P Sns C  Q
–
, ’
’
Q
Why did we choose
natural semantics?
32
Formalizing Hoare triples
Ssos C 
=
’
if C,  * ’
else
Q
P

C(P)
C
’
• {P}C{Q}
. ( P C,  *’)
alternatively
– Convention:
P for all P

.  P Ssos C  Q
–
, ’
’
Q
33
How do we express predicates?
• Extensional approach
– Abstract mathematical functions
P : State {tt, ff}
• Intensional approach
– via language of formulae
34
An assertion language
• Bexp is not expressive enough to express
predicates needed for many proofs
– Extend Bexp
• Allow quantification
– z. …
– z. …
• z. z = kn
• Import well known mathematical concepts
– n!  n  (n-1)   2  1
35
An assertion language
Either a program variables
or a logical variable
a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
A ::= true | false
| a1 = a2 | a1 a2 | A | A1 A2 | A1
| A1 A2 | z. A | z. A
A2
36
Some
FO logic
definitions
before we get
to the rules
37
Free/bound variables
• A variable is said to be bound in a formula
when it occurs in the scope of a quantifier
Otherwise it is said to be free
– i. k=im
– (i+10077)i. j+1=i+3)
• FV(A)  the free variables of A
• Defined inductively on the abstract syntax tree
of A
38
Computing free variables
FV(n) {}
FV(x) {x}
FV(a1+a2) FV(a1 a2) FV(a1-a2) FV(a1)
FV(a2)
FV(true) FV(false) {}
FV(a1=a2) FV(a1 a2) FV(a1) FV(a2)
FV( A) FV(A)
FV(A1 A2) FV(A1 A2) FV(A1 A2)
FV(a1) FV(a2)
FV( z. A)
FV( z. A)
FV(A) \ {z}
39
Substitution
• An expression t is pure (a term) if it does not
contain quantifiers
• A[t/z] denotes the assertion A’ which is the
same as A, except that all instances of the free
variable z are replaced by t
• A i. k=i m
A[5/k] = …?
A[5/i] = …?
40
Calculating substitutions
n[t/z] = n
x[t/z] = x
x[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z]
(a1 a2)[t/z] = a1[t/z] a2[t/z]
(a1 - a2)[t/z] = a1[t/z] - a2[t/z]
41
Calculating substitutions
true[t/x] = true
false[t/x] = false
(a1 = a2)[t/z] = a1[t/z] = a2[t/z]
(a1 a2)[t/z]
= a1[t/z] a2[t/z]
( A)[t/z] = (A[t/z])
(A1 A2)[t/z]
= A1[t/z] A2[t/z]
(A1 A2)[t/z]
= A1[t/z] A2[t/z]
(A1 A2)[t/z]
= A1[t/z] A2[t/z]
(
(
(
(
z. A)[t/z] = z. A
z. A)[t/y] = z. A[t/y]
z. A)[t/z] = z. A
z. A)[t/y] = z. A[t/y]
42
six are
completely
enough
and now…
the rules
43
Axiomatic semantics for While
[assp] { P[a/x] } x := a { P }
Notice similarity
to natural
semantics rules
[skipp] { P } skip { P }
{ P } S1 { Q }, { Q } S2 { R }
[compp]
{ P } S1; S2 { R }
{b
P } S1 { Q }, { b P } S2 { Q
}
[ifp]
{ P } if b then S1 else S2 { Q }
What’s different
about this rule?
[whilep]
[consp]
{b P}S{P}
{ P } while b do S { b
{ P’ } S { Q’ }
{P}S{Q}
P}
if P P’ and Q’ Q
44
Assignment rule
[assp]
{ P[a/x] } x := a { P }
• A “backwards” rule
• x := a always finishes
• Why is this true?
[x Aa]
P
– Recall operational semantics:
[assns]
x:= a, 
[x Aa]
• Exercises: {?} x:=y*z {x<9}
{?} x:=x+1 {x>8}
{?} x:=y*z {w=5}
45
skip rule
[skipp] { P } skip { P }
[skipns] skip, 

46
Composition rule
{ P } S1 { Q }, { Q } S2 { R }
[compp]
{ P } S1; S2 { R }
S1,  ’, S2, ’ ’’
[compns]
S1; S2,  ’’
• Holds when S1 terminates in every state where P
holds and then Q holds
and S2 terminates in every state where Q holds
and then R holds
47
Condition rule
{ b P } S1 { Q }, { b P } S2 { Q }
[ifp]
{ P } if b then S1 else S2 { Q }
[ifttns]
S1,  ’
if b then S1 else S2, 
[ifffns]
S2,  ’
if b then S1 else S2, 
’
’
if B
if B
b  = tt
b  = ff
48
Loop rule
{b P}S{P}
[whilep] { P } while b do S { b
}
[whileffns]
while b do S,   
[whilettns]
S,   ’, while b do S, ’
while b do S,  ’’
if B
’’ if B
P
b  = ff
b  = tt
• Here P is called an invariant for the loop
– Holds before and after each loop iteration
– Finding loop invariants – most challenging part of proofs
• When loop finishes, b is false
49
Rule of consequence
{ P’ } S { Q’ }
[consp]
{P}S{Q}
if P P’ and Q’ Q
• Allows strengthening the precondition and
weakening the postcondition
• The only rule that is not related to a statement
50
Rule of consequence
{ P’ } S { Q’ }
[consp]
{P}S{Q}
if P P’ and Q’ Q
• Why do we need it?
• Allows the following
{y*z<9} x:=y*z {x<9}
{y*z<9 w=5} x:=y*z {x<9}
51
Next lecture:
axiomatic semantics II