Formal Verification, Interactive Theorem Proving and Automated Reasoning
Automated Theorem Proving Lecture 1
34
Automated Theorem Proving Lecture 1
description
Automated Theorem Proving Lecture 1. Given program P and specification S, does P satisfy S?. Program verification is undecidable!. The model checking approach. Create a model of the program in a decidable formalism Verify the model algorithmically Difficulties - PowerPoint PPT Presentation
Transcript of Automated Theorem Proving Lecture 1
Automated Theorem Proving
Lecture 1
Program verification is undecidable!
Given program P and specification S, does P satisfy S?
The model checking approach
• Create a model of the program in a decidable formalism
• Verify the model algorithmically• Difficulties
– Model creation is burden on programmer– The model might be incorrect.
• If verification fails, is the problem in the model or the program?
The axiomatic approach
• Add auxiliary specifications to the program to decompose the verification task into a set of local verification tasks
• Verify each local verification problem• Difficulties
– Auxiliary spec is burden on programmer– Auxiliary spec might be incorrect.
• If verification fails, is the problem with the auxiliary specification or the program?
Theorem Proving and Software
Meets spec/Found Bug
Theorem in a logic
Program
Specification
Semantics
VCgeneration
Validity
Provability(theorem proving)
• Soundness:– If the theorem is valid then the program meets specification– If the theorem is provable then it is valid
Overview of the Next Few Lectures
• From programs to theorems– Verification condition generation
• From theorems to proofs– Theorem provers– Decision procedures
Programs ! Theorems = Axiomatic Semantics
• Consists of:– A language for making assertions about programs– Rules for establishing when assertions hold
• Typical assertions:– During the execution, only non-null pointers are
dereferenced – This program terminates with x = 0
• Partial vs. total correctness assertions– Safety vs. liveness properties– Usually focus on safety (partial correctness)
Hoare Triples
• Partial correctness: { A } s { B}– When you start s in any state that satisfies A – If the execution of s terminates– It does so in a state that satisfies B
• Total correctness: [ A ] s [ B ]– When you start s in any state that satisfies A– The execution of s terminates and– It does so in a state that satisfies B
• Defined inductively on the structure of statements
Hoare Rules
{A} s1 {C} {C} s2 {B}
{ A } s1; s2 {B}
{A Æ E} s1 {B} {A Æ :E} s2 {B}
{A} if E then s1 else s2 {B}
{I Æ E} s {I} I Æ : E ) B
{ I} while E do s {B}
Hoare Rules: Assignment
• Example: { A } x := x + 2 {x >= 5 }. What is A?• General rule:
• Surprising how simple the rule is !• The key is to compute “backwards” the
precondition from the postcondition• Forward rule is more complicated:
{ B[E/x] } x := E {B}
{ A } x := E {9 x’. A[x’/x] Æ x = E[x’/x] }
Weakest preconditions
Dijkstra’s idea: To verify that { A } s { B}
a) Let Pre(s, B) = {A’ | { A’} s { B} }
b) (Pre(s,B), )) is a lattice - false Pre(s,B) - if Pre(s,B) and Pre(s,B), then Pre(s,B) - if Pre(s,B) and Pre(s,B), then Pre(s,B)
c) WP(s, B) = lub(Pre(s, B))
d) Compute WP(s, B) and prove A WP(s, B)
Predicate lattice
false true)
strong weak Pre(s, B)
weakestprecondition: WP(s, B)A
Weakest preconditions
• WP(x := E, B) = B[E/x]
• WP(s1; s2, B) = WP(s1, WP(s2, B))
• WP(if E then s1 else s2, B) = E ) WP(s1, B) Æ : E ) WP(s2, B)
• WP(assert E, B) = E B
Example
returns crequires trueensures c = a bbool or(bool a, bool b) { if (a) c := true else c := b}
Conjecture to be proved:true (a true = a b) (a b = a b)
WP(S, c = a b) = (a true = a b) (a b = a b)
S
Weakest preconditions (Contd.)
• What about loops? • Define a family of weakest preconditions
– WPk(while E do S, B) = weakest precondition from which if the loop terminates in k or fewer iterations, then it terminates in B
WP0 = : E ) B
WPi+1 = WPi (E ) WP(s, WPi))
• WP(while E do S, B) = Æk ¸ 0 WPk = glb {WPk | k ¸ 0}– Hard to compute– Can we find something easier yet sufficient ?
Not quite weakest preconditions
• Recall what we are trying to do:false true)
strong weak Pre(s, B)
weakestprecondition: WP(s, B)A
verification condition: VC(s, B)
• We shall construct a verification condition: VC(s, B)– The loops are annotated with loop invariants !– VC is guaranteed stronger than WP– But hopefully still weaker than A: A ) VC(s, B) ) WP(s, B)
Verification condition generation
• Computed in a manner similar to WP• Except the rule for while: VC(whileI,T E do s, B) =
I Æ ( I ((E ) VC(s, I)) Æ (:E ) B)) )[T0/T]
• I is the loop invariant (provided by the programmer)
• T is the set of loop targets (can be approximated by scanning the loop body)
I holdson entry
I is preserved in an arbitrary iteration
B holds when the loop terminates
returns crequires b >= 0ensures c = a + bint add(int a, int b) { int t; t := b c := a invariant t 0 c = a + b - t while (t > 0) { c := c + 1 t := t - 1 }}
Example
Conjecture to be proved:b 0 VC(A, c = a + b)
VC(B, t 0 c = a + b - t) t - 1 0 c + 1 = a + b – (t – 1)
BL
A
VC(L, c = a + b) t 0 c = a + b – t (t 0 c = a + b – t t > 0 t - 1 0 c + 1 = a + b – (t - 1) t 0 c = a + b)[c0/c,t0/t]
VC(L, c = a + b) t 0 c = a + b – t (t0 0 c0 = a + b – t0 t0 > 0 t0 - 1 0 c0 + 1 = a + b – (t0 - 1) t0 0 c0 = a + b)
VC(A, c = a + b) b 0 a = a + b – b (t0 0 c0 = a + b – t0 t0 > 0 t0 - 1 0 c0 + 1 = a + b – (t0 - 1) t0 0 c0 = a + b)
Invariants Are Not Easy
• Consider the following code from QuickSortint partition(int *a, int L0, int H0, int pivot) {
int L = L0, H = H0;
while(L < H) { while(a[L] < pivot) L ++; while(a[H] > pivot) H --; if(L < H) { swap a[L] and a[H] }
L++; } return L}
• Consider verifying only memory safety• What is the loop invariant for the outer loop ?
Verification conditions (Contd.)
• What about procedure calls?– Annotate each procedure with a
precondition pre and a postcondition post
– VC(f(), B) = pre (post B)
Program verification
• Annotate each procedure with a precondition and a postcondition and each loop with an invariant
• Verify each procedure separately
requires preensures postf() { S;}
Verify that the formula VC(f) pre VC(S, post) is valid
Proving verification conditions
• What is the decision procedure for proving validity of VC(f)?
• Depends on the logic in which VC(f) is expressed
VC(f) pre VC(S, post)
VC(f) pre VC(S, post)
Verification condition logic
• Atoms connected by boolean operators , , ,
• Atoms depend on the program variables and operations on them
– boolean, integer, memory
• Atoms depend on the language of assertions, i.e., program assertions, loop invariants, preconditions and postconditions
– quantification, reachability predicate
Assume each assertion is a quantifier-free boolean combination of expressions over program variables.
• VC(f) is a boolean combination of atoms– Each atom is a relation over terms – Each term is built using functions and logical
constants
• Logical constants are different from program variables– program variables change over time– logical constants are fixed
• The logical constants in VC(f) refer to the values of program variables at the beginning of f.
Case I: Boolean programs
• Boolean-valued variables and boolean operations
Formula := A | | A Atom := bb SymBoolConst
Example
returns crequires trueensures c = a bbool or(bool a, bool b) { if (a) c := true else c := b}
Conjecture to be proved:true (a true = a b) (a b = a b)
VC(S, c = a b) = (a true = a b) (a b = a b)
S
Case II: Arithmetic programs
• In addition, integer-valued variables with affine operations
Formula := A | | A Atom := b | t = 0 | t < 0 | t 0 t Term := c | x | t + t | t – t | ctb SymBoolConst x SymIntConst c {…,-1,0,1,…}
returns crequires b >= 0ensures c = a + bint add(int a, int b) { int t; t := b c := a invariant t 0 c = a + b - t while (t > 0) { c := c + 1 t := t - 1 }}
Example
Conjecture to be proved:b 0 VC(A, c = a + b)
VC(B, t 0 c = a + b - t) t - 1 0 c + 1 = a + b – (t – 1)
BL
A
VC(L, c = a + b) t 0 c = a + b – t (t 0 c = a + b – t t > 0 t - 1 0 c + 1 = a + b – (t - 1) t 0 c = a + b)[c0/c,t0/t]
VC(L, c = a + b) t 0 c = a + b – t (t0 0 c0 = a + b – t0 t0 > 0 t0 - 1 0 c0 + 1 = a + b – (t0 - 1) t0 0 c0 = a + b)
VC(A, c = a + b) b 0 a = a + b – b (t0 0 c0 = a + b – t0 t0 > 0 t0 - 1 0 c0 + 1 = a + b – (t0 - 1) t0 0 c0 = a + b)
Case III: Memory programs
• In addition, a memory with read and write operations– an unbounded set of objects– a finite set of fields in each object– each field contains a boolean value, an integer
value, or a reference to an object• For each field f, two operations Select and
Update– Select(f,o) is the content of the memory at
object o and field f– Update(f,o,v) is a new memory obtained by
updating field f of object o to v
Memory axioms
for all objects o and o’, and memories m: o = o’ Select(Update(m,o,v),o’) = v o o’ Select(Update(m,o,v),o’) = Select(m,o’)
Modeling memory operations
Treat each field f as a map variable:a = b.f a = Select(f,b)a.f = b f = Update(f,a,b)
{ ? } a.f = 5 { a.f + b.f = 10 }
WP(a.f = 5, a.f + b.f = 10) WP(f = Update(f,a,5), Select(f,a) + Select(f,b) = 10) Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10
Simplify using memory axiom
Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10iff
5 + Select(Update(f,a,5),b) = 10iff
Select(Update(f,a,5),b) = 5iff
a = b 5 = 5 a b Select(f,b) = 5
iffa b Select(f,b) = 5
Formula := A | | A Atom := b | t = 0 | t < 0 | t 0 t Term := c | x | t + t | t – t | ct | Select(m,t)m MemTerm := f | Update(m,t,t)b SymBoolConst x SymIntConst c {…,-1,0,1,…}
Decision procedures
• Boolean programs– Propositional satisfiability
• Arithmetic programs– Propositional satisfiability modulo theory
of linear arithmetic
• Memory programs– Propositional satisfiability modulo theory
of linear arithmetic + arrays
