Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence...
Transcript of Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence...
![Page 1: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/1.jpg)
Computer Science and Artificial Intelligence Laboratory
MIT
Oct 28, 2015
October 28, 2015
Verifying Programs with Arrays
1
![Page 2: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/2.jpg)
Recap: Weakest Preconditions
o Weakest predicate P such that ⊨ 𝑃 𝑐 {𝐴} - P weaker than Q iff 𝑄 ⇒ 𝑃
P = 𝑤𝑝𝑐(𝑐, 𝐴) Command Predicate
P
Q
2
![Page 3: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/3.jpg)
Recap: Weakest Precondition
o While-loop is tricky
- Let W = 𝑤𝑝𝑐 𝑤ℎ𝑖𝑙𝑒 𝑒 𝑑𝑜 𝑐, 𝐵
- then,
W = 𝑒 ⇒ 𝑤𝑝𝑐 𝑐,𝑊 ∧ ¬𝑒 ⇒ 𝐵
3
![Page 4: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/4.jpg)
Recap: Verification Condition
o Stronger than the weakest precondition
o Can be computed by using an invariant
o 𝑉𝐶 𝑤ℎ𝑖𝑙𝑒𝐼 𝑒 𝑑𝑜 𝑐, 𝐵 = 𝐼 ∧ ∀𝑥1, … 𝑥𝑛 𝐼 ⇒ 𝑒 ⇒ 𝑉𝐶 𝑐, 𝐼 ∧ ¬𝑒 ⇒ 𝐵
- Where x_i are variables modified in c.
4
![Page 5: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/5.jpg)
The problem with arrays
{true} a[k]=1; a[j]=2; x=a[k]+a[j]; {x=3}
{true} a[k]=1; a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
Now what?
Can we use the standard rule for assignment?
𝑤𝑝𝑐(𝑥:= 𝑒, 𝐶) = 𝐶[𝑥 → 𝑒]
5
![Page 6: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/6.jpg)
The problem with arrays
{true} a[k]=1; a[j]=2; x=a[k]+a[j]; {x=3}
{true} a[k]=1; a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
{true} {1+2=3} a[k]=1; {a[k]+2=3} a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
What if k=j?
6
![Page 7: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/7.jpg)
Theory of arrays
o Let a be an array
o 𝑎{𝑖 → 𝑒} is a new array whose ith entry has value e
- 𝑎 𝑖 → 𝑒 𝑘 = 𝑎 𝑘 𝑖𝑓 𝑘 ≠ 𝑖 𝑒 𝑖𝑓 𝑘 = 𝑖
o A formula involving TOA can be expanded into a set of
implications.
- Ex. Assume Zero is the zeroed out array
- 𝑍𝑒𝑟𝑜 𝑖 → 5 𝑗 → 7 𝑘 = 5 ⟺ …
7
![Page 8: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/8.jpg)
Assignment rule with theory of arrays
⊢ 𝑃 𝑎 → 𝑎 𝑖 → 𝑒 𝑎 𝑖 = 𝑒 {𝑃}
{true} a[k]=1; a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
{true} {a{k->1}{j->2}[k]+a{k->1}{j->2}[j]=3} a[k]=1; {a{j->2}[k]+a{j->2}[j]=3} a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
8
![Page 9: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/9.jpg)
Assignment rule with theory of arrays
⊢ 𝑃 𝑎 → 𝑎 𝑖 → 𝑒 𝑎 𝑖 = 𝑒 {𝑃}
{true} a[k]=1; a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
{𝑘 ≠ 𝑗} {a{k->1}{j->2}[k]+a{k->1}{j->2}[j]=3} a[k]=1; {a{j->2}[k]+a{j->2}[j]=3} a[j]=2; {a[k]+a[j]=3} x=a[k]+a[j]; {x=3}
9
![Page 10: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/10.jpg)
Arrays and loops
o Consider the following program:
j = i+1 while (j<n) { a[i] = max(a[i],a[j]); j = j+1; }
i
j
n
{∀𝑖≤𝑘<𝑛𝑎0[𝑘] ≤ 𝑎[𝑖]}
{0 ≤ 𝑖 < 𝑛}
A reasonable loop invariant: ∀𝑖≤𝑘<𝑗𝑎0[𝑘] ≤ 𝑎[𝑖]
Initial array
10
![Page 11: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/11.jpg)
Arrays and loops
o Let’s try to verify our candidate loop invariant
a[i] = max(a[i],a[j]); j = j+1;
{∀𝑖≤𝑘<𝑗𝑎0[𝑘] ≤ 𝑎[𝑖]}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖]}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖 → max (𝑎 𝑖 , 𝑎 𝑗 )][𝑖]}
{∀𝑖≤𝑘<𝑗𝑎0[𝑘] ≤ 𝑎[𝑖]}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ max (𝑎 𝑖 , 𝑎 𝑗 )}
We can’t quite
prove this
implication!
We don’t know that 𝑎0 𝑗 ≤ 𝑎[𝑗]
11
![Page 12: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/12.jpg)
A better loop invariant i
j
n
traversed
unchanged
a[i] = max(a[i],a[j]); j = j+1;
{∀𝑖≤𝑘<𝑗𝑎0 𝑘 ≤ 𝑎 𝑖 ∧ ∀𝑗≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑘]}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖] ∧ ∀𝑗+1≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑘]}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖 → max (𝑎 𝑖 , 𝑎 𝑗 )][𝑖] ∧ ∀𝑗+1≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑖 → max (𝑎 𝑖 , 𝑎 𝑗 )][𝑘]}
{∀𝑖≤𝑘<𝑗𝑎0[𝑘] ≤ 𝑎[𝑖] ∧ ∀𝑗≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑘]}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ max (𝑎 𝑖 , 𝑎 𝑗 ) ∧ ∀𝑗+1≤𝑘<𝑛𝑎0 𝑘 = 𝑘 = 𝑖?… : 𝑎[𝑘]}
We don’t know that 𝑘 ≠ 𝑖
12
![Page 13: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/13.jpg)
An even better invariant i
j
n
traversed
unchanged
a[i] = max(a[i],a[j]); j = j+1;
{∀𝑖≤𝑘<𝑗𝑎0 𝑘 ≤ 𝑎 𝑖 ∧ ∀𝑗≤𝑘<𝑛𝑎0 𝑘 = 𝑎 𝑘 ∧ 𝑖 < 𝑗}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖] ∧ ∀𝑗+1≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑘] ∧ 𝑖 < 𝑗 + 1}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖 → max (𝑎 𝑖 , 𝑎 𝑗 )][𝑖] ∧ ∀𝑗+1≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑖 → max (𝑎 𝑖 , 𝑎 𝑗 )][𝑘] ∧ 𝑖 < 𝑗 + 1}
{∀𝑖≤𝑘<𝑗𝑎0[𝑘] ≤ 𝑎[𝑖] ∧ ∀𝑗≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑘] ∧ 𝑖 < 𝑗}
{∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ max (𝑎 𝑖 , 𝑎 𝑗 ) ∧ ∀𝑗+1≤𝑘<𝑛𝑎0 𝑘 = 𝑘 = 𝑖?… : 𝑎[𝑘] ∧ 𝑖 < 𝑗}
13
![Page 14: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/14.jpg)
Arrays in SMT-LIB
o New constructs you need to know:
o (define-sort A () (Array Int Int))
o (declare-fun a1 () A)
o (select a1 x)
o (store a1 x y)
o (forall ((k Int)) ...)
14
![Page 15: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/15.jpg)
Example
o Encode that the invariant from before is preserved by the
loop body
𝐼 ∧ 𝑐𝑜𝑛𝑑 ⇒ 𝑉𝐶 𝑏𝑜𝑑𝑦, 𝐼
o ∀𝑖≤𝑘<𝑗𝑎0 𝑘 ≤ 𝑎 𝑖 ∧ ∀𝑗≤𝑘<𝑛𝑎0 𝑘 = 𝑎 𝑘 ∧ 𝑖 < 𝑗 ∧ 𝑗 < 𝑛 ⇒
∀𝑖≤𝑘<𝑗+1𝑎0[𝑘] ≤ 𝑎[𝑖 → max (𝑎 𝑖 , 𝑎 𝑗 )][𝑖] ∧ ∀𝑗≤𝑘<𝑛𝑎0 𝑘 = 𝑎[𝑖 →
max (𝑎 𝑖 , 𝑎 𝑗 )][𝑘] ∧ 𝑖 < 𝑗 + 1
15
![Page 16: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/16.jpg)
Useful links
o Z3 web interface and examples:
o http://rise4fun.com/Z3
o Z3 tutorial:
o http://rise4fun.com/z3/tutorial
16
![Page 17: Computer Science and Artificial Intelligence …...Computer Science and Artificial Intelligence Laboratory MIT Oct 28, 2015 October 28, 2015 Verifying Programs with Arrays Recap: Weakest](https://reader036.fdocuments.in/reader036/viewer/2022062606/5fe74f3f3596b63fef661ce6/html5/thumbnails/17.jpg)
MIT OpenCourseWarehttp://ocw.mit.edu
6.820 Fundamentals of Program AnalysisFall 2015
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.