Spring 2014Program Analysis and Verification

Lecture 5: Axiomatic Semantics II

Roman ManevichBen-Gurion University

2

Syllabus

Semantics

NaturalSemantics

Structural semantics

AxiomaticVerification

StaticAnalysis

AutomatingHoare Logic

AbstractInterpretation fundamentals

Lattices

Galois Connections

Fixed-Points

Widening/Narrowing

Domain constructors

InterproceduralAnalysis

AnalysisTechniques

Numerical Domains

CEGAR

Alias analysis

ShapeAnalysis

Crafting your own

Soot

From proofs to abstractions

Systematically developing

transformers

3

Previously

• Basic notions of correctness• Formalizing Hoare triples• FO logic– Free variables– Substitutions

• Hoare logic rules

4

States and predicates• – program states

– undefined• A state predicate P is a (possibly

infinite) setof states

• P– P holds in state

P

5

Formalizing Hoare triples

• { P } C { Q }– , ’ . (P C, ’) ’Q

alternatively– . (P SnsC ) SnsC Q– Convention: P for all P

. P SnsC Q

P C(P)Q

’C

Sns C =

’ if C, ’ else

6

An assertion language

a ::= n | x | a1 + a2 | a1 a2 | a1 – a2

A ::= true | false| a1 = a2 | a1 a2 | A | A1 A2 | A1 A2| A1 A2 | z. A | z. A

Either a program variablesor a logical variable

7

Free/bound variables

• A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free– i. k=im– (i+10077)i. j+1=i+3)

• FV(A) the free variables of A• Defined inductively on the abstract syntax tree

of A

8

Free variables

FV(n) {}FV(x) {x}FV(a1+a2) FV(a1a2) FV(a1-a2) FV(a1) FV(a2)FV(true) FV(false) {}FV(a1=a2) FV(a1a2) FV(a1) FV(a2)FV(A) FV(A)FV(A1 A2) FV(A1 A2) FV(A1 A2)

FV(a1) FV(a2) FV(z. A) FV(z. A) FV(A) \ {z}

9

Substitution

• An expression t is pure (a term) if it does not contain quantifiers

• A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t

• A i. k=imA[5/k] = …? A[5/i] = …?

What if t is not pure?

10

Calculating substitutions

n[t/z] = nx[t/z] = xx[t/x] = t

(a1 + a2)[t/z] = a1[t/z] + a2[t/z](a1 a2)[t/z] = a1[t/z] a2[t/z](a1 - a2)[t/z] = a1[t/z] - a2[t/z]

11

Calculating substitutionstrue[t/x] = truefalse[t/x] = false(a1 = a2)[t/z] = a1[t/z] = a2[t/z] (a1 a2)[t/z] = a1[t/z] a2[t/z] (A)[t/z] = (A[t/z])(A1 A2)[t/z]= A1[t/z] A2[t/z](A1 A2)[t/z] = A1[t/z] A2[t/z] (A1 A2)[t/z] = A1[t/z] A2[t/z]

(z. A)[t/z] = z. A(z. A)[t/y] = z. A[t/y]( z. A)[t/z] = z. A( z. A)[t/y] = z. A[t/y]

12

Today

• The rules• Inference system• Annotating programs with proofs• Properties of the semantics• Weakest precondition calculus

13

FO Logic reminder

• We write A B if for all states if A then B– { | A } { | B }– For every predicate A: false A true

• We write A B if A B and B A– false 5=7

• In writing Hoare-style proofs, we will often replace a predicate A with A’ such that A A’and A’ is “simpler”

14

the rules

six are completely

enough

15

Axiomatic semantics for While { P[a/x] } x := a { P }[assp]

{ P } skip { P }[skipp]

{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]

{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]

{ b P } S { P } { P } while b do S {b P }[whilep]

{ P’ } S { Q’ } { P } S { Q }[consp] if PP’ and Q’Q

Notice similarity to natural semantics rules

What’s different about this rule?

16

Assignment rule

• A “backwards” rule• x := a always finishes• Why is this true?– Recall operational semantics:

• Example: {y*z<9} x:=y*z {x<9}What about {y*z<9w=5} x:=y*z {w=5}?

x := a, [xAa][assns]

[xAa] P

17

skip rule

skip, [skipns]

18

Composition rule

• Holds when S1 terminates in every state where P holds and then Q holdsand S2 terminates in every state where Q holds and then R holds

S1, ’, S2, ’ ’’S1; S2, ’’ [compns]

19

Condition rule

S1, ’ if b then S1 else S2, ’

if B b = tt[ifttns]

S2, ’ if b then S1 else S2, ’

if B b = ff[ifffns]

20

Loop rule

• Here P is called an invariant for the loop– Holds before and after each loop iteration– Finding loop invariants – most challenging part of proofs

• When loop finishes, b is false

while b do S, if B b = ff[whileffns]

S, ’, while b do S, ’ ’’while b do S, ’’

if B b = tt[whilettns]

21

Rule of consequence

• Allows strengthening the precondition and weakening the postcondition

• The only rule that is not related to a statement

22

Rule of consequence

• Why do we need it?• Allows the following

{y*z<9} x:=y*z {x<9} {y*z<9w=5} x:=y*z {x<10}

23

Axiomatic semanticsas an inference system

24

Inference trees

• Similar to derivation trees of natural semantics• Leaves are …?• Internal nodes correspond to …?

25

Inference trees

• Similar to derivation trees of natural semantics• Leaves are …?• Internal nodes correspond to …?• Inference tree is called– Simple if tree is only an axiom– Composite otherwise

26

Provability

• We say that an assertion { P } C { Q } is provable if there exists an inference tree– Written as p { P } C { Q }– Are inference trees unique?

{true} x:=1; x:=x+5 {x0}• Proofs of properties of axiomatic semantics

use induction on the shape of the inference tree– Example: prove p { P } C { true } for any P and C

27

Factorial proof inference tree

W = while (x1) do (y:=y*x; x:=x–1)

INV = x > 0 (y x! = n! n x)

{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}

{ INV[x-1/x] } x:=x-1 {INV}

{ INV } W { x=1 INV }{ INV[1/y] } y:=1 { INV }

{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }

{ x1 INV } y:=y*x; x:=x–1 { INV }

[comp]

[cons]

[while]

[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }

[cons]

{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }

[comp]

Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }

will show later

28

Annotating programswith proofs

29

Annotated programs

• A streamlined version of inference trees– Inline inference trees into programs– A kind of “proof carrying code”– Going from annotated program to proof tree is a

linear time translation

30

Annotating composition

• We can inline inference trees into programs• Using proof equivalence of S1; (S2; S3) and (S1; S2); S3

instead writing deep trees, e.g.,

{P} (S1; S2); (S3 ; S4) {Q}{P} (S1; S2) {P’’} {P’’} (S3 ; S4) {Q}

{P} S1 {P’} {P’} S2 {P’’} {P’’} S3 {P’’’} {P’’’} S4 {P’’}

• We can annotate a composition S1; S2;…; Sn by{P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}

31

Annotating conditions

{ P }if b then

{ b P }S1

else { b P }

S2

{ Q }

32

Annotating conditions

{ P }if b then

{ b P }S1

{ Q1 }else { b P }

S2

{ Q2 }{ Q }

Usually Q is the result of using the consequence rule, so a more explicit annotation adds the postcondition of each branch

33

Annotating loops

{ P }while b do { b P } S{b P }

34

Annotating loops

{ P }while b do { b P } S { P’ }{b P } { Q }

P’ implies P

b P implies Q

35

Annotating loops

{ P }while b do { b P } S {b P }

Source of confusion

36

Annotating loops – alternative 1

while { P } b do { b P } S{b P }

37

Annotating loops – alternative 2

Inv = { P }while b do { b P } S {b P }

We will take this alternative in our examples and homework assignments

38

Annotating formula transformations

• We often rewrite formulas– To make proofs more readable– Using logical identities– Import theorems

{ }{ ’ } // transformation 1{ ’’ } // transformation 2

39

Annotated programs: factorial{ x=n }y := 1;Inv = { x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 }

• Contrast with proof via natural semantics

• Where did the inductive argument over loop iterations go?

40

Detailed proof steps{ x=n }y := 1;{ x=n y=1 } Inv = { x>0 y*x!=n! nx } while (x=1) do { x1 (x>0 y*x!=n! nx) } { x1 (x>0 (y*x)*(x-1)!=n! nx) } // Factorial { x1 (x>0 (y*x)*(x-1)!=n! n(x-1) } // Cons { x-1>0 (y*x)*(x-1)!=n! n(x-1) } // Cons y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1 { x>0 y*x!=n! nx } { y*x!=n! n>0 }

41

Properties of the semantics

42

Properties of the semanticsEquivalence– What is the analog of program

equivalence in axiomatic verification?

By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

Soundness– Can we prove incorrect properties?

Completeness– Is there something we can’t prove?

43

Provable equivalence

• We say that C1 and C2 are provably equivalent if for all P and Qp { P } C1 { Q } if and only if p { P } C2 { Q }

• Examples:– S; skip and S– S1; (S2; S3) and (S1; S2); S3

44

S1; (S2; S3) is provably equivalent to (S1; S2); S3

{P} S1; (S2; S3) {Q}{P} S1 {P’} {P’} (S2; S3) {Q}

{P’} S2 {P’’} {P’’} S3 {Q}

{P} (S1; S2); S3 {Q}{P} (S1; S2) {P’’} {P’’} S3 {Q}

{P} S1 {P’} {P’} S2 {P’’}

45

Valid assertions

• We say that { P } C { Q } is validif for all states , if P and C, ’then ’Q

• Denoted by p { P } C { Q }

P C(P)Q

’C

46

Soundness and completeness

• The inference system is sound:– p { P } C { Q } implies p { P } C { Q }

• The inference system is complete:– p { P } C { Q } implies p { P } C { Q }

By Cjprice88 (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons

47

Weakest precondition calculus

48

From inference to calculus

• A Hoare-style proof is declarative– You can check that a proof is correct

• Is there a more operative approach to producing proofs?– Weakest precondition calculus– Strongest postcondition calculus

• WP/SP provide limits for Hoare triples• WP helps prove that Hoare logic is relatively

complete

49

Weakest liberal precondition

• A backward-going predicate transformer• The weakest liberal precondition for Q is

wlp(C, Q)if and only if for all states ’if C, ’ then ’ Q

Propositions:1. p { wlp(C, Q) } C { Q }2. If p { P } C { Q } then P wlp(C, Q)

50

Weakest liberal precondition• A backward-going predicate transformer• The weakest liberal precondition for Q is

wlp(C, Q)if and only if for all states ’if C, ’ then ’ Q

P

C(P)

Q

C

wlp(C, Q) C(wlp(C, Q))

51

Strongest postcondition

• A forward-going predicate transformer• The strongest postcondition for P is

’ sp(P, C)if and only if there exists such that P and C, ’

Propositions:1. p { P } C { sp(P, C) }2. If p { P } C { Q } then sp(P, C) Q

52

Predicate transformer semantics• wlp and sp can be seen functions that transform

predicates to other predicates– wlpC : Predicate Predicate

{ P } C { Q } if and only if wlpC Q = P– spC : Predicate Predicate

{ P } C { Q } if and only if spC P = Q

53

Is Hoare logic complete?• Extensional approach: yes• Proving

p { P } C { Q } implies p { P } C { Q }boils down to provingp { wlp(C, Q) } C { Q }

• See proof in book

54

Is Hoare logic complete?• Intentional approach: no• Only as complete as the logic of assertions• Requires that we are able to prove the validity of

assertions that occur in the rule of consequence• Relative completeness of Hoare logic (Cook 1974)

55

Calculating Weakest preconditions

56

Calculating wlp

1. wlp(skip, Q) = Q2. wlp(x := a, Q) = Q[a/x]3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))4. wlp(if b then S1 else S2, Q) =

(b wlp(S1, Q)) (b wlp(S2, Q))

5. wlp(while b do S, Q) = … ?hard to capture

57

Calculating wlp of a loop

wlp(while b do S, Q) =

Idea: we know the following statements are semantically equivalentwhile b do Sif b do (S; while b do S) else skip

Let’s try to substitute and calculate on

wlp(if b do (S; while b do S) else skip, Q) =

(b wlp(S; while b do S, Q)) (b wlp(skip, Q)) =

(b wlp(S, wlp(while b do S, Q))) (b Q)

LoopInv = (b wlp(S, LoopInv)) (b Q) We have a recurrence

The loop invariant

58

Write a specification

{ ? }while (timer > 0) do

timer := timer – 1{ ? }

• “The program should count to zero”

59

Prove the following triple

• LoopInv = (b wlp(S, LoopInv)) (b Q)• Let’s substitute LoopInv with timer0• Show that timer0 is equal to

(timer>0 wlp(timer:=timer-1, timer0)) (timer0 timer=0)= (timer>0 (timer0)[timer-1/timer]) (timer0 timer=0)= (timer>0 timer-10) (timer0 timer=0)= timer>0 timer=0= timer0

{ timer 0 }while (timer > 0) do

timer := timer – 1{ timer = 0 }

60

Issues with wlp-based proofs

• Requires backwards reasoning – not very intuitive

• Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing)

• Also, a few more rules will be helpful

61

Making the proof systemmore practical

62

Conjunction rule

• Not necessary (for completeness) but practically useful

• Starting point of extending Hoare logic to handle parallelism

• Related to Cartesian abstraction– Will point this out when we learn it

63

More rules exist{ P } C { Q } { P’ } C { Q’ }

{ P P’ } C {Q Q’ }[disjp]

{ P } C { Q } { v. P } C { v. Q }[existp] vFV(C

)

{ P } C { Q } {v. P } C {v. Q }[univp] vFV(C)

{ F } C { F } Mod(C) FV(F)={}[Invp]• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F

Breaks if C is non-deterministic

64

Invariance + Conjunction = Constancy

• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F

{ P } C { Q } { F P } C { F Q }[constancyp] Mod(C) FV(F)={}

Next lecture:axiomatic semantics part 3