Rigorous Software Development CSCI-GA 3033-009

Similar documents
How To Write A Program Verification And Programming Book

PROPERTECHNIQUEOFSOFTWARE INSPECTIONUSING GUARDED COMMANDLANGUAGE

Rigorous Software Engineering Hoare Logic and Design by Contracts

CHAPTER 7 GENERAL PROOF SYSTEMS

Introducing Formal Methods. Software Engineering and Formal Methods

Formal Verification of Software

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

Rigorous Software Development CSCI-GA

Automated Theorem Proving - summary of lecture 1

Introduction to formal semantics -

Lecture Notes on Linear Search

[Refer Slide Time: 05:10]

Handout #1: Mathematical Reasoning

CS510 Software Engineering

Software Verification and Testing. Lecture Notes: Temporal Logics

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

WESTMORELAND COUNTY PUBLIC SCHOOLS Integrated Instructional Pacing Guide and Checklist Computer Math

Verification of Imperative Programs in Theorema

A Framework for the Semantics of Behavioral Contracts

What's Wrong With Formal Programming Methods? Eric C.R. Hehner

Satisfiability Checking

Rigorous Software Development CSCI-GA

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Formal Engineering for Industrial Software Development

2. The Language of First-order Logic

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Semantics and Verification of Software

Functional Programming. Functional Programming Languages. Chapter 14. Introduction

Software Engineering

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

Formally speaking: How to apply OCL

Summary Last Lecture. Automated Reasoning. Outline of the Lecture. Definition sequent calculus. Theorem (Normalisation and Strong Normalisation)

Static Program Transformations for Efficient Software Model Checking

Model Checking: An Introduction

Formalization of the CRM: Initial Thoughts

ML for the Working Programmer

Formal Verification and Linear-time Model Checking

Predicate Logic Review

Scalable Automated Symbolic Analysis of Administrative Role-Based Access Control Policies by SMT solving

Software Engineering using Formal Methods

Predicate logic Proofs Artificial intelligence. Predicate logic. SET07106 Mathematics for Software Engineering

First-Order Logics and Truth Degrees

Peter V. Homeier and David F. Martin. and

Specification and Analysis of Contracts Lecture 1 Introduction

Algorithmic Software Verification

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Semantic Analysis: Types and Type Checking

Software Model Checking. Equivalence Hierarchy

Chapter 7: Functional Programming Languages

Runtime Verification of Computer Programs and its Application in Programming Education

1 Operational Semantics for While

SPARQL: Un Lenguaje de Consulta para la Web

Fundamentals of Software Engineering

InvGen: An Efficient Invariant Generator

Fixed-Point Logics and Computation

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Testing LTL Formula Translation into Büchi Automata

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

! " # The Logic of Descriptions. Logics for Data and Knowledge Representation. Terminology. Overview. Three Basic Features. Some History on DLs

MAT Program Verication: Exercises

We would like to state the following system of natural deduction rules preserving falsity:

Loop Invariants and Binary Search

COMPUTER SCIENCE TRIPOS

Software Modeling and Verification

Predicate logic. Logic in computer science. Logic in Computer Science (lecture) PART II. first order logic

Math 223 Abstract Algebra Lecture Notes

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

Model Checking II Temporal Logic Model Checking

Relations: their uses in programming and computational specifications

Formal Specifications of Security Policy Models

Development of dynamically evolving and self-adaptive software. 1. Background


A Note on Context Logic

Appendix... B. The Object Constraint

Moving from CS 61A Scheme to CS 61B Java

Mathematical Induction

(LMCS, p. 317) V.1. First Order Logic. This is the most powerful, most expressive logic that we will examine.

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Type Systems. Luca Cardelli. Microsoft Research

Introduction to Programming System Design. CSCI 455x (4 Units)

A Beginner s Guide to Modern Set Theory

A SOUND TYPE SYSTEM FOR SECURE FLOW ANALYSIS

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

Boogie: A Modular Reusable Verifier for Object-Oriented Programs

Neighborhood Data and Database Security

ON FUNCTIONAL SYMBOL-FREE LOGIC PROGRAMS

A Propositional Dynamic Logic for CCS Programs

Regression Verification: Status Report

Transcription:

Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11

Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical object it computes (e.g., partial functions). Example: Abstract Interpretation Axiomatic Semantics Meaning of a program is defined in terms of its effect on the truth of logical assertions. Example: Hoare Logic (Structural) Operational Semantics Meaning of a program is defined by formalizing the individual computation steps of the program. Example: Labeled Transition Systems

IMP: A Simple Imperative Language An IMP program: p := 0; x := 0; while x < n do x := x + 1; p := p + m;

Syntax of IMP Commands Commands (Com) c ::= skip x := e c 1 ; c 2 if b then c 1 else c 2 while b do c Notes: The typing rules have been embedded in the syntax definition. Other parts are not context-free and need to be checked separately (e.g., all variables are declared). Commands contain all the side-effects in the language. Missing: references, function calls,

Labeled Transition Systems A labeled transition system (LTS) is a structure LTS = (Q, Act,!) where Q is a set of states, Act is a set of actions,! µ Q Act Q is a transition relation. a We write q! q for (q, a, q ) 2!.

Operational Semantics of IMP q skip q <e, q> n x := e q q ++ {x n} c q 1 c q q 2 q c q 1 ; c 2 q c <b, q> true q 1 c q <b, q> false q 2 q if b then c q 1 else c 2 if b then c q q 1 else c 2 q q <b, q> false while b do c q c <b, q> true q q q while b do c q while b do c q q

Axiomatic Semantics An axiomatic semantics consists of: a language for stating assertions about programs; rules for establishing the truth of assertions. Some typical kinds of assertions: This program terminates. If this program terminates, the variables x and y have the same value throughout the execution of the program. The array accesses are within the array bounds. Some typical languages of assertions First-order logic Other logics (temporal, linear) Special-purpose specification languages (Z, Larch, JML)

Assertions for IMP The assertions we make about IMP programs are of the form: {A} c {B} with the meaning that: c If A holds in state q and q! q then B holds in q A is the precondition and B is the postcondition For example: { y x } z := x; z := z + 1 { y < z } is a valid assertion These are called Hoare triples or Hoare assertions

Assertions for IMP {A} c {B} is a partial correctness assertion. It does not imply termination of c. [A] c [B] is a total correctness assertion meaning that If A holds in state q then there exists q such that q! q and B holds in state q Now let s be more formal Formalize the language of assertions, A and B Say when an assertion holds in a state Give rules for deriving valid Hoare triples c

The Assertion Language We use first-order predicate logic with IMP expressions A :: = true false e 1 = e 2 e 1 e 2 A 1 Æ A 2 A 1 Ç A 2 A 1 ) A 2 x.a x.a Note that we are somewhat sloppy and mix the logical variables and the program variables. Implicitly, all IMP variables range over integers. All IMP Boolean expressions are also assertions.

Semantics of Assertions We introduced a language of assertions, we need to assign meanings to assertions. Notation q ² A says that assertion A holds in a given state q. This is well-defined when q is defined on all variables occurring in A. The ² judgment is defined inductively on the structure of assertions. It relies on the semantics of arithmetic expressions from IMP.

Semantics of Assertions q ² true q ² e 1 = e 2 q ² e 1 e 2 always iff <e 1,q> = <e 2,q> iff <e 1,q> <e 2,q> q ² A 1 Æ A 2 iff q ² A 1 and q ² A 2 q ² A 1 Ç A 2 iff q ² A 1 or q ² A 2 q ² A 1 ) A 2 iff q ² A 1 implies q ² A 2 q ² x.a q ² x.a iff 8n2Z. q[x:=n] ² A iff 9n2Z. q[x:=n] ² A

Semantics of Hoare Triples Now we can define formally the meaning of a partial correctness assertion: ² {A} c {B} iff 8q2Q. 8q 2Q. q ² A Æ q! q ) q ² B and the meaning of a total correctness assertion: ² [A] c [B] iff 8q2Q. q ² A ) 9q Q. q! q Æ q ² B or even better: 8q2Q. 8q Q. q ² A Æ q! q ) q ² B Æ 8q2Q. q ² A ) 9q 2Q. q! c q Æ q ² B c c c

Inferring Validity of Assertions Now we have the formal mechanism to decide when {A} c {B} But it is not satisfactory, because ² {A} c {B} is defined in terms of the operational semantics. We practically have to run the program to verify an assertion. Also it is impossible to effectively verify the truth of a x. A assertion (by using the definition of validity) So we define a symbolic technique for deriving valid assertions from others that are known to be valid We start with validity of first-order formulas

Inference Rules We write ` A when A can be inferred from basic axioms. The inference rules for ` A are the usual ones from firstorder logic with arithmetic. Natural deduction style rules: ` A ` B ` A Æ B ` A ` A Ç B ` A[e/x] ` 9 x. A ` B ` A Ç B ` A[a/x] ` 8 x. A ` 9 x. A ` B ` A[a/x]... ` B where a is fresh where a is fresh ` 8 x. A ` A[e/x] ` A ) B ` A ` B ` A... ` B ` A ) B

Inference Rules for Hoare Triples Similarly we write ` {A} c {B} when we can derive the triple using inference rules There is one inference rule for each command in the language. Plus, the rule of consequence ` A ) A ` {A} c {B} ` B ) B ` {A } c {B }

Inference Rules for Hoare Logic One rule for each syntactic construct: ` {A} skip {A} ` {A[e/x]} x:=e {A} ` {A} c 1 {B} ` {B} c 2 {C} ` {A} c 1 ; c 2 {C} ` {A Æ b} c 1 {B} ` {A Æ :b} c 2 {B} ` {A} if b then c 1 else c 2 {B} ` {I Æ b} c {I} ` {I} while b do c {I Æ :b}

Exercise: Hoare Rules Is the following alternative rule for assignment still correct? ` {true} x:=e {x = e}

Hoare Rules For some constructs, multiple rules are possible alternative forward axiom for assignment: ` {A} x:=e {9x 0. x = e[x 0 /x] Æ A[x 0 /x]} alternative rule for while loops: ` I Æ b ) C ` {C} c {I} ` I Æ :b ) B ` {I} while b do c {B} These alternative rules are derivable from the previous rules, plus the rule of consequence.

Example: Conditional D1 :: ` {true Æ y 0} x := 1 {x > 0} D2 :: ` {true Æ y > 0} x := y {x > 0} ` {true} if y 0 then x := 1 else x := y {x > 0} D1 is obtained by consequence and assignment ` {1 > 0} x := 1 {x > 0} ` true Æ y 0 ) 1 > 0 ` {true Æ y 0} x := 1 {x 0} D2 is also obtained by consequence and assignment ` {y > 0} x := y {x > 0} ` true Æ y > 0 ) y > 0 ` {true Æ y > 0} x := y {x > 0}

Example: a simple loop We want to infer that ` {x 0} while x 5 do x := x + 1 {x = 6} Use the rule for while with invariant I x 6 ` x 6 Æ x 5 ) x + 1 6 ` {x + 1 6} x := x + 1 {x 6} ` {x 6 Æ x 5} x := x + 1 {x 6} ` {x 6} while x 5 do x := x + 1 { x 6 Æ x > 5} Then finish-off with the rule of consequence ` x 0 ) x 6 ` x 6 Æ x > 5 ) x = 6 ` {x 6} while... {x 6 Æ x > 5} ` {x 6} while... { x 6 Æ x > 5}

Example: a more interesting program We want to derive that {n 0} p := 0; x := 0; while x < n do x := x + 1; p := p + m {p = n * m}

Example: a more interesting program Only applicable rule (except for rule of consequence): ` {A} c 1 {C} ` {C} c 2 {B} ` {A} c 1 ; c 2 {B} ` {n 0} p:=0; x:=0 {C} `{C} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m} A c 1 c 2 B

Example: a more interesting program What is C? Look at the next possible matching rules for c 2! Only applicable rule (except for rule of consequence): ` {I Æ b} c {I} ` {I} while b do c {I Æ :b} We can match {I} with {C} but we cannot match {I Æ :b} and {p = n * m} directly. Need to apply the rule of consequence first! ` {n 0} p:=0; x:=0 {C} `{C} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m} A c 1 c 2 B

Example: a more interesting program What is C? Look at the next possible matching rules for c 2! Only applicable rule (except for rule of consequence): ` {I} while b do c {I Æ :b} A I = A = A = C ` {I Æ b} c {I} c ` {n 0} p:=0; x:=0 {C} A B Rule of consequence: ` A ) A ` {A} c {B} ` B ) B ` {A } c {B } `{C} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m} c B

Example: a more interesting program What is I? Let s keep it as a placeholder for now! Next applicable rule: ` {A} c 1 {C} ` {C} c 2 {B} ` {A} c 1 ; c 2 {B} A c 1 c 2 B ` {n 0} p:=0; x:=0 {I} `{I Æ x<n} x := x+1; p:=p+m {I} `{I} while x < n do (x:=x+1; p:=p+m) {I Æ x n} ` I Æ x n ) p = n * m `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Example: a more interesting program What is C? Look at the next possible matching rules for c 2! Only applicable rule (except for rule of consequence): ` {A[e/x]} x:=e {A} A c 1 c 2 B ` {n 0} p:=0; x:=0 {I} `{I Æ x<n} x := x+1 {C} `{I Æ x<n} x := x+1; p:=p+m {I} `{C} p:=p+m {I} `{I} while x < n do (x:=x+1; p:=p+m) {I Æ x n} ` I Æ x n ) p = n * m `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Example: a more interesting program What is C? Look at the next possible matching rules for c 2! Only applicable rule (except for rule of consequence): ` {A[e/x]} x:=e {A} ` {n 0} p:=0; x:=0 {I} `{I Æ x<n} x:=x+1 {I[p+m/p]} `{I[p+m/p} p:=p+m {I} `{I Æ x<n} x:=x+1; p:=p+m {I} `{I} while x < n do (x:=x+1; p:=p+m) {I Æ x n} ` I Æ x n ) p = n * m `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Example: a more interesting program Only applicable rule (except for rule of consequence): ` {A[e/x]} x:=e {A} Need rule of consequence to match {I Æ x<n} and {I[x+1/x, p+m/p]} ` {n 0} p:=0; x:=0 {I} `{I Æ x<n} x:=x+1 {I[p+m/p]} `{I[p+m/p} p:=p+m {I} `{I Æ x<n} x:=x+1; p:=p+m {I} `{I} while x < n do (x:=x+1; p:=p+m) {I Æ x n} ` I Æ x n ) p = n * m `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Example: a more interesting program Let s just remember the open proof obligations! ` {n 0} p:=0; x:=0 {I} `{I[x+1/x, p+m/p]} x:=x+1 {I[p+m/p]} ` I Æ x < n ) I[x+1/x, p+m/p] `{I Æ x<n} x:=x+1 {I[p+m/p]} `{I[p+m/p} p:=p+m {I} `{I Æ x<n} x:=x+1; p:=p+m {I} `{I} while x < n do (x:=x+1; p:=p+m) {I Æ x n} ` I Æ x n ) p = n * m... `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Example: a more interesting program Let s just remember the open proof obligations! ` I Æ x < n ) I[x+1/x, p+m/p] ` {n 0} p:=0; x:=0 {I} ` I Æ x n ) p = n * m Continue with the remaining part of the proof tree, as before. ` n 0 ) I[0/p, 0/x] ` {I[0/p, 0/x]} p:=0 {I[0/x]} ` {n 0} p:=0 {I[0/x]} ` {I[0/x]} x:=0 {I} Now we only need to solve the remaining constraints!... `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m} ` {n 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Example: a more interesting program Find I such that all constraints are simultaneously valid: ` n 0 ) I[0/p, 0/x] ` I Æ x < n ) I[x+1/x, p+m/p] ` I Æ x n ) p = n * m I p = x * m Æ x n ` n 0 ) 0 = 0 * m Æ 0 n ` p = x * m Æ x n Æ x < n ) p+m = (x+1) * m Æ x+1 n ` p = x * n Æ x n Æ x n ) p = n * m All constraints are valid!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information