
CSE 3341.03 Winter 2008 Introduction to Program Verification








  1. CSE 3341.03 Winter 2008 Introduction to Program Verification: symbolic execution continued

  2. well-behaved expression assumption
     • Exercise 7.9:
       if (count > 2) flag = adjust(total - 1); else flag = adjust(total - 1);
       post-condition? how does it depend on the well-behaved expression assumption?

  3. exception raising
     • use a specification variable to "fill in" a partial function
       example: x = 1/n;
       post-condition: n ≠ 0 implies x = 1/n ?? leaves the case n = 0 unspecified
       better: have n = 0 raise an exception;
       post-condition: n ≠ 0 and x = 1/n or exceptionRaised
       Note: the specification variable converts a (run-time) test into part of a general assertion
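The two candidate post-conditions for x = 1/n can be compared by checking them against an implementation on sample inputs. This is an added Python example, not code from the slides; the names reciprocal, sloppy_reciprocal, weak_post, strong_post and satisfies are my own, and the exception case is reported through a returned flag standing in for the slide's specification variable exceptionRaised.

```python
# Added example (not from the course): a partial function x = 1/n modelled with
# a specification variable exceptionRaised, and the two post-conditions from
# the slide checked against two implementations on constructed sample inputs.

def reciprocal(n):
    """x = 1/n, where n = 0 raises instead of producing some arbitrary value.
    Returns (x, exceptionRaised)."""
    try:
        return 1 / n, False
    except ZeroDivisionError:
        return None, True

def sloppy_reciprocal(n):
    """A variant that never raises and silently hands back 0 when n = 0."""
    return (1 / n if n != 0 else 0), False

def weak_post(n, x, exception_raised):
    """n != 0 implies x == 1/n  (written as: n == 0 or x == 1/n).
    Says nothing at all about what happens when n == 0."""
    return n == 0 or x == 1 / n

def strong_post(n, x, exception_raised):
    """n != 0 and x == 1/n, or exceptionRaised: the n == 0 case is now covered."""
    return (n != 0 and x == 1 / n) or exception_raised

def satisfies(impl, post, inputs=(-2, -1, 0, 1, 2, 4)):
    """Does impl meet post on every sample input (constructed list, includes 0)?"""
    return all(post(n, *impl(n)) for n in inputs)

if __name__ == "__main__":
    for impl in (reciprocal, sloppy_reciprocal):
        print(impl.__name__, "weak:", satisfies(impl, weak_post),
              "strong:", satisfies(impl, strong_post))
```

The sloppy implementation passes the weak post-condition, because an implication with a false antecedent is vacuously true at n = 0; only the strengthened post-condition with exceptionRaised rejects it.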

  4. programs as "propositional transformers"
     • start with a proposition (perhaps "true")
     • 'execute' a code segment
     • calculate a resulting proposition
     symbolic execution maintains a description of the state of computation at each step

  5. assignment statements
     • if a variable is assigned a new value, we may need its initial value:
       x = x - y //{x = 'old x' - y}
     • parallel assignment (corrected from Ch. 8, p. 21):
       x1, x2, . . , xk = e1, e2, . . , ek ;
       means: replace each xj by old xj in each ek, then assign xi = ei for each xi

  6. parallel assignment
     • motivation for parallel assignment: x=1 and y=x is the same logically as y=x and x=1, but not if = is sequential assignment
     • scripting languages with parallel assignment: Python, Perl, Ruby, Windows PowerShell, OCaml and JavaScript (since 1.7) (source: Wikipedia)

  7. symbex
     • symbex symbolically executes a code fragment containing assignment and conditional statements
     • handles assignment operators: x += y;
     • allows A[X] in the assigned expression
       • gets changed to array(A, X)
       • why?
     • doesn't handle parallel assignments

  8. symbex assertions
     • pre-condition: //{ . . . } . . .
     • assertion or post-condition: . . . //{ . . . } . . .
     • current state: //{ false } . .

  9. exercise 8.4
     • //{ not b implies v = e }
       if (b) //{ (not b implies v=e) and b }
         v = e ; // assert: v=e  // -- assertion is verified.
       //{ (not b implies v=e) and not b or (not b implies old v=e) and v=e and b }
     • compare post-condition for each case
     • what does "assuming everything is well-behaved" mean in this specific case?

  10. stronger and weaker
     • P is stronger (as a condition) than Q if P implies Q and (P xor Q)
     • P is weaker than Q if Q is stronger than P
     • simple refinement weakens the pre-condition, strengthens the post-condition
     • why is this desirable?

  11. strongest
     • Suppose P is the strongest proposition such that P implies Q
     • what is P's relation to Q? If R is stronger than (or =) Q, then P is stronger than (or =) R, i.e., (R implies Q) implies (P implies R)

  12. what does symbex compute?
     strongest post-condition resulting from executing the code, given the pre-condition
     • what if P is false? strongest possible proposition, but can't be a (descriptive) post-condition!

  13. symbex in detail
     • symbex processes a code segment;
     • interprets its input (up to an end-of-file (^D)) as a sequence of assignment and conditional statements annotated with comments in the form //{ term }
     • maintains a table of computational states described in terms of the code's variables
     • initial value is given by a pre-condition or described as 'old V'

  14. states and relations
     • description is complicated by having two parts:
       • states of variables = "trace table"
         • values don't involve code variables
         • current values are substituted for variables
       • relations among variables

  15. relations and values
     • relations are either pre-conditions or created by conditional statements:
       if(x>0) {y=2; x = 2*x;}
     • pre-condition to the {} is x > 0; after "y=2;" we have x > 0 and y=2
     • now x changes: new description is 'old x' > 0 and y = 2 and x = 2*'old x'
     what's the post-condition calculated for the if?
     • x <= 0 or 'old x' > 0 and y = 2 and x = 2*'old x'

  16. symbex vs. Java assertions
     • often we are only interested in some of the variables; insert assertions to verify the (partial) state
     • difference between these assertions and assertions in Java (version 1.4 and after):
       • the assertions in Java test the code executing on a specific set of values
       • assertions in symbex are asserted to be true for all values in the domains of the functions and relations

  17. executing conditionals
     • p. 26: if ( i != 4 || i != 5) x = no; else x = yes; //{ x = no }
     • where did //{ not i=5 or not i=4 } come from?
     • why is the post-condition verified?
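The trace-table-plus-relations scheme of slides 13 to 15, the parallel assignment of slides 5 and 6, and the "true for all values" reading of assertions on slide 16 can all be shown with a small symbolic executor. The Python below is an added example written for this page; it is not the course's symbex tool and not code from the slides. It computes the strongest post-condition of the slide 15 fragment, of the exercise 8.4 fragment on slide 9, and of the slide 17 fragment, and contrasts parallel with sequential assignment. Assumptions: formulas are in Python syntax, so the slides' `=` in assertions is `==`, 'old x' is `old_x`, and "P implies Q" is entered as `not P or Q` (exercise 8.4's pre-condition "not b implies v = e" becomes `b or v == e`); the function `implies_for_all` is a bounded enumeration over small integers standing in for the proof the slides leave to the reader, and every name in the block is my own.

```python
import itertools
import re

# Added example: a toy symbolic executor in the spirit of the course's symbex
# tool (this is not symbex itself). A state is (values, rels): `values` maps
# each program variable to a symbolic expression over its initial value,
# written old_x; `rels` lists constraints over those initial values gathered
# from the pre-condition and from the tests of if statements. Formulas use
# Python boolean syntax, so "P implies Q" is written "not P or Q".

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

def subst(expr, values):
    """Replace each program variable in expr by its current symbolic value;
    old_x names and the operators and/or/not are left alone."""
    def rep(m):
        name = m.group(0)
        if name not in values:
            return name
        val = values[name]
        return val if re.fullmatch(r"\w+", val) else "(" + val + ")"
    return IDENT.sub(rep, expr)

def assign(state, targets, exprs):
    """Parallel assignment x1,..,xk = e1,..,ek: every e_i is evaluated in the
    state before the assignment, then all targets are updated at once.
    A sequential x = e is the one-target case; x += e is entered as x = x + e."""
    values, rels = state
    new = [subst(e, values) for e in exprs]      # all right-hand sides use OLD values
    values = dict(values)
    values.update(zip(targets, new))
    return values, list(rels)

def execute(stmts, state):
    """Run stmts from state; return one final state per execution path."""
    states = [state]
    for stmt in stmts:
        nxt = []
        for values, rels in states:
            if stmt[0] == "assign":                 # ("assign", targets, exprs)
                nxt.append(assign((values, rels), stmt[1], stmt[2]))
            else:                                   # ("if", test, then_stmts, else_stmts)
                test = subst(stmt[1], values)       # the test, in terms of old values
                nxt += execute(stmt[2], (values, rels + [test]))
                nxt += execute(stmt[3], (values, rels + ["not (" + test + ")"]))
        states = nxt
    return states

def describe(values, rels):
    """Conjunction describing one path: its relations plus v == value for each
    changed variable. An unchanged variable keeps its own name (old_x is just x)."""
    unchanged = {v for v, e in values.items() if e == "old_" + v}
    parts = ["(" + r + ")" for r in rels]
    parts += [v + " == " + e for v, e in values.items() if v not in unchanged]
    text = " and ".join(parts) if parts else "True"
    for v in unchanged:
        text = re.sub(r"\bold_" + v + r"\b", v, text)
    return text

def strongest_post(stmts, variables, pre="True"):
    """Strongest post-condition: the disjunction of all path descriptions."""
    init = {v: "old_" + v for v in variables}
    rels = [] if pre == "True" else [subst(pre, init)]
    paths = execute(stmts, (init, rels))
    return " or ".join("(" + describe(v, r) + ")" for v, r in paths)

def implies_for_all(post, assertion, variables, domain=range(-2, 3)):
    """Bounded stand-in for a proof: check that post implies assertion for every
    assignment of small integers to the variables and their old values."""
    names = list(variables) + ["old_" + v for v in variables]
    p, a = compile(post, "<post>", "eval"), compile(assertion, "<assert>", "eval")
    for vals in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if eval(p, {"__builtins__": {}}, env) and not eval(a, {"__builtins__": {}}, env):
            return False
    return True

# Slide 15:  if (x > 0) { y = 2; x = 2*x; }
SLIDE15 = [("if", "x > 0", [("assign", ["y"], ["2"]), ("assign", ["x"], ["2*x"])], [])]
POST15 = strongest_post(SLIDE15, ["x", "y"])

# Exercise 8.4:  //{ not b implies v = e }  if (b) v = e;   then assert v = e
EX84 = [("if", "b", [("assign", ["v"], ["e"])], [])]
POST84 = strongest_post(EX84, ["b", "v", "e"], pre="b or v == e")

# Slide 17:  if (i != 4 || i != 5) x = no; else x = yes;  //{ x = no }
SLIDE17 = [("if", "i != 4 or i != 5", [("assign", ["x"], ["no"])],
                                      [("assign", ["x"], ["yes"])])]
POST17 = strongest_post(SLIDE17, ["i", "x", "no", "yes"])

# Slide 6:  parallel  x, y = 1, x   versus sequential  x = 1; y = x
PARALLEL = strongest_post([("assign", ["x", "y"], ["1", "x"])], ["x", "y"])
SEQUENTIAL = strongest_post([("assign", ["x"], ["1"]), ("assign", ["y"], ["x"])], ["x", "y"])

if __name__ == "__main__":
    print("slide 15:", POST15)
    print("exercise 8.4:", POST84, "| v == e holds:", implies_for_all(POST84, "v == e", ["b", "v", "e"]))
    print("slide 17:", POST17, "| x == no holds:",
          implies_for_all(POST17, "x == no", ["i", "x", "no", "yes"], range(3, 7)))
    print("parallel:", PARALLEL, "| sequential:", SEQUENTIAL)
```

For slide 15 the script produces the two-disjunct formula the slide gives, with `not (x > 0)` in place of `x <= 0`; on the else path x is unchanged, so its old value is written as plain `x`, exactly as on the slide. The bounded check is what separates a symbex assertion from a Java assert: it quantifies over every value in the (here, small) domain rather than testing the one run in front of it.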

  18. illogical Dan
