
Program Verification Using Hoare’s Logic

This chapter discusses the use of Hoare's logic for program verification. It covers various program constructs such as assignments, composition, if-then-else, and while loops, and provides examples and explanations for why the logic works. The chapter also introduces consequence rules and provides guidelines for annotating while programs.


Presentation Transcript


  1. Program Verification Using Hoare’s Logic
     Chapter 7 of Software Reliability Methods, Doron Peled, Springer-Verlag (2001?), ISBN: 0-387-95106-7

  2. While programs
     • Assignments: y:=t
     • Composition: S1; S2
     • If-then-else: if e then S1 else S2 fi
     • While: while e do S od

  3. Greatest common divisor
       {x1>0/\x2>0}
       y1:=x1;
       y2:=x2;
       while ¬(y1=y2) do
         if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi
       od
       {y1=gcd(x1,x2)}

  4. Why does it work? Suppose that y1,y2 are both positive integers.
     • If y1>y2 then gcd(y1,y2)=gcd(y1-y2,y2)
     • If y2>y1 then gcd(y1,y2)=gcd(y1,y2-y1)
     • If y1=y2 then gcd(y1,y2)=y1=y2

  5. Assignment axiom
       {p[t/y]} y:=t {p}
     For example:
       {y+5=10} y:=y+5 {y=10}
       {y+y<z} x:=y {x+y<z}
       {2*(y+5)>20} y:=2*(y+5) {y>20}
     Justification: write p with y’ instead of y, and add the conjunct y’=t. Next, eliminate y’ by replacing y’ by t.

  6. Why does the axiom work backwards?
       {p} y:=t {?}
     Strategy: write p and the conjunct y=t, where y’ replaces y in both p and t. Then eliminate y’.
       {p} y:=t {∃y’ (p[y’/y] /\ t[y’/y]=y)}
     Example: {y>5} y:=2*(y+5) {?}
       y’>5 /\ y=2*(y’+5)   gives   y>20

  7. Composition rule
       {p} S1 {r}, {r} S2 {q}
       ----------------------
          {p} S1;S2 {q}
     For example: if the antecedents are
       1. {x+1=y+2} x:=x+1 {x=y+2}
       2. {x=y+2} y:=y+2 {x=y}
     then the consequent is
       {x+1=y+2} x:=x+1; y:=y+2 {x=y}

  8. More examples
       {p} S1 {r}, {r} S2 {q}
       ----------------------
          {p} S1;S2 {q}
       {x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}
       {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}
       {x1>0/\x2>0} y1:=x1 ; y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}

  9. If-then-else rule
       {p/\e} S1 {q}, {p/\¬e} S2 {q}
       -----------------------------
       {p} if e then S1 else S2 fi {q}
     For example:
       p is gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0 /\ ¬(y1=y2)
       e is y1>y2
       S1 is y1:=y1-y2
       S2 is y2:=y2-y1
       q is gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0

  10. While rule
            {p/\e} S {p}
       ----------------------------
       {p} while e do S od {p/\¬e}
     Example:
       p is gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
       e is ¬(y1=y2)
       S is if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi

  11. Consequence rules
     • Strengthen a precondition
         r→p, {p} S {q}
         ---------------
           {r} S {q}
     • Weaken a postcondition
         {p} S {q}, q→r
         ---------------
           {p} S {r}

  12. Use of first consequence rule
     Want to prove
       {x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}
     First use the implication:
       x1>0/\x2>0 → gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0
     Then use the assignment axiom:
       {gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}

  13. Combining program
       {x1>0 /\ x2>0}
       y1:=x1; y2:=x2;
       {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}
       while ¬(y1=y2) do if e then S1 else S2 fi od
       {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0 /\ y1=y2}
     Combine the above using the composition (concatenation) rule.

  14. Not completely finished
       {x1>0/\x2>0}
       y1:=x1; y2:=x2;
       while ¬(y1=y2) do if e then S1 else S2 fi od
       {gcd(x1,x2)=gcd(y1,y2) /\ y1>0 /\ y2>0 /\ y1=y2}
     But we wanted to prove:
       {x1>0/\x2>0} Prog {y1=gcd(x1,x2)}

  15. Use of second consequence rule
       {x1>0/\x2>0} Prog {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2}
     and the implication
       gcd(x1,x2)=gcd(y1,y2) /\ y1>0 /\ y2>0 /\ y1=y2 → y1=gcd(x1,x2)
     Thus,
       {x1>0/\x2>0} Prog {y1=gcd(x1,x2)}

  16. Annotating a while program
       {x1>0/\x2>0}
       y1:=x1;
       {gcd(x1,x2)=gcd(y1,x2) /\y1>0/\x2>0}
       y2:=x2;
       {gcd(x1,x2)=gcd(y1,y2) /\y1>0/\y2>0}
       while ¬(y1=y2) do
         {gcd(x1,x2)=gcd(y1,y2)/\ y1>0/\y2>0/\ ¬(y1=y2)}
         if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi
         {gcd(x1,x2)=gcd(y1,y2)/\ y1>0/\y2>0}
       od
       {gcd(x1,x2)=gcd(y1,y2)/\ y1>0/\y2>0 /\(y1=y2)}
       → {y1=gcd(x1,x2)}

  17. Another example
       {x>=0 /\ y>=0}
       a:=0;
       b:=x;
       while b>=y do
         b:=b-y;
         a:=a+1
       od
       {x=a*y+b/\b>=0/\b<y}
     Invariant: x=a*y+b /\ b>=0

  18. Invariant
     • How to start the proof? Heuristics: find an invariant for each loop. For this example: x=a*y+b/\b>=0
     Note: total correctness does not hold for y=0. Total correctness (with y>0) is to be proved separately.

  19. Proof
       (1) {x=a*y+x/\x>=0} b:=x {x=a*y+b/\b>=0}                (Assignment)
       (2) {x=0*y+x/\x>=0} a:=0 {x=a*y+x/\x>=0}                (Assignment)
       (3) {x=0*y+x/\x>=0} a:=0; b:=x {x=a*y+b/\b>=0}          (Composition (2), (1))
     Rules used:
       {p[t/y]} y:=t {p}
       {p} S1 {r}, {r} S2 {q}
       ----------------------
          {p} S1;S2 {q}

  20. Proof (cont.)
       (4) {x=(a+1)*y+b/\b>=0} a:=a+1 {x=a*y+b/\b>=0}                      (Assignment)
       (5) {x=(a+1)*y+b-y/\b-y>=0} b:=b-y {x=(a+1)*y+b/\b>=0}              (Assignment)
       (6) {x=(a+1)*y+b-y/\b-y>=0} b:=b-y; a:=a+1 {x=a*y+b/\b>=0}          (Composition (5), (4))
     Rules used:
       {p[t/y]} y:=t {p}
       {p} S1 {r}, {r} S2 {q}
       ----------------------
          {p} S1;S2 {q}

  21. While rule
            {p/\e} S {p}
       ----------------------------
       {p} while e do S od {p/\¬e}

  22. Consequence rules
     • Strengthen a precondition
         r→p, {p} S {q}
         ---------------
           {r} S {q}
     • Weaken a postcondition
         {p} S {q}, q→r
         ---------------
           {p} S {r}

  23. Proof (cont.)
       (7) x=a*y+b/\b>=0/\b>=y → x=(a+1)*y+b-y/\b-y>=0                              (Logic)
       (8) {x=a*y+b/\b>=0/\b>=y} b:=b-y; a:=a+1 {x=a*y+b/\b>=0}                     (Consequence (6), (7))
       (9) {x=a*y+b/\b>=0} while b>=y do b:=b-y; a:=a+1 od {x=a*y+b/\b>=0/\b<y}    (While (8))

  24. Proof (cont.)
       (10) {x=0*y+x/\x>=0} Prog {x=a*y+b/\b>=0/\b<y}     (Composition (3), (9))
       (11) x>=0/\y>=0 → x=0*y+x/\x>=0                    (Logic)
       (12) {x>=0/\y>=0} Prog {x=a*y+b/\b>=0/\b<y}        (Consequence (10), (11))
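The rule applications on slides 5 to 16 (the gcd program) and the step-by-step proof on slides 17 to 24 (division by repeated subtraction) can be mechanised. The Python below is an added example, not code from the book or the slides: it walks an annotated while-program backwards, applying the assignment axiom and the composition, if-then-else and while rules, and collects the implications a proof would still have to discharge (precondition implies the computed precondition, invariant preserved, invariant and negated guard imply the postcondition). A bounded enumeration of integer states stands in for an oracle deciding those implications, so a clean run is evidence, not a proof. The tuple encoding of statements, the representation of assertions as Python predicates on a state dictionary, the variable ranges and the deliberately weakened gcd invariant are all my own constructions.

```python
from itertools import product
from math import gcd

# A tiny while-language as tuples (constructed for this example):
#   ('assign', var, t)       t: state -> value
#   ('seq', S1, S2)
#   ('if', e, S1, S2)        e: state -> bool
#   ('while', e, inv, S)     inv: the annotated loop invariant, state -> bool
# States are dicts from variable names to integers. Assertions are predicates on
# states, so p[t/y] is obtained by evaluating p in the state where y holds t.


def wp(stmt, q, vcs):
    """Precondition that the proof rules assign to `stmt` for postcondition `q`,
    computed backwards. Loop side conditions (the premise of the while rule and
    the consequence step at loop exit) are appended to `vcs` as (name, predicate)."""
    kind = stmt[0]
    if kind == 'assign':                        # {p[t/y]} y:=t {p}
        _, var, t = stmt
        return lambda s: q({**s, var: t(s)})
    if kind == 'seq':                           # {p} S1 {r}, {r} S2 {q}  /  {p} S1;S2 {q}
        _, s1, s2 = stmt
        return wp(s1, wp(s2, q, vcs), vcs)
    if kind == 'if':                            # {p/\e} S1 {q}, {p/\~e} S2 {q}
        _, e, s1, s2 = stmt
        w1, w2 = wp(s1, q, vcs), wp(s2, q, vcs)
        return lambda s: w1(s) if e(s) else w2(s)
    if kind == 'while':                         # {p/\e} S {p}  /  {p} while e do S od {p/\~e}
        _, e, inv, body = stmt
        wbody = wp(body, inv, vcs)
        vcs.append(('preservation', lambda s: not (inv(s) and e(s)) or wbody(s)))
        vcs.append(('exit', lambda s: not (inv(s) and not e(s)) or q(s)))
        return inv
    raise ValueError(f'unknown statement {kind}')


def verify(pre, prog, post, domain):
    """Names of the verification conditions that fail somewhere in `domain`
    (a list of states). An empty list means every condition held on every state."""
    vcs = []
    w = wp(prog, post, vcs)
    vcs.insert(0, ('precondition', lambda s: not pre(s) or w(s)))
    return [name for name, vc in vcs if not all(vc(s) for s in domain)]


def states(names, values):
    """All states giving each name a value from `values` (the bounded 'oracle')."""
    return [dict(zip(names, vals)) for vals in product(values, repeat=len(names))]


# --- Greatest common divisor (slides 3 and 16) ---
def gcd_program(inv):
    return ('seq', ('assign', 'y1', lambda s: s['x1']),
            ('seq', ('assign', 'y2', lambda s: s['x2']),
             ('while', lambda s: s['y1'] != s['y2'], inv,
              ('if', lambda s: s['y1'] > s['y2'],
               ('assign', 'y1', lambda s: s['y1'] - s['y2']),
               ('assign', 'y2', lambda s: s['y2'] - s['y1'])))))

GCD_INV = lambda s: (gcd(s['x1'], s['x2']) == gcd(s['y1'], s['y2'])
                     and s['y1'] > 0 and s['y2'] > 0)
GCD_INV_WEAK = lambda s: gcd(s['x1'], s['x2']) == gcd(s['y1'], s['y2'])  # drops y1>0/\y2>0

def check_gcd(inv):
    return verify(lambda s: s['x1'] > 0 and s['x2'] > 0,
                  gcd_program(inv),
                  lambda s: s['y1'] == gcd(s['x1'], s['x2']),
                  states(['x1', 'x2', 'y1', 'y2'], range(-3, 8)))


# --- Division by repeated subtraction (slides 17 to 24) ---
DIV_INV = lambda s: s['x'] == s['a'] * s['y'] + s['b'] and s['b'] >= 0

DIV_PROG = ('seq', ('assign', 'a', lambda s: 0),
            ('seq', ('assign', 'b', lambda s: s['x']),
             ('while', lambda s: s['b'] >= s['y'], DIV_INV,
              ('seq', ('assign', 'b', lambda s: s['b'] - s['y']),
                      ('assign', 'a', lambda s: s['a'] + 1)))))

def check_div():
    return verify(lambda s: s['x'] >= 0 and s['y'] >= 0,
                  DIV_PROG,
                  lambda s: DIV_INV(s) and s['b'] < s['y'],
                  states(['x', 'y', 'a', 'b'], range(-3, 8)))


if __name__ == '__main__':
    print('gcd, full invariant:', check_gcd(GCD_INV) or 'all VCs hold')
    print('gcd, invariant without positivity:', check_gcd(GCD_INV_WEAK))
    print('division:', check_div() or 'all VCs hold')
```

With the invariant from slide 16, all three conditions for the gcd program hold on the sampled states, and so do those for the division program with the invariant from slide 17. Dropping y1>0/\y2>0 from the gcd invariant leaves preservation intact (the subtraction identity holds for any integers) but breaks the exit condition: a state with y1=y2=-3 satisfies the weakened invariant and the negated guard, yet y1 is not gcd(x1,x2). That is the bounded oracle's way of showing why the positivity conjuncts are carried through every triple on slides 8 to 16.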

  25. Soundness
     Hoare logic is sound in the sense that everything that can be proved is correct! This follows from the fact that each axiom and proof rule preserves soundness.

  26. Completeness
     A proof system is called complete if every correct assertion can be proved.
     • Propositional logic is complete.
     • No deductive system for standard arithmetic can be complete (Gödel).

  27. And for Hoare’s logic?
     Let S be a program and p its precondition. Then {p} S {false} means that S never terminates when started from p. This is undecidable. Thus, Hoare’s logic cannot be complete.

  28. Weakest precondition, strongest postcondition
     • For an assertion p and code S, let post(p,S) be the strongest assertion such that {p} S {post(p,S)}. That is, if {p} S {q} then post(p,S)→q.
     • For an assertion q and code S, let pre(S,q) be the weakest assertion such that {pre(S,q)} S {q}. That is, if {p} S {q} then p→pre(S,q).

  29. Relative completeness
     Suppose that
       • either post(p,S) exists for each p, S, or pre(S,q) exists for each S, q, and
       • some oracle decides pure implications.
     Then each correct Hoare triple can be proved. What does that mean? The weakness of the proof system stems from the weakness of the (first-order) logic, not of Hoare’s proof system.

  30. Extensions
     Many extensions exist for Hoare’s proof rules:
     • Total correctness
     • Arrays
     • Subroutines
     • Concurrent programs
     • Fairness

  31. Proof rule for total correctness
       {p/\e/\t=z} S {p/\t<z},  p→t>=0
       --------------------------------
          {p} while e do S od {p/\¬e}
     where z is an integer variable not appearing in p, t, e, S, and t is an integer expression.
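The two premises of this rule can be checked mechanically for the loops on the earlier slides. The Python below is an added example, not from the book or the slides: it snapshots t before one execution of the loop body (that snapshot is what the fresh variable z records), runs the body, and checks that p still holds and t has strictly decreased, and separately that p implies t>=0. The loop bodies are written directly as Python functions, the bounded state ranges are my choice, and so are the two variants, t=b for the division loop (slide 17) and t=y1+y2 for the gcd loop (slide 3); neither variant appears on the slides. Slide 18 notes that total correctness of the division loop needs y>0, and the check shows which premise fails when y=0 is allowed.

```python
from itertools import product
from math import gcd


def states(names, values):
    """All states giving each name a value from `values` (constructed domain)."""
    return [dict(zip(names, vals)) for vals in product(values, repeat=len(names))]


def check_total(p, e, body, t, domain):
    """Check the premises of the total-correctness while rule over `domain`:
         p -> t >= 0                        ('bound')
         {p /\ e /\ t=z} S {p /\ t<z}       ('decreases')
    `body` runs S on a state and returns the new state; z is the value of t
    before S runs. Returns the names of the premises that fail (empty: both held)."""
    failures = []
    if any(p(s) and t(s) < 0 for s in domain):
        failures.append('bound')
    for s in domain:
        if p(s) and e(s):
            z = t(s)
            s2 = body(s)
            if not (p(s2) and t(s2) < z):
                failures.append('decreases')
                break
    return failures


# --- Division loop from slide 17: while b>=y do b:=b-y; a:=a+1 od ---
def div_body(s):
    s = dict(s)
    s['b'] = s['b'] - s['y']
    s['a'] = s['a'] + 1
    return s

DIV_DOMAIN = states(['x', 'y', 'a', 'b'], range(-2, 6))
DIV_E = lambda s: s['b'] >= s['y']
DIV_T = lambda s: s['b']                       # assumed variant: b shrinks by y each round
DIV_INV = lambda s: s['x'] == s['a'] * s['y'] + s['b'] and s['b'] >= 0

def check_div_total(require_positive_y):
    """Premises with the invariant of slide 17, with or without the conjunct y>0."""
    p = (lambda s: DIV_INV(s) and s['y'] > 0) if require_positive_y else DIV_INV
    return check_total(p, DIV_E, div_body, DIV_T, DIV_DOMAIN)


# --- GCD loop from slide 3: while ~(y1=y2) do if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi od ---
def gcd_body(s):
    s = dict(s)
    if s['y1'] > s['y2']:
        s['y1'] -= s['y2']
    else:
        s['y2'] -= s['y1']
    return s

GCD_INV = lambda s: (gcd(s['x1'], s['x2']) == gcd(s['y1'], s['y2'])
                     and s['y1'] > 0 and s['y2'] > 0)
GCD_T = lambda s: s['y1'] + s['y2']           # assumed variant: the sum drops by min(y1,y2)>0

def check_gcd_total():
    return check_total(GCD_INV, lambda s: s['y1'] != s['y2'], gcd_body, GCD_T,
                       states(['x1', 'x2', 'y1', 'y2'], range(-2, 6)))


if __name__ == '__main__':
    print('division, y>0 in p:', check_div_total(True) or 'both premises hold')
    print('division, y=0 allowed:', check_div_total(False))
    print('gcd:', check_gcd_total() or 'both premises hold')
```

With y>0 added to the invariant, both premises hold for the division loop: b stays non-negative and loses y on every iteration. Without that conjunct the bound premise still holds (b>=0 is part of p) but the decrease premise fails, for instance in the state x=y=a=b=0, where the body leaves b unchanged; this is exactly the y=0 case that slide 18 excludes. For the gcd loop, positivity of y1 and y2 makes y1+y2 a valid variant, which is the termination argument behind the partial-correctness proof on slides 9 to 16.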
