automated theorem proving lecture 1 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Automated Theorem Proving Lecture 1 PowerPoint Presentation
Download Presentation
Automated Theorem Proving Lecture 1

Loading in 2 Seconds...

play fullscreen
1 / 34

Automated Theorem Proving Lecture 1 - PowerPoint PPT Presentation


  • 417 Views
  • Uploaded on

Automated Theorem Proving Lecture 1. Given program P and specification S, does P satisfy S?. Program verification is undecidable!. The model checking approach. Create a model of the program in a decidable formalism Verify the model algorithmically Difficulties

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Automated Theorem Proving Lecture 1' - Jims


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide2

Given program P and specification S,

does P satisfy S?

Program verification is undecidable!

the model checking approach
The model checking approach
  • Create a model of the program in a decidable formalism
  • Verify the model algorithmically
  • Difficulties
    • Model creation is burden on programmer
    • The model might be incorrect.
  • If verification fails, is the problem in the model or the program?
the axiomatic approach
The axiomatic approach
  • Add auxiliary specifications to the program to decompose the verification task into a set of local verification tasks
  • Verify each local verification problem
  • Difficulties
    • Auxiliary spec is burden on programmer
    • Auxiliary spec might be incorrect.
  • If verification fails, is the problem with the auxiliary specification or the program?
theorem proving and software

Semantics

Program

VC

generation

Provability

(theorem proving)

Validity

Specification

Theorem

in a logic

Theorem Proving and Software
  • Soundness:
    • If the theorem is valid then the program meets specification
    • If the theorem is provable then it is valid

Meets spec/Found Bug

overview of the next few lectures
Overview of the Next Few Lectures
  • From programs to theorems
    • Verification condition generation
  • From theorems to proofs
    • Theorem provers
    • Decision procedures
programs theorems axiomatic semantics
Programs ! Theorems = Axiomatic Semantics
  • Consists of:
    • A language for making assertions about programs
    • Rules for establishing when assertions hold
  • Typical assertions:
    • During the execution, only non-null pointers are dereferenced
    • This program terminates with x = 0
  • Partial vs. total correctness assertions
    • Safety vs. liveness properties
    • Usually focus on safety (partial correctness)
hoare triples
Hoare Triples
  • Partial correctness: { A } s { B}
    • When you start s in any state that satisfies A
    • Ifthe execution of s terminates
    • It does so in a state that satisfies B
  • Total correctness: [ A ] s [ B ]
    • When you start s in any state that satisfies A
    • The execution of s terminates and
    • It does so in a state that satisfies B
  • Defined inductively on the structure of statements
hoare rules assignment
Hoare Rules: Assignment
  • Example: { A } x := x + 2 {x >= 5 }. What is A?
  • General rule:
  • Surprising how simple the rule is !
  • The key is to compute “backwards” the precondition from the postcondition
  • Forward rule is more complicated:
weakest preconditions
Weakest preconditions
  • Dijkstra’s idea: To verify that { A } s { B}
    • Let Pre(s, B) = {A’ | { A’} s { B} }
    • b) (Pre(s,B), )) is a lattice
    • - false  Pre(s,B)
    • - if Pre(s,B) and Pre(s,B), then Pre(s,B)
    • - if Pre(s,B) and Pre(s,B), then Pre(s,B)
    • c) WP(s, B) = lub(Pre(s, B))
  • d) Compute WP(s, B) and prove A  WP(s, B)
predicate lattice

)

false

true

weak

strong

weakest

precondition: WP(s, B)

A

Predicate lattice

Pre(s, B)

weakest preconditions13
Weakest preconditions
  • WP(x := E, B) = B[E/x]
  • WP(s1; s2, B) = WP(s1, WP(s2, B))
  • WP(if E then s1 else s2, B) = E ) WP(s1, B) Æ: E ) WP(s2, B)
  • WP(assert E, B) = E  B
slide14

Example

returns c

requires true

ensures c = a  b

bool or(bool a, bool b) {

if (a)

c := true

else

c := b

}

S

WP(S, c = a  b) = (a  true = a  b)  (a  b = a  b)

Conjecture to be proved:

true  (a  true = a  b)  (a  b = a  b)

weakest preconditions contd
Weakest preconditions (Contd.)
  • What about loops?
  • Define a family of weakest preconditions
    • WPk(while E do S, B) = weakest precondition from which if the loop terminates in k or fewer iterations, then it terminates in B

WP0 = : E ) B

WPi+1 = WPi  (E ) WP(s, WPi))

  • WP(while E do S, B) = Æk ¸ 0 WPk = glb {WPk | k ¸ 0}
    • Hard to compute
    • Can we find something easier yet sufficient ?
not quite weakest preconditions

verification

condition: VC(s, B)

Not quite weakest preconditions
  • Recall what we are trying to do:

)

false

true

Pre(s, B)

weak

strong

weakest

precondition: WP(s, B)

A

  • We shall construct a verification condition: VC(s, B)
    • The loops are annotated with loop invariants !
    • VC is guaranteed stronger than WP
    • But hopefully still weaker than A: A ) VC(s, B) ) WP(s, B)
verification condition generation
Verification condition generation
  • Computed in a manner similar to WP
  • Except the rule for while:

VC(whileI,T E do s, B) =

I Æ ( I  ((E ) VC(s, I)) Æ (:E ) B)) )[T0/T]

  • I is the loop invariant (provided by the programmer)
  • T is the set of loop targets (can be approximated by scanning the loop body)

I is preserved in

an arbitrary iteration

I holds

on entry

B holds when the

loop terminates

slide18

Example

VC(B, t  0  c = a + b - t) 

t - 1  0  c + 1 = a + b – (t – 1)

returns c

requires b >= 0

ensures c = a + b

int add(int a, int b) {

int t;

t := b

c := a

invariant

t  0  c = a + b - t

while (t > 0) {

c := c + 1

t := t - 1

}

}

VC(L, c = a + b) 

t  0 c = a + b – t 

(t  0  c = a + b – t 

 t > 0  t - 1  0 

c + 1 = a + b – (t - 1)

 t  0  c = a + b)[c0/c,t0/t]

VC(L, c = a + b) 

t  0 c = a + b – t 

(t0 0  c0 = a + b – t0

 t0 > 0  t0 - 1  0 

c0 + 1 = a + b – (t0 - 1)

 t0 0  c0 = a + b)

A

L

B

VC(A, c = a + b) 

b  0 a = a + b – b 

(t0 0  c0 = a + b – t0

 t0 > 0  t0 - 1  0 

c0 + 1 = a + b – (t0 - 1)

 t0 0  c0 = a + b)

Conjecture to be proved:

b  0  VC(A, c = a + b)

invariants are not easy
Invariants Are Not Easy
  • Consider the following code from QuickSort

int partition(int *a, int L0, int H0, int pivot) {

int L = L0, H = H0;

while(L < H) {

while(a[L] < pivot) L ++;

while(a[H] > pivot) H --;

if(L < H) { swap a[L] and a[H] }

L++;

}

return L

}

  • Consider verifying only memory safety
  • What is the loop invariant for the outer loop ?
verification conditions contd
Verification conditions (Contd.)
  • What about procedure calls?
    • Annotate each procedure with a precondition pre and a postcondition post
    • VC(f(), B) = pre  (post  B)
program verification
Program verification
  • Annotate each procedure with a precondition and a postcondition and each loop with an invariant
  • Verify each procedure separately

requires pre

ensures post

f() {

S;

}

Verify that the formula

VC(f)  pre  VC(S, post)

is valid

proving verification conditions
Proving verification conditions
  • What is the decision procedure for proving validity of VC(f)?
  • Depends on the logic in which VC(f) is expressed

VC(f)  pre  VC(S, post)

verification condition logic
Verification condition logic

VC(f)  pre  VC(S, post)

  • Atoms connected by boolean operators
    • , , , 
  • Atoms depend on the program variables and operations on them
    • boolean, integer, memory
  • Atoms depend on the language of assertions, i.e., program assertions, loop invariants, preconditions and postconditions
    • quantification, reachability predicate
slide24

Assume each assertion is a quantifier-free boolean

combination of expressions over program variables.

  • VC(f) is a boolean combination of atoms
    • Each atom is a relation over terms
    • Each term is built using functions and logical constants
  • Logical constants are different from program variables
    • program variables change over time
    • logical constants are fixed
  • The logical constants in VC(f) refer to the values of program variables at the beginning of f.
case i boolean programs
Case I: Boolean programs
  • Boolean-valued variables and boolean operations
  •  Formula := A |  |   

A  Atom := b

b  SymBoolConst

slide26

Example

returns c

requires true

ensures c = a  b

bool or(bool a, bool b) {

if (a)

c := true

else

c := b

}

S

VC(S, c = a  b) = (a  true = a  b)  (a  b = a  b)

Conjecture to be proved:

true  (a  true = a  b)  (a  b = a  b)

case ii arithmetic programs
Case II: Arithmetic programs
  • In addition, integer-valued variables with affine operations
  •  Formula := A |   |   

A  Atom := b | t = 0 | t < 0 | t  0

t  Term := c | x | t + t | t – t | ct

b  SymBoolConst

x  SymIntConst

c  {…,-1,0,1,…}

slide28

Example

VC(B, t  0  c = a + b - t) 

t - 1  0  c + 1 = a + b – (t – 1)

returns c

requires b >= 0

ensures c = a + b

int add(int a, int b) {

int t;

t := b

c := a

invariant

t  0  c = a + b - t

while (t > 0) {

c := c + 1

t := t - 1

}

}

VC(L, c = a + b) 

t  0 c = a + b – t 

(t  0  c = a + b – t 

 t > 0  t - 1  0 

c + 1 = a + b – (t - 1)

 t  0  c = a + b)[c0/c,t0/t]

VC(L, c = a + b) 

t  0 c = a + b – t 

(t0 0  c0 = a + b – t0

 t0 > 0  t0 - 1  0 

c0 + 1 = a + b – (t0 - 1)

 t0 0  c0 = a + b)

A

L

B

VC(A, c = a + b) 

b  0 a = a + b – b 

(t0 0  c0 = a + b – t0

 t0 > 0  t0 - 1  0 

c0 + 1 = a + b – (t0 - 1)

 t0 0  c0 = a + b)

Conjecture to be proved:

b  0  VC(A, c = a + b)

case iii memory programs
Case III: Memory programs
  • In addition, a memory with read and write operations
    • an unbounded set of objects
    • a finite set of fields in each object
    • each field contains a boolean value, an integer value, or a reference to an object
  • For each field f, two operations Select and Update
    • Select(f,o) is the content of the memory at object o and field f
    • Update(f,o,v) is a new memory obtained by updating field f of object o to v
memory axioms
Memory axioms

for all objects o and o’, and memories m:

 o = o’  Select(Update(m,o,v),o’) = v

o  o’  Select(Update(m,o,v),o’) = Select(m,o’)

modeling memory operations
Modeling memory operations

Treat each field f as a map variable:

a = b.f a = Select(f,b)

a.f = b f = Update(f,a,b)

{ ? } a.f = 5 { a.f + b.f = 10 }

WP(a.f = 5, a.f + b.f = 10) 

WP(f = Update(f,a,5), Select(f,a) + Select(f,b) = 10) 

Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10

simplify using memory axiom
Simplify using memory axiom

Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10

iff

5 + Select(Update(f,a,5),b) = 10

iff

Select(Update(f,a,5),b) = 5

iff

 a = b  5 = 5

 a  b  Select(f,b) = 5

iff

a  b  Select(f,b) = 5

slide33

 Formula := A |   |   

A  Atom := b | t = 0 | t < 0 | t  0

t  Term := c | x | t + t | t – t | ct | Select(m,t)

m  MemTerm := f | Update(m,t,t)

b  SymBoolConst

x  SymIntConst

c  {…,-1,0,1,…}

decision procedures
Decision procedures
  • Boolean programs
    • Propositional satisfiability
  • Arithmetic programs
    • Propositional satisfiability modulo theory of linear arithmetic
  • Memory programs
    • Propositional satisfiability modulo theory of linear arithmetic + arrays