1 / 34

ECI 2007: Specification and Verification of Object-Oriented Programs

ECI 2007: Specification and Verification of Object-Oriented Programs. Lecture 4. Proving verification conditions. What is the decision procedure for proving validity of VC(f) ? Depends on the logic in which VC(f) is expressed. VC(f)  pre  VC(S, post). Verification condition logic.

heather
Download Presentation

ECI 2007: Specification and Verification of Object-Oriented Programs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 4

  2. Proving verification conditions • What is the decision procedure for proving validity of VC(f)? • Depends on the logic in which VC(f) is expressed VC(f)  pre  VC(S, post)

  3. Verification condition logic VC(f)  pre  VC(S, post) • Atoms connected by boolean operators • , , ,  • Atoms depend on the program variables and operations on them • boolean, integer, memory • Atoms depend on the language of assertions, i.e., program assertions, loop invariants, preconditions and postconditions • quantification, reachability predicate

  4. Assume each assertion is a quantifier-free boolean combination of expressions over program variables. • VC(f) is a boolean combination of atoms • Each atom is a relation over terms • Each term is built using functions and logical constants • Logical constants are different from program variables • program variables change over time • logical constants are fixed • The logical constants in VC(f) refer to the values of program variables at the beginning of f.

  5. Case I: Boolean programs • Boolean-valued variables and boolean operations •  Formula := A |  |    A  Atom := b b  SymBoolConst

  6. Example returns c requires true ensures c = a  b bool or(bool a, bool b) { if (a) c := true else c := b } S VC(S, c = a  b) = (a  true = a  b)  (a  b = a  b) Conjecture to be proved: true  (a  true = a  b)  (a  b = a  b)

  7. Case II: Arithmetic programs • In addition, integer-valued variables with affine operations •  Formula := A |   |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct b  SymBoolConst x  SymIntConst c  {…,-1,0,1,…}

  8. Example VC(B, t  0  c = a + b - t)  t - 1  0  c + 1 = a + b – (t – 1) returns c requires b >= 0 ensures c = a + b int add(int a, int b) { int t; t := b c := a invariant t  0  c = a + b - t while (t > 0) { c := c + 1 t := t - 1 } } VC(L, c = a + b)  t  0 c = a + b – t  (t  0  c = a + b – t   t > 0  t - 1  0  c + 1 = a + b – (t - 1)  t  0  c = a + b)[c0/c,t0/t] VC(L, c = a + b)  t  0 c = a + b – t  (t0 0  c0 = a + b – t0  t0 > 0  t0 - 1  0  c0 + 1 = a + b – (t0 - 1)  t0 0  c0 = a + b) A L B VC(A, c = a + b)  b  0 a = a + b – b  (t0 0  c0 = a + b – t0  t0 > 0  t0 - 1  0  c0 + 1 = a + b – (t0 - 1)  t0 0  c0 = a + b) Conjecture to be proved: b  0  VC(A, c = a + b)

  9. Case III: Memory programs • In addition, a memory with read and write operations • an unbounded set of objects • a finite set of fields in each object • each field contains a boolean value, an integer value, or a reference to an object • For each field f, two operations Select and Update • Select(f,o) is the content of the memory at object o and field f • Update(f,o,v) is a new memory obtained by updating field f of object o to v

  10. Memory axioms for all objects o and o’, and memories m:  o = o’  Select(Update(m,o,v),o’) = v o  o’  Select(Update(m,o,v),o’) = Select(m,o’)

  11. Modeling memory operations Treat each field f as a map variable: a = b.f a = Select(f,b) a.f = b f = Update(f,a,b) { ? } a.f = 5 { a.f + b.f = 10 } WP(a.f = 5, a.f + b.f = 10)  WP(f = Update(f,a,5), Select(f,a) + Select(f,b) = 10)  Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10

  12. Simplify using memory axiom Select(Update(f,a,5),a) + Select(Update(f,a,5),b) = 10 iff 5 + Select(Update(f,a,5),b) = 10 iff Select(Update(f,a,5),b) = 5 iff  a = b  5 = 5  a  b  Select(f,b) = 5 iff a  b  Select(f,b) = 5

  13.  Formula := A |   |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct | Select(m,t) m  MemTerm := f | Update(m,t,t) b  SymBoolConst x  SymIntConst c  {…,-1,0,1,…}

  14. Decision procedures • Boolean programs • Propositional satisfiability • Arithmetic programs • Propositional satisfiability modulo theory of linear arithmetic • Memory programs • Propositional satisfiability modulo theory of linear arithmetic + arrays

  15. Decision procedures • Boolean programs • Propositional satisfiability • Arithmetic programs • Propositional satisfiability modulo theory of linear arithmetic • Memory programs • Propositional satisfiability modulo theory of linear arithmetic + arrays

  16. Case I: Boolean programs • Boolean-valued variables and boolean operations •  Formula := b |  |    b  SymBoolConst

  17. SAT • First NP-complete problem (Cook 1972) • Davis-Putnam algorithm (1960) • resolution-based • may use exponential memory • Davis-Logemann-Loveland algorithm (1962) • search-based • basis for all successful modern solvers • Conflict-driven learning and non-chronological backtracking (1996) • resolution strikes back! • Amazing progress • GRASP, SATO, Chaff, ZChaff, BerkMin, …

  18. Conjunctive Normal Form •  CNF Formula ::= c1  c2  … cm • c  Clause ::= l1  l2  … ln • l  Literal ::= b | b • b  SymBoolConst • Unit clause ( l ) • a clause containing a single literal • Empty clause ( ) • a clause containing no literal • equivalent to false

  19. Conversion into CNF • In general, converting  into an equivalent CNF formula may result in an exponential blow-up • We are only interested in satisfiability of  • Convert into an equi-satisfiable CNF formula EQCNF() •  is satisfiable iff EQCNF() is satisfiable • size of EQCNF() is polynomial in size of 

  20. Conversion into CNF • Convert formula  into normal form NF() • NF() is polynomial in  • Convert  = NF() into equisatisfiable CNF formula EQCNF() • EQCNF() is polynomial in 

  21. Normal Form Normal form: NF()   Negated normal form: NNF()   NF(b) = b NNF(b) = b NF() = NNF() NNF() = NF() NF(1  2) = NF(1)  NF(1) NNF(1  2) = NNF(1)  NNF(2)

  22. Equi-satisfiable CNF Let  be a formula in normal form. For each subformula  of : - create a fresh symbol v in SymBoolConst Identify vb with b and vb with b Cl(b) = Cl(b) = true Cl() = Cl()  Cl()  (v v v)  (v  v)  (v  v) Cl() = Cl()  Cl()  (v  v v)  (v  v)  (v  v) EQCNF() = v  Cl()

  23. Resolution c1, c2 independent of b clauses (c1 b) (c2  b) (c1  c2) resolvent resolvent(b, c1 b, c2  b) = c1 c2 = b. (c1 b)  (c2  b)

  24. Theorem   (c1 b)  (c2  b) iff   (c1 b)  (c2  b)  (c1 c2) Adding the resolvent to the set of clauses does not affect the satisfiability of the clause set.

  25. Unit resolution One of the clauses being resolved is a unit clause ( b ) (c2  b) ( c2 ) ( b ) (c2  b) ( c2 ) Derivation of the empty clause (denoted by ) ( b ) ( b ) 

  26. Davis-Putnam algorithm (I) Given clause set C: Rule 1: If a clause (c  l  l) C, replace it with (c  l) Rule 2: If a clause (c  b  b) C, remove it from C Rule 3a: If b does not occur in any clause in C, remove every clause containing b from C Rule 3b: If b does not occur in any clause in C, remove every clause containing b from C

  27. Davis-Putnam algorithm (II) Saturate C w.r.t Rules 1, 2, 3a, and 3b while (C is nonempty) { Pick a variable b appearing in some clause in C C’ = { resolvent(b,c1,c2) | c1,c2 C } Saturate C’ w.r.t. Rules 1, 2, 3a, and 3b if (  C’) return unsatisfiable C = C’ } return satisfiable

  28. Rule 3a (b  c  f) (b  c) Resolve on b (c  c  f) Rule 2 Clause set is empty Satisfiable example (a  b  c) (b  c  f) (b  c)

  29. Unsatisfiable example (a  b) (a b) (a  c) (a  c) Pick b ( a ) (a  c) (a  c) Pick a ( c ) ( c ) Pick c 

  30. Correctness Saturate C w.r.t Rules 1, 2, 3a, and 3b while (C is nonempty) { Pick a variable b appearing in some clause in C C’ = { resolvent(b,c1,c2) | c1,c2 C } Saturate C’ w.r.t. Rules 1, 2, 3a, and 3b if (  C’) return unsatisfiable C = C’ } return satisfiable Two observations: - Each of the rules 1, 2, 3a, and 3b preserve satisfiability - C’ = b. C

  31. Memory explosion Saturate C w.r.t Rules 1, 2, 3a, and 3b while (C is nonempty) { Pick a variable b appearing in some clause in C C’ = { resolvent(b,c1,c2) | c1,c2 C } Saturate C’ w.r.t. Rules 1, 2, 3a, and 3b if (  C’) return unsatisfiable C = C’ } return satisfiable Let n be the number of clauses in the input clause set Number of clauses after i-th iteration of loop: O(n^(2^i))

  32. Davis-Logemann-Loveland algorithm Slides 42-72 of sat_course1.pdf Download from: http://research.microsoft.com/users/lintaoz/SATSolving/satsolving.htm

  33. Davis-Logemann-Loveland algorithm • Eliminates exponential memory requirement • Might still need exponential time

  34. Conflict-driven learning and non-chronological backtracking Slides 2-20 of sat_course2.pdf Download from: http://research.microsoft.com/users/lintaoz/SATSolving/satsolving.htm

More Related