1 / 25

Program Verification -- new recipe for old problem

Program Verification -- new recipe for old problem. Zhou Chaochen Institute of Software, CAS zcc@ios.ac.cn. Computer Science. Computing System – Millions of simple instructions Bio System – DNA (A,T,G,C) Manufacturing vs Evolving Fundamental Issues

rianna
Download Presentation

Program Verification -- new recipe for old problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Verification -- new recipe for old problem Zhou Chaochen Institute of Software, CAS zcc@ios.ac.cn

  2. Computer Science • Computing System – Millions of simple instructions Bio System – DNA (A,T,G,C) Manufacturing vs Evolving • Fundamental Issues # Computability and Solvability # Algorithm Design and Analysis # Programming Methodology: Correctness, etc

  3. Program Correctness • Test: Debug vs Prove • Verification: Proof and Model Checking • Transformation: Curry-Howard Isomorphism, Intuitionistic Logic, …

  4. Assertion • Program Language – Artificial Language Assignment: x:=x-1 x:=e Loop: while x>0 do x:=x-1 while B do S Sequential Composition: S1;S2 …

  5. Intrinsic Logic Assignment: P(e){x:=e}P(x) x-1>0{x:=x-1}x>0 P(e) – Pre-Condition P(x) – Post-Condition

  6. Loop: If B&I{S}I then I{while B do S}I&~B Due to x>0&x>=0{x:=x-1}x>=0 hence x>=0 {while x>0 do x:=x-1} x>=0&~(x>0) I.e. x>=0{while}x=0 I – Invariant

  7. Sequential Composition: If P{S1}Q1, Q1=>Q2 and Q2{S2}Q, then P{S1;S2}Q … Pre, Post, Inv -- Assertion

  8. Program Verification • Partial Correctness x>=0 {FAC} y=x! If FAC terminates, then … Safety • Total Correctness Termination plus Partial Correctness Liveness (deadlock free, livelock free,…)

  9. Floyd Assertion & Hoare Logic • Robert Floyd: 1978 Turing Award Laureate. 1967 Assigning Meanings to Program. Inductive Assertion Method: Pre- and Post-Assertion • Tony Hoare: 1980 Turing Award Laureate. 1969 An Axiomatic Basis for Computer Programming. Hoare Logic: Pre- and Post-Condition, Invariant

  10. Assertion at Microsoft • Microsoft Office: 250k assertions (ASSERT macro) • Test: Dump instead of Crash (over half effort) • Simplifying Assumption: for the next version (Overflow,…) • Compile Time Check (Size,…) etc • Microsoft Windows: over 1000 different assertion macros • Bill Gates: Trustworthy Computing

  11. Verifying Compiler • A compiler which verifies correctness of program: a major challenge of Computer Science in 21 Century • Include assertions into programming languages (Eiffel, JML,…) • Improve program analysis tools in Industry (PREfix,…) Joint contributions from different mechanised proof technologies: a vast project unprecedented in Computer Science Academy • Legacy and Open Source Movement • IFIP workshop in 2005: Hoare and Misra, Shankar (He Jifeng, Zhang Jian,…) et al

  12. Software Model Checking • Given infinite value domain program is an infinite state system • Finite State Machine: BDD, CTL, 10^(100), … • Real Time System: Infinite State Machine

  13. Infinite State Model Checking • Reduction to Finite State System: Regional Graph (?) • Reduction to Linear Programming, Integer and Mixed Programming, (Zhou, Zhang, Yang and Kesten, Pnueli, Sifakis, Yovine)… Real Algebra (Tarski, Wu, Zhang, Yang, …) • Relation between the above two?

  14. Reduction to Linear Programming • Timed Automaton f (>=30) G B r (<=1) Over any interval greater or equal to 60 Bad states occupy no more than 20% of the interval

  15. A timed behaviour (f,t1),(r,t2),(f,t3) t1>=30, 0<=t2<=1,t3>=30 • Linear Programming Problem Constraints t1>=30, 0<=t2<=1, t3>=30 and t1+t2+t3>=60 Objective function 20*t2-(t1+t2+t3) • Reduce infinite many behaviour to finite many

  16. Program Termination • Ashish Tiwari, SRI (CAV 2004, LNCS 3114) • Undecidable in general • Linear Program while (B*x>b) do x:=A*x+c A,B – real matrices, x,b,c – real vectors • The termination problem for linear program is decidable

  17. P: while c*x>0 do x:=A*x • Intuition If v is an eigenvector of A with positive eigenvalue e, then A*v=e*v by definition, and A^n*v=e^n*v c*e^n*v=e^n*c*v So c*e^n*v has the same sign of c*v, as e>0 • P is not terminating with input x=v, where c*v>0

  18. Theorem: If P is not terminating then there exists a real eigenvector v of A, corresponding to positive eigenvalue, such that c*v>=0 Proof: If nonterminating, NT is not empty NT={x:c*A^i*x>0, i=0,1,…} Let NT’=NT+Boundary. NT’ is closed under A Applying Brouwer’s fixed point theorem there exists eigenvector v of A in NT’.

  19. Change into c*v>0 • Add more conditions to have necessary and sufficient conclusion • Generalise to general linear program

  20. Termination – Matrix Eigenvalue Stability – Matrix Eigenvalue • Termination characterization of linear programs is more complex than stability characterization for both continuous- and discrete-time linear systems

  21. As told by Yang Good to use off-line symbolic computation (Yang has developed a very powerful symbolic computation tools, called Bottema and Discoverer, for real algebra, including a complete discrimination system) • The deciding condition becomes 10^4 terms (of Dixon resultant) for 4-dimension, dozens for 3, and several for 2

  22. Invariant Generation • Abstract Interpretation (P. Cousot and R. Cousot POPL77): symbolic execution until a fixed point is reached • Linear Invariants for Linear Programs (Colon, Shankaranarayanan, Sipma CAV03): assume a linear invariant, and solve constraints (maybe nonlinear) on the coefficients of the linear invariant

  23. Reachability • Lafferriere, Pappas and Yovine (JSC 11,2001) • dX/dt = AX+Bu X,B – vectors, A – matrix, u – vector (control input) • X = F(x,u,t) x – vector (initial value of X)

  24. Reachability: state y is reachable from state x, if there exists u and t such that y=F(x,u,t) • Reduced to real algebraic formula (under certain conditions) • Quantifier elimination tools: REDLOG, QEPCAD • An example of the paper impossible to resolve by REDLOG and QEPCAD alone can be done by Yang’s tools easily (as told by Yang)

  25. Interdisciplinary Joint Effort • Decidability for real algebra is most fundamental result with respect to real numbers • Program verification is employing more mathematics, in particular real algebra • Strong in mechanical proving: Wu, Zhang, Yang,… Beautiful tools • Control theory much more mature than CS • We need your support and you can help us

More Related