Program Verification - PowerPoint PPT Presentation

Title: Program Verification

Description: Verification of Sequential and Concurrent Programs -Krzysztof R. Apt ... By Assignment Axiom Again: {(quo 1) y (rem y) = x rem y 0} ... – PowerPoint PPT presentation

Slides: 27
Provided by: dengpi

Transcript and Presenter's Notes

1
Program Verification
  • Verification of Sequential and Concurrent
    Programs
  • -Krzysztof R. Apt
  • An Axiomatic Basis for Computer Programming
  • -C. A. R. Hoare

Presented by Dengping Zhu
2
Introduction
  • Problem: how to verify whether or not a program
    carries out its intended function?
  • Example (extended Euclid's algorithm), written in SML:

      fun ExEuclid (a, b) =
        if b = 0 then (a, 1, 0)
        else
          let val (d, x, y) = ExEuclid (b, a mod b)
          in (d, y, x - (a div b) * y)
          end

  • The intended result of ExEuclid (m, n) is a triple
    (d, a, b) with a*m + b*n = d. How do we prove that this
    algorithm works for all m and n?

3
Introduction
  • Floyd's approach: flow-chart assertions.
  • Take a flow chart for some algorithm.
  • Label each of the arrows with an assertion about
    the current state when computation traverses this
    arrow.
  • Prove that for each box, if any one of the
    assertions on the arrows leading into the box is
    true, then all of the assertions on the arrows
    leading away from the box are true after the
    operation.
  • Then it follows that all assertions are true
    during any execution of the algorithm (by
    induction on the number of steps).

4
Introduction
Flow chart for the extended Euclidean algorithm with Floyd's assertions
A1-A6 on the arrows (a', b' are auxiliary variables, t is a temporary):

  Start
  --[A1: m > 0, n > 0]-->
  a := 0, a' := 1, c := m, b := 1, b' := 0, d := n
  --[A2: c = m > 0, d = n > 0, a = b' = 0, a' = b = 1]-->
  q := quotient(c / d), r := remainder(c / d)          (also entered from A6 below)
  --[A3: am + bn = d, a'm + b'n = c = qd + r, 0 <= r < d, gcd(c, d) = gcd(m, n)]-->
  r = 0 ?
    Yes --[A4: am + bn = d = gcd(m, n)]--> Stop
    No  --[A5: am + bn = d, a'm + b'n = c = qd + r, 0 < r < d, gcd(c, d) = gcd(m, n)]-->
        c := d, d := r, t := a', a' := a, a := t - q*a, t := b', b' := b, b := t - q*b
        --[A6: am + bn = d, a'm + b'n = c, d > 0, gcd(c, d) = gcd(m, n)]--> back to the q, r box
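
Floyd's method can be exercised at run time: attach each assertion A1-A6 to the arrow it labels as an `assert`, and every run of the flow chart then checks that each box carries its incoming assertion to its outgoing ones. The Python below is an added example, not code from the slides or from Floyd; the primed variables a', b' are written a_p, b_p, and the temporary t is replaced by tuple assignments that use the old values on the right-hand side.

```python
from math import gcd
from typing import Tuple


def ext_euclid_floyd(m: int, n: int) -> Tuple[int, int, int]:
    """Walk the flow chart for extended Euclid, checking Floyd's assertions
    A1-A6 on every arrow.  Returns (d, a, b) with a*m + b*n == d == gcd(m, n).
    a_p and b_p stand for the primed variables a' and b' of the chart.
    (Run without python -O, which strips assert statements.)
    """
    assert m > 0 and n > 0                                              # A1
    a, a_p, c, b, b_p, d = 0, 1, m, 1, 0, n                              # initialisation box
    assert c == m > 0 and d == n > 0 and a == b_p == 0 and a_p == b == 1  # A2
    while True:
        q, r = c // d, c % d                                            # quotient / remainder box
        assert a * m + b * n == d and a_p * m + b_p * n == c == q * d + r  # A3
        assert 0 <= r < d and gcd(c, d) == gcd(m, n)
        if r == 0:
            assert a * m + b * n == d == gcd(m, n)                      # A4: the specification
            return d, a, b
        assert 0 < r < d                                                # A5 (the rest is as in A3)
        # Update box: c := d, d := r, t := a', a' := a, a := t - q*a and
        # likewise for b; each tuple assignment reads the old values.
        c, d = d, r
        a_p, a = a, a_p - q * a
        b_p, b = b, b_p - q * b
        assert a * m + b * n == d and a_p * m + b_p * n == c and d > 0  # A6
        assert gcd(c, d) == gcd(m, n)                                   # ... and back to the q, r box


def check_all(limit: int) -> bool:
    """Exercise every arrow for all 1 <= m, n <= limit; True if no assertion fails
    and every result meets the specification a*m + b*n == d == gcd(m, n)."""
    for m in range(1, limit + 1):
        for n in range(1, limit + 1):
            d, a, b = ext_euclid_floyd(m, n)
            if a * m + b * n != d or d != gcd(m, n):
                return False
    return True
```

A failing `assert` names the arrow whose assertion broke, which is exactly the box-by-box proof obligation of the previous slide, only tested on concrete inputs instead of proved for all of them.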
5
Hoare Logic
  • In 1969, Hoare formalized this idea as the triple

      $\{P\}\ Q\ \{R\}$

    with precondition $P$, program $Q$ and postcondition $R$:
    if the assertion $P$ is true before initiation of a
    program $Q$, then the assertion $R$ will be true on
    its completion.
6
Schedule
  • Define the syntax
  • Introduce its operational semantics
  • Study the proof theory
  • Soundness
  • Completeness

We focus on sequential deterministic programs.
7
Syntax
  • S ::= skip
        | u := t
        | S1; S2
        | if B then S1 else S2 fi
        | while B do S1 od
  • Abbreviation:
    if B then S fi  ≡  if B then S else skip fi

8
Semantics
  • State: a mapping that assigns to every simple and
    array variable of type $T$ a value in the domain
    $D_T$.
  • For example $D_{\mathrm{int}} = \{\ldots, -1, 0, 1, \ldots\}$.
  • $\bot$ is a special state that stands for divergence.
  • Semantics is a mapping $\mathcal{M}[\![S]\!]$ from initial
    states to final states.
  • We specify a transition relation $\to$ first, then
    define $\mathcal{M}[\![S]\!]$ with the help of $\to$.

9
Transition Relation →
  • It is a relation between configurations of an
    abstract machine.
  • A configuration is simply a pair $\langle S, \sigma\rangle$, where $S$
    is a program and $\sigma$ is a state.
  • For example, the transition
      $\langle S, \sigma\rangle \to \langle R, \tau\rangle$
    means that executing $S$ one step in state $\sigma$ can
    lead to state $\tau$ with $R$ being the remainder of the
    program ($E$ denotes the empty program: nothing left to execute).

10
Transition Relation →
  • $\langle \mathbf{skip}, \sigma\rangle \to \langle E, \sigma\rangle$,
  • $\langle u := t, \sigma\rangle \to \langle E, \sigma[u := \sigma(t)]\rangle$,
  • $\langle \mathbf{if}\ B\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}, \sigma\rangle \to \langle S_1, \sigma\rangle$
    where $\sigma \models B$,
  • $\langle \mathbf{if}\ B\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}, \sigma\rangle \to \langle S_2, \sigma\rangle$
    where $\sigma \models \neg B$,
  • $\langle \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{od}, \sigma\rangle \to \langle S;\ \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{od}, \sigma\rangle$
    where $\sigma \models B$,
  • $\langle \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{od}, \sigma\rangle \to \langle E, \sigma\rangle$
    where $\sigma \models \neg B$.
  • Sequential composition executes its first component one step:
    if $\langle S_1, \sigma\rangle \to \langle S_2, \tau\rangle$ then
    $\langle S_1; S, \sigma\rangle \to \langle S_2; S, \tau\rangle$, where $E; S$ is
    identified with $S$.

11
Operational Semantics
  • Let $\to^*$ stand for the transitive, reflexive
    closure of $\to$.
  • Partial correctness semantics:
      $\mathcal{M}[\![S]\!](\sigma) = \{\tau \mid \langle S, \sigma\rangle \to^* \langle E, \tau\rangle\}$
  • Total correctness semantics:
      $\mathcal{M}_{tot}[\![S]\!](\sigma) = \mathcal{M}[\![S]\!](\sigma) \cup \{\bot \mid S \text{ can diverge from } \sigma\}$

12
Proof Theory
  • Correctness formula: $\{p\}\ S\ \{q\}$
  • $p$ and $q$ are assertions, $S$ is a program.
  • Define $[\![p]\!] = \{\sigma \mid \sigma \text{ is a state and } \sigma \models p\}$.
  • Partial correctness:
      $\models \{p\}\ S\ \{q\}$ if $\mathcal{M}[\![S]\!]([\![p]\!]) \subseteq [\![q]\!]$
  • Total correctness:
      $\models_{tot} \{p\}\ S\ \{q\}$ if $\mathcal{M}_{tot}[\![S]\!]([\![p]\!]) \subseteq [\![q]\!]$
    (since $\bot \notin [\![q]\!]$, this also requires that $S$ cannot
    diverge from any state in $[\![p]\!]$).

13
Example
  • A program $S$:
      a[0] := 1;
      a[1] := 0;
      while a[x] ≠ 0 do x := x + 1 od
  • Need to show that $\{x = 0\}\ S\ \{x = 1\}$ in the sense of
    partial correctness.
  • We can reason in terms of semantics.

14
Example
  • Let $\sigma$ be a state in which $x$ is 0.
  • Let $\sigma'$ stand for $\sigma[a[0] := 1][a[1] := 0]$.
  • $\langle S, \sigma\rangle$
    $\to \langle a[1] := 0;\ \mathbf{while}\ a[x] \ne 0\ \mathbf{do}\ x := x + 1\ \mathbf{od}, \sigma[a[0] := 1]\rangle$
    $\to \langle \mathbf{while}\ a[x] \ne 0\ \mathbf{do}\ x := x + 1\ \mathbf{od}, \sigma'\rangle$
    $\to \langle x := x + 1;\ \mathbf{while}\ a[x] \ne 0\ \mathbf{do}\ x := x + 1\ \mathbf{od}, \sigma'\rangle$
    $\to \langle \mathbf{while}\ a[x] \ne 0\ \mathbf{do}\ x := x + 1\ \mathbf{od}, \sigma'[x := 1]\rangle$
    $\to \langle E, \sigma'[x := 1]\rangle$
  • So $\mathcal{M}[\![S]\!](\sigma) = \{\sigma'[x := 1]\}$, a state in which $x$ is 1.
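
The transition relation of slides 9-10, the semantics of slide 11 and the derivation on slide 14 can all be run mechanically. The interpreter below is an added example, not code from the slides or from Apt's book: programs are small dataclasses, a state is a dict from variable or array-cell names to integers (cells never written read as 0, an assumption made for convenience), and `step` implements one transition, including the sequential-composition rule that slide 10 leaves implicit. Divergence is undecidable, so `run` approximates the $\bot$ case of $\mathcal{M}_{tot}$ with a step budget and reports only whether termination was observed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple, Union

# A state maps simple variables ("x") and array cells ("a[0]") to integers.
# Cells that were never written read as 0 (assumption, keeps states finite).
State = Dict[str, int]


def read(s: State, name: str) -> int:
    return s.get(name, 0)


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Assign:       # u := t; lhs evaluates the target in the current state (a[x] -> "a[1]")
    lhs: Callable[[State], str]
    rhs: Callable[[State], int]


@dataclass(frozen=True)
class Seq:          # S1; S2
    s1: "Stmt"
    s2: "Stmt"


@dataclass(frozen=True)
class If:           # if B then S1 else S2 fi
    cond: Callable[[State], bool]
    s1: "Stmt"
    s2: "Stmt"


@dataclass(frozen=True)
class While:        # while B do S od
    cond: Callable[[State], bool]
    body: "Stmt"


Stmt = Union[Skip, Assign, Seq, If, While]
E = None            # the empty program
Config = Tuple[Optional[Stmt], State]


def step(cfg: Config) -> Config:
    """One transition <S, sigma> -> <R, tau> of the abstract machine (slide 10)."""
    prog, s = cfg
    if isinstance(prog, Skip):                                  # <skip, s> -> <E, s>
        return E, s
    if isinstance(prog, Assign):                                # <u := t, s> -> <E, s[u := s(t)]>
        return E, {**s, prog.lhs(s): prog.rhs(s)}
    if isinstance(prog, Seq):                                   # <S1, s> -> <R, t> gives
        rest, t = step((prog.s1, s))                            # <S1; S2, s> -> <R; S2, t>, E; S2 = S2
        return (prog.s2 if rest is E else Seq(rest, prog.s2)), t
    if isinstance(prog, If):                                    # branch on s |= B
        return (prog.s1 if prog.cond(s) else prog.s2), s
    if isinstance(prog, While):                                 # unfold once, or exit with E
        return (Seq(prog.body, prog) if prog.cond(s) else E), s
    raise ValueError(f"not a program: {prog!r}")


def run(prog: Stmt, s: State, fuel: int = 10_000) -> Optional[Tuple[State, int]]:
    """Follow ->* from <prog, s>.  Returns (final state, steps) once <E, tau> is
    reached, or None if the budget runs out first.  None only means termination
    was not observed; a bounded run cannot prove the divergence behind bottom."""
    cfg: Config = (prog, s)
    steps = 0
    while cfg[0] is not E:
        if steps == fuel:
            return None
        cfg = step(cfg)
        steps += 1
    return cfg[1], steps


def holds_partial(pre, prog, post, states: Iterable[State], fuel: int = 10_000) -> bool:
    """|= {pre} prog {post} restricted to `states`: every run from a pre-state that
    terminates within the budget ends in a post-state; non-terminating runs are
    ignored, which is what partial correctness means."""
    for s in states:
        if pre(s):
            result = run(prog, s, fuel)
            if result is not None and not post(result[0]):
                return False
    return True


# The program S of slides 13-14:  a[0] := 1; a[1] := 0; while a[x] != 0 do x := x + 1 od
S = Seq(
    Assign(lambda s: "a[0]", lambda s: 1),
    Seq(
        Assign(lambda s: "a[1]", lambda s: 0),
        While(lambda s: read(s, f"a[{read(s, 'x')}]") != 0,
              Assign(lambda s: "x", lambda s: read(s, "x") + 1)),
    ),
)


def slide14_run() -> Optional[Tuple[State, int]]:
    """Replay slide 14: from a state with x = 0 the machine reaches <E, sigma'[x := 1]> in five steps."""
    return run(S, {"x": 0})
```

The five configurations visited by `slide14_run` are the five arrows of the derivation above; `holds_partial` is the slide-12 definition of $\models \{p\}\ S\ \{q\}$ restricted to a finite set of initial states, and it is silent about states from which the budget is exhausted, which is why a loop such as `while true do skip od` is partially correct with respect to any postcondition.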

15
A Better Approach
  • The previous one is not very convenient.
  • Why not reason directly on the level of
    correctness formulas?
  • Following Hoare, we introduce a proof system PD.
  • With it we can prove partial correctness of deterministic
    programs in a syntax-directed manner.

16
Partial Correctness
  • Axiom 1 (Skip): $\{p\}\ \mathbf{skip}\ \{p\}$
  • Axiom 2 (Assignment): $\{p[u := t]\}\ u := t\ \{p\}$
  • Rule 3 (Composition):
      $\frac{\{p\}\ S_1\ \{r\},\quad \{r\}\ S_2\ \{q\}}{\{p\}\ S_1;\ S_2\ \{q\}}$
  • Rule 4 (Conditional):
      $\frac{\{p \wedge B\}\ S_1\ \{q\},\quad \{p \wedge \neg B\}\ S_2\ \{q\}}{\{p\}\ \mathbf{if}\ B\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}\ \{q\}}$
  • Rule 5 (Loop):
      $\frac{\{p \wedge B\}\ S\ \{p\}}{\{p\}\ \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{od}\ \{p \wedge \neg B\}}$
  • Rule 6 (Consequence):
      $\frac{p \to p_1,\quad \{p_1\}\ S\ \{q_1\},\quad q_1 \to q}{\{p\}\ S\ \{q\}}$
  • PD consists of Axioms 1-2 and Rules 3-6.

17
Example
  • $\mathit{DIV} \equiv \mathit{quo} := 0;\ \mathit{rem} := x;\ S$, where
      $S \equiv \mathbf{while}\ \mathit{rem} \ge y\ \mathbf{do}\ \mathit{rem} := \mathit{rem} - y;\ \mathit{quo} := \mathit{quo} + 1\ \mathbf{od}$.
  • Wish to show that
      $\models \{x \ge 0 \wedge y \ge 0\}\ \mathit{DIV}\ \{\mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y\}$.   (1)
  • To prove (1), we prove
      $\vdash_{PD} \{x \ge 0 \wedge y \ge 0\}\ \mathit{DIV}\ \{\mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y\}$   (2)
    in PD.
  • Choose as loop invariant of $S$
      $p \equiv \mathit{quo} \cdot y + \mathit{rem} = x \wedge \mathit{rem} \ge 0$.

18
Example cont
  • Three sub-goals:
      $\{x \ge 0 \wedge y \ge 0\}\ \mathit{quo} := 0;\ \mathit{rem} := x\ \{p\}$   (3)
      $\{p \wedge \mathit{rem} \ge y\}\ \mathit{rem} := \mathit{rem} - y;\ \mathit{quo} := \mathit{quo} + 1\ \{p\}$   (4)
    which implies $\{p\}\ S\ \{p \wedge \neg(\mathit{rem} \ge y)\}$ (by Loop rule)   (5)
      $p \wedge \neg(\mathit{rem} \ge y) \to \mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y$   (6)
  • Applying Composition rule to (3) and (5),
      $\{x \ge 0 \wedge y \ge 0\}\ \mathit{DIV}\ \{p \wedge \neg(\mathit{rem} \ge y)\}$   (7)
  • Then by (6) and (7), (2) holds (applying
    Consequence rule).

19
Example cont
  • Let us prove the sub-goal (4).
  • By Assignment axiom:
      $\{(\mathit{quo} + 1) \cdot y + \mathit{rem} = x \wedge \mathit{rem} \ge 0\}\ \mathit{quo} := \mathit{quo} + 1\ \{p\}$
  • By Assignment axiom again:
      $\{(\mathit{quo} + 1) \cdot y + (\mathit{rem} - y) = x \wedge \mathit{rem} - y \ge 0\}\ \mathit{rem} := \mathit{rem} - y\ \{(\mathit{quo} + 1) \cdot y + \mathit{rem} = x \wedge \mathit{rem} \ge 0\}$
  • By Composition rule:
      $\{(\mathit{quo} + 1) \cdot y + (\mathit{rem} - y) = x \wedge \mathit{rem} - y \ge 0\}\ \mathit{rem} := \mathit{rem} - y;\ \mathit{quo} := \mathit{quo} + 1\ \{p\}$
  • Moreover
      $p \wedge \mathit{rem} \ge y \to (\mathit{quo} + 1) \cdot y + (\mathit{rem} - y) = x \wedge \mathit{rem} - y \ge 0$.
  • Then (4) holds by Consequence rule.

20
Total Correctness
  • We cannot establish termination of programs with
    PD. For example, DIV diverges when $y = 0$.
  • Refine the loop rule. Rule 7:
      $\frac{\{p \wedge B\}\ S\ \{p\},\quad \{p \wedge B \wedge t = z\}\ S\ \{t < z\},\quad p \to t \ge 0}{\{p\}\ \mathbf{while}\ B\ \mathbf{do}\ S\ \mathbf{od}\ \{p \wedge \neg B\}}$
    where $t$ is an integer expression and $z$ is an integer
    variable that does not appear in $p$, $B$, $t$ or $S$.
  • $t$ is called a bound function of the loop.
  • TD is PD with the Loop rule (Rule 5) replaced by Rule 7.

21
Example
  • Wish to show that
      $\models_{tot} \{x \ge 0 \wedge y > 0\}\ \mathit{DIV}\ \{\mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y\}$.   (8)
  • Thus, we need to prove
      $\vdash_{TD} \{x \ge 0 \wedge y > 0\}\ \mathit{DIV}\ \{\mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y\}$   (9)
    in TD.
  • Loop invariant of $S$:
      $p' \equiv p \wedge y > 0$, where $p \equiv \mathit{quo} \cdot y + \mathit{rem} = x \wedge \mathit{rem} \ge 0$.
  • Let $t \equiv \mathit{rem}$ be the bound function.

22
Example
  • We need to prove the following sub-goals:
      $\{x \ge 0 \wedge y > 0\}\ \mathit{quo} := 0;\ \mathit{rem} := x\ \{p'\}$   (10)
      $\{p' \wedge \mathit{rem} \ge y\}\ \mathit{rem} := \mathit{rem} - y;\ \mathit{quo} := \mathit{quo} + 1\ \{p'\}$   (11)
      $\{p' \wedge \mathit{rem} \ge y \wedge \mathit{rem} = z\}\ \mathit{rem} := \mathit{rem} - y;\ \mathit{quo} := \mathit{quo} + 1\ \{\mathit{rem} < z\}$   (12)
      $p' \to \mathit{rem} \ge 0$   (13)
      $p' \wedge \neg(\mathit{rem} \ge y) \to \mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y$   (14)
  • By the new Loop rule, (11), (12) and (13) imply
    $\{p'\}\ S\ \{p' \wedge \neg(\mathit{rem} \ge y)\}$. The rest of the proof
    is similar to that in PD.
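
Each sub-goal of the PD proof (slides 17-19) and of the TD proof (slides 21-22) is an implication between assertions about one state and the state after one loop body, so over a finite domain they can be checked exhaustively before attempting the proof. The Python below is an added example, not the slides' proof: `loop_obligations` evaluates the premises of Rule 5 and Rule 7 together with the initialisation and exit implications, `check_div_pd` and `check_div_td` apply it to DIV with the invariants $p$ and $p'$ of the slides, and `check_div_td_without_y_positive` shows on concrete states why $t \equiv \mathit{rem}$ is no bound function without $y > 0$ (the "DIV diverges when $y = 0$" remark of slide 20). The state box is an arbitrary choice of this example.

```python
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional

State = Dict[str, int]
Assertion = Callable[[State], bool]
Transformer = Callable[[State], State]


# DIV ≡ quo := 0; rem := x; while rem >= y do rem := rem - y; quo := quo + 1 od  (slide 17)
def div_init(s: State) -> State:        # quo := 0; rem := x
    return {**s, "quo": 0, "rem": s["x"]}

def div_body(s: State) -> State:        # rem := rem - y; quo := quo + 1
    return {**s, "rem": s["rem"] - s["y"], "quo": s["quo"] + 1}

def div_guard(s: State) -> bool:        # B ≡ rem >= y
    return s["rem"] >= s["y"]

def inv_p(s: State) -> bool:            # p ≡ quo*y + rem = x ∧ rem >= 0   (slide 17)
    return s["quo"] * s["y"] + s["rem"] == s["x"] and s["rem"] >= 0

def inv_p_tot(s: State) -> bool:        # p' ≡ p ∧ y > 0                    (slide 21)
    return inv_p(s) and s["y"] > 0

def post(s: State) -> bool:             # quo*y + rem = x ∧ 0 <= rem < y
    return s["quo"] * s["y"] + s["rem"] == s["x"] and 0 <= s["rem"] < s["y"]

def pre_pd(s: State) -> bool:           # x >= 0 ∧ y >= 0  (slide 17)
    return s["x"] >= 0 and s["y"] >= 0

def pre_td(s: State) -> bool:           # x >= 0 ∧ y > 0   (slide 21)
    return s["x"] >= 0 and s["y"] > 0

def bound_rem(s: State) -> int:         # t ≡ rem
    return s["rem"]


def loop_obligations(pre: Assertion, init: Transformer, p: Assertion, guard: Assertion,
                     body: Transformer, q: Assertion, states: Iterable[State],
                     t: Optional[Callable[[State], int]] = None) -> Dict[str, List[State]]:
    """Check, on every state in `states`, the sub-goals of a proof of
    {pre} init; while guard do body od {q}: init establishes p, body preserves p
    (premise of Rule 5), exit implies q,  and, given a bound function t, the two
    extra premises of Rule 7.  Returns the violating states per obligation."""
    bad: Dict[str, List[State]] = {"init (3)/(10)": [], "preserve (4)/(11)": [],
                                   "bound decreases (12)": [], "bound nonneg (13)": [],
                                   "exit (6)/(14)": []}
    for s in states:
        if pre(s) and not p(init(s)):
            bad["init (3)/(10)"].append(s)
        if not p(s):
            continue                                   # the rest only concerns p-states
        if t is not None and t(s) < 0:                 # p -> t >= 0
            bad["bound nonneg (13)"].append(s)
        if guard(s):
            s2 = body(s)
            if not p(s2):                              # {p ∧ B} body {p}
                bad["preserve (4)/(11)"].append(s)
            if t is not None and not t(s2) < t(s):     # {p ∧ B ∧ t = z} body {t < z}, z = t(s)
                bad["bound decreases (12)"].append(s)
        elif not q(s):                                 # p ∧ ¬B -> q
            bad["exit (6)/(14)"].append(s)
    return bad


def div_states(max_x: int = 10, max_y: int = 4) -> Iterable[State]:
    """All states over a small box (negative rem included; such states simply fail p)."""
    for x, y, quo, rem in product(range(max_x + 1), range(max_y + 1),
                                  range(max_x + 1), range(-max_y, max_x + 1)):
        yield {"x": x, "y": y, "quo": quo, "rem": rem}


def check_div_pd() -> Dict[str, List[State]]:
    """Sub-goals (3), (4), (6) of the PD proof (slide 18): every list comes back empty."""
    return loop_obligations(pre_pd, div_init, inv_p, div_guard, div_body, post, div_states())


def check_div_td() -> Dict[str, List[State]]:
    """Sub-goals (10)-(14) of the TD proof (slide 22) with p' and t ≡ rem: every list empty."""
    return loop_obligations(pre_td, div_init, inv_p_tot, div_guard, div_body, post,
                            div_states(), t=bound_rem)


def check_div_td_without_y_positive() -> Dict[str, List[State]]:
    """Same bound function, but the weaker invariant p: only (12) fails, and exactly
    on states with y = 0, the states from which DIV diverges (slide 20)."""
    return loop_obligations(pre_pd, div_init, inv_p, div_guard, div_body, post,
                            div_states(), t=bound_rem)
```

A check of this kind is not a proof (the domain is finite and the quantifier over $z$ is instantiated as the current value of $t$), but it locates a wrong invariant or bound function before any rule is applied, and the failing states it returns are the counterexamples a proof attempt would otherwise run into.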

23
Soundness
  • Question: did we really prove (8)?
      $\models_{tot} \{x \ge 0 \wedge y > 0\}\ \mathit{DIV}\ \{\mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y\}$   (8)
  • In fact, we interpreted a proof of (9) as (8):
      $\vdash_{TD} \{x \ge 0 \wedge y > 0\}\ \mathit{DIV}\ \{\mathit{quo} \cdot y + \mathit{rem} = x \wedge 0 \le \mathit{rem} < y\}$   (9)
  • It is correct provided we prove the soundness of
    PD and TD.
  • Consider total correctness. TD is sound if
    $\vdash_{TD} \varphi$ implies $\models_{tot} \varphi$.
  • A proof rule $\frac{\varphi_1, \ldots, \varphi_k}{\varphi_{k+1}}$ is sound for total
    correctness if the truth of $\varphi_1, \ldots, \varphi_k$ implies the
    truth of $\varphi_{k+1}$.

24
Soundness
  • Theorem: the proof system TD is sound for total
    correctness of deterministic programs.
  • Proof: we only need to prove that
  • all axioms of TD are true, and
  • all proof rules are sound;
  • the theorem then follows by induction on the length of proofs.

25
Completeness (TD)
  • TD is complete for total correctness if
    $\models_{tot} \varphi$ implies $\vdash_{TD} \varphi$.
  • Weakest precondition: $\mathit{wp}(S, \Phi) = \{\sigma \mid \mathcal{M}_{tot}[\![S]\!](\sigma) \subseteq \Phi\}$
    for a set of states $\Phi$; below an assertion $q$ stands for $[\![q]\!]$.
  • (1) $\mathit{wp}(\mathbf{skip}, q) = q$
  • (2) $\mathit{wp}(u := t, q) = q[u := t]$
  • (3) $\mathit{wp}(S_1;\ S_2, q) = \mathit{wp}(S_1, \mathit{wp}(S_2, q))$
  • (4) $\mathit{wp}(\mathbf{if}\ B\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2\ \mathbf{fi}, q) = (B \wedge \mathit{wp}(S_1, q)) \vee (\neg B \wedge \mathit{wp}(S_2, q))$
  • (5) $\mathit{wp}(S, q) \wedge B \to \mathit{wp}(S_1, \mathit{wp}(S, q))$, where
    $S \equiv \mathbf{while}\ B\ \mathbf{do}\ S_1\ \mathbf{od}$
  • (6) $\mathit{wp}(S, q) \wedge \neg B \to q$, where $S \equiv \mathbf{while}\ B\ \mathbf{do}\ S_1\ \mathbf{od}$
  • (7) $\models_{tot} \{p\}\ S\ \{q\}$ iff $p \to \mathit{wp}(S, q)$
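
Rules (1)-(4) make $\mathit{wp}$ computable for loop-free programs by textual substitution, which is also how sub-goal (4) was discharged on slide 19: two uses of the assignment axiom, quo first and rem second. The Python below is an added example, not code from the slides: assertions and expressions are kept as Python source, the substitution $q[u := t]$ is performed on the parsed syntax tree (so `rem := rem - y` does not re-substitute into the inserted expression), and `holds` evaluates a formula in a state with `eval`, applied only to formulas this code built itself, never to untrusted text. `ast.unparse` needs Python 3.9 or later.

```python
import ast
import copy
from dataclasses import dataclass
from typing import Dict, Iterable, Union


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Assign:       # u := t, with t as Python source over integer variables
    var: str
    expr: str


@dataclass(frozen=True)
class Seq:          # S1; S2
    s1: "Stmt"
    s2: "Stmt"


@dataclass(frozen=True)
class If:           # if B then S1 else S2 fi, with B as Python source
    cond: str
    s1: "Stmt"
    s2: "Stmt"


Stmt = Union[Skip, Assign, Seq, If]      # the loop-free fragment covered by rules (1)-(4)


class _Subst(ast.NodeTransformer):
    """Replace each occurrence of one variable by an expression.  The inserted
    expression is not visited again, so the substitution is simultaneous:
    (rem >= 0)[rem := rem - y] becomes rem - y >= 0 and stops there."""

    def __init__(self, var: str, expr: ast.expr) -> None:
        self.var, self.expr = var, expr

    def visit_Name(self, node: ast.Name) -> ast.expr:
        return copy.deepcopy(self.expr) if node.id == self.var else node


def substitute(q: str, var: str, expr: str) -> str:
    """q[var := expr], the textual substitution of the assignment axiom / rule (2)."""
    q_tree = ast.parse(q, mode="eval")
    e_tree = ast.parse(expr, mode="eval").body
    return ast.unparse(_Subst(var, e_tree).visit(q_tree))


def wp(s: Stmt, q: str) -> str:
    """Weakest precondition of a loop-free program for postcondition q, by rules (1)-(4)."""
    if isinstance(s, Skip):                          # (1) wp(skip, q) = q
        return q
    if isinstance(s, Assign):                        # (2) wp(u := t, q) = q[u := t]
        return substitute(q, s.var, s.expr)
    if isinstance(s, Seq):                           # (3) wp(S1; S2, q) = wp(S1, wp(S2, q))
        return wp(s.s1, wp(s.s2, q))
    if isinstance(s, If):                            # (4) (B ∧ wp(S1, q)) ∨ (¬B ∧ wp(S2, q))
        return f"({s.cond}) and ({wp(s.s1, q)}) or not ({s.cond}) and ({wp(s.s2, q)})"
    raise ValueError(f"not a loop-free program: {s!r}")


def holds(formula: str, state: Dict[str, int]) -> bool:
    """sigma |= formula.  eval runs only on formulas built by this module from
    its own literals, with builtins removed; never feed it untrusted text."""
    return bool(eval(formula, {"__builtins__": {}}, dict(state)))


def implies_everywhere(pre: str, post: str, states: Iterable[Dict[str, int]]) -> bool:
    """pre -> post on every given state (the side condition of the Consequence rule)."""
    return all(holds(post, s) for s in states if holds(pre, s))


# Slides 17 and 19: the loop body of DIV and its invariant p.
P = "quo * y + rem == x and rem >= 0"
DIV_BODY = Seq(Assign("rem", "rem - y"), Assign("quo", "quo + 1"))


def vc_slide19() -> str:
    """wp(rem := rem - y; quo := quo + 1, p): rule (3) substitutes for quo first and
    for rem second, exactly the two uses of the assignment axiom on slide 19."""
    return wp(DIV_BODY, P)


def sample_states(limit: int = 8) -> Iterable[Dict[str, int]]:
    """A small box of states (an arbitrary choice for checking implications)."""
    return ({"x": x, "y": y, "quo": quo, "rem": rem}
            for x in range(limit + 1) for y in range(limit + 1)
            for quo in range(limit + 1) for rem in range(limit + 1))
```

`vc_slide19()` returns `(quo + 1) * y + (rem - y) == x and rem - y >= 0`, the precondition of the composition step on slide 19, and `implies_everywhere(P + " and rem >= y", vc_slide19(), sample_states())` is the implication that closes sub-goal (4) via the Consequence rule. Loops are deliberately absent: (5) and (6) only constrain $\mathit{wp}$ for a while loop, they do not compute it, which is why the proof system needs an invariant supplied by the prover.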

26
Completeness (TD)
  • Theorem: TD is complete for total correctness of
    deterministic programs.
  • Proof: first we prove that for all $S$ and $q$,
      $\vdash_{TD} \{\mathit{wp}(S, q)\}\ S\ \{q\}$.
    This can be done by induction on the structure of
    $S$.
  • Now suppose $\models_{tot} \{p\}\ S\ \{q\}$; then by (7) we have
    $p \to \mathit{wp}(S, q)$. Thus
    $\vdash_{TD} \{p\}\ S\ \{q\}$ by the Consequence rule.