A Simple Framework for Program Verification and its Mechanical Certification in Theorema

Tudor Jebelean, Mădălina Erașcu
Research Institute for Symbolic Computation, Johannes Kepler University, Linz, Austria
October 2012
Outline

The Theorema System
A Meta-Logic for Reasoning about Imperative Programs
  Syntax
  Semantics
  Partial Correctness
  Termination
Proof of Method
  Total Correctness
  Existence of the Function
Conclusion
The Theorema System (www.theorema.org)

Aims at computer support for:
- constructing mathematical models (logical theories)
- defining and testing algorithms
- proving, for algorithm verification or synthesis

Natural style (human like):
- notation (formula appearance)
- inference rules
- proof presentation
Syntax: Example

Program computing the GCD of two numbers using subtractions:

    Program["G", G[a, b],
      If[a = 0, Return[b]];
      If[b = 0, Return[a]];
      If[a ≥ b, a := G[a - b, b], a := G[a, b - a]];
      Return[a],
      Pre → a ≥ 0 ∧ b ≥ 0,
      Post → IsGCD[y, a, b]]

Program: a list of statements (assignment, conditional, return). It also contains terms and formulae from the object theory.
Syntax

The meta-level predicate Π checks the syntactical correctness of the program:
- the program contains only valid constructs,
- variables are initialized,
- every program path contains a Return.

Definition
1. $\Pi[P] \Longleftrightarrow \Pi[\{\bar{x}\}, P]$
2. $\Pi[V, \langle \mathrm{Return}[t] \rangle \smile P] \Longleftrightarrow \mathrm{Vars}[t] \subseteq V$
3. $\Pi[V, \langle v := t \rangle \smile P] \Longleftrightarrow \mathrm{Vars}[t] \subseteq V \wedge \Pi[V \cup \{v\}, P]$
4. $\Pi[V, \langle \mathrm{If}[\varphi, P_T, P_F] \rangle \smile P] \Longleftrightarrow \mathrm{Vars}[\varphi] \subseteq V \wedge \Pi[V, P_T \smile P] \wedge \Pi[V, P_F \smile P]$

The definition of Π is a set of logical formulae!
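The four rules of Π, run as a checker (an added example, not code from the slides or from the Theorema system). Statements are encoded as Python tuples of this example's own design; the GCD program is the one from the syntax example, and the three faulty programs are constructed here to show what each rule rejects: a use of an uninitialized variable, a path with no Return, and a variable that is initialized on one branch of an If but used after both branches rejoin.

```python
"""Added example (not from the slides or Theorema): the syntax predicate Π
as a checker over statement lists.  Statements are ('Return', t) |
(':=', v, t) | ('If', φ, [then], [else]); variables are str, constants int,
applications tuples (head, *args).  All names here are this example's own."""

def vars_of(t):
    """Vars[t]: the set of variables occurring in a term or formula."""
    if isinstance(t, str):
        return {t}
    if isinstance(t, tuple):
        return set().union(*(vars_of(x) for x in t[1:]))
    return set()                                  # integer constant

def pi(V, stmts):
    """Π[V, P] for the statement list P with initialized variables V.
    Rule 2 stops the walk at a Return, so an exhausted list means a path
    that never returned; an unknown construct is rejected."""
    if not stmts:
        return False                              # path without a Return
    s, rest = stmts[0], stmts[1:]
    if s[0] == 'Return':                          # rule 2: Vars[t] ⊆ V
        return vars_of(s[1]) <= V
    if s[0] == ':=':                              # rule 3: v becomes initialized
        return vars_of(s[2]) <= V and pi(V | {s[1]}, rest)
    if s[0] == 'If':                              # rule 4: both branches, then the rest
        phi, then, else_ = s[1:]
        return vars_of(phi) <= V and pi(V, then + rest) and pi(V, else_ + rest)
    return False                                  # not a valid construct

def check(params, prog):
    """Π[P] = Π[{x̄}, P] (rule 1): the parameters are the initialized variables."""
    return pi(set(params), prog)

# The GCD program of the slides, encoded as this example's data.
GCD = [('If', ('=', 'a', 0), [('Return', 'b')], []),
       ('If', ('=', 'b', 0), [('Return', 'a')], []),
       ('If', ('>=', 'a', 'b'), [(':=', 'a', ('G', ('-', 'a', 'b'), 'b'))],
                                [(':=', 'a', ('G', 'a', ('-', 'b', 'a')))]),
       ('Return', 'a')]

# Constructed faulty variants (not on the slides).
BAD_UNINIT = [(':=', 'a', ('-', 'a', 't')), ('Return', 'a')]    # t never initialized
BAD_NORET = [('If', ('=', 'a', 0), [('Return', 'b')], [])]      # else path has no Return
BAD_PATH = [('If', ('=', 'a', 0), [(':=', 'c', 1)], []),         # c initialized on one
            ('Return', 'c')]                                     # branch only
```

Because rule 4 continues each branch with the rest of the program (P_T ⌣ P and P_F ⌣ P), initialization is checked per path: BAD_PATH is rejected even though `c` is assigned somewhere before its use.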
Semantics: Example

Program: the GCD program of the syntax example.

Semantics:
- $(a \ge 0) \wedge (b \ge 0) \wedge (a = 0) \Longrightarrow G[a, b] = b$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b = 0) \Longrightarrow G[a, b] = a$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b \ne 0) \wedge (a \ge b) \Longrightarrow G[a, b] = G[a - b, b]$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b \ne 0) \wedge \neg(a \ge b) \Longrightarrow G[a, b] = G[a, b - a]$
Semantics

The meta-level function Σ creates a formula with the shape:
$$\forall_{\bar{x} : I_P} \; \bigwedge_{i=1}^{n} \big( p_i[\bar{x}] \Longrightarrow (f[\bar{x}] = g_i[\bar{x}]) \big)$$
- This is a logical formula at object level.
- This is the implicit definition of the function implemented by the program.
- This is the functional program equivalent to the imperative one.

Definition
1. $\Sigma[P] = \big( \forall_{\bar{x}} \; I_P[\bar{x}_0] \Longrightarrow \Sigma[\{\bar{x} \to \bar{x}_0\}, P] \big)_{\{\bar{x}_0 \leftarrow \bar{x}\}}$
2. $\Sigma[\sigma, \langle \mathrm{Return}[t] \rangle \smile P] = (f[\bar{x}_0] = t\sigma)$
3. $\Sigma[\sigma, \langle v := t \rangle \smile P] = \Sigma[\sigma \circ \{v \to t\sigma\}, P]$
4. $\Sigma[\sigma, \langle \mathrm{If}[\varphi, P_T, P_F] \rangle \smile P] = (\varphi\sigma \Longrightarrow \Sigma[\sigma, P_T \smile P]) \wedge (\neg\varphi\sigma \Longrightarrow \Sigma[\sigma, P_F \smile P])$
Partial Correctness: Example

Program: the GCD program of the syntax example.

Verification conditions:
- $(a \ge 0) \wedge (b \ge 0) \wedge (a = 0) \Longrightarrow \mathrm{IsGCD}[b, a, b]$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b = 0) \Longrightarrow \mathrm{IsGCD}[a, a, b]$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b \ne 0) \wedge (a \ge b) \Longrightarrow a - b \ge 0$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b \ne 0) \wedge (a \ge b) \Longrightarrow a - b \ge 0 \wedge b \ge 0$
- $(a \ge 0) \wedge (b \ge 0) \wedge (a \ne 0) \wedge (b \ne 0) \wedge (a \ge b) \wedge \mathrm{IsGCD}[x, a - b, b] \Longrightarrow \mathrm{IsGCD}[x, a, b]$
Partial Correctness

The meta-level function Γ generates two kinds of verification conditions:
- coherence (safety) conditions;
- functional conditions.

Definition
1. $\Gamma[P] = \big( \forall_{\bar{x}} \; \Gamma[\{\bar{x} \to \bar{x}_0\}, I_P[\bar{x}_0], P] \big)_{\{\bar{x}_0 \leftarrow \bar{x}\}}$
2. $\Gamma[\sigma, \Phi, \langle \mathrm{Return}[\gamma] \rangle \smile P] = (\Phi \Longrightarrow O_P[\bar{x}_0, \gamma\sigma])$
3. $\Gamma[\sigma, \Phi, \langle \mathrm{Return}[t_{\tau \leftarrow u[\gamma]}] \rangle \smile P] = \Gamma[\sigma, \Phi, \langle w := u[\gamma], \mathrm{Return}[t_{\tau \leftarrow w}] \rangle \smile P]$
4. $\Gamma[\sigma, \Phi, \langle v := \gamma \rangle \smile P] = \Gamma[\sigma \circ \{v \to \gamma\sigma\}, \Phi, P]$
5. $\Gamma[\sigma, \Phi, \langle v := h[\gamma] \rangle \smile P] = (\Phi \Longrightarrow I_h[\gamma\sigma]) \wedge \Gamma[\sigma \circ \{v \to h[\gamma\sigma]\}, \Phi \wedge I_h[\gamma\sigma], P]$
6. $\Gamma[\sigma, \Phi, \langle v := g[\gamma] \rangle \smile P] = (\Phi \Longrightarrow I_g[\gamma\sigma]) \wedge \Gamma[\sigma \circ \{v \to c\}, \Phi \wedge I_g[\gamma\sigma] \wedge O_g[\gamma\sigma, c], P]$
7. $\Gamma[\sigma, \Phi, \langle v := t_{\tau \leftarrow u[\gamma]} \rangle \smile P] = \Gamma[\sigma, \Phi, \langle w := u[\gamma], v := t_{\tau \leftarrow w} \rangle \smile P]$
8. $\Gamma[\sigma, \Phi, \langle \mathrm{If}[\varphi_{\tau \leftarrow u[\gamma]}, P_T, P_F] \rangle \smile P] = \Gamma[\sigma, \Phi, \langle w := u[\gamma], \mathrm{If}[\varphi_{\tau \leftarrow w}, P_T, P_F] \rangle \smile P]$
9. $\Gamma[\sigma, \Phi, \langle \mathrm{If}[\varphi, P_T, P_F] \rangle \smile P] = \Gamma[\sigma, \Phi \wedge \varphi\sigma, P_T \smile P] \wedge \Gamma[\sigma, \Phi \wedge \neg\varphi\sigma, P_F \smile P]$
Termination: Example

Program: the GCD program of the syntax example.

Termination condition:
$$\forall_{a, b :\, a \ge 0,\, b \ge 0} \Big( (a = 0 \Longrightarrow \pi[a, b]) \wedge (b = 0 \Longrightarrow \pi[a, b]) \wedge \big( (a \ne 0 \wedge b \ne 0 \wedge a \ge b \wedge \pi[a - b, b]) \Longrightarrow \pi[a, b] \big) \wedge \big( (a \ne 0 \wedge b \ne 0 \wedge a \not\ge b \wedge \pi[a, b - a]) \Longrightarrow \pi[a, b] \big) \Big) \Longrightarrow \forall_{a, b :\, a \ge 0,\, b \ge 0} \; \pi[a, b]$$

The termination condition is expressed at object level!
Termination

The meta-level function Θ generates one termination condition.

Definition
1. $\Theta[P] = \big( \forall_{\bar{x} : I_P} \; \Theta[\{\bar{x} \to \bar{x}_0\}, \mathrm{T}, P] \big)_{\{\bar{x}_0 \leftarrow \bar{x}\}} \Longrightarrow \forall_{\bar{x} : I_P} \; \pi[\bar{x}]$
2. $\Theta[\sigma, \Phi, \langle \mathrm{Return}[\gamma] \rangle \smile P] = (\Phi \Longrightarrow \pi[\bar{x}_0])$
3. $\Theta[\sigma, \Phi, \langle v := \gamma \rangle \smile P] = \Theta[\sigma \circ \{v \to \gamma\sigma\}, \Phi, P]$
4. $\Theta[\sigma, \Phi, \langle v := h[\gamma] \rangle \smile P] = \Theta[\sigma \circ \{v \to h[\gamma\sigma]\}, \Phi, P]$
5. $\Theta[\sigma, \Phi, \langle v := f[\gamma] \rangle \smile P] = \Theta[\sigma \circ \{v \to y\}, \Phi \wedge O_P[\gamma\sigma, y] \wedge \pi[\gamma\sigma], P]$
6. $\Theta[\sigma, \Phi, \langle v := g[\gamma] \rangle \smile P] = \Theta[\sigma \circ \{v \to y\}, \Phi \wedge O_g[\gamma\sigma, y], P]$
7. $\Theta[\sigma, \Phi, \langle \mathrm{If}[\varphi, P_T, P_F] \rangle \smile P] = \Theta[\sigma, \Phi \wedge \varphi\sigma, P_T \smile P] \wedge \Theta[\sigma, \Phi \wedge \neg\varphi\sigma, P_F \smile P]$
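The three meta-level functions Σ (semantics), Γ (partial correctness) and Θ (termination) share one forward walk over the statement list that differs only in what it emits at a Return and at a call. The generator below is an added example, not code from the slides or from the Theorema system: it implements the rules of the three definition slides on the GCD program and renders the resulting formulae in the slides' notation, so the Σ output can be compared with the semantics example and the Γ output with the partial-correctness example. Its assumptions, all this example's own: terms, formulae and statements are Python tuples; a substitution is stored with tσ already applied, so σ ∘ {v → tσ} is a dictionary update; the domain condition of natural-number subtraction is written as the slide prints it (a − b ≥ 0); the flattening of nested terms (Γ rules 3, 7, 8) is applied in all three modes, which changes nothing for Σ and Θ because their rules only substitute; the hypotheses accumulate exactly as rules 5 and 6 prescribe, so the domain conditions also appear as hypotheses of later conditions, which the example slide does not print; the termination clauses keep O_P[γσ, y] as Θ rule 5 states; fresh variables are named w1, c2, ... by a counter.

```python
"""Added example (not from the slides or Theorema): a verification-condition
generator following Σ, Γ and Θ rule by rule on the GCD program.  Terms and
formulae are tuples (head, *args), a variable is a str, a constant an int;
a substitution σ is a dict that already stores tσ, so σ ∘ {v -> tσ} is a dict
update.  Rule numbers in comments refer to the three definition slides."""
from itertools import count

def subst(t, sigma):                      # apply σ to a term or formula
    if isinstance(t, str): return sigma.get(t, t)
    if isinstance(t, tuple): return (t[0],) + tuple(subst(x, sigma) for x in t[1:])
    return t                              # integer constant

INFIX = {'=': '=', '!=': '≠', '>=': '≥', '-': '-'}
def show(t):                              # render in the slides' notation
    if not isinstance(t, tuple): return str(t)
    h, a = t[0], [show(x) for x in t[1:]]
    if h == 'not': return f'¬({a[0]})'
    if h == 'and': return ' ∧ '.join(a)
    if h in INFIX: return f'{a[0]} {INFIX[h]} {a[1]}'
    return f'{h}[{", ".join(a)}]'

def neg(phi):                             # ¬(a = 0) is printed a ≠ 0, as on the slides
    return ('!=',) + phi[1:] if phi[0] == '=' else ('not', phi)
def conj(phis): return phis[0] if len(phis) == 1 else ('and', *phis)
def extend(hyps, new): return hyps + [p for p in new if p not in hyps]  # Φ ∧ ψ, no repeats
def nested(t): return isinstance(t, tuple) and any(isinstance(x, tuple) for x in t[1:])

def flatten(t, w):
    """(u[γ], t with an innermost application u[γ] replaced by the fresh w), as
    in Γ rules 3, 7 and 8; a t whose arguments are all simple is u[γ] itself."""
    for i, x in enumerate(t[1:], 1):
        if isinstance(x, tuple):
            u, x2 = flatten(x, w)
            return u, t[:i] + (x2,) + t[i + 1:]
    return t, w

# The GCD program of the slides, encoded as this example's data.
# Statements: ('Return', t) | (':=', v, t) | ('If', φ, [then], [else]).
NAME, PARAMS = 'G', ['a', 'b']
PRE = [('>=', 'a', 0), ('>=', 'b', 0)]                     # I_G[a, b]
POST = lambda args, y: ('IsGCD', y, *args)                 # O_G[args, y]
GCD = [('If', ('=', 'a', 0), [('Return', 'b')], []),
       ('If', ('=', 'b', 0), [('Return', 'a')], []),
       ('If', ('>=', 'a', 'b'), [(':=', 'a', ('G', ('-', 'a', 'b'), 'b'))],
                                [(':=', 'a', ('G', 'a', ('-', 'b', 'a')))]),
       ('Return', 'a')]
# Object theory (this example's assumption): '-' is subtraction on the naturals
# with domain condition I_-[x, y] written x - y ≥ 0, as slide 15 prints it;
# the specified function 'G' has (I_G, O_G) = (PRE, POST).
DOMAIN = {'-': lambda x, y: [('>=', ('-', x, y), 0)]}
SPEC = {'G': (lambda args: [subst(p, dict(zip(PARAMS, args))) for p in PRE], POST)}
counter = count(1)
def fresh(prefix): return f'{prefix}{next(counter)}'     # w1, c2, ... fresh names

def walk(mode, sigma, hyps, stmts, out):
    """Rules 2.. of Σ, Γ or Θ (selected by mode) over a statement list: hyps
    is the path condition Φ as a list; out collects (Φ, ψ) pairs, read Φ ⟹ ψ."""
    if not stmts: return out
    s, rest = stmts[0], stmts[1:]
    if s[0] == 'If':
        phi, T, F = s[1:]
        if nested(phi):                                       # Γ rule 8
            u, phi2 = flatten(phi, w := fresh('w'))
            return walk(mode, sigma, hyps, [(':=', w, u), ('If', phi2, T, F)] + rest, out)
        phi = subst(phi, sigma)                               # Σ 4, Γ 9, Θ 7: both branches
        walk(mode, sigma, extend(hyps, [phi]), T + rest, out)
        return walk(mode, sigma, extend(hyps, [neg(phi)]), F + rest, out)
    t = s[-1]
    if mode != 'Σ' and isinstance(t, tuple) and (s[0] == 'Return' or nested(t)):
        u, t2 = flatten(t, w := fresh('w'))                   # Γ rules 3 and 7
        return walk(mode, sigma, hyps, [(':=', w, u), s[:-1] + (t2,)] + rest, out)
    if s[0] == 'Return':
        ts = subst(t, sigma)
        out.append((hyps, {'Σ': ('=', (NAME, *PARAMS), ts),   # Σ 2: f[x̄0] = tσ
                           'Γ': POST(PARAMS, ts),              # Γ 2: O_P[x̄0, γσ]
                           'Θ': ('π', *PARAMS)}[mode]))        # Θ 2: π[x̄0]
        return out
    v = s[1]
    if mode == 'Σ' or not isinstance(t, tuple):                # Σ 3, Γ 4, Θ 3: substitute
        return walk(mode, {**sigma, v: subst(t, sigma)}, hyps, rest, out)
    args = [subst(x, sigma) for x in t[1:]]
    if t[0] in SPEC:                                          # v := g[γ], g specified
        I_g, O_g = SPEC[t[0]]
        y = fresh('c')                                        # name for the unknown result
        if mode == 'Γ':                                       # Γ 6: coherence VC, assume O_g
            out.append((hyps, conj(I_g(args))))
            return walk(mode, {**sigma, v: y}, extend(hyps, I_g(args) + [O_g(args, y)]), rest, out)
        more = [('π', *args)] if t[0] == NAME else []         # Θ 5 (g is f itself) / Θ 6
        return walk(mode, {**sigma, v: y}, extend(hyps, [O_g(args, y)] + more), rest, out)
    dom = DOMAIN[t[0]](*args)                                 # v := h[γ], h from the theory
    if mode == 'Γ':                                           # Γ 5: coherence VC
        out.append((hyps, conj(dom)))
        hyps = extend(hyps, dom)
    return walk(mode, {**sigma, v: (t[0], *args)}, hyps, rest, out)   # Γ 5, Θ 4

def generate(mode, prog=GCD):
    """Rule 1 of each meta-function: σ starts as the identity on the inputs, so
    x̄0 is written with their names (the effect of {x̄0 <- x̄}); I_P is the first
    hypothesis, standing for the quantifier's domain."""
    global counter; counter = count(1)
    return walk(mode, {p: p for p in PARAMS}, list(PRE), prog, [])

def render(conds):
    return [' ∧ '.join(show(h) for h in hyps) + ' ⟹ ' + show(c) for hyps, c in conds]
```

`render(generate('Σ'))` yields the four implications of the semantics example; `render(generate('Γ'))` yields eight conditions (the five printed on the partial-correctness example slide for the a ≥ b branch, plus the symmetric three for the other branch), with the call's result named c2 where the slide writes x; `render(generate('Θ'))` yields the four premises of the termination condition, each ending in π[a, b]. Σ needs neither coherence conditions nor fresh names because, by its rule 3, a call is simply substituted into the returned term, which is why the recursion shows up as G[a − b, b] on the right-hand side instead of as a hypothesis.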
Total Correctness

Generic program:

    Program["f", f[x],
      If[Q[x], Return[S[x]], Return[C[x, f[R[x]]]]]]

Semantics:
$$\forall_{x : I_f} \big( (Q[x] \Longrightarrow f[x] = S[x]) \wedge (\neg Q[x] \Longrightarrow f[x] = C[x, f[R[x]]]) \big)$$

Partial correctness (functional conditions):
$$\forall_{x : I_f} \; Q[x] \Longrightarrow O_f[x, S[x]]$$
$$\forall_{x : I_f} \; \neg Q[x] \Longrightarrow \forall_y \big( O_f[R[x], y] \Longrightarrow O_f[x, C[x, y]] \big)$$

Termination:
$$\forall_{x : I_f} \big( (Q[x] \Longrightarrow \pi[x]) \wedge (\neg Q[x] \wedge \pi[R[x]] \Longrightarrow \pi[x]) \big) \Longrightarrow \forall_{x : I_f} \; \pi[x]$$

The proof of total correctness applies the induction principle (given by the termination condition) to the partial correctness conditions. Take $\pi[x]$ as $O_f[x, f[x]]$.
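Carrying that last step through, as an added worked derivation that is not on the slide: with $\pi[x] := O_f[x, f[x]]$ the two premises of the termination condition are rewritten using the two semantics equations, and each becomes one of the functional conditions.

$$\begin{aligned}
Q[x] \Longrightarrow O_f[x, f[x]] \quad &\equiv\quad Q[x] \Longrightarrow O_f[x, S[x]] &&\text{(since } f[x] = S[x] \text{ under } Q[x]\text{)} \\
\neg Q[x] \wedge O_f[R[x], f[R[x]]] \Longrightarrow O_f[x, f[x]] \quad &\equiv\quad \neg Q[x] \wedge O_f[R[x], f[R[x]]] \Longrightarrow O_f[x, C[x, f[R[x]]]] &&\text{(since } f[x] = C[x, f[R[x]]] \text{ under } \neg Q[x]\text{)}
\end{aligned}$$

The first line is the first functional condition. The second line is the second functional condition with its universally quantified $y$ instantiated to $f[R[x]]$:
$$O_f[R[x], f[R[x]]] \Longrightarrow O_f[x, C[x, f[R[x]]]].$$
So both premises of the termination condition hold for this $\pi$, and its conclusion reads $\forall_{x : I_f} \; O_f[x, f[x]]$, which is total correctness of $f$ with respect to $(I_f, O_f)$.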