an improved rule for while loops in deductive program
play

An Improved Rule for While Loops in Deductive Program Verification - PowerPoint PPT Presentation

Dec 17, 2022 •414 likes •989 views

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen Schlager 2 Peter H. Schmitt 2 1 Universit at Koblenz-Landau 2 Universit at Karlsruhe ICFEM 2005, Manchester Beckert, Schlager, Schmitt (

  1. An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen Schlager 2 Peter H. Schmitt 2 1 Universit¨ at Koblenz-Landau 2 Universit¨ at Karlsruhe ICFEM 2005, Manchester Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 1 / 18

  2. Outline Preliminaries & Definitions 1 Program logic: Dynamic Logic for Java Programs frames: Modifier Sets State transitions: Updates (Improved) Invariant Rule 2 An Invariant Rule for Total Correctness 3 An Invariant Rule for JavaCard 4 Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 2 / 18

  3. Program Logic – Dynamic Logic for Java Syntax Basis: typed first-order logic Modal operators [ p ] and � p � for each sequential Java program p Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 3 / 18

  4. Program Logic – Dynamic Logic for Java Syntax Basis: typed first-order logic Modal operators [ p ] and � p � for each sequential Java program p Semantics Semantics of p is a partial function Modal operators say something about the final state of p [ p ] φ : If p terminates, then in its final state φ holds (partial correctness) � p � φ : p terminates and in its final state φ holds (total correctness) ψ → [ p ] φ the same as Hoare triple { ψ } p { φ } Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 3 / 18

  5. Signature Signature Signature Σ contains rigid and non-rigid function symbols. ◮ Rigid functions are e.g. + , − , 0 , 1 , . . . ◮ Non-rigid functions are used to model program variables and arrays that are modified by programs, e.g. program variables, arrays, etc. A location is a non-rigid ground term that can be modified by a program, e.g. a [0] = 5; Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 4 / 18

  6. Modifier Sets Specify locations that might be changed by a program Definition (Modifier Set) Let f j a non-rigid function symbol, and t j 1 , . . . , t j n j terms ( j ≥ 1). Then, the set f 1 ( t 1 1 . . . , t 1 f k ( t k 1 . . . , t k { n 1 ) , . . . , n k ) } of pairs is a modifier set. Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 5 / 18

  7. Modifier Sets Specify locations that might be changed by a program Definition (Modifier Set) Let g j be a Dynamic Logic formula, f j a non-rigid function symbol, and t j 1 , . . . , t j n j terms ( j ≥ 1). Then, the set { � g 1 , f 1 ( t 1 1 . . . , t 1 n 1 ) � , . . . , � g k , f k ( t k 1 . . . , t k n k ) � } of pairs is a modifier set. Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 5 / 18

  8. Example Example i=0; j=0; while ( i < length(a)) { a[ i]=0; i=i+1; } Modifier sets for the loop correct: {� true , i � , � true , j � , � 0 ≤ x < length ( a ) , a [ x ] �} Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 6 / 18

  9. Example Example i=0; j=0; while ( i < length(a)) { a[ i]=0; i=i+1; } Modifier sets for the loop correct: {� true , i � , � true , j � , � 0 ≤ x < length ( a ) , a [ x ] �} not correct: {� 0 ≤ x < length ( a ) , a [ x ] �} Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 6 / 18

  10. State Updates Classical DL: state changes represented by substitutions Example � i=0; � φ ↔ φ 0 i Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 7 / 18

  11. State Updates Classical DL: state changes represented by substitutions Example � i=0; � φ ↔ φ 0 i Aliasing in object-oriented languages causes case distinctions Example � Case 1: i . = j a[i] . = 0 → � a[j]=1; � a[i] � . = a[j] � i � . Case 2: = j Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 7 / 18

  12. State Updates Classical DL: state changes represented by substitutions Example � i=0; � φ ↔ φ 0 i Aliasing in object-oriented languages causes case distinctions Example � Case 1: i . = j a[i] . = 0 → � a[j]=1; � a[i] � . = a[j] � i � . Case 2: = j Case distinction not always necessary Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 7 / 18

  13. State Updates Classical DL: state changes represented by substitutions Example � i=0; � φ ↔ φ 0 i Aliasing in object-oriented languages causes case distinctions Example � Case 1: i . = j a[i] . = 0 → � a[j]=1; � a[i] � . = a[j] � i � . Case 2: = j Case distinction not always necessary Idea: collect updates and do not apply until program has disappeared Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 7 / 18

  14. State Updates Classical DL: state changes represented by substitutions Example � i=0; � φ ↔ φ 0 i Aliasing in object-oriented languages causes case distinctions Example � Case 1: i . = j a[i] . = 0 → � a[j]=1; � a[i] � . = a[j] � i � . Case 2: = j Case distinction not always necessary Idea: collect updates and do not apply until program has disappeared Allows simplification before application, updates sometimes cancel out previous ones Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 7 / 18

  15. State Updates Definition (Syntax of Updates) For all non-rigid ground terms l , and all terms v , if φ is a formula, then { l := v } φ is a formula as well. The expressions { l := v } are called updates. Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 8 / 18

  16. State Updates Definition (Syntax of Updates) For all non-rigid ground terms l , and all terms v , if φ is a formula, then { l := v } φ is a formula as well. The expressions { l := v } are called updates. Definition (Semantics of Updates) = { l := v } φ iff s ′ | s | = φ where s ′ coincides with s except for the interpretation of l , which in s ′ has the same value as v in s . Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 8 / 18

  17. Quantified Updates Definition (Syntax of Quantified Updates) Let { f ( t 1 , . . . , t n ) := v } be an update and g a DL formula Then { g , f ( t 1 , . . . , t n ) := v } φ is a DL formula as well. The expression { g , f ( t 1 , . . . , t n ) := v } is called quantified update. Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 9 / 18

  18. Invariant Rule for DL Sequent Calculus Loop Invariant Rule Γ ⊢ U Inv , ∆ Inv ∧ ǫ ⊢ [ α ] Inv Inv ∧ ¬ ǫ ⊢ [ β ] φ Γ ⊢ U [ while ( ǫ ) { α } β ] φ, ∆ Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 10 / 18

  19. Invariant Rule for DL Sequent Calculus Loop Invariant Rule Γ ⊢ U Inv , ∆ Inv ∧ ǫ ⊢ [ α ] Inv Inv ∧ ¬ ǫ ⊢ [ β ] φ Γ ⊢ U [ while ( ǫ ) { α } β ] φ, ∆ Inv holds in the beginning Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 10 / 18

  20. Invariant Rule for DL Sequent Calculus Loop Invariant Rule Γ ⊢ U Inv , ∆ Inv ∧ ǫ ⊢ [ α ] Inv Inv ∧ ¬ ǫ ⊢ [ β ] φ Γ ⊢ U [ while ( ǫ ) { α } β ] φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 10 / 18

  21. Invariant Rule for DL Sequent Calculus Loop Invariant Rule Γ ⊢ U Inv , ∆ Inv ∧ ǫ ⊢ [ α ] Inv Inv ∧ ¬ ǫ ⊢ [ β ] φ Γ ⊢ U [ while ( ǫ ) { α } β ] φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Inv implies the postcondition if loop terminates Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 10 / 18

  22. Invariant Rule for DL Sequent Calculus Loop Invariant Rule Γ ⊢ U Inv , ∆ Inv ∧ ǫ ⊢ [ α ] Inv Inv ∧ ¬ ǫ ⊢ [ β ] φ Γ ⊢ U [ while ( ǫ ) { α } β ] φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Inv implies the postcondition if loop terminates Context Γ , ∆ , U must be omitted in 2nd and 3rd premiss Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ An Improved Rule for While Loops at Karlsruhe) ICFEM 2005 10 / 18

Recommend

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Loops Simone Campanoni simonec@eecs.northwestern.edu Outline Loops Identify loops

Loops Simone Campanoni simonec@eecs.northwestern.edu Outline Loops Identify loops

Loops Simone Campanoni simonec@eecs.northwestern.edu Outline Loops Identify loops Induction variables Loop normalization Impact of optimized code to program Code transformation 1 second 10 seconds How much did we optimize the

1.13k views • 87 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
STRENGTHENING RULE OF LAW PROGRAME UNDP Global Program on Rule of Law Countries where UNDP

STRENGTHENING RULE OF LAW PROGRAME UNDP Global Program on Rule of Law Countries where UNDP

STRENGTHENING RULE OF LAW PROGRAME UNDP Global Program on Rule of Law Countries where UNDP supports Rule of Law work: 2012 RoL Program currently in more than 100 countries Rule of Law Programme Geographic Coverage Project Period: 2011-

538 views • 24 slides
The Deductive Spreadsheet Iliano Cervesato Deductive Solutions iliano@deductivesolutions.com

The Deductive Spreadsheet Iliano Cervesato Deductive Solutions iliano@deductivesolutions.com

Carnegie Mellon University Pittsburgh, PA 6 July 2006 The Deductive Spreadsheet Iliano Cervesato Deductive Solutions iliano@deductivesolutions.com Preliminaries Requirements Model Functionalities Interface Experiments The

704 views • 45 slides
Tutorial 3 Loops Side Effects 1 CS 136 Spring 2020 Tutorial 3 Loops: for loops &amp;

Tutorial 3 Loops Side Effects 1 CS 136 Spring 2020 Tutorial 3 Loops: for loops &amp;

Tutorial 3 Loops Side Effects 1 CS 136 Spring 2020 Tutorial 3 Loops: for loops &amp; while loops Using a loop to solve a problem is called iteration . while is similar to if statements but while repeatedly loops back and

457 views • 8 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
Logic as a Tool Chapter 2: Deductive Reasoning in Propositional Logic 2.1 Logical Deductive

Logic as a Tool Chapter 2: Deductive Reasoning in Propositional Logic 2.1 Logical Deductive

Logic as a Tool Chapter 2: Deductive Reasoning in Propositional Logic 2.1 Logical Deductive Systems: an overview Valentin Goranko Stockholm University October 2016 Goranko Deductive systems Goranko Deductive systems Logical consequence:

1.16k views • 28 slides
Topic 15 Indefinite Loops - While Loops &quot;If you cannot grok [understand] the overall

Topic 15 Indefinite Loops - While Loops &quot;If you cannot grok [understand] the overall

Topic 15 Indefinite Loops - While Loops &quot;If you cannot grok [understand] the overall structure of a program while taking a shower [e.g., with no external memory aids], you are not ready to code it.&quot; -Rich Pattis Based on slides for

757 views • 33 slides
Controlling Program Flow Conditionals (If-statement) Loops (while, do-while, for-loops)

Controlling Program Flow Conditionals (If-statement) Loops (while, do-while, for-loops)

Controlling Program Flow Conditionals (If-statement) Loops (while, do-while, for-loops) Switch Statements New Instructions JMP CMP Conditional jumps (branches) Conditional MOV instruction 1 Conditional statements 2

678 views • 44 slides
Program Verifjcation While Loops Alice Gao Lecture 20 Based on work by J. Buss, L. Kari, A.

Program Verifjcation While Loops Alice Gao Lecture 20 Based on work by J. Buss, L. Kari, A.

1/33 Program Verifjcation While Loops Alice Gao Lecture 20 Based on work by J. Buss, L. Kari, A. Lubiw, B. Bonakdarpour, D. Maftuleac, C. Roberts, R. Trefmer, and P. Van Beek 2/33 Outline Program Verifjcation: While Loops Learning Goals

351 views • 33 slides
Loops! Flow of Control: Loops (Savitch, Chapter 4) TOPICS while Loops do while

Loops! Flow of Control: Loops (Savitch, Chapter 4) TOPICS while Loops do while

Loops! Flow of Control: Loops (Savitch, Chapter 4) TOPICS while Loops do while Loops for Loops break Statement continue Statement CS 160, Fall Semester 2012 2 An Example While Loop

446 views • 11 slides
Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u = u + v s = s + 1 TEST r n u = 1 r = r + 1 TEST s r A Definition program mathematical + proof statement correctness

823 views • 56 slides
LOOPS Loops Loops Loops! How can we repeat a piece of code without having to write it out over

LOOPS Loops Loops Loops! How can we repeat a piece of code without having to write it out over

Session 6 LOOPS Loops Loops Loops! How can we repeat a piece of code without having to write it out over and over?! With loops! The Game Loop For Loop vs. While Loop For Loops While Loops Start/End are Known Start/End not Always Clear

301 views • 26 slides
Parsing Methods as Deductive Systems from [ Shieber, Schabes, and Pereira. 1993 ] 1. Algorithm =

Parsing Methods as Deductive Systems from [ Shieber, Schabes, and Pereira. 1993 ] 1. Algorithm =

0. Parsing Methods as Deductive Systems from [ Shieber, Schabes, and Pereira. 1993 ] 1. Algorithm = Logic + Control Robert Kowalski Basic Notions 2. A 1 ,...,A k Inference Rule: &lt; side conditions on A 1 , . . . , A k , B &gt; B Derivation

301 views • 14 slides
Logic as a Tool Chapter 2: Deductive Reasoning in Propositional Logic 2.1 Logical Deductive

Logic as a Tool Chapter 2: Deductive Reasoning in Propositional Logic 2.1 Logical Deductive

Logic as a Tool Chapter 2: Deductive Reasoning in Propositional Logic 2.1 Logical Deductive Systems: an overview Valentin Goranko Stockholm University October 2016 Goranko Deductive systems Logical consequence: A 1 , . . . , A n C

70 views • 5 slides
Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur

Efficient Deductive Methods for Program Analysis Harald Ganzinger Max-Planck-Institut f ur Informatik Introduction 2 program analysis from high-level inference rules complexity analysis through general meta-complexity theorems

451 views • 33 slides
An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong interpretation of

1.97k views • 145 slides
How to Prove Loops to be Correct? Thomas Baar / Mathias Krebs EPFL, Lausanne, Switzerland 4 th

How to Prove Loops to be Correct? Thomas Baar / Mathias Krebs EPFL, Lausanne, Switzerland 4 th

How to Prove Loops to be Correct? Thomas Baar / Mathias Krebs EPFL, Lausanne, Switzerland 4 th KeY-Workshop, June 8-10, 2005, Lkeberg near Gothenburg, Sweden Proving Loops in KeY Induction Rule generates BaseCase StepCase

910 views • 24 slides
Building Java Programs Chapter 5 Lecture 11: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 11: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 11: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 (Slides adapted from Stuart Reges, Hlne Martin, and Marty Stepp) 1 2 Methods using charAt Write a method

795 views • 20 slides
Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12, 2018 1 / 32 joint work with Fran cois Bobot Claude March e Guillaume Melquiond Andrei Paskevich 2 / 32 a question for programmers

991 views • 80 slides
Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 1 2 A deceptive problem... Write a method printLetters that prints each letter from a word separated by commas. For

516 views • 22 slides
Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops

Building Java Programs Chapter 5 Lecture 5-1: while Loops, Fencepost Loops, and Sentinel Loops reading: 5.1 5.2 1 2 A deceptive problem... Write a method printLetters that prints each letter from a word separated by commas. For

545 views • 20 slides
ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop

ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop

Systems Architecture ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop initialisation init i) body body ii) increment or inc iii) decrement dec exit condition

1k views • 61 slides

More recommend