Finding Inductive Assertions
CS256/Winter 2009
Lecture #8
Zohar Manna
8-1

Top-Down Approach

Assertion propagation: we have previously proven χ and we want to prove ϕ, but
  {χ ∧ ϕ} τ {ϕ}
is not state-valid for some τ ∈ T.

What is the problem? (assuming that ϕ is indeed an invariant)
8-2
Top-Down Approach (Cont'd)

Solution: Take the largest set of states that will result in a ϕ-state when τ is taken.

How?
8-3

Precondition of ϕ w.r.t. τ

  pre(τ, ϕ): ∀V′. ρ_τ → ϕ′

(Figure: the state space Σ with the P-accessible states, the set pre(τ, ϕ) and the set ϕ ∧ χ; τ leads from pre(τ, ϕ) into ϕ.)

A state s satisfies pre(τ, ϕ) iff all τ-successors of s satisfy ϕ.

Note: s trivially satisfies pre(τ, ϕ) if it does not have any τ-successors (i.e., τ is not enabled in s).
8-4
Precondition of ϕ w.r.t. τ (Cont'd)

Example:
  V: {x} integer
  ρ_τ: x > 0 ∧ x′ = x − 1
  ϕ: x ≥ 2

  pre(τ, ϕ): ∀x′. (x > 0 ∧ x′ = x − 1) → x′ ≥ 2
  where x > 0 ∧ x′ = x − 1 is ρ_τ and x′ ≥ 2 is ϕ′;
             x > 0 → x − 1 ≥ 2
             x ≤ 0 ∨ x ≥ 3
8-5

Properties of pre(τ, ϕ)

By the definition of pre(τ, ϕ),
  {χ ∧ ϕ ∧ pre(τ, ϕ)} τ {ϕ}
is guaranteed to be state-valid.

(Figure: P-accessible states; a state at step j satisfying ϕ ∧ pre(τ, ϕ), with τ leading to a state at step j+1 satisfying ϕ.)

But we have to justify adding the conjunct pre(τ, ϕ) to the antecedent. This can be done in two ways:
1. Incremental: prove □pre(τ, ϕ)
2. Strengthening: prove □(ϕ ∧ pre(τ, ϕ))
8-6
Properties of pre(τ, ϕ) (Cont'd)

Claim: If ϕ is P-invariant then so is pre(τ, ϕ) for every τ ∈ T.

Proof: Suppose ϕ is P-invariant, but pre(τ, ϕ) is not P-invariant.
Then there exists a P-accessible state s such that s ⊭ pre(τ, ϕ).
But then, by the definition of pre(τ, ϕ), there exists a τ-successor s′ of s such that s′ ⊭ ϕ.
Since s is P-accessible, s′ is also P-accessible, contradicting that ϕ is a P-invariant.
8-7

Properties of pre(τ, ϕ) (Cont'd)

Definition: A transition τ is said to be self-disabling if for every state s, τ is disabled in all τ-successors of s.

Claim: For every assertion ϕ and self-disabling transition τ,
  {ϕ ∧ pre(τ, ϕ)} τ {ϕ ∧ pre(τ, ϕ)}
is state-valid.

Proof: Assume s ⊨ ϕ ∧ pre(τ, ϕ).
Then by definition of pre(τ, ϕ), for every τ-successor s′ of s, s′ ⊨ ϕ.
Since τ is self-disabling, τ is disabled in all τ-successors s′ of s, and so trivially s′ ⊨ pre(τ, ϕ).
Thus for all τ-successors s′ of s, s′ ⊨ ϕ ∧ pre(τ, ϕ).
8-8
Heuristic

If the verification condition
  {χ ∧ ϕ} τ {ϕ}
is not state-valid: Find pre(τ, ϕ) and then
• Strengthening approach: strengthen ϕ by adding the conjunct pre(τ, ϕ)
or,
• Incremental approach: prove □pre(τ, ϕ) and add pre(τ, ϕ) to χ.

Note: pre(τ, ϕ) is not guaranteed to be an inductive invariant, so the premises of inv have to be checked again.
8-9

Example:

  local x: integer where x = 1
    ℓ0: request x
    ℓ1: critical
    ℓ2: release x

We want to prove □(at−ℓ1 → x = 0), with ϕ: at−ℓ1 → x = 0.

Problem:
  {at−ℓ1 → x = 0} τ_ℓ0 {at−ℓ1 → x = 0}
is not state-valid.

If we use the above heuristic we get
  pre(τ_ℓ0, ϕ) = ∀x′, π′. (move(ℓ0, ℓ1) ∧ x > 0 ∧ x′ = x − 1) → (at′−ℓ1 → x′ = 0)
where move(ℓ0, ℓ1) ∧ x > 0 ∧ x′ = x − 1 is ρ_ℓ0 and at′−ℓ1 → x′ = 0 is ϕ′.
8-10
Example (Cont'd):

  pre(τ_ℓ0, ϕ) = ∀x′, π′. (move(ℓ0, ℓ1) ∧ x > 0 ∧ x′ = x − 1) → (at′−ℓ1 → x′ = 0)
where move(ℓ0, ℓ1) ∧ x > 0 ∧ x′ = x − 1 is ρ_ℓ0 and at′−ℓ1 → x′ = 0 is ϕ′.

Since
  move(ℓ0, ℓ1) → at−ℓ0 = t, at′−ℓ1 = t
  x′ = x − 1 ∧ x′ = 0 → x = 1
it simplifies to
  pre(τ_ℓ0, ϕ): at−ℓ0 ∧ x > 0 → x = 1

Strengthened assertion
  ϕ ∧ pre(τ_ℓ0, ϕ): (at−ℓ1 → x = 0) ∧ (at−ℓ0 → x = 1)
what we "guessed" before.

Show that ϕ ∧ pre(τ_ℓ0, ϕ) is inductive ("strengthening approach").
8-11

Substituted form of pre(τ, ϕ)

Many transition relations have the form
  ρ_τ: C_τ ∧ V′ = E
where C_τ is the enabled condition of τ.

And so
  pre(τ, ϕ): ∀V′. C_τ ∧ V′ = E → ϕ′
can be simplified to
  ∀V′. C_τ → ϕ[E/V]
by replacing every primed variable with its corresponding expression; the quantifier can then be eliminated to obtain
  pre(τ, ϕ): C_τ → ϕ[E/V]
8-12
Example: Program mux-pet1 (Fig. 2.25)
(Peterson's Algorithm for mutual exclusion)

  local y1, y2: boolean where y1 = f, y2 = f
        s: integer where s = 1

  P1 :: ℓ0: loop forever do
          ℓ1: noncritical
          ℓ2: (y1, s) := (t, 1)
          ℓ3: await (¬y2) ∨ (s ≠ 1)
          ℓ4: critical
          ℓ5: y1 := f
  ||
  P2 :: m0: loop forever do
          m1: noncritical
          m2: (y2, s) := (t, 2)
          m3: await (¬y1) ∨ (s ≠ 2)
          m4: critical
          m5: y2 := f
8-13

Example: Program mux-pet1 (Fig. 2.25) (Cont'd)

We want to prove mutual exclusion: □¬(at−ℓ4 ∧ at−m4), with ψ: ¬(at−ℓ4 ∧ at−m4).

Bottom-up invariants:
  ϕ0: s = 1 ∨ s = 2
  ϕ1: y1 ↔ at−ℓ3..5
  ϕ2: y2 ↔ at−m3..5

Problem: the verification conditions
  {ϕ0 ∧ ϕ1 ∧ ϕ2 ∧ ψ} ℓ3 {ψ}
  {ϕ0 ∧ ϕ1 ∧ ϕ2 ∧ ψ} m3 {ψ}
are not state-valid.
8-14
Example: Program mux-pet1 (Fig. 2.25) (Cont'd)

  pre(τ_ℓ3, ψ): ∀π′. (move(ℓ3, ℓ4) ∧ (¬y2 ∨ s ≠ 1)) → ¬(at′−ℓ4 ∧ at′−m4)
where move(ℓ3, ℓ4) ∧ (¬y2 ∨ s ≠ 1) is ρ_ℓ3 and ¬(at′−ℓ4 ∧ at′−m4) is ψ′.

Since move(ℓ3, ℓ4) implies at′−ℓ4 = t, at′−m4 = at−m4, pre(τ_ℓ3, ψ) simplifies to:
  at−ℓ3 ∧ (¬y2 ∨ s ≠ 1) → ¬at−m4
that is,
  ϕ3: at−ℓ3 ∧ at−m4 → y2 ∧ s = 1

pre(τ_m3, ψ): ∀π′. ... simplifies to:
  ϕ4: at−ℓ4 ∧ at−m3 → y1 ∧ s = 2

Show that ϕ3: pre(τ_ℓ3, ψ) and ϕ4: pre(τ_m3, ψ) are inductive relative to ϕ0 ∧ ϕ1 ∧ ϕ2 ("incremental approach").

Then show that ψ is inductive relative to ϕ0 ∧ ... ∧ ϕ4.
8-15

Example: Program mux-pet1 (Fig. 2.25) (Cont'd)

Proof tree (figure): rule inv is applied to □¬(at−ℓ4 ∧ at−m4), giving verification conditions for Init, ℓ0, ..., ℓ5, m0, ..., m5; all are state-valid (t) except those for ℓ3 and m3. WPC on these two yields pre(τ_ℓ3, ψ) and pre(τ_m3, ψ), each of which is then proven by inv with all of its verification conditions state-valid.
t = state-valid (relative to the bottom-up invariants)
8-16
Example: pre may never terminate

The transition is
  ρ_τ: x′ = x + y ∧ y′ = y
The property is □ϕ, with ϕ: x ≥ 0.

The VC is
  x ≥ 0 ∧ x′ = x + y ∧ y′ = y → x′ ≥ 0
where x ≥ 0 is ϕ, x′ = x + y ∧ y′ = y is ρ_τ and x′ ≥ 0 is ϕ′;
it is not state-valid.

Step 1: The precondition is
  pre(τ, x ≥ 0): ∀x′, y′. x′ = x + y ∧ y′ = y → x′ ≥ 0
that is, y ≥ −x.

Attempting to prove pre(τ, ϕ) state-valid, the VC
  y ≥ −x ∧ x′ = x + y ∧ y′ = y → y′ ≥ −x′
where y ≥ −x is pre, x′ = x + y ∧ y′ = y is ρ_τ and y′ ≥ −x′ is pre′,
is not state-valid.
8-17

Step 2: Compute pre(τ, y ≥ −x)
  ∀x′, y′. x′ = x + y ∧ y′ = y → y′ ≥ −x′
where x′ = x + y ∧ y′ = y is ρ_τ and y′ ≥ −x′ is pre′;
that is, y ≥ −x/2.

In general the precondition
  pre^n(τ, y ≥ −x): y ≥ −x/(n+1)

Taking the limit as n approaches infinity, we obtain y ≥ 0, which is what we want.
8-18
Example: Program mux-pet1 (Fig. 2.25)
(Peterson's Algorithm for mutual exclusion)
Program listing as on slide 8-13.
8-19

Finite-State Algorithmic Verification

finite-state program P:
  each x ∈ V assumes only finitely many values in all P-computations

Therefore, there are only finitely many distinct P-accessible states.

Example: mux-pet1 (Fig 2.25) is a finite-state program:
  s = 1, 2
  y1 = t, f
  y2 = t, f
  π can assume at most 36 different values
8-20
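As an added example (not from the lecture), the Python below carries out the incremental approach of slides 8-14 to 8-16 on the finite state space of mux-pet1 (slide 8-20): pre(τ, ϕ) is computed semantically as "τ disabled in s, or the τ-successor of s satisfies ϕ", the verification conditions {χ ∧ ϕ} τ {ϕ} are checked by enumeration, only ℓ3 and m3 fail for ψ relative to ϕ0 ∧ ϕ1 ∧ ϕ2, and ϕ3 = pre(τ_ℓ3, ψ) and ϕ4 = pre(τ_m3, ψ) are shown to be inductive relative to χ and to make ψ inductive. The state encoding, the helper names (step, pre, state_valid, inductive_relative, failing_transitions) and the tuple layout are my own assumptions.

```python
from itertools import product

# Constructed finite-state model of mux-pet1 (Fig. 2.25, Peterson's algorithm) as on
# the slides. A state is (pc1, pc2, y1, y2, s); pc 0..5 stands for l0..l5 / m0..m5.
STATES = list(product(range(6), range(6), (False, True), (False, True), (1, 2)))
INIT = (0, 0, False, False, 1)

def step(proc, loc, guard=lambda st: True, upd=lambda st: st[2:]):
    # tau_loc of P1 (proc=0) or P2 (proc=1), in the form C_tau ∧ V' = E: enabled iff
    # control is at loc and guard holds; successor advances control, applies upd.
    def enabled(st):
        return st[proc] == loc and guard(st)
    def succ(st):
        pc = list(st[:2]); pc[proc] = (loc + 1) % 6
        return tuple(pc) + tuple(upd(st))
    return enabled, succ

TRANS = {
    'l2': step(0, 2, upd=lambda st: (True, st[3], 1)),           # (y1, s) := (t, 1)
    'l3': step(0, 3, guard=lambda st: not st[3] or st[4] != 1),  # await ¬y2 ∨ s ≠ 1
    'l5': step(0, 5, upd=lambda st: (False, st[3], st[4])),      # y1 := f
    'm2': step(1, 2, upd=lambda st: (st[2], True, 2)),           # (y2, s) := (t, 2)
    'm3': step(1, 3, guard=lambda st: not st[2] or st[4] != 2),  # await ¬y1 ∨ s ≠ 2
    'm5': step(1, 5, upd=lambda st: (st[2], False, st[4])),      # y2 := f
}
for loc in (0, 1, 4):  # loop, noncritical, critical: control moves, data unchanged
    TRANS[f'l{loc}'] = step(0, loc)
    TRANS[f'm{loc}'] = step(1, loc)
def pre(tau, phi):
    # pre(tau, phi) holds in s iff every tau-successor of s satisfies phi (trivially
    # true when tau is disabled in s); tau is deterministic, so one successor suffices.
    enabled, succ = tau
    return lambda st: not enabled(st) or phi(succ(st))
def state_valid(chi, tau, phi):
    # Verification condition {chi ∧ phi} tau {phi}, checked over all 288 states.
    return all(pre(tau, phi)(st) for st in STATES if chi(st) and phi(st))
def inductive_relative(chi, phi):
    # phi holds initially and is preserved by every transition, assuming chi.
    return phi(INIT) and all(state_valid(chi, t, phi) for t in TRANS.values())
def failing_transitions(chi, phi):
    return sorted(n for n, t in TRANS.items() if not state_valid(chi, t, phi))

# Assertions from the slides; chi is the conjunction of the bottom-up invariants.
psi = lambda st: not (st[0] == 4 and st[1] == 4)    # mutual exclusion
phi0 = lambda st: st[4] in (1, 2)
phi1 = lambda st: st[2] == (st[0] in (3, 4, 5))     # y1 <-> at l3..5
phi2 = lambda st: st[3] == (st[1] in (3, 4, 5))     # y2 <-> at m3..5
chi = lambda st: phi0(st) and phi1(st) and phi2(st)
phi3 = pre(TRANS['l3'], psi)   # simplifies to at-l3 ∧ at-m4 -> y2 ∧ s = 1
phi4 = pre(TRANS['m3'], psi)   # simplifies to at-l4 ∧ at-m3 -> y1 ∧ s = 2
```

Calling failing_transitions(chi, psi) returns ['l3', 'm3'], and inductive_relative(lambda st: chi(st) and phi3(st) and phi4(st), psi) returns True, which is the proof tree of slide 8-16 checked by enumeration.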