Proving Correctness of Graph Programs Relative to Recursively Nested Conditions
Nils Erik Flick, Universität Oldenburg, February 2017
Intro Correctness Results Rel. Work Conclusion Extras

Outline: Correctness and Graph Programs
1 Verification Framework: Graph Programs; Recursively Nested Conditions
2 Results: Weakest Precondition Calculus; Proof Calculus; Expressive Power
3 Related Concepts
Nils Erik Flick, Correctness of Graph Programs, 2 / 23
Verification Framework (Dijkstra)
Aim of program verification: development of correct systems by establishing program correctness via logical deduction.
[Figure: verification process. The weakest precondition calculus takes the program P and the postcondition d and yields a precondition; the prover compares it with the precondition c and answers "yes, correct", "no" or "unknown".]
Proving correctness of a program P under a specification (c, d). c and d specify state properties.
Partial correctness: whenever P is run from a state satisfying c, if P terminates then the resulting state satisfies d.
Verification Framework (Dijkstra), continued
Proving correctness of a program P under a specification (c, d).
Checking correctness: compute the weakest precondition Wp_P(d). To the postcondition d this assigns a precondition such that
⊲ P is correct with respect to (Wp_P(d), d);
⊲ any c′ such that P is correct with respect to (c′, d) satisfies c′ ⇒ Wp_P(d).
Then check whether c ⇒ Wp_P(d).
Graph Programs
Graph programs are imperative programs that operate on graphs, for example (figure, graphs elided in extraction):
    ∅ ֒→ … Sel ; Del … ; Add … ; Uns … ←֓ ∅
a sequence of the elementary steps Sel; Del; Add; Uns, drawn as graph morphisms starting from and ending in the empty graph ∅.
Elementary programs: select, unselect, add, delete.
Composition: disjunction, sequence, iteration.
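To make the two preceding slides concrete, here is an added example (not code from the slides or from the thesis): a brute-force interpreter for iteration-free graph programs over one fixed finite graph, with the semantic reading of Wp_P(d) and of partial correctness. The thesis constructs Wp_P(d) symbolically as a condition; this example only evaluates the definition on concrete states, so it checks a specification rather than computing a precondition. Assumptions made here: graphs are (nodes, directed edges) over string node names, a program maps a state to the set of its possible successor states (rule matching is nondeterministic), a state from which a program produces no result satisfies Wp vacuously (the partial-correctness reading), and the graphs G1, G2 and the conditions `no_sink` and `min_out_degree` are constructed for the example.

```python
# Added example (not from the slides or the thesis): iteration-free graph programs
# over concrete finite graphs, and Wp / partial correctness evaluated semantically.
from typing import Callable, FrozenSet, Iterable, NamedTuple, Tuple


class Graph(NamedTuple):
    nodes: FrozenSet[str]
    edges: FrozenSet[Tuple[str, str]]   # directed edges (source, target)


Cond = Callable[[Graph], bool]              # a state property, written as a predicate
Prog = Callable[[Graph], FrozenSet[Graph]]  # a program: state -> set of successor states


# --- elementary programs; each rule is matched nondeterministically ---
def delete_edge(g: Graph) -> FrozenSet[Graph]:
    """Delete some edge. On an edgeless graph the rule does not match: no result state."""
    return frozenset(Graph(g.nodes, g.edges - {e}) for e in g.edges)


def add_edge(g: Graph) -> FrozenSet[Graph]:
    """Add a new edge between some pair of distinct existing nodes."""
    return frozenset(Graph(g.nodes, g.edges | {(a, b)})
                     for a in g.nodes for b in g.nodes
                     if a != b and (a, b) not in g.edges)


# --- composition: sequence and disjunction (iteration deliberately left out) ---
def seq(*progs: Prog) -> Prog:
    def run(g: Graph) -> FrozenSet[Graph]:
        states = frozenset([g])
        for p in progs:
            states = frozenset(h for s in states for h in p(s))
        return states
    return run


def choice(*progs: Prog) -> Prog:
    return lambda g: frozenset(h for p in progs for h in p(g))


# --- conditions used below (plain nested conditions: for all nodes, k outgoing edges exist) ---
def out_degree(g: Graph, n: str) -> int:
    return sum(1 for (src, _) in g.edges if src == n)


def min_out_degree(k: int) -> Cond:
    return lambda g: all(out_degree(g, n) >= k for n in g.nodes)


no_sink: Cond = min_out_degree(1)


# --- Dijkstra-style correctness, read on one finite state ---
def wp(program: Prog, post: Cond) -> Cond:
    """Wp_P(d) holds on G iff every result of running P from G satisfies d.
    Assumption of this example: no result at all counts as vacuously correct
    (partial correctness: only terminating runs are constrained)."""
    return lambda g: all(post(h) for h in program(g))


def partially_correct(program: Prog, pre: Cond, post: Cond, states: Iterable[Graph]) -> bool:
    """The proof obligation c => Wp_P(d), checked on a finite sample of states."""
    return all((not pre(g)) or wp(program, post)(g) for g in states)


# Constructed inputs: in G1 node b has a single outgoing edge; in G2 every node has two.
G1 = Graph(frozenset("abc"), frozenset({("a", "b"), ("b", "c"), ("c", "a"), ("a", "c")}))
G2 = Graph(frozenset("abc"), G1.edges | {("b", "a"), ("c", "b")})

if __name__ == "__main__":
    # deleting any edge of G2 keeps every out-degree >= 1; G1 can lose b's only edge
    print(wp(delete_edge, no_sink)(G1))   # False
    print(wp(delete_edge, no_sink)(G2))   # True
    # out-degree >= 2 is a sufficient precondition for one deletion, out-degree >= 1 is not
    print(partially_correct(delete_edge, min_out_degree(2), no_sink, [G1, G2]))  # True
    print(partially_correct(delete_edge, min_out_degree(1), no_sink, [G1, G2]))  # False
```

The sample already shows the two halves of the slide's definition: `min_out_degree(2)` is a precondition under which one `delete_edge` is correct for `no_sink`, while `min_out_degree(1)` is not, because it admits G1, on which one of the nondeterministic deletions produces a sink. Sequencing two deletions makes even G2 fail, which is the kind of strengthening the symbolic Wp construction tracks per program step.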
State of the Art: Correctness of Graph Programs
We want to prove correctness of graph programs relative to specifications (c, d).
Nested graph conditions are expressions like this (figure, graphs elided in extraction): ∀( …, ∃( … ) ∨ ∃( … ) )
Unavoidable theoretical limitations:
Implication of nested conditions (c ⇒ c′) is undecidable.
Weakest precondition for iteration requires invariant finding, which cannot be fully automatic nor complete.
But in practice, verification is often possible.
Extending Nested Conditions
Many properties of interest cannot be expressed by nested conditions, for example:
⊲ Connectedness
⊲ Absence of cycles
⊲ Chains of even, odd or equal length
⊲ Chains of length 4n (of theoretical interest)
⊲ Balancedness of binary trees (useful!)
Recursively nested conditions (µ-conditions) are nested conditions with recursive specifications. Recursively nested conditions can express all of the above.
Recursively Nested Conditions
Example of a µ-condition (figure; the graphs inside the quantifiers are elided in extraction):
    ∀( …, path ⇒ ∃( …, paths ) )
    path   = ∃( … ) ∨ ∃( …, path )
    paths  = ∃( … ) ∨ ∃( …, paths′ )
    paths′ = ∃( … ) ∨ ∃( …, paths′ )
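As an added example (not code from the slides or the thesis), the following evaluates recursively specified conditions of the shape shown above on a concrete finite graph. The recursive specification is read as a monotone operator on tuples of relations and iterated from the empty relations (⊥) until it stabilises: the successive approximants are the finite unrollings of the variables, and on a finite graph the least fixed point is reached after finitely many steps. Assumptions: `path` is read as "edge, or edge followed by path", which is the natural reading of the slide's `path` definition with the elided graphs taken to be a single edge; the `odd`/`even` system is my own encoding of the chain-parity property listed on the previous slide; graphs, relation names and the two sample inputs are constructed.

```python
# Added example (not from the slides or the thesis): least fixed point evaluation
# of recursively specified graph conditions on a finite graph.
from typing import Callable, Dict, FrozenSet, NamedTuple, Tuple

Pair = Tuple[str, str]
Rel = FrozenSet[Pair]
Rels = Dict[str, Rel]


class Graph(NamedTuple):
    nodes: FrozenSet[str]
    edges: Rel   # directed edges (source, target)


def compose(r: Rel, s: Rel) -> Rel:
    """Relational composition: (x, z) such that (x, y) in r and (y, z) in s."""
    return frozenset((x, z) for (x, y) in r for (y2, z) in s if y == y2)


def lfp(step: Callable[[Rels], Rels], bottom: Rels) -> Rels:
    """Kleene iteration x^(n+1) = F(x^(n)) from bottom until nothing changes.
    For a monotone F over relations on a finite graph this is the least fixed point."""
    cur = bottom
    while True:
        nxt = step(cur)
        if nxt == cur:
            return cur
        cur = nxt


def mu_relations(g: Graph) -> Rels:
    """Least fixed point of the recursive specifications (assumed encoding)
         path = edge  or  edge ; path     (a path of length >= 1)
         odd  = edge  or  edge ; even     (a path of odd length)
         even =           edge ; odd      (a path of even length >= 2)
    odd/even are mutually recursive, as a system of several variables allows."""
    E = g.edges

    def F(x: Rels) -> Rels:
        return {
            "path": E | compose(E, x["path"]),
            "odd": E | compose(E, x["even"]),
            "even": compose(E, x["odd"]),
        }

    bottom: Rels = {"path": frozenset(), "odd": frozenset(), "even": frozenset()}
    return lfp(F, bottom)


# Properties from the slides' list, expressed through the fixed point relations.
def acyclic(g: Graph) -> bool:
    paths = mu_relations(g)["path"]
    return all((n, n) not in paths for n in g.nodes)


def strongly_connected(g: Graph) -> bool:
    paths = mu_relations(g)["path"]
    return all((x, y) in paths for x in g.nodes for y in g.nodes if x != y)


def has_even_path(g: Graph, x: str, y: str) -> bool:
    return (x, y) in mu_relations(g)["even"]


# Constructed inputs: a chain a->b->c->d and a 3-cycle a->b->c->a.
CHAIN = Graph(frozenset("abcd"), frozenset({("a", "b"), ("b", "c"), ("c", "d")}))
CYCLE = Graph(frozenset("abc"), frozenset({("a", "b"), ("b", "c"), ("c", "a")}))

if __name__ == "__main__":
    print(acyclic(CHAIN), strongly_connected(CHAIN), has_even_path(CHAIN, "a", "c"))  # True False True
    print(acyclic(CYCLE), strongly_connected(CYCLE), has_even_path(CYCLE, "a", "a"))  # False True True
```

The iteration count is what makes these properties polynomial-time checkable, as the expressiveness slide states: each round adds at least one pair or stops, and there are only |nodes|² pairs per relation. On the cycle, the even-length relation grows in several rounds before every pair (including (a, a)) is reached, which is the behaviour a plain nested condition of fixed nesting depth cannot capture.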
Weakest Precondition Calculus
Theorem: the weakest precondition of a µ-condition relative to an iteration-free program is again a µ-condition, which can be computed. In other words, there is a sound construction for weakest preconditions, defined for all iteration-free programs.
Method: a construction which transforms a finite µ-condition into a finite µ-condition. Soundness is proven with respect to the semantics.
Significance: the weakest precondition calculus is the core of the verification framework.
The Proof Calculus K_µ (I)
Structural and logical rules, from K [Pennemann, 2009] (adapted):
  Thinning:     from  Γ ⊢ ∆  infer  D, Γ ⊢ ∆
  Contraction:  from  D, D, Γ ⊢ ∆  infer  D, Γ ⊢ ∆
  Interchange:  from  ∆, D, E, Γ ⊢ Θ  infer  ∆, E, D, Γ ⊢ Θ
  Cut:          from  Γ ⊢ Θ, D  and  D, ∆ ⊢ Λ  infer  Γ, ∆ ⊢ Θ, Λ
  UES:          from  Γ ⊢ Θ, A  and  Γ ⊢ Θ, B  infer  Γ ⊢ Θ, A ∧ B
  UEA:          from  A, Γ ⊢ Θ  infer  A ∧ B, Γ ⊢ Θ
  OEA:          from  A, Γ ⊢ Θ  and  B, Γ ⊢ Θ  infer  A ∨ B, Γ ⊢ Θ
  OES:          from  Γ ⊢ Θ, A  infer  Γ ⊢ Θ, A ∨ B
Rules on conditions:
  (Supporting) Lift:  from  ∃(a, c) ∧ d  infer  ∃(a, c ∧ ∃⁻¹(a, d))
  PartialResolve:     from  ¬∃(a)  and  ∃(b, d)  infer  ¬∃(m*),  if there is m ∈ M with m ∘ b = a, (m*, b*) is the M-pushout complement of (b, m), and d ≢ ⊥
  (all similarly on the succedent)
The Proof Calculus K_µ (II)
Rules for handling variables and recursion:
  (CTX):       from  F : c ⊢ c′  (resp. c′ ⊢ c)  infer  F ⊎ F′ : Ctx[x/c] ⊢ Ctx[x/c′],  if Ctx is monotonic (antitonic) in x
  (UNROLL 1):  from  F : Γ ⊢ ∆, F_i(x⃗^(n−1))  infer  F : Γ ⊢ ∆, x_i^(n),  where F_i(x⃗) is the right hand side for x_i in F
  (EMPTY):     involves G(x⃗^(n)) ⊢ G(x⃗^(n′)), G(⊥⃗), H(⊥⃗) and ∀ i ∈ I . H_i(…), under the side conditions n⃗′ < n⃗, H_i(x⃗) = ⊥ for all i ∈ I, and G monotonic [premise and conclusion layout lost in extraction]
Further structural rules for morphism and nesting manipulation (each line relates two interchangeable forms):
  ∃(a ∘ a′, c)  and  ∃(a, ∃(a′, c))
  ∃(a, ι ∘ ι′, c)  and  ∃(a, ι′, ∃⁻¹(ι, c))  (and vice versa)
  ∃(id, id, c)  and  c
  [pairing of the remaining terms ∃⁻¹(ι, c), A(ι, c), ∃(a, c), r_a(c) lost in extraction]
Soundness of K_µ
Theorem: the proof calculus K_µ for refutation of µ-conditions is sound.
Method: extension of the resolution-like calculus K by a well-founded induction rule.
Significance: this is the "prover" part of the verification framework. The proof calculus allows the verification of programs by attempting to prove the implication c ⇒ Wp_P(d).
Expressiveness of µ-Conditions
Theorem: the expressiveness of µ-conditions is the same as first order least fixed point logic, properly extends nested conditions and is incomparable to other known formalisms.
[Figure: µ-conditions compared with HR⁻ (<>), MSO (<>) and FO+lfp (=). Legend: <> incomparable; = equal.]
Method: by showing the inexpressibility of counterexamples; by translation from and to fixed point logic.
Significance: µ-conditions are distinct from other formalisms and describe polynomial-time checkable properties.
Related Concepts: Notions of Correctness
Abstract model checking: temporal logic specification, reduction to finite state space by suitable state abstractions. [Gadducci et al., 1998] [Baldan et al., 2003] [König and Kozioura, 2006] [Rensink and Distefano, 2006]
This notion of correctness differs considerably from ours and no direct comparison was attempted.
Related Concepts: Proof-Based Approaches
reference         (1)        (here)   (2)           (3)
conditions        Nested     µ        HR*           MSO
wlp               yes        yes      yes           yes
proof calculus    complete   yes      future work   Hoare logic
theorem prover    yes / future work (column assignment of these two cells lost in extraction)
(1): [Pennemann, 2009]  (2): [Radke, 2016]  (3): [Poskitt and Plump, 2014]
git://omega.informatik.uni-oldenburg.de/wptk.git