Using a Set Constraint Solver for Program Verification
Maximiliano Cristiá, Universidad Nacional de Rosario, Argentina
Gianfranco Rossi, Università degli Studi di Parma, Italy
Claudia Frydman, Aix-Marseille Université, France
4th HCVS, August 2017, Gothenburg, Sweden
Slide 1: {log}: a constraint solver for set theory
- Prolog program based on set unification and CLP (Rossi et al. 1991; Rossi & Cristiá since 2013)
- {log} is a complete solver for a fragment of set theory
- satisfiability solver: returns a finite representation of all solutions of a given formula
- solution → assignment of values to the free variables of the formula
- declarative programming language
- sets in {log} are first-class entities: finite, unbounded, untyped, nested, partially specified
Slide 2: {log}: some examples
set equality
  {1, 2 ⊔ A} = {1, x, 3}
  {1, 2 ⊔ A} is interpreted as {1, 2} ∪ A
  {log} returns four solutions:
    x = 2 ∧ A = {3}
    x = 2 ∧ A = {2, 3}
    x = 2 ∧ A = {1, 3}
    x = 2 ∧ A = {1, 2, 3}
set equality (unsatisfiable)
  {1, 2 ⊔ A} = {1, x, 3} ∧ x ≠ 2
  {log} returns false
Slide 3: {log}: some examples
union is commutative (mathematics)
  A ∪ B = B ∪ A
  to prove it with {log} enter the negation
union is commutative (negation in {log})
  set operators become constraints
  un(A, B, C) ∧ nun(B, A, C)
  {log} returns false
  the last formula can also be written as:
    nun(A, B, C) ∧ un(B, A, C)
  or
    un(A, B, C) ∧ un(B, A, XX) ∧ C ≠ XX
Slide 4: {log}: some examples
binary relations theorem (mathematics)
  A, B sets; R binary relation
  (A ⊳ R)[B] = R[A ∩ B]
  ⊳ domain restriction; ·[·] relational image
binary relations theorem (negation in {log})
  relational operators become constraints
  dres(A, R, N1) ∧ rimg(N1, B, N2) ∧ inters(A, B, N3) ∧ nrimg(R, N3, N2)
  sets and relations can be freely combined
  {log} works as an automated theorem prover
Slide 5: {log}: functional partial program verification
first question: is {log} useful for functional partial program verification?
second question: will it automatically discharge verification conditions of a Hoare framework?
third question: if so, of what classes of programs?
Slide 6: specifications & programs
- set theory is used as the specification language, much as in the B and Z notations
- programs are written in an abstract imperative language
- abstract data types are also available
- pre-conditions, loop invariants and post-conditions are given
- Hoare rules apply
- programs dealing with lists: an ADT named List is defined
Slide 7: an ADT for lists
public adt List(T)
public
  List()      ⊲ constructor
  add(T e)    ⊲ appends e to the list
  fst()       ⊲ fst, next, more → abstract iterator
  T next()
  Bool more()
  rpl(T e)    ⊲ replaces last iterated element with e
  del()       ⊲ empties the list
end
end adt
Slide 8: list subroutines
with the List ADT we can write list subroutines
list equality
function Bool listEq(List s, t)
  s.fst(); t.fst()
  while s.more() ∧ t.more() ∧ s.next() = t.next() do
    skip
  end while
  return ¬s.more() ∧ ¬t.more()
end function
Slide 9: list subroutines
and we can annotate subroutines with specifications
list equality
pre-condition: true
function Bool listEq(List s, t)
  s.fst(); t.fst()
  invariant s ∈ → ∧ s = s_p ∪ s_r ∧ s_p ∩ s_r = ∅ ∧ t ∈ → ∧ t = t_p ∪ t_r ∧ t_p ∩ t_r = ∅ ∧ s_p = t_p
  while s.more() ∧ t.more() ∧ s.next() = t.next() do
    skip
  end while
  return ¬s.more() ∧ ¬t.more()
end function
post-condition: ret ⇔ s = t
Slide 10: specifications
annotations are formulas in our specification language: set theory + binary relations, as in Z and B
invariant: s ∈ → ∧ s = s_p ∪ s_r ∧ s_p ∩ s_r = ∅ ∧ t ∈ → ∧ t = t_p ∪ t_r ∧ t_p ∩ t_r = ∅ ∧ s_p = t_p
s (program variable) ⟶ s (specification variable)
s′ ⟶ value of s in the after state
Slide 11: specifications
invariant: s ∈ → ∧ s = s_p ∪ s_r ∧ s_p ∩ s_r = ∅ ∧ t ∈ → ∧ t = t_p ∪ t_r ∧ t_p ∩ t_r = ∅ ∧ s_p = t_p
if s is a List, then s enjoys List's interface properties:
  ⟨m, g, b⟩ ⟶ {(1, m), (2, g), (3, b)}     s is a set of ordered pairs
  s ∈ →                                    s is a partial function
  s = s_p ∪ s_r ∧ s_p ∩ s_r = ∅            s is partitioned by the iterator (s_p processed part, s_r remaining part)
  s_p = t_p                                inside the loop the processed parts are equal
all these properties are provable from List's specification
Slide 12: verification conditions
Hoare rules are applied to generate verification conditions
the most complex verification conditions are:
  if the loop condition holds, then the loop invariant is preserved after each iteration:
    loop condition ∧ invariant ∧ iteration ⇒ invariant′
  upon termination of the loop its invariant implies the post-condition:
    ¬loop condition ∧ invariant ⇒ post-condition
{log} is used to automatically discharge vc's
Slide 13: verification condition: an example
an example from listEq
  (s_r = ∅ ∨ t_r = ∅ ∨ s_r = {(x, y1) ⊔ s¹_r} ∧ t_r = {(x, y2) ⊔ t¹_r} ∧ y1 ≠ y2)     [¬loop condition]
  ∧ s ∈ → ∧ s = s_p ∪ s_r ∧ s_p ∩ s_r = ∅ ∧ t ∈ → ∧ t = t_p ∪ t_r ∧ t_p ∩ t_r = ∅ ∧ s_p = t_p     [loop invariant]
  ⇒ ((s_r = ∅ ∧ t_r = ∅) ⇔ s = t)     [post-condition]
Slide 14: verification conditions in {log}
the negation of vc's has to be translated into {log}; this translation is straightforward
  (s_r = ∅ ∨ t_r = ∅ ∨ s_r = {(x, y1) ⊔ s¹_r} ∧ t_r = {(x, y2) ⊔ t¹_r} ∧ y1 ≠ y2)
  ∧ pfun(s) ∧ un(s_p, s_r, s) ∧ disj(s_p, s_r)
  ∧ pfun(t) ∧ un(t_p, t_r, t) ∧ disj(t_p, t_r) ∧ s_p = t_p
  ∧ (s_r = ∅ ∧ t_r = ∅ ∧ s ≠ t ∨ s = t ∧ (s_r ≠ ∅ ∨ t_r ≠ ∅))
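The exit verification condition of slides 13 and 14, checked by bounded model search as an added example (Python, not the authors' code and not {log}): it enumerates every pair of lists up to a given length together with every processed/remaining split and looks for a model of the negated vc exactly as written above, so `counterexample` returning None is the finite analogue of {log} returning false. The `keep_sp_eq_tp` switch is an assumption of this example only; dropping s_p = t_p from the invariant lets a counterexample through.

```python
# Added example (not the authors' code, not {log}): brute-force search for a
# model of the negated exit VC of listEq (slide 14), i.e. of
#   not loop-condition and invariant and not post-condition,
# over all lists <e1..en> with n <= max_len, each encoded as a partial
# function N -> T: a frozenset of (index, elem) pairs, <m,g> -> {(1,'m'),(2,'g')}.
from itertools import product

def is_pfun(s):
    """pfun(s): every index occurs in at most one pair."""
    return len({i for i, _ in s}) == len(s)

def lists(alphabet, max_len):
    """All lists <e1..en> with n <= max_len, as sets of ordered pairs."""
    for n in range(max_len + 1):
        for elems in product(alphabet, repeat=n):
            yield frozenset(enumerate(elems, start=1))

def partitions(s):
    """All (processed, remaining) splits, i.e. un(sp, sr, s) and disj(sp, sr)."""
    items = sorted(s)
    for bits in product((False, True), repeat=len(items)):
        sp = frozenset(e for e, b in zip(items, bits) if b)
        yield sp, s - sp

def not_loop_cond(sr, tr):
    """s_r = {} or t_r = {} or the next pairs share index x but y1 != y2."""
    return (not sr or not tr
            or any(x1 == x2 and y1 != y2 for x1, y1 in sr for x2, y2 in tr))

def invariant(s, sp, sr, t, tp, tr, keep_sp_eq_tp=True):
    """Loop invariant of slide 9; drop s_p = t_p to see that it is needed."""
    return (is_pfun(s) and sp | sr == s and not (sp & sr)
            and is_pfun(t) and tp | tr == t and not (tp & tr)
            and (sp == tp or not keep_sp_eq_tp))

def post(s, sr, t, tr):  # ret <=> s = t, with ret = (s_r = {} and t_r = {})
    return (not sr and not tr) == (s == t)

def counterexample(alphabet=("m", "g"), max_len=2, keep_sp_eq_tp=True):
    """A model of the negated VC, or None when there is none in the bounded
    domain (the finite analogue of {log} answering false)."""
    for s in lists(alphabet, max_len):
        for t in lists(alphabet, max_len):
            for sp, sr in partitions(s):
                for tp, tr in partitions(t):
                    if (not_loop_cond(sr, tr)
                            and invariant(s, sp, sr, t, tp, tr, keep_sp_eq_tp)
                            and not post(s, sr, t, tr)):
                        return s, sp, sr, t, tp, tr
    return None
```

Unlike {log}, this only covers lists up to `max_len`; the solver's answer is a proof for all lists, the search is evidence for small ones.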
Slide 15: List's specification
List is implemented as a singly-linked list
each node of the list is of type Node, a simple ADT with two fields, next and elem, and methods setNext, getNext, setElem, getElem
instances of Node are modeled as ordered pairs: (n, e)
instances of List are modeled as partial functions:
  {c1 ↦ (c2, e1), c2 ↦ (c3, e2), ..., cn ↦ (null, en)}
  representing the list ⟨e1, e2, ..., en⟩