Hoare Logic - University of Waterlooagurfink/stqam/assets/pdf/W08-HoareLogi… · based on slides by Prof. RuzicaPiskacand others. 22. 33 History Program verification is almost as

Hoare Logic

Testing, Quality Assurance, and MaintenanceWinter 2020

Prof. Arie Gurfinkel

based on slides by Prof. Ruzica Piskac and others

2 2

3 3

History

Program verification is almost as old as computer science• e.g., Checking A Large Routine by Alan Turing, 1949

In late 60s, Floyd proposed rules for flow-charts and Hoare for structured languages

Since then, there has been many axiomatic semantics for many substantial languages and many applications / automation• ESC/Java, SLAM, PCC, SPARK/Ada, KeY, Dafny, Viper, SeaHorn, …

4 4

Tony Hoare said…

“Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs.”

-- C.A.R Hoare, An Axiomatic Basis for Computer Programming,1969

5 5

Tony Hoare also said…

“It has been found a serious problem to define these languages [ALGOL, FORTRAN, COBOL] with sufficient rigor to ensure compatibility among all implementations. ... one way to achieve this would be to insist that all implementations of the language shall satisfy the axioms and rules of inference which underlie proofs of properties of programs expressed in the language. In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language.”

6 6

Axiomatic Semantics

An axiomatic semantics consists of:• a language for stating assertions about programs;• rules for establishing the truth of assertions.

Some typical kinds of assertions:• This program terminates.• If this program terminates, the variables x and y have the same value

throughout the execution of the program.• The array accesses are within the array bounds.

Some typical languages of assertions• First-order logic• Other logics (temporal, linear, separation)• Special-purpose specification languages (Z, Larch, JML)

7 7

Assertions for WHILE

The assertions we make about WHILE programs are of the form:

{A} c {B}with the meaning that:• If A holds in state q and q ! q’

• then B holds in q’

A is the precondition and B is the post-conditionFor example:

{ y ≤ x } z := x; z := z + 1 { y < z }is a valid assertionThese are called Hoare triples or Hoare assertions

8 8

Assertions for WHILE

{A} c {B} is a partial correctness assertion. It does not imply termination of c.• If A holds in state q and there exists q’

such that q ! q’

• then B holds in state q’

[A] c [B] is a total correctness assertion meaning that• If A holds in state q• then there exists q’ such that q ! q’

and B holds in state q’

9 9

Now let’s be more formal

Formalize the language of assertions, A and B

Define when an assertion holds in a state

Define rules for deriving valid Hoare triples

10 10

The Assertion Language

We use first-order predicate logic with WHILE expressions

A :: = true | false | e1 = e2 | e1 ≥ e2| A1 ^ A2 | A1 _ A2 | A1) A2 | ∀x.A | ∃x.A

We are somewhat sloppy and mix the logical variables and the program variables.

Implicitly, all WHILE variables range over integers.

All WHILE Boolean expressions are also assertions.

11 11

Semantics of Assertions

Notation q ⊨ A says that assertion A holds in a given state q.• This is well-defined when q is defined on all variables occurring

in A.

The ⊨ judgment is defined inductively on the structure of assertions.

It relies on the semantics of arithmetic expressions from WHILE.

12 12

Semantics of Assertions

q ⊨ true alwaysq ⊨ e1 = e2 iff <e1,q>⇓ = <e2,q>⇓q ⊨ e1 ≥ e2 iff <e1,q>⇓ ≥ <e2,q>⇓q ⊨ A1 ^ A2 iff q ⊨ A1 and q ⊨ A2

q ⊨ A1 _ A2 iff q ⊨ A1 or q ⊨ A2

q ⊨ A1 ) A2 iff q ⊨ A1 implies q ⊨ A2

q ⊨ ∀x.A iff 8n2Z. q[x:=n] ⊨ Aq ⊨ ∃x.A iff 9n2Z. q[x:=n] ⊨ A

13 13

Semantics of Hoare Triples

Now we can define formally the meaning of a partial correctness assertion:

⊨ {A} c {B} iff8q2Q. 8q’2Q. q ⊨ A ^ q ! q’ ) q’ ⊨ B

and the meaning of a total correctness assertion:

⊨[A] c [B] iff 8q2Q. q ⊨ A ) 9q’∈Q. q ! q’ ^ q’ ⊨ B

c

c

14 14

Examples of Hoare Triples

{ true } x := 5 { }

{ } x := x + 3 { x = y + 3 }

{ } x := x*2 + 3 { x > 1 }

{ x = a } if x < 0 then x := -x { }

{ false } x := 3 { }

{ x > 0 } while x != 0 do x := x - 1 { }

{ x < 0 } while x != 0 do x := x - 1 { }

15 15

Inferring Validity of Assertions

We now have the formal mechanism to decide when {A} c {B}• But it is not satisfactory,• because ⊨ {A} c {B} is defined in terms of the operational

semantics.• We practically have to run the program to verify an assertion.• Thus, it is impossible to effectively verify the truth of a∀x. A assertion (by using the definition of validity)

We need to define a symbolic technique for deriving valid assertions from others that are known to be valid• We start with validity of first-order formulas

16 16

Inference Rules (First Order Logic)

We write ` A when A can be inferred from basic axiomsThe inference rules for ` A are the usual ones from first-order logic with arithmeticNatural deduction style rules:

` A ^ B` A ` B

` A _ B` A

` A _ B` B

` 8 x. A` A[a/x] a is fresh` 8 x. A

` A[e/x] ` A[e/x] ` 9 x. A

` B` A ) B ` A

` B` 9 x. A ` B

` A[a/x] ...a is fresh` A ) B

` B

` A ...

17 17

Inference Rules for Hoare Triples

We write ` {A} c {B} when we can derive the triple using inference rules

There is one inference rule for each command in the language

Plus, the rule of consequence• e.g., strengthen pre-condition, weaken post-condition

` A0 =) A {A} c {B} ` B =) B0

{A0} c {B0}Conseq

18 18

Inference Rules for WHILE language

One rule for each syntactic construct:

` {A} skip {A}

` {A[e/x]} x:=e {A} ` {A} if b then s1 else s2 {B}` {A ^ b} s1 {B} ` {A ^ ¬b} s2 {B}

` {A} s1; s2 {C}` {A} s1 {B} ` {B} s2 {C}

` {I} while b do s {I ^ ¬b}` {I ^ b} s {I}

19 19

Example: Conditional

D1 :: ` {true ^ y ≤ 0} x := 1 {x > 0}D2 :: ` {true ^ y > 0} x := y {x > 0}

` {true} if y ≤ 0 then x := 1 else x := y {x > 0}

D1 is obtained by the rules of consequence and assignment` true ^ y ≤ 0 ) 1 > 0 ` {1 > 0} x := 1 {x > 0}

` {true ^ y ≤ 0} x := 1 {x > 0}

D2 is obtained by the rules of consequence and assignment` true ^ y > 0 ) y > 0 ` {y > 0} x := y {x > 0}

` {true ^ y > 0} x := y {x > 0}

20 20

Complete proof on one slide

21 21

Exercise: Hoare Rules

Is the following alternative rule for assignment still correct?

` {true} x:=e {x = e}

No. The rule is not correct. For example, this is wrong!

22 22

Hoare Rules

For some constructs, multiple rules are possible

alternative “forward axiom” for assignment:

alternative rule for while loops:

These alternative rules are derivable from the previous rules, plus the rule of consequence.

` I ^ b =) C ` {C} c {I} ` I ^ ¬b =) B

` {I} while b do c {B}

` {A} x := e {9x0 · x = e[x0/x] ^A[x0/x]}<latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="C39OhB+IczRcjLNINXH29e9lt8M=">AAAB2HicbZDNSgMxFIXv1L86Vq1rN8EiuCpTN+pOcOOygmML7VAymTttaCYzJHeEMvQFXLhRfDB3vo3pz0KtBwIf5yTk3hMXSloKgi+vtrW9s7tX3/cPGv7h0XGz8WTz0ggMRa5y04+5RSU1hiRJYb8wyLNYYS+e3i3y3jMaK3P9SLMCo4yPtUyl4OSs7qjZCtrBUmwTOmtowVqj5ucwyUWZoSahuLWDTlBQVHFDUiic+8PSYsHFlI9x4FDzDG1ULcecs3PnJCzNjTua2NL9+aLimbWzLHY3M04T+zdbmP9lg5LS66iSuigJtVh9lJaKUc4WO7NEGhSkZg64MNLNysSEGy7INeO7Djp/N96E8LJ90w4eAqjDKZzBBXTgCm7hHroQgoAEXuDNm3iv3vuqqpq37uwEfsn7+Aap5IoM</latexit><latexit sha1_base64="JmzNoGCnY5E4ZRKP4OtFLuQgxkg=">AAACM3icbVBNT9tAEB1DoTR8NOXaywiExCk4XIBWSCAuHEFqAClrRev1JFmx9lq7a3Bk+Z/1wl/gxpVLDy3qX+g65ECBJ6305r0Z7cyLcyWtC8OHYG7+w8Lix6VPreWV1bXP7S8rF1YXRlBPaKXNVcwtKZlRz0mn6Co3xNNY0WV8fdL4lzdkrNTZDzfJKUr5KJNDKbjz0qB9wW4SbsfIqmNWs+9YIku5G+u8+nZYI3mFVcio9JtYLAchMpFo59sOkfq+3ikjZLeUjAiPmxp3sIxYPWhvhp1wCnxLujOyCTOcDdr3LNGiSClzQnFr+90wd1HFjZNCUd1ihaWci2s+or6nGU/JRtX0/hq3vJLgUBv/ModT9eVExVNrJ2nsO5vj7GuvEd/z+oUb7keVzPLCUSaePxoWCp3GJkxMpCHh1MQTLoz0u6IYc8OF85G3fAjd1ye/Jb3dzkEnPA9hCb7CBmxDF/bgCE7hDHog4Cc8wm/4E9wFv4Kn57Tmglls6/Afgr//AL3pqxs=</latexit><latexit sha1_base64="JmzNoGCnY5E4ZRKP4OtFLuQgxkg=">AAACM3icbVBNT9tAEB1DoTR8NOXaywiExCk4XIBWSCAuHEFqAClrRev1JFmx9lq7a3Bk+Z/1wl/gxpVLDy3qX+g65ECBJ6305r0Z7cyLcyWtC8OHYG7+w8Lix6VPreWV1bXP7S8rF1YXRlBPaKXNVcwtKZlRz0mn6Co3xNNY0WV8fdL4lzdkrNTZDzfJKUr5KJNDKbjz0qB9wW4SbsfIqmNWs+9YIku5G+u8+nZYI3mFVcio9JtYLAchMpFo59sOkfq+3ikjZLeUjAiPmxp3sIxYPWhvhp1wCnxLujOyCTOcDdr3LNGiSClzQnFr+90wd1HFjZNCUd1ihaWci2s+or6nGU/JRtX0/hq3vJLgUBv/ModT9eVExVNrJ2nsO5vj7GuvEd/z+oUb7keVzPLCUSaePxoWCp3GJkxMpCHh1MQTLoz0u6IYc8OF85G3fAjd1ye/Jb3dzkEnPA9hCb7CBmxDF/bgCE7hDHog4Cc8wm/4E9wFv4Kn57Tmglls6/Afgr//AL3pqxs=</latexit><latexit sha1_base64="Utv9MgooEnK5Es6Hi2+v5Z2bAf8=">AAACPnicbVA9T9xAEF0TkpDLl4EyzYhTpFSHLw350El8NJQgYUC6taz1eu5uxdpr7a4Pnyz/M5r8BTpamhQhSkvJ+riCj4y00pv33mhnXlJIYWwQXHlLL5Zfvnq98qbz9t37Dx/91bVjo0rNMeRKKn2aMINS5BhaYSWeFhpZlkg8Sc72Wv1kitoIlR/ZWYFRxsa5GAnOrKNi/5hOU2YmQOsd2tCfUAHNmJ2oov4xaAAdQ2ugWLlNDFRxAJSnyjrbAHDo+s0qAnqO6Rhhp+1hE6qINrHfDXrBvOA56C9AlyzqIPYvaap4mWFuuWTGDPtBYaOaaSu4xKZDS4MF42dsjEMHc5ahier5/Q18dkwKI6Xdyy3M2YcTNcuMmWWJc7bHmadaS/5PG5Z29C2qRV6UFnN+/9GolGAVtGFCKjRyK2cOMK6F2xX4hGnGrYu840LoPz35OQi/9r73gsOgu727SGOFfCIb5Avpky2yTfbJAQkJJxfkmvwhN94v77f31/t3b13yFjPr5FF5t3cfW6zA</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit><latexit sha1_base64="cQaYUeNrFYPf8KB+bcO+q3hlT3M=">AAACPnicbVBNTxsxEPVCC2loIYVjL6NGSJzCpkLio0IKcOFIpQaQ4lXk9U4SK971yvbCRqv9Z1z4C9y49tIDIK4c8YYcWmAkS2/eeyPPvDCVwljfv/Xm5j98XFisfaovff6yvNL4unpqVKY5drmSSp+HzKAUCXatsBLPU40sDiWeheOjSj+7QG2ESn7bSYpBzIaJGAjOrKP6jVN6ETEzAloc0JL+hBxozOxIpcXefgnoGFoAxdxtYiDv+0B5pKyz7QP2XL+ZB0AvMRoiHFQ9bEIe0LLfaPotf1rwFrRnoElmddJv3NBI8SzGxHLJjOm1/dQGBdNWcIllnWYGU8bHbIg9BxMWowmK6f0lrDsmgoHS7iUWpuy/EwWLjZnEoXNWx5nXWkW+p/UyO9gJCpGkmcWEv3w0yCRYBVWYEAmN3MqJA4xr4XYFPmKacesir7sQ2q9Pfgu6P1q7Lf/XVrNzOEujRr6R72SDtMk26ZBjckK6hJMr8ofckXvv2vvrPXiPL9Y5bzazRv4r7+kZIJusxA==</latexit>

23 23

` {I ^ b} s {I}

` {I} while b do s {I ^ ¬b}

24 24

Example: a simple loop

We want to infer that

` {x ≤ 0} while x ≤ 5 do x := x + 1 {x = 6}

Use the rule for while with invariant I ´ x ≤ 6

` x ≤ 6 ^ x ≤ 5 ) x + 1 ≤ 6 ` {x + 1 ≤ 6} x := x + 1 {x ≤ 6}

` {x ≤ 6 ^ x ≤ 5} x := x + 1 {x ≤ 6}

` {x ≤ 6} while x ≤ 5 do x := x + 1 { x ≤ 6 ^ x > 5}

Then finish-off with the rule of consequence` x ≤ 0 ) x ≤ 6 ` x ≤ 6 ^ x > 5 ) x = 6 ` {x ≤ 6} while ... {x ≤ 6 ^ x > 5}

` {x ≤ 0} while ... {x = 6}

25 25

Complete proof on one slide

26 26

Inductive Loop Invariants

Inv is an inductive loop invariant if the following three conditions hold:• (Initiation) Inv holds initially whenever the loop is reached. That is, it is true

of the pre-condition Pre

• (Consecution) Inv is preserved: executing the loop body c from any state satisfying Inv and loop condition b ends in a state satisfying Inv

• (Safety) Inv is strong enough: Inv and the negation of loop condition b imply the desired post-condition Post

` Pre ) Inv ` { Inv ^ b } s { Inv } ` Inv^¬ b ) Post{ Pre } while b do s { Post }

27 27

Proving simple loop using only one rule

We want to infer that

` {x ≤ 0} while x ≤ 5 do x := x + 1 {x = 6}

Using inductive invariant x≤6

x ≤ 0)x≤6 ` {x≤6^x≤5 } x:=x+1 {x≤6} x>5^x ≤ 6 ) x=6{ x ≤ 0 } while x<=5 do x:=x+1 { x=6 }

28 28

Example: a more interesting program

We want to derive that{n ¸ 0}p := 0; x := 0;while x < n do x := x + 1; p := p + m

{p = n * m}

29 29


` {n ¸ 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m}

Only applicable rule (except for rule of consequence):

` {A} c1; c2 {B} ` {A} c1{C} ` {C} c2 {B}

c1 c2 BA

`{C} while x < n do (x:=x+1; p:=p+m) {p = n * m}` {n ¸ 0} p:=0; x:=0 {C}

30 30



What is C?

`{C} while x < n do (x:=x+1; p:=p+m) {p = n * m}` {n ¸ 0} p:=0; x:=0 {C}

Look at the next possible matching rules for c2!


` {I} while b do c {I ^ ¬b}` {I ^ b} c {I}

We can match {I} with {C} but we cannot match {I ^ ¬b} and {p = n * m} directly. Need to apply the rule of consequence

first!

c1 c2 BA

31 31



What is C?

B’A’`{C} while x < n do (x:=x+1; p:=p+m) {p = n * m}` {n ¸ 0} p:=0; x:=0 {C}

Look at the next possible matching rules for c2!


` {I} while b do c {I ^ ¬b}` {I ^ b} c {I}

` A’ ) A ` {A} c’ {B} ` B ) B’` {A’} c’ {B’}

Rule of consequence:

c’

c’A B

I = A = A’ = C

32 32



What is I?

`{I} while x < n do (x:=x+1; p:=p+m) {p = n * m}` {n ¸ 0} p:=0; x:=0 {I}

Let’s keep it as a placeholder for now!

` I ^ x ¸ n ) p = n * m`{I} while x < n do (x:=x+1; p:=p+m) {I ^ x ¸ n}

`{I ^ x<n} x := x+1; p:=p+m {I}

Next applicable rule:

` {A} c1; c2 {B} ` {A} c1{C} ` {C} c2 {B}

BA c1 c2

33 33


` {n ¸ 0} p:=0; x:=0; while x < n do (x:=x+1; p:=p+m) {p = n * m} `{I} while x < n do (x:=x+1; p:=p+m) {p = n * m}` {n ¸ 0} p:=0; x:=0 {I}


`{I ^ x<n} x := x+1; p:=p+m {I}

BA c1 c2`{I ^ x<n} x := x+1 {C}

What is C? Look at the next possible matching rules for c2!Only applicable rule (except for rule of consequence):` {A[e/x]} x:=e {A}

`{C} p:=p+m {I}

34 34




What is C? Look at the next possible matching rules for c2!Only applicable rule (except for rule of consequence):` {A[e/x]} x:=e {A}

`{I[p+m/p} p:=p+m {I}`{I ^ x<n} x:=x+1; p:=p+m {I}

`{I ^ x<n} x:=x+1 {I[p+m/p]}

35 35




`{I ^ x<n} x:=x+1; p:=p+m {I}`{I ^ x<n} x:=x+1 {I[p+m/p]}

Only applicable rule (except for rule of consequence):` {A[e/x]} x:=e {A}

`{I[p+m/p} p:=p+m {I}

Need rule of consequence to match {I ^ x<n} and {I[x+1/x, p+m/p]}

36 36




`{I ^ x<n} x:=x+1; p:=p+m {I}`{I ^ x<n} x:=x+1 {I[p+m/p]} `{I[p+m/p} p:=p+m {I}

` I ^ x < n ) I[x+1/x, p+m/p]

`{I[x+1/x, p+m/p]} x:=x+1 {I[p+m/p]}

Let’s just remember the open proof obligations!

...

37 37



` I ^ x ¸ n ) p = n * m` I ^ x < n ) I[x+1/x, p+m/p]

Let’s just remember the open proof obligations!

...Continue with the remaining part of the proof tree, as before.

` {I[0/x]} x:=0 {I}` {n ¸ 0} p:=0 {I[0/x]}` {I[0/p, 0/x]} p:=0 {I[0/x]}` n ¸ 0 ) I[0/p, 0/x] Now we only need to solve the

remaining constraints!

38 38


` I ^ x ¸ n ) p = n * m` I ^ x < n ) I[x+1/x, p+m/p]

Find I such that all constraints are simultaneously valid:` n ¸ 0 ) I[0/p, 0/x]

I ´ p = x * m ^ x ≤ n

` p = x * m ^ x ≤ n ^ x ¸ n ) p = n * m` p = p * m ^ x ≤ n ^ x < n ) p+m = (x+1) * m ^ x+1 ≤ n` n ¸ 0 ) 0 = 0 * m ^ 0 ≤ n

All constraints are valid!

39 39

Back to the example: What did we just do?!

{n ¸ 0}p := 0; x := 0;while x < n inv p=x*m ^ x≤n do

x := x + 1; p := p + m

{p = n * m}

40 40

Using Hoare Rules

Hoare rules are mostly syntax directed

There are three obstacles to automation of Hoare logic proofs:• When to apply the rule of consequence?• What invariant to use for while?• How do you prove the implications involved in the rule of consequence?

The last one is how theorem proving gets in the picture• This turns out to be doable!• The loop invariants turn out to be the hardest problem!• Should the programmer give them?

41 41

Hoare Logic: Summary

We have a language for asserting properties of programs.

We know when such an assertion is true.

We also have a symbolic method for deriving assertions.

A{A} P {B}

⊨ A⊨ {A} P {B}

` A` {A} P {B}

semantics

soundness

completenesstheorem proving

42 42

Software Size: Operating System

0

10

20

30

40

50

60

70

80

90

100

SLOC

LOC OF AN OPERATING SYSTEM

NT 3.1NT 3.5NT 4.02000XP2003OSXLinux

43 43

Software Size: Software Distribution

0

50

100

150

200

250

300

350

400

450

SLOC

LOC OF A SOFTWARE DISTRIBUTION

NT 3.1NT 3.5NT 4.02000XP2003OSXLinuxDebian

Verification must be automated!

44 44

Software Verification (with Dafny)

programformulas

correct

no

theorem prover

annotations

verifier

Prove formulas automatically!

Documents

Hoare Logic - University of Waterlooagurfink/stqam/assets/pdf/W08-HoareLogi… · based on slides by Prof. RuzicaPiskacand others. 22. 33 History Program verification is almost as