
Program Verification with

Hoare Logic
Anders Møller

University of Aarhus

http://www.brics.dk/~amoeller/talks/hoare.pdf

Using Assertions in Programming

- Assertion: an invariant at a specific program point
  - dynamic checks, runtime errors (e.g. Java 1.4 assert(exp))
- Floyd, 1967: use assertions as the foundation for static correctness proofs
  - specify assertions at every program point
  - correctness is reduced to reasoning about individual statements


Hoare Logic

Hoare, 1969: use Floyd's ideas to define an axiomatic semantics (i.e., define the programming language semantics as a proof system)

Hoare triple:

  {P} S {Q}

  P is the precondition and Q the postcondition, both written in some predicate logic; S is a program statement.

- partial correctness: if S is executed in a store initially satisfying P and it terminates, then the final store satisfies Q
- total correctness: as partial, but also requires termination
  (we ignore termination and definedness...)


Hoare Logic for miniTIP

miniTIP: as TIP, but without
- functions
- pointers
- input/output
i.e., a core while-language with only pure expressions


An Axiom for Assignment

  {Q[E/id]} id=E; {Q}

  (Q[E/id] is Q with every free occurrence of id replaced by E)

Example: {y+7>42} x=y+7; {x>42}

- the most central aspect of imperative languages is reduced to simple syntactic formula substitution! (This relies on E being pure; it is why miniTIP has only pure expressions.)
- this axiom is backwards: it allows the precondition to be inferred automatically from the statement and the postcondition

A Proof Rule for Sequence

  {P} S1 {R}    {R} S2 {Q}
  ------------------------
       {P} S1 S2 {Q}

(Apparently) the intermediate assertion R must be created manually...


A Proof Rule for Conditional

  {P ∧ E} S1 {Q}    {P ∧ ¬E} S2 {Q}
  ---------------------------------
    {P} if (E) {S1} else {S2} {Q}


A Proof Rule for Iteration

       {P ∧ E} S {P}
  ---------------------------
  {P} while (E) {S} {P ∧ ¬E}

- P is the loop invariant; this is where the main difficulty is!
- this rule can be extended to handle total correctness (by also requiring a well-founded variant that decreases on every iteration)...


Pre-Strengthening and Post-Weakening (the rule of consequence)

  P' ⇒ P    {P} S {Q}    Q ⇒ Q'
  ------------------------------
           {P'} S {Q'}

Intuitively, A ⇒ B means that A is stronger than B


Soundness and Completeness

- Soundness: if {P} S {Q} can be proven, then it is certain that executing S from a store satisfying P will only terminate in stores satisfying Q
- Completeness: the converse of soundness, i.e. every triple that is valid in this sense can be proven

Hoare logic is both sound and complete, provided that the underlying assertion logic is! This is a relative completeness result: the proof rules themselves lose nothing, but side conditions such as P' ⇒ P and the loop invariants must be proven in the underlying logic.
- often, the underlying logic is sound but incomplete (e.g. Peano arithmetic, by Gödel's incompleteness theorem)


Example: factorial

  {n≥0 ∧ t=n}          t is a logical variable: it remembers the initial value of n
  r=1;
  {P1}
  while (n≠0) {
    {P2}
    r=r*n;
    {P3}
    n=n-1;
  }
  {r=t!}

  P1 ≡ n≥0 ∧ t=n ∧ r=1
  P2 ≡ r=t!/n! ∧ t≥n≥0
  P3 ≡ r=t!/(n-1)! ∧ t≥n>0

- Peano arithmetic can be used in the assertions


Proof Obligations in the Example

  {n≥0 ∧ t=n} r=1; {P1}
  P1 ⇒ P2
  {P2 ∧ n≠0} r=r*n; {P3}
  {P3} n=n-1; {P2}
  (P2 ∧ ¬(n≠0)) ⇒ r=t!

The two triples for the assignments follow from the assignment axiom plus pre-strengthening (P ⇒ Q[E/id]); the remaining obligations are implications that have to be proven in the underlying logic, here Peano arithmetic.
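The five obligations above can be checked mechanically once assertions are made executable. The following is an added example, not code from the slides: it represents assertions and expressions as Python functions over a store, so that the substitution Q[E/id] of the assignment axiom becomes "evaluate Q in the store with id updated to E", and it checks each obligation exhaustively over a finite range of values. All names (`subst`, `assign_triple`, `factorial_obligations`, ...) are this example's own. Bounded checking of this kind catches a wrong invariant quickly but is not a proof for all integers; the real obligations are theorems of Peano arithmetic.

```python
"""Bounded check of the Hoare-logic proof obligations for the factorial example.

Added example, not code from the original slides. Assertions and expressions
are represented semantically, as Python functions from a store (a dict of
variable values) to a value, so Q[E/id] becomes "Q evaluated in the store with
id := E(store)". Each obligation is then checked exhaustively over a finite set
of stores. That is a sanity check against wrong invariants, not a proof for all
integers; the real obligations are theorems of Peano arithmetic.
"""
from itertools import product
from math import factorial

def subst(Q, var, E):
    """Assignment axiom, backwards: {Q[E/var]} var=E; {Q}."""
    return lambda s: Q({**s, var: E(s)})

def implies(A, B, stores):
    """A ⇒ B on every store in `stores`; returns the first counterexample or None."""
    return next((s for s in stores if A(s) and not B(s)), None)

def assign_triple(P, var, E, Q, stores):
    """{P} var=E; {Q} holds iff P ⇒ Q[E/var] (assignment axiom + pre-strengthening)."""
    return implies(P, subst(Q, var, E), stores)

def both(A, B):
    return lambda s: A(s) and B(s)

def neg(A):
    return lambda s: not A(s)

# The annotated program from the slides; t is the logical variable holding the initial n.
def pre(s):   return s['n'] >= 0 and s['t'] == s['n']
def P1(s):    return s['n'] >= 0 and s['t'] == s['n'] and s['r'] == 1
def P2(s):    return s['t'] >= s['n'] >= 0 and s['r'] == factorial(s['t']) // factorial(s['n'])
def P3(s):    return s['t'] >= s['n'] > 0 and s['r'] == factorial(s['t']) // factorial(s['n'] - 1)
def guard(s): return s['n'] != 0                       # the loop condition E
def post(s):  return s['r'] == factorial(s['t'])

def stores(bound):
    """All stores with n, t in [0, bound] and r in [0, bound!] (finite, so exhaustive)."""
    return [{'n': n, 't': t, 'r': r}
            for n, t, r in product(range(bound + 1), range(bound + 1),
                                   range(factorial(bound) + 1))]

def factorial_obligations(bound=4, P1=P1):
    """The five obligations from the slide, as {obligation: counterexample or None}.
    P1 is a parameter so that a wrong invariant can be tried in its place."""
    S = stores(bound)
    return {
        '{n≥0 ∧ t=n} r=1; {P1}':  assign_triple(pre, 'r', lambda s: 1, P1, S),
        'P1 ⇒ P2':                implies(P1, P2, S),
        '{P2 ∧ n≠0} r=r*n; {P3}': assign_triple(both(P2, guard), 'r',
                                                lambda s: s['r'] * s['n'], P3, S),
        '{P3} n=n-1; {P2}':       assign_triple(P3, 'n', lambda s: s['n'] - 1, P2, S),
        '(P2 ∧ ¬(n≠0)) ⇒ r=t!':   implies(both(P2, neg(guard)), post, S),
    }

def weakened_p1_counterexample(bound=4):
    """Drop r=1 from P1: the first triple still holds, but P1 ⇒ P2 now fails,
    and the checker returns the store that breaks it."""
    weak_P1 = pre                                      # n≥0 ∧ t=n, forgetting r=1
    return factorial_obligations(bound, P1=weak_P1)['P1 ⇒ P2']

if __name__ == '__main__':
    for name, cex in factorial_obligations().items():
        print(f'{name:26s} {"valid" if cex is None else "FAILS at " + str(cex)}')
    print('weakened P1 fails at', weakened_p1_counterexample())
```

The second function shows why the r=1 conjunct of P1 cannot be dropped: without it the implication P1 ⇒ P2 is refuted by a store with r=0, which is exactly the kind of feedback one wants when guessing loop invariants.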


Hoare Logic for the full TIP language?

- Input/Output expressions?
  - just convert them to separate statements
- Functions?
  - require pre/post-conditions at the function declaration
  - the frame problem: to be useful, the pre/post-conditions also need to specify which things do not change
- Pointers?
  - the heap-as-array trick: model *x=y as H[x]=y
  - the global reasoning problem: in the proofs, each heap write appears to affect every heap read
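A worked instance of the heap-as-array trick and of the global reasoning problem it causes, added here and not part of the slides. H is the heap array, H[x↦y] denotes the array that agrees with H except that index x holds y, and the second line is the standard read-over-write rule for arrays:

```latex
\begin{aligned}
&\{Q[H[x \mapsto y]/H]\}\;\; *x = y;\;\; \{Q\}
  &&\text{(assignment axiom applied to the array variable } H\text{)}\\[4pt]
&H[x \mapsto y][z] = \begin{cases} y & \text{if } x = z\\ H[z] & \text{if } x \neq z\end{cases}
  &&\text{(read-over-write)}\\[4pt]
&\text{Take } Q \equiv *z = 5 \equiv H[z] = 5.\text{ Then}\\
&WP(*x = y,\; H[z] = 5) \;=\; H[x \mapsto y][z] = 5
  \;=\; (x = z \wedge y = 5) \;\vee\; (x \neq z \wedge H[z] = 5).
\end{aligned}
```

The precondition for reading *z mentions the write to *x even though the program never relates x and z: unless an aliasing fact such as x ≠ z is available, every heap write costs a case split in every later heap read. That is the global reasoning problem named above.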


Dijkstra's Weakest Precondition Technique

Dijkstra, 1975: Given a statement S and a postcondition Q, the weakest precondition WP(S,Q) denotes the largest set of stores for which S terminates and the resulting store satisfies Q.

  WP(id=E;, Q) = Q[E/id]

  WP(S1 S2, Q) = WP(S1, WP(S2,Q))
      (this shows that the intermediate assertion comes for free in the sequence rule in Hoare Logic)

  WP(if (E) {S1} else {S2}, Q) = (E ∧ WP(S1,Q)) ∨ (¬E ∧ WP(S2,Q))

  WP(while (E) {S}, Q) = ∃k≥0: H_k
      where H_0 = ¬E ∧ Q and H_{k+1} = H_0 ∨ (E ∧ WP(S, H_k))
      (an inductive definition: H_k holds in the stores from which the loop terminates within k iterations in a store satisfying Q; reasoning about it calls for inductive proofs)

Strongest Postcondition

- WP is a backward predicate transformer
- SP (strongest postcondition) is forward:

    SP(P, id=E;) = ∃v: P[v/id] ∧ id=E[v/id]
    (v stands for the value of id before the assignment)
    ...

  {P} S {Q}  iff  P ⇒ WP(S,Q)    (if using the total correctness variant)
             iff  SP(P,S) ⇒ Q
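Both predicate transformers from the two preceding slides, as an added example that is not code from the slides. `wp` follows Dijkstra's definitions literally, including the H_k sequence for loops, and `sp` implements the assignment case from the slide; the seq and if cases of `sp` are filled in here in the obvious way (the slide leaves them as "..."). The tuple AST, the function names and the sample programs are this example's own. Infinite quantifiers (∃k≥0 for loops, ∃v in SP) are bounded by a `fuel` parameter and a finite value domain, so the code checks the equivalences on finite stores rather than proving them.

```python
"""WP and SP as executable predicate transformers for the miniTIP while-language.

Added example, not from the original slides. Statements are tuples:
    ('assign', var, E)  ('seq', S1, S2)  ('if', E, S1, S2)  ('while', E, S)
where E and every assertion is a Python function from a store (dict) to a value.
Q[E/var] is realised semantically as "Q in the store with var := E(store)".
Infinite quantifiers (∃k≥0 for loops, ∃v for SP) are bounded by `fuel` and by a
finite value domain, so this checks, it does not prove.
"""
from itertools import product
from math import factorial

def wp(stmt, Q, fuel=20):
    """Dijkstra's weakest precondition (total correctness)."""
    kind = stmt[0]
    if kind == 'assign':                       # WP(id=E, Q) = Q[E/id]
        _, var, E = stmt
        return lambda s: Q({**s, var: E(s)})
    if kind == 'seq':                          # WP(S1 S2, Q) = WP(S1, WP(S2, Q))
        _, S1, S2 = stmt
        return wp(S1, wp(S2, Q, fuel), fuel)   # the intermediate assertion is computed, not guessed
    if kind == 'if':                           # (E ∧ WP(S1,Q)) ∨ (¬E ∧ WP(S2,Q))
        _, E, S1, S2 = stmt
        w1, w2 = wp(S1, Q, fuel), wp(S2, Q, fuel)
        return lambda s: w1(s) if E(s) else w2(s)
    if kind == 'while':                        # ∃k≥0. H_k, H_0 = ¬E ∧ Q, H_{k+1} = H_0 ∨ (E ∧ WP(S, H_k))
        _, E, S = stmt
        def H0(s):
            return (not E(s)) and Q(s)
        def H(k):
            if k == 0:
                return H0
            return lambda s: H0(s) or (E(s) and wp(S, H(k - 1), fuel)(s))
        return H(fuel)                         # H_k ⇒ H_{k+1}, so H_fuel is ∃k≤fuel. H_k
    raise ValueError(f'unknown statement {kind}')

def sp(P, stmt, values):
    """Strongest postcondition for loop-free code. The slide gives the assignment
    case, SP(P, id=E) = ∃v. P[v/id] ∧ id = E[v/id], with v ranging over `values`;
    seq and if are this example's additions."""
    kind = stmt[0]
    if kind == 'assign':
        _, var, E = stmt
        return lambda s: any(P({**s, var: v}) and s[var] == E({**s, var: v}) for v in values)
    if kind == 'seq':
        _, S1, S2 = stmt
        return sp(sp(P, S1, values), S2, values)
    if kind == 'if':
        _, E, S1, S2 = stmt
        p1 = sp(lambda s: P(s) and E(s), S1, values)
        p2 = sp(lambda s: P(s) and not E(s), S2, values)
        return lambda s: p1(s) or p2(s)
    raise ValueError(f'SP not defined here for {kind}')

def valid(A, B, stores):
    """A ⇒ B on every store; returns the first counterexample, or None."""
    return next((s for s in stores if A(s) and not B(s)), None)

# Example 1: {P} S {Q} iff P ⇒ WP(S,Q) iff SP(P,S) ⇒ Q, on loop-free code.
VALUES = range(-3, 4)
XY_STORES = [{'x': x, 'y': y} for x, y in product(VALUES, VALUES)]
S_ADD = ('assign', 'x', lambda s: s['x'] + s['y'])            # x = x+y;
P_NONNEG = lambda s: s['x'] >= 0 and s['y'] >= 0

def check_both_ways(P, S, Q, stores=XY_STORES, values=VALUES):
    """Return (P ⇒ WP(S,Q), SP(P,S) ⇒ Q) as booleans; the two must agree."""
    via_wp = valid(P, wp(S, Q), stores) is None
    via_sp = valid(sp(P, S, values), Q, stores) is None
    return via_wp, via_sp

# Example 2: the factorial loop from the earlier slides, total correctness.
FACT = ('seq', ('assign', 'r', lambda s: 1),
        ('while', lambda s: s['n'] != 0,
         ('seq', ('assign', 'r', lambda s: s['r'] * s['n']),
                 ('assign', 'n', lambda s: s['n'] - 1))))
POST_FACT = lambda s: s['t'] >= 0 and s['r'] == factorial(s['t'])

def factorial_wp_matches(lo=-2, hi=5):
    """WP(FACT, r=t!) must hold exactly when n ≥ 0 (the loop terminates) and n! = t!.
    Stores with n < 0 never terminate and are correctly excluded."""
    w = wp(FACT, POST_FACT, fuel=hi + 1)
    expected = lambda s: s['n'] >= 0 and s['t'] >= 0 and factorial(s['n']) == factorial(s['t'])
    stores = [{'n': n, 't': t, 'r': r}
              for n, t, r in product(range(lo, hi + 1), range(lo, hi + 1), (0, 1, 7))]
    return all(w(s) == expected(s) for s in stores)

if __name__ == '__main__':
    print(check_both_ways(P_NONNEG, S_ADD, lambda s: s['x'] >= s['y']))   # (True, True)
    print(check_both_ways(P_NONNEG, S_ADD, lambda s: s['x'] > s['y']))    # (False, False)
    print(factorial_wp_matches())                                         # True
```

Two things are worth noticing when running it. For the loop-free triple the WP and SP routes always agree, as the slide's double "iff" promises, and both reject the too-strong postcondition x > y at the store x = y = 0. For the factorial program the WP computed from the H_k sequence is strictly weaker than the handwritten precondition n≥0 ∧ t=n (it also admits n=0, t=1, since 0! = 1!), and it is false for every store with n < 0, because in the total-correctness variant non-termination is a failure.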


The Pointer Assertion Logic Engine

PALE: a tool for verifying pointer intensive programs, e.g., datatype operations
- no memory leaks or dangling pointers
- no null pointer dereferences
- datatype invariants preserved

Uses M2L-Tree (Monadic 2nd-order Logic on finite Trees)
- a decidable but very expressive logic
- MONA: a decision procedure based on tree automata
- suitable for modeling many heap structures:
    heap ~ universe
    pointer variable x ~ unary predicate x(p)
    pointer field f ~ binary predicate f(p,q)

Example: Red-Black Search Trees

A red-black tree is
1. a binary tree whose nodes are red or black and have parent pointers
2. a red node cannot have a red successor
3. the root is black
4. the number of black nodes is the same for all direct paths from the root to a leaf

Goal: verify correctness of the insert procedure

Example: red_black_insert.pale

(In this code color=true means black and color=false means red: a new node is inserted red, and the loop runs while its parent is red.)

  proc redblackinsert(data t, root: Node): Node {
    pointer y, x: Node;
    x = t;
    root = treeinsert(x, root);
    x.color = false;
    while (x != root & x.p.color = false) {
      if (x.p = x.p.p.left) {
        y = x.p.p.right;
        if (y != null & y.color = false) {
          x.p.color = true;
          y.color = true;
          x.p.p.color = false;
          x = x.p.p;
        } else {
          if (x = x.p.right) {
            x = x.p;
            root = leftrotate(x, root);
          }
          x.p.color = true;
          x.p.p.color = false;
          root = rightrotate(x.p.p, root);
          root.color = true;
        }
      } else {
        y = x.p.p.left;
        if (y != null & y.color = false) {
          x.p.color = true;
          y.color = true;
          x.p.p.color = false;
          x = x.p.p;
        } else {
          if (x = x.p.left) {
            x = x.p;
            root = rightrotate(x, root);
          }
          x.p.color = true;
          x.p.p.color = false;
          root = leftrotate(x.p.p, root);
          root.color = true;
        }
      }
    }
    root.color = true;
    return root;
  }

+ auxiliary procedures leftrotate, rightrotate, and treeinsert (total ~135 lines of program code)

Using Hoare Logic in PALE

1. Require invariants at all while-loops and procedure calls (extra assertions are allowed)
2. Split the program into Hoare triples: {P} S {Q}
3. Verify each triple separately (only loop/call-free code is left)
   - including the check for null-pointer dereferences and other memory errors

Note: highly modular, no fixed-point iteration, but requires invariants!

Verifying the Hoare Triples

Reduce everything to M2L-Tree and use the MONA tool. Use transductions to encode loop-free code:
- store predicates (for program variables and record fields) model the store at each program point
- predicate transformation models the semantics of statements
    Example: x = y.next;   the new x(p) = ∃q. y(q) ∧ next(q,p)
- the verification condition is constructed by expressing the pre- and post-condition using the store predicates from the end points

Looks like an interpreter, but is essentially Weakest Precondition. Sound and complete for individual Hoare triples!
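The store-predicate encoding and the transduction step, as an added example that is not PALE's code. PALE writes the predicates in M2L-Tree and lets MONA decide the resulting verification condition for all finite trees; here the universe is a small finite set of nodes and every quantifier is enumerated, so this is a bounded check of the same construction, not a decision procedure. The encoding follows the slides (pointer variable x ~ unary predicate x(p), field f ~ binary predicate f(q,p)); the statement tuples, the names `transduce`, `verify`, `deref` and the sample triple are this example's own. The second run shows the null-dereference check that PALE performs on every triple.

```python
"""Store predicates and predicate transformation for loop-free pointer code, on
finite heaps. Added example, not PALE's code: PALE encodes the heap in M2L-Tree
and has MONA decide the verification condition; here the universe is a finite
set of nodes and all quantifiers are enumerated, so this is a bounded check of
the same construction, not a decision procedure. Encoding, as on the slide:
    pointer variable x  ~ unary predicate x(p), kept as a set of nodes (empty = null)
    pointer field f     ~ binary predicate f(q,p), kept as a set of (q,p) pairs
"""
from itertools import product

class NullDereference(Exception):
    pass

def deref(store, v, f):
    """{p | ∃q. v(q) ∧ f(q,p)}: the node v.f points to (empty set if v.f is null)."""
    return {p for (q, p) in store['fields'][f] if q in store['vars'][v]}

def transduce(stmt, store):
    """Store predicates after one statement; raises on a null dereference."""
    vars_ = dict(store['vars'])
    fields = {f: set(r) for f, r in store['fields'].items()}
    kind = stmt[0]
    if kind == 'load':                       # x = y.f;
        _, x, y, f = stmt
        if not vars_[y]:
            raise NullDereference(f'{y} is null in {y}.{f}')
        vars_[x] = deref(store, y, f)        # new x(p) = ∃q. y(q) ∧ f(q,p)
    elif kind == 'store':                    # y.f = x;
        _, y, f, x = stmt
        if not vars_[y]:
            raise NullDereference(f'{y} is null in {y}.{f}')
        # new f(q,p) = (y(q) ∧ x(p)) ∨ (¬y(q) ∧ old f(q,p))
        fields[f] = ({(q, p) for (q, p) in fields[f] if q not in vars_[y]}
                     | {(q, p) for q in vars_[y] for p in vars_[x]})
    elif kind == 'copy':                     # x = y;
        _, x, y = stmt
        vars_[x] = set(vars_[y])
    else:
        raise ValueError(f'unknown statement {kind}')
    return {'vars': vars_, 'fields': fields}

def all_stores(n, variables, field):
    """Every store over nodes 0..n-1: each variable is null or one node, and the
    field is a partial function from nodes to nodes (undefined = null)."""
    nodes = range(n)
    for targets in product([None, *nodes], repeat=n):
        rel = {(q, p) for q, p in zip(nodes, targets) if p is not None}
        for vals in product([None, *nodes], repeat=len(variables)):
            yield {'vars': {v: (set() if t is None else {t}) for v, t in zip(variables, vals)},
                   'fields': {field: rel}}

def verify(pre, stmts, post, n=3, variables=('x', 'y'), field='next'):
    """Check {pre} stmts {post} over all stores of size n by running the
    transductions forward from each pre-state. Returns None when the triple is
    valid, otherwise (failing initial store, reason)."""
    for s0 in all_stores(n, variables, field):
        if not pre(s0):
            continue
        s = s0
        try:
            for st in stmts:
                s = transduce(st, s)
        except NullDereference as e:
            return s0, str(e)
        if not post(s):
            return s0, 'postcondition fails'
    return None

# Constructed sample triple:
#   {y ≠ null ∧ y.next ≠ null}  x = y.next; x.next = y;  {x ≠ null ∧ x.next = y}
PROG = [('load', 'x', 'y', 'next'), ('store', 'x', 'next', 'y')]
PRE = lambda s: bool(s['vars']['y']) and bool(deref(s, 'y', 'next'))
PRE_WEAK = lambda s: bool(s['vars']['y'])        # forgets that y.next may be null
POST = lambda s: bool(s['vars']['x']) and deref(s, 'x', 'next') == s['vars']['y']

if __name__ == '__main__':
    print(verify(PRE, PROG, POST))        # None: valid on all heaps of 3 nodes
    print(verify(PRE_WEAK, PROG, POST))   # a store and 'x is null in x.next'
```

With the precise precondition the triple holds on every heap of the chosen size; with the weakened one the checker does not report a false postcondition but a null dereference in the second statement, which is the memory error PALE's per-triple check is designed to surface.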


Example: Red-Black Search Trees

1. Insert invariants and pre- and post-conditions, expressing the correctness requirements for red_black_insert and the auxiliary procedures
2. Run the PALE tool

Result: after 9000 tree automaton operations and 50 seconds, PALE replies that
- all assertions are valid
- there can be no memory-related errors

If verification fails, a counterexample is returned!

PALE Experiments

  Benchmark            Lines of code   Invariants   Time (sec.)
  reverse                   16             1           0.52
  search                    12             1           0.25
  zip                       33             1           4.58
  delete                    22             0           1.36
  insert                    33             0           2.66
  rotate                    11             0           0.22
  concat                    24             0           0.47
  bubblesort_simple         43             1           2.86
  bubblesort_boolean        43             2           3.37
  bubblesort_full           43             2           4.13
  orderedreverse            24             1           0.46
  recreverse                15             2           0.34
  doublylinked              72             1           9.43
  leftrotate                30             0           4.62
  rightrotate               30             0           4.68
  treeinsert                36             1           8.27
  redblackinsert            57             7          35.04
  threaded                  54             4           3.38

References

- C.A.R. Hoare: An Axiomatic Basis for Computer Programming. CACM 12(10), 1969
- D. Gries: The Science of Programming. Springer-Verlag, 1981
- A. Møller and M.I. Schwartzbach: The Pointer Assertion Logic Engine. PLDI 2001
