deductive program verification with w hy 3
play

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, - PowerPoint PPT Presentation

Jul 09, 2023 •284 likes •2k views

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

  1. Example — ISQRT let ref sum = 1 in let ref count = 0 in while sum � n do count ← count + 1; sum ← sum + 2 * count + 1 done; count What is the result of this expression for a given n ? Informal specification: • at the end, count contains the truncated square root of n • for instance, given n = 42 , the returned value is 6 25 / 171

  2. Hoare triples A statement about program correctness: { P } e { Q } precondition property P expression e postcondition property Q What is the meaning of a Hoare triple? { P } e { Q } if we execute e in a state that satisfies P , then the computation either diverges or terminates in a state that satisfies Q This is partial correctness: we do not prove termination. 26 / 171

  3. Examples Examples of valid Hoare triples for partial correctness: • { x = 1 } x ← x + 2 { x = 3 } • { x = y } x + y { result = 2 y } • {∃ v . x = 4 v } x + 42 {∃ w . result = 2 w } • { true } while true do skip done { false } 27 / 171

  4. Examples Examples of valid Hoare triples for partial correctness: • { x = 1 } x ← x + 2 { x = 3 } • { x = y } x + y { result = 2 y } • {∃ v . x = 4 v } x + 42 {∃ w . result = 2 w } • { true } while true do skip done { false } • after this loop, everything is trivially verified • ergo: not proving termination can be fatal 28 / 171

  5. Examples Examples of valid Hoare triples for partial correctness: • { x = 1 } x ← x + 2 { x = 3 } • { x = y } x + y { result = 2 y } • {∃ v . x = 4 v } x + 42 {∃ w . result = 2 w } • { true } while true do skip done { false } • after this loop, everything is trivially verified • ergo: not proving termination can be fatal In our square root example: { ? } ISQRT { ? } 29 / 171

  6. Examples Examples of valid Hoare triples for partial correctness: • { x = 1 } x ← x + 2 { x = 3 } • { x = y } x + y { result = 2 y } • {∃ v . x = 4 v } x + 42 {∃ w . result = 2 w } • { true } while true do skip done { false } • after this loop, everything is trivially verified • ergo: not proving termination can be fatal In our square root example: { n � 0 } ISQRT { ? } 30 / 171

  7. Examples Examples of valid Hoare triples for partial correctness: • { x = 1 } x ← x + 2 { x = 3 } • { x = y } x + y { result = 2 y } • {∃ v . x = 4 v } x + 42 {∃ w . result = 2 w } • { true } while true do skip done { false } • after this loop, everything is trivially verified • ergo: not proving termination can be fatal In our square root example: { n � 0 } ISQRT { result 2 � n < ( result + 1 ) 2 } 31 / 171

  8. 3. Weakest precondition calculus 32 / 171

  9. Weakest preconditions How can we establish the correctness of a program? One solution: Edsger Dijkstra, 1975 Predicate transformer WP ( e , Q ) expression e postcondition Q computes the weakest precondition P such that { P } e { Q } 33 / 171

  10. Intuition of WP x ← 3 * x * y { x is even } 34 / 171

  11. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } 35 / 171

  12. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } 36 / 171

  13. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { Q } if c then e 1 else e 2 37 / 171

  14. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { Q } if c then e 1 Q else e 2 Q 38 / 171

  15. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { Q } if c then P 1 e 1 Q else P 2 e 2 Q 39 / 171

  16. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { if c then P 1 { Q } if c then P 1 e 1 Q else P 2 } else P 2 e 2 Q 40 / 171

  17. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { if c then P 1 { Q } if c then P 1 e 1 Q else P 2 } else P 2 e 2 Q { Q } if c then e 41 / 171

  18. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { if c then P 1 { Q } if c then P 1 e 1 Q else P 2 } else P 2 e 2 Q { Q } if c then P e Q 42 / 171

  19. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { if c then P 1 { Q } if c then P 1 e 1 Q else P 2 } else P 2 e 2 Q { if c then P { Q } if c then P e Q else Q } 43 / 171

  20. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { if c then P 1 { Q } if c then P 1 e 1 Q else P 2 } else P 2 e 2 Q { if c then P { Q } if c then P e Q else Q } { Q } while c do e done 44 / 171

  21. Intuition of WP { 3 xy is even } x ← 3 * x * y { x is even } { Q [ s ] } x ← s { Q [ x ] } { if c then P 1 { Q } if c then P 1 e 1 Q else P 2 } else P 2 e 2 Q { if c then P { Q } if c then P e Q else Q } ? { Q } while c do e done 45 / 171

  22. Definition of WP WP ( skip , Q ) ≡ Q WP ( t , Q ) ≡ Q [ result �→ t ] WP ( x ← t , Q ) ≡ Q [ x �→ t ] WP ( e 1 ; e 2 , Q ) ≡ WP ( e 1 , WP ( e 2 , Q )) WP ( let v = e 1 in e 2 , Q ) ≡ WP ( e 1 , WP ( e 2 , Q )[ v �→ result ]) WP ( let ref x = e 1 in e 2 , Q ) ≡ WP ( e 1 , WP ( e 2 , Q )[ x �→ result ]) WP ( if t then e 1 else e 2 , Q ) ≡ ( t → WP ( e 1 , Q )) ∧ ( ¬ t → WP ( e 2 , Q )) 46 / 171

  23. Swimming up the waterfall if odd q then r ← r + p ; p ← p + p ; q ← half q 47 / 171

  24. Swimming up the waterfall if odd q then r ← r + p else skip; p ← p + p ; q ← half q 48 / 171

  25. Swimming up the waterfall if odd q then r ← r + p else skip; p ← p + p ; q ← half q Q [ p , q , r ] 49 / 171

  26. Swimming up the waterfall if odd q then r ← r + p else skip; p ← p + p ; Q [ p , half q , r ] q ← half q Q [ p , q , r ] 50 / 171

  27. Swimming up the waterfall if odd q then r ← r + p else skip; Q [ p + p , half q , r ] p ← p + p ; Q [ p , half q , r ] q ← half q Q [ p , q , r ] 51 / 171

  28. Swimming up the waterfall if odd q then r ← r + p Q [ p + p , half q , r ] else skip; Q [ p + p , half q , r ] p ← p + p ; Q [ p , half q , r ] q ← half q Q [ p , q , r ] 52 / 171

  29. Swimming up the waterfall if odd q then Q [ p + p , half q , r + p ] r ← r + p Q [ p + p , half q , r ] else Q [ p + p , half q , r ] skip; Q [ p + p , half q , r ] p ← p + p ; Q [ p , half q , r ] q ← half q Q [ p , q , r ] 53 / 171

  30. Swimming up the waterfall ( odd q → Q [ p + p , half q , r + p ]) ∧ ( ¬ odd q → Q [ p + p , half q , r ]) if odd q then Q [ p + p , half q , r + p ] r ← r + p Q [ p + p , half q , r ] else Q [ p + p , half q , r ] skip; Q [ p + p , half q , r ] p ← p + p ; Q [ p , half q , r ] q ← half q Q [ p , q , r ] 54 / 171

  31. Definition of WP: loops WP ( while t do e done , Q ) ≡ some invariant property J J : Prop . E J ∧ that holds at the loop entry and is preserved ∀ x 1 ... x k . ( J ∧ t → WP ( e , J )) ∧ after a single iteration, is strong enough to prove Q ( J ∧¬ t → Q ) references modified in e x 1 ... x k We cannot know the values of the modified references after n iterations • therefore, we prove preservation and the post for arbitrary values • the invariant must provide all the needed information about the state 55 / 171

  32. Definition of WP: annotated loops Finding an appropriate invariant is difficult in the general case • this is equivalent to constructing a proof of Q by induction We can ease the task of automated tools by providing annotations: the given invariant J WP ( while t invariant J do e done , Q ) ≡ holds at the loop entry, J ∧ is preserved after ∀ x 1 ... x k . ( J ∧ t → WP ( e , J )) ∧ a single iteration, and suffices to prove Q ( J ∧¬ t → Q ) references modified in e x 1 ... x k 56 / 171

  33. Russian Peasant Multiplication let ref p = a in let ref q = b in let ref r = 0 in while q > 0 invariant J [ p , q , r ] do if odd q then r ← r + p ; p ← p + p ; q ← half q done; r result = a ∗ b 57 / 171

  34. Russian Peasant Multiplication let ref p = a in let ref q = b in let ref r = 0 in while q > 0 invariant J [ p , q , r ] do if odd q then r ← r + p ; p ← p + p ; q ← half q done; r = a ∗ b r 58 / 171

  35. Russian Peasant Multiplication let ref p = a in let ref q = b in let ref r = 0 in while q > 0 invariant J [ p , q , r ] do if odd q then r ← r + p ; p ← p + p ; q ← half q J [ p , q , r ] done; r = a ∗ b r 59 / 171

  36. Russian Peasant Multiplication let ref p = a in let ref q = b in let ref r = 0 in while q > 0 invariant J [ p , q , r ] do ( odd q → J [ p + p , half q , r + p ]) ∧ ( ¬ odd q → J [ p + p , half q , r ]) if odd q then r ← r + p ; p ← p + p ; q ← half q J [ p , q , r ] done; r = a ∗ b r 60 / 171

  37. Russian Peasant Multiplication let ref p = a in let ref q = b in let ref r = 0 in J [ p , q , r ] ∧ ∀ p q r . J [ p , q , r ] → ( q > 0 → ( odd q → J [ p + p , half q , r + p ]) ∧ ( ¬ odd q → J [ p + p , half q , r ])) ∧ ( q � 0 → r = a ∗ b ) while q > 0 invariant J [ p , q , r ] do if odd q then r ← r + p ; p ← p + p ; q ← half q done; r 61 / 171

  38. Russian Peasant Multiplication J [ a , b , 0 ] ∧ ∀ p q r . J [ p , q , r ] → ( q > 0 → ( odd q → J [ p + p , half q , r + p ]) ∧ ( ¬ odd q → J [ p + p , half q , r ])) ∧ ( q � 0 → r = a ∗ b ) let ref p = a in let ref q = b in let ref r = 0 in while q > 0 invariant J [ p , q , r ] do if odd q then r ← r + p ; p ← p + p ; q ← half q done; r 62 / 171

  39. Soundness of WP Theorem For any e and Q, the triple { WP ( e , Q ) } e { Q } is valid. Can be proved by induction on the structure of the program e w.r.t. some reasonable semantics (axiomatic, operational, etc.) Corollary To show that { P } e { Q } is valid, it suffices to prove P → WP ( e , Q ) . This is what W HY 3 does. 63 / 171

  40. 4. Run-time safety 64 / 171

  41. Run-time errors Some operations can fail if their safety preconditions are not met: • arithmetic operations: division par zero, overflows, etc. • memory access: NULL pointers, buffer overruns, etc. • assertions 65 / 171

  42. Run-time errors Some operations can fail if their safety preconditions are not met: • arithmetic operations: division par zero, overflows, etc. • memory access: NULL pointers, buffer overruns, etc. • assertions A correct program must not fail: if we execute e in a state that satisfies P , { P } e { Q } then there will be no run-time errors and the computation either diverges or terminates normally in a state that satisfies Q 66 / 171

  43. Assertions A new kind of expression: ::= ... e fail if R does not hold | assert R The corresponding weakest precondition rule: WP ( assert R , Q ) ≡ R ∧ Q ≡ R ∧ ( R → Q ) The second version is useful in practical deductive verification. 67 / 171

  44. Unsafe operations We could add other partially defined operations to the language: ::= ... e Euclidean division | t div t array access | a [ t ] | ... and define the WP rules for them: WP ( t 1 div t 2 , Q ) ≡ t 2 � = 0 ∧ Q [ result �→ ( t 1 div t 2 )] WP ( a [ t ] , Q ) ≡ 0 � t < | a | ∧ Q [ result �→ a [ t ] ] ... But we would rather let the programmers do it themselves. 68 / 171

  45. 5. Functions and contracts 69 / 171

  46. Subroutines We may want to delegate some functionality to functions: let f ( v 1 : τ 1 ) ... ( v n : τ n ) : ς C = e defined function abstract function val f ( v 1 : τ 1 ) ... ( v n : τ n ) : ς C Function behaviour is specified with a contract: C ::= precondition requires P modified global references writes x 1 ... x k postcondition ensures Q Postcondition Q may refer to the initial value of a global reference: x ◦ let incr_r (v: int): int writes r ensures result = r ◦ ∧ r = r ◦ + v = let u = r in r ← u + v ; u 70 / 171

  47. Subroutines We may want to delegate some functionality to functions: let f ( v 1 : τ 1 ) ... ( v n : τ n ) : ς C = e defined function abstract function val f ( v 1 : τ 1 ) ... ( v n : τ n ) : ς C Function behaviour is specified with a contract: C ::= precondition requires P modified global references writes x 1 ... x k postcondition ensures Q Postcondition Q may refer to the initial value of a global reference: x ◦ Verification condition ( � x are all global references mentioned in f ): x ◦ �→ � VC ( let f ... ) ≡ ∀ � x � v . P → WP ( e , Q )[ � x ] 71 / 171

  48. GOSUB One more expression: ::= ... e function call | f t ... t and its weakest precondition rule: v �→ � WP ( f t 1 ... t n , Q ) ≡ P f [ � t ] ∧ x ◦ �→ � v �→ � ( ∀ � x ∀ result . Q f [ � t ,� w ] → Q )[ � w �→ � x ] precondition of f references modified in f � P f x postcondition of f references used in f � Q f x formal parameters of f fresh variables � � v w Modular proof: when verifying a function call, we only use the function’s contract, not its code. 72 / 171

  49. Examples let max (x y: int) : int ensures { result >= x /\ result >= y } ensures { result = x \/ result = y } = if x >= y then x else y val ref r : int (* declare a global reference *) let incr_r (v: int) : int requires { v > 0 } writes { r } ensures { result = old r /\ r = old r + v } = let u = r in r < u + v; u 73 / 171

  50. 6. Total correctness: termination 74 / 171

  51. Termination Problem: prove that the program terminates for every initial state that satisfies the precondition. It suffices to show that • every loop makes a finite number of iterations • recursive function calls cannot go on indefinitely Solution: prove that every loop iteration and every recursive call decreases a certain value, called variant, with respect to some well-founded order. For example, for signed integers, a practical well-founded order is i < j ∧ 0 � j i ≺ j = 75 / 171

  52. Loop termination A new annotation: ::= ... e | while t invariant J variant t ·≺ do e done The corresponding weakest precondition rule: WP ( while t invariant J variant s ·≺ do e done , Q ) ≡ J ∧ ∀ x 1 ... x k . ( J ∧ t → WP ( e , J ∧ s ≺ w )[ w �→ s ]) ∧ ( J ∧¬ t → Q ) references modified in e x 1 ... x k a fresh variable (the variant at the start of the iteration) w 76 / 171

  53. Termination of recursive functions A new contract clause: let rec f ( v 1 : τ 1 ) ... ( v n : τ n ) : ς requires P f variant s ·≺ writes � x ensures Q f = e For each recursive call of f in e : x ◦ ] ∧ v �→ � v �→ � WP ( f t 1 ... t n , Q ) ≡ P f [ � t ] ∧ s [ � t ] ≺ s [ � x �→ � x ◦ �→ � v �→ � ( ∀ � x ∀ result . Q f [ � t ,� w ] → Q )[ � w �→ � x ] v �→ � s [ � t ] variant at the call site � references used in f x x ◦ ] variant at the start of f fresh variables s [ � x �→ � � w 77 / 171

  54. Mutual recursion Mutually recursive functions must have • their own variant terms • a common well-founded order Thus, if f calls g t 1 ... t n , the variant decrease precondition is x ◦ ] v g �→ � s g [ � t ] ≺ s f [ � x �→ � formal parameters of g � v g v g �→ � variant of g at the call site s g [ � t ] x ◦ ] s f [ � x �→ � variant of f at the start of f 78 / 171

  55. 7. Exceptions 79 / 171

  56. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination 80 / 171

  57. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors 81 / 171

  58. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors • normal termination — the computation produces a result • partial correctness ensures conformance to the contract 82 / 171

  59. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors • normal termination — the computation produces a result • partial correctness ensures conformance to the contract • exceptional termination — produces a different kind of result 83 / 171

  60. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors • normal termination — the computation produces a result • partial correctness ensures conformance to the contract • exceptional termination — produces a different kind of result • the contract should also cover exceptional termination 84 / 171

  61. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors • normal termination — the computation produces a result • partial correctness ensures conformance to the contract • exceptional termination — produces a different kind of result • the contract should also cover exceptional termination • each potential exception E gets its own postcondition Q E 85 / 171

  62. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors • normal termination — the computation produces a result • partial correctness ensures conformance to the contract • exceptional termination — produces a different kind of result • the contract should also cover exceptional termination • each potential exception E gets its own postcondition Q E • partial correctness: if E is raised, then Q E holds 86 / 171

  63. Exceptions as destinations Execution of a program can lead to • divergence — the computation never ends • total correctness ensures against non-termination • abnormal termination — the computation fails • partial correctness ensures against run-time errors • normal termination — the computation produces a result • partial correctness ensures conformance to the contract • exceptional termination — produces a different kind of result exception Not_found val binary_search (a: array int) (v: int) : int requires { forall i j. 0 � i � j < length a → a[i] � a[j] } { 0 � result < length a ∧ a[result] = v } ensures { Not_found → forall i. 0 � i < length a → a[i] � = v } raises 87 / 171

  64. Just another semicolon Our language keeps growing: ::= ... e | raise E raise an exception try e with E → e catch an exception | WP handles two postconditions now: WP ( skip , Q , Q E ) ≡ Q 88 / 171

  65. Just another semicolon Our language keeps growing: ::= ... e | raise E raise an exception try e with E → e catch an exception | WP handles two postconditions now: WP ( skip , Q , Q E ) ≡ Q WP ( raise E , Q , Q E ) ≡ Q E 89 / 171

  66. Just another semicolon Our language keeps growing: ::= ... e | raise E raise an exception try e with E → e catch an exception | WP handles two postconditions now: WP ( skip , Q , Q E ) ≡ Q WP ( raise E , Q , Q E ) ≡ Q E WP ( e 1 ; e 2 , Q , Q E ) ≡ WP ( e 1 , WP ( e 2 , Q , Q E ) , Q E ) 90 / 171

  67. Just another semicolon Our language keeps growing: ::= ... e | raise E raise an exception try e with E → e catch an exception | WP handles two postconditions now: WP ( skip , Q , Q E ) ≡ Q WP ( raise E , Q , Q E ) ≡ Q E WP ( e 1 ; e 2 , Q , Q E ) ≡ WP ( e 1 , WP ( e 2 , Q , Q E ) , Q E ) WP ( try e 1 with E → e 2 , Q , Q E ) ≡ WP ( e 1 , Q , WP ( e 2 , Q , Q E )) 91 / 171

  68. Just another let-in Exceptions can carry data: ::= ... e raise E t raise an exception | try e with E v → e catch an exception | Still, all needed mechanisms are already in WP : WP ( t , Q , Q E ) ≡ Q [ result �→ t ] WP ( raise E t , Q , Q E ) ≡ Q E [ result �→ t ] WP ( let v = e 1 in e 2 , Q , Q E ) ≡ WP ( e 1 , WP ( e 2 , Q , Q E )[ v �→ result ] , Q E ) WP ( try e 1 with E v → e 2 , Q , Q E ) ≡ WP ( e 1 , Q , WP ( e 2 , Q , Q E )[ v �→ result ]) 92 / 171

  69. Functions with exceptions A new contract clause: let f ( v 1 : τ 1 ) ... ( v n : τ n ) : ς requires P f writes � x ensures Q f raises E → Q E f = e Verification condition for the function definition: x ◦ �→ � VC ( let f ... ) ≡ ∀ � x � v . P f → WP ( e , Q f , Q E f )[ � x ] Weakest precondition rule for the function call: v �→ � WP ( f t 1 ... t n , Q , Q E ) ≡ P f [ � t ] ∧ x ◦ �→ � v �→ � ( ∀ � x ∀ result . Q f [ � t ,� w ] → Q )[ � w �→ � x ] ∧ x ◦ �→ � v �→ � ( ∀ � x ∀ result . Q E f [ � t ,� w ] → Q E )[ � w �→ � x ] 93 / 171

  70. 8. Ghost code 94 / 171

  71. Ghost code: example Compute a Fibonacci number using a recursive function in O ( n ) : let rec aux (a b n: int): int requires { 0 <= n } requires { } ensures { } variant { n } = if n = 0 then a else aux b (a+b) (n 1) let fib_rec (n: int): int requires { 0 <= n } ensures { result = fib n } = aux 0 1 n (* fib_rec 5 = aux 0 1 5 = aux 1 1 4 = aux 1 2 3 = aux 2 3 2 = aux 3 5 1 = aux 5 8 0 = 5 *) 95 / 171

  72. Ghost code: example Compute a Fibonacci number using a recursive function in O ( n ) : let rec aux (a b n: int): int requires { 0 <= n } requires { exists k. 0 <= k /\ a = fib k /\ b = fib (k+1) } ensures { exists k. 0 <= k /\ a = fib k /\ b = fib (k+1) /\ result = fib (k+n) } variant { n } = if n = 0 then a else aux b (a+b) (n 1) let fib_rec (n: int): int requires { 0 <= n } ensures { result = fib n } = aux 0 1 n (* fib_rec 5 = aux 0 1 5 = aux 1 1 4 = aux 1 2 3 = aux 2 3 2 = aux 3 5 1 = aux 5 8 0 = 5 *) 96 / 171

  73. Ghost code: example Instead of an existential we can use a ghost parameter: let rec aux (a b n: int) (ghost k: int): int requires { 0 <= n } requires { 0 <= k /\ a = fib k /\ b = fib (k+1) } ensures { result = fib (k+n) } variant { n } = if n = 0 then a else aux b (a+b) (n 1) (k+1) let fib_rec (n: int): int requires { 0 <= n } ensures { result = fib n } = aux 0 1 n 0 97 / 171

  74. The spirit of ghost code Ghost code is used to facilitate specification and proof ⇒ the principle of non-interference: We must be able to eliminate the ghost code from a program without changing its outcome. 98 / 171

  75. The spirit of ghost code Ghost code is used to facilitate specification and proof ⇒ the principle of non-interference: We must be able to eliminate the ghost code from a program without changing its outcome. Consequently: • visible code cannot read ghost data • if k is ghost, then ( k + 1 ) is ghost, too 99 / 171

  76. The spirit of ghost code Ghost code is used to facilitate specification and proof ⇒ the principle of non-interference: We must be able to eliminate the ghost code from a program without changing its outcome. Consequently: • visible code cannot read ghost data • if k is ghost, then ( k + 1 ) is ghost, too • ghost code cannot modify visible data • if r is a visible reference, then r ← ghost k is forbidden 100 / 171

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u = u + v s = s + 1 TEST r n u = 1 r = r + 1 TEST s r A Definition program mathematical + proof statement correctness

823 views • 56 slides
An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong interpretation of

1.97k views • 145 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15, 2013 http://why3.lri.fr/tallinn-2013/ 1 / 101 definition program verification + proof conditions specification 2 / 101 this is not new

1.18k views • 101 slides
Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12, 2018 1 / 32 joint work with Fran cois Bobot Claude March e Guillaume Melquiond Andrei Paskevich 2 / 32 a question for programmers

991 views • 80 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Digicosme Spring School April 22, 2013 http://why3.lri.fr/digicosme-spring-school-2013/ 1 / 101 definition program verification + proof conditions specification

1.18k views • 101 slides
Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2

Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2

Enhancing Automated Program Repair With Deductive Verification Xuan Bach D. Le 1 , Quang-Loc Le 2 , David Lo 1 , Claire Le Goues 3 1 Singapore Management University 2 Singapore University of Technology and Design 3 Carnegie Mellon University 1

368 views • 20 slides
An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen

An Improved Rule for While Loops in Deductive Program Verification Bernhard Beckert 1 Steffen Schlager 2 Peter H. Schmitt 2 1 Universit at Koblenz-Landau 2 Universit at Karlsruhe ICFEM 2005, Manchester Beckert, Schlager, Schmitt (

989 views • 56 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli atre CNRS Universit e Paris Sud TYPES Summer School August 30th, 2007 TYPES Summer School August 30th, 2007 Jean-Christophe Filli

2.04k views • 181 slides
1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

Methods of Assessing Model Behavior Testing spot checks aspects of real system Simulation spot checks aspects of abstract (model) system Deductive verification Uses axioms and proofs on a mathematical model of

596 views • 21 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
(laser straight) Central MDI &amp; Interaction 1 -Introduction -Feasibility Studies -CDR

(laser straight) Central MDI &amp; Interaction 1 -Introduction -Feasibility Studies -CDR

Tunnel implementations (laser straight) Central MDI &amp; Interaction 1 -Introduction -Feasibility Studies -CDR status -Implementation issues -Plans 2012-16 -Conclusions Several others in the process of World-wide

412 views • 14 slides
GPUs and Python: A Recipe for Lightning-Fast Data Pipelines Craig Warner Christopher Packham

GPUs and Python: A Recipe for Lightning-Fast Data Pipelines Craig Warner Christopher Packham

GPUs and Python: A Recipe for Lightning-Fast Data Pipelines Craig Warner Christopher Packham Stephen Eikenberry Anthony Gonzalez University of Florida 1 Made with OpenOffice.org Astronomical amounts of data! Volume of data produced per

364 views • 14 slides
Power Management in Power Management in Wireless SOCs SOCs Wireless Jan M. Rabaey Scientific

Power Management in Power Management in Wireless SOCs SOCs Wireless Jan M. Rabaey Scientific

Power Management in Power Management in Wireless SOCs SOCs Wireless Jan M. Rabaey Scientific Co-Director BWRC Director GSRC EECS Dept. Univ. of California, Berkeley With contributions of M. Sheets and H. Qin The Leakage Challenge (1) The

597 views • 25 slides
Groking the Linux SPI Subsystem Embedded Linux Conference 2017 Matt Porter Obligatory geek

Groking the Linux SPI Subsystem Embedded Linux Conference 2017 Matt Porter Obligatory geek

Groking the Linux SPI Subsystem Embedded Linux Conference 2017 Matt Porter Obligatory geek reference deobfuscation grok ( /grk/ ) verb to understand intuitively or by empathy, to establish rapport with. Overview What is SPI? SPI

938 views • 47 slides
DATA SCIENCE AND MACHINE LEARNING I ntroduction to GGPLOT Dim itris Fouskakis Associate

DATA SCIENCE AND MACHINE LEARNING I ntroduction to GGPLOT Dim itris Fouskakis Associate

DATA SCIENCE AND MACHINE LEARNING I ntroduction to GGPLOT Dim itris Fouskakis Associate Professor in Applied Statistics, Department of Mathematics, School of Applied Mathematical &amp; Physical Sciences, National Technical University of

865 views • 63 slides
The story of the film so far... (Temporally homogeneous) Markov chains { X 0 , X 1 , . . . } are

The story of the film so far... (Temporally homogeneous) Markov chains { X 0 , X 1 , . . . } are

The story of the film so far... (Temporally homogeneous) Markov chains { X 0 , X 1 , . . . } are characterised by an stochastic transition matrix P , Mathematics for Informatics 4a with entries p ij = P ( X n + 1 = j | X n = i ) for all n The

77 views • 5 slides
Chip Developments of the Bonn Group Hans Krger, Bonn University -1- ASIC Design Projects

Chip Developments of the Bonn Group Hans Krger, Bonn University -1- ASIC Design Projects

Chip Developments of the Bonn Group Hans Krger, Bonn University -1- ASIC Design Projects ATLAS Pixel Detector Hybrid pixel sensors FE-I3 (250nm, current pixel detector) FE-I4 (130nm, Insertable B-layer, current upgrade)

318 views • 13 slides
Unix at 50 Unix V7 at 40 A Brief History of time_t Warner Losh Prehistory: 1950-1969 Bell Labs

Unix at 50 Unix V7 at 40 A Brief History of time_t Warner Losh Prehistory: 1950-1969 Bell Labs

Unix at 50 Unix V7 at 40 A Brief History of time_t Warner Losh Prehistory: 1950-1969 Bell Labs looked to standardize OS for in-house needs in 1957 BESYS developed for its internal needs, but limited In 1964 joined Multics effort with MIT and

582 views • 55 slides

More recommend