program verification
play

Program Verification Notes by Jonathan Buss Based in part on - PowerPoint PPT Presentation

Sep 02, 2023 •198 likes •1.09k views

Program Verification Notes by Jonathan Buss Based in part on materials prepared by B. Bonakdarpour from Huth & Ryan text, and material by Anna Lubiw Additional thanks to D. Maftuleac, R. Trefler, and P. Van Beek Modified by Lila Kari

  1. Program Verification Notes by Jonathan Buss Based in part on materials prepared by B. Bonakdarpour from Huth & Ryan text, and material by Anna Lubiw Additional thanks to D. Maftuleac, R. Trefler, and P. Van Beek Modified by Lila Kari CS245 (Winter 2016) Program verification March 31, 2016 1 / 88

  2. Outline Introduction: What and Why? Pre- and Post-conditions Conditionals while -Loops and Total Correctness CS245 (Winter 2016) Program verification March 31, 2016 2 / 88

  3. Program Verification Reference: Huth & Ryan, Chapter 4 Program correctness : does a given program satisfy its specification—does it do what it is supposed to do? Techniques for showing program correctness: inspection, code walk-throughs testing black box: tests designed independent of code while box: tests designed based on code formal verification CS245 (Winter 2016) Program verification March 31, 2016 3 / 88

  4. Program Verification ” Testing can be a very effective way to show the presence of bugs, but it is hopelessly inadequate for showing their absence.” [E. Dijkstra, 1972.] Testing is not proof! CS245 (Winter 2016) Program verification March 31, 2016 4 / 88

  5. Testing versus Formal Verification Testing: check a program for carefully chosen inputs (e.g., boundary conditions, etc.) in general: cannot be exhaustive Formal verification: formally state a specification (logic, set theory), and prove a program satisfies the specification for all inputs although undecidable (= no algorithm) in general, we will study some useful techniques part of Software Engineering CS245 (Winter 2016) Program verification March 31, 2016 5 / 88

  6. Why Formal Verification? Why formally specify and verify programs? Reduce bugs Safety-critical software or important components (e.g., brakes in cars, nuclear power plants) Documentation necessary for large multi-person, multi-year software projects good documentation facilitates code re-use Current Practice specifying software is widespread practice formally verifying software is less widespread hardware verification is commmon CS245 (Winter 2016) Program verification March 31, 2016 6 / 88

  7. Some Software Bugs Therac-25, X-ray, 1985 overdosing patients during radiation treatment, 5 dead reason : race condition between concurrent tasks AT&T, 1990 long distance service fails for 9 hours reason : wrong BREAK statement in C code Patriot-Scud, 1991 28 dead and 100 injured reason : rounding error Pentium Processor, 1994 error in division algorithm reason: incomplete entries in a look-up table CS245 (Winter 2016) Program verification March 31, 2016 7 / 88

  8. Some Software Bugs Ariane 5, 1996 exploded 37 seconds after takeoff reason: data conversion of a too large number Mars Climate Orbiter, 1999 destroyed on entering atmosphere of Mars reason: mixture of pounds and kilograms Power black-out, 2003 50 million people in Canada and US without power reason: programming error Royal Bank, 2004 financial transactions disrupted for 5 days reason: programming error CS245 (Winter 2016) Program verification March 31, 2016 8 / 88

  9. Some Software Bugs UK Child Support Agency, 2004 overpaid 1.9 million people, underpaid 700,000, cost to taxpayers over $1 billion reason: more than 500 bugs reported Science (a prestigious scientific journal), 2006 retraction of research papers due to erroneous research results reason: program incorrectly flipped the sign (+ to -) on data Toyota Prius, 2007 160,000 hybrid vehicles recalled due to stalling unexpectedly reason: programming error Knight Capital Group, 2012 high-frequency trading system lost $440 million in 30 min reason: programming error CS245 (Winter 2016) Program verification March 31, 2016 9 / 88

  10. Framework for software verification The steps of formal verification: 1 Convert the informal description R of requirements for an application domain into an “equivalent” formula Φ R of some symbolic logic, 2 Write a program P which is meant to realise Φ R in some given programming environment, and 3 Prove that the program P satisfies the formula Φ R . We shall consider only the third part in this course. CS245 (Winter 2016) Program verification March 31, 2016 10 / 88

  11. Core programming language We shall use a subset of C/C++ and Java. It contains their core features: integer and Boolean expressions assignment sequence if-then-else (conditional statements) while -loops for -loops arrays functions and procedures CS245 (Winter 2016) Program verification March 31, 2016 11 / 88

  12. Program States We are verifying imperative, sequential, transformational programs. imperative: sequence of commands which modify the values of variables sequential: no concurrency transformational: given inputs, compute outputs and terminate CS245 (Winter 2016) Program verification March 31, 2016 12 / 88

  13. Imperative programs Imperative programs manipulate variables. The state of a program is the values of the variables at a particular time in the execution of the program. Expressions evaluate relative to the current state of the program. Commands change the state of the program. CS245 (Winter 2016) Program verification March 31, 2016 13 / 88

  14. Example We shall use the following code as an example. Compute the factorial of input x and store in y . y = 1; State at the “ while ” test: z = 0; Initial state s 0 : z =0, y =1 −→ while (z ! = x) { Next state s 1 : z =1, y =1 z = z + 1; State s 2 : z =2, y =2 y = y ∗ z; State s 3 : z =3, y =6 } State s 4 : z =4, y =24 . . . Note: the order of “ z = z + 1 ” and “ y = y * z ” matters! CS245 (Winter 2016) Program verification March 31, 2016 14 / 88

  15. Example We shall use the following code as an example. Compute the factorial of input x and store in y . y = 1; State at the “ while ” test: z = 0; Initial state s 0 : z =0, y =1 −→ while (z ! = x) { Next state s 1 : z =1, y =1 z = z + 1; State s 2 : z =2, y =2 y = y ∗ z; State s 3 : z =3, y =6 } State s 4 : z =4, y =24 . . . Note: the order of “ z = z + 1 ” and “ y = y * z ” matters! CS245 (Winter 2016) Program verification March 31, 2016 15 / 88

  16. Specifications Example. Compute a number y whose square is less than the input x . What if x = − 4? Revised example. If the input x is a positive number, compute a number whose square is less than x . For this, we need information not just about the state after the program executes, but also about the state before it executes. CS245 (Winter 2016) Program verification March 31, 2016 16 / 88

  17. Hoare Triples Our assertions about programs will have the form ( | P | ) — precondition C — program or code ( | Q | ) — postcondition The meaning of the triple ( | P | ) C ( | Q | ) If program C is run starting in a state that satisfies P , then the resulting state after the execution of C will satisfy Q . An assertion ( | P | ) C ( | Q | ) is called a Hoare triple . CS245 (Winter 2016) Program verification March 31, 2016 17 / 88

  18. Syntax of Hoare Triples Conditions P and Q are written in predicate logic of integers Use predicates < , = , functions + , − , ∗ and others derivable from these Tony Hoare (C.A. R. Hoare), b. 1934 famous for Quicksort and program verification CS245 (Winter 2016) Program verification March 31, 2016 18 / 88

  19. Specification of a Program A specification of a program C is a Hoare triple with C as the second component: ( | P | ) C ( | Q | ) . Example. The requirement If the input x is a positive number, compute a number whose square is less than x might be expressed as ( | x > 0 | ) C ( | y · y < x | ) . CS245 (Winter 2016) Program verification March 31, 2016 19 / 88

  20. Specification Is Not Behaviour Note that a triple ( | x > 0 | ) C ( | y ∗ y < x | ) specifies neither a unique program C nor a unique behaviour. C 1 : y = 0 ; C 2 : y = 0 ; while (y * y < x) { y = y + 1 ; } y = y - 1 ; Better postcondition ( y ∗ y < x ) ∧ ∀ z (( z ∗ z < x ) −→ z ≤ y ) CS245 (Winter 2016) Program verification March 31, 2016 20 / 88

  21. Hoare triples We want to develop a notion of proof that will allow us to prove that a program C satisfies the specification given by the precondition P and the postcondition Q . The proof calculus is different from the proof calculus in first-order (predicate) logic, since it is about proving triples, which are built from two different kinds of things: logical formulas: P , Q , and code C CS245 (Winter 2016) Program verification March 31, 2016 21 / 88

  22. Partial correctness A triple ( | P | ) C ( | Q | ) is satisfied under partial correctness, denoted | = par ( | P | ) C ( | Q | ) , if and only if for every state s that satisfies condition P , if execution of C starting from state s terminates in a state s ′ , then state s ′ satisfies condition Q . CS245 (Winter 2016) Program verification March 31, 2016 22 / 88

  23. Partial correctness In particular, the program while true { x = 0; } satisfies all specifications! It is an endless loop and never terminates, but partial correctness only says what must happen if the program terminates. CS245 (Winter 2016) Program verification March 31, 2016 23 / 88

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp;

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &amp; Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why

537 views • 36 slides
Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox David Cock Is Your System Correct? Verified Systems Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History Toolbox Whats Next? David Cock January 23, 2015 1

432 views • 32 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (&lt;100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of Amsterdam Quo Vadis Program Verification p. 1/1 One Page Summary Assertional approach to program verification is here to stay. Gap between

629 views • 19 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Verification &amp; Validation Verification is getting the system right : Verification and

Verification &amp; Validation Verification is getting the system right : Verification and

Verification &amp; Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language for Java Used for the

620 views • 41 slides
7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester 2018 Alexander J. Summers 158 Weakest Preconditions So Far Weakest preconditions provide a means of reducing the question: does a program have

339 views • 16 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification

SAT-based verification (BMC, temporal induction) Mary Sheeran, Chalmers SAT-based verification now hot Used here in Sweden since 1989 mostly in safety critical applications (railway control program verification) Bounded Model Checking a

468 views • 25 slides
Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification Compilers , concurrent programs , theorem provers Program equivalence / Compositional reasoning Compositional compiler verification

266 views • 3 slides
Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security

Higher-Order Model Checking: Principles and Applications to Program Verification and Security Part I: Types and Recursion Schemes for Higher-Order Program Verification Part II: Higher-Order Program Verification and Language-Based Security

836 views • 54 slides
Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design

Outline Outline Review of PSP Levels Overview Selecting Verification Methods Design Verification Design Standards Design Verification Verification Methods Approaches State Machines Program Tracing Program Correctness

499 views • 3 slides
Abstract Interpretation and Program Verification Supratik Chakraborty IIT Bombay Program

Abstract Interpretation and Program Verification Supratik Chakraborty IIT Bombay Program

Abstract Interpretation and Program Verification Supratik Chakraborty IIT Bombay Program Analysis: An Example int x = 0, y = 0, z ; read(z); IDEAS? while ( f(x, z) &gt; 0) { Run test cases Get code analyzed by if ( g(z, y) &gt;

1.16k views • 76 slides
Evolvable, Biologically Plausible Visual Architectures Aaron Sloman

Evolvable, Biologically Plausible Visual Architectures Aaron Sloman

BMVC01 Manchester University Sep 10-13 2001 Extended version of slides presented on 12 Sept 2001, based on the paper with the same title in Proc. British Machine Vision Conference , 2001, Eds. Tim Cootes &amp; Chris Taylor, Vol 1, pp 313322.

715 views • 59 slides
Integrable Flows for Starlike Curves in Centroaffine Space A. Calini 1 T. Ivey 1 -Beffa 2 G.

Integrable Flows for Starlike Curves in Centroaffine Space A. Calini 1 T. Ivey 1 -Beffa 2 G.

Integrable Flows for Starlike Curves in Centroaffine Space A. Calini 1 T. Ivey 1 -Beffa 2 G. Mar 1 College of Charleston 2 University of Wisconsin, Madison VDM60: Nonlinear Evolution Equations and Linear Algebra Cagliari, Sardinia, Italy.

286 views • 15 slides
Results from the Sorcerer II Global Ocean Sampling Expedition The Sorcerer I I Expedition

Results from the Sorcerer II Global Ocean Sampling Expedition The Sorcerer I I Expedition

Results from the Sorcerer II Global Ocean Sampling Expedition The Sorcerer I I Expedition Global Ocean Sam pling Route www.sorcerer2expedition.org Sam ple Fractionation JTC Sequencer Lab Capacity: 240,000 sequences/day or 80 million

411 views • 16 slides
Mining molecular flexibility: novel tools, novel insights F. Cazals, Inria

Mining molecular flexibility: novel tools, novel insights F. Cazals, Inria

Mining molecular flexibility: novel tools, novel insights F. Cazals, Inria Algorithm-Biology-Structure Joint work with (Methods) R. Tetley, Inria Algorithm-Biology-Structure (Class II fusion) F. Rey, Institut Pasteur Paris Mining

311 views • 29 slides
More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We

More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We

More On Paths Supplement to Chapter 4, Graph Theory Path definition What is a path? We are in in a graph context MOP2 Path definition 2 What is a path? A path is a sequence of nodes n 1 , n 2 , , n p Each

850 views • 65 slides
Data Mining 2018 Frequent Pattern Mining (2) Ad Feelders Universiteit Utrecht October 10, 2018

Data Mining 2018 Frequent Pattern Mining (2) Ad Feelders Universiteit Utrecht October 10, 2018

Data Mining 2018 Frequent Pattern Mining (2) Ad Feelders Universiteit Utrecht October 10, 2018 Ad Feelders ( Universiteit Utrecht ) Data Mining October 10, 2018 1 / 46 Frequent Pattern Mining 1 Item Set Mining 2 Sequence Mining 3 Tree

876 views • 46 slides
Verifying fence elimination optimisations Viktor Vafeiadis, MPI-SWS Francesco Zappa Nardelli,

Verifying fence elimination optimisations Viktor Vafeiadis, MPI-SWS Francesco Zappa Nardelli,

Verifying fence elimination optimisations Viktor Vafeiadis, MPI-SWS Francesco Zappa Nardelli, INRIA http://www.cl.cam.ac.uk/~pes20/CompCertTSO CompCertTSO LTL RTL branch tunnelling const prop. ClightTSO RTL LTL simplify linearize CSE

455 views • 42 slides
Flow Bindings v03 draft-ietf-mext-flow-binding-03.txt George Tsirtsis Hesham(ed.), Nicolas,

Flow Bindings v03 draft-ietf-mext-flow-binding-03.txt George Tsirtsis Hesham(ed.), Nicolas,

Flow Bindings v03 draft-ietf-mext-flow-binding-03.txt George Tsirtsis Hesham(ed.), Nicolas, Gerardo, Koojana July 2009 IETF-75 (Stockholm) Main Diff v02 v03 TSV Directorate Review Added stronger health warning wording against per

687 views • 4 slides

More recommend