 
Proving Invariances
CS256/Spring 2008 — Lecture #6
Zohar Manna

6-1  Chapter 1: Invariance: Proof Methods

For assertion $q$ and SPL program $P$, show $P \models \Box q$ (i.e., $q$ is $P$-invariant).

6-2  Definitions

Recall:
• the variables of an assertion:
  – free (flexible) system variables $V = Y \cup \{\pi\}$, where $Y$ are the program variables and $\pi$ is the control variable
  – quantified (rigid) specification variables
• $q'$ is the primed version of $q$, obtained by replacing each free occurrence of a system variable $y \in V$ by its primed version $y'$.
• $\rho_\tau$ is the transition relation of $\tau$, expressing the relation holding between a state $s$ and any of its $\tau$-successors $s' \in \tau(s)$.

6-3  Verification Conditions (proof obligations)

For assertions $\varphi, \psi$ and transition $\tau$,
  $\{\varphi\}\,\tau\,\{\psi\}$   (“Hoare triple”)
stands for the state formula
  $\rho_\tau \wedge \varphi \rightarrow \psi'$
the “verification condition (VC) of $\varphi$ and $\psi$ relative to transition $\tau$”.
(Figure: a state at position $j$ satisfying $\varphi$, a transition $\tau$, and a state at position $j+1$ satisfying $\psi$.)

6-4  Verification Conditions (Con’t)

Example: standard verification condition
  $\rho_\tau:\ x \geq 0 \wedge y' = x + y \wedge x' = x$
  $\varphi:\ y = 3$
  $\psi:\ y = x + 3$
Then $\{\varphi\}\,\tau\,\{\psi\}$ is
  $\underbrace{x \geq 0 \wedge y' = x + y \wedge x' = x}_{\rho_\tau} \wedge \underbrace{y = 3}_{\varphi} \rightarrow \underbrace{y' = x' + 3}_{\psi'}$
6-5  Verification Conditions (Con’t)

• for $\tau \in \mathcal{T}$ in $P$:
  $\{\varphi\}\,\tau\,\{\psi\}:\ \rho_\tau \wedge \varphi \rightarrow \psi'$
  “$\tau$ leads from $\varphi$ to $\psi$ in $P$”
• for $\mathcal{T}$ in $P$:
  $\{\varphi\}\,\mathcal{T}\,\{\psi\}:\ \{\varphi\}\,\tau\,\{\psi\}$ for every $\tau \in \mathcal{T}$
  “$\mathcal{T}$ leads from $\varphi$ to $\psi$ in $P$”

Claim (Verification Condition)
If $\{\varphi\}\,\tau\,\{\psi\}$ is $P$-state valid, then every $\tau$-successor of a $\varphi$-state is a $\psi$-state.

6-6  Verification Conditions (Con’t): Special Cases

• while, conditional: $\rho_\tau:\ \rho_\tau^t \vee \rho_\tau^f$
  $\{\varphi\}\,\tau^t\,\{\psi\}:\ \rho_\tau^t \wedge \varphi \rightarrow \psi'$
  $\{\varphi\}\,\tau^f\,\{\psi\}:\ \rho_\tau^f \wedge \varphi \rightarrow \psi'$
  $\{\varphi\}\,\tau\,\{\psi\}:\ \{\varphi\}\,\tau^t\,\{\psi\} \wedge \{\varphi\}\,\tau^f\,\{\psi\}$
• idle: $\{\varphi\}\,\tau_I\,\{\varphi\}:\ \rho_{\tau_I} \wedge \varphi \rightarrow \varphi'$
  always valid, since $\rho_{\tau_I} \rightarrow v' = v$ for all $v \in V$, so $\varphi' = \varphi$.

6-7  Verification Conditions (Con’t): Substituted Form of Verification Condition

The transition relation can be written as
  $\rho_\tau:\ C_\tau \wedge (V' = E)$
where $C_\tau$: enabling condition, $V'$: primed variable list, $E$: expression list.
• The substituted form of the verification condition $\{\varphi\}\,\tau\,\{\psi\}$ is
  $C_\tau \wedge \varphi \rightarrow \psi[E/V]$
  where $\psi[E/V]$: replace each variable $v \in V$ in $\psi$ by the corresponding $e \in E$.
  Note: no primed variables!
The substituted form of a verification condition is $P$-state valid iff the standard form is.

6-8  Verification Conditions (Con’t)

Example:
  $\rho_\tau:\ x \geq 0 \wedge y' = x + y \wedge x' = x$
  $\varphi:\ y = 3$
  $\psi:\ y = x + 3$
Standard:
  $\underbrace{x \geq 0 \wedge y' = x + y \wedge x' = x}_{\rho_\tau} \wedge \underbrace{y = 3}_{\varphi} \rightarrow \underbrace{y' = x' + 3}_{\psi'}$
Substituted:
  $\underbrace{x \geq 0}_{C_\tau} \wedge \underbrace{y = 3}_{\varphi} \rightarrow \underbrace{x + y = x + 3}_{\psi[E/V]}$
6-9  Verification Conditions (Con’t)

Example:
  $\varphi:\ x = y$
  $\psi:\ x = y + 1$
  $\rho_\tau:\ \underbrace{x \geq 0}_{C_\tau} \wedge \underbrace{(x', y')}_{V'} = \underbrace{(x + 1, y)}_{E}$
The substituted form of $\{\varphi\}\,\tau\,\{\psi\}$ is
  $\underbrace{x \geq 0}_{C_\tau} \wedge \underbrace{x = y}_{\varphi} \rightarrow \underbrace{(x = y + 1)[(x + 1, y)/(x, y)]}_{\psi[E/V]}$
or equivalently
  $x \geq 0 \wedge x = y \rightarrow x + 1 = y + 1$

6-10  Simplifying Control Expressions

  $move(L_1, L_2):\ L_1 \subseteq \pi \wedge \pi' = (\pi - L_1) \cup L_2$
e.g., for $L_1 = \{\ell_1\}$, $L_2 = \{\ell_2\}$:
  $move(\ell_1, \ell_2):\ \ell_1 \in \pi \wedge \pi' = (\pi - \{\ell_1\}) \cup \{\ell_2\}$
Consequences implied by $move(L_1, L_2)$:
• for every $[\ell] \in L_1$: $at\_\ell = t$ (i.e., $[\ell] \in \pi$)
• for every $[\ell] \in L_2$: $at'\_\ell = t$ (i.e., $[\ell] \in \pi'$)
• for every $[\ell] \in L_1 - L_2$: $at\_\ell = t$ (i.e., $[\ell] \in \pi$) and $at'\_\ell = f$ (i.e., $[\ell] \notin \pi'$)
• for every $\ell \notin L_1 \cup L_2$: $at'\_\ell = at\_\ell$ (i.e., $[\ell] \in \pi, \pi'$ or $[\ell] \notin \pi, \pi'$)

6-11  Proving invariance properties: $P \models \Box q$

We want to show that for every computation of $P$
  $\sigma:\ s_0, s_1, s_2, \ldots$
assertion $q$ holds in every state $s_j$, $j \geq 0$, i.e., $s_j \models q$.
Recall: a sequence $\sigma:\ s_0, s_1, s_2, \ldots$ is a computation if the following hold (from Chapter 0):
1. Initiality: $s_0 \models \Theta$
2. Consecution: for each $j \geq 0$, $s_{j+1}$ is a $\tau$-successor of $s_j$ for some $\tau \in \mathcal{T}$ ($s_{j+1} \in \tau(s_j)$)
3, 4. Fairness conditions are respected.
Note: the truth of safety properties over programs does not depend on fairness conditions.

6-12  Proving invariance properties (Con’t)

This definition suggests a way to prove invariance properties $\Box q$:
1. Base case: prove that $q$ holds initially,
  $\Theta \rightarrow q$
  i.e., $q$ holds at $s_0$.
2. Inductive step: prove that $q$ is preserved by all transitions,
  $\underbrace{q \wedge \rho_\tau \rightarrow q'}_{\{q\}\,\tau\,\{q\}}$ for all $\tau \in \mathcal{T}$
  i.e., if $q$ holds at $s_j$, then it holds at every $\tau$-successor $s_{j+1}$.
6-13  Rule B-INV (basic invariance)

Show $P \models \Box q$ (i.e., $q$ is $P$-invariant).
For assertion $q$,
  B1. $P \models \Theta \rightarrow q$
  B2. $P \models \{q\}\,\mathcal{T}\,\{q\}$
  ─────────────────────
  $P \models \Box q$
where B2 stands for $P \models \{q\}\,\tau\,\{q\}$ for every $\tau \in \mathcal{T}$.
• The rule states that if we can prove the $P$-state validity of $\Theta \rightarrow q$ and $\{q\}\,\mathcal{T}\,\{q\}$, then we can conclude that $\Box q$ is $P$-valid.
• Thus the proof of a temporal property $\Box q$ is reduced to the proof of $1 + |\mathcal{T}|$ first-order verification conditions.

6-14  Example 1: request-release

  local $x$: integer where $x = 1$
  $\ell_0$: request $x$
  $\ell_1$: critical
  $\ell_2$: release $x$
  $\ell_3$:

  $\Theta:\ x = 1 \wedge \pi = \{\ell_0\}$
  $\mathcal{T}:\ \{\tau_I, \tau_{\ell_0}, \tau_{\ell_1}, \tau_{\ell_2}\}$
Prove $P \models \Box\,\underbrace{x \geq 0}_{q}$ using b-inv.

6-15  Example 1: request-release (Con’t)

B1: $\underbrace{x = 1 \wedge \pi = \{\ell_0\}}_{\Theta} \rightarrow \underbrace{x \geq 0}_{q}$
  holds since $x = 1 \rightarrow x \geq 0$
B2:
  $\tau_{\ell_0}$: $\underbrace{x \geq 0}_{q} \wedge \underbrace{move(\ell_0, \ell_1) \wedge x > 0 \wedge x' = x - 1}_{\rho_{\tau_{\ell_0}}} \rightarrow \underbrace{x' \geq 0}_{q'}$
  holds since $x > 0 \rightarrow x - 1 \geq 0$
  $\tau_{\ell_1}$: $\underbrace{x \geq 0}_{q} \wedge \underbrace{move(\ell_1, \ell_2) \wedge x' = x}_{\rho_{\tau_{\ell_1}}} \rightarrow \underbrace{x' \geq 0}_{q'}$
  holds since $x \geq 0 \rightarrow x \geq 0$
  $\tau_{\ell_2}$: $\underbrace{x \geq 0}_{q} \wedge \underbrace{move(\ell_2, \ell_3) \wedge x' = x + 1}_{\rho_{\tau_{\ell_2}}} \rightarrow \underbrace{x' \geq 0}_{q'}$
  holds since $x \geq 0 \rightarrow x + 1 \geq 0$

6-16  Example 1: request-release (Con’t)

(The program of slide 6-14 is shown again here.)
We proved $P \models \Box(x \geq 0)$ using b-inv.
Now we want to prove $P \models \Box\,\underbrace{(at\_\ell_1 \rightarrow x = 0)}_{q}$.
6-17  Example 1: request-release (Con’t)

Attempted proof:
B1: $\underbrace{x = 1 \wedge \pi = \{\ell_0\}}_{\Theta} \rightarrow \underbrace{(at\_\ell_1 \rightarrow x = 0)}_{q}$
  holds since $\pi = \{\ell_0\} \rightarrow at\_\ell_1 = f$
B2: $\{q\}\,\tau_{\ell_0}\,\{q\}$:
  $\underbrace{at\_\ell_1 \rightarrow x = 0}_{q} \wedge \underbrace{move(\ell_0, \ell_1) \wedge x > 0 \wedge x' = x - 1}_{\rho_{\tau_{\ell_0}}} \rightarrow \underbrace{(at'\_\ell_1 \rightarrow x' = 0)}_{q'}$
  We have $move(\ell_0, \ell_1) \rightarrow at\_\ell_1 = f,\ at'\_\ell_1 = t$, BUT
  $(f \rightarrow x = 0) \wedge x > 0 \wedge x' = x - 1 \rightarrow (t \rightarrow x' = 0)$
  cannot be proved: it is not state-valid.
What is the problem?

6-18  Strategies for invariance proofs

Rule b-inv (basic invariance)
For assertion $q$,
  B1. $P \models \Theta \rightarrow q$
  B2. $P \models \{q\}\,\mathcal{T}\,\{q\}$
  ─────────────────────
  $P \models \Box q$
• $q$ is inductive if B1 and B2 are (state) valid
• By rule b-inv, every inductive assertion $q$ is $P$-invariant
• The converse is not true
  Example: in request-release, $at\_\ell_1 \rightarrow x = 0$ is $P$-invariant, but not inductive.
We need a stronger rule.

6-19  Rule b-inv (Con’t)

The problem is: “the invariant is not inductive”, i.e., it is not strong enough to be preserved by all transitions.
Another way to look at it is to observe that $\{q\}\,\tau_{\ell_0}\,\{q\}$ is not state valid, but it is $P$-state valid, i.e., it is true in all $P$-accessible states, since in all $P$-accessible states $x = 1$ when at location $\ell_0$.
This suggests two strategies to overcome this problem:
• strengthening
• incremental proof

6-20  Strategy 1: Strengthening

Find a stronger assertion $\varphi$ that is inductive and implies the assertion $q$ we want to prove.
(Figure: the state space $\Sigma$ with the regions $q$, $\varphi$ and the $P$-accessible states, and a transition $\tau$.)
In Chapter 2 it will be shown that there always exists such an assertion $\varphi$.
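A worked check of the request-release example (slides 6-14 to 6-19) that also uses the substituted form of verification conditions (slides 6-7 to 6-9); this is an added example, not code from the lecture. It models the program over constructed states $(\ell, x)$, writes each transition as $C_\tau \wedge (V' = E)$ so that $\{q\}\,\tau\,\{q\}$ is checked as $C_\tau \wedge q \rightarrow q[E/V]$, and contrasts state validity of the b-inv premises (over a constructed finite slice of $\Sigma$) with $P$-state validity (over the $P$-accessible states, computed by reachability from $\Theta$). Location names `l0`..`l3` and the transition names are this example's own.

```python
from collections import deque

# States are pairs (loc, x): the control variable pi (the program is
# sequential, so pi = {loc}) and the program variable x.
L0, L1, L2, L3 = "l0", "l1", "l2", "l3"
THETA = (L0, 1)                                   # Theta: x = 1 and pi = {l0}
# Transitions in substituted form C_tau ∧ (V' = E): an enabling condition over
# (loc, x) and an expression list giving (loc', x'); move(l_i, l_j) is folded in.
TRANSITIONS = {
    "tau_l0": (lambda l, x: l == L0 and x > 0, lambda l, x: (L1, x - 1)),  # request x
    "tau_l1": (lambda l, x: l == L1,           lambda l, x: (L2, x)),      # critical
    "tau_l2": (lambda l, x: l == L2,           lambda l, x: (L3, x + 1)),  # release x
}   # the idling transition tau_I is omitted: {q} tau_I {q} is always valid

def substituted_vc(q, tau, s):
    """{q} tau {q} in substituted form at state s: C_tau ∧ q -> q[E/V]."""
    cond, expr = TRANSITIONS[tau]
    return not (cond(*s) and q(s)) or q(expr(*s))

def successors(s):
    return [expr(*s) for cond, expr in TRANSITIONS.values() if cond(*s)]

def accessible_states():
    """P-accessible states: everything reachable from Theta (BFS)."""
    seen, todo = {THETA}, deque([THETA])
    while todo:
        for t in successors(todo.popleft()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def sample_states(xs=range(-3, 4)):
    """Constructed finite slice of the infinite state space Sigma."""
    return [(l, x) for l in (L0, L1, L2, L3) for x in xs]

def b_inv_counterexample(q, states):
    """Premises B1, B2 of rule b-inv checked over `states`: None if q is
    inductive there, else the (tau, state) whose verification condition fails."""
    if not q(THETA):
        return ("B1", THETA)
    for s in states:
        for tau in TRANSITIONS:
            if not substituted_vc(q, tau, s):
                return (tau, s)
    return None

def p_invariant(q):
    """P-invariance of q: q holds in every P-accessible state."""
    return all(q(s) for s in accessible_states())
Q1 = lambda s: s[1] >= 0                 # x >= 0: inductive, hence P-invariant
Q2 = lambda s: s[0] != L1 or s[1] == 0   # at_l1 -> x = 0: P-invariant, not inductive
```

For `Q2` the failing verification condition is `{q} tau_l0 {q}` at a state with `x > 1` at `l0`, which no computation of the program ever reaches; this is exactly the "P-state valid but not state valid" situation of slide 6-19.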