Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of Amsterdam Quo Vadis Program Verification – p. 1/1
One Page Summary Assertional approach to program verification is here to stay. Gap between theory and practice. Needed: verification of already developed OO programs. Grand Challenge: mechanical verification of OO programs that deal with data structures. Quo Vadis Program Verification – p. 2/1
Program Verification Assertional approach Basic Idea: Reason on the level of assertions instead of states. Axioms and proof rules to reason about while programs (Hoare ’69), Example: { p ∧ B } S { p } { p } while B do S od { p ∧ ¬ B } ( p is the loop invariant). Quo Vadis Program Verification – p. 3/1
Some Theoretical Milestones Recursive procedures (Hoare ’71), Arrays (Hoare and Wirth ’73, Gries ’78, De Bakker ’80), Parallel programs (Owicki and Gries, ’76, Lamport (’77)), Distributed programs (Apt, De Roever and Francez, ’80), Notion of completeness (Cook ’78), Impossibility of completeness for ‘full ALGOL ’ (Clarke ’79). Quo Vadis Program Verification – p. 4/1
Drawbacks and Remedies Deterministic programs Specifications in first-order logic can be clumsy or impossible. Remedy: use appropriate specification languages (Z of Abrial ’74, ISO standard: 2002). Correctness proofs are tedious and error-prone. Remedy 1: develop the program together with its correctness proof (Dijkstra ’76). Remedy 2: certify proofs. Another tack: Higher-level system development (Abrial ’96, ’09). Quo Vadis Program Verification – p. 5/1
Mechanical Verification Use a theorem prover /proof assistant. Underlying assumption: the theorem prover is a correct program. Verify mechanically soundness of the used proof systems. Establish correctness of a given program by verifying mechanically its correctness proof in a sound proof system. Quo Vadis Program Verification – p. 6/1
Gap between Theory and Practice Grand Challenge in Program Verification Build a library of provably correct OO programs dealing with data structures. Example: Verify the programs in LEDA: A Platform for Combinatorial and Geometric Computing , Mehlhorn and Näher, ’99. Cambridge University Press, 1034 pages. Main difficulty: these are C++ programs; extensively use classes. Quo Vadis Program Verification – p. 7/1
Verification of OO Programs Initial idea: De Boer, ’91, Presented using program transformation in Verification of Sequential and Concurrent Programs , Apt, De Boer and Olderog, Springer, 2009, 502 pages. Quo Vadis Program Verification – p. 8/1
Main difficulties How to deal with instance variables, transfer of control between caller and callee, void references (calls on null object). Quo Vadis Program Verification – p. 9/1
Approach Carefully choose a kernel language. Provide a syntax-directed transformation of object-oriented programs to the kernel language. Enrich the assertion language to reason about objects. Use this translation to derive the proof rules. Quo Vadis Program Verification – p. 10/1
Details: Kernel Language while programs, basic type Object , object variable this , object constant null , arrays, failure statement if B → S fi , blocks, recursive procedures with parameters. Quo Vadis Program Verification – p. 11/1
Details: Source Language object variables, variable this denotes the currently executing object, object constant null represents void reference, instance variables, method calls: s.m ( t 1 , . . . , t n ) , s - object expression, m - method, method declarations: m ( u 1 , . . . , u n ) :: S , S - method body (recursion allowed). Quo Vadis Program Verification – p. 12/1
Details: Assertion Language Allow global expressions, like this .next.next , where next is an instance object variable. Quo Vadis Program Verification – p. 13/1
Example find :: if val = 0 then return := this else if next � = null then next.find else return := null fi fi val is an instance integer variable, next is an instance object variable, first and return are normal object variables. Intuition: first.find returns the first object that stores 0. The search starts at the object stored in first . Quo Vadis Program Verification – p. 14/1
Transformation: Example Original OO program: find :: if val = 0 then return := this else if next � = null then next.find else return := null fi fi Transformed version (a recursive program): find ( this ) :: if val [ this ] = 0 then return := this else if next [ this ] � = null then if next [ this ] � = null → find ( next [ this ]) fi else return := null fi fi Quo Vadis Program Verification – p. 15/1
Consequences Theorem: Each OO program S and its translation Θ( S ) are semantically equivalent. Conclusion: We can use a proof system for recursive programs to prove correctness of OO programs. Improvement: Proof rules can be formulated as natural proof rules at the ‘source’ level. Theorem: The proof system is sound and complete for partial correctness (ABO ’10). Quo Vadis Program Verification – p. 16/1
Back to the Grand Challenge (1) Missing Features object creation (handled in ABO ’09), access to instance variables of arbitrary objects (handled in ABO ’10), inheritance, subtyping (Pierik and De Boer, ’05), exception handling, . . . Quo Vadis Program Verification – p. 17/1
Back to the Grand Challenge (2) Are Mechanical Proofs Needed? Rules can be unsound. Example: SUBSTITUTION RULE (ABO ’09) { p } S { q } z := ¯ z := ¯ { p [¯ t ] } S { q [¯ t ] } z } ∪ var (¯ where ( { ¯ t )) ∩ change ( S ) = ∅ . Correct version (ABO ’10): z } ∩ var ( S )) ∪ ( var (¯ where ( { ¯ t ) ∩ change ( S )) = ∅ . find program may not terminate for cyclic lists. Quo Vadis Program Verification – p. 18/1
To Do Verification of deterministic programs by means of assertions. No obvious alternative. Focus on libraries of OO programs. Create a catalogue of mechanically certified programs. Side comment: one needs to choose the assertion language and the programming language . . . Quo Vadis Program Verification – p. 19/1
Recommend
More recommend
