Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the - - PowerPoint PPT Presentation

Quo Vadis Program Verification

Krzysztof R. Apt

CWI, Amsterdam, the Netherlands, University of Amsterdam

Quo Vadis Program Verification – p. 1/1

One Page Summary

Assertional approach to program verification is here to stay. Gap between theory and practice. Needed: verification of already developed OO programs. Grand Challenge: mechanical verification of OO programs that deal with data structures.

Quo Vadis Program Verification – p. 2/1

Program Verification

Assertional approach Basic Idea: Reason on the level of assertions instead of states. Axioms and proof rules to reason about while programs (Hoare ’69), Example:

{p ∧ B} S {p} {p} while B do S od {p ∧ ¬B}

(p is the loop invariant).

Quo Vadis Program Verification – p. 3/1

Some Theoretical Milestones

Recursive procedures (Hoare ’71), Arrays (Hoare and Wirth ’73, Gries ’78, De Bakker ’80), Parallel programs (Owicki and Gries, ’76, Lamport (’77)), Distributed programs (Apt, De Roever and Francez, ’80), Notion of completeness (Cook ’78), Impossibility of completeness for ‘full ALGOL ’ (Clarke ’79).

Quo Vadis Program Verification – p. 4/1

Drawbacks and Remedies

Deterministic programs Specifications in first-order logic can be clumsy or impossible. Remedy: use appropriate specification languages (Z of Abrial ’74, ISO standard: 2002). Correctness proofs are tedious and error-prone. Remedy 1: develop the program together with its correctness proof (Dijkstra ’76). Remedy 2: certify proofs. Another tack: Higher-level system development (Abrial ’96, ’09).

Quo Vadis Program Verification – p. 5/1

Mechanical Verification

Use a theorem prover /proof assistant. Underlying assumption: the theorem prover is a correct program. Verify mechanically soundness of the used proof systems. Establish correctness of a given program by verifying mechanically its correctness proof in a sound proof system.

Quo Vadis Program Verification – p. 6/1

Gap between Theory and Practice

Grand Challenge in Program Verification Build a library of provably correct OO programs dealing with data structures. Example: Verify the programs in LEDA: A Platform for Combinatorial and Geometric Computing, Mehlhorn and Näher, ’99. Cambridge University Press, 1034 pages. Main difficulty: these are C++ programs; extensively use classes.

Quo Vadis Program Verification – p. 7/1

Verification of OO Programs

Initial idea: De Boer, ’91, Presented using program transformation in Verification of Sequential and Concurrent Programs, Apt, De Boer and Olderog, Springer, 2009, 502 pages.

Quo Vadis Program Verification – p. 8/1

Main difficulties

How to deal with instance variables, transfer of control between caller and callee, void references (calls on null object).

Quo Vadis Program Verification – p. 9/1

Approach

Carefully choose a kernel language. Provide a syntax-directed transformation of object-oriented programs to the kernel language. Enrich the assertion language to reason about objects. Use this translation to derive the proof rules.

Quo Vadis Program Verification – p. 10/1

Details: Kernel Language

while programs, basic type Object,

• bject variable this,
• bject constant null,

arrays, failure statement if B → S fi, blocks, recursive procedures with parameters.

Quo Vadis Program Verification – p. 11/1

Details: Source Language

• bject variables,

variable this denotes the currently executing object,

• bject constant null represents void reference,

instance variables, method calls: s.m(t1, . . . , tn),

s - object expression, m - method,

method declarations: m(u1, . . . , un) :: S,

S - method body (recursion allowed).

Quo Vadis Program Verification – p. 12/1

Details: Assertion Language

Allow global expressions, like

this.next.next,

where next is an instance object variable.

Quo Vadis Program Verification – p. 13/1

Example

find :: if val = 0 then return := this

else if next = null then next.find else return := null fi fi

val is an instance integer variable, next is an instance object variable, first and return are normal object variables.

Intuition: first.find returns the first object that stores 0. The search starts at the object stored in first.

Quo Vadis Program Verification – p. 14/1

Transformation: Example

Original OO program:

find :: if val = 0 then return := this

else if next = null then next.find else return := null fi fi Transformed version (a recursive program):

find(this) :: if val[this] = 0 then return := this

else if next[this] = null then if next[this] = null → find(next[this]) fi else return := null fi fi

Quo Vadis Program Verification – p. 15/1

Consequences

Theorem: Each OO program S and its translation Θ(S) are semantically equivalent. Conclusion: We can use a proof system for recursive programs to prove correctness of OO programs. Improvement: Proof rules can be formulated as natural proof rules at the ‘source’ level. Theorem: The proof system is sound and complete for partial correctness (ABO ’10).

Quo Vadis Program Verification – p. 16/1

Back to the Grand Challenge (1)

Missing Features

• bject creation (handled in ABO ’09),

access to instance variables of arbitrary objects (handled in ABO ’10), inheritance, subtyping (Pierik and De Boer, ’05), exception handling, . . .

Quo Vadis Program Verification – p. 17/1

Back to the Grand Challenge (2)

Are Mechanical Proofs Needed? Rules can be unsound. Example: SUBSTITUTION RULE (ABO ’09)

{p} S {q} {p[¯ z := ¯ t]} S {q[¯ z := ¯ t]}

where ({¯

z} ∪ var(¯ t)) ∩ change(S) = ∅.

Correct version (ABO ’10): where ({¯

z} ∩ var(S)) ∪ (var(¯ t) ∩ change(S)) = ∅. find program may not terminate for cyclic lists.

Quo Vadis Program Verification – p. 18/1

To Do

Verification of deterministic programs by means of assertions. No obvious alternative. Focus on libraries of OO programs. Create a catalogue of mechanically certified programs. Side comment: one needs to choose the assertion language and the programming language . . .

Quo Vadis Program Verification – p. 19/1