Program AnalysisINF414028.09.11Le ture 5INF4140 (28.09.11) Program Analysis Le ture 5 1 / 33

Program orre tnessIs my program orre t?Central question for this and the next le ture.Does the program behave as intended?Surprising behavior?x = 5; {x == 5} < x = x + 1;> {x ==?}Know that x == 5 immediately after �rst assignmentWill this still hold when the se ond assignment is exe uted?Depends on other pro essesWhat will be the �nal value of x?Today: Basi ma hinery for program reasoningNext week: Extending this ma hinery to the on urrent settingINF4140 (28.09.11) Program Analysis Le ture 5 2 / 33

Con urrent exe utionsCon urrent program: Several threads operating on shared variablesParallel updates to x and y : o < x = x ∗ 3;> || < y = y ∗ 2;> o Every on urrent exe ution an be written as a sequen e of atomi operations (gives one history)Two possible histories for the above programGenerally, if n pro esses exe utes m atomi operations ea h:(n ∗m)!m!n If n=3 and m=4:(3 ∗ 4)!4!3 = 34650INF4140 (28.09.11) Program Analysis Le ture 5 3 / 33

How to verify program properties?Testing in reases on�den e in the program orre tness, but does notguarantee orre tnessProgram testing an be a e�e tive way to show the presen e of bugs,but not their absen eOperational reasoning tries all possible exe utions of a programFormal analysis allows to dedu e the orre tness of a program withoutexe uting itSpe i� ation of program behaviorFormal argument that the spe i� ation is orre tINF4140 (28.09.11) Program Analysis Le ture 5 4 / 33

StatesA state onne ts a value to ea h program variable, example:{x == 2 ∧ y == 3}The state spa e of a program is given by the di�erent values that thede lared variables an takeSequential program: one exe ution thread operates on its own statespa eThe state may be hanged by assignmentsExample

{x == 5∧y == 5}x = x ∗ 2;{x == 10∧y == 5}y = y ∗ 2;{x == 10∧y == 10}INF4140 (28.09.11) Program Analysis Le ture 5 5 / 33

Exe utionsGiven the program S : S1;S2; . . . ;Sn;, starting in a state p0:•

p0−→ S1 p1

−→ S2 p2−→

. . .

pn−1−→ Sn pn

−→•where p1, p2, . . . pn are the di�erent states during exe utionCan be do umented by: {p0}S1{p1}S2{p2} . . . {pn−1}Sn{pn}p0, pn gives an external spe i� ation of the program: {p0}S{pn}We often refer to p0 as the initial state and pn as the �nal stateExample (from previous slide){x == 5 ∧ y == 5} x = x ∗ 2; y = y ∗ 2; {x == 10 ∧ y == 10}INF4140 (28.09.11) Program Analysis Le ture 5 6 / 33

AssertionsWant to express more general properties of programs, like{x == y}x = x ∗ 2;y = y ∗ 2;{x == y}If the assertion x == y holds when the program starts, x == y willalso hold when the program terminatesDoes not talk about parti ular values of x and y , but about relationsbetween their valuesAssertions hara terise sets of statesExampleThe assertion x == y des ribes all states where the values of x and y areequal, like {x == −1 ∧ y == −1}, {x == 1 ∧ y == 1}, . . .INF4140 (28.09.11) Program Analysis Le ture 5 7 / 33

AssertionsAn assertion P an be viewed as a set of states where P is true:x == y : All states where x has the same value as yx ≤ y : All states where the value of x is less or equal to the value of yx == 2 ∧ y == 3: Only one state (if x and y are the only variables)true: All statesfalse: No stateExample{x == y}x = x ∗ 2;{x == 2 ∗ y}y = y ∗ 2;{x == y}Then this must also hold for parti ular values of x and y satisfying theinitial assertion, like x == y == 5INF4140 (28.09.11) Program Analysis Le ture 5 8 / 33

Formal analysis of programsEstablish program properties by means of a system for formalreasoningHelp in understanding how a program behavesUseful for program onstru tionLook at logi s for formal analysisFormal systemAxioms: De�nes the meaning of individual program statementsRules: Derive the meaning of a program from the individualstatements in the programINF4140 (28.09.11) Program Analysis Le ture 5 9 / 33

Logi and Formal SystemsOur formal system onsists of:A set of symbols ( onstants, variables,...)A set of formulas (meaningful ombination of symbols)A set of axioms (assumed to be true)A set of rules of the form:H1 H2 . . . HnCWhere ea h Hi is an assumption, and C is the on lusionThe on lusion is true if all the assumptions are trueThe rules des ribes how true formulas an be derived from other trueformulasINF4140 (28.09.11) Program Analysis Le ture 5 10 / 33

SymbolsProgram variables: x , y , z , ...Relation symbols: ≤,≥, . . .Fun tion symbols: +,−, . . ., and onstants 0, 1, 2, . . . , true, falseEquality: ==

INF4140 (28.09.11) Program Analysis Le ture 5 11 / 33

Formulas in First-order logi Meaningful ombination of symbolsAssume that A and B are formulas, then the following are also formulas:¬A means �not A�A ∨ B means �A or B�A ∧ B means �A and B�A ⇒ B means �A implies B�If x is a variable and A is a formula ontaining x , the following are formulas:

∀x : A(x) means �A is true for all values of x�∃x : A(x) means �there is (at least) one value of x su h that A is true�

INF4140 (28.09.11) Program Analysis Le ture 5 12 / 33

Examples of axioms and rulesTypi al axioms:A ∨ ¬AA ⇒ ATypi al rules: A BA ∧ B A A ⇒ BB AA ∨ BExample x == 5 y == 5x == 5 ∧ y == 5 x ≥ 0 x ≥ 0 ⇒ y ≥ 0y ≥ 0x == 5x == 5 ∨ y == 5INF4140 (28.09.11) Program Analysis Le ture 5 13 / 33

Important termsInterpretation: des ribe ea h formula as either true or falseProof: derivation where all leaf nodes are axiomsTheorems: all lines in a proofSoundness (of the logi ): If we an prove some formula P (in thelogi ) then P is trueCompleteness: If a formula P is true, it an be provedINF4140 (28.09.11) Program Analysis Le ture 5 14 / 33

Program Logi (PL)PL lets us express and prove properties about programsFormulas are of the form{P} S {Q}S : program statement(s)P and Q: assertions over program states (in luding ¬,∧,∨, ∃, ∀)P : Pre onditionQ: Post onditionExample

{x == y} x = x ∗ 2;y = y ∗ 2; {x == y}INF4140 (28.09.11) Program Analysis Le ture 5 15 / 33

The proof system PL (Hoare logi )Express and prove program properties{P} S {Q}P ,Q may be seen as a spe i� ation of the program SCode analysis by proving the spe i� ation (in PL)No need to exe ute the ode in order to do the analysisAn interpretation maps triples to true or false

{x == 0} x = x + 1; {x == 1} should be true{x == 0} x = x + 1; {x == 0} should be false

INF4140 (28.09.11) Program Analysis Le ture 5 16 / 33

Reasoning about programsBasi idea: Spe ify what the program is supposed to do (pre- andpost onditions)Pre- and post onditions are given as assertions over the program stateUse PL to �nd a mathemati al argument that the program satis�es itsspe i� ationINF4140 (28.09.11) Program Analysis Le ture 5 17 / 33

InterpretationInterpretation of triples is related to ode exe ution{P} S {Q} is true if

• the initial state of S satis�es P• S terminatesthen Q is true in the �nal state of SExpresses partial orre tness (termination of S is assumed)Example

{x == y} x = x ∗ 2;y = y ∗ 2; {x == y} is trueif the initial state satis�es x == y and the exe ution terminates,then the �nal state will satisfy x == yINF4140 (28.09.11) Program Analysis Le ture 5 18 / 33

ExamplesSome true formulas:{x == 0} x = x + 1; {x == 1}{x == 4} x = 5; {x == 5}{true} x = 5; {x == 5}

{y == 4} x = 5; {y == 4}{x == 4} x = x + 1; {x == 5}

{x == a ∧ y == b} x = x + y ; {x == a+ b ∧ y == b}{x == 4 ∧ y == 7} x = x + 1; {x == 5 ∧ y == 7}

{x == y} x = x + 1; y = y + 1; {x == y}Some formulas that are not true:{x == 0} x = x + 1; {x == 0}{x == 4} x = 5; {x == 4}

{x == y} x = x + 1; y = y − 1; {x == y}{x > y} x = x + 1; y = y + 1; {x < y}INF4140 (28.09.11) Program Analysis Le ture 5 19 / 33

Partial orre tnessThe interpretation assumes termination of {P}S{Q}, but terminationis not proved.The assertions (P , Q) express safety propertiesThe pre- and post onditions restri ts possible states{P} S ; {false} S does not terminate{false} S ; {Q} the program stops before S{P} S ; {true} does not say mu h...{true} S ; {Q} Q holds after S in any ase(provided S terminates)

INF4140 (28.09.11) Program Analysis Le ture 5 20 / 33

Proof system PLThe proof system onsists of axioms and rulesAxioms for basi statements:x = e, skip,...Rules for omposed statements:S1;S2, if, while, await, o...o , ...Theorems in PLOn triple formAll axioms are theoremsThe on lusion of a rule is a theorem, given that all the assumptionsare theorems: H1 H2 . . . HnCINF4140 (28.09.11) Program Analysis Le ture 5 21 / 33

SoundnessIf a triple {P}S{Q} is a theorem in PL, the triple is interpreted as true!Example: we want{x == 0}x = x+ 1{x == 1}to be a theorem (sin e it was interpreted as true),but{x == 0}x = x+ 1{x == 0}should not be a theorem (sin e it was interpreted as false)Soundness: All theorems in PL are trueIf we an use PL to prove some property of a program, then this propertywill hold for all exe utions of the programINF4140 (28.09.11) Program Analysis Le ture 5 22 / 33

Textual substitutionTextual substitution:Px←e means: All o urren es of x in P are repla ed by expression e.Example(x == 1)x ←(x+1) ⇔ x + 1 == 1(x + y == a)y ←(y+x) ⇔ x + (y + x) == a(y == a)x ←(x+y) ⇔ y == aSubstitution propagates into formulas:

(¬A)x ←e ⇔ ¬(Ax←e)(A ∧ B)x ←e ⇔ Ax←e ∧ Bx ←e(A ∨ B)x ←e ⇔ Ax←e ∨ Bx ←eINF4140 (28.09.11) Program Analysis Le ture 5 23 / 33

Remark on textual substitutionPx←eOnly free o urren es of x are substitutedVariables may be bound by quanti�ers (then that variable is not free)Example(∃y : x + y > 0)x←1 ⇔ ∃y : 1+ y > 0(∃x : x + y > 0)x ←1 ⇔ ∃x : x + y > 0(∃x : x + y > 0)y ←x ⇔ ∃z : z + x > 0Correspondingly for ∀

INF4140 (28.09.11) Program Analysis Le ture 5 24 / 33

The assignment axiom � MotivationGiven by ba kward onstru tion over the assignment:Given the post ondition to the assignment, we may derive thepre ondition!What is the pre ondition?{?}x = e{x == 5}If the assignment x = e should terminate in a state where x has the value5, the expression e must have the value 5 before the assignment:

{e == 5} x = e {x == 5}{(x == 5)x←e} x = e {x == 5}INF4140 (28.09.11) Program Analysis Le ture 5 25 / 33

Axiom of assignmentGiven the post ondition, we may onstru t the pre ondition:Axiom for the assignment statement

{Px←e} x = e; {P}If the assignment x = e should lead to a state that satis�es P , the statebefore the assignment must satisfy P where x is repla ed by e.INF4140 (28.09.11) Program Analysis Le ture 5 26 / 33

Proving an assignmentIn order to prove the triple {P}x = e{Q} in PL, we must show that thepre ondition P implies Qx←eP ⇒ Qx←e {Qx ←e}x = e{Q}

{P}x = e{Q}The blue impli ation is a logi al proof obligation. In this ourse we only onvin e ourself that these are true (we do not prove them formally).Qx←e is the largest set of states su h that the assignment isguaranteed to terminate with QWe must show that the set of states P is within this setINF4140 (28.09.11) Program Analysis Le ture 5 27 / 33

Examples true ⇒ 1 == 1{true} x = 1; {x == 1}x == 0 ⇒ x + 1 == 1

{x == 0} x = x + 1; {x == 1}(x == a ∧ y == b) ⇒ x + y == a+ b ∧ y == b

{x == a ∧ y == b} x = x + y ; {x == a+ b ∧ y == b}x == a ⇒ 0 ∗ y + x == a{x == a} q = 0; {q ∗ y + x == a}y > 0 ⇒ y ≥ 0

{y > 0} x = y ; {x ≥ 0}INF4140 (28.09.11) Program Analysis Le ture 5 28 / 33

The skip statementThe skip statement does nothingAxiom:

{P} skip; {P}INF4140 (28.09.11) Program Analysis Le ture 5 29 / 33

PL rulesSequential omposition Consequen e{P} S1; {R} {R} S2; {Q}

{P} S1; S2; {Q}P ′ ⇒ P {P} S ; {Q} Q ⇒ Q ′

{P ′} S {Q ′}Conditional while loop{P ∧ B} S ; {Q} (P ∧ ¬B) ⇒ Q

{P} if (B) S ; {Q}{I ∧ B} S ; {I}

{I} while (B) S ; {I ∧ ¬B}

• Blue: proof obligations the while rule needs a• for loop: exer ise 2.22! loop invariant!

INF4140 (28.09.11) Program Analysis Le ture 5 30 / 33

Sequential omposition and Consequen eBa kward onstru tion over assignments:x == y ⇒ 2 ∗ x == 2 ∗ y{x == y}x = x ∗ 2{x == 2 ∗ y} {(x == y)y ←2∗y}y = y ∗ 2{x == y}

{x == y}x = x ∗ 2; y = y ∗ 2{x == y}Usually we don't bother to write down the assignment axiom:(q ∗ y) + x == a ⇒ ((q + 1) ∗ y) + x − y == a

{(q ∗ y) + x == a}x = x− y;{((q + 1) ∗ y) + x == a}{(q ∗ y) + x == a}x = x− y; q = q+ 1{(q ∗ y) + x == a}

INF4140 (28.09.11) Program Analysis Le ture 5 31 / 33

Logi al variablesDo not o ur in program textUsed only in assertionsMay be used to freeze initial values of variablesMay then talk about these values in the post onditionExample{x == x0} if (x < 0) x = −x {x ≥ 0 ∧ (x == x0 ∨ x == −x0)}where (x == x0 ∨ x == −x0) states thatthe �nal value of x equals the initial value, orthe �nal value of x is the negative of the initial valueINF4140 (28.09.11) Program Analysis Le ture 5 32 / 33

Example: if statementVeri� ation of:{x == x0} if (x < 0) x = −x {x ≥ 0 ∧ (x == x0 ∨ x == −x0)}

{P ∧ B} S {Q} (P ∧ ¬B) ⇒ Q{P} if (B) S {Q}

{P ∧ B}S{Q}:{x == x0 ∧ x < 0}x = −x{x ≥ 0 ∧ (x == x0 ∨ x == −x0)}Ba kward onstru tion (assignment axiom) gives the impli ation:x == x0 ∧ x < 0 ⇒ (−x ≥ 0 ∧ (−x == x0 ∨ −x == −x0))P ∧ ¬B ⇒ Q:x == x0 ∧ x ≥ 0 ⇒ (x ≥ 0 ∧ (x == x0 ∨ x == −x0))INF4140 (28.09.11) Program Analysis Le ture 5 33 / 33