Program Design and Verification Techniques

This document provides an overview of a computer-aided program design course at Rice University for Spring 2015. It covers topics like reasoning about programs mathematically, specifying correctness properties, challenges in automated reasoning about programs, and components of the course like logic, verification of finite-state and infinite-state programs, and program synthesis. The document also provides some rules for the class and information about the instructor and TA.


Computer-Aided Program Design

Spring 2015, Rice University


Unit 1
Swarat Chaudhuri

January 22, 2015

Reasoning about programs

- A program is a mathematical object with rigorous meaning.
- It should be possible to prove theorems about programs, for example:
  - The program P always terminates.
  - On each input x such that (x > 0), P terminates and outputs (x + 5).
  - There is an input on which P does not terminate.
  - There is a way to complete the partial program P such that the resulting program always terminates.

Proof gives us certainty, reliability...

- ...to an extent not achieved by testing.

Reasoning about programs: Spot the bug!

    /* isLeapYear is not shown on the slide; the standard Gregorian rule is assumed here. */
    int isLeapYear(int year) {
        return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    }

    int computeCurrentYear (int days) {
        /* input: number of days since Jan 1, 1980 */
        int year = 1980;
        while (days > 365) {
            if (isLeapYear(year)) {
                if (days > 366) {
                    days = days - 366;
                    year = year + 1;
                }
            } else {
                days = days - 365;
                year = year + 1;
            }
        }
        return year;
    }

See [Link] for more details.
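One way to hunt for the bug mechanically, as an added example that is not part of the slides: re-run the loop in Python with a bound and check a termination measure (that `days` strictly decreases on every iteration), reporting the first input on which the measure fails. The `is_leap_year` helper and the iteration bound are assumptions of this example.

```python
# Added example (not from the slides): bounded re-execution of
# computeCurrentYear that checks a termination measure.  The slides ask
# whether we can prove that a program always terminates; here we check
# the weaker, executable claim "days decreases on every loop iteration"
# and report the first input for which it does not hold.

def is_leap_year(year):
    """Assumed definition of the helper the slide does not show."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def compute_current_year(days, max_iterations=1000):
    """Mirror of the C function.  Returns (year, made_progress), where
    made_progress is False if some iteration left `days` unchanged."""
    year = 1980
    for _ in range(max_iterations):
        if not days > 365:
            return year, True          # loop exited normally
        before = days
        if is_leap_year(year):
            if days > 366:
                days -= 366
                year += 1
        else:
            days -= 365
            year += 1
        if days == before:             # termination measure did not decrease
            return year, False
    return year, True                  # bound reached while still making progress

def find_nonterminating_input(limit):
    """First days value in [0, limit) on which the loop gets stuck, or None."""
    for d in range(limit):
        if not compute_current_year(d)[1]:
            return d
    return None
```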

Reasoning about programs: Is this program correct?

    do {
        AcquireSpinLock();
        nPacketsOld = nPackets;
        req = devExt->WLHV;
        if (req && req->status) {
            devExt->WLHV = req->Next;
            ReleaseSpinLock();
            nPackets++;
        }
    } while (nPackets != nPacketsOld);
    ReleaseSpinLock();

Challenges

How to specify correctness properties of programs?

- Mathematical logic
- ∀i, j : i < j → A[i] < A[j]

Proofs about programs are complicated and tedious. Won't a human get them wrong?

- Machine-checked proofs: Proofs must be fully formal, and checked by an algorithm.
- Automatic proofs: The proofs must be generated by an algorithm.

Automated reasoning about programs

In principle, proving the correctness or incorrectness of a general program is undecidable.

In practice:
- Focus on solvable special cases (in particular, finite-state programs)
- Give semi-algorithms rather than algorithms.

Questions:
- Program verification
- Program synthesis

This course: components

- Logic
  - Decision procedures for logic
- Verification of finite-state programs
- Verification of infinite-state programs
- Program synthesis

Rules

- No laptops in class.
- Attendance is important.
- No single textbook
- Few slides
- In-class activities

TA: Keliang He

More information on course webpage: [Link]

Propositional logic

Let us first consider finite-state systems:

- Hardware
- Network protocols
- Perhaps not software

How do you describe correctness properties of such a system?

Propositional logic: Syntax

Let Prop be a set of propositional variables. A formula F in propositional logic has the form

    F ::= p | ¬F1 | F1 ∧ F2 | F1 ∨ F2 | F1 → F2 | F1 ↔ F2 | ⊤ | ⊥

where p ∈ Prop.

- In the above, F1 and F2 are subformulas of F.

A literal is a formula of the form p or ¬p, where p ∈ Prop.

Propositional logic: Semantics

- Interpretation I : {P ↦ true, Q ↦ false, …}
- I |= F if F evaluates to true under I
- I ⊭ F if F evaluates to false under I

Inductive definition of semantics:

    I |= ⊤
    I ⊭ ⊥
    I |= ¬F         iff   I ⊭ F
    I |= F1 ∧ F2    iff   I |= F1 and I |= F2
    I |= F1 ∨ F2    iff   I |= F1 or I |= F2
    I |= F1 → F2    iff   I ⊭ F1 or I |= F2
    I |= F1 ↔ F2    iff   I |= F1 and I |= F2, or I ⊭ F1 and I ⊭ F2.

Using propositional logic

What does the following program do?

    bool foo(unsigned int v) {
        unsigned int f;
        f = v & (v - 1);
        return (f == 0);
    }

Verify this!

Satisfiability

F is satisfiable iff there exists an interpretation I such that I |= F.

F is valid iff for all interpretations I, I |= F.

F is valid iff ¬F is unsatisfiable.

Can you algorithmically check whether a formula F is satisfiable?
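The inductive semantics and the satisfiability/validity definitions above, worked out in code as an added example (not from the slides): a small formula AST, an evaluator that follows the definition case by case, and the brute-force decision procedure that enumerates every interpretation over the formula's variables. The tuple encoding of formulas and the sample formula are constructed for this example.

```python
# Added example (not from the slides): I |= F as an evaluator, plus
# satisfiability/validity by enumerating all interpretations.
from itertools import product

TOP, BOT = ("top",), ("bot",)
def var(p):      return ("var", p)
def neg(f):      return ("not", f)
def conj(f, g):  return ("and", f, g)
def disj(f, g):  return ("or", f, g)
def impl(f, g):  return ("imp", f, g)
def iff(f, g):   return ("iff", f, g)

def holds(interp, f):
    """I |= F, one case per line of the inductive definition."""
    op = f[0]
    if op == "top": return True
    if op == "bot": return False
    if op == "var": return interp[f[1]]
    if op == "not": return not holds(interp, f[1])
    a, b = f[1], f[2]
    if op == "and": return holds(interp, a) and holds(interp, b)
    if op == "or":  return holds(interp, a) or holds(interp, b)
    if op == "imp": return (not holds(interp, a)) or holds(interp, b)
    if op == "iff": return holds(interp, a) == holds(interp, b)
    raise ValueError(op)

def variables(f):
    """Set of propositional variables occurring in f."""
    if f[0] == "var": return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))

def interpretations(f):
    """Every interpretation I over the variables of f (2^n of them)."""
    vs = sorted(variables(f))
    for bits in product([True, False], repeat=len(vs)):
        yield dict(zip(vs, bits))

def satisfiable(f): return any(holds(i, f) for i in interpretations(f))
def valid(f):       return all(holds(i, f) for i in interpretations(f))

# Constructed sample: (P ∧ (P → Q)) → Q is valid, so its negation is unsatisfiable.
P, Q = var("P"), var("Q")
MODUS_PONENS = impl(conj(P, impl(P, Q)), Q)
```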

Normal Forms

1. Negation Normal Form (NNF)
   Negations appear only in literals. (only ¬, ∧, ∨)

2. Disjunctive Normal Form (DNF)
   Disjunction of conjunctions of literals:

       ∨_i ∧_j ℓ_ij   for literals ℓ_ij

3. Conjunctive Normal Form (CNF)
   Conjunction of disjunctions of literals:

       ∧_i ∨_j ℓ_ij   for literals ℓ_ij

The Resolution Procedure

- Decides the satisfiability of PL formulae in CNF.
- Resolution Rule: For clauses C1 and C2 in CNF formula F, derive a resolvent using the following rule:

        C1[P]   C2[¬P]
        --------------
        C1[⊥] ∨ C2[⊤]

- Apply resolution and add the resolvent to the current set of clauses.
- If ⊥ is ever deduced via resolution, then F must be unsatisfiable, as F ∧ ⊥ is unsatisfiable.
- If every possible resolution produces an already-known clause, then F is satisfiable.

Resolution

Example:
1. (P Q) P Q
2. (P Q) Q

Resolution: soundness and completeness

Soundness of resolution: Every unsatisfiability judgment derived by resolution is correct.

Completeness of resolution: Every correct unsatisfiability judgment can be derived by resolution.

[Look up the textbook The Calculus of Computation, by Bradley and Manna.]
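The resolution procedure of the previous slide, implemented as an added example (not from the slides or the Bradley and Manna text): clauses are sets of string literals, a resolvent is computed exactly as C1[⊥] ∨ C2[⊤], and the search stops either when ⊥ is derived or when the clause set is saturated. The literal encoding and the two sample clause sets are constructed here.

```python
# Added example (not from the slides): saturation-based resolution on CNF.
# A clause is a frozenset of literals; 'P' is the atom P and '-P' is ¬P.
def negate(lit):
    return lit[1:] if lit.startswith("-") else "-" + lit

def resolvents(c1, c2):
    """All clauses obtainable from c1 and c2 by one resolution step:
    drop P from c1 and ¬P from c2, then join the remaining literals."""
    out = set()
    for lit in c1:
        if negate(lit) in c2:
            out.add((c1 - {lit}) | (c2 - {negate(lit)}))
    return out

def resolution(clauses):
    """False if the empty clause ⊥ is derived (F unsatisfiable); True once
    every possible resolution produces an already-known clause."""
    known = set(clauses)
    while True:
        new = set()
        for a in list(known):
            for b in list(known):
                if a == b:
                    continue
                for r in resolvents(a, b):
                    if not r:                 # ⊥ derived: F ∧ ⊥ is unsatisfiable
                        return False
                    if r not in known:
                        new.add(r)
        if not new:                           # saturated: nothing new, so satisfiable
            return True
        known |= new

def cnf(*clauses):
    return {frozenset(c) for c in clauses}

# Constructed inputs: P ∧ (¬P ∨ Q) ∧ ¬Q is unsatisfiable; (P ∨ Q) ∧ (¬P ∨ Q) is satisfiable.
UNSAT = cnf({"P"}, {"-P", "Q"}, {"-Q"})
SAT = cnf({"P", "Q"}, {"-P", "Q"})
```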

Boolean Constraint Propagation (BCP)

Based on unit resolution:

        ℓ    C[¬ℓ]
        ----------
           C[⊥]

where ℓ = P or ℓ = ¬P.

Example:
F : P (P Q) (R Q S)

Davis-Putnam-Logemann-Loveland (DPLL) Algorithm

- Decides the satisfiability of PL formulae in CNF.
- Decision Procedure DPLL: Given F in CNF

        let rec dpll F =
          let F' = bcp F in
          if F' = ⊤ then true
          else if F' = ⊥ then false
          else
            let P = choose vars(F') in
            (dpll F'{P ↦ ⊤}) ∨ (dpll F'{P ↦ ⊥})

Optimization:
Don't choose only-positive or only-negative variables for splitting.

DPLL Example

F : (P Q R) (Q R) (Q R) (P Q R)

Exercise

How does DPLL work on the following example?

    (P Q R) (Q P R) (R Q)

Solve this example using Z3.

In-class exercise: N-Queens

You are given an N × N chessboard. Your goal is to place N queens on the board so that no queen can hit any other.

Show how to solve this problem using Z3 for N = 4.
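As an added example that is not part of the slides, here is the DPLL procedure from the earlier slide (BCP plus the "don't split on pure literals" optimisation) written in Python and then used, in place of Z3, to solve the 4-Queens exercise. The integer literal encoding and the CNF encoding of the board (one variable per cell) are assumptions of this example, not the course's.

```python
# Added example (not from the slides): DPLL with BCP and the pure-literal
# optimisation, applied to N-Queens.  Literals are nonzero ints (negative =
# negated), a clause is a frozenset, F is a set of clauses; the empty set
# of clauses is ⊤ and a set containing the empty clause is ⊥.
def assign(F, lit):
    """F{lit ↦ ⊤}: drop clauses satisfied by lit, remove ¬lit from the rest."""
    return {c - {-lit} for c in F if lit not in c}

def bcp(F, model):
    """Unit resolution to a fixed point: a unit clause {ℓ} forces ℓ ↦ ⊤."""
    while frozenset() not in F:
        unit = next((c for c in F if len(c) == 1), None)
        if unit is None: break
        (lit,) = unit
        model[abs(lit)] = lit > 0
        F = assign(F, lit)
    return F

def dpll(F, model=None):
    """Returns a satisfying model {var: bool} or None if F is unsatisfiable."""
    model = {} if model is None else model
    F = bcp(F, model)
    if not F: return model                 # F' = ⊤: no clauses left
    if frozenset() in F: return None       # F' = ⊥: empty clause derived
    lits = {l for c in F for l in c}
    pure = next((l for l in lits if -l not in lits), None)
    if pure is not None:                   # optimisation: never split on a pure literal
        model[abs(pure)] = pure > 0
        return dpll(assign(F, pure), model)
    P = min(abs(l) for l in lits)
    for lit in (P, -P):                    # (dpll F'{P ↦ ⊤}) ∨ (dpll F'{P ↦ ⊥})
        r = dpll(assign(F, lit), {**model, P: lit > 0})
        if r is not None: return r
    return None

def queens_cnf(n):
    """Constructed encoding: variable n*r+c+1 means 'a queen on (row r, col c)'."""
    v = lambda r, c: n * r + c + 1
    cells = [(r, c) for r in range(n) for c in range(n)]
    F = {frozenset(v(r, c) for c in range(n)) for r in range(n)}   # a queen in every row
    for a in cells:
        for b in cells:
            attacks = a[0] == b[0] or a[1] == b[1] or abs(a[0] - b[0]) == abs(a[1] - b[1])
            if a < b and attacks:                                    # no two queens attack
                F.add(frozenset({-v(*a), -v(*b)}))
    return F

def solve_queens(n):
    """Queen positions (row, col) found by DPLL, or None if none exist."""
    m = dpll(queens_cnf(n))
    return None if m is None else sorted(((x - 1) // n, (x - 1) % n) for x, b in m.items() if b)
```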

Discussion

What about formulas that are not in CNF?

Homework exercise

Use Z3 to check the correctness of

    bool foo(unsigned int v) {
        unsigned int f;
        f = v & (v - 1);
        return (f == 0);
    }

under 4-bit integers.

More precisely, that it checks whether v is a power of 2.

There is a bug!

0 is incorrectly considered to be a power of 2.

Fix:

    bool foo(unsigned int v) {
        unsigned int f;
        f = v && !(v & (v - 1));
        return (f != 0);
    }

See more bit hacks at [Link]
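For the "Verify this!" question on the earlier slide and the homework above, here is an added example (not from the slides) that checks both versions of foo against the specification "v is a power of 2" by enumerating all sixteen 4-bit values in Python instead of using Z3. The 4-bit mask emulating C's unsigned wraparound and the reference specification are this example's own assumptions.

```python
# Added example (not from the slides): exhaustive 4-bit check of foo.
# Arithmetic is masked to 4 bits so that 0 - 1 wraps to 15 as it would
# for an unsigned 4-bit integer in C.
BITS = 4
MASK = (1 << BITS) - 1

def foo_original(v):
    """f = v & (v - 1); return f == 0"""
    f = v & ((v - 1) & MASK)
    return f == 0

def foo_fixed(v):
    """f = v && !(v & (v - 1)); return f != 0"""
    f = int(v != 0 and (v & ((v - 1) & MASK)) == 0)
    return f != 0

def is_power_of_two(v):
    """Reference specification: exactly one bit set, i.e. v ∈ {1, 2, 4, 8}."""
    return v in {1 << k for k in range(BITS)}

def counterexamples(impl):
    """All 4-bit inputs on which impl disagrees with the specification."""
    return [v for v in range(1 << BITS) if impl(v) != is_power_of_two(v)]
```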
