Automated Theorem Proving Lecture 1

1
Automated Theorem ProvingLecture 1
2
Given program P and specification S, does P
satisfy S?
Program verification is undecidable!
3
The model checking approach

• Create a model of the program in a decidable
  formalism
• Verify the model algorithmically
• Difficulties
• Model creation is burden on programmer
• The model might be incorrect.
• If verification fails, is the problem in the
  model or the program?

4
The axiomatic approach

• Add auxiliary specifications to the program to
  decompose the verification task into a set of
  local verification tasks
• Verify each local verification problem
• Difficulties
• Auxiliary spec is burden on programmer
• Auxiliary spec might be incorrect.
• If verification fails, is the problem with the
  auxiliary specification or the program?

5
Theorem Proving and Software
Meets spec/Found Bug

• Soundness
• If the theorem is valid then the program meets
  specification
• If the theorem is provable then it is valid

6
Overview of the Next Few Lectures

• From programs to theorems
• Verification condition generation
• From theorems to proofs
• Theorem provers
• Decision procedures

7
Programs ! Theorems Axiomatic Semantics

• Consists of
• A language for making assertions about programs
• Rules for establishing when assertions hold
• Typical assertions
• During the execution, only non-null pointers are
  dereferenced
• This program terminates with x 0
• Partial vs. total correctness assertions
• Safety vs. liveness properties
• Usually focus on safety (partial correctness)

8
Hoare Triples

• Partial correctness A s B
• When you start s in any state that satisfies A
• If the execution of s terminates
• It does so in a state that satisfies B
• Total correctness A s B
• When you start s in any state that satisfies A
• The execution of s terminates and
• It does so in a state that satisfies B
• Defined inductively on the structure of statements

9
Hoare Rules
10
Hoare Rules Assignment

• Example A x x 2 x gt 5 . What is
  A?
• General rule

• Surprising how simple the rule is !
• The key is to compute backwards the
  precondition from the postcondition
• Forward rule is more complicated

11
Weakest preconditions

• Dijkstras idea To verify that A s B
• Let Pre(s, B) A A s B
• b) (Pre(s,B), )) is a lattice
• - false ? Pre(s,B)
• - if ??Pre(s,B) and ??Pre(s,B), then
  ????Pre(s,B)
• - if ??Pre(s,B) and ??Pre(s,B), then
  ????Pre(s,B)
• c) WP(s, B) lub?(Pre(s, B))
• d) Compute WP(s, B) and prove A ? WP(s, B)

12
Predicate lattice
Pre(s, B)
13
Weakest preconditions

• WP(x E, B) BE/x
• WP(s1 s2, B) WP(s1, WP(s2, B))
• WP(if E then s1 else s2, B)
  
  E ) WP(s1, B) Æ E ) WP(s2, B)
• WP(assert E, B) E ? B

14
Example
returns c requires true ensures c a ? b bool
or(bool a, bool b) if (a) c
true else c b
S
WP(S, c a ? b) (a ? true a ? b) ? (?a ? b
a ? b)
Conjecture to be proved true ? (a ? true a ?
b) ? (?a ? b a ? b)
15
Weakest preconditions (Contd.)

• What about loops?
• Define a family of weakest preconditions
• WPk(while E do S, B) weakest precondition from
  which if the loop terminates in k or fewer
  iterations, then it terminates in B
• WP0 E ) B
• WPi1 WPi ? (E ) WP(s, WPi))
• WP(while E do S, B) Æk 0 WPk glb WPk k
  0
• Hard to compute
• Can we find something easier yet sufficient ?

16
Not quite weakest preconditions

• Recall what we are trying to do

)
false
true
Pre(s, B)
weak
strong
weakest precondition WP(s, B)
A

• We shall construct a verification condition
  VC(s, B)
• The loops are annotated with loop invariants !
• VC is guaranteed stronger than WP
• But hopefully still weaker than A A ) VC(s, B) )
  WP(s, B)

17
Verification condition generation

• Computed in a manner similar to WP
• Except the rule for while
• VC(whileI,T E do s, B)
• I Æ ( I ? ((E ) VC(s, I))
  Æ (E ) B)) )T0/T
• I is the loop invariant (provided by the
  programmer)
• T is the set of loop targets (can be approximated
  by scanning the loop body)

I is preserved in an arbitrary iteration
I holds on entry
B holds when the loop terminates
18
Example
VC(B, t ? 0 ? c a b - t) ? t - 1 ? 0 ? c 1
a b (t 1)
returns c requires b gt 0 ensures c a b int
add(int a, int b) int t t b c
a invariant t ? 0 ? c a b - t
while (t gt 0) c c 1 t t
- 1

• VC(L, c a b) ?
• t ? 0 ? c a b t ?
• (t ? 0 ? c a b t ?
• ? t gt 0 ? t - 1 ? 0 ?
• c 1 a b (t - 1)
• ? t ? 0 ? c a b)c0/c,t0/t

• VC(L, c a b) ?
• t ? 0 ? c a b t ?
• (t0 ? 0 ? c0 a b t0 ?
• ? t0 gt 0 ? t0 - 1 ? 0 ?
• c0 1 a b (t0 - 1)
• ? t0 ? 0 ? c0 a b)

A
L
B

• VC(A, c a b) ?
• b ? 0 ? a a b b ?
• (t0 ? 0 ? c0 a b t0 ?
• ? t0 gt 0 ? t0 - 1 ? 0 ?
• c0 1 a b (t0 - 1)
• ? t0 ? 0 ? c0 a b)

Conjecture to be proved b ? 0 ? VC(A, c a b)
19
Invariants Are Not Easy

• Consider the following code from QuickSort
• int partition(int a, int L0, int H0, int pivot)
  
• int L L0, H H0
• while(L lt H)
• while(aL lt pivot) L
• while(aH gt pivot) H --
• if(L lt H) swap aL and aH
• L
• return L
• Consider verifying only memory safety
• What is the loop invariant for the outer loop ?

20
Verification conditions (Contd.)

• What about procedure calls?
• Annotate each procedure with a precondition pre
  and a postcondition post
• VC(f(), B) pre ? (post ? B)

21
Program verification

• Annotate each procedure with a precondition and a
  postcondition and each loop with an invariant
• Verify each procedure separately

requires pre ensures post f() S
Verify that the formula VC(f) ? pre ? VC(S,
post) is valid
22
Proving verification conditions
VC(f) ? pre ? VC(S, post)

• What is the decision procedure for proving
  validity of VC(f)?
• Depends on the logic in which VC(f) is expressed

23
Verification condition logic
VC(f) ? pre ? VC(S, post)

• Atoms connected by boolean operators
• ?, ?, ?, ?
• Atoms depend on the program variables and
  operations on them
• boolean, integer, memory
• Atoms depend on the language of assertions, i.e.,
  program assertions, loop invariants,
  preconditions and postconditions
• quantification, reachability predicate

24
Assume each assertion is a quantifier-free
boolean combination of expressions over program
variables.

• VC(f) is a boolean combination of atoms
• Each atom is a relation over terms
• Each term is built using functions and logical
  constants
• Logical constants are different from program
  variables
• program variables change over time
• logical constants are fixed
• The logical constants in VC(f) refer to the
  values of program variables at the beginning of f.

25
Case I Boolean programs

• Boolean-valued variables and boolean operations

• ? Formula A ?? ? ? ?
• A ? Atom b
• b ? SymBoolConst

26
Example
returns c requires true ensures c a ? b bool
or(bool a, bool b) if (a) c
true else c b
S
VC(S, c a ? b) (a ? true a ? b) ? (?a ? b
a ? b)
Conjecture to be proved true ? (a ? true a ?
b) ? (?a ? b a ? b)
27
Case II Arithmetic programs

• In addition, integer-valued variables with affine
  operations

• ? Formula A ? ? ? ? ?
• A ? Atom b t 0 t lt 0 t ? 0
• t ? Term c x t t t t ct
• b ? SymBoolConst
• x ? SymIntConst
• c ? ,-1,0,1,

28
Example
VC(B, t ? 0 ? c a b - t) ? t - 1 ? 0 ? c 1
a b (t 1)
returns c requires b gt 0 ensures c a b int
add(int a, int b) int t t b c
a invariant t ? 0 ? c a b - t
while (t gt 0) c c 1 t t
- 1

• VC(L, c a b) ?
• t ? 0 ? c a b t ?
• (t ? 0 ? c a b t ?
• ? t gt 0 ? t - 1 ? 0 ?
• c 1 a b (t - 1)
• ? t ? 0 ? c a b)c0/c,t0/t

• VC(L, c a b) ?
• t ? 0 ? c a b t ?
• (t0 ? 0 ? c0 a b t0 ?
• ? t0 gt 0 ? t0 - 1 ? 0 ?
• c0 1 a b (t0 - 1)
• ? t0 ? 0 ? c0 a b)

A
L
B

• VC(A, c a b) ?
• b ? 0 ? a a b b ?
• (t0 ? 0 ? c0 a b t0 ?
• ? t0 gt 0 ? t0 - 1 ? 0 ?
• c0 1 a b (t0 - 1)
• ? t0 ? 0 ? c0 a b)

Conjecture to be proved b ? 0 ? VC(A, c a b)
29
Case III Memory programs

• In addition, a memory with read and write
  operations
• an unbounded set of objects
• a finite set of fields in each object
• each field contains a boolean value, an integer
  value, or a reference to an object
• For each field f, two operations Select and
  Update
• Select(f,o) is the content of the memory at
  object o and field f
• Update(f,o,v) is a new memory obtained by
  updating field f of object o to v

30
Memory axioms
for all objects o and o, and memories m ? o
o ? Select(Update(m,o,v),o) v ? o ? o ?
Select(Update(m,o,v),o) Select(m,o)
31
Modeling memory operations
Treat each field f as a map variable a b.f
a Select(f,b) a.f b
f Update(f,a,b)
? a.f 5 a.f b.f 10
WP(a.f 5, a.f b.f 10) ? WP(f
Update(f,a,5), Select(f,a) Select(f,b) 10)
? Select(Update(f,a,5),a) Select(Update(f,a,5),b
) 10
32
Simplify using memory axiom
Select(Update(f,a,5),a) Select(Update(f,a,5),b)
10 iff 5 Select(Update(f,a,5),b)
10 iff Select(Update(f,a,5),b) 5 iff
? a b ? 5 5 ? a ? b ? Select(f,b) 5
iff a ? b ? Select(f,b) 5
33

• ? Formula A ? ? ? ? ?
• A ? Atom b t 0 t lt 0 t ? 0
• t ? Term c x t t t t ct
  Select(m,t)
• m ? MemTerm f Update(m,t,t)
• b ? SymBoolConst
• x ? SymIntConst
• c ? ,-1,0,1,

34
Decision procedures

• Boolean programs
• Propositional satisfiability
• Arithmetic programs
• Propositional satisfiability modulo theory of
  linear arithmetic
• Memory programs
• Propositional satisfiability modulo theory of
  linear arithmetic arrays