Generation of Verification Conditions Andreas Podelski November 15, - - PowerPoint PPT Presentation

Generation of Verification Conditions

Andreas Podelski November 15, 2011

mechanization of correctness proof

◮ given a Hoare triple {φ} C {ψ},

a derivation is a sequence of Hoare triples, each Hoare triple is an axiom (skip, update)

• r it is inferred by one of the inference rules (seq, cond, while)

mechanization of correctness proof

◮ given a Hoare triple {φ} C {ψ},

a derivation is a sequence of Hoare triples, each Hoare triple is an axiom (skip, update)

• r it is inferred by one of the inference rules (seq, cond, while)

◮ mechanization:

mechanization of correctness proof

◮ given a Hoare triple {φ} C {ψ},

a derivation is a sequence of Hoare triples, each Hoare triple is an axiom (skip, update)

• r it is inferred by one of the inference rules (seq, cond, while)

◮ mechanization: ◮ construct a derivation assuming that side conditions hold, ◮ and then check side conditions

“discharge the verification condition”

mechanization of correctness proof

◮ given a Hoare triple {φ} C {ψ},

a derivation is a sequence of Hoare triples, each Hoare triple is an axiom (skip, update)

• r it is inferred by one of the inference rules (seq, cond, while)

◮ mechanization: ◮ construct a derivation assuming that side conditions hold, ◮ and then check side conditions

“discharge the verification condition”

◮ if check does not succeed: try another derivation

mechanization of correctness proof

◮ given a Hoare triple {φ} C {ψ},

a derivation is a sequence of Hoare triples, each Hoare triple is an axiom (skip, update)

• r it is inferred by one of the inference rules (seq, cond, while)

◮ mechanization: ◮ construct a derivation assuming that side conditions hold, ◮ and then check side conditions

“discharge the verification condition”

◮ if check does not succeed: try another derivation ◮ next:

deterministic strategy to construct unique derivation

System H (1)

◮ Hoare triple {φ} C {ψ} derivable in H if

exists a derivation using the axioms and inference rules of H

System H (1)

◮ Hoare triple {φ} C {ψ} derivable in H if

exists a derivation using the axioms and inference rules of H

◮ skip

{φ} skip {φ}

System H (1)

◮ Hoare triple {φ} C {ψ} derivable in H if

exists a derivation using the axioms and inference rules of H

◮ skip

{φ} skip {φ}

◮ assignment

{ψ[e/x]} x := e {ψ}

System H (2)

◮ sequential command C ≡ C1 ; C2

{φ} C1 {φ′} {φ′} C {ψ} {φ} C {ψ}

System H (2)

◮ sequential command C ≡ C1 ; C2

{φ} C1 {φ′} {φ′} C {ψ} {φ} C {ψ}

◮ conditional command C ≡ if b then C1 else C2

{φ ∧ b} C1 {ψ} {φ ∧ ¬b} C {ψ} {φ} C {ψ}

System H (3)

◮ while command C ≡ while b do {θ} C0

{θ ∧ b} C0 {θ} {θ} C {θ ∧ ¬b}

System H (3)

◮ while command C ≡ while b do {θ} C0

{θ ∧ b} C0 {θ} {θ} C {θ ∧ ¬b}

◮ strengthen precondition, weaken postcondition

{φ} C {ψ} {φ′} C {ψ′} if φ′ → φ and ψ → ψ′

System H (3)

◮ while command C ≡ while b do {θ} C0

{θ ∧ b} C0 {θ} {θ} C {θ ∧ ¬b}

◮ strengthen precondition, weaken postcondition

{φ} C {ψ} {φ′} C {ψ′} if φ′ → φ and ψ → ψ′

System H (3)

◮ while command C ≡ while b do {θ} C0

{θ ∧ b} C0 {θ} {θ} C {θ ∧ ¬b}

◮ strengthen precondition, weaken postcondition

{φ} C {ψ} {φ′} C {ψ′} if φ′ → φ and ψ → ψ′

◮ Hoare triple derivable in all logicals models in which

implications in side condition are valid

backward construction of derivation

◮ given Hoare triple {φ} C {ψ},

“guess inference rule and guess assumptions” generate Hoare triples from which we could infer {φ} C {ψ} . . . and collect side conditions of inference rule (if any)

backward construction of derivation

◮ given Hoare triple {φ} C {ψ},

“guess inference rule and guess assumptions” generate Hoare triples from which we could infer {φ} C {ψ} . . . and collect side conditions of inference rule (if any)

◮ repeat on generated Hoare triples

to generate new Hoare triples until every Hoare triple is an axiom

mechanize backward inference

◮ given Hoare triple {φ} C {ψ},

from what Hoare triples could we have inferred it? . . . using what inference rule?

mechanize backward inference

◮ given Hoare triple {φ} C {ψ},

from what Hoare triples could we have inferred it? . . . using what inference rule?

◮ next:

go through each form of command C (skip, update, seq, cond, while)

backward inference

◮

??? {φ} skip {ψ}

backward inference

◮

??? {φ} skip {ψ}

◮ derivation can use what axiom and what inference rule?

backward inference

◮

??? {φ} skip {ψ}

◮ derivation can use what axiom and what inference rule? ◮ axiom for skip

{φ} skip {φ}

backward inference

◮

??? {φ} skip {ψ}

◮ derivation can use what axiom and what inference rule? ◮ axiom for skip

{φ} skip {φ}

◮ ‘strengthen precondition, weaken postcondition’ inference rule

{φ} C {ψ} {φ′} C {ψ′} if φ′ → φ and ψ → ψ′

backward inference

◮

??? {φ} skip {ψ}

backward inference

◮

??? {φ} skip {ψ}

◮ possible derivation sequence: axiom for (skip), followed by

weaking of postcondition

{φ} skip {φ} {φ} skip {ψ}

backward inference

◮

??? {φ} skip {ψ}

◮ possible derivation sequence: axiom for (skip), followed by

weaking of postcondition

{φ} skip {φ} {φ} skip {ψ} ◮ side condition: φ → ψ

backward inference

◮

??? {φ} skip {ψ}

◮ possible derivation sequence: axiom for (skip), followed by

weaking of postcondition

{φ} skip {φ} {φ} skip {ψ} ◮ side condition: φ → ψ ◮ possible derivation sequence:

axiom for (skip), followed by strengthening of precondition

{ψ} skip {ψ} {φ} skip {ψ}

backward inference

◮

??? {φ} skip {ψ}

◮ possible derivation sequence: axiom for (skip), followed by

weaking of postcondition

{φ} skip {φ} {φ} skip {ψ} ◮ side condition: φ → ψ ◮ possible derivation sequence:

axiom for (skip), followed by strengthening of precondition

{ψ} skip {ψ} {φ} skip {ψ} ◮ same side condition: φ → ψ

new axiom for skip

◮

{φ} skip {ψ} if φ → ψ

new axiom for skip

◮

{φ} skip {ψ} if φ → ψ

◮ old axiom & strengthening of precondition

new axiom for skip

◮

{φ} skip {ψ} if φ → ψ

◮ old axiom & strengthening of precondition ◮ φ is a precondition for ψ under skip

if and only if φ → ψ is valid

new axiom for skip

◮

{φ} skip {ψ} if φ → ψ

◮ old axiom & strengthening of precondition ◮ φ is a precondition for ψ under skip

if and only if φ → ψ is valid

◮ ψ is the weakest precondition for ψ under skip

new axiom for update

◮

{φ} x := e {ψ} if φ → ψ[e/x]

new axiom for update

◮

{φ} x := e {ψ} if φ → ψ[e/x]

◮ old axiom & strengthening of precondition

new axiom for update

◮

{φ} x := e {ψ} if φ → ψ[e/x]

◮ old axiom & strengthening of precondition ◮ φ is a precondition for ψ under x := e

if and only if φ → ψ[e/x] is valid

new axiom for update

◮

{φ} x := e {ψ} if φ → ψ[e/x]

◮ old axiom & strengthening of precondition ◮ φ is a precondition for ψ under x := e

if and only if φ → ψ[e/x] is valid

◮ ψ[e/x] is the weakest precondition for ψ under x := e

new rule for seq

◮ old rule:

{φ} C1 {θ} {θ} C2 {ψ} {φ} C1 ; C2 {ψ}

new rule for seq

◮ old rule:

{φ} C1 {θ} {θ} C2 {ψ} {φ} C1 ; C2 {ψ}

◮ new rule:

{φ1} C1 {φ2} {φ2} C2 {ψ} {φ} C1 ; C2 {ψ} φ → φ1

new rule for seq

◮ old rule:

{φ} C1 {θ} {θ} C2 {ψ} {φ} C1 ; C2 {ψ}

◮ new rule:

{φ1} C1 {φ2} {φ2} C2 {ψ} {φ} C1 ; C2 {ψ} φ → φ1

◮ let φ2 be the weakest precondition of ψ under C2 and

let φ1 be the weakest precondition of φ2 under C1

new rule for seq

◮ old rule:

{φ} C1 {θ} {θ} C2 {ψ} {φ} C1 ; C2 {ψ}

◮ new rule:

{φ1} C1 {φ2} {φ2} C2 {ψ} {φ} C1 ; C2 {ψ} φ → φ1

◮ let φ2 be the weakest precondition of ψ under C2 and

let φ1 be the weakest precondition of φ2 under C1

◮ φ is a precondition for ψ under C1 ; C2

if and only if φ → φ1 is valid

new rule for seq

◮ old rule:

{φ} C1 {θ} {θ} C2 {ψ} {φ} C1 ; C2 {ψ}

◮ new rule:

{φ1} C1 {φ2} {φ2} C2 {ψ} {φ} C1 ; C2 {ψ} φ → φ1

◮ let φ2 be the weakest precondition of ψ under C2 and

let φ1 be the weakest precondition of φ2 under C1

◮ φ is a precondition for ψ under C1 ; C2

if and only if φ → φ1 is valid

◮ the weakest precondition of ψ under C1 ; C2 is

the weakest precondition of (the weakest precondition of ψ under C2) under C1

new rule for cond

◮ old rule:

{φ ∧ b} C1 {ψ} {φ ∧ ¬b} C2 {ψ} {φ} if b then C1 else C2 {ψ}

new rule for cond

◮ old rule:

{φ ∧ b} C1 {ψ} {φ ∧ ¬b} C2 {ψ} {φ} if b then C1 else C2 {ψ}

◮ new rule:

{φ1} C1 {ψ} {φ2} C2 {ψ} {φ} if b then C1 else C2 {ψ} φ → (¬b∨φ1) and φ → (b∨φ2)

new rule for cond

◮ old rule:

{φ ∧ b} C1 {ψ} {φ ∧ ¬b} C2 {ψ} {φ} if b then C1 else C2 {ψ}

◮ new rule:

{φ1} C1 {ψ} {φ2} C2 {ψ} {φ} if b then C1 else C2 {ψ} φ → (¬b∨φ1) and φ → (b∨φ2)

◮ let φ1 be the weakest precondition of ψ under C1 and

let φ2 be the weakest precondition of ψ under C2

new rule for cond

◮ old rule:

{φ ∧ b} C1 {ψ} {φ ∧ ¬b} C2 {ψ} {φ} if b then C1 else C2 {ψ}

◮ new rule:

{φ1} C1 {ψ} {φ2} C2 {ψ} {φ} if b then C1 else C2 {ψ} φ → (¬b∨φ1) and φ → (b∨φ2)

◮ let φ1 be the weakest precondition of ψ under C1 and

let φ2 be the weakest precondition of ψ under C2

◮ φ is a precondition for ψ under if b then C1 else C2

if and only if φ → ((¬b ∨ φ1) ∧ (b ∨ φ2)) is valid

new rule for cond

◮ old rule:

{φ ∧ b} C1 {ψ} {φ ∧ ¬b} C2 {ψ} {φ} if b then C1 else C2 {ψ}

◮ new rule:

{φ1} C1 {ψ} {φ2} C2 {ψ} {φ} if b then C1 else C2 {ψ} φ → (¬b∨φ1) and φ → (b∨φ2)

◮ let φ1 be the weakest precondition of ψ under C1 and

let φ2 be the weakest precondition of ψ under C2

◮ φ is a precondition for ψ under if b then C1 else C2

if and only if φ → ((¬b ∨ φ1) ∧ (b ∨ φ2)) is valid

◮ the weakest precondition of ψ under if b then C1 else C2 is

the conjunction of ¬b ∨ φ1 and b ∨ φ2

new rule for while

◮ old rule:

{θ ∧ b} C0 {θ} {θ} while b do {θ} C0 {θ ∧ ¬b}

new rule for while

◮ old rule:

{θ ∧ b} C0 {θ} {θ} while b do {θ} C0 {θ ∧ ¬b}

◮ new rule = old rule & strengthening & weakening

{θ ∧ b} C0 {θ} {φ} while b do {θ} C0 {ψ} φ → θ and θ ∧ ¬b → ψ

new rule for while

◮ old rule:

{θ ∧ b} C0 {θ} {θ} while b do {θ} C0 {θ ∧ ¬b}

◮ new rule = old rule & strengthening & weakening

{θ ∧ b} C0 {θ} {φ} while b do {θ} C0 {ψ} φ → θ and θ ∧ ¬b → ψ

◮ ◮ φ is a precondition for ψ under while b do {θ} C0

if and only if φ → θ and θ ∧ ¬b → ψ are valid and {θ ∧ b} C0 {θ}

new rule for while

◮ old rule:

{θ ∧ b} C0 {θ} {θ} while b do {θ} C0 {θ ∧ ¬b}

◮ new rule = old rule & strengthening & weakening

{θ ∧ b} C0 {θ} {φ} while b do {θ} C0 {ψ} φ → θ and θ ∧ ¬b → ψ

◮ ◮ φ is a precondition for ψ under while b do {θ} C0

if and only if φ → θ and θ ∧ ¬b → ψ are valid and {θ ∧ b} C0 {θ}

◮ θ is the weakest precondition for ψ under while b do {θ} C0

weakest precondition wp(C, ψ)

◮ wp(skip, ψ) = ψ

weakest precondition wp(C, ψ)

◮ wp(skip, ψ) = ψ ◮ wp(x := e, ψ) = ψ[e/x]

weakest precondition wp(C, ψ)

◮ wp(skip, ψ) = ψ ◮ wp(x := e, ψ) = ψ[e/x] ◮ wp(C1 ; C2, ψ) = wp(C1, wp(C2, ψ))

weakest precondition wp(C, ψ)

◮ wp(skip, ψ) = ψ ◮ wp(x := e, ψ) = ψ[e/x] ◮ wp(C1 ; C2, ψ) = wp(C1, wp(C2, ψ)) ◮ wp(if b then C1 else C2, ψ) = (¬b ∨ φ1) ∧ (b ∨ φ2)

where φ1 = wp(C1, ψ) φ2 = wp(C2, ψ)

weakest precondition wp(C, ψ)

◮ wp(skip, ψ) = ψ ◮ wp(x := e, ψ) = ψ[e/x] ◮ wp(C1 ; C2, ψ) = wp(C1, wp(C2, ψ)) ◮ wp(if b then C1 else C2, ψ) = (¬b ∨ φ1) ∧ (b ∨ φ2)

where φ1 = wp(C1, ψ) φ2 = wp(C2, ψ)

◮ wp(while b do {θ} C0, ψ) = θ

verification condition

◮ for command C of form: skip, update, seq, cond,

verification condition

◮ for command C of form: skip, update, seq, cond, ◮ to check Hoare triple {φ} C {ψ},

verification condition

◮ for command C of form: skip, update, seq, cond, ◮ to check Hoare triple {φ} C {ψ}, ◮ check validity of verification condition

φ → wp(C, ψ)

verification condition

◮ for command C of form: skip, update, seq, cond, ◮ to check Hoare triple {φ} C {ψ}, ◮ check validity of verification condition

φ → wp(C, ψ)

◮ for command C of form: while b do {θ} C0 ,

verification condition

◮ for command C of form: skip, update, seq, cond, ◮ to check Hoare triple {φ} C {ψ}, ◮ check validity of verification condition

φ → wp(C, ψ)

◮ for command C of form: while b do {θ} C0 , ◮ to check Hoare triple {φ} C {ψ},

verification condition

◮ for command C of form: skip, update, seq, cond, ◮ to check Hoare triple {φ} C {ψ}, ◮ check validity of verification condition

φ → wp(C, ψ)

◮ for command C of form: while b do {θ} C0 , ◮ to check Hoare triple {φ} C {ψ}, ◮ check Hoare triple {θ ∧ b} C0 {θ}

and check validity of two implications φ → θ θ ∧ ¬b → ψ