Formal Program Verification Using Hoare’s Logic

Programming Bug Verification Formal Verification Language Hoare’s Logic Example Correctness Conclusion

Formal Program VerificationUsing Hoare’s Logic

Mahmudul Faisal Al Ameen

July 10, 2014

Mahmudul Faisal Al Ameen — Formal Program Verification 1/62


Contents

1 Programming

2 Bug

3 VerificationDynamic VerificationStatic Verification

4 Formal Verification

5 LanguageExpressionsLanguages

6 Hoare’s Logic

7 Example

8 Correctness

9 Conclusion



Core is Programming

Programming

DigitalFun

SocialNet-

working

MultimediaPro-

ductionEntertainment

Games

SoftwareDevel-opments

SystemSoftware

ApplicationSoftware

E-commerce

System

FirmwireCommunication

System

AnalysisFinance

Statistics History

Linguistics

(Simu/Emu)lation

MultiagentSystem

SoftwareTesting

MathematicalProblem

ArtificialBiologicalElements

Chemistry



Core is Programming

Programming

Digital FunSocial

Networking

Multimedia

ProductionEntertainment

Games

SoftwareDevel-

opments

System

Software

Application

Software

E-commerce

System

FirmwireCommunication

System

AnalysisFinance

Statistics History

Linguistics

(Simu/Emu)lation

Multiagent

System

Software

Testing

Mathematical

Problem

Artificial

Biological

Elements

Chemistry



Catastrophic Software Bug: Cluster (Ariane 5)

Loss: US$1 billion

Cause: Overflow bug



Catastrophic Software Bug: Therac 25

Casualty: At least 6 reported death

When occured: A particular nonstandard sequence ofkeystrokes was entered as – an ”X” to (erroneously) select 25MeV photon mode followed by ”cursor up”

The engineer had reused software from older models.



Catastrophic Software Bug: North AmericaBlackout

Loss: 28,700 MW dropped to 5,716 MW (80% loss)

Cause: Race condition



Catastrophic Software Bug: Smartship USSYorktown

Dead duration: 3 hours

Cause: Divide by Zero



Software Verification

SoftwareVerification

StaticVerifi-cation

Softwaremetricscalcu-lation

Codeconven-

tionsverifi-cation

Anti-patterndetec-tion

Formalverifi-cation

DynamicVerifi-cation

Unittest

Testin thelarge

Moduletest

Integrationtest

Systemtest

Acceptancetest

Functionaltest

Stresstest



Dynamic Verification

DynamicVerifi-cation

Unittest

Testin thelarge

Moduletest

Integrationtest

Systemtest

Acceptancetest

Functionaltest

Stresstest



Dynamic Verification (α-Testing): Prime Tester

.

.

.

1

2

3

0 (no)

1 (yes)

1 (yes)

Prime Tester




.

.

.

7

8

91

1 (yes)

0 (no)

1 (yes)

Prime Tester




.

.

.

100000007

10000008

100000000003

1 (yes)

0 (no)

1 (yes)

Prime Tester



Dynamic Verification (status): Prime Tester

Correct.Hence released as β-version.



Dynamic Verification (β-Testing): Prime Tester

.

.

.

9

15

93

1 (yes)

1 (yes)

1 (yes)

Prime Tester



Dynamic Verification (comments): Prime Tester

Totally incorrect.Bad program.



Dynamic Verification (review): Prime Tester

.

.

.

9

15

93

1 (yes)

1 (yes)

1 (yes)

int isPrime(int x){if(x==1) return 0;

if(x==2) return 1;

if(x % 2 == 0)

return 0;

return 1;

}



Dynamic Verification (fixation): Prime Tester

.

.

.

9

15

93

0 (no)

0 (no)

0 (no)


if(x==2) return 1;

if(x % 2 == 0)

return 0;

if(x % 3 == 0)

return 0;

return 1;

}



Dynamic Verification (happiness): Prime Tester

Programmer is happy. Finalversion is released.



Dynamic Verification (at user): Prime Tester

.

.

.

49

25

35

1 (yes)

1 (yes)

1 (yes)


if(x==2) return 1;

if(x % 2 == 0)

return 0;

if(x % 3 == 0)

return 0;

return 1;

}



Dynamic Verification (impact): Prime Tester

User may in dangeroussituation.



Dynamic Verification (conclusion): Prime Tester

Dynamic verification is notenough always.



Dynamic Verification (correct): Prime Tester

.

.

.

49

25

35

1 (yes)

1 (yes)

1 (yes)


int i = 2;

while(i < x){if(x % i == 0)

return 0;

i = i + 1;

}return 1;

}



Software Verification

StaticVerification

Softwaremetricscalcu-lation

Codeconven-

tionsverifi-cation

Anti-patterndetec-

tion

Formalverifi-cation



Formal Verification

FormalVerification



Notation

P is a program

A is an assertion, a formula of first order logic

b is a boolean expression, that evaluates always to true orfalse

e is an arithmatic expression

x is a variable

+, ×, =, <, ∧, ∨, ¬, → are operators.



Expression

e is x

0 1

e + e e × e

e − e e/e



Boolean Expression

b is e = e e < e

b ∧ b b ∨ b

¬b b → b



Programming Language

P is skip; x := e;

if(b){P

}else{P

}

while(b){P

}

P

P



Assertion Language

A is e = e e < e

¬A A ∧ A

A ∨ A A→ A

∀x(A) ∃x(A)



Hoare’s Logic: An Asserted Program

An asserted program -

ProgramPrecondition Postcondition

means -

Preconditionis true

∧ Program

finished execution

→ Postconditionis true

‘The Asserted Program is true’ means‘if Precondition is true and the Program finished execution thenPostcondition is also true’Note: Precondition and postcondition are assertions.



Axiom: Skip

skipA A

Example:

skipx = 0 x = 0



Axiom: Assignment

x := e;A[x ← e] A

Example (all three are equivalent):

x := x + 1;(x = 1)[x ← x + 1] x = 1

x := x + 1;(x + 1 = 1) x = 1

x := x + 1;x = 0 x = 1



Inference Rule: If

P1A ∧ b B

P2A ∧ ¬b B

if (b){P1

}else{P2

}

A B



Inference Rule: If (Example)

x := 10;(x = 1) ∧ (x > 0) x = 10

x := 100;(x = 1) ∧ ¬(x > 0) x = 10

if (x > 0){x := 10;

}else{x := 100;

}

x = 1 x = 10



Inference Rule: While

PA ∧ b A

while (b){P

}A A ∧ ¬b



Inference Rule: While (Example)

y := y + 1;x := x + 1;

(x = y) ∧ x < 10 x = y

while (x < 10){y := y + 1;x := x + 1;

}

x = y x = y ∧ ¬(x < 10)



Inference Rule: Composition

P1A B

P2B C

P1

P2A C



Inference Rule: Composition (Example)

x:=1;x = 0 ∧ y = 0 x = 1 ∧ y = 0

y:=1;x = 1 ∧ y = 0 x = 1 ∧ y = 1

x:=1;

y:=1;x = 0 ∧ y = 0 x = 1 ∧ y = 1



Inference Rule: Consequence - 1

PA B

skip;A1 A

PA1 B



Inference Rule: Consequence - 1 (Example)

x := x + 1x > 0 x = 2

skip;x = 1 x > 0

x := x + 1x = 1 x = 2



Inference Rule: Consequence - 2

PA B

skip;B B1

PA B1



Inference Rule: Consequence - 2 (Example)

x := x + 1x > 0 x = 2

skip;x = 2 x > 1

x := x + 1x > 0 x > 1



Verification Process: A Bad Program (step 1)

z = a ∧ b = 0

if( z=1 ) { b:=0; }else{

if( z=2 ) { b:=1; }else{

w := z / 2;

if( w × 2 = z ){ b := 0; }else{

w := z / 3;

if(w × 3 = z){ b := 0; }else { b := 1; }

}}

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))



Using the rule ‘ if’ (step 2)

z = a ∧ b = 0 ∧ z = 1

b:=0;

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))

Figure: True by assignment andconsequence

z = a ∧ b = 0 ∧ ¬(z = 1)

if( z=2 ) { b:=1; }else{

w := z / 2;

if( w × 2 = z ){ b := 0; }else{

w := z / 3;

if(w × 3 = z){ b := 0; }else { b := 1; }

}}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))



Using the rule ‘if’ (step 3)

z = a ∧ b = 0 ∧ ¬(z = 1) ∧ (z = 2)

b := 1;

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))


z = a ∧ b = 0 ∧ ¬(z = 1) ∧ ¬(z = 2)

w := z / 2;

if( w × 2 = z ){ b := 0; }else{

w := z / 3;

if(w × 3 = z){ b := 0; }else { b := 1; }

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))



Using the rule ‘composition’ (step 4)

z = a ∧ b = 0 ∧ ¬(z = 1) ∧ ¬(z = 2)

w := z / 2;

z = a ∧ b = 0 ∧ ¬(z = 1) ∧ ¬(z =2) ∧ (w = z/2)


(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧ (w = z/2)

if( w × 2 = z ){ b := 0; }else{

w := z / 3;

if(w × 3 = z){ b := 0; }else { b := 1; }

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))




(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧

(w = z/2) ∧ (w × 2 = z)

b := 0;

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))


(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧ (w =

z/2) ∧ ¬(w × 2 = z)

w := z / 3;

if(w × 3 = z){b := 0;

}else {b := 1;

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))




(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧ (w =

z/2) ∧ ¬(w × 2 = z)

w := z / 3;

(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧ w = z/3


(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧ w = z/3

if(w × 3 = z){b := 0;

}else {b := 1;

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))




(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧w = z/3 ∧ (w × 3 = z)

b := 0;

A→ (b = 1) ∧ ¬A→ (b = 0)


(z = a) ∧ (b = 0)∧¬(z = 1) ∧ ¬(z = 2) ∧ (w =

z/3) ∧ ¬(w × 3 = z)

b := 1;

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))

Figure: This part is false justwhen a = 25

Hence it is proved that the program is incorrect.



Verification Process: A Good Program (step 1)

z = a ∧ b = 0

b := 1;

if(z=1) { b := 0; }else {

i = 2;

while(i < z ∧ b = 1){w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}}

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))




z = a ∧ b = 0

b := 1;

z = a ∧ b = 1


z = a ∧ b = 1

if(z=1) { b := 0; }else {

i = 2;

while(i < z ∧ b = 1){w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}}

}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))




(z = a ∧ b = 0) ∧ (z = 1)

b := 0;

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))


(z = a ∧ b = 0) ∧ ¬(z = 1)

i = 2;

while(i < z ∧ b = 1){w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))




(z = a ∧ b = 0) ∧ ¬(z = 1)

i := 2;

(z = a ∧ b = 0) ∧ ¬(z = 1) ∧ i = 2


(z = a ∧ b = 0) ∧ ¬(z = 1) ∧ i = 2

while(i < z ∧ b = 1){w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}}

A → (b = 1) ∧ ¬A → (b = 0) where

A = ¬(a = 1 ∨ ∃xy((1 < x, y < a) ∧ (x × y = a)))



Using the rule ‘consequence - 2’ (step 5)

A → (b = 1) ∧ ¬A → (b = 0)∧¬(i < z ∧ b = 1)

skip;

A→ (b = 1) ∧ ¬A→ (b = 0)

Figure: True by skip andconsequence

(z = a ∧ b = 0) ∧ ¬(z = 1) ∧ i = 2

while(i < z ∧ b = 1){w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}}

A→ (b = 1) ∧ ¬A→ (b = 0)∧¬(i < z ∧ b = 1)



Using the rule ‘consequence - 1’ (step 6)

(z = a ∧ b = 0) ∧ ¬(z = 1) ∧ i = 2

skip;

Loop Invariant

Figure: True by skip andconsequence

Loop Invariant

while(i < z ∧ b = 1){w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}}

Loop Invariant and ¬(i < z ∧ b = 1)



Using the rule ‘while’ (step 7)

Loop Invariant and i < z ∧ b = 1

w := z / i;

if(w × i = z) {b := 0;

} else {i = i + 1;

}

Loop Invariant



Hoare’s Logic is sound

A provedcorrect

programis

indeedcorrect



Hoare’s Logic is complete

All correctprogram

isprovablein thissystem



Extensions

Hoare’sLogic

+ Re-cursiveProce-dure

SeparationLogic

+ Re-cursiveProce-dure

+InductiveTypes



Renowned People

Sir Tony Hoare Stephen A. Cook Krzysztof R. Apt

John C. Reynolds Makoto Tatsuta



The End?

Thank youfor a realpatience


Formal Program Verification Using Hoare’s Logic

Documents

Transcript of Formal Program Verification Using Hoare’s Logic