CSE 3341.03 Winter 2008 Introduction to Program Verification February 5
-
Upload
garrison-fisher -
Category
Documents
-
view
14 -
download
0
description
Transcript of CSE 3341.03 Winter 2008 Introduction to Program Verification February 5
CSE 3341.03 Winter 2008Introduction to Program Verification
February 5
calculating with simplify
review the simplify algorithm simplify(Expr) = Result
if path_arg(Path, Expr) = Lhs,
% (there is a path in Expr to the sub-expression LHS)
and Lhs ->> Rhs, and
Modified = change_path_arg(Path, Expr, Rhs), and
Result = simplify(Modified)
otherwisesimplify(Expr) = Expr.
in English -- Result is the result of simplifying Expr if there is a path
in Expr to a subterm Lhs,
and there is a rule that
Lhs ->> Rhs, and Modified is the term Expr with the Lhs subterm replaced by Rhs,
otherwise Result is the input Expr
simplify is an interpreter for "rewrite programs" (rules)
how do we enter rules?
|: theory(file).looks for a file named file.simp
|: theory('file.simp').or
|: assert(( rule )).adds the rule at the end of the current list of
rules
playing with simplifyindigo 301 % simplify
Version 1.4.2SWI, January 6, 2007
|:x > 0 implies a+a=a*2.
x>0 implies a+a=a*2 ->>
0<x implies a+a=a*2
Can we simplify further? try using a theory? trace ?
review: use simplify to do calculations on abstract
datatypes - symbolically we represent everything by expressions
(terms) — not objects• example: calculate on stacks, using expressions to
represent the stack objects evaluation of expressions is symbolic
• hence general: X-X ->> 0 means that X-X = 0 for all (symbolic) values of X.
conditional rules conditional rules evaluate relations and
numerical expressions• left ->> right :- condition applies if condition can be shown to
simplify to true,• X > Y ->> true :- X > Y.
condition is true if X, Y are numbers and X is less than Y.• conditional rules use a built-in evaluator, assigned, to
evaluate functions in numerical expressions
• type information such as integer(X)can be used in a conditional rule.
conditional example
|:assert((M*N ->> Product :- Product assigned M*N)).
|: 2*3.
2*3 ->>
6
Check use of assigned in /cs/course/3341/arithmetic.simp.
developing rules to get a proof
exercise 4.1• |:(a + b = b + a) implies a < b < a ->>
false
• find a general rule to complete the proof.
• (replace arithmetic variables (lower-case) with pattern (upper-case) variables)
exercise 4.3, page 12.|: assert((0*X ->> 0)).
|: x*y*0.
x*y*0 ->>
0|: x*0*y.
x*y*0 ->>
0 reconstruct the rules which achieve the simplifications in Sec.
4.4
4.4
|:2*q+q*((a+8-a)-7) + q.
2*q+q* (8-7)+q
2*q+q*1+q
2*q+q+q
2*q+q*2
q*4
2*q+q* (a+8-a-7)+q ->>
q*4
Ch. 5.1: abstract data types now have the tools for verifying some algebraic
calculations given the right theory file , we can do symbolic
calculation on abstract datatypes ADTs are characterized by interrelated
equations "if it quacks like a duck . . ."
Leibnitz law ?
start with stacks
push makes a new stack out of a stack argument and a data item
pop makes a new smaller stack from a stack argument top extracts a data item from a stack
• stacks are actually isomorphic to a simple kind of list• (CONS X List) = add X to the front of List = push X on the stack List
• specific stacks (constants) represented by expressions using push• example: push(z, push(b, nil))• push is the constructor for this datatype.
treat these as functors of terms• push(data, stack)
stack computers
examples: HP calculators
a stack computer will have stack operations or functions defined from push, pop, and top
languages: Forth, Factor Java VM -- see exercise 5.3
examples on p. 49
verification scenario:
evaluate an ADT expression context: ADT defined by axioms in the form of identitiesmethod: input ADT axioms and definitions to the simplify
tool in the form of simplification rules; input an expression to be checked and see if it simplifies to the expected result.
background: mathematical simplification rules. The correctness of the evaluation is relative to the assumed correctness of the simplification rules and the correctness
of the ADT axioms and definitions.
stack calculations
stack function definitions are equations, turn them into rewrite rules and use them to do
symbolic calculation on stacks definitions of plus, times, etc. describe a
stack-based arithmetic calculator
unspecified implementation
Example: over(S) = push(top(pop(S)), S) What does over(S) do?
does it really work by popping S, and pushing the top element of this new stack onto the original S?
implementation is not specified (that's why the datatype is abstract)
what happens if we do an illegal operation?e. g. pop(pop(push(a, nil)))
can we use simplify to detect illegal operations?
a very simple verification scenario
prove (by symbolic calculation) that a certain sequence of operations on an abstract datatype computes a particular mathematical function.
doubling example: • |: theory('stack.simp').• |: plus(dup(push(a, nil))).
• plus(dup(push(a,nil))) ->>• push(a+a,nil)
correctness relies on correctness?
correctness of our verification scenario for expression evaluation rests on correctness of theory files
• doesn't this invalidate the whole idea of verification?
No, theory (.simp) files are general • should be highly re-usable• theories become quickly "bug-free"
• much easier to check than code
• evolve through use to become more comprehensive
verifying a Java stack machine program
what does [Ingram, 1997] refer to? what does the manual tell you about a
bytecode?pop=87 Stack: ..., VAL -> ...
pop2=88 Stack: ..., VAL1, VAL2 -> ...
dup=89 Stack: ..., V -> ..., V, V
what would a verification scenario for the JVM look like?
JVM scenario title: verify JVM bytecode sequence method: input bytecode definitions as rewrite rules,
input bytecode sequence, perhaps as a list [. . , . . . . . ] and initial stack (as an expression) to simplify
confirm the simplification yields desired result.
background: stack axioms, stack operation definitions, and perhaps theorems; additional rewrite rules for processing a list (see Forth exercise)
queues
a new ADT: queues
Exercise 5.3 -- (a) and (b)