Page 1
Program Verification -- new recipe for old problem
Zhou Chaochen
Institute of Software, CAS
Page 2
Computer Science
• Computing System – Millions of simple instructions
  Bio System – DNA (A,T,G,C)
  Manufacturing vs Evolving
• Fundamental Issues
  # Computability and Solvability
  # Algorithm Design and Analysis
  # Programming Methodology: Correctness, etc
Page 3
Program Correctness
• Test: Debug vs Prove
• Verification: Proof and Model Checking
• Transformation: Curry-Howard Isomorphism, Intuitionistic Logic, …
Page 4
Assertion
• Programming Language – Artificial Language
  Assignment: x:=x-1
              x:=e
  Loop: while x>0 do x:=x-1
        while B do S
  Sequential Composition: S1;S2
  …
Page 5
• Intrinsic Logic
  Assignment: P(e){x:=e}P(x)
              x-1>0{x:=x-1}x>0
  P(e) – Pre-Condition
  P(x) – Post-Condition
Page 6
  Loop: If B&I{S}I
        then I{while B do S}I&~B
  Due to x>0&x>=0{x:=x-1}x>=0
  hence x>=0{while x>0 do x:=x-1}x>=0&~(x>0)
  i.e. x>=0{while x>0 do x:=x-1}x=0
  I – Invariant
Page 7
  Sequential Composition: If P{S1}Q1, Q1=>Q2 and Q2{S2}Q, then P{S1;S2}Q
  …
  Pre, Post, Inv -- Assertion
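The three rules on the preceding slides (assignment axiom, loop rule, sequential composition) can be mechanised as a small verification-condition generator. The following is an added example written for this transcript, not code from the slides or from Hoare's or Floyd's papers: assertions are Python expression strings, the assignment axiom P(e){x:=e}P(x) is implemented as substitution of e for x in the postcondition, and the implications produced by the loop rule are checked exhaustively over a bounded integer range (a sanity check on the obligations, not a proof over all integers). The statement encoding ("assign", "seq", "while") and the bound of -20..20 are assumptions of this example; ast.unparse requires Python 3.9 or later.

```python
# Added example (not from the slides): Hoare-style verification conditions for a
# tiny while-language, with assertions written as Python expression strings.
# The assignment axiom P(e){x:=e}P(x) is implemented as literal substitution of
# e for x in the postcondition (the weakest precondition), and the loop rule
# B&I{S}I  =>  I{while B do S}I&~B is turned into two implications that are
# checked exhaustively over a bounded integer domain (a sanity check, not a proof).
import ast
import itertools

def substitute(assertion: str, var: str, expr: str) -> str:
    """Return assertion[expr/var]: every occurrence of variable `var`
    in `assertion` replaced by the expression `expr` (the assignment axiom)."""
    replacement = ast.parse(expr, mode="eval").body

    class Subst(ast.NodeTransformer):
        def visit_Name(self, node):
            return replacement if node.id == var else node

    tree = Subst().visit(ast.parse(assertion, mode="eval"))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)

def wp(stmt, post: str) -> str:
    """Weakest precondition of a statement for postcondition `post`.
    Statements: ("assign", x, e), ("seq", s1, s2), ("while", B, I, body)."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        return substitute(post, var, expr)
    if kind == "seq":
        _, s1, s2 = stmt
        return wp(s1, wp(s2, post))       # P{S1}Q1 and Q1{S2}Q give P{S1;S2}Q
    if kind == "while":
        _, _guard, inv, _body = stmt
        return inv                        # the loop rule: I is the precondition
    raise ValueError(kind)

def side_conditions(stmt, post: str):
    """Implications (hyp, concl) that a loop adds: B&I => wp(S, I)
    (invariant preserved by the body) and I&~B => post (loop exit)."""
    kind = stmt[0]
    if kind == "while":
        _, guard, inv, body = stmt
        return ([(f"({guard}) and ({inv})", wp(body, inv)),
                 (f"({inv}) and not ({guard})", post)]
                + side_conditions(body, inv))
    if kind == "seq":
        _, s1, s2 = stmt
        return side_conditions(s1, wp(s2, post)) + side_conditions(s2, post)
    return []

def holds(hyp: str, concl: str, variables, lo=-20, hi=20) -> bool:
    """Check hyp => concl for every assignment of the variables in [lo, hi]
    (bounded check; assumed range is an example parameter)."""
    for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, values))
        if eval(hyp, {}, env) and not eval(concl, {}, env):
            return False
    return True

def verify(stmt, pre: str, post: str, variables) -> bool:
    """Hoare triple pre{stmt}post: pre => wp(stmt, post) plus all loop obligations."""
    obligations = [(pre, wp(stmt, post))] + side_conditions(stmt, post)
    return all(holds(h, c, variables) for h, c in obligations)

# The slides' loop: x>=0 {while x>0 do x:=x-1} x=0 with invariant x>=0.
COUNTDOWN = ("while", "x > 0", "x >= 0", ("assign", "x", "x - 1"))
# Sequential composition: x=2 {x:=x+1; y:=x*2} y=6.
SEQ = ("seq", ("assign", "x", "x + 1"), ("assign", "y", "x * 2"))

if __name__ == "__main__":
    print(substitute("x > 0", "x", "x - 1"))          # the x-1>0{x:=x-1}x>0 instance
    print(verify(COUNTDOWN, "x >= 0", "x == 0", ["x"]))
    print(verify(SEQ, "x == 2", "y == 6", ["x", "y"]))
```

Trying the same loop with the invariant `x > 0` makes `verify` fail on the preservation obligation at x=1, and asking for the postcondition `x == 1` makes the exit obligation fail at x=0, which is the usual way such a checker tells the user that either the invariant or the specification is wrong.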
Page 8
Program Verification
• Partial Correctness
  x>=0 {FAC} y=x!
  If FAC terminates, then …
  Safety
• Total Correctness
  Termination plus Partial Correctness
  Liveness (deadlock free, livelock free,…)
Page 9
Floyd Assertion & Hoare Logic
• Robert Floyd: 1978 Turing Award Laureate. 1967 Assigning Meanings to Programs. Inductive Assertion Method: Pre- and Post-Assertion
• Tony Hoare: 1980 Turing Award Laureate. 1969 An Axiomatic Basis for Computer Programming. Hoare Logic: Pre- and Post-Condition, Invariant
Page 10
Assertion at Microsoft
• Microsoft Office: 250k assertions (ASSERT macro)
• Test: Dump instead of Crash (over half effort)
• Simplifying Assumption: for the next version (Overflow,…)
• Compile Time Check (Size,…) etc
• Microsoft Windows: over 1000 different assertion macros
• Bill Gates: Trustworthy Computing
Page 11
Verifying Compiler
• A compiler which verifies the correctness of programs: a major challenge of Computer Science in the 21st Century
• Include assertions into programming languages (Eiffel, JML,…)
• Improve program analysis tools in Industry (PREfix,…)
• Joint contributions from different mechanised proof technologies: a vast project unprecedented in Computer Science Academy
• Legacy and Open Source Movement
• IFIP workshop in 2005: Hoare and Misra, Shankar (He Jifeng, Zhang Jian,…) et al
Page 12
Software Model Checking
• Given an infinite value domain, a program is an infinite state system
• Finite State Machine: BDD, CTL, 10^(100), …
• Real Time System: Infinite State Machine
Page 13
Infinite State Model Checking
• Reduction to Finite State System: Regional Graph (?)
• Reduction to Linear Programming, Integer and Mixed Programming, (Zhou, Zhang, Yang and Kesten, Pnueli, Sifakis, Yovine)…
Real Algebra (Tarski, Wu, Zhang, Yang, …)
• Relation between the above two?
Page 14
Reduction to Linear Programming
• Timed Automaton
  GBf (>=30)
  r (<=1)
  Over any interval greater than or equal to 60, bad states occupy no more than 20% of the interval
Page 15
• A timed behaviour (f,t1),(r,t2),(f,t3) with t1>=30, 0<=t2<=1, t3>=30
• Linear Programming Problem
  Constraints: t1>=30, 0<=t2<=1, t3>=30 and t1+t2+t3>=60
  Objective function: 20*t2-(t1+t2+t3)
• Reduce infinitely many behaviours to finitely many
Page 16
Program Termination
• Ashish Tiwari, SRI (CAV 2004, LNCS 3114)
• Undecidable in general
• Linear Program: while (B*x>b) do x:=A*x+c
  A,B – real matrices, x,b,c – real vectors
• The termination problem for linear programs is decidable
Page 17
• P: while c*x>0 do x:=A*x
• Intuition: If v is an eigenvector of A with positive eigenvalue e, then A*v=e*v by definition, and A^n*v=e^n*v, so c*A^n*v=c*e^n*v=e^n*c*v. Hence c*A^n*v has the same sign as c*v, as e>0
• P is not terminating with input x=v, where c*v>0
Page 18
• Theorem: If P is not terminating then there exists a real eigenvector v of A, corresponding to a positive eigenvalue, such that c*v>=0
  Proof: If nonterminating, NT is not empty, where NT={x : c*A^i*x>0, i=0,1,…}. Let NT' = NT + Boundary. NT' is closed under A. Applying Brouwer's fixed point theorem, there exists an eigenvector v of A in NT'.
Page 19
• Change into c*v>0
• Add more conditions to have necessary and sufficient conclusion
• Generalise to general linear program
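The eigenvector intuition on the previous slides, worked for 2x2 real matrices, as an added example written for this transcript (not code from the slides or from Tiwari's paper): `nonterminating_input` looks for a real eigenvector v with positive eigenvalue and c*v>0 (the strengthened condition on the slide above), which by the argument c*A^n*v = e^n*c*v > 0 is an input on which P loops forever; `run_loop` executes P for a bounded number of steps and is only bounded evidence, never a termination proof. Restricting to 2x2 matrices, the closed-form eigen-decomposition and the step limit are assumptions of the example.

```python
# Added example (not from the slides or Tiwari's paper): the eigenvector argument
# for P: while c*x>0 do x:=A*x, worked for 2x2 real matrices in plain Python.
# If v is a real eigenvector of A for a positive eigenvalue e and c*v>0, then
# c*A^n*v = e^n*c*v > 0 for every n, so P never terminates on input v.
import math

def eigenpairs_2x2(A):
    """Real (eigenvalue, eigenvector) pairs of a 2x2 matrix; empty if the
    eigenvalues are complex (closed-form via the characteristic polynomial)."""
    (a11, a12), (a21, a22) = A
    tr, det = a11 + a22, a11 * a22 - a12 * a21
    disc = tr * tr - 4 * det
    if disc < 0:
        return []
    roots = {(tr + math.sqrt(disc)) / 2, (tr - math.sqrt(disc)) / 2}
    pairs = []
    for lam in sorted(roots, reverse=True):
        if a12 != 0:
            v = (a12, lam - a11)                      # first row of (A - lam*I)v = 0
        elif a21 != 0:
            v = (lam - a22, a21)                      # second row of (A - lam*I)v = 0
        else:
            v = (1.0, 0.0) if lam == a11 else (0.0, 1.0)   # A is diagonal
        pairs.append((lam, v))
    return pairs

def matvec(A, x):
    return tuple(sum(A[i][j] * x[j] for j in range(2)) for i in range(2))

def dot(c, x):
    return sum(ci * xi for ci, xi in zip(c, x))

def nonterminating_input(A, c):
    """Return an input v on which P provably loops forever (positive
    eigenvalue and c*v>0; both v and -v are tried), or None if the
    eigenvector test finds no such witness."""
    for lam, v in eigenpairs_2x2(A):
        if lam <= 0:
            continue
        for w in (v, tuple(-vi for vi in v)):
            if dot(c, w) > 0:
                return w
    return None

def run_loop(A, c, x, max_steps=1000):
    """Execute P from x: return the step at which the guard c*x>0 first
    fails, or None if P is still running after max_steps (bounded evidence)."""
    for step in range(max_steps):
        if not dot(c, x) > 0:
            return step
        x = matvec(A, x)
    return None

if __name__ == "__main__":
    # Constructed matrices: the first scales one axis up, the other down;
    # the second negates every vector, so c*x flips sign after one step.
    A_scale, A_neg = ((2, 0), (0, 0.5)), ((-1, 0), (0, -1))
    c = (1, 0)
    print(nonterminating_input(A_scale, c))    # (1.0, 0.0): eigenvalue 2, c*v = 1 > 0
    print(run_loop(A_scale, c, (1, 0)))        # None: guard still true after 1000 steps
    print(nonterminating_input(A_neg, c))      # None: only eigenvalue is -1
    print(run_loop(A_neg, c, (1, 0)))          # 1: x becomes (-1, 0), guard fails
```

Note that the test is one-directional as written: a None result only means that the positive-eigenvalue witness was not found for this matrix, which is the gap the theorem on the previous slide (with c*v>=0) and the "add more conditions" bullet above are about.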
Page 20
• Termination – Matrix Eigenvalue
  Stability – Matrix Eigenvalue
• Termination characterization of linear programs is more complex than stability characterization for both continuous- and discrete-time linear systems
Page 21
• As told by Yang
  Good to use off-line symbolic computation
  (Yang has developed very powerful symbolic computation tools, called Bottema and Discoverer, for real algebra, including a complete discrimination system)
• The deciding condition becomes 10^4 terms (of Dixon resultant) for 4-dimension, dozens for 3, and several for 2
Page 22
Invariant Generation
• Abstract Interpretation (P. Cousot and R. Cousot POPL77): symbolic execution until a fixed point is reached
• Linear Invariants for Linear Programs (Colon, Shankaranarayanan, Sipma CAV03): assume a linear invariant, and solve constraints (maybe nonlinear) on the coefficients of the linear invariant
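The first bullet, "symbolic execution until a fixed point is reached", on the loop from the Hoare-logic slides (while x>0 do x:=x-1), as an added example written for this transcript and not code from the slides or from the Cousot papers: the loop head is abstracted by an integer interval, each iteration runs the body once symbolically and joins the result with the entry state, widening (a bound that keeps moving jumps to infinity) forces convergence in a few steps, and one descending (narrowing) step recovers the precision widening threw away. The interval domain, the fixed widening threshold and the concrete loop are assumptions of the example.

```python
# Added example (not from the slides): interval abstract interpretation of
# while x>0 do x:=x-1 over integers. Intervals are (lo, hi) tuples, None is the
# unreachable state. The loop head is iterated until the interval stops
# changing; widening guarantees this happens after a bounded number of steps.
INF = float("inf")

def join(p, q):
    """Least upper bound of two intervals (None = unreachable/bottom)."""
    if p is None:
        return q
    if q is None:
        return p
    return (min(p[0], q[0]), max(p[1], q[1]))

def filter_gt(iv, k):
    """Restrict an integer interval to x > k (the loop guard)."""
    if iv is None:
        return None
    lo, hi = max(iv[0], k + 1), iv[1]
    return (lo, hi) if lo <= hi else None

def filter_le(iv, k):
    """Restrict an integer interval to x <= k (negated guard at loop exit)."""
    if iv is None:
        return None
    lo, hi = iv[0], min(iv[1], k)
    return (lo, hi) if lo <= hi else None

def decrement(iv):
    """Abstract effect of x := x-1."""
    if iv is None:
        return None
    return (iv[0] - 1, iv[1] - 1)

def widen(old, new):
    """Classic interval widening: a bound that moved outward escapes to infinity."""
    if old is None:
        return new
    if new is None:
        return old
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)

def analyse_countdown(x0, widen_after=3, max_iter=100):
    """Return (loop_invariant, exit_interval, iterations) for
    while x>0 do x:=x-1 when x starts in interval x0."""
    def step(X):                  # F(X) = entry state  ∪  body(X ∩ guard)
        return join(x0, decrement(filter_gt(X, 0)))

    inv = x0
    for i in range(1, max_iter + 1):
        new = step(inv)
        if i >= widen_after:      # widening threshold is an example parameter
            new = widen(inv, new)
        if new == inv:
            break
        inv = new
    else:
        raise RuntimeError("no fixed point within max_iter")
    # inv is a post-fixpoint (F(inv) ⊆ inv), so F(inv) is again an invariant:
    # one narrowing step undoes the loss of precision caused by widening.
    inv = step(inv)
    return inv, filter_le(inv, 0), i

if __name__ == "__main__":
    # x>=0 on entry gives the slides' invariant x>=0 and exit state x=0.
    print(analyse_countdown((0, INF)))       # ((0, inf), (0, 0), 1)
    # A concrete start value converges after widening plus one narrowing step.
    print(analyse_countdown((1000, 1000)))   # ((0, 1000), (0, 0), 4)
```

Without widening the second call would need a thousand iterations to reach the same fixed point; with widening alone it would report (-inf, 1000), which is sound but useless for proving x>=0, and the single narrowing step is what brings the lower bound back to 0.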
Page 23
Reachability
• Lafferriere, Pappas and Yovine (JSC 11,2001)
• dX/dt = AX+Bu
X,B – vectors, A – matrix, u – vector (control input)
• X = F(x,u,t)
x – vector (initial value of X)
Page 24
• Reachability: state y is reachable from state x, if there exists u and t such that y=F(x,u,t)
• Reduced to real algebraic formula (under certain conditions)
• Quantifier elimination tools: REDLOG, QEPCAD
• An example of the paper impossible to resolve by REDLOG and QEPCAD alone can be done by Yang’s tools easily (as told by Yang)
Page 25
Interdisciplinary Joint Effort
• Decidability for real algebra is the most fundamental result with respect to real numbers
• Program verification is employing more mathematics, in particular real algebra
• Strong in mechanical proving: Wu, Zhang, Yang,… Beautiful tools
• Control theory much more mature than CS
• We need your support and you can help us