VIDE Integrated Environment for Development and Verification of

  • Slides: 27
Download presentation
VIDE Integrated Environment for Development and Verification of Programs

VIDE Integrated Environment for Development and Verification of Programs

Program Correctness • Programs; in a general sense: – statements, expressions, procedures and functions,

Program Correctness • Programs; in a general sense: – statements, expressions, procedures and functions, modules, classes, etc. ; • Specifications; in a general sense: – properties that programs should satisfy • • type-correctness absence of common errors full functional correctness performance properties • Ways of establishing that a program satisfies a specification.

Programs and Specifications • • Flowcharts and inductive assertions (Floyd) While-programs and pre-/post-conditions (Hoare/Dijkstra)

Programs and Specifications • • Flowcharts and inductive assertions (Floyd) While-programs and pre-/post-conditions (Hoare/Dijkstra) Cyclic/reactive programs and intermittent assertions Concurrent programs – safety (deadlock freedom, mutual exclusion) – liveness (termination, non-starvation) • Functional programs and predicates • Lambda terms and types • Logic programs And many more …

Correctness Problems Main correctness problems: • Synthesis: Given a specification S, make a program

Correctness Problems Main correctness problems: • Synthesis: Given a specification S, make a program P satisfying S. • Analysis: Given a program P, find a specification S satisfied by P. • Verification: Given a program P and a specification S, prove that P satisfies S. • Construction: Given a specification S, make a program P according to a method that guarantees that P satisfies S.

Some Approaches and Methods • Decomposition: Given a specification S, decompose it into one

Some Approaches and Methods • Decomposition: Given a specification S, decompose it into one or more sub-specifications S 1, … , Sn • Composition: Given a specification S and subprograms P 1, …, Pn satisfying specifications S 1, …, Sn respectively, compose P 1, …, Pn to a program P satisfying S. • Transformation: Given a program P satisfying a specification S, transform P into a "better" program P 0 by means of correctness preserving transformations. • Refinement: This is usually divided into – Refinement of specification: Given a specification S, construct a more restrictive specification S 0. – Refinement of code: Given a program P satisfying a specification S, construct a more restrictive program P 0 (also satisfying S). – Refinement of data: Given a program P operating on data D, construct an equivalent program P 0 operating on more concrete data D 0. • Correction: Given a specification S and a program P not satisfying S, find a program P 0 which is "close" to P and which satisfies S. • Extraction: Given a specification S and a constructive proof that S can be satisfied, extract a program P (the "witness") from the proof.

Hoare/Dijkstra Small imperative programs S : : = skip x : = E S

Hoare/Dijkstra Small imperative programs S : : = skip x : = E S 1 ; S 2 if B then S 1 else S 2 fi while B do S od

Hoare logic (SKIP) {P} S {P} (ASSN) {Px. E} x : = E {Q}

Hoare logic (SKIP) {P} S {P} (ASSN) {Px. E} x : = E {Q} (SEQ) {P} S 1 {R} S 2 {Q} {P} S 1; S 2 {Q} (IF) {P⋀B} S 1 {Q} {P ⋀ ¬ B} S 2 {Q} {P} if B then S 1 else S 2 fi {Q} (WHILE) {P ⋀ B} S {P} while B do S od {P ⋀ ¬ B} (CONS) P ⇒ P 1 {P 1} S {Q 1} Q 1 ⇒ Q {P} S {Q}

Correctness problems, related to Hoare logic • Synthesis – Given P and Q, make

Correctness problems, related to Hoare logic • Synthesis – Given P and Q, make an S such that {P} S {Q} • Analysis – Given S, find P and Q such that {P} S {Q} • Verification – Given S, P and Q, check whether {P} S {Q} • Construction – Given P and Q, construct S and proof such that {P} S {Q} • …

Example of Analysis Problem Given the following program, determine P and Q: |[ con

Example of Analysis Problem Given the following program, determine P and Q: |[ con N: nat, var f: nat | {P} |[ var i: nat | i, f : = 0, 1; while i ≠ N do f : = f * (i + 1); i : = i+1 od ]| {Q} ]|

Example of Verification Problem Given the following partially annotated program, check whether it satisfies

Example of Verification Problem Given the following partially annotated program, check whether it satisfies its specification. |[ con N: nat, var f: nat | {true} |[ var i: nat | i, f : = 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do f : = f * (i + 1); i : = i+1 od ]| {f = N!} ]|

Example of Program Construction Given the following program specification, construct a program on the

Example of Program Construction Given the following program specification, construct a program on the red dots. |[ con N: nat, var f: nat | {true} • • • {f = N!} ]|

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ con N: nat, var f: nat • • • {f = N!} ]|

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} |[ con N: nat, var f: nat |[ var i: nat; • • • {f = N!} ]|

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} |[ con N: nat, var f: nat |[ var i: nat; • • • {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} • • • {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} • • • {f = N!} ]|

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} |[ con N: nat, var f: nat |[ var i: nat; • • • {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} • • • {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| (Note 2) = • • • : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N!

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} • • • {(0 ≤ N) ⋀ 1 = 0!} i, f : = 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} |[ con N: nat, var f: nat |[ var i: nat; • • • {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| (Note 2) = • • • : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N!

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} (Note 0) {(0 ≤ N) ⋀ 1 = 0!} i, f : = 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} |[ con N: nat, var f: nat |[ var i: nat; (Note 0) = • • • : true ⇒ (0 ≤ N) ⋀ 1 = 0! • • • {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| (Note 2) = • • • : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N!

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[

Annotated Program Verification Conditions |[ con N: nat, var f: nat | {true} |[ var i: nat | {true} (Note 0) {(0 ≤ N) ⋀ 1 = 0!} i, f : = 0, 1; {(0 ≤ i ≤ N) ⋀ f = i!} while i ≠ N do {i ≠ N ⋀ (0 ≤ i ≤ N) ⋀ f = i!} |[ con N: nat, var f: nat |[ var i: nat; • • • { (0 <= i + 1 <= N) ⋀ f = (i+1)!} i : = i+1 {(0 <= i <= N) ⋀ f = i!} od {(0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N)} (Note 2) {f = N!} ]| (Note 0) = • • • : true ⇒ (0 ≤ N) ⋀ 1 = 0! (Note 2) = • • • : (0 <= i <= N) ⋀ f = i! ⋀ ¬ (i ≠ N) ⇒ f = N!

IDE (Integrated Development Environment) • Helps in constructing and analyzing source code • Maintains

IDE (Integrated Development Environment) • Helps in constructing and analyzing source code • Maintains consistency in various stages of development • Integrates several development tools, e. g. : – – – – language specific code editor type checking / code completion during editing compiler debugger / monitor of execution browser for properties of procedures / classes /. . . make/build facilities project manager. . . • IDE supports several development modes, but does not enforce them. • Extensible using plug ins

VIDE (Verifying IDE) • Helps in constructing and analyzing code that satisfies specifications •

VIDE (Verifying IDE) • Helps in constructing and analyzing code that satisfies specifications • Maintains consistency between code and specifications in various stages of development • Integrates several development and verification tools: – Some which are also offered by a normal IDE, e. g. : editor, compiler – Some which reappear in a more general form, e. g. : type checker, browser, . . . – Some specific for verification: • • • verification condition generator, runtime assertion checker, proof assistant, automatic prover, invariant generator, . . . • VIDE supports several development and verification modes, but does not enforce them • Extensible using plug-ins

Some Scenarios Level: single block of code • Given P and Q, construct S

Some Scenarios Level: single block of code • Given P and Q, construct S such that {P}S{Q} holds: – plain coding, runtime checking of P and Q – informal stepwise refinement, intermediate assertions, runtime assertion checking (“Eiffel style”) – plain coding, intermediate assertions, post hoc verification (“Perfect Developer style”) – formal stepwise refinement with complete formal verification ("Cocktail style") • Formal development with congruence and refinement calculi • Sandbox execution – monitor values of variables – check whether assertions hold • Invariant reconstruction

Required machinery • Program editor(s) – text, structure, hybrid, (also for specs), … •

Required machinery • Program editor(s) – text, structure, hybrid, (also for specs), … • Language tooling – scanning, parsing, tree building, annotation, flattening, . . . • Context manager – available definitions, assumptions, theories, . . . • Verification tools – verification condition generator, proof assistant, automatic prover, . . .

Existing Tools • Cocktail • PD Perfect Developer (Demo) • …

Existing Tools • Cocktail • PD Perfect Developer (Demo) • …

Research problems • Architecture of a VIDE – Independent but cooperating tools? – Closely

Research problems • Architecture of a VIDE – Independent but cooperating tools? – Closely integrated components? • Integrated language – What kind of program constructs? – What kind of specification constructs? – What kind of logic? • Context management – Theory – Tools • Development styles and methods