-
Notifications
You must be signed in to change notification settings - Fork 24
/
17-VCGen.lhs
220 lines (177 loc) · 6.77 KB
/
17-VCGen.lhs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
### CSE 230: Programming Languages
### Winter 2019
### Wednesday, March 15
##### Instructor: Ranjit Jhala
##### Scribe: Yiming Zhang
We start by looking at the loop
\begin{verbatim}
y := x
while (x != 0):
x = x - 1
y = y - 1
\end{verbatim}
Question: What is the loop invariant for this loop?
1. x = y :
this is true in each iteration and also at the end of the loop
2. What about x != 0 ?
this is not true after the last iteration when x = 1
3. What about x != -1?
what if x = -1 at the start
What is loop invariant?
It must satisfiy several requirements:
1. The loop invariant must be true at the start of the loop
2. The loop invariant must be true in any iteration
3. The loop invariant must be true after the loop
This is also illustrated by
|
(inv) |<-------------------
V |
_____ T |
______| b |________ |
| |_____| | |
F | V |
V _____ |
| c |---
|_____|
where b is the loop condition, c is the loop body, and inv is loop invariant.
--note: it is hard to compute the exact loop invariant, and 70% of PL papers after
about figuring out what the loop invariant is.
For each iteration: {inv && b} c {inv}
After the loop: {inv && not b}
Now we look at the verification condition (vc).
Given preconditon p, some command c, and post condition q, we want to generate vc
such that
\begin{verbatim}
vc valid => legit p c q
\end{verbatim}
Reminder: pre c q is a precondition such that if execute command c, we end up with q true
i.e. by our construction, we have legit (pre c q) c q
Hence, all we need is that p => (pre c q), and we can use consequence to get legit p c q
We need to somehow check the validity of side conditions.
Now we can build a verifier :
\begin{verbatim}
{-@ verify :: p:_ -> c:_ -> q:_ -> Valid (vc' p c q) -> () @-}
verify :: Assertion -> ICom -> Assertion -> Valid -> ()
verify _ _ _ _ = ()
\end{verbatim}
Consider each case:
1. for skip and assign, it is straightforward.
\begin{verbatim}
{-@ lem_skip :: p:_ -> (Legit p Skip p) @-}
lem_skip :: Assertion -> Legit
lem_skip p = \s s' (BSkip {}) -> ()
{-@ lem_asgn :: x:_ -> a:_ -> q:_ ->
Legit (bsubst x a q) (Assign x a) q
@-}
lem_asgn :: Vname -> AExp -> Assertion -> Legit
lem_asgn x a q = \s s' (BAssign {}) -> lem_bsubst x a q s
\end{verbatim}
2. for seq, we need to check
vc c1 (pre c2 q)
vc c2 q
\begin{verbatim}
{-@ lem_seq :: c1:_ -> c2:_ -> p:_ -> q:_ -> r:_
-> Legit p c1 q -> Legit q c2 r
-> Legit p (Seq c1 c2) r
@-}
lem_seq :: Com -> Com -> Assertion -> Assertion -> Assertion -> Legit -> Legit -> Legit
lem_seq c1 c2 p q r l1 l2 = \s s' (BSeq _ _ _ smid _ t1 t2) ->
l1 s smid t1 &&& l2 smid s' t2
\end{verbatim}
3. for if, we compute side condition for c1 and c2. Both must be true so we use and
\begin{verbatim}
{-@ lem_if :: b:_ -> c1:_ -> c2:_ -> p:_ -> q:_
-> Legit (bAnd p b) c1 q
-> Legit (bAnd p (Not b)) c2 q
-> Legit p (If b c1 c2) q
@-}
lem_if :: BExp -> Com -> Com -> Assertion -> Assertion -> Legit -> Legit -> Legit
lem_if b c1 c2 p q l1 l2 = \s s' bs -> case bs of
BIfF _ _ _ _ _ c2_s_s' -> l2 s s' c2_s_s'
BIfT _ _ _ _ _ c1_s_s' -> l1 s s' c1_s_s'
\end{verbatim}
4. for while, we are essentially checking i is a legitimate loop invariant
\begin{verbatim}
{-@ lem_while :: b:_ -> c:_ -> p:_
-> Legit (bAnd p b) c p
-> Legit p (While b c) (bAnd p (Not b))
@-}
lem_while :: BExp -> Com -> Assertion -> Legit -> Legit
lem_while b c p lbody s s' (BWhileF {})
= ()
lem_while b c p lbody s s' (BWhileT _ _ _ smid _ c_s_smid w_smid_s')
= lem_while b c p lbody (smid ? lbody s smid c_s_smid) s' w_smid_s'
\end{verbatim}
Let's look at some examples:
Example 1:
\begin{verbatim}
ex1 :: () -> ()
ex1 _ = verify p c q (\_ -> ())
where
p = tt -- { true }
c = IAssign "x" (N 5) -- x := 50
q = Equal (V "x") (N 5) -- { x == 5 }
\end{verbatim}
We found that
-- p => pre c q /\ vc c q
-- VC = (True => 5 = 5) /\ True
-- pre = 50 == 5
Example 2:
\begin{verbatim}
ex2 :: () -> ()
ex2 _ = verify p c q (\_ -> ())
where
p = Equal (V "x") (N 2) -- { x = 2 }
c = IAssign "x" (Plus (V "x") (N 1)) -- x := x + 1
q = Equal (V "x") (N 3) -- { x = 3 }
-- p => pre c q /\ vc c q
-- VC = (x=2 => x+1=3) /\ True
-- pre = x+1 = 3
\end{verbatim}
Example 3:
\begin{verbatim}
bx2 :: () -> ()
bx2 _ = verify p c q (\_ -> ())
where
p = (V "x" `Equal` V "a")
`bAnd` (V "y" `Equal` V "b") -- { x = a && y = b }
c = IAssign "x" (Plus (V "x") (V "y")) -- x := x + y
`ISeq` IAssign "y" (Minus (V "x") (V "y")) -- y := x - y
`ISeq` IAssign "x" (Minus (V "x") (V "y")) -- x := x - y
q = (V "x" `Equal` V "b") -- { x = b && y = a }
`bAnd` (V "y" `Equal` V "a")
-- vc' = x=a & y=b => (x+y-(x+y-y) =b && (x+y)-y=a) && true & True & true
-- pre = (x+y-(x+y-y) =b && (x+y)-y=a)
-- vc = true & true & true
\end{verbatim}
Example 4:
\begin{verbatim}
ex10 :: () -> ()
ex10 _ = verify p c q (\_ -> ())
where
p = Equal (V "x") (N 1) -- { x = 1 }
c = IWhile i (Not (Leq (V "x") (N 0))) -- WHILE (x > 0) DO
(IAssign "x" (Plus (V "x") (N 1))) -- x := x + 1
q = Equal (V "x") (N 100) -- { x = 100 }
i = undefined -- TODO: In class
-- P => I
-- {I && b} c { I }
-- I && !b => Q
-- x>0 &&& not ( x > 0 ) => Q
-- I := x > 0
\end{verbatim}
Example 5:
\begin{verbatim}
ex9 :: () -> ()
ex9 _ = verify p c q (\_ -> ())
where
p = Equal (V "x") (N 0) -- { x = 0 }
c = IWhile i (Leq (V "x") (N 0)) -- WHILE_i (x <= 0) DO
(IAssign "x" (Plus (V "x") (N 1))) -- x := x + 1
q = Equal (V "x") (N 1) -- { x = 1 }
i = bOr p (Equal (V "x") (N 1))
-- x=0 => (x=0 || x=1)
-- {(x=0 || x=1) /\ x <= 0 } x := x+1 {x=0 || x=1}
-- (x=0|| x=1) /\ x > 0 => x = 1
\end{verbatim}
--note: In final exam, we will prove soundness of vc and we will do it in two steps.