Software Specification: Formal Reasoning with Hoare Logic (cont.)

Software Specification, MEIC @ IST, 2019/20

jff

### At the end of this session, you should be able to: - Explain the difference between forward and backward reasoning - Define a _forward axiom_ for assignment - Discuss how *Hoare Logic* enables program calculation - _Calculate_ simple programs from their specification

## A brief review of last session...

Decorated Programs

Doing proofs in Hoare Logic can feel overly verbose
Decorating programs is a way to informally write down a Hoare Logic proof
- The idea is to insert assertions between every construct that makes the program. For example:

$$ \scriptsize \begin{array}{c} \{ x = 0 \}\\ x := x+1; \\ \{ x = 1 \} \\ x := x+2; \\ \{ x = 3 \} \end{array} $$

Decorated Programs: Skip and Assignment

Skip $$ \scriptsize \begin{array}{c} \{P\}\\ \skipcmd\\ \{P\} \end{array} $$

Assignment $$ \scriptsize \begin{array}{c} \{\subst{Q}{x}{E}\} \\ x := E \\ \{Q\} \end{array} $$

Decorated Programs: Sequential Composition and While loops

Sequential Composition $$ \scriptsize \begin{array}{c} \{P\}\\ C1; \\ \{Q\} \\ C2 \\ \{R\} \end{array} $$

While loops $$ \scriptsize \begin{array}{l} \{P\}\\ \texttt{while}\,\,b\,\,\texttt{do} \\ ~~~~\{P\wedge b\} \\ ~~~~C \\ ~~~~\{P\} \\ \{P\wedge\neg{b}\} \end{array} $$

Decorated Programs: Conditionals and Consequence rules

Conditionals $$ \tiny \begin{array}{l} \{P\} \\ \texttt{if}\,\,b\,\,\texttt{then} \\ ~~~~\{P\wedge b\} \\ ~~~~C1 \\ ~~~~\{Q\}\\ \texttt{else}\\ ~~~~\{P\wedge\neg{b}\} \\ ~~~~C2 \\ ~~~~\{Q\}\\ \{Q\}\\ \end{array} $$

Consequence rules $$ \tiny \begin{array}{l} \{P\}\,\,\rightarrow \\ \{Q\} \end{array} $$

Example: A decorated program

$$ \tiny \begin{array}{l} \{true\} \\ \texttt{if}\,\,x=0\,\,\texttt{then} \\ ~~~~\{true \wedge x=0\}~~\rightarrow \\ ~~~~\{x\le 2\}\\ ~~~~y := 2 \\ ~~~~\{x\le y\}\\ \texttt{else}\\ ~~~~\{true \wedge \neg{(x=0)}\}~~\rightarrow \\ ~~~~\{x\le x+1\}\\ ~~~~y := x+1 \\ ~~~~\{x\le y\}\\ \{x\le y\}\\ \end{array} $$

Verify the following program by decorating it:

$$ \scriptsize \begin{array}{l} \{ x=m \wedge y=n \wedge 0\leq n \}\\ \texttt{while}\,\,0\lt y\,\,\texttt{do \{} \\ ~~~ x := x+1; \\ ~~~ y := y-1 \\ \texttt{\}}\\ \{ x = m+n \} \end{array} $$

Verify the following program by decorating it:

$$ \scriptsize \begin{array}{l} \{ 0\lt M \,\wedge\, 0\lt N\}\\ x:=M;\,\,y:=N;\\ \texttt{while}\,\,x\neq y\,\,\texttt{do \{} \\ ~~~ \texttt{if}\,\,\,x\lt y\,\,\,\texttt{then} \\ ~~~~~~~~~ y := y-x; \\ ~~~ \texttt{else} \\ ~~~~~~~~~ x := x-y; \\ \texttt{\}}\\ \{ x = y = GCD(M,N) \} \end{array} $$

Invariants

To reason about loops, we need to identify loop invariants, which might be difficult!
For example, $\scriptsize j\ge 1$ is an invariant of the loop: $$\scriptsize i:=1;\,j:=1;\,\whileloop{i\lt n}{j:=j{+}i;\,i:=i{+}1}$$ but we cannot prove $$\scriptsize \ht{j\ge 1 \,\wedge\, i\lt n}{j:=j{+}i;\,i:=i{+}1}{j\ge 1}$$
We need to strengthen the invariant: $\scriptsize j\ge 1 \,\wedge\, i\ge 1$

Invariant-Based Programming

When developing algorithms, it might help to formulate an invariant first and then use it to guide all other steps.

This is the standard practice in formal program derivation.

Forward Reasoning

Suppose we initially know (or assume) that $w > 0$

// w > 0
x := 17;
// w > 0 and x = 17
y := 42;
// w > 0 and x = 17 and y = 42
z := w + x + y
// w > 0 and x = 17 and y = 42 and z > 59

Then we can deduce a few facts about the resulting state (e.g. $z > 59$)

Backward Reasoning

Suppose we want $z < 0$ at the end

// w + 17 + 42 < 0
x := 17;
// w + x + 42 < 0
y := 42;
// w + x + y < 0
z := w + x + y
// z < 0

Then the initial state must satisfy $w < -59$

Side Note: Forward Assignment

Note that the Assignment Axiom that we introduce works backwards: $$ \izero{Asgn}{\ht{\subst{Q}{x}{E}}{x:=E}{Q}} $$
This naturally raises the question: how could we formulate a forward version of this axiom?

Side Note: Forward Assignment

Based on our examples, perhaps the following can be used? $$ \izero{AgFw}{\ht{P}{x:=E}{P \,\wedge\, x=E}} $$
Example: $\scriptsize\ht{w > 0}{x:=17}{w>0 \wedge x=17}$
No! Example: $\scriptsize\ht{w > 0}{x:=x+1}{w>0 \wedge x=x+1}$

Side Note: Forward Assignment

What about the following rule? $$ \izero{AgFw}{\ht{P}{x:=E}{\subst{P}{x}{E}}} $$
No! Example: $\scriptsize\ht{x=0}{x:=1}{1=0}$
It's easy to check that if we use $\subst{P}{E}{x}$, similar problems arise.

Side Note: Forward Assignment

We can use the following rule, due to Floyd: $$ \izero{AgFw}{\ht{P}{x:=E}{\exists v \cdot x=\subst{E}{x}{v} \wedge \subst{P}{x}{v}}} $$
Example: $\scriptsize\ht{x=0}{x:=1}{\exists v \cdot x=1 \wedge v=0}$
Backward and forward rules are equivalent, but it is more difficult to use the forward rule (we have to find the variable $v$).

Side Note: Forward Assignment

The previous discussion shows that it is easy to have wrong intuitions about the assignment axiom.
This shows the importance of having a rigorous means of establishing the validity of axioms and rules.
We can define a formal semantics for our language and then prove that the axioms and rules are sound.

Formal Semantics

In this course, we won't study the topic of formal semantics in detail.

This is done, for example, in the MSc course Programming Languages.

Forward vs Backward Reasoning

Forward Reasoning is more intuitive for most people
- Helps in understanding what follows from initial assumptions
- Useful for ensuring that an invariant is mantained
- However, it might introduce irrelevant facts
Backward Reasoning is usually more helpful
- Helps in understanding what should happen
- Crucial in Program Derivation!

Program Derivation

Usually, in practice, we start with a specification of what we need to implement
- Example: "develop an algorithm that sorts an array of integers"
The axioms and rules of Hoare Logic can help us guide the development process.
- Edsger W. Dijkstra was one of the pioneers of formal program derivation (aka program calculation)

First example: Multiple Assignments

Calculate non-zero $A$ and $B$ such that: $$\scriptsize\ht{x+y=M}{x,y := x+A,y+B}{x+y=M}$$
Using the assignment axiom, we have $$\scriptsize\ht{(x+A)+(y+B)=M}{x,y := x+A,y+B}{x+y=M}$$
We thus need to calculate non-zero $A$ and $B$ such that $\,\,\,\,\,\scriptsize x+y=M \,\,\rightarrow\,\,(x+A)+(y+B)=M$

First example: Multiple Assignments

We thus need to calculate non-zero $A$ and $B$ such that $\,\,\,\,\,\scriptsize x+y=M \,\,\rightarrow\,\,(x+A)+(y+B)=M$
A possible calculation is: $$\scriptsize \begin{array}{llr} & (x+A)+(y+B)=M &\\ = & (x+y)+(A+B)=M & \textrm{(associativity)}\\ = & M +(A+B)=M & \textrm{(assumption $x+y=M$)}\\ = & A+B = 0 & \textrm{(arithmetic)}\\ \leftarrow & A=1 \wedge B=-1 & \textrm{(strengthening)}\\ \end{array} $$

First example: Multiple Assignments

We thus have: $$\scriptsize\ht{x+y=M}{x,y := x+1,y-1}{x+y=M}$$
We could have made other choices for $A$ and $B$, but the main point is that we did not guess what the assignments would be: instead, we calculated them.

A useful programming technique

Suppose that we want to develop an algorithm that establishes $P \wedge Q$. One way achieving this is to find some command $C$ such that: $$ \ht{P}{\whileloop{\neg{Q}}{C}}{P \wedge Q} $$
In words: we choose one of the conjuncts for the loop invariant and the negation of the other for the loop condition.

Smaller problem

The problem is now reduced to the development of some $C$ that satisfies: $$\ht{P \wedge \neg{Q}}{C}{P}$$

Exercise (Integer Division)

Calculate an algorithm that takes two positive numbers $A$ and $B$ and computes $A \div B$ (quotient) and $A \bmod B$ (remainder).

Obviously, we assume that these operators are not available in our language. Let's assume we only have addition and subtraction available.

(PDF slides with incremental solution)

Exercise (Exponentiation)

Calculate an algorithm that takes two natural numbers $A$ and $B$ and computes $A^B$. More formally:

$$ \ht{A\ge 0 \,\,\wedge\,\, B\ge 0}{\,\,\textrm{Compute $r$}\,\,}{r = A^B} $$

Your algorithm should use addition and multiplication.

Hoare Logic in verification tools

The general approach for Hoare-style formal verification:

A programmer annotates source code
A tool analyses the code and attempts to show that all the assertions given can be derived using the rules of Hoare Logic
The tool may be able to do this unassisted
If not, it emits verification conditions, purely logical assertions that need to be checked
These may be passed on to an automated theorem prover, or some other decision procedure
In extreme cases verification conditions may not be solved automatically and require interactive theorem proving by an expert or the provision of extra hints

Mechanised Verification

This is what we will explore in more detail in the next few sessions. The tool we will use is Dafny.

Take Away Messages

Hoare Logic is a formalism to prove program correctness. It combines two beautiful ideas:
- a natural way of writing down specifications of programs
- a compositional proof technique for proving that programs are correct with respect to such specifications
The focus of this part of the course is program verification
- We now have a better idea of how we can put into practice Hoare Logic (and the methodology Design by Contract)
- We will follow a pragmatic approach, using the tool Dafny

### After this session, you should now be able to: - Explain the difference between forward and backward reasoning - Define a _forward axiom_ for assignment - Discuss how *Hoare Logic* enables program calculation - _Calculate_ simple programs from their specification

## Next time... - We will start studying Dafny - The goal is to discuss the central concepts using case studies - I recommend you to bring a laptop to the lectures, so that we can have practical and interactive sessions

Credits

These slides use the framework reveal.js and were produced using vim and Ubuntu.
Some slides and examples are based on material available online by Ian Sommerville, Vasco T. Vasconcelos, Ian Stark, and Simão Melo de Sousa.