interactivetheoremproverswithinthesameframework.Additionally,thispaper - PDF document

interactivetheoremproverswithinthesameframework.Additionally,thispaperprovidesanicebenchmarkforpeopledevelopingtoolsforthevericationofCprograms;theymayconsiderreningourproofintoaproofoftheCcodeabove.Thispaperisorganizedasfollows.Section2\unobfuscates"theprogram,explainingthealgorithmanditsdata.Section3brie yintroducesWhy3,atoolwhichtakesannotatedcodeasinputandproducesvericationconditionsinthenativesyntaxofseveralexistingprovers.Section4detailsthevericationprocess,namelythelogicalannotationsinsertedintheprogramandthemethodsusedtodischargetheresultingvericationconditions.WeconcludewithadiscussioninSection5.Annotatedsourcecodeandproofsareavailableonlineathttp://why3.lri.fr/queens/.Proofscanbereplayedinabatchmode.2UnobfuscationBeforeweentertheformalvericationprocess,werstexplainthisobfuscatedCprogram.Thecodeisdividedintoarecursivefunctiont,whichtakesthreeintegersasargumentsandreturnsaninteger,andamainfunctionwhichreadsanintegerfromstandardinput,callsfunctiontandprintstheresultonstandardoutput.Withaddedtypedeclarationsandabitofindentation,functiontreadsasfollows:intt(inta,intb,intc){intd=0,e=a&~b&~c,f=1;if(a)for(f=0;d=(e-=d)&-e;f+=t(a-d,(b+d)*2,(c+d)/2));returnf;}Theassignmentd=(e-=d)&-edoesnotstrictlyconformwithANSICstandard,becauseitassumesthattheinnerassignmente-=disperformedbeforeevaluating-e.Thisisnotguaranteedandthecompilermayfreelychoosebetweenbothpossibleevaluationstrategies.ItiseasytoturnthecodeinlegalC:sincedisinitializedto0,wecansafelymoveassignmente-=dtotheendoftheloopbody.Thenwedonotneedtheinitializationd=0anymore2.Thesecondmodicationwemakeistoreplacethemainfunctionwithaqueensfunctionfrominttoint,sinceweareonlyinterestedintheintegerfunctionandnotininput-outputs.WeendupwiththecodegiveninFig.1.Ourgoalistoshowthatqueens(n)isindeedthenumberofsolutionstothen-queensproblem.Letusnowexplainthealgorithmanditsdata.Thisisabacktrackingalgo-rithmwhichllstherowsofthechessboardoneatatime.Moreprecisely,eachcalltotenumeratesallpossiblepositionsforaqueenonthecurrentrowinsidetheforloopand,foreachofthem,recursivelycallsttolltheremainingrows.Thenumberofsolutionsisaccumulatedinfandreturned.Thekeyideaistouseintegersassetsor,equivalently,asbitvectors:ibelongstothe\set"xifandonlyifthei-thbitofxisset.Accordingtothistrick,programvariablesa,b,c, 2Thisevenreducesthesizeoftheoriginalcode. q q q q q q q q q q q q q q a=111001012,a=f0;2;5;6;7gb=011010002,b=f3;5;6g q q q q q q q q q q c=000010012,c=f0;3ga&~b&~c=100001002,anbnc=f2;7gFig.3.Interpretationofvariablesa,b,andcassets.row.Initially,acontainsallpossiblepositions,thatisa=f0;1;:::;n�1g.Ifwehavefoundonesolution,abecomesempty,thenwereturn1.Otherwise,wehavetoconsiderallpossiblepositionsonthecurrentrow.Setsbandcrespectivelycontainthepositionstobeavoidedbecausetheyareonanascending(resp.descending)diagonalofaqueenonpreviousrows.Thuse=anbncpreciselycontainsthepositionstobeconsideredforthecurrentrow.Theyareallexaminedoneatatimebyrepeatedlyremovingthesmallestelementfrome,whichissettod.Thennextrowsareconsideredbyarecursivecalltotwitha,bandcbeingupdatedaccordingtothechoiceofcolumndforthecurrentrow:disremovedfromthesetofpossiblecolumns(anfdg),addedtothesetofascendingdiagonalswhichisshifted(succ(b[fdg),andsimilarlyaddedtothesetofdescendingdiagonalswhichisshiftedtheotherway(pred(c[fdg)).Thevaluesofa,bandcareillustratedinFig.3forn=8onacongurationwhere3rowsarealreadyset(columnsarenumberedfromrighttoleft,startingfrom0).3OverviewofWhy3 le.why le.mlw WhyML VCgen Why transform/translate print/run Coq Alt-Ergo CVC3 Z3etc. Why3isasetoftoolsforprogramverica-tion.Basically,itiscomposedoftwoparts,whicharedepictedtotheright:alogicallan-guagecalledWhywithaninfrastructuretotranslateittoexistingtheoremprovers;andaprogramminglanguagecalledWhyMLwithavericationconditiongenerator.ThelogicofWhy3isapolymorphicrst-orderlogicwithalgebraicdatatypesandin-ductivepredicates[5].Logicaldeclarationsareorganizedinsmallunitscalledtheories.Inthefollowing,weusetwosuchtheoriesfrom Programsareannotatedusingpre-andpostconditions,loopinvariants,andvariantstoensuretermination.Vericationconditionsarecomputedusingaweakestpreconditioncalculusandthenpassedtotheback-endofWhy3tobesenttotheoremprovers.4VericationWefocushereonthevericationofthecodeinFig.4.(ThevericationoftheoriginalCcodeinFig.1isdiscussedattheendofthispaper.)Weneedtoprovethreepropertiesregardingthiscode:itdoesnotfail,itterminates,anditindeedcomputesthenumberofsolutionstothen-queensproblem.Therstpropertyisimmediatesincethereisnodivision,noarrayaccess,oranysimilaroperationthatcouldfail.Wewillconsiderterminationlater,aspartofthevericationprocess(Sec.4.2).Letusrstfocusonthespecication.4.1SpecicationWeneedtoexpressthatthevaluereturnedbyacalltoqueensnisindeedthenumberofsolutionstothen-queensproblem.Aswehaveseen,theprogramisbuildingsolutionsonebyone.Thuswehavetoprovethatitndsallsolutions,onlysolutionsandthatitdoesnotndthesamesolutiontwice.Thereisamajordicultyhere:theprogramisnotstoringanything,noteventhecurrentsolutionbeingbuilt.Howcanwestatepropertiesaboutthesolutionsbeingfound? q q q q q q q q Onesolutionistouseghostcode,thatisadditionalcodenotparticipatinginthecomputationofthenalresultbutpotentiallyaccessingtheprogramdata.Thisghostcodewillllanarraywithallsolutions.Onesolutionisrepresentedbyanarrayofnintegers.Eachcellgivesthecolumnassignedtothequeenonthecorrespondingrow.Forinstance,thearray 5 2 4 6 0 3 1 7 correspondstothesolutionofthe8-queensproblemdisplayedtotheright.Rowsarenumberedfromtoptobottomandcolumnsfromrighttoleft|thelatterfollowstheusualconventionofdisplayingleastsignicantbitstotheright,asinFig.3.Arraysusedinghostcodedonotreallyhavetobe\true"arrays:thereisneedneitherforeciency,norforarrayboundchecking.ThuswecanmodelsucharraysusingpurelyapplicativemapsfromWhy3'sstandardlibrary.Thuswesimplydenetypesolution=mapintintWeintroduceaglobalvariablecoltorecordthecurrentsolutionundercon-struction,aswellasaglobalvariablektorecordthenextrowtobelled:valcol:refsolution(*solutionunderconstruction*)valk:refint(*nextrowinthecurrentsolution*)Thesetofallsolutionsfoundsofarisrecordedintoanotherarray.Ithastypetypesolutions=mapintsolution 0 4 7 5 2 6 1 3 0 5 7 2 6 3 1 4 0 6 3 5 7 1 4 2 0 6 4 7 1 3 5 2 1 3 5 7 2 0 6 4 ... Forinstance,therstvesolutionsforn=8aredisplayedtotheright.Todenethelexicographicorder,werstdenethepropertyfortwoarraystohaveacommonprexoflengthi:predicateeq prefix(tu:mapint)(i:int)=8k:int.0ki!t[k]=u[k]Wemakethisapolymorphicpredicate,toreuseitonbothsolutionsandarraysofsolutions.Thenitiseasytodenethelexicographicorderoversolutions:predicatelt sol(s1s2:solution)=9i:int.0in^eq prefixs1s2i^s1[i]s2[i]Finally,weintroducetwoconvenientshortcutsfortheforthcomingspecications.Equalityoftwosolutionsisdenedusingeq prefix:predicateeq sol(tu:solution)=eq prefixtunThepropertyforanarrayofsolutionsstobesortedinincreasingorderbetweenindexaincludedandindexbexcludedisdenedinanobviousway:predicatesorted(s:solutions)(ab:int)=8ij:int.aijb!lt sols[i]s[j]Thiscompletesthesetofdenitionsneededtospecifythecode'sbehavior.Thefullspecicationforfunctionqueens(lines14{15)isthefollowing4:letqueens(q:int)=f0q=n^!s=0^!k=0gt(belowq)emptyemptyfresult=!s^sorted!sol0!s^8u:solution.solutionu$(9i:int.0iresult^eq solu!sol[i])g(S)Thepreconditionrequiresbothsandktobeinitiallyequaltozero.Thepostcon-ditionstatesthatthereturnedvalueisequaltothenumberofsolutionsstoredinarraysol,thatis!s.Additionally,itstatesthatarraysolissortedandthatanarrayuisasolutionifandonlyifitappearsinsol.Atthispoint,thereadershouldbeconvincedthatspecication(S)isindeedexpressingthatthisprogramiscomputingthenumberofsolutionstothen-queensproblem.Thisisslightlysubtle,sincetheabsenceofduplicatedsolutionsisnotimmediate:itisonlyaprovableconsequenceofsolbeingsorted.Ourproofincludesthispropertyasalemma.4.2CorrectnessProofWenowhavetoprovethatfunctionqueensterminatesandobeysspecication(S)above.Asawarm-up,letusproveterminationrst. 4Thecodewithallannotationsisgivenintheappendix. Thenitsaysthatallsolutionsfoundinthisrunoft,thatisbetweentheinitialandnalvaluesofs,mustbesortedinincreasingorder:f...sorted!sol(old!s)!s^...g(Q2)Additionally,thesenewsolutionsmustbeexactlythesolutionsextendingtherstkrowsofarraycol:f...(8u:solution.solutionu^eq prefix!colu!k$9i:int.old!si!s^eq solu!sol[i])^...g(Q3)Finally,therstkrowsofcolmustnotbemodied,andsoarethesolutionsthatwerecontainedinsolpriortothecalltot:f...eq prefix(old!col)!col!k^eq prefix(old!sol)!sol(old!s)g(Q4)Withsuchpre-andpostconditionforfunctiont,functionqueenscanbeprovedcorrecteasily(vericationconditionsaredischargedautomatically).Thelaststepinthespecicationprocessistocomeupwithaloopinvariantforfunctiont(lines5{9).Itshouldbestrongenoughtoestablishpostconditions(Q1){(Q4).Wealreadycameupwithinvariant(I1)toensuretermination.Toensurepostcondition(Q1),thereisanobviousinvariantregardingsandk:f...!f=!s-at!s'L0^!k=at!k'L^...g(I2)Notationat!s'Lisusedtorefertothevalueofsattheprogrampointdesignatedbylabel'L.Thislabelisintroducedbeforethewhilekeywordatline5(thislabelappearsinthecodegivenintheappendix).Onekeypropertytoensurethatsolutionsarefoundinincreasingorderforlt solisthatwetraverseelementsofeinincreasingorder,byrepeatedextrac-tionofitsminimumelement.Thismustbeturnedintoaloopinvariant.Itstatesthatelementsofealreadyconsideredareallsmallerthanelementsofeyettobeconsidered:f...(8ij:int.memi(diff(at!e'L)!e)!memj!e!ij)^...g(I3)Additionally,wemustmaintainthatsolutionsfoundinthisrunoft,thatisbetweentheinitialvalueofsanditscurrentvalue,aresortedinincreasingorder:f...sorted!sol(at!s'L)!s^...g(I4)Wealsohavetomaintainproperty(P3),sincearraycolismodiedbyrecursivecallstot:f...partial solution!k!col^...g(I5)Themostcomplexpartoftheloopinvariantissurelythefollowing,whichisneededtoensurepostcondition(Q3).Itstatesthatthesolutionsfoundsofarinthisrunoffunctiontareexactlythoseextendingtherstkrowsofcolwithanelementofealreadyprocessed: toillustrateseveralkeyfeaturessuchasuseraxiomatizationsorcombineduseofinteractiveandautomatedtheoremprovers.Weconcludethispaperwithseveraldiscussions.Originality.ThevericationcompetitionorganizedduringVSTTE2010[9]alreadyincludedaproblemrelatedtothen-queensproblem.Itwassimpler,though,sincethecodetobeveriedonlyhadtochecktheexistenceofatleastonesolution(andtoreturnone,ifany).Ghostcode.Thiscasestudyisyetanotherexampleofwhereghostcodeisusefulinverication[12].Inthisparticularcase,theprogramisenumeratingthesolutionstoaproblem,butdoesnotstoreanyofthem,noteventhecurrentone.Thusweenrichedthecodewithnewstatementssothatarichspecicationispossible.ThereiscurrentlynosupportforghostcodeinWhy3;weplantoaddthisfeatureinthefuture.Inparticular,thiswillincludeacheckthat(1)ghostcodeisnotmodifyingtheprogramdata,and(2)theprogramisnotaccessingtheghostdata.Inthisproof,wehaveonlyperformedthisvericationmanually.VericationoftheoriginalCcode.WehavenotveriedtheoriginalCcode,onlyitsabstractionintoWhyML.Regardingthecodestructure,thisisnotreallyanissue,sinceallCfeaturesinvolved(recursivefunction,whileloop,mutablevariables)areavailableinWhyMLaswell.Regardingthecodedata,onthecontrary,ourproofdidnotconsidertheuseofintegersasbitvectors;weusedsetsinstead.Ourpurposewastofocusonthespecicationofthealgorithm.Nowthatwehavecomeupwithasuitablespecication,wecouldreneourproofintoaproofoftheoriginalCcode.Apossiblerouteistointroduceafunctionsymbol,saybits,thatturnsanintegerintothesetof1-bitsinitstwo'scomplementrepresentation.Thenwecanmechanicallytranslatealltheannotations,replacingawithbitsa,bwithbitsb,andsoon.Theonlychangeintheannotationsislikelytobeanextrapreconditionstatingthattheupperbitsofcarezeros(otherwise,onescouldbeerroneouslyintroducedbythedivisionsbytwo).Theproofthenrequiresextralemmastojustifythetricksusedinthecode.Forinstance,alemmawillshowthat,undersuitableconditionsonx,wehavebits(x&-x)=singleton(min elt(bitsx)).Abitvectorlibrarywithtwo'scomplementinterpretationsiscurrentlyunderdevelopmentinWhy3;weconsiderreningourproofalongthelineswejustsketchedinafuturework.Last,translatingtheresultingproofintoavericationtoolforCprograms,suchasVCC[6]orFrama-C[8],shouldbestraightforward.Itwouldbeinterestingtoseewhichlevelofproofautomationcanbeachieved.Over ows.Therearetwokindsofintegerover owsinthisprogram,dependingontheuseofintegersasbitvectorsorascounters.Regardingintegersusedasbitvectors,wecaneasilycopewiththeboundednessofintegersbyimposing 5.FrancoisBobot,Jean-ChristopheFilli^atre,ClaudeMarche,andAndreiPaskevich.Why3:Shepherdyourherdofprovers.InBoogie2011:FirstInternationalWork-shoponIntermediateVericationLanguages,Wroc law,Poland,August2011.6.ErnieCohen,MarkusDahlweid,MarkHillebrand,DirkLeinenbach,Micha lMoskal,ThomasSanten,WolframSchulte,andStephanTobies.VCC:ApracticalsystemforverifyingconcurrentC.InTheoremProvinginHigherOrderLogics(TPHOLs),volume5674ofLectureNotesinComputerScience.Springer,2009.7.TechnischeUniversitatDresden.Theworldrecordtothen-queenspuzzle(n=26).http://queens.inf.tu-dresden.de/,2009.8.TheFrama-CplatformforstaticanalysisofCprograms,2008.http://www.frama-c.cea.fr/.9.VladimirKlebanov,PeterMuller,NatarajanShankar,GaryT.Leavens,ValentinWustholz,EyadAlkassar,RobArthan,DerekBronish,RodChapman,ErnieCohen,MarkHillebrand,BartJacobs,K.RustanM.Leino,RosemaryMona-han,FrankPiessens,NadiaPolikarpova,TomRidge,JanSmans,StephanTobies,ThomasTuerk,MattiasUlbrich,andBenjaminWei.The1stVeriedSoftwareCompetition:Experiencereport.InMichaelButlerandWolframSchulte,editors,Proceedings,17thInternationalSymposiumonFormalMethods(FM2011),volume6664ofLNCS.Springer,2011.Materialsavailableatwww.vscomp.org.10.DonaldE.Knuth.TheArtofComputerProgramming,volume4A:CombinatorialAlgorithms,Part1.Addison-WesleyProfessional,1stedition,2011.11.DonaldR.Morrison.PATRICIA|PracticalAlgorithmToRetrieveInformationCodedinAlphanumeric.J.ACM,15(4):514{534,1968.12.SusanOwickiandDavidGries.Verifyingpropertiesofparallelprograms:Anaxiomaticapproach.CommunicationsoftheACM,19(5):279{285,may1976.13.TheCoqDevelopmentTeam.TheCoqProofAssistantReferenceManual{VersionV8.3,2010.http://coq.inria.fr.14.HenryS.Warren.Hackers'sDelight.Addison-Wesley,2003.AAnnotatedSourceCodeThisistheannotatedsourcecodefortheprograminFig.4.letrect(abc:setint)variantfcardinalag=f0!k^!k+cardinala=n^!s0^(8i:int.memia$(0in^8j:int.0j!k!!col[j]6=i))^(8i:int.i0!not(memib)$(8j:int.0j!k!!col[j]6=i+j-!k))^(8i:int.i0!not(memic)$(8j:int.0j!k!!col[j]6=i+!k-j))^partial solution!k!colgifnot(is emptya)thenbeginlete=ref(diff(diffab)c)inletf=ref0in'L:whilenot(is empty!e)doinvariantf