Table Of ContentUndergraduate Topics in Computer Science
UndergraduateTopicsinComputerScience(UTiCS)delivershigh-qualityinstructionalcontentforun-
dergraduatesstudyinginallareasofcomputingandinformationscience.Fromcorefoundationaland
theoreticalmaterialtofinal-yeartopicsandapplications,UTiCSbookstakeafresh,concise,andmod-
ernapproachandareidealforself-studyorforaone-ortwo-semestercourse.Thetextsareallauthored
byestablishedexpertsintheirfields,reviewedbyaninternationaladvisoryboard,andcontainnumer-
ousexamplesandproblems.Manyincludefullyworkedsolutions.
Forfurthervolumes:
www.springer.com/series/7592
José Bacelar Almeida Maria João Frade
Jorge Sousa Pinto Sim! ão Melo de Sousa !
!
Rigorous
Software
Development
An Introduction to
Program Verification
Dr.JoséBacelarAlmeida Dr.JorgeSousaPinto
Depto.Informática Depto.Informática
UniversidadedoMinho UniversidadedoMinho
CampusdeGualtar CampusdeGualtar
Braga4710-057 Braga4710-057
Portugal Portugal
jba@di.uminho.pt jsp@di.uminho.pt
Dr.MariaJoãoFrade Dr.SimãoMelodeSousa
Depto.Informática Depto.Informática
UniversidadedoMinho UniversidadeBeiraInterior
CampusdeGualtar ruaMarquesd’AvilaeBolama
Braga4710-057 Covilhã6201-001
Portugal Portugal
mjf@di.uminho.pt desousa@di.ubi.pt
Serieseditor
IanMackie
Advisoryboard
SamsonAbramsky, UniversityofOxford,Oxford,UK
ChrisHankin, ImperialCollegeLondon,London,UK
DexterKozen, CornellUniversity,Ithaca,USA
AndrewPitts, UniversityofCambridge,Cambridge,UK
HanneRiisNielson, TechnicalUniversityofDenmark,Lungby,Denmark
StevenSkiena, StonyBrookUniversity,StonyBrooks,USA
IainStewart, UniversityofDurham,Durham,UK
ISSN1863-7310
ISBN978-0-85729-017-5 e-ISBN978-0-85729-018-2
DOI10.1007/978-0-85729-018-2
SpringerLondonDordrechtHeidelbergNewYork
BritishLibraryCataloguinginPublicationData
AcataloguerecordforthisbookisavailablefromtheBritishLibrary
©Springer-VerlagLondonLimited2011
Apartfromanyfairdealingforthepurposesofresearchorprivatestudy,orcriticismorreview,asper-
mittedundertheCopyright,DesignsandPatentsAct1988,thispublicationmayonlybereproduced,
storedortransmitted,inanyformorbyanymeans,withthepriorpermissioninwritingofthepublish-
ers,orinthecaseofreprographicreproductioninaccordancewiththetermsoflicensesissuedbythe
CopyrightLicensingAgency.Enquiriesconcerningreproductionoutsidethosetermsshouldbesentto
thepublishers.
Theuseofregisterednames,trademarks,etc.,inthispublicationdoesnotimply,evenintheabsenceofa
specificstatement,thatsuchnamesareexemptfromtherelevantlawsandregulationsandthereforefree
forgeneraluse.
Thepublishermakesnorepresentation,expressorimplied,withregardtotheaccuracyoftheinformation
containedinthisbookandcannotacceptanylegalresponsibilityorliabilityforanyerrorsoromissions
thatmaybemade.
Printedonacid-freepaper
SpringerispartofSpringerScience+BusinessMedia(www.springer.com)
Preface
Ithasbecomecommonsensethatproblemsinsoftwaremayhavecatastrophiccon-
sequences, ranging from economic to human safety aspects. This has led to the
development of software norms that prescribe the use of particular development
methods. These norms advise the use of validation techniques, and at the highest
levelsofcertification,ofmathematicalvalidation.
Program verification is the area of computer science that studies mathematical
methodsforcheckingthataprogramconformstoitsspecification.Itispartofthe
broaderareaofformalmethods,whichgroupstogetherveryheterogeneousrigorous
approachestosystemsandsoftwaredevelopment.Programverificationisconcerned
withpropertiesofcode,whichcanbestudiedinmorethanoneway.Frommethods
based on logic, in particular the combined use of a program logic and first-order
theories,tootherapproacheslikesoftwaremodelchecking;abstractinterpretation;
andsymbolicexecution.
This book is a self-contained introduction to program verification using logic-
basedmethods,assumingonlybasicknowledgeofstandardmathematicalconcepts
thatshouldbefamiliartoanycomputersciencestudent.Itincludesaself-contained
introductiontopropositionallogicandfirst-orderreasoningwiththeories,followed
byastudyofprogramverificationthatcombinestheoreticalandpracticalaspects—
fromaprogramlogictotheuseofarealistictoolfortheverificationofCprograms,
throughthegenerationofverificationconditionsandthetreatmentoferrors.
Morespecifically,westartwithanoverviewofpropositional(Chap.3)andfirst-
order(Chap.4)logic,andthengoon(Chap.5)toestablishasettingfortheverifica-
tion of sequential programs, buildingon the axiomaticsemantics (based on Hoare
logic)ofagenericWhilelanguage,whosebehaviourisspecifiedusingpreconditions
andpostconditions.
It is then shown how a set of first-order proof obligations, usually known as
verificationconditions,canbemechanicallygeneratedfromaprogramandaspec-
ification that the program is required to satisfy (Chap. 6). Concrete programming
languages can be obtained by instantiating the language of program expressions,
which we illustrate with a language of integer expressions and then a language of
integer-typearrays.
v
vi Preface
This setting is then adapted to cover the treatment of safety properties of pro-
grams,byexplicitlyincorporatinginthesemanticsthepossibilityofruntimeerrors
occurring.Thesetofgeneratedverificationconditionsisextendedtoguardagainst
that possibility (Chap. 7). This is illustrated in the concrete languages with arith-
meticerrorsandout-of-boundsarrayaccesses.
Finally the setting is extended to allow for the specification and verification
ofprogramsconsistingofmutually-recursiveprocedures,basedonannotationsin-
cludedinthecode,usuallyknownascontracts(Chap.8).Theideahereisthateach
procedure has its own public specification, called a contract in this context, and
when reasoning individually about the correctness of an individual procedure one
canassumethatallproceduresarecorrectwithrespecttotheirrespectivespecifica-
tions.
The last part of the book illustrates the specification (Chap. 9) and verification
(Chap. 10) of programs of a real-world programming language. We have chosen
to use the ACSL specification language for C programs, and the Frama-C/Jessie
toolfortheirverification.Itisimportanttounderstandthatthesearebeingactively
developedasthisbookiswritten,butwedobelievethatthecoreofthespecification
languageandverificationtoolswillremainunchanged.
Our emphasis is on the integrated presentation, and on making explicit the bits
of the story that may be harder to grasp. Program verification already has a long
historybutremainsaveryactiveresearchfield,andthisbookcontainssomemate-
rial that as far as we can tell can only be found in research papers. The approach
followed has logic at its core, and the theories that support the reasoning (which
may include user-supplied parts) are always explicitly referred. The generation of
verificationconditionsisperformedbyanalgorithmthatissynthesizedfromHoare
logic in a step-by-step fashion. The important topic of specification adaptation is
also covered, since it is essential to the treatment of procedures. Finally, we de-
velopageneralframeworkfortheverificationofcontract-basedmutually-recursive
procedures, which is an important step towards understanding the use of modern
verificationtoolsbasedoncontracts.
Thebookwillpreparereaderstouseverificationmethodsinpractice,whichwe
findcannotbedonecorrectlywithonlyasuperficialunderstandingofwhatisgoing
on. Although verification methods tend to be progressively easier to use, software
engineerscangreatlybenefitfromanunderstandingofwhytheverificationmethods
andtoolsaresound,aswellaswhattheirlimitationsare,andhowtheyareimple-
mented. Readers will also be capable of constructing their own verification plat-
formsforspecificlanguages—butitmustbesaidatthispointthatoneofthemost
challengingaspects,thetreatmentofheap-baseddynamicdatastructuresbasedon
amemorymodel—iscompletelyleftout.
Asmentionedbefore,programverificationbelongstowhatareusuallydescribed
as formal methods for the development of software. Chapter 1 motivates the im-
portanceofprogramverification,andexplainshowformalapproachestosoftware
developmentandvalidationaremoreandmoreimportantinthesoftwareindustry.
Chapter2offersanoverviewofformalmethodsthatwillhopefullygivethereadera
moregeneralcontextforunderstandingtheprogramverificationtechniquescovered
intherestofthebook.
Preface vii
NotestotheInstructor Thebookassumesknowledgeofthebasicmathematical
concepts(likesets,functions,andrelations)thatareusuallytaughtinintroductory
courses on mathematics for computer science students. No knowledge of logical
conceptsisassumed.
The accompanying website for this book is http://www.di.uminho.pt/rsd-book,
where teaching material, solutions to selected exercises, source code, and links to
usefulonlineresourcescanbefound.
Acknowledgments The authors are indebted to their students and colleagues at
thedepartmentsofInformaticsoftheuniversitiesofMinhoandBeiraInterior,who
have provided feedback and comments on drafts of several chapters. The idea of
writing this book came up when the third author was on leave at the Department
ofComputerScienceoftheUniversityofPorto(FacultyofScience),whichkindly
providedawelcomingenvironmentforwritingthefirstdraftchapters.
Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 AFormalApproachtoSoftwareEngineering . . . . . . . . . . . . 1
1.1.1 TestandSimulation-BasedReliability . . . . . . . . . . . 2
1.1.2 AnAlternativeApproach:FormalMethods . . . . . . . . . 3
1.1.3 Requirements:Functional,Security,andSafety . . . . . . . 4
1.2 FormalMethodsandIndustrialNorms . . . . . . . . . . . . . . . 5
1.3 FromClassicSoftwareEngineeringtoFormalSoftwareEngineering 7
1.4 ThisBook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2 AnOverviewofFormalMethodsToolsandTechniques. . . . . . . . 15
2.1 TheCentralProblem . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.1.1 SomeExistingFormalMethodsTaxonomies . . . . . . . . 16
2.1.2 ThisOverview . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2 SpecifyingandAnalysing . . . . . . . . . . . . . . . . . . . . . . 17
2.2.1 Model-BasedSpecification . . . . . . . . . . . . . . . . . 18
2.2.2 AlgebraicSpecification . . . . . . . . . . . . . . . . . . . 24
2.2.3 DeclarativeModelling . . . . . . . . . . . . . . . . . . . . 25
2.3 SpecifyingandProving . . . . . . . . . . . . . . . . . . . . . . . 26
2.3.1 LogicinaNutshell. . . . . . . . . . . . . . . . . . . . . . 27
2.3.2 ProofTools. . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.3.3 ModelChecking . . . . . . . . . . . . . . . . . . . . . . . 31
2.3.4 ProgramLogicsandProgramAnnotation . . . . . . . . . . 32
2.4 SpecifyingandDeriving . . . . . . . . . . . . . . . . . . . . . . . 33
2.4.1 Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.4.2 Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.4.3 Execution . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.5 SpecifyingandTransforming . . . . . . . . . . . . . . . . . . . . 36
2.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.6.1 AreFormalMethodsToolsReadyforIndustry? . . . . . . 38
2.6.2 IsIndustryReadytoUseFormalMethods? . . . . . . . . . 39
ix
x Contents
2.7 ToLearnMore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3 PropositionalLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.3 ProofSystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.4 SoundnessandCompleteness . . . . . . . . . . . . . . . . . . . . 61
3.5 ValidityChecking:SemanticMethods . . . . . . . . . . . . . . . 64
3.5.1 NormalFormsinPropositionalLogic . . . . . . . . . . . . 65
3.5.2 ValidityofCNFFormulas . . . . . . . . . . . . . . . . . . 68
3.5.3 SatisfiabilityofCNFFormulas . . . . . . . . . . . . . . . 69
3.6 ValidityChecking:DeductiveMethods . . . . . . . . . . . . . . . 71
3.7 ToLearnMore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4 First-OrderLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.3 ProofSystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.4 SoundnessandCompleteness . . . . . . . . . . . . . . . . . . . . 100
4.5 ValidityChecking . . . . . . . . . . . . . . . . . . . . . . . . . . 102
4.5.1 NegationandPrenexNormalForms. . . . . . . . . . . . . 102
4.5.2 Herbrand/SkolemNormalFormsandSemi-Decidability . . 104
4.5.3 DecidableFragments . . . . . . . . . . . . . . . . . . . . 108
4.6 VariationsandExtensions . . . . . . . . . . . . . . . . . . . . . . 109
4.6.1 First-OrderLogicwithEquality . . . . . . . . . . . . . . . 109
4.6.2 Many-SortedFirst-OrderLogic . . . . . . . . . . . . . . . 110
4.6.3 Second-OrderLogic . . . . . . . . . . . . . . . . . . . . . 113
4.7 First-OrderTheories . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.7.1 Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4.7.2 NaturalNumbers. . . . . . . . . . . . . . . . . . . . . . . 118
4.7.3 Integers . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.7.4 Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
4.7.5 OtherTheories . . . . . . . . . . . . . . . . . . . . . . . . 121
4.7.6 CombiningTheories . . . . . . . . . . . . . . . . . . . . . 121
4.8 ToLearnMore . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
5 HoareLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
5.1 AnnotatedWhilePrograms . . . . . . . . . . . . . . . . . . . . . 130
5.1.1 ProgramSemantics . . . . . . . . . . . . . . . . . . . . . 131
5.1.2 TheWhileint ProgrammingLanguage . . . . . . . . . . . . 134
5.2 SpecificationsandHoareTriples . . . . . . . . . . . . . . . . . . 136
