Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
sav08:lecture04 [2008/03/02 22:30] vkuncak |
sav08:lecture04 [2008/03/04 19:18] vkuncak |
||
|---|---|---|---|
| Line 15: | Line 15: | ||
| [[Backward VCG]] | [[Backward VCG]] | ||
| - | We next look at proof rules for loops, assuming loop invariants are given. | + | We continue with verification-condition generation in [[lecture05]]. |
| - | [[Hoare Logic Rule for Loops]] | ||
| - | |||
| - | We next look at a program semantics that has explicit error conditions, and that gives nice rules for weakest preconditions. | ||
| - | |||
| - | [[Assert and Error Conditions]] | ||
| - | |||
| - | We next discuss a particular approach for generating verification conditions that admits simpler loop invariants. | ||
| - | |||
| - | [[ESC/Java Loop Desugaring]] | ||
| - | |||
| - | [[Practical Aspects of VCG]] | ||
| - | |||
| - | === Further reading === | ||
| - | |||
| - | * [[Calculus of Computation Textbook]], Chapter 5 (Program Correctness: Mechanics) | ||
| - | |||
| - | ==== Annotations in Control-Flow Graphs ==== | ||
| - | |||
| - | * [[http://research.microsoft.com/~leino/papers/krml157.pdf|Weakest preconditions for unstructured programs]] | ||
| - | |||
| - | ==== Loop Unrolling ==== | ||
| - | |||
| - | |||
| - | ===== Size of verification conditions ===== | ||
| - | * one-point rule for equality | ||
| - | * introducing fresh names for branches | ||
| - | * general-purpose simplifications | ||
| - | * concolic testing idea | ||
| - | |||
| - | * [[http://doi.acm.org/10.1145/360204.360220|Avoiding exponential explosion: generating compact verification conditions]] | ||
| - | * [[http://www.cs.utexas.edu/users/sandip/publications/symbolic-lpar/main.html|Verification Condition Generation via Theorem Proving]] | ||
| - | * [[http://osl.cs.uiuc.edu/~ksen/cute/|CUTE Tool]] | ||
| - | |||
| - | ===== Asserts and errors for nice wp definition ===== | ||
| - | |||
| - | assert(F) = irrecoverable error if $F$ is false, terminates execution. | ||
| - | |||
| - | wp computes conditions sufficient for errors not to happen. | ||
| - | |||
| - | Postconditions are just asserts at the end of the program. | ||
| - | |||
| - | How to build a system with relations where at the same time | ||
| - | wp(assert(F),Q) = (F & Q) | ||
| - | wp(assume(F),Q) = (F --> Q) | ||
| - | |||
| - | Then | ||
| - | wp(assert(false); assume(false),Q) = false | ||
| - | wp(assume(false); assume(false),Q) = true | ||
| - | so cannot have $\mbox{assume(false)} = \emptyset$ any more. | ||
| - | |||
| - | Sketch of how this can be done is in [[:sav07_homework 4|a homework from last year]]. | ||
| - | |||
| - | ===== Havoc and ESC/Java Loop Transformation ===== | ||
| - | |||
| - | [[:sav07_lecture_4#more_on_wp|Notes on wp from last year]] | ||