Roberto Bruni, Roberto Giacobazzi, Roberta Gori, Francesco Ranzato
Citations: 0
Abstract
Abstract interpretation is a well-known and extensively used method to extract over-approximate program invariants by a sound program analysis algorithm. Soundness means that no program errors are lost, and it is, in principle, guaranteed by construction. Completeness means that the abstract interpreter reports no false alarms for all possible inputs, but this is extremely rare because it needs a very precise analysis. We introduce a weaker notion of completeness, called local completeness, which requires that no false alarms are produced only relative to some fixed program inputs. Based on this idea, we introduce a program logic, called Local Completeness Logic for an abstract domain A, for proving both the correctness and incorrectness of program specifications. Our proof system, which is parameterized by an abstract domain A, combines over- and under-approximating reasoning. In a provable triple ⊦A [p] 𝖼 [q], 𝖼 is a program and q is an under-approximation of the strongest post-condition of 𝖼 on input p such that their abstractions in A coincide. This means that q is never too coarse, namely, under some mild assumptions, the abstract interpretation of 𝖼 does not yield false alarms for the input p iff q has no alarm. Therefore, proving ⊦A [p] 𝖼 [q] not only ensures that all the alarms raised in q are true ones, but also that if q does not raise alarms, then 𝖼 is correct. We also prove that if A is the straightforward abstraction making all program properties equivalent, then our program logic coincides with O’Hearn’s incorrectness logic, while for any other abstraction, contrary to the case of incorrectness logic, our logic can also establish program correctness.
Journal description:
The best indicator of the scope of the journal is provided by the areas covered by its Editorial Board. These areas change from time to time, as the field evolves. The following areas are currently covered by a member of the Editorial Board: Algorithms and Combinatorial Optimization; Algorithms and Data Structures; Algorithms, Combinatorial Optimization, and Games; Artificial Intelligence; Complexity Theory; Computational Biology; Computational Geometry; Computer Graphics and Computer Vision; Computer-Aided Verification; Cryptography and Security; Cyber-Physical, Embedded, and Real-Time Systems; Database Systems and Theory; Distributed Computing; Economics and Computation; Information Theory; Logic and Computation; Logic, Algorithms, and Complexity; Machine Learning and Computational Learning Theory; Networking; Parallel Computing and Architecture; Programming Languages; Quantum Computing; Randomized Algorithms and Probabilistic Analysis of Algorithms; Scientific Computing and High Performance Computing; Software Engineering; Web Algorithms and Data Mining