<h1 align="center">Trabalho 4 - Verificação Formal de Software</h1>
<h3 align="center">Janeiro, 2022</h3>

Inês Pires Presa - A90355  
Tiago dos Santos Silva Peixoto Carriço - A91695

## Descrição do Problema

Pretende-se verificar a correção total do seguinte programa usando a metodologia dos invariantes e a metodologia do "single assignement unfolding":


```python
assume m >= 0 and n >= 0 and r == 0 and x == m and y == n 
0: while y > 0:
1:    if y & 1 == 1: 
          y , r  = y-1 , r+x
2:    x , y = x<<1  ,  y>>1
3: assert r == m * n
```




## Provar por indução a terminação do programa

Pretendemos provar uma propriedade de animação por indução, para isso começaremos por modelar o programa com FOTS e de seguida teremos de descobrir um variante que satisfaça as condições:
- O variante nunca é negativo, ou seja, $G\ (V(s) \ge 0)$
- O variante descresce sempre (estritamente) ou atinge o valor 0, ou seja, $G\ (\forall s' . \mathit{trans}(s,s') \rightarrow (V(s') < V(s) \vee V(s') = 0))$
- Quando o variante é 0 verifica-se necessariamente $\phi$, ou seja, $G\ (V(s)=0 \rightarrow \phi(s))$

### Modelação do programa com FOTS

O estado inicial é caracterizado pelo seguinte predicado:

$$
\mathit{pc} = 0 \wedge m \ge 0 \wedge n \ge 0 \wedge r = 0 \wedge x = m \wedge y = n
$$

As transições possíveis no FOTS são caracterizadas pelo seguinte predicado:

$$
(\mathit{pc} = 0 \wedge y > 0 \wedge \mathit{pc'} = 1 \wedge y' = y \wedge m' = m \wedge n' = n \wedge x' = x \wedge r' = r)
\\ \vee \\ 
(\mathit{pc} = 0 \wedge y \le 0 \wedge \mathit{pc'} = 3 \wedge y' = y \wedge m' = m \wedge n' = n \wedge x' = x \wedge r' = r)
\\ \vee \\ 
(\mathit{pc} = 1 \wedge y \space \& \space  1 = 1 \wedge \mathit{pc'} = 2 \wedge y' = y - 1 \wedge m' = m \wedge n' = n \wedge x' = x \wedge r' = r + x)\\ \vee \\ 
(\mathit{pc} = 1 \wedge y \space \& \space  1 \neq 1 \wedge \mathit{pc'} = 2 \wedge y' = y \wedge m' = m \wedge n' = n \wedge x' = x \wedge r' = r)
\\ \vee \\ 
(\mathit{pc} = 2 \wedge \mathit{pc'} = 0 \wedge y' = y >> 1 \wedge m' = m \wedge n' = n \wedge x' = x << 1 \wedge r' = r)
\\ \vee \\ 
(\mathit{pc} = 3 \wedge \mathit{pc'} = 3 \wedge y' = y \wedge m' = m \wedge n' = n \wedge x' = x \wedge r' = r \wedge r = m \cdot  n)
$$

In [None]:
#!pip install z3-solver

In [37]:
from z3 import *

Funções:
- `declare(i)` - gera uma cópia das variáveis do estado
- `init(state)` - testa se um estado é inicial
- `trans(curr, prox)` - testa se um par de estados é uma transição válida.

In [59]:
def declare(i):
    state = {}
    state['pc'] = BitVec('pc_'+str(i), 16)
    state['x'] = BitVec('x_'+str(i), 16)
    state['y'] = BitVec('y_'+str(i), 16)
    state['r'] = BitVec('r_'+str(i), 16)
    state['m'] = BitVec('m_'+str(i), 16)
    state['n'] = BitVec('n_'+str(i), 16)
    return state

def init(state):
    return And(state['pc'] == 0, state['m'] >= 0, state['n'] >= 0, state['r'] == 0, state['x'] == state['m'], state['y'] == state['n'])

def trans(curr, prox):
    t_0_1 = And(curr['pc'] == 0, prox['pc'] == 1, curr['y'] > 0 , prox['y'] == curr['y'], prox['n'] == curr['n'], prox['m'] == curr['m'], prox['r'] == curr['r'], prox['x'] == curr['x'])
    t_0_3 = And(curr['pc'] == 0, prox['pc'] == 3, curr['y'] <= 0, prox['y'] == curr['y'], prox['n'] == curr['n'], prox['m'] == curr['m'], prox['r'] == curr['r'], prox['x'] == curr['x'])

    t_1_2 = Or(
            And(curr['pc'] == 1, prox['pc'] == 2, curr['y'] & 1 == 1, prox['n'] == curr['n'], prox['m'] == curr['m'], prox['x'] == curr['x'], prox['y'] == curr['y'] - 1, prox['r'] == curr['r'] + curr['x']),
            And(curr['pc'] == 1, prox['pc'] == 2, curr['y'] & 1 == 1, prox['y'] == curr['y'], prox['n'] == curr['n'], prox['m'] == curr['m'], prox['r'] == curr['r'], prox['x'] == curr['x'])
    )

    t_2_0 = And(curr['pc'] == 2, prox['pc'] == 0, prox['n'] == curr['n'], prox['m'] == curr['m'], prox['r'] == curr['r'], prox['x'] == curr['x'] << 1, prox['y'] == curr['y'] >> 1)

    t_3_3 = And(curr['pc'] == 3, prox['pc'] == 3, prox['y'] == curr['y'], prox['n'] == curr['n'], prox['m'] == curr['m'], prox['x'] == curr['x'], curr['r'] == prox['r'], curr['r'] == curr['m'] * curr['n'])

    return Or(t_0_1, t_0_3, t_1_2, t_2_0, t_3_3)



## 

In [61]:
def variante(state):
      return BV2Int(state['y']) - BV2Int(state['pc']) + 3

def variante_positivo(state):
      return (variante(state) >= 0)

def kinduction_always(declare,init,trans,inv,k):
    # completar
    trace = [declare(i) for i in range(k+1)]

    # testar inv para o estados iniciais
    s = Solver()
    s.add(init(trace[0])) 

    for i in range(k-1):
      s.add(trans(trace[i], trace[i+1]))
    s.add(Or([ Not(inv(trace[i])) for i in range(k) ]))
    if s.check() == sat:
      m = s.model()
      print("(1) Propriedade falha em pelo menos 1 dos k primeiros estados")
      for v in trace[0]:
        print(v,"=", m[trace[0][v]])
      return m

    # testar o passo indutivo
    s = Solver()
    for i in range(k):
      s.add(trans(trace[i], trace[i+1]))
      s.add(inv(trace[i]))
    s.add(Not(inv(trace[k])))
    if s.check() == sat:
      m = s.model()
      print("(2) O passo indutivo falha")
      for v in trace[0]:
        print(v,"=", m[trace[0][v]])
      return m

    print("A propriedade é válida.")

kinduction_always(declare,init,trans,variante_positivo,3)

A propriedade é válida.


In [62]:
x =  10
y =  15
r = 0

from tabulate import tabulate

headers = ['pc', 'x', 'y', 'r']
tabela = []
while y > 0:
    l = [0, x, y, r]
    tabela.append(l)
    if y & 1 == 1:
        y , r  = y-1 , r+x
        l = [1, x, y, r]
        tabela.append(l)
    x , y = x<<1  ,  y>>1
    l = [2, x, y, r]
    tabela.append(l)
l = [3, x, y, r]
tabela.append(l)  

print(tabulate(tabela, headers))

  pc    x    y    r
----  ---  ---  ---
   0   10   15    0
   1   10   14   10
   2   20    7   10
   0   20    7   10
   1   20    6   30
   2   40    3   30
   0   40    3   30
   1   40    2   70
   2   80    1   70
   0   80    1   70
   1   80    0  150
   2  160    0  150
   3  160    0  150


 ## Codifique usando a LPA a forma recursiva deste programa
 
 $$W\quad\equiv\quad \{\,\mathsf{assume}\,b\;;\;S\;;\;W\,\}\;\;\|\;\;\{\,\mathsf{assume}\,\neg b\,\}$$

In [None]:
# assume m >= 0 and n >= 0 and r == 0 and x == m and y == n 

x = x0 = 10
y = y0 = 15
r = 0

# x0 * y0 = x * y + r and y >= 0

while y > 0:
    print(f'x={x}, y={y}, r={r}, {x0 * y0 == x*y+r and y >= 0}')
    if y & 1 == 1:
        y , r  = y-1 , r+x
        print(f'x={x}, y={y}, r={r}, {x0 * y0 == x*y+r and y >= 0}')
    x , y = x<<1  ,  y>>1
    
print(f'x={x}, y={y}, r={r}, {x0 * y0 == x*y+r and y >= 0}')

#WPC

$
\begin{array}{l}
[{\sf skip}] = True \\
[{\sf assume}\:\phi] = True \\
[{\sf assert}\:\phi] = \phi \\
[ x = e ] = True \\
[(C_1 || C_2)] = [C_1] \wedge [C_2] \\
\\
[{\sf skip}\, ; C] = [C] \\
[{\sf assume}\:\phi\, ; C] = \phi \to [C] \\
[{\sf assert}\:\phi\, ; C] = \phi \wedge [C] \\
[ x = e \, ; C] = [C][e/x] \\
[(C_1 || C_2)\, ; C] = [(C_1 ; C) || (C_2 ; C)]
\end{array}
$

```python
assume m >= 0 and n >= 0 and r == 0 and x == m and y == n 
0: while y > 0:
1:    if y & 1 == 1: 
          y , r  = y-1 , r+x
2:    x , y = x<<1  ,  y>>1
3: assert r == m * n
```

```python
S = (assume (y & 1 == 1); y = y - 1; r = r + x || assume (y & 1 != 1); skip); x = x<<1; y = y>>1;
W = {assume y > 0; (assume (y & 1 == 1); y = y - 1; r = r + x || assume (y & 1 != 1); skip); x = x<<1; y = y>>1;; W} || {assume not (y > 0)}
```

$$
\begin{array}{l}
[\,{\sf assume}\;\phi\; ;{{\sf assert}\; \theta\; ; \sf havoc }\;\vec{x} \; ; (\,({\sf assume }\; b \wedge \theta \; ; \; C \; ; {\sf assert}\;\theta \; ; {\sf assume}\; \mathit{False}) \: || \:
{\sf assume}\; \neg b \wedge \theta \,)\; ; {\sf assert} \; \psi \,] \\ = \\
\phi \to \theta \wedge \forall \vec{x}. \, (\,(b \wedge \theta \to [C\;; {\sf assert}\; \theta ]) \wedge (\neg b \wedge \theta \to \psi )\,)
\end{array}
$$

```python
[assume pre; assert invariante; havoc x,y,r ; ((assume (b and invariante); C; assert invariante; assume False)
||
assume ((not b) and invariante)); assert pos]
=
pre -> inv and forall (x, y, r) . ((b and inv -> [C; assert inv]) and (not b and inv -> pos))
=
pre -> inv and forall (x, y, r) . ((y > 0 and inv -> [
  (assume (y & 1 == 1); y = y - 1; r = r + x || assume (y & 1 != 1); skip);
  x = x<<1;
  y = y>>1;
  assert inv
  ]) 
  and (not y > 0 and inv -> pos))
=
pre -> inv and forall (x, y, r) . ((y > 0 and inv -> ([
  assume (y & 1 == 1); y = y - 1; r = r + x;
  x = x<<1;
  y = y>>1;
  assert inv
  ] || [
  assume (y & 1 != 1); skip;
  x = x<<1;
  y = y>>1;
  assert inv
  ])) 
  and (not y > 0 and inv -> pos))
=
pre -> inv and forall (x, y, r) . ((y > 0 and inv -> (
  (y & 1 == 1) -> [
  y = y - 1;
  r = r + x;
  x = x<<1;
  y = y>>1;
  assert inv
  ] and 
  (y & 1 != 1) -> [
  x = x<<1;
  y = y>>1;
  assert inv
  ])) 
  and (not y > 0 and inv -> pos))
=
pre -> inv and forall (x, y, r) . ((y > 0 and inv -> (
  (y & 1 == 1) -> [
  x = x<<1;
  y = y>>1;
  assert inv
  ] [y-1 / y] [r+x / r] and 
  (y & 1 != 1) -> [
  x = x<<1;
  y = y>>1;
  assert inv
  ] )) 
  and (not y > 0 and inv -> pos))
=
pre -> inv and forall (x, y, r) . ((y > 0 and inv -> (
  (y & 1 == 1) -> [
  assert inv
  ] [y-1 / y] [r+x / r] [x<<1 / x] [y>>1 / y] and 
  (y & 1 != 1) -> [
  assert inv
  ] [x<<1 / x] [y>>1 / y] )) 
  and (not y > 0 and inv -> pos))
=
pre -> inv and forall (x, y, r) . ((y > 0 and inv -> (
  (y & 1 == 1) -> inv [y-1 / y] [r+x / r] [x<<1 / x] [y>>1 / y] and 
  (y & 1 != 1) -> inv [x<<1 / x] [y>>1 / y] )) 
  and (not y > 0 and inv -> pos))
```

In [None]:
def prove(f):
    s = Solver()
    s.add(Not(f))
    r = s.check()
    if r == unsat:
        print("Proved")
    else:
        print("Failed to prove")
        m = s.model()
        for v in m:
            print(v,'=', m[v])

In [None]:
#pre -> inv and forall (x, y, r) . ((y > 0 and inv -> ((y & 1 == 1) -> inv [y-1 / y] [r+x / r] [x<<1 / x] [y>>1 / y] and (y & 1 != 1) -> inv [x<<1 / x] [y>>1 / y] )) and (not y > 0 and inv -> pos))

x, y, r, m, n = BitVecs("x y r m n", 8)

pre = And(m >= 0, n >= 0, r == 0, x == m, y == n)
pos = (r == m * n)

# m * n = x * y + r and y >= 0
inv = And(y >= 0, m * n == x * y + r)

# (y & 1 == 1) -> inv [y-1 / y] [r+x / x] [x<<1 / r] [y>>1 / y]
#if_true = Implies(y & 1 == 1, substitute(substitute(substitute(substitute(inv, (r,r+x)), (y, y-1)), (x, x<<1)), (y, y>>1)))
if_true = Implies(y & 1 == 1, substitute(substitute(substitute(substitute(inv, (y, y>>1)), (x, x<<1)), (r,r+x)), (y, y-1)))

# (y & 1 != 1) -> inv [x<<1 / x] [y>>1 / y]
#if_false = Implies(y & 1 != 1, substitute(substitute(inv, (x, x<<1)),(y, y>>1)))
if_false = Implies(y & 1 != 1, substitute(substitute(inv, (y, y>>1)),(x, x<<1)))

#vc = Implies(pre, And(inv, ForAll([x,y,r], And( Implies(And(y > 0, inv), And(if_true, if_false)) , And(Not(y > 0), Implies(inv, pos)) ))))

#pre -> inv and forall (x,y,r) . ((y > 0 and inv -> if_true and if_false) and (not y > 0 and inv -> pos))
vc = Implies(pre, And(inv, ForAll([x,y,r], And( Implies(And(y > 0, inv), And(if_true, if_false)) , Implies(And(Not(y > 0), inv), pos)))) )

prove(vc)

In [1]:
from pysmt.shortcuts import *
from pysmt.typing import *

# Auxiliares
def prime(v):
    return Symbol("next(%s)" % v.symbol_name(), v.symbol_type())
def fresh(v):
    return FreshSymbol(typename=v.symbol_type(),template=v.symbol_name()+"_%d")

# A classe "Sigle Assignment Unfold"
class SAU(object):
    """Trivial representation of a while cycle and its unfolding."""
    def __init__(self, variables, pre , pos, control, trans, sname="z3"):
              
        self.variables = variables       # variables   
        self.pre = pre                   # pre-condition as a predicate in "variables"
        self.pos = pos                   # pos-condition as a predicate in "variables"
        self.control = control           # cycle control as a predicate in "variables"
        self.trans = trans               # cycle body as a binary transition relation 
                                         # in "variables" and "prime variables"
        
        self.prime_variables = [prime(v) for v in self.variables]
        self.frames = [And([Not(control),pos])]  
                 # inializa com uma só frame: a da terminação do ciclo
        
        self.solver = Solver(name=sname)

    def new_frame(self):        
        freshs = [fresh(v) for v in self.variables]    
        b = self.control
        S = self.trans.substitute(dict(zip(self.prime_variables,freshs)))
        W = self.frames[-1].substitute(dict(zip(self.variables,freshs)))
        
        self.frames.append(And([b , ForAll(freshs, Implies(S, W))]))
        
    def unfold(self,bound=0):
        n = 0
        while True:
            if n > bound:
                print("falha: número de tentativas ultrapassa o limite %d "%bound)
                break
            
            f = Or(self.frames)
            if self.solver.solve([self.pre,Not(f)]):  
                self.new_frame()
                n += 1
            else:
                print("sucesso na tentativa %d "%n)
                break   

In [36]:
bits = 16
np = 6

# constantes auxiliares
zero = SBV(0, width=bits)
um   = SBV(1, width=bits)
N    = SBV(np, width=bits)

# O ciclo
x  = Symbol("x", BVType(bits))
m  = Symbol("m", BVType(bits))
n  = Symbol("n", BVType(bits))
y  = Symbol("y", BVType(bits))
r  = Symbol("r", BVType(bits))
variables = [x,m,n,r,y]

pre  =  And([GE(m, zero), GE(n, zero), Equals(r, zero), Equals(x, m), Equals(y, n), LT(m, N), LT(n, N)])     # pré-condição    
pos  =  Equals(r,m * n)              # pós-condição
cond =  GT(y, zero)                # condição de controlo do ciclo
trans = And([Implies(Equals(y & um, um), And(Equals(prime(y), y - um), Equals(prime(r), r + x))), Equals(prime(x), x << um), Equals(prime(y), y >> um)])

W = SAU(variables, pre, pos, cond, trans)

#Run
W.unfold(np)

PysmtTypeError: The formula '(((0_16 <= m) & (0_16 <= n) & (r = 0_16) & (x = m) & (y = n) & (m < 6_16) & (n < 6_16)) & (! ((! (... < ...)) & (r = (... * ...)))))' is not well-formed