Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Folie 2 H. Schlingloff, Software Verification I Talk announcement John Wickerson: Ribbon Proofs for Hoare Logic Proofs in Hoare Logic are usually presented in the form of a "proof outline", in which the program code is interspersed with lots of assertions about the state. Large proof outlines are highly repetitive, and can be very hard to read. This talk introduces a new diagrammatic presentation, called the "ribbon proof", which is far more scalable, flexible and human-intelligible than the proof outline. Friday, , 10:00 Fraunhofer FIRST, 4 th floor (register at clerk)

Folie 3 H. Schlingloff, Software Verification I Concept Language we add the following new constructs to the language of while-programs  {  1 ||  2 } or, more generally, {  1 ||... ||  n }  await (b)  ; semantics  parallel (interleaved) execution of the  i  blocking wait until condition is satisfied; program fragment within await is noninterruptable for simplicity, assignments are atomic actions

Folie 4 H. Schlingloff, Software Verification I A realistic example a=n; b=0; c=1; { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } program calculates binomial coefficient

Folie 5 H. Schlingloff, Software Verification I Invariants for Parallel Programs Assume  is a formula such that {  }  {  } for every subprogram  of {  1 ||  2 }. Then {  } {  1 ||  2 } {  } Example: a=0;  : {a++;  : || a--;  :}  : Invariant a==0+  -  (or, more explicit: ( ¬  ¬  a==0   a==0   ¬  a==1  ¬  a==-1) ) int n=0; { for (int i = 0; i<100; i++) n++; || for (int j = 0; j<100; j++) n--;} Invariant n=i-j

Folie 6 H. Schlingloff, Software Verification I Problem with Invariant Method Non-compositionality: In order to show {  }{  1 ||  2 }{  } it is not sufficient to show {  }{  1 }{  } and {  }{  2 }{  } Sequential composition rule (seq): if ⊢ {  }  1 {  } and ⊢ {  }  2 {  }, then {  }{  1 ;  2 }{  } ? if ⊢ {  1 }  1 {  1 } and ⊢ {  2 }  2 {  2 }, then {  1   2 }{  1 ||  2 }{  1   2 }

Folie 7 H. Schlingloff, Software Verification I Hoare-Rule for Parallel Programs Susan Owicki, 1975: If ⊢ {  1 }  1 {  1 } and ⊢ {  2 }  2 {  2 }, then ⊢ {  1  2 } {  1 ||  2 } {  1  2 }, if the proofs of {  1 }  1 {  1 } and {  2 }  2 {  2 } are interference free Two proofs are interference-free, if for any two Hoare triples {  a }  a {  a } in {  1 }  1 {  1 } and {  b }  b {  b } in {  2 }  2 {  2 } it holds that {  a  b }  a {  b } Example: {x=0  x=2} x++ {x=1  x=3} interferes with {x=0} x+=2 {x=2} but not with {x=0  x=1} x+=2 {x=2  x=3}

Folie 8 H. Schlingloff, Software Verification I Hoare-Owicki-Proof {x==0  x==-1} x++ {x==1  x==0} {x==0  x==1} x-- {x==-1  x==0} Interference freedom:  {x==0  x==-1  x==0  x==1} x++ {x==0  x==1}  {x==0  x==1  x==0  x==-1} x-- {x==0  x==-1} Therefore, {x==0  x==-1  x==0  x==1} {x++||x--} {x==1  x==0  x==-1  x==0} {x==0} {x++||x--} {x==0} Proof does not work for {x==0} {h=x; h++; x=h; || h=x; h--; x=h;} {x==0}

Folie 9 H. Schlingloff, Software Verification I Proof (scetch) of example program a=n; b=0; c=1; // calculate n over k { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } Idea: at the await it holds that c=(n*(n-1)*...*(n-j+1)/1*2*...*(i-1) a=n-j, b=i If a+b<=n, then i<=j. In this case, c is divisible by j:  n is divisible by 1  n*(n-1) is divisible by 2  n*(n-1)*(n-2) is divisible by 2 and 3  n*(n-1)*(n-2)*(n-3) is divisible by 1*2*3*

Folie 10 H. Schlingloff, Software Verification I Further Properties of Parallel Programs Termination: as in sequential case Fairness: b=1; {b=0; || while(b) skip} Mutual exclusion: always not both in c1 and c2  {while (1) {await(b) b=0; c1; b=1; nc1;} || while(1) {await(b) b=0; c2; b=1; nc2; }}  generalized: reader-writer-problem deadlock freedom, livelock freedom Two main classes of properties:  safety: all reachable states satisfy some invariant - “something bad never happens”  liveness: eventual reachability of states - “something good eventually happens”

Folie 11 H. Schlingloff, Software Verification I Outlook Software Verification 2 Automated Verification modeling model checking abstract interpretation abstraction refinement test generation