Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Folie 2 H. Schlingloff, Software Verification I Nochmal: Lehrevaluation Verpflichtend für die HU, im Interesse der Studierenden Zeitraum: bis online:  Passwort (Token): inf-ws Verbesserung der Sicherheit durch sogenanntes Captcha  Completely Automated Public Turing test to tell Computers and Humans Apart Bei Rückfragen: Dr. Elke Warmuth, Studiendekanin  Tel ,

Folie 3 H. Schlingloff, Software Verification I Contracts weakest preconditions and strongest postconditions are related to the require-ensure-paradigm (also assume-guarantee-paradigm): requires  ensures  */ void foo(...)  ; is equivalent to (  wp( ,  ))  (sp( ,  )  ) such a statement is called contract  use of contract: {  [x 1 :=t 1,..., x n :=t n ]} foo(t 1,...,t n ) {  }

Folie 4 H. Schlingloff, Software Verification I Example with contracts int min (int a, int b) if (a<b) min=a else min=b; {a>=min  b>=min  (a=min  b=min)} {T}{x = 5; y = 7; z = min (x, y)} {z==5} proof: { x = 5; y = 7; a = x; b = y;} {a==5  b==7} {if (a<b) min=a else min=b;} {a==5  b==7  a>=min  b>=min  (a=min  b=min)} {min==5} {z = min;} {z==5}

Folie 5 H. Schlingloff, Software Verification I Parameter Passing Call by value  value of actual parameter is passed Call by reference  address of actual parameter is passed Call by value-result  value is passed, result is copied back Call by result  no value, but copying of result Call by name  name of actual parameter is passed

Folie 6 H. Schlingloff, Software Verification I Example void strange (int x) { x+=2; a[i] = 4; i = 1; x+=2; } a = [1, 1]; i = 0; //a[0], a[1] strange(a[i]); reference: a=[6, 1] value: a=[4, 1] result: a=[?, 1] value-result: a=[5, 1] name: a=[4, 3]

Folie 7 H. Schlingloff, Software Verification I Recursive Functions Example int pow(int a, int b){ if (b==0) return 1 else if (b%2==1) return a*pow(a,b-1) else return pow(a*a, b/2); How to define the semantics? How to verify correctness? How to prove termination?

Folie 8 H. Schlingloff, Software Verification I Semantics denotational: least fixed points of functionals operational: substitution rule, e.g. in lambda- calculus (beta-reduction) pow(5,2) = if (2==0) return 1 else if (2%2==1) return 5*pow(5,2-1) else return pow(5*5, 2/2) =pow(25,1) = if (1==0) return 1 else if (1%2==1) return 25*pow(25,1-1) else return pow(25*25, 1/2) = 25*pow(25,0) = 25* if (0==0) return 1 else... =

Folie 9 H. Schlingloff, Software Verification I Replacement Possibilities if there are several occurrences of a recursive function, which one to replace?  example term: f = g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) leftmost-innermost: g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) parallel-innermost: g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) leftmost: g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) parallel-outermost: g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) free-argument: g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) full-substitution : g(f(x 0,f(x 1,x 2 )),f(f(x 3,x 4 ),f(x 5,x 6 ))) Differences in the result?

Folie 10 H. Schlingloff, Software Verification I Church-Rosser-Property “Diamond property”: if t 0  t 1 and t 0  t 2, then there is a t 3 such that t 1  t 3 and t 2  t 3  here  is repeated replacement by any rule Consequence: if computation terminates with result x according to replacement rule A and result y according to replacement rule B, then x=y Example:  int fun(int x, int y) { if (x==0) return 1 else return fun (x-1, fun(x-y, y))}  fun(2,1) = ?  fun(3,2) = ?

Folie 11 H. Schlingloff, Software Verification I Axiomatic – Proof Rules for Recursion Correctness: ⊢ int f() {  } {} {  }  requires  ensures  Example:  int pow(int a, int b) {b>0}{...}{pow=a**b}  can be used in the verification of f!