Axiomatic Verification II Software Testing and Verification Lecture Notes 18 Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Axiomatic Verification II Reasoning about iteration (while loops) Strong correctness and proving termination
Review of Proof Rules Before proceeding to while loops, let’s capture our previous reasoning about sequencing, selection statements, and state condition replacement in appropriate rules of inference (ROI). ROI for Sequencing: {P} S1 {R}, {R} S2 {Q} {P} S1; S2 {Q}
Review of Proof Rules (cont’d) ROI for if_then_else statement: {P Л b } S1 {Q}, {P Л b} S2 {Q} {P} if b then S1 else S2 {Q} ROI for if_then statement: {P Л b } S {Q}, (P Л b) Q {P} if b then S {Q}
Review of Proof Rules (cont’d) ROI for State Condition Replacement†: K P, {P} S {Q}, Q W {K} S {W} † Also known as the consequence rule.
Reasoning about Iteration Consider the assertion: {P} while b do S {Q} What are the necessary conditions for this assertion to hold?
Necessary Conditions: while_do So, we know that {P} while b do S {Q} will hold if the following conditions hold: Case 0: (P Л b) Q Case 1: {P Л b} S {K1}, (K1 Л b) Q Case 2: {K1 Л b} S {K2}, (K2 Л b) Q … Case N: {KN-1 Л b} S {KN}, (KN Л b) Q … Great! But who has the time to show that an infinite number of conditions hold?
Reasoning about Iteration (cont’d) To eliminate the infinite sequence of conditions, replace each Ki with I (where I Ki for every i). Then the conditions above become: Case 0: (P Л b) Q Case 1: {P Л b} S {I}, (I Л b) Q All other Cases: {I Л b} S {I} To simplify, require further that P I. Then the four conditions reduce to three: P I, {I Л b} S {I}, (I Л b) Q
Reasoning about Iteration (cont’d) Thus, a ROI for the while_do statement is: P I, {I Л b} S {I}, (I Л b) Q {P} while b do S {Q} where the three antecedents are sometimes given the names initialization, preservation, and finalization, respectively. The assertion “I” in this context is informally referred to as an Invariant, or more precisely as a Q-adequate loop invariant.
Invariants and Q-adequate invariants A loop invariant is a Boolean-valued predicate that satisfies initialization and preservation. A Q-adequate loop invariant is a loop invariant that also satisfies finalization. Note that there may be an arbitrary number of valid loop invariants. For example, true is a trivial loop invariant for any while loop. The stronger the invariant, the more one can conclude from it together with b.
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I Preservation: {I Л b} S {I} Finalization: (I Л b) Q
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I What is “P”? (Z=X Л J=1) P
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I What is “P”? (Z=X Л J=1) Does (Z=X Л J=1) Z=XJ? X=X(1) P
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I What is “P”? (Z=X Л J=1) Does (Z=X Л J=1) Z=XJ? Yep! P
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I Preservation: {I Л b} S {I} {Z=XJ Л JY} Z := Z+X {Z=X(J+1) Л JY} J := J+1 {Z=X((J-1)+1) Л J-1Y} Z=XJ b S
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I Preservation: {I Л b} S {I}
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I Preservation: {I Л b} S {I} Finalization: (I Л b) Q
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I Preservation: {I Л b} S {I} Finalization: (I Л b) Q Does (Z=XJ Л J=Y) Z=XY? XJ=X(J) Yep!
Example 3 Use the Q-adequate invariant I: Z=XJ to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Initialization: P I Preservation: {I Л b} S {I} Finalization: (I Л b) Q
Heuristics for Identifying “I” Hypothesize a predicate that reflects the incre-mental progress made toward satisfying Q with each iteration. Check finalization. If necessary, refine the pre-dicate so as to be just strong enough to imply Q on termination (i.e., when b becomes false). Check initialization. If necessary, refine the pre-dicate so as to be just weak enough to be implied by P and return to step (2). Check preservation. If necessary, refine the pre-dicate so as to ensure preservation with respect to S and return to step (2).
finish true false true strengthen false true weaken false false refine Hypothesize I true Finalization ? false true strengthen Initialization ? false true weaken Preservation ? false false finish Initialization ? refine true false Preservation ? true
Example 4 Synthesize a Q-adequate invariant and prove: Nope! Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: Does finalization hold? I.e., does J-1 Sum = X[i] i=1 J-1 (Sum = X[i] Л J>N) i=1 N N Sum = X[i]? Nope! i=1 i=1
Example 4 Synthesize a Q-adequate invariant and prove: Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: (try #2) Does finalization hold? I.e., does J-1 Sum = X[i] Л JN+1 i=1 J-1 (Sum = X[i] Л JN+1 Л J>N) i=1 N N Sum = X[i]? i=1 i=1 Yep!
Example 4 Synthesize a Q-adequate invariant and prove: Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: (try #2) Finalization J-1 Sum = X[i] Л JN+1 i=1 N i=1
Example 4 Does initialization Synthesize a Q-adequate invariant and prove: {N1} Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: (try #2) Does initialization hold? I.e., does J-1 Sum = X[i] Л JN+1 i=1 (N1 Л Sum=0 Л J=1) J-1 (Sum = X[i] Л JN+1)? N i=1 i=1 Yep!
Example 4 Initialization Synthesize a Q-adequate invariant and prove: {N1} Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: (try #2) Finalization Initialization J-1 Sum = X[i] Л JN+1 i=1 N i=1
Example 4 Synthesize a Q-adequate invariant and prove: Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: (try #2) Does preservation hold? J-1 Sum = X[i] Л JN+1 i=1 J-1 {Sum = X[i] Л JN+1 Л JN} i=1 Sum := Sum + X[J] J N {Sum = X[i] Л JN} i=1 i=1 J := J+1 J-1 {Sum = X[i] Л J-1N} = {I} i=1
Example 4 Initialization Preservation Synthesize a Q-adequate invariant and prove: {N1} Sum := 0 J := 1 while J<=N do Sum := Sum + X[J] J := J+1 end_while {Sum = X[i]} Hypothesized I: (try #2) Finalization Initialization Preservation J-1 Sum = X[i] Л JN+1 i=1 N i=1
Strong Correctness Program S is said to be strongly correct with respect to pre-condition P and post-condition Q iff: {P} S {Q} (i.e., S is weakly correct with respect to P and Q), and P implies that S will terminate.
Strong Correctness (cont’d) Is it possible to prove that a program will terminate? Are there programs for which termination is undecidable? To write a program which should terminate but doesn’t is a minor sin. To write a program for which termination is undecidable is a major sin. –Harlan Mills
Let’s Pause for a Moment… I remember, as a young boy, watching small, brown frogs jump from Lilly pad to Lilly pad in the pond behind our house. They seemed to never tire of this…
Proving Termination – the Method of Well-Founded Sets† For each program loop, identify a measure based on one or more program variables that satisfies the following properties: decreases (or increases) with each iteration is bounded from below (or above), and can assume only a finite number of values before reaching the bound †A well-founded set (S, >) consists of a set of elements S and an ordering > defined on the elements, such that there can be no infinite descending sequences of elements.
Proving Termination – the Method of Well-Founded Sets (cont’d) Example: consider a linear search of an unordered list for the value K: {true} Found := false J := 1 while (J<=N and (not Found)) do Found := (K=X[J]) J := J+1 end_while {(Found Л K=X[J-1]) V (Found Л i∈{1,…,N}• KX[i])}
Proving Termination – the Method of Well-Founded Sets (cont’d) Proof of termination: Measure: “J” J increases with each iteration since J:=J+1 is executed with each iteration and J does not otherwise change. J is bounded from above (by N+1) since if J exceeds N, J<=N will evaluate to false and the loop must terminate.
Proving Termination – the Method of Well-Founded Sets (cont’d) Proof of termination: (cont’d) Since J increases by an integral amount with each iteration, it can assume only a finite number of values before reaching N+1: {1, 2,…, N, N+1}. Therefore, by the Method of Well-Founded Sets, the loop must terminate.
Exercise The weak correctness of the assertion below was established earlier. Can the Method of Well-Founded Sets be used to prove the program will terminate? {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
A while_do ROI for strong correctness We can incorporate a termination term, t, in the while loop ROI. Let t denote a whole number† which decreases with each iteration and implies termination when less than or equal to 0: PI, (IЛb)(t>0), {IЛbЛt=N} S {IЛt<N}, (IЛb)Q {P} while b do S {Q} strongly † Any well-founded ordering may be used for the domain of t.
Problem Set 5: Axiomatic Verification Note especially... Problem 4: deriving and using a suitable Rule of Inference for the “repeat_until” construct, and Problem 6: alternative, hypothesized Rules of Inference for the “while” construct...are they valid or not?
Axiomatic Verification II Software Testing and Verification Lecture Notes 18 Prepared by Stephen M. Thebaut, Ph.D. University of Florida