Axiomatic Verification I Software Testing and Verification Lecture 17 Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Axiomatic Verification I Introduction Weak correctness predicate Assignment statements Sequencing Selection statements
Introduction What is Axiomatic Verification†? A formal method of reasoning about the functional correctness of a structured, sequential program by tracing its state changes from an initial (i.e., pre-) condition to a final (i.e., post-) condition according to a set of self-evident rules (i.e., axioms). † Also know as “Hoare logic” or “Floyd-Hoare logic.”
Introduction (cont’d) What is its primary goal? To provide a means for “proving” (and in some cases, “disproving”) the functional correctness of a sequential program with respect to its (formal) specification.
Introduction (cont’d) What are the benefits of studying axiomatic verification? Understanding its limitations. Deeper insights into programming and program structures. Criteria for judging both programs and programming languages. The ability to formally verify small (or parts of large) sequential programs.
Introduction (cont’d) Bottom line: even if you never attempt to “prove” a program correct outside this course, the study of formal verification should change the way you write and read programs. There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. –Tony Hoare
Weak Correctness Predicate To prove that program S is (“weakly” or “partially”) correct with respect to pre-condition P and post-condition Q, it is sufficient to show: {P} S {Q}. Interpretation of {P} S {Q}: “if the input (initial state) satisfies pre-condition P and (if) program S executes and terminates, then the output (final state) must satisfy post-condition Q.”
Weak Correctness Predicate (cont’d) Truth table interpretation: P (before S executes) S terminates Q (after S executes) {P} S {Q} T YES must be T could be F F Don’t Care T* NO N/A * In this case, {P} S {Q} is said to be “vacuously true.”
Weak Correctness Predicate (cont’d) Truth table interpretation: P (before S executes) S terminates Q (after S executes) {P} S {Q} T YES must be T could be F F Don’t Care T* NO N/A * In this case, {P} S {Q} is said to be “vacuously true.”
Weak Correctness Predicate (cont’d) Truth table interpretation: P (before S executes) S terminates Q (after S executes) {P} S {Q} T YES must be T could be F F Don’t Care T* NO N/A * In this case, {P} S {Q} is said to be “vacuously true.”
Weak Correctness Predicate (cont’d) Truth table interpretation: P (before S executes) S terminates Q (after S executes) {P} S {Q} T YES must be T could be F F Don’t Care T* NO N/A * In this case, {P} S {Q} is said to be “vacuously true.”
Weak Correctness Predicate (cont’d) Note that {P} S {Q} is really just a “double conditional” of the form: (A Л B) C where A is “P holds before executing S”, B is “S terminates”, and C is “Q holds after executing S”. Therefore, the one and only case for which {P} S {Q} is false is: “Q could be false if S terminates, given that P held before S executes.”
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (1) {x=1} y := x+1 {y>0}
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (1) {x=1} y := x+1 {y>0} True, because if P holds initially, Q must hold when S terminates
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (2) {x>0} x := x-1 {x>0}
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (2) {x>0} x := x-1 {x>0} False, because Q may not hold when S terminates given that P holds initially.
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (3) {1=2} k := 5 {k<0}
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (3) {1=2} k := 5 {k<0} True (vacuously), since P cannot hold before S executes.
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (4) {true} while x <> 5 do x := x-1 {x=5} (Hint: When will S terminate?)
Weak Correctness Predicate (cont’d) What are the truth values of the following assertions? (4) {true} while x <> 5 do x := x-1 {x=5} (Hint: When will S terminate?) True, since Q must hold if S terminates.
Weak Correctness Predicate (cont’d) We now consider techniques for proving that such assertions hold for structured programs comprised of assignment statements, if-then (-else) statements, and while loops. (Why these constructs?)
Reasoning about Assignment Statements For each of the following pre-conditions, P, and assignment statements, S, identify a “strong” post-condition, Q, such that {P} S {Q} would hold. A “strong” post-condition captures all after-execution state information of interest. However, we won’t bother with assertions such as X=X’ (“the final value of X is the same as the initial value of X”) for the time being.
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 J := J+2 {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 J := J+2 {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {K=3} J := J+2 {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X<0 Л Y>0} {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X<0 Л Y=-X} {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X<0 Л Y=-X} {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X<0 Л Y=-X} {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Illustrative Example 17 X: ___ ___ ___ ___ ___ ___ ___ 1 2 3 4 5 6 7 1 2 3 4 5 6 7 {X[I]=J} J = 17, I = 4 I := I+1 17 X: ___ ___ ___ ___ ___ ___ ___ 1 2 3 4 5 6 7 {X[I-1]=J} J = 17, I = 4 5
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X<0 Л Y=-X} {X[I]=J} I := I+1 {X[I-1]=J} J := J+1
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=6} K := 3 {J=6 Л K=3} J := J+2 {J=8} {A<B} Min := A {A<B Л Min=A} {A<B Л B<C} D := C {A<B Л B<C Л D=C} {X<0} Y := -X {X<0 Л Y=-X} {X[I]=J} I := I+1 {X[I-1]=J} J := J+1 {X[I-1]=J-1}
Illustrative Example 17 X: ___ ___ ___ ___ ___ ___ ___ 1 2 3 4 5 6 7 1 2 3 4 5 6 7 {X[I-1]=J} J = 17, I = 5 J := J+1 17 X: ___ ___ ___ ___ ___ ___ ___ 1 2 3 4 5 6 7 {X[I-1]=J-1} J = 17 18, I = 5
Reasoning about Assignment Statements (cont’d) For each of the following post-conditions, Q, and assignment statements, S, identify a “weak” pre-condition, P, such that {P} S {Q} would hold. (A “weak” pre-condition reflects only what needs to be true initially.)
Reasoning about Assignment Statements (cont’d) {P} S {Q} I := 4 {J=7 Л I=4} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7Л I=4} I := 4 {J=7 Л I=4} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {K=17} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} {I>4} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} {I>4} I := I+2 {I>6} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} {I>4} I := I+2 {I>6} {X=7} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} {I>4} I := I+2 {I>6} {X=7} Y := X+3 {Y=10} {Y<8}
Reasoning about Assignment Statements (cont’d) {P} S {Q} {J=7} I := 4 {J=7 Л I=4} {true} {I=4} {false} {I=17} {I>4} I := I+2 {I>6} {X=7} Y := X+3 {Y=10} {X<5} {Y<8}
When does ({P} S {Q}) ({K} S {W})? We just determined that {J=7} I := 4 {J=7 Л I=4} holds. We can deduce from this that {J=7} I := 4 {J=7} also holds since {J=7 Л I=4} is stronger than {J=7}. That is, because: {J=7 Л I=4} {J=7}
When does ({P} S {Q}) ({K} S {W})? (cont’d) Similarly, if we know that {J=7} I := 4 {J=7 Л I=4} holds, it follows that {J=7 Л K=17} I := 4 {J=7 Л I=4} also holds since {J=7} is weaker than {J=7 Л K=17}. That is, because: {J=7 Л K=17} {J=7}
When does ({P} S {Q}) ({K} S {W})? (cont’d) Thus, we can replace pre-conditions with ones that are stronger, and post-conditions with ones that are weaker. Note that if A B, we say that A is stronger than B, or equivalently, that B is weaker than A.
Practice quiz question… In general, which would be the better marketing strategy for increasing your software sales…advertising the software as having a strong pre-condition and a weak post-condition, or vice-versa? Give a concrete example which illustrates your answer.
Reasoning about Sequencing Suppose that we know {X[I]=J} I := I+1 {X[I-1]=J} and we know {X[I-1]=J} J := J+1 {X[I-1]=J-1}.
Reasoning about Sequencing Suppose that we know {X[I]=J} I := I+1 {X[I-1]=J} and we know {X[I-1]=J} J := J+1 {X[I-1]=J-1}.
Reasoning about Sequencing Suppose that we know {X[I]=J} I := I+1 {X[I-1]=J} and we know {X[I-1]=J} J := J+1 {X[I-1]=J-1}. Then it follows that {X[I]=J} I := I +1 {X[I-1]=J} J := J+1 {X[I-1]=J-1}
Reasoning about Sequencing (cont’d) In general: if you know {P} S1 {R} and you know {R} S2 {Q} then you know {P} S1; S2 {Q}.
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3}
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2;
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7}
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A;
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A; {A=5 Л B=7 Л C=2}
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A; {A=5 Л B=7 Л C=2} D := A-C
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A; {A=5 Л B=7 Л C=2} D := A-C {A=5 Л B=7 Л C=2 Л D=3}
Example 1 ? Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A; {A=5 Л B=7 Л C=2} D := A-C {A=5 Л B=7 Л C=2 Л D=3} ?
Example 1 ? Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A; {A=5 Л B=7 Л C=2} D := A-C {A=5 Л B=7 Л C=2 Л D=3} {A=5 Л D=3} ?
Example 1 Prove the assertion: {A=5} B := A+2; C := B-A; D := A-C {A=5 Л D=3} {A=5} B := A+2; {A=5 Л B=7} C := B-A; {A=5 Л B=7 Л C=2} D := A-C {A=5 Л B=7 Л C=2 Л D=3} {A=5 Л D=3}
Reasoning about If_then_else Statements Consider the assertion: {P} if b then S1 else S2 {Q} What are the necessary conditions for this assertion to hold?
Necessary Conditions: If_then_else {P} T F b S1 S2 {Q}
Necessary Conditions: If_then_else {P} {P Л b } S1 {Q} T F b S1 S2 {Q}
Necessary Conditions: If_then_else {P} {P Л b } S1 {Q} T F b S1 S2 {Q}
Necessary Conditions: If_then_else {P} {P Л b } S1 {Q} T F b S1 S2 {P Л b} S2 {Q} {Q}
Necessary Conditions: If_then_else {P} {P Л b } S1 {Q} T F b “and” or “or” S1 S2 {P Л b} S2 {Q} {Q}
Necessary Conditions: If_then_else {P} {P Л b } S1 {Q} T F b and S1 S2 {P Л b} S2 {Q} {Q}
Reasoning about If_then Statements Consider the assertion: {P} if b then S {Q} What are the necessary conditions for this assertion to hold?
Necessary Conditions: If_then {P} T b F S {Q}
Necessary Conditions: If_then {P} {P Л b } S {Q} T b F S {Q}
Necessary Conditions: If_then {P} {P Л b } S {Q} T b and F S {Q}
Necessary Conditions: If_then {P} {P Л b } S {Q} T b and F S (P Л b) Q {Q}
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)}
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} P b S Q
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} (1) {P Л b } S {Q}: (2) (P Л b) Q: P b S Q
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} (1) {P Л b } S {Q}: {Z=B Л A>B} Z := A { ? } (2) (P Л b) Q: P b S Q
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} (1) {P Л b } S {Q}: {Z=B Л A>B} Z := A {Z=A Л A>B} (2) (P Л b) Q: P b S Q
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} (1) {P Л b } S {Q}: {Z=B Л A>B} Z := A {Z=A Л A>B} Q (2) (P Л b) Q: P b S Q
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} (1) {P Л b } S {Q}: {Z=B Л A>B} Z := A {Z=A Л A>B} Q (2) (P Л b) Q: (Z=B Л AB) ? P b S Q
Example 2 Prove the assertion: {Z=B} if A>B then Z := A {Z=Max(A,B)} (1) {P Л b } S {Q}: {Z=B Л A>B} Z := A {Z=A Л A>B} Q (2) (P Л b) Q: (Z=B Л AB) Q P b S Q
Proof Rules Before proceeding to while loops, let’s capture our previous reasoning about sequencing, selection statements, and state condition replacement in appropriate rules of inference (ROI). ROI for Sequencing: {P} S1 {R}, {R} S2 {Q} {P} S1; S2 {Q} (cont'd)
Proof Rules (cont’d) ROI for if_then_else statement: {P Л b } S1 {Q}, {P Л b} S2 {Q} {P} if b then S1 else S2 {Q} ROI for if_then statement: {P Л b } S {Q}, (P Л b) Q {P} if b then S {Q} (cont'd)
Proof Rules (cont’d) ROI for State Condition Replacement†: K P, {P} S {Q}, Q W {K} S {W} † Also known as the consequence rule.
Coming Up Next… Reasoning about iteration (while loops) Strong correctness and proving termination
Axiomatic Verification I Software Testing and Verification Lecture 17 Prepared by Stephen M. Thebaut, Ph.D. University of Florida