Functional Verification IV: Revisiting Loop Invariants


Functional Verification IV: Revisiting Loop Invariants Software Testing and Verification Lecture Notes 24 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Previously…
- Iteration Recursion Lemma (IRL)
- Termination predicate: term(f,P)
- Correctness conditions for while_do statement
- Correctness conditions for repeat_until statement
- Subgoal Induction

Topics
- Thinking about invariants again
- Invariant Status Theorem (IST): q(X)
- An important corollary
- Interesting properties of q(X)
- While Loop Initialization
- Utility of IST

Thinking about invariants again In Lecture Notes #18 we considered heuristics for synthesizing Q-adequate loop invariants. In Lecture Notes #23, it was observed that a loop computing a function maintains an important property of state across iterations: the function value of the current state, X, is the same as the function value of the initial state, X0. That is: f(X)=f(X0). We now expand on this observation and show that this property represents the weakest f-adequate loop invariant† over D(f)! † To be defined shortly...

Thinking about invariants again
Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively:

{true}
while z<>0 do
  y := y+1
  z := z−1
end_while
{z=0 ∧ y=y0+z0}

Can you identify a Q-adequate invariant, I, that could be used to prove this...?

Consider I: y = y0+(z0−z). This can be rewritten as: y+z = y0+z0.

Thinking about invariants again (cont’d)
Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop?

f = (z≥0 → y,z := y+z,0)

So, for f = (z≥0 → y,z := y+z,0), what is the relationship between f and the specified post-condition?

z=fz(X0)=0 ∧ y=fy(X0)=y0+z0. (This can be written more simply as just X=f(X0), where “X” is shorthand for “y,z”.)

But note that a specified post-condition is not an innate property of a program as is the program’s actual function! It just so happens that where f is defined, Q ≡ X=f(X0) in this particular case...

Thinking about invariants again (cont’d)
Getting back now to our Q-adequate invariant, I, where f = (z≥0 → y,z := y+z,0)... Recall that the IRL implies that after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is, f(X)=f(X0).

Thus, f(X)=f(X0) captures a recurring relationship between the values of variables on entry to a loop (denoted by X0), and their values after every iteration of a loop (denoted by X) computing f. What, then, is this relationship for the function (z≥0 → y,z := y+z,0)?

Where f is defined†, fy(X)=y+z and fy(X0)=y0+z0. Similarly, fz(X)=0 and fz(X0)=0. Setting f(X) equal to f(X0) for each variable gives:

0=0 ∧ y+z=y0+z0 ≡ I

† That is, for z≥0.

Thus, setting f(X) equal to f(X0) results in a Q-adequate loop invariant that could (by definition) be used with the while loop ROI to prove the given assertion! Are you not awestruck? But remember: the specified post-condition conveniently corresponds to the program’s actual function in this case.

Invariant Status Theorem (IST)
Let f = [while p do g]. If X0 ∈ D(f), X ∈ D(f), and q(X) = ( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties:
(1) q(X0) is true, and
(2) ( q(X) ∧ p(X) ) ⇒ q∘g(X).
In addition, q(X) is an f-adequate invariant; i.e.,
(3) ( q(X) ∧ ¬p(X) ) ⇒ ( X=f(X0) )
This represents the final state values as a function, f, of the initial state values.

Invariant Status Theorem (cont’d)
Proof. (1) q(X0) is true: q(X) = ( f(X)=f(X0) ), so q(X0) = ( f(X0)=f(X0) ) = true as desired. (Note that based on the definition of q(X), this property is a tautology.)

Invariant Status Theorem (cont’d)
Proof. (cont’d) (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X): For X ∈ D(f) we know p(X) ⇒ ( f(X)=f∘g(X) ) by the Iteration Recursion Lemma. Since q(X) = ( f(X)=f(X0) ) by definition, it follows that: ( q(X) ∧ p(X) ) ⇒ ( f∘g(X)=f(X0) ).

Invariant Status Theorem (cont’d)
Proof. (cont’d) But the right-hand side of ( q(X) ∧ p(X) ) ⇒ ( f∘g(X)=f(X0) ) is just ( f(g(X))=f(X0) ) = q(g(X)) = q∘g(X). Therefore, ( q(X) ∧ p(X) ) ⇒ q∘g(X) as desired.

Invariant Status Theorem (cont’d)
Proof. (cont’d) (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X=f(X0) ): If ¬p(X), then f(X) = I (the identity) by definition of the while construct. This can be rewritten as f(X) = X. And since q(X) = ( f(X)=f(X0) ), it follows that: ( ¬p(X) ∧ q(X) ) ⇒ ( X=f(X0) ) as desired.

An important corollary...
IST Corollary. Let f = [while p do g]. If X0 ∈ D(f), X ∈ D(f), and q(X) = ( f(X)=f(X0) ), then q is an f-adequate invariant of ANY program of the form while p do g for which properties (2) and (3) of the IST hold:
(2) ( q(X) ∧ p(X) ) ⇒ q∘g(X)
(3) ( q(X) ∧ ¬p(X) ) ⇒ ( X=f(X0) )
Thus, verifying these properties for a given while_do statement, K, and intended function, f, for which term(f,K) has already been shown, constitutes a proof that f = [K].

Informal interpretation of IST and its corollary as ROI’s
Where K is a while loop…

IST:
  f = [K]
  ─────────────────────────────────
  q is an f-adequate invariant of K

Corollary:
  term(f,K) ∧ q is an f-adequate invariant of K
  ─────────────────────────────────────────────
  f = [K]

Example 1
Consider the following assertion, where a0 and b0 represent the initial values of a and b, respectively:

{true}
while a<>0 do
  b := b*a
  a := a−1
end_while
{a=0 ∧ b=b0·a0!}

What function, f, is computed by the while loop?

f = (a≥0 → a,b := 0,b·a!)

Example 1 (cont’d)
For f = (a≥0 → a,b := 0,b·a!), an invariant q(X) = ( f(X)=f(X0) ) can be derived by tabulating f(X) and f(X0) for each member of the data space, X:

X | f(X)  | f(X0)
a | 0     | 0
b | b·a!  | b0·a0!

and equating components of f(X) and f(X0):

0 = 0
b·a! = b0·a0!

Example 1 (cont’d)
We can rewrite the second equation as: b = b0·(a0!/a!) and use it as an invariant to prove the given assertion using the while loop Rule of Inference. When combined with a≥0 (specifying the domain of f) we get:

q = ( b = b0·(a0!/a!) ∧ a≥0 )

Interesting properties of q(X) In the context of functional verification, loop invariants are generally a function of the current values of program variables (denoted by X), AND their values on entry to the loop (denoted by X0). Many f-adequate invariants may exist for a given loop, so what criteria might be used to determine which is the best to use? In general, we want f-adequate invariants to be as weak as possible. The weaker an invariant is (while still being f-adequate), the easier it will be to use.

Interesting properties of q(X) (cont’d)
Claim: q(X) = ( f(X)=f(X0) ) is the weakest f-adequate loop invariant over D(f) in the sense that it is implied by all others.
Proof: Let I(X) be any f-adequate loop invariant for (while p do g) over D(f), and let X0,X1,...,Xn be the states associated with the loop in D(f). Since Xn=f(X), we know I(f(X)) and ¬p(f(X)). And since I(X) is f-adequate ( I(X) ∧ ¬p(X) ⇒ X=f(X0) ), it follows that ( I(f(X)) ∧ ¬p(f(X)) ⇒ f(X)=f(X0) ). Therefore, for all X in D(f), I(X) ⇒ q(X) as claimed. (See Part 3, “The Loop Invariant f(X0)=f(X),” of the Dunlop/Basili paper.)

Interesting properties of q(X) (cont’d) To expand on the unique nature of q(X), note that the set of states satisfying f(X)=f(X0) includes ALL intermediate states that could possibly be generated by ANY while loop that computes f! Thus, q(X) is strong (i.e., specific) enough to describe the net effect of the loop on the input set D(f), but sufficiently weak (i.e., general) that it may offer no hint about the method used to achieve the effect.

Interesting properties of q(X) (cont’d)
Recall the program:

while z<>0 do
  y := y+1
  z := z−1
end_while

The function computed is: f = (z≥0 → y,z := y+z,0) and from the IST, the weakest f-adequate invariant over D(f) is: q(X) ≡ ( y+z = y0+z0 ∧ z≥0 ). Consider the sample {y0,z0} input: {2,4}. The loop then produces the series of states {2,4}, {3,3}, {4,2}, {5,1}, {6,0}. q(X), of course, agrees with these states, but it also agrees with {-3,9}! This implies that some loop that computes f could produce the intermediate state {-3,9} while mapping {2,4} to {6,0}. We further conclude that no loop that computes f could produce {4,4} as an intermediate state from the input {2,4}.
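The checker below is an added example and is not part of the lecture notes. It runs the y,z summation loop above and Example 1's factorial loop, records the states X0, X1, ..., Xn the loop actually produces, and tests the three IST properties of q(X) = ( f(X)=f(X0) ) on every state; it also reproduces the {2,4} trace and the {-3,9} / {4,4} observations of this slide. The loops and intended functions are the ones on the slides; the helper names (run_trace, q, check_ist, and the p_/g_/f_ functions) and the convention that f returns None outside D(f) are this example's own assumptions.

```python
import math

# Added example (not from the lecture notes): walk the states produced by
# `while p do g` and test the Invariant Status Theorem's properties of
# q(X) = ( f(X) = f(X0) ) on each one.  Helper names are this example's own;
# an intended function f returns None for states outside D(f).


def run_trace(p, g, x0):
    """States X0, X1, ..., Xn produced by `while p do g` started at x0."""
    states = [x0]
    x = x0
    while p(x):
        x = g(x)
        states.append(x)
    return states


def q(f, x0, x):
    """The IST invariant q(X) = ( f(X) = f(X0) ); False outside D(f)."""
    return f(x) is not None and f(x) == f(x0)


def check_ist(f, p, g, x0):
    """Check IST properties (1)-(3) along the trace from x0 (x0 must be in D(f)).

    (1) q(X0) holds;
    (2) q(X) and p(X) imply q(g(X));
    (3) q(X) and not p(X) imply X = f(X0).
    'holds_everywhere' records the IRL consequence that f(X) = f(X0)
    after every iteration, not only at the exit state.
    """
    states = run_trace(p, g, x0)
    holds_everywhere = all(q(f, x0, x) for x in states)
    step = all(q(f, x0, g(x)) for x in states if q(f, x0, x) and p(x))
    exit_ = all(x == f(x0) for x in states if q(f, x0, x) and not p(x))
    return {"q_x0": q(f, x0, x0), "step": step, "exit": exit_,
            "holds_everywhere": holds_everywhere, "states": states}


# Loop from the slides: state X = (y, z);  f = (z>=0 -> y,z := y+z,0)
def p_sum(x):
    y, z = x
    return z != 0

def g_sum(x):
    y, z = x
    return (y + 1, z - 1)

def f_sum(x):
    y, z = x
    return (y + z, 0) if z >= 0 else None


# Example 1: state X = (a, b);  f = (a>=0 -> a,b := 0,b*a!)
# g applies `b := b*a` before `a := a-1`, so b is multiplied by the old a.
def p_fact(x):
    a, b = x
    return a != 0

def g_fact(x):
    a, b = x
    return (a - 1, b * a)

def f_fact(x):
    a, b = x
    return (0, b * math.factorial(a)) if a >= 0 else None


if __name__ == "__main__":
    print(check_ist(f_sum, p_sum, g_sum, (2, 4)))
    # q agrees with {-3,9} but not with {4,4} for the input {2,4}
    print(q(f_sum, (2, 4), (-3, 9)), q(f_sum, (2, 4), (4, 4)))
    print(check_ist(f_fact, p_fact, g_fact, (3, 2)))
```

The checker is a test, not a proof: it confirms the properties along one concrete trace, whereas the IST establishes them for every X in D(f). What it does show concretely is the slide's point that q is loop-independent: q(f_sum, (2,4), (-3,9)) is true even though the given loop never visits {-3,9}, and q(f_sum, (2,4), (4,4)) is false because f maps {4,4} to {8,0}, not {6,0}.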

Interesting properties of q(X) (cont’d) Consider a more “concrete” (wood, aluminum, etc.) illustration of q’s properties... Let f represent a general mapping from an initial building construction state (e.g., a vacant lot) to a final construction state (a finished building). Let P be a specific, step-by-step, iterative construction process that produces a finished building in accordance with f.

Interesting properties of q(X) (cont’d)
In particular, suppose that from an initial building state, Svac, P produces the series of (successor) states:

Svac → SX → SK → ST → SY → Sfin

where Sfin represents a finished building.

Interesting properties of q(X) (cont’d)
Now, let q(S) = ( f(S)=f(S0) ) where S0 is the initial building state, S is the current building state, and S, S0 are in D(f). It follows, then, that q agrees with the series of states produced by P. That is: q(Svac), q(SX), q(SK), q(ST), q(SY), q(Sfin). But suppose q also holds for another state in D(f): SZ.

Interesting properties of q(X) (cont’d)
This would imply that some other iterative construction process, P’, that also results in a finished building in accordance with f, could produce SZ in the process of producing Sfin starting from Svac! Finally, suppose that q does NOT hold for SE.

Interesting properties of q(X) (cont’d) This would imply that no iterative construction process that results in a finished building in accordance with f could produce SE from the initial state Svac!

While Loop Initialization
In many situations, a loop invariant may hold by virtue of its initialization. In particular, given f = [while p do g], X0 ∈ D(f), a limited f-adequate invariant of the initialized while loop:

h; while p do g

is:

qh(X) = ( f(X)=f∘h(X0) )

While Loop Initialization (cont’d)
Such an invariant has the following properties:
(1) qh∘h(X0) is true, and
(2) ( qh(X) ∧ p(X) ) ⇒ qh∘g(X), and
(3) ( qh(X) ∧ ¬p(X) ) ⇒ ( X=f∘h(X0) )

Example 2
Consider the assertion:

{n≥0}
p := 1
k := 0
while k<>n do
  p := p*2
  k := k+1
end_while
{p=2^n}

What function, h, is computed by the loop initialization?

h = (p,k := 1,0)

What function, f, is computed by the while loop?

f = (k≤n → p,k := p·2^(n−k),n)

Example 2 (cont’d)
For f = (k≤n → p,k := p·2^(n−k),n), and h = (p,k := 1,0), an invariant qh(X) = ( f(X)=f∘h(X0) ) can be derived by tabulating f(X) and f∘h(X0) for each member of the data space:

X | f(X)       | f∘h(X0)
p | p·2^(n−k)  | (1)·2^(n0−0)
k | n          | n0

and equating components of f(X) and f∘h(X0):

p·2^(n−k) = (1)·2^(n0−0)
n = n0

Example 2 (cont’d)
When combined, these equations yield the invariant: p=2^k, which can be used with the while loop Rule of Inference to prove the given assertion. When the condition k≤n (specifying the domain of f) is included, we get:

q = ( p=2^k ∧ k≤n )
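The following Python is an added example, not part of the lecture notes. It applies the trace check to an initialized loop `h; while p do g` using the limited invariant qh(X) = ( f(X)=f∘h(X0) ), and then confirms by brute force, over a grid of states in D(f), that qh coincides with the simplified form derived by hand on the slide (p=2^k with k≤n). It goes one step beyond Example 2 by treating the Z := X; J := 1 multiplication loop of the Exercise the same way; the intended function f = (J≤Y → Z,J := Z+X·(Y−J),Y) for that loop is this example's own derivation, not stated on the slides, as are the helper names (run_initialized, check_limited_invariant, qh_matches_closed_form, the h_/p_/g_/f_ functions) and the grid bounds.

```python
# Added example (not from the lecture notes): check the limited invariant
# q_h(X) = ( f(X) = f∘h(X0) ) of an initialized loop `h; while p do g` along
# its trace, and compare q_h against a hand-derived closed form on a grid.
# Helper names are this example's own; f returns None outside D(f).


def run_initialized(h, p, g, x0):
    """States h(X0), X1, ..., Xn produced by `h; while p do g` started at x0."""
    x = h(x0)
    states = [x]
    while p(x):
        x = g(x)
        states.append(x)
    return states


def check_limited_invariant(f, h, p, g, x0):
    """Check properties (1)-(3) of q_h(X) = ( f(X) = f∘h(X0) ) on the trace."""
    target = f(h(x0))                       # f∘h(X0): the intended final state

    def qh(x):
        return f(x) is not None and f(x) == target

    states = run_initialized(h, p, g, x0)
    return {
        "q_init": qh(h(x0)),                                            # q_h∘h(X0)
        "step": all(qh(g(x)) for x in states if qh(x) and p(x)),        # q_h ∧ p ⇒ q_h∘g
        "exit": all(x == target for x in states if qh(x) and not p(x)), # q_h ∧ ¬p ⇒ X = f∘h(X0)
        "states": states,
    }


def qh_matches_closed_form(f, h, x0, closed_form, grid):
    """True if, on every state of `grid`, q_h(X) holds exactly when the
    hand-derived closed form holds (p = 2^k ∧ k ≤ n for Example 2)."""
    target = f(h(x0))
    return all((f(x) == target) == closed_form(x) for x in grid)


# Example 2: state X = (p, k, n); h = (p,k := 1,0); f = (k<=n -> p,k := p*2^(n-k), n)
def h_pow(x):
    p, k, n = x
    return (1, 0, n)

def p_pow(x):
    p, k, n = x
    return k != n

def g_pow(x):
    p, k, n = x
    return (p * 2, k + 1, n)

def f_pow(x):
    p, k, n = x
    return (p * 2 ** (n - k), n, n) if k <= n else None


# Exercise loop: state S = (Z, J, X, Y); h = (Z,J := X,1).
# The intended function f below is this example's derivation, not the slide's.
def h_mul(s):
    Z, J, X, Y = s
    return (X, 1, X, Y)

def p_mul(s):
    Z, J, X, Y = s
    return J != Y

def g_mul(s):
    Z, J, X, Y = s
    return (Z + X, J + 1, X, Y)

def f_mul(s):
    Z, J, X, Y = s
    return (Z + X * (Y - J), Y, X, Y) if J <= Y else None


if __name__ == "__main__":
    print(check_limited_invariant(f_pow, h_pow, p_pow, g_pow, (7, 7, 5)))
    grid = [(p, k, 5) for p in range(200) for k in range(8)]
    print(qh_matches_closed_form(f_pow, h_pow, (7, 7, 5),
                                 lambda x: x[0] == 2 ** x[1] and x[1] <= x[2], grid))
    print(check_limited_invariant(f_mul, h_mul, p_mul, g_mul, (0, 0, 3, 4)))
```

The initial p and k in x0 are deliberately garbage (7, 7): h overwrites them, which is exactly why the invariant is "limited" to the initialized loop and is stated in terms of f∘h(X0) rather than f(X0). The grid comparison is the mechanical counterpart of "combining the equations" on the slide: for a fixed n, p·2^(n−k) = 2^n with k ≤ n holds precisely when p = 2^k.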

Exercise
Recall that in Example 3 of Lecture Notes #18, we proved the assertion below using the invariant I: Z=X·J.

{true}
Z := X
J := 1
while J<>Y do
  Z := Z+X
  J := J+1
end_while
{Z=X·Y}

Exercise (cont’d) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem.


Utility of Invariant Status Theorem
Does the IST eliminate the need for heuristics to synthesize Q-adequate loop invariants? Unfortunately, no. The derivation of q(X) requires knowledge of the program function, f. Furthermore, if the specified post-condition, Q, is not of the form X=f(X0), the translation between Q and f may not be obvious. Finally, if Q is weaker than f, then q(X) will be stronger than needed and may, therefore, be more cumbersome to use than some weaker Q-adequate invariant.

Utility of Invariant Status Theorem (cont’d)
None of the functions considered so far has used conditional rules.† How does one determine q(X) for intended functions of the form f = (p1 → r1 | p2 → r2 | … | pk → rk)? This can be tedious since the rule employed to determine f(X0) for every initial state X0 plus those rules employed to determine f(X) for each of X0’s successor states must be considered. The problem is analogous to that encountered in showing p(X) ⇒ ( f(X)=f∘g(X) ) when the rule for f on the left-hand side of the equality may be different than that on the right-hand side of the equality (i.e., after applying g).
† Other than simple functions of the form (p → r).

Utility of Invariant Status Theorem (cont’d)
Would verifying the properties of q(X) for a given while_do statement, K, and hypothesized function, f, for which term(f,K) has been shown, constitute a proof that f = [K]? Yes, properties (2) and (3) of the IST are equivalent to the 2nd and 3rd while_do correctness conditions when using q(X) as the predicate. This is because ( q(X) ∧ p(X) ) ⇒ q∘g(X) follows from p(X) ⇒ ( f(X)=f∘g(X) ), and ( q(X) ∧ ¬p(X) ) ⇒ ( X=f(X0) ) follows from ¬p(X) ⇒ ( f(X) = I ). Also, since q(X) is the weakest f-adequate loop invariant for K, it is generally the “easiest” invariant over D(f) that can be used to verify that the loop computes f.

Utility of Invariant Status Theorem (cont’d)
For some additional important and interesting insights into the nature of q(X), functions, and both iterative and non-iterative program constructs, be sure to see problems 8 and 9 in Problem Set 7!

Summary
- Thinking about invariants again
- Invariant Status Theorem (IST): q(X)
- An important corollary
- Interesting properties of q(X)
- While Loop Initialization
- Utility of IST