A Tutorial on Functional Program Verification TR #10-26 September 2010, revised August 2011 Yoonsik Cheon Melisa Vela Presented by Aditi Barua 1

Functional program verification Formal program verification technique Based on Cleanroom Software Engineering Involves: Viewing program as a mathematical function (code function) Documenting function that computes the expected behavior of the code(intended function) Comparing the intended function and the code function. Introduction 2

Advantages Requires minimal mathematical background. Reflects the way programmers verify correctness of program. Helps one to be proficient with other verification technique. 3

Writing Intended Function & Code Function Program as mathematical function from one state to another Initial state : {x->10, sum->100} sum=sum + x; Final state :{x->10, sum->110} 4

Concurrent Assignment Notation to express function that only states changes in input state. [x 1, x 2,…, x n := e 1, e 2, …, e n ] Each x i ’s new value is e i Evaluated concurrently at initial state Program’s variables do not appear remain same. Example: 1) sum= sum + x; [sum: = sum +x] 2) x = x + y; y = x - y;[x, y: = y, x] x = x - y; 5

Conditional Concurrent Assignment Different functions for different conditions. Conditions are evaluated in initial state. Conditions are evaluated sequentially. If multiple conditions hold, function for first matched condition is picked. Example: [x>0 -> sign : = 1 |x sign :=-1 |else -> sign := 0] 6

Special Symbols and keywords Identity function denoted by I [n > maxSize -> n:= maxSize| else -> I] undefined: [n > 0 -> avg:= sum/n| else -> undefined] anything [sum, i := sum + ∑ j=i…a.length-1 a[j], anything] while(i<a.length){ sum = + a[i]; i++; } 7

Verifying Correctness Verification involves showing two properties: dom of f ⊆ dom of p where f=intended function, p= code function. (p(x) = f(x) for x ∈ dom(f)) Assignment Statement Code function and intended function is often x=x+1; 8

Verifying Correctness Sequential Composition Annotated code [n > 0 → sum, avg := sum+a, (sum+a)/n] sum = sum + a; avg = sum / n; Proof of correctness [sum := sum + a]; [n != 0 → avg := sum=n] ≡ [n!= 0 → sum; avg := sum + a;(sum + a)/n] ⊑ [n > 0 → sum; avg := sum + a;(sum + a)/n] 9

Sequential Composition(Cont.) Trace table x = x + 1; y = 2 * x; z = x * y; x = x + 1; y = 3 * x; Statementsxyz x = x + 1;x+1 y = 2 * x;2*(x+1) z = x * y;(x+1)*2(x+1) x = x + 1;x+2 y = 3 * x;3(x+2) [x, y, z := x+2, 3(x+2), 2x 2 +4x+2] 10

Sequential Composition(Cont.) Modular Verification Annotated code [f0] [f1] S1; [f2] S2; Proof of correctness (f1;f2 ⊑ f0). (S1 ⊑ f1) (S2 ⊑ f2) 11

Conditional Trace table p = a * r; if (a < b) b = b - a; else b = b - p; StatementConditionpb p = a * r; if (a < b) b = b - a; a<ba * rb-a p = a * r; if (a < b) b = b - p; a>=ba * r;b- (a*r) [a < b → p, b := a*r, b-a | a ≥ b → p, b := a*r, b-(a*r)] Conditional Statement 12

Case Analysis Annotated code [f] if (B) S1; else S2; Proof of correctness (B ⇒ S1 ⊑ f) (¬B ⇒ S2 ⊑ f) Conditional Statement(Cont.) 13

[f1] while (B) S [f1] if (B) { S while (B) S } Verifying Iteration [f1] if (B) { S [f1] } More involved as there is no known algorithm to calculate code function for whole statements. Solution: Proof by Induction Intended function is the induction hypothesis. 14

Annotated code Verifying Iteration(Cont.) Using induction to prove correctness of while statement. Proof of correctness Need to discharge following three proof obligations: 1) Termination of the loop 2) Basis step: ¬(i < a:length) ⇒ I ⊑ f1 3) Induction step: i < a:length ⇒ f2;f1 ⊑ f1 and the correctness of f2 and its code [f1] if (B) { S [f1] } [f1] while (B) S 15

Initialized Loop Uninitialized loop is a Generalization of initialized loop. Loop preceded with initialization computes something useful. Example: f 1 :[sum, i := sum + ∑ j=i…a.length-1 a[j], anything]*/ while(i<a.length){ 2 : [sum,I := sum + a[i], i+1] sum = + a[i]; i++; } 16

Verification of Initialized Loop Annotated code [f0] [f1] S1 [f2] while (B) { [f3] S2 } Proof of correctness Discharging the following proof obligations: 1 ) f1;f2 ⊑ f0. 2) S1 ⊑ f1. 3) while (B) S2 ⊑ f2, which requires the following subproofs. a) Termination of the loop. b) Basis step: ¬B ⇒ I ⊑ f2. c) Induction step: B ⇒ f3;f2 ⊑ f2 and S2 ⊑ f3. 17

Exercise Annotate with intended function while (i < a.length) { if (a[i] > k) { r++; } i++; } 18

Solution // f 1 : [r, i := r + ∑ j=i…a.length-1 (a[j] > 0 ? 1 : 0), anything] while (i < a.length) { // f 2 : [r, i := a[i] > 0 ? r + 1 : r, i + 1] // [r := a[i] > 0 ? r + 1 : r] if (a[i] > k) { [r:=r+1] r++; } [i:= i+1] i++; } 19

Reference Yoonsik Cheon and Melisa Vela. A Tutorial on Functional Program Verification, Technical Report 10-26, Department of Computer Science, University of Texas at El Paso, El Paso, TX, September