TAP: Tests and Proofs, 12 February

Testing and Verifying Invariant Based Programs in the SOCOS Environment

Ralph-Johan Back, Johannes Eriksson and Magnus Myreen
Åbo Akademi University, Turku, Finland
Turku Centre for Computer Science
Centre for Reliable Software Technology
Approaches

[Diagram relating four artefacts: Program code, Contracts, Invariants, Verification conditions]
● "a posteriori verification": the program code comes first, verification conditions are derived from it afterwards
● "constructive approach": the contracts come first, the code is developed to meet them
● "invariant based programming": the invariants come first, the code and the verification conditions are constructed from them
Example: Sort an array!

Start with a pre-/postcondition specification
  Precondition:   A: Int[N]; A = A0
  Postcondition:  A: Int[N]; Sorted(A,0,N); Permutation(A,A0)

Extract common invariant
  Outer situation (holds throughout):  A: Int[N]; Permutation(A,A0)
  The initial situation adds A = A0, the final situation adds Sorted(A,0,N)

Construct a loop
  Situation LOOP (nested inside the outer situation):
    k: Int
    0≤k≤N
    Sorted(A,0,k)
    ∀i,j:Int . 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j]
  [Figure: A[0..k-1] is sorted and less than or equal to all of A[k..N-1]; A[k..N-1] is unsorted]

Add initial transition: k := 0 (from the initial situation to LOOP)
  What needs to be checked? The LOOP invariant with 0 substituted for k:
    0: Int                                          ✔
    0≤0≤N                                           ✔
    Sorted(A,0,0)                                   ✔
    ∀i,j:Int . 0≤i<0 ∧ 0≤j<N ⇒ A[i]≤A[j]           ✔ (vacuously)
    A: Int[N]                                       ✔
    Permutation(A,A0)                               ✔ (from A = A0)

Add exit transition: [k=N] (from LOOP to the final situation)
  Trivial: Sorted(A,0,k) ∧ k=N ⇒ Sorted(A,0,N)

Add loop transition: [k<N] m := min(A,k,N); A := A[k←A[m], m←A[k]]; k := k+1 (from LOOP back to LOOP)
  Verification condition:
    A: Int[N] ∧ Permutation(A,A0) ∧ k: Int ∧ 0≤k≤N ∧ Sorted(A,0,k)
    ∧ (∀i,j:Int . 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j])
    ∧ k<N ∧ m=min(A,k,N) ∧ A' = A[k←A[m], m←A[k]]
    ⇒
    A': Int[N] ∧ Permutation(A',A0) ∧ k+1: Int ∧ 0≤k+1≤N ∧ Sorted(A',0,k+1)
    ∧ (∀i,j:Int . 0≤i<k+1 ∧ k+1≤j<N ⇒ A'[i]≤A'[j])
  Proof: BELIEVE ME

Add a termination function: N-k
  (loop transition now written A := Swap(A,k,min(A,k,N)); k := k+1)
  Variant decreases:    N-(k+1) < N-k
  Bounded from below:   0≤k≤N ⇒ 0≤N-k
The SOCOS Tool
● "Software COnstruction Site"
● An editor for invariant diagrams
● Higher-order specifications and formal semantics
● Goal: higher assurance
  – Testing: find common errors
  – Extended static checking: find common errors and insufficient (too weak) invariants
  – Interactive proofs: total correctness
SOCOS User Interface
[screenshot]
Program Constructs
● Procedures with pre- and postconditions
● Statements
  – if .. fi, assignment, assertion, procedure call
● Simple data types
  – integers, booleans
  – strings, arrays
● Data invariants
Testing/Debugging
Formal Verification
● Verification conditions can be generated for the whole program, or for a single procedure/transition/situation
● Verification conditions are generated and sent to external proof tools
● Three types of verification conditions:
  – Consistency (for transitions)
  – Completeness (for situations)
  – Termination (for loops)
Consistency
● Each transition S from situation I1 to situation I2 should establish its target:
    I1 ⇒ wp(S, I2)
Completeness (liveness)
● At least one transition from each (non-terminal) situation should be enabled.
● Let S* = if … fi be the choice between all transitions leaving situation I. If no guard is enabled, S* behaves as magic (the miraculous statement that establishes False), so the condition is
    I ⇒ ¬wp(S*, False)
Termination
● Every transition S_j in a cycle must not increase the variant V (for all j):
    I_j ∧ V=V0 ⇒ wp(S_j, 0≤V≤V0)
● At least one transition S_k in the cycle must decrease V (for some k):
    I_k ∧ V=V0 ⇒ wp(S_k, 0≤V<V0)
Backends
● Testing: the diagram is converted to a Python program, with run-time evaluation of invariants
● Static checking: verification conditions are sent to Simplify, a fully automatic prover
● Full verification: PVS is used for full verification of the final components
(ordered from lower to higher assurance →)
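What the testing backend's conversion amounts to, as an added example rather than SOCOS output: the selection-sort diagram from the slides (situations, invariants, guards and the variant N-k) encoded as a Python program that evaluates the situation invariant on every entry (consistency), checks that some guard is enabled before leaving LOOP (completeness) and checks that the variant is bounded and decreases on the loop transition (termination). The Python names (`run`, `inv_loop`, `broken_step`, ...) and the sample inputs are this example's own; `broken_step` is a constructed faulty transition, not anything on the slides.

```python
"""Run-time evaluation of an invariant diagram, in the spirit of the SOCOS
testing backend.  Added example: situations, invariants and transitions are
taken from the selection-sort diagram on the slides; the Python encoding,
names and sample inputs are assumptions of this example, not SOCOS output."""


class InvariantViolation(AssertionError):
    """Raised when a run-time check of a situation invariant, a guard set
    or the termination function fails."""


def check(cond, msg):
    if not cond:
        raise InvariantViolation(msg)


# --- predicates used in the diagram -------------------------------------

def is_sorted(A, lo, hi):
    """Sorted(A, lo, hi): A[lo..hi-1] is non-decreasing."""
    return all(A[i] <= A[i + 1] for i in range(lo, hi - 1))


def is_permutation(A, A0):
    """Permutation(A, A0): A and A0 hold the same multiset of elements."""
    return sorted(A) == sorted(A0)


def argmin(A, lo, hi):
    """min(A, lo, hi): index of a smallest element of A[lo..hi-1] (lo < hi)."""
    m = lo
    for i in range(lo + 1, hi):
        if A[i] < A[m]:
            m = i
    return m


# --- situation invariants; the state s holds A0, A, N and k ---------------

def inv_initial(s):
    return len(s["A"]) == s["N"] and s["A"] == s["A0"]


def inv_loop(s):
    A, N, k = s["A"], s["N"], s["k"]
    return (len(A) == N and is_permutation(A, s["A0"])
            and 0 <= k <= N
            and is_sorted(A, 0, k)
            and all(A[i] <= A[j] for i in range(k) for j in range(k, N)))


def inv_final(s):
    return is_permutation(s["A"], s["A0"]) and is_sorted(s["A"], 0, s["N"])


def variant(s):
    """Termination function of the loop: N - k."""
    return s["N"] - s["k"]


# --- transitions ---------------------------------------------------------

def selection_step(A, k, N):
    """Loop transition from the slides: A := Swap(A,k,min(A,k,N)); k := k+1."""
    m = argmin(A, k, N)
    A[k], A[m] = A[m], A[k]
    return k + 1


def broken_step(A, k, N):
    """Constructed faulty transition: advances k without moving the minimum.
    A stays a permutation and A[0..k-1] may stay sorted, so only the
    'A[0..k-1] <= A[k..N-1]' conjunct of the LOOP invariant exposes it."""
    return k + 1


def run(A0, step=selection_step):
    """Execute the diagram on A0, checking every situation invariant on
    entry, guard exhaustiveness before leaving LOOP, and the variant on the
    loop transition.  Returns the sorted array or raises InvariantViolation."""
    s = {"A0": list(A0), "A": list(A0), "N": len(A0), "k": None}
    check(inv_initial(s), "initial situation")
    s["k"] = 0                                    # initial transition k := 0
    check(inv_loop(s), "LOOP invariant after k := 0")
    while True:
        guards = {"exit": s["k"] == s["N"], "loop": s["k"] < s["N"]}
        check(any(guards.values()), "completeness: no transition enabled in LOOP")
        v0 = variant(s)
        check(v0 >= 0, "termination: variant not bounded from below")
        if guards["exit"]:                        # exit transition [k = N]
            check(inv_final(s), "final situation (postcondition)")
            return s["A"]
        s["k"] = step(s["A"], s["k"], s["N"])    # loop transition [k < N]
        check(inv_loop(s), "LOOP invariant after loop transition")
        check(variant(s) < v0, "termination: variant did not decrease")


def first_violation(A0, step=selection_step):
    """Run the diagram and report the first failed check, or None."""
    try:
        run(A0, step)
        return None
    except InvariantViolation as e:
        return str(e)


if __name__ == "__main__":
    print(run([3, 1, 2]))                         # constructed input
    print(first_violation([2, 1], broken_step))   # the faulty transition is caught
```

Two things this run-time view makes visible. First, `broken_step` is only caught on an input that actually reaches a state outside the invariant ([2, 1] fails, an already sorted [1, 2, 3] passes), which is the "find common errors" level of assurance on the SOCOS slide. Second, deleting the ∀i,j conjunct from `inv_loop` would never make a run of the correct `selection_step` fail, although the weakened invariant no longer lets the exit transition establish the postcondition; an insufficient invariant is only detected when the verification condition is checked, which is why the slides leave that to extended static checking and proof.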
Conclusion and Future Work
● Specifications and invariants are the main building blocks
● Correct programs can be developed incrementally
● Currently used in teaching program semantics
● Future work
  – Scalability: refinement, object-orientation
  – Larger case studies
  – Background checking
  – Test case generation
Thank You