19.1.2012 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut.


Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2 H. Schlingloff, Software Verification I
Course evaluation
Mandatory for the HU, in the interest of the students
Period: until ; online: ; password (token): inf-ws
Security improved by a so-called captcha (Completely Automated Public Turing test to tell Computers and Humans Apart)
For questions: Dr. Elke Warmuth, Dean of Studies, Tel. ,

Slide 3 H. Schlingloff, Software Verification I
Pre- and Postconditions
Dijkstra: wp-calculus (weakest precondition)
- characterize the "weakest" formula which makes a Hoare triple valid
- ψ = wp(α, φ) iff ⊢ [ψ] α [φ] and ⊢ (ψ' → ψ) for every ψ' for which ⊢ [ψ'] α [φ]
- ψ = wlp(α, φ) iff ⊢ {ψ} α {φ} and ⊢ (ψ' → ψ) for every ψ' for which ⊢ {ψ'} α {φ} (weakest liberal precondition, see later)
Example: wp(x++, x==7) = (x==6)
Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic

Slide 4 H. Schlingloff, Software Verification I
wp(skip, φ) = φ
wp(x=t, φ) = φ[x:=t]
wp({α1; α2}, φ) = wp(α1, wp(α2, φ))
wp(if (b) α1 else α2, φ) = ((b → wp(α1, φ)) ∧ (¬b → wp(α2, φ)))
wp(while (b) α, φ) = ∃z ψ(z) ∧ ∀z((b ∧ ψ(z)) → ∃z' (z'<z ∧ wp(α, ψ(z')))) ∧ ∀z((¬b ∧ ψ(z)) → φ)
where ψ is a loop variant and < a well-founded order (wfo), z a new variable.
! This is a non-constructive definition ! Existence???

Slide 5 H. Schlingloff, Software Verification I
Examples
wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10
wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7)) = wp(x*=2, x>10) = x>5
wp(if (a<b) a=b else skip, a>=b) = ((a<b → wp(a=b, a>=b)) ∧ (a>=b → wp(skip, a>=b))) = ((a<b → b>=b) ∧ (a>=b → a>=b)) = T
wp(while (i>0) i--, i==0) = i>=0

Slide 6 H. Schlingloff, Software Verification I
Partial Correctness
Weakest liberal precondition wlp(α, φ)
wlp(while (b) α, φ) = ψ ∧ ((b ∧ ψ) → wlp(α, ψ)) ∧ ((¬b ∧ ψ) → φ), where ψ is a loop invariant
Dijkstra also used nondeterministic programs ("guarded commands")
- guarded-command-program ::= while-program | guarded-command
- guarded-command ::= b : e | b : e [] guarded-command
- b: condition, e: guarded-command-program

Slide 7 H. Schlingloff, Software Verification I
Strongest Postconditions
Dual to the weakest precondition: the strongest formula which can be guaranteed to hold after execution
- ψ = sp(α, φ) iff ⊢ {φ} α {ψ} and ⊢ (ψ → ψ') for every ψ' for which ⊢ {φ} α {ψ'}
- sp(x=t, φ) = ∃z (x==t[x:=z] ∧ φ[x:=z]) (z new)
- e.g. sp(x=x-3, x>7) = ∃z (x==z-3 ∧ z>7) = x>4
Pre- and postconditions are important in the presence of methods and procedures
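The wp rules of slide 4, the examples of slides 3 and 5 and the sp rule for assignment of slide 7, carried out by a small program. This is an added example, not code from the lecture: it encodes the loop-free fragment of the while-language and the formulas as nested tuples (a constructed encoding), computes wp and sp symbolically by substitution exactly as the rules state, and, because the slides give their results only up to logical equivalence, confirms each claim by evaluating both sides on every assignment from a small integer range. The ranges DOMAIN and QDOM and the helper names are assumptions of the example; the while rule is left out because the slide marks it as non-constructive.

```python
import itertools

# Terms and formulas as nested tuples (constructed encoding for this example):
#   ('var', 'x') | ('num', 3) | ('op', '+', e1, e2) | ('op', 'not', f) | ('exists', 'z', f)
def V(name):
    return ('var', name)

def N(value):
    return ('num', value)

def op(o, *args):
    return ('op', o, *args)

OPS = {
    '+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
    '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
    '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
    '==': lambda a, b: a == b, '!=': lambda a, b: a != b,
    'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
    '->': lambda a, b: (not a) or b, 'not': lambda a: not a,
}
DOMAIN = range(-10, 11)   # values tried for free variables when comparing two formulas
QDOM = range(-40, 41)     # values tried for a quantified variable (wide enough for DOMAIN)
TRUE = op('==', N(0), N(0))

def subst(e, x, t):
    """e[x:=t]: replace every free occurrence of variable x in e by the term t."""
    if e[0] == 'var':
        return t if e[1] == x else e
    if e[0] == 'num':
        return e
    if e[0] == 'exists':                 # a bound occurrence of x is not substituted
        return e if e[1] == x else ('exists', e[1], subst(e[2], x, t))
    return (e[0], e[1]) + tuple(subst(a, x, t) for a in e[2:])

def ev(e, env):
    """Evaluate a term or formula under an environment (dict: variable -> int)."""
    if e[0] == 'var':
        return env[e[1]]
    if e[0] == 'num':
        return e[1]
    if e[0] == 'exists':
        return any(ev(e[2], {**env, e[1]: v}) for v in QDOM)
    return OPS[e[1]](*(ev(a, env) for a in e[2:]))

def equivalent(f, g, free_vars):
    """Brute-force check that formulas f and g agree on every assignment over DOMAIN."""
    for vals in itertools.product(DOMAIN, repeat=len(free_vars)):
        env = dict(zip(free_vars, vals))
        if bool(ev(f, env)) != bool(ev(g, env)):
            return False
    return True

# Statements: ('skip',) | ('assign', x, t) | ('seq', s1, s2) | ('if', b, s1, s2)
def wp(stmt, post):
    """Weakest precondition by the slide's rules for the loop-free fragment."""
    kind = stmt[0]
    if kind == 'skip':
        return post                                   # wp(skip, phi) = phi
    if kind == 'assign':
        _, x, t = stmt
        return subst(post, x, t)                      # wp(x=t, phi) = phi[x:=t]
    if kind == 'seq':
        _, s1, s2 = stmt
        return wp(s1, wp(s2, post))                   # wp({s1; s2}, phi) = wp(s1, wp(s2, phi))
    if kind == 'if':
        _, b, s1, s2 = stmt                           # (b -> wp(s1, phi)) and (not b -> wp(s2, phi))
        return op('and', op('->', b, wp(s1, post)), op('->', op('not', b), wp(s2, post)))
    raise ValueError(f'unknown statement {kind}')

def sp_assign(x, t, pre, fresh='z'):
    """sp(x=t, phi) = exists z (x == t[x:=z] and phi[x:=z]), z a fresh variable."""
    z = V(fresh)
    return ('exists', fresh, op('and', op('==', V(x), subst(t, x, z)), subst(pre, x, z)))

def slide_examples():
    """Re-derive the slides' examples; each entry is True iff the stated result is confirmed."""
    x, a, b = V('x'), V('a'), V('b')
    x_gt_7 = op('>', x, N(7))
    ex0 = wp(('assign', 'x', op('+', x, N(1))), op('==', x, N(7)))          # x+1==7
    ex1 = wp(('assign', 'x', op('-', x, N(3))), x_gt_7)                      # x-3>7
    ex2 = wp(('seq', ('assign', 'x', op('*', x, N(2))),
                     ('assign', 'x', op('-', x, N(3)))), x_gt_7)             # 2x-3>7
    ex3 = wp(('if', op('<', a, b), ('assign', 'a', b), ('skip',)), op('>=', a, b))
    ex4 = sp_assign('x', op('-', x, N(3)), x_gt_7)                           # exists z (...)
    return {
        'wp(x++, x==7) == x==6': equivalent(ex0, op('==', x, N(6)), ['x']),
        'wp(x=x-3, x>7) == x>10': equivalent(ex1, op('>', x, N(10)), ['x']),
        'wp({x*=2; x-=3}, x>7) == x>5': equivalent(ex2, op('>', x, N(5)), ['x']),
        'wp(if (a<b) a=b else skip, a>=b) == T': equivalent(ex3, TRUE, ['a', 'b']),
        'sp(x=x-3, x>7) == x>4': equivalent(ex4, op('>', x, N(4)), ['x']),
    }

if __name__ == '__main__':
    for claim, ok in slide_examples().items():
        print(('OK   ' if ok else 'FAIL ') + claim)
```

The symbolic side (subst, wp, sp_assign) is exactly the calculus; the bounded evaluation is only there to replace the algebraic simplification steps the slide does by hand (x-3>7 = x>10), so a wrong rule, or a wrong simplification, shows up as a FAIL line.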

Slide 8 H. Schlingloff, Software Verification I
Functions and Procedures
while-programs: whileProg ::= skip | V=T | {whileProg; whileProg} | if (FOL-formula) whileProg else whileProg | while (FOL-formula) whileProg
T is the set of terms in the signature Σ = (D, F, R)
Now: extended signature Σ' = (D ∪ {void}, F ∪ F', R)
If f is of type void, then f(x1,...,xn) is an (imperative) program
term ::= F(T,...,T) | F'(T,...,T)
for each f ∈ F' there must be a declaration: decl ::= type F'(V,...,V); whileProg
V in decl are called formal parameters
T in terms are called actual parameters

Slide 9 H. Schlingloff, Software Verification I
No alias: formal parameters should be pairwise different
No scoping: formal parameters must be different from program variables
return statement as assignment to the function name
If a function or procedure name occurs directly or indirectly in the call graph of its declaration, it is called recursive → for the time being: no recursion
There are various ways to pass actual parameters for formal ones (value, reference, name, ...) → for the time being, we use only call-by-value → passing value w to formal parameter v has the same effect as the assignment v=w at the entry of the procedure or function

Slide 10 H. Schlingloff, Software Verification I
Example
int min (int a, int b)
    if (a<b) min=a else min=b;
int max (int a, int b)
    if (a>b) max=a else max=b;
int gcd (int a, int b)
    while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }

Slide 11 H. Schlingloff, Software Verification I
Example
int min (int a, int b)
    if (a<b) min=a else min=b;
{x = 5; y = 7; z = min (x, y)}
is equivalent to
{ x = 5; y = 7; a = x; b = y; if (a<b) min=a else min=b; z = min; }
need pre- and postconditions to show assertions

Slide 12 H. Schlingloff, Software Verification I
Example
int min (int a, int b)
    if (a<b) min=a else min=b;
    {min<=a ∧ min<=b ∧ (min==a ∨ min==b)}
int max (int a, int b)
    if (a>b) max=a else max=b;
    {max>=a ∧ max>=b ∧ (max==a ∨ max==b)}
int gcd (int a, int b)
    {a==m>0 ∧ b==n>0}
    while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }
    gcd = a;
    {gcd|m ∧ gcd|n ∧ ...}

Slide 13 H. Schlingloff, Software Verification I
Contracts
weakest preconditions and strongest postconditions are related to the require-ensure paradigm (also called assume-guarantee paradigm):
/* requires φ ensures ψ */ void foo(...) α;
is equivalent to (φ → wp(α, ψ)) ∧ (sp(α, φ) → ψ)
such a statement is called a contract
use of contract: {φ[x1:=t1,...,xn:=tn]} foo(t1,...,tn) {ψ}
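Slides 9 to 13 in working form, as an added example that is not the lecture's code: the three declarations of slide 12 are modelled as Python functions over an explicit frame (a dict), call-by-value is implemented literally as the assignments v=w at entry into a fresh frame (so there is no aliasing and no scoping), the result is returned through a variable named like the function, and each requires/ensures contract is checked exhaustively over a small integer domain. The Procedure class, the predicates as Python callables, the test ranges and the maximality clause standing in for the "..." in the slide's gcd postcondition are all assumptions of this example.

```python
import itertools

class Procedure:
    """Declaration 'type name(formals); body' plus a requires/ensures contract.

    Contract predicates are Python callables over frames (dict: variable -> int):
    requires(entry) and ensures(entry, exit).  'entry' is the frame at entry and
    plays the role of the slide's logical variables m, n; 'exit' is the frame
    after the body has run.  (Constructed encoding for this example.)
    """
    def __init__(self, name, formals, body, requires, ensures):
        if len(set(formals)) != len(formals):
            raise ValueError('no alias: formal parameters must be pairwise different')
        self.name, self.formals, self.body = name, formals, body
        self.requires, self.ensures = requires, ensures

    def call(self, *actuals):
        """Call-by-value: passing w to formal v has the effect of the assignment v=w at entry."""
        frame = dict(zip(self.formals, actuals))    # fresh frame: no scoping, no alias
        self.body(frame)
        return frame[self.name]                      # return = assignment to the function name

    def check_contract(self, domain):
        """Exhaustively test {requires} body {ensures} for all actuals taken from domain."""
        checked = 0
        for actuals in itertools.product(domain, repeat=len(self.formals)):
            entry = dict(zip(self.formals, actuals))
            if not self.requires(entry):
                continue                             # caller outside the precondition
            exit_frame = dict(entry)
            self.body(exit_frame)
            if not self.ensures(entry, exit_frame):
                raise AssertionError(f'{self.name}{actuals}: ensures violated')
            checked += 1
        return checked

# Bodies of the slide's three declarations, written against the frame.
def min_body(s):                      # int min(int a, int b) if (a<b) min=a else min=b
    s['min'] = s['a'] if s['a'] < s['b'] else s['b']

def max_body(s):                      # int max(int a, int b) if (a>b) max=a else max=b
    s['max'] = s['a'] if s['a'] > s['b'] else s['b']

def gcd_body(s):                      # int gcd(int a, int b): the slide's loop, then gcd = a
    while s['a'] != s['b']:
        s['c'] = MAX.call(s['a'], s['b']) - MIN.call(s['a'], s['b'])
        s['a'] = MIN.call(s['a'], s['b'])
        s['b'] = s['c']
    s['gcd'] = s['a']

def divides(d, n):
    return n % d == 0

MIN = Procedure('min', ['a', 'b'], min_body,
                lambda e: True,
                lambda e, x: x['min'] <= e['a'] and x['min'] <= e['b']
                             and (x['min'] == e['a'] or x['min'] == e['b']))
MAX = Procedure('max', ['a', 'b'], max_body,
                lambda e: True,
                lambda e, x: x['max'] >= e['a'] and x['max'] >= e['b']
                             and (x['max'] == e['a'] or x['max'] == e['b']))
GCD = Procedure('gcd', ['a', 'b'], gcd_body,
                lambda e: e['a'] > 0 and e['b'] > 0,                         # a==m>0 and b==n>0
                lambda e, x: divides(x['gcd'], e['a']) and divides(x['gcd'], e['b'])   # gcd|m and gcd|n
                             # maximality: an assumption standing in for the slide's "..."
                             and not any(divides(d, e['a']) and divides(d, e['b'])
                                         for d in range(x['gcd'] + 1, max(e['a'], e['b']) + 1)))

def call_vs_inline(x, y):
    """Slide 11: {x=..; y=..; z = min(x, y)} and the inlined program give the same z."""
    state = {'x': x, 'y': y}
    z_call = MIN.call(state['x'], state['y'])
    state['a'] = state['x']                          # a = x; b = y: actuals to formals
    state['b'] = state['y']
    min_body(state)                                  # if (a<b) min=a else min=b
    state['z'] = state['min']                        # z = min
    return z_call, state['z']

def use_contract(proc, state, actual_names):
    """Slide 13: {phi[x1:=t1,...,xn:=tn]} foo(t1,...,tn) {psi}.
    The caller establishes the precondition with the actuals substituted for the
    formals and may then rely on the postcondition for the result, without
    re-reading the body (check_contract is what justifies that)."""
    entry = {v: state[t] for v, t in zip(proc.formals, actual_names)}
    if not proc.requires(entry):                     # phi[x:=t] does not hold at the call site
        return None
    return proc.call(*(state[t] for t in actual_names))

if __name__ == '__main__':
    for p, dom in ((MIN, range(-3, 4)), (MAX, range(-3, 4)), (GCD, range(1, 13))):
        print(p.name, 'contract holds on', p.check_contract(dom), 'cases')
    print('call vs inline:', call_vs_inline(5, 7))
    print('z = gcd(x, y) with x=12, y=18:', use_contract(GCD, {'x': 12, 'y': 18}, ['x', 'y']))
```

The precondition a>0 ∧ b>0 is what keeps the gcd loop from running forever, which is why check_contract skips inputs outside it rather than running the body; and because the body of gcd overwrites a and b, its postcondition has to be stated against the entry frame, which is exactly the role the slide gives the logical variables m and n.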