Program verification: flowchart programs Book: chapter 7
History
Verification of flowchart programs: Floyd, 1967
Hoare's logic: Hoare, 1969
Linear Temporal Logic: Pnueli, Krueger, 1977
Model Checking: Clarke & Emerson, 1981
Program Verification
Predicate (first order) logic
Partial correctness, total correctness
Flowchart programs
Invariants, annotated programs
Well-founded ordering (for termination)
Hoare's logic
Predicate (first order) logic
Variables, functions, predicates
Terms
Formulas (assertions)
Signature
Variables: v1, x, y18. Each variable represents a value of some given domain (int, real, string, …).
Function symbols: f(_,_), g2(_), h(_,_,_). Each function has an arity (number of parameters), a domain for each parameter, and a range. f: int*int->int (e.g., addition), g: real->real (e.g., square root). A constant is a predicate with arity 0.
Relation symbols: R(_,_), Q(_). Each relation has an arity and a domain for each parameter. R: real*real (e.g., greater than), Q: int (e.g., is a prime).
Terms
Terms are objects that have values. Each variable is a term. Applying a function with arity n to n terms results in a new term.
Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0))
More familiar notation: sqr(v1+5.0)
Formulas
Applying predicates to terms results in a formula: R(v1,5.0), Q(x). More familiar notation: v1>5.0
One can combine formulas with the boolean operators (and, or, not, implies): R(v1,5.0)->Q(x), x>1 -> x*x>x
One can apply existential and universal quantification to formulas, e.g., quantifying x in Q(x), x1 in R(x1,5.0), and x and y in R(x,y).
A model, a proof
A model gives a meaning (semantics) to a first order formula: a relation for each relation symbol, a function for each function symbol, a value for each variable.
An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model. Example proof rule: modus ponens (MP).
Flowchart programs
Input variables: X=x1,x2,…,xl
Program variables: Y=y1,y2,…,ym
Output variables: Z=z1,z2,…,zn
[Flowchart: start -> Y=f(X) -> … -> Z=h(X,Y) -> halt]
Assignments and tests
[Figure: an assignment node Y=g(X,Y), and a test node t(X,Y) with exits F (false) and T (true).]
Initial condition
[Flowchart of the division program: start -> (y1,y2)=(0,x1) -> test y2>=x2; T -> (y1,y2)=(y1+1,y2-x2) -> back to the test; F -> (z1,z2)=(y1,y2) -> halt]
Initial condition: the values of the input variables for which the program must work.
x1>=0 /\ x2>0
The input-output claim
The relation between the values of the input and the output variables at termination.
x1=z1*x2+z2 /\ 0<=z2<x2
[Flowchart of the division program as above.]
Partial correctness, termination, total correctness
Partial correctness: if the initial condition holds and the program terminates, then the input-output claim holds.
Termination: if the initial condition holds, the program terminates.
Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.
Subtle point
The program is partially correct with respect to x1>=0 /\ x2>=0 and totally correct with respect to x1>=0 /\ x2>0.
[Flowchart of the division program as above.]
Annotating a scheme
Assign an assertion to each pair of nodes. The assertion expresses the relation between the variables when the program counter is located between these nodes.
[Flowchart of the division program with points A (after start), B (after (y1,y2)=(0,x1)), C (true exit of the test y2>=x2), D (false exit), E (after (z1,z2)=(y1,y2), before halt).]
Annotating a scheme with invariants
(A): x1>=0 /\ x2>=0
(B): x1=y1*x2+y2 /\ y2>=0
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
(E): x1=z1*x2+z2 /\ 0<=z2<x2
Notice: (A) is the initial condition, (E) is the input-output condition.
[Flowchart of the division program as above.]
Verification conditions: assignment
For an assignment Y=g(X,Y) leading from point A to point B, the condition is (A) -> (B)[Y\g(X,Y)], where (B)[Y\g(X,Y)] is (B) with g(X,Y) substituted for Y.
(A): x1>=0 /\ x2>=0
(B): x1=y1*x2+y2 /\ y2>=0
For the assignment (y1,y2)=(0,x1): (B)[Y\g(X,Y)] = x1=0*x2+x1 /\ x1>=0
Second assignment: (y1,y2)=(y1+1,y2-x2), from C to B
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
(B): x1=y1*x2+y2 /\ y2>=0
(B)[Y\g(X,Y)]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
Third assignment: (z1,z2)=(y1,y2), from D to E
(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
(E): x1=z1*x2+z2 /\ 0<=z2<x2
(E)[Z\g(X,Y)]: x1=y1*x2+y2 /\ 0<=y2<x2
Verification conditions: tests
For a test t(X,Y) at point B with true exit to C and false exit to D:
((B) /\ t(X,Y)) -> (C)
((B) /\ ¬t(X,Y)) -> (D)
(B): x1=y1*x2+y2 /\ y2>=0
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
Here t(X,Y) is y2>=x2.
Exercise: prove partial correctness
Initial condition: x>=0
Input-output claim: z=x!
[Flowchart: start -> (y1,y2)=(0,1) -> test y1=x; T -> z=y2 -> halt; F -> (y1,y2)=(y1+1,(y1+1)*y2) -> back to the test]
Assignment condition
Consider an assignment y1=2 between points A and B, with (B): y1=x1. The condition to prove at A is 2=x1.
Another way to understand the condition: use two versions of each variable, before and after the assignment, e.g., y1 and y1', respectively.
postcondition: y1'=x1
assignment: y1'=2
precondition: 2=x1
Assignment condition
Assignment: y1=y1+5
Postcondition: y1=10
Precondition: y1+5=10, i.e., y1=5
Verification conditions: assignment
(A): x1>=0 /\ x2>=0
(B): x1=y1*x2+y2 /\ y2>=0
Assignment (y1,y2)=(0,x1), i.e., y1=0 /\ y2=x1, from A to B
(B)[Y\g(X,Y)] = x1=0*x2+x1 /\ x1>=0 (or simply x1>=0)
Second assignment: (y1,y2)=(y1+1,y2-x2), from C to B
(B): x1=y1*x2+y2 /\ y2>=0
Assignment: y1=y1+1 /\ y2=y2-x2
(B)[Y\g(X,Y)]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
What have we achieved?
For each statement S that appears between points X and Y we showed that if the control is at X when (X) holds and S is executed, then (Y) holds.
Initially, we know that (A) holds.
The above two conditions can be combined into an induction on the number of statements executed: if after n steps we are at point X, then (X) holds.
Another example
(A): x>=0
(F): z^2<=x<(z+1)^2
z is the biggest number that is not greater than sqrt(x).
[Flowchart of the integer square root program: start -> A -> (y1,y2,y3)=(0,0,1) -> B -> y2=y2+y3 -> C -> test y2>x; false -> D -> (y1,y3)=(y1+1,y3+2) -> B; true -> E -> z=y1 -> F -> halt]
Some insight
1+3+5+…+(2n+1)=(n+1)^2
y2 accumulates the above sum, until it is bigger than x.
y3 ranges over the odd numbers 1,3,5,…
y1 is n-1.
[Flowchart of the integer square root program as above.]
Invariants
It is sufficient to have one invariant for every loop (cycle in the program's graph). We will have
(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
[Flowchart of the integer square root program as above.]
Obtaining (B)
By backwards substitution in (C) (the statement between B and C is y2=y2+y3).
(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
[Flowchart of the integer square root program as above.]
Check assignment condition
(A) = x>=0
(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(B) relativized (by the assignment (y1,y2,y3)=(0,0,1)) is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1
Simplified: x>=0
[Flowchart of the integer square root program as above.]
Obtaining (D)
By backwards substitution in (B) (the statement between D and B is (y1,y3)=(y1+1,y3+2)).
(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(D) = (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
[Flowchart of the integer square root program as above.]
Checking the test condition
(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
((C) /\ y2<=x) -> (D)
(D) = (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
[Flowchart of the integer square root program as above.]
The condition ((C) /\ y2<=x) -> (D), written out:
y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\ y2<=x -> (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
Each conjunct of (D) follows from the premise: (y1+1)^2=y2<=x; y2+y3+2=(y1+1)^2+(2*y1+1)+2=(y1+2)^2; y3+2=2*y1+3=2*(y1+1)+1.
Not finished! Still needs to:
Calculate (E) by substituting backwards from (F).
Check that ((C) /\ y2>x) -> (E).
[Flowchart of the integer square root program as above.]
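The verification conditions of both annotated programs above (the division program, and the integer square root program, including the (E) that still has to be computed from (F)) can be checked mechanically on a bounded domain. The following Python is an added example, not code from the lecture: assertions are written as Python boolean expressions (the slides' /\ becomes and, = becomes ==), backward substitution (N)[Y\g(X,Y)] is done textually on the assertion string, and each condition is tested for all integer values of its free variables in a small box. Such a check is a sanity test of an annotation that catches a wrong or too-weak invariant quickly; it is not a proof, which needs the first-order reasoning of the slides. The point names, edge encoding and box bounds are this example's own choices.

```python
import itertools
import keyword
import re


def substitute(assertion, assignment):
    """Backward substitution phi[Y\\g(X,Y)]: replace every variable written by
    the parallel assignment by its right-hand side, all at once, e.g.
    substitute("y2 == (y1+1)**2", {"y2": "y2 + y3"}) -> "(y2 + y3) == (y1+1)**2"."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, assignment)) + r")\b")
    return pattern.sub(lambda m: "(" + assignment[m.group(1)] + ")", assertion)


def verification_condition(phi, edge):
    """Floyd's condition for one edge, as a (premise, conclusion) pair:
    assignment M -> N:             (M) -> (N)[Y\\g(X,Y)]
    test t, true/false exit to N:  (M) /\\ t -> (N)  or  (M) /\\ not t -> (N)"""
    src, dst, kind, payload = edge
    if kind == "assign":
        return phi[src], substitute(phi[dst], payload)
    cond, branch = payload
    literal = cond if branch else "not (" + cond + ")"
    return "(" + phi[src] + ") and (" + literal + ")", phi[dst]


def free_variables(*exprs):
    return sorted({n for e in exprs for n in re.findall(r"[A-Za-z_]\w*", e)
                   if not keyword.iskeyword(n)})


def implies_on_box(premise, conclusion, lo=-2, hi=4):
    """Check premise -> conclusion for every integer valuation of the free
    variables in [lo, hi]; returns (True, None) or (False, counterexample)."""
    names = free_variables(premise, conclusion)
    p = compile(premise, "<premise>", "eval")
    c = compile(conclusion, "<conclusion>", "eval")
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, values))
        if eval(p, {}, env) and not eval(c, {}, env):
            return False, env
    return True, None


def check_annotation(phi, edges, lo=-2, hi=4):
    """All edges whose verification condition fails on the box, each with a
    counterexample state; an empty list means every condition held."""
    failures = []
    for edge in edges:
        ok, cex = implies_on_box(*verification_condition(phi, edge), lo, hi)
        if not ok:
            failures.append((edge[0], edge[1], cex))
    return failures


# Division program from the slides: points A..E and the edges between them.
DIVISION_PHI = {
    "A": "x1 >= 0 and x2 >= 0",
    "B": "x1 == y1*x2 + y2 and y2 >= 0",
    "C": "x1 == y1*x2 + y2 and y2 >= 0 and y2 >= x2",
    "D": "x1 == y1*x2 + y2 and y2 >= 0 and y2 < x2",
    "E": "x1 == z1*x2 + z2 and 0 <= z2 < x2",
}
DIVISION_EDGES = [
    ("A", "B", "assign", {"y1": "0", "y2": "x1"}),
    ("B", "C", "test", ("y2 >= x2", True)),
    ("B", "D", "test", ("y2 >= x2", False)),
    ("C", "B", "assign", {"y1": "y1 + 1", "y2": "y2 - x2"}),
    ("D", "E", "assign", {"z1": "y1", "z2": "y2"}),
]

# Integer square root program: (A), (C) and (F) are given on the slides;
# (B), (D) and (E) are obtained by backward substitution, as the slides do.
SQRT_PHI = {
    "A": "x >= 0",
    "C": "y1**2 <= x and y2 == (y1+1)**2 and y3 == 2*y1 + 1",
    "F": "z**2 <= x < (z+1)**2",
}
SQRT_PHI["B"] = substitute(SQRT_PHI["C"], {"y2": "y2 + y3"})
SQRT_PHI["D"] = substitute(SQRT_PHI["B"], {"y1": "y1 + 1", "y3": "y3 + 2"})
SQRT_PHI["E"] = substitute(SQRT_PHI["F"], {"z": "y1"})
SQRT_EDGES = [
    ("A", "B", "assign", {"y1": "0", "y2": "0", "y3": "1"}),
    ("B", "C", "assign", {"y2": "y2 + y3"}),
    ("C", "D", "test", ("y2 > x", False)),
    ("C", "E", "test", ("y2 > x", True)),
    ("D", "B", "assign", {"y1": "y1 + 1", "y3": "y3 + 2"}),
    ("E", "F", "assign", {"z": "y1"}),
]

if __name__ == "__main__":
    for name, phi, edges in (("division", DIVISION_PHI, DIVISION_EDGES),
                             ("integer square root", SQRT_PHI, SQRT_EDGES)):
        print(name, "failures:", check_annotation(phi, edges))
```

Both annotations pass on the box, including the division program's subtle point that partial correctness holds with x2>=0 (the box contains x2=0). Dropping the conjunct y2>=0 from (B) of the division program makes the two test conditions out of B fail with a counterexample, which is exactly the kind of defect this check is for.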
Proving termination
Well-founded sets
Partially ordered set (W,<):
If a<b and b<c then a<c (transitivity).
If a<b then not b<a (asymmetry).
Not a<a (irreflexivity).
Well-founded set (W,<): partially ordered, with no infinite decreasing chain a1>a2>a3>…
Examples of well-founded sets
Natural numbers with the bigger-than relation.
Finite sets with the set inclusion relation.
Strings with the substring relation.
Tuples with alphabetic order: (a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2]; (a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].
Why does the program terminate?
y2 starts as x1. Each time the loop is executed, y2 is decremented. y2 is a natural number. The loop cannot be entered again when y2<x2.
[Flowchart of the division program as above.]
Proving termination
Choose a well-founded set (W,<).
Attach a function u(N) to each point N.
Annotate the flowchart with invariants, and prove their consistency conditions.
Prove that (N) -> (u(N) in W).
How not to stay in a loop?
For each edge from M to N, show that u(M)>=u(N). At least once in each loop, show that u(M)>u(N).
[Figure: a statement S from M to N, and a test T with exits to N and M.]
How not to stay in a loop?
For a statement from M to N: (M) -> (u(M)>=u(N) relativized), i.e., with the statement's assignment substituted into u(N).
For a test (true side, to N): ((M) /\ test) -> (u(M)>=u(N))
For a test (false side, to L): ((M) /\ ¬test) -> (u(M)>=u(L))
What did we achieve?
There are finitely many control points.
The value of the function u cannot increase.
If we return to the same control point, the value of u must decrease (it's a loop!).
The value of u can decrease only a finite number of times.
Why does the program terminate?
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
W: the naturals; >: greater than
[Flowchart of the division program as above.]
Recall partial correctness annotation
(A): x1>=0 /\ x2>=0
(B): x1=y1*x2+y2 /\ y2>=0
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
(E): x1=z1*x2+z2 /\ 0<=z2<x2
[Flowchart of the division program as above.]
Strengthen for termination
(A): x1>=0 /\ x2>0
(B): x1=y1*x2+y2 /\ y2>=0 /\ x2>0
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2 /\ x2>0
(E): x1=z1*x2+z2 /\ 0<=z2<x2
This proves that u(M) is natural for each point M.
[Flowchart of the division program as above.]
We shall show
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
u(A)>=u(B), u(B)>=u(C), u(C)>u(B), u(B)>=u(D), u(D)>=u(E)
[Flowchart of the division program as above.]
Proving decrement
(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
u(C)=y2, u(B)=y2, u(B) relativized = y2-x2
(C) -> y2>y2-x2 (notice that (C) -> x2>0)
[Flowchart of the division program as above.]
Integer square root program
(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
[Flowchart of the integer square root program as above.]
u(A)=x+1, u(B)=x-y2+1, u(C)=max(0,x-y2), u(D)=x-y2+1, u(E)=u(F)=0
u(A)>=u(B), u(B)>u(C), u(C)>=u(D), u(D)>=u(B)
Need some invariants, i.e., a bound on y2 so that x-y2+1 is natural at points B and D, and y3>0 at point C.
[Flowchart of the integer square root program as above.]