Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Folie 2 H. Schlingloff, Software Verification I Where are we? Einführung Aussagenlogik Prädikatenlogik einfache Funktionskontrakte Schleifeninvarianten und Terminierung Prädikate und logische Funktionen Spezifikation von Datentypen Parallele Programme, Deadlocks, Livelocks Objektorientierte Programme

Folie 3 H. Schlingloff, Software Verification I Termination Hoare-Tripel: {  }  {  } if  holds before the execution of , then  holds afterwards (1) ⊢ {Τ} skip {Τ}(skip) (2) ⊢ {Τ  Τ} skip {Τ}(1, imp1) (3) ⊢ {Τ} while (Τ) skip {Τ   }(2,whi) (4) ⊢ {Τ} while (Τ) skip {  }(3, imp2) I.e., if T holds before the execution of while (Τ) skip, then  holds afterwards I.e., after the execution of while (Τ) skip anything holds

Folie 4 H. Schlingloff, Software Verification I {T}  {  }: if  terminates, then  holds afterwards Hoare logic incapable of formulating statements about termination Total correctness of  with respect to  :  {T}  {  }   terminates Notation    Clearly, if  contains no loops, then {  }  {  } implies    How to prove termination of loops?

Folie 5 H. Schlingloff, Software Verification I Well-founded orders A binary relation < is called a strict partial order iff it is  irreflexive: ¬ x<x  transitive: x<y  y<z  x<z  asymmetric: x<y  ¬ y<x A partial order is called total order iff it is  total:  xy (x<y  y<x) A strict partial order is called well-founded iff  there is no infinite descending chain, i.e., no infinite set {x 0, x 1, x 2, x 3,...} such that x 0 >x 1 >x 2 >x 3...  equivalently, if every non-empty set S has a minimal element (i.e.,  S   x  S  y  x (x<y)) A well-founded total order is called a well-order

Folie 6 H. Schlingloff, Software Verification I Well-orderings natural numbers, < integers - x<y iff |x|<|y| or |x|=|y| and x<y pairs - ? strings - ? binary trees - ? rational numbers - ? real matrices - ? Counterexamples?

Folie 7 H. Schlingloff, Software Verification I Transfinite induction Let  (n) be any statement, where n  M and < is a well-founded partial order on M If for all x  M it holds that if  (y) for all y<x, then  (x) then  (n) for all n  M  x ((  y<x   ( y ) )   ( x ) )   n  ( n )

Folie 8 H. Schlingloff, Software Verification I Proof  x ((  y<x   ( y ) )   ( x ) )   n  ( n ) Assume for contradiction that  x ((  y<x   ( y ) )   ( x ) ), i.e.,  x (¬  ( x )  (  y<x  ¬  ( y ) )) and that  x 0 ¬  (x 0 ). Then  x 1 <x 0  ¬  ( x 1 ) ) Therefore  x 2 <x 1  ¬  ( x 2 ) ) etc. Continuing, we get an infinite descending chain of elements, contradicting well-foundedness

Folie 9 H. Schlingloff, Software Verification I Special Cases natural induction:  (0)   x (  ( x ) )   ( x+1 ) )   n  ( n ) mathematical induction: Let M be finitely generated, i.e., there are constructor-functions f 1,...,f n and M 0  M such that all x  M can be written as x=f(f(...(x 0 )..), where each f is a constructor function and x 0  M 0  if  (x 0 ) for all x 0  M 0 and  (  ( x )   ( f ( x )) ) for all x  M and all constructor functions f  then  ( x ) for all x  M

Folie 10 H. Schlingloff, Software Verification I Termination proofs Let (M,<) be a well-founded order and  (z) be a formula involving z  M if ⊢    (z 0 ) for some z 0  M and ⊢  (z)  b    (z’)   ¬b  for some z’<z, then ⊢  while (b)   ¬b   (z) is called variant of the loop

Folie 11 H. Schlingloff, Software Verification I Special case (Termination only) if ⊢    (z) for some z  M, and ⊢  (z)  b    (z’)  for some z’<z, and ⊢ (  (z)  ¬b   ), then ⊢  while (b)   if ⊢  (z) for some z  M and ⊢  (z)    (z’)  ¬b  for some z’<z then ⊢  T  while (b)   T 

Folie 12 H. Schlingloff, Software Verification I Example proof Show ⊢  a>=0  while (a>0) a--  T  well-founded ordering: natural numbers (N 0,<);  (z) = (a==z)  (z)=(floor(a)==z) (i)a>=0  (a==z) for some z  N 0 a>=0  (floor(a)==z) for some z  N 0 (ii) ⊢  a==z  a--  a==z-1  ⊢  floor(a)==z  a--  floor(a)==z-1  Would this proof hold for float a?

Folie 13 H. Schlingloff, Software Verification I Termination of gcd {a==m>0  b==n>0} while (a!=b) if (a>b) a=a-b else b=b-a {a==b==gcd(m,n)} We want to show that ⊢  a==m>0  b==n>0    T  Variant  (z) = (z==a+b); wfo: N 0 Show: ⊢  (z)  if...  (z’)  for some z’<z Proof: let z’=z-min(a,b)

Folie 14 H. Schlingloff, Software Verification I A more intricate example  = {b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; } Show: ⊢  0<a<=100    a==91 