Software Verification 1
Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität und Fraunhofer Institut für offene Kommunikationssysteme FOKUS
Slide 2 (H. Schlingloff, Software-Verifikation I): Before-and-after questions...
- Can you explain the wp-calculus?
- What is wp(x+=4, x<21)?
- How do you determine wp(while (b) , )?
- What is a guarded command? Why is it useful?
- What is a contract?
Slide 3: Contracts
Weakest preconditions and strongest postconditions are related to the require-ensure paradigm (also called the assume-guarantee paradigm):
    void foo(...) requires ensures ;
is equivalent to
    ( wp( , )) (sp( , ) )
Such a statement is called a contract.
Use of a contract:
    { [x_1 := t_1, ..., x_n := t_n]} foo(t_1, ..., t_n) { }
Slide 4: Example with contracts
    int min (int a, int b)
        if (a<b) min=a else min=b;
    {a>=min b>=min (a=min b=min)}

    {T} {x = 5; y = 7; z = min (x, y)} {z==5}
Proof:
    { x = 5; y = 7; a = x; b = y;}
    {a==5 b==7}
    {if (a<b) min=a else min=b;}
    {a==5 b==7 a>=min b>=min (a=min b=min)}
    {min==5}
    {z = min;}
    {z==5}
Slide 5: Parameter Passing
- Call by value: the value of the actual parameter is passed
- Call by reference: the address of the actual parameter is passed
- Call by value-result: the value is passed, the result is copied back
- Call by result: no value is passed, only the result is copied back
- Call by name: the name (expression) of the actual parameter is passed
Slide 6: Example
    void strange (int x) {
        x+=2; a[i] = 4; i = 1; x+=2;
    }
    a = [1, 1]; i = 0;   // a[0], a[1]
    strange(a[i]);
Resulting array for each parameter-passing mechanism:
    reference:    a=[6, 1]
    value:        a=[4, 1]
    result:       a=[?, 1]
    value-result: a=[5, 1]
    name:         a=[4, 3]
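As an added example (not from the slides), the five mechanisms of slide 5 applied to the strange() program of slide 6, simulated in C: call by name is modelled with a macro so that the actual-parameter expression a[i] is re-evaluated at every use, and call by result takes an assumed initial value x0 because nothing is copied in (the slide writes '?' for that entry). The helper names (reset, snapshot, run_*) are my own.

```c
#include <stdio.h>

/* Global state shared with the callee, as on the slide: a = [1, 1]; i = 0 */
static int a[2];
static int i;
typedef struct { int v[2]; } Arr;

static void reset(void) { a[0] = 1; a[1] = 1; i = 0; }
static Arr snapshot(void) { Arr r = { { a[0], a[1] } }; return r; }

/* call by value: x is a private copy of a[0]; updates to x never reach a */
static void strange_value(int x) { x += 2; a[i] = 4; i = 1; x += 2; (void)x; }
/* call by reference: x is the address of a[i], evaluated once at the call */
static void strange_reference(int *x) { *x += 2; a[i] = 4; i = 1; *x += 2; }
/* call by value-result: copy in, work on a local, copy out to the address
   passed at the call (still a[0], although i has changed meanwhile) */
static void strange_value_result(int *slot) {
    int x = *slot;
    x += 2; a[i] = 4; i = 1; x += 2;
    *slot = x;
}
/* call by result: nothing is copied in, so x starts unspecified (the slide
   writes '?'); x0 is the assumed initial value, only the copy-out is defined */
static void strange_result(int *slot, int x0) {
    int x = x0;
    x += 2; a[i] = 4; i = 1; x += 2;
    *slot = x;
}
/* call by name: the actual-parameter expression a[i] replaces x textually and
   is re-evaluated at every use, so the second increment hits a[1] */
#define STRANGE_NAME(X) do { (X) += 2; a[i] = 4; i = 1; (X) += 2; } while (0)

Arr run_value(void)        { reset(); strange_value(a[i]);         return snapshot(); }
Arr run_reference(void)    { reset(); strange_reference(&a[i]);    return snapshot(); }
Arr run_value_result(void) { reset(); strange_value_result(&a[i]); return snapshot(); }
Arr run_result(int x0)     { reset(); strange_result(&a[i], x0);   return snapshot(); }
Arr run_name(void)         { reset(); STRANGE_NAME(a[i]);          return snapshot(); }

static void show(const char *mode, Arr r) { printf("%-13s a=[%d, %d]\n", mode, r.v[0], r.v[1]); }

int main(void) {
    show("reference:", run_reference());       /* a=[6, 1] */
    show("value:", run_value());               /* a=[4, 1] */
    show("result:", run_result(0));            /* a=[4, 1] with x0 = 0; '?' on the slide */
    show("value-result:", run_value_result()); /* a=[5, 1] */
    show("name:", run_name());                 /* a=[4, 3] */
    return 0;
}
```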
Slide 7: Recursive Functions
Example:
    int pow(int a, int b) {
        if (b==0) return 1;
        else if (b%2==1) return a*pow(a,b-1);
        else return pow(a*a, b/2);
    }
- How to define the semantics?
- How to verify correctness?
- How to prove termination?
Slide 8: Semantics
- denotational: least fixed points of functionals
- operational: substitution rule, e.g. in lambda calculus (beta-reduction)
    pow(5,2)
    = if (2==0) return 1 else if (2%2==1) return 5*pow(5,2-1) else return pow(5*5, 2/2)
    = pow(25,1)
    = if (1==0) return 1 else if (1%2==1) return 25*pow(25,1-1) else return pow(25*25, 1/2)
    = 25*pow(25,0)
    = 25* if (0==0) return 1 else ...
    = 25
Slide 9: Replacement Possibilities
If there are several occurrences of a recursive function, which one should be replaced?
Example term:
    f = g(f(x_0, f(x_1, x_2)), f(f(x_3, x_4), f(x_5, x_6)))
Replacement strategies (each selects a different occurrence of f in this term):
- leftmost-innermost
- parallel-innermost
- leftmost
- parallel-outermost
- free-argument
- full-substitution
Differences in the result?
Slide 10: Church-Rosser Property
"Diamond property": if t_0 t_1 and t_0 t_2, then there is a t_3 such that t_1 t_3 and t_2 t_3; here denotes repeated replacement by any rule.
Consequence: if the computation terminates with result x according to replacement rule A and with result y according to replacement rule B, then x=y.
Example:
    int fun(int x, int y) {
        if (x==0) return 1;
        else return fun(x-1, fun(x-y, y));
    }
    fun(2,1) = ?
    fun(3,2) = ?
Slide 11: Axiomatic – Proof Rules for Recursion
Correctness:
    ⊢ int f() { } {} { } requires ensures
Example:
    int pow(int a, int b) {b>0} {...} {pow=a**b}
can be used in the verification of f!
Slide 12: Example: Fibonacci in Dafny
    function fib(n: nat): nat {
      if n == 0 then 0 else if n == 1 then 1 else fib(n - 1) + fib(n - 2)
    }

    method ComputeFib(n: nat) returns (b: nat)
      ensures b == fib(n)
    {
      var i := 1;
      var a := 0;
      b := 1;
      while i < n {
        a, b := b, a + b;
        i := i + 1;
      }
    }