1
Axiomatic Verification II Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 18
2
Axiomatic Verification II: reasoning about iteration (while loops); strong correctness and proving termination.
3
Review of Proof Rules
Before proceeding to while loops, let’s capture our previous reasoning about sequencing, selection statements, and state condition replacement in appropriate rules of inference (ROI).

ROI for Sequencing:
  {P} S1 {R}, {R} S2 {Q}
  ----------------------
  {P} S1; S2 {Q}
4
Review of Proof Rules (cont’d)
ROI for if_then_else statement:
  {P ∧ b} S1 {Q}, {P ∧ ¬b} S2 {Q}
  -------------------------------
  {P} if b then S1 else S2 {Q}

ROI for if_then statement:
  {P ∧ b} S {Q}, (P ∧ ¬b) ⇒ Q
  ---------------------------
  {P} if b then S {Q}
5
Review of Proof Rules (cont’d)
ROI for State Condition Replacement†:
  K ⇒ P, {P} S {Q}, Q ⇒ W
  -----------------------
  {K} S {W}
† Also known as the CONSEQUENCE rule.
6
Reasoning about Iteration
Consider the assertion: {P} while b do S {Q}
What are the necessary conditions for this assertion to hold?
7
Necessary Conditions: while_do
We know that {P} while b do S {Q} will hold if the following conditions hold (Case k covers the executions in which the body S runs exactly k times):
  Case 0: (P ∧ ¬b) ⇒ Q
  Case 1: {P ∧ b} S {K1}, (K1 ∧ ¬b) ⇒ Q
  Case 2: {K1 ∧ b} S {K2}, (K2 ∧ ¬b) ⇒ Q
  …
  Case N: {K(N-1) ∧ b} S {KN}, (KN ∧ ¬b) ⇒ Q
  …
Great! But who has the time to show that an infinite number of conditions hold?
8
Reasoning about Iteration (cont’d)
To eliminate the infinite sequence of conditions, replace each Ki with a single predicate I (where I ⇒ Ki for every i). Then the conditions above become:
  Case 0: (P ∧ ¬b) ⇒ Q
  Case 1: {P ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
  All other cases: {I ∧ b} S {I}
To simplify, require further that P ⇒ I. Then the four conditions reduce to three:
  P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
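Why the four conditions reduce to three once P ⇒ I is required, spelled out with the consequence rule from the review above (an added derivation, not on the original slide):

  Case 0 follows from finalization: P ⇒ I gives (P ∧ ¬b) ⇒ (I ∧ ¬b), and (I ∧ ¬b) ⇒ Q, hence (P ∧ ¬b) ⇒ Q.
  Case 1’s triple follows from preservation: (P ∧ b) ⇒ (I ∧ b) and {I ∧ b} S {I} give {P ∧ b} S {I} by the consequence rule (strengthening the precondition).
  Case 1’s second conjunct, (I ∧ ¬b) ⇒ Q, is the finalization condition itself.
  What remains is exactly: P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q.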
9
Reasoning about Iteration (cont’d)
Thus, a ROI for the while_do statement is:
  P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
  ----------------------------------
  {P} while b do S {Q}
where the three antecedents are sometimes given the names initialization, preservation, and finalization, respectively. The assertion “I” in this context is informally referred to as an invariant, or more precisely as a Q-adequate loop invariant.
10
Invariants and Q-adequate Invariants
A loop invariant is a Boolean-valued predicate that satisfies initialization and preservation. A Q-adequate loop invariant is a loop invariant that also satisfies finalization. Note that there may be an arbitrary number of valid loop invariants. For example, TRUE is a trivial loop invariant for any while loop. The stronger the invariant, the more one can conclude from it together with ¬b.
11
Example 3
Use the Q-adequate invariant I: Z=XJ to prove:
  {true}
  Z ← X
  J ← 1
  while J<>Y do
    Z ← Z+X
    J ← J+1
  end_while
  {Z=XY}

Initialization: P ⇒ I
What is “P” here? It is the state established by the two assignments before the loop: (Z=X ∧ J=1).
Does (Z=X ∧ J=1) ⇒ Z=XJ? With J=1, XJ=X, so Z=X gives Z=XJ. Yep!

Preservation: {I ∧ b} S {I}
  {Z=XJ ∧ J≠Y}
  Z ← Z+X
  {Z=X(J+1) ∧ J≠Y}
  J ← J+1
  {Z=X((J-1)+1) ∧ J-1≠Y} ⇒ Z=XJ
(Here b is J≠Y and S is the loop body.)

Finalization: (I ∧ ¬b) ⇒ Q
Does (Z=XJ ∧ J=Y) ⇒ Z=XY? Substituting J=Y into Z=XJ gives Z=XY. Yep!
21
Heuristics for Identifying “I”
1. Hypothesize a predicate that reflects the incremental progress made toward satisfying Q with each iteration.
2. Check finalization. If necessary, refine the predicate so as to be just strong enough to imply Q on termination (i.e., when b becomes false).
3. Check initialization. If necessary, refine the predicate so as to be just weak enough to be implied by P and return to step (2).
4. Check preservation. If necessary, refine the predicate so as to ensure preservation with respect to S and return to step (2).
22
[Flowchart summarizing the heuristics: Hypothesize I → Finalization? (false: strengthen I) → Initialization? (false: weaken I) → Preservation? (false: refine I) → finish; after any refinement the checks are repeated from finalization.]
23
Example 4
Synthesize a Q-adequate invariant and prove:
  {N ≥ 1}
  Sum ← 0
  J ← 1
  while J<=N do
    Sum ← Sum + X[J]
    J := J+1
  end_while
  {Sum = Σ_{i=1}^{N} X[i]}

Hypothesized I (try #1): Sum = Σ_{i=1}^{J-1} X[i]
Does finalization hold? I.e., does (Sum = Σ_{i=1}^{J-1} X[i] ∧ J>N) ⇒ Sum = Σ_{i=1}^{N} X[i]? Nope! (J>N alone does not force J-1 = N.)

Hypothesized I (try #2): Sum = Σ_{i=1}^{J-1} X[i] ∧ J ≤ N+1
Does finalization hold? I.e., does (Sum = Σ_{i=1}^{J-1} X[i] ∧ J ≤ N+1 ∧ J>N) ⇒ Sum = Σ_{i=1}^{N} X[i]? Yep! (Finalization holds.)

Does initialization hold? I.e., does (N ≥ 1 ∧ Sum=0 ∧ J=1) ⇒ (Sum = Σ_{i=1}^{J-1} X[i] ∧ J ≤ N+1)? Yep! (Initialization holds.)

Does preservation hold?
  {Sum = Σ_{i=1}^{J-1} X[i] ∧ J ≤ N+1 ∧ J ≤ N}
  Sum ← Sum + X[J]
  {Sum = Σ_{i=1}^{J} X[i] ∧ J ≤ N}
  J := J+1
  {Sum = Σ_{i=1}^{J-1} X[i] ∧ J-1 ≤ N} = {I}
(Preservation holds.)

Finalization, initialization, and preservation all hold, so try #2 is a Q-adequate invariant and the assertion is proved.
30
Strong Correctness
Program S is said to be strongly correct with respect to pre-condition P and post-condition Q if:
1. {P} S {Q} (i.e., S is weakly correct with respect to P and Q), and
2. P implies that S will terminate.
31
Strong Correctness (cont’d)
Is it possible to prove that a program will terminate? Are there programs for which termination is undecidable?
To write a program which should terminate but doesn’t is a minor sin. To write a program for which termination is undecidable is a major sin. –Harlan Mills
32
Let’s Pause for a Moment…
I remember, as a young boy, watching small, brown frogs jump from lily pad to lily pad in the pond behind our house. They seemed to never tire of this…
33
Proving Termination – the Method of Well-Founded Sets†
For each program loop, identify a measure based on one or more program variables that satisfies the following properties:
1. decreases (or increases) with each iteration,
2. is bounded from below (or above), and
3. can assume only a finite number of values before reaching the bound.
† A well-founded set (S, >) consists of a set of elements S and an ordering > defined on the elements, such that there can be no infinite descending sequences of elements.
34
Proving Termination – the Method of Well-Founded Sets (cont’d)
Example: consider a linear search of an unordered list for the value K:
  {true}
  Found ← false
  J ← 1
  while (J<=N and (not Found)) do
    Found ← (K=X[J])
    J ← J+1
  end_while
  {(Found ∧ K=X[J-1]) ∨ (¬Found ∧ ∀i ∈ {1,…,N} K ≠ X[i])}
35
Proving Termination – the Method of Well-Founded Sets (cont’d)
Proof of termination: Measure: “J”
1. J increases with each iteration since J ← J+1 is executed with each iteration and J does not otherwise change.
2. J is bounded from above (by N+1) since if J exceeds N, J<=N will evaluate to false and the loop must terminate.
36
Proving Termination – the Method of Well-Founded Sets (cont’d)
Proof of termination: (cont’d)
3. Since J increases by an integral amount with each iteration, it can assume only a finite number of values before reaching N+1: {1, 2,…, N, N+1}.
Therefore, by the Method of Well-Founded Sets, the loop must terminate.
37
Exercise
The weak correctness of the assertion below was established earlier. Can the Method of Well-Founded Sets be used to prove the program will terminate?
  {true}
  Z ← X
  J ← 1
  while J<>Y do
    Z ← Z+X
    J ← J+1
  end_while
  {Z=XY}
38
A while_do ROI for strong correctness
We can incorporate a termination term, t, in the while loop ROI. Let t denote a whole number† which decreases with each iteration and implies termination when less than or equal to 0:
  P ⇒ I, (I ∧ b) ⇒ (t > 0), {I ∧ b ∧ t=N} S {I ∧ t<N}, (I ∧ ¬b) ⇒ Q
  ------------------------------------------------------------------
  {P} while b do S {Q} strongly
† Any well-founded ordering may be used for the domain of t.
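The obligations in this ROI can also be exercised against a concrete run. Below is an added Python harness (not part of the lecture notes) that checks P ⇒ I on entry, t > 0 and the strict decrease of t around every execution of S, I after each iteration, and Q on exit; it is applied to Example 4 with the try #2 invariant and to the linear search example. The slides prove only termination for the linear search, so the Q-adequate invariant used for it is an assumption of this example.

```python
# Added example (not from the lecture): run a while loop while checking the four
# antecedents of the strong-correctness ROI above on the concrete program state.
# A failed check raises an AssertionError naming the violated proof obligation.
def run_while(state, pre, b, body, inv, post, t):
    """pre/b/inv/post: predicates on the state dict; body: mutates the state;
    t: termination measure, a whole number.  Returns the final state."""
    assert pre(state), "P does not hold on entry"
    assert inv(state), "initialization: P does not imply I"
    while b(state):
        assert t(state) > 0, "(I and b) does not imply t > 0"
        n = t(state)                             # t = N before S runs
        body(state)
        assert inv(state), "preservation: {I and b} S {I} fails"
        assert t(state) < n, "{I and b and t=N} S {I and t<N} fails"
    assert post(state), "finalization: (I and not b) does not imply Q"
    return state

# Example 4 with the try #2 invariant.  X is 1-indexed as on the slides,
# so x[0] is an unused filler and N = len(x) - 1.
def sum_body(s):
    s["Sum"] += s["X"][s["J"]]
    s["J"] += 1

def sum_example(x):                              # x: constructed input list
    st = {"N": len(x) - 1, "X": x, "Sum": 0, "J": 1}
    return run_while(
        st, pre=lambda s: s["N"] >= 1, b=lambda s: s["J"] <= s["N"], body=sum_body,
        inv=lambda s: s["Sum"] == sum(s["X"][1:s["J"]]) and s["J"] <= s["N"] + 1,
        post=lambda s: s["Sum"] == sum(s["X"][1:s["N"] + 1]),
        t=lambda s: s["N"] + 1 - s["J"])["Sum"]  # measure from the termination proof

# Linear search of an unordered list for K.  Hypothesized (assumed) invariant:
# J <= N+1 and (Found and K = X[J-1], or not Found and K absent from X[1..J-1]).
def search_body(s):
    s["Found"] = (s["K"] == s["X"][s["J"]])
    s["J"] += 1

def search_example(x, k):                        # returns (Found, J-1)
    st = {"N": len(x) - 1, "X": x, "K": k, "Found": False, "J": 1}
    final = run_while(
        st, pre=lambda s: True,
        b=lambda s: s["J"] <= s["N"] and not s["Found"], body=search_body,
        inv=lambda s: s["J"] <= s["N"] + 1 and (
            s["K"] == s["X"][s["J"] - 1] if s["Found"]
            else all(s["K"] != v for v in s["X"][1:s["J"]])),
        post=lambda s: (s["Found"] and s["K"] == s["X"][s["J"] - 1]) or
            (not s["Found"] and all(s["K"] != v for v in s["X"][1:s["N"] + 1])),
        t=lambda s: s["N"] + 1 - s["J"])         # J increases, bounded above by N+1
    return final["Found"], final["J"] - 1
```

These are checks on the states one execution actually reaches, not a proof: the try #1 invariant of Example 4 would pass here because J really is N+1 on exit, even though Example 4 shows it is not Q-adequate.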
39
Problem Set 5: Axiomatic Verification
Note especially...
– Problem 4: deriving and using a suitable Rule of Inference for the “repeat_until” construct, and
– Problem 6: alternative, hypothesized Rules of Inference for the “while” construct... are they valid or not?