Functional Verification IV: Revisiting Loop Invariants

Functional Verification IV: Revisiting Loop Invariants
Software Testing and Verification Lecture Notes 24 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Last Time… Iteration Recursion Lemma (IRL)
Termination predicate: term(f,P) Correctness conditions for while_do statement Sufficient correctness conditions Correctness conditions for repeat_until statement Subgoal Induction

Today’s Topics Thinking about invariants again
Invariant Status Theorem (IST) While Loop Initialization Utility of IST

Thinking about invariants again
In Lecture Notes #18 we considered heuristics for synthesizing Q-adequate loop invariants. In Lecture Notes #23, it was observed that a loop computing a function maintains an important property of state across iterations: the function value of the current state, X, is the same as the function value of the initial state, X0. That is: f(X)=f(X0). We now expand on this observation and show that this property represents the weakest f-adequate loop invariant† over D(f)! † To be defined shortly...

Flashback to LN #18... finish true false true strengthen false true
Hypothesize I Flashback to LN #18... true Finalization ? false true strengthen Initialization ? false true weaken Preservation ? false false finish Initialization ? refine true false Preservation ? true

Flashback to LN # 23... As f = [while p do g] = [if p then g;f end_if], it follows that f(X0) = f(X1) = ... = f(Xn) = Xn More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is: f(X) = f(X0) We will revisit this observation in connection with Mill’s Invariant Status Theorem shortly.

Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively: {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0}

Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively: {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Can you identify a Q-adequate invariant, I, that could be used to prove this...?

Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively: {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Can you identify a Q-adequate invariant, I, that could be used to prove this...? Consider I: y = y0+(z0-z) This can be rewritten as:

Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively: {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Can you identify a Q-adequate invariant, I, that could be used to prove this...? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop? (z≥0  y,z := ?,?) Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop? (z≥0  y,z := y+z,0) Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} So, for f = (z≥0  y,z := y+z,0), what is the relationship between f and the specified post-condition? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} So, for f = (z≥0  y,z := y+z,0), what is the relationship between f and the specified post-condition? z=fz(X0)=0 Л y=fy(X0)=y0+z0. (This can be written more simply as just X=f(X0), where “X” is shorthand for “y,z”.) Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} But note that a specified post-condition is not an innate property of a program as is the program’s actual function! It just so happens that where f is defined, Q ≡ X=f(X0) in this particular case... Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Getting back now to our Q-adequate invariant, I, where f = (z≥0  y,z := y+z,0)... Recall that the IRL implies that after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is, f(X)=f(X0). Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Thus, f(X)=f(X0) captures a constant relationship between the values of variables on entry to a loop (denoted by X0), and their values after every iteration of a loop (denoted by X) computing f. What, then, is this relationship for the function (z≥0  y,z := y+z,0)? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Where f is defined, fy(X)=y+z and fy(X0)=y0+z0. Similarly, fz(X)=0 and fz(X0)=0. Setting f(X) equal to f(X0) for each variable gives: 0=0 Л y+z=y0+x0 † That is, for z≥0. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0 †

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Where f is defined, fy(X)=y+z and fy(X0)=y0+z0. Similarly, fz(X)=0 and fz(X0)=0. Setting f(X) equal to f(X0) for each variable gives: 0=0 Л y+z=y0+z0 † That is, for z≥0. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0 †

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Where f is defined, fy(X)=y+z and fy(X0)=y0+z0. Similarly, fz(X)=0 and fz(X0)=0. Setting f(X) equal to f(X0) for each variable gives: 0=0 Л y+z=y0+z0 ≡ I † That is, for z≥0. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0 †

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Thus, setting f(X) equal to f(X0) results in a Q-adequate loop invariant that could (by definition) be used with the while loop ROI to prove the given assertion! Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Thus, setting f(X) equal to f(X0) results in a Q-adequate loop invariant that could (by definition) be used with the while loop ROI to prove the given assertion! Are you not awestruck? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

{true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Thus, setting f(X) equal to f(X0) results in a Q-adequate loop invariant that could (by definition) be used with the while loop ROI to prove the given assertion! Are you not awestruck? But remember: the specified post-condition conveniently corresponds to the program’s actual function in this case. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0

Invariant Status Theorem (IST)
Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties:

Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties: q(X0) is true, and

Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties: q(X0) is true, and ( q(X) Л p(X) )  qog(X).

Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties: q(X0) is true, and ( q(X) Л p(X) )  qog(X). In addition, q(X) is an f-adequate invariant; i.e.,

Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties: q(X0) is true, and ( q(X) Л p(X) )  qog(X). In addition, q(X) is an f-adequate invariant; i.e., ( q(X) Л ¬p(X) )  ( X=f(X0) )

Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties: q(X0) is true, and ( q(X) Л p(X) )  qog(X). In addition, q(X) is an f-adequate invariant; i.e., ( q(X) Л ¬p(X) )  ( X=f(X0) ) This represents the final state values as a function, f, of the initial state values.

Invariant Status Theorem (cont’d)
Proof. q(X0) is true:

Proof. q(X0) is true: q(X) =( f(X)=f(X0) ), so q(X0)=( f(X0)=f(X0) )

Proof. q(X0) is true: q(X) =( f(X)=f(X0) ), so q(X0)=( f(X0)=f(X0) ) = true as desired.

Proof. q(X0) is true: q(X) =( f(X)=f(X0) ), so q(X0)=( f(X0)=f(X0) ) = true as desired. (Note that based on the definition of q(X), this property is a tautology.)

Proof. (cont’d) ( q(X) Л p(X) )  qog(X):

Proof. (cont’d) ( q(X) Л p(X) )  qog(X): For XD(f) we know p(X)  ( f(X)=fog(X) ) by the Iteration Recursion Lemma.

Proof. (cont’d) ( q(X) Л p(X) )  qog(X): For XD(f) we know p(X)  ( f(X)=fog(X) ) by the Iteration Recursion Lemma. Since q(X)=( f(X)=f(X0) ) by definition, it follows that:

Proof. (cont’d) ( q(X) Л p(X) )  qog(X): For XD(f) we know p(X)  ( f(X)=fog(X) ) by the Iteration Recursion Lemma. Since q(X)=( f(X)=f(X0) ) by definition, it follows that: ( q(X) Л p(X) )  ( fog(X)=f(X0) ).

Proof. (cont’d) But the right-hand side of ( q(X) Л p(X) )  ( fog(X)=f(X0) ) is just ( f(g(X))=f(X0) ) = q(g(X)) = qog(X) Therefore, ( q(X) Л p(X) )  qog(X) as desired.

Proof. (cont’d) ( q(X) Л ¬p(X) )  ( X=f(X0) ):

Proof. (cont’d) ( q(X) Л ¬p(X) )  ( X=f(X0) ): If ¬p(X), then f(X) = I by definition of the while construct. This can be rewritten as f(X) = X.

Proof. (cont’d) ( q(X) Л ¬p(X) )  ( X=f(X0) ): If ¬p(X), then f(X) = I by definition of the while construct. This can be rewritten as f(X) = X. And since q(X) = ( f(X)=f(X0) ), it follows that:

Proof. (cont’d) ( q(X) Л ¬p(X) )  ( X=f(X0) ): If ¬p(X), then f(X) = I by definition of the while construct. This can be rewritten as f(X) = X. And since q(X) = ( f(X)=f(X0) ), it follows that: ( ¬p(X) Л q(X) )  ( X=f(X0) ) as desired.

An important corollary...
IST Corollary. Let f = [while p do g]. If X0D(f), XD(f), and q(X)= ( f(X)=f(X0) ), then q is an f-adequate invariant of ANY program of the form while p do g for which properties (2) and (3) of the IST hold: ( q(X) Л p(X) )  qog(X) ( q(X) Л ¬p(X) )  ( X=f(X0) ) Thus, verifying these properties for a given while_do statement, K, and intended function, f, for which term(f,K) has already been shown, constitutes a proof that f = [K].

Example 1 Consider the following assertion, where a0 and b0 represent the initial values of a and b, respectively: {true} while a<>0 do b := b*a a := a−1 end_while {a=0 Л b=b0a0!} What function, f, is computed by the while loop?

Example 1 Consider the following assertion, where a0 and b0 represent the initial values of a and b, respectively: {true} while a<>0 do b := b*a a := a−1 end_while {a=0 Л b=b0a0!} What function, f, is computed by the while loop? (a≥0  a,b := 0,ba!)

Example 1 (cont’d) For f = (a≥0  a,b := 0,ba!), an invariant q(X)=( f(X)=f(X0) ) can be derived by tabu-lating f(X) and f(X0) for each member of the data space, X: X f(X) f(X0) a b and equating components of f(X) and f(X0):

Example 1 (cont’d) For f = (a≥0  a,b := 0,ba!), an invariant q(X)=( f(X)=f(X0) ) can be derived by tabu-lating f(X) and f(X0) for each member of the data space, X: X f(X) f(X0) a 0 b and equating components of f(X) and f(X0):

Example 1 (cont’d) For f = (a≥0  a,b := 0,ba!), an invariant q(X)=( f(X)=f(X0) ) can be derived by tabu-lating f(X) and f(X0) for each member of the data space, X: X f(X) f(X0) a b and equating components of f(X) and f(X0):

Example 1 (cont’d) For f = (a≥0  a,b := 0,ba!), an invariant q(X)=( f(X)=f(X0) ) can be derived by tabu-lating f(X) and f(X0) for each member of the data space, X: X f(X) f(X0) a b ba! b0a0! and equating components of f(X) and f(X0):

Example 1 (cont’d) For f = (a≥0  a,b := 0,ba!), an invariant q(X)=( f(X)=f(X0) ) can be derived by tabu-lating f(X) and f(X0) for each member of the data space, X: X f(X) f(X0) a b ba! b0a0! and equating components of f(X) and f(X0): 0 = 0 ba! = b0a0!

Example 1 (cont’d) We can rewrite the second equation as:
b = b0(a0!/a!) and use it as an invariant to prove the given assertion using the while loop Rule of Infer-ence. When combined with a≥0 (specifying the domain of f) we get: q = ( b = b0(a0!/a!) Л a≥0 )

Another interesting property of q(X)
In the context of functional verification, loop invariants are generally a function of the current values of program variables (denoted by X), AND their values on entry to the loop (denoted by X0). Many f-adequate invariants may exist for a given loop, so what criteria might be used to determine which is the best to use? In general, we want f-adequate invariants to be as weak as possible. The weaker an invariant is (while still being f-adequate), the easier it will be to use.

Another interesting property of q(X) (cont’d)
Claim: q(X)=( f(X)=f(X0) ) is the weakest f-adequate loop invariant over D(f) in the sense that it is implied by all others. Proof: Let I(X) be any f-adequate loop invariant for (while p do g) over D(f), and let X0,X1,...,Xn be the states associated with the loop in D(f). Since Xn=f(X), we know I(f(X)) and ¬p(f(X)). And since I(X) is f-adequate ( I(X) Л ¬p(X)  X=f(X0) ), it follows that ( I(f(X)) Л ¬p(f(X))  f(X)=f(X0) ). Therefore, for all X in D(f), I(X)  q(X) as claimed. (See Part 3, “The Loop Invariant f(X0)=f(X),” of the Dunlop/Basili paper.)

To expand on the unique nature of q(X), note that the set of states satisfying f(X)=f(X0) includes ALL intermediate states that could possibly be generated by ANY while loop that computes f! Thus, q(X) is strong (i.e., specific) enough to describe the net effect of the loop on the input set D(f), but sufficiently weak (i.e., general) that it may offer no hint about the method used to achieve the effect.

Recall the program: while z<>0 do y := y+1 z := z−1 end_while

Recall the program: while z<>0 do y := y+1 z := z−1 end_while The function computed is: f = (z≥0  y,z := y+z,0) and from the IST, the weakest f-adequate invariant over D(f) is: q(X)  ( y+z = y0+z0 Л z≥0 ) Consider the sample {y0,z0} input: {2,4}. The loop then pro-duces the series of states {2,4}, {3,3}, {4,2}, {5,1}, {6,0}. q(X), of course, agrees with these states, but it also agrees with {-3,9}! This implies that some loop that computes f could produce the intermediate state {-3,9} while mapping {2,4} to {6,0}. We further conclude that no loop that computes f could pro-duce {4,4} as an intermediate state from the input {2,4}.

Consider a more “concrete” (wood, aluminum, etc.) illustration of q’s properties... Let f represent a general mapping from an initial building construction state (e.g., a vacant lot) to a final construction state (a finished building). Let P be a specific, step-by-step, iterative construction process that produces a finished building in accordance with f.

In particular, suppose that from an initial building state, Svac: P produces the series of (successor) states: where Sfin represents a finished building. vac

In particular, suppose that from an initial building state, Svac: P produces the series of (successor) states: where Sfin represents a finished building. vac     X K T fin Y

Now, let q(S)=( f(S)=f(S0) ) where S0 is the initial building state, S is the current building state, and S, S0 are in D(f). It follows, then, that q agrees with the series of states produced by P. That is: q(Svac), q(SX), q(SK), q(ST), q(SY), q(Sfin) But suppose q also holds for another state in D(f):

Now, let q(S)=( f(S)=f(S0) ) where S0 is the initial building state, S is the current building state, and S, S0 are in D(f). It follows, then, that q agrees with the series of states produced by P. That is: q(Svac), q(SX), q(SK), q(ST), q(SY), q(Sfin) But suppose q also holds for another state in D(f): Z

This would imply that some other iterative construction process, P’, that also results in a finished building in accordance with f, could produce SZ in the process of producing Sfin starting from Svac! Finally, suppose that q does NOT hold for SE:

This would imply that some other iterative construction process, P’, that also results in a finished building in accordance with f, could produce SZ in the process of producing Sfin starting from Svac! Finally, suppose that q does NOT hold for SE: E

This would imply that no iterative construction process that results in a finished building in accordance with f could produce SE from the initial state Svac!

While Loop Initialization
In many situations, a loop invariant may hold by virtue of its initialization. In particular, given f = [while p do g], X0  D(f) a limited f-adequate invariant of the initialized while loop: h; while p do g is: qh(X) = ( f(X)=foh(X0) )

While Loop Initialization (cont’d)
Such an invariant has the following properties: qhoh(X0) is true, and (qh(X) Л p(X) )  qhog(X), and (qh(X) Л ¬p(X) )  ( X=foh(X0) )

Example 2 Consider the assertion: {n≥0} p := 1 k := 0
while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, h, is computed by the loop initialization?

while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, h, is computed by the loop initialization? (p,k := 1,0)

while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop?

while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop? (k≤n  p,k := ?,?)

while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop? (k≤n  p,k := ?,n)

while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop? (k≤n  p,k := p2n−k,n)

Example 2 (cont’d) X f(X) foh(X0) p k
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p k

Example 2 (cont’d) X f(X) foh(X0) p ? k
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p ? k

Example 2 (cont’d) X f(X) foh(X0) p p2n−k k
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k k

Example 2 (cont’d) X f(X) foh(X0) p p2n−k ? k
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k ? k

Example 2 (cont’d) X f(X) foh(X0) p p2n−k (1)2n0−0 k
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k (1)2n0−0 k

Example 2 (cont’d) X f(X) foh(X0) p p2n−k (1)2n0−0 k ?
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k (1)2n0−0 k ?

Example 2 (cont’d) X f(X) foh(X0) p p2n−k (1)2n0−0 k n
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k (1)2n0−0 k n

Example 2 (cont’d) X f(X) foh(X0) p p2n−k (1)2n0−0 k n ?
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k (1)2n0−0 k n ?

Example 2 (cont’d) X f(X) foh(X0) p p2n−k (1)2n0−0 k n n0
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k (1)2n0−0 k n n0

Example 2 (cont’d) X f(X) foh(X0) p p2n−k (1)2n0−0 k n n0
For f = (k≤n  p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) p p2n−k (1)2n0−0 k n n0 p2n−k = (1)2n0−0 n = n0

Example 2 (cont’d) When combined, these equations yield the invariant:
p=2k which can be used with the while loop Rule of Inference to prove the given assertion. When the condition k≤n (specifying the domain of f) is included, we get: q = ( p=2k Л k≤n )

Exercise Recall that in Example 3 of Lecture Notes #18, we proved the assertion below using the invariant I: Z=XJ. {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Exercise (cont’d) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem.

Utility of Invariant Status Theorem
Does the IST eliminate the need for heuristics to synthesize Q-adequate loop invariants?

Utility of Invariant Status Theorem
Does the IST eliminate the need for heuristics to synthesize Q-adequate loop invariants? Unfortunately, no. The derivation of q(X) requires knowledge of the program function, f. Further-more, if the specified post-condition, Q, is not of the form X=f(X0), the translation between Q and f may not be obvious. Finally, if Q is weaker than f, then q(X) will be stronger than needed and may, therefore, be more cumbersome to use than some weaker Q-adequate invariant.

Utility of Invariant Status Theorem (cont’d)
None of the functions considered so far has used conditional rules.† How does one deter-mine q(X) for intended functions of the form f = (p1  r1 | p2  r2 | … | pk  rk) ? † Other than simple functions of the form (p  r).

None of the functions considered so far has used conditional rules.† How does one deter-mine q(X) for intended functions of the form f = (p1  r1 | p2  r2 | … | pk  rk) ? This can be tedious since the rule employed to determine f(X0) for every initial state X0 plus those rules employed to determine f(X) for each of X0’s successor states must be considered. The problem is analogous to that encountered in showing p(X)  ( f(X)=fog(X) ) when the rule for f on the left-hand side of the equality may be different than that on the right-hand side of the equality (i.e., after applying g). † Other than simple functions of the form (p  r).

Would verifying the properties of q(X) for a given while_do statement, K, and hypothesized function, f, for which term(f,K) has been shown, constitute a proof that f = [K]?

Would verifying the properties of q(X) for a given while_do statement, K, and hypothesized function, f, for which term(f,K) has been shown, constitute a proof that f = [K]? Yes, properties (2) and (3) of the IST are equivalent to the 2nd and 3rd while_do correctness conditions when using q(X) as the predicate. This is because ( q(X) Л p(X) )  qog(X) follows from p(X)  ( f(X)=fog(X) ), and ( q(X) Л ¬p(X) )  ( X=f(X0) ) follows from ¬p(X)  ( f(X) = I ). Also, since q(X) is the weakest f-adequate loop invariant for K, it is generally the “easiest” invariant over D(f) that can be used to verify that the loop computes f.

For some additional important and interesting insights into the nature of q(X), functions, and both iterative and non-iterative program con-structs, be sure to see problems 8 and 9 in Problem Set 7!

Summary Thinking about invariants again Invariant Status Theorem (IST)
While Loop Initialization Utility of IST

Functional Verification IV: Revisiting Loop Invariants
Software Testing and Verification Lecture Notes 24 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Functional Verification IV: Revisiting Loop Invariants

Similar presentations

Presentation on theme: "Functional Verification IV: Revisiting Loop Invariants"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Functional Verification IV: Revisiting Loop Invariants

Similar presentations

Presentation on theme: "Functional Verification IV: Revisiting Loop Invariants"— Presentation transcript:

Similar presentations

About project

Feedback