Functional Verification III

Functional Verification III
Software Testing and Verification Lecture Notes 23 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Previously… Correctness conditions and working correctness questions:
sequencing decision statements

Today’s Topics Iteration Recursion Lemma (IRL)
Termination predicate: term(f,P) Correctness conditions for while_do statement Correctness conditions for repeat_until statement Subgoal Induction

Iteration Recursion Lemma (IRL)
The IRL reduces the verification of programs with loops to a question of termination and the verification of loop-free programs by converting iteration to recursion. For while loops, the Lemma states: f = [while p do g] = [if p then g;f end_if] (note recursion)

Iteration Recursion Lemma (cont’d)
F p f = T g

F p T F p g f = = T g F p T g

F p T F F p p g f = = = T T g g F p T f g

F p T F F F p p p g f = = = = T T T g g g;f F p T f g

Rather than verify directly that f is the program function of K = while p do g which can be very difficult, it is sufficient to prove that 1. K terminates for all X  D(f), and that 2. f is the program function of Q = if p then g;f end_if because [K] = [Q].

An important implication of the IRL
Suppose for “input” X0 the while loop terminates after n iterations with “output” Xn. Furthermore, let X1, X2, ..., Xn-1 be the intermediate states generated by the loop. Then  0≤i<n, we know: p(Xi) (when g executes 1 or more times), Xi+1=g(Xi), and ¬p(Xn).

An important implication of the IRL (cont’d)
As f = [while p do g] = [if p then g;f end_if], it follows that f(X0) = f(X1) = ... = f(Xn) = Xn More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is: f(X) = f(X0) We will revisit this observation in connection with Mill’s Invariant Status Theorem later.

Illustrative Example of IRL
To further illustrate the fact that [while p do g] = [if p then g;f end_if] consider a concrete example...

To further illustrate the fact that [while p do g] = [if p then g;f end_if] consider a concrete example... Let K = while y>0 do x,y := x+1,y−1 p g

To further illustrate the fact that [while p do g] = [if p then g;f end_if] consider a concrete example... Let K = while y>0 do x,y := x+1,y−1 Claim: K is function equivalent to Q = if y>0 then x,y := x+1,y−1;k end_if where, by definition, k = [K]. p g p k o g

Illustrative Example of IRL (cont’d)
Case (y>0): For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x0+(1)y0 = x0+y0 and the final value of y is 0. Thus, (y>0) => k = (x,y := x+y,0)

Case (y>0): For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x0+(1)y0 = x0+y0 and the final value of y is 0. Thus, (y>0) => k = (x,y := x+y,0) Also, note that when y=0 initially, k = I = (x,y := x,y) = (x,y := x+0,y) = (x,y := x+y,0)

Case (y>0): For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x0+(1)y0 = x0+y0 and the final value of y is 0. Thus, (y>0) => k = (x,y := x+y,0) Also, note that when y=0 initially, k = I = (x,y := x,y) = (x,y := x+0,y) = (x,y := x+y,0) Therefore, (y≥0) => k = (x,y := x+y,0)

Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) o (x,y := x+1,y−1)

Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0)

Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0)

Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K)

Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K) Thus, [Q] = [K] when y>0.

Case (y≤0): Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent. Thus, [Q] = I = [K] when y≤0.

Case (y≤0): Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent. Thus, [Q] = I = [K] when y≤0. Therefore, K is function equivalent to Q.

Termination Predicate
The correctness of a looping program P depends, in part, on termination. Consideration is limited to programs whose termination can be established and the following predicate is defined: term(f,P)  ‘‘P terminates for every initial state X  D(f)’’

Before we continue… Take out a piece of paper and a pen/pencil.
Without looking back in the lecture notes, write down the correctness conditions for: f = [if p then g]

if_then Correctness Conditions
Correctness conditions for f = [if p then g]: Prove: p  (f = g) Л ¬p  (f = I)

if_then Correctness Conditions
Correctness conditions for f = [if p then g]: Prove: p  (f = g) Л ¬p  (f = I) So, aside from proving termination over the domain of f, what are the two corresponding conditions for: f = [while p do g] = [if p then fog] ?

while_do Correctness Conditions
Correctness conditions for f = [K] = [while p do G] (where K is closed for the domain of f†, and g = [G]): Prove: term(f,K) Л p  (f = f o g) Л ¬p  (f = I) †A while loop is closed for a set of data states S  [XS Л p(X)  g(X)S]

while_do Correctness Conditions (cont’d)
Working correctness questions: Is loop termination guaranteed for any argument of f ? When p is true does f equal f composed with g? When p is false does f equal Identity?

while_do Example Prove f = [T] where, for integers x, y, and z:
f = (y≥0  z,y := z+xy,0) and T is: while y<>0 do z := z+x y := y−1 end_while

while_do Example Prove f = [T] where, for integers x, y, and z:
f = (y≥0  z,y := z+xy,0) and T is: while y<>0 do z := z+x y := y−1 end_while p G

while_do Example (cont’d)
Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)?

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? f = (y≥0  z,y := z+xy,0) and T is: while y<>0 do z := z+x y := y−1 end_while So, does y≥0 initially  T will terminate?

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…)

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…) Does (y=0)  ( f = I )? ¬p

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…) Does (y=0)  ( f = I )? ¬p ( Recall: f = (y≥0  z,y := z+xy,0) )

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…) Does (y=0)  ( f = I )? (y=0)  ( f = (z,y := z+x(0),0) ) ( Recall: f = (y≥0  z,y := z+xy,0) )

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…) Does (y=0)  ( f = I )? (y=0)  ( f = (z,y := z+x(0),0) = (z,y := z,0) )

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…) Does (y=0)  ( f = I )? (y=0)  ( f = (z,y := z+x(0),0) = (z,y := z,0) ) (y=0)  ( I = (z,y := z,0) )

Proof: T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation term(f,T)? √ (Prove this…) Does (y=0)  ( f = I )? √ (y=0)  ( f = (z,y := z+x(0),0) = (z,y := z,0) ) (y=0)  ( I = (z,y := z,0) )

Does (y0)  ( f = f o g )? p

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )?

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = f o (z,y := z+x,y−1) ) ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = f o (z,y := z+x,y−1) ) What is f when applied after g decrements the initially negative value of y? ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = undefined o (z,y := z+x,y−1) ) since y<0  gy(y<0)<0 ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = undefined o (z,y := z+x,y−1) = undefined )

Does (y0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? √ (y<0)  ( f = undefined ) (y<0)  ( f o g = undefined o (z,y := z+x,y−1) = undefined )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )?

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = f o (z,y := z+x,y−1) ) ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = f o (z,y := z+x,y−1) ) Again, what is f when applied after g decrements the initially positive value of y? ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) ) since y>0  gy(y>0)≥0 ( Recall: f = (y≥0  z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) )

Does (y0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? √ (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) )

Does (y0)  ( f = f o g )? √ case b: Does (y>0)  ( f = f o g )? √ (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) )

Does (y0)  ( f = f o g )? √ case b: Does (y>0)  ( f = f o g )? √ (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) ) Therefore, f = [T].

Note that to determine what fog is for the two cases of p (y<>0) being true, we could have also composed the full definition of f with g, i.e. (y≥0  z,y := z+xy,0) o (z,y := z+x,y−1) = (y≥1  z,y := z+xy,0) which reduces to undefined when y<0, and to (z,y := z+xy,0) when y>0. This eliminates the need to argue what f is after applying g on a case-by-case basis in proofs (as in “…f is undefined in this case since y<0  gy(y<0)<0”).

Exercise 1 For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while

repeat_until Statement
What are the correctness conditions for f = [R] = [repeat g until p]? g f = T p F

repeat_until Statement (cont’d)
An IRL for repeat_until statements: f = [repeat g until p] = [g; if ¬p then f]

“Proof” by Picture g f = T p F

“Proof” by Picture g g T f = = p T p F F g T p F

“Proof” by Picture g g g T f = = = T p p T p F F F g f T p F

“Proof” by Picture g g g g f = = = = p p ¬p p g f f p T T F T F F T F

repeat_until Statement (cont’d)
Therefore, it is sufficient to verify that 1. R terminates for all X  D(f), and that 2. f is the program function of Q = g; if ¬p then f end_if because [R] = [Q].

repeat_until Correctness Conditions
Correctness conditions for f = [R] = [repeat G until p] (where R is closed for the domain of f†, and g = [G]): Prove: term(f,R) Л (p o g)  (f = g) Л ¬(p o g)  (f = f o g) †A repeat_until loop is closed for a set of data states S  [XS Л ¬pog(X)  g(X)S]

repeat_until Correctness Conditions (cont’d)
Working correctness questions: Is loop termination guaranteed for any argument of f ? When p o g is true does f equal g? When p o g is false does f equal f o g?

Exercise 2 For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0

Subgoal Induction “Subgoal induction” is a proof method pro- posed by Morris and Wegbreit† that can be viewed as a generalization of Mill’s approach for verifying the correctness of while loops. It uses a variation of the Iteration Recursion Lemma (IRL) to identify relatively simple correctness conditions for a while loop surrounded by pre- and post-processing code. †Morris, James & Ben Wegbreit, “Subgoal Induction,” CACM, Volume 20, No. 4, April 1977.

Subgoal Induction (cont’d)
The key observation underlying the method is: v = [while p do g end_while; t] ≡ [if p then g;v else t end_if_else] The function equivalence of these programs, like that asserted in the IRL, is perhaps best illustrated graphically...

F p v = T g t

F p T F p g t v = = T g t F p T g t

F p T F F p p g t v = = = T T g t g t F p T v g t

F p T F F F p p p g t v = = = = T T T g t g t g;v t F p T v g t

Suppose, now, that compound program K is: h; while p do g end_while; t and that v = [while p do g end_while; t]. From the functional equivalence illustrated above and the fact that K = h;v, it therefore follows that: [K] = v o h = [if p then g;v else t end_if_else] o h

Recall the correctness conditions for r = [if p then g else t]: (1) p  (r=g) and (2) ¬p  (r=t). Thus, the correctness conditions for f = [K] = [h; while p do g end_while; t] are: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh where v = [while p do g end_while; t].

Subgoal induction vs. functional verification
How does subgoal induction differ from the program decomposition strategy described by Mills? To show f = [h; while p do g end_while; t] using Mill’s approach, an intermediate hypothesis and “sub-proof” for the loop is required, whereas t is part of the intermediate hypothesis in the subgoal induction case. Note that if t is the identify function, the two strategies are identical.

Subgoal induction vs. functional verification (cont’d)
But if h is the identify function, then subgoal induction has an advantage since treating the loop and t as a whole results in a more efficient proof. The key difference is that Mill’s approach is based on the functional equivalence of a while loop to a recursive if_then statement, while subgoal induction is based on the functional equivalence of a while loop + post-processing code to a recursive if_then_else statement.

Subgoal Induction Example
Use subgoal induction to prove f = [K] where, for integers x, y, and z: f = (x≥0  x,y,z := 0,2x,2x) and K is: y := 1 while x<>0 do y := y*2 x := x-1 end_while z := y

Subgoal Induction Example
Use subgoal induction to prove f = [K] where, for integers x, y, and z: f = (x≥0  x,y,z := 0,2x,2x) and K is: y := H while x<>0 do y := y*2 x := x-1 end_while z := y T G

Subgoal Induction Example (cont’d)
We need to show: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh But first, we must hypothesize a function for v (our “intermediate hypothesis”): v = [while x<>0 do g end_while; z := y]

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := ?, ? , ? )

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, ? , ?

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, ?

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x x=0  x,y,z := ?, ?, ?

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x x=0  x,y,z := x, y, y

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x x=0  x,y,z := x, y, y := 0, y2x, y2x

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x x=0  x,y,z := x, y, y := 0, y2x, y2x x<0  ?

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x x=0  x,y,z := x, y, y := 0, y2x, y2x x<0  undefined

What is the function, v, of this program? while x<>0 do y := y*2 x := x-1 end_while z := y x>0  x,y,z := 0, y2x, y2x x=0  x,y,z := x, y, y := 0, y2x, y2x x<0  undefined Therefore, v is hypothesized to be: (x≥0  x,y,z := 0, y2x, y2x)

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (1) Does K terminate for all x≥0? y := 1 while x<>0 do y := y*2 x := x-1 end_while z := y

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (1) Does K terminate for all x≥0? YES y := 1 while x<>0 do y := y*2 x := x-1 end_while z := y (Prove this using the Method of Well-Founded Sets.)

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? p

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )?

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? (x<0)  ( v = undefined ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? (x<0)  ( v = undefined ) (x<0)  ( v o g = v o (x,y := x-1,2y) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? (x<0)  ( v = undefined ) (x<0)  ( v o g = ? o (x,y := x-1,2y) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? (x<0)  ( v = undefined ) (x<0)  ( v o g = undefined o (x,y := x-1,2y) since x<0  ( gx(x<0) < 0 ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? (x<0)  ( v = undefined ) (x<0)  ( v o g = undefined o (x,y := x-1,2y) = undefined ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? YES (x<0)  ( v = undefined ) (x<0)  ( v o g = undefined o (x,y := x-1,2y) = undefined ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = v o (x,y := x-1,2y) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = ? o (x,y := x-1,2y) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = (x,y,z := 0, y2x, y2x) o (x,y := x-1,2y) since x>0  ( gx(x>0) ≥ 0 ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = (x,y,z := 0, y2x, y2x) o (x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = (x,y,z := 0, y2x, y2x) o (x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1) = (x,y,z := 0, y2x, y2x) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? case b: Does (x>0)  ( v = v o g )? YES (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = (x,y,z := 0, y2x, y2x) o (x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1) = (x,y,z := 0, y2x, y2x) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x0)  ( v = v o g )? YES case b: Does (x>0)  ( v = v o g )? YES (x>0)  ( v = (x,y,z := 0, y2x, y2x) ) (x>0)  ( v o g = (x,y,z := 0, y2x, y2x) o (x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1) = (x,y,z := 0, y2x, y2x) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (3) Does (x=0)  ( v = t )? ¬p

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (3) Does (x=0)  ( v = t )? (x=0)  ( v = (x,y,z := 0, y20, y20) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (3) Does (x=0)  ( v = t )? (x=0)  ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (3) Does (x=0)  ( v = t )? (x=0)  ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) ) (x=0)  ( t = (x,y,z := 0, y, y) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (3) Does (x=0)  ( v = t )? YES (x=0)  ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) ) (x=0)  ( t = (x,y,z := 0, y, y) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ?

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? f = (x≥0  x,y,z := 0,2x,2x)

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? f = (x≥0  x,y,z := 0,2x,2x) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? f = (x≥0  x,y,z := 0,2x,2x) voh = (x≥0  x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? f = (x≥0  x,y,z := 0,2x,2x) voh = (x≥0  x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) = (x≥0  x,y,z := 0, (1)2x, (1)2x) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? f = (x≥0  x,y,z := 0,2x,2x) voh = (x≥0  x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) = (x≥0  x,y,z := 0, (1)2x, (1)2x) = (x≥0  x,y,z := 0, 2x, 2x) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? YES f = (x≥0  x,y,z := 0,2x,2x) voh = (x≥0  x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) = (x≥0  x,y,z := 0, (1)2x, (1)2x) = (x≥0  x,y,z := 0, 2x, 2x) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2x, y2x) )

Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh Therefore, for f = (x≥0  x,y,z := 0,2x,2x) and K: y := 1 while x<>0 do y := y*2 x := x-1 end_while z := y we conclude, by subgoal induction, that f = [K].

Summary Iteration Recursion Lemma (IRL)

Coming up next… Thinking about invariants again
Invariant Status Theorem (IST) While Loop Initialization Utility of IST

Functional Verification III
Software Testing and Verification Lecture Notes 23 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Functional Verification III

Similar presentations

Presentation on theme: "Functional Verification III"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Functional Verification III

Similar presentations

Presentation on theme: "Functional Verification III"— Presentation transcript:

Similar presentations

About project

Feedback