Presentation is loading. Please wait.

Presentation is loading. Please wait.

9.7.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut.

Similar presentations


Presentation on theme: "9.7.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut."— Presentation transcript:

1 9.7.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für offene Kommunikationssysteme FOKUS

2 Folie 2 H. Schlingloff, Software-Verifikation I Contracted questions... What is a function contract? Why is it necessary for verification? Which parameter passing mechanisms do you know? Can you explain the Church-Rosser property? What is the semantics of a recursive function?  denotational?  operational?  axiomatic?

3 Folie 3 H. Schlingloff, Software-Verifikation I Parallelism increasing importance (multicore processors) in C, parallelism by multithreading  unfortunately not standardized  POSIX: pthread_create (name, function, args)  pthread_join, pthread_exit,... key issue: synchronization hard to understand, error-prone

4 Folie 4 H. Schlingloff, Software-Verifikation I Multithreading in Java class TicTac implements Runnable{ static int summe = 0; Thread faden; private int wer; public TicTac(int w) { faden = new Thread(this); wer=w; } public void run() { for(int i=1; i<100; i++) { if(wer==1) summe = summe + 1; else summe = summe - 1; } public static void main(String[] args) { TicTac tic = new TicTac(1); TicTac tac = new TicTac(2); tic.faden.start(); tac.faden.start(); try {tic.faden.join(); tac.faden.join(); } catch (Exception e) {} System.out.println("Summe=" + summe); } Ergebnis ???

5 Folie 5 H. Schlingloff, Software-Verifikation I Concept Language we add the following new constructs to the language of while-programs  {  1 ||  2 } or, more generally, {  1 ||... ||  n }  await (b)  ; semantics  parallel (interleaved) execution of the  i  blocking wait until condition is satisfied; program fragment within await is noninterruptable for simplicity, assignments are atomic actions  semaphore-concept (Dijkstra), monitor-concept (Hoare)  “test-and-set”-operation in processor hardware

6 Folie 6 H. Schlingloff, Software-Verifikation I Examples int n=0; { for (int i = 0; i<100; i++) n++; || for (int i = 0; i<100; i++) n--; } int n=0; int l, r; {for (int i = 0; i<100; i++) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) {r=n; r--; n=r;}} int n=0; {for (int i = 0; i<100; i++) await (true) {l=n; l++; n=l;} || for (int i = 0; i<100; i++) await (true) {r=n; r--; n=r;}}

7 Folie 7 H. Schlingloff, Software-Verifikation I More Examples a=0; {a*=a; a-=5; || a=2*a+3; a=1-a;} a=0; {a++; || a--;} {a=0; a++; || a=0; a--} a=0; {await (a>=0); a++; || await (a<=0); a--} a=0; {await (a>=0) a++; || await (a<=0) a--}

8 Folie 8 H. Schlingloff, Software-Verifikation I A realistic example a=n; b=0; c=1; { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } program calculates binomial coefficient

9 Folie 9 H. Schlingloff, Software-Verifikation I Interleaving Semantics A state of the program consists of  an assignment of values to variables  a set of program counters (depending on the number of parallel components), and SOS-rules for parallel programs  if (U,I,V) ⊨ b and ( , V)  * (skip,V’), then (await (b) , V)  (skip,V’)  if (  1, V)  (  1 ’,V’), then ({  1 ||  2 }, V)  ({  1 ’ ||  2 },V’) if (  2, V)  (  2 ’,V’), then ({  1 ||  2 }, V)  ({  1 ||  2 ’},V’) ({skip || skip}, V)  (skip,V) In general, several possible executions! (tree of possibilities)

10 Folie 10 H. Schlingloff, Software-Verifikation I A realistic example a=n; b=0; c=1;  :{  1: while (a!=n-k) {  2: c=c*a;  3: a--; }  4: ||  1: while (b!=k) {  2: b++;  3: await (a+b<=n);  4: c=c/b; }  5: }

11 Folie 11 H. Schlingloff, Software-Verifikation I Deadlocks a=0; b=0; {await (a!=0) || await (b!=0)} a=0; b=0; {await (a==1) b=1 || await (b==1) a=1} prt=T; dsk=T; {await (prt) prt=F; await(dsk) dsk=F; foo; prt=T; dsk=T; || await (dsk) dsk=F; await(prt) prt=F; bar; prt=T; dsk=T;}

12 Folie 12 H. Schlingloff, Software-Verifikation I Invariants for Parallel Programs Assume  is a formula such that {  }  {  } for every subprogram  of {  1 ||  2 }. Then {  } {  1 ||  2 } {  } Example: a=0;  : {a++;  : || a--;  :}  : Invariant a==0+  -  (or, more explicit: ( ¬  ¬  a==0   a==0   ¬  a==1  ¬  a==-1) ) int n=0; { for (int i = 0; i<100; i++) n++; || for (int j = 0; j<100; j++) n--;} Invariant n=i-j

13 Folie 13 H. Schlingloff, Software-Verifikation I Problem with Invariant Method Non-compositionality: In order to show {  }{  1 ||  2 }{  } it is not sufficient to show {  }{  1 }{  } and {  }{  2 }{  } Sequential composition rule (seq): if ⊢ {  }  1 {  } and ⊢ {  }  2 {  }, then {  }{  1 ;  2 }{  } ? if ⊢ {  1 }  1 {  1 } and ⊢ {  2 }  2 {  2 }, then {  1   2 }{  1 ||  2 }{  1   2 }

14 Folie 14 H. Schlingloff, Software-Verifikation I Hoare-Rule for Parallel Programs Susan Owicki, 1975: If ⊢ {  1 }  1 {  1 } and ⊢ {  2 }  2 {  2 }, then ⊢ {  1  2 } {  1 ||  2 } {  1  2 }, if the proofs of {  1 }  1 {  1 } and {  2 }  2 {  2 } are interference free Two proofs are interference-free, if for any two Hoare triples {  a }  a {  a } in {  1 }  1 {  1 } and {  b }  b {  b } in {  2 }  2 {  2 } it holds that {  a  b }  a {  b } Example: {x=0  x=2} x++ {x=1  x=3} interferes with {x=0} x+=2 {x=2} but not with {x=0  x=1} x+=2 {x=2  x=3}

15 Folie 15 H. Schlingloff, Software-Verifikation I Hoare-Owicki-Proof {x==0  x==-1} x++ {x==1  x==0} {x==0  x==1} x-- {x==-1  x==0} Interference freedom:  {x==0  x==-1  x==0  x==1} x++ {x==0  x==1}  {x==0  x==1  x==0  x==-1} x-- {x==0  x==-1} Therefore, {x==0  x==-1  x==0  x==1} {x++||x--} {x==1  x==0  x==-1  x==0} {x==0} {x++||x--} {x==0} Proof does not work for {x==0} {h=x; h++; x=h; || h=x; h--; x=h;} {x==0}

16 Folie 16 H. Schlingloff, Software-Verifikation I Proof (scetch) of example program a=n; b=0; c=1; // calculate n over k { while (a!=n-k) {c=c*a; a--;} || while (b!=k) {b++; await (a+b<=n); c=c/b;} } Idea: at the await it holds that c=(n*(n-1)*...*(n-j+1)/1*2*...*(i-1) a=n-j, b=i If a+b<=n, then i<=j. In this case, c is divisible by j:  n is divisible by 1  n*(n-1) is divisible by 2  n*(n-1)*(n-2) is divisible by 2 and 3  n*(n-1)*(n-2)*(n-3) is divisible by 1*2*3*4


Download ppt "9.7.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut."

Similar presentations


Ads by Google