Slide 1
11.6.2015
Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität und Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Slide 2 (H. Schlingloff, Software-Verifikation I)
Invariably: Starter Questions …
What is an invariant? How is it used in verification?
Is the set of invariants of a loop recursive? … or recursively enumerable?
Is there any decidable invariant?
How to construct an invariant for a given loop?
E.g. {i=0; while (i<n) {i++}}
E.g. {i=0; while (i<n) {i++; j--}}
E.g. {i=0; while (i<n) {i++; j+=i}}

Slide 3
While[]-Programs
While-Programs are Turing-complete, but not very convenient to use
Missing: arrays, pointers, data structures, functions & procedures, modules, inheritance, …
Today: arrays and search
Introduce array type X[n], where X is any type and n is any integer
Set V[] of indexed program variables: if i is a program variable of type Int and a is an array variable of type X[n], then a[i] is an indexed program variable of type X
While[]-Prog: indexed program variables can be used in terms and expressions wherever “normal” program variables are allowed
Semantics: an array variable a: X[n] is evaluated as a partial function V(a): Int → X ∪ {undef}
V(a)(x) = undef if x < 0 or x ≥ n
V(a[i]) = V(a)(V(i))

Slide 4
Example: Binary Search
Input: a sorted array x:Int[n] (i.e., ∀i (x[i-1]<x[i])) and a value a to search for
Result: index i s.t. x[j] =a for i<=j<n
Program:
  i=0; k=n;
  while (i<k) {
    s=(i+k-1)/2; // integer division
    if (a>x[s]) i=s+1 else k=s
  }
Correctness: Show {n>=0 ∧ ∀i(0<i<n → (x[i-1]<x[i]))} Program {0 =a}
[Figure: two sketches of the array x, the first marking index i and the second indices i, k and s, with the regions labelled <a and >=a]

Slide 5
Invariant for Binary Search
x is sorted: φ0: ∀i(0<i<n → (x[i-1]<x[i]))
i is changed such that φ1: 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a)
k is changed such that φ2: 0 =a)
additionally φ3: i<=k
Let φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3

Slide 6
Hoare Proof for Binary Search
{n>=0 ∧ ∀i(0<i<n → (x[i-1]<x[i]))}
i=0; k=n;
{φ}
while (i<k) {
  {φ ∧ i<k}
  s=(i+k-1)/2; // integer division
  if (a>x[s]) i=s+1 else k=s
  {φ}
}
{φ ∧ i>=k}
{i=k ∧ 0 =a)}
{0 =a)}

Slide 7
φ: 0 =a)
{φ ∧ i<k} s=(i+k-1)/2; {φ ∧ i<k ∧ s==(i+k-1)/2}
if (a>x[s]) i=s+1 else k=s {φ} holds since
{φ ∧ i x[s]} {φ[i:=s+1]} i=s+1 {φ}
{φ ∧ i<k ∧ s==(i+k-1)/2 ∧ a<=x[s]} {φ[k:=s]} k=s {φ}
proof: see next

Slide 8
φ: 0 =a)
Show: φ ∧ i<k ∧ s=(i+k-1)/2 ∧ x[s]<a → φ[i:=s+1]
φ ∧ i<k ∧ s=(i+k-1)/2 ∧ x[s]<a → 0<= s+1 <= k <= n ∧ ∀j(0<=j< s+1 → x[j]<a)
φ ∧ i<k ∧ s=(i+k-1)/2 ∧ x[s]<a → (i+k+1)/2 <= k ∧ ∀j(0<=j<= (i+k-1)/2 → x[j]<a)
holds since
i<k → i+k<k+k → i+k+1<=2*k → (i+k+1)/2<=k
x[s]<a ∧ j=s → x[j]<a
φ0 ∧ x[s]<a ∧ j<s → x[j]<a
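The binary search and its invariant from slides 4 to 8, as an added Python example (not from the lecture or the HAHA tool): the invariant φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3 is checked at run time before and after every iteration, and a small exhaustive driver runs the search over every strictly sorted array drawn from a small value range, which exercises the two proof obligations of slide 8 on concrete states. φ2 and the postcondition are garbled in the transcript; the forms used here (0<=k<=n and x[j]>=a for all j>=k) are assumptions chosen symmetric to φ1.

```python
from itertools import combinations


def sorted_strictly(x):
    """phi0: for all i with 0 < i < n, x[i-1] < x[i]."""
    return all(x[i - 1] < x[i] for i in range(1, len(x)))


def invariant(x, a, i, k):
    """phi = phi0 /\\ phi1 /\\ phi2 /\\ phi3 from slide 5 (phi2 is assumed)."""
    n = len(x)
    phi0 = sorted_strictly(x)
    phi1 = 0 <= i <= n and all(x[j] < a for j in range(0, i))
    phi2 = 0 <= k <= n and all(x[j] >= a for j in range(k, n))  # assumed form
    phi3 = i <= k
    return phi0 and phi1 and phi2 and phi3


def binary_search(x, a):
    """Returns i with x[j] < a for j < i and x[j] >= a for i <= j < n (assumed postcondition)."""
    n = len(x)
    assert n >= 0 and sorted_strictly(x), "precondition of slide 4 violated"
    i, k = 0, n
    assert invariant(x, a, i, k)          # phi holds after i=0; k=n
    while i < k:
        s = (i + k - 1) // 2              # integer division, as on the slide; i <= s < k
        if a > x[s]:
            i = s + 1                     # obligation: phi[i:=s+1] (slide 8)
        else:
            k = s                         # obligation: phi[k:=s]
        assert invariant(x, a, i, k)      # phi is re-established by the loop body
    assert i == k                         # phi /\ i >= k gives i == k
    assert all(x[j] < a for j in range(i)) and all(x[j] >= a for j in range(i, n))
    return i


def check_small_cases(max_n=4, max_val=5):
    """Runs the search over every strictly sorted array of length <= max_n with
    values in 0..max_val and every a in 0..max_val+1; returns the number of runs."""
    count = 0
    for n in range(max_n + 1):
        for x in combinations(range(max_val + 1), n):   # combinations are strictly sorted
            for a in range(max_val + 2):
                binary_search(list(x), a)               # raises if phi or the postcondition fails
                count += 1
    return count
```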

Slide 9
Haha
Binary Search in Haha

Slide 10
Last Example: Bubblesort
Given an array x[0..n-1] of integers, the task is to sort x
Bubblesort repeatedly exchanges “unordered” elements in x, e.g.:
6 – 3 – 8 – 4 – 1
3 – 6 – 8 – 4 – 1
3 – 6 – 4 – 8 – 1
3 – 6 – 4 – 1 – 8
3 – 4 – 6 – 1 – 8
3 – 4 – 1 – 6 – 8
3 – 1 – 4 – 6 – 8
etc.

Slide 11
Bubblesort Algorithm
  i=n;
  while (i>1) {
    i=i-1; k=0;
    while (k!=i) {
      k++;
      if (x[k-1]>x[k]) swap(x[k-1], x[k])
    }
  }
Each line of the program carries a program-point label, which the proofs on the following slides refer to.

Slide 12
Specification of Sortedness
x is sorted: sorted(x): ∀i(0<i<n → x[i-1] <= x[i])
x is a permutation of the input array? For sake of simplicity: assume all elements in x are pairwise unequal: diff(x): ∀i,j(0<=i != j<n → (x[i]!=x[j]))
In this case, x is a permutation of y iff perm(x,y): ∀a(∃i x[i]==a ↔ ∃i y[i]==a)
Specification: {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}

Slide 13
Invariant for Bubblesort
Invariant for the outer loop:
after first iteration: x[n-1] at correct position
after second iteration: x[n-1] and x[n-2] at correct position
after third iteration: x[n-1]..x[n-3] at correct position
...
ordered(x, i): 1<=i<=n ∧ ∀j(i<=j<n → x[j-1] < x[j]) ∧ ∀j(0<=j<i<n → x[j] <= x[i])
then we have: ordered(x, n) ↔ T, and ordered(x, 1) ↔ sorted(x)
I (outer loop): diff(x) ∧ perm(x,y) ∧ ordered(x,i)

Slide 14
Proof of Outer Loop
x==y ∧ diff(x) → perm(x,y)
: x==y ∧ diff(x)    : x==y ∧ diff(x) ∧ i==n
x==y ∧ diff(x) ∧ i==n → diff(x) ∧ perm(x,y) ∧ ordered(x,i)
: x==y ∧ diff(x)    : I
: I    : I
: I    : I ∧ (i<=1)
I ∧ (i<=1) → perm(x,y) ∧ ordered(x,i) ∧ (i<=1) → perm(x,y) ∧ sorted(x)
: I    : sorted(x) ∧ perm(x,y)
: x==y ∧ diff(x)    : perm(x,y) ∧ sorted(x)
that is, {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}

Slide 15
Inner Invariant
It remains to show:  : I ∧ (i>1)    : I
Invariant for the inner loop:
perm(x,y) ∧ ordered(x,i+1) remains stable
goal of the inner loop: the maximal element from x[0]...x[i-1] is moved to x[i-1]
after each step: 0 =x[j])
I (inner loop): perm(x,y) ∧ ordered(x,i+1) ∧ 0 =x[j])

Slide 16
Proof of Inner Invariant
: I ∧ (i>1)    : perm(x,y) ∧ ordered(x,i+1) ∧ k==0
perm(x,y) ∧ ordered(x,i+1) ∧ k==0 → I
: I ∧ (i>1)    : I
: I    : I
: I    : I ∧ (k==i), provided that  : I ∧ (k!=i)    : I
I ∧ (k==i) → perm(x,y) ∧ ordered(x,i+1) ∧ ∀j(0 =x[j])
: I ∧ (i>1)    : I
it remains to show:  : I ∧ (k!=i)    : I
perm(x,y) remains unchanged
ordered(x,i+1) is not modified
: 0 =x[j]) ∧ k!=i    : 0 =x[j])
: I ∧ (k!=i)    : 0 =x[j])
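The Bubblesort of slide 11 with the outer invariant I = diff(x) ∧ perm(x,y) ∧ ordered(x,i) of slide 13 and the inner invariant of slide 15 checked at run time, as an added Python example (not from the lecture). The last conjunct of the inner invariant is garbled in the transcript; "0<=k<=i and x[k]>=x[j] for all j<k" is my assumption. Because ordered(x,n) requires 1<=n, the example also assumes a non-empty array; perm is implemented as set equality, which is what the ∀a(∃i ... ↔ ∃i ...) definition of slide 12 amounts to.

```python
def sorted_(x):
    """sorted(x) of slide 12: x[i-1] <= x[i] for 0 < i < n."""
    return all(x[i - 1] <= x[i] for i in range(1, len(x)))


def diff(x):
    """diff(x): all elements pairwise unequal."""
    return len(set(x)) == len(x)


def perm(x, y):
    """perm(x,y): every value occurs in x iff it occurs in y (adequate under diff)."""
    return set(x) == set(y)


def ordered(x, i):
    """ordered(x,i) of slide 13: x[i..n-1] is sorted and dominates x[0..i-1]."""
    n = len(x)
    return (1 <= i <= n
            and all(x[j - 1] < x[j] for j in range(i, n))
            and (i == n or all(x[j] <= x[i] for j in range(i))))


def outer_inv(x, y, i):
    return diff(x) and perm(x, y) and ordered(x, i)


def inner_inv(x, y, i, k):
    # last conjunct is the assumed reading of the garbled slide text
    return (perm(x, y) and ordered(x, i + 1)
            and 0 <= k <= i and all(x[k] >= x[j] for j in range(k)))


def bubblesort(x):
    """Sorts x in place as on slide 11; returns the number of swaps performed."""
    y = list(x)                               # the input array y of the specification
    n = len(x)
    assert diff(x) and n >= 1, "precondition: pairwise unequal, non-empty (assumed)"
    swaps, i = 0, n
    assert outer_inv(x, y, i)                 # ordered(x,n) is trivially true
    while i > 1:
        i = i - 1
        k = 0
        assert inner_inv(x, y, i, k)          # entry of the inner loop
        while k != i:
            k += 1
            if x[k - 1] > x[k]:
                x[k - 1], x[k] = x[k], x[k - 1]
                swaps += 1
            assert inner_inv(x, y, i, k)      # x[k] is the maximum of x[0..k]
        assert outer_inv(x, y, i)             # maximum of x[0..i] now sits at x[i]
    assert sorted_(x) and perm(x, y)          # postcondition of slide 12
    return swaps
```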
