Slide 1: Software Verification 1, Deductive Verification
25 June 2015
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität and Fraunhofer Institut für offene Kommunikationssysteme FOKUS
Slide 2 (H. Schlingloff, Software-Verifikation I): Terminal Questions
- What is the meaning of "total correctness"?
- Why can't the Hoare rules prove termination? Why is it hard to prove termination?
- What is a well-founded ordering? An example? Another example? A counterexample?
- Can you formulate an induction principle?
- What is a variant? How is it used to prove termination?
- Could you prove termination of McCarthy's 91-function?
Slide 3: John McCarthy's 91-Function
α = {b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }
Show (total correctness): ⊢ [0<a<=100] α [a==91]
Slide 4: Termination of the 91-Function
We do the termination part only.
Hint for the invariant: (0<b<=11 ∧ 0<a<=111 ∧ (a<=101 ∨ b!=1))
wfo: ℕ₀; variant: φ(z) = (z == 1111+111b-11a-1)
If 0<a<=100 ∧ b==1, we have z = 1221-11a >= 121, so z ∈ ℕ₀.
Assume φ(z) ∧ (a<=100 ∨ b!=1) within the while-loop.
Case a<=100: {a+=11; b++;} gives z-10 == 1111+111(b+1)-11(a+11)-1
Case a>100: {a-=10; b--;} gives z-1 == 1111+111(b-1)-11(a-10)-1
Thus in both cases there exists z'<z such that φ(z') holds; the invariant (a<=111, b>0) keeps z' >= 0, so the descent stays inside ℕ₀.
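The following is an added example, not code from the slides: it runs the 91-function of slide 3 while checking, at every iteration, exactly the proof obligations that slide 4 discharges on paper (the invariant holds, the variant z = 1111+111b-11a-1 is a natural number, and each body execution strictly decreases it). The invariant and variant are the slide's; the generic checking harness `run_with_variant`, the state dictionary and the function names are assumptions made here.

```python
# Added example (not from the slides): McCarthy's 91-function (slide 3) executed under
# the termination obligations of slide 4. Harness, state encoding and names are assumptions.

def run_with_variant(state, guard, body, invariant, variant):
    """Execute `while guard: body` on the dict `state`, enforcing the obligations of a
    termination proof over the well-founded order (N0, <):
      - the invariant holds before every guard evaluation,
      - the variant is a natural number whenever the guard holds,
      - each body execution strictly decreases the variant.
    Returns the final state and the sequence of variant values observed."""
    trace = []
    assert invariant(state), f"invariant violated on entry: {state}"
    while guard(state):
        z = variant(state)
        assert isinstance(z, int) and z >= 0, f"variant left N0: z={z} in {state}"
        if trace:
            assert z < trace[-1], f"variant did not decrease: {trace[-1]} -> {z}"
        trace.append(z)
        body(state)
        assert invariant(state), f"invariant violated after body: {state}"
    return state, trace


def mccarthy91(x):
    """Slide 3's program with a initialised to x and b to 1; returns (a-10, variant trace)."""
    st = {"a": x, "b": 1}
    guard = lambda s: s["a"] <= 100 or s["b"] != 1

    def body(s):
        if s["a"] <= 100:
            s["a"] += 11
            s["b"] += 1
        else:
            s["a"] -= 10
            s["b"] -= 1

    # slide 4: invariant (0<b<=11 ∧ 0<a<=111 ∧ (a<=101 ∨ b!=1)), variant z = 1111+111b-11a-1
    inv = lambda s: 0 < s["b"] <= 11 and 0 < s["a"] <= 111 and (s["a"] <= 101 or s["b"] != 1)
    var = lambda s: 1111 + 111 * s["b"] - 11 * s["a"] - 1
    st, trace = run_with_variant(st, guard, body, inv, var)
    return st["a"] - 10, trace


def variant_steps(trace):
    """Differences between consecutive variant values; slide 4 predicts only 10 and 1."""
    return [trace[i] - trace[i + 1] for i in range(len(trace) - 1)]


if __name__ == "__main__":
    for x in range(1, 101):
        y, tr = mccarthy91(x)
        assert y == 91 and set(variant_steps(tr)) <= {10, 1}
    print("91-function: result 91, variant decreasing by 10 or 1, for all 0<x<=100")
```

Running the loop this way is not a proof (it covers only the 100 inputs of the precondition), but a failing assertion pinpoints which obligation a proposed invariant or variant misses, which is the usual way a variant candidate is debugged before it is handed to a prover.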
Slide 5: Magic
  method McC91(x:nat) returns (y:nat)
    requires 0<x<=100
    ensures y==91
  {
    var a, b := x, 1;
    while (a<=100 || b!=1) {
      if (a<=100) {a:=a+11; b:=b+1;} else {a:=a-10; b:=b-1;}
    }
    y:=a-10;
  }
(To verify this, Dafny needs the loop invariant of slide 4 and a decreases clause with the variant of slide 4.)
Slide 6: Finding Variants is Hard
Try this one:
  Mersenne = {n=0; k=0; while (k<48) {n++; if (isprime((2**n)-1)) k++}}
... and apply for the Fields medal if successful. (A variant would have to bound the n at which the 48th Mersenne prime appears.)
Slide 7: Proof of Termination
Proof rule: let (M, <) be a well-founded ordering. If φ(z) holds on entry for some z ∈ M, and for every z ∈ M
  ⊢ {φ(z) ∧ b} α {φ(z') ∨ ¬b} for some z'<z,
then the program while (b) α terminates.
Proof: Assume not. Then there is an infinite execution α; α; α; ... such that b holds before and after each α.
Then there is an infinite descending chain z_0, z_1, z_2, ... such that z_0 = z and z_{i+1} < z_i.
Thus M is not a wfo, contradicting the assumption.
Slide 8: Binary Search
Program α:
  i=0; k=n;
  while (i<k) {
    s=i+(k-i-1)/2;   // integer division
    if (a>x[s]) i=s+1 else k=s
  }
Show: ⊢ {n>=0 ∧ ∀i (0<i<n → x[i-1]<x[i])} α {… 0 … =a …}   (postcondition garbled in the source)
Slide 9: Variant φ(z)?
while (i<k) ... suggests φ(z) = (z = k-i)
⊢ {φ(z) ∧ b} α {φ(z') ∨ ¬b} for some z'<z
What is a well-founded order for z? Can we guarantee that z ∈ ℕ₀?
Example (assume k>0, j>0):
  {i=k; while (i!=0) i-=j} terminates iff k%j==0.
  Assume k%j==0; wfo ℕ₀: φ(z) = (z = i/j); z ∈ ℕ₀.
  {i=k; while (i>=0) i-=j} terminates always. Proof?
Slide 10: Transforming Variants
We have to show: ⊢ {φ(z) ∧ b} α {φ(z') ∨ ¬b}
Most important case: ⊢ {z=t(x)} x=f(x) {z'=t(x)}, where x is the loop variable, f its update and t maps x to the variant.
Let z' = t(f(t⁻¹(z))).
  ⊢ z=t(x) → t⁻¹(z)=x, since t⁻¹(t(x))=x
  ⊢ t⁻¹(z)=x → t(f(t⁻¹(z)))=t(f(x))
  ⊢ {t(f(t⁻¹(z)))=t(f(x))} x=f(x) {t(f(t⁻¹(z)))=t(x)}   (assignment rule)
Therefore ⊢ {z=t(x)} x=f(x) {t(f(t⁻¹(z)))=t(x)}.
Example: ⊢ {z=i+k} i=i-j {z'=i+k} for z'=z-j, since t(i)=i+k, t⁻¹(z)=z-k, f(i)=i-j and t(f(t⁻¹(z))) = (z-k-j)+k = z-j.
Slide 11: Proof for Binary Search Termination
Solution for binary search: z = (k-i) ∈ ℕ₀?
Show 0<=i<=k<=n is invariant (omitted); hence z >= 0.
Let φ(z) = (k-i=z).
Branch i=s+1: {k-i=z} i=i+(k-i-1)/2+1 {k-i=z'} for z' = z-(z-1)/2-1 < z
  Proof: let t(i) = k-i, so t⁻¹(z) = k-z, and f(i) = i+(k-i-1)/2+1.
  t(f(t⁻¹(z))) = k-((k-z)+(k-(k-z)-1)/2+1) = k-(k-z+(z-1)/2+1) = z-(z-1)/2-1
Branch k=s: {k-i=z} k=i+(k-i-1)/2 {k-i=z'} for z' = i+((z+i)-i-1)/2-i = (z-1)/2 < z
Both values of z' lie in ℕ₀ whenever z >= 1, i.e. whenever the loop guard i<k holds, so the descent stays within the wfo.
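The following is an added example, not code from the slides: slide 8's binary search instrumented with the invariant 0<=i<=k<=n and the variant z = k-i of slides 9 and 11. After every iteration it compares the new value of k-i with the closed forms z-(z-1)/2-1 (branch i=s+1) and (z-1)/2 (branch k=s) that slide 11 derives with t(f(t⁻¹(z))). The return convention (index of a, or None) and the helper that searches for the longest variant chain are assumptions made here.

```python
# Added example (not from the slides): slide 8's binary search checked against the
# invariant and the two closed-form variant updates of slide 11. Names are assumptions.

def binary_search_checked(x, a):
    """Run slide 8's loop on the strictly increasing list x, searching for a.
    Returns (index_of_a_or_None, variant_trace)."""
    n = len(x)
    assert n >= 0 and all(x[j - 1] < x[j] for j in range(1, n))   # precondition of slide 8
    i, k = 0, n
    trace = []
    while i < k:
        assert 0 <= i <= k <= n                                   # invariant (slide 11)
        z = k - i                                                 # variant, z >= 1 under the guard
        trace.append(z)
        s = i + (k - i - 1) // 2                                  # integer division as on slide 8
        if a > x[s]:
            i = s + 1
            expected = z - (z - 1) // 2 - 1                       # branch i=s+1: t(f(t^-1(z)))
        else:
            k = s
            expected = (z - 1) // 2                               # branch k=s
        assert k - i == expected and 0 <= expected < z, (z, k - i, expected)
    assert 0 <= i == k <= n
    # After the loop i is the smallest index with x[i] >= a (all x[j], j<i, are < a),
    # so a occurs in x iff i < n and x[i] == a.
    return (i if i < n and x[i] == a else None), trace


def worst_case_iterations(n):
    """Length of the longest variant chain for an array of size n, trying every key
    from below, inside and above the array (constructed input: the even numbers < 2n)."""
    x = list(range(0, 2 * n, 2))
    return max(len(binary_search_checked(x, a)[1]) for a in range(-1, 2 * n + 1))


if __name__ == "__main__":
    xs = [3, 5, 8, 13, 21, 34]                                      # constructed sample input
    for a in range(0, 40):
        idx, tr = binary_search_checked(xs, a)
        assert (idx is not None) == (a in xs) and (idx is None or xs[idx] == a)
        assert all(tr[j] > tr[j + 1] for j in range(len(tr) - 1))  # strictly descending chain
    print("variant k-i follows the closed forms; worst case for n=1000:",
          worst_case_iterations(1000), "iterations")
```

Because the branch i=s+1 yields the larger of the two successors, the longest chain is the one a key larger than every element produces; for n=1000 it is 1000, 500, 250, 125, 62, 31, 15, 7, 3, 1, i.e. ten iterations, which is the bound the variant argument gives without having to know anything about the array contents.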
Slide 12: Pre- and Postconditions
Dijkstra: wp-calculus (weakest precondition) characterizes the "weakest" formula which makes a Hoare triple valid.
ψ = wp(α, φ) iff ⊢ [ψ] α [φ] and ⊢ (ψ' → ψ) for every ψ' for which ⊢ [ψ'] α [φ]   ([ψ] α [φ]: total correctness)
ψ = wlp(α, φ) iff ⊢ {ψ} α {φ} and ⊢ (ψ' → ψ) for every ψ' for which ⊢ {ψ'} α {φ}   ({ψ} α {φ}: partial correctness)
Example: wp(x++, x==7) = (x==6)
Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic.
Slide 13: wp Rules
wp(skip, φ) = φ
wp(x=t, φ) = φ[x:=t]
wp({α1; α2}, φ) = wp(α1, wp(α2, φ))
wp(if (b) α1 else α2, φ) = ((b → wp(α1, φ)) ∧ (¬b → wp(α2, φ)))
wp(while (b) α, φ) = (∃z ψ(z)) ∧ ∀z ((b ∧ ψ(z)) → ∃z' (z'<z ∧ wp(α, ψ(z')))) ∧ ∀z ((¬b ∧ ψ(z)) → φ)
  where ψ is a loop variant, < a wfo and z a new variable.
! This is a non-constructive definition ! Existence???
Slide 14: Examples
wp(x=x-3, x>7) = (x>7)[x:=x-3] = x-3>7 = x>10
wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7)) = wp(x*=2, x>10) = 2x>10 = x>5
wp(if (a<b) a=b else skip, a>=b) = ((a<b → wp(a=b, a>=b)) ∧ (a>=b → wp(skip, a>=b)))
  = ((a<b → b>=b) ∧ (a>=b → a>=b)) = T
wp(while (i>0) i--, i==0) = i>=0
Slide 15: Partial Correctness
Weakest liberal precondition wlp(α, φ): the rules for skip, assignment, sequence and if coincide with those for wp; for loops
wlp(while (b) α, φ) = ι, the weakest ι with ⊢ ((b ∧ ι) → wlp(α, ι)) ∧ ((¬b ∧ ι) → φ)
(no variant is needed, since termination is not required).
Dijkstra also used nondeterministic programs ("guarded commands"):
  guarded-command-program ::= while-program | guarded-command
  guarded-command ::= b : e | b : e [] guarded-command
  b: condition, e: guarded-command-program
Slide 16: Strongest Postconditions
Dual to the weakest precondition: the strongest formula which can be guaranteed to hold after execution.
φ = sp(α, ψ) iff ⊢ {ψ} α {φ} and ⊢ (φ → φ') for every φ' for which ⊢ {ψ} α {φ'}
sp(x=t, ψ) = ∃z (x==t[x:=z] ∧ ψ[x:=z])   (z new)
e.g. sp(x=x-3, x>7) = ∃z (x==z-3 ∧ z>7) = x>4
Pre- and postconditions are important in the presence of methods and procedures.
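The following is an added example, not code from the slides: a small calculator for the loop-free wp rules of slide 13 and for the sp rule for assignment of slide 16, used to reproduce the results of slides 14 and 16. Formulas and terms are Python expression strings, substitution φ[x:=t] is performed on the syntax tree (so operator precedence is preserved when a term is substituted into a formula), and since the calculator cannot simplify, equivalence with the slide's closed forms is checked by evaluating both sides over a finite integer domain. The program encoding, the bounded-domain check and the witness range for ∃z are assumptions made here.

```python
# Added example (not from the slides): wp for skip/assignment/sequence/if (slide 13)
# and sp for assignment (slide 16), checked against the slides' worked results.
import ast
import copy
import itertools


def subst(formula, var, term):
    """formula[var := term]: replace every occurrence of the variable by the term's AST,
    so that e.g. (x > 7)[x := x - 3] becomes x - 3 > 7 and not a string splice."""
    term_ast = ast.parse(term, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(term_ast) if node.id == var else node

    tree = ast.fix_missing_locations(Sub().visit(ast.parse(formula, mode="eval")))
    return ast.unparse(tree)


# Programs: ("skip",) | ("assign", x, t) | ("seq", p1, p2) | ("if", b, p1, p2)   (assumed encoding)
def wp(prog, post):
    """Weakest precondition following slide 13 (no while loops)."""
    kind = prog[0]
    if kind == "skip":
        return post
    if kind == "assign":
        _, x, t = prog
        return subst(post, x, t)                        # wp(x=t, φ) = φ[x:=t]
    if kind == "seq":
        _, p1, p2 = prog
        return wp(p1, wp(p2, post))                     # wp({p1;p2}, φ) = wp(p1, wp(p2, φ))
    if kind == "if":
        _, b, p1, p2 = prog                             # (b → wp(p1,φ)) ∧ (¬b → wp(p2,φ))
        return f"(not ({b}) or ({wp(p1, post)})) and (({b}) or ({wp(p2, post)}))"
    raise ValueError(kind)


def holds(formula, env):
    """Evaluate a formula under the assignment env. The strings come from this script only;
    eval with builtins removed is still not a sandbox for untrusted input."""
    return bool(eval(formula, {"__builtins__": {}}, dict(env)))


def equivalent(f1, f2, names, domain):
    """f1 ⇔ f2 for every assignment of the variables `names` drawn from the finite `domain`."""
    return all(holds(f1, env) == holds(f2, env)
               for vals in itertools.product(domain, repeat=len(names))
               for env in [dict(zip(names, vals))])


def sp_assign_holds(x, t, pre, env, witnesses):
    """sp(x=t, ψ) = ∃z (x == t[x:=z] ∧ ψ[x:=z]) at env, with z ranging over `witnesses`."""
    return any(holds(f"{x} == ({subst(t, x, str(z))}) and ({subst(pre, x, str(z))})", env)
               for z in witnesses)


def sp_matches(x, t, pre, claimed, domain, witnesses):
    """Does the bounded sp(x=t, pre) coincide with the claimed formula for all x in domain?
    `witnesses` must be wide enough to contain the z for every x in `domain`."""
    return all(sp_assign_holds(x, t, pre, {x: v}, witnesses) == holds(claimed, {x: v})
               for v in domain)


if __name__ == "__main__":
    D, Z = range(-40, 41), range(-100, 101)
    print(wp(("assign", "x", "x - 3"), "x > 7"))                                  # slide 14
    print(wp(("seq", ("assign", "x", "x * 2"), ("assign", "x", "x - 3")), "x > 7"))
    cond = wp(("if", "a < b", ("assign", "a", "b"), ("skip",)), "a >= b")
    print(cond, "is valid:", equivalent(cond, "True", ["a", "b"], D))
    print("sp(x=x-3, x>7) == x>4:", sp_matches("x", "x - 3", "x > 7", "x > 4", D, Z))
```

The finite-domain check is the weak link: it can refute a claimed wp, but it only confirms one on the domain tried, and for sp the witness range must be strictly wider than the domain of x (here z = x+3), otherwise the existential is falsely refuted at the boundary. A prover replaces this step by a decision procedure over the full integers.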
Slide 17: Functions and Procedures
while-programs:
  whileProg ::= skip | V=T | {whileProg; whileProg} | if (FOL-Σ) whileProg else whileProg | while (FOL-Σ) whileProg
T is the set of terms in the signature Σ = (D, F, R).
Now: extended signature Σ' = (D ∪ {void}, F ∪ F', R)
If f is of type void, then f(x1,...,xn) is an (imperative) program.
  term ::= F(T,...,T) | F'(T,...,T)
For each f ∈ F' there must be a declaration:
  decl ::= type F'(V,...,V); whileProg
V in decl are called formal parameters; T in terms are called actual parameters.
Slide 18: Restrictions
- No aliasing: formal parameters should be pairwise different.
- No scoping: formal parameters must be different from program variables.
- A return statement is an assignment to the function name.
- If a function or procedure name occurs directly or indirectly in the call graph of its declaration, it is called recursive. For the time being: no recursion (Dafny allows recursion!).
- There are various ways to pass actual parameters for formal ones (by value, by reference, by name, ...). For the time being we use only call-by-value: passing value w to formal parameter v has the same effect as the assignment v=w at the entry of the procedure or function.
Slide 19: Example
  int min (int a, int b) if (a<b) min=a else min=b;
  int max (int a, int b) if (a>b) max=a else max=b;
  int gcd (int a, int b) while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }
Slide 20: Example (continued)
  int min (int a, int b) if (a<b) min=a else min=b;
  {x = 5; y = 7; z = min (x, y)}
is equivalent to
  { x = 5; y = 7; a = x; b = y; if (a<b) min=a else min=b; z = min; }
We need pre- and postconditions to show assertions about such calls without inlining the body.
Slide 21: Example with Assertions
  int min (int a, int b) if (a<b) min=a else min=b;   {a>=min ∧ b>=min ∧ (a=min ∨ b=min)}
  int max (int a, int b) if (a>b) max=a else max=b;   {a<=max ∧ b<=max ∧ (a=max ∨ b=max)}
  int gcd (int a, int b)
    {a==m>0 ∧ b==n>0}
    while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }
    gcd = a;
    {gcd|m ∧ gcd|n ∧ ...}
(The precondition m>0 ∧ n>0 is essential: with a==0 the loop never terminates.)
Slide 22: Contracts
Weakest preconditions and strongest postconditions are related to the require/ensure paradigm (also called the assume/guarantee paradigm):
  void foo(...) requires ψ ensures φ; α
is equivalent to (ψ → wp(α, φ)) ∧ (sp(α, ψ) → φ). Such a statement is called a contract.
Use of a contract: {ψ[x1:=t1,...,xn:=tn]} foo(t1,...,tn) {φ}
The caller must establish the precondition instantiated with the actual parameters and may then assume the postcondition.
Slide 23: Example with Contracts
  int min (int a, int b) if (a<b) min=a else min=b;   {a>=min ∧ b>=min ∧ (a=min ∨ b=min)}
  {T} {x = 5; y = 7; z = min (x, y)} {z==5}
Proof:
  {T} {x = 5; y = 7; a = x; b = y;} {a==5 ∧ b==7}
  {if (a<b) min=a else min=b;} {a==5 ∧ b==7 ∧ a>=min ∧ b>=min ∧ (a=min ∨ b=min)} → {min==5}
  {z = min;} {z==5}
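The following is an added example, not code from the slides: the requires/ensures contracts of slides 21 to 23 made executable. A `contract` decorator checks the precondition at entry (what the caller must establish, ψ[x:=t] in the rule of slide 22) and the postcondition at exit (what the caller may then assume, φ), and `gcd` is built from `min_`/`max_` exactly as on slide 21, relying only on their contracts. The decorator, the exception type, the function names (suffixed to avoid shadowing Python's builtins) and the reading of the "..." in gcd's postcondition as "no larger common divisor" are assumptions made here.

```python
# Added example (not from the slides): runtime-checked contracts for the min/max/gcd
# example of slides 21-23. Decorator, names and the gcd maximality check are assumptions.
import functools


class ContractViolation(AssertionError):
    pass


def contract(requires=None, ensures=None):
    """Attach a contract to a function of positional arguments:
    requires(*args) is checked before the body runs, ensures(result, *args) after it."""
    def wrap(f):
        @functools.wraps(f)
        def checked(*args):
            if requires is not None and not requires(*args):
                raise ContractViolation(f"{f.__name__}{args}: requires violated by caller")
            result = f(*args)
            if ensures is not None and not ensures(result, *args):
                raise ContractViolation(f"{f.__name__}{args} = {result}: ensures violated by callee")
            return result
        return checked
    return wrap


# slide 23: {a>=min ∧ b>=min ∧ (a=min ∨ b=min)}
@contract(ensures=lambda m, a, b: a >= m and b >= m and (a == m or b == m))
def min_(a, b):
    return a if a < b else b


# slide 21 (corrected form): {a<=max ∧ b<=max ∧ (a=max ∨ b=max)}
@contract(ensures=lambda m, a, b: a <= m and b <= m and (a == m or b == m))
def max_(a, b):
    return a if a > b else b


# slide 21: {a==m>0 ∧ b==n>0} ... {gcd|m ∧ gcd|n ∧ ...}; the "..." is read here as
# "no larger common divisor exists" and checked by brute force (assumption).
@contract(requires=lambda m, n: m > 0 and n > 0,
          ensures=lambda g, m, n: m % g == 0 and n % g == 0
          and not any(m % d == 0 and n % d == 0 for d in range(g + 1, min(m, n) + 1)))
def gcd(a, b):
    while a != b:                     # slide 19/21: subtraction-based Euclid via min/max
        c = max_(a, b) - min_(a, b)
        a = min_(a, b)
        b = c
    return a


def slide23_example():
    """{T} {x=5; y=7; z=min(x,y)} {z==5}: the call site establishes the (trivial)
    precondition and relies only on min_'s postcondition to conclude z==5."""
    x, y = 5, 7
    z = min_(x, y)
    return z


def call_violates_precondition(m, n):
    """True iff gcd(m, n) is rejected at the call site because requires is not established.
    Without this check gcd(0, n) would loop forever: the precondition is what makes
    the termination argument of the loop valid."""
    try:
        gcd(m, n)
        return False
    except ContractViolation:
        return True


if __name__ == "__main__":
    print("z =", slide23_example())
    print("gcd(12, 18) =", gcd(12, 18))
    print("gcd(0, 5) rejected at call site:", call_violates_precondition(0, 5))
```

The split of responsibilities mirrors (ψ → wp(α, φ)) ∧ (sp(α, ψ) → φ) on slide 22: a `requires` failure is a bug in the caller, an `ensures` failure a bug in the callee, and the call site reasons about `gcd` through the contract alone, never through the bodies of `min_` and `max_`.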