Slide 1: Deductive Verification
Software Verification 1, 5.1.2012
Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2 (H. Schlingloff, Software Verification I): Where are we?
- Introduction
- Propositional logic
- Predicate logic
- Simple function contracts
- Loop invariants and termination
- Predicates and logical functions
- Specification of data types
- Parallel programs, deadlocks, livelocks
- Object-oriented programs
Slide 3: Termination
Hoare triple {P} S {Q}: if P holds before the execution of S, then Q holds afterwards.
(1) ⊢ {T} skip {T} (skip)
(2) ⊢ {T ∧ T} skip {T} (1, imp1)
(3) ⊢ {T} while (T) skip {T ∧ ¬T} (2, whi)
(4) ⊢ {T} while (T) skip {Q} for arbitrary Q (3, imp2)
I.e., if T holds before the execution of while (T) skip, then Q holds afterwards; i.e., after the execution of while (T) skip anything holds. The loop never terminates, so the triple is vacuously true.
Slide 4
{T} S {Q}: if S terminates, then Q holds afterwards (partial correctness).
Hoare logic is incapable of formulating statements about termination.
Total correctness of S with respect to Q: {T} S {Q} and S terminates.
Notation: [T] S [Q].
Clearly, if S contains no loops, then {P} S {Q} implies [P] S [Q].
How do we prove termination of loops?
Slide 5: Well-founded orders
A binary relation < is called a strict partial order iff it is
- irreflexive: ¬(x < x)
- transitive: x < y ∧ y < z → x < z
- asymmetric: x < y → ¬(y < x)
A partial order is called a total order iff it is total: for all x ≠ y, x < y ∨ y < x.
A strict partial order is called well-founded iff there is no infinite descending chain, i.e., no infinite sequence x0, x1, x2, x3, ... with x0 > x1 > x2 > x3 > ...; equivalently, iff every non-empty set S has a minimal element, i.e., ∃x ∈ S ∀y ∈ S ¬(y < x).
A well-founded total order is called a well-order.
Slide 6: Well-orderings
- natural numbers with <
- integers with x < y iff |x| < |y|, or |x| = |y| and x is less than y as an integer (i.e., 0, -1, 1, -2, 2, ...)
- pairs? strings? binary trees? rational numbers? real matrices?
- Counterexamples?
Slide 7: Transfinite induction
Let P(n) be any statement about n ∈ M, where < is a well-founded partial order on M.
If for all x ∈ M it holds that: if P(y) for all y < x, then P(x);
then P(n) holds for all n ∈ M.
∀x ((∀y < x P(y)) → P(x)) → ∀n P(n)
Slide 8: Proof
∀x ((∀y < x P(y)) → P(x)) → ∀n P(n)
Assume for contradiction that ∀x ((∀y < x P(y)) → P(x)), i.e., ∀x (¬P(x) → ∃y < x ¬P(y)), and that ∃x0 ¬P(x0).
Then ∃x1 < x0 ¬P(x1). Therefore ∃x2 < x1 ¬P(x2), etc.
Continuing, we get an infinite descending chain x0 > x1 > x2 > ..., contradicting well-foundedness.
Slide 9: Special cases
Natural induction: P(0) ∧ ∀x (P(x) → P(x+1)) → ∀n P(n)
Structural (mathematical) induction: Let M be finitely generated, i.e., there are constructor functions f1, ..., fn and a set M0 ⊆ M such that every x ∈ M can be written as x = f(f(...(x0)...)), where each f is a constructor function and x0 ∈ M0.
If P(x0) for all x0 ∈ M0, and P(x) → P(f(x)) for all x ∈ M and all constructor functions f, then P(x) for all x ∈ M.
Slide 10: Termination proofs
Let (M, <) be a well-founded order and V(z) a formula about the program state involving a parameter z ∈ M.
If ⊢ P → V(z0) for some z0 ∈ M, and ⊢ [V(z) ∧ b] S [V(z') ∨ ¬b] for some z' < z, then ⊢ [P] while (b) S [¬b].
V(z) is called a variant of the loop.
Slide 11: Special case (termination only)
If ⊢ V(z) for some z ∈ M, ⊢ [V(z) ∧ b] S [V(z')] for some z' < z, and ⊢ (V(z) → ¬b) whenever z is minimal in M, then ⊢ [T] while (b) S [T].
If ⊢ V(z) for some z ∈ M and ⊢ [V(z)] S [V(z') ∨ ¬b] for some z' < z, then ⊢ [T] while (b) S [T].
Slide 12: Example proof
Show ⊢ [a >= 0] while (a > 0) a-- [T].
Well-founded ordering: the natural numbers (N0, <); variant V(z) = (a == z), or for non-integer a: V(z) = (floor(a) == z).
(i) a >= 0 → (a == z) for some z ∈ N0; resp. a >= 0 → (floor(a) == z) for some z ∈ N0.
(ii) ⊢ [a == z] a-- [a == z-1]; resp. ⊢ [floor(a) == z] a-- [floor(a) == z-1].
Would this proof hold for float a?
Slide 13: Termination of gcd
{a == m > 0 ∧ b == n > 0} while (a != b) if (a > b) a = a - b else b = b - a {a == b == gcd(m, n)}
We want to show that ⊢ [a == m > 0 ∧ b == n > 0] while (a != b) if (a > b) a = a - b else b = b - a [T].
Variant V(z) = (z == a + b); well-founded order (N0, <).
Show: ⊢ [V(z)] if ... [V(z')] for some z' < z.
Proof: let z' = z − min(a, b); inside the loop a, b > 0, so z' < z and z' ∈ N0.
Slide 14: A more intricate example
S = {
  b = 1;
  while (a <= 100 || b != 1)
    if (a <= 100) { a += 11; b++; }
    else { a -= 10; b--; }
  a -= 10;
}
Show: ⊢ [0 < a <= 100] S [a == 91]
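The variant rule of slides 10 to 14 can be turned into an executable check: run the loop, evaluate the variant before and after each iteration, and fail the moment it leaves the well-founded order or does not strictly decrease. The following is an added example written for this page, not code from the slides; the helper names (run_loop, as_measure, countdown, gcd_loop, f91_loop) are this example's own. It covers the countdown of slide 12 with variant floor(a), including the float case the slide asks about, the subtractive gcd of slide 13 with variant a + b, and the 91 loop of slide 14, for which the variant 21·b − 2·a + 222 is my own choice since the slide gives none (each branch changes it by exactly −1 and the invariant 0 < a <= 111, b >= 1 keeps it positive).

```python
"""Runtime monitor for loop variants over a well-founded order.

Added example, not code from the lecture slides. A variant maps the program
state into a well-founded order (here N_0, or lexicographic tuples over N_0)
and must strictly decrease on every iteration while staying in the order.
run_loop executes a loop under that check, so the termination argument of a
proof becomes an executable test. All names here are this example's own.
"""
import math
from typing import Callable, Dict, Tuple, Union

State = Dict[str, Union[int, float]]
Variant = Union[int, Tuple[int, ...]]


class VariantError(AssertionError):
    """The variant left N_0^k or did not decrease strictly."""


def as_measure(v: Variant) -> Tuple[int, ...]:
    """Normalise an int or tuple to a tuple and check it lies in N_0^k.
    A float (e.g. a itself for float a) is rejected: it is not in N_0."""
    m = (v,) if isinstance(v, int) else tuple(v)
    if not all(isinstance(x, int) and x >= 0 for x in m):
        raise VariantError(f"variant {m!r} is not in N_0^k")
    return m


def run_loop(state: State, cond: Callable[[State], bool],
             body: Callable[[State], None],
             variant: Callable[[State], Variant],
             max_iter: int = 100_000) -> int:
    """Run `while cond(state): body(state)`, checking the variant each time.
    Tuples compare lexicographically in Python, which is exactly the
    lexicographic well-founded order on N_0^k. Returns the iteration count;
    max_iter only guards the demo against a bug in the monitor itself."""
    steps = 0
    while cond(state):
        before = as_measure(variant(state))
        body(state)
        after = as_measure(variant(state))
        if not after < before:
            raise VariantError(f"variant did not decrease: {before} -> {after}")
        steps += 1
        if steps > max_iter:
            raise VariantError("iteration budget exhausted")
    return steps


def terminates_under_monitor(run: Callable[[], object]) -> bool:
    """True iff run() completes with every variant check passing."""
    try:
        run()
        return True
    except VariantError:
        return False


def countdown(a: Union[int, float]) -> int:
    """Slide 12: `while (a > 0) a--` with variant floor(a). Returns iterations."""
    def body(s: State) -> None:
        s["a"] -= 1
    return run_loop({"a": a}, lambda s: s["a"] > 0, body,
                    lambda s: math.floor(s["a"]))


def gcd_loop(m: int, n: int) -> Tuple[int, int]:
    """Slide 13: subtractive gcd with variant a + b. Returns (gcd, iterations)."""
    st: State = {"a": m, "b": n}

    def body(s: State) -> None:
        if s["a"] > s["b"]:
            s["a"] -= s["b"]
        else:
            s["b"] -= s["a"]

    steps = run_loop(st, lambda s: s["a"] != s["b"], body,
                     lambda s: s["a"] + s["b"])
    return st["a"], steps


def f91_loop(a: int) -> Tuple[int, int]:
    """Slide 14: the 91 loop for 0 < a <= 100. Returns (final a, iterations).
    Variant 21*b - 2*a + 222 is my own choice (the slide gives none): the
    then-branch changes it by 21 - 22 = -1, the else-branch by -21 + 20 = -1,
    and the invariant 0 < a <= 111, b >= 1 keeps it positive."""
    st: State = {"a": a, "b": 1}

    def body(s: State) -> None:
        if s["a"] <= 100:
            s["a"] += 11
            s["b"] += 1
        else:
            s["a"] -= 10
            s["b"] -= 1

    steps = run_loop(st, lambda s: s["a"] <= 100 or s["b"] != 1, body,
                     lambda s: 21 * s["b"] - 2 * s["a"] + 222)
    st["a"] -= 10
    return st["a"], steps


if __name__ == "__main__":
    print(countdown(5), gcd_loop(1071, 462), f91_loop(1))
    # For a = 1e16 (above 2**53) the IEEE double a - 1 equals a, so floor(a)
    # never decreases: the monitor rejects the loop, which would run forever.
    print(terminates_under_monitor(lambda: countdown(1e16)))
```

The float case answers the question on slide 12: for a = 1e16 the subtraction a - 1 returns a unchanged in IEEE double precision, so the proof obligation [floor(a) == z] a-- [floor(a) == z-1] is false and the loop does not terminate; the monitor reports the variant not decreasing on the first iteration. This is exactly the kind of unbounded loop that matters for availability, and the same monitor accepts tuple-valued variants, so nested loops can be checked against a lexicographic order in the same way.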