25.6.2015 software verification 1 deductive verification prof. dr. holger schlingloff institut für...

25.6.2015

Software Verification 1Deductive Verification

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

und

Fraunhofer Institut für offene Kommunikationssysteme FOKUS

http://www.hu-berlin.de/index.html

Folie 2H. Schlingloff, Software-Verifikation I

Terminal Questions …

• What is the meaning of „total correctness“?

• Why can‘t Hoare-rules prove termination?

• Why is it hard to prove termination?

• What is a well-founded ordering?

• Example?

• Another example?

• A counterexample?

• Can you formulate an induction principle?

• What is a variant?

• How is it used to prove termination?

• Could you prove termination of McCarthy‘s 91-function?


John McCarthy’s 91-Function

={b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }

Show: ⊢ 0<a<=100 a==91


• We do the termination part only.

• Hint for the invariant:

(0<b<=11 & 0<a<=111 & (a<=101 | b!=1))• wfo: N0; Variant: (z) = (z==1111+111b-11a-1);

if 0<a<=100 & b==1, we have zN0

• Assume within the while-loop (z) & (a<=100 | b!=1)) Case a<=100: {a+=11; b++} gives

z-10==1111+111(b+1)-11(a+11)-1 Case a>100: {a-=10; b--;} gives

z-1==1111+111(b-1)-11(a-10)-1

• Thus, in both cases there exists z’<z such that (z’) holds


Magic

method McC91(x:nat) returns (y:nat)

requires 0<x<=100ensures y==91{ var a, b := x, 1; while (a<=100 || b!=1) if (a<=100) {a:=a+11; b:=b+1;} else {a:=a-10; b:=b-1;} y:=a-10;}


Finding Variants is Hard

• Try this one:

Mersenne = {n=0; k=0; while (k<48) {n++; if (isprim((2**n)-1)) k++}}

• ... and apply for the Fields-medal if successful


Proof of Termination Proof Rule

• if ⊢ (z) for some zM and⊢ (z) (z’) ¬b for some z’<zthen program while (b) terminates

•Assume not. Then there is an infinite execution ; ; ; ...

such that b holds before and after each Then there is an infinite descending chain z0,

z1, z2, ... such that z0=z and zi+1<zi

Thus, M is not a wfo.


Binary Search Program

:i=0; k=n;while (i<k) { s=i+(k-i-1)/2; //integer division if (a>x[s]) i=s+1 else k=s} Show

n>=0 i(0<i<n (x[i-1]<x[i])

0<=i<=n j(0<=j<i x[j]<a j(i<=j<n x[j]>=a

no-show


•Variant (z)?

•while (i<k) ... suggest (z) = (z=k-i) ⊢ (z)b (z’) ¬b for some z’<z what is a well-founded order for z?

can we guarantee that zN0 ?

•Example: (assume k>0, j>0)

{i=k; while (i!=0) i-=j} terminates iff k%j==0 Assume k%j==0; wfo: (z) = (z=i/j); zN0 {i=k; while (i>=0) i-=j} terminates always.

Proof?no-show


Transforming Variants

We have to show: ⊢ (z) (z’) ¬bMost important case: ⊢ z=t(x) x=f(x) z’=t(x) ¬b

Let z’=t(f(t-1(z)))

⊢ z=t(x) t-1(z)=x since t-1(t(x))=x⊢ t-1(z)=x t(f(t-1(z)))=t(f(x))⊢ t(f(t-1(z)))=t(f(x)) x=f(x) t(f(t-1(z)))=t(x) (ass)

Therefore, ⊢ z=t(x) x=f(x) t(f(t-1(z)))=t(x)

• Ex.: ⊢ z=i+k i=i-j z’=i+k for z’=z-jno-show


Proof for Binary Search Termination

• Solution for binary search: z=(k-i)N0 ? Show 0<=i<=k<=n is invariant (omitted)

Let (z)= (k-i=z) k-i=z i=i+(k-i-1)/2+1 k-i=z’ for

z’ = (z-1)/2 - 1 < zProof: let t(i) = k-i t(z) = k-z t-1(z)= (k-z)f(i) = i+(k-i-1)/2+1 t(f(t-1(z))) = k-((k-z) +(k- (k-z) -1)/2+1) = (z-1)/2-

1

k-i=z k=i+(k-i-1)/2 k-i=z’ forz’= i+((z+i)-i-1)/2-i=(z-1)/2 <z

no-show


Pre- and Postconditions

• Dijkstra: wp-calculus (weakest precondition) characterize the “weakest” formula which makes a

Hoare-triple valid =wp(.) iff ⊢ and

⊢(') for every ’ for which ⊢’ =wlp(.) iff ⊢{}{} and

⊢(') for every ’ for which ⊢{’} {}

• Example: wp(x++, x==7) = (x==6)

• Dijkstra gives a set of rules for wp which can be seen as notational variant of Hoare logic


• wp(skip, ) = • wp(x=t, ) = [x:=t]

• wp({1; 2}, ) = wp(1, wp(2, ))

• wp(if (b) 1 else 2, ) =((b wp(1, )) (¬b wp(2, )))

• wp(while (b) , ) = z (z) z((b(z)) z’ (z’<z wp(, (z’))) z((¬b(z)) )

where is a loop variant and < a wfo, z new var.! This is a non-constructive definition ! Existence???


Examples

• wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10

• wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7)) = wp(x*=2, x>10) = x>5

• wp(if(a<b) a=b, a>=b) = ((a<b wp(a=b, a>=b) (a>=b wp(skip, a>=b))=((a<b b>=b) (a>=b a>=b)) = T

• wp(while (i>0) i--, i==0) = i>=0


Partial Correctness

• Weakest liberal precondition wlp(,)

• wlp(while (b) , ) = ((b) wlp(, )) ((¬b) )

• Dijkstra also used nondeterministic programs („guarded commands“) guarded-command-program ::= while-program |

guarded-command guarded-command ::= b : e | b : e [] guarded-command b: condition, e: guarded-command-program


Strongest Postconditions

• Dual to weakest precondition: the strongest formula which can be guaranteed to hold after execution =sp(, ) iff ⊢ and

⊢( ') for every ’ for which ⊢ ’

• sp(x=t, )= z (x==t[x:=z] [x:=z]) (z new) e.g. sp(x=x-3, x>7) = z (x==z-3 z>7) = x>4

• Pre- and postconditions are important in the presence of methods and procedures


Functions and Procedures

• while-Programs:• whileProg ::= skip | V=T | {whileProg; whileProg} |

if (FOL-) whileProg else whileProg | while (FOL-) whileProg

• T is the set of terms in the signature =(D, F, R)

• Now: extended signature ’=(D{void}, FF’,R)

• If f is of type void, then f(x1,...xn) is an (imperative) program

• term ::= F(T, ..., T) | F’(T, ..., T)

• for each f F’ there must be a declaration:• decl ::= type F’ (V, ... V); whileProg

• V in decl are called formal parameters• T in terms are called actual parameters


• No alias: formal parameters should be pairwise different

• No scoping: formal parameters must be different from program variables

• return statement as assignment to the function name

• If a function or procedure name occurs directly or indirectly in the call graph of its declaration, it is called recursive for the time being: no recursion; Dafny allows recursion!

• There are various ways to pass actual parameters for formal ones (value, reference, name, ...) for the time being, we use only call-by-value passing value w to formal parameter v has the same effect as

the assignment v=w at the entry of the procedure or function


Example

int min (int a, int b) if (a<b) min=a else

min=b;

int max (int a, int b) if (a>b) max=a else

max=b;

int gcd(int a, int b)

while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }

}


Example

int min (int a, int b) if (a<b) min=a else min=b;{x = 5; y = 7; z = min (x, y)}

is equivalent to{ x = 5; y = 7; a = x; b = y; if (a<b) min=a else min=b;z = min; }

need pre- and postconditions to show assertions.


Example

int min (int a, int b) if (a<b) min=a else

min=b; {a<=min b<=min

(a=min b=min)}

int max (int a, int b) if (a>b) max=a else

max=b; {a>=max b>=max

(a=min b=min)}

int gcd(int a, int b) {a==m>0 b==n>0} while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; } gcd = a; {gcd|m gcd|n ...}}


Contracts

• weakest preconditions and strongest postconditions are related to the require-ensure-paradigm (also called assume-guarantee-paradigm):void foo(...) requires

ensures ;is equivalent to

(wp(,)) (sp(, ))

• such a statement is called contract use of contract:

{[x1:=t1, ..., xn:=tn]} foo(t1,...,tn) {}


Example with contracts

int min (int a, int b) if (a<b) min=a else min=b;{a>=min b>=min (a=min b=min)}{T}{x = 5; y = 7; z = min (x, y)} {z==5}

proof:{ x = 5; y = 7; a = x; b = y;}{a==5 b==7}{if (a<b) min=a else min=b;}{a==5 b==7 a>=min b>=min (a=min b=min)}{min==5}{z = min;}{z==5}

25.6.2015 software verification 1 deductive verification prof. dr. holger schlingloff institut für...

Documents

termination of mccarthys

software verification

meaning of total correctness

deductive verificationprof

induction principle