Hoare style program verification
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

Hoare-style program verification PowerPoint PPT Presentation


  • 110 Views
  • Uploaded on
  • Presentation posted in: General

Hoare-style program verification. K. Rustan M. Leino Guest lecturer. Rob DeLine’s CSE 503, Software Engineering University of Washington 28 Apr 2004. Review. { P } skip { P } { P[w:=E] } w:=E { P } { P ∧B } assert B { P }

Download Presentation

Hoare-style program verification

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Hoare style program verification

Hoare-style program verification

K. Rustan M. LeinoGuest lecturer

Rob DeLine’s CSE 503, Software EngineeringUniversity of Washington28 Apr 2004


Review

Review

  • {P} skip {P}

  • {P[w:=E]} w:=E {P}

  • {P∧B} assert B {P}

  • if {P} S {Q} and {Q} T {R},then {P} S ; T {R}

  • if {P∧B} S {R} and {P∧¬B} T {R},then {P} if B then S else T end {R}


Loops

Loops

To prove

{P} while B do S end {Q}

prove

{P}{J}while B do{J ∧ B}{0 ≦ vf}{J ∧ B∧ vf=VF} S {J ∧ vf<VF}end{J ∧¬B}{Q}


Example array sum

Example: Array sum

{0≦N}

k := 0; s := 0;

while k ≠ N do

s:=s+a[k] ; k:=k+1

end

{s = (Σi | 0≦i<N ・ a[i])}


Example array sum1

Example: Array sum

{0≦N}

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

k := 0; s := 0;

while k ≠ N do

s:=s+a[k] ; k:=k+1

end

{s = (Σi | 0≦i<N ・ a[i])}


Example array sum2

Example: Array sum

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}


Example array sum3

Example: Array sum

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧ k=N}{s = (Σi | 0≦i<N ・ a[i])}

  • J: s = (Σi | 0≦i<k ・ a[i])

    ∧ 0 ≦ k ≦ N

  • vf: N-k


Example array sum initialization

Example: Array sum—Initialization

{0≦N}

{0 = (Σi | 0≦i<0 ・ a[i]) ∧ 0≦0≦N}

k := 0;

{0 = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦N}

s := 0;

{s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦N}


Example array sum invariance

Example: Array sum—Invariance

{s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦N ∧ k≠N∧ N-k=VF}

{s+a[k] = (Σi | 0≦i<k ・ a[i])+a[k] ∧ 0≦k<N∧ N-k-1<VF}

s := s + a[k];

{s = (Σi | 0≦i<k ・ a[i])+a[k] ∧ 0≦k<N∧ N-k-1<VF}

{s = (Σi | 0≦i<k+1 ・ a[i]) ∧ 0≦k+1≦N∧ N-(k+1)<VF}

k := k+1;

{s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦N ∧ N-k<VF}


In class exercise computing cubes

In-class exercise: computing cubes

{0≦N}

k := 0; r := 0; s := 1; t := 6;while k≠N doa[k] := r;r := r + s;s := s + t;t := t + 6;k := k + 1end

{(∀i | 0≦i<N ・ a[i] = i3)}


Computing cubes guessing the invariant

Computing cubes—Guessing the invariant

  • From the postcondition(∀i | 0≦i<N ・ a[i] = i3)and the negation of the guardk=Nguess the invariant(∀i | 0≦i<k ・ a[i] = i3) ∧ 0≦k≦N

  • From this invariant and variant function N-k, it follows that the loop terminates


Computing cubes maintaining the invariant

Computing cubes—Maintaining the invariant

while k≠N do

{(∀i | 0≦i<k ・ a[i] = i3) ∧ 0≦k≦N ∧ k≠N}

{(∀i | 0≦i<k ・ a[i] = i3) ∧ r=k3 ∧ 0≦k<N}

a[k] := r;r := r + s;s := s + t;t := t + 6;

{(∀i | 0≦i<k ・ a[i] = i3) ∧ a[k]=k3 ∧ 0≦k<N}

{(∀i | 0≦i<k+1 ・ a[i] = i3) ∧ 0≦k+1≦N}

k := k + 1

{(∀i | 0≦i<k ・ a[i] = i3) ∧ 0≦k≦N}

end

Add this to the invariant, and then try to prove that it is maintained


Computing cubes maintaining the invariant1

Computing cubes—Maintaining the invariant

while k≠N do

{r = k3 ∧ …}

{r + s = k3 + 3*k2 + 3*k + 1}

a[k] := r;r := r + s;s := s + t;t := t + 6;

{r = k3 + 3*k2 + 3*k + 1}

{r = (k+1)3}

k := k + 1

{r = k3}

end

Add s = 3*k2 + 3*k + 1 to the invariant, and then try to prove that it is maintained


Computing cubes maintaining the invariant2

Computing cubes—Maintaining the invariant

while k≠N do

{s = 3*k2 + 3*k + 1 ∧ …}

{s + t = 3*k2 + 6*k + 3 + 3*k + 3 + 1}

a[k] := r;r := r + s;s := s + t;t := t + 6;

{s = 3*k2 + 6*k + 3 + 3*k + 3 + 1}

{s = 3*(k+1)2 + 3*(k+1) + 1}

k := k + 1

{s = 3*k2 + 3*k + 1}

end

Add t = 6*k + 6 to the invariant, and then try to prove that it is maintained


Computing cubes maintaining the invariant3

Computing cubes—Maintaining the invariant

while k≠N do

{t = 6*k + 6 ∧ …}

{t + 6 = 6*k + 6 + 6}

a[k] := r;r := r + s;s := s + t;t := t + 6;

{t = 6*k + 6 + 6}

{t = 6*(k+1) + 6}

k := k + 1

{t = 6*k + 6}

end


Computing cubes establishing the invariant

Computing cubes—Establishing the invariant

{0≦N}

{(∀i | 0≦i<0 ・ a[i] = i3) ∧0≦0≦N ∧0 = 03 ∧1 = 3*02 + 3*0 + 1 ∧6 = 6*0 + 6}

k := 0; r := 0; s := 1; t := 6;

{(∀i | 0≦i<k ・ a[i] = i3) ∧ 0≦k≦N ∧r = k3 ∧s = 3*k2 + 3*k + 1 ∧t = 6*k + 6}


In class exercise computing cubes answers

In-class exercise: computing cubes—Answers

  • Invariant:(∀i | 0≦i<k ・ a[i] = i3) ∧0 ≦ k ≦ N ∧r = k3 ∧s = 3*k2 + 3*k + 1 ∧t = 6*k + 6

  • Variant function:N-k


Other common invariants

Other common invariants

  • k is the number of nodes traversed so far

  • the current value of n does not exceed the initial value of n

  • all array elements with an index less than j are smaller than x

  • the number of processes whose program counter is inside the critical section is at most one

  • the only principals that know the key K are A and B


Belgian chocolate

Belgian chocolate

  • How many breaks do you need to make 50 individual pieces from a 10x5 Belgian chocolate bar?

  • Note: Belgian chocolate is so thick that you can't break two pieces at once.

  • Invariant: #pieces = 1 + #breaks


Loop proof obligations a closer look

Loop proof obligations—a closer look

To prove

{P} while B do S end {Q}

find invariant J and variant function vf such that:

  • invariant initially: P ⇒ J

  • invariant maintained: {J ∧ B} S {J}

  • invariant sufficient: J ∧¬B ⇒ Q

  • vf well-founded

  • vf bounded: J ∧ B ⇒ 0 ≦ vf

  • vf decreases: {J ∧ B∧ vf=VF} S {vf<VF}

Are all of these conditions needed?


Loop proof obligations invariant holds initially

Loop proof obligations—invariant holds initially

{0≦N} k := N; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦Nvf: N-k


Loop proof obligations invariant is maintained

Loop proof obligations—invariant is maintained

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+2{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦Nvf: N-k


Loop proof obligations invariant is sufficient

Loop proof obligations—invariant is sufficient

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF} k:=k+1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J:0≦k≦Nvf: N-k


Loop proof obligations variant function is well founded

Loop proof obligations—variant function is well-founded

{0≦N} k := 0; s := 0; r := 1.0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}r := r / 2.0;{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s=(Σi | 0≦i<k ・ a[i]) ∧ 0≦rvf: r


Loop proof obligations variant function is bounded

Loop proof obligations—variant function is bounded

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}k:=k-1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ k≦Nvf: k


Loop proof obligations variant function decreases

Loop proof obligations—variant function decreases

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}skip{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦Nvf: N-k


Ranges in invariants

Ranges in invariants

{0≦N} k := 0; s := 0; {J}while k ≠ N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦Nvf: N-k

Where are these used?


Ranges lower bound

Ranges: lower bound

{s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦N ∧ k≠N∧ N-k=VF}

{s+a[k] = (Σi | 0≦i<k ・ a[i])+a[k] ∧ 0≦k<N∧ N-k-1<VF}

s := s + a[k];

{s = (Σi | 0≦i<k ・ a[i])+a[k] ∧ 0≦k<N∧ N-k-1<VF}

{s = (Σi | 0≦i<k+1 ・ a[i]) ∧ 0≦k+1≦N∧ N-(k+1)<VF}

k := k+1;

{s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦N ∧ N-k<VF}

This step uses 0≦k


Ranges upper bound

Ranges: upper bound

{0≦N} k := 0; s := 0; {J}while k≠N do{J ∧ k≠N}{0 ≦ vf}{J ∧ k≠N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧¬(k≠N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦Nvf: N-k

This step uses k≦N


Ranges upper bound1

Ranges: upper bound

{0≦N} k := 0; s := 0; {J}while k < N do{J ∧ k<N}{0 ≦ vf}{J ∧ k<N ∧ vf=VF}s:=s+a[k] ; k:=k+1{J ∧ vf<VF}end{J ∧¬(k<N)}{s = (Σi | 0≦i<N ・ a[i])}

J: s = (Σi | 0≦i<k ・ a[i]) ∧ 0≦k≦Nvf: N-k

Even with < instead of ≠

this step still needs k≦N


  • Login