1 / 11

Software Verification 1 Deductive Verification

Software Verification 1 Deductive Verification. Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik. Nochmal: Lehrevaluation. Verpflichtend für die HU, im Interesse der Studierenden

fabian
Download Presentation

Software Verification 1 Deductive Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Verification 1Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

  2. Nochmal: Lehrevaluation • Verpflichtend für die HU, im Interesse der Studierenden • Zeitraum: 16.01. bis 27.01.2012 • online: https://evaluation.hu-berlin.de/evaluation/ • Passwort (Token): inf-ws-11-12 • Verbesserung der Sicherheit durch sogenanntes Captcha • Completely Automated Public Turing test to tell Computers and Humans Apart • Bei Rückfragen: Dr. Elke Warmuth, Studiendekanin • Tel. 2093 5830, E-Mail: warmuth@math.hu-berlin.de

  3. Contracts • weakest preconditions and strongest postconditions are related to the require-ensure-paradigm (also assume-guarantee-paradigm): /*@ requires ensures  */void foo(...) ; is equivalent to (wp(,))  (sp(, )) • such a statement is called contract • use of contract: {[x1:=t1, ..., xn:=tn]} foo(t1,...,tn) {}

  4. Example with contracts int min (int a, int b) if (a<b) min=a else min=b; {a>=min  b>=min  (a=min  b=min)} {T}{x = 5; y = 7; z = min (x, y)} {z==5} proof: { x = 5; y = 7; a = x; b = y;} {a==5  b==7} {if (a<b) min=a else min=b;} {a==5  b==7 a>=min  b>=min  (a=min  b=min)} {min==5} {z = min;} {z==5}

  5. Parameter Passing • Call by value • value of actual parameter is passed • Call by reference • address of actual parameter is passed • Call by value-result • value is passed, result is copied back • Call by result • no value, but copying of result • Call by name • name of actual parameter is passed

  6. Example void strange (int x) { x+=2; a[i] = 4; i = 1; x+=2; } a = [1, 1]; i = 0; //a[0], a[1] strange(a[i]); reference: a=[6, 1] value: a=[4, 1] result: a=[?, 1] value-result: a=[5, 1] name: a=[4, 3]

  7. Recursive Functions • Example int pow(int a, int b){ if (b==0) return 1 else if (b%2==1) return a*pow(a,b-1) else return pow(a*a, b/2); • How to define the semantics? • How to verify correctness? • How to prove termination?

  8. Semantics • denotational: least fixed points of functionals • operational: substitution rule, e.g. in lambda-calculus (beta-reduction) pow(5,2) = if (2==0) return 1 else if (2%2==1) return 5*pow(5,2-1) else return pow(5*5, 2/2) =pow(25,1) = if (1==0) return 1 else if (1%2==1) return 25*pow(25,1-1) else return pow(25*25, 1/2) = 25*pow(25,0) = 25* if (0==0) return 1 else... = 25

  9. Replacement Possibilities • if there are several occurrences of a recursive function, which one to replace? • example term: f = g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) • leftmost-innermost: g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) • parallel-innermost:g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) • leftmost:g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) • parallel-outermost:g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) • free-argument:g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) • full-substitution: g(f(x0,f(x1,x2)),f(f(x3,x4),f(x5,x6))) Differences in the result?

  10. Church-Rosser-Property • “Diamond property”: if t0 t1 and t0  t2, then there is a t3 such that t1  t3 and t2  t3 • here  is repeated replacement by any rule • Consequence: if computation terminates with result x according to replacement rule A and result y according to replacement rule B, then x=y • Example: • int fun(int x, int y){ if (x==0) return 1 else return fun (x-1, fun(x-y, y))} • fun(2,1) = ? • fun(3,2) = ?

  11. Axiomatic – Proof Rules for Recursion • Correctness: ⊢ int f() {} {} {} • requires  ensures  • Example: • int pow(int a, int b){b>0}{...}{pow=a**b} •  can be used in the verification of f!

More Related