
Software Verification 1 Deductive Verification



1. Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

2. Termination proof rule
• Let (M,<) be a well-founded order and φ(z) be a formula involving z ∈ M.
• If ⊢ ψ → φ(z0) for some z0 ∈ M, and ⊢ φ(z) ∧ b α φ(z') ∨ ¬b for some z' < z (depending on z), then ⊢ ψ while (b) α ¬b.
• φ(z) is called a variant of the loop (special case: φ(z) = (z = t(x)); here t(x) is called the variant).
(Notation: ⊢ φ α ψ is a total-correctness triple, i.e. α terminates from every state satisfying φ and ends in a state satisfying ψ; ⊢ {φ} α {ψ} is the partial-correctness triple.)

3. Termination: a more intricate example
α = {b=1; while (a<=100 | b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }
Show: ⊢ 0<a<=100 α a==91

4. We do the termination part only.
• Hint for the invariant: (0<b<=11 & 0<a<=111 & (a<=101 | b!=1))
• wfo: N0; variant: φ(z) = (z==1111+111b-11a-1), i.e. z = 1110+111b-11a
• If 0<a<=100 & b==1, we have z ∈ N0 (z = 1221-11a >= 121); inside the loop the invariant keeps z >= 0, since 0<b and a<=111.
• Assume within the while loop φ(z) & (a<=100 | b!=1).
• Case a<=100: {a+=11; b++} gives z-10 == 1111+111(b+1)-11(a+11)-1
• Case a>100: {a-=10; b--} gives z-1 == 1111+111(b-1)-11(a-10)-1
• Thus, in both cases there exists z'<z such that φ(z') holds.
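The obligations of slides 2 and 4 can also be checked at run time by instrumenting the loop: the invariant must hold at the top of every iteration, the variant must be in N0 there, and it must decrease by exactly the amount derived for each branch. The following is an added example, not code from the slides; the function names (variant, invariant, run_91, check_all) are this example's own.

```python
# Added example (not part of the slides): a runtime check of the termination-rule
# obligations for the a==91 loop of slide 3, using the invariant and variant suggested
# on slide 4. Function names (variant, invariant, run_91, check_all) are this example's own.


def variant(a, b):
    # phi(z) = (z == 1111 + 111*b - 11*a - 1), i.e. z = 1110 + 111*b - 11*a
    return 1111 + 111 * b - 11 * a - 1


def invariant(a, b):
    # loop invariant suggested on slide 4
    return 0 < b <= 11 and 0 < a <= 111 and (a <= 101 or b != 1)


def run_91(a):
    """Run the loop of slide 3 from a state satisfying 0<a<=100 and check, on every
    iteration, the three proof obligations: the invariant holds, z is in N0, and the
    variant decreases by exactly the amount computed on slide 4.
    Returns (final value of a, number of loop iterations)."""
    assert 0 < a <= 100, "precondition of slide 3"
    b = 1
    z = variant(a, b)
    assert z >= 0, "z0 must be in N0 in the initial state"
    steps = 0
    while a <= 100 or b != 1:
        assert invariant(a, b), f"invariant violated at a={a}, b={b}"
        assert z >= 0, f"variant left N0 at a={a}, b={b}"
        if a <= 100:                  # case a<=100 on slide 4: z decreases by 10
            a += 11
            b += 1
            expected = z - 10
        else:                         # case a>100 on slide 4: z decreases by 1
            a -= 10
            b -= 1
            expected = z - 1
        z_next = variant(a, b)
        assert z_next == expected and z_next < z, "variant did not decrease as claimed"
        z = z_next
        steps += 1
    a -= 10
    return a, steps


def check_all():
    """Every start value 0<a<=100 terminates with a==91 and never breaks an obligation."""
    return all(run_91(a)[0] == 91 for a in range(1, 101))


if __name__ == "__main__":
    print(run_91(99), check_all())
```

Such a check is not a proof (it only exercises the 100 admissible start states), but a failing assertion pinpoints which obligation the proposed invariant or variant cannot discharge, which is the information needed to repair the proof.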

5. Finding variants is hard
• Try this one: Mersenne = {n=0; k=0; while (k<48) {n++; if (isprim((2**n)-1)) k++}}
• ... and apply for the Fields Medal if successful.

6. Proof of the termination proof rule
• If ⊢ φ(z) for some z ∈ M and ⊢ φ(z) α φ(z') ∨ ¬b for some z'<z, then the program while (b) α terminates.
• Assume not.
• Then there is an infinite execution α; α; α; ... such that b holds before and after each α.
• Then there is an infinite descending chain z0, z1, z2, ... such that z0 = z and z_{i+1} < z_i: since b holds after each α, the postcondition yields φ(z_{i+1}) with z_{i+1} < z_i.
• Thus, M is not a wfo, contradicting the assumption.

7. Binary search
Program α: i=0; k=n; while (i<k) { s=i+(k-i-1)/2; // integer division
  if (a>x[s]) i=s+1 else k=s }
Show: n>=0 ∧ ∀i(0<i<n → x[i-1]<x[i]) α 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)

8. Variant φ(z)?
• while (i<k) ... suggests φ(z) = (z = k-i)
• ⊢ φ(z) ∧ b α φ(z') ∨ ¬b for some z'<z
• What is a well-founded order for z? Can we guarantee that z ∈ N0?
• Example (assume k>0, j>0): {i=k; while (i!=0) i-=j} terminates iff k%j==0.
• Assume k%j==0; wfo N0, variant φ(z) = (z = i/j); z ∈ N0.
• {i=k; while (i>=0) i-=j} terminates always. Proof?

9. Transforming variants
We have to show: ⊢ φ(z) α φ(z') ∨ ¬b.
Most important case: ⊢ z=t(x) x=f(x) z'=t(x) ∨ ¬b.
Let z' = t(f(t⁻¹(z))).
⊢ z=t(x) → t⁻¹(z)=x, since t⁻¹(t(x))=x
⊢ t⁻¹(z)=x → t(f(t⁻¹(z)))=t(f(x))
⊢ t(f(t⁻¹(z)))=t(f(x)) x=f(x) t(f(t⁻¹(z)))=t(x)   (assignment axiom)
Therefore, ⊢ z=t(x) x=f(x) t(f(t⁻¹(z)))=t(x).
• Ex.: ⊢ z=i+k i=i-j z'=i+k for z'=z-j

10. Proof for binary search termination
• Solution for binary search: z = (k-i) ∈ N0?
• Show 0<=i<=k<=n is invariant (omitted). Let φ(z) = (k-i = z).
• Case a>x[s]: k-i=z i=i+(k-i-1)/2+1 k-i=z' for z' = z-(z-1)/2-1 < z.
  Proof: let t(i) = k-i, so t(z) = k-z and t⁻¹(z) = k-z (t is its own inverse); f(i) = i+(k-i-1)/2+1;
  t(f(t⁻¹(z))) = k-((k-z)+(k-(k-z)-1)/2+1) = z-(z-1)/2-1.
• Case a<=x[s]: k-i=z k=i+(k-i-1)/2 k-i=z' for z' = i+((z+i)-i-1)/2-i = (z-1)/2 < z.
• In both cases z' ∈ N0 and z' < z whenever z >= 1, which the loop guard i<k guarantees.
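The transformation of slide 9 (z' = t(f(t⁻¹(z)))) can be computed mechanically and compared against an instrumented run of the binary search of slide 7 with the variant z = k-i. The block below is an added example, not code from the slides; its function names (next_variant, z_after_decrement, z_after_right_step, z_after_left_step, binary_search) are this example's own, and it uses Python's integer division // for the slide's "/".

```python
# Added example (not part of the slides): computing the successor variant
# z' = t(f(t^-1(z))) of slide 9 mechanically and checking it against an instrumented
# run of the binary search of slide 7 with the variant z = k-i of slide 10.
# All function names here (next_variant, binary_search, ...) are this example's own.


def next_variant(t, t_inv, f, z):
    """Slide 9: for a loop body x = f(x) and a variant z = t(x) with t_inv(t(x)) == x,
    the value of the variant after the body is t(f(t_inv(z)))."""
    return t(f(t_inv(z)))


def z_after_decrement(z, k, j):
    # Example of slide 9: z = i+k, body i = i-j, hence z' = z-j.
    return next_variant(t=lambda i: i + k, t_inv=lambda v: v - k, f=lambda i: i - j, z=z)


def z_after_right_step(z, k):
    # Binary search, branch a > x[s]: i = i + (k-i-1)//2 + 1 with k fixed, z = k-i.
    return next_variant(t=lambda i: k - i, t_inv=lambda v: k - v,
                        f=lambda i: i + (k - i - 1) // 2 + 1, z=z)


def z_after_left_step(z, i):
    # Binary search, branch a <= x[s]: k = i + (k-i-1)//2 with i fixed, z = k-i.
    return next_variant(t=lambda k: k - i, t_inv=lambda v: v + i,
                        f=lambda k: i + (k - i - 1) // 2, z=z)


def binary_search(x, a):
    """The loop of slide 7, instrumented: each iteration checks the invariant
    0<=i<=k<=n, that the observed new value of z = k-i equals both the closed form
    (z-(z-1)//2-1 for the right step, (z-1)//2 for the left step) and the value
    next_variant computes, and that z stays in N0 and strictly decreases.
    Returns (i, list of z values after each iteration)."""
    n = len(x)
    i, k = 0, n
    trace = []
    while i < k:
        assert 0 <= i <= k <= n, "invariant of slide 10 violated"
        z = k - i
        s = i + (k - i - 1) // 2          # integer division, as in slide 7
        if a > x[s]:
            i = s + 1
            assert k - i == z - (z - 1) // 2 - 1 == z_after_right_step(z, k)
        else:
            k = s
            assert k - i == (z - 1) // 2 == z_after_left_step(z, i)
        assert 0 <= k - i < z, "variant must stay in N0 and decrease"
        trace.append(k - i)
    return i, trace


if __name__ == "__main__":
    print(binary_search([1, 3, 5, 7, 9], 5))   # (2, [2, 1, 0])
```

The right-step closed form z-(z-1)/2-1 equals ⌈(z-1)/2⌉; writing it as (z-1)/2-1 would give z' = -1 for z = 1 (a two-element range narrowed to one), which the instrumented assertion would catch immediately.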

11. Pre- and postconditions
• Dijkstra: wp-calculus (weakest precondition)
• characterizes the "weakest" formula which makes a Hoare triple valid
• φ = wp(α, ψ) iff ⊢ φ α ψ and ⊢ (φ' → φ) for every φ' for which ⊢ φ' α ψ
• φ = wlp(α, ψ) iff ⊢ {φ} α {ψ} and ⊢ (φ' → φ) for every φ' for which ⊢ {φ'} α {ψ}
• Example: wp(x++, x==7) = (x==6)
• Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic
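The example wp(x++, x==7) = (x==6) is an instance of the assignment rule wp(x := e, ψ) = ψ[e/x]. The block below, an added example rather than code from the slides, computes wp syntactically for assignments, sequencing and conditionals using the standard Dijkstra rules (assumed here, not quoted from the slide) and confirms by brute force over a finite range that the result for x++ is equivalent to x==6. All names in it (subst, ev, wp, equivalent) are this example's own.

```python
# Added example (not part of the slides): a small syntactic wp calculator for
# assignments, sequencing and conditionals, illustrating slide 11. Terms and formulas
# are nested tuples, programs are tuples too; wp(x := e, psi) is the substitution
# psi[e/x]. The rules used are the standard Dijkstra rules, assumed here rather than
# quoted from the slide, and all names (subst, ev, wp, equivalent) are this example's own.
import itertools


def var(name):
    return ('var', name)


def const(value):
    return ('const', value)


def subst(t, name, e):
    """t[e/name]: replace every occurrence of variable `name` in t by the term e."""
    if t[0] == 'var':
        return e if t[1] == name else t
    if t[0] == 'const':
        return t
    return (t[0],) + tuple(subst(arg, name, e) for arg in t[1:])


def ev(t, s):
    """Evaluate a term or formula in state s (dict: variable name -> int)."""
    op = t[0]
    if op == 'var':
        return s[t[1]]
    if op == 'const':
        return t[1]
    if op == 'not':
        return not ev(t[1], s)
    a, b = ev(t[1], s), ev(t[2], s)
    return {'+': a + b, '-': a - b, '*': a * b,
            '==': a == b, '<': a < b, '<=': a <= b,
            'and': bool(a) and bool(b), 'or': bool(a) or bool(b),
            '->': (not a) or bool(b)}[op]


def wp(prog, psi):
    """Weakest precondition. Programs: ('assign', x, e) | ('seq', p, q) | ('if', b, p, q).
    wp(x := e, psi) = psi[e/x];  wp(p; q, psi) = wp(p, wp(q, psi));
    wp(if b then p else q, psi) = (b -> wp(p, psi)) and (not b -> wp(q, psi))."""
    kind = prog[0]
    if kind == 'assign':
        return subst(psi, prog[1], prog[2])
    if kind == 'seq':
        return wp(prog[1], wp(prog[2], psi))
    if kind == 'if':
        b, p, q = prog[1], prog[2], prog[3]
        return ('and', ('->', b, wp(p, psi)), ('->', ('not', b), wp(q, psi)))
    raise ValueError(f"unknown program form {kind!r}")


def equivalent(f, g, names, lo=-10, hi=11):
    """Brute-force check that f and g agree on every state assigning values in
    [lo, hi) to the variables in `names` (sound only for that finite range)."""
    for vals in itertools.product(range(lo, hi), repeat=len(names)):
        s = dict(zip(names, vals))
        if bool(ev(f, s)) != bool(ev(g, s)):
            return False
    return True


# wp(x++, x==7): x++ is the assignment x := x+1, so wp is (x+1 == 7), i.e. x==6
x_inc = ('assign', 'x', ('+', var('x'), const(1)))
post_7 = ('==', var('x'), const(7))

# sequencing: x := x+1; y := x*2 with postcondition y==14 also yields x==6
double_after_inc = ('seq', x_inc, ('assign', 'y', ('*', var('x'), const(2))))
post_14 = ('==', var('y'), const(14))

# conditional: m := max(x, y); the postcondition x<=m and y<=m holds from every state,
# so its wp must be valid (equivalent to true)
prog_max = ('if', ('<', var('x'), var('y')),
            ('assign', 'm', var('y')), ('assign', 'm', var('x')))
post_max = ('and', ('<=', var('x'), var('m')), ('<=', var('y'), var('m')))

if __name__ == "__main__":
    print(wp(x_inc, post_7))
    print(equivalent(wp(x_inc, post_7), ('==', var('x'), const(6)), ['x']))
```

The calculator returns the unsimplified formula (x+1 == 7); the finite-range equivalence check stands in for the simplification step a real verifier would delegate to a decision procedure. Loops are deliberately absent: wp of a while loop needs the invariant and variant of the preceding slides rather than a purely syntactic rule.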
