Functional Verification III

Functional Verification III. Software Testing and Verification, Lecture Notes 23. Prepared by Stephen M. Thebaut, Ph.D., University of Florida.

  1. Functional Verification III Software Testing and Verification Lecture Notes 23 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

  2. Previously… • Correctness conditions and working correctness questions: • sequencing • decision statements

  3. Today’s Topics • Iteration Recursion Lemma (IRL) • Termination predicate: term(f,P) • Correctness conditions for while_do statement • Sufficient correctness conditions • Correctness conditions for repeat_until statement • Subgoal Induction


  5. Iteration Recursion Lemma (IRL) • The IRL reduces the verification of programs with loops to a question of termination and the verification of loop-free programs by converting iteration to recursion. • For while loops, the Lemma states: f = [while p do g] = [if p then g;f end_if] (note recursion)

  6.–9. Iteration Recursion Lemma (cont’d) [Flowchart figures, built up over four slides: the diagram for f = [while p do g] (test p; on the T branch execute g and return to the test; on the F branch exit) is redrawn as a single test of p whose T branch executes g followed by the whole loop f again, i.e. g;f, and whose F branch exits. This is the picture behind f = [if p then g;f end_if].]

  10. Iteration Recursion Lemma (cont’d) • Rather than verify directly that f is the program function of K = while p do g, which can be very difficult, it is sufficient to prove that 1. K terminates for all X ∈ D(f), and that 2. f is the program function of Q = if p then g;f end_if, because [K] = [Q].

  11. An important implication of the IRL • Suppose for “input” X0 the while loop terminates after n iterations with “output” Xn. • Furthermore, let X1, X2, ..., Xn−1 be the intermediate states generated by the loop. • Then ∀ i, 0≤i<n, we know: • p(Xi), • Xi+1 = g(Xi), and • ¬p(Xn).

  12. An important implication of the IRL (cont’d) • As f = [while p do g] = [if p then g;f end_if], it follows that f(X0) = f(X1) = ... = f(Xn) = Xn (each application of the recursive form peels off one iteration, and at Xn the predicate fails, so f(Xn) = Xn). • More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is: f(X) = f(X0) • We will revisit this observation in connection with Mills’ Invariant Status Theorem later.

  13.–15. Illustrative Example of IRL • To further illustrate the fact that [while p do g] = [if p then g;f end_if], consider a concrete example... • Let K = while y>0 do x,y := x+1,y−1 (here p is y>0 and g is the simultaneous assignment x,y := x+1,y−1). • Claim: K is function equivalent to Q = if y>0 then x,y := x+1,y−1; K end_if, where, by definition, k = [K]. The then-branch of Q therefore computes k ∘ g.

  16.–18. Illustrative Example of IRL (cont’d) Case (y>0): For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x0+(1)y0 = x0+y0 and the final value of y is 0. Thus, (y>0) ⇒ k = (x,y := x+y,0). Also, note that when y=0 initially, k = I = (x,y := x,y) = (x,y := x+0,y) = (x,y := x+y,0). Therefore, (y≥0) ⇒ k = (x,y := x+y,0).

  19.–24. Illustrative Example of IRL (cont’d) Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k ∘ g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) ⇒ k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) ∘ (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K). Thus, [Q] = [K] when y>0.

  25.–26. Illustrative Example of IRL (cont’d) Case (y≤0): Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent. Thus, [Q] = I = [K] when y≤0. Therefore, K is function equivalent to Q.
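The IRL and the concrete loop K from slides 13–26, executed in Python as an added example (this code is not part of the lecture notes). States are modelled as (x, y) tuples and a step budget (`fuel`) guards against a non-terminating loop; both are assumptions of this block. `run_while` is K, `run_recursive` is Q in its recursive form, and `k` is the claimed program function (y≥0 → x,y := x+y,0, identity otherwise). `check_irl` confirms on a grid of inputs that all three agree, that the trace satisfies p(Xi) for i<n and ¬p(Xn) as on slide 11, and that k(Xi) = k(X0) holds for every intermediate state, the observation of slide 12.

```python
"""Iteration Recursion Lemma (IRL) worked on K = while y>0 do x,y := x+1,y-1.

Added example; states are modelled as (x, y) tuples and loops are run with a
step budget `fuel` (assumptions of this block, not of the lecture notes).
"""
from typing import Callable, List, Tuple

State = Tuple[int, int]          # (x, y)
Pred = Callable[[State], bool]
Func = Callable[[State], State]


def p(s: State) -> bool:
    """Loop predicate y > 0."""
    return s[1] > 0


def g(s: State) -> State:
    """Loop body g: simultaneous assignment x,y := x+1, y-1."""
    x, y = s
    return (x + 1, y - 1)


def run_while(p: Pred, g: Func, s: State, fuel: int = 1000) -> List[State]:
    """Execute K = while p do g and return the trace X0, X1, ..., Xn.

    `fuel` bounds the number of iterations so a non-terminating loop is
    reported instead of hanging.
    """
    trace = [s]
    while p(s):
        if len(trace) > fuel:
            raise RuntimeError("loop did not terminate within fuel")
        s = g(s)
        trace.append(s)
    return trace


def run_recursive(p: Pred, g: Func, s: State, fuel: int = 1000) -> State:
    """Execute Q = if p then g;Q end_if, the IRL's recursive form of K."""
    if fuel == 0:
        raise RuntimeError("recursion did not terminate within fuel")
    if p(s):
        return run_recursive(p, g, g(s), fuel - 1)
    return s


def k(s: State) -> State:
    """Claimed program function of K (slides 16-26):
    (y >= 0 -> x,y := x+y, 0 | y < 0 -> I)."""
    x, y = s
    return (x + y, 0) if y >= 0 else (x, y)


def check_irl(samples: List[State]) -> bool:
    """For every sample X0: K, Q and k agree; the trace has p(Xi) for i < n and
    not p(Xn) (slide 11); and k(Xi) == k(X0) for every state of the trace (slide 12)."""
    for s0 in samples:
        trace = run_while(p, g, s0)
        if not (trace[-1] == run_recursive(p, g, s0) == k(s0)):
            return False
        if any(not p(xi) for xi in trace[:-1]) or p(trace[-1]):
            return False
        if any(k(xi) != k(s0) for xi in trace):
            return False
    return True


if __name__ == "__main__":
    print(run_while(p, g, (3, 4)))      # [(3, 4), (4, 3), (5, 2), (6, 1), (7, 0)]
    grid = [(x, y) for x in range(-3, 4) for y in range(-3, 8)]
    print("IRL checks hold:", check_irl(grid))
```

Because `run_recursive` recurses once per iteration, the recursion depth equals the number of loop iterations; the grid keeps y small so the Python recursion limit is never an issue.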

  27. Today’s Topics • Iteration Recursion Lemma (IRL) • Termination predicate: term(f,P) • Correctness conditions for while_do statement • Sufficient correctness conditions • Correctness conditions for repeat_until statement • Subgoal Induction

  28. Termination Predicate • The correctness of a looping program P depends, in part, on termination. • Consideration is limited to programs whose termination can be established, and the following predicate is defined: term(f,P) ‘‘P terminates for every initial state X ∈ D(f)’’

  29. Before we continue… • Take out a piece of paper and a pen/pencil. • Without looking back in the lecture notes, write down the complete correctness conditions for: f = [if p then g]

  30.–32. if_then Correctness Conditions • Complete correctness conditions for f = [if p then g]: Prove: p ⇒ (f = g) ∧ ¬p ⇒ (f = I) • So, aside from proving termination over the domain of f, what are the two corresponding conditions for: f = [while p do g] = [if p then f ∘ g] ? (Note that the sequence g;f, “g then f”, is the composition f ∘ g.)

  33. Today’s Topics • Iteration Recursion Lemma (IRL) • Termination predicate: term(f,P) • Correctness conditions for while_do statement • Sufficient correctness conditions • Correctness conditions for repeat_until statement • Subgoal Induction

  34. while_do Correctness Conditions • Complete correctness conditions for f = [K] = [while p do G] (where g = [G] has already been shown): Prove: term(f,K) ∧ p ⇒ (f = f ∘ g) ∧ ¬p ⇒ (f = I)

  35. while_do Correctness Conditions (cont’d) • Working correctness questions: • Is loop termination guaranteed for any argument of f ? • When p is true does f equal f composed with g? • When p is false does f equal Identity?

  36.–37. while_do Example • Prove f = [T] where, for integers x, y, and z: f = (y≥0 → z,y := z+xy,0) and T is: while y<>0 do z := z+x; y := y−1 end_while (here p is y<>0 and G is the loop body).

  38.–48. while_do Example (cont’d) • Proof: g = [G] = (z,y := z+x,y−1) by observation • term(f,T)? Recall f = (y≥0 → z,y := z+xy,0) and T is: while y<>0 do z := z+x; y := y−1 end_while. So, does y≥0 initially ⇒ T will terminate? √ (Prove this…) • Does (y=0) ⇒ ( f = I )? (the ¬p case) ( Recall: f = (y≥0 → z,y := z+xy,0) ) (y=0) ⇒ ( f = (z,y := z+x(0),0) = (z,y := z,0) ) (y=0) ⇒ ( I = (z,y := z,y) = (z,y := z,0) ) Hence f = I when y=0. √

  49.–50. while_do Example (cont’d) • Does (y≠0) ⇒ ( f = f ∘ g )? (the p case) case a: Does (y<0) ⇒ ( f = f ∘ g )?
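The three working correctness questions of slides 34–35, applied to the example T of slides 36–50 as an added Python example (this code is not from the lecture notes). States are modelled as (x, y, z) tuples, f is coded as a partial function that returns None outside its domain y≥0, and termination is checked on sampled inputs with a step budget (`fuel`) rather than proved; these are assumptions of this block. The condition f = f ∘ g is compared as an equality of partial functions, so two undefined results count as agreement. The block also runs T from states with y<0 and shows it exhausts any budget, consistent with f being specified only for y≥0.

```python
"""Working correctness questions for f = [T], where
   f = (y >= 0 -> z,y := z + x*y, 0)   and   T = while y<>0 do z := z+x; y := y-1 end_while.

Added example; states are modelled as (x, y, z) tuples and termination is
checked with a step budget on sampled inputs (assumptions of this block).
"""
from typing import List, Optional, Tuple

State = Tuple[int, int, int]     # (x, y, z)


def f(s: State) -> Optional[State]:
    """Intended function f. Partial: None outside its domain D(f) = {y >= 0}."""
    x, y, z = s
    if y < 0:
        return None
    return (x, 0, z + x * y)     # y := 0, z := z + x*y


def p(s: State) -> bool:
    """Loop predicate y <> 0."""
    return s[1] != 0


def g(s: State) -> State:
    """g = [G] = (z,y := z+x, y-1), by observation of the loop body."""
    x, y, z = s
    return (x, y - 1, z + x)


def identity(s: State) -> State:
    """I, the identity function."""
    return s


def terminates(s: State, fuel: int) -> bool:
    """Run T from s; True iff the loop exits within `fuel` iterations."""
    steps = 0
    while p(s):
        if steps >= fuel:
            return False
        s = g(s)
        steps += 1
    return True


def term(samples: List[State]) -> bool:
    """term(f,T): T terminates for every sampled X in D(f), i.e. y >= 0.
    For y >= 0 the loop runs exactly y times, so a budget of y+1 steps suffices."""
    return all(terminates(s, s[1] + 1) for s in samples if f(s) is not None)


def runs_past_budget_outside_domain(samples: List[State], fuel: int = 1000) -> bool:
    """Outside D(f) (y < 0) y only decreases and never reaches 0, so T exhausts any budget."""
    return all(not terminates(s, fuel) for s in samples if f(s) is None)


def condition_p(samples: List[State]) -> bool:
    """When p holds, does f equal f composed with g?
    Compared as partial functions: two undefined results (None) count as equal."""
    return all(f(s) == f(g(s)) for s in samples if p(s))


def condition_not_p(samples: List[State]) -> bool:
    """When p fails (y = 0), does f equal I?"""
    return all(f(s) == identity(s) for s in samples if not p(s))


def while_do_correct(samples: List[State]) -> bool:
    """All three working correctness questions answered yes on the samples."""
    return term(samples) and condition_p(samples) and condition_not_p(samples)


if __name__ == "__main__":
    grid = [(x, y, z) for x in range(-2, 3) for y in range(-3, 6) for z in range(-1, 2)]
    print("term(f,T) on D(f):", term(grid))
    print("p => f = f o g:", condition_p(grid))
    print("not p => f = I:", condition_not_p(grid))
    print("T runs past budget for y<0:", runs_past_budget_outside_domain(grid))
```

Sampling a grid is evidence, not a proof: the slides' "Prove this…" for term(f,T) still requires the argument that y strictly decreases towards 0 from any y≥0, which is exactly the bound `y+1` that `term` relies on.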
