# Functional Verification I


##### Presentation Transcript

1. Functional Verification I. Software Testing and Verification, Lecture Notes 21. Prepared by Stephen M. Thebaut, Ph.D., University of Florida.

2. Overview of Functional Verification Topics

   Lecture Notes #21 - Functional Verification I
   - Introduction
   - Verifying correctness in program reading, writing, and validation
   - Complete and sufficient correctness
   - Compound programs and the Axiom of Replacement

   Lecture Notes #22 - Functional Verification II
   - Correctness conditions and working correctness questions: sequencing and decision statements

3. Overview of Functional Verification Topics

   Lecture Notes #23 - Functional Verification III
   - Iteration Recursion Lemma (IRL) (Very Cool!)
   - Termination predicate
   - Correctness conditions for while_do statement
   - Sufficient correctness conditions
   - Correctness conditions for repeat_until statement
   - Subgoal Induction

   Lecture Notes #24 – Functional Verification IV
   - Invariant Status Theorem (EXTREMELY Cool!)
   - While Loop Initialization

4. Today’s Topics:
   - Introduction
   - Verifying correctness in program reading, writing, and validation
   - Complete and sufficient correctness
   - Compound programs and the Axiom of Replacement

5. Introduction
   - What is functional verification? A methodology originally developed by Mills for verifying program correctness with respect to an intended function specification. It represents a viable alternative to the axiomatic verification method developed by Hoare and Floyd.

6. Introduction (cont’d)
   - References:
     - Linger, Mills, & Witt, Structured Programming: Theory and Practice, Addison-Wesley, 1979.
     - Dunlop & Basili, “A Comparative Analysis of Functional Correctness,” Computing Surveys, Vol. 14, No. 2, June 1982.†
     - Linger, “Cleanroom Software Engineering for Zero-Defect Software,” Proceedings, 15th Int. Conf. on Soft. Eng. (1993), IEEE Computer Society Press.†

   † Required readings.

7. Tasks in Program Reading, Writing, and Verification
   - Program Reading:
     - Abstract a given program construct (e.g., an if_then_else statement) into a hypothesized function f.
     - To confirm that your understanding of the program is correct, show: f = [if p then G else H]

8. Tasks in Program Reading, Writing, and Verification (cont’d)
   - Program Writing:
     - Expand a given function f into a hypothesized program construct (e.g., an if_then_else statement).
     - To confirm that your expansion of f into a program is correct, show: f = [if p then G else H]

9. Tasks in Program Reading, Writing, and Verification (cont’d)
   - Program Verification:
     - You are given both function f and its hypothesized program expansion (e.g., an if_then_else statement).
     - To confirm the correctness of the hypothesized program expansion with respect to f, show: f = [if p then G else H]

10. Tasks in Program Reading, Writing, and Verification (cont’d)
   - In all three cases, the final task is to confirm the equivalence (or subset relationship) of two expressions, each representing the function of a program.

11. Complete and Sufficient Correctness
   - Given a function f and a program P (claimed to implement f), correctness is concerned with one of two questions:
     - Is f = [P]? (“Is f equivalent to the function computed by P?”) – A question of complete correctness.
     - Is f ⊆ [P]? (“Is f a subset of the function computed by P?”) – A question of sufficient correctness.

12. Complete and Sufficient Correctness (cont’d)
   - In the case of complete correctness, P computes the correct values of f for arguments in D(f) only; [P] is undefined (P does not terminate) for arguments outside D(f).
   - In the case of sufficient correctness, P may also compute values for arguments not in D(f).
   - Note that, by definition, f = [P] implies f ⊆ [P].

13. Correctness Relationships (diagram relating membership of pairs (X,Y) in f and in [P] for the cases f ⊆ [P] and [P] ⊆ f)

14. Example
   - For integers x,y consider the function:
     f = (y≥0 → x,y := x+y,0)
     and the programs:
     P1 = while y>0 do x,y := x+1,y-1
     P2 = while y<>0 do x,y := x+1,y-1
     Use heuristics to hypothesize functions for P1 and P2 and compare these to f.

15. Example (cont’d)
   - Consider P1 = while y>0 do x,y := x+1,y-1
     - Case y>0: the loop body executes y times, so x,y := x+y,0
     - Case y=0: the loop body is not executed, so x,y := x,y
     - Case y<0: the loop body is not executed, so x,y := x,y
     - Compare with f = (y≥0 → x,y := x+y,0)

16. Example (cont’d)
   - Consider P2 = while y<>0 do x,y := x+1,y-1
     - Case y>0: the loop body executes y times, so x,y := x+y,0
     - Case y=0: the loop body is not executed, so x,y := x,y
     - Case y<0: y only decreases and never reaches 0, so the loop does not terminate and [P2] is undefined
     - Compare with f = (y≥0 → x,y := x+y,0)

17. Example (cont’d)
   - Both programs satisfy sufficient correctness. (Both correctly compute f(x,y) for y≥0.)
   - Only P2 satisfies complete correctness. (P1 terminates for negative y.)

18. Defensive Programming: Handling Invalid Inputs
   - f and P can be redefined to handle invalid inputs:
     f’ = (y≥0 → x,y,z := x+y,0,z | true → x,y,z := x,y,‘error’)
     P’ = if y<0 then z := ‘error’ else while y>0 do x,y := x+1,y-1 end_while end_if_then_else
   - Does f’ = [P’]?

19. Exercise
   - Identity function I: x,y := x,y
   - Given P = if x>=y then x,y := y,x
     f1 = (x>y → x,y := y,x | true → I)
     f2 = (x>y → x,y := y,x | x<y → I)
     f3 = (x≠y → x,y := y,x)
   - Fill in the following “correctness table” (C = Complete (and Sufficient), S = Sufficient (only), N = Neither):

     | P | f1 | f2 | f3 |
     |---|----|----|----|
     |   |    |    |    |
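As an added example (not part of the lecture notes), the following Python models f, P1, P2 and the defensive f’/P’ from slides 14 to 18 as functions on program states and checks the complete/sufficient correctness questions over a finite set of constructed arguments. The step budget that stands in for non-termination is an assumption, and the same `classify` helper can be applied to the exercise on slide 19.

```python
# Added example, not from the lecture: finite-domain check of complete vs sufficient correctness.
STEP_BUDGET = 1000  # assumed bound: a run longer than this is treated as non-terminating

def run_loop(x, y, cond):
    """while cond(y) do x,y := x+1,y-1; returns None when the budget is exhausted."""
    for _ in range(STEP_BUDGET):
        if not cond(y):
            return (x, y)
        x, y = x + 1, y - 1
    return None  # [P] is undefined (non-termination) for this argument

def P1(x, y):
    """P1 = while y>0 do x,y := x+1,y-1"""
    return run_loop(x, y, lambda v: v > 0)

def P2(x, y):
    """P2 = while y<>0 do x,y := x+1,y-1"""
    return run_loop(x, y, lambda v: v != 0)

def f(x, y):
    """f = (y>=0 -> x,y := x+y,0); None outside D(f)."""
    return (x + y, 0) if y >= 0 else None

def f_prime(x, y, z):
    """f' = (y>=0 -> x,y,z := x+y,0,z | true -> x,y,z := x,y,'error')"""
    return (x + y, 0, z) if y >= 0 else (x, y, "error")

def P_prime(x, y, z):
    """P' = if y<0 then z := 'error' else while y>0 do x,y := x+1,y-1"""
    if y < 0:
        return (x, y, "error")
    result = run_loop(x, y, lambda v: v > 0)
    return None if result is None else (result[0], result[1], z)

def classify(spec, prog, domain):
    """'C' = complete, 'S' = sufficient only, 'N' = neither, checked over a finite domain."""
    # Sufficient: f is a subset of [P], i.e. P agrees with f wherever f is defined.
    sufficient = all(prog(*a) == spec(*a) for a in domain if spec(*a) is not None)
    # Complete: additionally [P] is undefined (no result) wherever f is undefined.
    complete = sufficient and all(prog(*a) is None for a in domain if spec(*a) is None)
    return "C" if complete else "S" if sufficient else "N"

XY = [(x, y) for x in range(-3, 4) for y in range(-3, 4)]  # constructed sample arguments
XYZ = [(x, y, 0) for x, y in XY]

if __name__ == "__main__":
    print("P1 vs f :", classify(f, P1, XY))              # S
    print("P2 vs f :", classify(f, P2, XY))              # C
    print("P' vs f':", classify(f_prime, P_prime, XYZ))  # C
```

A finite-domain check of this kind can refute a correctness claim but never establish it for all integers; the general proof obligations are the ones the lecture sets out.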

20. Compound Programs and the Axiom of Replacement
   - The algebraic structure of compound program P permits decomposition into a hierarchy of abstractions.
   - The proof of correctness of P is thereby decomposed into a proof of correctness of each such abstraction.

21. Compound Programs and the Axiom of Replacement (cont’d)
   - For example, to show that compound program F implements function f, where F = if p then G else H and G, H are themselves programs:
     - hypothesize functions g, h and attempt to prove g = [G] and h = [H]

22. Compound Programs and the Axiom of Replacement (cont’d)
   - If successful, use the Axiom of Replacement to reduce the problem to proving f = if p then g else h
   - If successful again, you will have proved f = [F]

23. Compound Programs and the Axiom of Replacement (cont’d)
   - Thus, the Axiom of Replacement allows one to prove the correctness of complex programs in a bottom-up, incremental fashion.
   - In the next lecture, we consider correctness conditions for sequencing and decision statements.
