
Formal Verification


Presentation Transcript


  1. Formal Verification
  • Formal verification is one of the three main defect detection techniques:
    • Testing
    • Review/Inspection
    • Formal Verification
  • A technique to verify the “correctness of a program or detail design” against the formal specification.

  2. Formal (Verification & Validation) Proof
  • In order to conduct a formal proof, we need 2 steps:
    • Construction of a formal specification (the expected behavior and properties of the system are represented in formal models).
    • Performing a formal transformation (analyze the code or detail design against the formal specification via some “correctness” proof).

  3. Introduction to Logical Proof
  • A proof is a sequence of logical arguments where the “premises combined together” imply the “conclusion.”
  • A simple example of hypothetical syllogism (logical argument):
    • P -> Q (P implies Q) is true   (premise)
    • Q -> R is true   (premise)
    • P -> R must be true   (conclusion; this one is sometimes known as modus ponens)
  • A simple example of disjunctive syllogism:
    • P or Q   (premise)
    • Not P   (premise)
    • Q   (conclusion)

  4. Premises and Conclusion
  • What are premises and conclusion?
  • They are “assertions” or “statements” about something.
  • Using this notion of premises and conclusion, we will make assertions about a computation/system in the form of
    • Preconditions (premises)
    • Post-conditions (conclusions)

  5. A Programming Statement “Example”
  • Show that “right after” the execution of the statement “if X > Max then X := Max;” it is impossible for the condition X > Max to be true.
  • Proof (before and after execution conditions are given):
    • Let P stand for “X > Max” (before-execution condition)
    • Let Q stand for “X = Max” (after-execution condition)
    • Let R stand for “X > Max” (after-execution condition)
    • P is either true or false.
    • Assume P is false; then the statement is never executed and R is also false, or (not P -> not R, because P is the same as R).
    • Assume P is true; then X is set to Max and Q becomes true. If P is true then Q becomes true, or (P -> Q). If Q is true then R must be false, or (Q -> not R). Thus, using the hypothetical syllogism (P -> Q and Q -> not R), we have P -> not R.
    • So (not P -> not R) AND (P -> not R); that gives us not R.
  • This says that it is impossible for X > Max to be true right after the execution of the statement.

  6. Program Correctness Proofs
  • Preliminary Concepts:
    • the state of a system is “usually” given by the values of the variables of the system
    • preconditions indicate the initial state prior to the execution of the code
    • post-conditions indicate the state after the execution of the code
    • to show that different pieces of code work “correctly”, one must (1) divide the pieces of code into individual statements and (2) “convert” the precondition (“initial state”) of each statement into the post-condition of that statement, which in turn becomes the precondition of the following statement

  7. Preliminary Concepts
  • Diagram: code blocks chained by their conditions
    • Precondition for Code A (usually states of some variables)
    • Code A
    • Post-condition for Code A, which becomes the precondition for Code B
    • Code B
    • Post-condition for Code B, which becomes the precondition for Code C
    • Code C
    • Post-condition for Code C
  • Example: the precondition for a SQRT(x) function is that the input, x, is greater than or equal to 0 (requirement); the post-condition is the desired positive square root of x (also a requirement).

  8. Preliminary Concepts (cont.)
  • An assertion is a statement regarding the state(s).
  • A piece of code is considered correct if all the precondition assertions lead to the post-condition assertions once the code is executed.
  • Note that “correctness” may not address whether the precondition and post-condition assertions themselves are what the designers or users “really had in mind.”

  9. Hoare Triple
  • Definition: If C is a piece or a set of code statements, {P} is a precondition assertion and {Q} is a post-condition assertion, then the expression {P} C {Q} is called a Hoare Triple. (Tony Hoare is a UK computer scientist, well known for his Quick Sort algorithm and many other contributions.)
  • Example of a Hoare Triple:
    • consider the pseudo-code statements
      • Integer x, y, z;
      • z := y;
      • y := x;
      • x := z;
    • let “A” be the initial value of x and “B” be the initial value of y.
    • then the following is an example of a “correct” Hoare Triple:
      • {x=A, y=B} z:=y; y:=x; x:=z {x=B, y=A}

  10. Correctness Definition
  • Definition: If C is some code with precondition {P} and post-condition {Q}, then {P}C{Q} is said to be partially correct if the final state of C satisfies {Q} provided that the initial state satisfies {P}. C is also considered partially correct if there is no final state! (That is, if C is non-terminating!)
  • Definition: If {P}C{Q} is partially correct and C terminates, then {P}C{Q} is said to be totally correct.
  • Note: Partial correctness and total correctness differ only in termination. Thus they differ only in “looping” or “recursive” programs.

  11. Thinking Pre and Post Conditions
  • Finding a “typical” novice programming error
    • assume x contained A and y contained B initially
    • consider this sequence of code for “exchanging values”: x := y; y := x; (a non-programmer coding mistake)
    • precondition {P} for x:=y is (x=A, y=B)
    • post-condition {Q} for x:=y is (x=B)
    • precondition {P} for y:=x is (x=B)
    • post-condition {Q} for y:=x is (y=x=B)
  • Combining the code we have:
    • {x=A, y=B} x:=y; y:=x {x=B, y=B}
    • this is NOT the post-condition the programmer intended to get.
  • ** Had the programmer formally stated the post-condition to be {x=B, y=A}, which is the intent, then we could say the above code is incorrect. **

  12. Pre and Post Condition Rules
  • Definition: If R and S are two assertions, then R is said to be stronger than S if R -> S (R implies S).
  • Example:
    • the assertion i < 0 is stronger than the assertion i < 1 because i < 0 implies that i < 1 (i < 0 is true implies that i < 1 is true)
    • draw the set and subset diagram to get a better “feel.”
  • Note that if R is stronger than S, then all states that satisfy R will satisfy S. But there is at least one state that satisfies S which will not satisfy R. So the number of states that satisfy S is larger than that of R. Thus one may view the notion of “stronger” as “more selective” because fewer states will satisfy the stronger condition.
  • Of course, if R is stronger than S, then S is weaker than R.

  13. Precondition Strengthening
  • Rule 1: If P’ is stronger than P and the triple {P}C{Q} is correct, then with the strengthened precondition assertion, the triple {P’}C{Q} is also correct.
  • Example:
    • if {P}C{Q} is correct for P which is (x>0), then for P’, which asserts (x>2), the triple {P’}C{Q} will also be correct.
  • Rule 1, more formally:
    • P’ -> P (strengthening P to P’)
    • {P}C{Q}
    • therefore {P’}C{Q}
  • Example: if {x<5} x:=x+1 {x<6} is correct, then strengthening {P} to {x<3} should give us {x<3} x:=x+1 {x<6} as also correct because:
    • {x<3} -> {x<5}
    • {x<5} x:=x+1 {x<6}
    • therefore {x<3} x:=x+1 {x<6}

  14. Post Condition Weakening
  • Rule 2: If Q -> Q’ and the triple {P}C{Q} is correct, then the triple {P}C{Q’} is correct.
  • Rule 2, formally we have:
    • {P}C{Q}
    • Q -> Q’
    • therefore {P}C{Q’}
  • Example:
    • If { } max:=b {max=b} then { } max:=b {max>=b}
    • { } max:=b {max=b}
    • {max=b} -> {max>=b}
    • therefore { } max:=b {max>=b}
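The "stronger than" definition of slide 12 and Rules 1 and 2 of slides 13 and 14 can be checked mechanically for small integer programs by enumerating states. The following is an added example, not code from the slides; the state range and the single variable x are constructed assumptions, so the check is a bounded one, not a proof over all integers.

```python
# Added example (not from the slides): bounded checking of "stronger than"
# (slide 12) and of precondition strengthening / post-condition weakening
# (slides 13 and 14).  Assertions are Python boolean expressions over x,
# and programs are single assignments "x := exp".
STATES = range(-10, 11)   # constructed sample of states, not all integers

def sat(assertion, x):
    """Does the state x satisfy the assertion?  (constructed inputs only)"""
    return bool(eval(assertion, {"__builtins__": {}}, {"x": x}))

def implies(r, s):
    """R -> S: every sampled state satisfying R also satisfies S."""
    return all(sat(s, x) for x in STATES if sat(r, x))

def stronger(r, s):
    """Slide 12: R is stronger than S iff R -> S; fewer states satisfy R."""
    return implies(r, s) and sum(sat(r, x) for x in STATES) < sum(sat(s, x) for x in STATES)

def triple_ok(pre, exp, post):
    """{pre} x := exp {post}: run the assignment from every state satisfying pre."""
    ns = {"__builtins__": {}}
    return all(sat(post, eval(exp, ns, {"x": x})) for x in STATES if sat(pre, x))

def rule1_precondition_strengthening(p_strong, p, exp, q):
    """Rule 1: from P' -> P and {P} x:=exp {Q} conclude {P'} x:=exp {Q}.
    Returns None when a premise fails (the rule then licenses nothing)."""
    if not (implies(p_strong, p) and triple_ok(p, exp, q)):
        return None
    return triple_ok(p_strong, exp, q)

def rule2_postcondition_weakening(p, exp, q, q_weak):
    """Rule 2: from {P} x:=exp {Q} and Q -> Q' conclude {P} x:=exp {Q'}."""
    if not (triple_ok(p, exp, q) and implies(q, q_weak)):
        return None
    return triple_ok(p, exp, q_weak)

if __name__ == "__main__":
    print(stronger("x < 0", "x < 1"))                                            # slide 12
    print(rule1_precondition_strengthening("x < 3", "x < 5", "x + 1", "x < 6"))  # slide 13
    print(rule1_precondition_strengthening("x < 7", "x < 5", "x + 1", "x < 6"))  # weakening P: not licensed
    print(rule2_postcondition_weakening("True", "5", "x == 5", "x >= 5"))        # slide 14 pattern
```

The third call shows why the rule is named strengthening: {x<7} does not imply {x<5}, so the premise fails and nothing can be concluded about {x<7} x:=x+1 {x<6}.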

  15. Conjunction (AND) and Disjunction (OR) Rules
  • Rule 3: If C is a piece of code and {P}C{Q} AND {P’}C{Q’} are correct (note that both of the conditions have to be true simultaneously), then {P AND P’} C {Q AND Q’} is also correct.
  • Formally:
    • {P} C {Q}
    • {P’} C {Q’}
    • therefore {P AND P’} C {Q AND Q’}
  • Rule 4: If C is a piece of code and {P}C{Q} AND {P’}C{Q’} are correct, then {P OR P’} C {Q OR Q’} is also correct.
  • Formally:
    • {P} C {Q}
    • {P’} C {Q’}
    • therefore {P OR P’} C {Q OR Q’}

  16. Example using Conjunction Rule & more
  • Problem: given the following Hoare Triples:
    • { } x:=x+1 {x = x+1} AND [note that x:=x+1 has multiple meanings here!]
    • {x>0} x:=x+1 {x>0}
    • show that {x>0} x:=x+1 {x>-1}
  • Proof (a little more detailed than needed):
    • a) using the conjunction rule, we get {x>0} x:=x+1 {x=x+1 AND x>0}
    • b) using the post-condition weakening rule, we have {x=x+1 AND x>0} -> {x>0}; thus the conjunction triple {x>0} x:=x+1 {x=x+1 AND x>0} also implies that {x>0} x:=x+1 {x>0} is correct, by weakening the post-condition
    • Furthermore {x>0} -> {x>-1} (or x>0 is stronger than x>-1)
    • Therefore we have {x>0} x:=x+1 {x>-1} (by weakening the post-condition)
  • Alternatively: note that the weakening of the post-condition can be achieved by dropping x=x+1 and also by directly weakening x>0 to x>-1.

  17. More Rules (for your fun)
  • Assignment Rule: replace “y” in Q by “exp” and the result is the precondition P:
    • {Q with y replaced by exp} y := exp {Q}
    • Example: for {P} y := x+1 {y>0}, replacing y by x+1 in the post-condition gives P, i.e. {x+1>0} y := x+1 {y>0}
  • Concatenation Rule:
    • {P} S1 {Q}, {Q} S2 {R}
    • therefore {P} S1;S2 {R}
  • Conditional Rule (a):
    • {P & B} S1 {Q}, {P & ¬B} S2 {Q}
    • therefore {P} if B then S1 else S2 {Q}
  • Conditional Rule (b):
    • {P & B} S {Q}, {P & ¬B} => {Q}
    • therefore {P} if B then S {Q}
  • Loop Rule:
    • {P & B} S {P}
    • therefore {P} while B do S {P & ¬B}
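The assignment, concatenation and conditional rules above can be applied backwards from a post-condition to compute the weakest precondition of a straight-line program, which is how the exchange programs of slides 9 and 11 and the "if X > Max then X := Max" statement of slide 5 are verified below. This is an added example, not code from the slides; the textual substitution, the use of Python boolean expressions as assertions, and the concrete sample states are constructed assumptions.

```python
import re

# Added example (not from the slides): weakest preconditions for the assignment,
# concatenation and conditional rules of slide 17, applied to the exchange programs
# of slides 9 and 11 and the "if X > Max" statement of slide 5.  An assertion is a
# list of Python boolean expressions, read as a conjunction.

def subst(expr, var, exp):
    """Q with var replaced by exp: every whole-word occurrence of var becomes (exp)."""
    return re.sub(rf"\b{re.escape(var)}\b", f"({exp})", expr)

def wp_assign(var, exp, post):
    """Assignment rule: {Q with var replaced by exp} var := exp {Q}."""
    return [subst(q, var, exp) for q in post]

def wp_seq(stmts, post):
    """Concatenation rule: the precondition of S1;S2;... is built backwards."""
    pre = list(post)
    for var, exp in reversed(stmts):          # stmts are (var, exp) assignments
        pre = wp_assign(var, exp, pre)
    return pre

def wp_if(cond, then_stmts, post):
    """Conditional rule (b): {P & B} S {Q} and (P & not B) => Q."""
    def conj(asserts):
        return " and ".join(f"({a})" for a in asserts)
    return [f"(not ({cond})) or {conj(wp_seq(then_stmts, post))}",
            f"({cond}) or {conj(post)}"]

def holds(assertions, env):
    """Evaluate a conjunction of assertions in one concrete state (constructed data only)."""
    return all(eval(a, {"__builtins__": {}}, dict(env)) for a in assertions)

def triple_holds(initial, stmts, post):
    """{P} C {Q} holds from state `initial` exactly when `initial` satisfies wp(C, Q)."""
    return holds(wp_seq(stmts, post), initial)

# Slide 9: exchange through a temporary; slide 11: the novice mistake.
SWAP_OK = [("z", "y"), ("y", "x"), ("x", "z")]
SWAP_BUG = [("x", "y"), ("y", "x")]
SWAP_POST = ["x == B", "y == A"]
INITIAL = {"x": 3, "y": 7, "z": 0, "A": 3, "B": 7}   # constructed state with x = A, y = B

def clamp_is_valid():
    """Slide 5: after "if X > Max then X := Max", X > Max never holds; the weakest
    precondition of that claim is true in every sampled state."""
    pre = wp_if("X > Max", [("X", "Max")], ["not (X > Max)"])
    return all(holds(pre, {"X": x, "Max": m}) for x in range(-3, 4) for m in range(-3, 4))
```

For SWAP_OK the computed precondition is ["((y)) == B", "(x) == A"], which the initial state x=A, y=B satisfies; for SWAP_BUG it is ["(y) == B", "((y)) == A"], which can only hold when A = B, so the triple of slide 11 fails.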
