Software Verification 1 Deductive Verification


12.1.2012

Software Verification 1: Deductive Verification

Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
und
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2, H. Schlingloff, Software Verification I

Termination proof rule

• Let (M,<) be a well-founded order and (z) be a formula involving zM

• if ⊢ (z0) for some z0M and

⊢ (z)b (z’) ¬b for some z’<z, then ⊢ while (b) ¬b

(z) is called the variant of the loop

(special case: (z) = (z=t(x)), here t(x) is called the variant)


Termination - a more intricate example

={b=1; while (a<=100 | b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }

Show: ⊢ 0<a<=100 a==91


• We do the termination part only.

• Hint for the invariant: (0<b<=11 & 0<a<=111 & (a<=101 | b!=1))

• wfo: N0; Variant: (z) = (z==1111+111b-11a-1); if 0<a<=100 & b==1, we have zN0

• Assume within the while-loop (z) & (a<=100 | b!=1)).

Case a<=100: {a+=11; b++} gives z-10==1111+111(b+1)-11(a+11)-1

Case a>100: {a-=10; b--;} gives z-1==1111+111(b-1)-11(a-10)-1

• Thus, in both cases there exists z’<z such that (z’) holds
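The two cases above can be checked mechanically: run the a/b loop from the slide and, at every loop head, test the hinted invariant, test that the variant z = 1111+111b-11a-1 is a natural number, and test that one pass through the body lowers z by exactly 10 (case a<=100) or 1 (case a>100). The code below is an added example, not part of the slides; the function names (variant, invariant, run_checked, check_all_inputs) are mine, and the range of inputs tried is the slide's precondition 0<a<=100.

```python
# Added example (not from the slides): execute the loop from the slide and check,
# at every loop head, the proof obligations of the termination rule:
#   - the invariant  0<b<=11 & 0<a<=111 & (a<=101 | b!=1)  holds,
#   - the variant    z = 1111 + 111*b - 11*a - 1           lies in N0,
#   - after the body z has dropped by exactly 10 (case a<=100) or 1 (case a>100).
# The final a is returned so that the postcondition a==91 can be checked as well.


def variant(a, b):
    """The slide's variant z = 1111 + 111b - 11a - 1."""
    return 1111 + 111 * b - 11 * a - 1


def invariant(a, b):
    """The slide's hinted loop invariant."""
    return 0 < b <= 11 and 0 < a <= 111 and (a <= 101 or b != 1)


def run_checked(a):
    """Run the program for input a, checking invariant and variant at each loop head.

    Returns (final_a, number_of_loop_iterations).
    Raises AssertionError as soon as one proof obligation fails.
    """
    if not 0 < a <= 100:
        raise ValueError("precondition 0<a<=100 violated")
    b = 1
    iterations = 0
    while a <= 100 or b != 1:
        assert invariant(a, b), f"invariant broken at a={a}, b={b}"
        z = variant(a, b)
        assert z >= 0, f"variant left N0 at a={a}, b={b}: z={z}"
        if a <= 100:
            a += 11
            b += 1
            expected_drop = 10          # slide: z-10 == 1111+111(b+1)-11(a+11)-1
        else:
            a -= 10
            b -= 1
            expected_drop = 1           # slide: z-1 == 1111+111(b-1)-11(a-10)-1
        assert variant(a, b) == z - expected_drop, "variant did not drop as predicted"
        iterations += 1
    a -= 10                             # the assignment after the loop
    return a, iterations


def check_all_inputs():
    """All obligations and the postcondition a==91, for every a with 0<a<=100."""
    return all(run_checked(a)[0] == 91 for a in range(1, 101))
```

Such a runtime check is not a proof, but it catches a wrong invariant or a mis-computed variant before one invests effort in the Hoare-logic derivation; for this loop every input in the precondition passes and ends with a==91.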


Finding Variants is Hard

• Try this one:

Mersenne = {n=0; k=0; while (k<48) {n++; if (isprim((2**n)-1)) k++}}

• ... and apply for the Fields-medal if successful


Proof of Termination Proof Rule

• if ⊢ (z) for some zM and ⊢ (z) (z’) ¬b for some z’<z, then program while (b) terminates

• Assume not. Then there is an infinite execution ; ; ; ... such that b holds before and after each.

Then there is an infinite descending chain z₀, z₁, z₂, ... such that z₀=z and zᵢ₊₁<zᵢ.

Thus, M is not a wfo.


Binary Search Program

: i=0; k=n;
while (i<k) {
  s=i+(k-i-1)/2; // integer division
  if (a>x[s]) i=s+1 else k=s
}

Show

n>=0 i(0<i<n (x[i-1]<x[i])

0<=i<=n j(0<=j<i x[j]<a j(i<=j<n x[j]>=a


• Variant (z)?

• while (i<k) ... suggests (z) = (z=k-i)

⊢ (z)b (z’) ¬b for some z’<z

what is a well-founded order for z? can we guarantee that zN0 ?

• Example: (assume k>0, j>0)

{i=k; while (i!=0) i-=j} terminates iff k%j==0

Assume k%j==0; wfo: (z) = (z=i/j); zN0

{i=k; while (i>=0) i-=j} terminates always. Proof?


Transforming Variants

We have to show: ⊢ (z) (z’) ¬b

Most important case: ⊢ z=t(x) x=f(x) z’=t(x) ¬b

Let z’=t(f(t⁻¹(z)))

⊢ z=t(x) t⁻¹(z)=x since t⁻¹(t(x))=x

⊢ t⁻¹(z)=x t(f(t⁻¹(z)))=t(f(x))

⊢ t(f(t⁻¹(z)))=t(f(x)) x=f(x) t(f(t⁻¹(z)))=t(x) (ass)

Therefore, ⊢ z=t(x) x=f(x) t(f(t⁻¹(z)))=t(x)

• Ex.: ⊢ z=i+k i=i-j z’=i+k for z’=z-j


Proof for Binary Search Termination

• Solution for binary search: z=(k-i)N0 ? Show 0<=i<=k<=n is invariant (omitted)

• Let (z)= (k-i=z)

k-i=z i=i+(k-i-1)/2+1 k-i=z’ for z’ = (z-1)/2 - 1 < z

Proof: let t(i) = k-i, t(z) = k-z, t⁻¹(z) = (k-z), f(i) = i+(k-i-1)/2+1

t(f(t⁻¹(z))) = k-((k-z) +(k- (k-z) -1)/2+1) = (z-1)/2-1

k-i=z k=i+(k-i-1)/2 k-i=z’ for z’= i+((z+i)-i-1)/2-i=(z-1)/2 <z
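The "transforming variants" recipe and the binary search proof above can be exercised on the program itself: run the loop from the Binary Search Program slide on strictly sorted input, check the invariant 0<=i<=k<=n and the variant z=k-i at every loop head, and in the i-updating branch compute z’ = t(f(t⁻¹(z))) from the slide's t, t⁻¹ and f and compare it with the k-i actually observed after the step (the other branch uses the slide's z’=(z-1)/2). The postcondition from the slide is checked after the loop. This is an added example, not part of the slides; the function names and the sorted sample lists are mine.

```python
# Added example (not from the slides): the slide's binary search loop, instrumented to
# check the invariant 0<=i<=k<=n, that z=k-i stays in N0 and strictly decreases, and
# that the value predicted by the transforming-variants recipe z' = t(f(t^-1(z)))
# equals the observed k-i after the i-updating branch.


def t(k, i):
    """Variant function t(i) = k - i (k is the loop's current upper bound)."""
    return k - i


def t_inv(k, z):
    """Inverse t^-1(z) = k - z, as on the slide."""
    return k - z


def f(k, i):
    """State transformer of the branch i = s+1: f(i) = i + (k-i-1)/2 + 1."""
    return i + (k - i - 1) // 2 + 1


def binary_search_checked(x, a):
    """Run the loop on a strictly increasing list x and search value a.

    Returns (i, z_trace) with z_trace the variant at every loop head.
    Raises AssertionError if a proof obligation fails.
    """
    n = len(x)
    assert all(x[j - 1] < x[j] for j in range(1, n)), "precondition: x strictly sorted"
    i, k = 0, n
    z_trace = []
    while i < k:
        assert 0 <= i <= k <= n, "invariant 0<=i<=k<=n broken"
        z = k - i
        assert z >= 0, "variant left N0"
        z_trace.append(z)
        s = i + (k - i - 1) // 2            # integer division, as in the slide
        if a > x[s]:
            z_next = t(k, f(k, t_inv(k, z)))  # transforming-variants recipe, k unchanged here
            i = s + 1
        else:
            z_next = (z - 1) // 2           # slide: z' = (z-1)/2 for the branch k = s
            k = s
        assert k - i == z_next, f"predicted variant {z_next} != observed {k - i}"
        assert z_next < z, "variant did not decrease"
    return i, z_trace


def postcondition_holds(x, a, i):
    """Slide's postcondition: all x[j] before i are < a, all x[j] from i on are >= a."""
    n = len(x)
    return (0 <= i <= n
            and all(x[j] < a for j in range(0, i))
            and all(x[j] >= a for j in range(i, n)))


def check_many():
    """Exhaustive check over small, constructed strictly sorted inputs and many values a."""
    samples = [[], [5], [1, 3, 5, 7, 9, 11, 13], [2, 4, 8, 16, 32, 64, 128, 256]]
    for x in samples:
        for a in range(-1, 300):
            i, _ = binary_search_checked(x, a)
            if not postcondition_holds(x, a, i):
                return False
    return True
```

Because the recipe is evaluated as the composition t∘f∘t⁻¹ rather than as a simplified closed form, the check confirms the method independently of how the quotient (k-i-1)/2 is rounded: the composed value must coincide with the observed k-i on every iteration, and it does.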


Pre- and Postconditions

• Dijkstra: wp-calculus (weakest precondition) characterizes the “weakest” formula which makes a Hoare-triple valid

=wp(.) iff ⊢ and ⊢(') for every ’ for which ⊢’

=wlp(.) iff ⊢{}{} and ⊢(') for every ’ for which ⊢{’} {}

• Example: wp(x++, x==7) = (x==6)

• Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic
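The characterization above (a precondition makes the triple valid exactly when it implies the weakest precondition) can be demonstrated for a loop-free language, where wp and wlp coincide because termination is trivial. The code below is an added example, not from the slides: it computes wp by Dijkstra's rules for assignment, sequence and conditional (substitution is realised by evaluating the postcondition in the updated state), validates Hoare triples by executing the program, and checks both the slide's example wp(x++, x==7) = (x==6) and the "weakest" property over a finite, constructed state domain. The program representation, the function names and the domain x in -20..20 are my assumptions.

```python
# Added example (not from the slides): weakest preconditions for a tiny loop-free language.
# Programs are tuples:
#   ("assign", var, expr_fn)   ("seq", S1, S2)   ("if", cond_fn, S1, S2)
# Predicates and expressions are Python functions over a state dict such as {"x": 6}.


def wp(stmt, post):
    """Dijkstra's wp rules; Q[e/x] is realised as 'Q evaluated in the state with x := e'."""
    kind = stmt[0]
    if kind == "assign":                    # wp(x := e, Q) = Q[e/x]
        _, var, expr = stmt
        return lambda st: post({**st, var: expr(st)})
    if kind == "seq":                       # wp(S1; S2, Q) = wp(S1, wp(S2, Q))
        _, s1, s2 = stmt
        return wp(s1, wp(s2, post))
    if kind == "if":                        # wp(if b S1 else S2, Q) = (b -> wp(S1,Q)) & (!b -> wp(S2,Q))
        _, cond, s1, s2 = stmt
        w1, w2 = wp(s1, post), wp(s2, post)
        return lambda st: w1(st) if cond(st) else w2(st)
    raise ValueError(f"unknown statement kind {kind}")


def execute(stmt, st):
    """Operational semantics, used only to validate Hoare triples by running the program."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        return {**st, var: expr(st)}
    if kind == "seq":
        return execute(stmt[2], execute(stmt[1], st))
    if kind == "if":
        _, cond, s1, s2 = stmt
        return execute(s1 if cond(st) else s2, st)
    raise ValueError(f"unknown statement kind {kind}")


def triple_valid(pre, stmt, post, states):
    """{pre} stmt {post} holds on every state of the (finite, constructed) domain."""
    return all(post(execute(stmt, st)) for st in states if pre(st))


def implies(p, q, states):
    """p -> q on every state of the domain."""
    return all(q(st) for st in states if p(st))


# Constructed state domain: x ranges over -20..20.
STATES = [{"x": v} for v in range(-20, 21)]
X_PLUS_PLUS = ("assign", "x", lambda st: st["x"] + 1)       # the slide's x++


def wp_of_increment_is_x_eq_6():
    """The slide's example: wp(x++, x==7) coincides with x==6 on the whole domain."""
    w = wp(X_PLUS_PLUS, lambda st: st["x"] == 7)
    return all(w(st) == (st["x"] == 6) for st in STATES)


def wp_is_weakest(stmt, post, candidates):
    """For every candidate P: {P} stmt {post} is valid  <=>  P implies wp(stmt, post)."""
    w = wp(stmt, post)
    return all(triple_valid(p, stmt, post, STATES) == implies(p, w, STATES)
               for p in candidates)
```

For a program with a conditional, e.g. "if (x<0) x=-x else x=x; x++", the same wp function yields x==6 or x==-6 as the weakest precondition for x==7, which is exactly what the assignment and conditional rules produce by hand.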
