Functional Program Verification
CS 4311
A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999.
Y. Cheon and M. Vela, A Tutorial on Functional Program Verification, Technical Report 10-26, Dept. of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010.
Outline
  Non-testing techniques for V&V
  Overview of functional verification
  Programs as functions
  Intended functions
  Verification: assignment statement, sequential composition, conditional statement, iterative statement
Non-testing Techniques for V&V
(Pairs, 2 minutes) V&V definitions and examples from the class project?
Sec. 13.4 of Vliet 2008 (Manual Testing Techniques)
Non-testing Techniques for V&V
(Pairs, 2 minutes) V&V definitions and examples?
Code reviews
  Reading: if you can't read it, neither can the people maintaining it
  Walkthrough: team effort (group of 3-5, e.g., designer, moderator, secretary); manual simulation led by the designer; focus on discovering faults, not on fixing them
  Inspection: looking for specific faults (e.g., using checklists), e.g., uninitialized variables
Sec. 13.4 of Vliet 2008 (Manual Testing Techniques)
Non-testing V&V (Cont.)
Correctness proof
  Hoare logic
  Functional program verification
Model checking
Correct by construction
  Refinement calculus
  Model-driven development
Sec. 13.4 of Vliet 2008 (Manual Testing Techniques)
Overview of Functional Verification
Key ideas
  View programs as mathematical functions
  Write specifications as mathematical functions
  Compare the two functions for correctness verification
Characteristics
  Based on sets and functions (vs. logic, as in Hoare logic)
  Forward reasoning (vs. backward reasoning)
  Matches informal reasoning
Programs as Functions
Values of x and y after execution?
// pre-state: {(x,10), (y,20)}
x = x + y;
y = x - y;
x = x - y;
// post-state: {(x,?), (y,?)}
State changing function (or state transformer)
  A function on program states
  Maps one program state to another
pre-state {(x,3), (y,5)} -> post-state {(x,5), (y,3)}
...
pre-state {(x,6), (y,4)} -> post-state {(x,4), (y,6)}
Concurrent Assignment
Notation for expressing state changing functions
[x1, x2, ..., xn := e1, e2, ..., en]
  Evaluate the ei's in the pre-state, all at the same time
  Assign them to the xi's, all at the same time
  The values of other state variables remain the same (frame axiom)
// [x, y := y, x]
x = x + y;
y = x - y;
x = x - y;
Conditional Concurrent Assignment
Different functions based on some conditions
[x > 0 -> sign := 1 | x < 0 -> sign := -1 | else -> sign := 0]
  Conditions are evaluated sequentially from the first to the last, in the pre-state
  The keyword "else" is interpreted as "true"
[n > maxSize -> n := maxSize | else -> I]   (I is the identity function)
[n > 0 -> avg := sum / n | else -> undefined]   (a partial function)
Exercise
Write a (conditional) concurrent assignment to describe the function computed by the following code.
if (n > maxSize) { n = maxSize; }
avg = sum / n;
Intended Functions
Intended function: function describing our intention for the code (the specification for the code)
Code function: function computed by the code (the actual behavior implemented by the code)
// [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
while (i < a.length) { sum += a[i]; i++; }
"anything": we don't care about the final value of i.
Exercise
Write intended functions for the following code.
(a) sum = sum + a; avg = sum / n;
(b) if (a[i] == k) { l = i; }
(c) while (i < a.length) { if (a[i] == k) { l = i; } i++; }
Annotating Code
Why? To facilitate correctness verification
How? Annotate every section of code with its intended function
// f0: [r := largest value in a]
// f1: [r, i := a[0], 1]
r = a[0];
int i = 1;
// f2: [r, i := max of r and largest in a[i..], anything]
while (i < a.length) {
  // f3: [r, i := max of r and a[i], i+1]
  if (a[i] > r) { r = a[i]; }
  i++;
}
Exercise
Annotate the following code with intended functions.
c = 0;
int i = 0;
while (i < a.length) { if (a[i] == n) { c++; } i++; }
Outline
  Non-testing techniques for V&V
  Overview of functional verification
  Programs as functions
  Intended functions
  Verification: assignment statement, sequential composition, conditional statement, iterative statement
Functional Verification Process
1. Write specifications of the code as functions, called intended functions
2. Calculate the functions computed by the code, called code functions
3. Compare the code function (p) with the intended function (f); p is correct with respect to f (written p ⊑ f) if:
   dom p ⊇ dom f, and
   p(x) = f(x) for every x ∈ dom f
Why not dom p = dom f?
Verification of Assignment Statement
Often straightforward: often the code function and the intended function are identical
// [x := x + 1]
x = x + 1;
// [n > 0 -> avg := sum / n]
avg = sum / n;
More work is done by the code (its domain is larger than that of the intended function)
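The refinement relation p ⊑ f from the process slide can be checked mechanically over a finite set of states. The following is an added example, not code from the slides or the cited reports: it checks the avg = sum / n code above against the partial intended function [n > 0 -> avg := sum / n], shows what goes wrong when the intended function's domain is larger than the code's, and treats the "anything" don't-care value from the sum-loop example later in the deck. The array A, the state ranges, and the function names are constructed for the example.

```python
"""Added example: finite-domain check of p ⊑ f as on the slides (dom p ⊇ dom f and
p(s) = f(s) for all s in dom f). States are dicts; None means 'undefined here'."""
from itertools import product

ANYTHING = object()   # the slides' "anything": a don't-care final value

def refines(p, f, states):
    """Return (True, None) if p ⊑ f on `states`, else (False, failing_state)."""
    for s in states:
        want = f(dict(s))
        if want is None:            # s not in dom f: nothing is required
            continue
        got = p(dict(s))
        if got is None:             # s in dom f but not in dom p: violation
            return False, s
        for var, val in want.items():
            if val is not ANYTHING and got.get(var) != val:
                return False, s
    return True, None

# Assignment slide: code "avg = sum / n" (integer division, undefined for n == 0)
# against the intended function [n > 0 -> avg := sum / n].
def code_avg(s):
    if s["n"] == 0:
        return None
    s["avg"] = s["sum"] // s["n"]
    return s

def intended_avg(s):                # partial: defined only for n > 0
    return code_avg(s) if s["n"] > 0 else None

def intended_avg_total(s):          # unguarded [avg := sum / n]: dom f exceeds dom p
    return code_avg(s) or dict(s, avg=0)

# Iteration slide: the sum loop against f1 = [sum, i := sum + Σ a[i..], anything]
A = [3, 1, 4]                       # constructed sample array

def code_sum(s):
    while s["i"] < len(A):
        s["sum"] += A[s["i"]]
        s["i"] += 1
    return s

def intended_sum(s):
    s["sum"] += sum(A[s["i"]:])     # empty slice adds 0 once i >= len(A)
    s["i"] = ANYTHING
    return s

AVG_STATES = [{"sum": t, "n": n} for t, n in product(range(7), range(-2, 4))]
SUM_STATES = [{"sum": t, "i": i} for t, i in product(range(3), range(len(A) + 2))]
```

refines(code_avg, intended_avg_total, AVG_STATES) fails at the state with n == 0, which is exactly why the definition asks for dom p ⊇ dom f rather than dom p = dom f.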
Verification of Sequential Composition
Compose the code functions
// [n > 0 -> sum, avg := sum + a, (sum + a) / n]
sum = sum + a;
avg = sum / n;
[sum := sum + a]; [n ≠ 0 -> avg := sum / n]
≡ [n ≠ 0 -> sum, avg := sum + a, (sum + a) / n]
⊑ [n > 0 -> sum, avg := sum + a, (sum + a) / n]
Trace Table
Calculate the code function by tracing the state changes made by the statements
x = x + 1;
y = 2 * x;
z = x + y;
x = x + 1;
x = 3 * x;

statement    x          y          z
x = x + 1    x+1
y = 2 * x               2*(x+1)
z = x + y                          (x+1) + 2*(x+1)
x = x + 1    x+2
x = 3 * x    3*(x+2)

[x, y, z := 3*(x+2), 2*(x+1), (x+1) + 2*(x+1)]
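The trace table is a substitution procedure, and it can be automated for straight-line code. The following is an added example, not code from the slides: it builds the table for the five statements above by rewriting each right-hand side over the pre-state, prints the resulting concurrent assignment, and cross-checks it by running the code on a concrete pre-state. It does no algebraic simplification, so x+2 appears as (x + 1) + 1; the function names and the `eval`-based checker are constructed for the example and assume only trusted input.

```python
"""Added example: a symbolic trace table for straight-line code, as on the slide.
Each 'v = e' is rewritten over the pre-state by substituting the current
expression of every variable into e; no algebraic simplification is done."""
import re

IDENT = re.compile(r"[A-Za-z_]\w*")

def substitute(expr, env):
    """Replace each variable already assigned in env by its (parenthesised) expression."""
    return IDENT.sub(lambda m: "(" + env[m[0]] + ")" if m[0] in env else m[0], expr)

def trace_table(statements):
    """Return (rows, env): one (statement, variable, new expression) row per
    assignment, and env mapping each variable to its final pre-state expression."""
    env, rows = {}, []
    for stmt in statements:                 # only plain 'v = e;' statements handled
        var, rhs = (part.strip() for part in stmt.rstrip(";").split("=", 1))
        env[var] = substitute(rhs, env)      # env values mention pre-state names only
        rows.append((stmt, var, env[var]))
    return rows, env

def concurrent_assignment(statements):
    """Format the code function in the slides' [x1, ..., xn := e1, ..., en] notation."""
    _, env = trace_table(statements)
    return "[" + ", ".join(env) + " := " + ", ".join(env.values()) + "]"

def evaluate(env, pre):
    """Apply the derived code function to a concrete pre-state (trusted input only)."""
    return {v: eval(e, {"__builtins__": {}}, dict(pre)) for v, e in env.items()}

def run_code(statements, pre):
    """Execute the statements directly, to cross-check the derived function."""
    state = dict(pre)
    for stmt in statements:
        var, rhs = (part.strip() for part in stmt.rstrip(";").split("=", 1))
        state[var] = eval(rhs, {"__builtins__": {}}, dict(state))
    return state

SLIDE_CODE = ["x = x + 1;", "y = 2 * x;", "z = x + y;", "x = x + 1;", "x = 3 * x;"]

if __name__ == "__main__":
    rows, env = trace_table(SLIDE_CODE)
    for stmt, var, expr in rows:
        print(f"{stmt:12} {var} = {expr}")
    print(concurrent_assignment(SLIDE_CODE))
    print(evaluate(env, {"x": 2}), run_code(SLIDE_CODE, {"x": 2}))
```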
Exercise
Use a trace table to calculate the function computed by the following code.
rate = 0.5;
years++;
interest = balance * rate / 100;
balance = balance + interest;
Modular Verification
Intended functions can be used in place of code functions for verification
// [f0]
// [f1]
S1
// [f2]
S2
Proof obligations
  f1; f2 ⊑ f0
  S1 is correct with respect to f1 (S1 ⊑ f1)
  S2 is correct with respect to f2 (S2 ⊑ f2)
Verification of Conditional Statement
Calculate code functions using conditional trace tables
p = a * r;
if (a < b)
  b = b - a;
else
  b = b - p;

statement    condition    p        b
p = a * r                 a * r
if (a < b)   a < b
b = b - a                          b - a

statement    condition    p        b
p = a * r                 a * r
if (a < b)   a >= b
b = b - p                          b - (a * r)

[a < b -> p, b := a * r, b - a
| a >= b -> p, b := a * r, b - (a * r)]
Verification of Conditional Statement (Cont.)
Case analysis on the conditions
// [f]
if (B) S1 else S2
Proof obligations
  When B holds, S1 is correct with respect to f (B ⇒ S1 ⊑ f)
  When B doesn't hold, S2 is correct with respect to f (¬B ⇒ S2 ⊑ f)
Example
// f: [z != 0 -> r := |x - y| / z]
if (x > y) r = (x - y) / z; else r = (y - x) / z;
Proof by case analysis
  When x > y: x - y = |x - y|, thus [z != 0 -> r := (x - y)/z] ⊑ f
  When !(x > y): y - x = |x - y|, thus [z != 0 -> r := (y - x)/z] ⊑ f
  Therefore, if ... else ... ⊑ f
Exercise
Derive proof obligations for an if statement without an else part.
// [f]
if (B) S
Exercise
Write an intended function for the following code and prove the correctness of the code with respect to the intended function.
if (n > maxSize) { n = maxSize; }
sum = sum + a;
avg = sum / n;
Verification of Iteration Statement
No known way of calculating the code function, so proof by induction
// [f]
while (B) S
Proof obligations
  If B doesn't hold, the identity function is correct with respect to f (¬B ⇒ I ⊑ f)
  If B holds, S followed by f is correct with respect to f (B ⇒ S; f ⊑ f)
  Termination, for total correctness
    Loop variant: an expression whose value increases/decreases on each iteration
Rationale: unrolling the loop once gives
// [f]
if (B) { S while (B) S }
and, assuming f is correct for the remaining loop, this is
// [f]
if (B) { S [f] }
Example
// f1: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
while (i < a.length) {
  // f2: [sum, i := sum + a[i], i+1]
  sum += a[i]; i++;
}
Proof obligations
  Termination: loop variant a.length - i
  Basis: ¬(i < a.length) ⇒ I ⊑ f1
  Induction: i < a.length ⇒ f2; f1 ⊑ f1, and refinement of f2
Proof of basis
  f1 ≡ [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
     ≡ [sum, i := sum + 0, anything]   (because i >= a.length)
     ≡ [sum, i := sum, anything]
     ⊒ [sum, i := sum, i] = I
Example
// f1: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
while (i < a.length) {
  // f2: [sum, i := sum + a[i], i+1]
  sum += a[i]; i++;
}
Proof of induction step: i < a.length ⇒ f2; f1 ⊑ f1
  f2; f1 ≡ [sum, i := sum + a[i], i + 1]; [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
         ≡ [sum, i := sum + a[i] + Σ_{j=i+1}^{a.length-1} a[j], anything]
         ≡ [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
         ≡ f1
Exercise
Prove the termination of the following loop.
while (low <= high) {
int mid = (low + high) / 2;
if (a[mid] < x)
low = mid + 1;
else if (a[mid] > x)
high = mid - 1;
else
high = low - 1;
}
Initialized Loops
A loop is seldom used in isolation: it is preceded by initialization, and together they compute something useful; the loop's own function is more general
// [f0]
// [f1]
S1
// [f2]
while (B) {
  // [f3]
  S2
}
Proof obligations
  f1; f2 ⊑ f0
  S1 ⊑ f1
  while (B) S2 ⊑ f2, requiring
    Termination
    Basis step: ¬B ⇒ I ⊑ f2
    Induction: B ⇒ S2; f2 ⊑ f2
Example
// f0: [r := largest value in a]
// f1: [r, i := a[0], 1]
r = a[0];
int i = 1;
// f2: [r, i := max of r and largest in a[i..], ?]
while (i < a.length) {
  // f3: [r, i := max of r and a[i], i+1]
  if (a[i] > r) { r = a[i]; }
  i++;
}
Proof obligations
  f1; f2 ⊑ f0
  Refinement of f1
  Refinement of f2
    Termination of the loop
    Basis: ¬(i < a.length) ⇒ I ⊑ f2
    Induction: i < a.length ⇒ f3; f2 ⊑ f2
  Refinement of f3
Example (Cont.)
Proof of f1; f2 ⊑ f0
  f1; f2 ≡ [r, i := a[0], 1]; [r, i := max of r and largest in a[i..], ?]
         ≡ [r, i := max of a[0] and largest in a[1..], ?]
         ≡ [r, i := largest value in a, ?]
         ⊑ [r := largest value in a]
         ≡ f0
See handout for other proofs.
Exercise
Write intended functions for the following while loops in isolation.
(a) while (i < a.length) { if (a[i] > 0) { sum += a[i]; } i++; }
(b) while (n > 1) { n = n - 2; }
Exercise
Prove the correctness of the following code.
// [r := n!]
r = 1;
int i = n;
while (i > 1) { r = r * i; i--; }