Functional Verification III

Functional Verification III

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Lecture Notes 23

Previously…

• Correctness conditions and working correctness questions:

– sequencing

– decision statements

Today’s Topics

• Iteration Recursion Lemma (IRL)

• Termination predicate: term(f,P)

• Correctness conditions for while_do statement

• Sufficient correctness conditions

• Correctness conditions for repeat_until statement

• Subgoal Induction

Iteration Recursion Lemma (IRL)

• The IRL reduces the verification of programs with loops to a question of termination and the verification of loop-free programs by converting iteration to recursion.

• For while loops, the Lemma states:

f = [while p do g] = [if p then g;f end_if]

(note recursion)

Iteration Recursion Lemma (cont’d)

p

g

T

F

p

g

T

F

p

g

T

F

p

g

T

F

f = = =

f

p

g;f

T

F

=

Iteration Recursion Lemma (cont’d)

• Rather than verify directly that f is the program function of

K = while p do g

which can be very difficult, it is sufficient to prove that

1. K terminates for all X D(f), and that

2. f is the program function of

Q = if p then g;f end_if

because [K] = [Q].

An important implication of the IRL

• Suppose for “input” X0 the while loop term-inates after n iterations with “output” Xn.

• Furthermore, let X1, X2, ..., Xn-1 be the in-termediate states generated by the loop.

• Then 0≤i<n, we know:

– p(Xi),

– Xi+1=g(Xi), and

– ¬p(Xn).

An important implication of the IRL (cont’d)

• As f = [while p do g] = [if p then g;f end_if], it follows that

f(X0) = f(X1) = ... = f(Xn) = Xn

• More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is:

f(X) = f(X0)

• We will revisit this observation in connection with Mill’s Invariant Status Theorem later.

Illustrative Example of IRL

• To further illustrate the fact that

[while p do g] = [if p then g;f end_if]

consider a concrete example...

• Let K = while y>0 do x,y := x+1,y−1

• Claim: K is function equivalent to

Q = if y>0 then x,y := x+1,y−1;k end_if

where, by definition, k = [K].

p g

p k o g

Illustrative Example of IRL (cont’d)

Case (y>0):

For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x0+(1)y0 = x0+y0 and the final value of y is 0. Thus,

(y>0) => k = (x,y := x+y,0)

Also, note that when y=0 initially,

k = I = (x,y := x,y) = (x,y := x+0,y)

= (x,y := x+y,0)

Therefore, (y≥0) => k = (x,y := x+y,0)


Case (y>0): (cont’d)

[Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution.

For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have

[Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K)

Thus, [Q] = [K] when y>0.


Case (y≤0):

Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent.

Thus, [Q] = I = [K] when y≤0.

Therefore, K is function equivalent to Q.

Termination Predicate

• The correctness of a looping program P depends, in part, on termination.

• Consideration is limited to programs whose termination can be established and the following predicate is defined:

term(f,P) ‘‘P terminates for every initial state X D(f)’’

Before we continue…

• Take out a piece of paper and a pen/pencil.

• Without looking back in the lecture notes, write down the complete correctness con-ditions for:

f = [if p then g]

if_then Correctness Conditions

• Complete correctness conditions for f = [if p then g]:

Prove: p (f = g) Л

¬p (f = I)

• So, aside from proving termination over the domain of f, what are the two corresponding conditions for:

f = [while p do g] = [if p then fog] ?

while_do Correctness Conditions

• Complete correctness conditions for

f = [K] = [while p do G]

(where g = [G] has already been shown):

Prove:

term(f,K) Л

p (f = f o g) Л

¬p (f = I)

while_do Correctness Conditions (cont’d)

• Working correctness questions:

– Is loop termination guaranteed for any argument of f ?

– When p is true does f equal f composed with g?

– When p is false does f equal Identity?

while_do Example

• Prove f = [T] where, for integers x, y, and z:

f = (y≥0 z,y := z+xy,0)

and T is:

while y<>0 do z := z+x y := y−1 end_while

p

G

while_do Example (cont’d)

• Proof:

g = [G] = (z,y := z+x,y−1) by observation

– term(f,T)?

f = (y≥0 z,y := z+xy,0)

and T is:

while y<>0 do z := z+x y := y−1end_while

So, does y≥0 initially T will terminate?


• Proof:


– term(f,T)? √ (Prove this…)


• Proof:



– Does (y=0) ( f = I )?¬p

( Recall: f = (y≥0 z,y := z+xy,0) )


• Proof:



– Does (y=0) ( f = I )? √

(y=0) ( f = (z,y := z+x(0),0)

= (z,y := z,0) )

(y=0) ( I = (z,y := z,0) )


– Does (y0) ( f = f o g )?p


– Does (y0) ( f = f o g )?

case a: Does (y<0) ( f = f o g )?

(y<0) ( f = undefined )

(y<0) ( f o g = f o (z,y := z+x,y−1)

What is f when applied after g decrements the initially negative value of y?

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?



(y<0) ( f o g = undefined o (z,y := z+x,y−1)

since y<0 gy(y<0)<0

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?




= undefined )


– Does (y0) ( f = f o g )?

case a: Does (y<0) ( f = f o g )? √



= undefined )


– Does (y0) ( f = f o g )?

case b: Does (y>0) ( f = f o g )?

( Recall: f = (y≥0 z,y := z+xy,0) )

– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )

(y>0) ( f o g = f o (z,y := z+x,y−1)

Again, what is f when applied after g decrements the initially positive value of y?

( Recall: f = (y≥0 z,y := z+xy,0) )



– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )

(y>0) ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1)

since y>0 gy(y>0)≥0

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0) )

We could have also composed the full, conditional definition off with g, i.e. (y≥0 z,y := z+xy,0) o (z,y := z+x,y−1) to yield(y≥1 z,y := z+xy,0) which is just (z,y := z+xy,0) when y>0.


– Does (y0) ( f = f o g )? √

case b: Does (y>0) ( f = f o g )? √

(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0) )

Therefore, f = [T].

Exercise 1

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Sufficient Correctness Conditions

• Given the complete correctness conditions for f = [H] = [while p do g]:

Prove:

term(f,H) Л

p (f = f o g) Л

¬p (f = I)

Sufficient Correctness Conditions (cont’d)

What are the sufficient correctness conditions for f [H] = [while p do g]?

Prove:

f’ = [H] for some f’ Л

f f’

Sufficient Correctness Conditions (cont’d)

What are the sufficient correctness conditions for f [H] (for ANY program, H)?

Prove:

f’ = [H] for some f’ Л

f f’

repeat_until Statement

• What are the complete correctness conditions for f = [R] = [repeat g until p]?

p

g

F

T

f =

repeat_until Statement (cont’d)

• An IRL for repeat_until statements:

f = [repeat g until p] = [g; if ¬p then f]

“Proof” by Picture

p

g

F

T

f =

p

g

F

T

= p

g

T

F

=

f

p

g

T

F

=

f

¬p

g

F

T

repeat_until Statement (cont’d)

• Therefore, it is sufficient to verify that

1. R terminates for all X D(f), and that

2. f is the program function of

Q = g; if ¬p then f end_if

because [R] = [Q].

repeat_until Correctness Conditions

• Complete correctness conditions for

f = [R] = [repeat G until p]

(where g = [G] has already been shown):

Prove:

term(f,R) Л

(p o g) (f = g) Л ¬(p o g) (f = f o g)

repeat_until Correctness Conditions (cont’d)

• Working correctness questions:

– Is loop termination guaranteed for any argument of f ?

– When p o g is true does f equal g?

– When p o g is false does f equal f o g?

Exercise 2

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Subgoal Induction

• “Subgoal induction” is a proof method pro-posed by Morris and Wegbreit† that can be viewed as a generalization of (while loop) functional verification.

• It uses a variation of the Iteration Recursion Lemma (IRL) to identify relatively simple correctness conditions for a while loop surrounded by pre- and post-processing code.

†Morris, James & Ben Wegbreit, “Subgoal Induction,” CACM, Volume 20, No. 4, April 1977.

Subgoal Induction (cont’d)

• The key observation underlying the method is:

v = [while p do g end_while; t]≡

[if p then g;v else t end_if_else]

• The function equivalence of these programs, like that asserted in the IRL, is perhaps best illustrated graphically...


p

g

T

F

p

T

F

p

T

F

p

T

F

= =

v

p

g;v

T

F

=

t t

g t

g t

g t

v =


• Suppose, now, that compound program K is:

h; while p do g end_while; t

and that v = [while p do g end_while; t].

• From the functional equivalence illustrated above and the fact that K = h;v, it therefore follows that:

[K] = v o h

= [if p then g;v else t end_if_else] o h


• Recall the complete correctness conditions for r = [if p then g else t]:

(1) p (r=g) and (2) ¬p (r=t).

• Thus, the complete correctness conditions for

f = [K] = [h; while p do g end_while; t]

are: (1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

where v = [while p do g end_while; t].

Subgoal induction vs. functional verification

• How does subgoal induction differ from the program decomposition strategy employed in functional verification?

To show f = [h; while p do g end_while; t] using functional verification, an intermediate hypothesis and “sub-proof” for the loop is required, whereas t is part of the intermediate hypothesis in the subgoal induction case.

• Note that if t is the identify function, the two strategies are identical.

Subgoal induction vs. functional verification (cont’d)

• But, if h is the identify function, then subgoal induction has an advantage since intended function f (if given) can then be used as the intermediate hypothesis. (In this case, treating the loop and t as a whole results in a more efficient proof.)

Subgoal Induction Example

• Use subgoal induction to prove f = [K] where, for integers x, y, and z:

f = (x≥0 x,y,z := 0,2x,2x)

and K is: y := 1 H

while x<>0 do y := y2 x := x-1 end_while

z := y T

G

Subgoal Induction Example (cont’d)

We need to show:

(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

But first, we must hypothesize a function for v (our “intermediate hypothesis”):

v = [while x<>0 do g end_while; z := y]


What is the function, v, of this program?

while x<>0 do y := y2 x := x-1end_whilez := y


What is the function, v, of this program?

while x<>0 do y := y2 x := x-1end_whilez := y

x>0 x,y,z := 0, y2x, y2x x=0 x,y,z := x, y, y

:= 0, y2x, y2x

x<0 undefined

Therefore, v is hypothesized to be:

(x≥0 x,y,z := 0, y2x, y2x)


Returning to the four correctness conditions:

(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(1) Does K terminate for all x≥0? YES

y := 1 while x<>0 do

y := y2 x := x-1 end_while

z := y

(Prove this using the Method of Well-Founded Sets.)



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?p



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?

case a: Does (x<0) ( v = v o g )? YES

(x<0) ( v = undefined ) (x<0) ( v o g = undefined o (x,y := x-1,2y)

= undefined )

( Recall: hypoth. v = (x≥0 x,y,z := 0, y2x, y2x) )



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )? YES

case b: Does (x>0) ( v = v o g )? YES

(x>0) ( v = (x,y,z := 0, y2x, y2x) ) (x>0) ( v o g = (x,y,z := 0, y2x, y2x) o

(x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1) = (x,y,z := 0, y2x, y2x) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )? YES

(x=0) ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) )

(x=0) ( t = (x,y,z := 0, y, y) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(4) Does f = v o h ?



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(4) Does f = v o h ? YES

f = (x≥0 x,y,z := 0,2x,2x)

voh = (x≥0 x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) = (x≥0 x,y,z := 0, (1)2x, (1)2x) = (x≥0 x,y,z := 0, 2x, 2x)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

Therefore, for f = (x≥0 x,y,z := 0,2x,2x) and K:

y := 1 while x<>0 do

y := y2 x := x-1 end_while

z := y

we conclude, by subgoal induction, that f = [K].

Summary

• Iteration Recursion Lemma (IRL)

• Termination predicate: term(f,P)

• Correctness conditions for while_do statement

• Sufficient correctness conditions

• Correctness conditions for repeat_until statement

• Subgoal Induction

Coming up next…

• Thinking about invariants again

• Invariant Status Theorem (IST)

• While Loop Initialization

• Utility of IST

Functional Verification III

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Lecture Notes 23

Documents

Functional Verification III