Posted on 14-Dec-2015
Copyright 2003-04, Doron Peled and Cesare Tinelli.
These notes are based on a set of lecture notes originally developed by Doron Peled at the University of Warwick. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the copyright holders.
Verification of Flowchart Programs
The University of Iowa, 22c:296 Automated Software Verification
History
Verification of flowchart programs: Floyd, 1967
Hoare's logic: Hoare, 1969
Linear Temporal Logic: Pnueli, Krueger, 1977
Model Checking: Clarke & Emerson, 1981
Program Verification
Predicate (first order) logic
Partial correctness, total correctness
Flowchart programs
Invariants, annotated programs
Well-founded ordering (for termination)
Hoare's logic
Signature
Variables: v1, x, y18. Each variable represents a value of some given domain (int, real, string, ...).
Function symbols: f(_,_), g2(_), h(_,_,_). Each function symbol has an arity (number of parameters), a domain for each parameter, and a range.
f: int*int -> int (e.g., addition), g: real -> real (e.g., square root)
A constant is a function symbol with arity 0.
Relation symbols: R(_,_), Q(_). Each relation symbol has an arity and a domain for each parameter.
R: real*real (e.g., greater than). Q: int (e.g., is a prime).
Terms
Terms are objects that have values. Each variable is a term. Applying a function symbol of arity n to n terms results in a new term.
Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0))
More familiar notation: sqr(v1+5.0)
Formulas
Applying a relation symbol (predicate) to terms results in an atomic formula.
R(v1,5.0), Q(x). More familiar notation: v1>5.0
One can combine formulas with the boolean operators (and, or, not, implies).
R(v1,5.0) -> Q(x); x>1 -> x*x>x
One can apply existential and universal quantification to formulas.
∀x Q(x); ∃x1 R(x1,5.0); ∀x ∃y R(x,y)
Models, Proofs
A model gives a meaning (semantics) to a first order formula: a relation for each relation symbol, a function for each function symbol, and a value for each variable.
An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model.
Example proof rule, modus ponens (MP): from φ and φ -> ψ, infer ψ.
Flowchart programs
Input variables: X = x1,x2,...,xl
Program variables: Y = y1,y2,...,ym
Output variables: Z = z1,z2,...,zn
[Figure: a generic flowchart scheme, start -> Y=f(X) -> Z=h(X,Y) -> halt, and the running example, an integer-division flowchart: start -> (y1,y2)=(0,x1) -> test y2>=x2; on T: (y1,y2)=(y1+1,y2-x2), back to the test; on F: (z1,z2)=(y1,y2) -> halt.]
Initial condition
Initial condition: the values for the input variables for which the program must work.
x1>=0 /\ x2>0
The input-output claim
The relation between the values of the input and the output variables at termination.
x1=z1*x2+z2 /\ 0<=z2<x2
Partial correctness, Termination, Total correctness
Partial correctness: if the initial condition holds and the program terminates then the input-output claim holds.
Termination: if the initial condition holds, the program terminates.
Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.
Subtle point:
The program is partially correct with respect to x1>=0 /\ x2>=0 and totally correct with respect to x1>=0 /\ x2>0.
(With x2=0 the test y2>=x2 is always true, so the program never leaves the loop; the input-output claim is still never violated, which is why partial correctness holds.)
Annotating a scheme
Assign an assertion to each edge (pair of adjacent nodes). The assertion expresses the relation between the variables when the program counter is located between these nodes.
[Figure: the division flowchart with cut points A to E on its edges: A between start and (y1,y2)=(0,x1); B between that assignment and the test y2>=x2 (the loop body returns to B); C on the T branch, before (y1,y2)=(y1+1,y2-x2); D on the F branch, before (z1,z2)=(y1,y2); E between that assignment and halt.]
Annotating a scheme with invariants
φ(A): x1>=0 /\ x2>=0
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
Notice: φ(A) is the initial condition, φ(E) is the input-output claim.
Verification conditions: assignment
For an assignment Y=g(X,Y) on the edge from A to B, the verification condition is
φ(A) -> φ(B)[g(X,Y)/Y]
(substitute the assigned expressions for the assigned variables in φ(B)).
φ(A): x1>=0 /\ x2>=0
φ(B): x1=y1*x2+y2 /\ y2>=0
For the first assignment (y1,y2)=(0,x1):
φ(B)[g(X,Y)/Y] = x1=0*x2+x1 /\ x1>=0
Second assignment
Assignment (y1,y2)=(y1+1,y2-x2) on the edge from C to B.
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(B)[g(X,Y)/Y]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
Third assignment
Assignment (z1,z2)=(y1,y2) on the edge from D to E.
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
φ(E)[g(X,Y)/Z]: x1=y1*x2+y2 /\ 0<=y2<x2
Verification conditions: tests
For a test t(X,Y) at point B whose T branch leads to C and whose F branch leads to D, the verification conditions are
φ(B) /\ t(X,Y) -> φ(C)
φ(B) /\ ¬t(X,Y) -> φ(D)
For the test y2>=x2:
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
Exercise: prove partial correctness
Initial condition: x>=0
Input-output claim: z=x!
[Figure: factorial flowchart: start -> (y1,y2)=(0,1) -> test y1=x; on T: z=y2 -> halt; on F: (y1,y2)=(y1+1,(y1+1)*y2), back to the test.]
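A solution to the exercise, added here as a worked example (it is not part of the original notes). Cut points are placed as in the division example: A after start, B between the initialization and the test y1=x (the loop returns to B), C on the T branch before z=y2, D on the F branch before the loop assignment, E before halt. The loop invariant at B is the choice made for this solution:

$$
\begin{aligned}
\varphi(A) &: x \ge 0 \\
\varphi(B) &: y_2 = y_1! \;\wedge\; 0 \le y_1 \le x \\
\varphi(C) &: y_2 = y_1! \;\wedge\; y_1 = x \\
\varphi(D) &: y_2 = y_1! \;\wedge\; 0 \le y_1 < x \\
\varphi(E) &: z = x!
\end{aligned}
$$

The verification conditions, one per edge:

$$
\begin{aligned}
\text{A to B, assignment } (y_1,y_2)=(0,1):\quad & x \ge 0 \;\rightarrow\; 1 = 0! \wedge 0 \le 0 \le x \\
\text{test, T side:}\quad & \varphi(B) \wedge y_1 = x \;\rightarrow\; \varphi(C) \\
\text{test, F side:}\quad & \varphi(B) \wedge y_1 \ne x \;\rightarrow\; \varphi(D) \\
\text{D to B, assignment } (y_1,y_2)=(y_1+1,(y_1+1)y_2):\quad & \varphi(D) \;\rightarrow\; (y_1+1)\,y_2 = (y_1+1)! \wedge 0 \le y_1+1 \le x \\
\text{C to E, assignment } z=y_2:\quad & \varphi(C) \;\rightarrow\; y_2 = x!
\end{aligned}
$$

Each condition holds: the first because 0!=1; the F side because y1<=x and y1≠x give y1<x over the integers; the D-to-B condition because (y1+1)*y1! = (y1+1)! and y1<x gives y1+1<=x; the last by substituting y1=x into y2=y1!. By the induction on executed statements described in the notes, φ(E) holds whenever the program halts, which is partial correctness. Termination is a separate argument and is not asked for in the exercise.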
Another way to understand assignment conditions
Use two versions of each variable: before the assignment and after. E.g., y1 and y1', respectively.
Example: assignment y1=2, followed by the postcondition y1=x1.
Postcondition: y1'=x1
Assignment: y1'=2
Precondition: 2=x1
Assignment condition
Example: assignment y1=y1+5, followed by the postcondition y1=10.
Postcondition: y1'=10
Assignment: y1'=y1+5
Precondition: y1+5=10, i.e., y1=5
Verification conditions: assignment
Postcondition φ(B), in primed variables: x1=y1'*x2+y2' /\ y2'>=0
Assignment (y1,y2)=(0,x1): y1'=0 /\ y2'=x1
Derived precondition φ(B)[g(X,Y)/Y]: x1=0*x2+x1 /\ x1>=0 (or simply x1>=0)
The verification condition is φ(A) -> x1>=0, with φ(A): x1>=0 /\ x2>=0.
Second assignment
Postcondition φ(B), in primed variables: x1=y1'*x2+y2' /\ y2'>=0
Assignment (y1,y2)=(y1+1,y2-x2): y1'=y1+1 /\ y2'=y2-x2
Derived precondition φ(B)[g(X,Y)/Y]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
The verification condition is φ(C) -> φ(B)[g(X,Y)/Y].
What have we achieved?
For each statement S that appears between points X and Y we showed that if control is at X when φ(X) holds and S is executed, then φ(Y) holds.
Initially, we know that φ(A) holds. These two facts combine into an induction on the number of statements executed: if after n steps we are at point X, then φ(X) holds.
Another example
φ(A): x>=0
φ(F): z^2<=x<(z+1)^2
z is the largest natural number that is not greater than sqrt x.
[Figure: integer square root flowchart with cut points A to F: start -> A -> (y1,y2,y3)=(0,0,1) -> B -> y2=y2+y3 -> C -> test y2>x; on true: E -> z=y1 -> F -> halt; on false: D -> (y1,y3)=(y1+1,y3+2), back to B.]
Some insight
1+3+5+...+(2n+1)=(n+1)^2
y2 accumulates the above sum, until it is larger than x.
y3 ranges over the odd numbers 1,3,5,...
At C, y2 = 1+3+...+(2*y1+1) = (y1+1)^2, so y1 plays the role of n.
Invariants
It is sufficient to supply one invariant for every loop (cycle in the program's graph); the other assertions can be derived from it.
We will have φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
Obtaining φ(B)
By backwards substitution in φ(C) through the assignment y2=y2+y3.
φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
Check assignment condition
φ(A) = x>=0
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
φ(B) relativized through (y1,y2,y3)=(0,0,1) is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1
Simplified: x>=0, which is exactly φ(A).
Obtaining φ(D)
By backwards substitution in φ(B) through the assignment (y1,y3)=(y1+1,y3+2).
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
φ(D) = (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
Checking
φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
Test condition, false side: φ(C) /\ y2<=x -> φ(D)
φ(D) = (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
Written out:
y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\ y2<=x
->
(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
Each conjunct on the right follows from the left: (y1+1)^2=y2<=x; y2+y3+2=(y1+1)^2+2*y1+3=(y1+2)^2; y3+2=2*y1+3=2*(y1+1)+1.
Not finished!
Still needs to:
Calculate φ(E) by substituting backwards from φ(F).
Check that φ(C) /\ y2>x -> φ(E).
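The two remaining steps, carried out here as an added worked example (not part of the original notes), using the assertions the notes already fixed for this program:

$$
\varphi(E) \;=\; \varphi(F)[y_1/z] \;=\; y_1^2 \le x < (y_1+1)^2
$$

$$
\varphi(C) \wedge y_2 > x \;\rightarrow\; \varphi(E):\qquad
y_1^2 \le x \;\wedge\; y_2 = (y_1+1)^2 \;\wedge\; y_3 = 2y_1+1 \;\wedge\; y_2 > x
\;\rightarrow\; y_1^2 \le x < (y_1+1)^2
$$

The first conjunct of the conclusion is taken directly from φ(C); the second follows because (y1+1)^2 = y2 > x. The assignment condition for the edge from E to F, φ(E) -> φ(F)[y1/z], is then an identity, and all verification conditions of the integer square root program have been discharged, which proves its partial correctness.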
Well-founded sets
Partially ordered set (W,>): if a>b and b>c then a>c (transitivity); if a>b then not b>a (asymmetry); not a>a (irreflexivity).
Well-founded set (W,>): partially ordered, with no infinite decreasing chain a1>a2>a3>...
Examples of well-founded sets:
Natural numbers with the greater-than (>) relation.
Finite sets with the strict set inclusion (⊃) relation.
Strings with the proper superstring relation.
Tuples of elements of well-founded sets with the lexicographic ordering:
(a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2].
(a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].
Why this program terminates
y2 starts as x1. Each time the loop is executed, y2 is decremented (by x2, which is positive).
y2 stays a natural number. The loop cannot be entered again when y2<x2.
Proving termination
Choose a well-founded set (W,>). Attach a function u(N) to each point N.
Annotate the flowchart with invariants, and prove their consistency (verification) conditions.
Prove that φ(N) -> (u(N) in W).
How not to stay in a loop?
For every edge from M to N, show that u(M)>=u(N), comparing u(N) after the step with u(M) before it.
At least once in each loop, show that u(M)>u(N).
As verification conditions:
For an assignment from M to N: φ(M) -> (u(M)>=u(rel(N))), where u(rel(N)) is u(N) with the assigned expressions substituted for the assigned variables.
For a test at M, true side leading to N: (φ(M) /\ test) -> (u(M)>=u(N))
For a test at M, false side leading to L: (φ(M) /\ ¬test) -> (u(M)>=u(L))
What did we achieve?
There are finitely many control points. The value of the function u cannot increase. If we return to the same control point, the value of u must have decreased (it's a loop!).
Since W is well-founded, the value of u can decrease only a finite number of times, so only finitely many steps are possible.
Why this program terminates
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
W: the natural numbers; >: greater than
Recall partial correctness annotation
φ(A): x1>=0 /\ x2>=0
φ(B): x1=y1*x2+y2 /\ y2>=0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
Strengthen for termination
φ(A): x1>=0 /\ x2>0
φ(B): x1=y1*x2+y2 /\ y2>=0 /\ x2>0
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
φ(D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2 /\ x2>0
φ(E): x1=z1*x2+z2 /\ 0<=z2<x2
This proves that u(M) is a natural number at each point M.
We shall show:
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
u(A)>=u(B), u(B)>=u(C), u(C)>u(B), u(B)>=u(D), u(D)>=u(E)
(each comparison is taken across the corresponding edge, with u of the target point relativized through the assignment on that edge)
Proving decrement
φ(C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
u(C)=y2, u(B)=y2, u(rel(B))=y2-x2
φ(C) -> y2>y2-x2 (notice that φ(C) -> x2>0)
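A bounded, executable check of the whole annotation of the division program, covering both the inductive argument of "What have we achieved?" and the ranking-function conditions of "How not to stay in a loop?". This is an added example, not code from the notes: it encodes the flowchart with its cut points A to E, the assertions φ(N) and the functions u(N) exactly as the notes give them, runs the program on every input in a small box, and on every edge M -> N checks φ(N) after the step, u(M)>=u(N), and strict decrease on the loop's back edge C -> B. The `strengthened` switch, the `Edge`/`Flowchart` classes and the step bound are this example's own constructions. Running it only visits reachable states, so it can refute a proposed annotation (here, with x2=0, it reports that u fails to decrease) but never replaces the proof of the verification conditions.

```python
"""Bounded check of a Floyd-style annotation: assertions at every cut point
plus a ranking function u into the naturals.  Constructed example for the
integer-division flowchart of these notes; testing, not a proof."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

State = Dict[str, int]


@dataclass
class Edge:
    src: str                           # cut point before the statement
    dst: str                           # cut point after the statement
    guard: Callable[[State], bool]     # test outcome selecting this edge
    update: Callable[[State], State]   # assignment (identity for a test)
    must_decrease: bool = False        # back edge of a loop: u must drop


@dataclass
class Flowchart:
    start: str
    halt: str
    edges: List[Edge]
    assertions: Dict[str, Callable[[State], bool]]  # phi(N)
    ranking: Dict[str, Callable[[State], int]]      # u(N)


def run(prog: Flowchart, inputs: State,
        max_steps: int = 10_000) -> Tuple[bool, State, Optional[str]]:
    """Execute from prog.start, stopping at the first annotation violation.
    Returns (terminated, final_state, violation); violation is None when
    every visited cut point satisfied phi and u never misbehaved."""
    s, pc = dict(inputs), prog.start
    if not prog.assertions[pc](s):
        return False, s, f"initial condition phi({pc}) fails: {s}"
    for _ in range(max_steps):
        if pc == prog.halt:
            return True, s, None
        chosen = [e for e in prog.edges if e.src == pc and e.guard(s)]
        if len(chosen) != 1:
            return False, s, f"flowchart is not deterministic at {pc}"
        e = chosen[0]
        u0 = prog.ranking[pc](s)            # u(M) before the step
        t = e.update(dict(s))
        u1 = prog.ranking[e.dst](t)         # u(N) after the step = u(rel(N))
        if not prog.assertions[e.dst](t):
            return False, t, f"phi({e.dst}) fails after {pc}->{e.dst}: {t}"
        if min(u0, u1) < 0:
            return False, t, f"u is not a natural number on {pc}->{e.dst}"
        if u1 > u0 or (e.must_decrease and u1 >= u0):
            return False, t, f"u does not decrease on {pc}->{e.dst}: {u0}->{u1}"
        s, pc = t, e.dst
    return False, s, "step bound exhausted: the program may not terminate"


def division_program(strengthened: bool = True) -> Flowchart:
    """The division flowchart with cut points A..E and the notes' assertions.
    strengthened=True adds x2>0, as the notes do for the termination proof;
    strengthened=False is the partial-correctness annotation (x2>=0)."""
    def extra(s: State) -> bool:
        return s["x2"] > 0 if strengthened else True

    def inv(s: State) -> bool:                # phi(B)
        return s["x1"] == s["y1"] * s["x2"] + s["y2"] and s["y2"] >= 0 and extra(s)

    assertions = {
        "A": lambda s: s["x1"] >= 0 and s["x2"] >= 0 and extra(s),
        "B": inv,
        "C": lambda s: inv(s) and s["y2"] >= s["x2"],
        "D": lambda s: inv(s) and s["y2"] < s["x2"],
        "E": lambda s: s["x1"] == s["z1"] * s["x2"] + s["z2"]
                       and 0 <= s["z2"] < s["x2"],
    }
    ranking = {"A": lambda s: s["x1"], "B": lambda s: s["y2"],
               "C": lambda s: s["y2"], "D": lambda s: s["y2"],
               "E": lambda s: s["z2"]}
    edges = [
        Edge("A", "B", lambda s: True, lambda s: {**s, "y1": 0, "y2": s["x1"]}),
        Edge("B", "C", lambda s: s["y2"] >= s["x2"], lambda s: s),
        Edge("B", "D", lambda s: s["y2"] < s["x2"], lambda s: s),
        Edge("C", "B", lambda s: True,
             lambda s: {**s, "y1": s["y1"] + 1, "y2": s["y2"] - s["x2"]},
             must_decrease=True),
        Edge("D", "E", lambda s: True,
             lambda s: {**s, "z1": s["y1"], "z2": s["y2"]}),
    ]
    return Flowchart("A", "E", edges, assertions, ranking)


def check_box(prog: Flowchart, x1s: Iterable[int], x2s: Iterable[int]) -> List[str]:
    """Run prog on every (x1, x2) in the box and collect the violations."""
    found = []
    for x1 in x1s:
        for x2 in x2s:
            _, _, bad = run(prog, {"x1": x1, "x2": x2})
            if bad is not None:
                found.append(f"x1={x1}, x2={x2}: {bad}")
    return found


if __name__ == "__main__":
    print(check_box(division_program(True), range(0, 25), range(1, 8)))  # []
    print(run(division_program(False), {"x1": 7, "x2": 0}))  # u does not decrease
```

With the strengthened annotation every input with x2>0 passes, and x2=0 is rejected at A by the initial condition. With the partial-correctness annotation (x2>=0), x2=0 satisfies every φ(N) along the way, and what the checker reports is the failed decrement u(C)>u(rel(B)) on the back edge, which is exactly the "subtle point" from earlier: partially correct, but not terminating. A checker like this is useful for finding a wrong candidate invariant quickly before spending effort on the verification conditions; because it sees only reachable states, an annotation that passes it may still fail the proof.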
Integer square root program
φ(C) = y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
φ(B) = y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1