CSE 3341.03 Winter 2008 Introduction to Program Verification
extending pre-condition calculation to loops
reasoning about actions (Sec. 9.4)
wp as a form of debugging: suppose we observe an undesirable result: what caused it?
• calculate the wp to diagnose the cause of the fault
• confirm a theory about what could have happened (see Exercise 9.10)
a quick review
if W = wp(S, Q) and {P}S{Q}, what's the relationship between W and P?
Why is wp(S, not Q) not equivalent to not wp(S, Q)?
Give a counter-example.
Ex. 9.14 if A implies B, then wp(S, A) implies wp(S, B)
proof?
is {wp(S, A)} S {B} true?
if wp(S, A) is a pre-condition for B, what does this imply about wp(S, B) ?
while-statements
define wp("while (B) do S", Q) = there exists n ≥ 0 such that Pn,
where P0 = (not B) and Q,
and Pn = B and wp(S, Pn-1).
P1 is the pre-condition for the loop body running exactly once, after which B is false.
Pn is the pre-condition for the loop body running n times and then halting.
technically correct, but not helpful:
if we haven't found Pn, do we keep looking or give up?
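The definition above, evaluated on concrete states by bounded search. This is an added example, not code from the course: states are Python dicts, the loop body S is a Python function returning the new state, so for a deterministic S we may take wp(S, R)(s) = R(S(s)); the function names, the squaring loop used as the sample, and the start state are mine. The bound passed to wp_while is the honest part of the exercise: nothing chooses it for us, which is exactly why the definition is "technically correct, but not helpful" (and why the halting problem lurks behind it).

```python
# Added example, not from the slides: wp("while (B) do S", Q) evaluated as
# "exists n >= 0 such that P_n(s)" by searching n = 0, 1, ..., bound.
# State = dict of variables; S: state -> state; B, Q, R: state -> bool.

def wp_stmt(S, R):
    """wp of a deterministic straight-line statement S for post-condition R."""
    return lambda s: R(S(s))

def P(n, B, S, Q):
    """P_0 = (not B) and Q;   P_n = B and wp(S, P_{n-1})   (slide definition)."""
    if n == 0:
        return lambda s: (not B(s)) and Q(s)
    prev = P(n - 1, B, S, Q)
    return lambda s: B(s) and wp_stmt(S, prev)(s)

def wp_while(B, S, Q, bound):
    """Return the smallest n <= bound with P_n(s) true, or None.
    None means 'no such n found within the bound', NOT 'the loop diverges':
    there is no general algorithm to pick a bound that settles the question."""
    def search(s):
        for n in range(bound + 1):
            if P(n, B, S, Q)(s):
                return n
        return None
    return search

# sample loop (mine, used as a constructed example):
#   while (i < n) { y = y+2; x = x+y; i = i+1 }   goal: x = n*n
def body(s):
    y = s["y"] + 2
    return {**s, "y": y, "x": s["x"] + y, "i": s["i"] + 1}

B = lambda s: s["i"] < s["n"]
Q = lambda s: s["x"] == s["n"] * s["n"]

if __name__ == "__main__":
    start = {"i": 0, "x": 0, "y": -1, "n": 3}     # constructed start state
    print(wp_while(B, body, Q, bound=10)(start))   # 3: P_3 holds, P_0..P_2 do not
    bad = {"i": 0, "x": 1, "y": -1, "n": 2}        # x starts wrong: goal unreachable
    print(wp_while(B, body, Q, bound=10)(bad))     # None
```

Each P_n is built as a closure over P_{n-1}, mirroring the recursive definition rather than simulating the loop; the search over n is what turns "there exists n" into something executable, and the bound is the price paid for that.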
halting problem
if the loop terminates, some Pn must be true, but there is no general algorithm for determining whether an arbitrary loop halts (cf. the halting problem for TMs).
conditional correctness
figuring out a pre-condition which holds IF the statement halts shows the loop is conditionally correct with respect to the pre- and post-conditions.
invariance theorem (or an axiom for "while (B) S")
Let W = “while (B) S”.
If (I and B) implies wp(S, I), and (I and not B) implies Q,
then (I and wp(W, true)) implies wp(W, Q),
so {I and wp(“while (B) S”, true)} while (B) S {Q}.
3 while-problems
pre(“while(B) S;”, Q) has three aspects:
• finding an invariant
• relating a pre-condition to B, S, and Q
• proving the loop halts for some input states
find an invariant
if a problem is too hard to have practical solutions, we weaken our requirements:
we accept some pre-condition, rather than insisting on the weakest (most general).
for W = “while(B) S”
pre(W, Q) = some invariant I for the loop body S, defined by
(I and B) implies wp(S, I) -- why do we want this?
(I and not B) implies Q -- why is this appropriate?
see diagram in 9.6
exercise 9.15
give a pre-condition for the do-while statement:
do S while (B);
//{Goal} ?
define {P} “do S while (B);” {Q} =
{P} “S; while(B) S;” {Q}
while example
while (i < n)
//{ x = i*i and y = 2*i - 1 }
{ y = y+2; x = x + y; i = i + 1; }
//{ x = n*n }
proof-obligation(s)?
x=i*i and y=2*i-1 may not be an invariant.
Cannot verify i*2-1=y and i*i=x and i<n implies i*i+i*2+1=y+x+2 and i*2+1=y+2
// PRE: i*2-1=y and i*i=x and not i<n implies n*n=x
searching for an invariant
find a loop-invariant for the following code segment
while (x<>0) { x := x-1; y := y+1; }
which holds as a precondition for the goal {y = 'old x' + 'old y'} if the loop terminates.
how can wp show that your invariant is a precondition for the goal, i.e., what's the specific proof-obligation?
is the computed precondition always true initially? Explain.
double loop
z = 0;
while (y != 0)
//{ x * y + z = 'old x' * 'old y' }
{ while (even(y))
  //{ x * y + z = 'old x' * 'old y' and not(y = 0) }
  { y = y div 2; x = x * 2; }
  z = z + x; y = y - 1;
}
//{ z = 'old x' * 'old y' }
x*y+z=old x*old y and not y=0 may not be an invariant (for the inner loop).
Cannot verify y*x+z=old y*old x and not y=0 and even(y) implies y div 2*x*2+z=old y*old x and not y div 2=0
[can you help wp prove any of this?]
PRE is calculated as true - what had to be proved?
x*y + z = 'old x' * 'old y' and not y = 0 implies pre(inner-loop, x*y + z = 'old x' * 'old y' and not y = 0)
so wp proved:
x*y + z = 'old x' * 'old y' and not y = 0 implies x*y + z = 'old x' * 'old y' and not y = 0
which simplifies to true.
adding a variant
a variant is like a kitchen timer:
it counts down to 0, which triggers an exit from the loop
computing x**m
//{ k = 0 and y = 1}
while(k < m)
//{invariant(y = x**k) and variant(m-k)}
{ y = y*x; k = k+1;}
//{ y = x**m }
invariant and variant proof-obligations
y=x**k may not be an invariant.
Cannot verify x**k=y and k<m implies x**(k+1)=y*x
m-k may not terminate loop.
Cannot verify x**k=y and m-k<=0 implies not k<m.
possible pre-condition?
// PRE: x**k=y and not k<m implies x**m=y
Initial condition may not be compatible with the goal.
Cannot prove y=1 and k=0 implies (x**k=y and not k<m implies x**m=y).
how to solve the 3*n + 1 problem?
p. 53: //{n > 0} while (n > 1) { if (even(n)) n = n div 2; else n = 3*n + 1; } //{ n = 1 }
an easy invariant: n > 0
check it achieves the goal if the loop halts:
n > 0 and not n > 1 implies n = 1
but no variant known
if the loop were computable by simple recursion, there would be a variant. Why?
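The proof-obligations the slides state for the squaring loop (x = n*n), the inner loop of the double loop, the x**m loop with its variant m-k, and the 3*n+1 loop, checked by brute force over a small finite domain. This is an added example, not the course's wp tool: enumeration is a test, not a proof (a counter-example refutes an obligation; finding none only says it held on the states tried), the loop bodies are executable Python so wp(S, R)(s) = R(S(s)), and the domains, the state layout (including carrying 'old x' * 'old y' as a constant P), the helper names and the strengthened invariants marked "my strengthening" are mine. Two things the enumeration shows that the "Cannot verify" messages do not: the squaring invariant x = i*i and y = 2*i-1 really is preserved (the obligation the tool rejected is (i+1)*(i+1) = i*i + 2*i + 1 in disguise), while the exit obligation fails unless i <= n is added to it; and for x**m the exit obligation fails for the same reason (k can overshoot m, and m < 0 also breaks the initial condition), although both variant obligations hold as stated.

```python
# Added example, not from the slides: the invariance-theorem obligations
# (I and B implies wp(S, I);  I and not B implies Q) and the two variant
# obligations, checked by brute force over a small finite domain.
from itertools import product

def states(**ranges):
    """All states (dicts) with each variable drawn from its range."""
    names = list(ranges)
    return [dict(zip(names, vals)) for vals in product(*ranges.values())]

def counter_example(obligation, space):
    """First state falsifying the obligation, or None if it held everywhere."""
    return next((s for s in space if not obligation(s)), None)

def loop_obligations(B, S, I, Q, space, t=None):
    """Counter-examples for 'while (B) S' with invariant I and optional variant t."""
    obl = {
        "I and B implies wp(S, I)": lambda s: not (I(s) and B(s)) or I(S(s)),
        "I and not B implies Q":    lambda s: not (I(s) and not B(s)) or Q(s),
    }
    if t is not None:  # variant: strictly decreases, and t <= 0 forces exit
        obl["I and B implies wp(S, t < old t)"] = \
            lambda s: not (I(s) and B(s)) or t(S(s)) < t(s)
        obl["I and t <= 0 implies not B"] = \
            lambda s: not (I(s) and t(s) <= 0) or not B(s)
    return {name: counter_example(f, space) for name, f in obl.items()}

# 1. squaring loop:  while (i < n) { y = y+2; x = x+y; i = i+1 }  //{ x = n*n }
def sq_S(s):
    y = s["y"] + 2
    return {**s, "y": y, "x": s["x"] + y, "i": s["i"] + 1}
sq_B = lambda s: s["i"] < s["n"]
sq_Q = lambda s: s["x"] == s["n"] * s["n"]
sq_I = lambda s: s["x"] == s["i"] * s["i"] and s["y"] == 2 * s["i"] - 1
sq_I_bounded = lambda s: sq_I(s) and s["i"] <= s["n"]   # my strengthening
SQ = states(i=range(-3, 6), n=range(-3, 6), x=range(0, 30), y=range(-8, 12))

def squaring(I=sq_I):
    return loop_obligations(sq_B, sq_S, I, sq_Q, SQ)

# 2. x**m:  while (k < m) { y = y*x; k = k+1 }   invariant y = x**k, variant m-k
pw_S = lambda s: {**s, "y": s["y"] * s["x"], "k": s["k"] + 1}
pw_B = lambda s: s["k"] < s["m"]
pw_Q = lambda s: s["y"] == s["x"] ** s["m"]
pw_I = lambda s: s["y"] == s["x"] ** s["k"]
pw_t = lambda s: s["m"] - s["k"]
PW = states(x=range(1, 4), m=range(-2, 5), k=range(0, 5), y=range(0, 82))

def power(I=pw_I):
    return loop_obligations(pw_B, pw_S, I, pw_Q, PW, t=pw_t)

def power_initial():
    """Does  y = 1 and k = 0  imply the computed PRE  (I and not B implies Q)?"""
    pre = lambda s: not (pw_I(s) and not pw_B(s)) or pw_Q(s)
    return counter_example(lambda s: not (s["y"] == 1 and s["k"] == 0) or pre(s), PW)

# 3. inner loop of the double loop:  while (even(y)) { y = y div 2; x = x*2 }
#    'old x' * 'old y' travels in the state as the constant P; the inner
#    post-condition is the outer invariant itself (slide 18)
in_S = lambda s: {**s, "y": s["y"] // 2, "x": s["x"] * 2}
in_B = lambda s: s["y"] % 2 == 0
in_I = lambda s: s["x"] * s["y"] + s["z"] == s["P"] and s["y"] != 0
IN = states(x=range(-4, 5), y=range(-8, 9), z=range(-6, 7), P=range(-20, 21))

def inner():
    return loop_obligations(in_B, in_S, in_I, in_I, IN)

# 4. the 3*n+1 loop:  while (n > 1) { if (even(n)) n = n div 2; else n = 3*n+1 }
cz_S = lambda s: {"n": s["n"] // 2 if s["n"] % 2 == 0 else 3 * s["n"] + 1}
cz_B = lambda s: s["n"] > 1
cz_I = lambda s: s["n"] > 0
cz_Q = lambda s: s["n"] == 1

def collatz():   # invariant n > 0 only; there is no variant to check
    return loop_obligations(cz_B, cz_S, cz_I, cz_Q, states(n=range(-5, 300)))

if __name__ == "__main__":
    print(squaring())              # invariant preserved; exit obligation refuted
    print(squaring(sq_I_bounded))  # all None once i <= n is added
    print(power(), power_initial())
    print(inner(), collatz())
```

The 3*n+1 case is the instructive one: both invariant obligations hold on every state tried, so the loop is conditionally correct, and nothing in this check (or in any finite enumeration) says anything about whether it halts, which is the gap a variant would close.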