12.1.2012
Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2, H. Schlingloff, Software Verification I
Termination proof rule
• Let (M,<) be a well-founded order and (z) be a formula involving zM
• if ⊢ (z_0) for some z_0M and ⊢ (z)b (z’) ¬b for some z’<z, then ⊢ while (b) ¬b
(z) is called variant of the loop
(special case: (z) = (z=t(x)), here t(x) is called the variant)
Termination - a more intricate example
={b=1; while (a<=100 | b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }
Show: ⊢ 0<a<=100 a==91
• We do the termination part only.
• Hint for the invariant: (0<b<=11 & 0<a<=111 & (a<=101 | b!=1))
• wfo: N0; Variant: (z) = (z==1111+111b-11a-1);
if 0<a<=100 & b==1, we have zN0
• Assume within the while-loop (z) & (a<=100 | b!=1))
Case a<=100: {a+=11; b++} gives z-10==1111+111(b+1)-11(a+11)-1
Case a>100: {a-=10; b--;} gives z-1==1111+111(b-1)-11(a-10)-1
• Thus, in both cases there exists z’<z such that (z’) holds
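To see the argument above at work, here is an added Python rendering of the program from slide 3 (not part of the lecture material) instrumented with the given invariant and variant: every iteration asserts that the invariant is preserved, that z stays in N0, and that z strictly decreases (by 10 in the then-branch, by 1 in the else-branch).

```python
# Added example (not from the slides): execute the loop of slide 3 and check
# the termination argument of slide 4 at runtime.

def variant(a, b):
    # Variant from slide 4: phi(z) = (z == 1111 + 111b - 11a - 1)
    return 1111 + 111 * b - 11 * a - 1


def invariant(a, b):
    # Invariant hint from slide 4
    return 0 < b <= 11 and 0 < a <= 111 and (a <= 101 or b != 1)


def run_checked(a):
    """Run the program for 0 < a <= 100.
    Returns (final a, number of loop iterations, smallest decrease of z seen)."""
    assert 0 < a <= 100                    # precondition of the Hoare triple
    b = 1
    steps, min_drop = 0, None
    z = variant(a, b)
    assert z >= 0 and invariant(a, b)      # z in N0 when 0<a<=100 & b==1
    while a <= 100 or b != 1:
        if a <= 100:
            a += 11                        # slide 4: z' = z - 10
            b += 1
        else:
            a -= 10                        # slide 4: z' = z - 1
            b -= 1
        z_new = variant(a, b)
        drop = z - z_new
        # well-founded order on N0: z' < z and z' still in N0
        assert drop > 0 and z_new >= 0 and invariant(a, b)
        min_drop = drop if min_drop is None else min(min_drop, drop)
        z, steps = z_new, steps + 1
    a -= 10
    return a, steps, min_drop
```

Since both the invariant and the strict decrease are asserted on every path, a run that completes for all 0 < a <= 100 exhibits exactly the descending chain the proof rule relies on, ending in a == 91.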
Finding Variants is Hard
• Try this one:
Mersenne = {n=0; k=0; while (k<48) {n++; if (isprim((2**n)-1)) k++}}
• ... and apply for the Fields Medal if successful
Proof of Termination Proof Rule
• if ⊢ (z) for some zM and ⊢ (z) (z’) ¬b for some z’<z, then program while (b) terminates
• Assume not. Then there is an infinite execution ; ; ; ...
such that b holds before and after each
Then there is an infinite descending chain z_0, z_1, z_2, ... such that z_0=z and z_{i+1}<z_i
Thus, M is not a wfo.
Binary Search Program
: i=0; k=n; while (i<k) { s=i+(k-i-1)/2; //integer division
if (a>x[s]) i=s+1 else k=s }
Show
n>=0 i(0<i<n (x[i-1]<x[i])
0<=i<=n j(0<=j<i x[j]<a j(i<=j<n x[j]>=a
• Variant (z)?
• while (i<k) ... suggests (z) = (z=k-i)
⊢ (z)b (z’) ¬b for some z’<z
what is a well-founded order for z? can we guarantee that zN0 ?
• Example: (assume k>0, j>0)
{i=k; while (i!=0) i-=j} terminates iff k%j==0
Assume k%j==0; wfo: (z) = (z=i/j); zN0
{i=k; while (i>=0) i-=j} terminates always. Proof?
Transforming Variants
We have to show: ⊢ (z) (z’) ¬b
Most important case: ⊢ z=t(x) x=f(x) z’=t(x) ¬b
Let z’=t(f(t^-1(z)))
⊢ z=t(x) t^-1(z)=x since t^-1(t(x))=x
⊢ t^-1(z)=x t(f(t^-1(z)))=t(f(x))
⊢ t(f(t^-1(z)))=t(f(x)) x=f(x) t(f(t^-1(z)))=t(x) (ass)
Therefore, ⊢ z=t(x) x=f(x) t(f(t^-1(z)))=t(x)
• Ex.: ⊢ z=i+k i=i-j z’=i+k for z’=z-j
Proof for Binary Search Termination
• Solution for binary search: z=(k-i)N0 ? Show 0<=i<=k<=n is invariant (omitted)
Let (z)= (k-i=z)
k-i=z i=i+(k-i-1)/2+1 k-i=z’ for z’ = (z-1)/2 - 1 < z
Proof: let t(i) = k-i, t(z) = k-z, t^-1(z)= (k-z), f(i) = i+(k-i-1)/2+1
t(f(t^-1(z))) = k-((k-z) +(k- (k-z) -1)/2+1) = (z-1)/2-1
k-i=z k=i+(k-i-1)/2 k-i=z’ for z’= i+((z+i)-i-1)/2-i=(z-1)/2 <z
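An added Python version (not from the lecture) of the binary search from slide 7, instrumented with the invariant 0<=i<=k<=n and the variant z=k-i. In each branch the next variant value is predicted with the transformation of slide 9, z'=t(f(t^-1(z))), with t and f chosen for the variable that the branch assigns, and compared against the actual k-i; the strict decrease z'<z is asserted as well. Under integer division the then-branch prediction simplifies to z//2 and the else-branch prediction to (z-1)//2.

```python
# Added example (not from the slides): slide 7's binary search with the
# invariant and variant of slide 10 checked at every iteration.

def binary_search_checked(x, a):
    """Search strictly sorted x for the first index with x[j] >= a.
    Returns (i, zs) where zs lists the variant z = k-i at each loop entry."""
    n = len(x)
    # precondition of slide 7: n>=0 and x strictly increasing
    assert n >= 0 and all(x[j - 1] < x[j] for j in range(1, n))
    i, k = 0, n
    zs = []
    while i < k:
        assert 0 <= i <= k <= n            # invariant (proof omitted on slide 10)
        z = k - i                          # phi(z) = (k-i = z), z in N0
        zs.append(z)
        s = i + (k - i - 1) // 2           # integer division, as in the slide
        if a > x[s]:
            # i is assigned: t(i) = k-i, t^-1(z) = k-z, f(i) = i+(k-i-1)//2+1
            t_inv = k - z
            f = t_inv + (k - t_inv - 1) // 2 + 1
            z_next = k - f                 # t(f(t^-1(z))); equals z//2
            i = s + 1
        else:
            # k is assigned: t(k) = k-i, t^-1(z) = z+i, f(k) = i+(k-i-1)//2
            t_inv = z + i
            f = i + (t_inv - i - 1) // 2
            z_next = f - i                 # t(f(t^-1(z))); equals (z-1)//2
            k = s
        # predicted and actual variant agree, and the variant strictly decreases
        assert k - i == z_next < z
    # postcondition of slide 7: everything left of i is < a, everything from i on is >= a
    assert all(x[j] < a for j in range(i)) and all(x[j] >= a for j in range(i, n))
    return i, zs
```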
Pre- and Postconditions
• Dijkstra: wp-calculus (weakest precondition)
characterizes the “weakest” formula which makes a Hoare triple valid
=wp(.) iff ⊢ and ⊢(') for every ’ for which ⊢’
=wlp(.) iff ⊢{}{} and ⊢(') for every ’ for which ⊢{’} {}
• Example: wp(x++, x==7) = (x==6)
• Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic