12.1.2012
Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2 (H. Schlingloff, Software Verification I)
Termination proof rule
• Let (M,<) be a well-founded order and (z) be a formula involving z ∈ M
• if ⊢ (z₀) for some z₀ ∈ M and
  ⊢ (z)b (z’) ¬b for some z’<z, then ⊢ while (b) ¬b
  (z) is called the variant of the loop
  (special case: (z) = (z=t(x)); here t(x) is called the variant)
Slide 3
Termination - a more intricate example
= { b=1;
    while (a<=100 | b!=1)
        if (a<=100) { a+=11; b++; } else { a-=10; b--; }
    a-=10; }
Show: ⊢ 0<a<=100 a==91
Slide 4
• We do the termination part only.
• Hint for the invariant: (0<b<=11 & 0<a<=111 & (a<=101 | b!=1))
• wfo: ℕ₀; Variant: (z) = (z==1111+111·b-11·a-1);
  if 0<a<=100 & b==1, we have z ∈ ℕ₀
• Assume within the while-loop (z) & (a<=100 | b!=1)
  Case a<=100: {a+=11; b++;} gives z-10 == 1111+111·(b+1)-11·(a+11)-1
  Case a>100: {a-=10; b--;} gives z-1 == 1111+111·(b-1)-11·(a-10)-1
• Thus, in both cases there exists z’<z such that (z’) holds
Slide 5
Finding Variants is Hard
• Try this one:
Mersenne = {n=0; k=0; while (k<48) {n++; if (isprim((2**n)-1)) k++;}}
• ... and apply for the Fields Medal if successful
Slide 6
Proof of Termination Proof Rule
• if ⊢ (z) for some z ∈ M and
  ⊢ (z) (z’) ¬b for some z’<z
  then program while (b) terminates
• Assume not. Then there is an infinite execution ; ; ; ...
  such that b holds before and after each
  Then there is an infinite descending chain z₀, z₁, z₂, ... such that z₀=z and zᵢ₊₁<zᵢ
  Thus, M is not a wfo.
Slide 7
Binary Search Program
: i=0; k=n;
  while (i<k) {
      s=i+(k-i-1)/2; // integer division
      if (a>x[s]) i=s+1 else k=s
  }
Show
n>=0 i(0<i<n (x[i-1]<x[i])
0<=i<=n j(0<=j<i x[j]<a j(i<=j<n x[j]>=a
Slide 8
• Variant (z)?
• while (i<k) ... suggests (z) = (z=k-i)
  ⊢ (z)b (z’) ¬b for some z’<z
  What is a well-founded order for z? Can we guarantee that z ∈ ℕ₀?
• Example (assume k>0, j>0):
  {i=k; while (i!=0) i-=j} terminates iff k%j==0
  Assume k%j==0; wfo: (z) = (z=i/j); z ∈ ℕ₀
  {i=k; while (i>=0) i-=j} terminates always. Proof?
Slide 9
Transforming Variants
We have to show: ⊢ (z) (z’) ¬b
Most important case: ⊢ z=t(x) x=f(x) z’=t(x) ¬b
Let z’=t(f(t⁻¹(z)))
⊢ z=t(x) t⁻¹(z)=x since t⁻¹(t(x))=x
⊢ t⁻¹(z)=x t(f(t⁻¹(z)))=t(f(x))
⊢ t(f(t⁻¹(z)))=t(f(x)) x=f(x) t(f(t⁻¹(z)))=t(x) (ass)
Therefore, ⊢ z=t(x) x=f(x) t(f(t⁻¹(z)))=t(x)
• Ex.: ⊢ z=i+k i=i-j z’=i+k for z’=z-j
Slide 10
Proof for Binary Search Termination
• Solution for binary search: z=(k-i) ∈ ℕ₀? Show 0<=i<=k<=n is invariant (omitted)
  Let (z) = (k-i=z)
  k-i=z i=i+(k-i-1)/2+1 k-i=z’ for z’ = z-(z-1)/2-1 < z
  Proof: let t(i) = k-i, so t(z) = k-z and t⁻¹(z) = k-z; f(i) = i+(k-i-1)/2+1;
  t(f(t⁻¹(z))) = k-((k-z)+(k-(k-z)-1)/2+1) = z-(z-1)/2-1
  k-i=z k=i+(k-i-1)/2 k-i=z’ for z’ = i+((z+i)-i-1)/2-i = (z-1)/2 < z
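The termination arguments of slides 4, 8 and 10 as executable checks, an added example that is not from the slides: each loop is instrumented so that the variant is asserted to lie in ℕ₀ and to strictly decrease on every iteration, which turns a wrong variant or invariant into an immediate assertion failure on a concrete run (a test, not a proof). The function names and the `check_step` helper are my own; the loop bodies, invariants and variants are the ones on the slides.

```python
# Added example (not from the slides): checking a loop variant at run time.
# A variant proves termination if it lies in N0 on loop entry and strictly
# decreases every iteration; this tests that on concrete runs (not a proof).

def check_step(z_old, z_new):
    """Well-foundedness step: z' must stay in N0 and satisfy z' < z."""
    assert 0 <= z_new < z_old, f"variant did not decrease in N0: {z_old} -> {z_new}"
    return z_new

def mccarthy(a, b=1):
    """Loop of slide 3, instrumented with invariant and variant of slide 4."""
    t = lambda a, b: 1111 + 111 * b - 11 * a - 1   # variant z = t(a, b)
    z = t(a, b)
    assert z >= 0, "variant not in N0 at loop entry"
    while a <= 100 or b != 1:
        assert 0 < b <= 11 and 0 < a <= 111 and (a <= 101 or b != 1)
        if a <= 100:
            a += 11; b += 1            # new variant is z - 10
        else:
            a -= 10; b -= 1            # new variant is z - 1
        z = check_step(z, t(a, b))
    return a - 10

def binary_search(x, a):
    """Program of slide 7 with variant z = k - i (slide 10).
    Returns the first index i with x[i] >= a, or len(x) if there is none."""
    i, k = 0, len(x)
    z = k - i
    while i < k:
        assert 0 <= i <= k <= len(x)   # invariant from slide 10
        s = i + (k - i - 1) // 2       # integer division; k-i-1 >= 0 here
        if a > x[s]:
            i = s + 1                  # new variant is z - (z-1)//2 - 1
        else:
            k = s                      # new variant is (z-1)//2
        z = check_step(z, k - i)
    return i

def countdown(k, j):
    """Slide 8: {i=k; while (i!=0) i-=j} with candidate variant z = i/j.
    Returns True iff the loop ended; for k%j != 0 the check fires instead."""
    i, z = k, k // j
    try:
        while i != 0:
            i -= j
            z = check_step(z, i // j)  # Python floors: negative i gives z < 0
    except AssertionError:
        return False
    return True
```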
Slide 11
Pre- and Postconditions
• Dijkstra: wp-calculus (weakest precondition) characterizes the “weakest” formula which makes a Hoare-triple valid
  =wp(.) iff ⊢ and ⊢(') for every ’ for which ⊢’
  =wlp(.) iff ⊢{}{} and ⊢(') for every ’ for which ⊢{’} {}
• Example: wp(x++, x==7) = (x==6)
• Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic