Visions of Verification
Bruce W. Weide, et al.
Computer Science and Engineering
The Ohio State University
http://www.cse.ohio-state.edu/rsrg
(PowerPoint presentation transcript)
Outline

1. Design-by-Contract
2. Testing vs. Verification
3. Steps Toward Verification
4. Conclusions
1. Design-by-Contract

[Figure: a layered diagram of components linked by alternating "uses" and "implements" edges, with the modular reasoning boundary drawn around one layer]
A Contract

- Mathematical models for values of all types of variables ("objects")
- Preconditions and postconditions for all exported operations ("methods")
Example Contract

contract List_Template (type Item)
  type List is modeled by
    (left: string of Item, right: string of Item)
  exemplar p
  initialization ensures p = (< >, < >)
  // operations
end List_Template
Example Operation

operation Remove (updates p: List, replaces x: Item)
  requires |p.right| > 0
  ensures #p = (p.left, <x> * p.right)
List_Template Operations

Insert (updates p: List, alters x: Item)
Remove (updates p: List, replaces x: Item)
Advance (updates p: List)
Move_To_Start (updates p: List)
Move_To_Finish (updates p: List)
Left_Length (restores p: List): Integer
Right_Length (restores p: List): Integer
A Contract Realization

- Representation data structures for all types it implements
- Code for algorithms for all operations it implements
- Loop invariants, representation invariants, abstraction relations as needed
A Contract Enhancement

enhancement Reversal_Capability for List_Template
  operation Reverse (updates p: List)
    requires |p.left| = 0
    ensures p = (reverse (#p.right), < >)
end Reversal_Capability
An Enhancement Realization

realization Dubious for Reversal_Capability
  procedure Reverse (updates p: List)
    decreasing |p.right|
    if Right_Length (p) > 0 then
      variable x: Item
      Remove (p, x)
      Reverse (p)
      Insert (p, x)
    end if
  end Reverse
end Dubious
2. Testing vs. Verification

[Figure: the modular reasoning boundary drawn around Dubious, which implements Reversal_Capability and uses List_Template; Reversal_Capability in turn uses List_Template. Caption: "Is this claim valid?"]
Testing

Objective: to show code is incorrect
Approach:
- Select a small finite number of test cases
- Run code on test cases
- Compare behavior to that specified by contract
Possible outcomes:
- "Code is incorrect"
- "Code may be correct for test cases" ("Darn!")
Verification

Objective: to show code is correct
Approach:
- Generate verification conditions
- Mathematically prove verification conditions
Possible outcomes:
- "Code is correct in all cases"
- "Code is incorrect (and here is the bug!)"
- "Sorry, can't tell because of incompleteness" ("Darn!")
Automatically? Hoare's "verifying compiler"
[Figure: the Verifying Compiler as a pipeline. A Verification Condition Generator feeds an Automated Theorem Prover, whose two outputs are "is correct" and "is incorrect (here!)"]
3. Steps Toward Verification

[Table: Testing, Verification and DEET compared on the criteria below; the individual ratings did not survive transcription]
- Can show code correct
- Can show code incorrect
- Can find substitution bugs
- Can pinpoint bugs
- Modular
- Automated
- Practical
What is DEET?

- N,N-diethyl-m-toluamide. NEJM 2002: "DEET is best bug repellant"
- Detecting Errors Efficiently without Testing: approaching all advantages of verification (except showing that code is correct) by trying to show that code is incorrect
Step 1: Generate VCs

Between each pair of statements in code:
- What path condition can get us here? (P)
- What can we assume here? (A)
- What do we need to confirm here? (C)
Annotated Dubious.Reverse: path condition (P), assumptions (A) and confirmations (C) at each state. p_i and x_i denote the values of p and x in state i.

    -- state 0
    if Right_Length (p) > 0 then
      variable x: Item
      -- state 1
      Remove (p, x)
      -- state 2
      Reverse (p)
      -- state 3
      Insert (p, x)
      -- state 4
    end if
    -- state 5

State  P                 A                                                   C
0      true              |p0.left| = 0                                       true
1      |p0.right| > 0    INIT(x1) and p1 = p0                                |p1.right| > 0
2      |p0.right| > 0    p2.left = p1.left and p1.right = <x2> * p2.right    |p2.left| = 0 and |p2.right| < |p0.right|
3      |p0.right| > 0    x3 = x2 and p3 = (reverse(p2.right), < >)           true
4      |p0.right| > 0    p4 = (p3.left, <x3> * p3.right)                     true
5      true              if |p0.right| > 0 then p5 = p4 else p5 = p0         p5 = (reverse(p0.right), < >)

A_0 is the requires clause of Reverse; A_2, A_3 and A_4 are the ensures clauses of Remove, the recursive Reverse and Insert. C_1 is the requires clause of Remove; C_2 is the requires clause of Reverse together with the decreasing clause for the recursive call; C_5 is the ensures clause of Reverse.
Constructing the VCs

Sound and relatively complete proof system [Krone 88, Heym 95] combines P, A, and C assertions into verification conditions, each of which must be proved.

For each i, VC_i must be true for all values of the variables:

$$ VC_i \;=\; \Big( \bigwedge_{0 \le j \le i} (P_j \Rightarrow A_j) \Big) \Rightarrow (P_i \Rightarrow C_i) $$

All of mathematics, plus all assumptions through state i, may be used to confirm what is needed in state i.
Step 2: Generate Error Hypotheses

Negation of VC_i is error hypothesis EH_i:

$$ EH_i \;=\; P_i \;\wedge\; \Big( \bigwedge_{0 \le j \le i} (P_j \Rightarrow A_j) \Big) \;\wedge\; \neg C_i $$

If there exists a satisfying assignment of values to the variables of EH_i, then VC_i cannot be true for all values of the variables.

Such an assignment is a witness to the incorrectness of the code.
Finding a Witness

Problem: proving an EH with an automated theorem prover is really no easier than proving a VC...
Step 3: Restrict Scope of Variables

"Small scope hypothesis" [Jackson 00] says that many program errors are revealed by "small" witnesses

[Figure: the original (infinite) state space, with the restricted (small, finite) state space drawn inside it]
A New Version of the Problem

- Restrict Item variables to a single value
- Restrict string of Item variables to two values: empty string, or length one
- Result of finiteness: EH can be rewritten as a propositional formula for which a satisfying assignment is a witness to incorrect code
Sample Clauses

|p2.left| = 0 becomes:
  len_p2_left_equals_zero

Also needed (among many other facts from mathematics):
  len_p2_left_equals_zero ⇔ p2_left_equals_empty
Another Sample

p1 = p0 becomes a disjunction over the in-scope values of the pair:
  ((p1_left_equals_empty ∧ p0_left_equals_empty) ∧ (p1_right_equals_empty ∧ p0_right_equals_empty))
  ∨ ((p1_left_equals_s1 ∧ p0_left_equals_s1) ∧ (p1_right_equals_s1 ∧ p0_right_equals_s1))
  ∨ ...
Step 4: Search for Witnesses

- SAT solver used [Küchlin, et al. 01] directly handles non-CNF formulas
- Solver shows EH for example given here to be (uniquely) satisfiable
- Computation time: less than a second
- Witness explicitly describes value of each variable at each state in the program, making it easy to debug incorrect code
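Steps 1 to 4 carried out end to end on Dubious.Reverse, as an added example that is not the authors' tool: the P, A and C assertions of the annotated listing are transcribed into Python predicates over the state variables p0..p5 and x1..x3, and each error hypothesis EH_i is checked by enumerating every assignment in the restricted scope (one Item value, strings of length 0 or 1) instead of encoding it propositionally and calling a SAT solver. With that scope there are only 4^6 assignments of the list variables, so exhaustive search is cheap and yields the same witnesses a solver would. A_3 uses reverse(p2.right), as the ensures clause of Reverse prescribes.

```python
# Added example: the DEET search over the small scope of the slides, done by
# exhaustive enumeration rather than a SAT solver. Not the authors' tool.
# State i (0..5) is the point between statements of Dubious.Reverse marked
# in the annotated listing; p_i and x_i are the values of p and x there.
from itertools import product
from typing import Dict, List

A_ITEM = "a"                       # the single Item value of the small scope
STRINGS = [(), (A_ITEM,)]          # string of Item: empty, or length one
LISTS = [(l, r) for l in STRINGS for r in STRINGS]   # every in-scope List value

State = Dict[str, object]          # {"p0": (left, right), ..., "x3": item}


def rev(s):
    return tuple(reversed(s))


def P(i: int, v: State) -> bool:
    """Path condition: states 1..4 lie inside the if-branch."""
    return True if i in (0, 5) else len(v["p0"][1]) > 0


def A(i: int, v: State) -> bool:
    """What may be assumed in state i (contracts of the operations called)."""
    p0, p1, p2, p3, p4, p5 = (v[f"p{k}"] for k in range(6))
    x2, x3 = v["x2"], v["x3"]
    return [
        len(p0[0]) == 0,                                 # requires of Reverse
        p1 == p0,                                        # INIT(x1) and p1 = p0
        p2[0] == p1[0] and p1[1] == (x2,) + p2[1],       # ensures of Remove
        x3 == x2 and p3 == (rev(p2[1]), ()),             # ensures of recursive Reverse
        p4 == (p3[0], (x3,) + p3[1]),                    # ensures of Insert
        p5 == (p4 if len(p0[1]) > 0 else p0),            # end if
    ][i]


def C(i: int, v: State) -> bool:
    """What must be confirmed in state i (requires of the next call, the
    decreasing clause before the recursive call, ensures of Reverse at the end)."""
    p0, p1, p2, p5 = v["p0"], v["p1"], v["p2"], v["p5"]
    return [
        True,
        len(p1[1]) > 0,                                  # requires of Remove
        len(p2[0]) == 0 and len(p2[1]) < len(p0[1]),     # requires + decreasing
        True,
        True,
        p5 == (rev(p0[1]), ()),                          # ensures of Reverse
    ][i]


def error_hypothesis(i: int, v: State) -> bool:
    """EH_i = P_i and (conjunction over j <= i of (P_j => A_j)) and not C_i."""
    return (P(i, v)
            and all((not P(j, v)) or A(j, v) for j in range(i + 1))
            and not C(i, v))


def witnesses(i: int) -> List[State]:
    """Every in-scope assignment that satisfies EH_i (Step 4, by enumeration)."""
    found = []
    for ps in product(LISTS, repeat=6):
        v: State = {f"p{k}": ps[k] for k in range(6)}
        v["x1"] = v["x2"] = v["x3"] = A_ITEM   # Item has a single value in scope
        if error_hypothesis(i, v):
            found.append(v)
    return found


def deet() -> Dict[int, List[State]]:
    """States whose error hypothesis is satisfiable, with their witnesses."""
    return {i: w for i in range(6) if (w := witnesses(i))}


if __name__ == "__main__":
    for i, ws in deet().items():
        print(f"EH_{i} is satisfiable with {len(ws)} witness(es):")
        for w in ws:
            print("  " + ", ".join(f"{k}={w[k]}" for k in sorted(w)))
```

Run as a script this reports exactly one satisfiable hypothesis, EH_5, with the single witness p0 = p1 = (< >, <a>), p2 = p3 = (< >, < >), p4 = p5 = (< >, <a>): Dubious leaves a one-element list unchanged where the contract demands (<a>, < >), which is the same defect the slide's SAT search finds. EH_1 and EH_2 come out unsatisfiable, so the calls to Remove and the recursive Reverse are correctly guarded. Enumeration grows exponentially in both the number of states and the scope size, which is why the slides hand the propositional form to a SAT solver instead.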
4. Conclusions

Many variations should be explored:
- How should quantifiers be handled?
- Should simplification be done with original EHs, or by the SAT solver?
- Can restricted scopes of variable values be incrementally enlarged without starting over?
- Can a more general computer algebra system be used in place of a SAT solver?
Conclusions

- Verifying compiler is not beyond the realm of possibility
- But theorem provers must be improved significantly to achieve it!
- Combining current verification technology with a "testing psychology" may be a viable intermediate step

Questions?
http://www.cse.ohio-state.edu/rsrg