09 - program verification
TRANSCRIPT
Programverificationand testing
www.tudorgirba.com
Ariane 5 flight 501
Therac-25 accidents
Pentium FDIV bug
Testing Verification run the program with a set of inputs andcheck the output for defects
formally prove thatthe programhas no defects
Example:
max of 2 natural numbers
Example:
max of 2 natural numbers
if (x ≥ y) max := xelse max := y
Example:
max of 2 natural numbers
if (x ≥ y) max := xelse max := y
x = 2y = 3
Example:
max of 2 natural numbers
if (x ≥ y) max := xelse max := y
x = 2y = 3
max = 3
Example:
max of 2 natural numbers
Example:
max of 2 natural numbers
if (x ≥ y) max := xelse max := y
Example:
max of 2 natural numbers
if (x ≥ y) max := xelse max := y
(x ≥ 0 ∧ y ≥ 0)
Example:
max of 2 natural numbers
if (x ≥ y) max := xelse max := y
(x ≥ 0 ∧ y ≥ 0)
(max ≥ x) ∧(max ≥ y) ∧(max = x ∨ max = y)
computerinformation information
computation
{P} {Q}
S
precondition postcondition
program
{P} {Q}S
[P] [Q]S
Partial correctness
Total correctness
Skip
Abort
{Q} Skip {Q}
{P} Abort {False}
Assignment {Q[x/E]} x := E {Q}
Example
S: x := x + 1
P: (x > 1)
Example
S: x := x + 1
P: (x > 1)
Q: (x > 2)
Example
S: x := x + 2
Q: (x = y)
Example
S: x := x + 2
P: (x = y - 2)
Q: (x = y)
Sequence{P} S1;S2 {R}
{P} S1 {Q} , {Q} S2 {R}
Conditional{P} if B then S1 else S2 {Q}
{P∧B} S1 {Q} , {P∧¬B} S2 {Q}
While loop{P} while B do S end {Q}
P ⇒ I ∧ ({I∧B} S {I}) , (I ∧ ¬B ⇒ Q)
While loop{P} while B do S end {Q}
P ⇒ I ∧ ({I∧B} S {I}) , (I ∧ ¬B ⇒ Q)
I = property which stays true before and after every loop
0. initial condition: P ⇒ I;
1. iterative (inductive) condition: {I ∧ B} s {I};2. final condition: I ∧ ¬B ⇒ Q
Loop invariant I
Example:
Quotient and remainder
of dividing 2 integers
S: quo := 0; rem := x; while (y ≤ rem) do rem = rem − y; quo = quo + 1 end
P: (x ≥ 0) ∧ (y > 0)
Q: (quo ∗ y + rem = x) ∧ (0 ≤ rem < y)
Example: binary search
while (lo < hi) {
m = (lo + hi) / 2;
if (n > m)
lo = m + 1;
else
hi = m;
}
n = lo;
Example: binary search
while (lo < hi) {/*I: lo <= n ∧ n <= hi*/
m = (lo + hi) / 2;
if (n > m) /* in both cases: lo <= n ∧ n <= hi */
lo = m + 1; /* n > m => n >= m+1 => n >= lo */
else
hi = m; /* !(n < m) => n <= m => n <= hi */
} /* I stays true */
n = lo; /* lo<=n ∧ n<=hi ∧ !(lo<hi) => lo==n ∧ n==hi */
I: lo <= n ∧ n <= hi
∀ {P} S {Q} :: P ⇒ wp(S,Q)
Weakest Precondition wp(S, Q)
1. Compute wp(S, Q)
2. Prove P ⇒ wp(S, Q)
Verification of {P} S {Q}
Assignment
wp(x:=A, Q) = Qx←A
Array Assignment
wp(a[x]:=A, Q) = Qa←a′
Assignment
wp(x:=A, Q) = Qx←A
wp(x:=5,x+y=6) = 5+y = 6wp(x:=x+1,x+y=6) = x+1+y = 6
Array Assignment
wp(a[x]:=A, Q) = Qa←a′
Assignment
wp(x:=A, Q) = Qx←A
wp(x:=5,x+y=6) = 5+y = 6wp(x:=x+1,x+y=6) = x+1+y = 6
Array Assignment
wp(a[x]:=A, Q) = Qa←a′
wp(a[1]:=x+1, a[1]=a[2]) = a′[1]=a′[2] = x+1=a[2]
where a′[1] = x +1, a′[i] = a[i], ∀ i ≠ 1
Sequencing
wp(S1; S2, Q)= wp(S1, wp(S2, Q))
Sequencing
wp(S1; S2, Q)= wp(S1, wp(S2, Q))
wp(x:=x+1;y:=y+x,y>10)
Sequencing
wp(S1; S2, Q)= wp(S1, wp(S2, Q))
= wp(x:=x+1,wp(y:=y+x,y>10)) = wp(x:=x+1, y+x>10) = y+x+1>10
wp(x:=x+1;y:=y+x,y>10)
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y ⇒ wp(max:=x, Q))∧(x<y ⇒ wp(max:=y, Q) =
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y ⇒ wp(max:=x, Q))∧(x<y ⇒ wp(max:=y, Q) =
(x≥y ⇒ Qmax←x) ∧ (x<y ⇒ Qmax←y) =
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y ⇒ wp(max:=x, Q))∧(x<y ⇒ wp(max:=y, Q) =
(x≥y ⇒ Qmax←x) ∧ (x<y ⇒ Qmax←y) =
(x≥y ⇒ ((x≥x) ∧ (x≥y) ∧ (x=x ∨ x=y)) ∧
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y ⇒ wp(max:=x, Q))∧(x<y ⇒ wp(max:=y, Q) =
(x≥y ⇒ Qmax←x) ∧ (x<y ⇒ Qmax←y) =
(x≥y ⇒ ((x≥x) ∧ (x≥y) ∧ (x=x ∨ x=y)) ∧
((x<y ⇒ ((y≥x) ∧ (y≥y) ∧ (y=x ∨ y=y))
While loop
L = while (B) do S endwp(L,Q)= I ∧ ∀y, ((B ∧ I) ⇒ wp(S, I ∧ x < y))
∀y, ((¬B ∧ I) ⇒ Q)
While loop
L = while (B) do S endwp(L,Q)= I ∧ ∀y, ((B ∧ I) ⇒ wp(S, I ∧ x < y))
∀y, ((¬B ∧ I) ⇒ Q)
I = property which stays true before and after every loop
0. P ⇒ I;
1. I∧B ⇒ wp(s, I);
2. I∧¬B ⇒ Q.
Loop verification
Example:
Quotient and remainder
of dividing 2 integers
S: quo := 0; rem := x;
while (y ≤ rem) do rem = rem − y; quo = quo + 1 end
P: (x≥0) ∧ (y>0)
Q: (quo∗y+rem=x) ∧ (0≤rem<y)
Example:
Quotient and remainder
of dividing 2 integers
S: quo := 0; rem := x;
while (y ≤ rem) do rem = rem − y; quo = quo + 1 end
P: (x≥0) ∧ (y>0)
Q: (quo∗y+rem=x) ∧ (0≤rem<y)
I: (quo∗y+rem=x) ∧ (rem≥0) ∧ (y>0) ∧ (x≥0)
Example:
verification conditions
(x ≥ 0) ∧ (y > 0) ⇒ (x = x) ∧ (x ≥ 0) ∧ (x ≥ 0) ∧ (y > 0)
(x=rem+y∗quo) ∧ (x≥0) ∧ (rem≥0) ∧ (y>0) ∧ (y≤rem) ⇒ (x = (rem − y) + y ∗ (quo + 1)) ∧ x ≥ 0 ∧ rem − y ≥ 0 ∧ y > 0
(x=rem+y∗quo) ∧ (x≥0) ∧ (rem≥0) ∧ (y>0) ∧ (y>rem) ⇒ (x = rem + y ∗ quo) ∧ (0 ≤ rem < y)
P: (x≥0) ∧ (y>0)
Q: (quo∗y+rem=x) ∧ (0≤rem<y)I: (quo∗y+rem=x) ∧ (rem≥0) ∧ (y>0) ∧ (x≥0)
{P} {Q}
S
precondition postcondition
program
Tudor Gîrbawww.tudorgirba.com
creativecommons.org/licenses/by/3.0/