11.6.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für...
11.6.2015
Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für offene Kommunikationssysteme FOKUS
Slide 2, H. Schlingloff, Software-Verifikation I
Invariably: Starter Questions …
• What is an invariant? How is it used in verification?
• Is the set of invariants of a loop recursive?
• … or recursively enumerable?
• Is there any decidable invariant?
• How to construct an invariant for a given loop?
• E.g. {i=0; while (i<n) {i++}}
• E.g. {i=0; while (i<n) {i++; j--}}
• E.g. {i=0; while (i<n) {i++; j+=i}}
While[]-Programs
• While-Programs are Turing-complete, but not very convenient to use
• Missing: arrays, pointers, data structures, functions & procedures, modules, inheritance, …
• Today: arrays and search
• Introduce array type X[n], where X is any type and n is any integer
• Set V[] of indexed program variables: if i is a program variable of type Int and a is an array variable of type X[n], then a[i] is an indexed program variable of type X
• while[]Prog: indexed program variables can be used in terms and expressions wherever “normal” program variables are allowed
• Semantics: an array variable a: X[n] is evaluated as a partial function V(a): Int → X ∪ {undef}
• V(a)(x) = undef if x < 0 or x ≥ n
• V(a[i]) = V(a)(V(i))
Example: Binary Search
• Input: a sorted array x:Int[n] (i.e., ∀i (0<i<n → x[i-1]<x[i])) and a value a to search for
• Result: index i s.t. x[j]<a for 0<=j<i and x[j]>=a for i<=j<n
i=0; k=n;
while (i<k) {
  s=(i+k-1)/2; //integer division
  if (a>x[s]) i=s+1
  else k=s
}
Correctness: show {n>=0 ∧ ∀i(0<i<n → x[i-1]<x[i])} (program above) {0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)}
[Figure: the array x drawn as a prefix of elements <a followed by a suffix of elements >=a; the first picture marks the result index i, the second marks i, s and k during the loop.]
Invariant for Binary Search
• x is sorted, φ0: ∀i(0<i<n → x[i-1]<x[i])
• i is changed such that φ1: 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a)
• k is changed such that φ2: 0<=k<=n ∧ ∀j(k<=j<n → x[j]>=a)
• additionally φ3: i<=k
Let φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3
Hoare Proof for Binary Search
{n>=0 ∧ ∀i(0<i<n → x[i-1]<x[i])}
i=0; k=n;
{φ}
while (i<k) {
  {φ ∧ i<k}
  s=(i+k-1)/2; //integer division
  if (a>x[s]) i=s+1 else k=s
  {φ}
}
{φ ∧ i>=k}
{i=k ∧ 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)}
{0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)}
φ: 0 <= i <= k <= n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)
{φ ∧ i<k} s=(i+k-1)/2; {φ ∧ i<k ∧ s==(i+k-1)/2} if (a>x[s]) i=s+1 else k=s {φ}
holds since
(φ ∧ i<k ∧ s==(i+k-1)/2 ∧ a>x[s]) → φ[i:=s+1], and {φ[i:=s+1]} i=s+1 {φ}
(φ ∧ i<k ∧ s==(i+k-1)/2 ∧ a<=x[s]) → φ[k:=s], and {φ[k:=s]} k=s {φ}
proof: see next slide
φ: 0 <= i <= k <= n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)
Show: φ ∧ i<k ∧ s=(i+k-1)/2 ∧ x[s]<a → φ[i:=s+1]
φ[i:=s+1] is 0<= s+1 <= k <= n ∧ ∀j(0<=j<s+1 → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a); the part about k is already in φ, so with s=(i+k-1)/2 what remains to be shown from φ ∧ i<k ∧ x[s]<a is
(i+k+1)/2 <= k ∧ ∀j(0<=j<=(i+k-1)/2 → x[j]<a)
which holds since i<k → i+k<k+k → i+k+1<=2*k → (i+k+1)/2<=k, and x[s]<a → (j=s → x[j]<a), and φ0 ∧ x[s]<a → (j<s → x[j]<a)
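As an added example (not from the slides), the binary search of slide 4 in Python with the invariant φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3 of slide 5 and the postcondition checked by assertions on every iteration; the function names are my own. The proof above is over the integers: in C the sum i+k-1 can overflow for large n, which the Hoare proof does not cover, while Python integers cannot.

```python
# Added example, not from the slides: binary search as on slide 4 with the loop
# invariant phi = phi0 ^ phi1 ^ phi2 ^ phi3 (slide 5) and the postcondition
# (slide 4) checked by assertions at run time. Function names are my own.
from typing import List


def phi0(x: List[int]) -> bool:
    """x is strictly sorted: for all i, 0<i<n -> x[i-1] < x[i]."""
    return all(x[i - 1] < x[i] for i in range(1, len(x)))


def invariant(x: List[int], a: int, i: int, k: int) -> bool:
    """phi from slide 5 for the current values of i and k."""
    n = len(x)
    phi1 = 0 <= i <= n and all(x[j] < a for j in range(0, i))
    phi2 = 0 <= k <= n and all(x[j] >= a for j in range(k, n))
    phi3 = i <= k
    return phi0(x) and phi1 and phi2 and phi3


def postcondition(x: List[int], a: int, i: int) -> bool:
    """Result from slide 4: x[j]<a for 0<=j<i and x[j]>=a for i<=j<n."""
    n = len(x)
    return (0 <= i <= n and all(x[j] < a for j in range(0, i))
            and all(x[j] >= a for j in range(i, n)))


def binary_search(x: List[int], a: int) -> int:
    n = len(x)
    assert n >= 0 and phi0(x), "precondition: x is strictly sorted"
    i, k = 0, n
    assert invariant(x, a, i, k)        # phi holds after i=0; k=n
    while i < k:
        # integer division; Python ints cannot overflow, in C i+k-1 could
        s = (i + k - 1) // 2
        # phi and i<k give i <= s < k <= n: x[s] is never undef (slide 3)
        assert 0 <= s < n
        if a > x[s]:
            i = s + 1                   # phi[i:=s+1] held before (slide 8)
        else:
            k = s                       # phi[k:=s] held before (slide 7)
        assert invariant(x, a, i, k)    # phi is re-established
    assert postcondition(x, a, i)       # phi and i>=k give the result
    return i
```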
Last Example: Bubblesort
• Given an array x [0..n-1] of integers, the task is to sort x
• Bubblesort repeatedly exchanges “unordered” elements in x, e.g.:
6 – 3 – 8 – 4 – 1
3 – 6 – 8 – 4 – 1
3 – 6 – 8 – 4 – 1
3 – 6 – 4 – 8 – 1
3 – 6 – 4 – 1 – 8
3 – 6 – 4 – 1 – 8
3 – 4 – 6 – 1 – 8
3 – 4 – 1 – 6 – 8
3 – 1 – 4 – 6 – 8
etc.
Bubblesort Algorithm
i=n;
while (i>1) {
  i=i-1; k=0;
  while (k!=i) {
    k++;
    if (x[k-1]>x[k]) swap(x[k-1], x[k])
  }
}
Specification of Sortedness
• x is sorted, sorted(x): ∀i(0<i<n → x[i-1] <= x[i])
• x is a permutation of the input array ?
• For sake of simplicity: assume all elements in x are pairwise unequal:
diff(x): ∀i,j(0<=i<n ∧ 0<=j<n ∧ i!=j → x[i]!=x[j]); in this case, x is a permutation of y iff
perm(x,y): ∀a(∃i x[i]==a ↔ ∃i y[i]==a)
• Specification: {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}
Invariant for Bubblesort
Invariant for the outer loop:
after first iteration: x[n-1] at correct position
after second iteration: x[n-1] and x[n-2] at correct position
after third iteration: x[n-1] .. x[n-3] at correct position
...
ordered(x, i): 1<=i<=n ∧ ∀j(i<=j<n → x[j-1] < x[j]) ∧ ∀j(0<=j<i<n → x[j] <= x[i])
then we have: ordered(x, n) ↔ T and ordered(x, 1) → sorted(x)
I: diff(x) ∧ perm(x,y) ∧ ordered(x,i)
Proof of Outer Loop
x==y ∧ diff(x) → perm(x,y)
{x==y ∧ diff(x)} i=n {x==y ∧ diff(x) ∧ i==n}
x==y ∧ diff(x) ∧ i==n → diff(x) ∧ perm(x,y) ∧ ordered(x,i), hence {x==y ∧ diff(x)} i=n {I}
{I} while (i>1) {...} {I ∧ (i<=1)}, provided that {I ∧ (i>1)} loop body {I}
I ∧ (i<=1) → perm(x,y) ∧ ordered(x,i) ∧ (i<=1) → perm(x,y) ∧ sorted(x), hence {I} while (i>1) {...} {sorted(x) ∧ perm(x,y)}
together: {x==y ∧ diff(x)} i=n; while (i>1) {...} {perm(x,y) ∧ sorted(x)}
that is, {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}
Inner Invariant
It remains to show: {I ∧ (i>1)} i=i-1; k=0; while (k!=i) {...} {I}
Invariant for the inner loop: perm(x,y) ∧ ordered(x,i+1) remains stable
goal of the inner loop: maximal element from x[0]...x[i-1] is moved to x[i-1]
after each step: 0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])
I' (the inner invariant, primed here to distinguish it from the outer I): perm(x,y) ∧ ordered(x,i+1) ∧ 0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])
Proof of Inner Invariant
{I ∧ (i>1)} i=i-1; k=0; {perm(x,y) ∧ ordered(x,i+1) ∧ k==0}
perm(x,y) ∧ ordered(x,i+1) ∧ k==0 → I', hence {I ∧ (i>1)} i=i-1; k=0; {I'}
{I'} while (k!=i) {...} {I' ∧ (k==i)}, provided that {I' ∧ (k!=i)} inner loop body {I'}
I' ∧ (k==i) → perm(x,y) ∧ ordered(x,i+1) ∧ ∀j(0<=j<=i → x[i]>=x[j]), which gives I
hence {I ∧ (i>1)} i=i-1; k=0; while (k!=i) {...} {I}
it remains to show: {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {I'}
• perm(x,y) remains unchanged
• ordered(x,i+1) is not modified
• {0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j]) ∧ k!=i} k++ {0<=k<=i ∧ ∀j(0<=j<=k-1 → x[k-1]>=x[j])}
• {0<=k<=i ∧ ∀j(0<=j<=k-1 → x[k-1]>=x[j])} if (x[k-1]>x[k]) swap(x[k-1], x[k]) {0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])}
so {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {I'}