11111

Functional Program Verification

CS 4311

A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999.Y. Cheon and M. Vela, A Tutorial on Functional Program Verification,

Technical Report 10-26, Dept. of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010

222

Outline Non-testing techniques for V&V Overview of functional verification Program as functions Intended functions Verification

Assignment statement Sequential composition Conditional statement Iterative statement

33

Non-testing Techniques for V&V

(Pairs, 2 minutes) V&V Definitions and examples from the class project?

Sec. 13.4 of Vliet 2008(Manual Testing Techniques)

44

Non-testing Techniques for V&V

(Pairs, 2 minutes) V&V Definitions and examples?

Code reviews Reading

If you can’t read it, neither can the people maintaining it Walkthrough

Team effort (group of 3-5, e.g., designer, moderator, secretary) Manual simulation lead by designer Focus on discovering faults, not on fixing them

Inspection Looking for specific faults (e.g., using check lists) E.g., uninitialized variables

Sec. 13.4 of Vliet 2008(Manual Testing Techniques)

55

Non-testing V&V (Cont.)

Correctness proof Hoare logic Functional program verification

Model checking Correct by construction

Refinement calculus Model driven development

Sec. 13.4 of Vliet 2008(Manual Testing Techniques)

66

Overview of Functional Verification

Key ideas View programs as mathematical functions Write specifications as mathematical functions Compare two functions for correctness verification

Characteristics Based on sets and functions <-> logic (Hoare) Forward reasoning <-> backward reasoning Match informal reasoning

77

Programs as Functions

Values of x and y after execution?

// pre-state: {(x,10), (y,20)}x = x + y;y = x – y;x = x – y;// post-state: {(x,?), (y,?)}

88

Programs as Functions

Values of x and y after execution?

// pre-state: {(x,10), (y,20)}x = x + y;y = x – y;x = x – y;// post-state: {(x,?), (y,?)}

State changing function (or state transformer) Function on program states Map one program state to another {(x,3), (y,5)}

…{(x,6), (y,4)}

pre-state

{(x,5), (y,3)}…

{(x,4), (y,6)}

post-state

99

Concurrent Assignment Notation for express state changing functions

[x1, x2, …, xn := e1, e2, …, en]

Evaluate ei’s in the pre-state at the same time Assign them to xi’s at the same time The values of other state variables remain the same (frame

axiom).

// [x, y := y, x]x = x + y;y = x – y;x = x – y;

1010

Conditional Concurrent Assignment

Different functions based on some conditions

[x > 0 -> sign := 1 | x < 0 -> sign := -1 | else -> sign := 0]

Conditions evaluated sequentially from the first to the last in the pre-state

Keyword “else” interpreted as “true”

[n > maxSize -> n := maxSize | else -> I]

[n > 0 -> avg := sum / n | else -> undefined]

Identity function

Partial function

1111

Exercise Write a (conditional) concurrent assignment to describe

the function computed by the following code.

if (n > maxSize) { n = maxSize;}avg = sum / n;

1212

Intended Functions

Intended function: function describing our intention of code Specification for the code

Code function: function computed by code Actual behavior implemented by the code

// [sum, i := sum + j=1a.length-1a[j], anything]

while (i < a.length) { sum += a[i]; i++; }

Don’t care about the

final value.

1313

Exercise Write intended functions for the following code

(a) sum = sum + a; avg = sum / n;

(b) if (a[i] == k) { l = i; }

(c) while (i < a.length) {if (a[i] == k) {

l = i;}i++;

}

1414

Annotating Code Why?

To facilitate correctness verification How?

Annotate every section of code with intended function

// f0: [r := largest value in a] // f1 : [r, i := a[0], 1] r = a[0]

int i = 1;

// f2 : [r, i := max of r and largest in a[i..], anything]while (i < a.length) {

// f3 : [r, i := max of r and a[i], i+1] if (a[i] > r) { r = a[i]; }

i++; }

1515

Exercise

Annotate the following code with intended functions

c = 0;int i = 0;while (i < a.length) { if (a[i] == n) { c++; } i++;}

161616

Outline Non-testing techniques for V&V Overview of functional verification Program as functions Intended functions Verification

Assignment statement Sequential composition Conditional statement Iterative statement

17

Functional Verification Process

1. Write specifications of code as functions, called intended functions

2. Calculate functions computed by code, called code functions

3. Compare code functions (p) with intended functions (f), i.e., p is correct with respect to ( ) ⊑f if: dom p dom f p(x) = f(x) for every x dom f

Why notdom p = dom f ?

18

Verification of

Assignment Statement

Often straightforward Often identical code and intended functions

// [x := x + 1]x = x + 1;

// [n > 0 -> avg := sum / n]avg = sum / n;

More work done by code

19

Verification of

Sequential Composition

Compose code functions

// [n > 0 -> sum, avg := sum + a, (sum + a) / n] sum = sum + a; avg = sum / n;

[sum := sum + a]; [n 0 -> avg := sum / n] [n 0 -> sum, avg := sum + a; (sum + a) /

n] ⊑ [n > 0 -> sum, avg := sum + a; (sum + a) / n]

20

Trace Table Calculate code function by tracing state changes

made by statements

statement x y z

x = x + 1 x+1

y = 2 * x 2*(x+1)

z = x + y (x+1) + 2*(x+1)

x = x + 1 x+2

x = 3 * x 3*(x+2)

x = x + 1;

y = 2 * x;

z = x + y;

x = x + 1;

x = 3 * x;

[x, y, z := 3*(x+2), 2*(x+1), (x+1) + 2*(x+1)]

2121

Exercise Use a trace table to calculate the function computed by

the following code.

rate = 0.5;years++;interest = balance * rate / 100;balance = balance + interest;

22

Modular Verification

Can use intended functions in place of code functions for verification

// [f0] // [f1]

S1

// [f2] S2

Proof obligations f1; f2 f⊑ 0

S1 is correct with respect to f1 (S1 f⊑ 1) S2 is correct with respect to f2 (S2 f⊑ 2)

23

Verification of

Conditional Statement Calculate code functions using conditional trace tables

statement condition p b

p = a * r a * r

if (a < b) a < b

b = b - a b - a

p = a * r a * r

if (a < b) a >= b

b = b - p b – (a * r)

p = a * r;

if (a < b)

b = b – a;

else

b = b – p;

[a < b -> p, b := a * r, b – a

| a >= b -> p, b := a *r, b – (a*r)]

24

Verification of

Conditional Statement (Cont.) Case analysis on conditions

// [f]

if (B) S1 else S2

Proof obligations When B holds, S1 is correct with respect to f (B S1 f)⊑

When B doesn’t hold, S2 is correct with respect to f ( B S2 f)⊑

25

Example

Proof by case analysis When x > y

x – y |x - y|, thus [z != 0 -> r := (x - y)/z] f When !(x > y)

y – x |x - y|, thus [z != 0 -> r := (y - x)/z] f

Therefore, if … else … f⊑

// f: [z != 0 -> r := |x - y| / z]if (x > y) r = (x - y) / z; else r = (y - x) / z;

2626

Exercise

Derive proof obligations for an if statement without an else part.

// [f]if (B) S

2727

Exercise Write an intended function for the following code and

prove the correctness of the code with respect to the intended function

if (n > maxSize) { n = maxSize;

} sum = sum + a; avg = sum / n;

28

Verification of

Iteration Statement No known way of calculating code function, so proof by induction

// [f] while (B) S

Proof obligations B doesn’t hold, identity function is correct with respect to f (B I f)⊑ If B holds, S followed by f is correct with respect to f (B S;f f)⊑ Termination for total correctness

Loop variant: expression with value increased/decreased on iterations

// [f] if (B) { S while (B) S }

// [f] if (B) { S [f] }

Assuming f is correct

29

Example

Proof obligations Termination: loop variant, a.length - i Basis: (i < a.length) I f1⊑ Induction: i < a.length f2; f1 f1 and refinement of f2⊑

Proof of basisf1 ≡ [sum, i := sum + j=i

a.length-1a[j], anything]

≡ [sum, i := sum + 0, anything] (because i >= a.length)

≡ [sum, i := sum, anything]

⊒ [sum, i := sum, i] = I

// f1: [sum, i := sum + j=ia.length-1a[j], anything]

while (i < a.length) { // f2: [sum, i := sum + a[i], i+1]

sum += a[i]; i++; }

30

Example

Proof induction step

i < a.length f2; f1 f1⊑

f2; f1 ≡ [sum, i := sum + a[i], i + 1];

[sum, i := sum + j=ia.length-1a[j], anything]

≡ [sum, i := sum + a[i] + j=i+1a.length-1a[j], anything]

≡ [sum, i := sum + j=ia.length-1a[j], anything]

≡ f1

// f1: [sum, i := sum + j=ia.length-1a[j], anything]

while (i < a.length) { // f2: [sum, i := sum + a[i], i+1]

sum += a[i]; i++; }

3131

Exercise Prove the termination of the following loop.

while (low <= high) {

int mid = (low + high) / 2;

if (a[mid] < x)

low = mid + 1;

else if (a[mid] > x)

high = mid - 1;

else

high = low - 1;

}

32

Initialized Loops

Loop seldom used in isolation Preceded by initialization Together compute something useful Loop’s function more general

// [f0] // [f1] S1

// [f2] while (B) { // [f3] S2 }

Proof obligations f1; f2 f0⊑ S1 f1⊑ while (B) S2 f2, requiring⊑

Termination Basis Step: B I f2⊑ Induction: B S2;f2 f2⊑

33

Example // f0: [r := largest value in a] // f1 : [r, i := a[0], 1] r = a[0]

int i = 1;

// f2 : [r, i := max of r and largest in a[i..], ?]while (i < a.length) {

// f3 : [r, i := max of r and a[i], i+1] if (a[i] > r) { r = a[i]; }

i++; }

Proof obligations f1; f2 ⊑ f0

Refinement of f1

Refinement of f2 Termination of the loop Basis: (i < a.length) I ⊑ f2 Induction: i < a.length f3; f2 ⊑ f2

Refinement of f3

34

Example (Cont.)

Proof of f1; f2 ⊑ f0

f1; f2 [r, i := a[0], 1];

[r, i := max of r and largest in a[i..], ?]

[r, i := max a[0] and largest in a[1..], ?]

[r, i := largest value in a, ?]

⊑ [r := largest value in a]

f0

See handout for other proofs.

3535

Exercise Write intended functions for the following while loops in isolation.

(a) while (i < a.length) { if (a[i] > 0) {

sum += a[i]; } i++; }

(b) while (n > 1) { n = n – 2;

}

3636

Exercise Prove the correctness of the following code.

// [r := n!]r = 1;int i = n;while (i > 1) { r = r * i; i--;}