Transcript: Software Testing and Verification, Lecture 17 (cise.ufl.edu)
Axiomatic Verification I
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida
Software Testing and Verification
Lecture 17
Axiomatic Verification I
• Introduction
• Weak correctness predicate
• Assignment statements
• Sequencing
• Selection statements
Introduction
• What is Axiomatic Verification†?
A formal method of reasoning about the functional correctness of a structured, sequential program by tracing its state changes from an initial (i.e., pre-) condition to a final (i.e., post-) condition according to a set of self-evident rules (i.e., axioms).
† Also known as “Hoare logic” or “Floyd-Hoare logic.”
Introduction (cont’d)
• What is its primary goal?
To provide a means for “proving” (and in some cases, “disproving”) the functional correctness of a sequential program with respect to its (formal) specification.
Introduction (cont’d)
• What are the benefits of studying axiomatic verification?
– Understanding its limitations.
– Deeper insights into programming and program structures.
– Criteria for judging both programs and programming languages.
– The ability to formally verify small (or parts of large) sequential programs.
Introduction (cont’d)
• Bottom line: even if you never attempt to “prove” a program correct outside this course, the study of formal verification should change the way you write and read programs.
“There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.” –Tony Hoare
Weak Correctness Predicate
• To prove that program S is (“weakly” or “partially”) correct with respect to pre-condition P and post-condition Q, it is sufficient to show: {P} S {Q}.
• Interpretation of {P} S {Q}: “if the input (initial state) satisfies pre-condition P and (if) program S executes and terminates, then the output (final state) must satisfy post-condition Q.”
Weak Correctness Predicate (cont’d)
• Truth table interpretation:

  P (before S executes) | S terminates | Q (after S executes) | {P} S {Q}
  ----------------------+--------------+----------------------+----------
  T                     | YES          | must be T            | T
  T                     | YES          | could be F           | F
  F                     | Don’t Care   | Don’t Care           | T*
  Don’t Care            | NO           | N/A                  | T*

* In this case, {P} S {Q} is said to be “vacuously true.”
Weak Correctness Predicate (cont’d)
• Note that {P} S {Q} is really just a “double conditional” of the form:
(A ∧ B) → C
where A is “P holds before executing S”, B is “S terminates”, and C is “Q holds after executing S”.
• Therefore, the one and only case for which {P} S {Q} is false is: “Q could be false if S terminates, given that P held before S executes.”
Weak Correctness Predicate (cont’d)
• What are the truth values of the following assertions?
(1) {x=1} y := x+1 {y>0}
True, because if P holds initially, Q must hold when S terminates.
(2) {x>0} x := x-1 {x>0}
False, because Q may not hold when S terminates given that P holds initially (take x=1: after x := x-1, x=0).
(3) {1=2} k := 5 {k<0}
True (vacuously), since P cannot hold before S executes.
(4) {true} while x <> 5 do x := x-1 {x=5}
(Hint: When will S terminate?)
True, since Q must hold if S terminates. The loop exits only when x = 5, so whenever it terminates the post-condition holds; if x < 5 initially (for integer x) the loop never terminates, and those initial states are “don’t care” under partial correctness. Note that partial correctness therefore says nothing about termination: a program that hangs satisfies every {P} S {Q}.
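The truth-table reading of {P} S {Q} can be made mechanical for small state spaces. The following is an added example (not from the lecture): P and Q are Python predicates over a state dictionary, S is a Python function that transforms the state and calls `budget.tick()` on each loop iteration, and every state in a bounded integer domain is tried. States where P is false and runs that exhaust the step budget (treated as non-termination) are “don’t care”, exactly as in rows 3 and 4 of the table; the only way the assertion is reported false is row 2. The function names, the domain of -10..10 and the step budget are choices made here, not part of the lecture.

```python
"""Bounded checker for partial-correctness assertions {P} S {Q}.

Added example (not from the lecture). P and Q are Python predicates over a
state dict; S is a Python function that transforms the state and calls
budget.tick() on every loop iteration so that a non-terminating S can be
detected and treated as "don't care", exactly as in the truth table.
"""
import itertools
from collections import namedtuple

Result = namedtuple("Result", "holds counterexample checked")


class Timeout(Exception):
    """S exceeded its step budget: treated as non-termination."""


class Budget:
    """Step counter handed to S; raises Timeout once the budget is spent."""

    def __init__(self, steps):
        self.steps = steps

    def tick(self):
        self.steps -= 1
        if self.steps < 0:
            raise Timeout


def check_triple(pre, stmt, post, names, domain=range(-10, 11), budget=1000):
    """Evaluate {pre} stmt {post} on every state in domain**len(names).

    Returns Result(holds, counterexample, checked), where `checked` counts the
    runs in which pre held and stmt terminated; checked == 0 with holds == True
    is the "vacuously true" case. This is a bounded check, not a proof: a
    counterexample outside `domain`, or a run needing more than `budget`
    steps, would be missed.
    """
    checked = 0
    for values in itertools.product(domain, repeat=len(names)):
        state = dict(zip(names, values))
        if not pre(state):
            continue                      # P false: truth-table row 3, don't care
        try:
            final = stmt(dict(state), Budget(budget))
        except Timeout:
            continue                      # S does not terminate: row 4, don't care
        checked += 1
        if not post(final):
            return Result(False, state, checked)  # row 2: the only falsifying case
    return Result(True, None, checked)


# The four assertions from the slides, encoded as Python statements.
def assign_y(st, budget):          # (1) y := x+1
    budget.tick()
    st["y"] = st["x"] + 1
    return st


def decrement_x(st, budget):       # (2) x := x-1
    budget.tick()
    st["x"] = st["x"] - 1
    return st


def set_k(st, budget):             # (3) k := 5
    budget.tick()
    st["k"] = 5
    return st


def count_down_to_5(st, budget):   # (4) while x <> 5 do x := x-1
    while st["x"] != 5:
        budget.tick()              # runs out of budget (never terminates) when x < 5
        st["x"] -= 1
    return st


if __name__ == "__main__":
    print("(1)", check_triple(lambda s: s["x"] == 1, assign_y, lambda s: s["y"] > 0, ["x", "y"]))
    print("(2)", check_triple(lambda s: s["x"] > 0, decrement_x, lambda s: s["x"] > 0, ["x"]))
    print("(3)", check_triple(lambda s: 1 == 2, set_k, lambda s: s["k"] < 0, ["k"]))
    print("(4)", check_triple(lambda s: True, count_down_to_5, lambda s: s["x"] == 5, ["x"]))
```

Running it reports (1) true, (2) false with counterexample x=1, (3) true with zero checked runs (vacuous), and (4) true with only the initial states x ≥ 5 ever checked, because the others never terminate. That last point is the practical caveat of weak correctness: a denial-of-service hang is invisible to {P} S {Q}, so termination has to be argued separately.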
Weak Correctness Predicate (cont’d)
• We now consider techniques for proving that such assertions hold for structured programs comprised of assignment statements, if-then (-else) statements, and while loops. (Why these constructs?)
Reasoning about Assignment Statements
• For each of the following pre-conditions, P, and assignment statements, S, identify a “strong” post-condition, Q, such that {P} S {Q} would hold.
• A “strong” post-condition captures all after-execution state information of interest.
• However, we won’t bother with assertions such as X=X’ (“the final value of X is the same as the initial value of X”) for the time being.
Reasoning about Assignment Statements (cont’d)

  {P}            S          {Q}
  {J=6}          K := 3     {J=6 ∧ K=3}
  {J=6}          J := J+2   {J=8}
  {A<B}          Min := A   {A<B ∧ Min=A}
  {A<B ∧ B<C}    D := C     {A<B ∧ B<C ∧ D=C}
  {X<0}          Y := -X    {X<0 ∧ Y=-X}
  {X[I]=J}       I := I+1   {X[I-1]=J}
  {X[I-1]=J}     J := J+1   {X[I-1]=J-1}

(In the first row, {J=6} and {K=3} are each valid post-conditions, but neither is as strong as their conjunction. Likewise in the fifth row, {X<0 ∧ Y>0} holds, but {X<0 ∧ Y=-X} is stronger: it implies Y>0 and also records the exact value of Y.)
Illustrative Example
  {X[I]=J}      X = [ _, _, _, 17, _, _, _ ]  (indices 1..7),  J = 17, I = 4
  I := I+1
  {X[I-1]=J}    X = [ _, _, _, 17, _, _, _ ]  (indices 1..7),  J = 17, I = 5 (was 4)
Illustrative Example
  {X[I-1]=J}     X = [ _, _, _, 17, _, _, _ ]  (indices 1..7),  J = 17, I = 5
  J := J+1
  {X[I-1]=J-1}   X = [ _, _, _, 17, _, _, _ ]  (indices 1..7),  J = 18 (was 17), I = 5
Reasoning about Assignment Statements (cont’d)
• For each of the following post-conditions, Q, and assignment statements, S, identify a “weak” pre-condition, P, such that {P} S {Q} would hold.
(A “weak” pre-condition reflects only what needs to be true initially.)
Reasoning about Assignment Statements (cont’d)

  {P}        S           {Q}
  {J=7}      I := 4      {J=7 ∧ I=4}
  {true}     I := 4      {I=4}
  {false}    I := 4      {I=17}
  {I>4}      I := I+2    {I>6}
  {X=7}      Y := X+3    {Y=10}
  {X<5}      Y := X+3    {Y<8}

(In the first row, {J=7 ∧ I=4} would also be a valid pre-condition, but it is stronger than necessary: the assignment sets I to 4 regardless of its initial value, so only J=7 needs to hold initially. In the second row, {K=17} is likewise valid but stronger than necessary; nothing at all needs to be true initially, so the weakest pre-condition is {true}. In the third row no initial state can make I=17 hold after I := 4, so the only pre-condition that works is {false}, under which the assertion is vacuously true.)
When does ({P} S {Q}) ⇒ ({K} S {W})?
• We just determined that
{J=7} I := 4 {J=7 ∧ I=4}
holds.
• We can deduce from this that
{J=7} I := 4 {J=7}
also holds since {J=7 ∧ I=4} is stronger than {J=7}. That is, because:
{J=7 ∧ I=4} ⇒ {J=7}
When does ({P} S {Q}) ⇒ ({K} S {W})? (cont’d)
• Similarly, if we know that
{J=7} I := 4 {J=7 ∧ I=4}
holds, it follows that
{J=7 ∧ K=17} I := 4 {J=7 ∧ I=4}
also holds since {J=7} is weaker than {J=7 ∧ K=17}. That is, because:
{J=7 ∧ K=17} ⇒ {J=7}
When does ({P} S {Q}) ⇒ ({K} S {W})? (cont’d)
• Thus, we can replace pre-conditions with ones that are stronger, and post-conditions with ones that are weaker. (This is Hoare’s rule of consequence: if K ⇒ P, {P} S {Q} and Q ⇒ W, then {K} S {W}.)
• Note that if A ⇒ B, we say that A is stronger than B, or equivalently, that B is weaker than A.
Practice quiz question…
• In general, which would be the better marketing strategy for increasing your software sales…advertising the software as having a strong pre-condition and a weak post-condition, or vice-versa? Give a concrete example which illustrates your answer.
![Page 62: Software Testing and Verification Lecture 17 - cise.ufl.edu Testing and Verification Lecture 17. Axiomatic Verification I • Introduction • Weak correctness predicate • Assignment](https://reader030.fdocuments.net/reader030/viewer/2022032712/5b2e761b7f8b9ad76e8c7c82/html5/thumbnails/62.jpg)
Reasoning about Sequencing
• Suppose that we know
{X[I]=J} I := I+1 {X[I-1]=J}
and we know
{X[I-1]=J} J := J+1 {X[I-1]=J-1}.
Then it follows that
{X[I]=J}
I := I+1
{X[I-1]=J}
J := J+1
{X[I-1]=J-1}
Reasoning about Sequencing
(cont’d)
• In general: if you know {P} S1 {R} and you know {R} S2 {Q} then you know {P} S1; S2 {Q}.
Example 1
• Prove the assertion:
{A=5} B := A+2; C := B-A; D := A-C {A=5 ∧ D=3}
{A=5}
B := A+2;
{A=5 ∧ B=7}
C := B-A;
{A=5 ∧ B=7 ∧ C=2}
D := A-C
{A=5 ∧ B=7 ∧ C=2 ∧ D=3} ⇒ {A=5 ∧ D=3}
Reasoning about If_then_else Statements
• Consider the assertion:
{P} if b then S1 else S2 {Q}
• What are the necessary conditions for this assertion to hold?
[Flowchart: from {P}, test b; the T branch executes S1 and the F branch executes S2; both branches rejoin at {Q}.]
Necessary Conditions: If_then_else
[Flowchart: from {P}, test b; the T branch executes S1 and the F branch executes S2; both branches rejoin at {Q}.]
{P ∧ b} S1 {Q}
and
{P ∧ ¬b} S2 {Q}
Reasoning about If_then Statements
• Consider the assertion:
{P} if b then S {Q}
• What are the necessary conditions for this assertion to hold?
[Flowchart: from {P}, test b; the T branch executes S, the F branch executes nothing; both branches rejoin at {Q}.]
Necessary Conditions: If_then
[Flowchart: from {P}, test b; the T branch executes S, the F branch executes nothing; both branches rejoin at {Q}.]
{P ∧ b} S {Q}
and
(P ∧ ¬b) ⇒ Q
Example 2
• Prove the assertion:
{Z=B} if A>B then Z := A {Z=Max(A,B)}
(Here P is Z=B, b is A>B, S is Z := A, and Q is Z=Max(A,B).)
(1) {P ∧ b} S {Q}:
{Z=B ∧ A>B} Z := A {Z=A ∧ A>B} ⇒ Q
(2) (P ∧ ¬b) ⇒ Q:
(Z=B ∧ A≤B) ⇒ Q
Proof Rules
• Before proceeding to while loops, let’s capture our previous reasoning about sequencing, selection statements, and state condition replacement in appropriate rules of inference (ROI).
ROI for Sequencing:
    {P} S1 {R},  {R} S2 {Q}
    ------------------------
        {P} S1; S2 {Q}
(cont'd)
Proof Rules (cont’d)
ROI for if_then_else statement:
    {P ∧ b} S1 {Q},  {P ∧ ¬b} S2 {Q}
    ---------------------------------
      {P} if b then S1 else S2 {Q}
ROI for if_then statement:
    {P ∧ b} S {Q},  (P ∧ ¬b) ⇒ Q
    -----------------------------
        {P} if b then S {Q}
(cont'd)
Proof Rules (cont’d)
ROI for State Condition Replacement†:
    K ⇒ P,  {P} S {Q},  Q ⇒ W
    --------------------------
           {K} S {W}
† Also known as the CONSEQUENCE rule.
Coming Up Next…
• Reasoning about iteration (while loops)
• Strong correctness and proving termination