09 - program verification
TRANSCRIPT
Program verification and testing
www.tudorgirba.com
Ariane 5 flight 501
Therac-25 accidents
Pentium FDIV bug
Testing: run the program with a set of inputs and check the output for defects
Verification: formally prove that the program has no defects
Example: max of 2 natural numbers
if (x ≥ y) max := x else max := y
Testing: x = 2, y = 3 gives max = 3
Verification: precondition (x ≥ 0 ∧ y ≥ 0), postcondition (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
information → computer → information (computation)
{P} S {Q}
P: precondition, S: program, Q: postcondition
{P} S {Q}: partial correctness
[P] S [Q]: total correctness
Skip: {Q} Skip {Q}
Abort: {P} Abort {False}
Assignment: {Q[x/E]} x := E {Q}
Example
S: x := x + 1
P: (x > 1)
Q: (x > 2)

Example
S: x := x + 2
P: (x = y − 2)
Q: (x = y)
Sequence: from {P} S1 {Q} and {Q} S2 {R} conclude {P} S1; S2 {R}
Conditional: from {P ∧ B} S1 {Q} and {P ∧ ¬B} S2 {Q} conclude {P} if B then S1 else S2 {Q}
While loop: from P ⇒ I, {I ∧ B} S {I} and I ∧ ¬B ⇒ Q conclude {P} while B do S end {Q}
Loop invariant I: a property which stays true before and after every loop iteration
0. initial condition: P ⇒ I
1. iterative (inductive) condition: {I ∧ B} S {I}
2. final condition: I ∧ ¬B ⇒ Q
Example: quotient and remainder of dividing 2 integers
S: quo := 0; rem := x; while (y ≤ rem) do rem = rem − y; quo = quo + 1 end
P: (x ≥ 0) ∧ (y > 0)
Q: (quo ∗ y + rem = x) ∧ (0 ≤ rem < y)
Example: binary search
Loop invariant I: lo <= n ∧ n <= hi
while (lo < hi) {          /* I: lo <= n ∧ n <= hi */
    m = (lo + hi) / 2;
    if (n > m)             /* in both cases: lo <= n ∧ n <= hi */
        lo = m + 1;        /* n > m => n >= m+1 => n >= lo */
    else
        hi = m;            /* !(n > m) => n <= m => n <= hi */
}                          /* I stays true */
n = lo;                    /* lo<=n ∧ n<=hi ∧ !(lo<hi) => lo==n ∧ n==hi */
Weakest precondition wp(S, Q): for every valid triple {P} S {Q}, P ⇒ wp(S, Q)
Verification of {P} S {Q}
1. Compute wp(S, Q)
2. Prove P ⇒ wp(S, Q)
Assignment
wp(x := A, Q) = Q[x ← A]
wp(x := 5, x + y = 6) = (5 + y = 6)
wp(x := x + 1, x + y = 6) = (x + 1 + y = 6)
Array assignment
wp(a[x] := A, Q) = Q[a ← a′]
wp(a[1] := x + 1, a[1] = a[2]) = (a′[1] = a′[2]) = (x + 1 = a[2])
where a′[1] = x + 1 and a′[i] = a[i] for all i ≠ 1
Sequencing
wp(S1; S2, Q) = wp(S1, wp(S2, Q))
wp(x := x + 1; y := y + x, y > 10)
= wp(x := x + 1, wp(y := y + x, y > 10))
= wp(x := x + 1, y + x > 10)
= (y + x + 1 > 10)
Conditional
wp(if (B) then S1 else S2, Q) = (B ⇒ wp(S1, Q)) ∧ (¬B ⇒ wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
wp(if (x ≥ y) then max := x else max := y, Q)
= (x ≥ y ⇒ wp(max := x, Q)) ∧ (x < y ⇒ wp(max := y, Q))
= (x ≥ y ⇒ Q[max ← x]) ∧ (x < y ⇒ Q[max ← y])
= (x ≥ y ⇒ ((x ≥ x) ∧ (x ≥ y) ∧ (x = x ∨ x = y))) ∧
  (x < y ⇒ ((y ≥ x) ∧ (y ≥ y) ∧ (y = x ∨ y = y)))
In both implications the consequent follows from the antecedent, so wp = True and any precondition, in particular (x ≥ 0 ∧ y ≥ 0), implies it.
While loop
L = while (B) do S end
wp(L, Q) = I ∧ ∀y, ((B ∧ I) ⇒ wp(S, I ∧ x < y))
∀y, ((¬B ∧ I) ⇒ Q)
Loop verification
I = property which stays true before and after every loop iteration
0. P ⇒ I;
1. I ∧ B ⇒ wp(S, I);
2. I ∧ ¬B ⇒ Q.
Example: quotient and remainder of dividing 2 integers
S: quo := 0; rem := x;
   while (y ≤ rem) do rem = rem − y; quo = quo + 1 end
P: (x ≥ 0) ∧ (y > 0)
Q: (quo ∗ y + rem = x) ∧ (0 ≤ rem < y)
I: (quo ∗ y + rem = x) ∧ (rem ≥ 0) ∧ (y > 0) ∧ (x ≥ 0)

Example: verification conditions
0. initial (P ⇒ I after the initialisation): (x ≥ 0) ∧ (y > 0) ⇒ (x = x) ∧ (x ≥ 0) ∧ (x ≥ 0) ∧ (y > 0)
1. inductive (I ∧ B ⇒ wp(body, I)): (x = rem + y ∗ quo) ∧ (x ≥ 0) ∧ (rem ≥ 0) ∧ (y > 0) ∧ (y ≤ rem) ⇒ (x = (rem − y) + y ∗ (quo + 1)) ∧ (x ≥ 0) ∧ (rem − y ≥ 0) ∧ (y > 0)
2. final (I ∧ ¬B ⇒ Q): (x = rem + y ∗ quo) ∧ (x ≥ 0) ∧ (rem ≥ 0) ∧ (y > 0) ∧ (y > rem) ⇒ (x = rem + y ∗ quo) ∧ (0 ≤ rem < y)
P: (x ≥ 0) ∧ (y > 0)
Q: (quo ∗ y + rem = x) ∧ (0 ≤ rem < y)
I: (quo ∗ y + rem = x) ∧ (rem ≥ 0) ∧ (y > 0) ∧ (x ≥ 0)
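The assignment examples (x := x + 1 and x := x + 2), the max conditional and the quotient loop with its three verification conditions can all be checked mechanically with one small harness. The following Python is an added example, not code from the slides: statements are modelled as predicate transformers (S(Q) is the callable that computes wp(S, Q) on an environment dict, so assignment is substitution, sequencing is composition and the conditional is the case split shown on the slides), and each implication P ⇒ wp(S, Q) or loop verification condition is checked by bounded exhaustive enumeration. That enumeration can only find counterexamples inside the chosen ranges; it does not prove the general statement the way the hand derivation does. The function names, the `variant` argument (the slides' decreasing measure, here rem) and the enumeration ranges are my own choices.

```python
"""Semantic wp checker for the slides' tiny language (added example, not
code from the slides). A statement S is a predicate transformer: S(Q) is
the callable computing wp(S, Q) on an environment dict. Hoare triples and
loop verification conditions are checked by bounded exhaustive enumeration,
which finds counterexamples but is not a proof outside the enumerated range."""
from itertools import product


def assign(var, expr):
    """wp(x := E, Q) = Q[x <- E]: evaluate Q in the state where x holds E."""
    return lambda Q: (lambda env: Q({**env, var: expr(env)}))


def seq(*stmts):
    """wp(S1; S2, Q) = wp(S1, wp(S2, Q)): fold the transformers right to left."""
    def wp(Q):
        for stmt in reversed(stmts):
            Q = stmt(Q)
        return Q
    return wp


def cond(B, S1, S2):
    """wp(if B then S1 else S2, Q) = (B => wp(S1, Q)) and (not B => wp(S2, Q))."""
    return lambda Q: (lambda env: S1(Q)(env) if B(env) else S2(Q)(env))


def counterexample(pred, domain):
    """Return the first env in the finite domain where pred fails, or None."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        env = dict(zip(names, values))
        if not pred(env):
            return env
    return None


def verify_triple(P, S, Q, domain):
    """Check {P} S {Q} via P => wp(S, Q); None means no counterexample found."""
    return counterexample(lambda e: not P(e) or S(Q)(e), domain)


def verify_loop(P, init, I, B, body, variant, Q, domain):
    """Verification conditions for  init; while B do body end  with invariant I.

    Condition 3 is the total-correctness extra: the body must strictly
    decrease a non-negative measure (the variant), so the loop terminates."""
    vcs = {
        "0 initial: P => wp(init, I)": lambda e: not P(e) or init(I)(e),
        "1 inductive: I and B => wp(body, I)":
            lambda e: not (I(e) and B(e)) or body(I)(e),
        "2 final: I and not B => Q": lambda e: not (I(e) and not B(e)) or Q(e),
        "3 variant: I and B => variant >= 0 and body decreases it":
            lambda e: not (I(e) and B(e))
            or (variant(e) >= 0 and body(lambda e2: variant(e2) < variant(e))(e)),
    }
    return {name: counterexample(vc, domain) for name, vc in vcs.items()}


# --- the slides' examples (domains are constructed, small ranges) ---------

INC = assign("x", lambda e: e["x"] + 1)        # S: x := x + 1
X_DOMAIN = {"x": range(-5, 6)}


def check_increment():
    # P: x > 1, Q: x > 2; wp = x + 1 > 2, which P implies -> None
    return verify_triple(lambda e: e["x"] > 1, INC, lambda e: e["x"] > 2, X_DOMAIN)


def check_increment_weak_precondition():
    # P: x > 0 is too weak: x = 1 gives x + 1 = 2, which is not > 2
    return verify_triple(lambda e: e["x"] > 0, INC, lambda e: e["x"] > 2, X_DOMAIN)


def check_max():
    S = cond(lambda e: e["x"] >= e["y"],
             assign("max", lambda e: e["x"]),
             assign("max", lambda e: e["y"]))
    P = lambda e: e["x"] >= 0 and e["y"] >= 0
    Q = lambda e: (e["max"] >= e["x"] and e["max"] >= e["y"]
                   and (e["max"] == e["x"] or e["max"] == e["y"]))
    return verify_triple(P, S, Q, {"x": range(6), "y": range(6)})


def check_division():
    P = lambda e: e["x"] >= 0 and e["y"] > 0
    init = seq(assign("quo", lambda e: 0), assign("rem", lambda e: e["x"]))
    B = lambda e: e["y"] <= e["rem"]
    body = seq(assign("rem", lambda e: e["rem"] - e["y"]),
               assign("quo", lambda e: e["quo"] + 1))
    I = lambda e: (e["quo"] * e["y"] + e["rem"] == e["x"]
                   and e["rem"] >= 0 and e["y"] > 0 and e["x"] >= 0)
    Q = lambda e: e["quo"] * e["y"] + e["rem"] == e["x"] and 0 <= e["rem"] < e["y"]
    domain = {"x": range(8), "y": range(1, 5), "quo": range(8), "rem": range(8)}
    return verify_loop(P, init, I, B, body, lambda e: e["rem"], Q, domain)


if __name__ == "__main__":
    print("x:=x+1, P: x>1 ->", check_increment())
    print("x:=x+1, P: x>0 ->", check_increment_weak_precondition())
    print("max            ->", check_max())
    for name, ce in check_division().items():
        print("division", name, "->", ce)
```

Running the module prints None for every condition that holds and the first failing environment otherwise: weakening the precondition of x := x + 1 to x > 0 yields the state x = 1, where x + 1 = 2 is not greater than 2. The same harness makes it easy to see why each conjunct of the slides' invariant is needed: dropping y > 0 from I, for instance, breaks the variant condition, since rem − y no longer decreases.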
{P} S {Q}
P: precondition, S: program, Q: postcondition
Tudor Gîrba
www.tudorgirba.com
creativecommons.org/licenses/by/3.0/