5.1.2012 software verification 1 deductive verification prof. dr. holger schlingloff institut für...

5.1.2012

Software Verification 1Deductive Verification

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

und

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

http://www.hu-berlin.de/index.html

Folie 2H. Schlingloff, Software Verification I

Where are we?

• Einführung

• Aussagenlogik

• Prädikatenlogik

• einfache Funktionskontrakte

• Schleifeninvarianten und Terminierung

• Prädikate und logische Funktionen

• Spezifikation von Datentypen

• Parallele Programme, Deadlocks, Livelocks

• Objektorientierte Programme

5.1.2012


Termination

• Hoare-Tripel: {} {}if holds before the execution of , then holds afterwards

(1) ⊢ {Τ} skip {Τ} (skip)(2) ⊢ {Τ Τ} skip {Τ} (1, imp1)(3) ⊢ {Τ} while (Τ) skip {Τ } (2,whi)(4) ⊢ {Τ} while (Τ) skip {} (3, imp2)

I.e., if T holds before the execution of while (Τ) skip, then holds afterwards

I.e., after the execution of while (Τ) skip anything holds5.1.2012


{T} {}: if terminates, then holds afterwards

• Hoare logic incapable of formulating statements about termination

• Total correctness of with respect to : {T} {} terminates

• Notation • Clearly, if contains no loops, then

{} {} implies • How to prove termination of loops?

5.1.2012


Well-founded orders

• A binary relation < is called a strict partial order iff it is irreflexive: ¬ x<x transitive: x<y y<z x<z asymmetric: x<y ¬ y<x

• A partial order is called total order iff it is total: xy (x<y y<x)

• A strict partial order is called well-founded iff there is no infinite descending chain,

i.e., no infinite set {x0, x1, x2, x3, ...} such that x0>x1>x2>x3 ...

equivalently, if every non-empty set S has a minimal element(i.e., S xS yx (x<y))

• A well-founded total order is called a well-order 5.1.2012


Well-orderings

•natural numbers, <

• integers - x<y iff |x|<|y| or |x|=|y| and x<y

•pairs - ?

•strings - ?

•binary trees - ?

• rational numbers - ?

• real matrices - ?Counterexamples?

5.1.2012


Transfinite induction

•Let (n) be any statement, where nM and < is a well-founded partial order on M

If for all xM it holds thatif (y) for all y<x, then (x)

then (n) for all nM

x ((y<x (y)) (x)) n (n)

5.1.2012


Proof

x ((y<x (y)) (x)) n (n)

• Assume for contradiction that x ((y<x (y)) (x)), i.e., x (¬(x) (y<x ¬ (y)))and that x0 ¬(x0).

• Then x1<x0 ¬(x1))

• Therefore x2<x1 ¬(x2)) etc.

• Continuing, we get an infinite descending chain of elements, contradicting well-foundedness

5.1.2012


Special Cases

• natural induction: (0) x ((x)) (x+1)) n (n)

• mathematical induction:Let M be finitely generated, i.e., there are constructor-functions f1,...,fn and M0M such that all xM can be written as x=f(f(...(x0)..), where each f is a constructor function and x0M0

if (x0) for all x0M0 and ((x) (f(x))) for all xM and all constructor functions f then (x) for all xM

5.1.2012


Termination proofs

•Let (M,<) be a well-founded order and (z) be a formula involving zM

• if ⊢ (z0) for some z0M and

⊢ (z)b (z’) ¬b for some z’<z, then ⊢ while (b) ¬b

(z) is called variant of the loop5.1.2012


Special case (Termination only)

• if ⊢ (z) for some zM, and⊢ (z) b (z’) for some z’<z, and ⊢ ((z) ¬b ),then ⊢ while (b)

• if ⊢ (z) for some zM and⊢ (z) (z’) ¬b for some z’<zthen ⊢ T while (b) T

5.1.2012


Example proof

•Show ⊢ a>=0 while (a>0) a-- T

•well-founded ordering: natural numbers (N0,<); (z) = (a==z) (z)=(floor(a)==z)

(i) a>=0 (a==z) for some zN0

a>=0 (floor(a)==z) for some zN0

(ii) ⊢ a==z a-- a==z-1⊢ floor(a)==z a-- floor(a)==z-1

Would this proof hold for float a?5.1.2012


Termination of gcd

{a==m>0 b==n>0}while (a!=b) if (a>b) a=a-b else b=b-a{a==b==gcd(m,n)}

We want to show that ⊢ a==m>0 b==n>0 T Variant (z) = (z==a+b); wfo: N0

Show: ⊢ (z) if... (z’) for some z’<zProof: let z’=z-min(a,b)

5.1.2012


A more intricate example

={b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }

Show: ⊢ 0<a<=100 a==91

5.1.2012

5.1.2012 software verification 1 deductive verification prof. dr. holger schlingloff institut für...

Documents