5.1.2012
Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2, H. Schlingloff, Software Verification I
Where are we?
• Introduction
• Propositional logic
• Predicate logic
• Simple function contracts
• Loop invariants and termination
• Predicates and logical functions
• Specification of data types
• Parallel programs, deadlocks, livelocks
• Object-oriented programs
Termination
• Hoare triple {} {}: if the precondition holds before the execution of the program, then the postcondition holds afterwards
(1) ⊢ {T} skip {T} (skip)
(2) ⊢ {T ∧ T} skip {T} (1, imp1)
(3) ⊢ {T} while (T) skip {T ∧ ¬T} (2, whi)
(4) ⊢ {T} while (T) skip {⊥} (3, imp2)
I.e., if T holds before the execution of while (T) skip, then ⊥ holds afterwards;
i.e., after the execution of while (T) skip anything holds. This is not a contradiction: the loop never terminates, and a Hoare triple only says something about terminating executions.
• {T} {}: if the program terminates, then the postcondition holds afterwards (partial correctness)
• Hoare logic is incapable of formulating statements about termination
• Total correctness of a program with respect to a postcondition: {T} {} holds and the program terminates
• Notation
• Clearly, if the program contains no loops, then partial correctness {} {} implies total correctness
• How to prove termination of loops?
Well-founded orders
• A binary relation < is called a strict partial order iff it is
  irreflexive: ¬ x<x
  transitive: x<y ∧ y<z → x<z
  asymmetric: x<y → ¬ y<x
• A partial order is called a total order iff it is total: x≠y → (x<y ∨ y<x)
• A strict partial order is called well-founded iff there is no infinite descending chain,
i.e., no infinite sequence x0, x1, x2, x3, ... such that x0 > x1 > x2 > x3 > ...;
equivalently, iff every non-empty subset S has a minimal element (i.e., S ≠ ∅ → ∃x∈S ∀y∈S ¬(y<x))
• A well-founded total order is called a well-order
Well-orderings
• natural numbers, <
• integers - x<y iff |x|<|y|, or |x|=|y| and x<y in the usual order (i.e., 0, -1, 1, -2, 2, ...)
• pairs - ?
• strings - ?
• binary trees - ?
• rational numbers - ?
• real matrices - ?
Counterexamples?
Transfinite induction
• Let φ(n) be any statement, where n ∈ M and < is a well-founded partial order on M.
If for all x ∈ M it holds that: if φ(y) for all y<x, then φ(x),
then φ(n) for all n ∈ M.
∀x ((∀y<x φ(y)) → φ(x)) → ∀n φ(n)
Proof
∀x ((∀y<x φ(y)) → φ(x)) → ∀n φ(n)
• Assume for contradiction that ∀x ((∀y<x φ(y)) → φ(x)), i.e., ∀x (¬φ(x) → ∃y<x ¬φ(y)), and that ∃x0 ¬φ(x0).
• Then ∃x1<x0 ¬φ(x1).
• Therefore ∃x2<x1 ¬φ(x2), etc.
• Continuing, we get an infinite descending chain x0 > x1 > x2 > ..., contradicting well-foundedness.
Special Cases
• natural induction: φ(0) ∧ ∀x (φ(x) → φ(x+1)) → ∀n φ(n)
• structural induction: let M be finitely generated, i.e., there are constructor functions f1,...,fn and M0 ⊆ M such that every x ∈ M can be written as x = f(f(...(x0)...)), where each f is a constructor function and x0 ∈ M0;
if φ(x0) for all x0 ∈ M0 and (φ(x) → φ(f(x))) for all x ∈ M and all constructor functions f, then φ(x) for all x ∈ M
Termination proofs
• Let (M,<) be a well-founded order and φ(z) be a formula involving z ∈ M
• If ⊢ φ(z0) for some z0 ∈ M and
⊢ φ(z) b φ(z') ¬b for some z' < z, then ⊢ while (b) ¬b
φ(z) is called the variant of the loop
Special case (termination only)
• If ⊢ φ(z) for some z ∈ M, and ⊢ φ(z) b φ(z') for some z' < z, and ⊢ (φ(z) ¬b ), then ⊢ while (b)
• If ⊢ φ(z) for some z ∈ M and ⊢ φ(z) φ(z') ¬b for some z' < z, then ⊢ T while (b) T
Example proof
• Show ⊢ a>=0 while (a>0) a-- T, i.e., the loop terminates from every state with a>=0
• well-founded ordering: natural numbers (N0,<); variant φ(z) = (a==z), or alternatively φ(z) = (floor(a)==z)
(i) a>=0 → (a==z) for some z ∈ N0
    a>=0 → (floor(a)==z) for some z ∈ N0
(ii) ⊢ {a==z} a-- {a==z-1}
    ⊢ {floor(a)==z} a-- {floor(a)==z-1}
Would this proof hold for float a?
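To answer that question, here is an added example (my own C code, not part of the slides) that runs the countdown loop on an int and on a float and checks at every iteration whether the proposed variant actually decreased. The helper names float_countdown, int_countdown and decrement_is_noop are my own.

```c
#include <stdio.h>

/* Added example, not from the slides: run `while (a > 0) a--;` on a float
 * and watch the variant floor(a). Returns the number of iterations if the
 * loop exits, or -1 as soon as an iteration leaves a unchanged (the
 * obligation {floor(a)==z} a-- {floor(a)==z-1} is violated) or max_steps
 * is exceeded. */
long float_countdown(float a, long max_steps) {
    long steps = 0;
    while (a > 0) {
        float before = a;
        a--;                        /* a = a - 1.0f, rounded to the nearest float */
        steps++;
        if (a == before) return -1; /* variant did not decrease: the loop is stuck */
        if (steps > max_steps) return -1;
    }
    return steps;
}

/* Same loop on an int: a-- always decreases a, so the variant a==z works. */
long int_countdown(int a) {
    long steps = 0;
    while (a > 0) { a--; steps++; }
    return steps;
}

/* 1 if subtracting 1 from a leaves a unchanged in float arithmetic. */
int decrement_is_noop(float a) { return (float)(a - 1.0f) == a; }

int main(void) {
    printf("int   5          -> %ld steps\n", int_countdown(5));
    printf("float 5.0        -> %ld steps\n", float_countdown(5.0f, 1000));
    printf("float 2.5        -> %ld steps\n", float_countdown(2.5f, 1000));
    printf("float 2^25       -> %ld (-1 = stuck)\n", float_countdown(33554432.0f, 1000));
    printf("float 1e8        -> %ld (-1 = stuck)\n", float_countdown(1e8f, 1000));
    return 0;
}
```

For small values the float loop behaves like the int loop, but once the spacing between adjacent floats exceeds 2, i.e. for a >= 2^25, a - 1.0f rounds back to a, so floor(a) no longer decreases and obligation (ii) is unprovable: the proof does not carry over to float a.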
Termination of gcd
{a==m>0 ∧ b==n>0} while (a!=b) if (a>b) a=a-b else b=b-a {a==b==gcd(m,n)}
We want to show that ⊢ a==m>0 ∧ b==n>0 while (a!=b) ... T, i.e., the loop terminates from every state satisfying the precondition.
Variant φ(z) = (z==a+b); well-founded order: (N0,<)
Show: ⊢ φ(z) if... φ(z') for some z' < z. Proof: let z' = z − min(a,b); inside the loop a>0, b>0 and a!=b, so min(a,b) > 0 and z' ∈ N0 with z' < z.
A more intricate example
= {b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }
Show: ⊢ 0<a<=100 a==91, i.e., started in a state with 0<a<=100 the program terminates with a==91
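The two loops above, with their variants checked at runtime, as an added example (my own C code, not part of the lecture slides). The check records the variant before and after each iteration and requires that it is a natural number that strictly decreases, which is the proof obligation of the termination rule instantiated on a concrete run. For the gcd loop the variant a+b is the one from the slide; for the second loop the variant 21·b − 2·a + 222 is my own assumption, not something the slide gives: each branch changes it by exactly −1, and under the loop invariant b >= 1 ∧ a <= 111 it stays positive. The function names gcd_loop, f91_loop, last_iterations, last_variant_ok and f91_holds_on_precondition are mine.

```c
#include <stdio.h>

/* Added example, not from the slides: runtime check of a loop variant.
 * For every iteration we require z_before in N0 and z_after < z_before. */
static long g_iterations;   /* iterations of the last checked loop */
static int  g_variant_ok;   /* 0 if some iteration violated the obligation */

static void variant_step(long z_before, long z_after) {
    g_iterations++;
    if (z_before < 0 || z_after >= z_before) g_variant_ok = 0;
}
long last_iterations(void) { return g_iterations; }
int  last_variant_ok(void)  { return g_variant_ok; }

/* gcd loop of slide 13 with variant z = a + b. Returns -1 if the
 * precondition m>0, n>0 fails; without it the loop need not terminate. */
long gcd_loop(long m, long n) {
    long a = m, b = n;
    g_iterations = 0; g_variant_ok = 1;
    if (m <= 0 || n <= 0) return -1;
    while (a != b) {
        long z = a + b;
        if (a > b) a = a - b; else b = b - a;
        variant_step(z, a + b);      /* z decreases by min(a,b) > 0 */
    }
    return a;
}

/* Loop of slide 14. Variant z = 21*b - 2*a + 222 (my own choice, not from
 * the slide): the branch a<=100 changes z by 21 - 22 = -1, the other branch
 * by -21 + 20 = -1, and with the invariant b >= 1, a <= 111 (which holds
 * whenever 0 < a <= 100 initially) we get z >= 21 > 0. */
static long variant91(long a, long b) { return 21 * b - 2 * a + 222; }

long f91_loop(long a) {
    long b = 1;
    g_iterations = 0; g_variant_ok = 1;
    while (a <= 100 || b != 1) {
        long z = variant91(a, b);
        if (a <= 100) { a += 11; b++; } else { a -= 10; b--; }
        variant_step(z, variant91(a, b));
    }
    a -= 10;
    return a;
}

/* 1 iff for every 0 < a <= 100 the program ends with a == 91 and the
 * variant check passed on that run. */
int f91_holds_on_precondition(void) {
    for (long a = 1; a <= 100; a++)
        if (f91_loop(a) != 91 || !last_variant_ok()) return 0;
    return 1;
}

int main(void) {
    long g = gcd_loop(48, 18);
    printf("gcd(48,18) = %ld, %ld iterations, variant ok: %d\n",
           g, last_iterations(), last_variant_ok());
    long r = f91_loop(1);
    printf("f91(1) = %ld after %ld iterations, variant ok: %d\n",
           r, last_iterations(), last_variant_ok());
    printf("all 0<a<=100 give 91: %d\n", f91_holds_on_precondition());
    return 0;
}
```

Since the second variant drops by exactly one per iteration, the iteration count of a run equals z at entry minus z at exit; the loop always exits in the state a==101, b==1 (the only way to reach b==1 with a>100 is from a==111), where z == 41, so a==1 takes 241 − 41 = 200 iterations.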