11.6.2015
Software Verification 1
Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für offene Kommunikationssysteme FOKUS
Folie 2H. Schlingloff, Software-Verifikation I
Invariably: Starter Questions …
• What is an invariant? How is it used in verification?
• Is the set of invariants of a loop recursive?
• … or recursively enumerable?
• Is there any decidable invariant?
• How to construct an invariant for a given loop?
• E.g. {i=0; while (i<n) {i++}}
• E.g. {i=0; while (i<n) {i++; j--}}
• E.g. {i=0; while (i<n) {i++; j+=i}}
While[]-Programs
• While-Programs are Turing-complete, but not very convenient to use
• Missing: arrays, pointers, data structures, functions & procedures, modules, inheritance, …
• Today: arrays and search
• Introduce array type X[n], where X is any type and n is any integer
• set V[] of indexed program variables: if i is a program variable of type Int and a is an array variable of type X[n], then a[i] is an indexed program variable of type X
• while[]Prog: indexed program variables can be used in terms and expressions wherever “normal” program variables are allowed
• Semantics: an array variable a: X[n] is evaluated as a partial function V(a): Int → X ∪ {undef}
• V(a)(x) = undef if x < 0 or x ≥ n
• V(a[i]) = V(a)(V(i))
Example: Binary Search
• Input: a sorted array x:Int[n] (i.e., ∀i (x[i-1]<x[i])) and a value a to search for
• Result: index i s.t. x[j]<a for 0<=j<i and x[j]>=a for i<=j<n
Program:
i=0; k=n;
while (i<k) {
  s=(i+k-1)/2; //integer division
  if (a>x[s]) i=s+1
  else k=s
}
Correctness: Show
{n>=0 ∧ ∀i(0<i<n → (x[i-1]<x[i]))}
BinarySearch
{0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)}
where BinarySearch denotes the program above.
[Figures: the array x with its regions marked "<a" and ">=a", first with the index i only, then with the indices i, k and s]
Invariant for Binary Search
• x is sorted, φ0: ∀i(0<i<n → (x[i-1]<x[i]))
• i is changed such that φ1: 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a)
• k is changed such that φ2: 0<=k<=n ∧ ∀j(k<=j<n → x[j]>=a)
• additionally φ3: i<=k
Let φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3
Hoare Proof for Binary Search
{n>=0 ∧ ∀i(0<i<n → (x[i-1]<x[i]))}
i=0; k=n;
{φ}
while (i<k) {
  {φ ∧ i<k}
  s=(i+k-1)/2; //integer division
  if (a>x[s]) i=s+1 else k=s
  {φ}
}
{φ ∧ i>=k}
{i=k ∧ 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)}
{0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)}
φ: 0 <= i <= k <= n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)
{φ ∧ i<k} s=(i+k-1)/2; {φ ∧ i<k ∧ s==(i+k-1)/2} if (a>x[s]) i=s+1 else k=s {φ}
holds since
(φ ∧ i<k ∧ s==(i+k-1)/2 ∧ a>x[s]) → φ[i:=s+1]  and  {φ[i:=s+1]} i=s+1 {φ}
(φ ∧ i<k ∧ s==(i+k-1)/2 ∧ a<=x[s]) → φ[k:=s]  and  {φ[k:=s]} k=s {φ}
proof: see next
φ: 0 <= i <= k <= n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)
Show: φ ∧ i<k ∧ s=(i+k-1)/2 ∧ x[s]<a → φ[i:=s+1]
φ[i:=s+1] is 0<= s+1 <= k <= n ∧ ∀j(0<=j< s+1 → x[j]<a); given φ ∧ i<k ∧ s=(i+k-1)/2 ∧ x[s]<a, it remains to show
(i+k+1)/2 <= k ∧ ∀j(0<=j<= (i+k-1)/2 → x[j]<a)
This holds since
i<k → i+k<k+k → i+k+1<=2*k → (i+k+1)/2<=k
x[s]<a ∧ j=s → x[j]<a
φ0 ∧ x[s]<a ∧ j<s → x[j]<a
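Added example (my own Python, not code from the slides): the binary search program above, with the invariant φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3 checked at every loop head and the postcondition checked at exit, run on a constructed sorted array. The function names `phi`, `binary_search` and `search_all` are assumptions made here.

```python
# Added example, not from the slides: the binary search from the slides with the
# loop invariant phi = phi0 & phi1 & phi2 & phi3 checked at every loop head and
# the postcondition checked at exit. The input array is constructed here.

def phi(x, a, i, k):
    """Loop invariant phi0 .. phi3 from the slides, evaluated on a concrete state."""
    n = len(x)
    phi0 = all(x[j - 1] < x[j] for j in range(1, n))             # x is sorted
    phi1 = 0 <= i <= n and all(x[j] < a for j in range(0, i))    # x[0..i-1] < a
    phi2 = 0 <= k <= n and all(x[j] >= a for j in range(k, n))   # x[k..n-1] >= a
    phi3 = i <= k
    return phi0 and phi1 and phi2 and phi3

def binary_search(x, a):
    """Returns i with x[j] < a for j < i and x[j] >= a for i <= j < n."""
    n = len(x)
    assert n >= 0 and all(x[j - 1] < x[j] for j in range(1, n))  # precondition
    i, k = 0, n
    while i < k:
        assert phi(x, a, i, k)                   # {phi & i<k} at the loop head
        s = (i + k - 1) // 2                     # integer division; i <= s < k
        assert i <= s < k                        # so x[s] is always in range
        if a > x[s]:
            i = s + 1                            # phi[i:=s+1] held before
        else:
            k = s                                # phi[k:=s] held before
    assert phi(x, a, i, k) and i >= k            # {phi & i>=k}, hence i == k
    assert all(x[j] < a for j in range(0, i))    # postcondition, left part
    assert all(x[j] >= a for j in range(i, n))   # postcondition, right part
    return i

def search_all(x, values):
    """Runs binary_search for every value in values; returns the result indices."""
    return [binary_search(x, a) for a in values]

if __name__ == "__main__":
    x = [1, 3, 4, 6, 8]                          # constructed sorted input
    print(search_all(x, [0, 1, 2, 5, 8, 9]))     # [0, 0, 1, 3, 4, 5]
```

The empty array (n=0) satisfies the precondition and returns 0 without entering the loop, which is the case the invariant's bounds 0<=i<=k<=n must cover.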
Last Example: Bubblesort
• Given an array x[0..n-1] of integers, the task is to sort x
• Bubblesort repeatedly exchanges “unordered” elements in x, e.g.:
  6 – 3 – 8 – 4 – 1
  3 – 6 – 8 – 4 – 1
  3 – 6 – 8 – 4 – 1
  3 – 6 – 4 – 8 – 1
  3 – 6 – 4 – 1 – 8
  3 – 6 – 4 – 1 – 8
  3 – 4 – 6 – 1 – 8
  3 – 4 – 1 – 6 – 8
  3 – 1 – 4 – 6 – 8
  etc.
Bubblesort Algorithm
i=n;
while (i>1) {
  i=i-1; k=0;
  while (k!=i) {
    k++;
    if (x[k-1]>x[k]) swap(x[k-1], x[k])
  }
}
Specification of Sortedness
• x is sorted, sorted(x): ∀i(0<i<n → x[i-1] <= x[i])
• x is a permutation of the input array ?
• For sake of simplicity: assume all elements in x are pairwise unequal:
  diff(x): ∀i,j(0<=i != j<n → (x[i]!=x[j])); in this case, x is a permutation of y iff
  perm(x,y): ∀a(∃i x[i]==a ↔ ∃i y[i]==a)
• Specification: {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}
Invariant for Bubblesort
Invariant for the outer loop:
  after first iteration: x[n-1] at correct position
  after second iteration: x[n-1] and x[n-2] at correct position
  after third iteration: x[n-1] .. x[n-3] at correct position
  ...
ordered(x, i): 1<=i<=n ∧ ∀j(i<=j<n → x[j-1] < x[j]) ∧ ∀j(0<=j<i<n → x[j] <= x[i])
then we have: ordered(x, n) ≡ T and ordered(x, 1) → sorted(x)
I: diff(x) ∧ perm(x,y) ∧ ordered(x,i)
Proof of Outer Loop
x==y ∧ diff(x) → perm(x,y)
{x==y ∧ diff(x)} i=n; {x==y ∧ diff(x) ∧ i==n}
x==y ∧ diff(x) ∧ i==n → diff(x) ∧ perm(x,y) ∧ ordered(x,i)
{x==y ∧ diff(x)} i=n; {I}
{I} while (i>1) { ... } {I ∧ (i<=1)} provided that {I ∧ (i>1)} i=i-1; k=0; while (k!=i) { ... } {I}
I ∧ (i<=1) → perm(x,y) ∧ ordered(x,i) ∧ (i<=1) → perm(x,y) ∧ sorted(x)
{I} while (i>1) { ... } {sorted(x) ∧ perm(x,y)}
{x==y ∧ diff(x)} i=n; while (i>1) { ... } {perm(x,y) ∧ sorted(x)}
that is, {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}
Inner Invariant
It remains to show: {I ∧ (i>1)} i=i-1; k=0; while (k!=i) { ... } {I}
Invariant for the inner loop: perm(x,y) ∧ ordered(x,i+1) remains stable
goal of the inner loop: the maximal element from x[0]...x[i-1] is moved to x[i-1]
after each step: 0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])
I' (inner invariant; I is the outer invariant): perm(x,y) ∧ ordered(x,i+1) ∧ 0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])
Proof of Inner Invariant
{I ∧ (i>1)} i=i-1; k=0; {perm(x,y) ∧ ordered(x,i+1) ∧ k==0}
perm(x,y) ∧ ordered(x,i+1) ∧ k==0 → I', hence {I ∧ (i>1)} i=i-1; k=0; {I'}
{I'} while (k!=i) { ... } {I' ∧ (k==i)}, provided that {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {I'}
I' ∧ (k==i) → perm(x,y) ∧ ordered(x,i+1) ∧ ∀j(0<=j<=i → x[i]>=x[j]), which together with diff(x) gives ordered(x,i), i.e. I
hence {I ∧ (i>1)} i=i-1; k=0; while (k!=i) { ... } {I}
it remains to show: {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {I'}
• perm(x,y) remains unchanged
• ordered(x,i+1) is not modified
• for the remaining conjunct:
  {0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j]) ∧ k!=i} k++; {0<=k<=i ∧ ∀j(0<=j<=k-1 → x[k-1]>=x[j])}
  {0<=k<=i ∧ ∀j(0<=j<=k-1 → x[k-1]>=x[j])} if (x[k-1]>x[k]) swap(x[k-1], x[k]) {0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])}