25.6.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut

25.6.2015

Software Verification 1Deductive Verification

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

und

Fraunhofer Institut für offene Kommunikationssysteme FOKUS

http://www.hu-berlin.de/index.html

Folie 2H. Schlingloff, Software-Verifikation I

Terminal Questions …

• What is the meaning of „total correctness“?

• Why can‘t Hoare-rules prove termination?

• Why is it hard to prove termination?

• What is a well-founded ordering?

• Example?

• Another example?

• A counterexample?

• Can you formulate an induction principle?

• What is a variant?

• How is it used to prove termination?

• Could you prove termination of McCarthy‘s 91-function?


John McCarthy’s 91-Function

={b=1; while (a<=100 || b!=1) if (a<=100) {a+=11; b++;} else {a-=10; b--;} a-=10; }

Show: ⊢ 0<a<=100 a==91


• We do the termination part only.

• Hint for the invariant:

(0<b<=11 & 0<a<=111 & (a<=101 | b!=1))• wfo: N0; Variant: (z) = (z==1111+111b-11a-1);

if 0<a<=100 & b==1, we have zN0

• Assume within the while-loop (z) & (a<=100 | b!=1)) Case a<=100: {a+=11; b++} gives

z-10==1111+111(b+1)-11(a+11)-1 Case a>100: {a-=10; b--;} gives

z-1==1111+111(b-1)-11(a-10)-1

• Thus, in both cases there exists z’<z such that (z’) holds


Magic

method McC91(x:nat) returns (y:nat)

requires 0<x<=100ensures y==91{ var a, b := x, 1; while (a<=100 || b!=1) if (a<=100) {a:=a+11; b:=b+1;} else {a:=a-10; b:=b-1;} y:=a-10;}


Finding Variants is Hard

• Try this one:

Mersenne = {n=0; k=0; while (k<48) {n++; if (isprim((2**n)-1)) k++}}

• ... and apply for the Fields-medal if successful


Proof of Termination Proof Rule

• if ⊢ (z) for some zM and⊢ (z) (z’) ¬b for some z’<zthen program while (b) terminates

•Assume not. Then there is an infinite execution ; ; ; ...

such that b holds before and after each Then there is an infinite descending chain z0,

z1, z2, ... such that z0=z and zi+1<zi

Thus, M is not a wfo.


Binary Search Program

:i=0; k=n;while (i<k) { s=i+(k-i-1)/2; //integer division if (a>x[s]) i=s+1 else k=s} Show

n>=0 i(0<i<n (x[i-1]<x[i])

0<=i<=n j(0<=j<i x[j]<a j(i<=j<n x[j]>=a

no-show


•Variant (z)?

•while (i<k) ... suggest (z) = (z=k-i) ⊢ (z)b (z’) ¬b for some z’<z what is a well-founded order for z?

can we guarantee that zN0 ?

•Example: (assume k>0, j>0)

{i=k; while (i!=0) i-=j} terminates iff k%j==0 Assume k%j==0; wfo: (z) = (z=i/j); zN0 {i=k; while (i>=0) i-=j} terminates always.

Proof?no-show


Transforming Variants

We have to show: ⊢ (z) (z’) ¬bMost important case: ⊢ z=t(x) x=f(x) z’=t(x) ¬b

Let z’=t(f(t-1(z)))

⊢ z=t(x) t-1(z)=x since t-1(t(x))=x⊢ t-1(z)=x t(f(t-1(z)))=t(f(x))⊢ t(f(t-1(z)))=t(f(x)) x=f(x) t(f(t-1(z)))=t(x) (ass)

Therefore, ⊢ z=t(x) x=f(x) t(f(t-1(z)))=t(x)

• Ex.: ⊢ z=i+k i=i-j z’=i+k for z’=z-jno-show


Proof for Binary Search Termination

• Solution for binary search: z=(k-i)N0 ? Show 0<=i<=k<=n is invariant (omitted)

Let (z)= (k-i=z) k-i=z i=i+(k-i-1)/2+1 k-i=z’ for

z’ = (z-1)/2 - 1 < zProof: let t(i) = k-i t(z) = k-z t-1(z)= (k-z)f(i) = i+(k-i-1)/2+1 t(f(t-1(z))) = k-((k-z) +(k- (k-z) -1)/2+1) = (z-1)/2-

1

k-i=z k=i+(k-i-1)/2 k-i=z’ forz’= i+((z+i)-i-1)/2-i=(z-1)/2 <z

no-show


Pre- and Postconditions

• Dijkstra: wp-calculus (weakest precondition) characterize the “weakest” formula which makes a

Hoare-triple valid =wp(.) iff ⊢ and

⊢(') for every ’ for which ⊢’ =wlp(.) iff ⊢{}{} and

⊢(') for every ’ for which ⊢{’} {}

• Example: wp(x++, x==7) = (x==6)

• Dijkstra gives a set of rules for wp which can be seen as notational variant of Hoare logic


• wp(skip, ) = • wp(x=t, ) = [x:=t]

• wp({1; 2}, ) = wp(1, wp(2, ))

• wp(if (b) 1 else 2, ) =((b wp(1, )) (¬b wp(2, )))

• wp(while (b) , ) = z (z) z((b(z)) z’ (z’<z wp(, (z’))) z((¬b(z)) )

where is a loop variant and < a wfo, z new var.! This is a non-constructive definition ! Existence???


Examples

• wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10

• wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7)) = wp(x*=2, x>10) = x>5

• wp(if(a<b) a=b, a>=b) = ((a<b wp(a=b, a>=b) (a>=b wp(skip, a>=b))=((a<b b>=b) (a>=b a>=b)) = T

• wp(while (i>0) i--, i==0) = i>=0


Partial Correctness

• Weakest liberal precondition wlp(,)

• wlp(while (b) , ) = ((b) wlp(, )) ((¬b) )

• Dijkstra also used nondeterministic programs („guarded commands“) guarded-command-program ::= while-program |

guarded-command guarded-command ::= b : e | b : e [] guarded-command b: condition, e: guarded-command-program


Strongest Postconditions

• Dual to weakest precondition: the strongest formula which can be guaranteed to hold after execution =sp(, ) iff ⊢ and

⊢( ') for every ’ for which ⊢ ’

• sp(x=t, )= z (x==t[x:=z] [x:=z]) (z new) e.g. sp(x=x-3, x>7) = z (x==z-3 z>7) = x>4

• Pre- and postconditions are important in the presence of methods and procedures


Functions and Procedures

• while-Programs:• whileProg ::= skip | V=T | {whileProg; whileProg} |

if (FOL-) whileProg else whileProg | while (FOL-) whileProg

• T is the set of terms in the signature =(D, F, R)

• Now: extended signature ’=(D{void}, FF’,R)

• If f is of type void, then f(x1,...xn) is an (imperative) program

• term ::= F(T, ..., T) | F’(T, ..., T)

• for each f F’ there must be a declaration:• decl ::= type F’ (V, ... V); whileProg

• V in decl are called formal parameters• T in terms are called actual parameters


• No alias: formal parameters should be pairwise different

• No scoping: formal parameters must be different from program variables

• return statement as assignment to the function name

• If a function or procedure name occurs directly or indirectly in the call graph of its declaration, it is called recursive for the time being: no recursion; Dafny allows recursion!

• There are various ways to pass actual parameters for formal ones (value, reference, name, ...) for the time being, we use only call-by-value passing value w to formal parameter v has the same effect as

the assignment v=w at the entry of the procedure or function


Example

int min (int a, int b) if (a<b) min=a else

min=b;

int max (int a, int b) if (a>b) max=a else

max=b;

int gcd(int a, int b)

while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }

}


Example

int min (int a, int b) if (a<b) min=a else min=b;{x = 5; y = 7; z = min (x, y)}

is equivalent to{ x = 5; y = 7; a = x; b = y; if (a<b) min=a else min=b;z = min; }

need pre- and postconditions to show assertions.


Example

int min (int a, int b) if (a<b) min=a else

min=b; {a<=min b<=min

(a=min b=min)}

int max (int a, int b) if (a>b) max=a else

max=b; {a>=max b>=max

(a=min b=min)}

int gcd(int a, int b) {a==m>0 b==n>0} while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; } gcd = a; {gcd|m gcd|n ...}}


Contracts

• weakest preconditions and strongest postconditions are related to the require-ensure-paradigm (also called assume-guarantee-paradigm):void foo(...) requires

ensures ;is equivalent to

(wp(,)) (sp(, ))

• such a statement is called contract use of contract:

{[x1:=t1, ..., xn:=tn]} foo(t1,...,tn) {}


Example with contracts

int min (int a, int b) if (a<b) min=a else min=b;{a>=min b>=min (a=min b=min)}{T}{x = 5; y = 7; z = min (x, y)} {z==5}

proof:{ x = 5; y = 7; a = x; b = y;}{a==5 b==7}{if (a<b) min=a else min=b;}{a==5 b==7 a>=min b>=min (a=min b=min)}{min==5}{z = min;}{z==5}

Documents

25.6.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut