Software Verification 1 Deductive Verification

8.12.2011

Software Verification 1Deductive Verification

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

und

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

http://www.hu-berlin.de/index.html

Folie 2H. Schlingloff, Software Verification I

Example: Binary Search

•Extend the notion of “program variable” to indexed variables (v[i] for 1=1..n)

• Input: a sorted array x[0..n-1] (i (x[i-1]<x[i]) and a value a to search for

•Result: index i s.t. a>x[j] for 0<=jx[s]) i=s+1 else k=s}

1.12.2011

Show{n>=0 i(0<i<n (x[i-1]<x[i])}

{0<=i<=n j(0<=j=a}


Invariant for Binary Search

• x is sorted 0 : i(0<i<n (x[i-1]<x[i])

• i is changed such that 1 : 0<=i<=n j(0<=j=a)

• additionally 3 : i<=k

Let = 0 1 2 3

8.12.2011


Hoare Proof for Binary Search

{n>=0 i(0<i<n (x[i-1]<x[i])}i=0; k=n;{}while (i<k) { { i<k} s=(i+k-1)/2; //integer division if (a>x[s]) i=s+1 else k=s {}}{ i>=k}{i=k 0<=i<=n j(0<=j=a)}{0<=i<=n j(0<=j=a)}

8.12.2011


: 0 <= i <= k <= n j(0<=j=a) { i<k} s=(i+k-1)/2;{ i<k s==(i+k-1)/2}if (a>x[s]) i=s+1else k=s{}

holds since { i<k s=(i+k-1)/2 a>x[s]} {[i:=s+1]} i=s+1 {} { i<k s=(i+k-1)/2 a<=x[s]} {[k:=s]} k=s {}proof: see next

8.12.2011


: 0 <= i <= k <= n j(0<=j=a)

Show: i<k s=(i+k-1)/2 x[s]<a [i:=s+1] i<k s=(i+k-1)/2 x[s]<a

0<= s+1 <= k <= n j(0<=j< s +1 x[j]<a) i<k s=(i+k-1)/2 x[s]<a

(i+k+1)/2 <= k j(0<=j<= (i+k-1)/2 x[j]<a)

holds since i<k i+k<k+k i+k+1<=2*k (i+k+1)/2<=k x[s]<a j=s x[j]<a 0 x[s]<a j<s x[j]<a

8.12.2011


Last Example: Bubblesort

• Given an array x [0..n-1] of integers, the task is to sort x

• Bubblesort repeatedly exchanges “unordered” elements in x, e.g.: 6 – 3 – 8 – 4 – 1 3 – 6 – 8 – 4 – 1 3 – 6 – 8 – 4 – 1 3 – 6 – 4 – 8 – 1 3 – 6 – 4 – 1 – 8 3 – 6 – 4 – 1 – 8 3 – 4 – 6 – 1 – 8 3 – 4 – 1 – 6 – 8 3 – 1 – 4 – 6 – 8 etc.

8.12.2011


Bubblesort Algorithm

:: i=n;: while (i>1) { : i=i-1; k=0; : while (k!=i){ : k++; : if (x[k-1]>x[k]) swap(x[k-1], x[k]) : }: }:

8.12.2011


Specification of Sortedness

• x is sorted sorted(x): i(0<i<n x[i-1] <= x[i])

• x is a permutation of the input array ?

• For sake of simplicity: assume all elements in x are pairwise unequal:

diff(x): i,j(0<=i != j<n (x[i]!=x[j])} in this case, x is a permutation of y iff

perm(x,y): a(i x[i]==a i y[i]==a)

• Specification{x==y diff(x)} {sorted(x) perm(x,y)}

8.12.2011


Invariant for Bubblesort

Invariant for loop at :after first iteration: x[n-1] at correct positionafter second iteration: x[n-1] and x[n-2] at correct positionafter third iteration: x[n-1] .. x[n-3] at correct position

...ordered(x, i): 1<=i<=n

j(i<=j<n x[j-1] < x[j]) j(0<=j<i <n x[j] <= x[i])

then we have: ordered(x, n) T ordered(x, 1) sorted(x)

I: diff(x) perm(x,y) ordered(x,i)

8.12.2011


Proof of Outer Loop

x==y diff(x) perm(x,y): x==y diff(x) : x==y diff(x) i==n x==y diff(x) i==n diff(x) perm(x,y) ordered(x,i): x==y diff(x) : I

: I : I (i<=1) provided that : I (i>1) : Iperm(x,y) ordered(x,i) (i<=1) perm(x,y) sorted(x): I : sorted(x) perm(x,y)

: x==y diff(x) : perm(x,y) sorted(x)

that is, {x==y diff(x)} {sorted(x) perm(x,y)}

8.12.2011


Inner Invariant

It remains to show: : I (i>1) : I

Invariant for loop at : perm(x,y) ordered(x,i+1) remains stable

goal of the inner loop: maximal element from x[0]...x[i-1] is moved to x[i-1]

after each step: 0<=k<=i j(0<=j<=k x[k]>=x[j])

I: perm(x,y) ordered(x,i+1) 0<=k<=i j(0<=j<=k x[k]>=x[j])

8.12.2011


Proof of Inner Invariant

: I (i>1) : perm(x,y) ordered(x,i+1) k==0

perm(x,y) ordered(x,i+1) k==0 I: I (i>1) : I

: I : I (k==i), provided that : I (k!=i) : I

I (k==i) perm(x,y) ordered(x,i+1) j(0<=j<=i x[i]>=x[j])

: I (i>1) : I

it remains to show: : I (k!=i) : I

• perm(x,y) remains unchanged

• ordered(x,i+1) is not modified : 0<=k<=i j(0<=j<=k x[k]>=x[j]) k!=i

: 0<=k<=i j(0<=j<=k-1 x[k-1]>=x[j]) : I (k!=i) : 0<=k<=i j(0<=j<=k x[k]>=x[j])

8.12.2011

Documents

Software Verification 1 Deductive Verification