
Presented by Aditi Barua

A Tutorial on Functional Program Verification TR #10-26 September 2010, revised August 2011 Yoonsik Cheon Melisa Vela. Presented by Aditi Barua. Introduction. Functional program verification Formal program verification technique Based on Cleanroom Software Engineering Involves :


Presentation Transcript


  1. A Tutorial on Functional Program Verification. TR #10-26, September 2010, revised August 2011. Yoonsik Cheon, Melisa Vela. Presented by Aditi Barua.

  2. Introduction
  Functional program verification
  • A formal program verification technique
  • Based on Cleanroom Software Engineering
  • Involves:
    • Viewing the program as a mathematical function (the code function)
    • Documenting the function that computes the expected behavior of the code (the intended function)
    • Comparing the intended function and the code function

  3. Advantages
  • Requires minimal mathematical background.
  • Reflects the way programmers verify the correctness of a program.
  • Helps one become proficient with other verification techniques.

  4. Writing Intended Function & Code Function
  • A program is a mathematical function from one state to another
      Initial state: {x -> 10, sum -> 100}
        sum = sum + x;
      Final state:   {x -> 10, sum -> 110}

  5. Concurrent Assignment
  • Notation to express a function by stating only the changes to the input state.
  • [x1, x2, …, xn := e1, e2, …, en]
  • Each xi's new value is ei
  • All ei are evaluated concurrently in the initial state
  • Program variables that do not appear remain the same.
  • Examples:
    1) sum = sum + x;                      [sum := sum + x]
    2) x = x + y; y = x - y; x = x - y;    [x, y := y, x]

  6. Conditional Concurrent Assignment
  • Different functions for different conditions.
  • Conditions are evaluated in the initial state.
  • Conditions are evaluated sequentially.
  • If multiple conditions hold, the function of the first matching condition is picked.
  • Example:
      [x > 0 -> sign := 1 | x < 0 -> sign := -1 | else -> sign := 0]

  7. Special Symbols and Keywords
  • Identity function, denoted by I
      [n > maxSize -> n := maxSize | else -> I]
  • undefined
      [n > 0 -> avg := sum/n | else -> undefined]
  • anything
      [sum, i := sum + ∑_{j=i}^{a.length-1} a[j], anything]
      while (i < a.length) { sum += a[i]; i++; }

  8. Verifying Correctness
  • Verification involves showing two properties, where f = intended function and p = code function:
    • dom(f) ⊆ dom(p)
    • p(x) = f(x) for x ∈ dom(f)
  • Assignment statement
    • The code function and the intended function are often the same.
        //@ [x := x + 1]
        x = x + 1;

  9. Verifying Correctness
  • Sequential composition
    Annotated code:
        //@ [n > 0 → sum, avg := sum + a, (sum + a)/n]
        sum = sum + a;
        avg = sum / n;
    Proof of correctness:
        [sum := sum + a]; [n != 0 → avg := sum/n]
        ≡ [n != 0 → sum, avg := sum + a, (sum + a)/n]
        ⊑ [n > 0 → sum, avg := sum + a, (sum + a)/n]

  10. Sequential Composition (Cont.)
  • Trace table
        x = x + 1;
        y = 2 * x;
        z = x * y;
        x = x + 1;
        y = 3 * x;
    [x, y, z := x + 2, 3(x + 2), 2x² + 4x + 2]
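The slides define the semantics of concurrent assignment (slide 5), conditional concurrent assignment (slide 6), sequential composition and the refinement relation ⊑ (slides 8 to 10) but never show them executed. The following is an added example, not code from the tutorial or the slides: it encodes a state as a Python dict, evaluates intended functions exactly as the slides describe (all right-hand sides in the initial state, conditions in order, None for "undefined"), and checks on a small constructed grid of states whether each code function refines its intended function. The helper names, the state encoding and the sample states are assumptions of this example; a pass over a finite sample is a check, not the proof the slides go on to build.

```python
"""Checking code functions against intended functions written as (conditional)
concurrent assignments, by running both on a finite sample of states.
Added example; it is not code from the tutorial or the slides. The state
representation (a dict), the helper names and the sample states are constructed here."""

def concurrent_assign(state, updates):
    """[x1, ..., xn := e1, ..., en]: every ei is evaluated in the initial
    state before any variable changes; variables not listed keep their value."""
    new_values = {var: expr(state) for var, expr in updates.items()}
    return {**state, **new_values}

def conditional_assign(state, cases):
    """[c1 -> A1 | c2 -> A2 | ... | else -> An]: conditions are tested in order
    in the initial state and the first match wins. A case whose condition is
    None is the 'else' branch; an assignment of None means 'undefined'."""
    for cond, updates in cases:
        if cond is None or cond(state):
            return None if updates is None else concurrent_assign(state, updates)
    return None  # no case matched: the function is undefined here

def compose(*fs):
    """f1; f2; ...: sequential composition, undefined if any step is undefined."""
    def run(state):
        for f in fs:
            if state is None:
                return None
            state = f(state)
        return state
    return run

def refines(p, f, states):
    """p ⊑ f on the sample: wherever f is defined, p is defined and agrees."""
    for s in states:
        want = f(s)
        if want is None:          # outside dom(f): p may do anything
            continue
        got = p(s)
        if got is None or any(got[v] != want[v] for v in want):
            return False
    return True

# --- Slide 5, example 2: swapping with three assignments ------------------
def swap_code(s):
    s = dict(s)
    s['x'] = s['x'] + s['y']
    s['y'] = s['x'] - s['y']
    s['x'] = s['x'] - s['y']
    return s

def swap_intended(s):           # [x, y := y, x]
    return concurrent_assign(s, {'x': lambda t: t['y'], 'y': lambda t: t['x']})

# --- Slide 6: sign of x ---------------------------------------------------
def sign_code(s):
    s = dict(s)
    if s['x'] > 0:
        s['sign'] = 1
    elif s['x'] < 0:
        s['sign'] = -1
    else:
        s['sign'] = 0
    return s

def sign_intended(s):           # [x > 0 -> sign := 1 | x < 0 -> sign := -1 | else -> sign := 0]
    return conditional_assign(s, [(lambda t: t['x'] > 0, {'sign': lambda t: 1}),
                                  (lambda t: t['x'] < 0, {'sign': lambda t: -1}),
                                  (None,                 {'sign': lambda t: 0})])

# --- Slide 10: the trace table as a composition of five assignments -------
trace_code = compose(
    lambda s: concurrent_assign(s, {'x': lambda t: t['x'] + 1}),
    lambda s: concurrent_assign(s, {'y': lambda t: 2 * t['x']}),
    lambda s: concurrent_assign(s, {'z': lambda t: t['x'] * t['y']}),
    lambda s: concurrent_assign(s, {'x': lambda t: t['x'] + 1}),
    lambda s: concurrent_assign(s, {'y': lambda t: 3 * t['x']}))

def trace_intended(s):          # [x, y, z := x+2, 3(x+2), 2x^2 + 4x + 2]
    return concurrent_assign(s, {'x': lambda t: t['x'] + 2,
                                 'y': lambda t: 3 * (t['x'] + 2),
                                 'z': lambda t: 2 * t['x'] ** 2 + 4 * t['x'] + 2})

# --- Slide 9: sum = sum + a; avg = sum / n;  against [n > 0 -> ...] ------
def avg_code(s):
    if s['n'] == 0:             # division by zero: the code function is undefined
        return None
    s = dict(s)
    s['sum'] = s['sum'] + s['a']
    s['avg'] = s['sum'] / s['n']
    return s

def avg_intended(s):            # [n > 0 -> sum, avg := sum + a, (sum + a)/n]
    return conditional_assign(s, [(lambda t: t['n'] > 0,
                                   {'sum': lambda t: t['sum'] + t['a'],
                                    'avg': lambda t: (t['sum'] + t['a']) / t['n']})])

# Constructed sample states (small integer grids, not from the slides).
XY_STATES = [{'x': x, 'y': y} for x in range(-3, 4) for y in range(-3, 4)]
AVG_STATES = [{'n': n, 'sum': m, 'a': a} for n in range(-2, 3) for m in (0, 10) for a in (1, 5)]

def check_all():
    """Each entry answers: does the first function refine the second on the sample?"""
    return {
        'swap':  refines(swap_code, swap_intended, XY_STATES),
        'sign':  refines(sign_code, sign_intended, XY_STATES),
        'trace': refines(trace_code, trace_intended, XY_STATES),
        'avg':   refines(avg_code, avg_intended, AVG_STATES),
        # ⊑ is not symmetric: n = -1 is in dom(avg_code) but not in dom(avg_intended)
        'avg_reversed': refines(avg_intended, avg_code, AVG_STATES),
    }

if __name__ == '__main__':
    for name, ok in check_all().items():
        print(f'{name}: {"refines" if ok else "does NOT refine"}')
```

The `avg_reversed` entry is the point worth pausing on: the slide's ⊑ step only goes one way, because the code is defined for every n != 0 while the intended function restricts itself to n > 0, so dom(f) ⊆ dom(p) holds but dom(p) ⊆ dom(f) does not.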

  11. Sequential Composition (Cont.)
  • Modular verification
    Annotated code:
        //@ [f0]
        //@ [f1]
        S1;
        //@ [f2]
        S2;
    Proof of correctness:
      • f1; f2 ⊑ f0
      • S1 ⊑ f1
      • S2 ⊑ f2

  12. Conditional Statement
  • Conditional trace table
        p = a * r;
        if (a < b) b = b - a; else b = b - p;
    [a < b → p, b := a*r, b - a | a ≥ b → p, b := a*r, b - (a*r)]

  13. Conditional Statement (Cont.)
  • Case analysis
    Annotated code:
        //@ [f]
        if (B) S1; else S2;
    Proof of correctness:
      • B ⇒ S1 ⊑ f
      • ¬B ⇒ S2 ⊑ f

  14. Verifying Iteration
  • More involved, as there is no known algorithm to calculate the code function of a while statement.
  • Solution: proof by induction
  • The intended function is the induction hypothesis.
        //@ [f1]
        while (B) S
    ≡
        //@ [f1]
        if (B) { S; while (B) S }
    ≡
        //@ [f1]
        if (B) { S; [f1] }

  15. Verifying Iteration (Cont.)
  • Using induction to prove the correctness of a while statement.
    Annotated code:
        //@ [f1]
        while (B)
          //@ [f2]
          S
    which is verified in the form
        //@ [f1]
        if (B) {
          //@ [f2]
          S
          [f1]
        }
    Proof of correctness: the following three proof obligations must be discharged:
      1) Termination of the loop
      2) Basis step: ¬(i < a.length) ⇒ I ⊑ f1
      3) Induction step: i < a.length ⇒ f2; f1 ⊑ f1, and the correctness of f2 and its code

  16. Initialized Loop
  • An uninitialized loop is a generalization of an initialized loop.
  • A loop preceded by initialization computes something useful.
  • Example:
        /*@ f1: [sum, i := sum + ∑_{j=i}^{a.length-1} a[j], anything] */
        while (i < a.length) {
          //@ f2: [sum, i := sum + a[i], i + 1]
          sum += a[i];
          i++;
        }

  17. Verification of Initialized Loop
  • Annotated code:
        //@ [f0]
        //@ [f1]
        S1
        //@ [f2]
        while (B) {
          //@ [f3]
          S2
        }
  • Proof of correctness: discharge the following proof obligations:
      1) f1; f2 ⊑ f0
      2) S1 ⊑ f1
      3) while (B) S2 ⊑ f2, which requires the following subproofs:
         a) Termination of the loop
         b) Basis step: ¬B ⇒ I ⊑ f2
         c) Induction step: B ⇒ f3; f2 ⊑ f2, and S2 ⊑ f3

  18. Exercise
  • Annotate with intended functions:
        while (i < a.length) {
          if (a[i] > k) {
            r++;
          }
          i++;
        }

  19. Solution
        //@ f1: [r, i := r + ∑_{j=i}^{a.length-1} (a[j] > k ? 1 : 0), anything]
        while (i < a.length) {
          //@ f2: [r, i := a[i] > k ? r + 1 : r, i + 1]
          //@ [r := a[i] > k ? r + 1 : r]
          if (a[i] > k) {
            //@ [r := r + 1]
            r++;
          }
          //@ [i := i + 1]
          i++;
        }
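Slides 14 to 17 state the loop proof obligations (termination, basis step, induction step, and the body refining its own intended function) and the exercise above is the natural place to see them discharged. The following is an added example, not code from the tutorial or the slides: f1 and f2 transcribe the solution's intended functions into Python, `body` and `loop` are the code functions of the exercise, and `check_loop` evaluates each obligation over a constructed grid of small arrays. The `ANY` sentinel, the variant a.length - i, the sample states and the deliberately defective `buggy_body` are assumptions of this example, and a finite sample is a check of the obligations, not the inductive proof itself.

```python
"""Discharging the proof obligations for the exercise loop (slides 18 and 19)
on a finite sample of states. Added example, not code from the tutorial or
the slides: f1 and f2 transcribe the solution slide, while the state encoding,
the variant, the sample states and buggy_body are constructed here."""
from itertools import product

ANY = object()   # stands for an 'anything' slot in an intended function

def B(s):
    """Loop condition: i < a.length"""
    return s['i'] < len(s['a'])

def f1(s):
    """[r, i := r + sum_{j=i}^{a.length-1} (a[j] > k ? 1 : 0), anything]"""
    count = sum(1 for j in range(s['i'], len(s['a'])) if s['a'][j] > s['k'])
    return {**s, 'r': s['r'] + count, 'i': ANY}

def f2(s):
    """[r, i := a[i] > k ? r + 1 : r, i + 1]; undefined unless a[i] exists."""
    if not B(s):
        return None
    return {**s, 'r': s['r'] + (1 if s['a'][s['i']] > s['k'] else 0), 'i': s['i'] + 1}

def body(s):
    """Code function of one iteration: if (a[i] > k) { r++; } i++;"""
    s = dict(s)
    if s['a'][s['i']] > s['k']:
        s['r'] += 1
    s['i'] += 1
    return s

def buggy_body(s):
    """Constructed defect for comparison: the test is >= instead of >."""
    s = dict(s)
    if s['a'][s['i']] >= s['k']:
        s['r'] += 1
    s['i'] += 1
    return s

def loop(s, step=body):
    """Code function of the whole while statement."""
    while B(s):
        s = step(s)
    return s

def refines(p, f, states, observed):
    """p ⊑ f on the sample: where f is defined, p is defined and agrees on the
    `observed` variables (so an 'anything' slot is never compared)."""
    for s in states:
        want = f(s)
        if want is None:
            continue
        got = p(s)
        if got is None or any(got[v] != want[v] for v in observed):
            return False
    return True

def check_loop(step=body):
    """Slide 15's obligations for `while (B) step` against f1, plus the
    end-to-end check, with a.length - i as the termination variant."""
    states = [{'a': list(a), 'k': k, 'i': i, 'r': r}
              for n in range(4) for a in product(range(3), repeat=n)
              for k in (0, 1) for i in range(n + 1) for r in (0, 5)]
    in_loop = [s for s in states if B(s)]
    variant = lambda s: len(s['a']) - s['i']
    return {
        # 1) termination: the variant is non-negative and strictly decreases per iteration
        'termination': all(variant(s) >= 0 and variant(f2(s)) < variant(s) for s in in_loop),
        # 2) basis step: ¬B ⇒ I ⊑ f1 (the sum over an empty index range is 0)
        'basis': refines(lambda s: s, f1, [s for s in states if not B(s)], ['r']),
        # 3) induction step: B ⇒ f2; f1 ⊑ f1
        'induction': refines(lambda s: f1(f2(s)), f1, in_loop, ['r']),
        #    ... and the body's code refines f2
        'body': refines(step, f2, in_loop, ['r', 'i']),
        # what the obligations together justify: the loop's code refines f1
        'whole_loop': refines(lambda s: loop(s, step), f1, states, ['r']),
    }

if __name__ == '__main__':
    print('correct body:', check_loop())
    print('buggy body:  ', check_loop(buggy_body))
```

Running it with `buggy_body` shows how the modular structure localizes a defect: termination, basis and induction step still hold, because they concern only f1 and f2, while the body obligation S ⊑ f2 fails, and with it the end-to-end check.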

  20. Reference
  • Yoonsik Cheon and Melisa Vela. A Tutorial on Functional Program Verification. Technical Report 10-26, Department of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010.
