Software Verification 1: Deductive Verification. Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Hoare calculus
• ⊢ {φ[v:=t]} v=t {φ} (ass)
• ⊢ {φ} skip {φ} (usually omitted)
• if ⊢ {φ} S1 {χ} and ⊢ {χ} S2 {ψ}, then ⊢ {φ} {S1; S2} {ψ} (seq)
• if ⊢ {φ ∧ b} S1 {ψ} and ⊢ {φ ∧ ¬b} S2 {ψ}, then ⊢ {φ} if (b) S1 else S2 {ψ} (ite)
• if ⊢ {φ ∧ b} S {φ}, then ⊢ {φ} while (b) S {φ ∧ ¬b} (whi); φ is the loop invariant
• if ⊢ (φ' → φ) and ⊢ {φ} S {ψ}, then ⊢ {φ'} S {ψ} (imp1, strengthening the precondition)
• if ⊢ {φ} S {ψ} and ⊢ (ψ → ψ'), then ⊢ {φ} S {ψ'} (imp2, weakening the postcondition)
• the semantics (meaning) of a program S is the set of all derivable Hoare triples {φ} S {ψ}
• these are partial-correctness triples: {φ} S {ψ} states that ψ holds whenever S terminates from a state satisfying φ; the rules above do not establish termination
Examples
• {x==17} x++ {x==18}
• {x==17} y=x+1 {y==18}
• {x==17} {x++; y=x+1} {y==19}
• {a==m ∧ b==n} if (a<=b) c = a else c = b {c==min(m,n)}
• {a==m>0 ∧ b==n>0} while (a!=0) {c = a; a = b%a; b = c} {b==gcd(m,n)}
Sample proof: exponentiation
Consider the following while-program (fast exponentiation by repeated squaring; / is integer division):
  {c=1;
   while (b!=0) {
     if (b%2==0) {b=b/2; a=a*a} else {b=b-1; c=c*a}
   }
  }
We want to show that ⊢ {a==m ∧ b==n} {c=1; while (b!=0) ...} {c==m**n}.
Note that the exponent is meant to be non-negative: for n<0 the loop never reaches b==0 and does not terminate, so the triple, being a partial-correctness statement, holds there only vacuously.
Sample proof: exponentiation
(1) ⊢ {a==m ∧ b==n} c=1 {a==m ∧ b==n ∧ c==1} (ass)
(2) ⊢ {a==m ∧ b==n} c=1 {c*a**b==m**n} (imp2, 1), since c==1 ∧ a==m ∧ b==n → c*a**b==m**n
(3) ⊢ {c*(a*a)**(b/2)==m**n} b=b/2 {c*(a*a)**b==m**n} (ass)
(4) ⊢ {c*a**b==m**n ∧ b!=0 ∧ b%2==0} b=b/2 {c*(a*a)**b==m**n} (imp1, 3), since for even b, a**b==(a*a)**(b/2)
(5) ⊢ {c*(a*a)**b==m**n} a=a*a {c*a**b==m**n} (ass)
(6) ⊢ {c*a**b==m**n ∧ b!=0 ∧ b%2==0} {b=b/2; a=a*a} {c*a**b==m**n} (seq, 4, 5)
(7) ⊢ {c*a*a**(b-1)==m**n} b=b-1 {c*a*a**b==m**n} (ass)
(8) ⊢ {c*a**b==m**n ∧ b!=0 ∧ b%2!=0} b=b-1 {c*a*a**b==m**n} (imp1, 7), since for b>=1, a**b==a*a**(b-1)
(9) ⊢ {c*a*a**b==m**n} c=c*a {c*a**b==m**n} (ass)
(10) ⊢ {c*a**b==m**n ∧ b!=0 ∧ b%2!=0} {b=b-1; c=c*a} {c*a**b==m**n} (seq, 8, 9)
(11) ⊢ {c*a**b==m**n ∧ b!=0} if (b%2==0) {b=b/2; a=a*a} else {b=b-1; c=c*a} {c*a**b==m**n} (ite, 6, 10)
(12) ⊢ {c*a**b==m**n} while (b!=0) if ... {c*a**b==m**n ∧ b==0} (whi, 11)
(13) ⊢ {a==m ∧ b==n} {c=1; while (b!=0) if ...} {c*a**b==m**n ∧ b==0} (seq, 2, 12)
(14) ⊢ {a==m ∧ b==n} {c=1; while (b!=0) if ...} {c==m**n} (imp2, 13), since b==0 gives a**b==1
Note that the guards b%2==0 and b%2!=0 are needed already in steps (4) and (8): the implications c*a**b==m**n → c*(a*a)**(b/2)==m**n and c*a**b==m**n → c*a*a**(b-1)==m**n do not hold for arbitrary b, only for even b and for b>=1 respectively.
Other notation: the same proof written as an annotated program, with the assertions in braces between the statements
  {a==m ∧ b==n}
  c=1;
  {a==m ∧ b==n ∧ c==1}
  {c*a**b==m**n}
  while (b!=0) {
    {c*a**b==m**n ∧ b!=0}
    if (b%2==0) {
      {c*a**b==m**n ∧ b!=0 ∧ b%2==0}
      b=b/2;
      {c*(a*a)**b==m**n}
      a=a*a
      {c*a**b==m**n}
    } else {
      {c*a**b==m**n ∧ b!=0 ∧ b%2!=0}
      b=b-1;
      {c*a*a**b==m**n}
      c=c*a
      {c*a**b==m**n}
    }
    {c*a**b==m**n}
  }
  {c*a**b==m**n ∧ b==0}
  {c==m**n}
A more complex example: gcd
{a==m>0 ∧ b==n>0} while (a!=b) if (a>b) a=a-b else b=b-a {a==b==gcd(m,n)}
where a==gcd(m,n) iff a|m ∧ a|n ∧ ∀x (x|m ∧ x|n ⇒ x<=a).
What we need to know from math is
(x < y) ⇒ gcd(x,y) == gcd(x,y−x)
(x > y) ⇒ gcd(x,y) == gcd(x,x−y)
(x == y) ⇒ gcd(x,y) == x
Proof of (x < y) ⇒ gcd(x,y) == gcd(x,y−x)
If x<y, then y−x>0, hence gcd(x,y−x) is well-defined.
If z|x and z|y, then z|(y−x): from x=z*x' and y=z*y' we get y−x=z*(y'−x').
If z|x and z|(y−x), then z|y: from x=z*x' and y−x=z*w we get y=x+(y−x)=z*(x'+w).
Hence {z : z|x ∧ z|y} == {z : z|x ∧ z|(y−x)}: both pairs have the same common divisors, so also the same greatest common divisor, which means gcd(x,y) == gcd(x,y−x).
The case x>y is symmetric, and for x==y every common divisor of x and x is a divisor of x, so gcd(x,x)==x.
Hoare proof for gcd, as an annotated program
  {a==m>0 ∧ b==n>0}
  {gcd(a,b)==gcd(m,n)}
  while (a!=b) {
    {gcd(a,b)==gcd(m,n) ∧ a!=b}
    if (a>b) {
      {gcd(a,b)==gcd(m,n) ∧ a>b ∧ a!=b}
      {gcd(a-b,b)==gcd(m,n)}
      a=a-b
      {gcd(a,b)==gcd(m,n)}
    } else {
      {gcd(a,b)==gcd(m,n) ∧ a<=b ∧ a!=b}
      {gcd(a,b-a)==gcd(m,n)}
      b=b-a
      {gcd(a,b)==gcd(m,n)}
    }
    {gcd(a,b)==gcd(m,n)}
  }
  {a==b ∧ gcd(a,b)==gcd(m,n)}
  {a==b==gcd(m,n)}
Strictly, the invariant must also carry a>0 ∧ b>0. The (whi) rule requires the exit implication a==b ∧ gcd(a,b)==gcd(m,n) → a==gcd(m,n) for every state satisfying the invariant, not only for the reachable ones, and for a==b<0 the left side holds while a is not the gcd. Positivity is preserved by both branches (a>b>0 gives a-b>0, and b>a>0 gives b-a>0), it is what makes the lemma's side condition y−x>0 available, and it turns the exit step into gcd(a,a)==a for a>0.
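The following script is an added example, not part of the lecture slides. It mechanizes the rules from the "Hoare calculus" slide for both proofs above, the exponentiation program and the subtractive gcd: wp() computes weakest preconditions by syntactic substitution (the (ass) rule), threads them through (seq) and (ite), and for a (whi) loop emits the side conditions inv ∧ b → wp(body, inv) and inv ∧ ¬b → post. The implications that the slides discharge with (imp1)/(imp2) are then checked by enumerating every state over a small integer range, so a passing check is evidence on those states only, not a proof for all integers. The tuple encoding of statements, the names subst/wp/check, and the domains chosen are this example's own assumptions; Python's // stands for the slides' integer division /, and Python 3.9+ is needed for ast.unparse.

```python
"""Brute-force Hoare-triple checker over a small finite domain (added example)."""
import ast
import itertools
import math

# Statement encoding used by this example (an assumption, not lecture notation):
#   ("assign", var, expr)          var = expr
#   ("seq", s1, s2)                s1; s2
#   ("if", cond, s_then, s_else)   if (cond) s_then else s_else
#   ("while", cond, inv, body)     while (cond) body, annotated with invariant inv
# Conditions and assertions are Python expression strings (==, and, not, **, //, %).


def subst(phi, var, expr):
    """Return phi[var := expr], substituting at the AST level (the (ass) rule)."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return replacement if node.id == var else node

    return ast.unparse(Sub().visit(ast.parse(phi, mode="eval")))


def wp(stmt, post, vcs):
    """Weakest precondition of stmt for post; loop side conditions are appended to vcs."""
    kind = stmt[0]
    if kind == "assign":
        return subst(post, stmt[1], stmt[2])
    if kind == "seq":
        return wp(stmt[1], wp(stmt[2], post, vcs), vcs)
    if kind == "if":
        _, b, s1, s2 = stmt
        then_wp, else_wp = wp(s1, post, vcs), wp(s2, post, vcs)
        return f"(not ({b}) or ({then_wp})) and (({b}) or ({else_wp}))"
    if kind == "while":
        _, b, inv, body = stmt
        body_wp = wp(body, inv, vcs)
        vcs.append(f"not (({inv}) and ({b})) or ({body_wp})")    # inv and b -> wp(body, inv)
        vcs.append(f"not (({inv}) and not ({b})) or ({post})")  # inv and not b -> post
        return inv                                               # the loop is entered in an inv-state
    raise ValueError(f"unknown statement kind {kind!r}")


def check(pre, prog, post, variables, domain):
    """Enumerate all states over domain; return [(vc, counterexample)] for each failing VC.

    An empty list means {pre} prog {post} holds on every enumerated state."""
    vcs = []
    main = wp(prog, post, vcs)
    vcs.append(f"not ({pre}) or ({main})")                      # pre -> wp(prog, post)  (imp1)
    failures = []
    for vc in vcs:
        code = compile(vc, "<vc>", "eval")
        for values in itertools.product(domain, repeat=len(variables)):
            state = dict(zip(variables, values))
            if not eval(code, {"__builtins__": {}, "gcd": math.gcd}, dict(state)):
                failures.append((vc, state))
                break                                            # one counterexample per VC is enough
    return failures


# Slide program: fast exponentiation with the slide's invariant c*a**b == m**n.
EXP = ("seq", ("assign", "c", "1"),
       ("while", "b != 0", "c * a**b == m**n",
        ("if", "b % 2 == 0",
         ("seq", ("assign", "b", "b // 2"), ("assign", "a", "a * a")),
         ("seq", ("assign", "b", "b - 1"), ("assign", "c", "c * a")))))


def exp_failures():
    # Domain restricted to non-negative values: for n < 0 the loop never terminates.
    return check("a == m and b == n", EXP, "c == m**n",
                 ["a", "b", "c", "m", "n"], range(0, 6))


# Slide program: subtractive gcd.  SLIDE_INV is the invariant as written on the slide;
# STRONG_INV additionally carries positivity, which the exit step a==b -> a==gcd(m,n) needs.
SLIDE_INV = "gcd(a, b) == gcd(m, n)"
STRONG_INV = "gcd(a, b) == gcd(m, n) and a > 0 and b > 0"


def gcd_failures(inv):
    prog = ("while", "a != b", inv,
            ("if", "a > b", ("assign", "a", "a - b"), ("assign", "b", "b - a")))
    # The domain deliberately includes negative values: (whi) quantifies over every
    # state satisfying inv and not b, not only over the states the program can reach.
    return check("a == m and m > 0 and b == n and n > 0", prog,
                 "a == b and a == gcd(m, n)", ["a", "b", "m", "n"], range(-3, 6))


if __name__ == "__main__":
    print("exponentiation:", exp_failures() or "all VCs hold")
    print("gcd, slide invariant:", gcd_failures(SLIDE_INV) or "all VCs hold")
    print("gcd, strengthened invariant:", gcd_failures(STRONG_INV) or "all VCs hold")
```

Run stand-alone, the exponentiation triple and the gcd triple with the strengthened invariant pass on every enumerated state, while the gcd triple with the slide's bare invariant is refuted by the exit condition at a state such as a==b==m==n==-3, where gcd(a,b)==gcd(m,n) holds but a is not the gcd. The same check() can be pointed at the alternative gcd version on the next slide once an invariant for it has been chosen.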
gcd, alternative version
{a==m>0 ∧ b==n>0} while (a!=0) {c = a; a = b%a; b = c} {b==gcd(m,n)}
Proof: homework!