530 likes | 693 Views
Functional Verification IV: Revisiting Loop Invariants. Software Testing and Verification Lecture Notes 24. Prepared by Stephen M. Thebaut, Ph.D. University of Florida. Last Time…. Iteration Recursion Lemma (IRL) Termination predicate: term (f,P)
E N D
Functional Verification IV: Revisiting Loop Invariants Software Testing and Verification Lecture Notes 24 Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Last Time… • Iteration Recursion Lemma (IRL) • Termination predicate: term(f,P) • Correctness conditions for while_do statement • Sufficient correctness conditions • Correctness conditions for repeat_until statement • Subgoal Induction
Today’s Topics • Thinking about invariants again • Invariant Status Theorem (IST) • While Loop Initialization • Utility of IST
Thinking about invariants again • In Lecture Notes #18 we considered heuristics for synthesizing Q-adequate loop invariants. • In Lecture Notes #23, it was observed that a loop computing a function maintains an important property of state across iterations: the function value of the current state,X, is the same as the function value of the initial state,X0. That is: f(X)=f(X0). • We now expand on this observation and show that this property represents the weakest f-adequate loop invariant†over D(f)! † To be defined shortly...
Thinking about invariants again • Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively: {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Can you identify a Q-adequate invariant, I, that could be used to prove this...?
Thinking about invariants again • Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively: {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Can you identify a Q-adequate invariant, I, that could be used to prove this...? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop? (z≥0 y,z := y+z,0) Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} So, for f = (z≥0 y,z := y+z,0),what is the relationship between f and the specified post-condition? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0Лy=y0+z0} So, for f = (z≥0 y,z := y+z,0),what is the relationship between f and the specified post-condition? z=fz(X0)=0Лy=fy(X0)=y0+z0. (This can be written more simply as just X=f(X0),where “X” is shorthand for “y,z”.) Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} But note that a specifiedpost-condition is not an innate property of a program as is the program’s actualfunction! It just so happens that where f is defined, Q ≡ X=f(X0) in this particular case... Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Getting back now to our Q-adequate invariant, I, where f = (z≥0 y,z := y+z,0)... Recall that the IRL implies that after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is, f(X)=f(X0). Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Thus, f(X)=f(X0) captures a constant relationship between the values of variables on entry to a loop (denoted by X0), and their values after every iteration of a loop (denoted by X) computing f. What, then, is this relationship for the function (z≥0 y,z := y+z,0)? Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Where f is defined, fy(X)=y+z and fy(X0)=y0+z0. Similarly, fz(X)=0 and fz(X0)=0. Setting f(X) equal to f(X0) for each variable gives: 0=0 Лy+z=y0+z0 †That is, for z≥0. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0 †
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Where f is defined, fy(X)=y+z and fy(X0)=y0+z0. Similarly, fz(X)=0 and fz(X0)=0. Setting f(X) equal to f(X0) for each variable gives: 0=0 Лy+z=y0+z0≡I †That is, for z≥0. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0 †
Thinking about invariants again • {true} while z<>0 do y := y+1 z := z−1 end_while {z=0 Л y=y0+z0} Thus, setting f(X) equal to f(X0) results in a Q-adequate loop invariant that could (by definition) be used with the while loop ROI to prove the given assertion! Are you not awestruck? But remember: the specified post-condition conveniently corresponds to the program’s actual function in this case. Consider I: y = y0+(z0-z) This can be rewritten as: y+z = y0+z0
Invariant Status Theorem (IST) • Theorem. Let f = [while p do g]. If X0D(f), XD(f), and q(X)=( f(X)=f(X0) ), then q is an invariant of while p do g; i.e., it has the following properties: • q(X0)is true, and • ( q(X)Лp(X) ) qog(X). In addition, q(X)is an f-adequate invariant; i.e., • ( q(X) Л ¬p(X) ) ( X=f(X0) ) This represents the final state values as a function, f, of the initial state values.
Invariant Status Theorem (cont’d) • Proof. • q(X0) is true: q(X)=( f(X)=f(X0) ), so q(X0)=( f(X0)=f(X0) ) = true as desired. (Note that based on the definition of q(X), this property is a tautology.)
Invariant Status Theorem (cont’d) • Proof. (cont’d) • ( q(X) Лp(X) ) qog(X): For XD(f)we know p(X) ( f(X)=fog(X) ) by the Iteration Recursion Lemma. Since q(X)=( f(X)=f(X0) ) by definition, it follows that: (q(X) Лp(X) ) ( fog(X)=f(X0) ).
Invariant Status Theorem (cont’d) • Proof. (cont’d) But the right-hand side of ( q(X)Лp(X)) ( fog(X)=f(X0) ) is just ( f(g(X))=f(X0) ) = q(g(X)) = qog(X) Therefore, ( q(X)Лp(X) ) qog(X) as desired.
Invariant Status Theorem (cont’d) • Proof. (cont’d) • ( q(X)Л ¬p(X) ) ( X=f(X0) ): If ¬p(X), then f(X)=I by definition of the while construct. This can be rewritten as f(X)= X. And sinceq(X)= ( f(X)=f(X0) ), it follows that: ( ¬p(X) Лq(X) ) ( X=f(X0) ) as desired.
An important corollary... • IST Corollary. Let f = [while p do g]. If X0D(f), XD(f), and q(X)= ( f(X)=f(X0) ), then q is an f-adequate invariant of ANY program of the form while p do g for which properties (2) and (3) of the IST hold: • ( q(X)Лp(X) ) qog(X) • ( q(X) Л ¬p(X) ) ( X=f(X0) ) • Thus, verifying these properties for a given while_do statement, K, and intended function, f, for which term(f,K) has already been shown, constitutes a proof that f = [K].
Example 1 • Consider the following assertion, where a0 and b0 represent the initial values of a and b, respectively: {true} while a<>0 do b := b*a a := a−1 end_while {a=0 Л b=b0a0!} What function, f, is computed by the while loop? (a≥0 a,b := 0,ba!)
Example 1 (cont’d) • For f = (a≥0 a,b := 0,ba!), an invariant q(X)=( f(X)=f(X0) ) can be derived by tabu-lating f(X)and f(X0)for each member of the data space, X: X f(X) f(X0) a 0 0 b ba! b0a0! and equating components of f(X)and f(X0): 0 = 0 ba! = b0a0!
Example 1 (cont’d) • We can rewrite the second equation as: b = b0(a0!/a!) and use it as an invariant to prove the given assertion using the while loop Rule of Infer-ence. • When combined with a≥0 (specifying the domain of f) we get: q = ( b = b0(a0!/a!)Л a≥0 )
Another interesting property of q(X) • In the context of functional verification, loop invariants are generally a function of the current values of program variables (denoted by X), AND their values on entry to the loop (denoted by X0). • Many f-adequate invariants may exist for a given loop, so what criteria might be used to determine which is the best to use? In general, we want f-adequate invariants to be as weak as possible. The weaker an invariant is (while still being f-adequate), the easier it will be to use.
Another interesting property of q(X) (cont’d) • Claim: q(X)=( f(X)=f(X0) ) is the weakestf-adequate loop invariant over D(f) in the sense that it is implied by all others. • Proof: Let I(X) be anyf-adequate loop invariant for (while p do g) over D(f), and let X0,X1,...,Xnbe the states associated with the loop in D(f). Since Xn=f(X), we know I(f(X)) and ¬p(f(X)). And since I(X) is f-adequate ( I(X) Л ¬p(X) X=f(X0) ), it follows that ( I(f(X))Л¬p(f(X)) f(X)=f(X0) ). Therefore, for all X in D(f), I(X) q(X) as claimed. (See Part 3, “The Loop Invariant f(X0)=f(X),” of the Dunlop/Basili paper.)
Another interesting property of q(X) (cont’d) • To expand on the unique nature of q(X), note that the set of states satisfying f(X)=f(X0) includes ALL intermediate states that could possibly be generated by ANY while loop that computes f! • Thus, q(X) is strong (i.e., specific) enough to describe the net effect of the loop on the input set D(f), but sufficiently weak (i.e., general) that it may offer no hint about the method used to achieve the effect.
Another interesting property of q(X) (cont’d) The function computed is: f = (z≥0 y,z := y+z,0) and from the IST, the weakest f-adequate invariant over D(f) is: q(X) ( y+z = y0+z0 Лz≥0 ) Recall the program: while z<>0 do y := y+1 z := z−1 end_while Consider the sample {y0,z0} input: {2,4}. The loop then pro-duces the series of states {2,4}, {3,3}, {4,2}, {5,1}, {6,0}. q(X), of course, agrees with these states, but it also agrees with {-3,9}! This implies that some loop that computes f couldproduce the intermediate state {-3,9} while mapping {2,4} to {6,0}. We further conclude that no loop that computes f could pro-duce {4,4} as an intermediate state from the input {2,4}.
Another interesting property of q(X) (cont’d) • Consider a more “concrete” (wood, aluminum, etc.) illustration of q’s properties... • Let f represent a general mapping from an initial building construction state (e.g., a vacant lot) to a final construction state (a finished building). • Let P be a specific, step-by-step, iterative construction process that produces a finished building in accordance with f.
Another interesting property of q(X) (cont’d) • In particular, suppose that from an initial building state, Svac: P produces the series of (successor) states: where Sfin represents a finished building. vac fin X K T Y
Another interesting property of q(X) (cont’d) • Now, let q(S)=( f(S)=f(S0) ) where S0 is the initial building state, S is the current building state, and S, S0are in D(f). • It follows, then, that qagrees with the series of states produced by P. That is: q(Svac), q(SX), q(SK), q(ST), q(SY), q(Sfin) • But suppose qalso holds for another state in D(f): Z
Another interesting property of q(X) (cont’d) • This would imply that some other iterative construction process, P’, that also results in a finished building in accordance with f, could produce SZ in the process of producing Sfin starting from Svac! • Finally, suppose that q does NOT hold for SE: E
Another interesting property of q(X) (cont’d) • This would imply thatno iterative construction process that results in a finished building in accordance with f could produce SE from the initial state Svac!
While Loop Initialization • In many situations, a loop invariant may hold by virtue of its initialization. In particular, given f = [while p do g], X0 D(f) a limited f-adequate invariantof the initialized while loop: h; while p do g is: qh(X)= ( f(X)=foh(X0) )
While Loop Initialization (cont’d) • Such an invariant has the following properties: • qhoh(X0)is true, and • (qh(X)Лp(X)) qhog(X), and • (qh(X)Л¬p(X)) ( X=foh(X0))
Example 2 • Consider the assertion: {n≥0} p := 1 k := 0 while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, h, is computed by the loop initialization?
Example 2 • Consider the assertion: {n≥0} p := 1 k := 0 while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, h, is computed by the loop initialization? (p,k := 1,0)
Example 2 • Consider the assertion: {n≥0} p := 1 k := 0 while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop?
Example 2 • Consider the assertion: {n≥0} p := 1 k := 0 while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop? (k≤n p,k := p2n−k,n)
Example 2 (cont’d) • For f = (k≤n p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X)and foh(X0)for each member of the data space: and equating components of f(X)and foh(X0): X f(X) foh(X0) p k
Example 2 (cont’d) • For f = (k≤n p,k := p2n−k,n), and h = (p,k := 1,0), an invariant qh(X)=( ( f(X)=foh(X0) ) can be derived by tabulating f(X)and foh(X0)for each member of the data space: and equating components of f(X)and foh(X0): X f(X) foh(X0) p p2n−k(1)2n0−0 k n n0 p2n−k= (1)2n0−0 n = n0
Example 2 (cont’d) • When combined, these equations yield the invariant: p=2k which can be used with the while loop Rule of Inference to prove the given assertion. • When the condition k≤n (specifying the domain of f)is included, we get: q = ( p=2k Лk≤n )
Exercise • Recall that in Example 3 of Lecture Notes #18, we proved the assertion below using the invariant I: Z=XJ. {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Exercise (cont’d) • Derive a limited invariant for the initialized while loop using the Invariant Status Theorem.
Today’s Topics • Thinking about invariants again • Invariant Status Theorem (IST) • While Loop Initialization • Utility of IST
Utility of Invariant Status Theorem • Does the IST eliminate the need for heuristics to synthesize Q-adequate loop invariants? Unfortunately, no. The derivation of q(X) requires knowledge of the program function, f. Further-more, if the specified post-condition, Q, is not of the form X=f(X0), the translation between Q and f may not be obvious. Finally, if Q is weaker than f, then q(X) will be stronger than needed and may, therefore, be more cumbersome to use than some weaker Q-adequate invariant.
Utility of Invariant Status Theorem (cont’d) • None of the functions considered so far has used conditional rules.† How does one deter-mine q(X) for intended functions of the form f = (p1 r1 | p2 r2 | … | pk rk) ? This can be tedious since the rule employed to deter-mine f(X0) for every initial state X0 plus those rules employed to determine f(X) for each of X0’ssuccessor states must be considered. The problem is analogous to that encountered in showing p(X) ( f(X)=fog(X) ) when the rule for f on the left-hand side of the equality may be different than that on the right-hand side of the equality (i.e., after applying g). †Other than simple functions of the form (p r).
Utility of Invariant Status Theorem (cont’d) • Would verifying the properties of q(X) for a given while_do statement, K, and hypothesized function, f, for which term(f,K) has been shown, constitute a proof that f = [K]? Yes, properties (2) and (3) of the IST are equivalent to the 2nd and 3rd while_do correctness conditions when using q(X) as the predicate. This is because ( q(X)Лp(X) ) qog(X) follows from p(X) ( f(X)=fog(X) ), and ( q(X)Л ¬p(X) ) ( X=f(X0) ) follows from ¬p(X) ( f(X)= I ). Also, since q(X) is the weakest f-adequate loop invariant for K, it is generally the “easiest” invariant over D(f) that can be used to verify that the loop computes f.
Utility of Invariant Status Theorem (cont’d) • For some additional important and interesting insights into the nature of q(X), functions, and both iterative and non-iterative program con-structs, be sure to see problems 8 and 9 in Problem Set 7!