
Program verification: flowchart programs






Presentation Transcript


  1. Program verification: flowchart programs Book: chapter 7

  2. History • Verification of flowchart programs: Floyd, 1967 • Hoare’s logic: Hoare, 1969 • Linear Temporal Logic: Pnueli, Krueger, 1977 • Model Checking: Clarke & Emerson, 1981

  3. Program Verification • Predicate (first order) logic. • Partial correctness, Total correctness • Flowchart programs • Invariants, annotated programs • Well founded ordering (for termination) • Hoare’s logic

  4. Predicate (first order logic) • Variables, functions, predicates • Terms • Formulas (assertions)

  5. Signature
  • Variables: v1, x, y18. Each variable represents a value of some given domain (int, real, string, …).
  • Function symbols: f(_,_), g2(_), h(_,_,_). Each function has an arity (number of parameters), a domain for each parameter, and a range, e.g. f:int*int->int (addition), g:real->real (square root). A constant is a function symbol with arity 0.
  • Relation symbols: R(_,_), Q(_). Each relation has an arity and a domain for each parameter, e.g. R:real*real (greater than), Q:int (is a prime).

  6. Terms • Terms are objects that have values. • Each variable is a term. • Applying a function with arity n to n terms results in a new term. Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0)) More familiar notation: sqr(v1+5.0)

  7. Formulas
  • Applying a predicate to terms results in a formula: R(v1,5.0), Q(x). More familiar notation: v1>5.0.
  • Formulas can be combined with the boolean operators (and, or, not, implies): R(v1,5.0)->Q(x), x>1 -> x*x>x.
  • Formulas can be closed by existential and universal quantification, e.g. a quantifier applied to x in Q(x), to x1 in R(x1,5.0), or to both x and y in R(x,y).

  8. A model, a proof
  • A model gives a meaning (semantics) to a first order formula: a relation for each relation symbol, a function for each function symbol, a value for each variable.
  • An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model.
  • Example proof rule (MP, modus ponens): from p and p -> q, conclude q.
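The notions of slides 5 to 8 (terms built from variables and function symbols, formulas built from relation symbols, connectives and quantifiers, and a model that interprets all of them) can be made concrete in a few lines of Python. The evaluator below is an added example, not code from the lecture: the tuple encoding of terms and formulas, the dictionary shape of a model, and the constructed model INT_MODEL over the integers 0..7 are all assumptions of this example. Quantifiers are evaluated over the model's finite domain, which is what makes the check executable; over an infinite domain such as the naturals one needs a proof, which is what the proof rule MP at the end stands for.

```python
# Added example (not from the lecture): a small evaluator for first-order terms
# and formulas against a model, in the sense of slides 5-8.
# Terms:    a variable name (str), a constant (int/float), or ("app", f, [terms])
# Formulas: ("rel", R, [terms]) | ("not", p) | ("and", p, q) | ("or", p, q)
#           | ("implies", p, q) | ("forall", x, p) | ("exists", x, p)
# A model is a dict with a finite "domain", the "functions" interpreting each
# function symbol and the "relations" interpreting each relation symbol.

def eval_term(term, model, env):
    """Value of a term under `model` and the variable assignment `env`."""
    if isinstance(term, str):
        return env[term]                                   # variable
    if isinstance(term, tuple) and term[0] == "app":      # f(t1,...,tn)
        _, f, args = term
        return model["functions"][f](*(eval_term(a, model, env) for a in args))
    return term                                            # constant (arity-0 function symbol)

def holds(phi, model, env):
    """True iff the formula `phi` is satisfied by `model` under `env`.
    Quantifiers range over model["domain"], which must be finite."""
    kind = phi[0]
    if kind == "rel":
        _, rel, args = phi
        return model["relations"][rel](*(eval_term(a, model, env) for a in args))
    if kind == "not":
        return not holds(phi[1], model, env)
    if kind == "and":
        return holds(phi[1], model, env) and holds(phi[2], model, env)
    if kind == "or":
        return holds(phi[1], model, env) or holds(phi[2], model, env)
    if kind == "implies":
        return (not holds(phi[1], model, env)) or holds(phi[2], model, env)
    if kind in ("forall", "exists"):
        _, var, body = phi
        results = (holds(body, model, {**env, var: v}) for v in model["domain"])
        return all(results) if kind == "forall" else any(results)
    raise ValueError(f"unknown formula kind {kind!r}")

def modus_ponens(p, implication):
    """Proof rule MP: from p and p -> q conclude q.  Purely syntactic: it never
    consults a model, which is the point of a proof rule."""
    if implication[0] == "implies" and implication[1] == p:
        return implication[2]
    raise ValueError("MP does not apply: second premise is not p -> q")

# Constructed model: the integers 0..7 as domain, with the usual arithmetic.
INT_MODEL = {
    "domain": range(0, 8),
    "functions": {"+": lambda a, b: a + b, "*": lambda a, b: a * b},
    "relations": {
        ">": lambda a, b: a > b,
        "=": lambda a, b: a == b,
        "prime": lambda n: n > 1 and all(n % d for d in range(2, n)),
    },
}

# Slide 7's example  x>1 -> x*x>x , closed by a universal quantifier.
PHI_SQUARE = ("forall", "x", ("implies", ("rel", ">", ["x", 1]),
                                         ("rel", ">", [("app", "*", ["x", "x"]), "x"])))
# forall x exists y. y > x : true over the natural numbers, false over any finite domain.
PHI_UNBOUNDED = ("forall", "x", ("exists", "y", ("rel", ">", ["y", "x"])))
# exists x. prime(x) /\ x*x = 49
PHI_PRIME_ROOT = ("exists", "x", ("and", ("rel", "prime", ["x"]),
                                         ("rel", "=", [("app", "*", ["x", "x"]), 49])))
```

PHI_UNBOUNDED is the instructive case: it is true in the intended model (the naturals) but false in INT_MODEL, because the largest element 7 has no successor in the domain. Evaluation against a finite model is therefore a check, not a proof, and the same caveat applies to every bounded check later in this deck.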

  9. Flowchart programs
  Input variables: X=x1,x2,…,xl; program variables: Y=y1,y2,…,ym; output variables: Z=z1,z2,…,zn.
  General shape: start -> Y=f(X) -> … -> Z=h(X,Y) -> halt.

  10. Assignments and tests
  Two kinds of nodes: an assignment Y=g(X,Y), and a test t(X,Y) with a T (true) exit and an F (false) exit.

  11. Initial condition
  Initial condition: the values of the input variables for which the program must work. Here: x1>=0 /\ x2>0.
  Flowchart: start -> (y1,y2)=(0,x1) -> test y2>=x2 -> T: (y1,y2)=(y1+1,y2-x2), back to the test; F: (z1,z2)=(y1,y2) -> halt.

  12. The input-output claim
  The relation between the values of the input and the output variables at termination. Here: x1=z1*x2+z2 /\ 0<=z2<x2.
  Flowchart: as in slide 11.

  13. Partial correctness, Termination, Total correctness
  • Partial correctness: if the initial condition holds and the program terminates, then the input-output claim holds.
  • Termination: if the initial condition holds, the program terminates.
  • Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.

  14. Subtle point
  The program of slide 11 is partially correct with respect to x1>=0 /\ x2>=0 and totally correct with respect to x1>=0 /\ x2>0: with x2=0 the test y2>=x2 never fails, so the loop never exits, but whenever the program does terminate the claim holds.

  15. Annotating a scheme
  Assign an assertion to each pair of consecutive nodes (each edge). The assertion expresses the relation between the variables when the program counter is located between these nodes.
  Flowchart with points: start -> A -> (y1,y2)=(0,x1) -> B -> test y2>=x2 -> T: C -> (y1,y2)=(y1+1,y2-x2) -> B; F: D -> (z1,z2)=(y1,y2) -> E -> halt.

  16. Annotating a scheme with invariants
  (A): x1>=0 /\ x2>=0
  (B): x1=y1*x2+y2 /\ y2>=0
  (C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
  (D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
  (E): x1=z1*x2+z2 /\ 0<=z2<x2
  Notice: (A) is the initial condition, (E) is the input-output condition.

  17. Verification conditions: assignment
  For an assignment edge A -> Y=g(X,Y) -> B the condition is (A) -> (B)[Y\g(X,Y)].
  Here, for (y1,y2)=(0,x1): (A): x1>=0 /\ x2>=0; (B): x1=y1*x2+y2 /\ y2>=0; (B)[Y\g(X,Y)] = x1=0*x2+x1 /\ x1>=0.

  18. Second assignment (C -> (y1,y2)=(y1+1,y2-x2) -> B)
  (C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2; (B): x1=y1*x2+y2 /\ y2>=0; (B)[Y\g(X,Y)]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0.
  Condition: (C) -> (B)[Y\g(X,Y)].

  19. Third assignment (D -> (z1,z2)=(y1,y2) -> E)
  (D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2; (E): x1=z1*x2+z2 /\ 0<=z2<x2; (E)[Z\g(X,Y)]: x1=y1*x2+y2 /\ 0<=y2<x2.
  Condition: (D) -> (E)[Z\g(X,Y)].

  20. Verification conditions: tests
  For a test edge B -> t(X,Y) with T exit C and F exit D the conditions are (B) /\ t(X,Y) -> (C) and (B) /\ ¬t(X,Y) -> (D).
  Here t(X,Y) is y2>=x2: (B): x1=y1*x2+y2 /\ y2>=0; (C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2; (D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2.

  21. Exercise: prove partial correctness
  Initial condition: x>=0. Input-output claim: z=x!
  Flowchart: start -> (y1,y2)=(0,1) -> test y1=x -> F: (y1,y2)=(y1+1,(y1+1)*y2), back to the test; T: z=y2 -> halt.
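The assignment condition (M) -> (N)[Y\g(X,Y)] of slide 17 and the test conditions of slide 20 are mechanical enough to check by machine once the assertions are written as predicates on a state. The checker below is an added example, not code from the lecture: the edge encoding, the `states`/`check_vcs` helpers and the box of values they enumerate are our assumptions. It evaluates (N) on the updated state, which is the "primed variables" reading of substitution, and tests every condition on all states of a finite box, so a reported failure is a genuine counterexample while an empty result is evidence on the box only, not a proof. It is applied to the division program of slide 16 (once with the slides' invariant, once with y2>=0 dropped from (B), which produces counterexamples on the D->E edge) and to the factorial exercise of slide 21 with one possible annotation of ours.

```python
from itertools import product
from math import factorial

# Added example (not from the lecture): a bounded checker for the verification
# conditions of an annotated flowchart.  An edge is
#   (name, "assign", M, (update, N))           for  M --Y:=g(X,Y)--> N
#   (name, "test",   M, (t, N_true, N_false))  for  M --t(X,Y)?--> N_true / N_false
# and the conditions checked are those of the slides:
#   (M) -> (N)[Y\g(X,Y)]      (evaluate (N) on the updated, "primed", state)
#   (M) /\ t -> (N_true)      and     (M) /\ not t -> (N_false)

def states(domains):
    """All states (dict variable -> value) of the box given by `domains`."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        yield dict(zip(names, values))

def check_vcs(edges, assertions, domains):
    """Return [(edge_name, counterexample_state)] for every violated condition."""
    failures = []
    for s in states(domains):
        for name, kind, src, payload in edges:
            if not assertions[src](s):
                continue                       # (M) false: implication holds vacuously
            if kind == "assign":
                update, dst = payload
                primed = {**s, **update(s)}    # state after Y := g(X,Y)
                ok = assertions[dst](primed)   # equals (N)[Y\g(X,Y)] evaluated at s
            else:
                test, dst_true, dst_false = payload
                ok = assertions[dst_true if test(s) else dst_false](s)
            if not ok:
                failures.append((name, s))
    return failures

# --- the division program of the slides: z1 = x1 div x2, z2 = x1 mod x2 -----
DIV_EDGES = [
    ("A->B", "assign", "A", (lambda s: {"y1": 0, "y2": s["x1"]}, "B")),
    ("B->C|D", "test", "B", (lambda s: s["y2"] >= s["x2"], "C", "D")),
    ("C->B", "assign", "C", (lambda s: {"y1": s["y1"] + 1, "y2": s["y2"] - s["x2"]}, "B")),
    ("D->E", "assign", "D", (lambda s: {"z1": s["y1"], "z2": s["y2"]}, "E")),
]

def div_assertions(keep_y2_nonneg=True):
    """(A)..(E) of slide 16; with keep_y2_nonneg=False the conjunct y2>=0 is
    dropped from the loop invariant to show how a too-weak invariant fails."""
    def inv(s):
        return s["x1"] == s["y1"] * s["x2"] + s["y2"] and (s["y2"] >= 0 or not keep_y2_nonneg)
    return {
        "A": lambda s: s["x1"] >= 0 and s["x2"] >= 0,
        "B": inv,
        "C": lambda s: inv(s) and s["y2"] >= s["x2"],
        "D": lambda s: inv(s) and s["y2"] < s["x2"],
        "E": lambda s: s["x1"] == s["z1"] * s["x2"] + s["z2"] and 0 <= s["z2"] < s["x2"],
    }

# Constructed box of states; z1, z2 only appear after the D->E update.
DIV_DOMAINS = {"x1": range(0, 6), "x2": range(0, 4), "y1": range(0, 6), "y2": range(-3, 6)}

# --- the factorial program of slide 21, with one possible annotation (ours) ---
FACT_EDGES = [
    ("A->B", "assign", "A", (lambda s: {"y1": 0, "y2": 1}, "B")),
    ("B->D|C", "test", "B", (lambda s: s["y1"] == s["x"], "D", "C")),   # true branch exits
    ("C->B", "assign", "C", (lambda s: {"y1": s["y1"] + 1, "y2": (s["y1"] + 1) * s["y2"]}, "B")),
    ("D->E", "assign", "D", (lambda s: {"z": s["y2"]}, "E")),
]

def fact_inv(s):
    """Loop invariant: y2 = y1! and y1 has not passed x."""
    return 0 <= s["y1"] <= s["x"] and s["y2"] == factorial(s["y1"])

FACT_ASSERTIONS = {
    "A": lambda s: s["x"] >= 0,
    "B": fact_inv,
    "C": lambda s: fact_inv(s) and s["y1"] != s["x"],
    "D": lambda s: fact_inv(s) and s["y1"] == s["x"],
    "E": lambda s: s["z"] == factorial(s["x"]),
}
FACT_DOMAINS = {"x": range(0, 5), "y1": range(0, 5), "y2": range(0, 25)}
```

Usage: `check_vcs(DIV_EDGES, div_assertions(), DIV_DOMAINS)` returns an empty list, while `check_vcs(DIV_EDGES, div_assertions(keep_y2_nonneg=False), DIV_DOMAINS)` returns states with y2<0 on the edge D->E, since without y2>=0 nothing in (D) forces 0<=z2 in (E). That is exactly the role of the conjunct y2>=0 in (B).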


  25. Assignment condition
  Assertion at A: 2=x1. Assignment: y1=2. Assertion at B: y1=x1.

  26. Another way to understand the condition
  Use two versions of each variable: before the assignment and after, e.g. y1 and y1', respectively.
  Postcondition: y1'=x1. Assignment: y1'=2. Precondition: 2=x1.

  27. Assignment condition
  Assertion at A: y1=5. Assignment: y1=y1+5. Assertion at B: y1=10.

  28. Assignment condition
  Postcondition: y1'=10. Assignment: y1'=y1+5. Precondition: y1+5=10, i.e., y1=5.

  29. Verification conditions: assignment (A -> (y1,y2)=(0,x1) -> B)
  (A): x1>=0 /\ x2>=0
  (B), on the primed variables: x1=y1'*x2+y2' /\ y2'>=0
  Assignment: y1'=0 /\ y2'=x1
  Substituting gives (B)[Y\g(X,Y)] = x1=0*x2+x1 /\ x1>=0 (or simply x1>=0).

  30. Second assignment (C -> (y1,y2)=(y1+1,y2-x2) -> B)
  Postcondition (B): x1=y1*x2+y2 /\ y2>=0
  Assignment: y1'=y1+1 /\ y2'=y2-x2
  Precondition obtained by substitution, (B)[Y\g(X,Y)]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0


  35. What have we achieved?
  • For each statement S that appears between points X and Y we showed: if control is at X when (X) holds and S is executed, then (Y) holds afterwards.
  • Initially, we know that (A) holds.
  • The two facts combine into an induction on the number of statements executed: if after n steps we are at point X, then (X) holds.

  36. Another example
  (A): x>=0
  (F): z^2<=x<(z+1)^2, i.e., z is the largest integer not greater than sqrt(x).
  Flowchart: start -> A -> (y1,y2,y3)=(0,0,1) -> B -> y2=y2+y3 -> C -> test y2>x -> true: E -> z=y1 -> F -> halt; false: D -> (y1,y3)=(y1+1,y3+2) -> B.

  37. Some insight
  1+3+5+…+(2n+1)=(n+1)^2. y2 accumulates this sum until it is bigger than x; y3 ranges over the odd numbers 1,3,5,…; y1 is n-1.
  Flowchart: as in slide 36.

  38. Invariants
  It is sufficient to have one invariant for every loop (cycle in the program's graph). We will have (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1.
  Flowchart: as in slide 36.

  39. Obtaining (B)
  By backwards substitution in (C) over the assignment y2=y2+y3:
  (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
  (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1

  40. Check assignment condition (A -> (y1,y2,y3)=(0,0,1) -> B)
  (A)=x>=0
  (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
  (B) relativized (y1,y2,y3 replaced by 0,0,1) is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1; simplified: x>=0.

  41. Obtaining (D)
  By backwards substitution in (B) over the assignment (y1,y3)=(y1+1,y3+2):
  (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
  (D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1

  42. Checking the false exit of the test: (C) /\ y2<=x -> (D)
  (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
  (D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1

  43. y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\ y2<=x -> (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
  The first conjunct on the right follows from y2=(y1+1)^2 and y2<=x; the other two are arithmetic consequences of y2=(y1+1)^2 and y3=2*y1+1.

  44. Not finished! Still needed:
  • Calculate (E) by substituting backwards from (F) over the assignment z=y1.
  • Check that (C) /\ y2>x -> (E).
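The induction of slide 35 says that, once all verification conditions hold, every point of the flowchart satisfies its assertion whenever control reaches it. The code below is an added example, not from the lecture: it writes the square-root flowchart of slides 36 to 44 as a loop and checks each point's assertion at runtime, supplies (E) as (F)[z\y1] (the backward substitution slide 44 leaves open), and checks the two test-edge conditions of slides 42 to 44 on a bounded box. The function names are ours; the assertions are those of the slides.

```python
# Added example (not from the lecture): the square-root flowchart of slides
# 36-44 written as a loop, with each point's assertion checked whenever control
# reaches it.  (E) is (F)[z\y1], the backward substitution of z := y1 into (F).

def inv_A(x, y1, y2, y3):
    return x >= 0

def inv_B(x, y1, y2, y3):      # (B) from slide 39
    return y1 * y1 <= x and y2 + y3 == (y1 + 1) ** 2 and y3 == 2 * y1 + 1

def inv_C(x, y1, y2, y3):      # the loop invariant (C) of slide 38
    return y1 * y1 <= x and y2 == (y1 + 1) ** 2 and y3 == 2 * y1 + 1

def inv_D(x, y1, y2, y3):      # (D) from slide 41
    return (y1 + 1) ** 2 <= x and y2 + y3 + 2 == (y1 + 2) ** 2 and y3 + 2 == 2 * (y1 + 1) + 1

def inv_F(x, z):               # the input-output claim of slide 36
    return z * z <= x < (z + 1) ** 2

def inv_E(x, y1, y2, y3):      # (F)[z\y1]
    return inv_F(x, y1)

def isqrt_flowchart(x):
    """Run the flowchart on input x and return z.  An AssertionError means an
    assertion fails at the point where control is, i.e. a broken invariant."""
    assert inv_A(x, 0, 0, 0)          # point A (the y's are not yet assigned)
    y1, y2, y3 = 0, 0, 1              # A -> B
    assert inv_B(x, y1, y2, y3)
    while True:
        y2 = y2 + y3                  # B -> C
        assert inv_C(x, y1, y2, y3)
        if y2 > x:                    # test: true -> E
            break
        assert inv_D(x, y1, y2, y3)   # false -> D
        y1, y3 = y1 + 1, y3 + 2       # D -> B
        assert inv_B(x, y1, y2, y3)
    assert inv_E(x, y1, y2, y3)
    z = y1                            # E -> F
    assert inv_F(x, z)
    return z

def open_conditions_hold(bound=50):
    """Bounded check of the test-edge conditions of slides 42-44:
         (C) /\ y2<=x -> (D)    and    (C) /\ y2>x -> (E).
    Every state satisfying (C) has y2 and y3 determined by y1, so enumerating
    (x, y1) covers all (C)-states of the box."""
    for x in range(bound):
        for y1 in range(bound):
            y2, y3 = (y1 + 1) ** 2, 2 * y1 + 1
            if not inv_C(x, y1, y2, y3):
                continue
            if y2 <= x and not inv_D(x, y1, y2, y3):
                return False
            if y2 > x and not inv_E(x, y1, y2, y3):
                return False
    return True
```

Running `isqrt_flowchart(10)` visits B, C and D three times each, passes the test with y2=16 and returns 3; the runtime checks are the induction of slide 35 observed on one execution, and `open_conditions_hold()` is the bounded counterpart of the two remaining proof obligations.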

  45. Proving termination

  46. Well-founded sets
  • Partially ordered set (W,<): if a<b and b<c then a<c (transitivity); if a<b then not b<a (asymmetry); not a<a (irreflexivity).
  • Well-founded set (W,<): partially ordered, with no infinite decreasing chain a1>a2>a3>…

  47. Examples of well-founded sets
  • Natural numbers with the greater-than relation.
  • Finite sets with the set inclusion relation.
  • Strings with the substring relation.
  • Tuples with alphabetic (lexicographic) order: (a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2]; (a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].

  48. Why does the program terminate?
  y2 starts as x1. Each time the loop is executed, y2 is decremented (by x2). y2 is a natural number. The loop cannot be entered again when y2<x2.
  Flowchart: as in slide 15.

  49. Proving termination
  • Choose a well-founded set (W,<).
  • Attach a function u(N) to each point N.
  • Annotate the flowchart with invariants, and prove their consistency conditions.
  • Prove that (N) -> (u(N) in W).

  50. How not to stay in a loop?
  For each edge from M to N (an assignment S or a test T), show that u(M)>=u(N). At least once in each loop, show that u(M)>u(N).
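The method of slides 49 and 50 applied to the division program of slide 48, as an added example that is not from the lecture: W is the natural numbers with >, u at the loop points B and C is y2, and the initial condition on x2 is carried into the loop invariant as x2>=x2_min, a parameter of ours. With x2_min=1 (the slides' x2>0) both termination conditions hold on the checked box; with x2_min=0 the decrease condition fails on every state with x2=0, which is the subtle point of slide 14 seen from the termination side. The bounded check and the ranking trace are both our constructions.

```python
from itertools import product

# Added example (not from the lecture): termination of the division flowchart
# (slide 48) by the method of slides 49-50.  Well-founded set W = (naturals, >),
# ranking function u(B) = u(C) = y2.  The initial condition on x2 is carried into
# the loop invariant as x2 >= x2_min; x2_min = 1 is the slides' x2 > 0.

def inv_B(x1, x2, y1, y2, x2_min):
    return x1 == y1 * x2 + y2 and y2 >= 0 and x2 >= x2_min

def inv_C(x1, x2, y1, y2, x2_min):
    return inv_B(x1, x2, y1, y2, x2_min) and y2 >= x2

def u(y2):
    """Ranking function at the loop points B and C."""
    return y2

def termination_violations(x2_min, bound=8):
    """Bounded check of the termination conditions:
         (B) -> u(B) in W                 (y2 is a natural number)
         (C) -> u(C) > u(B')  with B' the state after the loop body y2 := y2 - x2
    Returns the violating states; [] means both hold on the whole box."""
    bad = []
    box = product(range(bound), range(bound), range(bound), range(-bound, bound))
    for x1, x2, y1, y2 in box:
        if inv_B(x1, x2, y1, y2, x2_min) and u(y2) < 0:
            bad.append(("u(B) not in W", (x1, x2, y1, y2)))
        if inv_C(x1, x2, y1, y2, x2_min):
            before, after = u(y2), u(y2 - x2)     # C -> B along the loop body
            if not (0 <= after < before):
                bad.append(("loop body does not decrease u", (x1, x2, y1, y2)))
    return bad

def rank_trace(x1, x2, max_visits=1000):
    """Run the program and record u at every visit of point B.  The visit cap
    makes the call return even when x2 = 0, where the loop never exits."""
    y1, y2 = 0, x1
    trace = [u(y2)]
    while y2 >= x2 and len(trace) < max_visits:
        y1, y2 = y1 + 1, y2 - x2               # C -> B
        trace.append(u(y2))
    return trace
```

`rank_trace(17, 5)` gives [17, 12, 7, 2], a strictly decreasing sequence of naturals, so it must stop; `rank_trace(3, 0)` stays at 3 forever and is only cut off by the cap, which is what `termination_violations(0)` predicts from the assertions alone, without running the program.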
