
CSE 3341.03 Winter 2008 Introduction to Program Verification



Presentation Transcript


  1. CSE 3341.03 Winter 2008 Introduction to Program Verification: calculating with wp

  2. symbex: swap example (p. 30)
  //{ X = 'old X' and Y = 'old Y' }
  void swap(X, Y);
  //{ X = 'old Y' and Y = 'old X' }

  //{ true }
  swap(&a, &b);
  ... cannot show true implies OLD(b)=b and OLD(a)=a for swap(&a, &b).
  // assert: old b=a
  // -- assertion is verified. how?
  //{ old b=a and old a=b }
  • symbex can show that if the swap pre-condition is satisfied (instantiated with a and b), then the conclusion 'old a' = b is valid, but cannot prove a = 'old a' and b = 'old b'.

  3. "we're trying to prove that the pre-condition for the swap procedure is satisfied. In this context, that follows from the fact that 'OLD'(X) = X ->> true before the swap procedure is executed."
  But this violates the intended interpretation of rewrite rules. (The rule is a 'timeless' mathematical equality.)
  Solution: either assume the desired pre-condition for a "manual" proof, or assert the pre-condition for the specific call swap(&a, &b).

  4. assert a pre-condition
  • alternative: add //{ 'old a' = a and 'old b' = b } as a pre-condition
  //{ a = 'old a' and b = 'old b' }
  swap(&a,&b);
  // assert: old b=a
  // -- assertion is verified.
  //{ old b=a and old a=b }

  5. why weakest post-condition?
  • if we can calculate wp(S, Q), we can test any other proposition directly, using just logic and axioms, without further calculation:
  • (P implies wp(S, Q)) implies {P} S {Q}. why? see p. 35-36 (if (P implies wp(S, Q)) then P is a pre-condition)

  6. wp: the bigger picture
  • working backwards from goal to initial state: goal-directed backward chaining, cf. stimulus-response, forward chaining
  • important concept in AI:
  • if-then is "blind": based on what is true at the moment; doesn't need a representation
  • selecting an action based on a goal uses a representation of what is not true at the moment: more "intelligent"

  7. the null statement
  • wp(";", Q) = Q -- is this a theorem? a definition? an axiom?
  • we could extend wp to create new statement types: wp("swap(A, B);", A = X and B = Y) ≡ A = Y and B = X.

  8. calculating wp
  • conditional statements:
  • wp("if (B) S1 else S2", Q) ≡ B and wp(S1, Q) or not B and wp(S2, Q)
  • wp("if (B) S1", Q) ≡ B and wp(S1, Q) or not B and Q
  • using implication?

  9. Exercise 9.1
  • substitute the definition of wp("if (B) S", Q) into
    wp("if (B) S", Q) iff (B implies wp(S, Q)) and (not B implies Q)
    and rewrite it as a proposition that can be checked by wang:
  • (b and wp(s, q) or not b and q) iff ((b implies wp(s, q)) and (not b implies q))

  10. switch statement: exercise 9.2
  • wp("switch (C) { case L1: S1; break; case L2: S2; break; ... case Ln: Sn; break; default: S }", Q) ≡
  • C=L1 and wp(S1, Q) or ...
  • C=Ln and wp(Sn, Q) or ... ?

  11. assignment statement: examples
  • wp("R = Exp;", Q) = Q[Exp / R]
  • wp("x = f(y)", x**2 - y/x > 0) = ? = f(y)**2 - y/f(y) > 0
  • wp("x = x*3", odd(x)) = odd(x*3) ->> odd(x).

  12. exercise 9.3
  • ? wp("a[i+3] = 7;", a[4] = x) = (i = 1 and x = 7) -- what's wrong here?
  • correct answer: wp("a[i+3] = 7;", a[4] = x) = wp("a = change(a, i+3, 7);", array(a, 4) = x)
  • now use the rule for assignment to calculate the wp:
    (array(a, 4) = x)[change(a, i+3, 7)/a]
    = (array(change(a, i+3, 7), 4) = x)
    = (i + 3 = 4 and x = 7) or (x = array(a, i+3))

  13. wp does it correctly
  • compare with what wp calculates:
    // PRE: (i+3=4 implies x=7) and (not i+3=4 implies array(a, i+3)=x)
  • ->> (i=1 implies x=7) and (not i=1 implies array(a, i+3)=x)

  14. wp's input loop
  • a note on using wp: its input loop is designed differently than symbex's
  • symbex input loops on the statements in a single code segment
  • wp loops on multiple code segments
  • allows you to experiment and explore within wp: you don't have to repeatedly re-execute wp and reload the files.
  • so ^D causes a prompt for the next input
  • How to escape? a 2nd ^D, or enter "stop"

  15. examples
  % wp (^D's not shown)
  |:x = (x=1); y = y+1;      % S (code)
  |://{ x = y}               % Q (goal)
  |: // PRE: (y+1=x)=1       % wp(S, Q)
  |:x = x+1; y = y+1;
  |://{ x = y }
  |: // PRE: y+1=x+1
  |:x = (x-y)*(x+y);
  |://{x + y**2 <> 0}
  |: // PRE: x*x<>0

  16. array references
  |: b[i] = i;               % b = change(b, i, i);
  |: //{ b[b[i]] = i }
  |: ^D
  // PRE: true
  |:a[x] = a[x+1];
  |://{ a[0] = 0}
  |: // PRE: array(change(a, x, array(a, x+1)), 0)=0

  17. impossible goal
  |:x =1;
  //{x = 0}
  // PRE: false
  % how was this computed? Goal is impossible.

  18. Exercise 9.7
  |:if(m < y) m = y;
  // {m = max(m, y)}
  |: % is this correct?
  // PRE: y<=y and m<y or y<=m and not m<y ->> ?

  19. exercise 9.9(a)
  |://{ r = n*n } n= n+1; r= '??'; //{ r = n*n }
  |: // PRE: n*n+n*2+1= ??
  Initial condition may not be compatible with the goal.
  Cannot prove n*n=r implies n*n+n*2+1= ??.
  |://{ r = n*n } n= n+1; r= n*n+n*2+1; //{ r = n*n }
  |: // PRE: n*2*2+n*n+2+1=n*n+n*2 ->> ?
  Initial condition may not be compatible with the goal.
  Cannot prove n*n=r implies n*2*2+n*n+2+1=n*n+n*2.

  20. exercise 9.9(a) continued
  |://{ r = n*n and n = -3/2} n= n+1; r= n*n+n*2+1; //{ r = n*n }
  |: // PRE: n*2*2+n*n+2+1=n*n+n*2
  Initial condition is compatible with the goal.
  what was proved? why not (as in the text example): "Initial condition achieves the goal."?

  21. termination (p. 45)
  • interpret {P} as {computational states s: P is true in s}. What can we say about {P} if {P} S {true}?
  • Suppose, for some initial state s, wp(S, true) is false -- but this contradicts the definition of wp(S, P), so wp(S, true) is true in all and only those initial states in which S terminates.
