1 / 14

Software Verification 1 Deductive Verification

Software Verification 1 Deductive Verification. Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik. Example: Binary Search.

winfred-smith
Download Presentation

Software Verification 1 Deductive Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Software Verification 1Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

  2. Example: Binary Search • Extend the notion of “program variable” to indexed variables (v[i] for 1=1..n) • Input: a sorted array x[0..n-1] (i (x[i-1]<x[i]) and a value a to search for • Result: index i s.t. a>x[j] for 0<=j<i and a<=x[j] for i<=j<n

  3. Binary Search Program : i=0; k=n; while (i<k) { s=(i+k-1)/2; //integer division if (a>x[s]) i=s+1 else k=s } Show {n>=0  i(0<i<n  (x[i-1]<x[i])}  {0<=i<=n  j(0<=j<i  x[j]<a  j(i<=j<n  x[j]>=a}

  4. Invariant for Binary Search • x is sorted • 0 : i(0<i<n  (x[i-1]<x[i]) • i is changed such that • 1 : 0<=i<=n  j(0<=j<i  x[j]<a) • k is changed such that • 2 : 0<=k<=n  j(k<=j<n  x[j]>=a) • additionally • 3 : i<=k Let  = 0  1  2  3

  5. Hoare Proof for Binary Search {n>=0  i(0<i<n  (x[i-1]<x[i])} i=0; k=n; {} while (i<k) { {  i<k} s=(i+k-1)/2; //integer division if (a>x[s]) i=s+1 else k=s {} } {  i>=k} {i=k  0<=i<=n  j(0<=j<i  x[j]<a)  j(k<=j<n  x[j]>=a)} {0<=i<=n  j(0<=j<i  x[j]<a  j(i<=j<n  x[j]>=a)}

  6. : 0 <= i <= k <= n  j(0<=j<i  x[j]<a)  j(k<=j<n  x[j]>=a) {  i<k} s=(i+k-1)/2; {  i<k  s==(i+k-1)/2} if (a>x[s]) i=s+1 else k=s {} holds since {  i<k  s=(i+k-1)/2  a>x[s]} {[i:=s+1]} i=s+1 {} {  i<k  s=(i+k-1)/2  a<=x[s]} {[k:=s]} k=s {} proof: see next

  7. : 0 <= i <= k <= n  j(0<=j<i  x[j]<a)  j(k<=j<n  x[j]>=a) Show:   i<k  s=(i+k-1)/2  x[s]<a  [i:=s+1]   i<k  s=(i+k-1)/2  x[s]<a  0<= s+1 <= k <= n  j(0<=j<s +1  x[j]<a)   i<k  s=(i+k-1)/2  x[s]<a  (i+k+1)/2<= k  j(0<=j<=(i+k-1)/2  x[j]<a) holds since i<k  i+k<k+k  i+k+1<=2*k  (i+k+1)/2<=k x[s]<a  j=s  x[j]<a 0 x[s]<a  j<s  x[j]<a

  8. Last Example: Bubblesort • Given an array x [0..n-1] of integers, the task is to sort x • Bubblesort repeatedly exchanges “unordered” elements in x, e.g.: • 6 – 3 – 8 – 4 – 1 • 3 – 6 – 8 – 4 – 1 • 3 – 6 – 8 – 4 – 1 • 3 – 6 – 4 – 8 – 1 • 3 – 6 – 4 – 1 – 8 • 3 – 6 – 4 – 1 – 8 • 3 – 4 – 6 – 1 – 8 • 3 – 4 – 1 – 6 – 8 • 3 – 1 – 4 – 6 – 8 • etc.

  9. Bubblesort Algorithm : :i=n; :while (i>1) { :i=i-1; k=0; :while (k!=i){ :k++; :if (x[k-1]>x[k]) swap(x[k-1], x[k]) :} :} :

  10. Specification of Sortedness • x is sorted • sorted(x): i(0<i<n  x[i-1] <= x[i]) • x is a permutation of the input array ? • For sake of simplicity: • assume all elements in x are pairwise unequal: diff(x): i,j(0<=i != j<n  (x[i]!=x[j])} • in this case, x is a permutation of y iff perm(x,y): a(i x[i]==a  i y[i]==a) • Specification {x==y  diff(x)}  {sorted(x)  perm(x,y)}

  11. Invariant for Bubblesort Invariant for loop at : after first iteration: x[n-1] at correct position after second iteration: x[n-1] and x[n-2] at correct position after third iteration: x[n-1] .. x[n-3] at correct position ... ordered(x, i): 1<=i<=n  j(i<=j<n  x[j-1] < x[j])  j(0<=j<i <n x[j] <= x[i]) then we have: • ordered(x, n)  T • ordered(x, 1)  sorted(x) I: diff(x)  perm(x,y)  ordered(x,i)

  12. Proof of Outer Loop x==y  diff(x)  perm(x,y) : x==y  diff(x)  : x==y  diff(x)  i==n x==y  diff(x)  i==n  diff(x)  perm(x,y)  ordered(x,i) : x==y  diff(x)  : I : I  : I  (i<=1) provided that : I  (i>1)  : I perm(x,y)  ordered(x,i)  (i<=1)  perm(x,y)  sorted(x) : I  : sorted(x)  perm(x,y) : x==y  diff(x)  : perm(x,y)  sorted(x) that is, {x==y  diff(x)}  {sorted(x)  perm(x,y)}

  13. Inner Invariant It remains to show: : I  (i>1)  : I Invariant for loop at : perm(x,y)  ordered(x,i+1) remains stable goal of the inner loop: maximal element from x[0]...x[i-1] is moved to x[i-1] after each step: 0<=k<=i  j(0<=j<=k x[k]>=x[j]) I: perm(x,y)  ordered(x,i+1)  0<=k<=i  j(0<=j<=k x[k]>=x[j])

  14. Proof of Inner Invariant : I  (i>1)  : perm(x,y)  ordered(x,i+1)  k==0 perm(x,y)  ordered(x,i+1)  k==0  I : I  (i>1)  : I : I  : I  (k==i), provided that : I  (k!=i)  : I I  (k==i)  perm(x,y)  ordered(x,i+1)  j(0<=j<=i x[i]>=x[j]) : I  (i>1)  : I it remains to show: : I  (k!=i)  : I • perm(x,y) remains unchanged • ordered(x,i+1) is not modified • : 0<=k<=i  j(0<=j<=k x[k]>=x[j])  k!=i  : 0<=k<=i  j(0<=j<=k-1 x[k-1]>=x[j]) • : I  (k!=i)  : 0<=k<=i  j(0<=j<=k x[k]>=x[j])

More Related