Functional Program Verification CS 4311 A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999. Y. Cheon and M. Vela, A Tutorial on Functional Program Verification, Technical Report 10-26, Dept. of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010 1 1 1 1

Outline Non-testing techniques for V&V Overview of functional verification Program as functions Intended functions Verification Assignment statement Sequential composition Conditional statement Iterative statement 2 2

Non-testing Techniques for V&V Sec. 13.4 of Vliet 2008 (Manual Testing Techniques) Non-testing Techniques for V&V (Pairs, 2 minutes) V&V Definitions and examples from the class project? 3

Non-testing Techniques for V&V Sec. 13.4 of Vliet 2008 (Manual Testing Techniques) Non-testing Techniques for V&V (Pairs, 2 minutes) V&V Definitions and examples? Code reviews Reading If you can’t read it, neither can the people maintaining it Walkthrough Team effort (group of 3-5, e.g., designer, moderator, secretary) Manual simulation lead by designer Focus on discovering faults, not on fixing them Inspection Looking for specific faults (e.g., using check lists) E.g., uninitialized variables 4

Non-testing V&V (Cont.) Sec. 13.4 of Vliet 2008 (Manual Testing Techniques) Non-testing V&V (Cont.) Correctness proof Hoare logic Functional program verification Model checking Correct by construction Refinement calculus Model driven development 5

Overview of Functional Verification Key ideas View programs as mathematical functions Write specifications as mathematical functions Compare two functions for correctness verification Characteristics Based on sets and functions <-> logic (Hoare) Forward reasoning <-> backward reasoning Match informal reasoning 6

Programs as Functions Values of x and y after execution? // pre-state: {(x,10), (y,20)} x = x + y; y = x – y; x = x – y; // post-state: {(x,?), (y,?)} 7

Programs as Functions Values of x and y after execution? // pre-state: {(x,10), (y,20)} x = x + y; y = x – y; x = x – y; // post-state: {(x,?), (y,?)} State changing function (or state transformer) Function on program states Map one program state to another {(x,3), (y,5)} … {(x,6), (y,4)} pre-state {(x,5), (y,3)} {(x,4), (y,6)} post-state 8

Concurrent Assignment Notation for express state changing functions [x1, x2, …, xn := e1, e2, …, en] Evaluate ei’s in the pre-state at the same time Assign them to xi’s at the same time The values of other state variables remain the same (frame axiom). // [x, y := y, x] x = x + y; y = x – y; x = x – y; 9

Conditional Concurrent Assignment Different functions based on some conditions [x > 0 -> sign := 1 | x < 0 -> sign := -1 | else -> sign := 0] Conditions evaluated sequentially from the first to the last in the pre-state Keyword “else” interpreted as “true” Identity function [n > maxSize -> n := maxSize | else -> I] [n > 0 -> avg := sum / n | else -> undefined] Partial function 10

Exercise Write a (conditional) concurrent assignment to describe the function computed by the following code. if (n > maxSize) { n = maxSize; } avg = sum / n; 11

Don’t care about the final value. Intended Functions Intended function: function describing our intention of code Specification for the code Code function: function computed by code Actual behavior implemented by the code // [sum, i := sum + j=1a.length-1a[j], anything] while (i < a.length) { sum += a[i]; i++; } Don’t care about the final value. 12

Exercise Write intended functions for the following code (a) sum = sum + a; avg = sum / n; (b) if (a[i] == k) { l = i; } (c) while (i < a.length) { if (a[i] == k) { i++; 13

Annotating Code Why? How? To facilitate correctness verification Annotate every section of code with intended function // f0: [r := largest value in a] // f1 : [r, i := a[0], 1] r = a[0] int i = 1; // f2 : [r, i := max of r and largest in a[i..], anything] while (i < a.length) { // f3 : [r, i := max of r and a[i], i+1] if (a[i] > r) { r = a[i]; } i++; } 14

Exercise Annotate the following code with intended functions c = 0; int i = 0; while (i < a.length) { if (a[i] == n) { c++; } i++; 15

Outline Non-testing techniques for V&V Overview of functional verification Program as functions Intended functions Verification Assignment statement Sequential composition Conditional statement Iterative statement 16 16

Functional Verification Process Write specifications of code as functions, called intended functions Calculate functions computed by code, called code functions Compare code functions (p) with intended functions (f), i.e., p is correct with respect to (⊑) f if: dom p  dom f p(x) = f(x) for every x  dom f Why not dom p = dom f ?

Verification of Assignment Statement Often straightforward Often identical code and intended functions // [x := x + 1] x = x + 1; // [n > 0 -> avg := sum / n] avg = sum / n; More work done by code

Verification of Sequential Composition Compose code functions // [n > 0 -> sum, avg := sum + a, (sum + a) / n] sum = sum + a; avg = sum / n; [sum := sum + a]; [n  0 -> avg := sum / n]  [n  0 -> sum, avg := sum + a; (sum + a) / n] ⊑ [n > 0 -> sum, avg := sum + a; (sum + a) / n]

Trace Table Calculate code function by tracing state changes made by statements x = x + 1; y = 2 * x; z = x + y; x = 3 * x; statement x y z x = x + 1 x+1 y = 2 * x 2*(x+1) z = x + y (x+1) + 2*(x+1) x+2 x = 3 * x 3*(x+2) [x, y, z := 3*(x+2), 2*(x+1), (x+1) + 2*(x+1)]

Exercise Use a trace table to calculate the function computed by the following code. rate = 0.5; years++; interest = balance * rate / 100; balance = balance + interest; 21

Modular Verification Can use intended functions in place of code functions for verification // [f0] // [f1] S1 // [f2] S2 Proof obligations f1; f2 ⊑ f0 S1 is correct with respect to f1 (S1 ⊑ f1) S2 is correct with respect to f2 (S2 ⊑ f2)

Verification of Conditional Statement Calculate code functions using conditional trace tables statement condition p b p = a * r a * r if (a < b) a < b b = b - a b - a a >= b b = b - p b – (a * r) p = a * r; if (a < b) b = b – a; else b = b – p; [a < b -> p, b := a * r, b – a | a >= b -> p, b := a *r, b – (a*r)]

Verification of Conditional Statement (Cont.) Case analysis on conditions // [f] if (B) S1 else S2 Proof obligations When B holds, S1 is correct with respect to f (B  S1 ⊑ f) When B doesn’t hold, S2 is correct with respect to f ( B  S2 ⊑ f)

Example Proof by case analysis // f: [z != 0 -> r := |x - y| / z] When x > y x – y  |x - y|, thus [z != 0 -> r := (x - y)/z]  f When !(x > y) y – x  |x - y|, thus [z != 0 -> r := (y - x)/z]  f Therefore, if … else … ⊑ f // f: [z != 0 -> r := |x - y| / z] if (x > y) r = (x - y) / z; else r = (y - x) / z;

Exercise Derive proof obligations for an if statement without an else part. // [f] if (B) S 26

Exercise Write an intended function for the following code and prove the correctness of the code with respect to the intended function if (n > maxSize) { n = maxSize; } sum = sum + a; avg = sum / n; 27

Verification of Iteration Statement No known way of calculating code function, so proof by induction // [f] while (B) S // [f] if (B) { S while (B) S } // [f] if (B) { S [f] } Assuming f is correct Proof obligations B doesn’t hold, identity function is correct with respect to f (B  I ⊑ f) If B holds, S followed by f is correct with respect to f (B  S;f ⊑ f) Termination for total correctness Loop variant: expression with value increased/decreased on iterations

Example Proof obligations Proof of basis // f1: [sum, i := sum + j=ia.length-1a[j], anything] while (i < a.length) { // f2: [sum, i := sum + a[i], i+1] sum += a[i]; i++; } Proof obligations Termination: loop variant, a.length - i Basis: (i < a.length)  I ⊑ f1 Induction: i < a.length  f2; f1 ⊑ f1 and refinement of f2 Proof of basis f1 ≡ [sum, i := sum + j=ia.length-1a[j], anything] ≡ [sum, i := sum + 0, anything] (because i >= a.length) ≡ [sum, i := sum, anything] ⊒ [sum, i := sum, i] = I

Example Proof induction step i < a.length  f2; f1 ⊑ f1 // f1: [sum, i := sum + j=ia.length-1a[j], anything] while (i < a.length) { // f2: [sum, i := sum + a[i], i+1] sum += a[i]; i++; } Proof induction step i < a.length  f2; f1 ⊑ f1 f2; f1 ≡ [sum, i := sum + a[i], i + 1]; [sum, i := sum + j=ia.length-1a[j], anything] ≡ [sum, i := sum + a[i] + j=i+1a.length-1a[j], anything] ≡ [sum, i := sum + j=ia.length-1a[j], anything] ≡ f1

Exercise Prove the termination of the following loop. while (low <= high) { int mid = (low + high) / 2; if (a[mid] < x) low = mid + 1; else if (a[mid] > x) high = mid - 1; else high = low - 1; } 31

Initialized Loops Loop seldom used in isolation Proof obligations Preceded by initialization Together compute something useful Loop’s function more general // [f0] // [f1] S1 // [f2] while (B) { // [f3] S2 } Proof obligations f1; f2 ⊑ f0 S1 ⊑ f1 while (B) S2 ⊑ f2, requiring Termination Basis Step: B  I ⊑ f2 Induction: B  S2;f2 ⊑ f2

Example Proof obligations f1; f2 ⊑ f0 Refinement of f1 // f0: [r := largest value in a] // f1 : [r, i := a[0], 1] r = a[0] int i = 1; // f2 : [r, i := max of r and largest in a[i..], ?] while (i < a.length) { // f3 : [r, i := max of r and a[i], i+1] if (a[i] > r) { r = a[i]; } i++; } Proof obligations f1; f2 ⊑ f0 Refinement of f1 Refinement of f2 Termination of the loop Basis:  (i < a.length)  I ⊑ f2 Induction: i < a.length  f3; f2 ⊑ f2 Refinement of f3

Example (Cont.) Proof of f1; f2 ⊑ f0 f1; f2  [r, i := a[0], 1]; [r, i := max of r and largest in a[i..], ?]  [r, i := max a[0] and largest in a[1..], ?]  [r, i := largest value in a, ?] ⊑ [r := largest value in a]  f0 See handout for other proofs.

Exercise Write intended functions for the following while loops in isolation. (a) while (i < a.length) { if (a[i] > 0) { sum += a[i]; } i++; (b) while (n > 1) { n = n – 2; 35

Exercise Prove the correctness of the following code. // [r := n!] int i = n; while (i > 1) { r = r * i; i--; } 36