Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23

Previously… Correctness conditions and working correctness questions: –sequencing –decision statements

Today’s Topics Iteration Recursion Lemma (IRL) Termination predicate: term(f,P) Correctness conditions for while_do statement Sufficient correctness conditions Correctness conditions for repeat_until statement Subgoal Induction

Iteration Recursion Lemma (IRL) The IRL reduces the verification of programs with loops to a question of termination and the verification of loop- free programs by converting iteration to recursion. For while loops, the Lemma states: f = [while p do g] = [if p then g;f end_if] (note recursion)

Iteration Recursion Lemma (cont’d) p g T F p g T F p g T F p g T F f = = = f p g;f T F =

Iteration Recursion Lemma (cont’d) Rather than verify directly that f is the program function of K = while p do g which can be very difficult, it is sufficient to prove that 1. K terminates for all X  D(f), and that 2. f is the program function of Q = if p then g;f end_if because [K] = [Q].

An important implication of the IRL Suppose for “input” X 0 the while loop term- inates after n iterations with “output” X n. Furthermore, let X 1, X 2,..., X n-1 be the in- termediate states generated by the loop. Then  0≤i<n, we know: – p(X i ), – X i+1 =g(X i ), and – ¬p(X n ).

An important implication of the IRL (cont’d) As f = [while p do g] = [if p then g;f end_if], it follows that f(X 0 ) = f(X 1 ) =... = f(X n ) = X n More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X 0. That is: f(X) = f(X 0 ) We will revisit this observation in connection with Mill’s Invariant Status Theorem later.

Illustrative Example of IRL To further illustrate the fact that [while p do g] = [if p then g;f end_if] consider a concrete example... Let K = while y>0 do x,y := x+1,y−1 Claim: K is function equivalent to Q = if y>0 then x,y := x+1,y−1;k end_if where, by definition, k = [K]. p g p k o g

Illustrative Example of IRL (cont’d) Case (y>0): For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x 0 +(1)y 0 = x 0 +y 0 and the final value of y is 0. Thus, (y>0) => k = (x,y := x+y,0) Also, note that when y=0 initially, k = I = (x,y := x,y) = (x,y := x+0,y) = (x,y := x+y,0) Therefore, (y≥0) => k = (x,y := x+y,0)

Illustrative Example of IRL (cont’d) Case (y>0): (cont’d) [Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution. For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have [Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K) Thus, [Q] = [K] when y>0.

Illustrative Example of IRL (cont’d) Case (y≤0): Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent. Thus, [Q] = I = [K] when y≤0. Therefore, K is function equivalent to Q.

Termination Predicate The correctness of a looping program P depends, in part, on termination. Consideration is limited to programs whose termination can be established and the following predicate is defined: term(f,P)  ‘‘P terminates for every initial state X  D(f)’’

Before we continue… Take out a piece of paper and a pen/pencil. Without looking back in the lecture notes, write down the complete correctness con- ditions for: f = [if p then g]

if_then Correctness Conditions Complete correctness conditions for f = [if p then g]: Prove: p  (f = g) Л ¬p  (f = I) So, aside from proving termination over the domain of f, what are the two corresponding conditions for: f = [while p do g] = [if p then fog] ?

while_do Correctness Conditions Complete correctness conditions for f = [K] = [while p do G] (where g = [G] has already been shown): Prove: term(f,K) Л p  (f = f o g) Л ¬p  (f = I)

while_do Correctness Conditions (cont’d) Working correctness questions: –Is loop termination guaranteed for any argument of f ? –When p is true does f equal f composed with g? –When p is false does f equal Identity?

while_do Example Prove f = [T] where, for integers x, y, and z: f = (y≥0  z,y := z+xy,0) and T is: while y<>0 do z := z+x y := y−1 end_while p G

while_do Example (cont’d) Proof: g = [G] = (z,y := z+x,y−1) by observation –term(f,T)? f = (y≥0  z,y := z+xy,0) and T is: while y<>0 do z := z+x y := y−1 end_while So, does y≥0 initially  T will terminate?

while_do Example (cont’d) Proof: g = [G] = (z,y := z+x,y−1) by observation –term(f,T)? √ (Prove this…)

while_do Example (cont’d) Proof: g = [G] = (z,y := z+x,y−1) by observation –term(f,T)? √ (Prove this…) –Does (y=0)  ( f = I )? ¬p¬p ( Recall: f = (y≥0  z,y := z+xy,0) )

while_do Example (cont’d) Proof: g = [G] = (z,y := z+x,y−1) by observation –term(f,T)? √ (Prove this…) –Does (y=0)  ( f = I )? √ (y=0)  ( f = (z,y := z+x(0),0) = (z,y := z,0) ) (y=0)  ( I = (z,y := z,0) )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? p

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = f o (z,y := z+x,y−1) What is f when applied after g decrements the initially negative value of y? ( Recall: f = (y≥0  z,y := z+xy,0) )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = undefined o (z,y := z+x,y−1) since y<0  g y (y<0)<0 ( Recall: f = (y≥0  z,y := z+xy,0) )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? (y<0)  ( f = undefined ) (y<0)  ( f o g = undefined o (z,y := z+x,y−1) = undefined )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case a: Does (y<0)  ( f = f o g )? √ (y<0)  ( f = undefined ) (y<0)  ( f o g = undefined o (z,y := z+x,y−1) = undefined )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? ( Recall: f = (y≥0  z,y := z+xy,0) )

–Does (y  0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = f o (z,y := z+x,y−1) Again, what is f when applied after g decrements the initially positive value of y? ( Recall: f = (y≥0  z,y := z+xy,0) ) while_do Example (cont’d)

–Does (y  0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) since y>0  g y (y>0)≥0 ( Recall: f = (y≥0  z,y := z+xy,0) )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) )

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? case b: Does (y>0)  ( f = f o g )? (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) ) We could have also composed the full, conditional definition of f with g, i.e. (y≥0  z,y := z+xy,0) o (z,y := z+x,y−1) to yield (y≥1  z,y := z+xy,0) which is just (z,y := z+xy,0) when y>0.

while_do Example (cont’d) –Does (y  0)  ( f = f o g )? √ case b: Does (y>0)  ( f = f o g )? √ (y>0)  ( f = (z,y := z+xy,0) ) (y>0)  ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1) = (z,y := (z+x)+x(y−1),0) = (z,y := z+xy,0) ) Therefore, f = [T].

Exercise 1 For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := tx i := i+1 end_while

Sufficient Correctness Conditions Given the complete correctness conditions for f = [H] = [while p do g]: Prove: term(f,H) Л p  (f = f o g) Л ¬p  (f = I)

Sufficient Correctness Conditions (cont’d) What are the sufficient correctness conditions for f  [H] = [while p do g]? Prove: f’ = [H] for some f’ Л f  f’

Sufficient Correctness Conditions (cont’d) What are the sufficient correctness conditions for f  [H] (for ANY program, H)? Prove: f’ = [H] for some f’ Л f  f’

repeat_until Statement What are the complete correctness conditions for f = [R] = [repeat g until p]? p g F T f =

repeat_until Statement (cont’d) An IRL for repeat_until statements: f = [repeat g until p] = [g; if ¬p then f]

“Proof” by Picture p g F T f = p g F T = p g T F = f p g T F = f ¬p¬p g F T

repeat_until Statement (cont’d) Therefore, it is sufficient to verify that 1. R terminates for all X  D(f), and that 2. f is the program function of Q = g; if ¬p then f end_if because [R] = [Q].

repeat_until Correctness Conditions Complete correctness conditions for f = [R] = [repeat G until p] (where g = [G] has already been shown): Prove: term(f,R) Л (p o g)  (f = g) Л ¬(p o g)  (f = f o g)

repeat_until Correctness Conditions (cont’d) Working correctness questions: –Is loop termination guaranteed for any argument of f ? –When p o g is true does f equal g? –When p o g is false does f equal f o g?

Exercise 2 For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0

Subgoal Induction “Subgoal induction” is a proof method pro- posed by Morris and Wegbreit † that can be viewed as a generalization of (while loop) functional verification. It uses a variation of the Iteration Recursion Lemma (IRL) to identify relatively simple correctness conditions for a while loop surrounded by pre- and post-processing code. † Morris, James & Ben Wegbreit, “Subgoal Induction,” CACM, Volume 20, No. 4, April 1977.

Subgoal Induction (cont’d) The key observation underlying the method is: v = [while p do g end_while; t] ≡ [if p then g;v else t end_if_else] The function equivalence of these programs, like that asserted in the IRL, is perhaps best illustrated graphically...

Subgoal Induction (cont’d) p g T F p T F p T F p T F = = v p g;v T F = t t g t g t g t v =

Subgoal Induction (cont’d) Suppose, now, that compound program K is: h; while p do g end_while; t and that v = [while p do g end_while; t]. From the functional equivalence illustrated above and the fact that K = h;v, it therefore follows that: [K] = v o h = [if p then g;v else t end_if_else] o h

Subgoal Induction (cont’d) Recall the complete correctness conditions for r = [if p then g else t]: (1) p  (r=g) and (2) ¬p  (r=t). Thus, the complete correctness conditions for f = [K] = [h; while p do g end_while; t] are: (1) term(f,K), (2) p  (v=v o g), (3) ¬p  (v=t), and (4) f=v o h where v = [while p do g end_while; t].

Subgoal induction vs. functional verification How does subgoal induction differ from the program decomposition strategy employed in functional verification? To show f = [h; while p do g end_while; t] using functional verification, an intermediate hypothesis and “sub-proof” for the loop is required, whereas t is part of the intermediate hypothesis in the subgoal induction case. Note that if t is the identify function, the two strategies are identical.

Subgoal induction vs. functional verification (cont’d) But, if h is the identify function, then subgoal induction has an advantage since intended function f (if given) can then be used as the intermediate hypothesis. (In this case, treating the loop and t as a whole results in a more efficient proof.)

Subgoal Induction Example Use subgoal induction to prove f = [K] where, for integers x, y, and z: f = (x≥0  x,y,z := 0,2 x,2 x ) and K is: y := 1 H while x<>0 do y := y2 x := x-1 end_while z := y T G

Subgoal Induction Example (cont’d) We need to show: (1) term(f,K), (2) p  (v=v o g), (3) ¬p  (v=t), and (4) f=v o h But first, we must hypothesize a function for v (our “intermediate hypothesis”): v = [while x<>0 do g end_while; z := y]

Subgoal Induction Example (cont’d) What is the function, v, of this program? while x<>0 do y := y2 x := x-1 end_while z := y

Subgoal Induction Example (cont’d) What is the function, v, of this program? while x<>0 do y := y2 x := x-1 end_while z := y x>0  x,y,z := 0, y2 x, y2 x x=0  x,y,z := x, y, y := 0, y2 x, y2 x x<0  undefined Therefore, v is hypothesized to be: (x≥0  x,y,z := 0, y2 x, y2 x )

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (1) Does K terminate for all x≥0? YES y := 1 while x<>0 do y := y2 x := x-1 end_while z := y (Prove this using the Method of Well-Founded Sets.)

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x  0)  ( v = v o g )? p

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x  0)  ( v = v o g )? case a: Does (x<0)  ( v = v o g )? YES (x<0)  ( v = undefined ) (x<0)  ( v o g = undefined o (x,y := x-1,2y) = undefined ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2 x, y2 x ) )

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (2) Does (x  0)  ( v = v o g )? YES case b: Does (x>0)  ( v = v o g )? YES (x>0)  ( v = (x,y,z := 0, y2 x, y2 x ) ) (x>0)  ( v o g = (x,y,z := 0, y2 x, y2 x ) o (x,y := x-1,2y) = (x,y,z := 0, 2y2 x-1, 2y2 x-1 ) = (x,y,z := 0, y2 x, y2 x ) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2 x, y2 x ) )

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (3) Does (x=0)  ( v = t )? YES (x=0)  ( v = (x,y,z := 0, y2 0, y2 0 ) ) = (x,y,z := 0, y, y) ) (x=0)  ( t = (x,y,z := 0, y, y) ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2 x, y2 x ) )

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ?

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh (4) Does f = v o h ? YES f = (x≥0  x,y,z := 0,2 x,2 x ) voh = (x≥0  x,y,z := 0, y2 x, y2 x ) o (x,y,z := x,1,z) = (x≥0  x,y,z := 0, (1)2 x, (1)2 x ) = (x≥0  x,y,z := 0, 2 x, 2 x ) ( Recall: hypoth. v = (x≥0  x,y,z := 0, y2 x, y2 x ) )

Subgoal Induction Example (cont’d) Returning to the four correctness conditions: (1) term(f,K), (2) p  (v=vog), (3) ¬p  (v=t), and (4) f=voh Therefore, for f = (x≥0  x,y,z := 0,2 x,2 x ) and K: y := 1 while x<>0 do y := y2 x := x-1 end_while z := y we conclude, by subgoal induction, that f = [K].

Summary Iteration Recursion Lemma (IRL) Termination predicate: term(f,P) Correctness conditions for while_do statement Sufficient correctness conditions Correctness conditions for repeat_until statement Subgoal Induction

Coming up next… Thinking about invariants again Invariant Status Theorem (IST) While Loop Initialization Utility of IST

Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23