Download presentation

Presentation is loading. Please wait.

Published byEthan Suarez Modified over 4 years ago

1
Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLines CSE 503, Software Engineering University of Washington 28 Apr 2004

2
Review {P} skip {P} {P[w:=E]} w:=E {P} {PB} assert B {P} if {P} S {Q} and {Q} T {R}, then {P} S ; T {R} if {PB} S {R} and {PB} T {R}, then {P} if B then S else T end {R}

3
Loops To prove {P} while B do S end {Q} prove {P} {J} while B do {J B} {0 vf} {J B vf=VF} S {J vf<VF} end {J B} {Q}

4
Example: Array sum {0N} k := 0; s := 0; while k N do s:=s+a[k] ; k:=k+ 1 end {s = (Σi | 0i<N a[i])}

5
{0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} Example: Array sum {0N} k := 0; s := 0; while k N do s:=s+a[k] ; k:=k+ 1 end {s = (Σi | 0i<N a[i])}

6
Example: Array sum {0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])}

7
Example: Array sum {0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J k=N} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0 k N vf: N-k

8
{0N} {0 = (Σi | 0i<0 a[i]) 00N} k := 0; {0 = (Σi | 0i<k a[i]) 0kN} s := 0; {s = (Σi | 0i<k a[i]) 0kN} Example: Array sum Initialization

9
Example: Array sum Invariance {s = (Σi | 0i<k a[i]) 0kN kN N-k=VF} {s+a[k] = (Σi | 0i<k a[i])+a[k] 0k<N N-k- 1 <VF} s := s + a[k]; {s = (Σi | 0i<k a[i])+a[k] 0k<N N-k- 1 <VF} {s = (Σi | 0i<k+ 1 a[i]) 0k+ 1 N N-(k+ 1 )<VF} k := k+ 1 ; {s = (Σi | 0i<k a[i]) 0kN N-k<VF}

10
In-class exercise: computing cubes {0N} k := 0; r := 0; s := 1; t := 6; while kN do a[k] := r; r := r + s; s := s + t; t := t + 6; k := k + 1 end {(i | 0i<N a[i] = i 3 )}

11
Computing cubes Guessing the invariant From the postcondition (i | 0i<N a[i] = i 3 ) and the negation of the guard k=N guess the invariant (i | 0i<k a[i] = i 3 ) 0kN From this invariant and variant function N-k, it follows that the loop terminates

12
Computing cubes Maintaining the invariant while kN do {(i | 0i<k a[i] = i 3 ) 0kN kN} {(i | 0i<k a[i] = i 3 ) r=k 3 0k<N} a[k] := r; r := r + s; s := s + t; t := t + 6; {(i | 0i<k a[i] = i 3 ) a[k]=k 3 0k<N} {(i | 0i<k+ 1 a[i] = i 3 ) 0k+ 1 N} k := k + 1 {(i | 0i<k a[i] = i 3 ) 0kN} end Add this to the invariant, and then try to prove that it is maintained

13
Computing cubes Maintaining the invariant while kN do {r = k 3 …} {r + s = k 3 + 3*k 2 + 3*k + 1} a[k] := r; r := r + s; s := s + t; t := t + 6; {r = k 3 + 3*k 2 + 3*k + 1} {r = (k+ 1 ) 3 } k := k + 1 {r = k 3 } end Add s = 3*k 2 + 3*k + 1 to the invariant, and then try to prove that it is maintained

14
Computing cubes Maintaining the invariant while kN do {s = 3*k 2 + 3*k + 1 …} {s + t = 3*k 2 + 6*k + 3 + 3*k + 3 + 1} a[k] := r; r := r + s; s := s + t; t := t + 6; {s = 3*k 2 + 6*k + 3 + 3*k + 3 + 1} {s = 3*(k+1) 2 + 3*(k+1) + 1} k := k + 1 {s = 3*k 2 + 3*k + 1} end Add t = 6*k + 6 to the invariant, and then try to prove that it is maintained

15
Computing cubes Maintaining the invariant while kN do {t = 6*k + 6 …} {t + 6 = 6*k + 6 + 6} a[k] := r; r := r + s; s := s + t; t := t + 6; {t = 6*k + 6 + 6} {t = 6*(k+1) + 6} k := k + 1 {t = 6*k + 6} end

16
Computing cubes Establishing the invariant {0N} {(i | 0i<0 a[i] = i 3 ) 00N 0 = 0 3 1 = 3*0 2 + 3*0 + 1 6 = 6*0 + 6} k := 0; r := 0; s := 1; t := 6; {(i | 0i<k a[i] = i 3 ) 0kN r = k 3 s = 3*k 2 + 3*k + 1 t = 6*k + 6}

17
In-class exercise: computing cubes Answers Invariant: (i | 0i<k a[i] = i 3 ) 0 k N r = k 3 s = 3*k 2 + 3*k + 1 t = 6*k + 6 Variant function: N-k

18
Other common invariants k is the number of nodes traversed so far the current value of n does not exceed the initial value of n all array elements with an index less than j are smaller than x the number of processes whose program counter is inside the critical section is at most one the only principals that know the key K are A and B

19
Belgian chocolate How many breaks do you need to make 50 individual pieces from a 10x5 Belgian chocolate bar? Note: Belgian chocolate is so thick that you can't break two pieces at once. Invariant: #pieces = 1 + #breaks

20
Loop proof obligations a closer look To prove {P} while B do S end {Q} find invariant J and variant function vf such that: – invariant initially: P J – invariant maintained: {J B} S {J} – invariant sufficient: J B Q – vf well-founded – vf bounded: J B 0 vf – vf decreases: {J B vf=VF} S {vf<VF} Are all of these conditions needed?

21
{0N} k := N; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0kN vf: N-k Loop proof obligations invariant holds initially

22
{0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 2 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0kN vf: N-k Loop proof obligations invariant is maintained

23
Loop proof obligations invariant is sufficient {0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} k:=k+ 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: 0kN vf: N-k

24
Loop proof obligations variant function is well-founded {0N} k := 0; s := 0; r := 1.0 ; {J} while k N do {J kN} {0 vf} {J kN vf=VF} r := r / 2.0 ; {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s=(Σi | 0i<k a[i]) 0r vf: r

25
Loop proof obligations variant function is bounded {0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} k:=k- 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) kN vf: k

26
Loop proof obligations variant function decreases {0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} skip {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0kN vf: N-k

27
Ranges in invariants {0N} k := 0; s := 0; {J} while k N do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0kN vf: N-k Where are these used?

28
Ranges: lower bound {s = (Σi | 0i<k a[i]) 0kN kN N-k=VF} {s+a[k] = (Σi | 0i<k a[i])+a[k] 0k<N N-k- 1 <VF} s := s + a[k]; {s = (Σi | 0i<k a[i])+a[k] 0k<N N-k- 1 <VF} {s = (Σi | 0i<k+ 1 a[i]) 0k+ 1 N N-(k+ 1 )<VF} k := k+ 1 ; {s = (Σi | 0i<k a[i]) 0kN N-k<VF} This step uses 0k

29
Ranges: upper bound {0N} k := 0; s := 0; {J} while kN do {J kN} {0 vf} {J kN vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J (kN)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0kN vf: N-k This step uses kN

30
Ranges: upper bound {0N} k := 0; s := 0; {J} while k < N do {J k<N} {0 vf} {J k<N vf=VF} s:=s+a[k] ; k:=k+ 1 {J vf<VF} end {J (k<N)} {s = (Σi | 0i<N a[i])} J: s = (Σi | 0i<k a[i]) 0kN vf: N-k this step still needs kN Even with < instead of

Similar presentations

OK

Spec# John Lefor Program Manager Developer Division, Microsoft.

Spec# John Lefor Program Manager Developer Division, Microsoft.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google