Slide 1
Testing and Verifying Invariant Based Programs in the SOCOS Environment
Ralph-Johan Back, Johannes Eriksson and Magnus Myreen
Åbo Akademi University, Turku, Finland; Turku Centre for Computer Science; Centre for Reliable Software Technology
TAP: Tests and Proofs, 12 February 2007
Slide 2
Approaches
How program code, contracts, invariants and verification conditions relate in three approaches:
● “a posteriori verification”
● “constructive approach”
● “invariant based programming”
Slide 3
Example: Sort an array! Start with a pre-/postcondition specification.
Precondition: A: Int[N], A=A0
Postcondition: A: Int[N], Sorted(A,0,N), Permutation(A,A0)
Slide 4
Example: Sort an array! Extract the common invariant.
The pre- and postcondition share A: Int[N] and Permutation(A,A0) (the latter follows from A=A0 in the precondition); what remains specific is A=A0 for the precondition and Sorted(A,0,N) for the postcondition.
Slide 5
Example: Sort an array! Construct a loop.
LOOP situation, nested inside the common invariant A: Int[N], Permutation(A,A0):
k: Int, 0≤k≤N, Sorted(A,0,k), ∀i,j:Int. 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j]
[Figure: array A with indices 0, k and N; A[0..k-1] is sorted and less than or equal to all of A[k..N-1], which is unsorted.]
Slide 6
Example: Sort an array! Add the initial transition k:=0 from the precondition to LOOP.
What needs to be checked? Substitute 0 for k in the LOOP invariant and show that the precondition (A: Int[N], A=A0) implies each conjunct:
0: Int ✔, 0≤0≤N ✔, Sorted(A,0,0) ✔, ∀i,j:Int. 0≤i<0 ∧ 0≤j<N ⇒ A[i]≤A[j] ✔, A: Int[N] ✔, Permutation(A,A0) ✔ (from A=A0)
Slide 7
Example: Sort an array! Add the exit transition [k=N] from LOOP to the postcondition.
Trivial: Sorted(A,0,k) ∧ k=N ⇒ Sorted(A,0,N)
Slide 8
Example: Sort an array! Add the loop transition
[k<N] m:=min(A,k,N); A:=A[k←A[m], m←A[k]]; k:=k+1
Proof obligation: from the LOOP invariant (A: Int[N], Permutation(A,A0), k: Int, 0≤k≤N, Sorted(A,0,k), ∀i,j:Int. 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j]) together with k<N, m=min(A,k,N) and A'=A[k←A[m], m←A[k]], show the LOOP invariant for the new state: A': Int[N], Permutation(A',A0), k+1: Int, 0≤k+1≤N, Sorted(A',0,k+1), ∀i,j:Int. 0≤i<k+1 ∧ k+1≤j<N ⇒ A'[i]≤A'[j]. (Slide annotation on the obligation: BELIEVE ME)
Slide 9
Example: Sort an array! Add a termination function.
Loop transition, now written [k<N] A:=Swap(A,k,min(A,k,N)); k:=k+1, with the variant N-k attached to the LOOP situation (0≤N-k).
Variant decreases: N-(k+1) < N-k
Bounded from below: 0≤k≤N ⇒ 0≤N-k
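The sort diagram built up on the preceding slides, executed as a Python program that evaluates every situation invariant and the variant N-k at run time, the way the deck describes its testing backend working. This is an added example written for this transcript, not the SOCOS tool's generated code or the authors' code; the helper names (check_loop, selection_step, sort_checked, first_violation) are this example's own.

```python
"""Selection sort as the invariant diagram on the slides
(situations PRE, LOOP, POST; transitions k:=0, [k<N] swap-step, [k=N]),
with every situation invariant and the variant N-k checked at run time.
Added example in the spirit of a testing backend; not SOCOS code."""
from typing import Callable, List, Optional, Tuple


class InvariantViolation(AssertionError):
    def __init__(self, situation: str, conjunct: str):
        super().__init__(f"{situation}: {conjunct} does not hold")
        self.where = (situation, conjunct)


def is_sorted(A: List[int], lo: int, hi: int) -> bool:
    """Sorted(A, lo, hi): A[lo..hi-1] is in non-decreasing order."""
    return all(A[i] <= A[i + 1] for i in range(lo, hi - 1))


def is_permutation(A: List[int], A0: List[int]) -> bool:
    """Permutation(A, A0): same multiset of elements."""
    return sorted(A) == sorted(A0)


def min_index(A: List[int], lo: int, hi: int) -> int:
    """min(A, k, N) on the slide: an index of a minimal element of A[lo..hi-1]."""
    return min(range(lo, hi), key=lambda i: A[i])


def check_loop(A: List[int], A0: List[int], k: int) -> None:
    """LOOP situation: each conjunct of the slide's invariant, checked in order."""
    N = len(A)
    conjuncts = [
        ("Permutation(A,A0)", is_permutation(A, A0)),
        ("0<=k<=N", 0 <= k <= N),
        ("Sorted(A,0,k)", is_sorted(A, 0, k)),
        ("A[0..k-1] <= A[k..N-1]",
         all(A[i] <= A[j] for i in range(k) for j in range(k, N))),
    ]
    for name, holds in conjuncts:
        if not holds:
            raise InvariantViolation("LOOP", name)


def selection_step(A: List[int], k: int) -> int:
    """The slide's loop transition body: A := Swap(A, k, min(A,k,N)); k := k+1."""
    m = min_index(A, k, len(A))
    A[k], A[m] = A[m], A[k]
    return k + 1


Step = Callable[[List[int], int], int]


def sort_checked(A0: List[int], body: Step = selection_step) -> List[int]:
    """Execute the diagram, checking the target situation after each transition
    and the variant after each loop transition.  `body` defaults to the slide's
    transition; pass a different body to see which invariant it breaks."""
    A, N = list(A0), len(A0)
    k = 0                               # initial transition PRE -> LOOP
    check_loop(A, A0, k)
    while True:
        if k == N:                      # exit transition [k=N] LOOP -> POST
            if not is_sorted(A, 0, N):
                raise InvariantViolation("POST", "Sorted(A,0,N)")
            if not is_permutation(A, A0):
                raise InvariantViolation("POST", "Permutation(A,A0)")
            return A
        v0 = N - k                      # variant before the loop transition
        k = body(A, k)                  # loop transition [k<N] LOOP -> LOOP
        check_loop(A, A0, k)            # consistency: target invariant holds
        if not 0 <= N - k < v0:         # termination: variant bounded and decreasing
            raise InvariantViolation("LOOP", "variant N-k decreases and stays >= 0")


def first_violation(A0: List[int], body: Step = selection_step) -> Optional[Tuple[str, str]]:
    """(situation, conjunct) of the first invariant that fails, or None."""
    try:
        sort_checked(A0, body)
        return None
    except InvariantViolation as e:
        return e.where


if __name__ == "__main__":
    print(sort_checked([5, 2, 4, 2, 9]))
    # A transition body that forgets the swap breaks the "prefix <= rest" conjunct.
    print(first_violation([3, 1, 2], body=lambda A, k: k + 1))
```

Running a deliberately wrong transition body (the one in the demo only increments k) reports the exact conjunct that fails rather than a wrong final result, which is the kind of "common error" the testing backend is meant to surface before any proof is attempted.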
Slide 10
The SOCOS Tool
● “Software COnstruction Site”
● An editor for invariant diagrams
● Higher-order specifications and formal semantics
● Goal: higher assurance
– Testing: find common errors
– Extended static checking: find common errors and insufficient (too weak) invariants
– Interactive proofs: total correctness
Slide 11
SOCOS User Interface
Slide 12
Program Constructs
● Procedures with pre- and postconditions
● Statements
– if … fi, assignment, assertion, procedure call
● Simple data types
– integers, booleans
– strings, arrays
● Data invariants
Slide 13
Testing/Debugging
Slide 14
Formal Verification
● Verification conditions can be generated for the whole program, or for a single procedure/transition/situation
● Verification conditions are generated and sent to external proof tools
● Three types of verification conditions:
– Consistency (for transitions)
– Completeness (for situations)
– Termination (for loops)
Slide 15
Consistency
● Each transition should establish its target: I₁ ⇒ wp(S, I₂), where I₁ is the invariant of the source situation, S the transition statement and I₂ the invariant of the target situation
Slide 16
Completeness (liveness)
● At least one transition from each (non-terminal) situation should be enabled: I ⇒ wp(S*, False), where S* is the dashed transition labelled “magic” in the diagram, standing for the case in which none of the situation's if … fi guards holds
Slide 17
Termination
● Every transition in a cycle must not increase V: (for all j) I_j ∧ V=V₀ ⇒ wp(S_j, 0≤V≤V₀)
● At least one transition must decrease V: (for some k) I_k ∧ V=V₀ ⇒ wp(S_k, 0≤V<V₀)
[Diagram: situations I_k and I_{k+1} on a cycle.]
Slide 18
Backends, in order of increasing assurance:
● Testing: the diagram is converted to a Python program, with run-time evaluation of invariants
● Static checking: verification conditions are sent to Simplify, a fully automatic prover
● Full verification: PVS is used for full verification of the final components
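To make the three verification-condition types of slides 14 to 17 concrete, and to show what "run-time evaluation of invariants" on slide 18 can catch, here is a small interpreter for invariant diagrams that checks consistency, completeness and termination dynamically while executing a diagram. The diagram it runs is binary search, split into two situations (LOOP and MID) so that the cycle contains one transition that keeps the variant and one that decreases it, matching the "for all j / for some k" shape of slide 17. This is an added example written for this transcript, not SOCOS code; the Diagram, Transition and DiagramError names and the binary search diagram are this example's own constructions.

```python
"""Interpreter for invariant diagrams that checks the three VC types from the
slides at run time: consistency (each transition establishes its target),
completeness (some transition is enabled in every non-terminal situation) and
termination (the variant is bounded below, never increases on the cycle and is
strictly smaller on every revisit of a cycle situation).  Added example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

State = Dict[str, object]
Pred = Callable[[State], bool]


@dataclass
class Transition:
    src: str
    guard: Pred
    action: Callable[[State], None]     # updates the state in place
    dst: str


@dataclass
class Diagram:
    situations: Dict[str, Pred]         # situation name -> invariant
    transitions: List[Transition]
    cycle: Set[str]                     # situations that lie on the loop
    variant: Callable[[State], int]     # V, evaluated in cycle situations
    start: str
    terminal: str


class DiagramError(Exception):
    def __init__(self, kind: str, detail: str):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind                # 'consistency' | 'completeness' | 'termination'


def run(d: Diagram, s: State, max_steps: int = 10_000) -> State:
    """Execute d from its start situation; raise DiagramError on the first violation."""
    cur = d.start
    if not d.situations[cur](s):
        raise DiagramError("consistency", "precondition does not hold")
    last_v: Dict[str, int] = {}          # variant at the last visit of each cycle situation
    for _ in range(max_steps):
        if cur == d.terminal:
            return s
        enabled = [t for t in d.transitions if t.src == cur and t.guard(s)]
        if not enabled:                  # slide 16: at least one guard must be enabled
            raise DiagramError("completeness", f"no transition enabled in {cur}")
        t = enabled[0]
        v0 = d.variant(s) if cur in d.cycle else None
        t.action(s)
        if not d.situations[t.dst](s):   # slide 15: transition must establish its target
            raise DiagramError("consistency", f"{cur}->{t.dst} breaks invariant of {t.dst}")
        if t.dst in d.cycle:
            v1 = d.variant(s)            # slide 17: 0 <= V <= V0 on every cycle transition
            if v1 < 0 or (v0 is not None and v1 > v0):
                raise DiagramError("termination", f"V went {v0} -> {v1} on {cur}->{t.dst}")
            if t.dst in last_v and v1 >= last_v[t.dst]:   # strict decrease around the cycle
                raise DiagramError("termination", f"V not decreased since last visit to {t.dst}")
            last_v[t.dst] = v1
        cur = t.dst
    raise DiagramError("termination", "step budget exhausted")


def binary_search_diagram() -> Diagram:
    """Binary search for x in sorted A (constructed example).  LOOP: x can only be
    in A[lo..hi-1]; MID: additionally lo <= m < hi.  Variant V = hi - lo."""
    def pre(s):
        A = s["A"]
        return all(A[i] <= A[i + 1] for i in range(len(A) - 1))
    def loop(s):
        A, x, lo, hi = s["A"], s["x"], s["lo"], s["hi"]
        return 0 <= lo <= hi <= len(A) and x not in A[:lo] and x not in A[hi:]
    def mid(s):
        return loop(s) and s["lo"] <= s["m"] < s["hi"]
    def post(s):
        r, A, x = s["result"], s["A"], s["x"]
        return (r == -1 and x not in A) or (0 <= r < len(A) and A[r] == x)
    transitions = [
        Transition("PRE", lambda s: True, lambda s: s.update(lo=0, hi=len(s["A"])), "LOOP"),
        Transition("LOOP", lambda s: s["lo"] == s["hi"], lambda s: s.update(result=-1), "POST"),
        Transition("LOOP", lambda s: s["lo"] < s["hi"],
                   lambda s: s.update(m=(s["lo"] + s["hi"]) // 2), "MID"),   # keeps V
        Transition("MID", lambda s: s["A"][s["m"]] == s["x"], lambda s: s.update(result=s["m"]), "POST"),
        Transition("MID", lambda s: s["A"][s["m"]] < s["x"], lambda s: s.update(lo=s["m"] + 1), "LOOP"),
        Transition("MID", lambda s: s["A"][s["m"]] > s["x"], lambda s: s.update(hi=s["m"]), "LOOP"),
    ]
    return Diagram({"PRE": pre, "LOOP": loop, "MID": mid, "POST": post}, transitions,
                   {"LOOP", "MID"}, lambda s: s["hi"] - s["lo"], "PRE", "POST")


def search(d: Diagram, A: List[int], x: int) -> int:
    return run(d, {"A": list(A), "x": x})["result"]


def first_violation(d: Diagram, A: List[int], x: int) -> Optional[str]:
    """Kind of the first verification condition that fails at run time, or None."""
    try:
        search(d, A, x)
        return None
    except DiagramError as e:
        return e.kind


if __name__ == "__main__":
    print(search(binary_search_diagram(), [1, 3, 5, 7, 9], 7))
    broken = binary_search_diagram()
    broken.transitions.pop()            # drop the [A[m] > x] transition
    print(first_violation(broken, [1, 3, 5, 7, 9], 2))   # completeness
```

Mutating the diagram shows each check firing on its own: removing the [A[m]>x] transition leaves MID with no enabled guard (completeness), changing hi:=m into hi:=m+1 lets V stall on a revisit of LOOP (termination), and changing lo:=m+1 into lo:=m+2 eventually violates lo≤hi (consistency). A run-time check only witnesses a violation on the inputs it is given, which is why the slides keep static checking and full proofs as the higher-assurance backends.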
Slide 19
Conclusion and Future Work
● Specifications and invariants are the main building blocks
● Correct programs can be developed incrementally
● Currently used in teaching program semantics
● Future work
– Scalability: refinement, object-orientation
– Larger case studies
– Background checking
– Test case generation
Slide 20
Thank You
http://mde.abo.fi/SOCOS