Slide 1 - Institut für Informatik

Software Verification 1
Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für offene Kommunikationssysteme FOKUS
11.6.2015
Invariably: Starter Questions …
• What is an invariant? How is it used in verification?
• Is the set of invariants of a loop recursive?
• … or recursively enumerable?
• Is there any decidable invariant?
• How to construct an invariant for a given loop?
• E.g. {i=0; while (i<n) {i++}}
• E.g. {i=0; while (i<n) {i++; j--}}
• E.g. {i=0; while (i<n) {i++; j+=i}}
H. Schlingloff, Software-Verifikation I
Slide 2
While[]-Programs
• While-Programs are Turing-complete, but not very convenient to use
• Missing: arrays, pointers, data structures, functions & procedures, modules, inheritance, …
• Today: arrays and search
• Introduce array type X[n], where X is any type and n is any integer
• Set V[] of indexed program variables: if i is a program variable of type Int and a is an array variable of type X[n], then a[i] is an indexed program variable of type X
• while[]Prog: indexed program variables can be used in terms and expressions wherever “normal” program variables are allowed
• Semantics: an array variable a: X[n] is evaluated as a partial function V(a): Int → X ∪ {undef}
  - V(a)(x) = undef if x < 0 or x ≥ n
  - V(a[i]) = V(a)(V(i))
Slide 3
Example: Binary Search
• Input: a sorted array x:Int[n] (i.e., ∀i (x[i-1]<x[i])) and a value a to search for
• Result: index i s.t. x[j]<a for 0<=j<i and x[j]>=a for i<=j<n

i=0; k=n;
while (i<k) {
  s=(i+k-1)/2; //integer division
  if (a>x[s]) i=s+1
  else k=s
}

[Figure: two pictures of the array x. In the result, x[j]<a for j<i and x[j]>=a from i on; during the search, x[j]<a left of i, x[j]>=a from k on, and s lies between i and k.]

Correctness: Show
{n>=0 ∧ ∀i(0<i<n → (x[i-1]<x[i]))}
(the program above)
{0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)}
Slide 4
Invariant for Binary Search
• x is sorted
  - φ0: ∀i(0<i<n → (x[i-1]<x[i]))
• i is changed such that
  - φ1: 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a)
• k is changed such that
  - φ2: 0<=k<=n ∧ ∀j(k<=j<n → x[j]>=a)
• additionally
  - φ3: i<=k
Let φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3
Slide 5
Hoare Proof for Binary Search
{n>=0 ∧ ∀i(0<i<n → (x[i-1]<x[i]))}
i=0; k=n;
{φ}
while (i<k) {
  {φ ∧ i<k}
  s=(i+k-1)/2; //integer division
  if (a>x[s]) i=s+1
  else k=s
  {φ}
}
{φ ∧ i>=k}
{i=k ∧ 0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(k<=j<n → x[j]>=a)}
{0<=i<=n ∧ ∀j(0<=j<i → x[j]<a) ∧ ∀j(i<=j<n → x[j]>=a)}
Slide 6
: 0 <= i <= k <= n  j(0<=j<i  x[j]<a)  j(k<=j<n  x[j]>=a)
{  i<k}
s=(i+k-1)/2;
{  i<k  s==(i+k-1)/2}
if (a>x[s]) i=s+1
else k=s
{}
holds since
{  i<k  s==(i+k-1)/2  a>x[s]} {[i:=s+1]} i=s+1 {}
{  i<k  s==(i+k-1)/2  a<=x[s]} {[k:=s]} k=s {}
proof: see next
Slide 7
: 0 <= i <= k <= n  j(0<=j<i  x[j]<a)  j(k<=j<n  x[j]>=a)
Show:
  i<k  s=(i+k-1)/2  x[s]<a  [i:=s+1]
  i<k  s=(i+k-1)/2  x[s]<a 
0<= s+1 <= k <= n  j(0<=j< s +1  x[j]<a)
  i<k  s=(i+k-1)/2  x[s]<a 
(i+k+1)/2 <= k  j(0<=j<= (i+k-1)/2  x[j]<a)
holds since
i<k  i+k<k+k  i+k+1<=2*k  (i+k+1)/2<=k
x[s]<a  j=s  x[j]<a
0  x[s]<a  j<s  x[j]<a
Slide 8
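Added example, not part of the slides: the binary search above with the invariant φ = φ0 ∧ φ1 ∧ φ2 ∧ φ3 turned into an executable check, asserted where the Hoare proof places it. The function names `phi` and `bsearch_checked` and the sample array are constructed here; a violated precondition (an unsorted x) makes the very first assertion fail, which is the run-time counterpart of the proof's dependence on φ0.

```c
#include <assert.h>
#include <stdio.h>

/* phi = phi0 ^ phi1 ^ phi2 ^ phi3 from the slides, evaluated on the current state.
   phi0: x strictly sorted; phi1: x[j]<a for j<i; phi2: x[j]>=a for j>=k; phi3: i<=k. */
static int phi(const int *x, int n, int a, int i, int k) {
    if (!(0 <= i && i <= k && k <= n)) return 0;                  /* bounds of phi1, phi2, phi3 */
    for (int j = 1; j < n; j++) if (!(x[j-1] < x[j])) return 0;   /* phi0 */
    for (int j = 0; j < i; j++) if (!(x[j] < a)) return 0;        /* phi1 */
    for (int j = k; j < n; j++) if (!(x[j] >= a)) return 0;       /* phi2 */
    return 1;
}

/* Binary search exactly as on the slides, with phi asserted after the initialisation and
   after every loop body. Returns i with x[j]<a for j<i and x[j]>=a for i<=j<n (n if all < a). */
int bsearch_checked(const int *x, int n, int a) {
    int i = 0, k = n, s;
    assert(phi(x, n, a, i, k));               /* {phi} after i=0; k=n */
    while (i < k) {
        s = (i + k - 1) / 2;                  /* integer division; i<=s<k, so x[s] is in bounds */
        if (a > x[s]) i = s + 1;
        else k = s;
        assert(phi(x, n, a, i, k));           /* {phi} is re-established by the body */
    }
    assert(i == k);                           /* phi3 together with i>=k: the regions meet */
    return i;
}

int main(void) {
    const int x[] = {1, 3, 5, 7, 9, 11};      /* constructed, strictly sorted input */
    int probes[] = {0, 1, 6, 7, 12};          /* below, equal, between, equal, above */
    for (size_t p = 0; p < sizeof probes / sizeof probes[0]; p++)
        printf("a=%d -> i=%d\n", probes[p], bsearch_checked(x, 6, probes[p]));
    return 0;
}
```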
Haha
[Screenshot: Binary Search in Haha]
Slide 9
Last Example: Bubblesort
• Given an array x[0..n-1] of integers, the task is to sort x
• Bubblesort repeatedly exchanges “unordered” elements in x, e.g.:
  6–3–8–4–1
  3–6–8–4–1
  3–6–8–4–1
  3–6–4–8–1
  3–6–4–1–8
  3–6–4–1–8
  3–4–6–1–8
  3–4–1–6–8
  3–1–4–6–8
  etc.
Slide 10
Bubblesort Algorithm
i=n;
while (i>1) {
  i=i-1; k=0;
  while (k!=i) {
    k++;
    if (x[k-1]>x[k]) swap(x[k-1], x[k])
  }
}
Slide 11
Specification of Sortedness
• x is sorted
  - sorted(x): ∀i(0<i<n → x[i-1] <= x[i])
• x is a permutation of the input array ?
• For sake of simplicity:
  - assume all elements in x are pairwise unequal:
    diff(x): ∀i,j(0<=i != j<n → (x[i]!=x[j]))
  - in this case, x is a permutation of y iff
    perm(x,y): ∀a(∃i x[i]==a ↔ ∃i y[i]==a)
• Specification
  {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}
Slide 12
Invariant for Bubblesort
Invariant for the outer loop (while (i>1)):
after first iteration: x[n-1] at correct position
after second iteration: x[n-1] and x[n-2] at correct position
after third iteration: x[n-1] .. x[n-3] at correct position
...
ordered(x, i): 1<=i<=n ∧ ∀j(i<=j<n → x[j-1] < x[j]) ∧ ∀j(0<=j<i<n → x[j] <= x[i])
then we have:
  - ordered(x, n) ≡ T
  - ordered(x, 1) ≡ sorted(x)
I: diff(x) ∧ perm(x,y) ∧ ordered(x,i)
Slide 13
Proof of Outer Loop
x==y ∧ diff(x) → perm(x,y)
{x==y ∧ diff(x)} i=n {x==y ∧ diff(x) ∧ i==n}
x==y ∧ diff(x) ∧ i==n → diff(x) ∧ perm(x,y) ∧ ordered(x,i)
{x==y ∧ diff(x)} i=n {I}
{I} while (i>1) {…} {I ∧ (i<=1)}
provided that
{I ∧ (i>1)} i=i-1; k=0; while (k!=i) {…} {I}
perm(x,y) ∧ ordered(x,i) ∧ (i<=1) → perm(x,y) ∧ sorted(x)
{I} while (i>1) {…} {sorted(x) ∧ perm(x,y)}
{x==y ∧ diff(x)} i=n; while (i>1) {…} {perm(x,y) ∧ sorted(x)}
that is, {x==y ∧ diff(x)} Bubblesort {sorted(x) ∧ perm(x,y)}
Slide 14
Inner Invariant
It remains to show: {I ∧ (i>1)} i=i-1; k=0; while (k!=i) {…} {I}
Invariant for the inner loop (while (k!=i)):
perm(x,y) ∧ ordered(x,i+1) remains stable
goal of the inner loop: maximal element from x[0]...x[i-1] is moved to x[i-1]
after each step: 0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])
I': perm(x,y) ∧ ordered(x,i+1) ∧ 0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])
Slide 15
Proof of Inner Invariant
{I ∧ (i>1)} i=i-1; k=0 {perm(x,y) ∧ ordered(x,i+1) ∧ k==0}
perm(x,y) ∧ ordered(x,i+1) ∧ k==0 → I'
{I ∧ (i>1)} i=i-1; k=0 {I'}
{I'} while (k!=i) {…} {I' ∧ (k==i)}, provided that {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {I'}
I' ∧ (k==i) → perm(x,y) ∧ ordered(x,i+1) ∧ ∀j(0<=j<=i → x[i]>=x[j])
{I ∧ (i>1)} i=i-1; k=0; while (k!=i) {…} {I}
it remains to show: {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {I'}
• perm(x,y) remains unchanged
• ordered(x,i+1) is not modified
• {0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j]) ∧ k!=i} k++ {0<=k<=i ∧ ∀j(0<=j<=k-1 → x[k-1]>=x[j])}
• {I' ∧ (k!=i)} k++; if (x[k-1]>x[k]) swap(x[k-1], x[k]) {0<=k<=i ∧ ∀j(0<=j<=k → x[k]>=x[j])}
Slide 16
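Added example, not part of the slides: the bubblesort from Slide 11 with the outer invariant I and the inner invariant I' evaluated as run-time assertions at the points used in the proof, so each proof obligation above can be watched holding on the trace from Slide 10. The helper names `ordered`, `diff`, `perm`, `maxprefix`, `bubblesort_checked` and `slide_example` are constructed here; the input is the constructed array 6 3 8 4 1, and a second copy y of the input is kept only so that perm(x,y) can be evaluated.

```c
#include <assert.h>
#include <string.h>
/* ordered(x,i): tail x[i..n-1] is strictly sorted and every x[j], j<i, is <= x[i]. */
static int ordered(const int *x, int n, int i) {
    if (!(1 <= i && i <= n)) return 0;
    for (int j = i; j < n; j++) if (!(x[j-1] < x[j])) return 0;
    for (int j = 0; j < i && i < n; j++) if (!(x[j] <= x[i])) return 0;
    return 1;
}
static int diff(const int *x, int n) {          /* diff(x): all elements pairwise unequal */
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) if (x[i] == x[j]) return 0;
    return 1;
}
static int perm(const int *x, const int *y, int n) {  /* perm(x,y): same set of values; enough given diff(x) */
    for (int i = 0; i < n; i++) {
        int inx = 0, iny = 0;
        for (int j = 0; j < n; j++) { inx |= x[j] == y[i]; iny |= y[j] == x[i]; }
        if (!inx || !iny) return 0;
    }
    return 1;
}
static int maxprefix(const int *x, int i, int k) {     /* 0<=k<=i ^ x[k] >= x[j] for all 0<=j<=k */
    if (!(0 <= k && k <= i)) return 0;
    for (int j = 0; j <= k; j++) if (!(x[k] >= x[j])) return 0;
    return 1;
}
/* Bubblesort exactly as on the slides; y is an untouched copy of the input so perm(x,y)
   can be evaluated. Assumes n >= 1, because ordered(x,i) requires 1 <= i <= n. */
void bubblesort_checked(int *x, const int *y, int n) {
    int i = n, k, t;
    while (i > 1) {
        assert(diff(x, n) && perm(x, y, n) && ordered(x, n, i));               /* I ^ i>1 */
        i = i - 1; k = 0;
        while (k != i) {
            assert(perm(x, y, n) && ordered(x, n, i + 1) && maxprefix(x, i, k)); /* I' ^ k!=i */
            k++;
            if (x[k-1] > x[k]) { t = x[k-1]; x[k-1] = x[k]; x[k] = t; }         /* swap */
        }
        assert(k == i && ordered(x, n, i));          /* I' ^ k==i gives ordered(x,i) again */
    }
    assert(perm(x, y, n) && ordered(x, n, 1));       /* I ^ i<=1, i.e. sorted(x) ^ perm(x,y) */
}
/* Constructed input taken from the trace on Slide 10; returns 1 iff the checked sort yields 1 3 4 6 8. */
int slide_example(void) {
    const int y[5] = {6, 3, 8, 4, 1};
    int x[5]; memcpy(x, y, sizeof x);
    bubblesort_checked(x, y, 5);
    return x[0] == 1 && x[1] == 3 && x[2] == 4 && x[3] == 6 && x[4] == 8;
}
```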