
Functional Verification III
Software Testing and Verification
Lecture Notes 23
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida
Previously…
• Correctness conditions and working
correctness questions:
– sequencing
– decision statements
Today’s Topics
• Iteration Recursion Lemma (IRL)
• Termination predicate: term(f,P)
• Correctness conditions for while_do
statement
• Correctness conditions for repeat_until
statement
• Subgoal Induction
Iteration Recursion Lemma (IRL)
• The IRL reduces the verification of
programs with loops to a question of
termination and the verification of loop-free programs by converting iteration to
recursion.
• For while loops, the Lemma states:
f = [while p do g] = [if p then g;f end_if]
(note recursion)
Iteration Recursion Lemma (cont’d)
[Flowchart omitted: f = (test p; on T run g and return to the test; on F exit). Unrolling the first test and body gives the same picture with the loop back-edge replaced by a call to f, i.e. f = if p then g;f end_if.]
Iteration Recursion Lemma (cont’d)
• Rather than verify directly that f is the
program function of
K = while p do g
which can be very difficult, it is sufficient to
prove that
1. K terminates for all X ∈ D(f), and that
2. f is the program function of
Q = if p then g;f end_if
because [K] = [Q].
An important implication of the IRL
• Suppose for “input” X0 the while loop terminates after n iterations with “output” Xn.
• Furthermore, let X1, X2, ..., Xn-1 be the intermediate states generated by the loop.
• Then  0≤i<n, we know:
– p(Xi) (when g executes 1 or more times),
– Xi+1=g(Xi), and
– ¬p(Xn).
An important implication of the IRL (cont’d)
• As f = [while p do g] = [if p then g;f end_if],
it follows that
f(X0) = f(X1) = ... = f(Xn) = Xn
• More generally, after each iteration of the
loop, the function value of the current state,
X, must be the same as the function value of
the initial state, X0. That is:
f(X) = f(X0)
• We will revisit this observation in connection
with Mill’s Invariant Status Theorem later.
Illustrative Example of IRL
• To further illustrate the fact that
[while p do g] = [if p then g;f end_if]
consider a concrete example...
• Let K = while y>0 do x,y := x+1,y−1
(here p is y>0 and g is x,y := x+1,y−1)
• Claim: K is function equivalent to
Q = if y>0 then x,y := x+1,y−1;k end_if
(so, when p holds, [Q] = k o g)
where, by definition, k = [K].
Illustrative Example of IRL (cont’d)
Case (y>0):
For K = while y>0 do x,y := x+1,y−1, the loop
body executes y times before the predicate y>0
becomes false. By observation, then, the final
value of x is x0+(1)y0 = x0+y0 and the final value
of y is 0. Thus,
(y>0) => k = (x,y := x+y,0)
Also, note that when y=0 initially,
k = I = (x,y := x,y) = (x,y := x+0,y)
= (x,y := x+y,0)
Therefore, (y≥0) => k = (x,y := x+y,0)
Illustrative Example of IRL (cont’d)
Case (y>0): (cont’d)
[Q] is a composition of two functions, i.e., k o g,
and may be determined by direct substitution.
For y>0 initially, y will be greater than OR
EQUAL to 0 after executing the loop body, but
since we know (y≥0) => k = (x,y := x+y,0),
we have
[Q] = (x,y := x+y,0) o (x,y := x+1,y−1)
= (x,y := (x+1)+(y−1),0)
= (x,y := x+y,0)
= k (the function computed by K)
Thus, [Q] = [K] when y>0.
Illustrative Example of IRL (cont’d)
Case (y≤0):
Since the predicate (y>0) fails, both K and Q do
nothing, and are therefore equivalent.
Thus, [Q] = I = [K] when y≤0.
Therefore, K is function equivalent to Q.
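The lemma and the observation f(X) = f(X0) can be checked mechanically on the example just worked. The following Python script is an added example, not part of the original notes: it encodes the page's K, its recursive reading Q from the IRL, and the hypothesised k = [K] (extended with k = I for y<0, since the loop then exits at once), runs all three over a small grid of integer states, and records the intermediate states Xi to confirm k(Xi) = k(X0) along every trace.

```python
# Added example (not from the lecture notes).  K, p and g are the page's
#   K = while y>0 do x,y := x+1,y-1
# Q is the recursive reading given by the Iteration Recursion Lemma,
#   Q = if y>0 then g;k end_if,
# and k_hyp is the hypothesised program function k = [K]:
#   (y>=0 -> x,y := x+y,0), and the identity when y<0 (the loop exits at once).
from typing import List, Optional, Tuple

State = Tuple[int, int]  # (x, y)


def p(s: State) -> bool:
    return s[1] > 0


def g(s: State) -> State:
    x, y = s
    return (x + 1, y - 1)


def k_hyp(s: State) -> State:
    """Hypothesised k = [K]; every state is in D(k) because K always stops."""
    x, y = s
    return (x + y, 0) if y >= 0 else (x, y)


def run_K(s: State, fuel: int = 500) -> Optional[State]:
    """Execute K = while p do g.  None if it has not stopped after `fuel` iterations."""
    while p(s):
        if fuel == 0:
            return None
        s, fuel = g(s), fuel - 1
    return s


def run_Q(s: State, fuel: int = 500) -> Optional[State]:
    """Execute Q = if p then g;Q end_if, the recursive form from the IRL."""
    if not p(s):
        return s
    if fuel == 0:
        return None
    return run_Q(g(s), fuel - 1)


def trace_K(s: State) -> List[State]:
    """The states X0, X1, ..., Xn that K passes through (K stops for every integer y)."""
    states = [s]
    while p(s):
        s = g(s)
        states.append(s)
    return states


def irl_holds(grid: range = range(-5, 6)) -> bool:
    """On the grid: [K] = [Q] = k_hyp, and k_hyp(Xi) = k_hyp(X0) along every trace."""
    for x in grid:
        for y in grid:
            s = (x, y)
            if not (run_K(s) == run_Q(s) == k_hyp(s)):
                return False
            if any(k_hyp(xi) != k_hyp(s) for xi in trace_K(s)):
                return False
    return True


if __name__ == "__main__":
    print("X0 = (2, 3), trace:", trace_K((2, 3)))   # [(2, 3), (3, 2), (4, 1), (5, 0)]
    print("[K] = [Q] = k on grid:", irl_holds())    # True
```

The `fuel` counters are there only so that a wrong hypothesis cannot hang the check; on the grid used here K always stops, which is what term(f,K) asserts for this loop.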
Termination Predicate
• The correctness of a looping program P
depends, in part, on termination.
• Consideration is limited to programs whose
termination can be established and the
following predicate is defined:
term(f,P) ≡ ‘‘P terminates for every
initial state X ∈ D(f)’’
Before we continue…
• Take out a piece of paper and a pen/pencil.
• Without looking back in the lecture notes,
write down the correctness conditions for:
f = [if p then g]
if_then Correctness Conditions
• Correctness conditions for f = [if p then g]:
Prove: p ⇒ (f = g) ∧
¬p ⇒ (f = I)
• So, aside from proving termination over the domain
of f, what are the two corresponding conditions for:
f = [while p do g] = [if p then fog] ?
while_do Correctness Conditions
• Correctness conditions for
f = [K] = [while p do G]
(where K is closed for the domain of f †, and
g = [G]):
Prove:
term(f,K) ∧
p ⇒ (f = f o g) ∧
¬p ⇒ (f = I)
†A while loop is closed for a set of data states S ≡ [∀X∈S: p(X) ⇒ g(X)∈S]
while_do Correctness Conditions
(cont’d)
• Working correctness questions:
– Is loop termination guaranteed for
any argument of f ?
– When p is true does f equal f
composed with g?
– When p is false does f equal Identity?
while_do Example
• Prove f = [T] where, for integers x, y,
and z:
f = (y≥0 → z,y := z+xy,0)
and T is:
while y<>0 do          (p)
z := z+x               (G: the loop body)
y := y−1
end_while
while_do Example (cont’d)
• Proof:
T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation.
( Recall: f = (y≥0 → z,y := z+xy,0) )
– term(f,T)? √
Does y≥0 initially ⇒ T will terminate? Yes: for y≥0 each iteration
decreases y by exactly 1 and the loop exits as soon as y=0, so G
executes exactly y times. (Prove this formally with the Method of
Well-Founded Sets.)
– Does (y=0) ⇒ ( f = I )? √   [¬p]
(y=0) ⇒ ( f = (z,y := z+x(0),0)
= (z,y := z,0) )
(y=0) ⇒ ( I = (z,y := z,0) )
– Does (y≠0) ⇒ ( f = f o g )? √   [p]
case a: Does (y<0) ⇒ ( f = f o g )? √
(y<0) ⇒ ( f = undefined )
(y<0) ⇒ ( f o g = f o (z,y := z+x,y−1) )
What is f when applied after g decrements the initially negative
value of y? Since y<0 ⇒ y−1<0, the state g(X) lies outside D(f), so
(y<0) ⇒ ( f o g = undefined o (z,y := z+x,y−1)
= undefined )
case b: Does (y>0) ⇒ ( f = f o g )? √
(y>0) ⇒ ( f = (z,y := z+xy,0) )
(y>0) ⇒ ( f o g = f o (z,y := z+x,y−1) )
Again, what is f when applied after g decrements the initially
positive value of y? Since y>0 ⇒ y−1≥0, the state g(X) lies in D(f), so
(y>0) ⇒ ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1)
= (z,y := (z+x)+x(y−1),0)
= (z,y := z+xy,0) )
We could have also composed the full, conditional definition of
f with g, i.e. (y≥0 → z,y := z+xy,0) o (z,y := z+x,y−1), to yield
(y≥1 → z,y := z+xy,0), which is just (z,y := z+xy,0) when y>0.
Therefore, f = [T].
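The three while_do conditions can be turned into an executable check on a finite sample of states. The script below is an added example, not part of the original notes. It represents program functions as Python callables that return None for "undefined", so the comparison f = f o g on states outside D(f) is exactly the undefined = undefined step of case a. term(f,T) is checked through a variant (here the value of y, which must be a natural number that strictly decreases under g on D(f)), in the spirit of the well-founded-sets proof the slide defers. The hypothesis f_bad, which drops the domain restriction y≥0, is constructed here to show that the two algebraic conditions can hold while termination fails.

```python
# Added example (not from the lecture notes).  T, p, g and f are the page's
#   T = while y<>0 do z := z+x; y := y-1 end_while
#   f = (y>=0 -> z,y := z+xy, 0)
# f_bad is a constructed wrong hypothesis (no domain restriction) used to show a
# failing check.  None models 'undefined' for partial functions.
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional, Tuple

State = Tuple[int, int, int]            # (x, y, z)
PFun = Callable[[State], Optional[State]]


def compose(f: PFun, g: PFun) -> PFun:
    """f o g as a partial function: undefined wherever g or f is."""
    def fg(s: State) -> Optional[State]:
        t = g(s)
        return None if t is None else f(t)
    return fg


def p(s: State) -> bool:                      # loop predicate y<>0
    return s[1] != 0


def g(s: State) -> State:                     # g = [G] = (z,y := z+x, y-1)
    x, y, z = s
    return (x, y - 1, z + x)


def f(s: State) -> Optional[State]:           # intended function, domain y>=0
    x, y, z = s
    return (x, 0, z + x * y) if y >= 0 else None


def f_bad(s: State) -> State:                 # constructed: same rule, domain restriction dropped
    x, y, z = s
    return (x, 0, z + x * y)


def variant(s: State) -> int:                 # candidate well-founded measure: y
    return s[1]


def check_while_do(f: PFun, p: Callable[[State], bool], g: Callable[[State], State],
                   variant: Callable[[State], int], states: Iterable[State]) -> Dict[str, bool]:
    """term(f,K) via the variant, p => f = f o g, not p => f = I, and closure of K for D(f)."""
    fg = compose(f, g)
    ok = {"term": True, "p => f = f o g": True, "not p => f = I": True, "closed": True}
    for s in states:
        in_domain = f(s) is not None
        if p(s):
            if f(s) != fg(s):
                ok["p => f = f o g"] = False
            if in_domain:
                t = g(s)
                if f(t) is None:                      # g(s) left D(f): not closed
                    ok["closed"] = False
                if not (0 <= variant(t) < variant(s)):  # measure not a decreasing natural
                    ok["term"] = False
        elif in_domain and f(s) != s:
            ok["not p => f = I"] = False
    return ok


def run_T(s: State, fuel: int = 1000) -> Optional[State]:
    """Execute T directly; None if it has not stopped after `fuel` iterations."""
    while p(s):
        if fuel == 0:
            return None
        s, fuel = g(s), fuel - 1
    return s


GRID: List[State] = list(product(range(-3, 4), repeat=3))

if __name__ == "__main__":
    print("f:    ", check_while_do(f, p, g, variant, GRID))      # all True
    print("f_bad:", check_while_do(f_bad, p, g, variant, GRID))  # only 'term' is False
    print("T(2,3,1) =", run_T((2, 3, 1)))                        # (2, 0, 7)
    print("T(1,-1,0) =", run_T((1, -1, 0)))                      # None: never stops
```

The interesting row is f_bad: composing (z,y := z+xy,0) with g gives back (z,y := z+xy,0) for every y, so the algebraic identity holds on y<0 as well, and only the termination check (a negative y is not a natural number) exposes that T loops forever there. That is why term(f,K) is a separate condition and why f must carry its domain.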
Exercise 1
• For program M below, where all variables are
integers, hypothesize a function f for [M] and
prove f = [M].
while i<n do
t := t*x
i := i+1
end_while
repeat_until Statement
• What are the correctness conditions for f = [R]
= [repeat g until p]?
[Flowchart omitted: f = (run g; test p; on F return to g; on T exit).]
repeat_until Statement (cont’d)
• An IRL for repeat_until statements:
f = [repeat g until p] = [g; if ¬p then f]
“Proof” by Picture
[Flowchart omitted: the loop is unrolled one iteration, g followed by the test p, and the back-edge to g (taken when ¬p holds) is replaced by a call to f, giving f = g; if ¬p then f end_if.]
repeat_until Statement (cont’d)
• Therefore, it is sufficient to verify that
1. R terminates for all X ∈ D(f), and that
2. f is the program function of
Q = g; if ¬p then f end_if
because [R] = [Q].
repeat_until Correctness Conditions
• Correctness conditions for
f = [R] = [repeat G until p]
(where R is closed for the domain of f †, and
g = [G]):
Prove:
term(f,R) ∧
(p o g) ⇒ (f = g) ∧
¬(p o g) ⇒ (f = f o g)
†A repeat_until loop is closed for a set of data states S ≡ [∀X∈S: ¬p(g(X)) ⇒
g(X)∈S]
repeat_until Correctness Conditions
(cont’d)
• Working correctness questions:
– Is loop termination guaranteed for any
argument of f ?
– When p o g is true does f equal g?
– When p o g is false does f equal f o g?
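The two algebraic conditions follow from the repeat_until IRL and the if_then conditions already proved; this short derivation is added here and is not part of the original notes.

Let h = [if ¬p then f end_if]. By the if_then correctness conditions,
¬p ⇒ (h = f) ∧ p ⇒ (h = I).
By the IRL for repeat_until, f = [g; if ¬p then f end_if] = h o g, so for any
state X the value f(X) = h(g(X)) is fixed by whether p holds at g(X):
p(g(X)) ⇒ f(X) = I(g(X)) = g(X), i.e. (p o g) ⇒ (f = g)
¬p(g(X)) ⇒ f(X) = f(g(X)), i.e. ¬(p o g) ⇒ (f = f o g)
Together with term(f,R), these are exactly the three conditions above. The
predicate is evaluated after G has executed, which is why p o g rather than p
appears, and why the identity case of while_do has no counterpart here: R
always executes G at least once.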
Exercise 2
• For program R below, where all variables
are integers, hypothesize a function r for
[R] and prove r = [R].
repeat
x := x−1
y := y+2
until x=0
Subgoal Induction
• “Subgoal induction” is a proof method proposed by Morris and Wegbreit† that can be
viewed as a generalization of (while loop)
functional verification.
• It uses a variation of the Iteration Recursion
Lemma (IRL) to identify relatively simple
correctness conditions for a while loop
surrounded by pre- and post-processing
code.
†Morris, James & Ben Wegbreit, “Subgoal Induction,”
CACM, Volume 20, No. 4, April 1977.
Subgoal Induction (cont’d)
• The key observation underlying the method
is:
v = [while p do g end_while; t]
≡
[if p then g;v else t end_if_else]
• The function equivalence of these programs,
like that asserted in the IRL, is perhaps best
illustrated graphically...
Subgoal Induction (cont’d)
[Flowchart omitted: v = (test p; on T run g and return to the test; on F run t). Unrolling the first test gives v = if p then g;v else t end_if_else.]
Subgoal Induction (cont’d)
• Suppose, now, that compound program K is:
h; while p do g end_while; t
and that v = [while p do g end_while; t].
• From the functional equivalence illustrated
above and the fact that K = h;v, it therefore
follows that:
[K] = v o h
= [if p then g;v else t end_if_else] o h
Subgoal Induction (cont’d)
• Recall the correctness conditions for
r = [if p then g else t]:
(1) p ⇒ (r=g) and (2) ¬p ⇒ (r=t).
• Thus, the correctness conditions for
f = [K] = [h; while p do g end_while; t]
are:
(1) term(f,K), (2) p ⇒ (v=v o g),
(3) ¬p ⇒ (v=t), and (4) f=v o h
where v = [while p do g end_while; t].
Subgoal induction vs. functional
verification
• How does subgoal induction differ from the
program decomposition strategy employed in
functional verification†?
To show f = [h; while p do g end_while; t]
using functional verification, an intermediate
hypothesis and “sub-proof” for the loop is
required, whereas t is part of the intermediate
hypothesis in the subgoal induction case.
• Note that if t is the identity function, the two
strategies are identical.
† I.e., functional verification as originally proposed by Mills.
Subgoal induction vs. functional
verification (cont’d)
• But, if h is the identity function, then subgoal
induction has an advantage since the intended
function f (if given) can then be used as the
intermediate hypothesis. (In this case, treating
the loop and t as a whole results in a more
efficient proof.)
Subgoal Induction Example
• Use subgoal induction to prove f = [K] where,
for integers x, y, and z:
f = (x≥0 → x,y,z := 0,2^x,2^x)
and K is:
y := 1                 (H)
while x<>0 do
y := y*2               (G: the loop body)
x := x-1
end_while
z := y                 (T)
Subgoal Induction Example (cont’d)
We need to show:
(1) term(f,K), (2) p ⇒ (v=v o g),
(3) ¬p ⇒ (v=t), and (4) f=v o h
But first, we must hypothesize a function for v
(our “intermediate hypothesis”):
v = [while x<>0 do g end_while; z := y]
Subgoal Induction Example (cont’d)
What is the function, v, of this program?
while x<>0 do
y := y*2
x := x-1
end_while
z := y
x>0 → x,y,z := 0, y·2^x, y·2^x
x=0 → x,y,z := x, y, y
= 0, y·2^x, y·2^x   (since x=0 and 2^0=1)
x<0 → undefined
Therefore, v is hypothesized to be:
(x≥0 → x,y,z := 0, y·2^x, y·2^x)
Subgoal Induction Example (cont’d)
Returning to the four correctness conditions:
(1) term(f,K), (2) p ⇒ (v=v o g),
(3) ¬p ⇒ (v=t), and (4) f=v o h
( Recall: hypoth. v = (x≥0 → x,y,z := 0, y·2^x, y·2^x) )
(1) Does K terminate for all x≥0? YES
y := 1
while x<>0 do
y := y*2
x := x-1
end_while
z := y
(Prove this using the Method of Well-Founded Sets.)
(2) Does (x≠0) ⇒ ( v = v o g )? YES   [p]
case a: Does (x<0) ⇒ ( v = v o g )? YES
(x<0) ⇒ ( v = undefined )
(x<0) ⇒ ( v o g = undefined o (x,y := x-1,2y)
= undefined )
since x<0 ⇒ x−1<0, so g(X) lies outside D(v).
case b: Does (x>0) ⇒ ( v = v o g )? YES
(x>0) ⇒ ( v = (x,y,z := 0, y·2^x, y·2^x) )
(x>0) ⇒ ( v o g = (x,y,z := 0, y·2^x, y·2^x) o (x,y := x-1,2y)
= (x,y,z := 0, 2y·2^(x-1), 2y·2^(x-1))
= (x,y,z := 0, y·2^x, y·2^x) )
since x>0 ⇒ x−1≥0, so g(X) lies in D(v).
(3) Does (x=0) ⇒ ( v = t )? YES   [¬p]
(x=0) ⇒ ( v = (x,y,z := 0, y·2^0, y·2^0)
= (x,y,z := 0, y, y) )
(x=0) ⇒ ( t = (x,y,z := 0, y, y) )
(4) Does f = v o h ? YES
f = (x≥0 → x,y,z := 0,2^x,2^x)
v o h = (x≥0 → x,y,z := 0, y·2^x, y·2^x) o (x,y,z := x,1,z)
= (x≥0 → x,y,z := 0, (1)2^x, (1)2^x)
= (x≥0 → x,y,z := 0, 2^x, 2^x)
Therefore, for f = (x≥0 → x,y,z := 0,2^x,2^x) and K:
y := 1
while x<>0 do
y := y*2
x := x-1
end_while
z := y
we conclude, by subgoal induction, that f = [K].
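The four subgoal induction conditions, and the comparison with Mills' decomposition made two slides earlier, can both be run on a finite grid of states. The script below is an added example and not part of the original notes. It encodes the page's h, g, t, f and the intermediate hypothesis v, checks conditions (1) to (4) (termination through the variant x), and then verifies the same program the functional-verification way, which needs a separate hypothesis w for the bare loop (here w = (x≥0 → x,y,z := 0, y·2^x, z), a hypothesis assumed for this comparison) before composing f = t o w o h.

```python
# Added example (not from the lecture notes).  K = h; while p do g end_while; t is
# the page's program
#   y := 1; while x<>0 do y := y*2; x := x-1 end_while; z := y
# with f = (x>=0 -> x,y,z := 0, 2^x, 2^x) and v = (x>=0 -> x,y,z := 0, y*2^x, y*2^x).
# w is an assumed hypothesis for the bare loop, used only for the Mills-style
# comparison.  None models 'undefined'.
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional, Tuple

State = Tuple[int, int, int]            # (x, y, z)
PFun = Callable[[State], Optional[State]]


def compose(f: PFun, g: PFun) -> PFun:
    """f o g as a partial function: undefined wherever g or f is."""
    def fg(s: State) -> Optional[State]:
        t = g(s)
        return None if t is None else f(t)
    return fg


def h(s: State) -> State:                     # H: y := 1
    x, y, z = s
    return (x, 1, z)


def p(s: State) -> bool:                      # loop predicate x<>0
    return s[0] != 0


def g(s: State) -> State:                     # G: y := y*2; x := x-1  ==  (x,y := x-1, 2y)
    x, y, z = s
    return (x - 1, 2 * y, z)


def t(s: State) -> State:                     # T: z := y
    x, y, z = s
    return (x, y, y)


def f(s: State) -> Optional[State]:           # intended function of K
    x, y, z = s
    return (0, 2 ** x, 2 ** x) if x >= 0 else None


def v(s: State) -> Optional[State]:           # subgoal-induction hypothesis for 'loop; t'
    x, y, z = s
    return (0, y * 2 ** x, y * 2 ** x) if x >= 0 else None


def w(s: State) -> Optional[State]:           # assumed Mills-style hypothesis for the bare loop
    x, y, z = s
    return (0, y * 2 ** x, z) if x >= 0 else None


def run_K(s: State) -> Optional[State]:
    """Execute K; None when x<0, where the loop never reaches x=0."""
    if s[0] < 0:
        return None
    s = h(s)
    while p(s):
        s = g(s)
    return t(s)


def check_subgoal_induction(states: Iterable[State]) -> Dict[str, bool]:
    """(1) term via the variant x on D(v), (2) p => v = v o g, (3) not p => v = t, (4) f = v o h."""
    vg, vh = compose(v, g), compose(v, h)
    ok = {"(1) term": True, "(2) p => v = v o g": True, "(3) not p => v = t": True, "(4) f = v o h": True}
    for s in states:
        if p(s):
            if v(s) != vg(s):
                ok["(2) p => v = v o g"] = False
            if v(s) is not None and not (0 <= g(s)[0] < s[0]):
                ok["(1) term"] = False
        elif v(s) != t(s):
            ok["(3) not p => v = t"] = False
        if f(s) != vh(s):
            ok["(4) f = v o h"] = False
    return ok


def check_mills_decomposition(states: Iterable[State]) -> Dict[str, bool]:
    """Same program as h; loop; t: prove the loop alone against w, then compose f = t o w o h."""
    wg, twh = compose(w, g), compose(t, compose(w, h))
    ok = {"p => w = w o g": True, "not p => w = I": True, "f = t o w o h": True}
    for s in states:
        if p(s):
            if w(s) != wg(s):
                ok["p => w = w o g"] = False
        elif w(s) != s:
            ok["not p => w = I"] = False
        if f(s) != twh(s):
            ok["f = t o w o h"] = False
    return ok


GRID: List[State] = list(product(range(-3, 4), repeat=3))

if __name__ == "__main__":
    print(check_subgoal_induction(GRID))       # all True
    print(check_mills_decomposition(GRID))     # all True
    print("K(3, 7, 7) =", run_K((3, 7, 7)))    # (0, 8, 8)
```

Both checks pass, but note what each needed: subgoal induction worked directly with v, whose z component already reflects t, whereas the Mills decomposition needed the extra loop-only hypothesis w and a third composition step. With h not the identity (it sets y := 1), f itself could not serve as either hypothesis, which is the case the slides on "Subgoal induction vs. functional verification" describe.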
Summary
• Iteration Recursion Lemma (IRL)
• Termination predicate: term(f,P)
• Correctness conditions for while_do
statement
• Correctness conditions for repeat_until
statement
• Subgoal Induction
Coming up next…
• Thinking about invariants again
• Invariant Status Theorem (IST)
• While Loop Initialization
• Utility of IST