Functional Program
Verification
CS 4311
A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999.
Y. Cheon and M. Vela, A Tutorial on Functional Program Verification,
Technical Report 10-26, Dept. of Computer Science, University of
Texas at El Paso, El Paso, TX, September 2010
1
Outline





Non-testing techniques for V&V
Overview of functional verification
Program as functions
Intended functions
Verification
 Assignment
statement
 Sequential composition
 Conditional statement
 Iterative statement
2
2
Sec. 13.4 of Vliet 2008
(Manual Testing Techniques)
Non-testing Techniques for V&V

(Pairs, 2 minutes) V&V
 Definitions
and examples from the class project?
3
Sec. 13.4 of Vliet 2008
(Manual Testing Techniques)
Non-testing Techniques for V&V

(Pairs, 2 minutes) V&V


Definitions and examples?
Code reviews

Reading


Walkthrough




If you can’t read it, neither can the people maintaining it
Team effort (group of 3-5, e.g., designer, moderator, secretary)
Manual simulation lead by designer
Focus on discovering faults, not on fixing them
Inspection


Looking for specific faults (e.g., using check lists)
E.g., uninitialized variables
4
Sec. 13.4 of Vliet 2008
(Manual Testing Techniques)
Non-testing V&V (Cont.)

Correctness proof
 Hoare
logic
 Functional program verification


Model checking
Correct by construction
 Refinement
calculus
 Model driven development
5
Overview of Functional Verification

Key ideas
 View
programs as mathematical functions
 Write specifications as mathematical functions
 Compare two functions for correctness verification

Characteristics
 Based
on sets and functions <-> logic (Hoare)
 Forward reasoning <-> backward reasoning
 Match informal reasoning
6
Programs as Functions

Values of x and y after execution?
// pre-state: {(x,10), (y,20)}
x = x + y;
y = x – y;
x = x – y;
// post-state: {(x,?), (y,?)}
7
Programs as Functions

Values of x and y after execution?
// pre-state: {(x,10), (y,20)}
x = x + y;
y = x – y;
x = x – y;
// post-state: {(x,?), (y,?)}

State changing function (or state transformer)


Function on program states
Map one program state to another
{(x,3), (y,5)}
…
{(x,6), (y,4)}
pre-state
{(x,5), (y,3)}
…
{(x,4), (y,6)}
post-state
8
Concurrent Assignment

Notation for express state changing functions
[x1, x2, …, xn := e1, e2, …, en]



Evaluate ei’s in the pre-state at the same time
Assign them to xi’s at the same time
The values of other state variables remain the same (frame
axiom).
// [x, y := y, x]
x = x + y;
y = x – y;
x = x – y;
9
Conditional Concurrent Assignment

Different functions based on some conditions
[x > 0 -> sign := 1
| x < 0 -> sign := -1
| else -> sign := 0]


Conditions evaluated sequentially from the first to the last in the
pre-state
Keyword “else” interpreted as “true”
[n > maxSize -> n := maxSize | else -> I]
Identity
function
[n > 0 -> avg := sum / n | else -> undefined]
Partial
function
10
Exercise

Write a (conditional) concurrent assignment to describe
the function computed by the following code.
if (n > maxSize) {
n = maxSize;
}
avg = sum / n;
11
Intended Functions

Intended function: function describing our
intention of code
 Specification

for the code
Code function: function computed by code
 Actual
behavior implemented by the code
// [sum, i := sum + j=1a.length-1a[j], anything]
while (i < a.length) {
sum += a[i];
i++;
}
Don’t care
about the final
value.
12
Exercise

Write intended functions for the following code
(a) sum = sum + a;
avg = sum / n;
(b) if (a[i] == k) {
l = i;
}
(c) while (i < a.length) {
if (a[i] == k) {
l = i;
}
i++;
}
13
Annotating Code

Why?


To facilitate correctness verification
How?

Annotate every section of code with intended function
// f0: [r := largest value in a]
// f1 : [r, i := a[0], 1]
r = a[0]
int i = 1;
// f2 : [r, i := max of r and largest in a[i..], anything]
while (i < a.length) {
// f3 : [r, i := max of r and a[i], i+1]
if (a[i] > r) { r = a[i]; }
i++;
}
14
Exercise

Annotate the following code with intended functions
c = 0;
int i = 0;
while (i < a.length) {
if (a[i] == n) {
c++;
}
i++;
}
15
Outline





Non-testing techniques for V&V
Overview of functional verification
Program as functions
Intended functions
Verification
 Assignment
statement
 Sequential composition
 Conditional statement
 Iterative statement
16
16
Functional Verification Process
1.
2.
3.
Write specifications of code as functions, called
intended functions
Calculate functions computed by code, called
code functions
Compare code functions (p) with intended
functions (f), i.e., p is correct with respect to (⊑)
f if:


dom p  dom f
p(x) = f(x) for every x  dom f
Why not
dom p = dom f ?
17
Verification of
Assignment Statement


Often straightforward
Often identical code and intended functions
// [x := x + 1]
x = x + 1;
// [n > 0 -> avg := sum / n]
avg = sum / n;
More work done
by code
18
Verification of
Sequential Composition

Compose code functions
// [n > 0 -> sum, avg := sum + a, (sum + a) / n]
sum = sum + a;
avg = sum / n;
[sum := sum + a];
[n  0 -> avg := sum / n]
 [n  0 -> sum, avg := sum + a; (sum + a) / n]
⊑ [n > 0 -> sum, avg := sum + a; (sum + a) / n]
19
Trace Table

Calculate code function by tracing state changes
made by statements
statement
x=x+1
x
y
z
x+1
y=2*x
2*(x+1)
z=x+y
x = x + 1;
y = 2 * x;
z = x + y;
x = x + 1;
x = 3 * x;
(x+1) + 2*(x+1)
x=x+1
x+2
x=3*x
3*(x+2)
[x, y, z := 3*(x+2), 2*(x+1), (x+1) + 2*(x+1)]
20
Exercise

Use a trace table to calculate the function computed by
the following code.
rate = 0.5;
years++;
interest = balance * rate / 100;
balance = balance + interest;
21
Modular Verification

Can use intended functions in place of code functions for
verification
// [f0]
// [f1]
S1
// [f2]
S2

Proof obligations
 f1; f2 ⊑ f0
 S1 is correct

with respect to f1 (S1 ⊑ f1)
S2 is correct with respect to f2 (S2 ⊑ f2)
22
Verification of
Conditional Statement

Calculate code functions using conditional trace tables
statement
condition
p=a*r
if (a < b)
p
a*r
a<b
b=b-a
b-a
p=a*r
if (a < b)
b=b-p
b
a*r
p = a * r;
if (a < b)
b = b – a;
else
b = b – p;
a >= b
b – (a * r)
[a < b -> p, b := a * r, b – a
| a >= b -> p, b := a *r, b – (a*r)]
23
Verification of
Conditional Statement (Cont.)

Case analysis on conditions
// [f]
if (B) S1 else S2

Proof obligations


When B holds, S1 is correct with respect to f (B  S1 ⊑ f)
When B doesn’t hold, S2 is correct with respect to f ( B  S2 ⊑ f)
24
Example
// f: [z != 0 -> r := |x - y| / z]
if (x > y) r = (x - y) / z; else r = (y - x) / z;

Proof by case analysis
 When
x>y
x – y  |x - y|, thus [z != 0 -> r := (x - y)/z]  f
 When !(x > y)
y – x  |x - y|, thus [z != 0 -> r := (y - x)/z]  f
Therefore, if … else … ⊑ f
25
Exercise

Derive proof obligations for an if statement without an
else part.
// [f]
if (B) S
26
Exercise

Write an intended function for the following code and
prove the correctness of the code with respect to the
intended function
if (n > maxSize) {
n = maxSize;
}
sum = sum + a;
avg = sum / n;
27
Verification of
Iteration Statement

No known way of calculating code function, so proof by induction
// [f]
while (B) S

// [f]
if (B) {
S
while (B) S
}
// [f]
if (B) {
S
[f]
}
Assuming f
is correct
Proof obligations
B doesn’t hold, identity function is correct with respect to f (B  I ⊑ f)
 If B holds, S followed by f is correct with respect to f (B  S;f ⊑ f)
 Termination for total correctness
Loop variant: expression with value increased/decreased on iterations

28
Example

Proof obligations




// f1: [sum, i := sum + j=ia.length-1a[j], anything]
while (i < a.length) {
// f2: [sum, i := sum + a[i], i+1]
sum += a[i];
i++;
}
Termination: loop variant, a.length - i
Basis: (i < a.length)  I ⊑ f1
Induction: i < a.length  f2; f1 ⊑ f1 and refinement of f2
Proof of basis
f1 ≡ [sum, i := sum + j=ia.length-1a[j], anything]
≡ [sum, i := sum + 0, anything] (because i >= a.length)
≡ [sum, i := sum, anything]
⊒ [sum, i := sum, i] = I
29
Example

// f1: [sum, i := sum + j=ia.length-1a[j], anything]
while (i < a.length) {
// f2: [sum, i := sum + a[i], i+1]
sum += a[i];
i++;
}
Proof induction step
i < a.length  f2; f1 ⊑ f1
f2; f1 ≡ [sum, i := sum + a[i], i + 1];
[sum, i := sum + j=ia.length-1a[j], anything]
≡ [sum, i := sum + a[i] + j=i+1a.length-1a[j], anything]
≡ [sum, i := sum + j=ia.length-1a[j], anything]
≡ f1
30
Exercise

Prove the termination of the following loop.
while (low <= high) {
int mid = (low + high) / 2;
if (a[mid] < x)
low = mid + 1;
else if (a[mid] > x)
high = mid - 1;
else
high = low - 1;
}
31
Initialized Loops

Loop seldom used in isolation




Preceded by initialization
Together compute something useful
Loop’s function more general
Proof obligations



f1; f2 ⊑ f0
S1 ⊑ f1
while (B) S2 ⊑ f2, requiring
// [f0]
// [f1]
S1
// [f2]
while (B) {
// [f3]
S2
}

Termination
 Basis Step: B  I ⊑ f2
 Induction: B  S2;f2 ⊑ f2
32
Example

Proof obligations



// f2 : [r, i := max of r and largest in a[i..], ?]
while (i < a.length) {
// f3 : [r, i := max of r and a[i], i+1]
if (a[i] > r) { r = a[i]; }
i++;
}
f1; f2 ⊑ f0
Refinement of f1
Refinement of f2




// f0: [r := largest value in a]
// f1 : [r, i := a[0], 1]
r = a[0]
int i = 1;
Termination of the loop
Basis:  (i < a.length)  I ⊑ f2
Induction: i < a.length  f3; f2 ⊑ f2
Refinement of f3
33
Example (Cont.)

Proof of f1; f2 ⊑ f0
f1; f2  [r, i := a[0], 1];
[r, i := max of r and largest in a[i..], ?]
 [r, i := max a[0] and largest in a[1..], ?]
 [r, i := largest value in a, ?]
⊑ [r := largest value in a]
 f0
See handout for other proofs.
34
Exercise

Write intended functions for the following while loops in isolation.
(a) while (i < a.length) {
if (a[i] > 0) {
sum += a[i];
}
i++;
}
(b) while (n > 1) {
n = n – 2;
}
35
Exercise

Prove the correctness of the following code.
// [r := n!]
r = 1;
int i = n;
while (i > 1) {
r = r * i;
i--;
}
36