Slide 1 - Institut für Informatik

Software Verification 1
Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
19.1.2012
Course evaluation (Lehrevaluation)
• Mandatory for the HU, in the interest of the students
• Period: 16.01. to 27.01.2012
• online: https://evaluation.hu-berlin.de/evaluation/
 Password (token): inf-ws-11-12
• Security is improved by a so-called Captcha
 (Completely Automated Public Turing test to tell Computers and
Humans Apart)
• For questions: Dr. Elke Warmuth, Dean of Studies
 Tel. 2093 5830, E-Mail: [email protected]
H. Schlingloff, Software Verification I
19.1.2012
Slide 2
Pre- and Postconditions
• Dijkstra: wp-calculus (weakest precondition)
 characterizes the "weakest" formula which makes a Hoare triple valid
 ψ = wp(π, φ) iff ⊢ [ψ] π [φ] (total correctness) and
 ⊢ (ψ' → ψ) for every ψ' for which ⊢ [ψ'] π [φ]
 ψ = wlp(π, φ) iff ⊢ {ψ} π {φ} (partial correctness) and
 ⊢ (ψ' → ψ) for every ψ' for which ⊢ {ψ'} π {φ}
 (weakest liberal precondition, see later)
• Example: wp(x++, x==7) = (x==6)
• Dijkstra gives a set of rules for wp which can be
seen as a notational variant of Hoare logic
• wp(skip, φ) = φ
• wp(x=t, φ) = φ[x:=t]
• wp({π1; π2}, φ) = wp(π1, wp(π2, φ))
• wp(if (b) π1 else π2, φ) =
 ((b → wp(π1, φ)) ∧ (¬b → wp(π2, φ)))
• wp(while (b) π, ψ) = ∃z φ(z) ∧
 ∀z ((b ∧ φ(z)) → ∃z' (z' < z ∧ wp(π, φ(z')))) ∧
 ∀z ((¬b ∧ φ(z)) → ψ)
 where φ(z) is a loop invariant indexed by the loop variant z,
 < is a well-founded ordering (wfo), and z is a new variable.
! This is a non-constructive definition ! Existence???
Examples
• wp(x=x-3, x>7) = (x>7)[x:=x-3] = x-3>7 = x>10
• wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7))
 = wp(x*=2, x>10) = 2*x>10 = x>5
• wp(if (a<b) a=b, a>=b) = ((a<b → wp(a=b, a>=b))
 ∧ (a>=b → wp(skip, a>=b)))
 = ((a<b → b>=b) ∧ (a>=b → a>=b)) = T
 (an if without else branch is if (b) π else skip)
• wp(while (i>0) i--, i==0) = i>=0
Partial Correctness
• Weakest liberal precondition wlp(π, ψ)
• wlp(while (b) π, ψ) = φ ∧
 ((b ∧ φ) → wlp(π, φ)) ∧
 ((¬b ∧ φ) → ψ)
 where φ is a loop invariant; no variant is needed because
 termination is not required for partial correctness
• Dijkstra also used nondeterministic programs
("guarded commands")
 guarded-command-program ::= while-program |
 guarded-command
 guarded-command ::= b : e | b : e [] guarded-command
 b: condition (the guard), e: guarded-command-program
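As an added example (my own code, not from the lecture slides), here is a small wp calculator for the loop-free part of the while-language above, together with the proof obligations that the wlp loop rule and the variant conditions of the wp loop rule impose on a chosen invariant. Instead of a theorem prover it uses bounded checking: every free variable ranges over a finite integer domain, and an existential quantifier ranges over a slightly wider one. All names (DOM, QDOM, wp, loop_vcs, check_slide_examples, the tuple encoding of terms) are my own choice.

```python
from itertools import product

DOM = range(-12, 13)     # values tried for free variables (bounded check)
QDOM = range(-40, 41)    # wider range for the bound variable of an "exists"

def V(name): return ("var", name)      # variable
def C(value): return ("const", value)  # constant

def subst(e, x, t):
    """e[x:=t]: replace free occurrences of variable x by term t.
    The bound z of ('exists', z, body) is always chosen fresh here, so
    no capture-avoidance is needed."""
    tag = e[0]
    if tag == "var":    return t if e[1] == x else e
    if tag == "const":  return e
    if tag == "exists": return e if e[1] == x else ("exists", e[1], subst(e[2], x, t))
    return (tag,) + tuple(subst(a, x, t) for a in e[1:])

def free_vars(e):
    tag = e[0]
    if tag == "var":    return {e[1]}
    if tag == "const":  return set()
    if tag == "exists": return free_vars(e[2]) - {e[1]}
    return set().union(*(free_vars(a) for a in e[1:]))

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "and": lambda a, b: a and b, "or": lambda a, b: a or b,
       "->": lambda a, b: (not a) or b}

def ev(e, env):
    """Evaluate a term or formula under env; 'exists' ranges over QDOM."""
    tag = e[0]
    if tag == "var":    return env[e[1]]
    if tag == "const":  return e[1]
    if tag == "not":    return not ev(e[1], env)
    if tag == "exists": return any(ev(e[2], {**env, e[1]: v}) for v in QDOM)
    return OPS[tag](ev(e[1], env), ev(e[2], env))

def valid(f):
    """True iff f holds for every assignment of its free variables from DOM."""
    names = sorted(free_vars(f))
    return all(ev(f, dict(zip(names, vals))) for vals in product(DOM, repeat=len(names)))

def equiv(f, g):
    return valid(("and", ("->", f, g), ("->", g, f)))

# statements: ('skip',) | ('assign', x, t) | ('seq', s1, s2) | ('if', b, s1, s2)
def wp(s, post):
    """Dijkstra's wp rules for skip, assignment, sequence and conditional."""
    tag = s[0]
    if tag == "skip":   return post
    if tag == "assign": return subst(post, s[1], s[2])
    if tag == "seq":    return wp(s[1], wp(s[2], post))
    if tag == "if":
        return ("and", ("->", s[1], wp(s[2], post)), ("->", ("not", s[1]), wp(s[3], post)))
    raise ValueError(f"unknown statement {s}")

def sp_assign(x, t, pre, z="z"):
    """sp(x=t, pre) = exists z (x == t[x:=z] and pre[x:=z]), z fresh."""
    return ("exists", z, ("and", ("==", V(x), subst(t, x, V(z))), subst(pre, x, V(z))))

def loop_vcs(b, body, inv, variant, post, z="z"):
    """Proof obligations for `while (b) body` with invariant inv and a
    variant term: inv is preserved, inv and not b imply post, the variant
    is non-negative, and it strictly decreases on every iteration
    (z, assumed unused elsewhere, records the variant's old value)."""
    return [("->", ("and", b, inv), wp(body, inv)),
            ("->", ("and", ("not", b), inv), post),
            ("->", inv, (">=", variant, C(0))),
            ("->", ("and", ("and", b, inv), ("==", variant, V(z))),
                   wp(body, ("<", variant, V(z))))]

x, i, a, b = V("x"), V("i"), V("a"), V("b")

def check_slide_examples():
    """Re-derive the worked examples of the lecture by bounded checking."""
    dec3 = ("assign", "x", ("-", x, C(3)))
    return {
        "wp(x=x-3, x>7) == x>10":
            equiv(wp(dec3, (">", x, C(7))), (">", x, C(10))),
        "wp({x*=2; x-=3}, x>7) == x>5":
            equiv(wp(("seq", ("assign", "x", ("*", x, C(2))), dec3), (">", x, C(7))),
                  (">", x, C(5))),
        "wp(if (a<b) a=b else skip, a>=b) == T":
            valid(wp(("if", ("<", a, b), ("assign", "a", b), ("skip",)), (">=", a, b))),
        "sp(x=x-3, x>7) == x>4":
            equiv(sp_assign("x", ("-", x, C(3)), (">", x, C(7))), (">", x, C(4))),
        "i>=0 suffices for {while (i>0) i--} i==0 (invariant i>=0, variant i)":
            all(valid(vc) for vc in loop_vcs((">", i, C(0)), ("assign", "i", ("-", i, C(1))),
                                             (">=", i, C(0)), i, ("==", i, C(0)))),
    }
```

Calling check_slide_examples() returns True for every claim. The bounded check is a sanity test, not a proof: a claim that fails is certainly wrong, a claim that passes has only been confirmed on the chosen domain, which is why the existential in sp_assign gets the wider QDOM (for x near the edge of DOM the witness z = x+3 lies outside DOM).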
Strongest Postconditions
• Dual to weakest precondition: the strongest formula
which can be guaranteed to hold after execution
• ψ = sp(π, φ) iff ⊢ {φ} π {ψ} and
 ⊢ (ψ → ψ') for every ψ' for which ⊢ {φ} π {ψ'}
• sp(x=t, φ) = ∃z (x==t[x:=z] ∧ φ[x:=z]) (z new)
 e.g. sp(x=x-3, x>7) = ∃z (x==z-3 ∧ z>7) = x>4
• Pre- and postconditions are important in the
presence of methods and procedures
Functions and Procedures
• while-programs:
 whileProg ::= skip | V=T | {whileProg; whileProg} |
 if (FOL-formula) whileProg else whileProg |
 while (FOL-formula) whileProg
• T is the set of terms over the signature Σ = (D, F, R)
• Now: extended signature Σ' = (D ∪ {void}, F ∪ F', R)
• If f is of type void, then f(x1,...,xn) is an (imperative) program
• term ::= F(T, ..., T) | F'(T, ..., T)
• for each f ∈ F' there must be a declaration:
 decl ::= type F'(V, ..., V); whileProg
• V in decl are called formal parameters
• T in terms are called actual parameters
• No alias: formal parameters should be pairwise different
• No scoping: formal parameters must be different from
program variables
• return statement as assignment to the function name
• If a function or procedure name occurs directly or indirectly in
the call graph of its declaration, it is called recursive
 for the time being: no recursion
• There are various ways to pass actual parameters for formal
ones (value, reference, name, ...)
 for the time being, we use only call-by-value
 passing value w to formal parameter v has the same effect as the
assignment v=w at the entry of the procedure or function
Example
int min (int a, int b)
  if (a<b) min=a else min=b;
int gcd (int a, int b)
  { while (a!=b) {
      c = max(a,b)-min(a,b);
      a = min(a,b);
      b = c;
    };
    gcd = a; }
int max (int a, int b)
  if (a>b) max=a else max=b;
Example
int min (int a, int b)
  if (a<b) min=a else min=b;
{x = 5; y = 7; z = min (x, y)}
is equivalent (under call-by-value) to
{ x = 5; y = 7; a = x; b = y;
  if (a<b) min=a else min=b;
  z = min; }
Inlining the body at every call site does not scale; to prove
assertions about the caller we need pre- and postconditions of the callee.
Example
int min (int a, int b)
  if (a<b) min=a else min=b;
{min<=a ∧ min<=b ∧
 (min==a ∨ min==b)}
int max (int a, int b)
  if (a>b) max=a else max=b;
{max>=a ∧ max>=b ∧
 (max==a ∨ max==b)}
int gcd (int a, int b)
{a==m>0 ∧ b==n>0}
  { while (a!=b) {
      c = max(a,b)-min(a,b);
      a = min(a,b);
      b = c;
    };
    gcd = a; }
{gcd|m ∧ gcd|n ∧ ...}
(m, n are logical variables that record the values of a and b at entry,
so that the postcondition can refer to them after a and b have been changed)
Contracts
• weakest preconditions and strongest postconditions
are related to the require-ensure paradigm (also
called the assume-guarantee paradigm):
 /*@ requires φ
   ensures ψ */
 void foo(...) π;
 is equivalent to
 (φ → wp(π, ψ)) ∧ (sp(π, φ) → ψ)
• such a statement is called a contract
 use of a contract (call-by-value, formal parameters x1,...,xn):
 {φ[x1:=t1, ..., xn:=tn]} foo(t1,...,tn) {ψ}
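As an added example (my own code, not from the lecture slides), here is the require/ensure contract of the gcd example enforced at run time in Python. The decorator `contract`, the exception `ContractError` and the names `min_`/`max_` are my own; the `requires` check is evaluated on the actual parameters, which is exactly the substituted precondition φ[x1:=t1, ..., xn:=tn] of the call rule above, and the entry values passed to `ensures` play the role of the logical variables m and n. The slides leave the last conjunct of the gcd postcondition as "..."; here it is spelled out, as my assumption, as "no larger common divisor exists".

```python
import functools
import inspect


class ContractError(AssertionError):
    """Raised when a requires or ensures clause is violated."""


def contract(requires=None, ensures=None):
    """requires(**formals) is checked on the actual parameter values at
    entry (call-by-value: the formals are bound to the actuals first);
    ensures(result, **formals) sees the same entry values, i.e. the
    logical variables m, n of the slides, plus the function's result."""
    def deco(f):
        sig = inspect.signature(f)

        @functools.wraps(f)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            old = dict(bound.arguments)            # snapshot of formals at entry
            if requires is not None and not requires(**old):
                raise ContractError(f"{f.__name__}: requires violated for {old}")
            result = f(*args, **kwargs)
            if ensures is not None and not ensures(result, **old):
                raise ContractError(f"{f.__name__}: ensures violated: {old} -> {result}")
            return result
        return wrapper
    return deco


@contract(ensures=lambda r, a, b: r <= a and r <= b and (r == a or r == b))
def min_(a, b):
    return a if a < b else b


@contract(ensures=lambda r, a, b: r >= a and r >= b and (r == a or r == b))
def max_(a, b):
    return a if a > b else b


@contract(requires=lambda a, b: a > 0 and b > 0,
          ensures=lambda r, a, b: a % r == 0 and b % r == 0
          # assumed reading of the slides' "...": no larger common divisor
          and all(a % d or b % d for d in range(r + 1, min(a, b) + 1)))
def gcd(a, b):
    """The slides' subtraction loop; a and b are local copies (call-by-value),
    so the ensures clause still sees the entry values m and n."""
    while a != b:
        c = max_(a, b) - min_(a, b)
        a = min_(a, b)
        b = c
    return a
```

gcd(12, 18) returns 6 and gcd(7, 5) returns 1. The precondition is not decoration: without it gcd(0, 5) would loop forever (c = 5 - 0 = 5, a = 0, b = 5, and so on), which is exactly the termination obligation that wp carries and wlp does not; the contract rejects that call before the loop is entered.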