19.1.2012
Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
und
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Folie 2 H. Schlingloff, Software Verification I
Teaching evaluation
• Mandatory for the HU, in the interest of the students
• Period: 16.01. to 27.01.2012
• online: https://evaluation.hu-berlin.de/evaluation/ password (token): inf-ws-11-12
• Security improved by a so-called Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart)
• Questions: Dr. Elke Warmuth, Dean of Studies, Tel. 2093 5830, e-mail: [email protected]
Folie 3
Pre- and Postconditions
• Dijkstra: wp-calculus (weakest precondition) characterize the “weakest” formula which makes a
Hoare-triple valid =wp(.) iff ⊢ and
⊢(') for every ’ for which ⊢’ =wlp(.) iff ⊢{}{} and
⊢(') for every ’ for which ⊢{’} {}(weakest liberal precondition, see later)
• Example: wp(x++, x==7) = (x==6)
• Dijkstra gives a set of rules for wp which can be seen as a notational variant of Hoare logic
Folie 4
• wp(skip, ) = 
• wp(x=t, ) = [x:=t]
• wp({1; 2}, ) = wp(1, wp(2, ))
• wp(if (b) 1 else 2, ) =((b wp(1, )) (¬b wp(2, )))
• wp(while (b) , ) = z (z) z((b(z)) z’ (z’<z wp(, (z’))) z((¬b(z)) )
where  is a loop variant, < a well-founded ordering (wfo) and z a new variable. Note that this is a non-constructive definition: does such a formula exist?
Folie 5
Examples
• wp(x=x-3, x>7) = x>7 [x:=x-3] = x-3>7 = x>10
• wp({x*=2; x-=3}, x>7) = wp(x*=2, wp(x-=3, x>7)) = wp(x*=2, x>10) = x>5
• wp(if(a<b) a=b, a>=b) = ((a<b wp(a=b, a>=b) (a>=b wp(skip, a>=b))=((a<b b>=b) (a>=b a>=b)) = T
• wp(while (i>0) i--, i==0) = i>=0
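The wp rules for skip, assignment, sequencing and the conditional can be mechanised for the loop-free fragment. The following Python program is an added example and is not part of the lecture slides: it represents formulas as Python expression ASTs, implements the substitution φ[x:=t] and the four loop-free wp rules, and re-derives the three loop-free examples from slide 5. Since equivalence of two formulas over the integers cannot be decided by evaluation, the `equivalent` helper only samples a finite grid of valuations; it is a sanity check on the derivation, not a proof (a verification tool discharges such conditions with a prover). The program syntax (`Skip`, `Assign`, `Seq`, `If`) and all helper names are my own choices.

```python
"""Tiny weakest-precondition calculator for the loop-free fragment (added example)."""
import ast
import copy
import itertools
from dataclasses import dataclass
from typing import Union

# Program syntax, constructed for this example: skip, assignment, sequence, conditional.
@dataclass
class Skip:
    pass

@dataclass
class Assign:
    var: str
    term: str            # right-hand side as a Python expression string, e.g. "x-3"

@dataclass
class Seq:
    first: "Prog"
    second: "Prog"

@dataclass
class If:
    cond: str
    then: "Prog"
    els: "Prog"

Prog = Union[Skip, Assign, Seq, If]


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of variable `var` by a copy of the term `repl`."""
    def __init__(self, var: str, repl: ast.expr):
        self.var, self.repl = var, repl

    def visit_Name(self, node: ast.Name) -> ast.expr:
        return copy.deepcopy(self.repl) if node.id == self.var else node


def formula(text: str) -> ast.expr:
    """Parse a formula / condition written as a Python boolean expression."""
    return ast.parse(text, mode="eval").body


def subst(phi: ast.expr, var: str, term: str) -> ast.expr:
    """phi[var := term]: the syntactic substitution used by the assignment rule."""
    repl = formula(term)
    return ast.fix_missing_locations(_Subst(var, repl).visit(copy.deepcopy(phi)))


def wp(prog: Prog, post: ast.expr) -> ast.expr:
    """Dijkstra's wp rules for skip, assignment, sequencing and the conditional."""
    if isinstance(prog, Skip):
        return post                                          # wp(skip, phi) = phi
    if isinstance(prog, Assign):
        return subst(post, prog.var, prog.term)              # wp(x=t, phi) = phi[x:=t]
    if isinstance(prog, Seq):
        return wp(prog.first, wp(prog.second, post))         # wp({a; b}, phi) = wp(a, wp(b, phi))
    if isinstance(prog, If):
        b = formula(prog.cond)
        # (b -> wp(then, phi)) and (not b -> wp(else, phi)); implication written as 'not b or ...'
        then_branch = ast.BoolOp(ast.Or(), [ast.UnaryOp(ast.Not(), copy.deepcopy(b)), wp(prog.then, post)])
        else_branch = ast.BoolOp(ast.Or(), [copy.deepcopy(b), wp(prog.els, post)])
        return ast.fix_missing_locations(ast.BoolOp(ast.And(), [then_branch, else_branch]))
    raise TypeError(f"unknown program construct: {prog!r}")


def show(phi: ast.expr) -> str:
    return ast.unparse(phi)


def equivalent(f: ast.expr, g: ast.expr, variables, lo: int = -20, hi: int = 20) -> bool:
    """Compare f and g on a finite grid of integer valuations: a sanity check, not a proof."""
    cf = compile(ast.fix_missing_locations(ast.Expression(body=copy.deepcopy(f))), "<f>", "eval")
    cg = compile(ast.fix_missing_locations(ast.Expression(body=copy.deepcopy(g))), "<g>", "eval")
    for vals in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if bool(eval(cf, {}, env)) != bool(eval(cg, {}, env)):
            return False
    return True


def slide_examples() -> dict:
    """Re-derive the loop-free wp examples of slide 5 and check them against the slide's answers."""
    ex1 = wp(Assign("x", "x-3"), formula("x > 7"))                               # expected x > 10
    ex2 = wp(Seq(Assign("x", "x*2"), Assign("x", "x-3")), formula("x > 7"))      # expected x > 5
    ex3 = wp(If("a < b", Assign("a", "b"), Skip()), formula("a >= b"))           # expected True
    return {
        "x=x-3": (show(ex1), equivalent(ex1, formula("x > 10"), ["x"])),
        "x*=2;x-=3": (show(ex2), equivalent(ex2, formula("x > 5"), ["x"])),
        "if(a<b)a=b": (show(ex3), equivalent(ex3, formula("True"), ["a", "b"])),
    }


if __name__ == "__main__":
    for name, (wp_formula, ok) in slide_examples().items():
        print(f"wp({name}) = {wp_formula}   matches slide: {ok}")
```

The computed formulas are not simplified (the first example comes out as `x - 3 > 7` rather than `x > 10`); simplification and the real proof of equivalence are the job of the prover that a deductive verifier calls, which is why the grid check should not be mistaken for one.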
Folie 6
Partial Correctness
• Weakest liberal precondition wlp(,)
• wlp(while (b) , ) = ((b) wlp(, )) ((¬b) )
• Dijkstra also used nondeterministic programs („guarded commands“)
guarded-command-program ::= while-program | guarded-command
guarded-command ::= b : e | b : e [] guarded-command
b: condition, e: guarded-command-program
Folie 7
Strongest Postconditions
• Dual to weakest precondition: the strongest formula which can be guaranteed to hold after execution =sp(, ) iff ⊢ and
⊢( ') for every ’ for which ⊢ ’
• sp(x=t, )= z (x==t[x:=z] [x:=z]) (z new) e.g. sp(x=x-3, x>7) = z (x==z-3 z>7) = x>4
• Pre- and postconditions are important in the presence of methods and procedures
Folie 8
Functions and Procedures
• while-Programs:
• whileProg ::= skip | V=T | {whileProg; whileProg} | if (FOL-) whileProg else whileProg | while (FOL-) whileProg
• T is the set of terms in the signature =(D, F, R)
• Now: extended signature ’=(D{void}, FF’,R)
• If f is of type void, then f(x1,...xn) is an (imperative) program
• term ::= F(T, ..., T) | F’(T, ..., T)
• for each f F’ there must be a declaration:
• decl ::= type F’ (V, ... V); whileProg
• V in decl are called formal parameters
• T in terms are called actual parameters
Folie 9
• No alias: formal parameters should be pairwise different
• No scoping: formal parameters must be different from program variables
• return statement as assignment to the function name
• If a function or procedure name occurs directly or indirectly in the call graph of its declaration, it is called recursive. For the time being: no recursion.
• There are various ways to pass actual parameters for formal ones (value, reference, name, ...). For the time being, we use only call-by-value: passing value w to formal parameter v has the same effect as the assignment v=w at the entry of the procedure or function.
Folie 10
Example
int min (int a, int b) if (a<b) min=a else min=b;
int max (int a, int b) if (a>b) max=a else max=b;
int gcd (int a, int b) {
  while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }
  gcd = a;
}
Folie 11
Example
int min (int a, int b) if (a<b) min=a else min=b;
{x = 5; y = 7; z = min (x, y)}
is equivalent to
{ x = 5; y = 7; a = x; b = y; if (a<b) min=a else min=b; z = min; }
Need pre- and postconditions to show assertions.
Folie 12
Example
int min (int a, int b) if (a<b) min=a else min=b; {a<=min b<=min (a=min b=min)}
int max (int a, int b) if (a>b) max=a else max=b; {a>=max b>=max (a=max b=max)}
int gcd (int a, int b) {a==m>0 b==n>0}
  while (a!=b) { c = max(a,b)-min(a,b); a = min(a,b); b = c; }
  gcd = a;
{gcd|m gcd|n ...}
Folie 13
Contracts
• weakest preconditions and strongest postconditions are related to the require-ensure paradigm (also called assume-guarantee paradigm):
/*@ requires  ensures  */ void foo(...) ;
is equivalent to (wp(,)) (sp(, ))
• such a statement is called a contract. Use of a contract:
{[x1:=t1, ..., xn:=tn]} foo(t1,...,tn) {}
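The require-ensure contracts of slides 12 and 13 can also be checked at run time. The following Python program is an added example, not taken from the slides: the `requires` decorator evaluates the precondition on the actual parameters, which is exactly the substituted formula φ[x1:=t1, ..., xn:=tn] of the use-of-contract rule, and `ensures` evaluates the postcondition on the parameters and the result. The min/max/gcd functions follow slide 10 (with `return` standing for the slide's assignment to the function name), the postconditions of min and max are written with the obviously intended connectives, and the gcd body additionally checks a loop invariant and the variant max(a,b) of the while rule. The invariant, the variant, the `check_grid` driver and the `math.gcd` oracle are my additions and are assumptions, not part of the slides. Executing contracts on a grid can only find violations; unlike the wp-based proof it establishes nothing for inputs that were not tried.

```python
"""Run-time checking of requires/ensures contracts for the min/max/gcd example (added example)."""
import functools
import itertools
from math import gcd as reference_gcd   # test oracle only, not part of the slides' contract


def requires(pre):
    """Check the precondition on the actual parameters: the caller must establish
    phi[x1:=t1, ..., xn:=tn] before the call (the use-of-contract rule)."""
    def deco(f):
        @functools.wraps(f)
        def wrapper(*args):
            if not pre(*args):
                raise AssertionError(f"precondition of {f.__name__} violated for {args}")
            return f(*args)
        return wrapper
    return deco


def ensures(post):
    """Check the postcondition on the actual parameters and the result."""
    def deco(f):
        @functools.wraps(f)
        def wrapper(*args):
            result = f(*args)
            if not post(*args, result):
                raise AssertionError(f"postcondition of {f.__name__} violated for {args} -> {result}")
            return result
        return wrapper
    return deco


# Contracts of slide 12, read with the intended connectives (assumed reading).
@ensures(lambda a, b, r: r <= a and r <= b and (r == a or r == b))
def min_(a: int, b: int) -> int:
    return a if a < b else b          # 'min=a' / 'min=b' in the slides' return convention


@ensures(lambda a, b, r: r >= a and r >= b and (r == a or r == b))
def max_(a: int, b: int) -> int:
    return a if a > b else b


@requires(lambda a, b: a > 0 and b > 0)                     # a==m>0 and b==n>0
@ensures(lambda m, n, r: m % r == 0 and n % r == 0)          # gcd|m and gcd|n (the slide's "..." is not filled in)
def gcd(a: int, b: int) -> int:
    m, n = a, b                        # logical variables naming the initial values
    variant = max_(a, b)               # loop variant of the while rule (assumed choice)
    while a != b:
        # loop invariant (assumed and checked here, not proved): gcd(a,b) == gcd(m,n), a>0, b>0
        assert reference_gcd(a, b) == reference_gcd(m, n) and a > 0 and b > 0
        c = max_(a, b) - min_(a, b)
        a = min_(a, b)
        b = c
        # the variant strictly decreases and stays >= 1, which is why the loop terminates
        assert 1 <= max_(a, b) < variant
        variant = max_(a, b)
    return a                           # 'gcd = a' in the slides


def check_grid(lo: int = 1, hi: int = 30) -> dict:
    """Exercise all contracts on a grid of actual parameters; returns call and violation counts."""
    calls, violations = 0, 0
    for a, b in itertools.product(range(lo, hi + 1), repeat=2):
        calls += 1
        try:
            r = gcd(a, b)
            if r != reference_gcd(a, b):   # oracle comparison, beyond the slide's postcondition
                violations += 1
        except AssertionError:
            violations += 1
    return {"calls": calls, "violations": violations}


def precondition_is_checked() -> bool:
    """A call whose actual parameter violates the requires clause is rejected at entry."""
    try:
        gcd(0, 5)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    print(gcd(12, 18), check_grid(), precondition_is_checked())
```

The decorator order matters: `requires` is the outermost wrapper, so a violated precondition is reported before the body runs, mirroring the rule that the caller's obligation is discharged at the call site.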