Software Specification, Verification and Validation CIS 775 - PowerPoint PPT Presentation

1 / 48

About This Presentation

Title:

Software Specification, Verification and Validation CIS 775

Description:

Based on formal logic (first order predicate calculus) ... Used to formally prove a property (post-condition) of the state (the values of ... – PowerPoint PPT presentation

Number of Views:159

Avg rating:3.0/5.0

Slides: 49

Provided by: tri5499

Category:

more less

Transcript and Presenter's Notes

Title: Software Specification, Verification and Validation CIS 775

1
Software Specification, Verification and
Validation (CIS 775)

Elsa L Gunter
4303 GITC
NJIT, http//www.cs.njit.edu/elsa/775-spring2004

2
Axiomatic Semantics

Also called Floyd-Hoare Logic
Based on formal logic (first order predicate
calculus)
Axiomatic Semantics is a logical system built
from axioms and inference rules
Mainly suited to simple imperative programming
languages

3
Axiomatic Semantics

Used to formally prove a property
(post-condition) of the state (the values of the
program variables) after the execution of
program, assuming another property
(pre-condition) of the state before execution

4
Axiomatic Semantics

Goal Derive statements of form
P C Q
P , Q logical statements about state, P
precondition, Q postcondition, C program
Example x 1 x x 1 x 2

5
Axiomatic Semantics

Approach For each type of language statement,
give an axiom or inference rule stating how to
derive assertions of form
P C Q
where C is a statement of that type
Compose axioms and inference rules to build
proofs for complex programs

6
Axiomatic Semantics

An expression P C Q is a partial correctness
statement
For total correctness must also prove that C
terminates (i.e. doesnt run forever)
Written P C Q

7
Language

We will give rules for simple imperative language
ltcommandgt
ltvariablegt lttermgt
ltcommandgt ltcommandgt
if ltstatementgt then ltcommandgt else
ltcommandgt
while ltstatementgt do ltcommand
Could add more features, like for-loops

8
Substitution

Notation Pe/v fairly standard, book uses Pv
? e
Meaning Replace every v in P by e
Example
(x 2)x ? y 1 ((y 1) 2)

9
The Assignment Rule

Px ? e x e P
Examples
? x y x 2

10
The Assignment Rule

Px ? e x e P
Examples
_ 2 x y x 2

11
The Assignment Rule

Px ? e x e P
Examples
y 2 x y x 2

12
The Assignment Rule

Px ? e x e P
Examples
y 2 x y x 2
y 2 x 2 y x
x 1 n 1 x x 1 x n 1
2 2 x 2 x 2

13
The Assignment Rule Your Turn

What is the weakest precondition of x x y x
y w x?
(x y) y w (x y)
x x y
x y w x

?
14
The Assignment Rule Your Turn

What is the weakest precondition of x x y x
y w x?
(x y) y w (x y)
x x y
x y w x

15
Precondition Strengthening

P ? P P C Q
P C Q
Meaning If we can show that P implies P (P?
P) and we can show that P C Q, then we know
that P C Q
P is stronger than P means P ? P

16
Precondition Strengthening

Examples
x 3 ? x lt 7 x lt 7 x x 3 x lt 10
x 3 x x 3 x lt 10
True ? 2 2 2 2 x 2 x 2
True x 2 x 2
xn ? x1n1 x1n1 xx1 xn1
xn xx1 xn1

17
Which Inferences Are Correct?

x gt 0 x lt 5 x x x x lt 25
x 3 x x x x lt 25
x 3 x x x x lt 25
x gt 0 x lt 5 x x x x lt 25
x x lt 25 x x x x lt 25
x gt 0 x lt 5 x x x x lt 25

18
Which Inferences Are Correct?

x gt 0 x lt 5 x x x x lt 25
x 3 x x x x lt 25
x 3 x x x x lt 25
x gt 0 x lt 5 x x x x lt 25
x x lt 25 x x x x lt 25
x gt 0 x lt 5 x x x x lt 25

19
Sequencing

P C1 Q Q C2 R
P C1 C2 R
Example
z z z z x z x z z z
x z z z y z x z y z
z z z z x z y z x z y z

20
Sequencing

P C1 Q Q C2 R
P C1 C2 R
Example
z z z z x z x z z z
x z z z y z x z y z
z z z z x z y z x z y z

21
Postcondition Weakening

P C Q Q ? Q
P C Q
Example
z z z z x z y z x z y z
(x z y z) ? (x y)
z z z z x z y z x y

22
If Then Else

P and B C1 Q P and (not B) C2 Q
P if B then C1 else C2 Q
Example Want
ya
if x lt 0 then y y-x else y yx
yax
Have to show
(1) yaxlt0 yy-x yax and (4)
yanot(xlt0) yyx yax

23
yaxlt0 yy-x yax

(3) (yaxxlt0)?(yax)
(2) y-xax yy-x yax
yaxlt0 yy-x yax
Reduces to (2) and (3) by Precondition
Strengthening
Follows from assignment axiom
Because xlt0 ? x -x

24
yanot(xlt0) yyx yax

(6) (yaxnot(xlt0))?(ya-x)
(5) yxax yyx yax
(4) yanot(xlt0) yyx yax
(4) Reduces to (5) and (6) by Precondition
Strengthening
(5) Follows from assignment axiom
(6) Because not(xlt0) ? x x

25
If then else

(1) yaxlt0yy-xyax .
(4) yanot(xlt0)yyxyax .
ya
if x lt 0 then y y-x else y yx
yax
By the if_then_else rule

26
While

We need a rule to be able to make assertions
about while loops.
Inference rule because we can only draw
conclusions if we know something about the body
Lets start with
? C ?
? while B do C P

27
While

The loop may never be executed, so if we want P
to hold after, it had better hold before, so
lets try
? C ?
P while B do C P

28
While

If all we know is P when we enter the while
loop, then we all we know when we enter the body
is (P and B)
If we need to know P when we finish the while
loop, we had better know it when we finish the
loop body
P and B C P
P while B do C P

29
While

We can strengthen the previous rule because we
also know that when the loop is finished, not P
also holds
Final while rule
P and B C P
P while B do C P and not B

30
While

P and B C P
P while B do C P and not B
P satisfying this rule is called a loop invariant
because it must hold before and after the each
iteration of the loop

31
While

While rule generally needs to be used together
with precondition strengthening and postcondition
weakening
There is NO algorithm for computing the correct
P it requires intuition and an understanding of
why the program works

32
Example