Hoare-style program verification - PowerPoint PPT Presentation

Hoare-style program verification. K. Rustan M. Leino, guest lecturer, Rob DeLine's CSE 503, Software Engineering, University of Washington, 28 Apr 2004.
Transcript and Presenter's Notes

1
Hoare-style program verification
  • K. Rustan M. Leino
    Guest lecturer
    Rob DeLine's CSE 503, Software Engineering
    University of Washington
    28 Apr 2004
2
Review
  • {P} skip {P}
  • {P[w := E]} w := E {P}
  • {P ∧ B} assert B {P}
  • if {P} S {Q} and {Q} T {R}, then {P} S ; T {R}
  • if {P ∧ B} S {R} and {P ∧ ¬B} T {R}, then {P} if B then S else T end {R}

3
Loops
  • To prove
  • {P} while B do S end {Q}
  • prove
  • {P} {J} while B do {J ∧ B} {0 ≤ vf} {J ∧ B ∧ vf = VF} S {J ∧ vf < VF} end {J ∧ ¬B} {Q}

4
Example: Array sum
{0 ≤ N}
k := 0; s := 0;
while k ≠ N do
  s := s + a[k]; k := k + 1
end
{s = (Σ i | 0 ≤ i < N • a[i])}
5
Example: Array sum
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
6
Example: Array sum
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
7
Example: Array sum
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ k = N}
{s = (Σ i | 0 ≤ i < N • a[i])}
  • J ≡ s = (Σ i | 0 ≤ i < k • a[i])
  • ∧ 0 ≤ k ≤ N
  • vf ≡ N - k

8
Example: Array sum, initialization
  • {0 ≤ N}
  • {0 = (Σ i | 0 ≤ i < 0 • a[i]) ∧ 0 ≤ 0 ≤ N}
  • k := 0
  • {0 = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N}
  • s := 0
  • {s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N}

9
Example: Array sum, invariance
  • {s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N ∧ k ≠ N ∧ N - k = VF}
  • {s + a[k] = (Σ i | 0 ≤ i < k • a[i]) + a[k] ∧ 0 ≤ k < N ∧ N - k - 1 < VF}
  • s := s + a[k]
  • {s = (Σ i | 0 ≤ i < k • a[i]) + a[k] ∧ 0 ≤ k < N ∧ N - k - 1 < VF}
  • {s = (Σ i | 0 ≤ i < k + 1 • a[i]) ∧ 0 ≤ k + 1 ≤ N ∧ N - (k + 1) < VF}
  • k := k + 1
  • {s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N ∧ N - k < VF}

10
In-class exercise: computing cubes
  • {0 ≤ N}
  • k := 0; r := 0; s := 1; t := 6;
    while k ≠ N do
      a[k] := r; r := r + s; s := s + t; t := t + 6; k := k + 1
    end
  • {(∀ i | 0 ≤ i < N • a[i] = i³)}

11
Computing cubes: guessing the invariant
  • From the postcondition (∀ i | 0 ≤ i < N • a[i] = i³) and the negation of the guard, k = N, guess the invariant (∀ i | 0 ≤ i < k • a[i] = i³) ∧ 0 ≤ k ≤ N
  • From this invariant and variant function N - k, it follows that the loop terminates

12
Computing cubes: maintaining the invariant
  • while k ≠ N do
  • {(∀ i | 0 ≤ i < k • a[i] = i³) ∧ 0 ≤ k ≤ N ∧ k ≠ N}
  • {(∀ i | 0 ≤ i < k • a[i] = i³) ∧ r = k³ ∧ 0 ≤ k < N}
  • a[k] := r; r := r + s; s := s + t; t := t + 6
  • {(∀ i | 0 ≤ i < k • a[i] = i³) ∧ a[k] = k³ ∧ 0 ≤ k < N}
  • {(∀ i | 0 ≤ i < k + 1 • a[i] = i³) ∧ 0 ≤ k + 1 ≤ N}
  • k := k + 1
  • {(∀ i | 0 ≤ i < k • a[i] = i³) ∧ 0 ≤ k ≤ N}
  • end

The step above needs r = k³. Add this to the invariant, and then try to prove that it is maintained
13
Computing cubes: maintaining the invariant
  • while k ≠ N do
  • {r = k³ ∧ …}
  • {r + s = k³ + 3k² + 3k + 1}
  • a[k] := r; r := r + s; s := s + t; t := t + 6
  • {r = k³ + 3k² + 3k + 1}
  • {r = (k + 1)³}
  • k := k + 1
  • {r = k³}
  • end

Add s = 3k² + 3k + 1 to the invariant, and then try to prove that it is maintained
14
Computing cubes: maintaining the invariant
  • while k ≠ N do
  • {s = 3k² + 3k + 1 ∧ …}
  • {s + t = 3k² + 6k + 3 + 3k + 3 + 1}
  • a[k] := r; r := r + s; s := s + t; t := t + 6
  • {s = 3k² + 6k + 3 + 3k + 3 + 1}
  • {s = 3(k + 1)² + 3(k + 1) + 1}
  • k := k + 1
  • {s = 3k² + 3k + 1}
  • end

Add t = 6k + 6 to the invariant, and then try to prove that it is maintained
15
Computing cubes: maintaining the invariant
  • while k ≠ N do
  • {t = 6k + 6 ∧ …}
  • {t + 6 = 6k + 6 + 6}
  • a[k] := r; r := r + s; s := s + t; t := t + 6
  • {t = 6k + 6 + 6}
  • {t = 6(k + 1) + 6}
  • k := k + 1
  • {t = 6k + 6}
  • end

16
Computing cubes: establishing the invariant
  • {0 ≤ N}
  • {(∀ i | 0 ≤ i < 0 • a[i] = i³) ∧ 0 ≤ 0 ≤ N ∧ 0 = 0³ ∧ 1 = 3·0² + 3·0 + 1 ∧ 6 = 6·0 + 6}
  • k := 0; r := 0; s := 1; t := 6
  • {(∀ i | 0 ≤ i < k • a[i] = i³) ∧ 0 ≤ k ≤ N ∧ r = k³ ∧ s = 3k² + 3k + 1 ∧ t = 6k + 6}

17
In-class exercise: computing cubes, answers
  • Invariant: (∀ i | 0 ≤ i < k • a[i] = i³) ∧ 0 ≤ k ≤ N ∧ r = k³ ∧ s = 3k² + 3k + 1 ∧ t = 6k + 6
  • Variant function: N - k

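The cube loop of the exercise, instrumented with the invariant and variant function from the answers slide, as an added example that is not part of the original lecture (it checks each proof obligation at run time rather than proving it):

```python
def cubes(N):
    """Added example (not from the slides): the cube loop of the in-class
    exercise, checking the invariant and variant function on every iteration."""
    assert 0 <= N                                   # precondition {0 <= N}
    a = [None] * N
    k, r, s, t = 0, 0, 1, 6

    def J():                                        # the invariant of slide 17
        return (all(a[i] == i ** 3 for i in range(k))
                and 0 <= k <= N
                and r == k ** 3
                and s == 3 * k ** 2 + 3 * k + 1
                and t == 6 * k + 6)

    assert J()                                      # invariant holds initially
    while k != N:
        VF = N - k                                  # snapshot of the variant function
        assert 0 <= VF                              # vf bounded
        a[k] = r                                    # r = k^3 by the invariant
        r = r + s                                   # becomes (k+1)^3
        s = s + t                                   # becomes 3(k+1)^2 + 3(k+1) + 1
        t = t + 6                                   # becomes 6(k+1) + 6
        k = k + 1
        assert J()                                  # invariant maintained
        assert N - k < VF                           # vf decreases
    assert all(a[i] == i ** 3 for i in range(N))    # J and not B give the postcondition
    return a
```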
18
Other common invariants
  • k is the number of nodes traversed so far
  • the current value of n does not exceed the
    initial value of n
  • all array elements with an index less than j are
    smaller than x
  • the number of processes whose program counter is
    inside the critical section is at most one
  • the only principals that know the key K are A and
    B

19
Belgian chocolate
  • How many breaks do you need to make 50 individual
    pieces from a 10x5 Belgian chocolate bar?
  • Note Belgian chocolate is so thick that you
    can't break two pieces at once.
  • Invariant: pieces = 1 + breaks

20
Loop proof obligations: a closer look
  • To prove
  • {P} while B do S end {Q}
  • find invariant J and variant function vf such that
  • invariant initially: P ⇒ J
  • invariant maintained: {J ∧ B} S {J}
  • invariant sufficient: J ∧ ¬B ⇒ Q
  • vf well-founded
  • vf bounded: J ∧ B ⇒ 0 ≤ vf
  • vf decreases: {J ∧ B ∧ vf = VF} S {vf < VF}

Are all of these conditions needed?
21
Loop proof obligations: invariant holds initially
{0 ≤ N}
k := N; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N
vf ≡ N - k
22
Loop proof obligations: invariant is maintained
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 2
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N
vf ≡ N - k
23
Loop proof obligations: invariant is sufficient
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ 0 ≤ k ≤ N
vf ≡ N - k
24
Loop proof obligationsvariant function is
well-founded
0?N k 0 s 0 r 1.0 Jwhile k ? N
do J ? k?N 0 ? vf J ? k?N ? vfVF r
r / 2.0 J ? vfltVFendJ ??(k?N) s (Si
0?iltN ? ai) J s(Si 0?iltk ? ai) ?
0?rvf r
25
Loop proof obligations: variant function is bounded
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  k := k - 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ k ≤ N
vf ≡ k
26
Loop proof obligations: variant function decreases
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  skip
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N
vf ≡ N - k
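As an added example (not from the lecture), a small Python checker that evaluates the six obligations of slide 20 on concrete runs of the array-sum loop and of the broken variants of slides 21 to 26. The dict-of-functions loop representation and the 100-step cutoff used to catch the non-well-founded variant are this example's own choices.

```python
def check_obligations(loop, a, max_steps=100):
    """Added example: return the first violated obligation of slide 20 on input
    array a (N = len(a)), or None if all of them hold along the execution."""
    N = len(a)
    st = loop["init"](N)                       # state after the initialisation
    if not loop["J"](st, N, a):
        return "invariant initially"           # P => J
    for _ in range(max_steps):
        if not loop["B"](st, N):
            break                              # the loop exits normally
        VF = loop["vf"](st, N)                 # snapshot of the variant function
        if VF < 0:
            return "vf bounded"                # J and B => 0 <= vf
        st = loop["S"](st, a)
        if not loop["J"](st, N, a):
            return "invariant maintained"      # {J and B} S {J}
        if not loop["vf"](st, N) < VF:
            return "vf decreases"              # {J and B and vf = VF} S {vf < VF}
    else:
        return "vf well-founded"               # still running: vf decreased forever
    if st["s"] != sum(a):
        return "invariant sufficient"          # J and not B => Q
    return None

def partial_sum(st, a):
    # (Σ i | 0 <= i < k • a[i]); an empty or negative range sums to 0
    return sum(a[i] for i in range(st["k"]))

def sum_loop(**override):
    """Array-sum loop with J and vf from slide 7; keyword arguments replace
    one component to build the broken variants of slides 21-26."""
    loop = {
        "init": lambda N: {"k": 0, "s": 0},
        "B": lambda st, N: st["k"] != N,
        "S": lambda st, a: {"k": st["k"] + 1, "s": st["s"] + a[st["k"]]},
        "J": lambda st, N, a: 0 <= st["k"] <= N and st["s"] == partial_sum(st, a),
        "vf": lambda st, N: N - st["k"],
    }
    loop.update(override)
    return loop

VARIANTS = {                                   # slide number -> broken loop
    21: sum_loop(init=lambda N: {"k": N, "s": 0}),                          # k := N
    22: sum_loop(S=lambda st, a: {"k": st["k"] + 2, "s": st["s"] + a[st["k"]]}),
    23: sum_loop(S=lambda st, a: dict(st, k=st["k"] + 1),                   # s never updated
                 J=lambda st, N, a: 0 <= st["k"] <= N),
    24: sum_loop(init=lambda N: {"k": 0, "s": 0, "r": 1.0},                 # vf over the reals
                 S=lambda st, a: dict(st, r=st["r"] / 2.0),
                 J=lambda st, N, a: st["s"] == partial_sum(st, a) and 0 <= st["r"],
                 vf=lambda st, N: st["r"]),
    25: sum_loop(S=lambda st, a: dict(st, k=st["k"] - 1),                   # k := k - 1
                 J=lambda st, N, a: st["k"] <= N and st["s"] == partial_sum(st, a),
                 vf=lambda st, N: st["k"]),
    26: sum_loop(S=lambda st, a: st),                                       # skip
}
```

A run is only a witness, not a proof: a variant that passes here on one array may still fail an obligation on another, whereas a reported failure is a genuine counterexample.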
27
Ranges in invariants
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N
vf ≡ N - k
Where are these used?
28
Ranges: lower bound
  • {s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N ∧ k ≠ N ∧ N - k = VF}
  • {s + a[k] = (Σ i | 0 ≤ i < k • a[i]) + a[k] ∧ 0 ≤ k < N ∧ N - k - 1 < VF}
  • s := s + a[k]
  • {s = (Σ i | 0 ≤ i < k • a[i]) + a[k] ∧ 0 ≤ k < N ∧ N - k - 1 < VF}
  • {s = (Σ i | 0 ≤ i < k + 1 • a[i]) ∧ 0 ≤ k + 1 ≤ N ∧ N - (k + 1) < VF}
  • k := k + 1
  • {s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N ∧ N - k < VF}

This step uses 0 ≤ k
29
Ranges: upper bound
{0 ≤ N}
k := 0; s := 0;
{J}
while k ≠ N do
  {J ∧ k ≠ N}
  {0 ≤ vf}
  {J ∧ k ≠ N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k ≠ N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N
vf ≡ N - k
This step uses k ≤ N
30
Ranges: upper bound
{0 ≤ N}
k := 0; s := 0;
{J}
while k < N do
  {J ∧ k < N}
  {0 ≤ vf}
  {J ∧ k < N ∧ vf = VF}
  s := s + a[k]; k := k + 1
  {J ∧ vf < VF}
end
{J ∧ ¬(k < N)}
{s = (Σ i | 0 ≤ i < N • a[i])}
J ≡ s = (Σ i | 0 ≤ i < k • a[i]) ∧ 0 ≤ k ≤ N
vf ≡ N - k
Even with < instead of ≠, this step still needs k ≤ N