Axiomatic Verification I - PowerPoint PPT Presentation

Title:

Axiomatic Verification I

Description:

A formal method of reasoning about the functional correctness of a structured, ... To provide a means for 'proving' (and in some cases, 'disproving') the ...

Slides: 40
Provided by: CISE9
Learn more at: http://www.cise.ufl.edu
1
Axiomatic Verification I
Software Testing and Verification Lecture 17
  • Prepared by
  • Stephen M. Thebaut, Ph.D.
  • University of Florida

2
Axiomatic Verification I
  • Introduction
  • Weak correctness predicate
  • Assignment statements
  • Sequencing
  • Selection statements

3
Introduction
  • What is Axiomatic Verification?
  • A formal method of reasoning about the
    functional correctness of a structured,
    sequential program by tracing its state changes
    from an initial (i.e., pre-) condition to a final
    (i.e., post-) condition according to a set of
    self-evident rules (i.e., axioms).
  • Also known as Hoare logic or Floyd-Hoare
    logic.

4
Introduction (contd)
  • What is its primary goal?
  • To provide a means for 'proving' (and in some
    cases, 'disproving') the functional correctness
    of a sequential program with respect to its
    (formal) specification.

5
Introduction (contd)
  • What are the benefits of studying axiomatic
    verification?
  • Understanding its limitations.
  • Deeper insights into programming and program
    structures.
  • Criteria for judging both programs and
    programming languages.
  • The ability to formally verify small (or parts of
    large) sequential programs.

6
Introduction (contd)
  • Bottom line: even if you never attempt to prove
    a program correct outside this course, the study
    of formal verification should change the way you
    write and read programs.
  • "There are two ways of constructing a software
    design: one way is to make it so simple that
    there are obviously no deficiencies, and the
    other way is to make it so complicated that there
    are no obvious deficiencies. The first method is
    far more difficult." (Tony Hoare)

7
Weak Correctness Predicate
  • To prove that program S is (weakly or
    partially) correct with respect to
    pre-condition P and post-condition Q, it is
    sufficient to show {P} S {Q}.
  • Interpretation of {P} S {Q}: if the input
    (initial state) satisfies pre-condition P and
    (if) program S executes and terminates, then the
    output (final state) will satisfy post-condition
    Q.

8
Weak Correctness Predicate (contd)
  • Truth table interpretation:

  P (before S executes) | S terminates | Q (after S executes) | {P} S {Q}
  ----------------------+--------------+----------------------+----------
  T                     | YES          | must be T            | T
  T                     | YES          | could be F           | F
  F                     | Don't Care   | Don't Care           | T
  Don't Care            | NO           | N/A                  | T

  In the last two cases, {P} S {Q} is said to be
  vacuously true.
9
Weak Correctness Predicate (contd)
  • Note that {P} S {Q} is really just a double
    conditional of the form
  • (A ∧ B) ⇒ C
  • where A is "P holds before executing S", B is "S
    terminates", and C is "Q holds after executing
    S".
  • Therefore, the one and only case for which {P} S
    {Q} is false is: Q could be false if S
    terminates, given that P held before S executes.

10
Weak Correctness Predicate (contd)
  • What are the truth values of the following
    assertions?
  • (1) {x=1} y := x+1 {y>0}

11
Weak Correctness Predicate (contd)
  • What are the truth values of the following
    assertions?
  • (2) {x>0} x := x-1 {x>0}

12
Weak Correctness Predicate (contd)
  • What are the truth values of the following
    assertions?
  • (3) {1=2} k := 5 {k<0}

13
Weak Correctness Predicate (contd)
  • What are the truth values of the following
    assertions?
  • (4) {true} while x <> 5 do x := x-1 {x=5}
  • (Hint: When will S terminate?)
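
The four assertions on slides 10-13 can be decided mechanically by reading {P} S {Q} exactly as the truth table on slide 8 does. The Python below is an added example and is not part of the lecture: each program is modelled as a state transformer with a step budget (an assumption of this example, not the lecture's notation), so that a run which never terminates shows up as the vacuously-true row of the table instead of hanging the checker. The initial states are a constructed sample of integers on both sides of 5 so that assertion (4) exercises both its terminating and its non-terminating runs.

```python
# Added example (not from the lecture): an operational reading of the weak
# correctness predicate {P} S {Q}. A program S is a Python function that takes
# a state (dict of variable values) and a step budget ("fuel"); exhausting the
# budget is how a non-terminating run is detected, which the truth table counts
# as vacuously true.


class NonTermination(Exception):
    """Raised when S uses up its step budget without finishing."""


def holds_for_state(pre, prog, post, state, fuel=1000):
    """Evaluate {P} S {Q} for one initial state.

    Returns (verdict, reason): verdict is the truth value of the triple for
    this state; reason names the truth-table row that applied.
    """
    if not pre(state):
        return True, "P false: vacuously true"
    try:
        final = prog(dict(state), fuel)  # copy so the caller's state is untouched
    except NonTermination:
        return True, "S does not terminate: vacuously true"
    if post(final):
        return True, "P held, S terminated, Q holds"
    return False, "P held, S terminated, Q false"


def partially_correct(pre, prog, post, states, fuel=1000):
    """{P} S {Q} over a finite set of initial states; returns (verdict, counterexample)."""
    for state in states:
        ok, _ = holds_for_state(pre, prog, post, state, fuel)
        if not ok:
            return False, state
    return True, None


# The four programs from slides 10-13, written as state transformers.
def y_gets_x_plus_1(st, fuel):        # y := x+1
    st["y"] = st["x"] + 1
    return st


def x_gets_x_minus_1(st, fuel):       # x := x-1
    st["x"] = st["x"] - 1
    return st


def k_gets_5(st, fuel):               # k := 5
    st["k"] = 5
    return st


def count_down_to_5(st, fuel):        # while x <> 5 do x := x-1
    while st["x"] != 5:
        if fuel == 0:
            raise NonTermination()
        fuel -= 1
        st["x"] -= 1
    return st


# Constructed sample of initial states (an assumption of this example): a few
# integers either side of 5, so (4) shows both terminating and endless runs.
SAMPLE_STATES = [{"x": v} for v in range(-3, 10)]


def slide_assertions():
    """Verdicts for assertions (1)-(4), each paired with a counterexample state or None."""
    return {
        "(1)": partially_correct(lambda s: s["x"] == 1, y_gets_x_plus_1, lambda s: s["y"] > 0, SAMPLE_STATES),
        "(2)": partially_correct(lambda s: s["x"] > 0, x_gets_x_minus_1, lambda s: s["x"] > 0, SAMPLE_STATES),
        "(3)": partially_correct(lambda s: 1 == 2, k_gets_5, lambda s: s["k"] < 0, SAMPLE_STATES),
        "(4)": partially_correct(lambda s: True, count_down_to_5, lambda s: s["x"] == 5, SAMPLE_STATES),
    }


if __name__ == "__main__":
    for label, (verdict, cex) in slide_assertions().items():
        print(label, verdict, "" if cex is None else f"counterexample: {cex}")
```

Run it and the checker reports a counterexample for exactly one of the four assertions; for (4), calling holds_for_state on a state with x below 5 returns the "does not terminate" reason, which is why weak (partial) correctness says nothing about whether S ever finishes. Checking a finite sample of states is evidence, not a proof; the rules on the later slides are what give a proof.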

14
Weak Correctness Predicate (contd)
  • We now consider techniques for proving that such
    assertions hold for structured programs comprised
    of assignment statements, if-then (-else)
    statements, and while loops. (Why these
    constructs?)

15
Reasoning about Assignment Statements
  • For each of the following pre-conditions, P, and
    assignment statements, S, identify a strong
    post-condition, Q, such that {P} S {Q} would
    hold.
  • A strong post-condition captures all
    after-execution state information of interest.
  • However, we won't bother with assertions such as
    X=X (the final value of X is the same as the
    initial value of X) for the time being.

16
Reasoning about Assignment Statements (contd)
  P                 S            Q (to be identified)
  ----------------  -----------  --------------------
  J=6               K := 3
  J=6               J := J+2
  A<B               Min := A
  A<B ∧ B<C         D := C
  X<0               Y := -X
  X[I]=J            I := I+1
  X[I-1]=J          J := J+1
17
Illustrative Example
  (Figure: array X with cells X[1] .. X[7]; cell 4 holds the value 17.)
  Before:  X[I]=J, with J = 17, I = 4
  Execute: I := I+1
  After:   X[I-1]=J, with J = 17, I = 4 → 5
18
Illustrative Example
  (Figure: array X with cells X[1] .. X[7]; cell 4 holds the value 17.)
  Before:  X[I-1]=J, with J = 17, I = 5
  Execute: J := J+1
  After:   X[I-1]=J-1, with J = 17 → 18, I = 5
19
Reasoning about Assignment Statements (contd)
  • For each of the following post-conditions, Q, and
    assignment statements, S, identify a weak
    pre-condition, P, such that {P} S {Q} would hold.
  • (A weak pre-condition reflects only what needs
    to be true initially.)

20
Reasoning about Assignment Statements (contd)
  P (to be identified)  S            Q
  --------------------  -----------  ----------
                        I := 4       J=7 ∧ I=4
                        I := 4       I=4
                        I := 4       I=17
                        I := I+2     I>6
                        Y := X+3     Y=10
                        Y := X+3     Y<8
21
When does ({P} S {Q}) ⇒ ({K} S {W})?
  • We just determined that
  • {J=7} I := 4 {J=7 ∧ I=4}
  • holds.
  • We can deduce from this that
  • {J=7} I := 4 {J=7}
  • also holds since J=7 ∧ I=4 is stronger than
    J=7. That is, because
  • J=7 ∧ I=4 ⇒ J=7.

22
When does ({P} S {Q}) ⇒ ({K} S {W})? (contd)
  • Similarly, if we know that
  • {J=7} I := 4 {J=7 ∧ I=4}
  • holds, it follows that
  • {J=7 ∧ K=17} I := 4 {J=7 ∧ I=4}
  • also holds since J=7 is weaker than J=7 ∧
    K=17. That is, because
  • J=7 ∧ K=17 ⇒ J=7.

23
When does ({P} S {Q}) ⇒ ({K} S {W})? (contd)
  • Thus, we can replace pre-conditions with ones
    that are stronger, and post-conditions with ones
    that are weaker.
  • Note that if A ⇒ B, we say that A is stronger
    than B, or equivalently, that B is weaker than A.

24
Practice quiz question
  • In general, which would be the better marketing
    strategy for increasing your software
    sales: advertising the software as having a strong
    pre-condition and a weak post-condition, or
    vice-versa? Give a concrete example which
    illustrates your answer.

25
Reasoning about Sequencing
  • Suppose that we know
  • {X[I]=J} I := I+1 {X[I-1]=J}
  • and we know
  • {X[I-1]=J} J := J+1 {X[I-1]=J-1}.
  • Then it follows that
  • {X[I]=J}
  • I := I+1;
  • {X[I-1]=J}
  • J := J+1
  • {X[I-1]=J-1}

26
Reasoning about Sequencing (contd)
  • In general: if you know {P} S1 {R} and you know
    {R} S2 {Q} then you know {P} S1; S2 {Q}.

27
Example 1
  • Prove the assertion
  • {A=5} B := A+2; C := B-A; D := A-C {A=5 ∧ D=3}

28
Reasoning about If_then_else Statements
  • Consider the assertion
  • {P} if b then S1 else S2 {Q}
  • What are the necessary conditions for this
    assertion to hold?

29
Necessary Conditions If_then_else
  (Flowchart: starting from state condition P, test b; on T execute S1,
  on F execute S2; both branches rejoin at state condition Q.)
31
Reasoning about If_then Statements
  • Consider the assertion
  • {P} if b then S {Q}
  • What are the necessary conditions for this
    assertion to hold?

32
Necessary Conditions If_then
  (Flowchart: starting from state condition P, test b; on T execute S,
  on F skip S; both paths rejoin at state condition Q.)
34
Example 2
  • Prove the assertion
  • {Z=B} if A>B then Z := A {Z=Max(A,B)}

35
Proof Rules
  • Before proceeding to while loops, let's capture
    our previous reasoning about sequencing,
    selection statements, and state condition
    replacement in appropriate rules of inference
    (ROI).
  • ROI for Sequencing:
      {P} S1 {R},  {R} S2 {Q}
      -----------------------
      {P} S1; S2 {Q}

36
Proof Rules (contd)
  • ROI for if_then_else statement:
      {P ∧ b} S1 {Q},  {P ∧ ¬b} S2 {Q}
      ---------------------------------
      {P} if b then S1 else S2 {Q}
  • ROI for if_then statement:
      {P ∧ b} S {Q},  (P ∧ ¬b) ⇒ Q
      ------------------------------
      {P} if b then S {Q}

37
Proof Rules (contd)
  • ROI for State Condition Replacement:
      K ⇒ P,  {P} S {Q},  Q ⇒ W
      --------------------------
      {K} S {W}
  • Also known as the consequence rule.
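
To see the assignment reasoning of slides 19-20, the sequencing rule (slides 25-27, Example 1), the if_then rule (slides 31-34, Example 2) and the consequence rule doing work together, here is an added example that is not part of the lecture: a small weakest-pre-condition calculator. The pre-condition for x := e with respect to Q is the textual substitution Q[e/x]; the pre-condition of a sequence is computed backwards, last statement first; the pre-condition of a selection combines both branches, with the F branch of an if_then leaving Q unchanged. The tuple encoding of statements, the Python-syntax spelling of conditions (Max(A,B) written as max(A, B)), and the small integer domain over which K ⇒ P is checked by enumeration are all assumptions of this example; that enumeration is a sanity check, not a proof over all integers.

```python
# Added example (not from the lecture): weakest pre-conditions by backward
# substitution, i.e. {Q[e/x]} x := e {Q}, plus the ROI for sequencing,
# if_then(_else) and consequence. Conditions and expressions are strings in
# Python syntax, e.g. "A == 5 and D == 3"; Max(A,B) is written max(A, B).
import itertools
import re

# Tiny statement encoding (an assumption of this example):
#   ("assign", var, expr)                 var := expr
#   ("seq", [s1, s2, ...])                s1; s2; ...
#   ("if", cond, then_stmt, else_stmt)    else_stmt is None for a plain if_then
# Variable names must be single identifiers that are not Python keywords.


def substitute(formula, var, expr):
    """Q[expr/var]: replace each whole-word occurrence of var in formula by (expr)."""
    return re.sub(rf"\b{re.escape(var)}\b", f"({expr})", formula)


def wp(stmt, post):
    """Weakest pre-condition of stmt with respect to post-condition post."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        return substitute(post, var, expr)
    if kind == "seq":
        # wp(S1; S2, Q) = wp(S1, wp(S2, Q)): work backwards through the sequence
        formula = post
        for s in reversed(stmt[1]):
            formula = wp(s, formula)
        return formula
    if kind == "if":
        _, cond, then_stmt, else_stmt = stmt
        then_wp = wp(then_stmt, post)
        # if_then: the F branch leaves the state unchanged, so Q itself must hold there
        else_wp = wp(else_stmt, post) if else_stmt is not None else post
        return f"(not ({cond}) or ({then_wp})) and (({cond}) or ({else_wp}))"
    raise ValueError(f"unknown statement kind {kind!r}")


def implies(p, q, variables, values=range(-3, 8)):
    """Check p ⇒ q for every state over a small integer domain (a finite sanity check,
    standing in for the logical step K ⇒ P of the consequence rule)."""
    code_p = compile(p, "<pre>", "eval")
    code_q = compile(q, "<post>", "eval")
    env = {"max": max}
    for combo in itertools.product(values, repeat=len(variables)):
        state = dict(zip(variables, combo))
        if eval(code_p, env, state) and not eval(code_q, env, state):
            return False
    return True


def equivalent(p, q, variables):
    """p and q agree on every state of the domain: p is then the weak pre-condition."""
    return implies(p, q, variables) and implies(q, p, variables)


def triple_holds(pre, stmt, post, variables):
    """{pre} stmt {post} holds iff pre ⇒ wp(stmt, post)."""
    return implies(pre, wp(stmt, post), variables)


# Example 1 (slide 27): {A=5} B := A+2; C := B-A; D := A-C {A=5 ∧ D=3}
EXAMPLE_1 = ("seq", [("assign", "B", "A + 2"),
                     ("assign", "C", "B - A"),
                     ("assign", "D", "A - C")])

# Example 2 (slide 34): {Z=B} if A>B then Z := A {Z=Max(A,B)}
EXAMPLE_2 = ("if", "A > B", ("assign", "Z", "A"), None)


if __name__ == "__main__":
    print(wp(EXAMPLE_1, "A == 5 and D == 3"))
    print(triple_holds("A == 5", EXAMPLE_1, "A == 5 and D == 3", ["A", "B", "C", "D"]))
    print(wp(EXAMPLE_2, "Z == max(A, B)"))
    print(triple_holds("Z == B", EXAMPLE_2, "Z == max(A, B)", ["A", "B", "Z"]))
```

For Example 1, wp pushes A=5 ∧ D=3 back through the three assignments to A == 5 and (A - ((A + 2) - A)) == 3, which simplifies to A=5, so the given pre-condition implies it. For Example 2 the if_then rule appears as the conjunction of the T-branch obligation (¬(A>B) ∨ A=Max(A,B)) and the F-branch obligation ((A>B) ∨ Z=Max(A,B)), both of which follow from Z=B. A candidate answer for a row of the slide-20 table can be checked the same way, by testing equivalent(wp(stmt, Q), candidate, variables); a candidate that is merely sufficient but too strong will pass implies in one direction only.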

38
Coming Up Next
  • Reasoning about iteration (while loops)
  • Strong correctness and proving termination

39
Axiomatic Verification I
Software Testing and Verification Lecture 17
  • Prepared by
  • Stephen M. Thebaut, Ph.D.
  • University of Florida