
Axiomatic Verification I

Software Testing and Verification Lecture 17

- Prepared by
- Stephen M. Thebaut, Ph.D.
- University of Florida

Axiomatic Verification I

- Introduction
- Weak correctness predicate
- Assignment statements
- Sequencing
- Selection statements

Introduction

- What is Axiomatic Verification?
- A formal method of reasoning about the functional correctness of a structured, sequential program by tracing its state changes from an initial (i.e., pre-) condition to a final (i.e., post-) condition according to a set of self-evident rules (i.e., axioms).
- Also known as Hoare logic or Floyd-Hoare logic.

Introduction (cont'd)

- What is its primary goal?
- To provide a means for proving (and in some cases, disproving) the functional correctness of a sequential program with respect to its (formal) specification.

Introduction (cont'd)

- What are the benefits of studying axiomatic verification?
- Understanding its limitations.
- Deeper insights into programming and program structures.
- Criteria for judging both programs and programming languages.
- The ability to formally verify small (or parts of large) sequential programs.

Introduction (cont'd)

- Bottom line: even if you never attempt to prove a program correct outside this course, the study of formal verification should change the way you write and read programs.
- "There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult." (Tony Hoare)

Weak Correctness Predicate

- To prove that program S is (weakly or partially) correct with respect to pre-condition P and post-condition Q, it is sufficient to show {P} S {Q}.
- Interpretation of {P} S {Q}: if the input (initial state) satisfies pre-condition P and (if) program S executes and terminates, then the output (final state) will satisfy post-condition Q.

Weak Correctness Predicate (cont'd)

- Truth table interpretation:

| P (before S executes) | S terminates | Q (after S executes) | {P} S {Q} |
|---|---|---|---|
| T | YES | must be T | T |
| T | YES | could be F | F |
| F | Don't Care | Don't Care | T |
| Don't Care | NO | N/A | T |

In the cases where P is false or S does not terminate, {P} S {Q} is said to be vacuously true.

Weak Correctness Predicate (cont'd)

- Note that {P} S {Q} is really just a double conditional of the form
- (A ∧ B) → C
- where A is "P holds before executing S", B is "S terminates", and C is "Q holds after executing S".
- Therefore, the one and only case for which {P} S {Q} is false is: Q could be false if S terminates, given that P held before S executes.

Weak Correctness Predicate (cont'd)

- What are the truth values of the following assertions?
- (1) {x=1} y := x+1 {y>0}
- (2) {x>0} x := x-1 {x>0}
- (3) {1=2} k := 5 {k<0}
- (4) {true} while x <> 5 do x := x-1 {x=5}
- (Hint: When will S terminate?)
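The truth-table interpretation can be exercised mechanically. The following is an added example, not code from the lecture: each of the four assertions above is run over a set of constructed initial states, a loop step budget stands in for "S terminates" (an assumption of this example; a run that exhausts the budget is counted as the vacuous row of the table, not as a failure), and the checker reports whether the one falsifying case of the table ever occurred. Because the check only samples a finite range of x, a False verdict is a real counterexample while a True verdict is evidence rather than a proof, which is exactly the gap between testing and verification that the lecture is about.

```python
"""Bounded check of the weak correctness predicate {P} S {Q}.

Added example, not part of the original slides. A program S is a Python
function from a state (dict of variable values) to the final state. A step
budget on loops (an assumption of this example) stands in for "S
terminates": a run that exhausts the budget is counted as the vacuous
row of the truth table rather than as a failure.
"""
from typing import Callable, Dict, Iterable, Tuple

State = Dict[str, int]


class StepBudgetExceeded(Exception):
    """Raised when a loop has not terminated within the step budget."""


def bounded_while(cond: Callable[[State], bool], body: Callable[[State], None],
                  state: State, budget: int = 1000) -> State:
    """'while cond do body', aborting once the step budget is spent."""
    for _ in range(budget):
        if not cond(state):
            return state
        body(state)
    if cond(state):
        raise StepBudgetExceeded()
    return state


def check_triple(pre: Callable[[State], bool], prog: Callable[[State], State],
                 post: Callable[[State], bool],
                 states: Iterable[State]) -> Tuple[bool, int]:
    """Evaluate {pre} prog {post} over the given initial states.

    Returns (verdict, vacuous): verdict is False only when some initial
    state satisfies pre, prog terminates on it, and post fails afterwards
    (row 2 of the truth table); vacuous counts the states where the triple
    held only because pre was false (row 3) or prog did not terminate
    within the budget (row 4).
    """
    vacuous = 0
    for s in states:
        if not pre(s):
            vacuous += 1
            continue
        try:
            out = prog(dict(s))  # copy: the caller's state stays untouched
        except StepBudgetExceeded:
            vacuous += 1
            continue
        if not post(out):
            return False, vacuous
    return True, vacuous


# The four assertions from the slides, written as Python.
def ex1(s: State) -> State:          # y := x+1
    s["y"] = s["x"] + 1
    return s


def ex2(s: State) -> State:          # x := x-1
    s["x"] = s["x"] - 1
    return s


def ex3(s: State) -> State:          # k := 5
    s["k"] = 5
    return s


def ex4(s: State) -> State:          # while x <> 5 do x := x-1
    def step(t: State) -> None:
        t["x"] = t["x"] - 1
    return bounded_while(lambda t: t["x"] != 5, step, s)


# Constructed initial states: x ranges over -10..10, y and k start at 0.
STATES = [{"x": x, "y": 0, "k": 0} for x in range(-10, 11)]


def verdicts() -> Dict[int, Tuple[bool, int]]:
    """Verdict and vacuous-state count for assertions (1) to (4)."""
    return {
        1: check_triple(lambda s: s["x"] == 1, ex1, lambda s: s["y"] > 0, STATES),
        2: check_triple(lambda s: s["x"] > 0, ex2, lambda s: s["x"] > 0, STATES),
        3: check_triple(lambda s: 1 == 2, ex3, lambda s: s["k"] < 0, STATES),
        4: check_triple(lambda s: True, ex4, lambda s: s["x"] == 5, STATES),
    }


if __name__ == "__main__":
    for n, (holds, vacuous) in verdicts().items():
        print(f"({n}) holds={holds} vacuous_states={vacuous}")
```

Note how assertion (4) comes out true even though the loop never terminates for x < 5: every one of those starting states lands in the "S does not terminate" row, which is precisely why the predicate is called weak (or partial) correctness. Assertion (3) is true for the same reason, via the "P false" row.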

Weak Correctness Predicate (cont'd)

- We now consider techniques for proving that such assertions hold for structured programs comprised of assignment statements, if-then (-else) statements, and while loops. (Why these constructs?)

Reasoning about Assignment Statements

- For each of the following pre-conditions, P, and assignment statements, S, identify a strong post-condition, Q, such that {P} S {Q} would hold.
- A strong post-condition captures all after-execution state information of interest.
- However, we won't bother with assertions such as X=X (the final value of X is the same as the initial value of X) for the time being.

Reasoning about Assignment Statements (cont'd)

| P | S | Q |
|---|---|---|
| J=6 | K := 3 | |
| J=6 | J := J+2 | |
| A<B | Min := A | |
| A<B ∧ B<C | D := C | |
| X<0 | Y := -X | |
| X[I]=J | I := I+1 | |
| X[I-1]=J | J := J+1 | |

Illustrative Example

- Before I := I+1: X = [_, _, _, 17, _, _, _] (indices 1 to 7), J = 17, I = 4, so X[I]=J holds.
- After I := I+1: X is unchanged, J = 17, I changes from 4 to 5, so X[I-1]=J holds.
- Before J := J+1: X[4] = 17, J = 17, I = 5, so X[I-1]=J holds.
- After J := J+1: X[4] = 17, J changes from 17 to 18, I = 5, so X[I-1]=J-1 holds.

Reasoning about Assignment Statements (cont'd)

- For each of the following post-conditions, Q, and assignment statements, S, identify a weak pre-condition, P, such that {P} S {Q} would hold.
- (A weak pre-condition reflects only what needs to be true initially.)

Reasoning about Assignment Statements (cont'd)

| P | S | Q |
|---|---|---|
| | I := 4 | J=7 ∧ I=4 |
| | I := 4 | I=4 |
| | I := 4 | I=17 |
| | I := I+2 | I>6 |
| | Y := X+3 | Y=10 |
| | Y := X+3 | Y<8 |

When does ({P} S {Q}) → ({K} S {W})?

- We just determined that
- {J=7} I := 4 {J=7 ∧ I=4}
- holds.
- We can deduce from this that
- {J=7} I := 4 {J=7}
- also holds since J=7 ∧ I=4 is stronger than J=7. That is, because
- J=7 ∧ I=4 → J=7.

When does ({P} S {Q}) → ({K} S {W})? (cont'd)

- Similarly, if we know that
- {J=7} I := 4 {J=7 ∧ I=4}
- holds, it follows that
- {J=7 ∧ K=17} I := 4 {J=7 ∧ I=4}
- also holds since J=7 is weaker than J=7 ∧ K=17. That is, because
- J=7 ∧ K=17 → J=7.

When does ({P} S {Q}) → ({K} S {W})? (cont'd)

- Thus, we can replace pre-conditions with ones that are stronger, and post-conditions with ones that are weaker.
- Note that if A → B, we say that A is stronger than B, or equivalently, that B is weaker than A.

Practice quiz question

- In general, which would be the better marketing strategy for increasing your software sales: advertising the software as having a strong pre-condition and a weak post-condition, or vice-versa? Give a concrete example which illustrates your answer.

Reasoning about Sequencing

- Suppose that we know
- {X[I]=J} I := I+1 {X[I-1]=J}
- and we know
- {X[I-1]=J} J := J+1 {X[I-1]=J-1}.
- Then it follows that
- {X[I]=J}
- I := I+1
- {X[I-1]=J}
- J := J+1
- {X[I-1]=J-1}

Reasoning about Sequencing (cont'd)

- In general, if you know {P} S1 {R} and you know {R} S2 {Q}, then you know {P} S1; S2 {Q}.

Example 1

- Prove the assertion
- {A=5} B := A+2; C := B-A; D := A-C {A=5 ∧ D=3}

Reasoning about If_then_else Statements

- Consider the assertion
- {P} if b then S1 else S2 {Q}
- What are the necessary conditions for this assertion to hold?

Necessary Conditions: If_then_else

[Flowchart: starting with P, test b; if T, execute S1; if F, execute S2; both branches end with Q.]

Reasoning about If_then Statements

- Consider the assertion
- {P} if b then S {Q}
- What are the necessary conditions for this assertion to hold?

Necessary Conditions: If_then

[Flowchart: starting with P, test b; if T, execute S and then reach Q; if F, go directly to Q.]

Example 2

- Prove the assertion
- {Z=B} if A>B then Z := A {Z=Max(A,B)}

Proof Rules

- Before proceeding to while loops, let's capture our previous reasoning about sequencing, selection statements, and state condition replacement in appropriate rules of inference (ROI).
- ROI for Sequencing
  - Premises: {P} S1 {R}, {R} S2 {Q}
  - Conclusion: {P} S1; S2 {Q}

Proof Rules (cont'd)

- ROI for if_then_else statement
  - Premises: {P ∧ b} S1 {Q}, {P ∧ ¬b} S2 {Q}
  - Conclusion: {P} if b then S1 else S2 {Q}
- ROI for if_then statement
  - Premises: {P ∧ b} S {Q}, (P ∧ ¬b) → Q
  - Conclusion: {P} if b then S {Q}

Proof Rules (cont'd)

- ROI for State Condition Replacement
  - Premises: K → P, {P} S {Q}, Q → W
  - Conclusion: {K} S {W}
- Also known as the consequence rule.
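To make these rules concrete, here is an added example (not the slides' own code) that turns them into a small weakest-precondition checker and applies it to Example 1 (sequencing), Example 2 (if_then) and the J=7 triples from the state-condition-replacement slides. It assumes conditions written as Python boolean expressions over integers, handles the assignment step with the standard Hoare assignment axiom {Q[E/x]} x := E {Q} (the slides reason about assignments informally; the axiom itself is not stated on them), and applies the consequence rule by checking K → wp exhaustively over a small integer domain, -6 to 6. All of those are this example's assumptions.

```python
"""Weakest-precondition checker for the slides' rules of inference.

Added example, not the slides' own code. Programs are nested tuples:
("assign", x, E), ("seq", S1, S2, ...) and ("if", b, S1, S2), with S2 set
to None for an if_then statement. Conditions and expressions are Python
source over integers, so '=' is spelled '==' and 'and' / 'not' stand for
the connectives. The assignment axiom {Q[E/x]} x := E {Q} is implemented
by substitution on the expression AST, sequencing and selection follow the
ROIs, and the consequence rule is applied by checking K -> wp over a small
integer domain (an assumption of this example).
"""
import ast
import itertools
from typing import Dict, List, Optional, Tuple

Program = tuple
Counterexample = Optional[Dict[str, int]]


class Subst(ast.NodeTransformer):
    """Replace every read of variable `name` by the expression `expr`."""

    def __init__(self, name: str, expr: ast.expr):
        self.name, self.expr = name, expr

    def visit_Name(self, node: ast.Name) -> ast.AST:
        return self.expr if node.id == self.name else node


def substitute(cond: str, var: str, expr: str) -> str:
    """Q[E/x]: the condition `cond` with `expr` written in place of `var`."""
    tree = ast.parse(cond, mode="eval")
    new = Subst(var, ast.parse(expr, mode="eval").body).visit(tree)
    return ast.unparse(ast.fix_missing_locations(new))


def wp(prog: Program, post: str) -> str:
    """Weakest pre-condition of `prog` with respect to `post`."""
    kind = prog[0]
    if kind == "assign":                  # {Q[E/x]} x := E {Q}
        _, var, expr = prog
        return substitute(post, var, expr)
    if kind == "seq":                     # ROI for sequencing: work right to left
        for stmt in reversed(prog[1:]):
            post = wp(stmt, post)
        return post
    if kind == "if":                      # ROIs for if_then_else and if_then
        _, b, s1, s2 = prog
        when_true = f"(not ({b}) or ({wp(s1, post)}))"                # b -> wp(S1, Q)
        when_false = f"(({b}) or ({wp(s2, post) if s2 else post}))"   # not b -> wp(S2, Q), or Q
        return f"{when_true} and {when_false}"
    raise ValueError(f"unknown statement kind {kind!r}")


def free_names(*exprs: str) -> List[str]:
    """Program variables mentioned in the given conditions (max is a function)."""
    names = set()
    for e in exprs:
        for node in ast.walk(ast.parse(e, mode="eval")):
            if isinstance(node, ast.Name) and node.id != "max":
                names.add(node.id)
    return sorted(names)


def implies_over(pre: str, cond: str, domain=range(-6, 7)) -> Tuple[bool, Counterexample]:
    """Check pre -> cond for every assignment of the variables over `domain`."""
    names = free_names(pre, cond)
    pre_c, cond_c = compile(pre, "<pre>", "eval"), compile(cond, "<cond>", "eval")
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if eval(pre_c, {"max": max}, env) and not eval(cond_c, {"max": max}, env):
            return False, env
    return True, None


def verify(pre: str, prog: Program, post: str) -> Tuple[bool, str, Counterexample]:
    """Consequence rule: {pre} prog {post} holds if pre -> wp(prog, post)."""
    weakest = wp(prog, post)
    ok, cex = implies_over(pre, weakest)
    return ok, weakest, cex


# Example 1 (sequencing) and Example 2 (if_then) from the slides.
EXAMPLE_1 = ("seq", ("assign", "B", "A+2"), ("assign", "C", "B-A"), ("assign", "D", "A-C"))
EXAMPLE_2 = ("if", "A > B", ("assign", "Z", "A"), None)

if __name__ == "__main__":
    print(verify("A == 5", EXAMPLE_1, "A == 5 and D == 3"))
    print(verify("Z == B", EXAMPLE_2, "Z == max(A, B)"))
    print(verify("J == 7", ("assign", "I", "4"), "J == 7 and I == 4"))
```

The returned wp string is the proof obligation itself: for Example 1 it reads `A == 5 and A - (A + 2 - A) == 3`, which is what you get by pushing the post-condition backwards through the three assignments, and the consequence rule then only asks whether A=5 implies it. A True verdict is evidence over the chosen domain rather than a proof (a symbolic simplifier would close that gap), whereas a False verdict comes with a concrete state in which P holds, S terminates, and Q fails, the one falsifying row of the truth table.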

Coming Up Next

- Reasoning about iteration (while loops)
- Strong correctness and proving termination
