
Software Verification 1 Deductive Verification

- Prof. Dr. Holger Schlingloff
- Institut für Informatik der Humboldt Universität
- and
- Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Contracted questions ...

- What is a function contract?
- Why is it necessary for verification?
- Which parameter passing mechanisms do you know?
- Can you explain the Church-Rosser property?
- What is the semantics of a recursive function?
  - denotational?
  - operational?
  - axiomatic?

Parallelism

- increasing importance (multicore processors)
- in C, parallelism by multithreading
  - unfortunately not standardized
  - POSIX: pthread_create (name, function, args), pthread_join, pthread_exit, ...
- key issue: synchronization
  - hard to understand, error-prone

Multithreading in Java

```java
class TicTac implements Runnable {
    static int summe = 0;      // shared counter, updated by both threads without synchronization
    Thread faden;
    private int wer;

    public TicTac(int w) {
        faden = new Thread(this);
        wer = w;
    }

    public void run() {
        for (int i = 1; i < 100; i++)
            if (wer == 1) summe = summe + 1;   // "tic" increments
            else summe = summe - 1;            // "tac" decrements
    }

    public static void main(String[] args) {
        TicTac tic = new TicTac(1);
        TicTac tac = new TicTac(2);
        tic.faden.start();
        tac.faden.start();
        try {
            tic.faden.join();
            tac.faden.join();
        } catch (Exception e) {}
        System.out.println("Summe = " + summe);
    }
}
```

Result: ???

Concept Language

- we add the following new constructs to the language of while-programs:
  - ?1 ?2 or, more generally, ?1 ... ?n
  - await (b) ?
- semantics:
  - parallel (interleaved) execution of the ?i
  - blocking wait until condition is satisfied; the program fragment within await is noninterruptable
  - for simplicity, assignments are atomic actions
- semaphore concept (Dijkstra), monitor concept (Hoare)
- test-and-set operation in processor hardware

Examples

- int n=0; for (int i=0; i<100; i++) n++ || for (int i=0; i<100; i++) n--
- int n=0; int l, r; for (int i=0; i<100; i++) { l=n; l++; n=l } || for (int i=0; i<100; i++) { r=n; r--; n=r }
- int n=0; for (int i=0; i<100; i++) await (true) { l=n; l++; n=l } || for (int i=0; i<100; i++) await (true) { r=n; r--; n=r }

More Examples

- a0 aa a-5 a2a3 a1-a
- a=0; a++ || a--
- a=0; a++ || a=0 || a--
- a=0; await (a>0) a++ || await (a<0) a--
- a=0; await (a>0) a++ || await (a<0) a--

A realistic example

- a=n; b=0; c=1
- while (a != n-k) { c = c*a; a-- }
- || while (b != k) { b++; await (a+b <= n) c = c/b }
- program calculates the binomial coefficient (n over k)

Interleaving Semantics

- A state of the program consists of
  - an assignment of values to variables
  - a set of program counters (depending on the number of parallel components), and
- SOS-rules for parallel programs
  - if (U,I,V) ? b and (?, V) ? (skip,V), then (await (b) ?, V) ? (skip,V)
  - if (?1, V) ? (?1,V), then (?1 ?2, V) ? (?1 ?2,V)
  - if (?2, V) ? (?2,V), then (?1 ?2, V) ? (?1 ?2,V)
  - (skip skip, V) ? (skip,V)
- In general, several possible executions! (tree of possibilities)

A realistic example

- a=n; b=0; c=1
- ?
- ?1: while (a != n-k)
- ?2: c = c*a
- ?3: a--
- ?4:
- ?1: while (b != k)
- ?2: b++
- ?3: await (a+b <= n)
- ?4: c = c/b
- ?5:

Deadlocks

- a=0; b=0; await (a != 0) || await (b != 0)
- a=0; b=0; await (a == 1) b=1 || await (b == 1) a=1
- prt=T; dsk=T; await (prt) prt=F; await (dsk) dsk=F; foo; prt=T; dsk=T || await (dsk) dsk=F; await (prt) prt=F; bar; prt=T; dsk=T

Invariants for Parallel Programs

- Assume ? is a formula such that ? ? ? for every subprogram ? of ?1 ?2. Then ? ?1 ?2 ?
- Example: a0 ? a ? a-- ? ?
- Invariant a0?-? (or, more explicit: (????a0 ? ????a0 ? ????a1 ? ????a-1))
- int n=0; for (int i=0; i<100; i++) n++ || for (int j=0; j<100; j++) n--
- Invariant: n = i-j

Problem with Invariant Method

- Non-compositionality: in order to show ? ?1 ?2 ? it is not sufficient to show ? ?1 ? and ? ?2 ?
- Sequential composition rule (seq): if ? ? ?1 ? and ? ? ?2 ?, then ? ?1 ?2 ?
- ? if ? ?1 ?1 ?1 and ? ?2 ?2 ?2, then ?1 ? ?2 ?1 ?2 ?1 ? ?2

Hoare-Rule for Parallel Programs

- Susan Owicki, 1975: If ? ?1 ?1 ?1 and ? ?2 ?2 ?2, then ? ?1??2 ?1 ?2 ?1??2, if the proofs of ?1 ?1 ?1 and ?2 ?2 ?2 are interference free
- Two proofs are interference-free, if for any two Hoare triples ?a ?a ?a in ?1 ?1 ?1 and ?b ?b ?b in ?2 ?2 ?2 it holds that ?a??b ?a ?b
- Example: {x=0 ∨ x=2} x++ {x=1 ∨ x=3} interferes with {x=0} x=2 {x=2} but not with {x=0 ∨ x=1} x=2 {x=2 ∨ x=3}

Hoare-Owicki-Proof

- {x=0 ∨ x=-1} x++ {x=1 ∨ x=0} and {x=0 ∨ x=1} x-- {x=-1 ∨ x=0}
- Interference freedom:
  - {(x=0 ∨ x=-1) ∧ (x=0 ∨ x=1)} x++ {x=0 ∨ x=1}
  - {(x=0 ∨ x=1) ∧ (x=0 ∨ x=-1)} x-- {x=0 ∨ x=-1}
- Therefore, {(x=0 ∨ x=-1) ∧ (x=0 ∨ x=1)} x++ || x-- {(x=1 ∨ x=0) ∧ (x=-1 ∨ x=0)}, i.e. {x=0} x++ || x-- {x=0}
- Proof does not work for {x=0} h=x; h++; x=h || h=x; h--; x=h {x=0}

Proof (sketch) of example program

- a=n; b=0; c=1 // calculate n over k
- while (a != n-k) { c = c*a; a-- }
- || while (b != k) { b++; await (a+b <= n) c = c/b }
- Idea: at the await it holds that c = n(n-1)...(n-j+1) / (1·2·...·(i-1)), a = n-j, b = i
- If a+b <= n, then i <= j. In this case, c is divisible by j:
  - n is divisible by 1
  - n(n-1) is divisible by 2
  - n(n-1)(n-2) is divisible by 2 and 3
  - n(n-1)(n-2)(n-3) is divisible by 1·2·3·4
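The following is an added example, not code from the lecture: a small interpreter for the interleaving semantics of the concept language (atomic assignments, await, while) that walks the whole tree of possible executions of the binomial-coefficient program above and reports the set of final values of c and whether any execution deadlocks. The helper names (assign, await_, loop, jump, run_all, binomial) and the "exact" flag recording whether every division was exact are my own.

```python
TRUE = lambda v: True

# Steps of the slides' concept language (constructed for this example): a thread is a
# list of (guard, action) with action(vars, pc) -> (new vars, next pc).
def assign(f):              # atomic assignment
    return (TRUE, lambda v, pc: (f(v), pc + 1))
def await_(g, f):           # await (g) f: f runs non-interruptably once g holds
    return (g, lambda v, pc: (f(v), pc + 1))
def loop(cond, exit_pc):    # while-test: enter the body, or jump past it
    return (TRUE, lambda v, pc: (v, pc + 1 if cond(v) else exit_pc))
def jump(target):           # back edge of a while loop
    return (TRUE, lambda v, pc: (v, target))

def run_all(threads, init):
    """Interleaving semantics: walk the whole tree of possible executions.
    Returns (set of final variable assignments, True if some path deadlocks)."""
    start = (tuple(sorted(init.items())), (0,) * len(threads))
    seen, stack, finals, deadlock = {start}, [start], set(), False
    while stack:
        vars_, pcs = stack.pop()
        v, succ = dict(vars_), []
        for t, (prog, pc) in enumerate(zip(threads, pcs)):
            if pc < len(prog) and prog[pc][0](v):        # step of thread t enabled?
                nv, npc = prog[pc][1](dict(v), pc)
                succ.append((tuple(sorted(nv.items())), pcs[:t] + (npc,) + pcs[t + 1:]))
        if not succ:                                      # nothing can move
            if all(pc >= len(p) for p, pc in zip(threads, pcs)):
                finals.add(vars_)                         # all components terminated
            else:
                deadlock = True                           # some await blocks forever
        for s in succ:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return finals, deadlock

def binomial(n, k, guard):
    """Slides' program for n over k; returns ({(final c, divisions exact?)}, deadlock?)."""
    left = [loop(lambda v: v['a'] != n - k, 4),
            assign(lambda v: {**v, 'c': v['c'] * v['a']}),
            assign(lambda v: {**v, 'a': v['a'] - 1}),
            jump(0)]
    right = [loop(lambda v: v['b'] != k, 4),
             assign(lambda v: {**v, 'b': v['b'] + 1}),
             await_(guard, lambda v: {**v, 'exact': v['exact'] and v['c'] % v['b'] == 0,
                                      'c': v['c'] // v['b']}),
             jump(0)]
    finals, dl = run_all([left, right], {'a': n, 'b': 0, 'c': 1, 'exact': True})
    return {(dict(f)['c'], dict(f)['exact']) for f in finals}, dl
```

With the guard a+b <= n, binomial(5, 2, ...) yields exactly {(10, True)} and no deadlock on every interleaving; with the guard weakened to TRUE, interleavings with inexact divisions and wrong final values appear, and with a strict a+b < n the last division is never enabled, so every execution deadlocks.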