09 - Program verification
  1. Program verification and testing (www.tudorgirba.com)
  2. Ariane 5 flight 501
  3. Therac-25 accidents
  4. Pentium FDIV bug
  5. Testing: run the program with a set of inputs and check the output for defects. Verification: formally prove that the program has no defects.
  6. Example: max of 2 natural numbers
  7. Example: max of 2 natural numbers
         if (x ≥ y) max := x else max := y
  8. Example: max of 2 natural numbers, for x = 2, y = 3
         if (x ≥ y) max := x else max := y
  9. Example: max of 2 natural numbers, for x = 2, y = 3
         if (x ≥ y) max := x else max := y
     gives max = 3
  10. Example: max of 2 natural numbers
  11. Example: max of 2 natural numbers
         if (x ≥ y) max := x else max := y
  12. Example: max of 2 natural numbers, with the precondition (x ≥ 0 ∧ y ≥ 0)
         if (x ≥ y) max := x else max := y
  13. Example: max of 2 natural numbers, with precondition and postcondition
         (x ≥ 0 ∧ y ≥ 0)
         if (x ≥ y) max := x else max := y
         (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
  14. A computer performs a computation: information → computation → information
  15. {P} S {Q}: precondition P, program S, postcondition Q
  16. Partial correctness: {P} S {Q}. Total correctness: [P] S [Q]
  17. Skip: {Q} Skip {Q}. Abort: {P} Abort {False}. Assignment: {Q[x/E]} x := E {Q}
  18. Example: P: (x > 1); S: x := x + 1
  19. Example: P: (x > 1); S: x := x + 1; Q: (x > 2)
  20. Example: S: x := x + 2; Q: (x = y)
  21. Example: P: (x = y - 2); S: x := x + 2; Q: (x = y)
  22. Sequence: from {P} S1 {Q} and {Q} S2 {R} infer {P} S1;S2 {R}. Conditional: from {P∧B} S1 {Q} and {P∧¬B} S2 {Q} infer {P} if B then S1 else S2 {Q}
  23. While loop: from P ⟹ I, {I∧B} S {I} and I ∧ ¬B ⟹ Q infer {P} while B do S end {Q}
  24. While loop: from P ⟹ I, {I∧B} S {I} and I ∧ ¬B ⟹ Q infer {P} while B do S end {Q}. Loop invariant I = a property which stays true before and after every loop iteration: 0. initial condition: P ⟹ I; 1. iterative (inductive) condition: {I ∧ B} S {I}; 2. final condition: I ∧ ¬B ⟹ Q
  25. Example: quotient and remainder of dividing 2 integers
         P: (x ≥ 0) ∧ (y > 0)
         S: quo := 0;
            rem := x;
            while (y ≤ rem) do
              rem = rem − y;
              quo = quo + 1
            end
         Q: (quo ∗ y + rem = x) ∧ (0 ≤ rem < y)
  26. Example: binary search
         while (lo < hi) {
           m = (lo + hi) / 2;
           if (n > m)
             lo = m + 1;
           else
             hi = m;
         }
         n = lo;
  27. Example: binary search, annotated with the invariant I: lo <= n ∧ n <= hi
         /* I: lo <= n ∧ n <= hi */
         while (lo < hi) {
           m = (lo + hi) / 2;
           if (n > m)
             lo = m + 1;   /* n > m => n >= m+1 => n >= lo */
           else
             hi = m;       /* !(n > m) => n <= m => n <= hi */
           /* in both cases: lo <= n ∧ n <= hi */
         }                 /* I stays true */
         n = lo;           /* lo<=n ∧ n<=hi ∧ !(lo<hi) => lo==n ∧ n==hi */
  28. Weakest precondition wp(S, Q): ∀ {P} S {Q} :: P ⟹ wp(S, Q)
  29. Verification of {P} S {Q}: 1. compute wp(S, Q); 2. prove P ⟹ wp(S, Q)
  30. Assignment: wp(x:=A, Q) = Q[x←A]. Array assignment: wp(a[x]:=A, Q) = Q[a←a′]
  31. Assignment: wp(x:=A, Q) = Q[x←A], e.g. wp(x:=5, x+y=6) = (5+y = 6) and wp(x:=x+1, x+y=6) = (x+1+y = 6). Array assignment: wp(a[x]:=A, Q) = Q[a←a′]
  32. Assignment: wp(x:=A, Q) = Q[x←A], e.g. wp(x:=5, x+y=6) = (5+y = 6) and wp(x:=x+1, x+y=6) = (x+1+y = 6). Array assignment: wp(a[x]:=A, Q) = Q[a←a′], e.g. wp(a[1]:=x+1, a[1]=a[2]) = (a′[1]=a′[2]) where a′[1] = x+1 and a′[i] = a[i] ∀ i ≠ 1, i.e. (x+1 = a[2])
  33. Sequencing: wp(S1; S2, Q) = wp(S1, wp(S2, Q))
  34. Sequencing: wp(S1; S2, Q) = wp(S1, wp(S2, Q)), e.g. wp(x:=x+1; y:=y+x, y>10)
  35. Sequencing: wp(S1; S2, Q) = wp(S1, wp(S2, Q)), e.g. wp(x:=x+1; y:=y+x, y>10) = wp(x:=x+1, wp(y:=y+x, y>10)) = wp(x:=x+1, y+x>10) = (y+x+1>10)
  36. Conditional: wp(if (B) then S1 else S2, Q) = (B ⟹ wp(S1, Q)) ∧ (¬B ⟹ wp(S2, Q))
  37. Conditional: wp(if (B) then S1 else S2, Q) = (B ⟹ wp(S1, Q)) ∧ (¬B ⟹ wp(S2, Q)), applied to the max example with Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
  38. Conditional, max example: wp = (x≥y ⟹ wp(max:=x, Q)) ∧ (x<y ⟹ wp(max:=y, Q))
  39. Conditional, max example: wp = (x≥y ⟹ wp(max:=x, Q)) ∧ (x<y ⟹ wp(max:=y, Q)) = (x≥y ⟹ Q[max←x]) ∧ (x<y ⟹ Q[max←y])
  40. Conditional, max example: wp = (x≥y ⟹ Q[max←x]) ∧ (x<y ⟹ Q[max←y]) = (x≥y ⟹ ((x≥x) ∧ (x≥y) ∧ (x=x ∨ x=y))) ∧ ...
  41. Conditional, max example: wp = (x≥y ⟹ Q[max←x]) ∧ (x<y ⟹ Q[max←y]) = (x≥y ⟹ ((x≥x) ∧ (x≥y) ∧ (x=x ∨ x=y))) ∧ (x<y ⟹ ((y≥x) ∧ (y≥y) ∧ (y=x ∨ y=y)))
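The assignment, sequencing and conditional rules of slides 30 to 41 are mechanical enough to execute. The following Python is an added example, not code from the slides: it computes wp by substitution on a parsed expression tree, reproduces the slides' wp(x:=5, x+y=6), wp(x:=x+1; y:=y+x, y>10) and max derivations, and evaluates the resulting predicate over a grid of states as a sanity check (the names substitute, wp_assign, wp_seq, wp_if, holds, wp_holds_everywhere and the variable m standing in for max are this example's own).

```python
import ast
import copy

def substitute(pred: str, var: str, expr: str) -> str:
    """Q[var <- expr]: substitute on the parsed tree, not the text, so operator
    precedence survives (x -> x + 1 in 'y + x > 10' gives 'y + (x + 1) > 10')."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node: ast.Name) -> ast.AST:
            return copy.deepcopy(replacement) if node.id == var else node

    tree = Sub().visit(ast.parse(pred, mode="eval"))
    return ast.unparse(tree.body)

def wp_assign(var: str, expr: str, q: str) -> str:
    """Assignment rule: wp(var := expr, Q) = Q[var <- expr]."""
    return substitute(q, var, expr)

def wp_seq(assignments, q: str) -> str:
    """Sequencing rule: wp(S1; S2, Q) = wp(S1, wp(S2, Q)), so work backwards."""
    for var, expr in reversed(assignments):
        q = wp_assign(var, expr, q)
    return q

def wp_if(b: str, then_branch, else_branch, q: str) -> str:
    """Conditional rule: (B => wp(S1, Q)) and (not B => wp(S2, Q))."""
    return (f"(not ({b}) or ({wp_seq(then_branch, q)})) and "
            f"(({b}) or ({wp_seq(else_branch, q)}))")

def holds(pred: str, **state) -> bool:
    """Evaluate a predicate in one program state; no builtins are reachable."""
    return bool(eval(compile(pred, "<pred>", "eval"), {"__builtins__": {}}, dict(state)))

# The slides' max program, with m standing in for max, and its postcondition Q.
MAX_Q = "m >= x and m >= y and (m == x or m == y)"

def wp_max() -> str:
    return wp_if("x >= y", [("m", "x")], [("m", "y")], MAX_Q)

def wp_holds_everywhere(wp: str, lo: int = -3, hi: int = 3) -> bool:
    """Grid check (a test, not a proof): is the predicate true in every state?"""
    return all(holds(wp, x=x, y=y) for x in range(lo, hi + 1) for y in range(lo, hi + 1))

if __name__ == "__main__":
    print(wp_assign("x", "5", "x + y == 6"))                   # 5 + y == 6
    print(wp_seq([("x", "x + 1"), ("y", "y + x")], "y > 10"))  # y + (x + 1) > 10
    print(wp_max(), wp_holds_everywhere(wp_max()))             # ... True
```

The grid check is only a bug finder: a wp that is true on every sampled state is evidence, while the slides' simplification of both conjuncts to true is the proof.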
  42. While loop: L = while (B) do S end
         wp(L, Q) = I ∧ ∀y, ((B ∧ I) ⟹ wp(S, I ∧ x < y)) ∧ ∀y, ((¬B ∧ I) ⟹ Q)
  43. While loop: L = while (B) do S end
         wp(L, Q) = I ∧ ∀y, ((B ∧ I) ⟹ wp(S, I ∧ x < y)) ∧ ∀y, ((¬B ∧ I) ⟹ Q)
      Loop verification: I = a property which stays true before and after every loop iteration; 0. P ⟹ I; 1. I∧B ⟹ wp(S, I); 2. I∧¬B ⟹ Q.
  44. Example: quotient and remainder of dividing 2 integers
         P: (x≥0) ∧ (y>0)
         S: quo := 0;
            rem := x;
            while (y ≤ rem) do
              rem = rem − y;
              quo = quo + 1
            end
         Q: (quo∗y+rem=x) ∧ (0≤rem<y)
  45. Example: quotient and remainder of dividing 2 integers, with the loop invariant
         P: (x≥0) ∧ (y>0)
         S: quo := 0;
            rem := x;
         I: (quo∗y+rem=x) ∧ (rem≥0) ∧ (y>0) ∧ (x≥0)
            while (y ≤ rem) do
              rem = rem − y;
              quo = quo + 1
            end
         Q: (quo∗y+rem=x) ∧ (0≤rem<y)
  46. Example: verification conditions
         P: (x≥0) ∧ (y>0)
         I: (quo∗y+rem=x) ∧ (rem≥0) ∧ (y>0) ∧ (x≥0)
         Q: (quo∗y+rem=x) ∧ (0≤rem<y)
         0. P ⟹ I after quo := 0; rem := x:
            (x ≥ 0) ∧ (y > 0) ⟹ (x = x) ∧ (x ≥ 0) ∧ (x ≥ 0) ∧ (y > 0)
         1. I ∧ B ⟹ wp(S, I):
            (x=rem+y∗quo) ∧ (x≥0) ∧ (rem≥0) ∧ (y>0) ∧ (y≤rem) ⟹ (x = (rem − y) + y ∗ (quo + 1)) ∧ (x ≥ 0) ∧ (rem − y ≥ 0) ∧ (y > 0)
         2. I ∧ ¬B ⟹ Q:
            (x=rem+y∗quo) ∧ (x≥0) ∧ (rem≥0) ∧ (y>0) ∧ (y>rem) ⟹ (x = rem + y ∗ quo) ∧ (0 ≤ rem < y)
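The three loop conditions of slides 43 to 46 can also be turned into run-time checks, which is how a practitioner usually meets invariants first. The following Python is an added example, not the slides' code: div_rem runs the division program with P, the invariant I, a variant (rem strictly decreases) and Q asserted, binary_search_position does the same for the binary search of slide 27 with variant hi − lo, and contract_violation is a helper of this example that reports a failed check. A caller passing y = 0 is stopped by P instead of the loop spinning forever, and a loop body that failed to shrink the variant would be reported rather than hang.

```python
def div_rem(x: int, y: int) -> tuple:
    """The slides' division by repeated subtraction, with P, the invariant I,
    a variant (rem strictly decreases) and Q checked at run time."""
    assert x >= 0 and y > 0, "P violated: needs x >= 0 and y > 0"           # P
    quo, rem = 0, x

    def inv() -> bool:                                                     # I
        return quo * y + rem == x and rem >= 0 and y > 0 and x >= 0

    assert inv(), "0. P => I fails after quo := 0; rem := x"
    while y <= rem:                                                        # B
        before = rem
        rem = rem - y
        quo = quo + 1
        assert inv(), "1. {I and B} S {I} fails"
        assert 0 <= rem < before, "variant did not decrease: loop would not end"
    assert quo * y + rem == x and 0 <= rem < y, "2. I and not B => Q fails"
    return quo, rem

def binary_search_position(n: int, lo: int, hi: int) -> int:
    """The slides' binary search over the integer range [lo, hi];
    I: lo <= n <= hi, variant hi - lo."""
    assert lo <= n <= hi, "P violated: n must lie in [lo, hi]"
    while lo < hi:
        assert lo <= n <= hi, "I broken"
        width = hi - lo
        m = (lo + hi) // 2
        if n > m:
            lo = m + 1          # n > m  =>  n >= m + 1 = lo
        else:
            hi = m              # not (n > m)  =>  n <= m = hi
        assert 0 <= hi - lo < width, "variant did not decrease"
    assert lo == n == hi        # I and not (lo < hi)  =>  lo == n == hi
    return lo

def contract_violation(fn, *args) -> bool:
    """True when a call trips one of its checks (shows P rejecting bad input)."""
    try:
        fn(*args)
    except AssertionError:
        return True
    return False

if __name__ == "__main__":
    print(div_rem(17, 5))                         # (3, 2)
    print(binary_search_position(7, 0, 10))       # 7
    print(contract_violation(div_rem, 5, 0))      # True
```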
  47. {P} S {Q}: precondition P, program S, postcondition Q
  48. Tudor Gîrba, www.tudorgirba.com, creativecommons.org/licenses/by/3.0/