
Functional Program Verification

Functional Program Verification, CS 4311. A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999. Y. Cheon and M. Vela, A Tutorial on Functional Program Verification, Technical Report 10-26, Dept. of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010.



  1. Functional Program Verification
     CS 4311
     A. M. Stavely, Toward Zero Defect Programming, Addison-Wesley, 1999.
     Y. Cheon and M. Vela, A Tutorial on Functional Program Verification, Technical Report 10-26, Dept. of Computer Science, University of Texas at El Paso, El Paso, TX, September 2010.

  2. Outline
     • Non-testing techniques for V&V
     • Overview of functional verification
     • Programs as functions
     • Intended functions
     • Verification
       • Assignment statement
       • Sequential composition
       • Conditional statement
       • Iterative statement

  3. Non-testing Techniques for V&V
     • (Pairs, 2 minutes) V&V: definitions and examples from the class project?
     Sec. 13.4 of Vliet 2008 (Manual Testing Techniques)

  4. Non-testing Techniques for V&V
     • (Pairs, 2 minutes) V&V: definitions and examples?
     • Code reviews
       • Reading: if you can't read it, neither can the people maintaining it
       • Walkthrough: team effort (group of 3-5, e.g., designer, moderator, secretary); manual simulation led by the designer; focus on discovering faults, not on fixing them
       • Inspection: looking for specific faults (e.g., using checklists), e.g., uninitialized variables
     Sec. 13.4 of Vliet 2008 (Manual Testing Techniques)

  5. Non-testing V&V (Cont.)
     • Correctness proof
       • Hoare logic
       • Functional program verification
     • Model checking
     • Correct by construction
       • Refinement calculus
       • Model driven development
     Sec. 13.4 of Vliet 2008 (Manual Testing Techniques)

  6. Overview of Functional Verification
     • Key ideas
       • View programs as mathematical functions
       • Write specifications as mathematical functions
       • Compare the two functions for correctness verification
     • Characteristics
       • Based on sets and functions <-> logic (Hoare)
       • Forward reasoning <-> backward reasoning
       • Matches informal reasoning

  7. Programs as Functions
     Values of x and y after execution?
       // pre-state: {(x,10), (y,20)}
       x = x + y;
       y = x - y;
       x = x - y;
       // post-state: {(x,?), (y,?)}

  8. Programs as Functions
     Values of x and y after execution?
       // pre-state: {(x,10), (y,20)}
       x = x + y;
       y = x - y;
       x = x - y;
       // post-state: {(x,?), (y,?)}
     (Figure: the code maps pre-state {(x,3), (y,5)} to post-state {(x,5), (y,3)}, pre-state {(x,6), (y,4)} to post-state {(x,4), (y,6)}, and so on.)
     • State changing function (or state transformer)
     • Function on program states
     • Maps one program state to another

  9. Concurrent Assignment
     Notation for expressing state changing functions:
       [x1, x2, ..., xn := e1, e2, ..., en]
     • Evaluate the ei's in the pre-state, all at the same time
     • Assign them to the xi's at the same time
     • The values of the other state variables remain the same (frame axiom)
       // [x, y := y, x]
       x = x + y;
       y = x - y;
       x = x - y;

  10. Conditional Concurrent Assignment
     Different functions based on some conditions:
       [x > 0 -> sign := 1 | x < 0 -> sign := -1 | else -> sign := 0]
     • Conditions are evaluated sequentially from the first to the last, in the pre-state
     • The keyword "else" is interpreted as "true"
     • Identity function (I):
       [n > maxSize -> n := maxSize | else -> I]
     • Partial function:
       [n > 0 -> avg := sum / n | else -> undefined]

  11. Exercise
     Write a (conditional) concurrent assignment to describe the function computed by the following code.
       if (n > maxSize) { n = maxSize; }
       avg = sum / n;

  12. Intended Functions
     • Intended function: function describing our intention for the code
       • Specification for the code
     • Code function: function computed by the code
       • Actual behavior implemented by the code
       // [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
       while (i < a.length) { sum += a[i]; i++; }
     "anything": we don't care about the final value of i.

  13. Exercise
     Write intended functions for the following code.
       (a) sum = sum + a;
           avg = sum / n;
       (b) if (a[i] == k) { l = i; }
       (c) while (i < a.length) {
             if (a[i] == k) { l = i; }
             i++;
           }

  14. Annotating Code
     • Why? To facilitate correctness verification
     • How? Annotate every section of code with its intended function
       // f0: [r := largest value in a]
       // f1: [r, i := a[0], 1]
       r = a[0];
       int i = 1;
       // f2: [r, i := max of r and largest in a[i..], anything]
       while (i < a.length) {
         // f3: [r, i := max of r and a[i], i+1]
         if (a[i] > r) { r = a[i]; }
         i++;
       }

  15. Exercise
     Annotate the following code with intended functions.
       c = 0;
       int i = 0;
       while (i < a.length) {
         if (a[i] == n) { c++; }
         i++;
       }

  16. Outline
     • Non-testing techniques for V&V
     • Overview of functional verification
     • Programs as functions
     • Intended functions
     • Verification
       • Assignment statement
       • Sequential composition
       • Conditional statement
       • Iterative statement

  17. Functional Verification Process
     • Write specifications of code as functions, called intended functions
     • Calculate the functions computed by code, called code functions
     • Compare code functions (p) with intended functions (f), i.e., p is correct with respect to (⊑) f if:
       • dom p ⊇ dom f
       • p(x) = f(x) for every x ∈ dom f
     Why not dom p = dom f?

  18. Verification of Assignment Statement
     • Often straightforward
     • Often the code function and the intended function are identical
       // [x := x + 1]
       x = x + 1;
       // [n > 0 -> avg := sum / n]
       avg = sum / n;        (more work is done by the code than the intended function asks for)

  19. Verification of Sequential Composition
     • Compose the code functions
       // [n > 0 -> sum, avg := sum + a, (sum + a) / n]
       sum = sum + a;
       avg = sum / n;
     [sum := sum + a]; [n ≠ 0 -> avg := sum / n]
       ≡ [n ≠ 0 -> sum, avg := sum + a, (sum + a) / n]
       ⊑ [n > 0 -> sum, avg := sum + a, (sum + a) / n]

  20. Trace Table
     • Calculate the code function by tracing the state changes made by each statement
       x = x + 1;
       y = 2 * x;
       z = x + y;
       x = x + 1;
       x = 3 * x;
     Code function: [x, y, z := 3*(x+2), 2*(x+1), (x+1) + 2*(x+1)]
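A trace-table calculator for statement sequences like the one on this slide, written here as an added example (it is not code from the deck): after each assignment it records every variable's value as an expression over the initial values, so the last row is the code function, and it checks the slide's answer at sample initial values. The helper names (trace_table, code_function, at) and the use of Python's eval on the constructed arithmetic are my own assumptions.

```python
import re

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

def trace_table(statements, variables):
    # One row per statement: every variable's value as an expression over the *initial*
    # values, as in the trace table of slide 20. Supports "v = expr;" and "v++;".
    current = {v: v for v in variables}   # initially each variable is its own initial value
    rows = []
    for stmt in statements:
        stmt = stmt.strip().rstrip(";").strip()
        if stmt.endswith("++"):
            target = stmt[:-2].strip()
            expr = target + " + 1"
        else:
            target, expr = (part.strip() for part in stmt.split("=", 1))
        # The right-hand side is evaluated in the pre-state of this statement, so every
        # variable reference is replaced by its current symbolic value (parenthesised).
        substituted = IDENT.sub(
            lambda m: "(" + current[m.group()] + ")" if m.group() in current else m.group(), expr)
        current = {**current, target: substituted}
        rows.append((stmt, dict(current)))
    return rows

def code_function(statements, variables):
    # The last row of the trace table is the code function [v1, ..., vn := e1, ..., en]
    return trace_table(statements, variables)[-1][1]

def at(expr, initial):
    # Evaluate a symbolic entry at concrete initial values (constructed arithmetic only)
    return eval(expr, {"__builtins__": {}}, dict(initial))

# Constructed input: the statement sequence of slide 20
SLIDE20 = ["x = x + 1;", "y = 2 * x;", "z = x + y;", "x = x + 1;", "x = 3 * x;"]

def slide20_matches(x):
    # Check the deck's answer [x, y, z := 3*(x+2), 2*(x+1), (x+1) + 2*(x+1)] at initial x
    cf = code_function(SLIDE20, ["x", "y", "z"])
    s = {"x": x, "y": 0, "z": 0}
    actual = (at(cf["x"], s), at(cf["y"], s), at(cf["z"], s))
    return actual == (3 * (x + 2), 2 * (x + 1), (x + 1) + 2 * (x + 1))
```

The same function handles the exercise on the next slide (years++ is rewritten as years = years + 1 before substitution).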

  21. Exercise
     Use a trace table to calculate the function computed by the following code.
       rate = 0.5;
       years++;
       interest = balance * rate / 100;
       balance = balance + interest;

  22. Modular Verification
     • Intended functions can be used in place of code functions for verification
       // [f0]
       // [f1]
       S1
       // [f2]
       S2
     • Proof obligations
       • f1; f2 ⊑ f0
       • S1 is correct with respect to f1 (S1 ⊑ f1)
       • S2 is correct with respect to f2 (S2 ⊑ f2)

  23. Verification of Conditional Statement
     • Calculate code functions using conditional trace tables
       p = a * r;
       if (a < b) b = b - a;
       else b = b - p;
     Code function: [a < b -> p, b := a * r, b - a | a >= b -> p, b := a * r, b - (a * r)]

  24. Verification of Conditional Statement (Cont.)
     • Case analysis on the conditions
       // [f]
       if (B) S1 else S2
     • Proof obligations
       • When B holds, S1 is correct with respect to f (B ⇒ S1 ⊑ f)
       • When B doesn't hold, S2 is correct with respect to f (¬B ⇒ S2 ⊑ f)

  25. Example
       // f: [z != 0 -> r := |x - y| / z]
       if (x > y) r = (x - y) / z;
       else r = (y - x) / z;
     • Proof by case analysis
       • When x > y: x - y ≡ |x - y|, thus [z != 0 -> r := (x - y)/z] ≡ f
       • When !(x > y): y - x ≡ |x - y|, thus [z != 0 -> r := (y - x)/z] ≡ f
     • Therefore, if ... else ... ⊑ f

  26. Exercise
     Derive proof obligations for an if statement without an else part.
       // [f]
       if (B) S

  27. Exercise
     Write an intended function for the following code and prove the correctness of the code with respect to the intended function.
       if (n > maxSize) { n = maxSize; }
       sum = sum + a;
       avg = sum / n;

  28. Verification of Iteration Statement
     • No known way of calculating the code function, so proof by induction: the loop is unfolded once, and the remaining loop is replaced by f
       // [f]
       while (B) S
       // [f]
       if (B) { S while (B) S }
       // [f]
       if (B) { S [f] }        (assuming f is correct)
     • Proof obligations
       • When B doesn't hold, the identity function is correct with respect to f (¬B ⇒ I ⊑ f)
       • When B holds, S followed by f is correct with respect to f (B ⇒ S;f ⊑ f)
       • Termination, for total correctness
         • Loop variant: an expression whose value increases/decreases on every iteration

  29. Example
       // f1: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
       while (i < a.length) {
         // f2: [sum, i := sum + a[i], i+1]
         sum += a[i];
         i++;
       }
     • Proof obligations
       • Termination: loop variant a.length - i
       • Basis: ¬(i < a.length) ⇒ I ⊑ f1
       • Induction: i < a.length ⇒ f2; f1 ⊑ f1, and refinement of f2
     • Proof of basis
       f1 ≡ [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
          ≡ [sum, i := sum + 0, anything]        (because i >= a.length)
          ≡ [sum, i := sum, anything]
          ⊒ [sum, i := sum, i] = I

  30. Example
       // f1: [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
       while (i < a.length) {
         // f2: [sum, i := sum + a[i], i+1]
         sum += a[i];
         i++;
       }
     • Proof of induction step: i < a.length ⇒ f2; f1 ⊑ f1
       f2; f1 ≡ [sum, i := sum + a[i], i + 1]; [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
              ≡ [sum, i := sum + a[i] + Σ_{j=i+1}^{a.length-1} a[j], anything]
              ≡ [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything]
              ≡ f1
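To check the refinement test of slide 17 on the sum/avg composition of slide 19 and the basis and induction obligations of slides 28-30 on constructed sample states, here is an added example that is not part of the deck: state transformers are modelled as Python functions from a state dictionary to a state dictionary (None meaning "undefined"). The names assign, guarded, compose, refines and ANY are my own, and the sample states are constructed.

```python
ANY = object()  # "anything": a don't-care value in an intended function (my own convention)

def assign(**exprs):
    # Concurrent assignment [x1, ..., xn := e1, ..., en]: every ei is a callable evaluated
    # in the pre-state s, all xi change together, other variables keep their values.
    def f(s):
        post = dict(s)
        for var, e in exprs.items():
            post[var] = e(s) if callable(e) else e
        return post
    return f

def guarded(cond, f):
    # [cond -> f | else -> undefined]: a partial function, None stands for "undefined"
    return lambda s: f(s) if cond(s) else None

def compose(f, g):
    # Sequential composition f; g, undefined wherever f is undefined
    return lambda s: None if f(s) is None else g(f(s))

identity = lambda s: dict(s)  # the identity function I

def refines(p, f, states):
    # p ⊑ f (slide 17): on every sample state where f is defined, p is defined too and
    # agrees with f on every variable f cares about (ANY entries in f are don't-cares).
    def agree(ps, fs):
        return ps is not None and all(v is ANY or ps[k] == v for k, v in fs.items())
    return all(f(s) is None or agree(p(s), f(s)) for s in states)

# Slide 19: code function of "sum = sum + a; avg = sum / n;" (defined for n != 0)
# versus the intended function [n > 0 -> sum, avg := sum + a, (sum + a) / n].
code_fn = compose(assign(sum=lambda s: s["sum"] + s["a"]),
                  guarded(lambda s: s["n"] != 0, assign(avg=lambda s: s["sum"] / s["n"])))
intended = guarded(lambda s: s["n"] > 0, assign(sum=lambda s: s["sum"] + s["a"],
                                                avg=lambda s: (s["sum"] + s["a"]) / s["n"]))
SAMPLE = [dict(sum=10, a=5, n=n, avg=0) for n in (-2, 0, 1, 3)]  # constructed states

# Slides 29-30: "while (i < a.length) { sum += a[i]; i++; }" with body function f2 and
# loop function f1 = [sum, i := sum + Σ_{j=i}^{a.length-1} a[j], anything].
B = lambda s: s["i"] < len(s["a"])
f2 = assign(sum=lambda s: s["sum"] + s["a"][s["i"]], i=lambda s: s["i"] + 1)
f1 = assign(sum=lambda s: s["sum"] + sum(s["a"][s["i"]:]), i=ANY)  # sum() is the builtin
LOOP_STATES = [dict(sum=0, i=i, a=[3, 1, 4]) for i in range(5)]  # constructed states

def basis_holds():       # not B  =>  I ⊑ f1
    return refines(identity, f1, [s for s in LOOP_STATES if not B(s)])

def induction_holds():   # B  =>  f2; f1 ⊑ f1
    return refines(compose(f2, f1), f1, [s for s in LOOP_STATES if B(s)])
```

Checking refines(intended, code_fn, SAMPLE) answers the question on slide 17: it fails because the code is defined at n < 0 where the intended function is not, which is exactly why dom p ⊇ dom f rather than equality is required.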

  31. Exercise
     Prove the termination of the following loop.
       while (low <= high) {
         int mid = (low + high) / 2;
         if (a[mid] < x) low = mid + 1;
         else if (a[mid] > x) high = mid - 1;
         else high = low - 1;
       }

  32. Initialized Loops
     • A loop is seldom used in isolation
       • Preceded by initialization
       • Together they compute something useful
       • The loop's function is more general
       // [f0]
       // [f1]
       S1
       // [f2]
       while (B) {
         // [f3]
         S2
       }
     • Proof obligations
       • f1; f2 ⊑ f0
       • S1 ⊑ f1
       • while (B) S2 ⊑ f2, requiring
         • Termination
         • Basis step: ¬B ⇒ I ⊑ f2
         • Induction: B ⇒ S2;f2 ⊑ f2

  33. Example
       // f0: [r := largest value in a]
       // f1: [r, i := a[0], 1]
       r = a[0];
       int i = 1;
       // f2: [r, i := max of r and largest in a[i..], ?]
       while (i < a.length) {
         // f3: [r, i := max of r and a[i], i+1]
         if (a[i] > r) { r = a[i]; }
         i++;
       }
     Proof obligations
     • f1; f2 ⊑ f0
     • Refinement of f1
     • Refinement of f2
       • Termination of the loop
       • Basis: ¬(i < a.length) ⇒ I ⊑ f2
       • Induction: i < a.length ⇒ f3; f2 ⊑ f2
     • Refinement of f3

  34. Example (Cont.)
     • Proof of f1; f2 ⊑ f0
       f1; f2 ≡ [r, i := a[0], 1]; [r, i := max of r and largest in a[i..], ?]
              ≡ [r, i := max of a[0] and largest in a[1..], ?]
              ≡ [r, i := largest value in a, ?]
              ⊑ [r := largest value in a]
              ≡ f0
     See handout for other proofs.

  35. Exercise
     Write intended functions for the following while loops in isolation.
       (a) while (i < a.length) {
             if (a[i] > 0) { sum += a[i]; }
             i++;
           }
       (b) while (n > 1) { n = n - 2; }

  36. Exercise
     Prove the correctness of the following code.
       // [r := n!]
       r = 1;
       int i = n;
       while (i > 1) {
         r = r * i;
         i--;
       }
