Title: Software Specification, Verification and Validation CIS 775
1 Software Specification, Verification and Validation (CIS 775)
- Elsa L Gunter
- 4303 GITC
- NJIT, http://www.cs.njit.edu/elsa/775-spring2004
2 Termination
- Find a measure function m(x1,…,xn) over the variables in the state into some set with a well-founded order <.
- For each transition B → (x1,…,xn) := (e1,…,en), show that
- m(x1,…,xn)[(x1,…,xn)\(e1,…,en)] < m(x1,…,xn)
3 Flowchart programs
- Input variables X = (x1, x2, …, xl)
- Program variables Y = (y1, y2, …, ym)
- Output variables Z = (z1, z2, …, zn)
- Directed graph with labeled nodes (and edges)
4 Start and End
[Flowchart nodes: start, halt]
5 Assignments and tests
[Flowchart nodes: an assignment node Y := g(X,Y) with one exit; a test node t(X,Y) with two exits labeled T and F]
6 Initial condition
- Initial condition: the values for the input variables for which the program must work.
- x1 ≥ 0 /\ x2 > 0
7 The input-output claim
- The relation between the values of the input and the output variables at termination.
- x1 = z1·x2 + z2 /\ 0 ≤ z2 /\ z2 < x2
[Flowchart (integer division, used through slide 51): start → (y1,y2) := (0,x1) → test y2 ≥ x2: T → (y1,y2) := (y1+1, y2−x2), back to the test; F → (z1,z2) := (y1,y2) → halt]
8 Total versus Partial Correctness
- The program is partially correct with respect to x1 ≥ 0 /\ x2 > 0, and totally correct with respect to x1 ≥ 0 /\ x2 > 0.
[Flowchart: the division program of slide 7]
9 Annotating a scheme
- Assign an assertion to each edge. The assertion expresses the relation between the variables when the program counter is located between the nodes on that edge.
[Flowchart: the division program of slide 7 with its edges labeled A (start → initialization), B (initialization and loop body → test), C (test, T exit → loop body), D (test, F exit → output assignment), E (output assignment → halt)]
10 Annotating a scheme with invariants
- φ(A) = x1 ≥ 0 /\ x2 > 0
- φ(B1) = x1 = y2 /\ y2 ≥ 0 /\ y1 = 0
- φ(B2) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
- φ(E) = x1 = z1·x2 + z2 /\ 0 ≤ z2 < x2
[Flowchart: the division program of slide 9, with edge B split into B1 (initialization → test) and B2 (loop body → test)]
Notice φ(A) is the initial condition, φ(E) is the input-output condition.
11 Annotating a scheme with invariants
- φ(A) = x1 ≥ 0 /\ x2 > 0
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
- φ(E) = x1 = z1·x2 + z2 /\ 0 ≤ z2 < x2
[Flowchart: the division program of slide 9, test exits labeled true/false]
12 Verification conditions: assignment
- For an assignment node Y := g(X,Y) with incoming edge A and outgoing edge B1: φ(A) → φ(B1)[Y\g(X,Y)]
- φ(A) = x1 ≥ 0 /\ x2 > 0
- φ(B1) = x1 = y2 /\ y2 ≥ 0 /\ y1 = 0
- φ(B1)[Y\g(X,Y)] = x1 = x1 /\ x1 ≥ 0 /\ 0 = 0
- Need: x1 ≥ 0 /\ x2 > 0 → x1 = x1 /\ x1 ≥ 0 /\ 0 = 0
[Flowchart fragments: A → Y := g(X,Y) → B; A → (y1,y2) := (0,x1) → B1]
13 Second assignment
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(B)[Y\g(X,Y)] = x1 = (y1+1)·x2 + y2 − x2 /\ y2 − x2 ≥ 0
[Flowchart fragment: C → (y1,y2) := (y1+1, y2−x2) → B]
14 Third assignment
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
- φ(E) = x1 = z1·x2 + z2 /\ 0 ≤ z2 < x2
- φ(E)[Z\g(X,Y)] = x1 = y1·x2 + y2 /\ 0 ≤ y2 < x2
[Flowchart fragment: D → (z1,z2) := (y1,y2) → E]
15 Verification conditions: tests
- For a test node t(X,Y) entered on edge B, with T exit C and F exit D:
- φ(B) /\ t(X,Y) → φ(C)
- φ(B) /\ ¬t(X,Y) → φ(D)
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
[Flowchart fragments: B → test t(X,Y): T → C, F → D; B → test y2 ≥ x2: T → C, F → D]
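The five verification conditions of slides 12-15 can be checked mechanically, at least over a bounded box of states, before any hand proof is attempted. The following Python is an added example, not part of the slides: the assertions φ(A), φ(B), φ(E) and the test are written as predicates, `substituted(phi, g)` implements φ[Y\g(X,Y)] by reading φ on the state an assignment produces, and `counterexamples` enumerates every state with all four variables in [−8, 8]. A bounded search like this cannot prove a condition, but it finds bad invariants quickly: `weakened_B` drops the conjunct y2 ≥ 0, and the checker reports exactly which condition that breaks (the output edge D → E, because z2 ≥ 0 can no longer be concluded).

```python
from itertools import product

# Inductive assertions of slides 10-15 for the division program of slide 7
# (z1 = x1 div x2, z2 = x1 mod x2).  A state is (x1, x2, y1, y2).
def phi_A(x1, x2, y1, y2):
    return x1 >= 0 and x2 > 0                    # initial condition

def phi_B(x1, x2, y1, y2):
    return x1 == y1 * x2 + y2 and y2 >= 0        # loop invariant

def phi_E(x1, x2, z1, z2):
    return x1 == z1 * x2 + z2 and 0 <= z2 < x2   # input-output claim

def t(x1, x2, y1, y2):
    return y2 >= x2                              # the test node

# Assignment nodes: each returns the new values of the variables it assigns.
def g_init(x1, x2, y1, y2):
    return (0, x1)                 # (y1,y2) := (0,x1)

def g_loop(x1, x2, y1, y2):
    return (y1 + 1, y2 - x2)       # (y1,y2) := (y1+1, y2-x2)

def g_out(x1, x2, y1, y2):
    return (y1, y2)                # (z1,z2) := (y1,y2)

def substituted(phi, g):
    """phi[Y\\g(X,Y)]: phi read on the state that the assignment produces."""
    return lambda x1, x2, y1, y2: phi(x1, x2, *g(x1, x2, y1, y2))

def implies(p, q):
    return lambda *s: (not p(*s)) or q(*s)

def verification_conditions(inv_B=phi_B):
    """The five conditions of slides 12-15.  phi(C) and phi(D) are built from
    the loop invariant and the test, so a different invariant can be tried."""
    phi_C = lambda *s: inv_B(*s) and t(*s)
    phi_D = lambda *s: inv_B(*s) and not t(*s)
    return {
        "A->B (init)":   implies(phi_A, substituted(inv_B, g_init)),
        "C->B (loop)":   implies(phi_C, substituted(inv_B, g_loop)),
        "D->E (output)": implies(phi_D, substituted(phi_E, g_out)),
        "B,t->C":        implies(lambda *s: inv_B(*s) and t(*s), phi_C),
        "B,not t->D":    implies(lambda *s: inv_B(*s) and not t(*s), phi_D),
    }

def counterexamples(vcs, bound=8):
    """Bounded check: try every state with all four variables in [-bound, bound]
    and report, per condition, the first state that violates it (if any)."""
    box = range(-bound, bound + 1)
    found = {}
    for name, vc in vcs.items():
        for state in product(box, repeat=4):
            if not vc(*state):
                found[name] = state
                break
    return found

def weakened_B(x1, x2, y1, y2):
    return x1 == y1 * x2 + y2      # the invariant with y2 >= 0 forgotten

if __name__ == "__main__":
    print("slides' invariant:", counterexamples(verification_conditions()))
    print("weakened invariant:", counterexamples(verification_conditions(weakened_B)))
```

The two test conditions are tautologies here because φ(C) and φ(D) were defined as φ(B) strengthened by the test outcome; the real work is in the three assignment conditions, and a counterexample state is the same thing a hand proof would have to rule out.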
16 Exercise: prove partial correctness
- Initial condition: x ≥ 0
- Input-output claim: z = x!
[Flowchart (factorial): start → (y1,y2) := (0,1) → test y1 = x: F → (y1,y2) := (y1+1, (y1+1)·y2), back to the test; T → z := y2 → halt]
18 Verification conditions: assignment
- φ(A) → φ(B)[Y\g(X,Y)]
- φ(A) = x1 ≥ 0 /\ x2 > 0
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(B)[Y\g(X,Y)] = x1 = 0·x2 + x1 /\ x1 ≥ 0
[Flowchart fragment: A → (y1,y2) := (0,x1) → B]
19 Assignment condition
[Flowchart fragment: precondition 2 = x1 on edge A → assignment y1 := 2 → postcondition y1 = x1 on edge B]
20 Another way to understand the condition
- Use two versions of each variable, before and after the assignment, e.g. y1 and y1' respectively.
- postcondition: y1' = x1
- assignment: y1' = 2
- precondition: 2 = x1
[Flowchart fragment: as on slide 19]
21 Assignment condition
[Flowchart fragment: precondition y1 = 5 on edge A → assignment y1 := y1 + 5 → postcondition y1 = 10 on edge B]
22 Assignment condition
- Postcondition: y1 = 10
- Assignment: y1 := y1 + 5
- Precondition: y1 + 5 = 10, i.e., y1 = 5
[Flowchart fragment: as on slide 21]
23 Verification conditions: assignment
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- Assignment: y1 := 0 /\ y2 := x1
- φ(B)[Y\g(X,Y)] = x1 = 0·x2 + x1 /\ x1 ≥ 0
- (or simply x1 ≥ 0)
- φ(A) = x1 ≥ 0 /\ x2 > 0
24 Second assignment
- Precondition: φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- Assignment: y1' = y1 + 1 /\ y2' = y2 − x2
- Postcondition: φ(B)[Y\g(X,Y)] = x1 = (y1+1)·x2 + y2 − x2 /\ y2 − x2 ≥ 0
25 Second assignment
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(B)[Y\g(X,Y)] = x1 = (y1+1)·x2 + y2 − x2 /\ y2 − x2 ≥ 0
[Flowchart fragment: C → (y1,y2) := (y1+1, y2−x2) → B]
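Slides 19-25 all apply one operation: backward substitution, φ[Y\g(X,Y)], which turns a postcondition into the weakest precondition of an assignment. The Python below is an added example, not code from the slides; it writes the assertions as Python boolean expressions (a notation assumed here) and performs the substitution on the parsed syntax tree, so that simultaneous assignments such as (y1,y2) := (y1+1, y2−x2) are handled correctly: every right-hand side is inserted into the original formula, never into an already-substituted one. `assignment_condition_holds` then checks, over constructed sample states, both the edge condition pre → post[Y\g] and the lemma that justifies it (post[Y\g] before the assignment has the same value as post after it). The last call shows why φ(C), not φ(B), must be the precondition of the loop body: without y2 ≥ x2 the substituted conjunct y2 − x2 ≥ 0 fails.

```python
import ast
from functools import lru_cache
from itertools import product

def substitute(assertion, assignment):
    """Backward substitution phi[Y\\g(X,Y)] on Python expression syntax trees.
    `assignment` maps each assigned variable to its right-hand side; all
    replacements are made simultaneously, so for (y1,y2) := (y1+1, y2-x2) the
    substituted y2 does not see the already-substituted y1."""
    rhs = {name: ast.parse(expr, mode="eval").body for name, expr in assignment.items()}

    class Subst(ast.NodeTransformer):
        def visit_Name(self, node):
            return rhs.get(node.id, node)   # unassigned variables stay as they are

    tree = Subst().visit(ast.parse(assertion, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))

@lru_cache(maxsize=None)
def _compiled(expr):
    return compile(expr, "<assertion>", "eval")

def holds(assertion, state):
    """Truth value of an assertion in a concrete state (a dict of variable values).
    The assertion strings are written by the verifier, so eval is acceptable here;
    builtins are withheld anyway so the formulas stay pure arithmetic."""
    return bool(eval(_compiled(assertion), {"__builtins__": {}}, dict(state)))

def execute(assignment, state):
    """Run the simultaneous assignment: every right-hand side reads the old state."""
    new = dict(state)
    for name, expr in assignment.items():
        new[name] = eval(_compiled(expr), {"__builtins__": {}}, dict(state))
    return new

def assignment_condition_holds(pre, assignment, post, states):
    """Slides 19-25: the edge condition pre -> post[Y\\g], checked on sample
    states, together with the fact that justifies it: post[Y\\g] before the
    assignment has the same truth value as post after it."""
    wp = substitute(post, assignment)
    for s in states:
        if holds(wp, s) != holds(post, execute(assignment, s)):
            return False            # substitution lemma broken (should never happen)
        if holds(pre, s) and not holds(wp, s):
            return False            # a counterexample to pre -> post[Y\g]
    return True

def sample_states(bound=4):
    """Constructed sample states: all combinations of x1, x2, y1, y2 in [-bound, bound]."""
    rng = range(-bound, bound + 1)
    return [dict(zip(("x1", "x2", "y1", "y2"), v)) for v in product(rng, repeat=4)]

PHI_B = "x1 == y1 * x2 + y2 and y2 >= 0"
PHI_C = PHI_B + " and y2 >= x2"
LOOP = {"y1": "y1 + 1", "y2": "y2 - x2"}     # (y1,y2) := (y1+1, y2-x2)

if __name__ == "__main__":
    print(substitute("y1 == x1", {"y1": "2"}))          # slide 19: 2 == x1
    print(substitute("y1 == 10", {"y1": "y1 + 5"}))     # slide 22: y1 + 5 == 10
    print(substitute(PHI_B, LOOP))                      # slide 25
    print(assignment_condition_holds(PHI_C, LOOP, PHI_B, sample_states()))   # True
    print(assignment_condition_holds(PHI_B, LOOP, PHI_B, sample_states()))   # False
```

`ast.unparse` needs Python 3.9 or later; the substituted formula it prints for slide 25 is the same one the slide writes by hand, up to parenthesization.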
26 Third assignment
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
- φ(E) = x1 = z1·x2 + z2 /\ 0 ≤ z2 < x2
- φ(E)[Z\g(X,Y)] = x1 = y1·x2 + y2 /\ 0 ≤ y2 < x2
[Flowchart fragment: D → (z1,z2) := (y1,y2) → E]
27 Verification conditions: tests
- (φ(B) /\ t(X,Y)) → φ(C)
- (φ(B) /\ ¬t(X,Y)) → φ(D)
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
[Flowchart fragments: B → test t(X,Y): true → C, false → D; B → test y2 ≥ x2: true → C, false → D]
28 Exercise: prove partial correctness
- Initial condition: x ≥ 0
- Input-output claim: z = x!
[Flowchart (factorial, as on slide 16): start → (y1,y2) := (0,1) → test y1 = x: false → (y1,y2) := (y1+1, (y1+1)·y2), back to the test; true → z := y2 → halt]
29 What have we achieved?
- For each statement S that appears between points X and Y we showed that if control is at X when φ(X) holds and S is executed, then φ(Y) holds.
- Initially, we know that φ(A) holds.
- The above two conditions can be combined into an induction on the number of statements that were executed: if after n steps we are at point X, then φ(X) holds.
30 Another example
- φ(A) = x ≥ 0
- φ(F) = z² ≤ x < (z+1)²
- z is the biggest number that is not greater than √x.
[Flowchart (integer square root, used through slide 53): start →A→ (y1,y2,y3) := (0,0,1) →B→ y2 := y2 + y3 →C→ test y2 > x: false →D→ (y1,y3) := (y1+1, y3+2), back to B; true →E→ z := y1 →F→ halt]
31 Some insight
- 1 + 3 + 5 + … + (2n+1) = (n+1)²
- y2 accumulates the above sum, until it is bigger than x.
- y3 ranges over the odd numbers 1, 3, 5, …
- y1 is n−1.
[Flowchart: the integer square root program of slide 30]
32 Invariants
- It is sufficient to have one invariant for every loop (cycle in the program's graph).
- We will have φ(C) = y1² ≤ x /\ y2 = (y1+1)² /\ y3 = 2·y1 + 1
[Flowchart: the integer square root program of slide 30]
33 Obtaining φ(B)
- By backwards substitution in φ(C).
- φ(C) = y1² ≤ x /\ y2 = (y1+1)² /\ y3 = 2·y1 + 1
- φ(B) = y1² ≤ x /\ y2 + y3 = (y1+1)² /\ y3 = 2·y1 + 1
[Flowchart: the integer square root program of slide 30]
34 Check assignment condition
- φ(A) = x ≥ 0
- φ(B) = y1² ≤ x /\ y2 + y3 = (y1+1)² /\ y3 = 2·y1 + 1
- φ(B) relativized is 0² ≤ x /\ 0 + 1 = (0+1)² /\ 1 = 2·0 + 1
- Simplified: x ≥ 0
[Flowchart: the integer square root program of slide 30]
35 Obtaining φ(D)
- By backwards substitution in φ(B).
- φ(B) = y1² ≤ x /\ y2 + y3 = (y1+1)² /\ y3 = 2·y1 + 1
- φ(D) = (y1+1)² ≤ x /\ y2 + y3 + 2 = (y1+2)² /\ y3 + 2 = 2·(y1+1) + 1
[Flowchart: the integer square root program of slide 30]
36 Checking
- φ(C) = y1² ≤ x /\ y2 = (y1+1)² /\ y3 = 2·y1 + 1
- (φ(C) /\ y2 ≤ x) → φ(D)
- φ(D) = (y1+1)² ≤ x /\ y2 + y3 + 2 = (y1+2)² /\ y3 + 2 = 2·(y1+1) + 1
[Flowchart: the integer square root program of slide 30]
37
- y1² ≤ x /\ y2 = (y1+1)² /\ y3 = 2·y1 + 1 /\ y2 ≤ x
- → (y1+1)² ≤ x /\ y2 + y3 + 2 = (y1+2)² /\ y3 + 2 = 2·(y1+1) + 1
38 Not finished!
- Still need to calculate φ(E) by substituting backwards from φ(F).
- Check that φ(C) /\ y2 > x → φ(E).
[Flowchart: the integer square root program of slide 30]
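The induction of slide 29 says that if every edge condition is proved, φ(X) holds whenever control reaches X. A cheap sanity check before proving anything is to run the program with the annotations of slides 32-35 (and φ(E), obtained here as φ(F) with z replaced by y1, the step slide 38 leaves open) evaluated at every edge crossing. The Python below is an added example, not code from the slides: `trace` executes the flowchart of slide 30 and yields the edge reached together with the state, `run_checked` records every edge whose assertion is false, and a deliberately wrong initialization (y3 = 2) shows that the first violated annotation pinpoints the faulty edge. `slide38_condition` checks the remaining test condition over a box of states that satisfy the equalities of φ(C).

```python
import math

def phi(edge, x, y1, y2, y3, z):
    """The slides' assertions on the edges of the integer-square-root program
    (slides 32-35 and 38); phi(E) is phi(F) with z replaced by y1."""
    if edge == "A":
        return x >= 0
    if edge == "B":
        return y1 * y1 <= x and y2 + y3 == (y1 + 1) ** 2 and y3 == 2 * y1 + 1
    if edge == "C":
        return y1 * y1 <= x and y2 == (y1 + 1) ** 2 and y3 == 2 * y1 + 1
    if edge == "D":
        return ((y1 + 1) ** 2 <= x and y2 + y3 + 2 == (y1 + 2) ** 2
                and y3 + 2 == 2 * (y1 + 1) + 1)
    if edge == "E":
        return y1 * y1 <= x < (y1 + 1) ** 2
    if edge == "F":
        return z * z <= x < (z + 1) ** 2
    raise ValueError(edge)

def trace(x, init=(0, 0, 1)):
    """Execute the flowchart of slide 30, yielding (edge, state) every time
    control crosses an edge.  `init` is the value of the first assignment;
    the slides use (0,0,1), a wrong value is accepted to show detection."""
    y1 = y2 = y3 = z = None
    yield "A", (x, y1, y2, y3, z)
    y1, y2, y3 = init
    yield "B", (x, y1, y2, y3, z)
    while True:
        y2 = y2 + y3
        yield "C", (x, y1, y2, y3, z)
        if y2 > x:
            yield "E", (x, y1, y2, y3, z)
            z = y1
            yield "F", (x, y1, y2, y3, z)
            return
        yield "D", (x, y1, y2, y3, z)
        y1, y3 = y1 + 1, y3 + 2
        yield "B", (x, y1, y2, y3, z)

def run_checked(x, init=(0, 0, 1), max_edges=10_000):
    """Run the program on x and return (z, violations): the output and the list
    of (edge, state) pairs at which the edge assertion was false."""
    violations, z = [], None
    for n, (edge, state) in enumerate(trace(x, init)):
        if n >= max_edges:        # guard against a non-terminating variant
            break
        if not phi(edge, *state):
            violations.append((edge, state))
        if edge == "F":
            z = state[4]
    return z, violations

def all_runs_annotated(upper=200):
    """For every input 0..upper: no violation, and z is the integer square root."""
    return all(run_checked(x) == (math.isqrt(x), []) for x in range(upper + 1))

def slide38_condition(bound=40):
    """(phi(C) /\\ y2 > x) -> phi(E), the condition slide 38 leaves to check, over
    all x, y1 in 0..bound with y2, y3 fixed by the equalities in phi(C)."""
    for x in range(bound + 1):
        for y1 in range(bound + 1):
            y2, y3 = (y1 + 1) ** 2, 2 * y1 + 1
            if (phi("C", x, y1, y2, y3, None) and y2 > x
                    and not phi("E", x, y1, y2, y3, None)):
                return False
    return True

if __name__ == "__main__":
    print(run_checked(10))                  # (3, [])
    print(run_checked(10, init=(0, 0, 2)))  # wrong start: first violation on edge B
    print(all_runs_annotated(), slide38_condition())
```

Runtime checking only covers the inputs tried, which is exactly why the slides move on to proving the edge conditions; its value is in catching a mistyped invariant (or a mistyped program) before the proof effort starts.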
39 Proving termination
40 Well-founded sets
- Partially ordered set (W, <):
- If a < b and b < c then a < c (transitivity).
- If a < b then not b < a (asymmetry).
- Not a < a (irreflexivity).
- Well-founded set (W, <):
- Partially ordered.
- No infinite decreasing chain a1 > a2 > a3 > …
41 Examples of well-founded sets
- Natural numbers with the bigger-than relation.
- Finite sets with the set inclusion relation.
- Strings with the substring relation.
- Tuples with alphabetic (lexicographic) order:
- (a1,b1) > (a2,b2) iff a1 > a2, or a1 = a2 and b1 > b2.
- (a1,b1,c1) > (a2,b2,c2) iff a1 > a2, or a1 = a2 and b1 > b2, or a1 = a2 and b1 = b2 and c1 > c2.
42 Why does the program terminate?
- y2 starts as x1.
- Each time the loop is executed, y2 is decremented.
- y2 is a natural number.
- The loop cannot be entered again when y2 < x2.
[Flowchart: the division program of slide 7]
43 Proving termination
- Choose a well-founded set (W, <).
- Attach a function u(N) to each point N.
- Annotate the flowchart with invariants, and prove their consistency conditions.
- Prove that φ(N) → (u(N) ∈ W).
44 How not to stay in a loop?
- Show that u(M) ≥ u(N).
- At least once in each loop, show that u(M) > u(N).
[Flowchart fragment: point M → statement S → point N]
45 How not to stay in a loop?
- For a statement: φ(M) → (u(M) ≥ u(N)rel), where u(N)rel is u(N) with the assignment substituted in; strictly > on at least one statement of each loop.
- For a test (true side): (φ(M) /\ test) → (u(M) ≥ u(N))
- For a test (false side): (φ(M) /\ ¬test) → (u(M) ≥ u(L))
[Flowchart fragments: M → stmt → N; M → test: true → N, false → L]
46 What did we achieve?
- There are finitely many control points.
- The value of the function u cannot increase.
- If we return to the same control point, the value of u must decrease (it's a loop!).
- The value of u can decrease only a finite number of times.
47 Why does the program terminate?
- u(A) = x1
- u(B) = y2
- u(C) = y2
- u(D) = y2
- u(E) = z2
- W = naturals
- > = greater than
[Flowchart: the division program of slide 7]
48 Recall partial correctness annotation
- φ(A) = x1 ≥ 0 /\ x2 > 0
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2
- φ(E) = x1 = z1·x2 + z2 /\ 0 ≤ z2 < x2
49 Strengthen for termination
- φ(A) = x1 ≥ 0 /\ x2 > 0
- φ(B) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ x2 > 0
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2 /\ x2 > 0
- φ(D) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 < x2 /\ x2 > 0
- φ(E) = x1 = z1·x2 + z2 /\ 0 ≤ z2 < x2
- This proves that u(M) is natural for each point M.
50 We shall show
- u(A) = x1
- u(B) = y2
- u(C) = y2
- u(D) = y2
- u(E) = z2
- u(A) ≥ u(B)
- u(B) ≥ u(C)
- u(C) > u(B)
- u(B) ≥ u(D)
- u(D) ≥ u(E)
[Flowchart: the division program of slide 7]
51 Proving decrement
- φ(C) = x1 = y1·x2 + y2 /\ y2 ≥ 0 /\ y2 ≥ x2 /\ x2 > 0
- u(C) = y2
- u(B) = y2
- u(B)rel = y2 − x2
- φ(C) → y2 > y2 − x2
- (notice that φ(C) → x2 > 0)
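The termination argument of slides 43-51 has three parts that can each be observed on a concrete run: u(N) is a natural number at every point (which is what the strengthened invariants of slide 49 guarantee), u never increases along an edge, and u strictly decreases on the loop edge C → B. The Python below is an added example, not code from the slides: `trace` runs the division program of slide 7, `check_ranking` evaluates the ranking functions of slide 47 on every edge and stops at the first broken rule, and `bounded_by_u_A` confirms the consequence slide 46 draws: with u(A) = x1 and one strict decrease per pass, no run makes more than x1 passes through the loop. Inputs that violate the initial condition (x2 = 0, x2 < 0) do not terminate, and the checker reports exactly which rule their runs break instead of hanging.

```python
# Ranking functions of slides 47 and 50 for the division program of slide 7.
# A state is (x1, x2, y1, y2, z1, z2); variables not yet assigned are None.
U = {
    "A": lambda x1, x2, y1, y2, z1, z2: x1,
    "B": lambda x1, x2, y1, y2, z1, z2: y2,
    "C": lambda x1, x2, y1, y2, z1, z2: y2,
    "D": lambda x1, x2, y1, y2, z1, z2: y2,
    "E": lambda x1, x2, y1, y2, z1, z2: z2,
}

def trace(x1, x2):
    """Run the slide 7 program, yielding (point, state) for every edge crossed."""
    y1 = y2 = z1 = z2 = None
    yield "A", (x1, x2, y1, y2, z1, z2)
    y1, y2 = 0, x1                              # (y1,y2) := (0,x1)
    yield "B", (x1, x2, y1, y2, z1, z2)
    while True:
        if y2 >= x2:                            # the test
            yield "C", (x1, x2, y1, y2, z1, z2)
            y1, y2 = y1 + 1, y2 - x2            # (y1,y2) := (y1+1, y2-x2)
            yield "B", (x1, x2, y1, y2, z1, z2)
        else:
            yield "D", (x1, x2, y1, y2, z1, z2)
            z1, z2 = y1, y2                     # (z1,z2) := (y1,y2)
            yield "E", (x1, x2, y1, y2, z1, z2)
            return

def check_ranking(x1, x2, max_edges=10_000):
    """Return (loop_passes, ok, reason).  ok becomes False as soon as some u(N)
    is not a natural number, u increases along an edge, or u fails to decrease
    strictly on the loop edge C -> B (slides 44-46).  A run that does not
    terminate must break one of these rules or exhaust the edge budget."""
    prev_point = prev_u = None
    passes = 0
    for n, (point, state) in enumerate(trace(x1, x2)):
        if n >= max_edges:
            return passes, False, "edge budget exhausted"
        u = U[point](*state)
        if u < 0:
            return passes, False, f"u({point}) = {u} is not a natural number"
        if prev_u is not None and u > prev_u:
            return passes, False, f"u increased on {prev_point} -> {point}"
        if prev_point == "C" and point == "B":
            if u >= prev_u:
                return passes, False, "no strict decrease on the loop edge C -> B"
            passes += 1
        prev_point, prev_u = point, u
    return passes, True, "ok"

def bounded_by_u_A(upper=40):
    """Slide 46 in numbers: for x1 >= 0 and x2 > 0, every run satisfies the
    three rules and passes through the loop at most u(A) = x1 times."""
    for a in range(upper + 1):
        for b in range(1, 10):
            passes, ok, _ = check_ranking(a, b)
            if not ok or passes > a:
                return False
    return True

if __name__ == "__main__":
    print(check_ranking(17, 5))     # (3, True, 'ok')
    print(check_ranking(4, 0))      # loop edge does not decrease u
    print(check_ranking(4, -1))     # u increases
    print(bounded_by_u_A())
```

The bound of x1 passes is loose (the actual count is x1 div x2), but that is the point of a ranking function: it need not be tight, only natural-valued and strictly decreasing once per cycle.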
52 Integer square root program
- φ(C) = y1² ≤ x /\ y2 = (y1+1)² /\ y3 = 2·y1 + 1
- φ(B) = y1² ≤ x /\ y2 + y3 = (y1+1)² /\ y3 = 2·y1 + 1
[Flowchart: the integer square root program of slide 30]
53
- u(A) = x + 1
- u(B) = x − y2 + 1
- u(C) = max(0, x − y2)
- u(D) = x − y2 + 1
- u(E) = u(F) = 0
- u(A) ≥ u(B)
- u(B) > u(C)
- u(C) ≥ u(D)
- u(D) ≥ u(B)
- Need some invariants, i.e., y2 ≤ x /\ y3 > 0 at points B and D, and y3 > 0 at point C.