Program verification: flowchart programs - PowerPoint PPT Presentation
Provided by: Dor103
Slides: 60

Transcript and Presenter's Notes
1
Program verification: flowchart programs
Book: chapter 7
2
History
  • Verification of flowchart programs: Floyd, 1967
  • Hoare's logic: Hoare, 1969
  • Linear Temporal Logic: Pnueli, Krueger, 1977
  • Model Checking: Clarke, Emerson, 1981

3
Program Verification
  • Predicate (first order) logic.
  • Partial correctness, Total correctness
  • Flowchart programs
  • Invariants, annotated programs
  • Well founded ordering (for termination)
  • Hoare's logic

4
Predicate (first order) logic
  • Variables, functions, predicates
  • Terms
  • Formulas (assertions)

5
Signature
  • Variables: v1, x, y18
  • Each variable represents a value of some given
    domain (int, real, string, ...).
  • Function symbols: f(_,_), g2(_), h(_,_,_).
  • Each function has an arity (number of
    parameters), a domain for each parameter, and a
    range.
  • f: int×int → int (e.g., addition), g: real → real
    (e.g., square root)
  • A constant is a function symbol with arity 0.
  • Relation symbols: R(_,_), Q(_).
  • Each relation has an arity, and a domain for each
    parameter.
  • R ⊆ real×real (e.g., greater than).
  • Q ⊆ int (e.g., is a prime).

6
Terms
  • Terms are objects that have values.
  • Each variable is a term.
  • Applying a function with arity n to n terms
    results in a new term.
  • Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0))
  • More familiar notation: sqr(v1+5.0)

7
Formulas
  • Applying predicates to terms results in a
    formula.
  • R(v1,5.0), Q(x)
  • More familiar notation: v1>5.0
  • One can combine formulas with the boolean
    operators (and, or, not, implies).
  • R(v1,5.0) ⇒ Q(x)
  • x>1 ⇒ x*x>x
  • One can apply existential and universal
    quantification to formulas.
  • ∃x Q(x), ∀x1 R(x1,5.0), ∀x ∃y R(x,y)

8
A model, a proof
  • A model gives a meaning (semantics) to a first
    order formula:
  • A relation for each relation symbol.
  • A function for each function symbol.
  • A value for each variable.
  • An important concept in first order logic is that
    of a proof. We assume the ability to prove that a
    formula holds for a given model.
  • Example proof rule (MP, modus ponens): from φ and φ ⇒ ψ, infer ψ.

9
Flowchart programs
  • Input variables X = x1,x2,...,xl
  • Program variables Y = y1,y2,...,ym
  • Output variables Z = z1,z2,...,zn

Flowchart: start → Y:=f(X) → ... → Z:=h(X,Y) → halt
10
Assignments and tests
Assignment node: Y:=g(X,Y).  Test node: t(X,Y), with outgoing branches T (true) and F (false).
11
Initial condition
  • Initial condition: the values for the input
    variables for which the program must work.
  • x1≥0 /\ x2>0
12
The input-output claim
  • The relation between the values of the input and
    the output variables at termination.
  • x1 = z1*x2 + z2 /\
  • 0 ≤ z2 < x2

Flowchart: start → (y1,y2):=(0,x1) → [y2≥x2?] → T: (y1,y2):=(y1+1,y2-x2) → back to the test; F: (z1,z2):=(y1,y2) → halt
13
Partial correctness, Termination, Total
correctness
  • Partial correctness: if the initial condition
    holds and the program terminates then the
    input-output claim holds.
  • Termination: if the initial condition holds, the
    program terminates.
  • Total correctness: if the initial condition
    holds, the program terminates and the
    input-output claim holds.

14
Subtle point
  • The program is partially correct with respect to
    x1≥0 /\ x2≥0
  • and totally correct with respect to
    x1≥0 /\ x2>0

(same flowchart as slide 12)
15
Annotating a scheme
  • Assign an assertion to each pair of nodes.
    The assertion expresses the relation between the
    variables when the program counter is located
    between these nodes.

Flowchart with assertion points: start → A → (y1,y2):=(0,x1) → B → [y2≥x2?] → T: C → (y1,y2):=(y1+1,y2-x2) → B; F: D → (z1,z2):=(y1,y2) → E → halt
16
Annotating a scheme with invariants
  • φ(A): x1≥0 /\ x2>0
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 ≤ z2 < x2
  • Notice: φ(A) is the initial condition, φ(E) is
    the input-output condition.
17
Verification conditions: assignment
  • φ(A) ⇒ φ(B)[Y\g(X,Y)]
  • φ(A): x1≥0 /\ x2>0
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(B)[Y\g(X,Y)] =
  •   x1 = 0*x2 + x1 /\ x1≥0

Edge A → Y:=g(X,Y) → B; here A → (y1,y2):=(0,x1) → B
18
Second assignment
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(B)[Y\g(X,Y)] = x1 = (y1+1)*x2 + y2-x2 /\ y2-x2≥0

Edge C → (y1,y2):=(y1+1,y2-x2) → B
19
Third assignment
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2
  • φ(E): x1 = z1*x2 + z2 /\ 0 ≤ z2 < x2
  • φ(E)[Z\g(X,Y)] = x1 = y1*x2 + y2 /\ 0 ≤ y2 < x2

Edge D → (z1,z2):=(y1,y2) → E
20
Verification conditions: tests
  • φ(B) /\ t(X,Y) ⇒ φ(C)
  • φ(B) /\ ¬t(X,Y) ⇒ φ(D)
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2

Test node B → [t(X,Y)] → T: C, F: D; here the test is y2≥x2
21
Exercise: prove partial correctness
  • Initial condition
  • x≥0
  • Input-output claim
  • z = x!

Flowchart: start → (y1,y2):=(0,1) → [y1 = x?] → T: z:=y2 → halt; F: (y1,y2):=(y1+1,(y1+1)*y2) → back to the test
22
Annotating a scheme
  • Assign an assertion to each pair of nodes.
    The assertion expresses the relation between the
    variables when the program counter is located
    between these nodes.

23
Annotating a scheme with invariants
  • φ(A): x1≥0 /\ x2>0
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 ≤ z2 < x2
  • Notice: φ(A) is the initial condition, φ(E) is
    the input-output condition.
24
Verification conditions: assignment
  • φ(A) ⇒ φ(B)[Y\g(X,Y)]
  • φ(A): x1≥0 /\ x2>0
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(B)[Y\g(X,Y)] =
  •   x1 = 0*x2 + x1 /\ x1≥0

Edge A → (y1,y2):=(0,x1) → B
25
Assignment condition
Edge A → y1:=2 → B, with precondition 2 = x1 at A and postcondition y1 = x1 at B.
26
Another way to understand the condition
  • Use two versions of the variables, before the
    assignment and after. E.g., y1 and y1', respectively.
  • postcondition: y1' = x1
  • assignment: y1' = 2
  • precondition: 2 = x1

Edge A → y1:=2 → B, with 2 = x1 at A and y1 = x1 at B
27
Assignment condition
Edge A → y1:=y1+5 → B, with precondition y1 = 5 at A and postcondition y1 = 10 at B.
28
Assignment condition
  • Postcondition: y1 = 10
  • Assignment: y1 := y1+5
  • Precondition: y1+5 = 10, i.e., y1 = 5

Edge A → y1:=y1+5 → B, with y1 = 5 at A and y1 = 10 at B
29
Verification conditions: assignment
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • Assignment: y1' = 0 /\ y2' = x1
  • φ(B)[Y\g(X,Y)] =
  •   x1 = 0*x2 + x1 /\ x1≥0
  • (or simply x1≥0)

φ(A): x1≥0 /\ x2>0
30
Second assignment
  • Precondition
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • Assignment
  • y1' = y1+1 /\ y2' = y2-x2
  • Postcondition
  • φ(B)[Y\g(X,Y)] = x1 = (y1+1)*x2 + y2-x2 /\ y2-x2≥0

31
Second assignment
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(B)[Y\g(X,Y)] = x1 = (y1+1)*x2 + y2-x2 /\ y2-x2≥0

Edge C → (y1,y2):=(y1+1,y2-x2) → B
32
Third assignment
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 ≤ z2 < x2
  • φ(E)[Z\g(X,Y)] = x1 = y1*x2 + y2 /\ 0 ≤ y2 < x2

Edge D → (z1,z2):=(y1,y2) → E
33
Verification conditions: tests
  • (φ(B) /\ t(X,Y)) ⇒ φ(C)
  • (φ(B) /\ ¬t(X,Y)) ⇒ φ(D)
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2

Test node B → [t(X,Y)] → true: C, false: D; here the test is y2≥x2
34
Exercise: prove partial correctness
  • Initial condition
  • x≥0
  • Input-output claim
  • z = x!

Flowchart: start → (y1,y2):=(0,1) → [y1 = x?] → true: z:=y2 → halt; false: (y1,y2):=(y1+1,(y1+1)*y2) → back to the test
35
What have we achieved?
  • For each statement S that appears between points
    X and Y we showed that if the control is in X
    when φ(X) holds and S is executed, then φ(Y)
    holds.
  • Initially, we know that φ(A) holds.
  • The above two conditions can be combined into an
    induction on the number of statements that were
    executed:
  • If after n steps we are at point X, then φ(X)
    holds.

36
Another example
  • φ(A): x≥0
  • φ(F): z² ≤ x < (z+1)²
  • z is the biggest number that is not greater
    than sqrt x.

Flowchart: start → A → (y1,y2,y3):=(0,0,1) → B → y2:=y2+y3 → C → [y2>x?] → false: D → (y1,y3):=(y1+1,y3+2) → B; true: E → z:=y1 → F → halt
37
Some insight
  • 1+3+5+...+(2n+1) = (n+1)²
  • y2 accumulates the above sum, until
    it is bigger than x.
  • y3 ranges over the odd numbers 1,3,5,...
  • y1 is n-1.

(same flowchart as slide 36)
38
Invariants
  • It is sufficient to have one invariant for every
    loop (cycle in the program's graph).
  • We will have
  • φ(C): y1² ≤ x /\
  • y2 = (y1+1)² /\
  • y3 = 2*y1+1

(same flowchart as slide 36)
39
Obtaining φ(B)
  • By backwards substitution in φ(C).
  • φ(C): y1² ≤ x /\
  • y2 = (y1+1)² /\
  • y3 = 2*y1+1
  • φ(B): y1² ≤ x /\
  • y2+y3 = (y1+1)² /\
  • y3 = 2*y1+1

(same flowchart as slide 36)
40
Check assignment condition
  • φ(A): x≥0
  • φ(B): y1² ≤ x /\
  • y2+y3 = (y1+1)² /\
  • y3 = 2*y1+1
  • φ(B) relativized is
  • 0² ≤ x /\
  • 0+1 = (0+1)² /\
  • 1 = 2*0+1
  • Simplified: x≥0

(same flowchart as slide 36)
41
Obtaining φ(D)
  • By backwards substitution in
    φ(B).
  • φ(B): y1² ≤ x /\
  • y2+y3 = (y1+1)² /\
  • y3 = 2*y1+1
  • φ(D): (y1+1)² ≤ x /\
  • y2+y3+2 = (y1+2)² /\
  • y3+2 = 2*(y1+1)+1

(same flowchart as slide 36)
42
Checking
  • φ(C): y1² ≤ x /\
  • y2 = (y1+1)² /\
  • y3 = 2*y1+1
  • (φ(C) /\ y2≤x) ⇒ φ(D)
  • φ(D): (y1+1)² ≤ x /\
  • y2+y3+2 = (y1+2)² /\
  • y3+2 = 2*(y1+1)+1

(same flowchart as slide 36)
43
y1² ≤ x /\ y2 = (y1+1)² /\ y3 = 2*y1+1 /\ y2≤x
⇒ (y1+1)² ≤ x /\ y2+y3+2 = (y1+2)² /\
y3+2 = 2*(y1+1)+1
  • y1² ≤ x /\
  • y2 = (y1+1)² /\
  • y3 = 2*y1+1 /\ y2≤x ⇒
  • (y1+1)² ≤ x /\
  • y2+y3+2 = (y1+2)² /\
  • y3+2 = 2*(y1+1)+1

44
Not finished!
  • Still need to
    calculate φ(E) by
    substituting backwards
    from φ(F).
  • Check that
    φ(C) /\ y2>x ⇒ φ(E)

(same flowchart as slide 36)
45
Proving termination
46
Well-founded sets
  • Partially ordered set (W,<):
  • If a<b and b<c then a<c (transitivity).
  • If a<b then not b<a (asymmetry).
  • Not a<a (irreflexivity).
  • Well-founded set (W,<):
  • Partially ordered.
  • No infinite decreasing chain a1>a2>a3>...

47
Examples of well-founded sets
  • Natural numbers with the bigger-than relation.
  • Finite sets with the set inclusion relation.
  • Strings with the substring relation.
  • Tuples with alphabetic (lexicographic) order:
  • (a1,b1)>(a2,b2) iff a1>a2 or (a1=a2 and b1>b2).
  • (a1,b1,c1)>(a2,b2,c2) iff a1>a2 or (a1=a2 and
    b1>b2) or (a1=a2 and b1=b2 and c1>c2).

48
Why does the program terminate?
  • y2 starts as x1.
  • Each time the loop is executed, y2 is
    decremented.
  • y2 is a natural number.
  • The loop cannot be entered again
    when y2<x2.

(edges of the flowchart of slide 15)
49
Proving termination
  • Choose a well-founded set (W,<).
  • Attach a function u(N) to each point N.
  • Annotate the flowchart with invariants, and prove
    their consistency conditions.
  • Prove that φ(N) ⇒ (u(N) ∈ W).

50
How not to stay in a loop?
  • Show that u(M) ≥ u(N).
  • At least once in each loop, show that u(M) > u(N).

Edge M → S → N
51
How not to stay in a loop?
  • For stmt:
  • φ(M) ⇒ (u(M) ≥ u(N)rel), where u(N)rel is u(N)
    with the assignment of stmt substituted
  • For test (true side):
  • (φ(M) /\ test) ⇒ (u(M) ≥ u(N))
  • For test (false side):
  • (φ(M) /\ ¬test) ⇒ (u(M) ≥ u(L))

Edges: M → stmt → N;  M → [test] → true: N, false: L
52
What did we achieve?
  • There are finitely many control points.
  • The value of the function u cannot increase.
  • If we return to the same control point, the value
    of u must decrease (it's a loop!).
  • The value of u can decrease only a finite number
    of times.

53
Why does the program terminate?
  • u(A) = x1
  • u(B) = y2
  • u(C) = y2
  • u(D) = y2
  • u(E) = z2
  • W = naturals
  • > = greater than

(edges of the flowchart of slide 15)
54
Recall partial correctness annotation
  • φ(A): x1≥0 /\ x2>0
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 ≤ z2 < x2
55
Strengthen for termination
  • φ(A): x1≥0 /\ x2>0
  • φ(B): x1 = y1*x2 + y2 /\ y2≥0 /\ x2>0
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2 /\ x2>0
  • φ(D): x1 = y1*x2 + y2 /\ y2≥0 /\ y2<x2 /\ x2>0
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 ≤ z2 < x2
  • This proves that u(M) is natural for each point
    M.
56
We shall show
  • u(A) = x1
  • u(B) = y2
  • u(C) = y2
  • u(D) = y2
  • u(E) = z2
  • u(A) ≥ u(B)
  • u(B) ≥ u(C)
  • u(C) > u(B)
  • u(B) ≥ u(D)
  • u(D) ≥ u(E)

(edges of the flowchart of slide 15)
57
Proving decrement
  • φ(C): x1 = y1*x2 + y2 /\ y2≥0 /\ y2≥x2 /\ x2>0
  • u(C) = y2
  • u(B) = y2
  • u(B)rel = y2-x2
  • φ(C) ⇒ y2 > y2-x2
  • (notice that φ(C) ⇒ x2>0)
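An added example (not from the slides) that checks, over a bounded domain, all of Floyd's conditions for the integer-division flowchart of slide 15: the invariant conditions of slides 17 to 20, φ(N) ⇒ u(N) ∈ W from slide 49, and the non-increase and strict-decrease conditions of slides 50 and 51 with the ranking function of slide 53. Running it with the weaker initial condition x1≥0 /\ x2≥0 of slide 14 reproduces the subtle point: every invariant condition still holds, but the loop edge C → B no longer decreases u when x2 = 0. The names `make_phi`, `first_violation` and the edge table are this example's own.

```python
from itertools import product

def make_phi(x2_positive=True):
    """Invariants phi(N) of slides 16 and 55. x2_positive=False uses the weaker
    initial condition x1 >= 0 /\\ x2 >= 0 of slide 14 instead of x2 > 0."""
    pos = (lambda s: s["x2"] > 0) if x2_positive else (lambda s: s["x2"] >= 0)
    b = lambda s: s["x1"] == s["y1"] * s["x2"] + s["y2"] and s["y2"] >= 0 and pos(s)
    return {
        "A": lambda s: s["x1"] >= 0 and pos(s),
        "B": b,
        "C": lambda s: b(s) and s["y2"] >= s["x2"],
        "D": lambda s: b(s) and s["y2"] < s["x2"],
        "E": lambda s: s["x1"] == s["z1"] * s["x2"] + s["z2"] and 0 <= s["z2"] < s["x2"],
    }

# Ranking function u(N) of slide 53; W is the naturals ordered by >.
U = {"A": lambda s: s["x1"], "B": lambda s: s["y2"], "C": lambda s: s["y2"],
     "D": lambda s: s["y2"], "E": lambda s: s["z2"]}

# Flowchart edges (M, N, guard, g, back_edge). Evaluating phi(N) on g(state) is
# phi(N)[Y \ g(X,Y)]; back_edge marks C -> B, where u must strictly decrease.
EDGES = [
    ("A", "B", lambda s: True, lambda s: {**s, "y1": 0, "y2": s["x1"]}, False),
    ("B", "C", lambda s: s["y2"] >= s["x2"], lambda s: s, False),
    ("B", "D", lambda s: s["y2"] < s["x2"], lambda s: s, False),
    ("C", "B", lambda s: True, lambda s: {**s, "y1": s["y1"] + 1, "y2": s["y2"] - s["x2"]}, True),
    ("D", "E", lambda s: True, lambda s: {**s, "z1": s["y1"], "z2": s["y2"]}, False),
]

def first_violation(phi, u=U, bound=4):
    """Check every verification condition for all variable values in [-1, bound].
    Returns None if all hold, else (which condition, M, N, counterexample state)."""
    names = ["x1", "x2", "y1", "y2", "z1", "z2"]
    for vals in product(range(-1, bound + 1), repeat=len(names)):
        s = dict(zip(names, vals))
        for m, n, guard, g, back_edge in EDGES:
            if not (phi[m](s) and guard(s)):
                continue                                   # premise phi(M) /\ test fails
            t = g(s)
            if not phi[n](t):                              # partial correctness, slides 17-20
                return ("invariant", m, n, s)
            if u[m](s) < 0 or u[n](t) < 0:                 # phi(N) => u(N) in W, slide 49
                return ("u not natural", m, n, s)
            if u[n](t) > u[m](s) or (back_edge and u[n](t) == u[m](s)):
                return ("u does not decrease", m, n, s)    # slides 50-51

    return None

if __name__ == "__main__":
    print(first_violation(make_phi(True)))    # None: every condition holds when x2 > 0
    print(first_violation(make_phi(False)))   # ('u does not decrease', 'C', 'B', state with x2 = 0)
```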
58
Integer square root prog.
  • φ(C): y1² ≤ x /\
  • y2 = (y1+1)² /\
  • y3 = 2*y1+1
  • φ(B): y1² ≤ x /\
  • y2+y3 = (y1+1)²
  • /\ y3 = 2*y1+1

(same flowchart as slide 36)
59
  • u(A) = x+1
  • u(B) = x-y2+1
  • u(C) = max(0, x-y2)
  • u(D) = x-y2+1
  • u(E) = u(F) = 0
  • u(A) ≥ u(B)
  • u(B) > u(C)
  • u(C) ≥ u(D)
  • u(D) ≥ u(B)
  • Need some invariants,
    i.e., y2≤x /\ y3>0
    at points B and D,
    and y3>0 at point C.