

  • Number of slides: 28

Agenda
• TA: Wenhua Wang, 10:00 – 11:30 am Mon & Wed, NH 239, wenhua.wang@mavs.uta.edu
• Quick Review
• Finish Logic Review
• Program Proof
Formal Methods in Software Engineering 1

Quick Review
• What are the syntactic objects we can use in first-order logic?

Deductive Verification
• Introduction
• Hoare's Logic
• An Example Proof
• Summary

Deductive Verification
Deductive verification is the formal verification of the correctness of a program using a proof system. Given a program P and an initial condition I, this approach proves that the expected final condition is a logical consequence of executing P from I.

Program Correctness
• Partial correctness: If the initial condition holds, and if the program terminates, then the input-output claim holds.
• Termination: If the initial condition holds, then the program terminates.
• Total correctness: If the initial condition holds, then the program terminates, and the input-output claim holds.

Benefits
• Establishes or enhances the correctness of a program
  - Finding errors in the code and correcting them
  - A better understanding of the verified algorithm
• Identifies invariants that can be used to check code consistency during the different development stages.
• A proof system can be used as a formalism to formally define the semantics of a language.

Limitations
• Can't be completely automated
  - often requires a great deal of domain expertise
• Highly time-consuming
  - only performed on key algorithms
• Errors may creep into the proof
  - who will verify the verifier?
• Has limited scalability
  - difficult to verify large programs

Deductive Verification
• Introduction
• Hoare Logic
• An Example Proof
• Summary

While Program
A while program consists of three types of statements:
  S ::= v := e | S ; S | if p then S else S fi | while p do S

Hoare Triple
A Hoare triple is written as {p} S {q}, where S is a program segment, and p and q are two first-order formulas. The meaning of {p} S {q} is as follows: if execution of S starts in a state satisfying p, and if S terminates, then a state satisfying q is reached.

Assignment Axiom
  {p[e/v]} v := e {p}
For example:
  {y+5=10} y := y+5 {y=10}
  {y+y<z} ...
  {2*(y+5)>20} y := 2*(y+5) {y>20}

Composition Rule
  {p} S1 {r},  {r} S2 {q}
  -----------------------
  {p} S1; S2 {q}
For example, if the antecedents are
  1. {x+1=y+2} x := x+1 {x=y+2}
  2. {x=y+2} y := y+2 {x=y}
then the consequent is
  {x+1=y+2} x := x+1; y := y+2 {x=y}
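The assignment axiom is textual substitution, and the composition rule lets that substitution be chained backwards through a sequence of assignments. The following Python (added here; it is not code from the lecture slides) implements p[e/v] with the standard ast module and recomputes the preconditions of the examples on the assignment-axiom and composition slides; the names subst, wp and holds are this example's own, and formulas are written as Python boolean expressions (Python 3.9+ for ast.unparse).

```python
import ast


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of the variable `v` with the expression `e`."""

    def __init__(self, v: str, e: ast.expr):
        self.v, self.e = v, e

    def visit_Name(self, node: ast.Name) -> ast.expr:
        return self.e if node.id == self.v else node


def subst(p: str, v: str, e: str) -> str:
    """Assignment axiom: the precondition of v := e with postcondition p is p[e/v].
    Example formula syntax: "x1 == y1 * x2 + y2 and y2 >= 0"."""
    post = ast.parse(p, mode="eval")
    expr = ast.parse(e, mode="eval").body
    pre = _Subst(v, expr).visit(post)
    return ast.unparse(pre)  # unparse re-inserts parentheses where precedence needs them


def wp(assignments, post: str) -> str:
    """Composition rule applied backwards over straight-line code.
    `assignments` is a list of (v, e) pairs in program order; the precondition of the
    whole sequence is obtained by substituting from the last assignment to the first."""
    pre = post
    for v, e in reversed(assignments):
        pre = subst(pre, v, e)
    return pre


def holds(formula: str, **state: int) -> bool:
    """Evaluate a formula in a concrete state (a quick sanity check of a triple)."""
    return bool(eval(formula, {"__builtins__": {}}, dict(state)))


if __name__ == "__main__":
    print(subst("y == 10", "y", "y + 5"))                   # y + 5 == 10
    print(subst("y > 20", "y", "2 * (y + 5)"))              # 2 * (y + 5) > 20
    # Composition example from the slide: {?} x := x + 1; y := y + 2 {x == y}
    print(wp([("x", "x + 1"), ("y", "y + 2")], "x == y"))    # x + 1 == y + 2
    # Initialisation of the division program against its loop invariant
    print(wp([("y1", "0"), ("y2", "x1")], "x1 == y1 * x2 + y2 and y2 >= 0"))
```

The last call reproduces the strengthening obligation of the later proof steps: the precondition {x1 >= 0 and x2 > 0} must imply the substituted formula, which is a pure arithmetic fact.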

If-Then-Else Rule
  {p ∧ c} S1 {q},  {p ∧ ¬c} S2 {q}
  ---------------------------------
  {p} if c then S1 else S2 fi {q}
If the antecedents are
  1: {(y1 > 0 ∧ y2 > 0 ∧ y1 != y2) ∧ (y1 > y2)} y1 := y1 - y2 {y1 > 0 ∧ y2 > 0}
  2: {(y1 > 0 ∧ y2 > 0 ∧ y1 != y2) ∧ ¬(y1 > y2)} y2 := y2 - y1 {y1 > 0 ∧ y2 > 0}
then the consequent is:
  {y1 > 0 ∧ y2 > 0 ∧ y1 != y2} if y1 > y2 then y1 := y1 - y2 else y2 := y2 - y1 {y1 > 0 ∧ y2 > 0}

While Rule (1)
The while rule uses an invariant, which needs to hold before and after each iteration.
  {p ∧ c} S {p}
  -------------------------------
  {p} while c do S end {p ∧ ¬c}

While Rule (2)
  {(y1 > 0 ∧ y2 > 0) ∧ y1 != y2} if y1 > y2 then y1 := y1 - y2 else y2 := y2 - y1 {y1 > 0 ∧ y2 > 0}
  ---------------------------------------------------------------------------------------------
  {y1 > 0 ∧ y2 > 0} while y1 != y2 do if y1 > y2 then y1 := y1 - y2 else y2 := y2 - y1 end {y1 > 0 ∧ y2 > 0 ∧ y1 == y2}

Strengthening Rule
This rule is used to strengthen a precondition:
  p → r,  {r} S {q}
  -----------------
  {p} S {q}
Note that this rule is often used together with the assignment axiom: to prove {p} v := e {q}, we show that p → q[e/v].

Weakening Rule
This rule is used to weaken a postcondition:
  {p} S {r},  r → q
  -----------------
  {p} S {q}

Deductive Verification
• Introduction
• Hoare Logic
• An Example Proof
• Summary

The Program
Below is a program that computes the integer division of x1 by x2. S1 is the initialisation, S2 the while loop and S3 the loop body.
  {x1 >= 0 ∧ x2 > 0}
  y1 := 0;                 (S1)
  y2 := x1;
  while y2 >= x2 do        (S2)
    y1 := y1 + 1;          (S3)
    y2 := y2 - x2;
  end
  {x1 = y1*x2 + y2 ∧ y2 >= 0 ∧ y2 < x2}

A Proof Tree
(Figure: the proof tree, whose nodes are the goals of the following slides: 1 Sequential Composition, 2 Sequential Composition, 3 Strengthening, 4 Assignment, 5 Strengthening, 6 Assignment, 7 While, 8 Sequential Composition, 9 Strengthening, 10 Assignment, 11 Assignment.)

Proof Steps (1)
• Goal 1. Sequential Composition
  {x1 >= 0 ∧ x2 > 0} S1 {x1 = y1*x2 + y2 ∧ y2 >= 0},  {x1 = y1*x2 + y2 ∧ y2 >= 0} S2 {x1 = y1*x2 + y2 ∧ y2 >= 0 ∧ y2 < x2}
  ----------------------------------------------------------------------------------------------------
  {x1 >= 0 ∧ x2 > 0} S1; S2 {x1 = y1*x2 + y2 ∧ y2 >= 0 ∧ y2 < x2}
• Goal 2. Sequential Composition
  {x1 >= 0 ∧ x2 > 0} y1 := 0 {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0},  {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0} y2 := x1 {x1 = y1*x2 + y2 ∧ y2 >= 0}
  ----------------------------------------------------------------------------------------------------
  {x1 >= 0 ∧ x2 > 0} S1 {x1 = y1*x2 + y2 ∧ y2 >= 0}

Proof Steps (2)
• Goal 3. Strengthening
  {x1 >= 0 ∧ x2 > 0} → {x1 >= 0 ∧ x2 > 0 ∧ 0 = 0},  {x1 >= 0 ∧ x2 > 0 ∧ 0 = 0} y1 := 0 {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0}
  ----------------------------------------------------------------------------------------------
  {x1 >= 0 ∧ x2 > 0} y1 := 0 {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0}
• Goal 4. Assignment
  {x1 >= 0 ∧ x2 > 0 ∧ 0 = 0} y1 := 0 {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0}

Proof Steps (3)
• Goal 5. Strengthening
  {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0} → {x1 = y1*x2 + x1 ∧ x1 >= 0},  {x1 = y1*x2 + x1 ∧ x1 >= 0} y2 := x1 {x1 = y1*x2 + y2 ∧ y2 >= 0}
  ----------------------------------------------------------------------------------------------
  {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0} y2 := x1 {x1 = y1*x2 + y2 ∧ y2 >= 0}
• Goal 6. Assignment
  {x1 = y1*x2 + x1 ∧ x1 >= 0} y2 := x1 {x1 = y1*x2 + y2 ∧ y2 >= 0}

Proof Steps (4)
• Goal 7. While
  {x1 = y1*x2 + y2 ∧ y2 >= 0 ∧ y2 >= x2} S3 {x1 = y1*x2 + y2 ∧ y2 >= 0}
  ----------------------------------------------------------------------------
  {x1 = y1*x2 + y2 ∧ y2 >= 0} S2 {x1 = y1*x2 + y2 ∧ y2 >= 0 ∧ y2 < x2}
• Goal 8. Sequential Composition
  {x1 = y1*x2 + y2 ∧ y2 >= x2} y1 := y1 + 1 {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0},  {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0} y2 := y2 - x2 {x1 = y1*x2 + y2 ∧ y2 >= 0}
  ----------------------------------------------------------------------------------------------------
  {x1 = y1*x2 + y2 ∧ y2 >= x2} S3 {x1 = y1*x2 + y2 ∧ y2 >= 0}

Proof Steps (5)
• Goal 9. Strengthening
  {x1 = y1*x2 + y2 ∧ y2 >= x2} → {x1 = (y1 + 1)*x2 + y2 - x2 ∧ y2 - x2 >= 0},  {x1 = (y1 + 1)*x2 + y2 - x2 ∧ y2 - x2 >= 0} y1 := y1 + 1 {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0}
  ----------------------------------------------------------------------------------------------------
  {x1 = y1*x2 + y2 ∧ y2 >= x2} y1 := y1 + 1 {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0}
• Goal 10. Assignment
  {x1 = (y1 + 1)*x2 + y2 - x2 ∧ y2 - x2 >= 0} y1 := y1 + 1 {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0}
• Goal 11. Assignment
  {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0} y2 := y2 - x2 {x1 = y1*x2 + y2 ∧ y2 >= 0}

Annotation
  {x1 >= 0 ∧ x2 > 0}
  y1 := 0;
  {x1 >= 0 ∧ x2 > 0 ∧ y1 = 0}
  y2 := x1;
  {x1 = y1*x2 + y2 ∧ y2 >= 0}
  while y2 >= x2 do
    {x1 = y1*x2 + y2 ∧ y2 >= x2}
    y1 := y1 + 1;
    {x1 = y1*x2 + y2 - x2 ∧ y2 - x2 >= 0}
    y2 := y2 - x2;
    {x1 = y1*x2 + y2 ∧ y2 >= 0}
  end
  {x1 = y1*x2 + y2 ∧ y2 >= 0 ∧ y2 < x2}
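Before building a proof tree like the one above, a practitioner usually sanity-checks the candidate loop invariant mechanically. The following Python (added here; it is not code from the slides) checks, over a bounded range of states, the three obligations that the while rule and the proof steps impose on the division program (S1 establishes the invariant, S3 preserves it under the guard, exit implies the postcondition) and shows that the candidate invariant without the y2 >= 0 conjunct is rejected; the function names and the search bound are this example's own.

```python
from itertools import product

BOUND = 12  # constructed search range: all states with |value| below it are checked


# Annotated integer-division program from the slides.
def pre(x1, x2):
    return x1 >= 0 and x2 > 0


def inv(x1, x2, y1, y2):
    """Loop invariant used in the proof: x1 = y1*x2 + y2 and y2 >= 0."""
    return x1 == y1 * x2 + y2 and y2 >= 0


def inv_weak(x1, x2, y1, y2):
    """Candidate invariant that drops the y2 >= 0 conjunct."""
    return x1 == y1 * x2 + y2


def guard(x2, y2):
    return y2 >= x2


def post(x1, x2, y1, y2):
    return x1 == y1 * x2 + y2 and y2 >= 0 and y2 < x2


def body(x2, y1, y2):
    """S3: y1 := y1 + 1; y2 := y2 - x2."""
    return y1 + 1, y2 - x2


def check_while_rule(invariant, bound=BOUND):
    """Return counterexamples to the three obligations of the while rule:
    ("init", ...)     pre, then S1, establishes the invariant;
    ("preserve", ...) invariant and guard, then S3, re-establishes the invariant;
    ("exit", ...)     invariant and not guard imply the postcondition.
    An empty list means every state below `bound` passed (partial correctness only)."""
    failures = []
    for x1, x2 in product(range(bound), range(1, bound)):
        y1, y2 = 0, x1  # S1
        if pre(x1, x2) and not invariant(x1, x2, y1, y2):
            failures.append(("init", x1, x2, y1, y2))
    ys = range(-bound, bound)
    for x1, x2, y1, y2 in product(range(bound), range(1, bound), ys, ys):
        if not invariant(x1, x2, y1, y2):
            continue
        if guard(x2, y2):
            if not invariant(x1, x2, *body(x2, y1, y2)):
                failures.append(("preserve", x1, x2, y1, y2))
        elif not post(x1, x2, y1, y2):
            failures.append(("exit", x1, x2, y1, y2))
    return failures
```

A clean run over a bounded range is evidence, not a proof; the proof tree on the preceding slides is what discharges the obligations for all states, and termination (y2 strictly decreases because x2 > 0) is a separate obligation that the while rule does not cover.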

Deductive Verification
• Introduction
• Hoare Logic
• An Example Proof
• Summary

Summary
• Deductive verification can establish and/or enhance the correctness of a program.
• The verification process is highly time-consuming, and can't be completely automated.
• The key to applying Hoare's logic is to find the right "loop invariants".
• The proof process is usually conducted using backward reasoning.