1
Software Specification, Verification and
Validation (CIS 775)
  • Elsa L Gunter
  • 4303 GITC
  • NJIT, http://www.cs.njit.edu/elsa/775-spring2004

2
Termination
  • Find a measure function m(x1,...,xn) over the variables
    in the state into some set with a well-founded
    order <.
  • For each guarded assignment B -> (x1,...,xn) := (e1,...,en)
    show m(x1,...,xn)[(x1,...,xn) \ (e1,...,en)] < m(x1,...,xn),
    i.e. whenever B holds, m(e1,...,en) < m(x1,...,xn).

3
Flowchart programs
  • Input variables X = (x1, x2, ..., xl)
  • Program variables Y = (y1, y2, ..., ym)
  • Output variables Z = (z1, z2, ..., zn)
  • Directed graph with labeled nodes (and edges)

4
Start and End
Figure: the start node and the halt node.
5
Assignments and tests
Figure: an assignment node Y := g(X,Y) with one outgoing edge, and a test node t(X,Y) with two outgoing edges labelled T and F.
6
Initial condition
  • Initial condition: the values of the input
    variables for which the program must work.
  • x1 >= 0 /\ x2 > 0
7
The input-output claim
  • The relation between the values of the input and
    the output variables at termination.
  • x1 = z1*x2 + z2 /\
  • 0 <= z2 /\ z2 < x2
Figure (the integer division program): start -> (y1,y2) := (0,x1) -> test y2 >= x2; T: (y1,y2) := (y1+1, y2-x2), back to the test; F: (z1,z2) := (y1,y2) -> halt.
8
Total versus Partial Correctness
  • The program is
  • partially correct with
  • respect to
  • x1 >= 0 /\ x2 >= 0
  • and totally correct
  • with respect to
  • x1 >= 0 /\ x2 > 0
Figure: the integer division program of slide 7.
9
Annotating a scheme
  • Assign an assertion to each edge. The
    assertion expresses the relation between the
    variables when the program counter is located
    between the nodes on the edge.
Figure: the integer division program with its edges labelled A (start -> initial assignment), B (initial assignment -> test, and the loop-back edge into the test), C (test, T branch -> loop assignment), D (test, F branch -> output assignment) and E (output assignment -> halt).
10
Annotating a scheme with invariants
  • φ(A): x1 >= 0 /\ x2 > 0
  • φ(B1): x1 = y2 /\ y2 >= 0 /\ y1 = 0
  • φ(B2): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 <= z2 < x2
Figure: the annotated program of slide 9, with the edge into the test split into B1 (from the initial assignment) and B2 (the loop-back edge).
Notice φ(A) is the initial condition, φ(E) is
the input-output condition.
11
Annotating a scheme with invariants
  • φ(A): x1 >= 0 /\ x2 > 0
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 <= z2 < x2
Figure: the annotated program with a single assertion φ(B) on both edges into the test (test exits labelled true and false).
12
Verification conditions: assignment
  • φ(A) -> φ(B1)[Y \ g(X,Y)]   (φ(B1) with g(X,Y) substituted for Y)
  • φ(A): x1 >= 0 /\ x2 > 0
  • φ(B1): x1 = y2 /\ y2 >= 0 /\ y1 = 0
  • φ(B1)[Y \ g(X,Y)]
  • = x1 = x1 /\ x1 >= 0 /\ 0 = 0
  • Need
  • x1 >= 0 /\ x2 > 0 -> x1 = x1 /\ x1 >= 0 /\ 0 = 0
Figure: a generic assignment node Y := g(X,Y) between edges A and B, beside the concrete assignment (y1,y2) := (0,x1) between edges A and B1.
13
Second assignment
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(B)[Y \ g(X,Y)] = x1 = (y1+1)*x2 + y2 - x2 /\ y2 - x2 >= 0
Figure: the assignment (y1,y2) := (y1+1, y2-x2) from edge C to edge B.
14
Third assignment
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
  • φ(E): x1 = z1*x2 + z2 /\ 0 <= z2 < x2
  • φ(E)[Z \ g(X,Y)] = x1 = y1*x2 + y2 /\ 0 <= y2 < x2
Figure: the assignment (z1,z2) := (y1,y2) from edge D to edge E.
15
Verification conditions: tests
  • φ(B) /\ t(X,Y) -> φ(C)
  • φ(B) /\ ¬t(X,Y) -> φ(D)
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
Figure: a generic test node t(X,Y) entered on edge B with exits T (to C) and F (to D), beside the concrete test y2 >= x2.
16
Exercise: prove partial correctness
  • Initial condition
  • x >= 0
  • Input-output claim
  • z = x!
Figure (the factorial program): start -> (y1,y2) := (0,1) -> test y1 = x; T: z := y2 -> halt; F: (y1,y2) := (y1+1, (y1+1)*y2), back to the test.
18
Verification conditions: assignment
  • φ(A) -> φ(B)[Y \ g(X,Y)]
  • φ(A): x1 >= 0 /\ x2 > 0
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(B)[Y \ g(X,Y)]
  • = x1 = 0*x2 + x1 /\ x1 >= 0
Figure: the assignment (y1,y2) := (0,x1) from edge A to edge B.
19
Assignment condition
Figure: the assignment y1 := 2 from edge A to edge B, with the assertion 2 = x1 before it and y1 = x1 after it.
20
Another way to understand the condition
  • Use two versions of each variable, before the assignment
    and after, e.g. y1 and y1', respectively.
  • postcondition: y1' = x1
  • assignment: y1' = 2
  • precondition: 2 = x1
Figure: the assignment y1 := 2 of slide 19, with 2 = x1 before it and y1 = x1 after it.
21
Assignment condition
Figure: the assignment y1 := y1 + 5 from edge A to edge B, with the assertion y1 = 5 before it and y1 = 10 after it.
22
Assignment condition
  • Postcondition: y1' = 10
  • Assignment: y1' = y1 + 5
  • Precondition: y1 + 5 = 10, i.e., y1 = 5
Figure: the assignment y1 := y1 + 5 of slide 21, with y1 = 5 before it and y1 = 10 after it.
23
Verification conditions: assignment
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • Assignment: y1' = 0 /\ y2' = x1
  • φ(B)[Y \ g(X,Y)]
  • = x1 = 0*x2 + x1 /\ x1 >= 0
  • (or simply x1 >= 0)
  • φ(A): x1 >= 0 /\ x2 > 0
24
Second assignment
  • Precondition
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • Assignment
  • y1' = y1 + 1 /\ y2' = y2 - x2
  • Postcondition
  • φ(B)[Y \ g(X,Y)] = x1 = (y1+1)*x2 + y2 - x2 /\ y2 - x2 >= 0
25
Second assignment
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(B)[Y \ g(X,Y)] = x1 = (y1+1)*x2 + y2 - x2 /\ y2 - x2 >= 0
Figure: the assignment (y1,y2) := (y1+1, y2-x2) from edge C to edge B.
26
Third assignment
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 <= z2 < x2
  • φ(E)[Z \ g(X,Y)] = x1 = y1*x2 + y2 /\ 0 <= y2 < x2
Figure: the assignment (z1,z2) := (y1,y2) from edge D to edge E.
27
Verification conditions: tests
  • (φ(B) /\ t(X,Y)) -> φ(C)
  • (φ(B) /\ ¬t(X,Y)) -> φ(D)
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
Figure: a generic test node t(X,Y) entered on edge B with exits true (to C) and false (to D), beside the concrete test y2 >= x2.
28
Exercise: prove partial correctness
  • Initial condition
  • x >= 0
  • Input-output claim
  • z = x!
Figure (the factorial program): start -> (y1,y2) := (0,1) -> test y1 = x; true: z := y2 -> halt; false: (y1,y2) := (y1+1, (y1+1)*y2), back to the test.
29
What have we achieved?
  • For each statement S that appears between points
    X and Y we showed that if control is at X
    when φ(X) holds and S is executed, then φ(Y)
    holds.
  • Initially, we know that φ(A) holds.
  • The above two conditions can be combined into an
    induction on the number of statements that were
    executed:
  • If after n steps we are at point X, then φ(X)
    holds.
30
Another example
  • φ(A): x >= 0
  • φ(F): z^2 <= x < (z+1)^2
  • z is the biggest number
  • that is not greater
  • than sqrt x.
Figure (the integer square root program): start -> A -> (y1,y2,y3) := (0,0,1) -> B -> y2 := y2 + y3 -> C -> test y2 > x; false: D -> (y1,y3) := (y1+1, y3+2), back to B; true: E -> z := y1 -> F -> halt.
31
Some insight
  • 1 + 3 + 5 + ... + (2n+1) = (n+1)^2
  • y2 accumulates the
  • above sum, until
  • it is bigger than x.
  • y3 ranges over the odd
  • numbers 1, 3, 5, ...
  • y1 is n-1.
Figure: the integer square root program of slide 30.
32
Invariants
  • It is sufficient to have one
  • invariant for every loop
  • (cycle in the program's
  • graph).
  • We will have
  • φ(C): y1^2 <= x /\
  • y2 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
Figure: the integer square root program of slide 30.
33
Obtaining φ(B)
  • By backwards substitution in φ(C).
  • φ(C): y1^2 <= x /\
  • y2 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
  • φ(B): y1^2 <= x /\
  • y2 + y3 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
Figure: the integer square root program of slide 30.
34
Check assignment condition
  • φ(A): x >= 0
  • φ(B): y1^2 <= x /\
  • y2 + y3 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
  • φ(B) relativized (through (y1,y2,y3) := (0,0,1)) is
  • 0^2 <= x /\
  • 0 + 1 = (0+1)^2 /\
  • 1 = 2*0 + 1
  • Simplified: x >= 0
Figure: the integer square root program of slide 30.
35
Obtaining φ(D)
  • By backwards substitution in
  • φ(B).
  • φ(B): y1^2 <= x /\
  • y2 + y3 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
  • φ(D): (y1+1)^2 <= x /\
  • y2 + y3 + 2 = (y1+2)^2 /\
  • y3 + 2 = 2*(y1+1) + 1
Figure: the integer square root program of slide 30.
36
Checking
  • φ(C): y1^2 <= x /\
  • y2 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
  • (φ(C) /\ y2 <= x) -> φ(D)
  • φ(D): (y1+1)^2 <= x /\
  • y2 + y3 + 2 = (y1+2)^2 /\
  • y3 + 2 = 2*(y1+1) + 1
Figure: the integer square root program of slide 30.
37
y1^2 <= x /\ y2 = (y1+1)^2 /\ y3 = 2*y1 + 1 /\ y2 <= x
-> (y1+1)^2 <= x /\ y2 + y3 + 2 = (y1+2)^2 /\
y3 + 2 = 2*(y1+1) + 1
  • y1^2 <= x /\
  • y2 = (y1+1)^2 /\
  • y3 = 2*y1 + 1 /\ y2 <= x ->
  • (y1+1)^2 <= x /\
  • y2 + y3 + 2 = (y1+2)^2 /\
  • y3 + 2 = 2*(y1+1) + 1
38
Not finished!
  • Still needs to:
  • Calculate φ(E) by
  • substituting backwards
  • from φ(F).
  • Check that
  • φ(C) /\ y2 > x -> φ(E)
Figure: the integer square root program of slide 30.
39
Proving termination
40
Well-founded sets
  • Partially ordered set (W, <):
  • If a < b and b < c then a < c (transitivity).
  • If a < b then not b < a (asymmetry).
  • Not a < a (irreflexivity).
  • Well-founded set (W, <):
  • Partially ordered.
  • No infinite decreasing chain a1 > a2 > a3 > ...

41
Examples of well-founded sets
  • Natural numbers with the greater-than relation.
  • Finite sets with the set inclusion relation.
  • Strings with the substring relation.
  • Tuples with alphabetic (lexicographic) order:
  • (a1,b1) > (a2,b2) iff a1 > a2, or a1 = a2 and b1 > b2.
  • (a1,b1,c1) > (a2,b2,c2) iff a1 > a2, or a1 = a2 and
    b1 > b2, or a1 = a2 and b1 = b2 and c1 > c2.

42
Why does the program terminate?
  • y2 starts as x1.
  • Each time the loop is executed, y2 is
    decremented.
  • y2 is a natural number.
  • The loop cannot be entered again
    when y2 < x2.
Figure: the loop of the integer division program: test y2 >= x2; true: (y1,y2) := (y1+1, y2-x2), back to the test; false: D -> (z1,z2) := (y1,y2) -> E -> halt.
43
Proving termination
  • Choose a well-founded set (W, <).
  • Attach a function u(N) to each point N.
  • Annotate the flowchart with invariants, and prove
    their consistency conditions.
  • Prove that φ(N) -> (u(N) in W).

44
How not to stay in a loop?
  • Show that u(M) >= u(N).
  • At least once in each loop, show that u(M) > u(N).
Figure: a statement S on the edge from point M to point N.
45
How not to stay in a loop?
  • For a statement stmt from M to N
  • φ(M) -> (u(M) >= u(N)[rel])   (u(N) relativized through stmt)
  • For a test (true side, M to N)
  • (φ(M) /\ test) -> (u(M) >= u(N))
  • For a test (false side, M to L)
  • (φ(M) /\ ¬test) -> (u(M) >= u(L))
Figure: a statement node stmt between points M and N; a test node between point M and points N (true exit) and L (false exit).
46
What did we achieve?
  • There are finitely many control points.
  • The value of the function u cannot increase.
  • If we return to the same control point, the value
    of u must decrease (it's a loop!).
  • The value of u can decrease only a finite number
    of times.

47
Why does the program terminate?
  • u(A) = x1
  • u(B) = y2
  • u(C) = y2
  • u(D) = y2
  • u(E) = z2
  • W = the naturals
  • > = greater than
Figure: the loop of the integer division program, as on slide 42.
48
Recall partial correctness annotation
  • φ(A): x1 >= 0 /\ x2 > 0
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 <= z2 < x2
Figure: the annotated integer division program (test exits labelled true and false).
49
Strengthen for termination
  • φ(A): x1 >= 0 /\ x2 > 0
  • φ(B): x1 = y1*x2 + y2 /\ y2 >= 0 /\ x2 > 0
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2 /\ x2 > 0
  • φ(D): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 < x2 /\ x2 > 0
  • φ(E): x1 = z1*x2 + z2 /\
  • 0 <= z2 < x2
  • This proves that u(M) is a natural number for each point
    M.
Figure: the annotated integer division program (test exits labelled true and false).
50
We shall show
  • u(A) = x1
  • u(B) = y2
  • u(C) = y2
  • u(D) = y2
  • u(E) = z2
  • u(A) >= u(B)
  • u(B) >= u(C)
  • u(C) > u(B)
  • u(B) >= u(D)
  • u(D) >= u(E)
Figure: the loop of the integer division program, as on slide 42.
51
Proving decrement
  • φ(C): x1 = y1*x2 + y2 /\ y2 >= 0 /\ y2 >= x2 /\ x2 > 0
  • u(C) = y2
  • u(B) = y2
  • u(B)[rel] = y2 - x2
  • φ(C) -> y2 > y2 - x2
  • (notice that φ(C) -> x2 > 0)
Figure: the annotated integer division program (test exits labelled true and false).
52
Integer square root program
  • φ(C): y1^2 <= x /\
  • y2 = (y1+1)^2 /\
  • y3 = 2*y1 + 1
  • φ(B): y1^2 <= x /\
  • y2 + y3 = (y1+1)^2
  • /\ y3 = 2*y1 + 1
Figure: the integer square root program of slide 30.
53
  • u(A) = x + 1
  • u(B) = x - y2 + 1
  • u(C) = max(0, x - y2)
  • u(D) = x - y2 + 1
  • u(E) = u(F) = 0
  • u(A) >= u(B)
  • u(B) > u(C)
  • u(C) >= u(D)
  • u(D) >= u(B)
  • Need some invariants,
  • i.e., y2 <= x /\ y3 > 0
  • at points B and D,
  • and y3 > 0 at point C.
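The termination conditions of slides 43 to 51 (for the integer division program) and of slides 52 to 53 (for the integer square root program), checked mechanically, as one added example that is not from the lecture. Each edge M -> N is given with the invariant at M, u(M), u(N) composed with the edge's assignment, and whether the edge must decrease strictly; the checker confirms, on a bounded domain, that the invariant implies u(N) is a natural number and u(M) >= u(N) (> on the strict edges). For the square root program it uses the invariants the last slide asks for (y2 <= x /\ y3 > 0 at B and D, y3 > 0 at C). With u(C) = max(0, x - y2) and u(D) = x - y2 + 1 as on that slide, the false branch of the test goes from x - y2 to x - y2 + 1, an increase, which the checker reports; with plus_one=True the example uses u(C) = max(0, x - y2 + 1) instead, which is an assumption of this example. All function names and domain bounds are the example's own.

```python
# Added example, not from the lecture: termination of both flowchart programs
# via a measure u(N) into the well-founded set (naturals, >), checked on a
# bounded domain. An edge M -> N is (name, invariant at M, u(M), u(N) composed
# with the edge's assignment, strict) and must satisfy
#   invariant -> u(N) is a natural   and   invariant -> u(M) >= u(N),
# with > on edges marked strict (at least one on every cycle).
from itertools import product

def check_measure(edges, states):
    """Names of edges whose condition fails on some state (bounded check)."""
    bad = []
    for name, inv, u_from, u_to, strict in edges:
        for s in states:
            if not inv(s):
                continue
            a, b = u_from(s), u_to(s)
            if b < 0 or a < b or (strict and a == b):
                bad.append(name)
                break
    return bad

def grid(**ranges):
    """All states with each named variable ranging over the given range."""
    names = list(ranges)
    return [dict(zip(names, vals)) for vals in product(*ranges.values())]

# --- integer division: u(A) = x1, u(B) = u(C) = u(D) = y2, u(E) = z2 --------
def division_edges():
    init = lambda s: {**s, "y1": 0, "y2": s["x1"]}
    step = lambda s: {**s, "y1": s["y1"] + 1, "y2": s["y2"] - s["x2"]}
    out = lambda s: {**s, "z1": s["y1"], "z2": s["y2"]}
    jA = lambda s: s["x1"] >= 0 and s["x2"] > 0
    jB = lambda s: (s["x1"] == s["y1"] * s["x2"] + s["y2"]
                    and s["y2"] >= 0 and s["x2"] > 0)      # strengthened with x2 > 0
    jC = lambda s: jB(s) and s["y2"] >= s["x2"]
    jD = lambda s: jB(s) and s["y2"] < s["x2"]
    y2 = lambda s: s["y2"]
    return [
        ("A->B", jA, lambda s: s["x1"], lambda s: y2(init(s)), False),
        ("B->C", jC, y2, y2, False),                    # test edge: state unchanged
        ("C->B", jC, y2, lambda s: y2(step(s)), True),  # the strict decrement
        ("B->D", jD, y2, y2, False),
        ("D->E", jD, y2, lambda s: out(s)["z2"], False),
    ]

DIVISION_STATES = grid(x1=range(-6, 7), x2=range(-6, 7), y1=range(-6, 7), y2=range(-6, 7))

def division_trace(x1, x2):
    """u(B) = y2 each time control reaches B; strictly decreasing, so the loop
    body runs at most x1 times. Requires the total-correctness condition x2 > 0."""
    assert x1 >= 0 and x2 > 0
    y1, y2, seen = 0, x1, []
    while True:
        seen.append(y2)
        if not y2 >= x2:
            return seen
        y1, y2 = y1 + 1, y2 - x2

# --- integer square root: the measures of the last slide --------------------
def sqrt_edges(plus_one=True):
    """plus_one=False uses the slide's u(C) = max(0, x - y2); True uses
    max(0, x - y2 + 1), an assumption of this example that keeps C->D non-increasing."""
    init = lambda s: {**s, "y1": 0, "y2": 0, "y3": 1}
    accum = lambda s: {**s, "y2": s["y2"] + s["y3"]}
    adv = lambda s: {**s, "y1": s["y1"] + 1, "y3": s["y3"] + 2}
    jA = lambda s: s["x"] >= 0
    jB = lambda s: s["y2"] <= s["x"] and s["y3"] > 0   # the invariants the slide asks for at B and D
    jC = lambda s: s["y3"] > 0
    uA = lambda s: s["x"] + 1
    uB = lambda s: s["x"] - s["y2"] + 1                 # also u(D)
    uC = lambda s: max(0, s["x"] - s["y2"] + (1 if plus_one else 0))
    uF = lambda s: 0                                    # u(E) = u(F) = 0
    return [
        ("A->B", jA, uA, lambda s: uB(init(s)), False),
        ("B->C", jB, uB, lambda s: uC(accum(s)), True),  # y2 grows by y3 > 0
        ("C->D", lambda s: jC(s) and s["y2"] <= s["x"], uC, uB, False),
        ("D->B", jB, uB, lambda s: uB(adv(s)), False),
        ("C->E", lambda s: jC(s) and s["y2"] > s["x"], uC, uF, False),
    ]

SQRT_STATES = grid(x=range(0, 10), y1=range(-2, 5), y2=range(-3, 14), y3=range(-2, 9))

if __name__ == "__main__":
    print("division, failing edges:", check_measure(division_edges(), DIVISION_STATES))
    print("division, u(B) along 17 / 5:", division_trace(17, 5))
    print("sqrt (u(C) as on the slide):", check_measure(sqrt_edges(plus_one=False), SQRT_STATES))
    print("sqrt (u(C) with +1):", check_measure(sqrt_edges(), SQRT_STATES))
```

The strict edge is the one that changes the variable the measure depends on: C->B for division (y2 loses x2 > 0) and B->C for the square root (y2 gains y3 > 0). Every other edge only has to be non-increasing, and the invariants are what make u(N) a natural number, exactly the role slides 43 and 49 give them.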