Title: Functional Verification IV: Revisiting Loop Invariants
1 Functional Verification IV: Revisiting Loop Invariants
Software Testing and Verification Lecture Notes
24
- Prepared by
- Stephen M. Thebaut, Ph.D.
- University of Florida
2 Last Time
- Iteration Recursion Lemma (IRL)
- Termination predicate term(f,P)
- Correctness conditions for while_do statement
- Sufficient correctness conditions
- Correctness conditions for repeat_until statement
- Subgoal Induction
3 Today's Topics
- Thinking about invariants again
- Invariant Status Theorem (IST)
- While Loop Initialization
- Utility of IST
5 Thinking about invariants again
- In Lecture Notes 18 we considered heuristics for synthesizing Q-adequate loop invariants.
- In Lecture Notes 23, it was observed that a loop computing a function maintains an important property of state across iterations: the function value of the current state, X, is the same as the function value of the initial state, X0. That is, f(X) = f(X0).
- We now expand on this observation and show that this property represents the weakest f-adequate loop invariant over D(f)!
- ("Weakest" is to be defined shortly...)
6 Hypothesize I (flashback to LN 18...)
- [Flowchart from Lecture Notes 18: hypothesize an invariant I, then check Initialization?, Preservation? and Finalization? in turn; when a check fails, strengthen, weaken or refine I and check again; when all three hold, finish.]
9 Flashback to LN 23...
- As f = while p do g = if p then g;f end_if, it follows that
- f(X0) = f(X1) = ... = f(Xn) = Xn
- More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is,
- f(X) = f(X0)
- We will revisit this observation in connection with Mills' Invariant Status Theorem shortly.
12 Thinking about invariants again
- Consider the following assertion, where z0 and y0 represent the initial values of z and y, respectively:
- { true }
- while z <> 0 do
-   y := y + 1
-   z := z - 1
- end_while
- { z = 0 ∧ y = y0 + z0 }
- Can you identify a Q-adequate invariant, I, that could be used to prove this...?
- Consider I: y = y0 + (z0 - z). This can be rewritten as y + z = y0 + z0.
16 Thinking about invariants again
- Now, independent of the given pre- and post-conditions, what function, f, is computed by the loop?
- (z ≥ 0 → y,z := y+z, 0)
19 Thinking about invariants again
- So, for f = (z ≥ 0 → y,z := y+z, 0), what is the relationship between f and the specified post-condition?
- z = fz(X0) = 0 ∧ y = fy(X0) = y0 + z0
- (This can be written more simply as just X = f(X0), where X is shorthand for <y,z>.)
22 Thinking about invariants again
- But note that a specified post-condition is not an innate property of a program, as is the program's actual function! It just so happens that, where f is defined, Q ≡ ( X = f(X0) ) in this particular case...
23 Thinking about invariants again
- Getting back now to our Q-adequate invariant, I, where f = (z ≥ 0 → y,z := y+z, 0)...
- Recall that the IRL implies that after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is, f(X) = f(X0).
25 Thinking about invariants again
- Thus, f(X) = f(X0) captures a constant relationship between the values of variables on entry to a loop (denoted by X0) and their values after every iteration of a loop (denoted by X) computing f.
- What, then, is this relationship for the function (z ≥ 0 → y,z := y+z, 0)?
27 Thinking about invariants again
- Where f is defined, fy(X) = y + z and fy(X0) = y0 + z0.
- Similarly, fz(X) = 0 and fz(X0) = 0.
- Setting f(X) equal to f(X0) for each variable gives
- 0 = 0 ∧ y + z = y0 + z0, which is exactly I
- That is, for z ≥ 0 (where f is defined).
31 Thinking about invariants again
- Thus, setting f(X) equal to f(X0) results in a Q-adequate loop invariant that could (by definition) be used with the while loop ROI to prove the given assertion!
- Are you not awestruck?
- But remember: the specified post-condition conveniently corresponds to the program's actual function in this case.
34 Today's Topics
- Thinking about invariants again
- Invariant Status Theorem (IST)
- While Loop Initialization
- Utility of IST
35 Invariant Status Theorem (IST)
- Theorem.
- Let f = while p do g. If X0 ∈ D(f), X ∈ D(f), and q(X) ≡ ( f(X) = f(X0) ), then q is an invariant of while p do g, i.e., it has the following properties:
- (1) q(X0) is true, and
- (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X).
- In addition, q(X) is an f-adequate invariant, i.e.,
- (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) )
- (The right-hand side of (3) represents the final state values as a function, f, of the initial state values.)
42 Invariant Status Theorem (cont'd)
- Proof.
- (1) q(X0) is true:
- q(X) ≡ ( f(X) = f(X0) ), so
- q(X0) ≡ ( f(X0) = f(X0) )
- ≡ true
- as desired.
- (Note that based on the definition of q(X), this property is a tautology.)
45 Invariant Status Theorem (cont'd)
- Proof. (cont'd)
- (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X):
- For X ∈ D(f) we know
- p(X) ⇒ ( f(X) = f∘g(X) )
- by the Iteration Recursion Lemma. Since
- q(X) ≡ ( f(X) = f(X0) )
- by definition, it follows that
- ( q(X) ∧ p(X) ) ⇒ ( f∘g(X) = f(X0) ).
- But the right-hand side of
- ( q(X) ∧ p(X) ) ⇒ ( f∘g(X) = f(X0) )
- is just
- ( f(g(X)) = f(X0) ) ≡ q(g(X)) ≡ q∘g(X)
- Therefore,
- ( q(X) ∧ p(X) ) ⇒ q∘g(X)
- as desired.
51 Invariant Status Theorem (cont'd)
- Proof. (cont'd)
- (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) ):
- If ¬p(X), then f(X) = I (the identity function) by definition of the while construct. This can be rewritten as f(X) = X.
- And since q(X) ≡ ( f(X) = f(X0) ), it follows that
- ( ¬p(X) ∧ q(X) ) ⇒ ( X = f(X0) )
- as desired.
55 An important corollary...
- IST Corollary.
- Let f = while p do g. If X0 ∈ D(f), X ∈ D(f), and q(X) ≡ ( f(X) = f(X0) ), then q is an f-adequate invariant of ANY program of the form while p do g for which properties (2) and (3) of the IST hold:
- (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X)
- (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) )
- Thus, verifying these properties for a given while_do statement, K, and intended function, f, for which term(f,K) has already been shown, constitutes a proof that f = K.
56 Example 1
- Consider the following assertion, where a0 and b0 represent the initial values of a and b, respectively:
- { true }
- while a <> 0 do
-   b := b * a
-   a := a - 1
- end_while
- { a = 0 ∧ b = b0 · a0! }
- What function, f, is computed by the while loop?
- (a ≥ 0 → a,b := 0, b · a!)
59 Example 1 (cont'd)
- For f = (a ≥ 0 → a,b := 0, b · a!), an invariant q(X) ≡ ( f(X) = f(X0) ) can be derived by tabulating f(X) and f(X0) for each member of the data space, X:
- X | f(X) | f(X0)
- a | 0 | 0
- b | b · a! | b0 · a0!
- and equating components of f(X) and f(X0):
- 0 = 0
- b · a! = b0 · a0!
64 Example 1 (cont'd)
- We can rewrite the second equation as
- b = b0 · (a0! / a!)
- and use it as an invariant to prove the given assertion using the while loop Rule of Inference.
- When combined with a ≥ 0 (specifying the domain of f) we get
- q ≡ ( b = b0 · (a0! / a!) ∧ a ≥ 0 )
66 Another interesting property of q(X)
- In the context of functional verification, loop invariants are generally a function of the current values of program variables (denoted by X) AND their values on entry to the loop (denoted by X0).
- Many f-adequate invariants may exist for a given loop, so what criteria might be used to determine which is the best to use?
- In general, we want f-adequate invariants to be as weak as possible. The weaker an invariant is (while still being f-adequate), the easier it will be to use.
69 Another interesting property of q(X) (cont'd)
- Claim: q(X) ≡ ( f(X) = f(X0) ) is the weakest f-adequate loop invariant over D(f), in the sense that it is implied by all others.
- Proof: Let I(X) be any f-adequate loop invariant for (while p do g) over D(f), and let X0, X1, ..., Xn be the states associated with the loop in D(f). Since Xn = f(X) for each such X, and I is preserved from X to Xn by the remaining iterations, we know I(f(X)) and ¬p(f(X)). And since I(X) is f-adequate ( I(X) ∧ ¬p(X) ⇒ X = f(X0) ), it follows that ( I(f(X)) ∧ ¬p(f(X)) ⇒ f(X) = f(X0) ). Therefore, for all X in D(f), I(X) ⇒ q(X), as claimed.
- (See Part 3, "The Loop Invariant f(X0) = f(X)", of the Dunlop/Basili paper.)
72 Another interesting property of q(X) (cont'd)
- To expand on the unique nature of q(X), note that the set of states satisfying f(X) = f(X0) includes ALL intermediate states that could possibly be generated by ANY while loop that computes f!
- Thus, q(X) is strong (i.e., specific) enough to describe the net effect of the loop on the input set D(f), but sufficiently weak (i.e., general) that it may offer no hint about the method used to achieve the effect.
74 Another interesting property of q(X) (cont'd)
- Recall the program
- while z <> 0 do
-   y := y + 1
-   z := z - 1
- end_while
- The function computed is f = (z ≥ 0 → y,z := y+z, 0) and, from the IST, the weakest f-adequate invariant over D(f) is q(X) ≡ ( y + z = y0 + z0 ∧ z ≥ 0 ).
- Consider the sample <y0,z0> input <2,4>. The loop then produces the series of states <2,4>, <3,3>, <4,2>, <5,1>, <6,0>. q(X), of course, agrees with these states, but it also agrees with <-3,9>! This implies that some loop that computes f could produce the intermediate state <-3,9> while mapping <2,4> to <6,0>. We further conclude that no loop that computes f could produce <4,4> as an intermediate state from the input <2,4>.
80 Another interesting property of q(X) (cont'd)
- Consider a more concrete (wood, aluminum, etc.) illustration of q's properties...
- Let f represent a general mapping from an initial building construction state (e.g., a vacant lot) to a final construction state (a finished building).
- Let P be a specific, step-by-step, iterative construction process that produces a finished building in accordance with f.
83 Another interesting property of q(X) (cont'd)
- In particular, suppose that from an initial building state, Svac, P produces the series of (successor) states
- Svac → SX → SK → ST → SY → Sfin
- where Sfin represents a finished building.
85 Another interesting property of q(X) (cont'd)
- Now, let q(S) ≡ ( f(S) = f(S0) ), where S0 is the initial building state, S is the current building state, and S, S0 are in D(f).
- It follows, then, that q agrees with the series of states produced by P. That is:
- q(Svac), q(SX), q(SK), q(ST), q(SY), q(Sfin)
- But suppose q also holds for another state in D(f), SZ...
88 Another interesting property of q(X) (cont'd)
- This would imply that some other iterative construction process, P′, that also results in a finished building in accordance with f, could produce SZ in the process of producing Sfin starting from Svac!
- Finally, suppose that q does NOT hold for some state SE...
90 Another interesting property of q(X) (cont'd)
- This would imply that no iterative construction process that results in a finished building in accordance with f could produce SE from the initial state Svac!
91 Today's Topics
- Thinking about invariants again
- Invariant Status Theorem (IST)
- While Loop Initialization
- Utility of IST
92 While Loop Initialization
- In many situations, a loop invariant may hold by virtue of its initialization. In particular, given
- f = while p do g, X0 ∈ D(f)
- a limited f-adequate invariant of the initialized while loop
- h; while p do g
- is
- qh(X) ≡ ( f(X) = f∘h(X0) )
93 While Loop Initialization (cont'd)
- Such an invariant has the following properties:
- (1) qh∘h(X0) is true, and
- (2) ( qh(X) ∧ p(X) ) ⇒ qh∘g(X), and
- (3) ( qh(X) ∧ ¬p(X) ) ⇒ ( X = f∘h(X0) )
94 Example 2
- Consider the assertion
- { n ≥ 0 }
- p := 1
- k := 0
- while k <> n do
-   p := p * 2
-   k := k + 1
- end_while
- { p = 2^n }
- What function, h, is computed by the loop initialization?
- (p,k := 1,0)
- What function, f, is computed by the while loop?
- (k ≤ n → p,k := p · 2^(n-k), n)
101 Example 2 (cont'd)
- For f = (k ≤ n → p,k := p · 2^(n-k), n) and h = (p,k := 1,0), an invariant qh(X) ≡ ( f(X) = f∘h(X0) ) can be derived by tabulating f(X) and f∘h(X0) for each member of the data space:
- X | f(X) | f∘h(X0)
- p | p · 2^(n-k) | (1) · 2^(n0-0)
- k | n | n0
- and equating components of f(X) and f∘h(X0):
- p · 2^(n-k) = (1) · 2^(n0-0)
- n = n0
111 Example 2 (cont'd)
- When combined, these equations yield the invariant
- p = 2^k
- (substituting n = n0 into p*2^(n-k) = 2^(n0) gives p*2^(n-k) = 2^n, i.e., p = 2^k), which can be used with the while loop Rule of Inference to prove the given assertion.
- When the condition k ≤ n (specifying the domain of f) is included, we get
- q = ( p = 2^k ∧ k ≤ n )
112 Exercise
- Recall that in Example 3 of Lecture Notes 18, we proved the assertion below using the invariant I = ( Z = X*J ).
- true
- Z := X
- J := 1
- while J <> Y do
- Z := Z + X
- J := J + 1
- end_while
- Z = X*Y
113 Exercise (cont'd)
- Derive a limited invariant for the initialized while loop using the Invariant Status Theorem.
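The IST properties for an initialized loop can be checked mechanically over a finite sample of states, which is a useful sanity check before attempting a proof. The following is an added example, not code from the lecture notes: for Example 2 it transcribes the loop, h, f and the derived invariant q = ( p = 2^k ∧ k ≤ n ) from the slides; for the exercise above, the loop function f and the candidate invariant Z = X*J ∧ J ≤ Y are the editor's own hypothesis (checked here, not the notes' answer). States are tuples, and a loop is a dict of h (initialization), cond (while test), g (body), f (hypothesized loop function, None outside D(f)) and q (candidate q_h(X), given X and X0).

```python
"""Mechanical check of the Invariant Status Theorem (IST) for an initialized
while loop over a finite sample of states.  Added example, not from the
lecture notes.  Example 2 is transcribed from the slides; the exercise loop's
f and candidate invariant are the editor's hypothesis."""

from itertools import product


def check_ist(loop, initial_states, state_space):
    """Return a list of violations (empty = all checks pass) of
    (1) q_h(h(X0)),
    (2) q_h(X) and cond(X)      imply  q_h(g(X)),
    (3) q_h(X) and not cond(X)  imply  X = f(h(X0)),
    and of the IST claim that on D(f), q_h(X) is exactly ( f(X) = f(h(X0)) )."""
    h, cond, g, f, q = (loop[k] for k in ("h", "cond", "g", "f", "q"))
    bad = []
    for x0 in initial_states:
        target = f(h(x0))            # f∘h(X0); None means X0 is outside D(f∘h)
        if target is None:
            continue
        if not q(h(x0), x0):
            bad.append(f"(1) q_h fails after initialization from {x0}")
        for x in state_space:
            fx = f(x)
            if fx is not None and q(x, x0) != (fx == target):
                bad.append(f"q_h and f(X)=f∘h(X0) disagree at X={x}, X0={x0}")
            if not q(x, x0):
                continue             # (2) and (3) have q_h as hypothesis
            if cond(x):
                if not q(g(x), x0):
                    bad.append(f"(2) body breaks q_h at X={x}, X0={x0}")
            elif x != target:
                bad.append(f"(3) exit state {x} != f∘h(X0)={target}")
    return bad


# Example 2: n >= 0 { p := 1; k := 0; while k <> n do p := p*2; k := k+1 } p = 2^n
# state = (n, p, k)
EX2 = {
    "h":    lambda s: (s[0], 1, 0),                         # h = (p,k := 1,0)
    "cond": lambda s: s[2] != s[0],                         # k <> n
    "g":    lambda s: (s[0], s[1] * 2, s[2] + 1),           # p,k := p*2, k+1
    # f = (k <= n -> p,k := p*2^(n-k), n)
    "f":    lambda s: (s[0], s[1] * 2 ** (s[0] - s[2]), s[0]) if s[2] <= s[0] else None,
    # Notes: q = (p = 2^k and k <= n).  n = n0 (from the table) is kept here only
    # because arbitrary states are compared; the slides drop it as n is never assigned.
    "q":    lambda s, s0: s[0] == s0[0] and s[2] <= s[0] and s[1] == 2 ** s[2],
}
EX2_INITIAL = [(n, p0, k0) for n in range(6) for p0 in (0, 5) for k0 in (0, 3)]
EX2_STATES = list(product(range(6), range(0, 40), range(0, 8)))   # constructed sample

# Exercise: true { Z := X; J := 1; while J <> Y do Z := Z+X; J := J+1 } Z = X*Y
# state = (X, Y, Z, J).  f and q are the editor's hypothesis, not the notes' answer.
EXERCISE = {
    "h":    lambda s: (s[0], s[1], s[0], 1),                # Z,J := X,1
    "cond": lambda s: s[3] != s[1],                         # J <> Y
    "g":    lambda s: (s[0], s[1], s[2] + s[0], s[3] + 1),  # Z,J := Z+X, J+1
    # hypothesis: f = (J <= Y -> Z,J := Z + X*(Y-J), Y)
    "f":    lambda s: (s[0], s[1], s[2] + s[0] * (s[1] - s[3]), s[1]) if s[3] <= s[1] else None,
    # candidate limited invariant: Z = X*J and J <= Y (X and Y are not assigned by the loop)
    "q":    lambda s, s0: s[0] == s0[0] and s[1] == s0[1] and s[3] <= s[1] and s[2] == s[0] * s[3],
}
EXERCISE_INITIAL = [(x, y, 0, 0) for x in range(-2, 3) for y in range(0, 5)]
EXERCISE_STATES = list(product(range(-2, 3), range(0, 5), range(-10, 11), range(0, 6)))


def bad_invariant_example():
    """A candidate that holds after initialization but is not preserved by the
    body (p = k + 1): the checker must report a property (2) violation."""
    loop = dict(EX2, q=lambda s, s0: s[0] == s0[0] and s[1] == s[2] + 1)
    return check_ist(loop, EX2_INITIAL, EX2_STATES)


if __name__ == "__main__":
    print("Example 2:", check_ist(EX2, EX2_INITIAL, EX2_STATES) or "all IST properties hold")
    print("Exercise: ", check_ist(EXERCISE, EXERCISE_INITIAL, EXERCISE_STATES) or "all IST properties hold")
    print("Bad candidate reports", len(bad_invariant_example()), "violations")
```

The agreement check is the point of the IST: on D(f) the candidate must be true on exactly the states whose f-value equals f∘h(X0). A candidate such as p = 2^k alone (without k ≤ n) still passes, because it is f-adequate, just not limited to D(f); a candidate that is merely true after initialization, like p = k + 1, is caught by the preservation check.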
114Todays Topics
- Thinking about invariants again
- Invariant Status Theorem (IST)
- While Loop Initialization
- Utility of IST
115 Utility of Invariant Status Theorem
- Does the IST eliminate the need for heuristics to synthesize Q-adequate loop invariants?
- Unfortunately, no. The derivation of q(X) requires knowledge of the program function, f. Furthermore, if the specified post-condition, Q, is not of the form X = f(X0), the translation between Q and f may not be obvious. Finally, if Q is weaker than f, then q(X) will be stronger than needed and may, therefore, be more cumbersome to use than some weaker Q-adequate invariant.
117 Utility of Invariant Status Theorem (cont'd)
- None of the functions considered so far has used conditional rules. How does one determine q(X) for intended functions* of the form
- f = (p1 → r1 | p2 → r2 | ... | pk → rk) ?
- This can be tedious, since the rule employed to determine f(X0) for every initial state X0, plus those rules employed to determine f(X) for each of X0's successor states, must be considered. The problem is analogous to that encountered in showing p(X) ⇒ ( f(X) = f∘g(X) ) when the rule for f on the left-hand side of the equality may be different from that on the right-hand side of the equality (i.e., after applying g).
* Other than simple functions of the form (p → r).
119 Utility of Invariant Status Theorem (cont'd)
- Would verifying the properties of q(X) for a given while_do statement, K, and hypothesized function, f, for which term(f,K) has been shown, constitute a proof that f = K (i.e., that K computes f)?
- Yes: properties (2) and (3) of the IST are equivalent to the 2nd and 3rd while_do correctness conditions when q(X) is used as the predicate. This is because ( q(X) ∧ p(X) ) ⇒ q∘g(X) follows from p(X) ⇒ ( f(X) = f∘g(X) ), and ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) ) follows from ¬p(X) ⇒ ( f(X) = I ).
- Also, since q(X) is the weakest f-adequate loop invariant for K, it is generally the easiest invariant over D(f) that can be used to verify that the loop computes f.
121 Utility of Invariant Status Theorem (cont'd)
- For some additional important and interesting insights into the nature of q(X), functions, and both iterative and non-iterative program constructs, be sure to see problems 8 and 9 in Problem Set 7!
122Summary
- Thinking about invariants again
- Invariant Status Theorem (IST)
- While Loop Initialization
- Utility of IST