Functional Verification IV: Revisiting Loop Invariants - PowerPoint PPT Presentation

Functional Verification IV: Revisiting Loop Invariants. Software Testing and Verification, Lecture Notes 24. Prepared by Stephen M. Thebaut, Ph.D., University of Florida – PowerPoint PPT presentation

Slides: 124
Provided by: smt52
Learn more at: https://www.cise.ufl.edu
Transcript and Presenter's Notes

1
Functional Verification IV: Revisiting Loop Invariants
Software Testing and Verification Lecture Notes 24
  • Prepared by
  • Stephen M. Thebaut, Ph.D.
  • University of Florida

2
Last Time
  • Iteration Recursion Lemma (IRL)
  • Termination predicate term(f,P)
  • Correctness conditions for while_do statement
  • Sufficient correctness conditions
  • Correctness conditions for repeat_until statement
  • Subgoal Induction

3
Today's Topics
  • Thinking about invariants again
  • Invariant Status Theorem (IST)
  • While Loop Initialization
  • Utility of IST

5
Thinking about invariants again
  • In Lecture Notes 18 we considered heuristics for
    synthesizing Q-adequate loop invariants.
  • In Lecture Notes 23, it was observed that a loop
    computing a function maintains an important
    property of state across iterations: the function
    value of the current state, X, is the same as the
    function value of the initial state, X0. That is,
    f(X) = f(X0).
  • We now expand on this observation and show that
    this property represents the weakest f-adequate
    loop invariant over D(f)!
  • (To be defined shortly...)

6
Hypothesize I
Flashback to LN 18...
(Flowchart from LN 18: hypothesize an invariant I, then test the
Initialization, Preservation and Finalization conditions. Each test
branches on true/false; the failing branches lead to the actions
"strengthen", "weaken" or "refine" and back to re-testing, and the
path on which all tests pass leads to "finish".)
9
Flashback to LN 23...
  • As f = [while p do g] = [if p then g;f end_if],
    it follows that
  • f(X0) = f(X1) = ... = f(Xn) = Xn
  • More generally, after each iteration of the loop,
    the function value of the current state, X, must
    be the same as the function value of the initial
    state, X0. That is,
  • f(X) = f(X0)
  • We will revisit this observation in connection
    with Mills' Invariant Status Theorem shortly.
15
Thinking about invariants again
  • Consider the following assertion, where z0 and y0
    represent the initial values of z and y,
    respectively:
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • Can you identify a Q-adequate invariant, I, that
    could be used to prove this...?

Consider I = (y = y0+(z0-z)). This can be rewritten
as y+z = y0+z0.
18
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • Now, independent of the given pre- and
    post-conditions, what function, f, is computed by
    the loop?
  • (z≥0 → y,z := y+z,0)
20
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • So, for f = (z≥0 → y,z := y+z,0), what is the
    relationship between f and the specified
    post-condition? z = fz(X0) = 0 ∧ y = fy(X0) = y0+z0.
  • (This can be written more simply as just
    X = f(X0), where X is shorthand for (y,z).)
22
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • But note that a specified post-condition is not
    an innate property of a program, as is the
    program's actual function! It just so happens
    that where f is defined, Q = (X = f(X0)) in this
    particular case...
23
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • Getting back now to our Q-adequate invariant, I,
    where f = (z≥0 → y,z := y+z,0)...
  • Recall that the IRL implies that after each
    iteration of the loop, the function value of the
    current state, X, must be the same as the
    function value of the initial state, X0. That is,
    f(X) = f(X0).
25
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • Thus, f(X) = f(X0) captures a constant
    relationship between the values of variables on
    entry to a loop (denoted by X0), and their values
    after every iteration of a loop (denoted by X)
    computing f.
  • What, then, is this relationship for the
    function (z≥0 → y,z := y+z,0)?
30
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • Where f is defined, fy(X) = y+z and fy(X0) = y0+z0.
  • Similarly, fz(X) = 0 and fz(X0) = 0.
  • Setting f(X) equal to f(X0) for each variable
    gives:
  • 0 = 0 ∧ y+z = y0+z0, which is I
  • That is, for z ≥ 0.

33
Thinking about invariants again
  • {true}
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while
  • {z=0 ∧ y=y0+z0}
  • Thus, setting f(X) equal to f(X0) results in a
    Q-adequate loop invariant that could (by
    definition) be used with the while loop ROI to
    prove the given assertion!
  • Are you not awestruck?
  • But remember: the specified post-condition
    conveniently corresponds to the program's actual
    function in this case.
34
Today's Topics
  • Thinking about invariants again
  • Invariant Status Theorem (IST)
  • While Loop Initialization
  • Utility of IST

40
Invariant Status Theorem (IST)
  • Theorem.
  • Let f = [while p do g]. If X0 ∈ D(f), X ∈ D(f), and
    q(X) ≡ ( f(X) = f(X0) ), then q is an invariant of
    while p do g, i.e., it has the following
    properties:
  • (1) q(X0) is true, and
  • (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X).
  • In addition, q(X) is an f-adequate invariant,
    i.e.,
  • (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) )

This represents the final state values as a
function, f, of the initial state values.
44
Invariant Status Theorem (cont'd)
  • Proof.
  • (1) q(X0) is true:
  • q(X) ≡ ( f(X) = f(X0) ), so
  • q(X0) = ( f(X0) = f(X0) )
  •       = true
  • as desired.
  • (Note that based on the definition of q(X), this
    property is a tautology.)
48
Invariant Status Theorem (cont'd)
  • Proof. (cont'd)
  • (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X):
  • For X ∈ D(f) we know
  • p(X) ⇒ ( f(X) = f∘g(X) )
  • by the Iteration Recursion Lemma. Since
  • q(X) ≡ ( f(X) = f(X0) )
  • by definition, it follows that
  • ( q(X) ∧ p(X) ) ⇒ ( f∘g(X) = f(X0) ).
49
Invariant Status Theorem (cont'd)
  • Proof. (cont'd)
  • But the right-hand side of
  • ( q(X) ∧ p(X) ) ⇒ ( f∘g(X) = f(X0) )
  • is just
  • ( f(g(X)) = f(X0) ) = q(g(X))
  •                     = q∘g(X)
  • Therefore,
  • ( q(X) ∧ p(X) ) ⇒ q∘g(X)
  • as desired.
54
Invariant Status Theorem (cont'd)
  • Proof. (cont'd)
  • (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) ):
  • If ¬p(X), then f(X) = I by definition of the
    while construct. This can be rewritten as f(X) =
    X.
  • And since q(X) ≡ ( f(X) = f(X0) ), it follows
    that
  • ( ¬p(X) ∧ q(X) ) ⇒ ( X = f(X0) )
  • as desired.
55
An important corollary...
  • IST Corollary.
  • Let f = [while p do g]. If X0 ∈ D(f), X ∈ D(f), and
    q(X) ≡ ( f(X) = f(X0) ), then q is an f-adequate
    invariant of ANY program of the form while p do g
    for which properties (2) and (3) of the IST hold:
  • (2) ( q(X) ∧ p(X) ) ⇒ q∘g(X)
  • (3) ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) )
  • Thus, verifying these properties for a given
    while_do statement, K, and intended function, f,
    for which term(f,K) has already been shown,
    constitutes a proof that f = [K].
58
Example 1
  • Consider the following assertion, where a0 and b0
    represent the initial values of a and b,
    respectively:
  • {true}
  • while a<>0 do
  •   b := b*a
  •   a := a-1
  • end_while
  • {a=0 ∧ b=b0*a0!}

What function, f, is computed by the while loop?
(a≥0 → a,b := 0, b*a!)
63
Example 1 (cont'd)
  • For f = (a≥0 → a,b := 0, b*a!), an invariant q(X) ≡
    ( f(X) = f(X0) ) can be derived by tabulating f(X)
    and f(X0) for each member of the data space, X:
  •   X     f(X)     f(X0)
  •   a     0        0
  •   b     b*a!     b0*a0!
  • and equating components of f(X) and f(X0):
  •   0 = 0
  •   b*a! = b0*a0!
64
Example 1 (cont'd)
  • We can rewrite the second equation as
  • b = b0*(a0!/a!)
  • and use it as an invariant to prove the given
    assertion using the while loop Rule of
    Inference.
  • When combined with a≥0 (specifying the domain of
    f) we get
  • q = ( b = b0*(a0!/a!) ∧ a≥0 )
66
Another interesting property of q(X)
  • In the context of functional verification, loop
    invariants are generally a function of the
    current values of program variables (denoted by
    X), AND their values on entry to the loop
    (denoted by X0).
  • Many f-adequate invariants may exist for a given
    loop, so what criteria might be used to determine
    which is the best to use?
  • In general, we want f-adequate invariants to be
    as weak as possible. The weaker an invariant is
    (while still being f-adequate), the easier it
    will be to use.

69
Another interesting property of q(X) (cont'd)
  • Claim: q(X) ≡ ( f(X) = f(X0) ) is the weakest
    f-adequate loop invariant over D(f) in the sense
    that it is implied by all others.
  • Proof: Let I(X) be any f-adequate loop invariant
    for (while p do g) over D(f), and let
    X0,X1,...,Xn be the states associated with the
    loop in D(f). Since Xn = f(X), we know I(f(X)) and
    ¬p(f(X)). And since I(X) is f-adequate ( I(X) ∧
    ¬p(X) ⇒ X = f(X0) ), it follows that ( I(f(X)) ∧
    ¬p(f(X)) ⇒ f(X) = f(X0) ). Therefore, for all X in
    D(f), I(X) ⇒ q(X), as claimed.
  • (See Part 3, "The Loop Invariant f(X0) = f(X)",
    of the Dunlop/Basili paper.)
72
Another interesting property of q(X) (cont'd)
  • To expand on the unique nature of q(X), note that
    the set of states satisfying f(X) = f(X0) includes
    ALL intermediate states that could possibly be
    generated by ANY while loop that computes f!
  • Thus, q(X) is strong (i.e., specific) enough to
    describe the net effect of the loop on the input
    set D(f), but sufficiently weak (i.e., general)
    that it may offer no hint about the method used
    to achieve the effect.
75
Another interesting property of q(X) (cont'd)
  • Recall the program
  • while z<>0 do
  •   y := y+1
  •   z := z-1
  • end_while

The function computed is f = (z≥0 → y,z :=
y+z,0) and from the IST, the weakest f-adequate
invariant over D(f) is q(X) ≡ ( y+z = y0+z0 ∧
z≥0 ).
Consider the sample (y0,z0) input (2,4). The
loop then produces the series of states (2,4),
(3,3), (4,2), (5,1), (6,0). q(X), of course,
agrees with these states, but it also agrees with
(-3,9)! This implies that some loop that
computes f could produce the intermediate state
(-3,9) while mapping (2,4) to (6,0). We further
conclude that no loop that computes f could
produce (4,4) as an intermediate state from the
input (2,4).
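The bounded check below is an added example, not code from the lecture notes: it enumerates a finite slice of the state space and tests the three IST properties of q(X) = (f(X) = f(X0)) for the (y,z) loop above and for the factorial loop of Example 1, reproduces the (2,4) trace with the (-3,9) and (4,4) observations, and shows that the same check rejects a wrongly stated intended function. The checker `check_ist`, the helper names, the state ranges and the deliberately wrong function `f1_wrong` are this example's own assumptions.

```python
"""Bounded check of Mills' Invariant Status Theorem (IST).
Added example, not part of the lecture notes: the loops, their
functions f and the sample states come from the slides; the checker
and helper names are this example's own."""
from itertools import product
from math import factorial


def check_ist(p, g, f, states):
    """For every X0 in D(f) test the three IST properties of
    q(X) = (f(X) == f(X0)) over all X in D(f) drawn from `states`:
      (1) q(X0)
      (2) q(X) and p(X)      implies q(g(X))
      (3) q(X) and not p(X)  implies X == f(X0)
    `f` is a partial function: it returns None outside D(f).
    Returns (ok, list of violated (property, X0, X) tuples)."""
    dom = [x for x in states if f(x) is not None]
    violations = []
    for x0 in dom:
        fx0 = f(x0)
        q = lambda x, fx0=fx0: f(x) == fx0  # the IST invariant for this X0
        if not q(x0):
            violations.append(("(1)", x0, x0))
        for x in dom:
            if not q(x):
                continue
            if p(x):
                gx = g(x)
                if f(gx) is None or not q(gx):
                    violations.append(("(2)", x0, x))
            elif x != fx0:
                violations.append(("(3)", x0, x))
    return (not violations, violations)


def run_loop(p, g, x0):
    """Execute `while p do g` from x0 and return the states visited."""
    trace = [x0]
    while p(trace[-1]):
        trace.append(g(trace[-1]))
    return trace


def states_box(lo, hi):
    """All two-variable integer states with lo <= v1, v2 <= hi."""
    return list(product(range(lo, hi + 1), repeat=2))


# Loop 1, state (y, z): while z<>0 do y := y+1; z := z-1 end_while
# Intended function from the slides: f = (z >= 0 -> y,z := y+z, 0)
p1 = lambda s: s[1] != 0
g1 = lambda s: (s[0] + 1, s[1] - 1)
f1 = lambda s: (s[0] + s[1], 0) if s[1] >= 0 else None

# Loop 2 (Example 1), state (a, b): while a<>0 do b := b*a; a := a-1 end_while
# Intended function from the slides: f = (a >= 0 -> a,b := 0, b*a!)
p2 = lambda s: s[0] != 0
g2 = lambda s: (s[0] - 1, s[1] * s[0])
f2 = lambda s: (0, s[1] * factorial(s[0])) if s[0] >= 0 else None

# A deliberately wrong claim about loop 1 (this example's own): y,z := y+2z, 0
f1_wrong = lambda s: (s[0] + 2 * s[1], 0) if s[1] >= 0 else None


def ist_holds_for_loop1():
    return check_ist(p1, g1, f1, states_box(-5, 10))[0]


def ist_holds_for_loop2():
    return check_ist(p2, g2, f2, states_box(-3, 6))[0]


def ist_rejects_wrong_function():
    """Only property (2) (preservation) fails: the body does not preserve
    y+2z = y0+2z0, so the claimed f cannot be the loop's function."""
    ok, violations = check_ist(p1, g1, f1_wrong, states_box(-5, 10))
    return (not ok) and all(v[0] == "(2)" for v in violations)


def weakest_invariant_demo():
    """Slide 75 from input (2,4): the trace, q on every trace state,
    q on (-3,9) (accepted) and q on (4,4) (rejected)."""
    x0 = (2, 4)
    q = lambda x: f1(x) == f1(x0)
    trace = run_loop(p1, g1, x0)
    return trace, all(q(x) for x in trace), q((-3, 9)), q((4, 4))


def stronger_invariant_implies_q():
    """The Q-adequate invariant I = (y = y0 + (z0 - z)) of slide 15
    implies q over D(f): every boxed state satisfying I satisfies q."""
    x0 = (2, 4)
    I = lambda x: x[0] == x0[0] + (x0[1] - x[1])
    q = lambda x: f1(x) == f1(x0)
    return all(q(x) for x in states_box(-5, 10) if f1(x) is not None and I(x))


if __name__ == "__main__":
    print("IST holds for loop 1:", ist_holds_for_loop1())
    print("IST holds for loop 2:", ist_holds_for_loop2())
    print("Wrong f rejected:", ist_rejects_wrong_function())
    print("Trace / q checks:", weakest_invariant_demo())
    print("I implies q:", stronger_invariant_implies_q())
```

Enumeration over a finite box is evidence, not a proof; the IST proof in the slides is what establishes the properties for all of D(f).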
80
Another interesting property of q(X) (cont'd)
  • Consider a more concrete (wood, aluminum, etc.)
    illustration of q's properties...
  • Let f represent a general mapping from an initial
    building construction state (e.g., a vacant lot)
    to a final construction state (a finished
    building).
  • Let P be a specific, step-by-step, iterative
    construction process that produces a finished
    building in accordance with f.
84
Another interesting property of q(X) (cont'd)
  • In particular, suppose that from an initial
    building state, Svac,
  • P produces the series of (successor) states
  • Svac → SX → SK → ST → SY → Sfin
  • where Sfin represents a finished building.
87
Another interesting property of q(X) (cont'd)
  • Now, let q(S) ≡ ( f(S) = f(S0) ), where S0 is the
    initial building state, S is the current building
    state, and S, S0 are in D(f).
  • It follows, then, that q agrees with the series
    of states produced by P. That is:
  • q(Svac), q(SX), q(SK), q(ST), q(SY), q(Sfin)
  • But suppose q also holds for another state in
    D(f), SZ...
89
Another interesting property of q(X) (cont'd)
  • This would imply that some other iterative
    construction process, P', that also results in a
    finished building in accordance with f, could
    produce SZ in the process of producing Sfin
    starting from Svac!
  • Finally, suppose that q does NOT hold for SE...
90
Another interesting property of q(X) (cont'd)
  • This would imply that no iterative construction
    process that results in a finished building in
    accordance with f could produce SE from the
    initial state Svac!

91
Today's Topics
  • Thinking about invariants again
  • Invariant Status Theorem (IST)
  • While Loop Initialization
  • Utility of IST

92
While Loop Initialization
  • In many situations, a loop invariant may hold by
    virtue of its initialization. In particular,
    given
  • f = while p do g, X0 ∈ D(f)
  • a limited f-adequate invariant of the
    initialized while loop
  • h; while p do g
  • is
  • qh(X) = ( f(X) = f∘h(X0) )

93
While Loop Initialization (cont'd)
  • Such an invariant has the following properties:
  • (1) qh∘h(X0) is true, and
  • (2) ( qh(X) ∧ p(X) ) ⇒ qh∘g(X), and
  • (3) ( qh(X) ∧ ¬p(X) ) ⇒ ( X = f∘h(X0) )

94
Example 2
  • Consider the assertion:

    {n ≥ 0}
    p := 1
    k := 0
    while k <> n do
      p := p*2
      k := k+1
    end_while
    {p = 2^n}

What function, h, is computed by the loop
initialization?
  h = (p,k := 1,0)

What function, f, is computed by the while loop?
  f = (k ≤ n → p,k := p*2^(n-k), n)
101
Example 2 (cont'd)
  • For f = (k ≤ n → p,k := p*2^(n-k), n), and h = (p,k :=
    1,0), an invariant qh(X) = ( f(X) = f∘h(X0) ) can
    be derived by tabulating f(X) and f∘h(X0) for
    each member of the data space:

    X    f(X)         f∘h(X0)
    p    p*2^(n-k)    (1)*2^(n0-0)
    k    n            n0

  • and equating components of f(X) and f∘h(X0):

    p*2^(n-k) = (1)*2^(n0-0)
    n = n0
111
Example 2 (cont'd)
  • When combined, these equations yield the
    invariant
  • p = 2^k
  • which can be used with the while loop Rule of
    Inference to prove the given assertion.
  • When the condition k ≤ n (specifying the domain of
    f) is included, we get
  • q = ( p = 2^k ∧ k ≤ n )

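As an added example (not part of the lecture notes), the following Python code checks properties (1)-(3) of the limited invariant qh(X) = ( f(X) = f∘h(X0) ) for the loop of Example 2 by exhaustive enumeration over a small bounded state space, and confirms that qh coincides with the tabulated invariant p = 2^k ∧ k ≤ n whenever n = n0. States are represented as tuples (p, k, n); the names h, f, g, p_pred, q_h, q_derived, check_ist and run are this example's own, not the notes'.

```python
# Added example (not from the lecture notes): exhaustive check of the IST
# properties of qh(X) = ( f(X) = f∘h(X0) ) for Example 2. States are
# tuples (p, k, n); all function names here are this example's own.
from itertools import product

def h(x0):                      # loop initialization: (p,k := 1,0)
    _, _, n = x0
    return (1, 0, n)

def f(x):                       # loop function: (k <= n -> p,k := p*2^(n-k), n)
    p, k, n = x
    return (p * 2 ** (n - k), n, n) if k <= n else None   # None: outside D(f)

def p_pred(x):                  # loop predicate: k <> n
    _, k, n = x
    return k != n

def g(x):                       # loop body: p := p*2; k := k+1
    p, k, n = x
    return (p * 2, k + 1, n)

def q_h(x, fh_x0):              # limited invariant; False outside D(f)
    return f(x) is not None and f(x) == fh_x0

def q_derived(x):               # invariant read off the table: p = 2^k and k <= n
    p, k, n = x
    return p == 2 ** k and k <= n

def check_ist(x0, bound=8):
    # Properties (1)-(3) over 0 <= p <= 2^bound, 0 <= k, n <= bound,
    # plus: q_h agrees with the derived invariant on every state with n = n0.
    fh_x0 = f(h(x0))
    states = list(product(range(2 ** bound + 1), range(bound + 1), range(bound + 1)))
    init = q_h(h(x0), fh_x0)                                    # (1)
    preserved = all(q_h(g(s), fh_x0)                            # (2)
                    for s in states if q_h(s, fh_x0) and p_pred(s))
    final = all(s == fh_x0                                      # (3)
                for s in states if q_h(s, fh_x0) and not p_pred(s))
    agrees = all(q_h(s, fh_x0) == q_derived(s)
                 for s in states if s[2] == x0[2])
    return {"init": init, "preserved": preserved, "final": final, "agrees": agrees}

def run(x0):
    # Execute the initialized loop (needs n >= 0), asserting q_h on every
    # state visited; the final state must equal f∘h(X0).
    fh_x0 = f(h(x0))
    x = h(x0)
    while p_pred(x):
        assert q_h(x, fh_x0)
        x = g(x)
    assert x == fh_x0
    return x
```

The same harness applies to any initialized while loop once its h, f, p and g are supplied; the bound only limits the enumeration, so a state with n0 larger than the bound makes properties (2) and (3) vacuous.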
112
Exercise
  • Recall that in Example 3 of Lecture Notes 18, we
    proved the assertion below using the invariant I
    = (Z = X*J).

    {true}
    Z := X
    J := 1
    while J <> Y do
      Z := Z+X
      J := J+1
    end_while
    {Z = X*Y}
113
Exercise (cont'd)
  • Derive a limited invariant for the initialized
    while loop using the Invariant Status Theorem.

114
Today's Topics
  • Thinking about invariants again
  • Invariant Status Theorem (IST)
  • While Loop Initialization
  • Utility of IST

115
Utility of Invariant Status Theorem
  • Does the IST eliminate the need for heuristics to
    synthesize Q-adequate loop invariants?
  • Unfortunately, no. The derivation of q(X)
    requires knowledge of the program function, f.
    Furthermore, if the specified post-condition, Q,
    is not of the form X = f(X0), the translation
    between Q and f may not be obvious. Finally, if Q
    is weaker than f, then q(X) will be stronger than
    needed and may, therefore, be more cumbersome to
    use than some weaker Q-adequate invariant.

117
Utility of Invariant Status Theorem (cont'd)
  • None of the functions considered so far has used
    conditional rules.* How does one determine q(X)
    for intended functions of the form
  • f = (p1 → r1 | p2 → r2 | ... | pk → rk) ?
  • This can be tedious since the rule employed to
    determine f(X0) for every initial state X0 plus
    those rules employed to determine f(X) for each
    of X0's successor states must be considered. The
    problem is analogous to that encountered in
    showing p(X) ⇒ ( f(X) = f∘g(X) ) when the rule for
    f on the left-hand side of the equality may be
    different than that on the right-hand side of the
    equality (i.e., after applying g).

* Other than simple functions of the form (p → r).
119
Utility of Invariant Status Theorem (cont'd)
  • Would verifying the properties of q(X) for a
    given while_do statement, K, and hypothesized
    function, f, for which term(f,K) has been shown,
    constitute a proof that f = K?
  • Yes, properties (2) and (3) of the IST are
    equivalent to the 2nd and 3rd while_do
    correctness conditions when using q(X) as the
    predicate. This is because ( q(X) ∧ p(X) ) ⇒
    q∘g(X) follows from p(X) ⇒ ( f(X) = f∘g(X) ), and
    ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) ) follows from ¬p(X) ⇒
    ( f(X) = I ).
  • Also, since q(X) is the weakest f-adequate loop
    invariant for K, it is generally the easiest
    invariant over D(f) that can be used to verify
    that the loop computes f.

121
Utility of Invariant Status Theorem (cont'd)
  • For some additional important and interesting
    insights into the nature of q(X), functions, and
    both iterative and non-iterative program
    constructs, be sure to see problems 8 and 9 in
    Problem Set 7!

122
Summary
  • Thinking about invariants again
  • Invariant Status Theorem (IST)
  • While Loop Initialization
  • Utility of IST

123
Functional Verification IV: Revisiting Loop
Invariants
Software Testing and Verification Lecture Notes
24
  • Prepared by
  • Stephen M. Thebaut, Ph.D.
  • University of Florida