Intro Verifica Programmi
Intro Verifica Programmi
Intro Verifica Programmi
to Axiomatic Verification
Introduction
Weak correctness predicate
Assignment statements
Sequencing
Selection statements
Iteration
1
Introduction
What is Axiomatic Verification?
A formal method of reasoning about the
functional correctness of a structured,
sequential program by tracing its state
changes from an initial (i.e., pre-) condition
to a final (i.e., post-) condition according to
a set of self-evident rules (i.e., axioms).
What is its primary goal?
To provide a means for “proving” (or
“disproving”) the functional correctness of a
sequential program with respect to its
(formal) specification.
2
1
Introduction (cont.)
2
Weak Correctness Predicate (cont.)
3
Weak Correctness Predicate (cont.)
Thus, {P} S {Q} is true unless Q
could be false if S terminates,
given that P held before S executes.
What are the truth values of the
following assertions?
(4) {true} while x <> 5 do x := x-1 {x=5}
(Hint: When will S terminate?)
4
Reasoning about Assignment
Statements
For each of the following pre-
conditions, P, and assignment
statements, S, identify a “strong”
post-condition, Q, such that {P} S {Q}
would hold.
A “strong” post-condition captures all
after-execution state information of
interest.
We ignore propositions such as X=X’
(“the final value of X is the same as
the initial value of X”).
9
{P} S {Q}
{J=6} K := 3
{J=6} J := J+2
{A<B} Min := A
{X<0} Y := -X
10
5
Reasoning about Assignment
Statements (cont.)
11
{P} S {Q}
I := 4 {J=7 Λ I=4}
I := 4 {I=4}
I := 4 {I=17}
Y := X+3 {Y=10}
12
6
When does
({P} S {Q}) ⇒ ({K} S {W})?
13
When does
({P} S {Q}) ⇒ ({K} S {W})?
14
7
When does
({P} S {Q}) ⇒ ({K} S {W})?
In general:
if you know {P} S1 {R} and
you know {R} S2 {Q}
then you know {P} S1; S2 {Q}.
16
8
Example 1
17
T F
b
S1 S2
{Q}
9
Reasoning about If_then
Statements
{P}
Consider the assertion:
T
{P} if b then S {Q} b
F
S
19
Example 2
Prove the assertion:
20
10
Proof Rules
Before proceeding to while loops, let’s
capture our previous reasoning about
sequencing, selection statements, and
state condition replacement in
appropriate rules of inference.
21
22
11
Proof Rules (cont.)
K ⇒ P, {P} S {Q}, Q ⇒ W
{K} S {W}
23
S
What are the necessary
conditions for this
{Q}
assertion to hold?
24
12
Consider a Loop “Invariant” - I
{P} Suppose I holds initially…
I
F
b
IЛb T
I Л ¬b and implies Q
S when and if the
loop finally
is preserved by S… terminates…
I {Q}
P ⇒ I, {I Λ b} S {I}, (I Λ ¬b) ⇒ Q
{P} while b do S {Q}
13
Example 3
Use the invariant I: Z=XJ to prove:
{true} Initialization: P ⇒ I
Z := X Preservation: {I Λ b} S {I}
J := 1 Finalization: (I Λ ¬b) ⇒ Q
while J<>Y do
Z := Z+X
J := J+1
end_while
{Z=XY}
27
Example 3
Use the invariant I: Z=XJ to prove:
{true}
Initialization: P ⇒ I
Z := X
J := 1 What is “P” ?
P
while J<>Y do (Z=X Λ J=1)
Z := Z+X Does
J := J+1
end_while (Z=X Λ J=1) ⇒ Z=XJ ?
{Z=XY} Yes!
28
14
Example 3
Use the invariant I: Z=XJ to prove:
Initialization: P ⇒ I √
{true} Preservation: {I Λ b} S {I}
Z := X b {Z=XJ Λ J ≠Y}
J := 1 Z := Z+X
while J<>Y do {Z=X(J+1) Λ J ≠Y}
Z := Z+X J := J+1
J := J+1 S {Z=X((J-1)+1) Λ J-1≠Y}
end_while ⇒ Z=XJ
{Z=XY}
29
Example 3
Use the invariant I: Z=XJ to prove:
Initialization: P ⇒ I √
{true}
Preservation: {I Λ b} S {I} √
Z := X
J := 1 Finalization: (I Λ ¬b) ⇒ Q
while J<>Y do
Z := Z+X Does (Z=XJ Λ J=Y) ⇒ Z=XY?
J := J+1
end_while Yes!
{Z=XY}
30
15
Example 3
Use the invariant I: Z=XJ to prove:
{true} Initialization: P ⇒ I √
Z := X Preservation: {I Λ b} S {I} √
J := 1 Finalization: (I Λ ¬b) ⇒ Q √
while J<>Y do
Z := Z+X
J := J+1
end_while
{Z=XY}
31
32
16
Some Limitations of Formal
Verification (cont.)
In addition, a formal specification:
may be expensive to produce
may be incorrect and/or incomplete
normally reflects functional
requirements only
Will the proof process be manual
or automatic? Who will prove the
proof?
33
17