Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2011!

Similar documents
Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2012!

Analysis! Some Examples of Relations!

Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Fall 2012! Characteristics of! System to be! built must! match required! characteristics!

Coding and Testing. The Coding Phase. Coding Goal: Create code that can be executed on a computer! What makes a programming language good?

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Basic Verification Strategy

Coding and Unit Testing! The Coding Phase! Coding vs. Code! Coding! Overall Coding Language Trends!

Coding and Testing. Class Schedule rest of semester

Lectures 20, 21: Axiomatic Semantics

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Introduction to Axiomatic Semantics

Chapter 3 (part 3) Describing Syntax and Semantics

Lecture 5 - Axiomatic semantics

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

6. Hoare Logic and Weakest Preconditions

CIS 890: Safety Critical Systems

Introduction to Axiomatic Semantics (1/2)

Programming Languages Third Edition

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Chapter 3. Describing Syntax and Semantics ISBN

Program Verification. Aarti Gupta

Introduction to Axiomatic Semantics (1/2)

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Distributed Systems Programming (F21DS1) Formal Verification

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Reasoning About Imperative Programs. COS 441 Slides 10

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

CITS5501 Software Testing and Quality Assurance Formal methods

Symbolic Evaluation/Execution

Formal Methods. CITS5501 Software Testing and Quality Assurance

Symbolic Execution and Proof of Properties

Chapter 3. Describing Syntax and Semantics

Spark verification features

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Reading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis

Chapter 1. Introduction

Hoare triples. Floyd-Hoare Logic, Separation Logic

Discrete Mathematics Lecture 4. Harper Langston New York University

An Annotated Language

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Lecture Notes on Contracts

Program Verification. Program Verification 307/434

Runtime Checking and Test Case Generation for Python

Chapter 3. Describing Syntax and Semantics

Lecture 11 Lecture 11 Nov 5, 2014

Three General Principles of QA. COMP 4004 Fall Notes Adapted from Dr. A. Williams

COMP 507: Computer-Aided Program Design

VS 3 : SMT Solvers for Program Verification

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Specification and Analysis of Contracts Tutorial

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

introduction to Programming in C Department of Computer Science and Engineering Lecture No. #40 Recursion Linear Recursion

Reading assignment: Reviews and Inspections

Software Testing. Software Testing

Chapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

Static verification of program running time

The divide and conquer strategy has three basic parts. For a given problem of size n,

Foundations: Syntax, Semantics, and Graphs

Proof Carrying Code(PCC)

Page 1. Reading assignment: Reviews and Inspections. Foundations for SE Analysis. Ideally want general models. Formal models

Chapter 3. Describing Syntax and Semantics ISBN

REQUIREMENTS ANALYSIS. What versus how

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

Verification Condition Generation via Theorem Proving

Hoare Logic: Proving Programs Correct

Critical Analysis of Computer Science Methodology: Theory

Static Analysis! Summary of Dynamic Testing! Some References for Testing! Prof. Leon J. Osterweil! CS 520/620! Spring 2013! DEVELOPMENT PHASES!

MONIKA HEINER.

Part 5. Verification and Validation

Introduction to Dynamic Analysis

Checking Program Properties with ESC/Java

Lecture Notes on Ints

PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE

Formal Specification. Objectives

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Behavioral Equivalence

CSC Advanced Object Oriented Programming, Spring Specification

School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne

Advances in Programming Languages

COS 320. Compiling Techniques

Lecture 10 Design by Contract

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

CS 161 Computer Security

Program Analysis. Program Analysis

Proving the Correctness of Distributed Algorithms using TLA

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Arguing for program correctness and writing correct programs

Static Analysis! Prof. Leon J. Osterweil! CS 520/620! Spring 2013! Characteristics of! System to be! built must! match required! characteristics!

On Meaning Preservation of a Calculus of Records

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

CSC 501 Semantics of Programming Languages

Transcription:

Formal Verification! Prof. Leon Osterweil! Computer Science 520/620! Spring 2011! Relations and Analysis! A software product consists of! A collection of (types of) artifacts! Related to each other by myriad Relations! The relations are essentially desiderata! At least initially! Before the product can be trusted, the relations need to be verified/confirmed! That is the role of analysis! Does the software do what it is supposed to do?! What are its capabilities and its strengths?! What is the nature of the artifact(s) that have been built?! What can I count on?! What should I worry about?!

Requirements Spec.! Design! Hi Level! consistent! views! Low! level! Test Plan! Code! Some Examples of Relations! Executing this code must compute this function! This code must conform to that design element! This compiled code came from this compiler! This design element addresses those requirements! These lower level requirements are elaborations of these higher level requirements! This is the date by which that test must be passed! Component invocations conform to component abstract interface specifications! Documentation describes the actual system! ETC..!

Some Examples of Relations! Executing this code must compute this function! This code must conform to that design element! This compiled code came from this compiler! This design element addresses those requirements! These lower level requirements are elaborations of these higher level requirements! This is the date by which that test must be passed! Component invocations conform to component abstract interface specifications! Documentation describes the actual system! ETC..! Requirements Spec.!?????!??!???!?? Test Plan!?!???? Design! Hi Level!???!???? Low! level! Code!

Evaluation of Static Analysis! Strengths:! Can demonstrate the absence of faults! Proofs can be automatically generated and proven! Algorithms are fast (low-order polynomial)! No need to generate test data! You know when you are done! Weaknesses! Behavior specification is a model with inaccuracies!» Not all paths are executable! Only certain classes of faults analyzable!» Mostly sequence specific!» Weak on functionality! Symbolic Execution! Specification of Intent: Formulae, functions! Specification of Behavior: Functions derived from annotated flowgraph, symbol table! Annotate nodes with function(s) computed there! Specify path to be studied! Compute function(s) computed as composition(s) of functions at path nodes, constraints of path edges! Comparison: Solving simultaneous constraints; symbolic algebra! Results: Demonstrations that given paths computed the right function(s)!

Symbolic Execution! Specification of " Intended Behavior " Function" to be" Computed" Specification of " Actual Behavior" Formula" Inferred from" Actual Code" Functional" Equivalence" Theorem Prover" Proofs of" Functional" Correctness" Comparison of Behavior to Intent" Example Symbolic Representation! 1: input A,B 2: A>0? 3: C :=0 4: C := A*B 5: B>0? 6: X := C*(A+2*A) 7: X := A+B 8: output X P1: (1,2,4,5,6,8)!! n: path values path condition!!1: A=a, B=b true!! 2: a 0!! 4: C=a*b!! 5: a 0 b>0!! 6: X = a*b*(a+2*a)!! 8: out 3*a**2*b! Path condition: a 0 b>0! Variable values! A: a! B: b! C: a*b! X: 3*a**2*b!

Example Symbolic Representation! 1: input A,B 2: A>0? 3: C :=0 4: C := A*B 5: B>0? 6: X := C*(A+2*A) 7: X := A+B 8: output X P2: (1,2,4,5,7,8)!! n: path values path condition!!1: A=a, B=b true!! 2: a 0!! 4: C=a*b!! 5: a 0 b 0!! 7: X = a+b!! 8: out a+b! Path condition: a 0 b 0! Variable values! A: a! B: b! C: a*b! X: a+b! Example Symbolic Representation! 1: input A,B 2: A>0? 3: C :=0 4: C := A*B 5: B>0? 6: X := C*(A+2*A) 7: X := A+B 8: output X P1: (1,2,3,5,7,8)!! n: path values path condition!!1: A=a, B=b true!! 2: a>0!! 3: C= 0!! 5: a>0 b 0!! 7: X = a+b!! 8: out a+b! Path condition: a>0 b 0! Variable values! A: a! B: b! C: 0! X: a+b!

Applications of Symbolic Evaluation! Symbolic Testing! examination of path domain and computation for detecting failures! especially useful for scientific applications! Path and Test Data Selection! select paths to cover structure and determine feasibility of condition! select data to satisfy path condition or revealing condition! Debugging! examine symbolic representation for faulty data manipulation! Verification! prove consistency of specification assertions! inductive assertion method for proving correctness!...!» {I} S {O}...! Proof of Correctness! Intent! Usually specification of functionality! What function(s) does the software compute?! Sometimes accuracy, timing,...! Behavior! Inferred from semantically rich program model! Generally requires most of semantics of programming language! Generally uses symbolic execution! Comparison! Use of formal mathematics (eg. predicate logic)! Probably source of misleading name: PROOF of correctness!» Proof is probably OK!» Correctness is dangerously misleading!

Intent! Proof of Correctness! XXXXXXXXXXXXXXXXXXXXXXXXXXX! FORMAL VERIFICATION! Usually specification of functionality! What function(s) does the software compute?! Sometimes accuracy, timing,...! Behavior! Inferred from semantically rich program model! Generally requires most of semantics of programming language! Generally uses symbolic execution! Comparison! Use of formal mathematics (eg. predicate logic)! Probably source of misleading name: PROOF of correctness!» Proof is probably OK!» Correctness is dangerously misleading! Floyd Method of Inductive Assertions! Show that each program fragment behaves as intended! Use induction to prove that all sequences of executable fragments behave as intended! Show that the program must terminate!

Assertion-Based Testing! Zoom in on internal workings of the program! Examine behaviors at internal program locations while the program is executing! Augments examining only final outputs! Assertions: Specifications of intended relations among the values of program variables! Development of increasingly elaborate assertion languages! Often: Checking relations between code and design! Comparison: Runtime evaluation of assertions! Facilities for programming reactions to violations! Also useful as a debugging aid! Inserted by" Tester" <code sequence>" X := Y;" Time := Y * 2.0 * T;" ASSERT Time > 0.0;" <rest of code>" Automatically " processed" into" if ~(Time > 0.0) Then" "Assertion_violation_handler;"

Assertion-Based Dynamic Testing! Specification of " Intended Behavior " Specification of " Actual Behavior" Functional" Behavior" Assertions" Intermediate" Execution " Results " Runtime " Assertion" Checking" Reports on" Internal Failures" Comparison of Behavior to Intent" Specification of " Intended Behavior " Formal Verification! Specification of " Actual Behavior" Final and" Intermediate" 1st-Order Logic" Assertions" Symbolic" Execution " of Path" Segments" First-Order Logic" Theorems and" Proofs" Comparison of Behavior to Intent" Proof of the" Absence of" All Functional" Faults"

Use of Assertions! Assertion: Specification of a condition that is intended to be true at a specific given site in the program text! Floyd's Method assertions are written in Predicate Logic! In Floyd's Method there are three types of assertions! Initial, As: Sited at the program initial statement! Final, AF: Sited at the program final statement! Intermediate Ai: Often called a "loop invariants! Sited at various program locations subject to the rule:! EVERY LOOP ITERATION (CFG CYCLE) SHALL PASS THRU! THE SITE OF AT LEAST ONE INTERMEDIATE ASSERTION! Net Effect: Every program execution sequence is divided! into a finite number of segments of non-looping code! bounded on each end by a predicate logic assertion! Specification of " Intended Behavior " Formal Verification! Specification of " Actual Behavior" Final and" Intermediate" 1st-Order Logic" Assertions" Symbolic" Execution " of Path" Segments" First-Order Logic" Theorems and" Proofs" Comparison of Behavior to Intent" Proof of the" Absence of" All Functional" Faults"

Mathematical Induction! Goal: prove that a given property holds for all elements of a set! Approach:! (initial step) show property holds for "first" element! (induction step) show that if property holds for element i, then it must also hold for element i + i! Often used when direct analytic techniques are too hard or complex! Example: How many edges in C n! Theorem:! let C n = (V n, E n ) be a complete, unordered graph on n nodes,!!!!then E n = n * (n-1)/2!

Initial Step! show the property is true for C1:! graph has one node, 0 edges! E1 = n(n-1)/2 = 1(0)/2 = 0! Induction Step! assume true for Cn: En = n(n-1)/2! graph Cn+1 has one more node, but n more edges (one from the new node to each of the n old nodes)! so, En+1 = n(n-1)/2 + n! = n(n-1)/2 +2n/2 = (n(n-1)+2n)/2! = (n(n-1+2))/2 = n(n+1)/2! = (n+1) ((n+1)-1)/2! = (n+1)(n)/2!

Floydʼs Method of inductive assertions (informal description)! Place assertions at the start, final, and intermediate points in the code.! Any path is composed of sequences of program fragments all of which:! start with an assertion! are followed by some assertion free code! and end with an assertion eg. (As =) A0, C1, A1, C2, A2, An-1, Cn-1, An, Cn, An+1(=Af)! Show that for any executable path, if Ai is assumed true for any Ai and code Ci is executed, then Ai+1 must always be true! Induction in Floydʼs Method! Initially! Verify that the Initial Assertion is correct! Induction on length of execution path! Prove that function computed by all execution paths of length L + 1 are correct! Provided that all execution paths of length L compute the correct function! Inductive step is the hard one (as usual)! Proof relies on the fact that there are only a (relatively) small number of path segments in any program.!

Pictorially! intermediate assertions initial assertion A i! C i! STRAIGHT-LINE CODE! A i+1! final assertion Must be sure:! assuming A i, then executing Code C i,! necessarily A i+1! by forward substitution! A i! A i+1! C i! STRAIGHT-LINE CODE!

Why does this work?! suppose P = arbitrary path through the program! can denote it by! P = A s C 1 A 1 C 2 A 2...C n A F! where! A s -!Initial assertion! A F -!Final assertion! A i -!Intermediate assertions! C i -!Loop free, uninterrupted,!!!straight-line code! If it has been shown that! i, 1 i < n: A i C i A i+1! Then, by induction! A s... A f! Loop Invariants (Loop Breakers)! Problem: infinite number of paths! Must find a way to deal with loops! Solution: Assertion, Ai, that is! True for any number of loop iterations! connects up to adjacent assertions! Such an assertion:! Is invariant with respect to loop iterations! Must be embedded in (break) every loop! A loop invariant must capture the essence! Of the work that the loop is to perform!

Schematic Example of a Loop Invariant! Ai is a loop invariant because of its relation to other assertions:!!!note THAT:! A I, false branch, => A I! A I, true branch, => A I!! BUT ALSO:! Initial assertion A s to A I => A I! A I, false branch, => final assertion A F! A I, true branch, => final assertion A F! A s " A F! A I " false! true! Floydʼs Method (carefully stated)! Specify initial, final assertions to capture intent! Intermediate assertions "cut" every program loop! For each pair of assertions with an executable (assertionfree) path from the first to the second,! Assume that the first assertion is true! Show that for all (assertion-free, executable) paths from the first assertion to the second, that the second assertion is true! This establishes partial correctness! Show that the program terminates! This establishes total correctness!

Floyd-Hoare axiomatic proof method! Assertions are preconditions and postconditions on some statement or sequence of statements! Goal: For all adjacent assertion pairs, P and Q, If P (the precondition) is true before S is executed, and then S is executed, then Q (the postcondition) must be true Notation: P{S}Q Floyd-Hoare axiomatic proof method! As in Floyd's inductive assertion method, we construct a sequence of assertions, each of which can be inferred from previously proved assertions and the rules and axioms about the statements and operations of the program To prove P{S}Q, we need some axioms and rules about the programming language!

Hoare axioms and proof rules! Take a simple programming language that deals only with integers and has the following types of constructs:! assignment statement!!!!x:= f! composition of a sequence of statements!!! S1, S2! conditional (alternative statements)!!!!if B then S1 else S2! iteration!!!!while B do S! Axioms and proof rules! axiom of assignment! P {x:=f} Q,! where Q is obtained from P by substituting f for all occurences of x in P (symbolic execution)!! rule of composition! P {S1, S2 } Q => P{S1}P1 P1{S2}Q! Using Hoare's notation, this is written as! P{S1}P1, P1{S2}Q! P {S1,S2} Q!

Proof Rules (continued)! rule for the alternative statement! P{if B then S1 else S2 }Q!!!!!!P{B S1}Q P{~B S2}Q! Hoare's notation!! P{B S1}Q, P{~B S2}Q! P{if B then S1 else S2 }Q! Proof rules (continued}! rules of consequence! [P {S} Q Q R] P {S} R! [P {S} Q R P] R {S} Q! Hoare's notation! P {S} R, R Q! P {S} Q! P R, R {S} Q! P {S} Q!

An Example: Wensley's Algorithm! Procedure Wensley (P: input, Q: input, E: input, Y: output); --assume 0 P<Q, 0< E! Declare P, Q, E, Y, A, B, D real;! A :=0.0; B :=Q / 2.0; D :=1.0; Y := 0.0;! Do_While (D>=E)! If (P - A - B >= 0.0) then {Y := Y+(D / 2.0); A := A+B};! B :=B / 2.0; D := D / 2.0;! End_do;! End Wensley;! Wensleyʼs Algorithm! Input P, Q, E A 0.0 B Q/2 D 1.0 Y 0.0 A0! AF! AI! D E P-A-B 0.0 Y Y+(D/2.0) A A+B B B/2.0 D D/2.0

What does Wensley's algorithm do?! Approximating P/Q (=Y) with error E! On the kth iteration of the loop! A k = a 1 Q2-1 + a 2 Q2-2 +... + a k Q2 -k a i {0,1}! B k = Q2 -k! D k = 2 -k! Y k = a 1 2-1 + a 2 2-2 +... + a k 2 -k a i {0,1}! Input P, Q, E A 0.0 B Q/2 D 1.0 Y 0.0 D E A0! AI! AF! P-A-B 0.0 Y Y+(D/2.0) A A+B B B/2.0 D D/2.0 What does Wensley's algorithm do?! since 0 P/Q<1, then P/Q can be estimated as a sum of the series a 1 2-1 + a 2 2-2 +... + a k 2 -k!!a i {0,1}! therefore! Y k is the computed value of the quotient! given Y k, A k is the computed dividend P! D k is the computed error! P-(A k + B k ) says when to add 2 -(k+1) to Y k+1 (a k+1 = 1)! B k = 2 -(k+1) * Q!

Assertions! Initial:!A 0 : {(0 P<Q) (0< E)}! computed quotient! Final:!A F : {((P/Q-E)<Y (P/Q))}! Intermediate:!!!A I : {(A=Q*Y) (B=Q*(D/2))!! (k 0, k integer D=2 -k )!!! ((P/Q)-D)<Y (P/Q)}! computed error! Y is within the computed error D of P/Q! Summary of Four Lemmas Needed! Input P, Q, E I.!Initial assertion, A0, to AI! II.!AI, false branch, to AI! III.! AI, true branch, to AI! IV.! AI, to AF, final assertion! A 0.0 B Q/2 D 1.0 Y 0.0 D E P-A-B 0.0 A0! AI! AF! Y Y+(D/2.0) A A+B B B/2.0 D D/2.0 Lemmas called verification conditions

A 0 : Initial Assertion! Lemma I: A 0 to A I! code { (0 P < Q) (0 < E)! Input P, Q, E! A 0;! B Q/2;! D 1;! Y 0;! A I :! A = Q * Y! B = Q * D/2! D = 2 -k, k = 0! P/Q - D < Y P/Q! Input P, Q, E A 0.0 B Q/2 D 1.0 Y 0.0 A0" A" 1" Lemma I: A 0 to A I! A 0 : Initial Assertion! (0 P < Q) Λ (0 < E) { Input P, Q, E! code A 0;! B Q/2;! D 1;! Y 0; A 1 :! A = Q * Y! B = Q * D/2! D = 2 -k,k=0! P/Q - D < Y P/Q! Proof:! 1) A = 0; Q *Y = Q * 0 = 0!A = Q *Y! 2) B = Q/2 = Q * 1/2 = Q*D/2! 3) D = 1 = 2-0! 4) P/Q - 1 < Y = 0 P/Q because 0 P/Q < 1 given by input assertion!

Lemma II: A I, false branch, A I A I :! A = Q * Y! B = Q * D/2! D = 2 -k for some integer k! P/Q - D < Y P/Q! D E [constraint]! } code P - A - B < 0 [constraint]!!b B/2!!D D/2! D E A" I" P-A-B 0.0 B B/2.0 D D/2.0 AI: A = Q * Y!!B = Q * D/2!!D = 2 -(k+1)! P/Q - D < Y P/Q! Proof of lemma II! Need to establish that A1 is a correct relation among variable values after loop execution, based on assumption that A1 was correct among variable values before loop execution! Notation:! A, B, D, Y are original values of variables" Aʼ, Bʼ, Dʼ, Yʼ are values " "after loop execution" Symbolic execution gives:! Aʼ = A, Bʼ= B/2; Dʼ = D/2; Yʼ = Y" D E A" I" P-A-B 0.0 B B/2.0 D D/2.0

A = Q * Y! B = Q * D/2! D = 2 -k for some integer k! P/Q - D < Y P/Q! Proof of Lemma II! (Symbolic execution shows Aʼ = A, Bʼ= B/2; Dʼ = D/2; Yʼ = Y)! Proof:! 1) Aʼ = A = Q * Y = Q * Yʼ D E [constraint]! P - A - B < 0 [constraint]!!b B/2!!D D/2! Aʼ = Q * Yʼ!!Bʼ = Q * Dʼ/2!!Dʼ = 2 -(k+1) for some integer k!!p/q - Dʼ < Yʼ P/Q! } 2) Bʼ= B/2= (Q * D/2)/2 =(Q * 2Dʼ/2)/2 = Q*Dʼ/2 3) Dʼ = D/2= 2 -k /2 = 2 -k-1 =2 -(k+1) 4) a)p-a-b < 0 (constraint )! P - Q * Y - Q * D/2 < 0! P/Q - Y - D/2 < 0 (uses Q > 0)! P/Q - D/2 < Y! but Dʼ = D/2, so P/Q - Dʼ < Yʼ! b)y P/Q => Yʼ P/Q! Lemma III: AI; True branch; AI! AI: A = Q * Y! B = Q * D/2! D = 2 -k for some integer k! P/Q - D < Y P/Q! D E [constraint]! P - A - B 0 [constraint]!!y Y+(D/2.0)!!A A+B!!B B/2!!D D/2! AI: Aʼʼ = Q * Yʼʼ!!Bʼʼ = Q * Dʼʼ/2!!Dʼʼ = 2 -(k+1) for some integer k!!p/q - Dʼʼ < Yʼʼ P/Q! D E P-A-B 0.0 B B/2.0 D D/2.0 A" 1" A" F" Y Y+(D/2.0) A A+B From symbolic execution we know:! Aʼʼ = A + B; Bʼʼ = B / 2; Dʼʼ = D / 2; Yʼʼ = Y + D / 2;! We also know: P - A - B 0 and D E!

AI: A = Q * Y! B = Q * D/2! D = 2 -k for some integer k! P/Q - D < Y P/Q! D E [constraint]! P - A - B 0 [constraint]!!y Y+(D/2.0)!!A A+B!!B B/2!!D D/2! AI: Aʼʼ = Q * Yʼʼ!!Bʼʼ = Q * Dʼʼ/2!!Dʼʼ = 2 -(k+1) for some integer k!!p/q - Dʼʼ < Yʼʼ P/Q! Proof Lemma III! From symbolic execution we know:! Aʼʼ = A + B; Bʼʼ = B / 2; Dʼʼ = D / 2; Yʼʼ = Y + D / 2;! We also know: P - A - B 0 and D E! Proof:! 1) Aʼʼ = A + B = Q*Y + Q*(D/2) = Q(Y + D/2) =Q * Yʼʼ 2) Bʼʼ = B/2 = Q * D/2/2 = Q * Dʼʼ/2 3) Dʼʼ= D/2 = 2 (-K-1) = 2 -(k+1) 4) a) P - A - B 0 P - Q *Y - Q * (D/2) 0! P/Q - D/2 Y P/Q - D/2 Yʼʼ - D/2! P/Q Yʼʼ!!! b) P/Q - D < Y P/Q - D < Yʼʼ - D/2! P/Q - D/2 < Yʼʼ P/Q - Dʼʼ <Yʼʼ! Lemma IV AI,AF AI, false, AF! AI" AF" D E

Lemma IV! A I : (A=Q*Y) (B=Q*(D/2)) (k 0, k integer D=2 -k )!!! ((P/Q)-D)<Y (P/Q)! D < E ] code! A F: ((P/Q-E)<Y (P/Q))! Proof:! Given ((P/Q)-D)<Y (P/Q) and (D < E)! ((P/Q)-E)<((P/Q)-D)<Y (P/Q) A F! This is only partial correctness! Must also prove termination! In general, can not prove termination! For most programs, can usually do it by showing that each loop must terminate For our example: given that (E>0) observe that D decreases on each iteration and E does not change Thus, eventually D<E and the loop terminates! Input P, Q, E A 0.0 B Q/2 D 1.0 Y 0.0 D E P-A-B 0.0 A0! AI! AF! Y Y+(D/2.0) A A+B B B/2.0 D D/2.0

Observations! Proofs are long, tedious & often hard! Assertions are hard to get right! Invariants are difficult to get right.! need to be invariant, but also need to support overall proof strategy! Proofs themselves often require deep program insight! Often require axioms about the domain! Deeper Issues! Unsuccessful proof attempt???! incorrect software! incorrect assertions! incorrect placement of assertions! inept prover! any combination (or all) of the above! Although failed proofs often indicate which of the above is likely to be the problem (especially to an astute prover)!

Deeper Issues! Undecidability of Predicate calculus -- no way to be sure when you have a false theorem! There is no sure way to know when you should quit trying to prove a theorem (and change something)! Proofs are generally much longer than the software being verified! Suggests that errors in the proof are more likely than errors in the software being verified! Mathematics as a "social process"! Belief in a proof is a social process! Informally describe proof! Distribute an informal write-up to colleagues! Formal write-up is refereed! Accepted paper gets read by wider audience! Proof/Theorem is used! Increases confidence! Despite this, mathematical proofs are often wrong!

Specification Problem! Real programs are not captured by simple mathematical algorithms! E.g. This software correctly identifies faces! Error processing issues! User interface issues! Resulting specifications are! Large! Mathematically unappealing! Probably not complete! Hard to capture intent! Specification Problem! Specification & program are not independent representations! Proof not 'mathematically' sound! Very labor intensive! Loop invariants - usually manual! Input and output assertions - manual! Verification conditions - can be automated!

Software Tools Can Help! Proof Checkers:! Scrutinize the steps of a proof and determine if they are sound! Identify the rule(s) of inference, axiom(s), etc. needed to justify each step! How to know if the proof checker is right (verify it? with what?...)! Software Tools Can Help! Verification Assistants! Facilitate precise expression of assertions! Accept rules of inference! Accept axioms! Construct statements of needed lemmas! Check proofs! Assist in construction of proofs (theorem provers)!

Human/computer collaboration! Most successful -- human/computer collaboration!» Human architects the proof!» Computer attempts the proof (generally by exhaustive search of space of possible axioms and inferences at each step)!» Human intervention after computer has tried for a while! Current Status:! Have verified some non-trivial programs or important parts of programs! e.g., protocol verification! Improved theorem provers! Improved specification languages! Verification and testing/analysis research now viewed more as a continuum testing--> finite state verification--> verifications!

Summary! Verification has had a very positive impact on software engineering! major argument for structured programming!» Dijkstra's "goto's considered harmful" letter!» one-in one-out structures easier to reason about! major impetus for abstract data types!» centralized all changes to a data structures!» input/output assertions for all operations! Formal Development! Start with assertions, develop software artifacts to fulfill them! A top-down approach! Very popular in Europe: A hard sell in the U.S.! Need to prove lemmas in higher level software dictates the functional requirements (eg. input/output assertion) pairs of lower level software artifacts.! Also suggests the use of libraries of reusable verified software artifacts for commonly needed utilities! This is Component-based software development!

Integration of Testing Analysis and Formal Methods! Testing! --Is dynamic in nature, entailing execution of the program! --Requires skillful selection of test data to assure good! exercising of the program! --Can show program executing in usage environment! --Can support arbitrarily detailed examination of virtually! any program characteristics and behavior! --Is generally not suitable for showing absence of faults! Analysis! --Is static, operating on abstract program representations! --Supports definitive demonstration of absence of faults! --Generally only for certain selected classes of faults! Formal Methods! --Most through, rigorous, mathematical! --Apply primarily to checking functional characteristics! --Most human and cost intensive! The types of capabilities are complementary; suggests need for skillful integration! Definitive reasoning benefits from both static and dynamic analysis techniques! Religious wars of the 70ʼs! Need testing to validate the ground truth! Need static analysis to evaluate more than just what can be examined with testing! Testing and analysis techniques currently being developed to work together! Testing -> Bug -> property -> verification -> counter examples -> feasibility analysis -> test cases -> testing!

DEVOLOP! CODE! CODE! STATIC! ANALYSIS FOR! CODE FLAWS! PATHS WITH FLAWS! SYMBOLIC! EXECUTION! ERRORS! ERROR FEEDBACK (FIX ERRORS)! ERRORS! FOUND! NO! ERRORS! FOUND! CODE! ERRORS! ERRORS! FULLY! INSTRUMENTED! CODE! DYNAMIC! TESTING! DEVELOP! ASSERTIONS! INSERT! TEST! PROBES! STATIC! ANALYSIS FOR! PROBE REMOVAL! SYMBOLIC! EXECUTION! CONSTRAINT! SOLUTION! CODE WITH! SOME PROBES! REMOVED! PATH! SELECTION! PATHS! THROUGH! PROBES! VERIFICATION FEEDBACK (GET MORE COMPLETE ASSERTIONS)! Testing & Analysis Process Architecture! No Need To Restrict this only to Code! Much of this is applicable to non-code artifacts! Payoffs from detecting faults is greater the earlier it takes place! How to apply this to non-code?!

DEVELOPMENT PHASES! Requirements! Specification! Architecting! Implementation! Designing! Coding! System Test! Plan! Software Sys.! Test Plan! TEST PLANNING! Integration! Test Plan! Unit! Test! Plan! System! Testing! Software! Sys Testing! Integration! Testing! Unit Testing! TESTING PHASES!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback