Software Testing and Verification Lecture Notes 21 · Software Testing and Verification Lecture Notes 21. Overview of Functional Verification Topics Lecture Notes #21 - Functional

Functional Verification I

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Lecture Notes 21

Overview of Functional Verification Topics

Lecture Notes #21 - Functional Verification I

• Introduction

• Tasks in program reading, writing, and verification

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Lecture Notes #22 - Functional Verification II

• Correctness conditions and working correctness questions: sequencing and decision statements

Lecture Notes #23 - Functional Verification III

• Iteration Recursion Lemma (IRL) (Very Cool!)

• Termination predicate: term(f,P)

• Correctness conditions for while_do statement

• Correctness conditions for repeat_until statement

• Subgoal Induction

Overview of Functional Verification Topics

Overview of Functional Verification Topics

Lecture Notes #24 - Functional Verification IV

• Thinking about invariants again

• Invariant Status Theorem: q(X) (EXTREMELY Cool!)

– An important corollary

– Interesting properties of q(X)

• While Loop Initialization

• Utility of IST

Topics:

• Introduction

• Tasks in program reading, writing, and verification

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Topics:

• Introduction

• Verifying correctness in program reading, writing, and validation

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Introduction

• What is functional verification?

A methodology originally developed by Mills for verifying program correctness with respect to an intended function specification.

It represents a viable alternative to the axiomatic verification method developed by Hoare and Floyd.

Introduction (cont’d)

• References:

Linger, Mills, & Witt, Structured Programming: Theory and Practice, Addison-Wesley, 1979.

Dunlop & Basili, “A Comparative Analysis of Functional Correctness,” Computing Surveys,

Vol. 14, No. 2, June 1982.†

Linger, “Cleanroom Software Engineering for Zero-Defect Software,” Proceedings, 15th Int. Conf. on Soft. Eng. (1993), IEEE Computer Society Press.†

† Required readings.

Topics:

• Introduction

• Tasks in program reading, writing, and verification

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Tasks in Program Reading, Writing, and

Verification

• Program Reading:

– Abstract a given program construct(e.g., an if_then_ else statement) into a hypothesized function f.

– To confirm that your understanding of the program is correct, show:

Tasks in Program Reading, Writing, and

Verification

• Program Reading:

– Abstract a given program construct(e.g., an if_then_ else statement) into a hypothesized function f.

– To confirm that your understanding of the program is correct, show:

f = [if p then G else H]

Tasks in Program Reading, Writing, and

Verification (cont’d)

• Program Writing:

– Expand a given function f into a hypothesized program construct (e.g., an if_then_else statement).

– To confirm that your expansion of finto a program is correct, show:

Tasks in Program Reading, Writing, and

Verification (cont’d)

• Program Writing:

– Expand a given function f into a hypothesized program construct (e.g., an if_then_else statement).

– To confirm that your expansion of finto a program is correct, show:

f = [if p then G else H]

Tasks in Program Reading, Writing, and

Verification (cont’d)

• Program Verification:

– You are given both function f and its hypothesized program expansion (e.g., an if_then_ else statement).

– To confirm the correctness of the hypothesized program expansion with respect to f, show:

Tasks in Program Reading, Writing, and

Verification (cont’d)

• Program Verification:

– You are given both function f and its hypothesized program expansion (e.g., an if_then_ else statement).

– To confirm the correctness of the hypothesized program expansion with respect to f, show:

f = [if p then G else H]

Tasks in Program Reading, Writing, and

Verification (cont’d)

• In all three cases, the final task is to confirm the equivalence (or more typically, subset relationship) of two expressions, each representing the function of a program, i.e., confirmthat f = [P] or f [P].

Topics:

• Introduction

• Tasks in program reading, writing, and verification

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Complete and Sufficient

Correctness

• Given a function f and a program P (claimed to implement f ) , correctness is concerned with one of two questions:

Complete and Sufficient

Correctness

• Given a function f and a program P (claimed to implement f ) , correctness is concerned with one of two questions:

1. Is f = [P] ? (“Is f equivalent to the function computed by P ?”) – A question of complete correctness.

Complete and Sufficient

Correctness

• Given a function f and a program P (claimed to implement f ) , correctness is concerned with one of two questions:

1. Is f = [P] ? (“Is f equivalent to the function computed by P ?”) – A question of complete correctness.

2. Is f [P] ? (“Is f a subset of the function computed by P ?”) – A question of sufficient correctness.

Complete and Sufficient

Correctness (cont’d)

• In the case of complete correctness, P computes the correct values of f for arguments in D(f) only; [P] is undefined (P does not terminate) for arguments outside D(f).

• In the case of sufficient correctness, Pmay compute values from arguments not in D(f).

• Note that, by definition,

f = [P] implies f [P]

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Sufficient (only)

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Sufficient (only)

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Complete/Sufficient

Sufficient (only)

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Complete/Sufficient

Sufficient (only)

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Neither

Complete/Sufficient

Sufficient (only)

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Neither

Complete/Sufficient

Sufficient (only)

(X,Y)f (X,Y)[P]

Correctness Relationships

f

[P] f

[P]

[P], f f[P]

(X,Y)f (X,Y)[P]

(X,Y)f (X,Y)[P] (X,Y)f (X,Y)[P]

Neither

Complete/Sufficient

Sufficient (only)

Neither

Example

• For integers x,y consider the function:

f = (y≥0 x,y := x+y,0)

and the programs:

P1 = while y>0 do x,y := x+1,y-1

P2 = while y<>0 do x,y := x+1,y-1

Example

• For integers x,y consider the function:

f = (y≥0 x,y := x+y,0)

and the programs:

P1 = while y>0 do x,y := x+1,y-1

P2 = while y<>0 do x,y := x+1,y-1

Use heuristics to hypothesize functions for P1 and P2 and compare these to f.

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := ?,?

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := ?,?

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := ?,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := ?,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

f = (y≥0 x,y := x+y,0)

√

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := ?,?

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0 (since y=0)

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

f = (y≥0 x,y := x+y,0)

√

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := ?,?

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := x,y

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := x,y

f = (y≥0 x,y := x+y,0)

So, is f = [P1]?

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := x,y

f = (y≥0 x,y := x+y,0)

So, is f = [P1]? no

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := x,y

f = (y≥0 x,y := x+y,0)

Is f [P1]?

Example (cont’d)

• Consider

P1 = while y>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := x,y

f = (y≥0 x,y := x+y,0)

Is f [P1]? yes

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

f = (y≥0 x,y := x+y,0)

√

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

f = (y≥0 x,y := x+y,0)

√

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 x,y := ?,?

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 infinite loop (i.e., “undefined”)

f = (y≥0 x,y := x+y,0)

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 infinite loop

f = (y≥0 x,y := x+y,0)

So, is f = [P2]?

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 infinite loop

f = (y≥0 x,y := x+y,0)

So, is f = [P2]? yes

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 infinite loop

f = (y≥0 x,y := x+y,0)

Is f [P2]?

Example (cont’d)

• Consider

P2 = while y<>0 do x,y := x+1,y-1

y>0 x,y := x+(1)y,0

:= x+y,0

y=0 x,y := x,y

:= x+y,0

y<0 infinite loop

f = (y≥0 x,y := x+y,0)

Is f [P2]? yes

Example (cont’d)

• Both programs satisfy sufficient correctness.(Both correctly compute f(x,y) for y≥0.)

• Only P2 satisfies complete correctness. (P1

terminates for negative y.)

Example (cont’d)

• Both programs satisfy sufficient correctness.(Both correctly compute f(x,y) for y≥0.)

• Only P2 satisfies complete correctness. (P1

terminates for negative y.)

But would YOUR MOM approve of writing “misbehaving” programs like P2 ?

Defensive Programming: Handling

Invalid Inputs

• f and P can be redefined to handle invalid inputs:

f’ = (y≥0 x,y,z := x+y,0,z |true x,y,z := x,y,‘error’)

P’ = if y<0 then z := ‘error’ else

while y>0 dox,y := x+1,y-1

end_whileend_if_then_else

• Does f’ = [P’] ?

Exercise

• Given

P = if x>=y then x,y := y,x

f1 = (x>y x,y := y,x | true I)

f2 = (x>y x,y := y,x | x<y I)

f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

f1

f2

P

f3

“Identity” function:x,y := x,y

C=Complete (and Sufficient)

S=Sufficient (only)

N=Neither

Conventional meaning of “P computes f”

• Henceforth, we will follow the lead of Dunlop and Basili (“A Comparative Analysis of Functional Correctness”) and adopt the convention of asserting “P computes f” if and only if f is a subsetof [P].

• That is, for “P to compute f,” no explicit require-ment is made concerning the behavior of P on inputs outside the domain of f.

• Thus, “P computes f,” which we will now write informally as “f=[P],” should henceforth be inter-preted as an assertion of sufficient correctness.

Topics:

• Introduction

• Tasks in program reading, writing, and verification

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Compound Programs and the

Axiom of Replacement

• The algebraic structure of compound program P permits decomposition into a hierarchy of abstractions.

• The proof of correctness of P is thereby decomposed into a proof of correctness of each such abstraction.

Compound Programs and the

Axiom of Replacement (cont’d)

• For example, to show that compound program F implements function f, where

F = if p then G else H

and G, H are themselves programs:

– hypothesize functions g, h and attempt to prove

g = [G] and h = [H]

Compound Programs and the

Axiom of Replacement (cont’d)

– If successful, use the Axiom of Replacement to reduce the problem to proving

f = if p then g else h

– If successful again, you will have proved

f = [F]

Compound Programs and the

Axiom of Replacement (cont’d)

• Thus, the Axiom of Replacement allows one to prove the correctness of complex programs in a bottom-up, incremental fashion.

• In the next lecture, we consider correctness conditions for sequencing and decision statements.

Summary:

• Introduction

• Tasks in program reading, writing, and verification

• Complete and sufficient correctness

• Compound programs and the Axiom of Replacement

Functional Verification I

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Lecture Notes 21