CSE 3341.03 Winter 2008 Introduction to Program Verification

CSE 3341.03 Winter 2008Introduction to Program Verification

calculating with wp

symbex: swap example (p. 30)//{ X = 'old X' and Y = 'old Y' }void swap(X, Y);//{ X = 'old Y' and Y = 'old X' }//{ true } swap(&a, &b); ... cannot show true implies OLD(b)=b and OLD(a)=a for swap(&a, &b). // assert: old b=a // -- assertion is verified. how?

//{ old b=a and old a=b } symbex can show that if the swap pre-condition is satisfied (instantiated with a and

b), then the conclusion 'old a' = b is valid, but cannot prove a = 'old a' and b = 'old b'.

"we're trying to prove that the pre-condition for the swap procedure is satisfied. In this context, that follows from the fact that 'OLD'(X) = X ->> true

before the swap procedure is executed."But this violates the intended interpretation of rewrite rules. (The rule

is a 'timeless' mathematical equality.)

Solution: either assume the desired pre-conditionfor a "manual" proof, or assert the pre-condition for the specific call swap(&a, &b).

assert a pre-condition alternative: add //{'old a' = a and 'old b' = b } as a pre-

condition

//{ a = 'old a' and b = 'old b' } swap(&a,&b); // assert: old b=a // -- assertion is verified.

//{ old b=a and old a=b }

why weakest post-condition? if we can calculate wp(S, Q), we can test

any other proposition directly, using just logic and axioms, without further calculation:

(P implies wp(S, Q)) implies {P} S {Q}.why? see p. 35-36

(if (P implies wp(S, Q)) then P is a pre-condition)

wp: the bigger picture working backwards from goal to initial state:

goal-directed backward chainingcf. stimulus-response, forward chaining

important concept in AI: if-then is "blind";

• based on what is true at the moment;• doesn't need representation

selecting an action, based on goal uses a represention of what is not true at the moment

• more "intelligent"

the null statement wp(";", Q) = Q

is this a theorem? a definition, an axiom?

we could extend wp to create new statement typeswp("swap(A, B);", A = X and B = Y )

A = Y and B = X.

calculating wp conditional statements:

wp(“if (B) S1 else S2”, Q)

B and wp(S1, Q) or not B and wp(S2, Q)

wp(“if (B) S1”, Q)

B and wp(S1, Q) or not B and Q

using implication?

Exercise 9.1 substitute definition of wp("if(B) S", Q) into

wp(“if (B)S”, Q) iff (B implies wp(S, Q)) and (not B implies Q)

and rewrite it as a proposition that can be checked by wang:

(b and wp(s, q) or not b and q) iff (b implies

wp(s, q) and (not b implies q)

switch statement: exercise 9.2 wp(“switch (C) {

case L1:S1; break;

case L2:S2 ; break;

. . . case Ln:Sn ; break;

default S}”, Q) C=L1 and wp(S1, Q) or . . .

C=Ln and wp(Sn, Q) or

assignment statement: examples wp(“R = Exp;” Q) = Q[Exp / R]) wp(“x = f(y)”, x**2 - y /x > 0) = ?

= f(y)**2 - y/f(y) > 0

wp(“x = x*3”, odd(x)) = odd(x*3) ->> odd(x).

exercise 9.3 ? wp(“a[i+3] = 7;”, a[4] = x) = (i = 1 and x = 7)what’s wrong here?

correct answer:wp(“a[i+3] = 7;”, a[4] = x) = wp(“a = change(a, i+3, 7);”

array(a, 4) = x)

now use the rule for assignment to calculate the wp:(array(a, 4) = x)[change(a, i+3, 7)/a] =(array(change(a, i+3, 7), 4) = x) =(i + 3 = 4 and x = 7) or (x = array(a, i+3))

wp does it correctly compare with what wp calculates:

// PRE: (i+3=4 implies x=7) and (not i+3=4 implies array(a, i+3)=x)

->> (i=1 implies x=7)and (not i=1 implies array(a, i+3)=x)

wp's input loop a note on using wp

input loop designed differently than symbex• symbex input loops on the statements in a single

code segment wp loops on multiple code segments

• allows you to experiment and explore within wp• don’t have to repeatedly re-execute wp and reload

the files.• so ^D causes a prompt for the next input• How to escape?

• a 2nd ^D, or enter “stop”

examples % wp (^D's not shown) |:x = (x=1); y = y+1; % S (code)|://{ x = y} % Q (goal)|:// PRE: (y+1=x)=1 % wp(S, Q)

|:x = x+1; y = y+1;|://{ x = y }|:// PRE: y+1=x+1

|:x = (x-y)*(x+y);|://{x + y**2 <> 0}|:// PRE: x*x<>0

array references|: b[i] = i; % b = change(b, i, i);|: //{ b[b[i]] = i } |: ^D

// PRE: true

|:a[x] = a[x+1];|://{ a[0] = 0}|:// PRE: array(change(a, x, array(a, x+1)), 0)=0

impossible goal|:x =1; //{x = 0}

// PRE: false % how was this computed?Goal is impossible.

Exercise 9.7|:if(m < y) m = y; // {m = max(m, y)}|: % is this correct?

// PRE: y<=y and m<y or y<=m and not m<y

->> ?

exercise 9.9(a)|://{ r = n*n } n= n+1; r= '??'; //{ r = n*n } |:// PRE: n*n+n*2+1= ??Initial condition may not be compatible with the goal.Cannot prove n*n=r implies n*n+n*2+1= ??.

|://{ r = n*n } n= n+1; r= n*n+n*2+1; //{ r = n*n }|:// PRE: n*2*2+n*n+2+1=n*n+n*2 ->> ?Initial condition may not be compatible with the goal.Cannot prove n*n=r implies n*2*2+n*n+2+1=n*n+n*2.

exercise 9.9(a) continued|://{ r = n*n and n = -3/2} n= n+1; r= n*n+n*2+1; //{ r = n*n }|:// PRE: n*2*2+n*n+2+1=n*n+n*2Initial condition is compatible with the goal.

what was proved?why not (as in the text example): "Initial condition achieves

the goal."?

termination (p. 45) interpret {P} as {computational states s: P

is true in s}. What can we say about {P} if {P} S {true}?

Suppose, for some initial state s,wp(S, true) is false -- but this contradicts the definition of wp(S, P), so wp(S, true) is true in all and only those initial states in which S terminates.