Introduction to Software

Verification

Orna Grumberg

Lectures Material
winter 2017-18
Lecture 2
 Part 1 of the course

Program Correctness
• Non-automated
• Verifies program with possibly
infinite number of states
• Refers to the programs as
input-output transformation

3
Ingredients for Formal Verification

1. Specification language
• With formal semantics

2. Programming language
• with formal semantics

3. Proof rules
• For proving “Program P has the property $”
 More notations
• z - bottom : the undefined value

• val(
) denotes the final state of
computation  (if exists)
– val() = k if  = (1, …, k)
– val() = z if  = (1,2,…)
•  is an infinite computation

•  ~ q(x̅ ) if q(x̅ ) is true when free variables

in q are replaced with matching values in 
 Partial Correctness
• For every computation  and every
state 0 :

(0 ~ q1(x̅ ) and val((P, 0)) ≠ z) u

val((P, 0)) ~ q2(x̅ )

• Notation: {q1}P{q2}
 Total Correctness

• For every computation  and every

state 0 :

0 ~ q1(x̅ ) u
val((P, 0)) ~ q2(x̅ )

• Notation: <q1>P<q2>
 Logical Variables in Specifications
Add fresh variables which are
– not part of the program and therefore
– their value does not change during the execution
of the program

Convention:
Use logical variable X to preserve the value of
variable x

Assertions q1 ,q2 are defined over x̅ that includes

program variables as well as logical variables
Ingredients for Formal Verification

1. Specification language
• With formal semantics

2. Programming language
• with formal semantics

3. Proof rules
• For proving “Program P has the property $”
 “Programming language”

• Program are described as flowcharts

• The “programming language” is called
PLF
 Flowchart: Example
Pidiv::

 : start

 : (q,r) ≔ (0,x₁)

T F

: r≥x₂

: (q,r) ≔ (q+1,r-x₂)
∗ : halt

 Flowcharts: Syntax
Commands
1. Start – program entry point

2. Assignment – 
≔, where ̅ is a list of pairwise distinct
program variables, and ̅ is a list (of the same length as ̅ )
of expressions over program variables
E.g (x,y):=(y-1,x⋅y)

3. Test – a Boolean expression B(̅ ) over the program

variables

4. Halt – an exit point of the program

Each command has a distinct label
∈  , where 

is a finite set of labels for program P
 Flowcharts: Syntax (cont.)

A program P∈PLF is a finite directed

graph with labeled commands as nodes,
satisfying the following restrictions:

• A start node is unique, has no predecessors

and only one successor
• A halt node has no successors
• An assignment node has exactly one successor
 Flowcharts: Syntax (cont.)

• A test node has two successors, with two

labeled edges, one with T and the other with F
• Every node resides on a directed path from a
start node to a halt node
• Different nodes have different labels, where
– l0 labels the start node
– l* labels the halt node
 Paths in flowcharts

• A path in a flowchart program P is a

sequence of consecutive nodes in the
graph
• A path is full if it begins with a start
node, and ends with a halt node
• A path is maximal if it is full or infinite
Operational semantics of flowcharts

•  - program state
– assignment for all program variables

• Configuration of a program is a pair

C=<
,> such that
–
∈ is a flowchart label (value of the
program counter) and
–  is a state
Operational semantics of flowcharts

• A configuration is halting if
=
∗

• A configuration is initial if
=
 ,
denoted 
 Relation t Over Configurations
<
,> t <
′,′> iff the node labeled
 is a
successor of the node labeled
, and one of the
following holds:

•
is the start node and ′ = 

•
is a node with test B(̅ ),  ⊨ (), the
edge from
to
′ is labeled with T, and
 = 
•
is a node with test B(̅ ),  ⊨ ¬ (
), the
edge from
to
′ is labeled with F, and
 = 
 Relation t Over Configurations
•
is an assignment 
≔ and   = [xr(e)]

Explanation:
Let ̅ = (x1, …,xn), ̅ = (e1, …,en) then
– ′(y) =  # for y ≠ xi
– ′(xi) = (ei)

Example: (x,y) := (x+1, y⋅x)

σ(x)=2, σ(y)=5, σ(z)=7
σ’(x)=3, σ’(y)=10, σ’(z)=7
 Relation t Over Configurations
• t* marks the transitive closure of t

• Computation from configuration C is

denoted (C)
• (C) = C0,C1,… is a maximal sequence of
configurations such that C=C0 and for
every iú0, Ci t Ci+1
• If (C) is finite, it ends with a halting
configuration
 Definition of val() - revisited
• val((C)) =
’ if C t
* (l , ’)
*
z if (C) is infinite

• The meaning or semantics of a

program P is:
M[P]() = val((P,))
Ingredients for Formal Verification

1. Specification language
• With formal semantics

2. Programming language
• with formal semantics

3. Proof rules
• For proving “Program P has the property $”
In order to define the proof method we
need the following definitions

• Let $ be a finite path in P, we associate

with $ two semantic characteristics
 Semantic characteristics

• A reachability condition is a condition

on states at the beginning of $ that
guarantees that control will traverse $.

• It is denoted by %& 

 Semantic characteristics

• A state transformation is a sequence

of expressions over ̅ , describing for
each xi , its value at the end of $

• It is denoted by '& 

 Computing R!( ) and T!( )
Let $ =
() , … ,
(, be a finite path in P.
Starting from m=k down to m=0:

Initially
-./ ̅ = ̅ 0./ ̅ = 123
 Computing R!( ) and T!( )
Given 0.45 ̅ and -.45 ̅

1. For start in
(6

-.4 ̅ = -.45 ̅ 0.4 ̅ = 0.45 ̅
Type equation here.
2. For E
 ≔  in
(6
-.4 ̅ = -.45 ̅ # ← ̅
G.4 ̅ = G.45 ̅ [# ← ̅ ]
 Computing R!( ) and T!( )
Given 0.45 ̅ and -.45 ̅

3. For ) in
(6
(
-.4 ̅ = -.45 ̅
– If
(6JK is the T-son of
(6 0.4 ̅ = 0.45 ̅ ∧ (
)
– If
(6JK is the F-son of
(6 0.4 ̅ = 0.45 ̅ ∧ ¬ (
)
 Semantic characteristics:
example
Let the initial state be:   = 2,  # = 3.
If -. , # = # + 1, 
then
/  =  # + 1 = 4, / # =   = 2

If R!(̅ ) = x> y
Then, since 2>3 is false, the path τ will not
be traversed from the initial state
 Semantic characteristics

Lemma:
For a finite path $ =
() , … ,
(, in P and
a state  ,
• $ is traversed from  iff  ⊨ 0. ̅
• If the path ends at
(, with state /
then / =  ̅ ← -. ̅
 Floyd Proof Rule for Partial Correctness

To prove {q₁}P{q₂} :

1. Choose a set of cut points such that:

i. start and halt are cut points
ii. every cycle in the graph of P contains at least one
cut point

2. For every cut point
find an inductive

assertion RS ̅ , such that RS) ̅ = T (̅ ),
RS∗ ̅ = T (̅ )
A basic path
,
 is a path from
to
′
such that
,
′ are cut points, and those are
the only cut points in the path
 Floyd Proof Rule for Partial Correctness
(cont.)

3. For every basic path U =
,
 prove:

∀̅ RS ̅ ∧ 0W ̅ → RSY -W ̅

If we successfully applied the proof rule

for some invariants we will write
⊢[ \] ^ \_
 Floyd Proof Rule for Partial Correctness
(cont.)

Remark:
We have reduced a proof of {q₁}P{q₂} to a proof in
first order logic.

We will assume that every assertion is provable

iff it is true (in ℤ)
• We have an oracle of all true FOL statements
 Proof: Example

Pidiv::

 : start T (̅ )

 : (q,r) ≔ (0,x₁)

R(̅ )
T
: r≥x₂ F

: (q,r) ≔ (q+1,r-x₂)
∗ : halt T (̅ )

 Proof: Example

We need to show:
T ̅ ∧ 0S) Sa ̅ → R -S)Sa ̅
R ̅ ∧ 0Sa Sa ̅ → R -SaSa ̅
R ̅ ∧ 0Sa S∗ ̅ → T -SaS∗ ̅

We choose
b  ,  , T, 2, c , c =
 = c ∧  = c ∧ (c = Tc + 2) ∧ 2 ≥ 0
We assume all variables are in ℤ
 Proof: Example

Where,
T  ,  , T, 2, c , c =
 = c ∧  = c ∧  ≥ 0 ∧  > 0
T  ,  , T, 2, c , c =
(c = Tc + 2) ∧ 0 ≤ 2 < c
We assume all variables are in ℤ
 Proof: Example
For example for the basic path
,
=
,
,

we have:
0SaSa ̅ = h ≥ _
-SaSa  ,  , T, 2, c , c =  ,  , \ + ], h − _ , c , c

So we need to prove:
 = c ∧  = c ∧ c = Tc + 2 ∧ 2 ≥ 0 ∧ h ≥ _

 = c ∧  = c ∧
→
c = (\ + ])c + (h − _ ) ∧ h − _ ≥ 0
 Floyd Proof Rule for Partial
Correctness

Soundness of Floyd proof system (F):

If dF { q₁ } P { q₂ }
then Ñ { q₁ } P { q₂ }