# Testing and Verifying Invariant Based Programs in the SOCOS Environment

Uploaded 7 Nov 2013

TAP: Tests and Proofs, 12 February 2007

## Testing and Verifying Invariant Based Programs in the SOCOS Environment

Ralph-Johan Back, Johannes Eriksson and Magnus Myreen

Turku Centre for Computer Science, Centre for Reliable Software Technology, Turku, Finland

## Approaches

Diagram elements: program code, contracts, invariants, verification conditions.

Approaches shown: "a posteriori verification", "constructive approach", "invariant based programming".

## Example: Sort an array!

Pre-/postcondition specification:

- Precondition: A: Int[N], A = A0
- Postcondition: A: Int[N], Sorted(A,0,N), Permutation(A,A0)

## Example: Sort an array!

- Precondition: A: Int[N], A = A0
- Postcondition: A: Int[N], Sorted(A,0,N), Permutation(A,A0)

Steps: extract the common invariant (A: Int[N], Permutation(A,A0)), then construct a loop.

## Example: Sort an array!

- Precondition: A = A0
- Postcondition: Sorted(A,0,N)
- Common invariant: A: Int[N], Permutation(A,A0)
- LOOP situation (nested inside the common invariant): k: Int, 0≤k≤N, Sorted(A,0,k), ∀i,j:Int • 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j]

Picture of the array: positions 0..k-1 are sorted, positions k..N-1 are unsorted, and every element of the sorted part is less than or equal to all of A[k..N-1]!

## Example: Sort an array!

Transition k := 0 from the precondition (A: Int[N], A = A0) into the LOOP situation.

What needs to be checked? The LOOP invariant with 0 substituted for k must follow from the precondition:

- A: Int[N], Permutation(A,A0)
- 0: Int
- 0≤0≤N
- Sorted(A,0,0)
- ∀i,j:Int • 0≤i<0 ∧ 0≤j<N ⇒ A[i]≤A[j]

## Example: Sort an array!

Exit transition [k=N] from LOOP to the postcondition. Trivial:

Sorted(A,0,k) ∧ k=N ⇒ Sorted(A,0,N)

## Example: Sort an Array!

Loop transition [k<N] from LOOP back to LOOP:

m:=min(A,k,N); A:=A[ k←A[m], m←A[k] ]; k:=k+1

Verification condition: assuming the LOOP invariant (A: Int[N], Permutation(A,A0), k: Int, 0≤k≤N, Sorted(A,0,k), ∀i,j:Int • 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j]), the guard k<N and the effect of the transition m=min(A,k,N) ∧ A'= A[ k←A[m], m←A[k] ], the LOOP invariant must hold again for the new values A' and k+1:

- A': Int[N], Permutation(A',A0)
- k+1: Int
- 0≤k+1≤N
- Sorted(A',0,k+1)
- ∀i,j:Int • 0≤i<k+1 ∧ k+1≤j<N ⇒ A'[i]≤A'[j]

## Example: Sort an Array!

Final diagram: k:=0 enters LOOP; from LOOP, [k=N] exits to the postcondition and [k<N] A:=Swap(A,k,min(A,k,N)); k:=k+1 returns to LOOP. The loop carries the variant 0≤N-k.

Variant decreases: N-(k+1) < N-k

Bounded from below: 0≤k≤N ⇒ 0≤N-k

## The SOCOS Tool

"Software COnstruction Site"

- An editor for invariant diagrams
- Higher-order specifications and formal semantics
- Goal: higher assurance
  - Testing: find common errors
  - Extended static checking: find common errors and insufficient (too weak) invariants
  - Interactive proofs: total correctness

## SOCOS User Interface

## Program Constructs

- Procedures with pre- and postconditions
- Statements: if .. fi, assignment, assertion, procedure call
- Simple data types: integers, booleans, strings, arrays
- Data invariants

## Testing/Debugging

## Formal Verification

Verification conditions can be generated for the whole program, or for a single procedure/transition/situation.

Verification conditions are generated and sent to external proof tools.

Three types of verification conditions:

- Consistency (for transitions)
- Completeness (for situations)
- Termination (for loops)

## Consistency

Each transition should establish its target. For a transition S from situation I1 to situation I2:

I1 ⇒ wp(S, I2)

## Completeness (liveness)

At least one transition from each (non-terminal) situation should be enabled. The transitions leaving a situation are if … fi statements; a transition whose guard does not hold behaves as magic. With S* the choice between all transitions leaving situation I, the condition is that S* is not miraculous:

I ⇒ ¬wp(S*, False)

## Termination

Every transition S_j in a cycle must not increase V (for all j, where I_j is the source situation of S_j):

I_j ∧ V=V0 ⇒ wp(S_j, 0≤V≤V0)

At least one transition S_k in the cycle (from I_k to I_k+1) must decrease V (for some k):

I_k ∧ V=V0 ⇒ wp(S_k, 0≤V<V0)

## Backends

- Testing: the diagram is converted to a Python program, with run-time evaluation of invariants
- Static checking: verification conditions are sent to Simplify, a fully automatic prover
- Full verification: PVS is used for full verification of the final components

Higher assurance → (increasing from testing to full verification)
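The selection-sort diagram from the example slides, executed the way the Testing backend describes: the diagram as a Python program with run-time evaluation of the situation invariants, plus run-time checks corresponding to the three verification-condition kinds (consistency, completeness, termination). This is an added example, not code generated by SOCOS; the function names, the checked-execution layout and the constructed inputs are assumptions.

```python
def sorted_on(A, lo, hi):
    # Sorted(A, lo, hi): the segment A[lo..hi-1] is non-decreasing
    return all(A[i] <= A[i + 1] for i in range(lo, hi - 1))

def permutation(A, A0):
    # Permutation(A, A0): same elements with the same multiplicities
    return sorted(A) == sorted(A0)

def loop_invariant(A, A0, k):
    # The LOOP situation of the slides nested in the common invariant
    # Permutation(A, A0): 0 <= k <= N, Sorted(A,0,k), and every element of
    # the sorted prefix is <= every element of the unsorted suffix A[k..N-1]
    N = len(A)
    return (0 <= k <= N
            and sorted_on(A, 0, k)
            and all(A[i] <= A[j] for i in range(k) for j in range(k, N))
            and permutation(A, A0))

def sort_checked(A0):
    """Execute the selection-sort diagram with run-time checks of its three
    verification-condition kinds: consistency (each transition re-establishes
    its target situation), completeness (some guard of LOOP is enabled) and
    termination (variant N-k decreases and stays bounded from below).
    Returns (sorted copy of A0, number of loop transitions taken)."""
    A = list(A0)                       # work on a copy; A0 is the original array
    N = len(A)
    k = 0                              # transition k := 0 into LOOP
    assert loop_invariant(A, A0, k), "consistency: k := 0 breaks LOOP"
    steps = 0
    while True:
        # completeness: the guards [k=N] and [k<N] must cover the situation
        assert k == N or k < N, "completeness: no enabled transition from LOOP"
        if k == N:                     # [k=N]: exit to the postcondition
            assert sorted_on(A, 0, N) and permutation(A, A0), "postcondition"
            return A, steps
        V0 = N - k                     # variant value before the cycle transition
        m = min(range(k, N), key=lambda i: A[i])   # m := min(A,k,N)
        A[k], A[m] = A[m], A[k]        # A := Swap(A,k,m)
        k += 1                         # k := k+1
        steps += 1
        assert loop_invariant(A, A0, k), "consistency: [k<N] breaks LOOP"
        assert 0 <= N - k < V0, "termination: variant did not decrease"
```

Weakening an invariant (for instance dropping the prefix-vs-suffix conjunct from loop_invariant) still lets the run pass, which is exactly the "too weak invariant" case the slides leave to extended static checking rather than testing.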

## Conclusion and Future Work

- Specifications and invariants are the main building blocks
- Correct programs can be developed incrementally
- Currently used in teaching program semantics

Future work:

- Scalability: refinement, object-orientation
- Larger case studies
- Background checking
- Test case generation

Thank You

http://mde.abo.fi/SOCOS