
TAP: Tests and Proofs, 12 February 2007

Testing and Verifying Invariant Based Programs in the SOCOS Environment

Ralph-Johan Back, Johannes Eriksson and Magnus Myreen

Åbo Akademi University, Turku, Finland
Turku Centre for Computer Science
Centre for Reliable Software Technology

Approaches

(diagram relating four artefacts: program code, contracts, invariants, verification conditions)

- "a posteriori verification"
- "constructive approach"
- "invariant based programming"

Example: Sort an array!

Start with a pre-/postcondition specification:

  Precondition:   A: Int[N], A = A0
  Postcondition:  A: Int[N], Sorted(A,0,N), Permutation(A,A0)

Example: Sort an array!

  Precondition:   A: Int[N], A = A0
  Postcondition:  A: Int[N], Sorted(A,0,N), Permutation(A,A0)

Extract the common invariant (A: Int[N], Permutation(A,A0)) shared by both situations, then construct a loop.

Example: Sort an array!

  Precondition:      A = A0
  Postcondition:     Sorted(A,0,N)
  Common invariant:  A: Int[N], Permutation(A,A0)

  LOOP situation:
    k: Int
    0 ≤ k ≤ N
    Sorted(A,0,k)
    ∀i,j:Int • 0≤i<k ∧ k≤j<N ⇒ A[i]≤A[j]

(picture of the array with indices 0, k, N: A[0..k-1] is sorted, A[k..N-1] is unsorted, and every element of the sorted part is less than or equal to all of A[k..N-1]!)

Add initial transition

Example: Sort an array!

Initial transition k := 0 from the precondition into LOOP.

What needs to be checked? Substituting k := 0 into the LOOP invariant gives the condition that the precondition (A: Int[N], A = A0) must establish:

  0: Int
  0 ≤ 0 ≤ N
  Sorted(A,0,0)
  ∀i,j:Int • 0≤i<0 ∧ 0≤j<N ⇒ A[i]≤A[j]
  A: Int[N]
  Permutation(A,A0)

Example: Sort an array!

Add exit transition [k=N] from LOOP to the postcondition. The condition is trivial:

  Sorted(A,0,k) ∧ k=N ⇒ Sorted(A,0,N)

Example: Sort an Array!

Add loop transition from LOOP back to LOOP:

  [k<N]
  m := min(A,k,N);
  A := A[ k←A[m], m←A[k] ];
  k := k+1

Verification condition: from the LOOP invariant for A and k together with the transition,

  k<N
  m = min(A,k,N) ∧ A' = A[ k←A[m], m←A[k] ]

the invariant must hold again for the new values A' and k+1:

  A': Int[N]
  Permutation(A',A0)
  k+1: Int
  0 ≤ k+1 ≤ N
  Sorted(A',0,k+1)
  ∀i,j:Int • 0≤i<k+1 ∧ k+1≤j<N ⇒ A'[i]≤A'[j]



Example: Sort an Array!

Transitions so far:

  k := 0
  [k=N]
  [k<N] A := Swap(A,k,min(A,k,N)); k := k+1

Add a termination function: 0 ≤ N-k

  Variant decreases:    N-(k+1) < N-k
  Bounded from below:   0≤k≤N ⇒ 0≤N-k



The SOCOS Tool

"Software COnstruction Site"

- An editor for invariant diagrams
- Higher-order specifications and formal semantics
- Goal: higher assurance
  - Testing: find common errors
  - Extended static checking: find common errors and insufficient (too weak) invariants
  - Interactive proofs: total correctness

SOCOS User Interface

(screenshot of the SOCOS user interface)

Program Constructs

- Procedures with pre- and postconditions
- Statements: if .. fi, assignment, assertion, procedure call
- Simple data types: integers, booleans, strings, arrays
- Data invariants

Testing/Debugging

(screenshot of testing and debugging in SOCOS)

Formal Verification

- Verification conditions can be generated for the whole program, or for a single procedure/transition/situation
- Verification conditions are generated and sent to external proof tools
- Three types of verification conditions:
  - Consistency (for transitions)
  - Completeness (for situations)
  - Termination (for loops)

Consistency

Each transition should establish its target. For a transition S from situation I1 to situation I2:

  I1 ⇒ wp(S, I2)

Completeness (liveness)

At least one transition from each (non-terminal) situation should be enabled. With S* standing for the choice (if … fi) between all transitions leaving situation I, where a transition whose guard does not hold is shown as magic in the diagram:

  I ⇒ ¬wp(S*, False)

Termination

Every transition S_j in a cycle must not increase V (for all j):

  I_j ∧ V=V0 ⇒ wp(S_j, 0≤V≤V0)

At least one transition S_k in the cycle must decrease V (for some k):

  I_k ∧ V=V0 ⇒ wp(S_k, 0≤V<V0)

Backends

- Testing: the diagram is converted to a Python program, with run-time evaluation of invariants
- Static checking: verification conditions are sent to Simplify, a fully automatic prover
- Full verification: PVS is used for full verification of the final components

Higher assurance → (from testing through static checking to full verification)
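Added example, not the output of SOCOS's own Python backend: the selection-sort invariant diagram built in the earlier slides, written as a Python program in which every situation invariant and the termination function are evaluated at run time, as the testing backend does. It also runs a constructed defective loop transition to show a run-time invariant check firing. Function names such as sort_checked, loop_transition and bad_transition are assumptions of this example.

```python
def sorted_between(a, lo, hi):
    """Sorted(A, lo, hi): A[lo..hi-1] is non-decreasing."""
    return all(a[i] <= a[i + 1] for i in range(lo, hi - 1))

def permutation(a, a0):
    """Permutation(A, A0): A and A0 hold the same multiset of elements."""
    return sorted(a) == sorted(a0)

def loop_situation(a, a0, k):
    """The LOOP invariant of the diagram, evaluated on concrete values."""
    n = len(a)
    return (0 <= k <= n and sorted_between(a, 0, k) and permutation(a, a0)
            and all(a[i] <= a[j] for i in range(k) for j in range(k, n)))

def index_of_min(a, lo, hi):
    """min(A, lo, hi): index of a least element of A[lo..hi-1]."""
    return min(range(lo, hi), key=lambda i: a[i])

def loop_transition(a, k):
    """[k<N] A := Swap(A, k, min(A,k,N)); k := k+1   (the slides' transition)."""
    m = index_of_min(a, k, len(a))
    a[k], a[m] = a[m], a[k]
    return k + 1

def bad_transition(a, k):
    """Constructed defect: swaps A[k] with the minimum of the whole array,
    which can destroy Sorted(A,0,k); the run-time check must catch it."""
    m = index_of_min(a, 0, len(a))
    a[k], a[m] = a[m], a[k]
    return k + 1

def sort_checked(a0, transition=loop_transition):
    a, n, k = list(a0), len(a0), 0               # initial transition k := 0
    assert loop_situation(a, a0, k), "initial transition fails to establish LOOP"
    while k < n:                                 # guard [k<N]
        v0 = n - k                               # termination function V = N-k
        k = transition(a, k)
        assert loop_situation(a, a0, k), "loop transition breaks the invariant"
        assert 0 <= n - k < v0, "variant not decreased or not bounded below"
    # exit transition [k=N]: Sorted(A,0,k) with k=N gives the postcondition
    assert sorted_between(a, 0, n) and permutation(a, a0), "postcondition fails"
    return a

def run(a0, transition=loop_transition):
    """Return (True, sorted copy) or (False, message) when a check fired."""
    try:
        return True, sort_checked(a0, transition)
    except AssertionError as e:
        return False, str(e)
```

Running run([3, 1, 2], bad_transition) reports the broken invariant on the second iteration, which is exactly the kind of common error the testing backend is meant to find before any proof attempt.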

Conclusion and Future Work

- Specifications and invariants are the main building blocks
- Correct programs can be developed incrementally
- Currently used in teaching program semantics
- Future work:
  - Scalability: refinement, object-orientation
  - Larger case studies
  - Background checking
  - Test case generation

Thank You

http://mde.abo.fi/SOCOS