
Lecture 17: Wrapup & Questions . Runtime-Verification . - PowerPoint PPT Presentation



Topic Area Code Quality Assurance: Content

• Introduction and Vocabulary (VL 14)
  • Test case, test suite, test execution.
  • Positive and negative outcomes.
• Limits of Software Testing (VL 15)
• Glass-Box Testing
  • Statement-, branch-, term-coverage
• Testing: Rest (VL 16)
  • When to stop testing?
  • Model-based testing
  • Testing in the development process
• Program Verification
  • Partial and total correctness
  • Proof System PD
  • Other Approaches (VL 17)
  • Runtime verification
  • Review
• Formal Program Verification
  • Proof System PD
  • The Verifier for Concurrent C
  • Assertions, Modular Verification, VCC
• Runtime-Verification
  • Assertions, LSC-Observers
• Reviews
  • Roles and artefacts
  • Review procedure
  • Stronger and weaker variants
• Code QA Techniques Revisited
  • Test, Runtime-Verification, Review, Static Checking, Formal Verification
• Do's and Don'ts in Code QA
• Dependability
• Software quality assurance wrap-up

Softwaretechnik / Software-Engineering, Lecture 17: Wrapup & Questions, 2017-07-24
Prof. Dr. Andreas Podelski, Dr. Bernd Westphal, Albert-Ludwigs-Universität Freiburg, Germany

Recall: Deterministic Programs

Syntax:
$S ::= \mathit{skip} \mid u := t \mid S_1 ; S_2 \mid \mathit{if}\ B\ \mathit{then}\ S_1\ \mathit{else}\ S_2\ \mathit{fi} \mid \mathit{while}\ B\ \mathit{do}\ S_1\ \mathit{od}$
where $u \in V$ is a variable, $t$ is a type-compatible expression, and $B$ is a Boolean expression.

Semantics (induced by the following transition relation), with states $\sigma : V \to \mathcal{D}(V)$:
(i) $\langle \mathit{skip}, \sigma \rangle \to \langle E, \sigma \rangle$
(ii) $\langle u := t, \sigma \rangle \to \langle E, \sigma[u := \sigma(t)] \rangle$
(iii) $\dfrac{\langle S_1, \sigma \rangle \to \langle S_2, \tau \rangle}{\langle S_1 ; S, \sigma \rangle \to \langle S_2 ; S, \tau \rangle}$
(iv) $\langle \mathit{if}\ B\ \mathit{then}\ S_1\ \mathit{else}\ S_2\ \mathit{fi}, \sigma \rangle \to \langle S_1, \sigma \rangle$, if $\sigma \models B$
(v) $\langle \mathit{if}\ B\ \mathit{then}\ S_1\ \mathit{else}\ S_2\ \mathit{fi}, \sigma \rangle \to \langle S_2, \sigma \rangle$, if $\sigma \not\models B$
(vi) $\langle \mathit{while}\ B\ \mathit{do}\ S\ \mathit{od}, \sigma \rangle \to \langle S ; \mathit{while}\ B\ \mathit{do}\ S\ \mathit{od}, \sigma \rangle$, if $\sigma \models B$
(vii) $\langle \mathit{while}\ B\ \mathit{do}\ S\ \mathit{od}, \sigma \rangle \to \langle E, \sigma \rangle$, if $\sigma \not\models B$

$E$ denotes the empty program; define $E ; S \equiv S ; E \equiv S$.
Note: the first component of $\langle S, \sigma \rangle$ is a program (structural operational semantics (SOS)).

Example: Consider the program
$S \equiv a[0] := 1;\ a[1] := 0;\ \mathit{while}\ a[x] \neq 0\ \mathit{do}\ x := x + 1\ \mathit{od}$
and a state $\sigma$ with $\sigma \models x = 0$.
$\langle S, \sigma \rangle$
$\xrightarrow{(ii),(iii)} \langle a[1] := 0;\ \mathit{while}\ a[x] \neq 0\ \mathit{do}\ x := x + 1\ \mathit{od}, \sigma[a[0] := 1] \rangle$
$\xrightarrow{(ii),(iii)} \langle \mathit{while}\ a[x] \neq 0\ \mathit{do}\ x := x + 1\ \mathit{od}, \sigma' \rangle$
$\xrightarrow{(vi)} \langle x := x + 1;\ \mathit{while}\ a[x] \neq 0\ \mathit{do}\ x := x + 1\ \mathit{od}, \sigma' \rangle$
$\xrightarrow{(ii),(iii)} \langle \mathit{while}\ a[x] \neq 0\ \mathit{do}\ x := x + 1\ \mathit{od}, \sigma'[x := 1] \rangle$
$\xrightarrow{(vii)} \langle E, \sigma'[x := 1] \rangle$
where $\sigma' = \sigma[a[0] := 1][a[1] := 0]$.

Input/Output Semantics of Deterministic Programs

Definition. Let $S$ be a deterministic program.
(i) The semantics of partial correctness is the function $M\llbracket S \rrbracket : \Sigma \to 2^{\Sigma}$ with
$M\llbracket S \rrbracket(\sigma) = \{ \tau \mid \langle S, \sigma \rangle \to^{*} \langle E, \tau \rangle \}$.
(ii) The semantics of total correctness is the function $M_{tot}\llbracket S \rrbracket : \Sigma \to 2^{\Sigma \cup \{\bot\}}$ with
$M_{tot}\llbracket S \rrbracket(\sigma) = M\llbracket S \rrbracket(\sigma) \cup \{ \bot \mid S \text{ can diverge from } \sigma \}$.
$\bot$ is an error state representing divergence.

Note: $M_{tot}\llbracket S \rrbracket(\sigma)$ has exactly one element, $M\llbracket S \rrbracket(\sigma)$ at most one.

Example: $M\llbracket S_1 \rrbracket(\sigma) = M_{tot}\llbracket S_1 \rrbracket(\sigma) = \{ \tau \mid \tau(x) = \sigma(x) \wedge \tau(y) = \sigma(x)^2 \}$, $\sigma \in \Sigma$.
(Recall: $S_1 \equiv y := x;\ y := (x - 1) \cdot x + y$)

Correctness of Deterministic Programs

Definition. Let $S$ be a program over variables $V$, and $p$ and $q$ Boolean expressions over $V$.
(i) The correctness formula $\{p\}\ S\ \{q\}$ ("Hoare triple") holds in the sense of partial correctness, denoted by $\models \{p\}\ S\ \{q\}$, if and only if
$M\llbracket S \rrbracket(\llbracket p \rrbracket) \subseteq \llbracket q \rrbracket$.
We say $S$ is partially correct wrt. $p$ and $q$.
(ii) A correctness formula $\{p\}\ S\ \{q\}$ holds in the sense of total correctness, denoted by $\models_{tot} \{p\}\ S\ \{q\}$, if and only if
$M_{tot}\llbracket S \rrbracket(\llbracket p \rrbracket) \subseteq \llbracket q \rrbracket$.
We say $S$ is totally correct wrt. $p$ and $q$.

Proof-System PD (for sequential, deterministic programs)

Axiom 1: Skip-Statement
$\{p\}\ \mathit{skip}\ \{p\}$

Axiom 2: Assignment
$\{p[u := t]\}\ u := t\ \{p\}$

Rule 3: Sequential Composition
$\dfrac{\{p\}\ S_1\ \{r\},\ \{r\}\ S_2\ \{q\}}{\{p\}\ S_1 ; S_2\ \{q\}}$

Rule 4: Conditional Statement
$\dfrac{\{p \wedge B\}\ S_1\ \{q\},\ \{p \wedge \neg B\}\ S_2\ \{q\}}{\{p\}\ \mathit{if}\ B\ \mathit{then}\ S_1\ \mathit{else}\ S_2\ \mathit{fi}\ \{q\}}$

Rule 5: While-Loop
$\dfrac{\{p \wedge B\}\ S\ \{p\}}{\{p\}\ \mathit{while}\ B\ \mathit{do}\ S\ \mathit{od}\ \{p \wedge \neg B\}}$

Rule 6: Consequence
$\dfrac{p \to p_1,\ \{p_1\}\ S\ \{q_1\},\ q_1 \to q}{\{p\}\ S\ \{q\}}$

Theorem. PD is correct ("sound") and (relatively) complete for partial correctness of deterministic programs, i.e. $\vdash_{PD} \{p\}\ S\ \{q\}$ if and only if $\models \{p\}\ S\ \{q\}$.
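The following is an added example, not code from the lecture slides or their authors: a small Python interpreter for the deterministic while-language above that implements transition rules (i) to (vii) as a step function, derives $M\llbracket S \rrbracket$ and $M_{tot}\llbracket S \rrbracket$ from it, and checks $\models \{p\}\ S\ \{q\}$ and $\models_{tot} \{p\}\ S\ \{q\}$ on a finite sample of states (a test of the definition, not a proof). The program encoding as nested tuples, the representation of arrays as dicts, and the approximation of divergence by a step bound are assumptions of this example; the programs $S$ and $S_1$ are the ones from the slides, the diverging loop is constructed to show where partial and total correctness differ.

```python
import copy

# Added example, not from the lecture slides: an interpreter for the deterministic
# while-language. Programs are nested tuples, states are dicts, and expressions
# and conditions are Python callables on the state (all of this is an assumption).
E = None           # the empty program E
BOTTOM = "bottom"  # the error state representing divergence

def update(sigma, lhs, value):
    """sigma[u := value]; lhs is a variable name or ('a', index_fn) for an array cell."""
    tau = copy.deepcopy(sigma)
    if isinstance(lhs, tuple):
        name, index_fn = lhs
        tau[name][index_fn(sigma)] = value
    else:
        tau[lhs] = value
    return tau

def step(S, sigma):
    """One transition <S, sigma> -> <S', tau> following SOS rules (i)-(vii)."""
    kind = S[0]
    if kind == "skip":                                   # (i)
        return E, sigma
    if kind == "assign":                                 # (ii)
        _, lhs, t = S
        return E, update(sigma, lhs, t(sigma))
    if kind == "seq":                                    # (iii), using E; S == S
        _, S1, S2 = S
        S1_next, tau = step(S1, sigma)
        return (S2 if S1_next is E else ("seq", S1_next, S2)), tau
    if kind == "if":                                     # (iv) and (v)
        _, B, S1, S2 = S
        return (S1, sigma) if B(sigma) else (S2, sigma)
    if kind == "while":                                  # (vi) and (vii)
        _, B, body = S
        return (("seq", body, S), sigma) if B(sigma) else (E, sigma)
    raise ValueError(f"unknown statement kind {kind!r}")

def run(S, sigma, max_steps=10_000):
    """Run <S, sigma> to <E, tau>. Divergence is approximated (assumption) by a step bound."""
    steps = 0
    while S is not E:
        if steps >= max_steps:
            return BOTTOM, steps
        S, sigma = step(S, sigma)
        steps += 1
    return sigma, steps

def M(S, sigma):
    """Partial-correctness semantics M[[S]](sigma): the final state, or nothing on divergence."""
    tau, _ = run(S, sigma)
    return [] if tau is BOTTOM else [tau]

def M_tot(S, sigma):
    """Total-correctness semantics M_tot[[S]](sigma): always exactly one element."""
    tau, _ = run(S, sigma)
    return [tau]

def holds_partial(p, S, q, states):
    """Check |= {p} S {q} on a finite sample of states: M[[S]]([[p]]) subset of [[q]]."""
    return all(q(tau) for sigma in states if p(sigma) for tau in M(S, sigma))

def holds_total(p, S, q, states):
    """Check |=_tot {p} S {q} on a sample; bottom is never in [[q]], so divergence fails."""
    return all(tau is not BOTTOM and q(tau)
               for sigma in states if p(sigma) for tau in M_tot(S, sigma))

# Constructed programs: the slides' S (array search) and S1 (y := x^2), plus a diverging loop.
S_EXAMPLE = ("seq", ("assign", ("a", lambda s: 0), lambda s: 1),
             ("seq", ("assign", ("a", lambda s: 1), lambda s: 0),
                     ("while", lambda s: s["a"][s["x"]] != 0,
                               ("assign", "x", lambda s: s["x"] + 1))))
S1 = ("seq", ("assign", "y", lambda s: s["x"]),
             ("assign", "y", lambda s: (s["x"] - 1) * s["x"] + s["y"]))
DIVERGE = ("while", lambda s: True, ("skip",))

if __name__ == "__main__":
    print(run(S_EXAMPLE, {"x": 0, "a": {}}))   # ({'x': 1, 'a': {0: 1, 1: 0}}, 5)
    print(M(S1, {"x": 5, "y": 0}))             # [{'x': 5, 'y': 25}]
    print(M(DIVERGE, {}), M_tot(DIVERGE, {}))  # [] ['bottom']
```

Running `S_EXAMPLE` from a state with $x = 0$ reproduces the five-step computation on the slide, and the diverging loop shows the asymmetry the definitions encode: `holds_partial` accepts $\{\mathit{true}\}\ \mathit{while}\ \mathit{true}\ \mathit{do}\ \mathit{skip}\ \mathit{od}\ \{\mathit{false}\}$ because $M\llbracket S \rrbracket(\sigma)$ is empty, while `holds_total` rejects it because $\bot \notin \llbracket q \rrbracket$.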
