Strengthening vs. Incremental Proof

Temporal Verification of Reactive Systems: Safety

Info icon This preview shows pages 1–4. Sign up to view the full content.

CS256/Winter 2007 — Lecture #7 Zohar Manna 7-1 Strengthening vs. Incremental Proof Comparing the Strategies We want to prove 0 q , but q is not inductive. We have two options: 1 Strengthening Strengthen it to q ϕ . Prove 0 ( q ϕ ) and deduce 0 q . 2 Incremental First prove 0 ϕ and then prove 0 q relative to ϕ . Resulting verification conditions: 1 I1. Θ q ϕ I2. { q ϕ } T { q ϕ } 2 I1’. Θ ϕ I2’. { ϕ } T { ϕ } 0 ϕ I1”. Θ q I2”. { q ϕ } T { q } 0 q 7-2 Strengthening vs. Incremental Proof (Con’t) 1 is strictly more powerful than 2 . 2 implies 1 since ρ τ ϕ ϕ 0 | {z } I2’ ρ τ q ϕ q 0 | {z } I2” [ ρ τ q ϕ q 0 ϕ 0 | {z } I2 ] In practice, 2 is often more useful than 1 allows breaking down the proof in more manage- able pieces smaller verification conditions more intuitive 7-3 Strengthening vs. Incremental Proof (Con’t) Example: local x : integer where x = 1 0 : loop forever do h 1 : x := x + 1 i Show q 1 : at - 0 x > 0 q 2 : at - 1 x > 0 both are P -valid neither of them is inductive but q 1 q 2 is inductive! 7-4
Image of page 1

Info icon This preview has intentionally blurred sections. Sign up to view the full version.

Combining the Strategies Rule inc-inv : (incremental invariance) For assertions q , ϕ , χ 1 ,. . . , χ k I0. P q 0 χ 1 , . . . , 0 χ k I1. P q ( k ^ i =1 χ i ) ϕ q I2. P q Θ ϕ I3. P q n ( k ^ i =1 χ i ) ϕ o T { ϕ } P q 0 q If ϕ satisfies I2 and I3, we say that ϕ is inductive relative to χ 1 , . . . χ k 7-5 Combining the Strategies (Con’t) Note that Θ must be stronger than all the χ i ’s (i.e., P q Θ χ i ) and so P q k ^ i =1 χ i Θ ϕ iff P q Θ ϕ From now on, we usually omit “ P q ” and “ P q ”. 7-6 Detecting Trivial Verification Conditions { ϕ } T { ϕ } Don’t check every τ ∈ T . Ignore { ϕ } τ I { ϕ } always true Ignore { ϕ } τ { ϕ } if τ does not modify any variable in ϕ For { ϕ } τ { ϕ } where ϕ : p q ρ τ p q | {z } ϕ p 0 q 0 | {z } ϕ 0 Consider only τ ’s that validate p or falsify q 7-7 Finding Inductive Assertions Two methods: 1. Bottom-up: based on the program text only algorithmic guaranteed to produce an inductive invariant 2. Top-down: guided by the property we want to prove heuristic not guaranteed to produce an inductive invariant 7-8
Image of page 2
Finding Inductive Assertions Bottom-Up Approach Transition-validated assertions: 1 : [ while c do S ]; 2 : at - 2 → ¬ c if no statement parallel to 2 can modify variables in c 1 : y := e ;
Image of page 3

Info icon This preview has intentionally blurred sections. Sign up to view the full version.

Image of page 4
This is the end of the preview. Sign up to access the rest of the document.
  • '
  • NoProfessor
  • Yi, i=1, D. E. Marsh, linear invariants, ne + nf

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern