*This preview shows
pages
1–10. Sign up
to
view the full content.*

This
** preview**
has intentionally

**sections.**

*blurred***to view the full version.**

*Sign up*This
** preview**
has intentionally

**sections.**

*blurred***to view the full version.**

*Sign up*This
** preview**
has intentionally

**sections.**

*blurred***to view the full version.**

*Sign up*This
** preview**
has intentionally

**sections.**

*blurred***to view the full version.**

*Sign up*This
** preview**
has intentionally

**sections.**

*blurred***to view the full version.**

*Sign up*
**Unformatted text preview: **CS256/Winter 2007 — Lecture #8 Zohar Manna 8-1 Finding Inductive Assertions Top-Down Approach Assertion propagation we have previously proven χ and we want to prove ϕ but { χ ∧ ϕ } τ { ϕ } is not state-valid for some τ ∈ T . What is the problem? (assuming that ϕ is indeed an invariant) 8-2 Top-Down Approach (Con’d) Σ ϕ τ ϕ ∧ χ P-accessible Solution: Take the largest set of states that will result in a ϕ-state when τ is taken. How? 8-3 Precondition of ϕ w.r.t. τ pre ( τ, ϕ ) : ∀ V . ρ τ → ϕ pre ( τ, ϕ ) ϕ a state s satisfies pre ( τ, ϕ ) iff all τ-successors of s satisfy ϕ . Note: s trivially satisfies pre ( τ, ϕ ) if it does not have any τ- successors (i.e., τ is not enabled in s ). 8-4 Precondition of ϕ w.r.t. τ (Con’d) Example: V : { x } integer ρ τ : x > ∧ x = x- 1 ϕ : x ≥ 2 pre ( τ, ϕ ) : ∀ x . x > ∧ x = x- 1 | {z } ρ τ → x ≥ 2 | {z } ϕ x > → x- 1 ≥ 2 x ≤ ∨ x ≥ 3 j τ j +1 p p x ≤ ∨ x ≥ 3 x ≥ 2 8-5 Properties of pre ( τ, ϕ ) By the definition of pre ( τ, ϕ ) , { χ ∧ ϕ ∧ pre ( τ, ϕ ) } τ { ϕ } is guaranteed to be state-valid. ϕ ϕ ∧ χ τ P-accessible But we have to justify adding the conjunct pre ( τ, ϕ ) to the antecedent. This can be done in two ways: 1. Incremental: prove pre ( τ, ϕ ) 2. Strengthening: prove ( ϕ ∧ pre ( τ, ϕ )) 8-6 Properties of pre ( τ, ϕ ) (Con’d) Claim: If ϕ is P-invariant then so is pre ( τ, ϕ ) for every τ ∈ T . Proof: Suppose ϕ is P-invariant, but pre ( τ, ϕ ) is not P-invariant. Then there exists a P-accessible state s such that s q / pre ( τ, ϕ ) . But then, by the definition of pre ( τ, ϕ ) , there exists a τ-successor s of s such that s q / ϕ . Since s is P-accessible, s is also P-accessible, contradicting that ϕ is a P-invariant. 8-7 Properties of pre ( τ, ϕ ) (Con’d) Definition: A transition τ is said to be self-disabling if for every state s , τ is disabled in all τ-successors of s . Claim: For every assertion ϕ and self-disabling transition τ { ϕ ∧ pre ( τ, ϕ ) } τ { ϕ ∧ pre ( τ, ϕ ) } is state-valid. Proof: Assume s q ϕ ∧ pre ( τ, ϕ ) . Then by definition of pre ( τ, ϕ ) , for every s , τ-successor of s , s q ϕ . Since τ is self-disabling, τ is disabled in all τ-successors s of s , and so trivially s q pre ( τ, ϕ ) Thus for all τ-successors s of s , s q ϕ ∧ pre ( τ, ϕ ) . 8-8 Heuristic If the verification condition { χ ∧ ϕ } τ { ϕ } is not state-valid: Find pre ( τ, ϕ ) and then • Strengthening approach: strengthen ϕ by adding the conjunct pre ( τ, ϕ ) prove ( ϕ ∧ pre ( τ, ϕ )) or, • Incremental approach: prove pre ( τ, ϕ ) and add pre ( τ, ϕ ) to χ ....

View
Full
Document