CS256/Winter 2007 — Lecture #8 Zohar Manna

81 Finding Inductive Assertions: Top-Down Approach

Assertion propagation: we have previously proven χ and we want to prove ϕ, but

  { χ ∧ ϕ } τ { ϕ }

is not state-valid for some τ ∈ T. What is the problem? (assuming that ϕ is indeed an invariant)

82 Top-Down Approach (Cont'd)

[Diagram: the state space Σ, with the set of ϕ-states, the set of ϕ ∧ χ-states and the P-accessible states, and a τ-transition leading out of the ϕ-set.]

Solution: Take the largest set of states that will result in a ϕ-state when τ is taken. How?

83 Precondition of ϕ w.r.t. τ

  pre(τ, ϕ) : ∀V′. (ρτ → ϕ′)

[Diagram: the set pre(τ, ϕ) and the set ϕ, with the τ-transitions leaving pre(τ, ϕ)-states landing inside ϕ.]

A state s satisfies pre(τ, ϕ) iff all τ-successors of s satisfy ϕ.

Note: s trivially satisfies pre(τ, ϕ) if it does not have any τ-successors (i.e., τ is not enabled in s).

84 Precondition of ϕ w.r.t. τ (Cont'd)

Example:

  V : { x } integer
  ρτ : x > 0 ∧ x′ = x − 1
  ϕ : x ≥ 2

  pre(τ, ϕ) : ∀x′. ( x > 0 ∧ x′ = x − 1  →  x′ ≥ 2 )
                      (the antecedent is ρτ, the consequent is ϕ′)
            ⇔ x > 0 → x − 1 ≥ 2
            ⇔ x ≤ 0 ∨ x ≥ 3

[Diagram: a τ-step from a state at position j, labelled x ≤ 0 ∨ x ≥ 3, to a state at position j+1, labelled x ≥ 2.]

85 Properties of pre(τ, ϕ)

By the definition of pre(τ, ϕ),

  { χ ∧ ϕ ∧ pre(τ, ϕ) } τ { ϕ }

is guaranteed to be state-valid.

[Diagram: the sets ϕ, ϕ ∧ χ and the P-accessible states, with the τ-transitions now staying inside ϕ.]

But we have to justify adding the conjunct pre(τ, ϕ) to the antecedent. This can be done in two ways:

  1. Incremental: prove the invariance of pre(τ, ϕ)
  2. Strengthening: prove the invariance of ϕ ∧ pre(τ, ϕ)

86 Properties of pre(τ, ϕ) (Cont'd)

Claim: If ϕ is P-invariant then so is pre(τ, ϕ) for every τ ∈ T.

Proof: Suppose ϕ is P-invariant, but pre(τ, ϕ) is not P-invariant. Then there exists a P-accessible state s such that s ⊭ pre(τ, ϕ). But then, by the definition of pre(τ, ϕ), there exists a τ-successor s′ of s such that s′ ⊭ ϕ. Since s is P-accessible, s′ is also P-accessible, contradicting that ϕ is a P-invariant.

87 Properties of pre(τ, ϕ) (Cont'd)

Definition: A transition τ is said to be self-disabling if for every state s, τ is disabled in all τ-successors of s.

Claim: For every assertion ϕ and self-disabling transition τ,

  { ϕ ∧ pre(τ, ϕ) } τ { ϕ ∧ pre(τ, ϕ) }

is state-valid.

Proof: Assume s ⊨ ϕ ∧ pre(τ, ϕ). Then by definition of pre(τ, ϕ), for every τ-successor s′ of s, s′ ⊨ ϕ. Since τ is self-disabling, τ is disabled in all τ-successors s′ of s, and so trivially s′ ⊨ pre(τ, ϕ). Thus for all τ-successors s′ of s, s′ ⊨ ϕ ∧ pre(τ, ϕ).

88 Heuristic

If the verification condition { χ ∧ ϕ } τ { ϕ } is not state-valid: find pre(τ, ϕ) and then

  • Strengthening approach: strengthen ϕ by adding the conjunct pre(τ, ϕ), and prove the invariance of ϕ ∧ pre(τ, ϕ); or,
  • Incremental approach: prove the invariance of pre(τ, ϕ) and add pre(τ, ϕ) to χ.
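The following worked example is added here and is not part of the lecture slides. It computes pre(τ, ϕ) for the slide 84 transition (ρτ: x > 0 ∧ x′ = x − 1, ϕ: x ≥ 2) by exhaustive enumeration over a constructed bounded domain of x (the slides work over the unbounded integers; the bound is an assumption of the example so that the ∀V′ quantifier can be checked mechanically), confirms it agrees with the hand-derived x ≤ 0 ∨ x ≥ 3, and then checks the verification conditions of slides 81, 85 and 87. The second transition rho_reset (x > 0 ∧ x′ = 0) is constructed for this example as a self-disabling transition; all function names (successors, pre, state_valid, self_disabling, ...) are the example's own.

```python
"""Added worked example (not from the lecture slides): pre(tau, phi) and the
verification conditions of slides 81-88, computed by enumeration over a
bounded integer domain so that the universal quantifier in
pre(tau, phi) = forall V'. (rho_tau -> phi') can be checked exhaustively."""

from typing import Callable, List

State = int
Assertion = Callable[[State], bool]          # a predicate over V = {x}
Transition = Callable[[State, State], bool]  # rho_tau over (V, V')

# Constructed bounded domain for x; an assumption of this example, since the
# slides work over the unbounded integers.
DOMAIN = range(-5, 11)


def successors(rho: Transition, s: State, domain=DOMAIN) -> List[State]:
    """All tau-successors of s within the domain."""
    return [t for t in domain if rho(s, t)]


def pre(rho: Transition, phi: Assertion, domain=DOMAIN) -> Assertion:
    """pre(tau, phi): s satisfies it iff every tau-successor of s satisfies phi.
    A state with no successors (tau disabled) satisfies it vacuously (slide 83)."""
    return lambda s: all(phi(t) for t in successors(rho, s, domain))


def state_valid(p: Assertion, rho: Transition, q: Assertion, domain=DOMAIN) -> bool:
    """{p} tau {q} is state-valid iff every tau-successor of a p-state is a q-state."""
    return all(q(t) for s in domain if p(s) for t in successors(rho, s, domain))


def self_disabling(rho: Transition, domain=DOMAIN) -> bool:
    """tau is self-disabling iff it is disabled in every tau-successor (slide 87)."""
    return all(not successors(rho, t, domain)
               for s in domain for t in successors(rho, s, domain))


# The slide 84 example: rho_tau: x > 0 and x' = x - 1, phi: x >= 2.
def rho_dec(x: State, xp: State) -> bool:
    return x > 0 and xp == x - 1


def phi_ge2(x: State) -> bool:
    return x >= 2


def closed_form_pre(x: State) -> bool:
    """The slide's hand-computed pre(tau, phi): x <= 0 or x >= 3."""
    return x <= 0 or x >= 3


def pre_matches_closed_form(domain=DOMAIN) -> bool:
    """Enumerated pre(tau, phi) agrees with the closed form on every state."""
    p = pre(rho_dec, phi_ge2, domain)
    return all(p(x) == closed_form_pre(x) for x in domain)


def vc_holds(chi: Assertion, phi: Assertion, rho: Transition, domain=DOMAIN) -> bool:
    """The original verification condition {chi and phi} tau {phi} (slide 81)."""
    return state_valid(lambda s: chi(s) and phi(s), rho, phi, domain)


def strengthened_vc_holds(chi: Assertion, phi: Assertion, rho: Transition,
                          domain=DOMAIN) -> bool:
    """{chi and phi and pre(tau, phi)} tau {phi}: state-valid by construction (slide 85)."""
    p = pre(rho, phi, domain)
    return state_valid(lambda s: chi(s) and phi(s) and p(s), rho, phi, domain)


def self_disabling_claim_holds(rho: Transition, phi: Assertion, domain=DOMAIN) -> bool:
    """{phi and pre(tau, phi)} tau {phi and pre(tau, phi)}, the triple of slide 87."""
    p = pre(rho, phi, domain)

    def both(s: State) -> bool:
        return phi(s) and p(s)

    return state_valid(both, rho, both, domain)


# Constructed second transition for the self-disabling case: x > 0 and x' = 0.
# Its only successor has x = 0, where the guard x > 0 is false, so tau is
# disabled there: the transition is self-disabling.
def rho_reset(x: State, xp: State) -> bool:
    return x > 0 and xp == 0


def true_chi(_: State) -> bool:
    """chi = true: nothing has been proven yet."""
    return True


if __name__ == "__main__":
    print("pre matches x <= 0 or x >= 3:", pre_matches_closed_form())
    print("{phi} tau {phi} state-valid:", vc_holds(true_chi, phi_ge2, rho_dec))
    print("{phi and pre} tau {phi} state-valid:",
          strengthened_vc_holds(true_chi, phi_ge2, rho_dec))
    print("decrement self-disabling:", self_disabling(rho_dec))
    print("reset self-disabling:", self_disabling(rho_reset))
    print("slide 87 triple for reset, phi = x <= 5:",
          self_disabling_claim_holds(rho_reset, lambda x: x <= 5))
    print("same triple for the decrement:", self_disabling_claim_holds(rho_dec, phi_ge2))
```

The last two checks show why slide 87 needs the self-disabling hypothesis: for the decrement transition, ϕ ∧ pre(τ, ϕ) is x ≥ 3, and the state x = 3 steps to x = 2, which satisfies ϕ but not pre(τ, ϕ), so the strengthened assertion is not preserved by τ and the heuristic of slide 88 would have to be applied again; for the self-disabling reset transition the triple holds for any ϕ, exactly as the claim states.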