7100-Program Reasoning-week1

  • Understanding what formal methods are, and why they are useful.
  • Understanding the concepts of soundness and completeness.
  • Reviewing first-order predicate logic – operators, properties and simple proofs.

Introduction

        formal methods
                - A formal specification
                - A formal proof

1. Correctness

        A program can only be said to be correct with respect to a specification.

2. Specification in Dafny

        Precondition: requires
        Postcondition: ensures

3. Assert

        Assertions can be used for debugging.

// Double is not shown in the original notes; this minimal version is assumed so the example verifies.
method Double(x: int) returns (r: int)
    ensures r == 2 * x
{
    r := 2 * x;
}

method Triple(x: int) returns (r: int)
    ensures r == 3 * x
{
    if x > 0 {
        var y := Double(x);
        r := x + y;
    } else {
        var y := Double(-x);
        r := x - y;
    }
    assert r == 10 * x; // error
    assert r < 5;
    assert false; // error
}

       My own understanding: is r<5 correct?
               When an assert fails, the asserts checked after it assume that the failed assertion holds. So (r==10*x && r== 3*x) ==> r==0 ==> r<5.

     assert r==10*x; //error
     assert r==0;
     assert r<5;
     assert false; //error

                assert false; is normally an error. But if the two asserts above it are mutually exclusive errors, then the following assert false; is true, and in that situation any assert written after it is also true.

    assert r == 10*x; //error
    assert r != 10*x; //error
    assert false;
    assert r == 33;
    assert r == r+1;
    assert r == -1;

        So after assert false; (whether it is an error or true), every following assert is reported as correct.

        3.1.exercises 1.2

function F(): int {
    29
}
method M() returns (r: int) {
    r := 29;
}
method Caller() {
    var a := F();
    var b := M();
    assert a == 29; // CORRECT
    assert b == 29; // error: M has no postcondition, so nothing is known about b
}

        assert a == 29; is correct because we reason about a function by its definition instead of by a specification.
        assert b == 29; is an error because for a method we consider the specification only.
        NOTE.1
                methods are opaque
                functions are transparent

    3.2.exercises 1.2

method Index(n: int) returns (i: int)
    requires 1 <= n
    ensures 0 <= i < n
{
    i := n / 2;
}
method Caller() {
    var x := Index(50);
    var y := Index(50);
    assert x == y; // fail: the postcondition allows x and y to differ
}

        assert x == y fails because the specification is not precise enough.
        NOTE.2 While the specification allows any value, the implementation can be and most often is deterministic. This important idea is called underspecification.

4. Function

       4.1.Function definition

function Average(a: int, b: int): int {
    (a + b) / 2
}

                a) No output parameters.
                b) Expression, not a statement.
                c) Functions are transparent. We reason by definition, not by a specification.

        4.2.Ghost Function

ghost function Fib(n: nat): nat {
    if n < 2 then n else Fib(n - 2) + Fib(n - 1)
}

method ComputerFib(n: nat) returns (r: nat)
    ensures r == Fib(n)
{
    r := Fib(n); // error: a ghost function cannot be called from compiled code
}

                a) nat == non-negative integers (0, 1, 2, ...)
                b) ghost indicates the function won't be compiled
                c) it can be used in specifications only
        NOTE.3 Assertions, preconditions and postconditions are all ghost.

        4.3.Partial Function

function Average(a: int, b: int): int
    requires a >= 0 && b >= 0
{
    (a + b) / 2
}

                the call r := Average(2*x, 4*x) carries an implicit instruction to check the precondition at the call site:
                        assert 2*x >= 0 && 4*x >= 0
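An added example (not from the original notes) that ties 3.2 and 4.3 together: Index gets a second postcondition that removes the underspecification, so the caller can now prove x == y, and a caller of the partial Average establishes the precondition through its own requires clause. The method Caller and its parameter x are assumed here.

```dafny
method Index(n: int) returns (i: int)
    requires 1 <= n
    ensures 0 <= i < n
    ensures i == n / 2        // pins the result down: Index is no longer underspecified
{
    i := n / 2;
}

function Average(a: int, b: int): int
    requires a >= 0 && b >= 0
{
    (a + b) / 2
}

// Assumed caller: the requires clause is what discharges Average's precondition below.
method Caller(x: int)
    requires x >= 0
{
    var p := Index(50);
    var q := Index(50);
    assert p == q;                  // provable from the postcondition alone (method is opaque)

    // Implicit check at this call: assert 2*x >= 0 && 4*x >= 0, which follows from x >= 0.
    var r := Average(2 * x, 4 * x);
    assert r == 3 * x;              // provable because a function is transparent: (6*x)/2 == 3*x
}
```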

5. Soundness VS Completeness

        The Dafny verifier is sound but not complete.

                sound: if it proves the program correct, the program is correct (some correct programs it cannot prove)
                complete: if it cannot prove the program correct, the program is incorrect (Dafny does not guarantee this)

6. First-order Predicate Logic

        6.1.short-circuiting

                    e.g. d > 0 && a == c/d (√, the left operand guards the division)
                        a == c/d && d > 0 (×, c/d is evaluated before d > 0 is known)

        6.2.Commonly used logic laws

                   A ==> B == !A||B
                   A ==> (B ==> C) == (A && B) ==> C
                   A ==> (B && C) == (A ==> B) && (A ==> C)

                  true ==> A == A      A==>true == true
                  false==> A == true   A==>false == !A
                        
                   A||(B&&C) == (A||B) && (A||C)
                   A&&(B||C) == (A&&B) || (A&&C)

7. Summary

        This week mainly covered some of Dafny's basic features (method, function, assert) and what each of them is for. Finally it covered the predicate logic laws, which will be used later when computing the weakest precondition.
