Heuristic Methods for Mechanically Deriving Inductive Assertions
Abstract
Current methods for mechanical program verification require a complete predicate specification on each loop. Because this is tedious and error prone, producing a program with complete, correct predicates is reasonably difficult and would be facilitated by machine assistance. This paper discusses heuristic methods for mechanically deriving loop predicates from their boundary conditions and for mechanically completing partially specified loop predicates.

1. Introduction

Mechanical verification of program correctness is desirable and possible [1]. Given a program, a first-order axiomatization of its semantics, and predicates on the input, the output, and each loop, verification of the output predicate is a mechanical process (cf. [2] and [3] for recent surveys). Input and output predicates are necessary and natural for a programmer to supply. However, completely specifying the predicates on loops is tedious, error prone, and redundant. It is tedious because of the large amount of stereotyped detail required. It is error prone* partly because of the tedium and partly because the notation is less natural than that for procedural steps. It is redundant because the predicates repeat information which is manifest in the program. The purpose of this paper is to show that loop predicates can be derived mechanically** and that partially specified loop predicates can be completed mechanically.

Elspas, Green, Levitt, and Waldinger [5] have independently worked on this problem, using difference equations as an aid to specifying assertions. Cooper has previously studied the problem and observed that an inductive assertion can be obtained by hand by constructing the first few terms of the loop expansion, which generally shows what the infinite union must be. Our method uses a different approach. To generate loop predicates where none are supplied, the output predicate is dragged backward through the program and modified when passing through program units, to produce trial loop predicates. Trial loop predicates which are loop inconsistent are modified according to various heuristics, to generate better trial predicates. Hence it is also possible to accept a programmer-supplied inductive assertion which gives the "essential" idea of some loop and mechanically fill in the details to arrive at a complete, correct loop predicate. Many of the heuristics are domain specific; this paper uses integers and integer arrays as the subject domain.

The paper is divided into five sections. Section 2 illustrates our approach with two simple examples. Section 3 discusses the general method, domain-independent heuristics, and heuristics specific to the integers. Section 4 treats a number of complex examples to show how the heuristics are used and to exhibit their coupling. Section 5 discusses implementation and application of this method.

Notation. Throughout, a simple flowchart language is used. The input predicate is denoted by φ and the output predicate by ω. Unprimed (primed) variables and predicates denote values, and predicates on those values, before (after) control flows through a set of flowchart boxes. The transformation due to a flowchart path $A_{i_1} A_{i_2} \cdots A_{i_n}$ is denoted by $\delta(i_1, i_2, \ldots, i_n)$.

*An example may lend some weight of experience. In his thesis [4], King presents nine programs submitted to the verifier; the most complex of these (Example 9) has an incorrect loop predicate, i.e. the inductive assertion is too weak to be consistent or to imply the desired output predicate. (Since the theorem prover rejected the loop predicate because of an inability to handle multiple quantification, the predicate error was overlooked.)

**In one sense this is trivial. All well-formed predicate expressions for each loop can be enumerated and proofs of correctness dovetailed until one succeeds. If every valid theorem of the subject domain is provable, this will eventually verify the program; otherwise, mechanical verification is not possible in general. Such a procedure is, however, computationally intractable.

†Also at Harvard University, Cambridge, Mass.