Program verification involves formally proving that a program satisfies certain properties, such as having no defects, by establishing that the program meets its specification. This is done by defining preconditions and postconditions and using weakest preconditions to reason about how the program transforms states. Testing involves running a program with sample inputs and checking that the outputs are as expected to find defects empirically.

1. Program
verification
and testing
www.tudorgirba.com

2. 1
ne 5 fl ight 50
Aria

3. -25 ac cidents
Therac

4. g
tium F DIV bu
Pen

6. Testing Verification
run the program formally prove that
with a set of inputs and the program
check the output for defects has no defects

7. :
E xample mbers
u
atural n
max of 2 n

8. if (x ≥ y)
max := x
else
max := y
:
E xample mbers
u
atural n
max of 2 n

9. x = 2
y = 3
if (x ≥ y)
max := x
else
max := y
:
E xample mbers
u
atural n
max of 2 n

10. x = 2
y = 3
if (x ≥ y)
max := x
else
max := y
max = 3
:
E xample mbers
u
atural n
max of 2 n

11. :
E xample mbers
u
atural n
max of 2 n

12. if (x ≥ y)
max := x
else
max := y
:
E xample mbers
u
atural n
max of 2 n

13. (x ≥ 0 ∧ y ≥ 0)
if (x ≥ y)
max := x
else
max := y
:
E xample mbers
u
atural n
max of 2 n

14. (x ≥ 0 ∧ y ≥ 0)
if (x ≥ y)
max := x
else
max := y
(max ≥ x) ∧
(max ≥ y) ∧
(max = x ∨ max = y)
:
E xample mbers
u
atural n
max of 2 n

15. computation
information information
computer

16. program
S
{P} {Q}
precondition postcondition

17. Partial correctness
{P} S {Q}
[P] S [Q]
Total correctness

18. Skip
{Q} Skip {Q}
Abort
{P} Abort {False}
Assignment
{Q[x/E]} x := E {Q}

19. P: (x > 1)
S: x := x + 1
le
Examp

20. P: (x > 1)
S: x := x + 1
Q: (x > 2)
le
Examp

21. S: x := x + 2
Q: (x = y)
le
Examp

22. P: (x = y - 2)
S: x := x + 2
Q: (x = y)
le
Examp

23. {P} S1 {Q} , {Q} S2 {R}
Sequence
{P} S1;S2 {R}
{P∧B} S1 {Q} , {P∧¬B} S2 {Q}
Conditional
{P} if B then S1 else S2 {Q}

24. P I ∧ ({I∧B} S {I}) , (I ∧ ¬B Q)
While loop
{P} while B do S end {Q}

25. P I ∧ ({I∧B} S {I}) , (I ∧ ¬B Q)
While loop
{P} while B do S end {Q}
Loop invariant I
I = property which stays true before and after every loop
0. initial condition: P I;
1. iterative (inductive) condition: {I ∧ B} s {I};
2. final condition: I ∧ ¬B Q

26. P: (x ≥ 0) ∧ (y > 0)
S: quo := 0;
rem := x;
while (y ≤ rem) do
rem = rem − y;
quo = quo + 1
end
Q: (quo ∗ y + rem = x) ∧
(0 ≤ rem < y) :
E xample inder
n d rema s
Qu otient a 2 integer
ng
o f dividi

27. while (lo < hi) {
m = (lo + hi) / 2;
if (n > m)
lo = m + 1;
else
hi = m;
}
n = lo;
ch
: bina ry sear
E xample

28. I: lo <= n ∧ n <= hi
while (lo < hi) { lo <= n ∧ n <= hi*/
/*I:
m = (lo + hi) / 2;
if (n > m) /*
in both cases: lo <= n ∧ n <= hi */
lo = m + 1; /* n > m => n >= m+1 => n >= lo */
else
hi = m; /* !(n < m) => n <= m => n <= hi */
} /* I stays true */
n = lo; /*
lo<=n ∧ n<=hi ∧
!(lo<hi) => lo==n ∧ n==hi */
ch
: bina ry sear
E xample

29. Weakest Precondition wp(S, Q)
∀ {P} S {Q} :: P wp(S,Q)

30. Verification of {P} S {Q}
1. Compute wp(S, Q)
2. Prove P wp(S, Q)

31. Assignment
wp(x:=A, Q) = Qx←A
Array Assignment
wp(a[x]:=A, Q) = Qa←a′

32. Assignment
wp(x:=A, Q) = Qx←A
wp(x:=5,x+y=6) = 5+y = 6
wp(x:=x+1,x+y=6) = x+1+y = 6
Array Assignment
wp(a[x]:=A, Q) = Qa←a′

33. Assignment
wp(x:=A, Q) = Qx←A
wp(x:=5,x+y=6) = 5+y = 6
wp(x:=x+1,x+y=6) = x+1+y = 6
Array Assignment
wp(a[x]:=A, Q) = Qa←a′
wp(a[1]:=x+1, a[1]=a[2]) = a′[1]=a′[2] where a′[1] = x +1, a′[i] = a[i], ∀ i ≠ 1
= x+1=a[2]

34. Sequencing
wp(S1; S2, Q) wp(S1, wp(S2, Q))
=

35. Sequencing
wp(S1; S2, Q) wp(S1, wp(S2, Q))
=
wp(x:=x+1;y:=y+x,y>10)

36. Sequencing
wp(S1; S2, Q) wp(S1, wp(S2, Q))
=
wp(x:=x+1;y:=y+x,y>10)
= wp(x:=x+1,wp(y:=y+x,y>10))
wp(x:=x+1, y+x>10)
=
= y+x+1>10

37. Conditional
wp(if (B) then S1 else S2, Q) =
(B wp(S1, Q)) ∧ (¬B wp(S2, Q))

38. Conditional
wp(if (B) then S1 else S2, Q) =
(B wp(S1, Q)) ∧ (¬B wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)

39. Conditional
wp(if (B) then S1 else S2, Q) =
(B wp(S1, Q)) ∧ (¬B wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y wp(max:=x, Q))∧(x<y wp(max:=y, Q) =

40. Conditional
wp(if (B) then S1 else S2, Q) =
(B wp(S1, Q)) ∧ (¬B wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y wp(max:=x, Q))∧(x<y wp(max:=y, Q) =
(x≥y Qmax←x) ∧ (x<y Qmax←y) =

41. Conditional
wp(if (B) then S1 else S2, Q) =
(B wp(S1, Q)) ∧ (¬B wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y wp(max:=x, Q))∧(x<y wp(max:=y, Q) =
(x≥y Qmax←x) ∧ (x<y Qmax←y) =
(x≥y ((x≥x) ∧ (x≥y) ∧ (x=x ∨ x=y)) ∧

42. Conditional
wp(if (B) then S1 else S2, Q) =
(B wp(S1, Q)) ∧ (¬B wp(S2, Q))
Q: (max ≥ x) ∧ (max ≥ y) ∧ (max = x ∨ max = y)
(x≥y wp(max:=x, Q))∧(x<y wp(max:=y, Q) =
(x≥y Qmax←x) ∧ (x<y Qmax←y) =
(x≥y ((x≥x) ∧ (x≥y) ∧ (x=x ∨ x=y)) ∧
((x<y ((y≥x) ∧ (y≥y) ∧ (y=x ∨ y=y))

43. While loop
L = while (B) do S end
wp(L,Q) I ∧
=
∀y, ((B ∧ I) wp(S, I ∧ x < y))
∀y, ((¬B ∧ I) Q)

44. While loop
L = while (B) do S end
wp(L,Q) I ∧
=
∀y, ((B ∧ I) wp(S, I ∧ x < y))
∀y, ((¬B ∧ I) Q)
Loop verification
I = property which stays true before and after every loop
0. P I;
1. I∧B wp(s, I);
2. I∧¬B Q.

45. P: (x≥0) ∧ (y>0)
S: quo := 0;
rem := x;
while (y ≤ rem) do
rem = rem − y;
quo = quo + 1
end
Q: (quo∗y+rem=x) ∧ (0≤rem<y)
:
E xample inder
n d rema s
Qu otient a 2 integer
ng
o f dividi

46. P: (x≥0) ∧ (y>0)
S: quo := 0;
rem := x;
I: (quo∗y+rem=x) ∧ (rem≥0) ∧ (y>0) ∧ (x≥0)
while (y ≤ rem) do
rem = rem − y;
quo = quo + 1
end
Q: (quo∗y+rem=x) ∧ (0≤rem<y)
:
E xample inder
n d rema s
Qu otient a 2 integer
ng
o f dividi

47. P: (x≥0) ∧ (y>0)
I: (quo∗y+rem=x) ∧ (rem≥0) ∧ (y>0) ∧ (x≥0)
Q: (quo∗y+rem=x) ∧ (0≤rem<y)
(x ≥ 0) ∧ (y > 0)
(x = x) ∧ (x ≥ 0) ∧ (x ≥ 0) ∧ (y > 0)
(x=rem+y∗quo) ∧ (x≥0) ∧ (rem≥0) ∧ (y>0) ∧ (y≤rem)
(x = (rem − y) + y ∗ (quo + 1)) ∧
x ≥ 0 ∧ rem − y ≥ 0 ∧ y > 0
(x=rem+y∗quo) ∧ (x≥0) ∧ (rem≥0) ∧ (y>0) ∧ (y>rem)
(x = rem + y ∗ quo) ∧ (0 ≤ rem < y)
:
E xample tions
n condi
ve rificatio

48. program
S
{P} {Q}
precondition postcondition

49. Tudor Gîrba
www.tudorgirba.com
creativecommons.org/licenses/by/3.0/