versionesc
esc 时间:2021-02-23 阅读:()
ESCJavaStaticAnalysisSpectrumPowerCostTypecheckingData-flowanalysisModelcheckingProgramverificationAutomatedManualESCIsThisProgramCorrectintsquare(intn)intk=0,r=0,s=1;while(k!
=n)r=r+s;s=s+2;k=k+1;returnr;}TypecheckingnotenoughtocheckthisNeitherisdata-flowanalysis,normodelcheckingProgramVerificationProgramverificationisthemostpowerfulstaticanalysismethodCanreasonaboutallpropertiesofprogramsCannotfullyautomateBut…Canautomatecertainparts(ESC/Java)TeacheshowtoreasonaboutprogramsinasystematicwaySpecifyingProgramsBeforewecheckaprogramwemustspecifywhatitdoesWeneedformalspecificationsEnglishcommentsarenotenoughWeuselogicnotationTheoryofpre-andpost-conditionsStatePredicatesApredicateisabooleanexpressionontheprogramstate(e.
g.
,variables,objectfields)Examples:x==8x=0)UsingPredicatestoSpecifyProgramsWefocusfirstonhowtospecifyastatementHoaretripleforstatementS{P}S{Q}SaysthatifSisstartedinastatethatsatisfiesP,andSterminates,thenitterminatesinQThisistheliberalversion,whichdoesn'tcareaboutterminationStrictversion:ifSisstartedinastatethatsatisfiesPthenSterminatesinQpreconditionpostconditionHoareTriples.
Examples.
{true}x=12{x==12}{y>=0}x=12{x==12}{true}x=12{x>=0}(Programssatisfymanypossiblespecifications){x=0}x=fact(n){x==n!
}{true}a=0;if(x!
=0){a=2*x;}{a==2*x}ComputingHoareTriplesWecomputethetriplesusingrulesOneruleforeachstatementkindRulesforcomposedstatementsAssignmentAssignmentisthesimplestoperationandthetrickiestonetoreasonabout!
{y>=2}x=5{}{x==y}x=x+1x=5{x==y}{}x=x+1{x==y}{}x=x+1{x2+y2==z2}{x2+y2==z2}x=x+1{}AssignmentRuleRuleforassignment{Q[x:=E]}x=E{Q}Examples:{12==12}x=12{x==12}{12>=0}x=12{x>=0x=x+1{x>=0}{x>=1}x=x+1{}QwithxreplacedbyEx==12withxreplacedby12RelaxingSpecificationsConsider{x>=1}x=x+1{x>=2}Itisverytightspecification.
WecanrelaxitExample:{x>=5}x=x+1{x>=2}(sincex>=5)x+1>=2)x=E{P}ifP)Q[x:=E]{Q}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}Exampleofrunningitforward{x==y}x=x+1{}Exampleofrunningitforward{x==y}x=x+1{}ForwardorBackwardForwardreasoningKnowthepreconditionWanttoknowwhatpostconditonthecodeestablishesBackwardreasoningKnowwhatwewanttocodetoestablishMustfindinwhatpreconditionthishappensBackwardisusedmostoftenStartwithwhatyouwanttoverifyInsteadofverifyingeverythingthecodedoesWeakestpreconditionwp(S,Q)istheweakestPsuchthat{P}S{Q}Orderonpredicates:Strong)Weakwpreturnsthe"best"possiblepredicatewp(x:=E,Q)=Q[x:=E]Ingeneral:S{P}ifP)wp(S,Q){Q}WeakestpreconditionThispointstoaverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputewpofQwithrespecttofunctonbodyAskatheoremprovertoshowthatPimpliesthewpThewpfunctionwewilluseisliberal(Pdoesnotguaranteetermination)Ifusingbothstrictandliberalinthesamecontext,theusualnotationiswlptheliberalversionandwpforthestrictoneStrongestpreconditionsp(S,P)isthestrongestQsuchthat{P}S{Q}Recall:Strong)Weakspreturnsthe"best"possiblepredicatesp(x:=E,P)=…Ingeneral:S{P}{Q}ifsp(S,P))QStrongestpostconditionStrongestpostconditionandweakestpreconditionsaresymmetricThispointstoanequivalentverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputespofPwithrespecttofunctonbodyAskatheoremprovertoshowthatthespimpliesQComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}ComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}Intermsofwpandspwp(S1;S2,Q)=wp(S1,wp(S2,Q))sp(S1;S2,P)=sp(S2,sp(S1,P))ConditionalsRulefortheconditional(flowgraph)Example:E{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2x==0{x>=0}TF{x==0}sincex>=0&&x==0)x==0{x>=1}sincex>=0&&x!
=0)x>=1Conditionals:ForwardandBackwardRecall:rulefortheconditionalForward:givenP,findP1andP2pickP1tobeP&&E,andP2tobeP&&!
EBackward:givenP1andP2,findPpickPtobe(P1&&E)||(P2&&!
E)OrpickPtobe(E)P1)&&(!
E)P2)E{P}{P1}providedP&&E)P1TF{P2}providedP&&!
E)P2JoinsRuleforthejoin:Forward:pickPtobeP1||P2Backward:pickP1,P2tobeP{P1}{P2}{P}providedP1)PandP2)PReviewE{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2{P1}{P2}{P}ifP1)PandP2)Px=E{P}{Q}ifP)Q[x:=E]ImplicationisalwaysinthedirectionofthecontrolflowReview:forwardE{P}{P&&E}TF{P&&!
E}{P1}{P2}{P1||P2}x=E{P}{\exists…}Review:backwardE{(E)P1)&&(!
E)P2)}{P1}TF{P2}{P}{P}{P}x=E{Q[x:=E]}{Q}Example:Absolutevaluestaticintabs(intx)//@ensures\result>=0{if(x0)c-returnx;}x0c--TFExample:Absolutevaluex0c--TFExample:Absolutevaluex0c--TFInSimplifyIMPLIESTRUE(AND(IMPLIES(c0)0x)0)IMPLIES(=x0)AND(IMPLIES(>c0)(>=x0)IMPLIES(=x0))))))1:Valid.
>Sofar…FrameworkforcheckingpreandpostconditionsofcomputationswithoutloopsSupposewewanttocheckthatsomeconditionholdsinsidethecomputation,ratherthanattheendstaticintabs(intx){if(x0)c-returnx;}Saywewanttocheckthatx>0hereAsserts{Q&&E}assert(E){Q}Backward:wp(assert(E),Q)=Q&&EForward:sp(assert(E),P)=assert(E)QQ&&Eassert(E)PExample:Absolutevaluewithassertstaticintabs(intx){if(x0)if(c>0)c-returnx;}x0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAnotherExample:DoubleLocking"Anattempttore-acquireanacquiredlockorreleaseareleasedlockwillcauseadeadlock.
"Callstolockandunlockmustalternate.
locklockunlockunlockLockingRulesWeassumethatthebooleanpredicatelockedsaysifthelockisheldornot{!
locked&&P[locked:=true]}lock{P}lockbehavesasassert(!
locked);locked=true{locked&&P[locked:=false]}unlock{P}unlockbehavesasassert(locked);locked=falseLockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample:forwarddirection…lock…x==0…unlock{!
locked}{!
locked&&x==0}{!
locked&&x0}x==0TT{!
locked&&x==0}{locked&&x==0}{locked=(x==0)}{locked&&x==0}{!
locked&&(x==0)}{!
locked&&x0}{!
locked}
=n)r=r+s;s=s+2;k=k+1;returnr;}TypecheckingnotenoughtocheckthisNeitherisdata-flowanalysis,normodelcheckingProgramVerificationProgramverificationisthemostpowerfulstaticanalysismethodCanreasonaboutallpropertiesofprogramsCannotfullyautomateBut…Canautomatecertainparts(ESC/Java)TeacheshowtoreasonaboutprogramsinasystematicwaySpecifyingProgramsBeforewecheckaprogramwemustspecifywhatitdoesWeneedformalspecificationsEnglishcommentsarenotenoughWeuselogicnotationTheoryofpre-andpost-conditionsStatePredicatesApredicateisabooleanexpressionontheprogramstate(e.
g.
,variables,objectfields)Examples:x==8x=0)UsingPredicatestoSpecifyProgramsWefocusfirstonhowtospecifyastatementHoaretripleforstatementS{P}S{Q}SaysthatifSisstartedinastatethatsatisfiesP,andSterminates,thenitterminatesinQThisistheliberalversion,whichdoesn'tcareaboutterminationStrictversion:ifSisstartedinastatethatsatisfiesPthenSterminatesinQpreconditionpostconditionHoareTriples.
Examples.
{true}x=12{x==12}{y>=0}x=12{x==12}{true}x=12{x>=0}(Programssatisfymanypossiblespecifications){x=0}x=fact(n){x==n!
}{true}a=0;if(x!
=0){a=2*x;}{a==2*x}ComputingHoareTriplesWecomputethetriplesusingrulesOneruleforeachstatementkindRulesforcomposedstatementsAssignmentAssignmentisthesimplestoperationandthetrickiestonetoreasonabout!
{y>=2}x=5{}{x==y}x=x+1x=5{x==y}{}x=x+1{x==y}{}x=x+1{x2+y2==z2}{x2+y2==z2}x=x+1{}AssignmentRuleRuleforassignment{Q[x:=E]}x=E{Q}Examples:{12==12}x=12{x==12}{12>=0}x=12{x>=0x=x+1{x>=0}{x>=1}x=x+1{}QwithxreplacedbyEx==12withxreplacedby12RelaxingSpecificationsConsider{x>=1}x=x+1{x>=2}Itisverytightspecification.
WecanrelaxitExample:{x>=5}x=x+1{x>=2}(sincex>=5)x+1>=2)x=E{P}ifP)Q[x:=E]{Q}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}Exampleofrunningitforward{x==y}x=x+1{}Exampleofrunningitforward{x==y}x=x+1{}ForwardorBackwardForwardreasoningKnowthepreconditionWanttoknowwhatpostconditonthecodeestablishesBackwardreasoningKnowwhatwewanttocodetoestablishMustfindinwhatpreconditionthishappensBackwardisusedmostoftenStartwithwhatyouwanttoverifyInsteadofverifyingeverythingthecodedoesWeakestpreconditionwp(S,Q)istheweakestPsuchthat{P}S{Q}Orderonpredicates:Strong)Weakwpreturnsthe"best"possiblepredicatewp(x:=E,Q)=Q[x:=E]Ingeneral:S{P}ifP)wp(S,Q){Q}WeakestpreconditionThispointstoaverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputewpofQwithrespecttofunctonbodyAskatheoremprovertoshowthatPimpliesthewpThewpfunctionwewilluseisliberal(Pdoesnotguaranteetermination)Ifusingbothstrictandliberalinthesamecontext,theusualnotationiswlptheliberalversionandwpforthestrictoneStrongestpreconditionsp(S,P)isthestrongestQsuchthat{P}S{Q}Recall:Strong)Weakspreturnsthe"best"possiblepredicatesp(x:=E,P)=…Ingeneral:S{P}{Q}ifsp(S,P))QStrongestpostconditionStrongestpostconditionandweakestpreconditionsaresymmetricThispointstoanequivalentverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputespofPwithrespecttofunctonbodyAskatheoremprovertoshowthatthespimpliesQComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}ComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}Intermsofwpandspwp(S1;S2,Q)=wp(S1,wp(S2,Q))sp(S1;S2,P)=sp(S2,sp(S1,P))ConditionalsRulefortheconditional(flowgraph)Example:E{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2x==0{x>=0}TF{x==0}sincex>=0&&x==0)x==0{x>=1}sincex>=0&&x!
=0)x>=1Conditionals:ForwardandBackwardRecall:rulefortheconditionalForward:givenP,findP1andP2pickP1tobeP&&E,andP2tobeP&&!
EBackward:givenP1andP2,findPpickPtobe(P1&&E)||(P2&&!
E)OrpickPtobe(E)P1)&&(!
E)P2)E{P}{P1}providedP&&E)P1TF{P2}providedP&&!
E)P2JoinsRuleforthejoin:Forward:pickPtobeP1||P2Backward:pickP1,P2tobeP{P1}{P2}{P}providedP1)PandP2)PReviewE{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2{P1}{P2}{P}ifP1)PandP2)Px=E{P}{Q}ifP)Q[x:=E]ImplicationisalwaysinthedirectionofthecontrolflowReview:forwardE{P}{P&&E}TF{P&&!
E}{P1}{P2}{P1||P2}x=E{P}{\exists…}Review:backwardE{(E)P1)&&(!
E)P2)}{P1}TF{P2}{P}{P}{P}x=E{Q[x:=E]}{Q}Example:Absolutevaluestaticintabs(intx)//@ensures\result>=0{if(x0)c-returnx;}x0c--TFExample:Absolutevaluex0c--TFExample:Absolutevaluex0c--TFInSimplifyIMPLIESTRUE(AND(IMPLIES(c0)0x)0)IMPLIES(=x0)AND(IMPLIES(>c0)(>=x0)IMPLIES(=x0))))))1:Valid.
>Sofar…FrameworkforcheckingpreandpostconditionsofcomputationswithoutloopsSupposewewanttocheckthatsomeconditionholdsinsidethecomputation,ratherthanattheendstaticintabs(intx){if(x0)c-returnx;}Saywewanttocheckthatx>0hereAsserts{Q&&E}assert(E){Q}Backward:wp(assert(E),Q)=Q&&EForward:sp(assert(E),P)=assert(E)QQ&&Eassert(E)PExample:Absolutevaluewithassertstaticintabs(intx){if(x0)if(c>0)c-returnx;}x0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAnotherExample:DoubleLocking"Anattempttore-acquireanacquiredlockorreleaseareleasedlockwillcauseadeadlock.
"Callstolockandunlockmustalternate.
locklockunlockunlockLockingRulesWeassumethatthebooleanpredicatelockedsaysifthelockisheldornot{!
locked&&P[locked:=true]}lock{P}lockbehavesasassert(!
locked);locked=true{locked&&P[locked:=false]}unlock{P}unlockbehavesasassert(locked);locked=falseLockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample:forwarddirection…lock…x==0…unlock{!
locked}{!
locked&&x==0}{!
locked&&x0}x==0TT{!
locked&&x==0}{locked&&x==0}{locked=(x==0)}{locked&&x==0}{!
locked&&(x==0)}{!
locked&&x0}{!
locked}
CheapWindowsVPS:7个机房可选全场5折,1Gbps不限流量每月4.5美元
CheapWindowsVPS是一家成立于2007年的老牌国外主机商,顾名思义,一个提供便宜的Windows系统VPS主机(同样也支持安装Linux系列的哈)的商家,可选数据中心包括美国洛杉矶、达拉斯、芝加哥、纽约、英国伦敦、法国、新加坡等等,目前商家针对VPS主机推出5折优惠码,优惠后最低4GB内存套餐月付仅4.5美元。下面列出几款VPS主机配置信息。CPU:2cores内存:4GB硬盘:60G...
简单测评v5.net的美国cn2云服务器:电信双程cn2+联通AS9929+移动直连
v5.net一直做独立服务器这块儿的,自从推出云服务器(VPS)以来站长一直还没有关注过,在网友的提醒下弄了个6G内存、2核、100G SSD的美国云服务器来写测评,主机测评给大家趟雷,让你知道v5.net的美国云服务器效果怎么样。本次测评数据仅供参考,有兴趣的还是亲自测试吧! 官方网站:https://v5.net/cloud.html 从显示来看CPU是e5-2660(2.2GHz主频),...
UCloud云服务器低至年59元
最近我们是不是在讨论较多的是关于K12教育的问题,培训机构由于资本的介入确实让家长更为焦虑,对于这样的整改我们还是很支持的。实际上,在云服务器市场中,我们也看到内卷和资本的力量,各大云服务商竞争也是相当激烈,更不用说个人和小公司服务商日子确实不好过。今天有看到UCloud发布的夏季促销活动,直接提前和双十一保价挂钩。这就是说,人家直接在暑假的时候就上线双十一的活动。早年的双十一活动会提前一周到十天...
esc为你推荐
-
网络明星哪个知道这个网络明星叫什么?vista系统重装Vista系统的重装的步骤,有系统恢复盘arm开发板arm开发板是干什么用的,是用在什么领域方面的数码资源网哪个网站可以直接在线做照片?功能要齐全的`如何建立一个网站如何建立一个网站?保护气球为什么会那么害怕气球创维云电视功能创维电视怎么用,我买了个创维云电视,现在不知道怎么用手机往电视上传照片,谁能解答以下,发邮件怎么发如何发邮件?blogcnblogcn网页无法正常显示,直接跳转http://www.7t7t.com/7?网站地图制作如何制作一个网站地图?