versionesc
esc 时间:2021-02-23 阅读:()
ESCJavaStaticAnalysisSpectrumPowerCostTypecheckingData-flowanalysisModelcheckingProgramverificationAutomatedManualESCIsThisProgramCorrectintsquare(intn)intk=0,r=0,s=1;while(k!
=n)r=r+s;s=s+2;k=k+1;returnr;}TypecheckingnotenoughtocheckthisNeitherisdata-flowanalysis,normodelcheckingProgramVerificationProgramverificationisthemostpowerfulstaticanalysismethodCanreasonaboutallpropertiesofprogramsCannotfullyautomateBut…Canautomatecertainparts(ESC/Java)TeacheshowtoreasonaboutprogramsinasystematicwaySpecifyingProgramsBeforewecheckaprogramwemustspecifywhatitdoesWeneedformalspecificationsEnglishcommentsarenotenoughWeuselogicnotationTheoryofpre-andpost-conditionsStatePredicatesApredicateisabooleanexpressionontheprogramstate(e.
g.
,variables,objectfields)Examples:x==8x=0)UsingPredicatestoSpecifyProgramsWefocusfirstonhowtospecifyastatementHoaretripleforstatementS{P}S{Q}SaysthatifSisstartedinastatethatsatisfiesP,andSterminates,thenitterminatesinQThisistheliberalversion,whichdoesn'tcareaboutterminationStrictversion:ifSisstartedinastatethatsatisfiesPthenSterminatesinQpreconditionpostconditionHoareTriples.
Examples.
{true}x=12{x==12}{y>=0}x=12{x==12}{true}x=12{x>=0}(Programssatisfymanypossiblespecifications){x=0}x=fact(n){x==n!
}{true}a=0;if(x!
=0){a=2*x;}{a==2*x}ComputingHoareTriplesWecomputethetriplesusingrulesOneruleforeachstatementkindRulesforcomposedstatementsAssignmentAssignmentisthesimplestoperationandthetrickiestonetoreasonabout!
{y>=2}x=5{}{x==y}x=x+1x=5{x==y}{}x=x+1{x==y}{}x=x+1{x2+y2==z2}{x2+y2==z2}x=x+1{}AssignmentRuleRuleforassignment{Q[x:=E]}x=E{Q}Examples:{12==12}x=12{x==12}{12>=0}x=12{x>=0x=x+1{x>=0}{x>=1}x=x+1{}QwithxreplacedbyEx==12withxreplacedby12RelaxingSpecificationsConsider{x>=1}x=x+1{x>=2}Itisverytightspecification.
WecanrelaxitExample:{x>=5}x=x+1{x>=2}(sincex>=5)x+1>=2)x=E{P}ifP)Q[x:=E]{Q}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}Exampleofrunningitforward{x==y}x=x+1{}Exampleofrunningitforward{x==y}x=x+1{}ForwardorBackwardForwardreasoningKnowthepreconditionWanttoknowwhatpostconditonthecodeestablishesBackwardreasoningKnowwhatwewanttocodetoestablishMustfindinwhatpreconditionthishappensBackwardisusedmostoftenStartwithwhatyouwanttoverifyInsteadofverifyingeverythingthecodedoesWeakestpreconditionwp(S,Q)istheweakestPsuchthat{P}S{Q}Orderonpredicates:Strong)Weakwpreturnsthe"best"possiblepredicatewp(x:=E,Q)=Q[x:=E]Ingeneral:S{P}ifP)wp(S,Q){Q}WeakestpreconditionThispointstoaverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputewpofQwithrespecttofunctonbodyAskatheoremprovertoshowthatPimpliesthewpThewpfunctionwewilluseisliberal(Pdoesnotguaranteetermination)Ifusingbothstrictandliberalinthesamecontext,theusualnotationiswlptheliberalversionandwpforthestrictoneStrongestpreconditionsp(S,P)isthestrongestQsuchthat{P}S{Q}Recall:Strong)Weakspreturnsthe"best"possiblepredicatesp(x:=E,P)=…Ingeneral:S{P}{Q}ifsp(S,P))QStrongestpostconditionStrongestpostconditionandweakestpreconditionsaresymmetricThispointstoanequivalentverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputespofPwithrespecttofunctonbodyAskatheoremprovertoshowthatthespimpliesQComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}ComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}Intermsofwpandspwp(S1;S2,Q)=wp(S1,wp(S2,Q))sp(S1;S2,P)=sp(S2,sp(S1,P))ConditionalsRulefortheconditional(flowgraph)Example:E{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2x==0{x>=0}TF{x==0}sincex>=0&&x==0)x==0{x>=1}sincex>=0&&x!
=0)x>=1Conditionals:ForwardandBackwardRecall:rulefortheconditionalForward:givenP,findP1andP2pickP1tobeP&&E,andP2tobeP&&!
EBackward:givenP1andP2,findPpickPtobe(P1&&E)||(P2&&!
E)OrpickPtobe(E)P1)&&(!
E)P2)E{P}{P1}providedP&&E)P1TF{P2}providedP&&!
E)P2JoinsRuleforthejoin:Forward:pickPtobeP1||P2Backward:pickP1,P2tobeP{P1}{P2}{P}providedP1)PandP2)PReviewE{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2{P1}{P2}{P}ifP1)PandP2)Px=E{P}{Q}ifP)Q[x:=E]ImplicationisalwaysinthedirectionofthecontrolflowReview:forwardE{P}{P&&E}TF{P&&!
E}{P1}{P2}{P1||P2}x=E{P}{\exists…}Review:backwardE{(E)P1)&&(!
E)P2)}{P1}TF{P2}{P}{P}{P}x=E{Q[x:=E]}{Q}Example:Absolutevaluestaticintabs(intx)//@ensures\result>=0{if(x0)c-returnx;}x0c--TFExample:Absolutevaluex0c--TFExample:Absolutevaluex0c--TFInSimplifyIMPLIESTRUE(AND(IMPLIES(c0)0x)0)IMPLIES(=x0)AND(IMPLIES(>c0)(>=x0)IMPLIES(=x0))))))1:Valid.
>Sofar…FrameworkforcheckingpreandpostconditionsofcomputationswithoutloopsSupposewewanttocheckthatsomeconditionholdsinsidethecomputation,ratherthanattheendstaticintabs(intx){if(x0)c-returnx;}Saywewanttocheckthatx>0hereAsserts{Q&&E}assert(E){Q}Backward:wp(assert(E),Q)=Q&&EForward:sp(assert(E),P)=assert(E)QQ&&Eassert(E)PExample:Absolutevaluewithassertstaticintabs(intx){if(x0)if(c>0)c-returnx;}x0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAnotherExample:DoubleLocking"Anattempttore-acquireanacquiredlockorreleaseareleasedlockwillcauseadeadlock.
"Callstolockandunlockmustalternate.
locklockunlockunlockLockingRulesWeassumethatthebooleanpredicatelockedsaysifthelockisheldornot{!
locked&&P[locked:=true]}lock{P}lockbehavesasassert(!
locked);locked=true{locked&&P[locked:=false]}unlock{P}unlockbehavesasassert(locked);locked=falseLockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample:forwarddirection…lock…x==0…unlock{!
locked}{!
locked&&x==0}{!
locked&&x0}x==0TT{!
locked&&x==0}{locked&&x==0}{locked=(x==0)}{locked&&x==0}{!
locked&&(x==0)}{!
locked&&x0}{!
locked}
=n)r=r+s;s=s+2;k=k+1;returnr;}TypecheckingnotenoughtocheckthisNeitherisdata-flowanalysis,normodelcheckingProgramVerificationProgramverificationisthemostpowerfulstaticanalysismethodCanreasonaboutallpropertiesofprogramsCannotfullyautomateBut…Canautomatecertainparts(ESC/Java)TeacheshowtoreasonaboutprogramsinasystematicwaySpecifyingProgramsBeforewecheckaprogramwemustspecifywhatitdoesWeneedformalspecificationsEnglishcommentsarenotenoughWeuselogicnotationTheoryofpre-andpost-conditionsStatePredicatesApredicateisabooleanexpressionontheprogramstate(e.
g.
,variables,objectfields)Examples:x==8x=0)UsingPredicatestoSpecifyProgramsWefocusfirstonhowtospecifyastatementHoaretripleforstatementS{P}S{Q}SaysthatifSisstartedinastatethatsatisfiesP,andSterminates,thenitterminatesinQThisistheliberalversion,whichdoesn'tcareaboutterminationStrictversion:ifSisstartedinastatethatsatisfiesPthenSterminatesinQpreconditionpostconditionHoareTriples.
Examples.
{true}x=12{x==12}{y>=0}x=12{x==12}{true}x=12{x>=0}(Programssatisfymanypossiblespecifications){x=0}x=fact(n){x==n!
}{true}a=0;if(x!
=0){a=2*x;}{a==2*x}ComputingHoareTriplesWecomputethetriplesusingrulesOneruleforeachstatementkindRulesforcomposedstatementsAssignmentAssignmentisthesimplestoperationandthetrickiestonetoreasonabout!
{y>=2}x=5{}{x==y}x=x+1x=5{x==y}{}x=x+1{x==y}{}x=x+1{x2+y2==z2}{x2+y2==z2}x=x+1{}AssignmentRuleRuleforassignment{Q[x:=E]}x=E{Q}Examples:{12==12}x=12{x==12}{12>=0}x=12{x>=0x=x+1{x>=0}{x>=1}x=x+1{}QwithxreplacedbyEx==12withxreplacedby12RelaxingSpecificationsConsider{x>=1}x=x+1{x>=2}Itisverytightspecification.
WecanrelaxitExample:{x>=5}x=x+1{x>=2}(sincex>=5)x+1>=2)x=E{P}ifP)Q[x:=E]{Q}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}{}Assignments:forwardandbackwardTwowaystolookattherules:Backward:givenpost-condition,whatispre-conditionForward:givenpre-condition,whatispost-conditionx=E{Q[x:=E]}{Q}x=E{P}Exampleofrunningitforward{x==y}x=x+1{}Exampleofrunningitforward{x==y}x=x+1{}ForwardorBackwardForwardreasoningKnowthepreconditionWanttoknowwhatpostconditonthecodeestablishesBackwardreasoningKnowwhatwewanttocodetoestablishMustfindinwhatpreconditionthishappensBackwardisusedmostoftenStartwithwhatyouwanttoverifyInsteadofverifyingeverythingthecodedoesWeakestpreconditionwp(S,Q)istheweakestPsuchthat{P}S{Q}Orderonpredicates:Strong)Weakwpreturnsthe"best"possiblepredicatewp(x:=E,Q)=Q[x:=E]Ingeneral:S{P}ifP)wp(S,Q){Q}WeakestpreconditionThispointstoaverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputewpofQwithrespecttofunctonbodyAskatheoremprovertoshowthatPimpliesthewpThewpfunctionwewilluseisliberal(Pdoesnotguaranteetermination)Ifusingbothstrictandliberalinthesamecontext,theusualnotationiswlptheliberalversionandwpforthestrictoneStrongestpreconditionsp(S,P)isthestrongestQsuchthat{P}S{Q}Recall:Strong)Weakspreturnsthe"best"possiblepredicatesp(x:=E,P)=…Ingeneral:S{P}{Q}ifsp(S,P))QStrongestpostconditionStrongestpostconditionandweakestpreconditionsaresymmetricThispointstoanequivalentverificationalgorithm:Givenfunctionbodyannotatedwithpre-conditionPandpost-conditionQ:ComputespofPwithrespecttofunctonbodyAskatheoremprovertoshowthatthespimpliesQComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}ComposingSpecificationsIf{P}S1{R}and{R}S2{Q}then{P}S1;S2{Q}Example:x=x-1;y=y-1{x>=y}Intermsofwpandspwp(S1;S2,Q)=wp(S1,wp(S2,Q))sp(S1;S2,P)=sp(S2,sp(S1,P))ConditionalsRulefortheconditional(flowgraph)Example:E{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2x==0{x>=0}TF{x==0}sincex>=0&&x==0)x==0{x>=1}sincex>=0&&x!
=0)x>=1Conditionals:ForwardandBackwardRecall:rulefortheconditionalForward:givenP,findP1andP2pickP1tobeP&&E,andP2tobeP&&!
EBackward:givenP1andP2,findPpickPtobe(P1&&E)||(P2&&!
E)OrpickPtobe(E)P1)&&(!
E)P2)E{P}{P1}providedP&&E)P1TF{P2}providedP&&!
E)P2JoinsRuleforthejoin:Forward:pickPtobeP1||P2Backward:pickP1,P2tobeP{P1}{P2}{P}providedP1)PandP2)PReviewE{P}{P1}ifP&&E)P1TF{P2}ifP&&!
E)P2{P1}{P2}{P}ifP1)PandP2)Px=E{P}{Q}ifP)Q[x:=E]ImplicationisalwaysinthedirectionofthecontrolflowReview:forwardE{P}{P&&E}TF{P&&!
E}{P1}{P2}{P1||P2}x=E{P}{\exists…}Review:backwardE{(E)P1)&&(!
E)P2)}{P1}TF{P2}{P}{P}{P}x=E{Q[x:=E]}{Q}Example:Absolutevaluestaticintabs(intx)//@ensures\result>=0{if(x0)c-returnx;}x0c--TFExample:Absolutevaluex0c--TFExample:Absolutevaluex0c--TFInSimplifyIMPLIESTRUE(AND(IMPLIES(c0)0x)0)IMPLIES(=x0)AND(IMPLIES(>c0)(>=x0)IMPLIES(=x0))))))1:Valid.
>Sofar…FrameworkforcheckingpreandpostconditionsofcomputationswithoutloopsSupposewewanttocheckthatsomeconditionholdsinsidethecomputation,ratherthanattheendstaticintabs(intx){if(x0)c-returnx;}Saywewanttocheckthatx>0hereAsserts{Q&&E}assert(E){Q}Backward:wp(assert(E),Q)=Q&&EForward:sp(assert(E),P)=assert(E)QQ&&Eassert(E)PExample:Absolutevaluewithassertstaticintabs(intx){if(x0)if(c>0)c-returnx;}x0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFExample:Absolutevaluewithassertx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAddingthepostconditionbackinx0)TFc>0c--TFAnotherExample:DoubleLocking"Anattempttore-acquireanacquiredlockorreleaseareleasedlockwillcauseadeadlock.
"Callstolockandunlockmustalternate.
locklockunlockunlockLockingRulesWeassumethatthebooleanpredicatelockedsaysifthelockisheldornot{!
locked&&P[locked:=true]}lock{P}lockbehavesasassert(!
locked);locked=true{locked&&P[locked:=false]}unlock{P}unlockbehavesasassert(locked);locked=falseLockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample…lock…x==0…unlockx==0TT{!
L&&P[L:=true]}lock{P}{L&&P[L:=false]}unlock{P}{!
L}{!
L}LockingExample:forwarddirection…lock…x==0…unlock{!
locked}{!
locked&&x==0}{!
locked&&x0}x==0TT{!
locked&&x==0}{locked&&x==0}{locked=(x==0)}{locked&&x==0}{!
locked&&(x==0)}{!
locked&&x0}{!
locked}
Hostodo:$34.99/年KVM-2.5GB/25G NVMe/8TB/3个数据中心
Hostodo在九月份又发布了两款特别套餐,开设在美国拉斯维加斯、迈阿密和斯波坎机房,基于KVM架构,采用NVMe SSD高性能磁盘,最低1.5GB内存8TB月流量套餐年付34.99美元起。Hostodo是一家成立于2014年的国外VPS主机商,主打低价VPS套餐且年付为主,基于OpenVZ和KVM架构,美国三个地区机房,支持支付宝或者PayPal、加密货币等付款。下面列出这两款主机配置信息。CP...
RepriseHosting:$27.97/月-L5640,16G内存,1TB硬盘,10TB月流量,西雅图机房
RepriseHosting是成立于2012年的国外主机商,提供独立服务器租用和VPS主机等产品,数据中心在美国西雅图和拉斯维加斯机房。商家提供的独立服务器以较低的价格为主,目前针对西雅图机房部分独立服务器提供的优惠仍然有效,除了价格折扣外,还免费升级内存和带宽,商家支持使用支付宝或者PayPal、信用卡等付款方式。配置一 $27.97/月CPU:Intel Xeon L5640内存:16GB(原...
ZoeCloud:香港BGP云服务器,1GB内存/20GB SSD空间/2TB流量/500Mbps/KVM,32元/月
zoecloud怎么样?zoecloud是一家国人商家,5月成立,暂时主要提供香港BGP KVM VPS,线路为AS41378,并有首发永久8折优惠:HKBGP20OFF。目前,解锁香港区 Netflix、Youtube Premium ,但不保证一直解锁,谢绝以不是原生 IP 理由退款。不保证中国大陆连接速度,建议移动中转使用,配合广州移动食用效果更佳。点击进入:zoecloud官方网站地址zo...
esc为你推荐
-
人人时光机五月天的专辑都有哪些?申请证书求高手教下怎么申请证书苹果5怎么越狱苹果5怎么越狱?奇虎论坛奇虎问答是什么创维云电视功能很喜欢创维云电视,它到底有哪些独特功能?人人逛街包公免费逛街打一成语srv记录如何解析一个SRV域名的ipsrv记录如何验证是否为域控制器创建了 SRV DNS 记录虚拟机软件下载谁有好的虚拟机软件?怎么上传音乐怎么上传音乐到网上