Duminda WijesekeraSWSE 623 - Program Correctness1 SWSE 623 Program Correctness -Pre-condition,...

Duminda Wijesekera SWSE 623 - Program Correctness 1

SWSE 623

Program Correctness-Pre-condition, Post-conditions and Loop invariants


Basic Definitions• Partial Correctness with respect to predicates:

– If program P starts satisfying predicate A, and P terminates, then the terminating state satisfies B.

• Termination with respect to predicates: – If program P starts in a state satisfying predicate A,

then it will terminate in a state satisfying B.

• Total correctness: – If program P starts in a state satisfying A, then it will

terminate in a state satisfying B. Notation: {A} P {B}


Weakest Pre-condition and Strongest Post-condition

• Weakest Precondition: If a predicate QQ satisfying following conditions is a weakest pre-condition.

– {QQ} S {R}– For every Q satisfying {Q} S {R} then Q => QQ

• Strongest Post-condition: If a predicate RR satisfies following, it is a strongest post-condition.

– {Q} S {RR}– For every R satisfying {Q} S {R}, then RR => R


Axiomatic Method of Tony Hoare• Rules of predicate logic are enriched by adding

more rules corresponding to program constructs.• Assignment Axiom:

– {p(e/x)} ( x:= e ){ p}

• Composition Rule:– {p} S { r} {r} S’ {q} {p} (S; S’) {q}

• Conditional Rule:– {p ^ r} S {q} {p ^ ~r} S’ {q}

{p} (If (r) then S else S’} {q}


Hoare Axioms - Continued

• While Rule: {p ^ r } S {p}

{p} (while r do S) {p ^ ~r }

• Consequence Rule: p -> q {q} H {r} r -> s

{p} H {r}


Soundness and Completeness of Hoare’s Axiomatic System

• Theorem: Hoare calculus is Sound– I.e. if |- {p} S {q} then |= {p} S {q}– We will not go through the proof, but similar to

soundness of predicate calculus.

• Fact: Hoare calculus is NOT complete. – I.e. if |= {p} S {q} then |- {p} S {q} is FLASE!– Counter example: {true} ( x:= 1) { x=1} is true in

every model, but cannot be proved !


Issues Related to Incompleteness

• The problem with the incompleteness lies in finding a weakest pre-condition for while loops.

• Theorem: (Cook –1978) If in an interpretation, every while loop has a weakest pre-condition, then Hoare calculus is complete with respect to that interpretation. – (Referred to as Cook’s relative completeness theorem)

• Give examples of using each rule.


Sequencing Rule• Rule: {p} S {q} {q} S’ {r}

{p} (S : S’) {r}

• To use this rule, take the form

WP( S;S’, R) = WP( S, WP(S’, R))

• Example: Calculate – WP( (t:=x;x:=y;y:=t) x=1 ^ y=2)– =WP((t:=x;x:=y),WP(y:=t, (x=1^y=2))) – =WP((t:=x;x:=y), (2=t ^x=1))– =WP((t:=x),(1=y^2=t)) = (1=y)^(2=x)


Conditional Statement• {p ^ r} S {R} {p ^ ~r} S’ {R}

{p} (If (r) then S else S’} {R} • Example: WP((if x>=y then z:=x else z:=y), z =max(x,y))

• Let R=z=max{x,y}= (z=x^x>=y)V(z=y^y>x)• Claim p=T. Need to show

– {p^(x>=y)} (z:=x) {R}• WP((z:=x), R) = ((x=x)^(x>=y))V((x=y)^(y>x))=(x>=y).• Hence p^(x>=y) -> (x>=y).

– {p^(x <y)} (z:=y) {R}• WP((Z:=Y), R) =

((y=x)^(x>=y))V((y=y)^(Y>X))=(Y=X)V(Y>X)=(Y>=X).• Now notice that {p^(x<y)} =(Y>X) -> (y>=X)


Suggestions for using the Conditional Rule

• Suppose we have to show – {Q} (If (r) then S else S’} {R}, using the rule– {p ^ r} S {q} {p ^ ~r} S’ {R}

{p} (If (r) then S else S’} {R} • Compute the Wp for alternatives, I.e.

– Wp(S, R) and Wp(S’, R)

• Then prove – p^(r ) -> Wp(S,R) and P^(~r) -> Wp(S’,R)– Q -> (p^r) and Q -> (p^(~r))


Analyzing Loops• {p ^ r } S {p}

{p} (while r do S) {p ^ ~r }• In using this rule, there is no way to guarantee termination of the

loop, unless r is false. In order to compute an upper bound on the number of loop iterations, Gries has added a bounding function

• Rule: With loop invariant p and bounding function t• If

– (p^ (~r)) -> (t=0) : Says that if guard fails then looping has ended.– {p ^ r } S {p} : Says that P is a loop invariant.– (p^r) -> (t >0) : Says that if the guard is true then won’t end looping.– t decreases with each iteration

• Then– {p} (while r do S) {p ^ ~r }


Using Looping Rules• To show {Q} s’; (while r do S) {R} using

loop invariance P and counting function t show:– {Q} s’ {p}

– (p^ (~r)) -> R : Says that if guard fails then looping has ended.

– {p ^ r } S {p} : Says that P is a loop invariant.

– (p^r) -> (t >0) : Says that if the guard is true then won’t end looping.

– t decreases with each iteration


Example: Exponentiation• Want to show {Q} S {R} where

Q = (0 <= b)

R = (z = a**b)

S = (z:=1; x:=a; y:=b);

( while (y =/=0) do {

If odd(y) then ( z:=z*x; y:=y-1) end

else (x:=x*x; y:=y div 2) end-if } od)

• Use loop invariant P = {(y>=0)^(z*(x**y)=a**b)}

• Bounding function = y


Example Continued: Proof Obligations

0. {Q} (z:=1; x:=a; y:=b) {P}. I.e. {0=<b} (z:=1; x:=a; y:=b) {(y>=0)^(z*(x**y)=a**b)}

1. P^(~(y=/=0)) -> R. I.e.{(y>=0)^(z*(x**y)=a**b)}^(y=0) -> (z = a**b)

2. {P^(y=/=0)} S {P} I.e. that P is a loop invariant

3. P^(y=/=0) -> (y>0)

4. Each iteration of the loop decreases the bound function y


0. Proving {Q} (z:=1; x:=a; y:=b) {P}

• Wp((z:=1; x:=a; y:=b), (0=<y^(z*(x**y)=a**b))

• Wp((z:=1;x:=a), (0=<b^(z*(x**b)=a**b))

• Wp(z:=1,(0=<b^(z*(a**b)=a**b)))

• (0=<b) == Q


1. Proving P^(~(y=/=0)) -> R

• {(y>=0)^(z*(x**y)=a**b)}^(y=0) -> (z = a**b)

• {(y>=0)^(z*(x**y)=a**b)}^(y=0)-> z*(x**0)=a**b)

• (Z*1=a**b) -> (z=a**b) – this is true!


2. Proving {P^(y=/=0)} S {P}• Need to prove:

{(0<y)^(z*(x**y)=a**b)} S {(0=<y)^(z*(x**y)=a**b}

• Notice that S is the conditional statement:

– If odd(y) then ( z:=z*x; y:=y-1)

– Else (x:=x*x; y:=y div 2) endif }• Hence we need to show:

2.1 - {(0<y)^(z*(x**y)=a**b)^odd(y)} ( z:=z*x; y:=y-1) {P}

2.2 - {(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p}


2.1: Proving{(0<y)^(z*(x**y)=a**b)ôdd(y)} ( z:=z*x; y:=y-1) {P}

• Wp((z:=z*x; y:=y-1), (0<y)^(z*(x**y)=a**b)}

• Wp((z:=z*x), (0<y-1)^(z*(x**(y-1)=a**b))• (1<y)^(z*x*(x**(y-1)=a**b)• (1<y)^(z*(x**y)=a**b)

Now notice that (0<y)ôdd(y) -> (1<y)• Hence we get that

– (0<y)^(z*(x**y)=a**b)ôdd(y) -> (1<y)^(z*(x**y)=a**b)

– This completes the proof of the If branch!


2.2: Proving{(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p}

• Wp((x:=x*x; y:=y div 2), {(0=<y)^(z*(x**y)=a**b)})

• Wp(((x:=x*x), {(0=< y div 2)^(z*(x**(y div 2)=a**b)})• (0=< y div 2)^(z*(x*x)**(y div 2) = a**b)• (0=<y div 2)^(z**y = a**b)

Notice now that (0<y) ^ even(y) -> (2=<y)

-> (0 =< y div 2)• Hence we have

– {(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p}

– This completes the proof obligation for the else branch!


3. Proving (P^(y=/=0))-> (y>0)

• Notice P is (0=<y)^(z*(x**y)=a**b)

• Hence P^(y=/=0) -> (y>0)


4. Proving Properties of the Counting Function

• Need to show that “y”decreases with each iteration– If in the beginning of iteration odd(y), then

• Y :=Y-1, hence Y decreases

– If in the beginning of iteration ~odd(y), then• Y := Y div 2, and Y > (Y div 2), hence Y decreases


Summary: Structure of the Completed Proof{Q}S11{P1} {P1}S12{P2}

{Q}(S11;S12){P2} {P2}S13{P}

{Q} S1 {P}

{P^r^r1}S21{P} {P^r^~r1}S21{P}

{P^r}S2{RP}

{P^~r}->R (Iteration Decreases Y) (P^r -> (Y>0))

{Q} S {R}


Giese’s Guideline for Developing a Loop from Given Invariant P and Bound Function t

Step1: Develop initialization to validate P

Step2: Develop loop guard B to satisfy (P^~B->R)

Step3:Verify (P^ B) -> (t>0)

Step4:Develop loop body to progress towards goal

I.e. find a way to decrease bound function t.

Step5:Modify loop body to make P a loop invariant


Properties of WP• Wp(S, False) = False• Wp(S, Q)^Wp(S, R) = Wp(S, Q^R)• If Q-> R then Wp(S,Q) -> Wp(S,R)• For deterministic programs S,

Wp(S, QvR) = Wp(S, Q)vWp(S, R)• Wp(skip, R) = R, where skip does nothing.

• Wp(abort, R) = False, where abort never executes.• Wp(S1;S2, R) = Wp(S1 Wp(S2,R))• Wp((S1;S2);S3, R) Wp(S1;(S2;S3), R)

Duminda WijesekeraSWSE 623 - Program Correctness1 SWSE 623 Program Correctness -Pre-condition,...

Documents

Transcript of Duminda WijesekeraSWSE 623 - Program Correctness1 SWSE 623 Program Correctness -Pre-condition,...