Program Correctness
Page 2
Program Verification
• An object is a finite state machine:
– Its attribute values are its state.
– Its methods optionally:
• transition it from one state to another;
• produce a return value.
• We deal with static methods: functions.
• The discussion can be extended to objects.
Page 3
• Let function f: I → O, where
– I is the set of valid inputs,
– O is the set of valid outputs.
• Let program P compute f.
• If ∀ i ∈ I, P(i) = f(i), then P correctly computes f.
• If the input is an int, then |I| > 1 billion.
• Idea: prove that P computes f without testing.
Page 4
Partial Correctness
An initial assertion states the properties of valid input.
A final assertion states the properties of valid output.
Let program [segment] S have:
initial assertion p,
final assertion q.
If
(p is true for S’s input ∧ S terminates) → q is true for S’s output,
then
S is partially correct with respect to p & q, denoted p{S}q.
Page 5
Correctness
• A program [segment] is correct when:
– it is partially correct, and
– it terminates on all valid input.
• The initial & final assertions specify the function.
• N.B.
– Humans create the specification.
– A specification is thus itself a source of error.
– If specifying a function is more error-prone than programming it, then “Houston, we have a problem.”
Page 6
Is this Java segment correct?
```java
assert ( y >= 0 );
int x = y*y;
x *= x*x;
assert x == y*y*y*y*y*y;
```
1. Let p be the initial assertion: y >= 0.
2. Let q be the final assertion: x == y^6.
3. If p, then
   1. x == y^2 after the 1st statement,
   2. x == y^2 * y^2 * y^2 after the 2nd statement.
Is the above proof correct?
Page 7
Is this Java segment correct?
```java
assert ( y >= 0 ) && ( Math.pow(y, 6) <= Integer.MAX_VALUE );
int x = y*y;
x *= x*x;
assert x == y*y*y*y*y*y;
```
1. Let p & q be the initial & final assertions, respectively.
2. If p, then
   1. x == y^2 after the 1st statement,
   2. x == y^2 * y^2 * y^2 after the 2nd statement,
   3. no overflow occurs.
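As an added example (not part of the slides), the two segments above run under Java's 32-bit two's-complement int arithmetic emulated in Python. It checks every y in a range rather than one value, and separates the final assertion as the JVM evaluates it (`x == y*y*y*y*y*y`, whose right-hand side wraps exactly like x) from the final assertion the proof relies on (x equals the mathematical y^6). The exact-arithmetic stand-in for `Math.pow(y, 6) <= Integer.MAX_VALUE` is an assumption of this example.

```python
# Added example (not from the slides): the two segments above, run under
# Java's 32-bit two's-complement int arithmetic emulated in Python.

INT_MAX = 2**31 - 1

def java_int(v: int) -> int:
    """Wrap an unbounded integer the way a Java int product does (mod 2^32, signed)."""
    return (v + 2**31) % 2**32 - 2**31

def segment(y: int) -> int:
    """int x = y*y; x *= x*x;  with every product wrapped like a Java int."""
    x = java_int(y * y)
    x = java_int(x * java_int(x * x))
    return x

def java_rhs(y: int) -> int:
    """y*y*y*y*y*y as Java evaluates it: left to right, wrapping at each step."""
    rhs = y
    for _ in range(5):
        rhs = java_int(rhs * y)
    return rhs

def runtime_assert_holds(y: int) -> bool:
    """The slide's final assertion `x == y*y*y*y*y*y` as the JVM would check it."""
    return segment(y) == java_rhs(y)

def spec_holds(y: int) -> bool:
    """The final assertion the proof actually needs: x == y^6 in exact arithmetic."""
    return segment(y) == y**6

def pre_slide6(y: int) -> bool:
    """Initial assertion of the first slide: y >= 0."""
    return y >= 0

def pre_slide7(y: int) -> bool:
    """Initial assertion of the second slide; exact y**6 stands in for Math.pow (assumption)."""
    return y >= 0 and y**6 <= INT_MAX

def first_failure(pre, post, limit: int = 1000):
    """Smallest y in [0, limit) that violates partial correctness p{S}q, or None."""
    for y in range(limit):
        if pre(y) and not post(y):
            return y
    return None
```

With the slide-6 precondition the JVM assertion never fires, because both sides wrap identically, while the mathematical postcondition first fails at y = 36 (36^6 exceeds Integer.MAX_VALUE); the slide-7 precondition excludes exactly those inputs.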
Page 8
Rules of Inference
• Let segment S be segment S1 followed by segment S2, written S = S1;S2.
• Composition inference rule:
( p{S1}q ∧ q{S2}r ) → p{S1;S2}r
“If p is true and S1 & S2 terminate, then r is true.”
Page 9
Conditional Statements
Suppose we have a segment of the form:if ( condition )
S
where condition is booelan & S is a segment.
Let p & q be initial & final assertions.
( p condition )Sq
( p condition ) q__________________
p if ( condition ) S q.
Page 10
Suppose we have a segment of the form:
if ( condition )
    S1
else
    S2
( p ∧ condition ){S1}q
( p ∧ ¬condition ){S2}q
_______________________
p{ if ( condition ) S1 else S2 }q.
Page 11
Loop Invariants
Suppose we have a segment of the form:
while ( condition )
    S
If assertion p is true before each execution of S and remains true after it, p is a loop invariant.
Let p be a loop invariant.
( p ∧ condition ){S}p
______________________________
p{ while ( condition ) S }( ¬condition ∧ p ).
Page 12
```java
// Run with `java -ea` so the assertions are enabled.
static int multiply(int m, int n) { // assume int is unbounded
    // p: m and n are ints (holds on entry)
    int a = (n < 0) ? -n : n;
    assert a == Math.abs(n);                     // q: p && a == |n|
    int k = 0, x = 0;
    assert a == Math.abs(n) && k == 0 && x == 0; // r: q && k == 0 && x == 0
    while (k < a) {
        x += m;
        k++;
        assert k <= a && x == m*k;               // loop invariant
    }
    assert x == m*a && a == Math.abs(n);         // s: invariant && !(k < a), so k == a
    int product = (n < 0) ? -x : x;
    assert product == n*m;                       // t
    return product;
}
```
Page 13
Correctness Proof Framework
1. Show that p → q → r → s → t, i.e. each segment carries its initial assertion to its final assertion, and chain them with the composition rule.
2. Conclude that p → t.
3. Show that all program segments terminate.
4. Conclude that the program is correct.
Again, we omitted overflow considerations.
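As an added example (not from the slides), the multiply procedure of the previous slide in Python with the checkpoints p..t and the loop invariant checked at run time, plus the one thing the framework's step 3 asks for that the slide's assertions do not cover: a termination measure (a − k) that is a natural number and strictly decreases on every iteration. Python ints are unbounded, matching the slide's assumption; the sample input pairs are constructed for this example.

```python
# Added example (not from the slides): slide 12's multiply with assertions
# p..t, the loop invariant and a termination measure checked at run time.

def multiply(m: int, n: int) -> int:
    # p: m and n are integers (holds on entry)
    a = -n if n < 0 else n
    assert a == abs(n)                          # q
    k, x = 0, 0
    assert a == abs(n) and k == 0 and x == 0    # r
    assert k <= a and x == m * k                # invariant established before the loop
    variant = a - k                             # termination measure, a natural number
    while k < a:
        x += m
        k += 1
        assert k <= a and x == m * k            # (invariant and condition){S}invariant
        assert 0 <= a - k < variant             # measure strictly decreases, bounded below
        variant = a - k
    # loop rule: invariant and not (k < a), hence k == a
    assert x == m * a and a == abs(n)           # s
    product = -x if n < 0 else x
    assert product == n * m                     # t
    return product

def check_all(pairs):
    """Return the (m, n) pairs for which an assertion fails or the result is wrong."""
    failures = []
    for m, n in pairs:
        try:
            if multiply(m, n) != m * n:
                failures.append((m, n))
        except AssertionError:
            failures.append((m, n))
    return failures

# Constructed sample covering both signs of each operand, zero and |n| == 1.
SAMPLE = [(3, 4), (3, -4), (-3, 4), (-3, -4), (0, 7), (7, 0), (5, 1), (-1, -1), (6, -1)]
```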