1 / 20

Pre/Post Condition Logic

Pre/Post Condition Logic. 03/06/2013. Agenda. Hoare’s Logic Overview Application to Pre/Post Conditions. Hoare Logic. Prove partial correctness of computer programs Prove termination separately Hoare triple { P } C { Q } P and Q are assertions P = precondition Q = postcondition

adelle
Download Presentation

Pre/Post Condition Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Pre/Post Condition Logic 03/06/2013

  2. Agenda • Hoare’s Logic Overview • Application to Pre/Post Conditions

  3. Hoare Logic • Prove partial correctness of computer programs • Prove termination separately • Hoare triple • {P} C {Q} • P and Q are assertions • P = precondition • Q = postcondition • C is a command • When P holds a state before C is executed, then Q will hold after (or C does not terminate)

  4. Hoare Logic • Partially correct • Assuming precondition is true before function executes • Postcondition is true after function executes • Totally correct • Precondition is true • Function guaranteed to terminate • Postcondition is true • Total correctness = Partial correctness + termination

  5. Hoare Logic • Rules • Empty statement • {P} skip {P} • Skip statement doesn’t change program state • Assignment • {x = 5} x := x * 2 {x > 0} • Clearly correct, but not precise • x > 5 && x < 20 is better as a postcondition • {∃x, y . (y > 0) ∧ (n = xy)} n := n * (n + 1) {∃x, y . (n = xy)} • With quantifiers • To me, seems to be basic predicate logic as applied to programming constructs

  6. Hoare Logic • Example r := 1; i := 0; while i < m do r := r * n; i := i + 1

  7. Hoare Logic • Example Prove that function computes nth power of m, and leaves result in r r := 1; i := 0; while i < m do r := r * n; i := i + 1

  8. Hoare Logic • Postcondition definition Postcondition: r = nm r := 1; i := 0; while i < m do r := r * n; i := i + 1

  9. Hoare Logic • Defining pre- and postconditions • Determine precondition(s) • Must have m >= 0 • No provision for dividing by n • 00 • Precondition: m >= 0 && n > 0 r := 1; i := 0; while i < m do r := r * n; i := i + 1

  10. Hoare Logic • Next step would be to generate a proof to ensure specification is correct • Get into SAT solvers, etc.

  11. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } } Composing in wrapper

  12. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added // preconditions: sorter_ != NULL // preconditions: sorter_.numbers_ = array of integers // preconditions: sorter_.sort_fn != NULL // postconditions: sorter_.numbers_[0] <= ... <= // sorter_.numbers_[SIZE-1] void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } }

  13. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added Ensure incoming array is not unassigned // preconditions: sorter_ != NULL // preconditions: sorter_.numbers_ = array of integers // preconditions: sorter_.sort_fn != NULL // postconditions: sorter_.numbers_[0] <= ... <= // sorter_.numbers_[SIZE-1] void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } }

  14. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added Array type // preconditions: sorter_ != NULL // preconditions: sorter_.numbers_ = array of integers // preconditions: sorter_.sort_fn != NULL // postconditions: sorter_.numbers_[0] <= ... <= // sorter_.numbers_[SIZE-1] void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } }

  15. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added Precondition that function pointer must be active // preconditions: sorter_ != NULL // preconditions: sorter_.numbers_ = array of integers // preconditions: sorter_.sort_fn != NULL // postconditions: sorter_.numbers_[0] <= ... <= // sorter_.numbers_[SIZE-1] void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } }

  16. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added Postcondition that the array must be sorted in ascending order // preconditions: sorter_ != NULL // preconditions: sorter_.numbers_ = array of integers // preconditions: sorter_.sort_fn != NULL // postconditions: sorter_.numbers_[0] <= ... <= // sorter_.numbers_[SIZE-1] void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } }

  17. Application • Based on Hoare’s logic syntax, the sorting algorithms had pre/postconditions added No postcondition for what type of array…. // preconditions: sorter_ != NULL // preconditions: sorter_.numbers_ = array of integers // preconditions: sorter_.sort_fn != NULL // postconditions: sorter_.numbers_[0] <= ... <= // sorter_.numbers_[SIZE-1] void call_sort(struct Sorter* sorter_) { if (sorter_->sort_fn != NULL) { sorter_->sort_fn(sorter_->numbers_, 0, SIZE-1); } }

  18. Application • The majority of the other examples boiled down to the same thing • Incoming array • Outgoing sorted array

  19. Thoughts • Tool could be written in Python to automatically parse pre/postconditions • Easy to use for text parsing • Also pull out method signature • Format and send output/objects to Puppy for use in algorithm • Initial pass could verify overall correctness of logical syntax • Could be called as an entry point into the developed tool • (We could also leverage some of the STL/Boost libraries as well if the preference is to stick with a single language)

  20. References • Hoare, Charles Antony Richard. "An axiomatic basis for computer programming." Communications of the ACM 12.10 (1969): 576-580. • http://www.cs.cmu.edu/~aldrich/courses/654-sp09/notes/3-hoare-notes.pdf • http://en.wikipedia.org/wiki/Hoare_logic • http://www.cse.iitb.ac.in/~supratik/courses/cs615/msri_ss08.pdf

More Related