Program Correctness

Program Correctness

Program Verification • An object is a finite state machine: • Its attribute values are its state. • Its methods optionally: • Transition it from 1 state to another; • Produce a return value. • We deal with static methods: Functions. • The discussion can be extended to objects.

Let function f: I  O, where • I is the set of valid input • O is the set of valid output • Let program P compute f. • If  i  I, P(i) = f(i), then Pcorrectly computes f. • If I is an int, then |I| > 1 billion. • Idea: Prove that P computes fwithout testing.

Partial Correctness An initial assertion states the properties of valid input. A final assertion states the properties of valid output. Let program [segment]S have: initial assertion p final assertion q. If (p is true for S’s input  S terminates)  q is true for S’s output then S is partially correctwith respect to p & q, denoted p{S}q.

Correctness • A program [segment] is correct when: • It is partially correct. • It terminates on all valid input. • Initial & final assertions specify the function. • N.B. • Humans create the specification. • A specification thus is a source of error. • If specifying a function is more error-prone then programming it, then “Houston, we have a problem.”

Is this Java segment correct? assert ( y >= 0 ); int x = y*y; x *= x*x; assert x == y*y*y*y*y*y; • Let p be the initial assertion: y >= 0. • Let q be the final assertion: x == y6. • If p, then • x == y2 after the 1st statement, • x == y2 *y2 *y2 after the 2nd statement. Is the above proof correct?

Is this Java segment correct? assert ( y >= 0 ) && ( Math.pow(y, 6) <= Integer.MAX_VALUE ); int x = y*y; x *= x*x; assert x == y*y*y*y*y*y; • Let p & q be the initial & final assertion, respectively. • If p, then • x == y2 after the 1st statement, • x == y2 *y2 *y2 after the 2nd statement • no overflow occurs.

Rules of Inference • Let segment S be segment S1 followed by segment S2, written S = S1;S2. • Composition inference rule: ( p{S1}q  q{S2}r )  p{S1;S2}r “If p is true and S1 & S2 terminate, then r is true.”

Conditional Statements Suppose we have a segment of the form: if ( condition ) S where condition is booelan & S is a segment. Let p & q be initial & final assertions. ( p  condition ){S}q ( p   condition )  q __________________ p{ if ( condition ) S }q.

Suppose we have a segment of the form: if ( condition ) S1 else S2 ( p  condition ){S1}q ( p   condition ){S2}q _______________________ p{ if ( condition ) S1 else S2 }q.

Loop Invariants Suppose we have a segment of the form: while ( condition ) S If assertion p is true whenever S is executed, it is a loop invariant. Let p be a loop invariant. (p  condition ){S}p ______________________________ p { while condition S}( condition  p).

procedure int multiply( int m, int n ) { // assume int is unbounded boolean p = true, q = false, r = false, s = false, t = false; assert p; // p represents: int m, n; inta = ( n < 0 ) ? –n : n; assert q = ( p && a == Math.abs( n ) ); int k = 0, x = 0; assert r = ( q && k == 0 && x == 0 ); while ( k < a ) { x += m; k++; assert k <= a && x == m*k; } assert s = ( x == m*a && a == Math.abs( n ) ); int product = ( n < 0 ) ? –x : x; assert t = ( product == n*m ); return product; }

Correctness Proof Framework • Show that p{ }q { }r{ }s{ }t. • Conclude that p{ }t. • Show that all program segments terminate. • Conclude that the program is correct. Again, we omitted overflow considerations.

Characters •   ≥ ≡ ~ ┌ ┐ └ ┘ •        ≈ •    •  Ω Θ •      Σ •        

Program Correctness