1 / 24

SWSE 623

SWSE 623. Program Correctness -Pre-condition, Post-conditions and Loop invariants. Basic Definitions. Partial Correctness with respect to predicates: If program P starts satisfying predicate A, and P terminates , then the terminating state satisfies B.

isleen
Download Presentation

SWSE 623

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SWSE 623 Program Correctness -Pre-condition, Post-conditions and Loop invariants SWSE 623 - Program Correctness

  2. Basic Definitions • Partial Correctness with respect to predicates: • If program P starts satisfying predicate A, and P terminates, then the terminating state satisfies B. • Termination with respect to predicates: • If program P starts in a state satisfying predicate A, then it will terminate in a state satisfying B. • Total correctness: • If program P starts in a state satisfying A, then it will terminate in a state satisfying B. Notation: {A} P {B} SWSE 623 - Program Correctness

  3. Weakest Pre-condition and Strongest Post-condition • Weakest Precondition: If a predicate QQ satisfying following conditions is a weakest pre-condition. • {QQ} S {R} • For every Q satisfying {Q} S {R} then Q => QQ • Strongest Post-condition: If a predicate RR satisfies following, it is a strongest post-condition. • {Q} S {RR} • For every R satisfying {Q} S {R}, then RR => R SWSE 623 - Program Correctness

  4. Axiomatic Method of Tony Hoare • Rules of predicate logic are enriched by adding more rules corresponding to program constructs. • Assignment Axiom: • {p(e/x)} ( x:= e ){ p} • Composition Rule: • {p} S { r} {r} S’ {q} {p} (S; S’) {q} • Conditional Rule: • {p ^ r} S {q} {p ^ ~r} S’ {q} {p} (If (r) then S else S’} {q} SWSE 623 - Program Correctness

  5. Hoare Axioms - Continued • While Rule: {p ^ r } S {p} {p} (while r do S) {p ^ ~r } • Consequence Rule: p -> q {q} H {r} r -> s {p} H {r} SWSE 623 - Program Correctness

  6. Soundness and Completeness of Hoare’s Axiomatic System • Theorem: Hoare calculus is Sound • I.e. if |- {p} S {q} then |= {p} S {q} • We will not go through the proof, but similar to soundness of predicate calculus. • Fact: Hoare calculus is NOT complete. • I.e. if |= {p} S {q} then |- {p} S {q} is FLASE! • Counter example: {true} ( x:= 1) { x=1} is true in every model, but cannot be proved ! SWSE 623 - Program Correctness

  7. Issues Related to Incompleteness • The problem with the incompleteness lies in finding a weakest pre-condition for while loops. • Theorem: (Cook –1978) If in an interpretation, every while loop has a weakest pre-condition, then Hoare calculus is complete with respect to that interpretation. – (Referred to as Cook’s relative completeness theorem) • Give examples of using each rule. SWSE 623 - Program Correctness

  8. Sequencing Rule • Rule: {p} S {q} {q} S’ {r} {p} (S : S’) {r} • To use this rule, take the form WP( S;S’, R) = WP( S, WP(S’, R)) • Example: Calculate • WP( (t:=x;x:=y;y:=t) x=1 ^ y=2) • =WP((t:=x;x:=y),WP(y:=t, (x=1^y=2))) • =WP((t:=x;x:=y), (2=t ^x=1)) • =WP((t:=x),(1=y^2=t)) = (1=y)^(2=x) SWSE 623 - Program Correctness

  9. Conditional Statement • {p ^ r} S {R} {p ^ ~r} S’ {R} {p} (If (r) then S else S’} {R} • Example:WP((if x>=y then z:=x else z:=y), z =max(x,y)) • Let R=z=max{x,y}= (z=x^x>=y)V(z=y^y>x) • Claim p=T. Need to show • {p^(x>=y)} (z:=x) {R} • WP((z:=x), R) = ((x=x)^(x>=y))V((x=y)^(y>x))=(x>=y). • Hence p^(x>=y) -> (x>=y). • {p^(x <y)} (z:=y) {R} • WP((Z:=Y), R) = ((y=x)^(x>=y))V((y=y)^(Y>X))=(Y=X)V(Y>X)=(Y>=X). • Now notice that {p^(x<y)} =(Y>X) -> (y>=X) SWSE 623 - Program Correctness

  10. Suggestions for using the Conditional Rule • Suppose we have to show • {Q} (If (r) then S else S’} {R}, using the rule • {p ^ r} S {q} {p ^ ~r} S’ {R} {p} (If (r) then S else S’} {R} • Compute the Wp for alternatives, I.e. • Wp(S, R) and Wp(S’, R) • Then prove • p^(r ) -> Wp(S,R) and P^(~r) -> Wp(S’,R) • Q -> (p^r) and Q -> (p^(~r)) SWSE 623 - Program Correctness

  11. Analyzing Loops • {p ^ r } S {p} {p} (while r do S) {p ^ ~r } • In using this rule, there is no way to guarantee termination of the loop, unless r is false. In order to compute an upper bound on the number of loop iterations, Gries has added a bounding function • Rule: With loop invariant p and bounding function t • If • (p^ (~r)) -> (t=0) : Says that if guard fails then looping has ended. • {p ^ r } S {p} : Says that P is a loop invariant. • (p^r) -> (t >0) : Says that if the guard is true then won’t end looping. • t decreases with each iteration • Then • {p} (while r do S) {p ^ ~r } SWSE 623 - Program Correctness

  12. Using Looping Rules • To show {Q} s’; (while r do S) {R} using loop invariance P and counting function t show: • {Q} s’ {p} • (p^ (~r)) -> R : Says that if guard fails then looping has ended. • {p ^ r } S {p} : Says that P is a loop invariant. • (p^r) -> (t >0) : Says that if the guard is true then won’t end looping. • t decreases with each iteration SWSE 623 - Program Correctness

  13. Example: Exponentiation • Want to show {Q} S {R} where Q = (0 <= b) R = (z = a**b) S = (z:=1; x:=a; y:=b); ( while (y =/=0) do { If odd(y) then ( z:=z*x; y:=y-1) end else (x:=x*x; y:=y div 2) end-if } od) • Use loop invariant P = {(y>=0)^(z*(x**y)=a**b)} • Bounding function = y SWSE 623 - Program Correctness

  14. Example Continued: Proof Obligations 0. {Q} (z:=1; x:=a; y:=b) {P}. I.e. {0=<b} (z:=1; x:=a; y:=b) {(y>=0)^(z*(x**y)=a**b)} 1. P^(~(y=/=0)) -> R. I.e. {(y>=0)^(z*(x**y)=a**b)}^(y=0) -> (z = a**b) 2. {P^(y=/=0)} S {P} I.e. that P is a loop invariant 3. P^(y=/=0) -> (y>0) 4. Each iteration of the loop decreases the bound function y SWSE 623 - Program Correctness

  15. 0. Proving {Q} (z:=1; x:=a; y:=b) {P} • Wp((z:=1; x:=a; y:=b), (0=<y^(z*(x**y)=a**b)) • Wp((z:=1;x:=a), (0=<b^(z*(x**b)=a**b)) • Wp(z:=1,(0=<b^(z*(a**b)=a**b))) • (0=<b) == Q SWSE 623 - Program Correctness

  16. 1. Proving P^(~(y=/=0)) -> R • {(y>=0)^(z*(x**y)=a**b)}^(y=0) -> (z = a**b) • {(y>=0)^(z*(x**y)=a**b)}^(y=0)-> z*(x**0)=a**b) • (Z*1=a**b) -> (z=a**b) – this is true! SWSE 623 - Program Correctness

  17. 2. Proving {P^(y=/=0)} S {P} • Need to prove: {(0<y)^(z*(x**y)=a**b)} S {(0=<y)^(z*(x**y)=a**b} • Notice that S is the conditional statement: • If odd(y) then ( z:=z*x; y:=y-1) • Else (x:=x*x; y:=y div 2) endif } • Hence we need to show: 2.1 - {(0<y)^(z*(x**y)=a**b)^odd(y)} ( z:=z*x; y:=y-1) {P} 2.2 - {(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p} SWSE 623 - Program Correctness

  18. 2.1: Proving{(0<y)^(z*(x**y)=a**b)^odd(y)} ( z:=z*x; y:=y-1) {P} • Wp((z:=z*x; y:=y-1), (0<y)^(z*(x**y)=a**b)} • Wp((z:=z*x), (0<y-1)^(z*(x**(y-1)=a**b)) • (1<y)^(z*x*(x**(y-1)=a**b) • (1<y)^(z*(x**y)=a**b) Now notice that (0<y)^odd(y) -> (1<y) • Hence we get that • (0<y)^(z*(x**y)=a**b)^odd(y) -> (1<y)^(z*(x**y)=a**b) • This completes the proof of the If branch! SWSE 623 - Program Correctness

  19. 2.2: Proving{(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p} • Wp((x:=x*x; y:=y div 2), {(0=<y)^(z*(x**y)=a**b)}) • Wp(((x:=x*x), {(0=< y div 2)^(z*(x**(y div 2)=a**b)}) • (0=< y div 2)^(z*(x*x)**(y div 2) = a**b) • (0=<y div 2)^(z**y = a**b) Notice now that (0<y) ^ even(y) -> (2=<y) -> (0 =< y div 2) • Hence we have • {(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p} • This completes the proof obligation for the else branch! SWSE 623 - Program Correctness

  20. 3. Proving (P^(y=/=0))-> (y>0) • Notice P is (0=<y)^(z*(x**y)=a**b) • Hence P^(y=/=0) -> (y>0) SWSE 623 - Program Correctness

  21. 4. Proving Properties of the Counting Function • Need to show that “y”decreases with each iteration • If in the beginning of iteration odd(y), then • Y :=Y-1, hence Y decreases • If in the beginning of iteration ~odd(y), then • Y := Y div 2, and Y > (Y div 2), hence Y decreases SWSE 623 - Program Correctness

  22. Summary: Structure of the Completed Proof {Q}S11{P1} {P1}S12{P2} {Q}(S11;S12){P2} {P2}S13{P} {Q} S1 {P} {P^r^r1}S21{P} {P^r^~r1}S21{P} {P^r}S2{RP} {P^~r}->R (Iteration Decreases Y) (P^r -> (Y>0)) {Q} S {R} SWSE 623 - Program Correctness

  23. Giese’s Guideline for Developing a Loop from Given Invariant P and Bound Function t Step1: Develop initialization to validate P Step2: Develop loop guard B to satisfy (P^~B->R) Step3:Verify (P^ B) -> (t>0) Step4:Developloopbody to progress towards goal I.e. find a way to decrease bound function t. Step5:Modify loop body to make P a loop invariant SWSE 623 - Program Correctness

  24. Properties of WP • Wp(S, False) = False • Wp(S, Q)^Wp(S, R) = Wp(S, Q^R) • If Q-> R then Wp(S,Q) -> Wp(S,R) • For deterministic programs S, Wp(S, QvR) = Wp(S, Q)vWp(S, R) • Wp(skip, R) = R, where skip does nothing. • Wp(abort, R) = False, where abort never executes. • Wp(S1;S2, R) = Wp(S1 Wp(S2,R)) • Wp((S1;S2);S3, R) Wp(S1;(S2;S3), R) SWSE 623 - Program Correctness

More Related