Predicate Transforms II

Predicate Transforms II Software Testing and Verification Lecture Notes 20 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Predicate Transforms II • Transform rules for while loops: • Weakest pre-conditions (wp’s) • Weakest liberal pre-conditions (wlp’s) • Relationships between wp’s and wlp’s with loop invariants • Strongest post-conditions (sp’s) • On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)

wp Rule for while_do Statement • In order for the program while b do Sto terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR 2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR . . .

wp Rule for while_do Statement (cont’d) Thus, we can write wp(while b do S, Q)  H0V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, ¬b Л Q) H2 b Л wp(S, b Л wp(S, ¬b Л Q)) . . .

wp Rule for while_do Statement (cont’d) Equivalently, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, H0) H2 b Л wp(S, H1) Hi b Л wp(S, Hi-1) … …

Something to think about… • How do these terms compare to the (infinite) set of necessary conditions derived for the while_do ROI?

FLASHBACK to Lecture Notes #18… Something to think about… (cont'd) So, we know that{P} while b do S {Q}will hold if the following conditions hold: Case 0: (P Лb) Q Case 1: {P Л b} S {K1}, (K1 Лb)  Q Case 2: {K1Л b} S {K2}, (K2 Лb)  Q … Case N: {KN-1 Л b} S {KN}, (KN Лb)  Q …

Something to think about… (cont'd) • What is the relationship between wp(while b do S, Q) and an invariant, I, for which initialization, preservation, and finalization hold? We'll come back to this question later...

Example • For what initial values of i, n, and t will the following program terminate with t=xn? while i <= n do t := t*x i := i+1 end_while How about i=1, t=1, and n=2? Can you think of any others? For example... {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Лn=1}? {i=2 Л t=x Лn=5}?

Example (cont’d) • Find the wp of this program with respect to the post-condition {t=xn}. (Attempt to find a regularity in terms that allows a closed-form expression.)

Example (cont’d) while i <= n do t := t*x i := i+1 end_while H0 ¬b Л Q = H1 b Л wp(S, H0) = = = H2 b Л wp(S, H1) = = =

Example (cont’d) while i <= n do t := t*x i := i+1 end_while H0 ¬b Л Q = i>n Лt=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Лt=xn) = i≤n Л i+1>n Лtx=xn = i=n Лt=xn-1 H2 b Л wp(S, H1) = i≤n Л wp(S, i=n Лt=xn-1) = i≤n Л i+1=n Лtx=xn-1 = i=n-1 Лt=xn-2

Example (cont’d) while i <= n do t := t*x i := i+1 end_while H3 b Л wp(S, H2) = = = . . . Hk b Л wp(S, Hk-1) = =

Example (cont’d) while i <= n do t := t*x i := i+1 end_while H3 b Л wp(S, H2) = i≤n Л wp(S, i=n-1 Лt=xn-2) = i≤n Л i+1=n-1 Лtx=xn-2) = i=n-2 Лt=xn-3 . . . Hk b Л wp(S, Hk-1) = i=n-(k-1) Лt=xn-k = i=n-k+1 Лt=xn-k

Example (cont’d) Thus, we have: H0 = i>n Лt=xn Hk=i=n-k+1 Лt=xn-k(for all k>0) and since i=n-k+1n-k=i-1 = i≤nЛt=xi-1 (where i≤n for all k>0) Therefore, wp H0 V H1 V H2 V ... = (i>n Лt=xn) V (i≤n Лt=xi-1)

Example (cont’d) • So, given that the wp is (i>n Лt=xn) V (i≤nЛt=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (1>(1,2,…) Л1=x(1,2,…)) V (1≤(1,2,…) Л1=x1-1) √

Example (cont’d) • So, given that the wp is (i>n Лt=xn) V (i≤nЛt=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (3>1 Лx=x1) V (3≤1 Лx=x3-1) √ √

Example (cont’d) • So, given that the wp is (i>n Лt=xn) V (i≤nЛt=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (2>5 Лx=x5) V (2≤5 Лx=x2-1) √ √ √

Example (cont’d) • So, given that the wp is (i>n Лt=xn) V (i≤nЛt=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √ √ √

wlp Rule for while_do Statement • In order for the program while b do Sto either terminate in state Q, or not term-inate at all, it is necessary that: • Q will hold on program termination, OR • the program will not terminate. Therefore, wlp(while b do S, Q) ≡ wp(while b do S, Q) V ¬wp(while b do S, true) (Note: wp(M, true) is the weakest pre-condition ensuring termination of program M.)

Example • Use the wlp rule for while_do statements to determine the weakest liberal pre-condition for the following program with respect to post-condition t=x5. while i<>3 do t := t*x i := i+1 end_while

Step 1: determine wp with respect to Q while i<>3 do t := t*x i := i+1 end_while H0 ¬b Л Q = H1 b Л wp(S, H0) = = = . . . Hk b Л wp(S, Hk-1) = . . .

Step 1: determine wp with respect to Q while i<>3 do t := t*x i := i+1 end_while H0 ¬b Л Q = i=3 Лt=x5 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3 Лt=x5) = i≠3 Л i+1=3 Лtx=x5 = i=2Лt=x4 . . . Hk b Л wp(S, Hk-1) = i=3-k Лt=x5-k . . .

Step 1: determine wp with respect to Q Thus, we have: H0 = i=3 Лt=x5 Hk=i=3-k Лt=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Лt=xi+2 (where i<3 for all k>0) Therefore, the wp w.r.t. Q, H0 V H1 V H2 V... is: i≤3 Лt=xi+2

Step 2: determine wp with respect to true while i<>3 do t := t*x i := i+1 end_while H0 ¬b Л true = H1 b Л wp(S, H0) = = = . . . Hk b Л wp(S, Hk-1) = . . .

Step 2: determine wp with respect to true while i<>3 do t := t*x i := i+1 end_while H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = i=2 . . . Hk b Л wp(S, Hk-1) = i=3-k . . .

Step 2: determine wp with respect to true Thus, we have: H0 = i=3 Hk= i=3-k (for all k>0) = i<3 Therefore, the wp w.r.t. true, H0 V H1 V H2 V... is: i≤3

Step 3: combine wp’s into one disjunct Thus, wlp(while i<>3 do t := t*x; i := i+1, t=x5) = (i≤3 Лt=xi+2) V i>3 Exercise: In light of this, for which of the following initial states is the program weakly correct with respect to t=x5? {i=1 Л t=1 Л x=1}? {i=2 Л t=x Л x=2}? {i=5 Л t=8 Л x=3}?

Loop Invariants and w(l)p’s • In general, are loops guaranteed to terminate when: P  wp ? P  wlp ? • For while loops, does {w(l)p Л b} S {w(l)p} ? • Does (w(l)p Л ¬b)  Q ?

{wp Л b} S {wp} ???

{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V(b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V(b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …} ={wp} Similarly, it can be shown that {wlp Л b} S {wlp}.

Loop Invariants and w(l)p’s • In general, are loops guaranteed to terminate when: P  wp ? P  wlp ? • For while loops, does {w(l)p Л b} S {w(l)p} ? • Does (w(l)p Л ¬b)  Q ?

{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V(b Л wp(S, H1)) V …]Л ¬b} {(¬b Л Q)}  Q Similarly, it is easy to show that {wlpЛ ¬b}  Q.

Loop Invariants and w(l)p’s • In general, are loops guaranteed to terminate when: P  wp ? yes P  wlp ? no • For while loops, does {w(l)p Л b} S {w(l)p} ? yes • Does (w(l)p Л ¬b)  Q ? yes _________________________ wp weakest whileloop invariant which guarantees termination! wlp weakest whileloop invariant which does NOT guarantee termination!

sp Rule for while_do Statement • What is the strongest condition on the final state of program while b do S given that P holds initially? (Note that the post-condition is undefined when the program does not terminate.) • Recall our derivation of the while loop Rule of Inference from Lecture Notes #18 (Axiomatic Verification II). (flashback follows...)

Necessary Conditions: while_do So, we know that {P} while b do S {Q} will hold if the following conditions hold: Case 0: (P Лb) Q Case 1: {P Л b} S {K1}, (K1 Лb)  Q Case 2: {K1Л b} S {K2}, (K2 Лb)  Q … Case N: {KN-1 Л b} S {KN}, (KN Лb)  Q … Great! But who has the time to show that an infinite number of conditions hold?

sp Rule for while_do Statement • In order to eliminate the infinite sequence of necessary conditions, we replaced each Ki with I (a loop invariant.) • But for i≥1, Kiis just the strongest post-condition of S with respect to (Ki-1Л b), where K0 = P.

sp Rule for while_do Statement Thus, if the loop terminates, sp(while b do S, P) = ¬b Л(K0 V K1 V K2 V ...) where K0 P K1 sp(S, b ЛP) K2 sp(S, b Лsp(S, b ЛP)) K3 sp(S, b Лsp(S, b Лsp(S, b ЛP))) . . .

sp Rule for while_do Statement Equivalently, we can write: on termination, sp(while b do S, P) = ¬b Л(K0 V K1 V K2 V ...) where K0 P K1 sp(S, b ЛK0) K2 sp(S, b ЛK1) KN  sp(S, b ЛKN-1) … …

{true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} Example Use the Strongest Post-condition ROI to prove:

{true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} We need to show: sp(T, Z=X ЛJ=1)  Z=XY where T is: while J<>Y do Z := Z+X J := J+1 end_while if T terminates. Example Use the Strongest Post-condition ROI to prove: T

Example (cont’d) K0 P = K1sp(S, b ЛK0) = = K2sp(S, b ЛK1) = = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) K0 P = Z=X ЛJ=1 K1sp(S, b ЛK0) = Z=Z’+X Л J=J’+1 ЛJ’≠Y Л Z’=X ЛJ’=1 = Z=2X ЛJ=2Л Y≠1 K2sp(S, b ЛK1) = Z=Z’+X Л J=J’+1 ЛJ’≠YЛ Z’=2X ЛJ’=2 Л Y≠1 = Z=3X ЛJ=3ЛY≠1ЛY≠2 {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) K3sp(S, b ЛK2) = . . . KNsp(S, b ЛKN-1) = . . . {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) K3sp(S, b ЛK2) = Z=4X ЛJ=4ЛY≠1Л Y≠2Л Y≠3 . . . KNsp(S, b ЛKN-1) = Z=(N+1)X ЛJ=N+1Л Y≠1ЛY≠2Л ...ЛY≠N . . . {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) Thus, when T terminates (i.e., when Y≥1), sp(T, Z=X ЛJ=1) = J=YЛ[(Z=X ЛJ=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...] => [(Z=XY ЛY=1) V (Z=XY Л Y=2) V ...] => (Z=XY ЛY≥1) => Q (i.e., Z=XY)

Predicate Transforms II