Proving Program Correctness - PowerPoint PPT Presentation

Provided by: APOR4
Learn more at: http://www.cs.umd.edu
Slides: 18
Transcript and Presenter's Notes



1
Proving Program Correctness
  • The Axiomatic Approach

2
What is Correctness?
  • Correctness = partial correctness + termination
  • Partial correctness: program implements its
    specification

3
Proving Partial Correctness
  • Goal: prove that program is partially correct
  • Approach: model computation with predicates
  • Predicates are boolean functions over program
    state
  • Simple example
  • {odd(x)} a := x {odd(a)}
  • Generally {P} S {Q}, where
  • P ≡ precondition
  • Q ≡ postcondition
  • S ≡ programming language statement

4
Proof System
  • Two elements of proof system
  • Axioms capture the effect of prog. lang. stmts.
  • Inference rules compose axioms to build up
    proofs of entire program behavior
  • Let's start by discussing inference rules and
    then we'll return to discussing axioms

5
Composition
  • Rule
  • Consider two predicates
  • {odd(x+1)} x := x + 1 {odd(x)}
  • {odd(x)} a := x {odd(a)}
  • What is the effect of executing both stmts?
  • {odd(x+1)} x := x + 1; a := x {odd(a)}

6
Consequence 1
  • Rule
  • Ex
  • {odd(x)} a := x {odd(a)} and
  • Postcondition ≡ a ≠ 4
  • What can we say about this program?

7
Consequence 2
  • Rule
  • Ex
  • Precondition ≡ x = 1 and
  • {odd(x)} a := x {odd(a)}
  • What can we say about this program?

8
Axioms
  • Axioms explain the effect of executing a single
    statement
  • Axioms will be derived backwards.
  • Start with postcondition and determine what
    conditions must be true on entry to stmt.

9
Assignment Axiom
  • Rule
  • Replace all free occurrences of x with y
  • e.g., {odd(x)} a := x {odd(a)}

10
Conditional Stmt 1 Axiom
  • Rule

  (Flowchart for the rule: start from P and test Bif; the P ∧ Bif path executes S, the P ∧ ¬Bif path skips S; both paths reach Q.)

11
Conditional Stmt 1
  • Example
  • if even(x) then
  •   x := x + 1
  • {odd(x) ∧ x > 3}
  • else part
  • (?? ∧ ¬even(x)) ⇒ (odd(x) ∧ x > 3)
  • then part
  • {odd(x+1) ∧ x > 2} x := x + 1 {odd(x) ∧ x > 3}
  • (?? ∧ even(x)) ⇒ (odd(x+1) ∧ x > 2)
  • P ≡ ((odd(x+1) ∧ x > 2) ∨ x > 3)
  • x > 3 works as well.

12
Conditional Stmt 2 Axiom
  • Rule

  (Flowchart for the rule: start from P and test Bif; the P ∧ Bif path executes S1, the P ∧ ¬Bif path executes S2; both paths reach Q.)

13
Conditional Stmt 2 Axiom
  • Example
  • if x < 0 then
  •   x := -x; y := x
  • else
  •   y := x
  • {y = |x|}
  • Then part
  • {x = |x|} y := x {y = |x|}
  • {-x = |x|} x := -x {x = |x|}
  • (?? ∧ x < 0) ⇒ -x = |x|
  • Else part
  • {x = |x|} y := x {y = |x|}
  • (?? ∧ ¬(x < 0)) ⇒ x = |x|
  • P ≡ (-x = |x|) ∨ (x = |x|)

14
While Loop Axiom
  • Rule
  • Infinite number of paths, so we need one
    predicate that captures the effect of S
  • P is called an invariant

  (Flowchart for the rule: start from P and test Bif; while it holds, execute S and return to P; on exit, P ∧ ¬B.)

15
While Loop Axiom
  • Example
  • IN ≡ B ≥ 0
  • a := A
  • b := B
  • y := 0
  • while b > 0 do
  •   y := y + a
  •   b := b - 1
  • OUT ≡ y = AB
  • INV ≡ y + ab = AB ∧ b ≥ 0
  • Bw ≡ b > 0
  • Show INV ∧ ¬Bw ⇒ OUT
  • y + ab = AB ∧ b ≥ 0 ∧ ¬(b > 0)
  • y + ab = AB ∧ b = 0
  • y = AB
  • So INV ∧ ¬Bw ⇒ OUT
  • Establish IN ⇒ INV
  • {ab = AB ∧ b ≥ 0} y := 0 {INV}
  • {aB = AB ∧ B ≥ 0} b := B {…}
  • {AB = AB ∧ B ≥ 0} a := A {…}
  • So {IN} a := A; b := B; y := 0 {INV}

16
While Loop Axiom
  • Need to show
  • {INV ∧ Bw} loop body {INV}
  • {y + a(b-1) = AB ∧ b-1 ≥ 0} b := b - 1 {INV}
  • {y + a + a(b-1) = AB ∧ b-1 ≥ 0} y := y + a {…}
  • {y + ab = AB ∧ b-1 ≥ 0} loop body {INV}
  • y + ab = AB ∧ b ≥ 0 ∧ b > 0 ⇒ y + ab = AB ∧ b-1 ≥
    0,
  • So
  • {IN} lines 1-3 {INV},
  • {INV} while loop {INV ∧ ¬Bw}, and
  • INV ∧ ¬Bw ⇒ OUT
  • Therefore
  • {IN} program {OUT}

17
Total correctness
  • After you have shown partial correctness
  • Need to prove that program terminates
  • Usually a progress argument. Last program
  • Loop terminates if b ≤ 0
  • b starts positive and is decremented by 1 every
    iteration
  • So loop must eventually terminate
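The multiplication program of slides 15-17, instrumented so that each proof obligation of the argument (IN at entry, INV after lines 1-3, INV preserved by the body, OUT on exit, and a decreasing variant b for termination) is checked at run time. This is an added example, not code from the slides; the function and predicate names are chosen here.

```python
# Added example: run-time check of the Hoare-logic argument for y := A*B.
# Predicates are the slides' IN, INV, Bw and OUT written as Python functions.

def IN(A, B):
    return B >= 0

def INV(a, b, y, A, B):
    return y + a * b == A * B and b >= 0

def Bw(b):
    return b > 0

def OUT(y, A, B):
    return y == A * B

def check(cond, obligation):
    # Raise explicitly so the checks survive `python -O`, which strips `assert`.
    if not cond:
        raise AssertionError(f"proof obligation failed: {obligation}")

def multiply_checked(A, B):
    """Execute the slide program, checking every obligation; return (y, iterations)."""
    check(IN(A, B), "IN: B >= 0")
    a = A   # line 1
    b = B   # line 2
    y = 0   # line 3
    check(INV(a, b, y, A, B), "{IN} lines 1-3 {INV}")
    iterations = 0
    while Bw(b):
        variant = b                     # termination: b is a natural number here
        y = y + a                       # loop body
        b = b - 1
        check(INV(a, b, y, A, B), "{INV and Bw} loop body {INV}")
        check(0 <= b < variant, "variant b strictly decreases and stays >= 0")
        iterations += 1
    check(not Bw(b), "loop exit: not Bw")
    check(OUT(y, A, B), "INV and not Bw => OUT")
    return y, iterations

def obligations_hold(A, B):
    """True if the whole argument goes through for this input, False if an obligation fails.
    With B < 0 the loop never runs and y = 0 != AB, which is why IN and the b >= 0
    conjunct of INV are needed."""
    try:
        multiply_checked(A, B)
        return True
    except AssertionError:
        return False
```

Running multiply_checked(3, -2) reports the violated precondition IN rather than silently returning y = 0.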