Program Correctness - PowerPoint PPT Presentation

Title: Program Correctness

Description: Program Correctness. How can we be sure that a program/algorithm always ... Note: partial correctness only states that the program ... – PowerPoint PPT presentation

Slides: 22
Provided by: patrick113

Transcript and Presenter's Notes

1
Program Correctness an introduction
2
Program Correctness
How do you do that?
  • How can we be sure that a program/algorithm always produces the correct result?
  • Test it on sample input
  • Test boundary conditions
  • Test it on all possible inputs
  • Prove it correct
    • can we automate this?
    • use rules of inference and mathematical induction

3
Program Correctness
Correct, what does that mean?
  • A program is correct if
    • it produces correct output for all possible inputs (this is called partial correctness)
    • and it terminates
  • An initial assertion gives the properties of the input
  • A final assertion gives the properties of the output
  • The initial and final assertions must be given, otherwise we cannot check correctness

4
Program Correctness
Partially Correct?
  • A program, or program segment, S is partially correct with respect to initial assertion p and final assertion q if
    • whenever p is true for the input and S terminates
    • then q is true for the output
  • p{S}q indicates that the program, or program segment, S is partially correct with respect to initial assertion p and final assertion q
  • p{S}q is called a Hoare triple

Note: partial correctness only states that the program produces the correct results if it terminates. It does not prove that the program terminates.
5
Program Correctness
Tony Hoare
6
Program Correctness
A very simple example
  • Program segment S is as follows
    • y := 2; z := x + y
  • Initial assertion
    • p: x = 1
  • Final assertion
    • q: z = 3
  • Prove p{S}q
    • assume p, so x initially has the value 1
    • y is assigned the value 2
    • z is then assigned the value x + y, that is 1 + 2, which is 3
  • Therefore S is correct with respect to p and q

7
Program Correctness
Decompose your program
  • We can split our program into parts (subprograms) and prove that each of these parts is correct
  • Split S into subprograms S1 and S2, so that S is S1 followed by S2
    • S = S1; S2
  • Assume
    • p is the initial assertion of S1
    • q is the final assertion of S1 and the initial assertion of S2
    • r is the final assertion of S2
  • Further assume we have established p{S1}q and q{S2}r
  • It follows that
    • if p is true and S1 executes and terminates then q is true
    • if q is true and S2 executes and terminates then r is true
  • Therefore if p is true and S executes and terminates then r is true

8
Program Correctness
A new rule of inference: The Composition Rule
  • From p{S1}q and q{S2}r conclude p{S1; S2}r
9
Program Correctness
Simple Conditional Statement
  • Assume the program segment is as follows
    • if cond then S
  • S is executed if cond is true
  • S is not executed if cond is false
  • To verify that the segment above is partially correct with respect to initial assertion p and final assertion q, show that
    • when p is true and cond is true and S executes, q is true
    • when p is true and cond is false and S does not execute, q is true

10
Program Correctness
The simple condition rule of inference
  • From (p and cond){S}q and (p and not cond) → q conclude p{if cond then S}q
11
Program Correctness
An example of a simple conditional
  • Program segment S is as follows
    • if x > y then x := y
  • Initial assertion
    • p is True
  • Final assertion
    • q: y ≥ x (y is greater than or equal to x)
  • Consider cond true (x > y) and cond false (x ≤ y)
  • (1) p and x > y
    • the assignment x := y is made, so x = y
    • consequently y ≥ x
    • therefore q holds
  • (2) p and x ≤ y
    • no assignment is made
    • y ≥ x already
    • therefore q holds

12
Program Correctness
Conditional Statement
  • Assume the program segment is as follows
    • if cond then S1 else S2
  • S1 is executed if cond is true
  • S2 is executed if cond is false
  • To verify that the segment above is partially correct with respect to initial assertion p and final assertion q, show that
    • when p is true and cond is true and S1 executes, q is true
    • when p is true and cond is false and S2 executes, q is true

13
Program Correctness
The condition rule of inference
  • From (p and cond){S1}q and (p and not cond){S2}q conclude p{if cond then S1 else S2}q
14
Program Correctness
An example of a conditional
  • Program segment S is as follows
    • if x < 0 then abs := -x else abs := x
  • Initial assertion
    • p is True
  • Final assertion
    • q: abs = |x|
  • Consider the cases when cond is true and when cond is false
  • (1) p and x < 0
    • the assignment abs := -x is made
    • consequently abs = -x = |x|, since x is negative
    • therefore q holds
  • (2) p and x ≥ 0
    • the assignment abs := x is made, and again abs = |x|, since x is non-negative
    • therefore q holds
  • Therefore S is correct with respect to p and q

15
Program Correctness
While Loop (loop invariants)
  • Assume the program segment is as follows
    • while cond do S
  • S is repeatedly executed while cond is true, that is, until cond becomes false
  • An assertion that remains true each time S is executed is required
    • this is the loop invariant
  • p is a loop invariant if (p and cond){S}p is true
  • To verify the segment above with respect to loop invariant p, show that
    • p is true before the loop is entered
    • then p is true and cond is false on termination of the loop

16
Program Correctness
The loop invariant rule of inference
  • From (p and cond){S}p conclude p{while cond do S}(not cond and p)
17
Program Correctness
An example of a loop invariant
  • i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i end
  • Prove that the segment terminates with fact = n!
  • A loop invariant is required
    • let p be the proposition: fact = i! and i ≤ n
    • let S be the loop body: i := i + 1; fact := fact * i
  • Prove that p is a loop invariant, using mathematical induction
  • Basis step: initially i = 1 and fact = 1 = 1! = i!, and 1 ≤ n (assuming n ≥ 1)
  • Inductive step
    • assume p is true and the loop condition holds, i.e. 1 ≤ i < n and fact = i!
    • after executing the loop body
    • i was incremented by 1, i.e. the new value is i + 1
    • since i < n, i + 1 ≤ n
    • fact = i! · (i + 1)
    • therefore fact = (i + 1)! and i has been incremented, so p holds for the new values
  • Therefore p is a loop invariant

18
Program Correctness
An example of a loop invariant
  • i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i end
  • Therefore p is a loop invariant
  • Therefore the hypothesis of the loop invariant rule, (p and i < n){S}p, is true
  • Therefore it follows that p{while i < n do S}(i ≥ n and p) is true
    • from i ≤ n (part of p) and i ≥ n we get i = n, so fact = i! = n!
  • The while loop terminates
    • i starts at 1 (assuming n ≥ 1, as in the basis step)
    • i is incremented by 1 on every iteration and never changed otherwise
    • eventually i will equal n and the condition i < n becomes false

Therefore the program segment is correct
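The factorial segment above, with its initial assertion, loop invariant, final assertion and a termination measure checked at run time. This is an added example and not part of the original slides; the function names, the `n >= 1` precondition (made explicit because the basis step needs 1 ≤ n) and the termination measure `n - i` are this example's own choices. The second loop has the two body statements in the wrong order, to show that the invariant check catches the mistake on the first iteration rather than at the end.

```python
import math


def factorial_loop(n: int) -> int:
    """The slides' segment  i := 1; fact := 1; while i < n do i := i + 1; fact := fact * i
    with the initial assertion, the loop invariant p: fact = i! and i <= n, the final
    assertion and a termination measure all checked with assert."""
    # Initial assertion (assumed here, so that p holds before the loop: the basis step).
    assert n >= 1, "initial assertion n >= 1 violated"
    i, fact = 1, 1
    # Basis step: p holds before the first iteration.
    assert fact == math.factorial(i) and i <= n
    # Termination measure (variant): a non-negative integer that strictly decreases
    # on every iteration. The slides argue termination informally; this makes it a check.
    variant = n - i
    while i < n:
        i = i + 1
        fact = fact * i
        # Inductive step: (p and i < n){S}p, checked on the actual values.
        assert fact == math.factorial(i) and i <= n, "loop invariant broken"
        assert 0 <= n - i < variant, "termination measure did not decrease"
        variant = n - i
    # On exit: not (i < n) and p, hence i = n and fact = n!  (the final assertion).
    assert i == n and fact == math.factorial(n), "final assertion violated"
    return fact


def factorial_loop_buggy(n: int) -> int:
    """Same loop with the body statements in the wrong order (fact := fact * i; i := i + 1).
    It would compute (n-1)!; the invariant check fires on the first iteration instead."""
    assert n >= 1
    i, fact = 1, 1
    while i < n:
        fact = fact * i
        i = i + 1
        assert fact == math.factorial(i) and i <= n, "loop invariant broken"
    return fact


def check_range(limit: int) -> bool:
    """'Test it on all possible inputs' for the small domain 1 <= n <= limit."""
    return all(factorial_loop(n) == math.factorial(n) for n in range(1, limit + 1))


def invariant_catches_bug(n: int) -> bool:
    """True if the invariant assertion fires for the buggy loop (needs n >= 2 so the body runs)."""
    try:
        factorial_loop_buggy(n)
    except AssertionError as err:
        return str(err) == "loop invariant broken"
    return False


def precondition_matters() -> bool:
    """True if n = 0 is rejected: with n = 0 the invariant's i <= n is false before the loop."""
    try:
        factorial_loop(0)
    except AssertionError as err:
        return str(err) == "initial assertion n >= 1 violated"
    return False


if __name__ == "__main__":
    print(factorial_loop(5), check_range(10), invariant_catches_bug(3), precondition_matters())
```

Run-time assertions only check the values that actually occur, so `check_range` is testing, not a proof; the induction on the slides is what covers every n. The value of writing the invariant down as code is that a wrong loop body fails at the iteration where the invariant first breaks, which is far easier to diagnose than a wrong final result.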
19
Program Correctness
An example, min(x,y)
  • Program segment S is as follows
    • if x < y then min := x else min := y
  • Initial assertion
    • p is True
  • Final assertion
    • q: (x ≤ y and min = x) or (x > y and min = y)
  • Consider three cases
  • (1) p and x < y
    • min is set to x
    • (x ≤ y and min = x), so q holds
  • (2) p and x = y
    • min is set to y, which equals x
    • (x ≤ y and min = x), so q holds
  • (3) p and x > y
    • min is set to y
    • (x > y and min = y), so q holds

20
Program Correctness
An example, swap (Question 4)
  • Program segment S is as follows
    • if x > y then begin x := x + y; y := x - y; x := x - y end
  • Initial assertion
    • p is True
  • Final assertion
    • q: x ≤ y
  • Consider two cases
  • (1) p and x ≤ y
    • S is not executed
    • q is already true
  • (2) p and x > y (write x0, y0 for the values before S runs)
    • x := x + y, so x = x0 + y0
    • y := x - y, so y = (x0 + y0) - y0 = x0
    • x := x - y, so x = (x0 + y0) - x0 = y0
    • x and y are now swapped; since x0 > y0, the new y (= x0) is greater than the new x (= y0), so q holds
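The conditional examples above (abs, min and swap) as Hoare triples checked over a small finite domain. This is an added example and not part of the original slides; `check_triple`, the segment functions, the state dictionaries and the input range -3..3 are this example's own constructions. It goes slightly beyond the slides in two ways: it tries the strict final assertion x < y for the swap, which fails exactly in the boundary case x = y that the slides' case split handles, and it adds a stronger final assertion that also requires the output to be a rearrangement of the input, since x ≤ y alone would be satisfied by a segment that sets both variables to 0.

```python
import itertools


def check_triple(pre, segment, post, states):
    """Checks the Hoare triple p{S}q over a finite set of states: for every input state
    where p holds, run S on a copy and require q of (input, output). Returns the
    counterexamples, so an empty list means the triple held on every state tried."""
    failures = []
    for s in states:
        if not pre(s):
            continue
        out = segment(dict(s))  # copy, so the input state survives for the postcondition
        if not post(s, out):
            failures.append((s, out))
    return failures


# The three segments from the slides, as state transformers on a dict of variables.
def seg_abs(s):
    # if x < 0 then abs := -x else abs := x
    s["abs"] = -s["x"] if s["x"] < 0 else s["x"]
    return s


def seg_min(s):
    # if x < y then min := x else min := y
    s["min"] = s["x"] if s["x"] < s["y"] else s["y"]
    return s


def seg_swap(s):
    # if x > y then begin x := x + y; y := x - y; x := x - y end
    if s["x"] > s["y"]:
        s["x"] = s["x"] + s["y"]
        s["y"] = s["x"] - s["y"]
        s["x"] = s["x"] - s["y"]
    return s


# Constructed input domain: every pair (x, y) with -3 <= x, y <= 3, so the boundary case
# x = y is included; that is the case the slides' three-way split is careful about.
STATES = [{"x": x, "y": y} for x, y in itertools.product(range(-3, 4), repeat=2)]


def true_pre(s):
    return True  # the initial assertion p is True on all three slides


def run_checks():
    """Returns a dict of counterexample lists, one per triple."""
    return {
        # q: abs = |x|
        "abs": check_triple(true_pre, seg_abs, lambda s, o: o["abs"] == abs(s["x"]), STATES),
        # q: (x <= y and min = x) or (x > y and min = y)
        "min": check_triple(
            true_pre, seg_min,
            lambda s, o: (s["x"] <= s["y"] and o["min"] == s["x"])
            or (s["x"] > s["y"] and o["min"] == s["y"]),
            STATES),
        # q: x <= y, the slides' final assertion for the swap
        "swap": check_triple(true_pre, seg_swap, lambda s, o: o["x"] <= o["y"], STATES),
        # The strict q: x < y is not a valid final assertion: it fails exactly when x = y
        # (S is not executed, and the values stay equal).
        "swap_strict": check_triple(true_pre, seg_swap, lambda s, o: o["x"] < o["y"], STATES),
        # A stronger q: x <= y and the output holds the same two values as the input.
        "swap_perm": check_triple(
            true_pre, seg_swap,
            lambda s, o: o["x"] <= o["y"]
            and sorted([o["x"], o["y"]]) == sorted([s["x"], s["y"]]),
            STATES),
    }


if __name__ == "__main__":
    for name, failures in run_checks().items():
        print(name, "holds" if not failures else f"{len(failures)} counterexamples, e.g. {failures[0]}")
```

An empty counterexample list over 49 states is evidence, not a proof: the case analysis on the slides is what establishes the triple for all integers. What the finite check adds is the habit of stating q precisely enough to be falsifiable; the strict x < y version is wrong on a boundary the prose could easily have glossed over, and the permutation version documents what "swap" actually has to guarantee.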
21
Program Correctness
So?
  • For each program segment S we need
    • an initial assertion p
    • a final assertion q
  • If it is a loop, we need to establish a loop invariant p
  • We need to apply the appropriate rules of inference
  • Generally we need to decompose the program
  • It takes time, it isn't easy
  • Could we automate the process?
    • for partial correctness?
    • for correctness (including termination)?
  • What do we do in an industrial setting?