SWSE 623 - PowerPoint PPT Presentation

About This Presentation
Title:

SWSE 623

Description:

If program P starts satisfying predicate A, and P terminates, then the ... Example: Exponentiation. Want to show {Q} S {R} where. Q = (0 = b) R = (z = a**b) ... – PowerPoint PPT presentation

Slides: 25
Provided by: csg8
Learn more at: https://cs.gmu.edu

Transcript and Presenter's Notes

1
SWSE 623
  • Program Correctness
  • Pre-conditions, Post-conditions and Loop Invariants

2
Basic Definitions
  • Partial Correctness with respect to predicates A and B
  • If program P starts in a state satisfying predicate A, and P terminates, then the terminating state satisfies B.
  • Termination with respect to predicates A and B
  • If program P starts in a state satisfying predicate A, then it will terminate in a state satisfying B.
  • Total correctness
  • If program P starts in a state satisfying A, then it will terminate in a state satisfying B.
  • Notation: {A} P {B}

3
Weakest Pre-condition and Strongest Post-condition
  • Weakest Precondition: a predicate QQ satisfying the following conditions is a weakest pre-condition.
  • {QQ} S {R}
  • For every Q satisfying {Q} S {R}, Q → QQ
  • Strongest Post-condition: a predicate RR satisfying the following is a strongest post-condition.
  • {Q} S {RR}
  • For every R satisfying {Q} S {R}, RR → R

4
Axiomatic Method of Tony Hoare
  • Rules of predicate logic are enriched by adding more rules corresponding to program constructs.
  • Assignment Axiom
  •   {p(e/x)} (x := e) {p}
  • Composition Rule
  •   Premises: {p} S1 {r}, {r} S2 {q}
  •   Conclusion: {p} (S1; S2) {q}
  • Conditional Rule
  •   Premises: {p ∧ r} S1 {q}, {p ∧ ¬r} S2 {q}
  •   Conclusion: {p} (if r then S1 else S2) {q}

5
Hoare Axioms - Continued
  • While Rule
  •   Premise: {p ∧ r} S {p}
  •   Conclusion: {p} (while r do S) {p ∧ ¬r}
  • Consequence Rule
  •   Premises: p → q, {q} H {r}, r → s
  •   Conclusion: {p} H {s}

6
Soundness and Completeness of Hoare's Axiomatic System
  • Theorem: Hoare calculus is sound
  • I.e. if ⊢ {p} S {q} then ⊨ {p} S {q}
  • We will not go through the proof, but it is similar to the soundness proof for predicate calculus.
  • Fact: Hoare calculus is NOT complete.
  • I.e. "if ⊨ {p} S {q} then ⊢ {p} S {q}" is FALSE!
  • Counter example: {true} (x := 1) {x = 1} is true in every model, but cannot be proved!

7
Issues Related to Incompleteness
  • The problem with the incompleteness lies in finding a weakest pre-condition for while loops.
  • Theorem (Cook 1978): If, in an interpretation, every while loop has a weakest pre-condition, then Hoare calculus is complete with respect to that interpretation. (Referred to as Cook's relative completeness theorem.)
  • Give examples of using each rule.

8
Sequencing Rule
  • Rule: premises {p} S1 {q}, {q} S2 {r}
  •       conclusion {p} (S1; S2) {r}
  • To use this rule, take the form
  • WP(S1; S2, R) = WP(S1, WP(S2, R))
  • Example: Calculate
  • WP((t := x; x := y; y := t), x = 1 ∧ y = 2)
  • = WP((t := x; x := y), WP(y := t, (x = 1 ∧ y = 2)))
  • = WP((t := x; x := y), (2 = t ∧ x = 1))
  • = WP((t := x), (1 = y ∧ 2 = t)) = (1 = y) ∧ (2 = x)

9
Conditional Statement
  • Premises: {p ∧ r} S1 {R}, {p ∧ ¬r} S2 {R}
  • Conclusion: {p} (if r then S1 else S2) {R}
  • Example: WP((if x > y then z := x else z := y), z = max(x,y))
  • Let R = (z = max(x,y)) = (z = x ∧ x > y) ∨ (z = y ∧ y > x)
  • Claim: p = T. Need to show
  • {p ∧ (x > y)} (z := x) {R}
  • WP((z := x), R) = ((x = x) ∧ (x > y)) ∨ ((x = y) ∧ (y > x)) = (x > y).
  • Hence p ∧ (x > y) → (x > y).
  • {p ∧ (x < y)} (z := y) {R}
  • WP((z := y), R) = ((y = x) ∧ (x > y)) ∨ ((y = y) ∧ (y > x)) = (y = x) ∨ (y > x) = (y ≥ x).
  • Now notice that p ∧ (x < y) → (y ≥ x)

10
Suggestions for using the Conditional Rule
  • Suppose we have to show
  • {Q} (if r then S1 else S2) {R}, using the rule
  •   Premises: {p ∧ r} S1 {R}, {p ∧ ¬r} S2 {R}
  •   Conclusion: {p} (if r then S1 else S2) {R}
  • Compute the WP for the alternatives, i.e.
  • WP(S1, R) and WP(S2, R)
  • Then prove
  • p ∧ r → WP(S1, R) and p ∧ ¬r → WP(S2, R)
  • Q → (p ∧ r) and Q → (p ∧ ¬r)
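The WP calculations on the sequencing and conditional slides are mechanical textual substitution, so they can be automated. The following is an added example, not code from the slides or from the course; the function names (`substitute`, `wp_assign`, `wp_seq`, `wp_if`, `wp_is_exact`) and the string-based syntax for assignments (`x := e`) and predicates (Python boolean expressions) are choices made here. It computes WP(x := e, R) = R[e/x] by substituting into the parsed expression, chains substitutions backwards for a sequence, builds the conditional's WP from the two branches, and cross-checks the result against actually running the program over a grid of constructed states:

```python
import ast
import copy
from itertools import product

# Predicates and expressions are Python expression strings over integer
# variables, e.g. "x == 1 and y == 2".  Assignments are written "x := e".
# Evaluation sees only this small allowlist of builtins.
SAFE_GLOBALS = {"__builtins__": {}, "max": max, "min": min, "abs": abs}


class _Substitute(ast.NodeTransformer):
    """Replace every occurrence of one variable name by a parsed expression."""

    def __init__(self, var: str, expr: str):
        self.var = var
        self.repl = ast.parse(expr, mode="eval").body

    def visit_Name(self, node: ast.Name) -> ast.AST:
        # Fresh copy each time so the resulting tree never shares nodes.
        return copy.deepcopy(self.repl) if node.id == self.var else node


def substitute(pred: str, var: str, expr: str) -> str:
    """R[e/x]: textual substitution of e for x in R (the assignment axiom)."""
    tree = _Substitute(var, expr).visit(ast.parse(pred, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))


def wp_assign(assignment: str, post: str) -> str:
    """WP(x := e, R) = R[e/x]."""
    var, expr = (part.strip() for part in assignment.split(":="))
    return substitute(post, var, expr)


def wp_seq(statements: list, post: str) -> str:
    """WP(S1; S2, R) = WP(S1, WP(S2, R)): work backwards through the list."""
    for stmt in reversed(statements):
        post = wp_assign(stmt, post)
    return post


def wp_if(guard: str, then_branch: list, else_branch: list, post: str) -> str:
    """WP(if r then S1 else S2, R) = (r and WP(S1, R)) or (not r and WP(S2, R))."""
    formula = (f"(({guard}) and ({wp_seq(then_branch, post)})) or "
               f"(not ({guard}) and ({wp_seq(else_branch, post)}))")
    return ast.unparse(ast.parse(formula, mode="eval"))  # normalised text


def holds(pred: str, state: dict) -> bool:
    """Evaluate a predicate in a state (dict from variable name to int)."""
    return bool(eval(pred, SAFE_GLOBALS, dict(state)))


def run(statements: list, state: dict) -> dict:
    """Execute a straight-line sequence of assignments on a copy of the state."""
    state = dict(state)
    for stmt in statements:
        var, expr = (part.strip() for part in stmt.split(":="))
        state[var] = eval(expr, SAFE_GLOBALS, dict(state))
    return state


def grid_states(names: list, values: range) -> list:
    """All states giving each name a value from `values` (constructed data)."""
    return [dict(zip(names, combo)) for combo in product(values, repeat=len(names))]


def wp_is_exact(statements: list, post: str, states: list) -> bool:
    """Sanity check of the sequencing rule: for a deterministic, terminating
    straight-line program, WP(S, R) holds in a start state exactly when R
    holds in the final state, so both evaluations must agree on every state."""
    pre = wp_seq(statements, post)
    return all(holds(pre, s) == holds(post, run(statements, s)) for s in states)


if __name__ == "__main__":
    # Slide 8: WP((t := x; x := y; y := t), x = 1 and y = 2) = (y = 1 and x = 2)
    print(wp_seq(["t := x", "x := y", "y := t"], "x == 1 and y == 2"))
    # Slide 9: WP(if x > y then z := x else z := y, z = max(x, y)) is valid (p = T)
    print(wp_if("x > y", ["z := x"], ["z := y"], "z == max(x, y)"))
```

`wp_seq` reproduces the swap calculation from the sequencing slide, and `wp_if` gives a formula that `holds` evaluates to true in every state, which is the "p = T" claim of the conditional slide. `wp_is_exact` is the check a reviewer would run before trusting a hand-derived WP: it compares the formula against the program's actual behaviour on every state in the grid.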

11
Analyzing Loops
  • Premise: {p ∧ r} S {p}
  • Conclusion: {p} (while r do S) {p ∧ ¬r}
  • In using this rule, there is no way to guarantee termination of the loop, unless r is false. In order to compute an upper bound on the number of loop iterations, Gries has added a bounding function.
  • Rule: with loop invariant p and bounding function t
  • If
  • (p ∧ ¬r) → (t = 0): says that if the guard fails then looping has ended.
  • {p ∧ r} S {p}: says that p is a loop invariant.
  • (p ∧ r) → (t > 0): says that if the guard is true then looping won't end.
  • t decreases with each iteration
  • Then
  • {p} (while r do S) {p ∧ ¬r}

12
Using Looping Rules
  • To show {Q} s; (while r do S) {R}, where s is the initialization preceding the loop, using loop invariant P and counting function t, show
  • {Q} s {P}
  • (P ∧ ¬r) → R: says that if the guard fails then looping has ended.
  • {P ∧ r} S {P}: says that P is a loop invariant.
  • (P ∧ r) → (t > 0): says that if the guard is true then looping won't end.
  • t decreases with each iteration

13
Example: Exponentiation
  • Want to show {Q} S {R} where
  • Q = (0 < b)
  • R = (z = a**b)
  • S = (z := 1; x := a; y := b;
  •      while (y ≠ 0) do
  •        if odd(y) then (z := z * x; y := y - 1)
  •        else (x := x * x; y := y div 2) end-if
  •      od)
  • Use loop invariant
  • P = (y > 0) ∧ (z * x**y = a**b)
  • Bounding function: y

14
Example Continued: Proof Obligations
  • 0. {Q} (z := 1; x := a; y := b) {P}. I.e.
  •    {0 < b} (z := 1; x := a; y := b) {(y > 0) ∧ (z * x**y = a**b)}
  • 1. P ∧ ¬(y ≠ 0) → R. I.e.
  •    (y > 0) ∧ (z * x**y = a**b) ∧ (y = 0) → (z = a**b)
  • 2. {P ∧ (y ≠ 0)} S {P}, i.e. that P is a loop invariant
  • 3. P ∧ (y ≠ 0) → (y > 0)
  • 4. Each iteration of the loop decreases the bound function y
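The exponentiation program with its five proof obligations turned into runtime checks, as an added example that is not code from the slides or the course. `invariant`, `exp_by_squaring` and `check_all` are names chosen here, and the bounds on b and y are taken non-strictly (0 ≤ b, 0 ≤ y); that is an assumption of this example, made so the checks also cover b = 0 and the loop-exit state, where y = 0:

```python
from itertools import product


def invariant(x: int, y: int, z: int, a: int, b: int) -> bool:
    """Loop invariant P from the slides, z * x**y = a**b, together with the
    bound on y.  The slides write the bound strictly (y > 0); this example
    assumes the non-strict form y >= 0 so that P also holds on loop exit."""
    return y >= 0 and z * x ** y == a ** b


def exp_by_squaring(a: int, b: int) -> dict:
    """The program S from the slides, instrumented with its proof obligations:
    0. P holds after initialization,
    1. on exit, P and the failed guard give R: z = a**b,
    2. the loop body preserves P,
    3. the guard implies the bound function t = y is positive,
    4. every iteration strictly decreases t.
    Returns the result and the number of iterations performed."""
    if b < 0:                           # precondition Q (0 <= b assumed here)
        raise ValueError("precondition 0 <= b violated")
    z, x, y = 1, a, b                   # initialization
    assert invariant(x, y, z, a, b)     # obligation 0: {Q} z,x,y := 1,a,b {P}
    iterations = 0
    while y != 0:                       # guard r
        assert y > 0                    # obligation 3: P and r -> t > 0
        t_before = y
        if y % 2 == 1:                  # odd(y)
            z, y = z * x, y - 1
        else:                           # even(y)
            x, y = x * x, y // 2        # y div 2
        assert invariant(x, y, z, a, b)  # obligation 2: {P and r} S {P}
        assert y < t_before              # obligation 4: t decreases
        iterations += 1
    assert z == a ** b                  # obligation 1: P and not r -> R
    return {"result": z, "iterations": iterations}


def check_all(max_base: int = 5, max_exp: int = 12) -> bool:
    """Run the instrumented program over a grid of inputs (constructed test
    data).  Any violated obligation raises, so returning True means every
    obligation held on every input tried."""
    for a, b in product(range(-max_base, max_base + 1), range(0, max_exp + 1)):
        if exp_by_squaring(a, b)["result"] != a ** b:
            return False
    return True


if __name__ == "__main__":
    print(exp_by_squaring(2, 10))       # {'result': 1024, 'iterations': 5}
    print(check_all())                  # True
```

Each `assert` is one numbered obligation from the list above, so a failing assertion names the proof step that a proposed invariant or bound function violates. The bound function also gives the iteration count a ceiling: y at least halves every two iterations, which is why `exp_by_squaring(2, 10)` needs only five.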

15
0. Proving {Q} (z := 1; x := a; y := b) {P}
  • WP((z := 1; x := a; y := b), (0 < y) ∧ (z * x**y = a**b))
  • = WP((z := 1; x := a), (0 < b) ∧ (z * x**b = a**b))
  • = WP(z := 1, (0 < b) ∧ (z * a**b = a**b))
  • = (0 < b) = Q

16
1. Proving P ∧ ¬(y ≠ 0) → R
  • (y > 0) ∧ (z * x**y = a**b) ∧ (y = 0) → (z = a**b)
  • (y > 0) ∧ (z * x**y = a**b) ∧ (y = 0) → (z * x**0 = a**b)
  • (z * 1 = a**b) → (z = a**b), this is true!

17
2. Proving {P ∧ (y ≠ 0)} S {P}
  • Need to prove
  • {(0 < y) ∧ (z * x**y = a**b)} S {(0 < y) ∧ (z * x**y = a**b)}
  • Notice that S is the conditional statement
  • if odd(y) then (z := z * x; y := y - 1)
  • else (x := x * x; y := y div 2) end-if
  • Hence we need to show
  • 2.1 {(0 < y) ∧ (z * x**y = a**b) ∧ odd(y)} (z := z * x; y := y - 1) {P}
  • 2.2 {(0 < y) ∧ (z * x**y = a**b) ∧ even(y)} (x := x * x; y := y div 2) {P}

18
2.1 Proving {(0 < y) ∧ (z * x**y = a**b) ∧ odd(y)} (z := z * x; y := y - 1) {P}
  • WP((z := z * x; y := y - 1), (0 < y) ∧ (z * x**y = a**b))
  • = WP((z := z * x), (0 < y - 1) ∧ (z * x**(y-1) = a**b))
  • = (1 < y) ∧ (z * x * x**(y-1) = a**b)
  • = (1 < y) ∧ (z * x**y = a**b)
  • Now notice that (0 < y) ∧ odd(y) → (1 < y)
  • Hence we get that
  • (0 < y) ∧ (z * x**y = a**b) ∧ odd(y) → (1 < y) ∧ (z * x**y = a**b)
  • This completes the proof of the if branch!

19
2.2 Proving {(0 < y) ∧ (z * x**y = a**b) ∧ even(y)} (x := x * x; y := y div 2) {P}
  • WP((x := x * x; y := y div 2), (0 < y) ∧ (z * x**y = a**b))
  • = WP((x := x * x), (0 < y div 2) ∧ (z * x**(y div 2) = a**b))
  • = (0 < y div 2) ∧ (z * (x * x)**(y div 2) = a**b)
  • = (0 < y div 2) ∧ (z * x**y = a**b)
  • Notice now that (0 < y) ∧ even(y) → (2 < y) → (0 < y div 2)
  • Hence we have
  • {(0 < y) ∧ (z * x**y = a**b) ∧ even(y)} (x := x * x; y := y div 2) {P}
  • This completes the proof obligation for the else branch!

20
3. Proving (P ∧ (y ≠ 0)) → (y > 0)
  • Notice P is (0 < y) ∧ (z * x**y = a**b)
  • Hence P ∧ (y ≠ 0) → (y > 0)

21
4. Proving Properties of the Counting Function
  • Need to show that y decreases with each iteration
  • If at the beginning of the iteration odd(y), then
  • y := y - 1, hence y decreases
  • If at the beginning of the iteration even(y), then
  • y := y div 2, and y > (y div 2), hence y decreases

22
Summary: Structure of the Completed Proof
  • {Q} S11 {P1}, {P1} S12 {P2}
  • {Q} (S11; S12) {P2}, {P2} S13 {P}
  • {Q} S1 {P}
  • {P ∧ r ∧ r1} S21 {P}, {P ∧ r ∧ ¬r1} S22 {P}
  • {P ∧ r} S2 {P}
  • P ∧ ¬r → R, (iteration decreases y), (P ∧ r → (y > 0))
  • {Q} S {R}
  • (Here S1 = S11; S12; S13 is the initialization, S2 the loop body with branches S21 and S22, r the guard (y ≠ 0) and r1 the test odd(y).)

23
Gries' Guideline for Developing a Loop from a Given Invariant P and Bound Function t
  • Step 1: Develop initialization to validate P
  • Step 2: Develop loop guard B to satisfy (P ∧ ¬B → R)
  • Step 3: Verify (P ∧ B) → (t > 0)
  • Step 4: Develop loop body to progress towards the goal, i.e. find a way to decrease bound function t.
  • Step 5: Modify loop body to make P a loop invariant

24
Properties of WP
  • WP(S, False) = False
  • WP(S, Q) ∧ WP(S, R) = WP(S, Q ∧ R)
  • If Q → R then WP(S, Q) → WP(S, R)
  • For deterministic programs S,
  • WP(S, Q ∨ R) = WP(S, Q) ∨ WP(S, R)
  • WP(skip, R) = R, where skip does nothing.
  • WP(abort, R) = False, where abort never executes.
  • WP(S1; S2, R) = WP(S1, WP(S2, R))
  • WP((S1; S2); S3, R) = WP(S1; (S2; S3), R)