Embed Size (px)
Citation preview
1
Discrete Structures
Lecture 29
Predicates and Programming
Read Ch. 10.1 - 10.2
2
Edsger Dijkstra
Edsger Dijkstra wrote:
"Programs should be composed correctly, and not just debugged into correctness."
This is an important concept we should strive for.
3
Predicates and Programming
This chapter looks at some applications of predicate logic in computing:
• The formal specification of imperative (procedural) programs
• The proof and development of sequences of assignments.
• Practice formulating English specifications. • Proof of the correctness of conditional
statements. (Iterative statements are covered in chapter 12.)
4
Program Specifications
A state is a set of identifier-value pairs.(x1 = T, x2 = F, x3 = F, …)
Recall the Hoare Triple:
{Q} S {R}
If Q is true before S executes,
then the state R will be true after S executes.
5
Program Specifications
{Q} x:=? {R}• precondition Q: a Boolean expression that
describes the initial states for which execution of the program is being defined.
• a list of variables, x, that may be assigned
• postcondition R: a Boolean expression that characterizes the final states, after execution of the program
6
Final States Are Not Always Unambiguously Determined
{true} x := ? {x2 = 4}
Either x = 2 or x = -2 satisfies this specification.
7
Proofs of {Q} x:= E {R}
(10.2) Assignment IntroductionTo show that
x := E is an implementation of
{Q} X:=? {R}, prove
Q R[x := E].
8
Weakest Precondition
Definition: For any commands (or statements), S, and a predicate, R, we define a predicate wp(S, R),
the weakest precondition of S with respect to R,
to be the set of all states such that,
• if the execution of S begins in any one of the states,
• then the execution of S is guaranteed to terminate in a finite amount of time satisfying R.
{?} x:=E {R}
wp(x:=E, R) = R[x:=E]
9
(10.2) shows us if {Q} x:=E {R}
To show that x:= E
is an implementation of {Q} X:=? {R},
prove Q wp([x := E], R).
In other words, prove:Q R[x := E]
Almost all hints in the following are textual substitution, arithmetic and (3.84a)
10
Practice with wp{Q} x:= E {R}
must prove Q R[x := E]{i = 0} i := i + 1 {i <=1}(i = 0) (i <= 1)[i := i + 1](i = 0) (i+1 <= 1)(i = 0) (i <= 0)
= <remove abbreviation>
(i = 0) (i = 0 V i < 0)= <(3.76a) Weakening/Strengthening p, q := (i=0), (i<0) >
true
11
Just weakest precondition
{wp?} i := i + 1 {i > 0}
(i > 0)[i := i + 1]
i+1 > 0
{i >= 0} is the weakest precondition
12
Just wp
{wp?} x := 5 {x = 5}
{x = 5}[x := 5]
{5 = 5}
{true} -- the set of all states
{wp?} x := 5 {x <> 5}
{x <> 5}[x := 5]
{5 <> 5}
{false} -- the set of NO states
13
more assignment statement wp
{wp?} x := x * x {x4 = 10}
{x4 = 10}[x := x * x]
{(x*x)4 = 10}
{x8 = 10}
{x = +/- 1.231144413}
14
wp
{wp?} x :=(x-y)*(x+y) {x + y2 <> 0}
{x + y2 <> 0}[x := (x-y) * (x+y)]
{ (x - y) * (x + y) + y2 <> 0}
{x2 + xy -xy - y2 + y2 <> 0}
{x2 <> 0}
{x <> 0}
15
wp with multiple assignment
{wp?} x,y := x-y, x+y {x + y = C}
{x + y = C}[x,y := x-y, x+y]replace x with x - y and y with x + y
{ x - y + x + y = C}
{x + x = C}
{2x = C}
16
Properties of WP
Law of Excluded Miracle: wp(S,F) = F
If execution begins in w, where w wp(S, F),
S is executed and the result is False, which is ø, i.e. no states,
therefore there is no state in wp(S, F) (because such a state would make the postcondition true).
17
Properties of WP
Distributivity of Conjunction:
wp(S,Q) wp(S,R) = wp(S, Q R)Let w wp(S, Q) wp(S, R), thus w wp(S, Q) and w wp(S, R).If execution begins in w, S is executed and the result is Q is true and R is true, thus Q R is true. Therefore w wp(S, Q R).
Let w wp(S, Q R)If execution begins in w, S is executed and the result is Q R is true, thus Q is true and R is true.Therefore Q is true, w wp(S, Q) and R is true, w wp(S, R)Therefore w wp(S, Q) wp(S, R).
18
Properties of WP
Law of Monotonicity: if Q R then wp(S,Q) wp(S,R)
Assume w wp(S,Q)If execution begins in w, S is executed and the result is Q is true. Since Q R is true, R is also true. Therefore w wp(S,R).
