Embed Size (px)
Citation preview
1
Program verification: flowchart programs
(Book: chapter 7)
2
History
Verification of flowchart programs: Floyd, 1967 Hoare’s logic: Hoare, 1969 Linear Temporal Logic: Pnueli, Krueger, 1977 Model Checking: Clarke & Emerson, 1981
3
Program Verification
Predicate (first order) logic. Partial correctness, Total correctness Flowchart programs Invariants, annotated programs Well founded ordering (for
termination) Hoare’s logic
4
Predicate (first order logic)
Variables, functions, predicates
Terms
Formulas (assertions)
5
Signature
Variables: v1, x, y18Each variable represents a value of some given
domain (int, real, string, …). Function symbols: f(_,_), g2(_), h(_,_,_).Each function has an arity (number of
paramenters), a domain for each parameter, and a range.
f:int*int->int (e.g., addition), g:real->real (e.g., square root)
A constant is a predicate with arity 0. Relation symbols: R(_,_), Q(_).Each relation has an arity, and a domain for each
parameter.R : real*real (e.g., greater than).Q : int (e.g., is a prime).
6
Terms
Terms are objects that have values. Each variable is a term. Applying a function with arity n to n
terms results in a new term.Examples: v1, 5.0, f(v1,5.0),
g2(f(v1,5.0))
More familiar notation: sqr(v1+5.0)
7
Formulas
Applying predicates to terms results in a formula.
R(v1,5.0), Q(x)More familiar notation: v1>5.0 One can combine formulas with the
boolean operators (and, or, not, implies).
R(v1,5.0)->Q(x)x>1 -> x*x>x One can apply existentail and universal
quantification to formulas.x Q(X) x1 R(x1,5.0) x y R(x,y)
8
A model, A proofs
A model gives a meaning (semantics) to a first order formula: A relation for each relation symbol. A function for each function symbol. A value for each variable.
An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model.
Example proof rule (MP) :
9
Flowchart programs
Input variables: X=x1,x2,…,xlProgram variables: Y=y1,y2,…,ymOutput variables: Z=z1,z2,…,zn
start
haltY=f(X)
Z=h(X,Y)
10
Assignments and tests
Y=g(X,Y) t(X,Y)FT
11
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
Initial condition
Initial condition: the values for the input variables for which the program must work.
x1>=0 /\ x2>0
FT
12
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
The input-output claim
The relation between the values of the input and the output variables at termination.
x1=z1*x2+z2 /\ 0<=z2<x2
FT
13
Partial correctness, Termination, Total correctness
Partial correctness: if the initial condition holds and the program terminates then the input-output claim holds.
Termination: if the initial condition holds, the program terminates.
Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.
14
Subtle point:
The program ispartially correct
withrespect tox1>=0/\x2>=0and totally correctwith respect tox1>=0/\x2>0
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
T F
15
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
Annotating a scheme
Assign an assertion for each pair of nodes. The assertion expresses the relation between the variable when the program counter is located between these nodes.
A
B
C D
E
FT
16
Invariants Invariants are assertions that hold at each state
throughout the execution of the program. One can attach an assertion to a particular
location in the code:e.g., at(B) (B).This is also an invariant; in other locations, at(B) does not hold hence the implication holds.
If there is an assertion attached to each location, (A), (B), (C), (D), (E), then their disjunction is also an invariant: (A)\/(B)\/(C)\/(D)\/(E)(since location is always at one of these locations).
17
Annotating a scheme with invariants
A): x1>=0 /\ x2>=0B): x1=y1*x2+y2 /\
y2>=0C): x1=y1*x2+y2 /\
y2>=0 /\ y2>=x2D):x1=y1*x2+y2 /\
y2>=0 /\ y2<x2E):x1=z1*x2+z2 /\ 0<=z2<x2Notice: (A) is the initial
condition, Eis the input-output condition.
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
FT
A) Is the precondition of (y1,y2)=(0,x1) and B) is its postcondition
18
Preliminary:Relativizing assertions
(B) : x1= y1 * x2 + y2 /\ y2 >= 0Relativize B) w.r.t. the assignment,
obtaining B) [Y\g(X,Y)]e(B) expressed w.r.t. variables at
A.) (B)A =x1=0 * x2 + x1 /\ x1>=0Think about two sets of variables,
before={x, y, z, …} after={x’,y’,z’…}.
Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after by substitution.
Here: x1’=y1’ * x2’ + y2’ /\ y2’>=0 /\x1’=x1 /\ x2’=x2 /\ y1’=0 /\ y2’=x1now eliminate x1’, x2’, y1’, y2’.
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
19
Preliminary:Relativizing assertions
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
A):
(B)A
(B)
Y=g(X,Y)
Y=g(X,Y)
20
Verification conditions: assignment
A) B)A
where B)A = B)[Y\g(X,Y)]
A): x1>=0 /\ x2>=0B): x1=y1*x2+y2 /\
y2>=0
B)A=x1=0*x2+x1 /\
x1>=0
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
21
(y1,y2)=(y1+1,y2-x2)
Second assignment
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
B): x1=y1*x2+y2 /\ y2>=0
B)C: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
C
B
22
(z1,z2)=(y1,y2)
Third assignment
D):x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
E):x1=z1*x2+z2 /\ 0<=z2<x2
E)D:
x1=y1*x2+y2 /\ 0<=y2<x2
E
D
23
Verification conditions: tests
B) /\ t(X,Y) C)B) /\¬t(X,Y) D)
B): x1=y1*x2+y2 /\y2>=0
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
D):x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
24
Verification conditions: tests
y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
t(X,Y)¬t(X,Y)
B)
C)
25
Partial correctness proof:An induction on length of execution
B)
B)
D)
C)
Initially, states satisfy the initial conditions.
Then, passing from one set of states to another, we preserve the invariants at the appropriate location.
We prove: starting with a state satisfying the initial conditions, if are at a point in the execution, the invariant there holds.
Not a proof of termination!
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
A)
no
no
yes
yes
T F
26
Exercise: prove partial correctness
Initial condition: x>=0
Input-output claim:
z=x!
start
halt
(y1,y2)=(0,1)
y1=x
(y1,y2)=(y1+1,(y1+1)*y2) z=y2
TF
27
What have we achieved?
For each statement S that appears between points X and Y we showed that if the control is in X when (X) holds (the precondition of S) and S is executed, then (Y) (the postcondition of S) holds.
Initially, we know that (A) holds. The above two conditions can be combined into
an induction on the number of statements that were executed: If after n steps we are at point X, then (X)
holds.
28
Another example
(A) : x>=0
(F) : z^2<=x<(z+1)^2
z is the biggest numberthat is not greaterthan sqrt x.
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
29
Some insight
1+3+5+…+(2n+1)=(n+1)^2
y2 accumulates theabove sum, untilit is bigger than x.
y3 ranges over oddnumbers 1,3,5,…
y1 is n-1.
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
30
Invariants
It is sufficient to have one invariant for every loop(cycle in the program’sgraph).
We will have(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
31
Obtaining (B)
By backwards substitution in (C).
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
32
Check assignment condition
(A)=x>=0(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1(B) relativized is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1Simplified: x>=0
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
33
Obtaining (D)
By backwards substitution in
(B).
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
34
Checking
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(C)/\y2<=x) (D)
(D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
35
y1^2<=x /\
y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\
y2+y3+2=(y1+2)^2 /\
y3+2=2*(y1+1)+1y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2
/\ y3+2=2*(y1+1)+1
y1^2<=x /\
y2=(y1+1)^2 /\
y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\
y2+y3+2=(y1+2)^2 /\
y3+2=2*(y1+1)+1
36
Not finished!
Still needs to:
Calculate (E) bysubstituting backwardsfrom (F).
Check that(C)/\y2>x(E)
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
37
Exercise: prove partial correctness. Initially: x1>0/\x2>0. At termination: z1=gcd(x1,x2).
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
38
Annotation of program with invariants
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
z1=gcd(x1,x2)
x1>0 /\ x2>0
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1y2
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1<y2
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1>y2
y1=gcd(x1,x2)
A
B
D
EF
G
H
39
Part 1
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(A)= x1>0 /\ x2>0
(B)=gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0 A
B
D
EF
G
H
(B)’rel= gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0 (A)
(B)’rel
40
Part 2a
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(B)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
(D)=gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1y2 A
B
D
EF
G
H
(B)/\¬(y1=y2) (D)
41
Part 2b
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(G)= y1=gcd(x1,x2)
A
B
D
EF
G
H
(B)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
(B)/\(y1=y2) (G)
42
Part 3
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(D)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1y2
(E)=gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1<y2
(F)=(gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1>y2
A
B
D
EF
G
H
(D)/\(y1>y2) (F)
(D)/\¬(y1>y2) (E)
43
Part 4
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
x1>0 /\ x2>0
(B)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
(E)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1<y2
(F)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1>y2
A
B
D
EF
G
H
(B)’rel1=gcd(y1,y2-y1)=gcd(x1,x2)/\y1>0/\y2-y1>0(B)’rel2=gcd(y1-y2,y2)=gcd(x1,x2)/\y1-y2>0/\y2>0
(E) (B)’rel1 (F) (B)’rel2
44
Annotation of program with invariants
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(H)= z1=gcd(x1,x2)
(G)= y1=gcd(x1,x2)
A
B
D
EF
G
H
(H)’rel= y1=gcd(x1,x2)
(G) (H)’rel2
45
Proving termination
46
Well-founded sets
Partially ordered set (W,<): If a<b and b<c then a<c (transitivity). If a<b then not b<a (asymmetry). Not a<a (irreflexivity).
Well-founded set (W,<): Partially ordered. No infinite decreasing chain a1>a2>a3>…
47
Examples for well founded sets Natural numbers with the bigger than
relation. Finite sets with the set inclusion relation. Strings with the substring relation. Tuples with alphabetic order:
(a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2].
(a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].
48
Why does the program terminate
y2 starts as x1. Each time the loop is
executed, y2 is decremented.
y2 is natural number The loop cannot be
entered again when y2<x2.
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
49
Proving termination
Choose a well-founded set (W,<). Attach a function u(N) to each
point N. Annotate the flowchart with
invariants, and prove their consistency conditions.
Prove that (N) (u(N) in W).
50
How not to stay in a loop?
Show that u(M)>=u(N)’rel.
At least once in each loop, show that u(M)>u(N).
S
M
N
TN
M
51
How not to stay in a loop?
For stmt: (M)(u(M)>=u(N)’rel)
Relativize since we need to compare values not syntactic expressions.
For test (true side):((M)/\test)(u(M)>=u(N))
For test (false side):((M)/\
¬test)(u(M)>=u(L))
stmt
M
N
test
N
M
true
L
false
52
What did we achieve?
There are finitely many control points. The value of the function u cannot
increase. If we return to the same control point,
the value of u must decrease (its a loop!).
The value of u can decrease only a finite number of times.
53
Why does the program terminate
u(A)=x1u(B)=y2u(C)=y2u(D)=y2u(E)=z2
W: naturals> : greater than
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
54
Recall partial correctness annotation
A): x1>=0 /\ x2>=0B): x1=y1*x2+y2 /\
y2>=0C): x1=y1*x2+y2 /\
y2>=0 /\ y2>=x2D):x1=y1*x2+y2 /\
y2>=0 /\ y2<x2E):x1=z1*x2+z2 /\ 0<=z2<x2
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
falsetrue
55
Strengthen for termination
A): x1>=0 /\ x2>0B): x1=y1*x2+y2 /\
y2>=0/\x2>0C): x1=y1*x2+y2 /\
y2>=0/\y2>=x2/\x2>0D):x1=y1*x2+y2 /\
y2>=0 /\ y2<x2/\x2>0E):x1=z1*x2+z2 /\ 0<=z2<x2
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
falsetrue
56
Strengthen for termination
A): x1>=0 /\ x2>0 u(A)>=0B): x1=y1*x2+y2 /\ y2>=0/\
x2>0u(B)>=0C): x1=y1*x2+y2 /\y2>=0
/\y2>=x2/\x2>0u(c)>=0D):x1=y1*x2+y2 /\ y2>=0 /\
y2<x2/\x2>0u(D)>=0E):x1=z1*x2+z2 /\ 0<=z2<x2u(E)>=0This proves that u(M) is natural for
each point M.
u(A)=x1u(B)=y2u(C)=y2u(D)=y2u(E)=z2
57
We shall show:
u(A)=x1u(B)=y2u(C)=y2u(D)=y2u(E)=z2A)u(A)>=u(B)’relB)u(B)>=u(C)C)u(C)>u(B)’relB)u(B)>=u(D)D)u(D)>=u(E)’re
l
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
58
Proving decrement
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2/\x2>0
u(C)=y2u(B)=y2u(B)’rel=y2-x2
C) y2>y2-x2(notice that C) x2>0)
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
59
Integer square prog.
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\y3=2*y1+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
60
u(A)=x+1u(B)=x-y2+1u(C)=max(0,x-y2+1)u(D)=x-y2+1u(E)=u(F)=0u(A)>=u(B)’relu(B)>u(C)’relu(C)>=u(D)u(C)>=u(E)u(D)>=u(B)’relNeed some invariants,i.e., y2<=x/\y3>0at points B and D,and y3>0 at point C.
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
61
Program VerificationUsing Hoare’s Logic
Hoare triple is of the form{Precondition} Prog-segment {Postcondition}
It expresses partial correctness: if the segment starts with a state satisfying the precondition and it terminates, the final state satisfies the postscondition.
The idea is that one can decompose the proof of the program into smaller and smaller segments, depending on its structure.
62
While programs
Assignments y:=e Composition S1; S2 If-then-else if t then S1 else S2 fi While while e do S od
63
Greatest common divisor
{x1>0/\x2>0}y1:=x1;y2:=x2;while ¬(y1=y2) do if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fiod{y1=gcd(x1,x2)}
64
Why it works?
Suppose that y1,y2 are both positive integers. If y1>y2 then gcd(y1,y2)=gcd(y1-y2,y2) If y2>y1 then gcd(y1,y2)=gcd(y1,y2-y1) If y1=y2 then gcd(y1,y2)=y1=y2
65
Assignment axiom
{p[e/y] } y:=e {p}
For example:{y+5=10} y:=y+5 {y=10}{y+y<z} x:=y {x+y<z}{2*(y+5)>20} y:=2*(y+5) {y>20}Justification: write p with y’ instead of y,
and add the conjunct y’=e. Next, eliminate y’ by replacing y’ by e.
66
Why axiom works backwards?
{p} y:=t {?}Strategy: write p and the conjunct y=t, where
y’ replaces y in both p and t. Eliminate y’.This y’ represents value of y before the
assignment.{y>5} y:=2*(y+5) {? } {p} y:=t { y’ (p[y’/y] /\ t[y’/y]=y) }y’>5 /\ y=2*(y’+5) y>20
67
Composition rule
{p} S1 {r }, {r} S2 {q }
{p} S1;S2 {q}For example: if the antecedents are1. {x+1=y+2} x:=x+1 {x=y+2}2. {x=y+2} y:=y+2 {x=y}Then the consequent is {x+1=y+2} x:=x+1; y:=y+2 {x=y}
68
More examples
{p} S1 {r}, {r} S2 {q} {p} S1;S2 {q}{x1>0/\x2>0} y1:=x1
{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}
{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} y2:=x2
___{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}____
{x1>0/\x2>0} y1:=x1 ; y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}
69
If-then-else rule
{p/\t} S1 {q}, {p/\¬t} S2 {q}
{p} if t then S1 else S2 fi {q}For example: p is gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\¬(y1=y2)t is y1>y2S1 is y1:=y1-y2S2 is y2:=y2-y1q is gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
70
While rule
{p/\t} S {p} {p} while t do S od {p/\¬t}Example:p is {gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0}t is ¬ (y1=y2)S is if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi
71
Consequence rules
Strengthen a precondition rp, {p } S {q } {r } S {q } Weaken a postcondition {p } S {q }, qr {p } S {r }
72
Use of first consequence rule
Want to prove{x1>0/\x2>0} y1:=x1
{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}By assignment rule:{gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0}
y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}
x1>0/\x2>0 gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0
73
Combining program
{x1>0 /\ x2>0} y1:=x1; y2:=x1;{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0} while S do if e then S1 else S2 fi od{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\
y1=y2}Combine the above using concatenation
rule!
74
Not completely finished
{x1>0/\x2>0} y1:=x1; y2:=x1; while ¬(y1=y2) do if e then S1 else S2 fi od{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\
y1=y2}But we wanted to prove:{x1>0/\x1>0} Prog {y1=gcd(x1,x2)}
75
Use of second consequence rule
{x1>0/\x2>0} Prog{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\
y1=y2}And the implicationgcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2 y1=gcd(x1,x2)Thus,{x1>0/\x2>0} Prog {y1=gcd(x1,x2)}
76
Annotating a while program
{x1>0/\x2>0}y1:=x1; {gcd(x1,x2)=gcd(y1,x2
) /\y1>0/\x2>0}y2:=x2; {gcd(x1,x2)=gcd(y1,y2
) /\y1>0/\y2>0}
while ¬(y1=y2) do{gcd(x1,x2)=gcd(y1,y2)/\
y1>0/\y2>0/\¬(y1=y2)}
if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fiod{y1=gcd(x1,x2)}
77
While rule
{p/\e} S {p} {p} while e do S od {p/\¬e}
78
Consequence rules
Strengthen a precondition rp, {p} S {q} {r} S {q} Weaken a postcondition {p} S {q}, qr {p} S {r}
79
Soundness
Hoare logic is sound in the sense thateverything that can be proved is correct!
This follows from the fact that each axiomand proof rule preserves soundness.
80
Completeness
A proof system is called complete if every
correct assertion can be proved.
Propositional logic is complete. No deductive system for the
standard arithmetic can be complete (Godel).
81
And for Hoare’s logic?
Let S be a program and p its precondition.
Then {p} S {false} means that S never terminates when started from p. This is undecideable. Thus, Hoare’s logic cannot be complete.
82
Weakest prendition, Strongest postcondition
For an assertion p and code S, let post(p,S) be the strongest assertion such that {p}S{post(p,S) }
That is, if {p}S{q} then post(p,S)q. For an assertion q and code S, let
pre(S,q) be the weakest assertion such that {pre(S,q)}S{q}
That is, if {p}S{q} then ppre(S,q).
83
Relative completeness
Suppose that either post(p,S) exists for each p, S, or pre(S,q) exists for each S, q.
Some oracle decides on pure implications.Then each correct Hoare triple can be proved.What does that mean? The weakness of theproof system stem from the weakness of the
(FO) logic, not of Hoare’s proof system.
84
Extensions
Many extensions for Hoare’s proof rules:
Total correctness Arrays Subroutines Concurrent programs Fairness
85
Proof rule for total correctnessSimilar idea to Floyd’s termination: Well foundedness
{p/\t/\f=z} S {p/\f<z}, p(f>=0) {p} while t do S od {p/\¬t}
wherez - an int. variable, not appearing in
p,t,e,S.f - an int. expression.
![Foreign Supplier Verification Programs [FSVP]](https://img.pdfslide.us/doc/110x75/589de0f81a28ab77148b6267/foreign-supplier-verification-programs-fsvp.jpg)
