lecture8-cont.pdf

8/13/2019 lecture8-cont.pdf

http://slidepdf.com/reader/full/lecture8-contpdf 1/23

Lecture #8 : Proof Rules for Partial Correctness (cont.)

Topics

Floyd-Hoare Logic for proving Partial Correctness

1) Rule for Precondition Strengthening

2) Rule for Postcondition Weakening

3) Rule for Sequential commands

4) The Block Rule

5) The conditional Rule

6) The while Rule

- Invariant

7) Finding Invaiants





3

Example

• From

• |- (X=n) → (X+1= n+1)

• trivial arithmetical fact

• |- {X + 1 = n + 1} X :=X+1 {X = n + 1}

• instance of the assignment axiom

• It follow by precondition strengthening that

|- {X = n} X := X+1 {X = n+1}

• n is an auxiliary (or ghost ) variable



4

Example

• From

• |- T → (E=E)

• |- {E=E} X := E {X =E}

• It follows that

|- {T} X :=E {X =E}

• as long as X is not in E (why ?)



5

Postcondition weakening

• Just as the previous rule as allows the precondition of a partial

correctness specification to be strengthened, the following one allows us

to weaken the postcondition.

• The postcondition can be weakened since if Q’ holds in the final state,

Q also holds.

Postcondition weakening

|- {P} C {Q’} and |- Q’ → Q

--------------------------------------

|- {P} C {Q}



6

An Example Formal Proof

• Here is a little formal proof

1. |- {R=X ∧ 0=0} Q:=0 {R=X ∧ Q=0} By the assignment axiom

2. |- R=X → ( R=X ∧ 0=0 ) By pure logic

3. |- {R=X} Q:=0 {R=X ∧ Q=0} By precondition strengthening

4. |- (R=X ∧ Q=0) → R=X+(Y × Q) By the laws of arithmetic

5. |- {R=X} Q:=0 {R=X+(Y × Q)} By postcondition weakening

• The rules precondition strengthening and postcondition weakening are

sometimes called the rules of consequence.



7

Sequences

• Syntax: C 1 ; . . . ; C n

• Semantics: the commands C 1 ; . . . ; C n are executed in that order

• Example: R:=X; X:=Y; Y:=R

• the values of X and Y are swapped using R as a temporary variable

• this command has the side effect of changing the value of variable R

to the old value of variable X



8

The sequencing rule

• The next rule enables a partial correctness specification for a sequence

C 1; C 2 to be derived from specification for C 1 and C 2

The sequencing rule

|- {P} C 1 {Q} and |- {Q} C 2 {R}

--------------------------------------------

|- {P} C 1;C 2 {R}



9

Example Proof

Example: By the assignment axiom:

(i) |- {X=x ∧Y=y} R:=X {R=x ∧ Y=y}

(ii) |- {R=x ∧ Y=y} X:=Y {R=x ∧ X=y}

(iii) |- {R=x ∧ X=y} Y:=R {Y=x ∧ X=y}

Hence by (i), (ii) and the sequencing rule

(iv) |- {X=x ∧ Y=y} R:=X; X:=Y {R=x ∧ X=y}

Hence by (iv) and (iii) and the sequencing rule

(v) |- {X=x ∧ Y=y} R:=X; X:=Y; Y:=R {Y=x ∧ X=y}



10

Blocks

• Syntax: BEGIN VAR V 1 ; … VAR V n; C END

• Semantics: the command C is executed, and then the values of V 1 , … ,V n

are restored to the values they had before the block was entered

• the initial value of V 1 , … ,V n inside the block are unspecified

• Example: BEGIN VAR R; R:=X; X:=Y; Y:=R END

• the value of X and Y are swapped using R as a temporary variable

• this command does not have a side effect on the variable R





12

The Side Condition

• The syntactic condition that none of the variables V 1 , … ,V n occur in P

or Q is an example of a side condition

• without this condition the rule is invalid, as illustrated in the example

below

• From

• |- {X=x ∧Y=y} R:=X; X:=Y; Y:=R {Y=x ∧ X=y}

• it follows by the block rule that

|- {X=x ∧Y=y}

BEGIN VAR R; R:=X; X:=Y; Y:=R END

{Y=x ∧ X=y}

• since R does not occur in X=x ∧Y=y or X=y ∧ Y=x

• However from

• |- {X=x ∧Y=y} R:=X; X:=Y; {R=x ∧ X=y}

• one cannot deduce

|- {X=x ∧Y=y}

BEGIN VAR R; R:=X; X:=Y END

{R=x ∧ X=y}

• since R occurs in R=x ∧ X=y



13

Exercises

• Is the following true?

|- {X=x ∧Y=y} X:=X+Y; Y:=X-Y; X:=X-Y {Y=x ∧ X=y}

• if so prove it

• if not, give the circumstances when it fails



14

Two-armed conditionals

• Syntax: IF S THEN C 1 ELSE C 2

• Semantics:

• if the statement S is true in the current state, then C 1 is executed

• if S is false, then C 2 is executed

• Example IF X<Y THEN MAX:=Y ELSE MAX:=X

• the value of the variable MAX it set to the maximum of the values of

X and Y

• One-armed conditional is defined by:

IF S THEN C ≡ IF S THEN C ELSE SKIP





16

WHILE-commands

• Syntax: WHILE S DO C

• Semantics:

• if the statement S is true in the current state, then C is executed and

the WHILE-command is repeated

• if S is false, then nothing is done

• thus C is repeatedly executed until the value of S becomes false

• if S never becomes false, then the execution of the command never

terminates

• Example: WHILE ¬ (X=0) DO X:=X-2

• if the value of X is non-zero, then its value is decreased by 2 and then

process is repeated

• This WHILE-command will terminate (with X having value 0) if the

value of X is an even non-negative number

• in all other states it will not terminate (eg. X is negative or zero)



17

Invariants

• There are two kinds of properties that can be reasoned about for the

WHILE command, namely variant and invariant .

• Variant is the property that is changed by the while command whereas

the invariant is the property that is not changed by the while command.

• The variant is the test condition which must be false after a WHILE-

command has terminated.

• otherwise, it wouldn’t have terminated

• Suppose |- {P ∧ S} C {P}

• Then P is an invariant of C whenever S holds

• The WHILE-rule says that

• if P is an invariant of the body of a WHILE-command whenever the

test condition holds

• then P is an invariant of the whole WHILE-command

• In other words

• if executing C once preserves the truth of P

• then executing C any number of times also preserves the truth of P

• Invariant is not straightforward to see.

• One must examine closely.



18

The WHILE-Rule

• It is easy to show

|- {X= R+(Y × Q) ∧ Y ≤ R}

BEGIN R:=R-Y; Q:=Q+1 END

{ X= R+(Y × Q) }

• Hence by the WHILE-rule with P = ‘X= R+(Y × Q)’

|- {X= R+(Y × Q)}

WHILE Y ≤ R DO


{X= R+(Y × Q) ∧ ¬ (Y ≤ R)}

The WHILE-rule

|- {P ∧ S} C {P}

--------------------------------------------

|- {P} WHILE S DO C {P ∧ ¬ S}



19

Example

• From the previous slide

|- {X= R+(Y × Q)}

WHILE Y ≤ R DO


{ X= R+(Y × Q) ∧ ¬ (Y ≤ R)}

• It is easy to deduce that

|- {T} R:=X; Q:=0 {X= R+(Y × Q)}

• Hence by the sequencing rule and postcondition weakening

|- {T}

R:=X;

Q:=0 WHILE Y ≤ R DO


{R<Y ∧ X= R+(Y × Q)}



20

Overview

• We have given

• a notation for specifying what a program does

• a way of proving that it meets its specification

• We will now look at ways of finding proofs and organizing them:

• finding invariants

• derived rules

• backwards proofs

• annotating programs prior to proof



21

How do you find an invariant?

• Look at the facts:

• it must hold initially

• with the negated test, it must establish the result

• the body must leave it unchanged

• Think about how the loop works (ie. the repetition of body C )

• the invariant says that what has been done so far together with what

remains to be done gives the desired result of the loop.

• This is the guideline for finding an invariant.

The WHILE-rule

|- {P ∧ S} C {P}

-----------------------------------------

|- {P} WHILE S DO C {P ∧ ¬ S}



22

Example

• Consider a factorial program

{X=n ∧ Y=1}

WHILE X ≠ 0 DO

BEGIN Y:=Y × X; X:=X-1 END

{X=0 ∧ Y=n!}

• Look at the Facts

• finally X=0 and Y=n!

• initially X=n and Y=1

• on each loop Y is increased and, X is decreased

• Eg. Y = X × (X-1) × (X-2) × (X-3) × …× 1

• Think how the loop works

• Y holds the result so far

• X! is what remains to be computed

• n! is the desired result

• The invariant is X! × Y = n!



(Y = X!) ∧ (X ≤ N)

Related example

{X=0 ∧ Y=1}

WHILE X<N DO

BEGIN X:=X+1; Y:=Y × X END

{Y=N!}

• Look at the Facts

• finally X=N and Y=N!

• initially X=0 and Y=1

• on each iteration both X and Y increase

• Eg. Y = 1 × 2 × … × (X-2) × (X-1)× X

• Thus, what has been done so far is Y = X!

• The desired result is Y = N!

• Ah Ha!: invariant needed:

• At the end, ¬ (X < N) → (X = N) holds.

• Thus, (Y = X! ∧ X = N ) → Y = N!

• Then the desired result Y = N! can be obtained from the invariant at the

end of the loop.

Documents

lecture8-cont.pdf