Prepared by: Sharif Omar Salem – [email protected]

#5 formal methods – hoare logic


Page 1: #5 formal methods – hoare logic


Formal Methods: Hoare Logic – Proof of correctness

Page 2: #5 formal methods – hoare logic


Proof of Correctness

Program verification attempts to ensure that a computer program is correct, and a program is correct if it behaves in accordance with its specifications.

This does not necessarily mean that the program solves the problem that it was intended to solve; the program’s specifications may be at odds with or not address all aspects of a client’s requirements.

Program validation attempts to ensure that the program indeed meets the client’s original requirements.

Program testing seeks to show that particular input values produce acceptable output values.

Proof of correctness uses the techniques of a formal logic system to prove that if the input variables satisfy certain specified predicates or properties, the output variables produced by executing the program satisfy other specified properties.

Page 3: #5 formal methods – hoare logic


Assertions

What is an assertion in computer programming? An assertion is a predicate (for example, a true–false statement) placed in a program to indicate that the developer thinks that the predicate is always true at that place.

For example, the code shown on the slide contains two assertions, x > 0 and x > 1, and they are indeed true at the indicated points during execution.

Programmers can use assertions to help specify programs and to reason about program correctness.

For example, a precondition, an assertion placed at the beginning of a section of code, determines the set of states under which the programmer expects the code to execute. A postcondition, placed at the end, describes the expected state at the end of execution.

Page 4: #5 formal methods – hoare logic


Assertions

The previous example uses the notation for including assertions used by C.A.R. Hoare in his 1969 paper.

That notation cannot be used in existing mainstream programming languages. However, programmers can include unchecked assertions using the comment feature of their programming language, for example in the C language or in the Java language (the slide shows a sample of each).

Page 5: #5 formal methods – hoare logic


Hoare Logic

The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form

{Q} P {R}

{Pre-condition} Program {Post-condition}

where Q and R are assertions and P is a command. Q is named the precondition and R the postcondition: when the precondition is met, the command establishes the postcondition. Assertions are formulas in predicate logic.

Hoare logic provides axioms and inference rules for all the constructs of a simple imperative programming language.

In addition to the rules for the simple language in Hoare's original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers.

Page 6: #5 formal methods – hoare logic


Hoare Triple Examples

Page 7: #5 formal methods – hoare logic


Hoare Logic

Let us denote by:

• X an arbitrary collection of input values.
• P the program or program segment.
• Y an arbitrary collection of output values.
• Y = P(X): Y is the result of applying the program P to the inputs X (the notation suggests that the Y values depend on the X values through the actions of program P).
• Q(X): a predicate describing the conditions that the input values are supposed to satisfy. Q is the pre-condition.
• R(X, Y), i.e. R[X, P(X)]: a predicate describing the conditions that the output values are supposed to satisfy. These conditions will often involve the input values. R is the post-condition.

Page 8: #5 formal methods – hoare logic


Hoare Logic

For example, suppose a program is supposed to find the square root of a positive number:

• X: positive numbers (single input is x).
• Q(X): x > 0
• Y: the output result (single output is y), Y = P(X).
• R(X, Y): x = y²

Program P is correct if the following implication is valid:

(∀X)(Q(X) → R[X, P(X)])

For the square root case, it is:

(∀x)(x > 0 → x = [P(x)]²)

Page 9: #5 formal methods – hoare logic


Hoare Logic

A program or program segment is broken down into individual statements s_i, with predicates (conditions) inserted between statements as well as at the beginning and end. These predicates are also called assertions because they assert what is supposed to be true about the program variables at that point in the program.

{Q}
s_0
{R_1}
s_1
{R_2}
...
s_{n-1}
{R}

where Q, R_1, R_2, ..., R_n = R are assertions. The intermediate assertions are often obtained by working backward from the output assertion R.

Page 10: #5 formal methods – hoare logic


Hoare Logic

P is provably correct if each of the following implications holds:

{Q} s_0 {R_1}
{R_1} s_1 {R_2}
{R_2} s_2 {R_3}
...
{R_{n-1}} s_{n-1} {R}

A proof of correctness for P consists of producing this sequence of valid implications.

Some new rules of inference can be used, based on the nature of the program statement s_i.

Page 11: #5 formal methods – hoare logic


Hoare Logic rules

The goal of Hoare logic is to provide a compositional method for proving the validity of Hoare triples. That is, the structure of a program's correctness proof should mirror the structure of the program itself.

Hoare logic is a methodology for asserting the correctness of a program by defining precondition and postcondition predicates that describe the state of the variables before and after executing the program.

Several rules can be used when applying Hoare logic:

• Empty statement axiom schema
• Assignment axiom schema
• Rule of composition
• Conditional rule
• Consequence rule
• Loop rule

Page 12: #5 formal methods – hoare logic


Hoare Logic rules

Empty statement axiom schema

The empty statement rule asserts that the skip statement does not change the state of the program, thus whatever holds true before skip also holds true afterwards.

{Q} Skip {Q}

Page 13: #5 formal methods – hoare logic


Hoare Logic rules

Assignment axiom schema

The program/command part here is an assignment to the variable under assertion.

The assignment axiom states that, after the assignment, any predicate that was previously true for the right-hand side of the assignment now holds for the variable. Example assignments: x := 2, x := x + 1, y := x + 1.

{Q} Assignment {R}

Page 14: #5 formal methods – hoare logic


Hoare Logic rules

{R(x/y)} y := x {R}

This axiom is “backwards”: it allows the precondition to be inferred automatically from the statement and the postcondition.

For example, the Hoare triple {x − 1 > 0} x := x − 1 {x > 0} is valid by the assignment rule. The post-condition is x > 0. Substituting x − 1 for x throughout the post-condition results in x − 1 > 0, or x > 1, which is the pre-condition.

Page 15: #5 formal methods – hoare logic


Hoare Logic rules

Examples: what is the weakest precondition in each case?

• { ? } x := 3 { x + y > 0 }  Answer: y > −3
• { ? } x := y + 7 { x > 42 }  Answer: y > 35
• { ? } x := 3 + y + z { x + y − z > 0 }  Answer: y > −1.5
• { ? } x := 3*y + z { x*y − z > 0 }  Answer: 3*y² + z*y − z > 0

Page 16: #5 formal methods – hoare logic


Hoare Logic rules

Sequence/Composition rule: Hoare's rule of composition applies to sequentially executed programs S and T, where S executes prior to T; the sequence is written S;T.

{Q} S {Z} , {Z} T {R} ⊢ {Q} S;T {R}

Page 17: #5 formal methods – hoare logic


Hoare Logic rules

Example: { ? } x := x + 1; y := x + y { y > 5 }. What is the weakest precondition?

The solution method works backward. First find the weakest precondition for the second part of the sequence:

{ ? } y := x + y { y > 5 }, which gives x + y > 5.

Then continue by finding the weakest precondition for the first part of the sequence, using that result as its postcondition:

{ ? } x := x + 1 { x > 5 − y }, which gives x + 1 > 5 − y, i.e. x + y > 4.

Page 18: #5 formal methods – hoare logic


Hoare Logic rules

Consequence rule

{Q} P {R} , Q1 → Q ⊢ {Q1} P {R}

{Q} P {R} , R1 → R ⊢ {Q} P {R1}

{Q} P {R} , Q1 → Q , R1 → R ⊢ {Q1} P {R1}

Page 19: #5 formal methods – hoare logic


Hoare Logic rules

Conditional rule

A conditional statement is a program statement of the form:

if condition B then
    P1
else
    P2
end if

The Hoare triple is inferred from two other Hoare triples:

{Q ∧ B} P1 {R}   (if B is true)
{Q ∧ ¬B} P2 {R}  (if B is false)

This simply says that each branch of the conditional statement must be proved correct.

{Q ∧ B} P1 {R} , {Q ∧ ¬B} P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}

Page 20: #5 formal methods – hoare logic


Hoare Logic rules

Example: { ? } if x > 0 then y := x else y := −x { y > 5 }. What is the weakest precondition?

Conditional statement 1 (then): {Q1} y := x { y > 5 }, so Q1 = x > 5

Conditional statement 2 (else): {Q2} y := −x { y > 5 }, so Q2 = −x > 5

Q = |x| > 5

Page 21: #5 formal methods – hoare logic


Hoare Logic rules

Example: {a = T ∧ b = 6 ∧ c = 10} x := b {(x = 6 ∧ a = T) ∨ (x = 10 ∧ a = F)} and {a = F ∧ b = 6 ∧ c = 10} x := c {(x = 6 ∧ a = T) ∨ (x = 10 ∧ a = F)}.

After applying the conditional rule:

{b = 6 ∧ c = 10} if (a = T) then x := b else x := c {(x = 6 ∧ a = T) ∨ (x = 10 ∧ a = F)}

{Q ∧ B} P1 {R} , {Q ∧ ¬B} P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}

Page 22: #5 formal methods – hoare logic


Hoare Logic rules

Rule for iteration

Suppose that s_i is a loop statement of the form:

while condition B do
    P
end while

B is the condition of the while loop and P is a program segment/command. The loop rule of inference states that we can infer the following:

{Q ∧ B} P {Q} ⊢ {Q} s_i {Q ∧ ¬B}

The precondition Q holds before the loop is entered and after it terminates. Q represents a predicate, or relation, among the values of the program variables that is unaffected by the action of a loop iteration; it is the loop invariant.

Page 23: #5 formal methods – hoare logic


Hoare Logic rules

Rule for Iteration

• Q is the loop invariant; this is where the main difficulty is!
• This rule can be extended to handle total correctness, where a termination test is added to the post-condition predicate.
• A loop invariant is a relation among program variables that is true when control enters a loop, remains true each time the program executes the body of the loop, and is still true when control exits the loop. Understanding loop invariants can help us analyze programs, check for errors, and derive programs from specifications.

{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q ∧ ¬B}

{Inv ∧ Condition} P {Inv} ⊢ {Inv} while (Condition) [P] {Inv ∧ ¬Condition}

Page 24: #5 formal methods – hoare logic


Hoare Logic rules

Example: while (x < 10) x = x + 1

Start with this: x <= 10 is a useful loop invariant.

{x <= 10} while (x < 10) x = x + 1 {??}

Move inside the test, using {Inv ∧ Condition} P {Inv}:

{x <= 10 ∧ x < 10} x = x + 1 {x <= 10}

Backing out, using {Inv} while (Condition) [P] {Inv ∧ ¬Condition}:

{x <= 10} while (x < 10) x = x + 1 {¬(x < 10) ∧ x <= 10}
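The two halves of the loop rule can be exercised mechanically on this slide's loop. The following is an added example, not code from the lecture: a bounded check that runs the body from sample states to test the premise {Inv ∧ B} P {Inv} and the conclusion {Inv} while (B) [P] {Inv ∧ ¬B} for the slide's invariant x <= 10 and for a wrong candidate, x < 10. The state, predicate and body encodings are my own assumptions.

```python
# Constructed example, not from the lecture: a bounded check of the loop rule
# {Inv ∧ B} P {Inv} ⊢ {Inv} while (B) [P] {Inv ∧ ¬B} on the slide's loop
# "while (x < 10) x = x + 1" with candidate invariant x <= 10.
# States are dicts; predicates and the loop body are plain Python functions.

def run_loop(cond, body, state, fuel=10_000):
    """Execute `while cond(state): state = body(state)` with a step budget.
    Returns (final_state, terminated); the budget stands in for a termination
    argument, which partial correctness alone does not give."""
    for _ in range(fuel):
        if not cond(state):
            return state, True
        state = body(state)
    return state, False

def invariant_preserved(inv, cond, body, states):
    """Premise {Inv ∧ B} P {Inv}: every sampled state satisfying Inv and B
    still satisfies Inv after one execution of the body P."""
    return all(inv(body(dict(s))) for s in states if inv(s) and cond(s))

def loop_postcondition_holds(inv, cond, body, states):
    """Conclusion {Inv} while (B) [P] {Inv ∧ ¬B}: from every sampled Inv-state
    the loop terminates in a state satisfying Inv and not B."""
    for s in states:
        if not inv(s):
            continue
        final, done = run_loop(cond, body, dict(s))
        if not (done and inv(final) and not cond(final)):
            return False
    return True

# The lecture's loop: while (x < 10) x = x + 1
COND = lambda s: s["x"] < 10
BODY = lambda s: {"x": s["x"] + 1}
# Constructed sample of start states around the loop bound.
STATES = [{"x": v} for v in range(-5, 16)]

GOOD_INV = lambda s: s["x"] <= 10   # the slide's invariant
BAD_INV = lambda s: s["x"] < 10     # a tempting but wrong candidate

def check(inv):
    """Return (premise_holds, conclusion_holds) for a candidate invariant."""
    return (invariant_preserved(inv, COND, BODY, STATES),
            loop_postcondition_holds(inv, COND, BODY, STATES))

if __name__ == "__main__":
    print("x <= 10:", check(GOOD_INV))   # (True, True)
    print("x < 10: ", check(BAD_INV))    # (False, False): x = 9 steps to 10
```

The wrong candidate fails the premise at x = 9, whose successor 10 no longer satisfies x < 10, so nothing can be concluded about the loop's exit state from it.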

Page 25: #5 formal methods – hoare logic


Hoare Logic rules

Page 26: #5 formal methods – hoare logic


Hoare Triple rules

• Empty statement rule: {Q} Skip {Q}
• Assignment rule: {Q} Assignment {R}
• Composition rule: {Q} S {Z} , {Z} T {R} ⊢ {Q} S;T {R}
• Consequence rule: {Q} P {R} , Q1 → Q , R1 → R ⊢ {Q1} P {R1}
• Conditional rule: {Q ∧ B} P1 {R} , {Q ∧ ¬B} P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}
• Loop rule: {Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q ∧ ¬B}

Page 27: #5 formal methods – hoare logic


Strongest Postconditions

Here are a number of valid Hoare triples for the same command segment:

{x = 5} x := x * 2 { true }
{x = 5} x := x * 2 { x > 0 }
{x = 5} x := x * 2 { (x = 10) ∨ (x = 5) }
{x = 5} x := x * 2 { x = 10 }

All are true, but the most useful one is the one with the most specific condition: x = 10 is the strongest postcondition. Why?

check: x = 10 ⇒ true
check: x = 10 ⇒ x > 0
check: x = 10 ⇒ x = 10 ∨ x = 5
check: x = 10 ⇒ x = 10

If {Q} P {R} and for all R* such that {Q} P {R*}, R ⇒ R*, then R is the strongest postcondition [sp(P,Q)] of P with respect to Q.

Page 28: #5 formal methods – hoare logic


Weakest Preconditions

Here are a number of valid Hoare triples for the same command segment:

{(x = 5) ∧ (y = 10)} z := x / y { z < 1 }
{(x < y) ∧ (y > 0)} z := x / y { z < 1 }
{(y ≠ 0) ∧ (x / y < 1)} z := x / y { z < 1 }

All are true, but the most useful one is the one with the most general condition: (y ≠ 0) ∧ (x / y < 1) is the weakest precondition. Why?

check: (x = 5) ∧ (y = 10) ⇒ (y ≠ 0) ∧ (x / y < 1)
check: (x < y) ∧ (y > 0) ⇒ (y ≠ 0) ∧ (x / y < 1)
check: (y ≠ 0) ∧ (x / y < 1) ⇒ (y ≠ 0) ∧ (x / y < 1)

If {Q} P {R} and for all Q* such that {Q*} P {R}, Q* ⇒ Q, then Q is the weakest precondition [wp(P,R)] of P with respect to R.

Page 29: #5 formal methods – hoare logic


Hoare Triple: wp and sp

{Q} P {R} holds if and only if Q ⇒ wp(P,R). In other words, a Hoare triple is still valid if the precondition is stronger than necessary, but not if it is too weak.

{Q} P {R} holds if and only if sp(P,Q) ⇒ R. A Hoare triple is still valid if the postcondition is weak enough, but not if it is too strong.

In other words, the most useful triple takes the most general condition that still works as the precondition and the most specific condition as the postcondition.
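The "check" lines on the strongest-postcondition and weakest-precondition slides, and the two "if and only if" statements above, can be tested on a finite state space. The following is an added example, not code from the lecture: sp(P,Q) is computed as the set of states reachable from Q-states, wp(P,R) as the set of states from which P lands in R, and triples are checked by execution, for the slides' commands x := x * 2 and z := x / y. The state encoding and the domain bounds are my own assumptions, so these are bounded checks, not proofs.

```python
# Constructed example, not from the lecture: bounded checks of the sp/wp
# orderings on the slides' two commands, x := x * 2 and z := x / y, over a
# small finite domain of states (a sanity check, not a proof).
from itertools import product

DOMAIN = [{"x": x, "y": y} for x, y in product(range(-6, 12), repeat=2)]

def implies_on(p, q, domain=DOMAIN):
    """p ⇒ q holds on every state of the domain."""
    return all(q(s) for s in domain if p(s))

def triple_holds(pre, command, post, domain=DOMAIN):
    """{pre} command {post}: run the command from each pre-state and test post.
    A command that fails (here: division by zero) invalidates the triple."""
    for s in domain:
        if pre(s):
            try:
                if not post(command(dict(s))):
                    return False
            except ArithmeticError:
                return False
    return True

def strongest_post(pre, command, domain=DOMAIN):
    """sp(P, Q) as the set of states actually reachable from Q-states."""
    reach = set()
    for s in domain:
        if pre(s):
            try:
                reach.add(frozenset(command(dict(s)).items()))
            except ArithmeticError:
                pass
    return lambda s: frozenset(s.items()) in reach

def weakest_pre(command, post):
    """wp(P, R): the states from which running P surely ends in an R-state."""
    def wp(s):
        try:
            return post(command(dict(s)))
        except ArithmeticError:
            return False
    return wp

def double_x(s):          # slide 27: x := x * 2
    s["x"] = s["x"] * 2
    return s

def divide(s):            # slide 28: z := x / y
    s["z"] = s["x"] / s["y"]
    return s

SP = strongest_post(lambda s: s["x"] == 5, double_x)      # should be x = 10
WP = weakest_pre(divide, lambda s: s["z"] < 1)            # (y ≠ 0) ∧ (x / y < 1)
```

Dropping y > 0 from the second precondition of slide 28 makes the triple fail, both through y = 0 and through negative pairs such as x = −6, y = −1, which is exactly the "too weak" case.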

Page 30: #5 formal methods – hoare logic


Hoare Triple: wp and sp

Assignment rule conditions: { Q } x := 3 { x + y > 0 }. What is the weakest precondition Q?

If {Q} P {R}, then the weakest precondition wp(P,R) is given by the assignment rule:

wp(X := E, R) = (X := E), R   (R with E substituted for X)
= (x := 3), (x + y > 0)
= 3 + y > 0
= y > −3

Page 31: #5 formal methods – hoare logic


Hoare Triple: wp and sp

Assignment: { Q } x := 3*y + z { x * y − z > 0 }. What is the weakest precondition Q?

If {Q} P {R}, then the weakest precondition wp(P,R) is given by the assignment rule:

wp(X := E, R) = (X := E), R
= (x := 3*y + z), (x * y − z > 0)
= (3*y + z) * y − z > 0
= 3*y² + z*y − z > 0

Page 32: #5 formal methods – hoare logic


Hoare Triple: wp and sp

Sequence: { Q } x := x + 1; y := x + y { y > 5 }. What is the weakest precondition Q?

Sequence rule: wp(S;T, R) = wp(S, wp(T, R))

wp(x := x + 1; y := x + y, y > 5)
= wp(x := x + 1, wp(y := x + y, y > 5))
= wp(x := x + 1, x + y > 5)   since wp(y := x + y, y > 5) = (y := x + y), (y > 5) = x + y > 5
= x + 1 + y > 5
= x + y > 4

Page 33: #5 formal methods – hoare logic


Hoare Triple: wp and sp

Conditional: { Q } if x > 0 then y := x else y := −x { y > 5 }. What is the weakest precondition Q?

Answer:

Case 1 (then): {Q1} y := x { y > 5 }, Q1 = wp(y := x, y > 5) = (y := x), (y > 5) = x > 5

Case 2 (else): {Q2} y := −x { y > 5 }, Q2 = wp(y := −x, y > 5) = (y := −x), (y > 5) = −x > 5

Q = (x > 0 ⇒ x > 5) ∧ (x ≤ 0 ⇒ −x > 5) = |x| > 5

Page 34: #5 formal methods – hoare logic


Conditional: { Q } if x > 0 then y := x else y := −x { y > 5 }. What is the weakest precondition Q?

Conditional rule (B’ denotes ¬B):

wp(if B then P1 else P2, R) = (B ⇒ wp(P1,R)) ∧ (B’ ⇒ wp(P2,R))

wp(if x > 0 then y := x else y := −x, y > 5)
= (x > 0 ⇒ wp(y := x, y > 5)) ∧ (x ≤ 0 ⇒ wp(y := −x, y > 5))
= (x > 0 ⇒ x > 5) ∧ (x ≤ 0 ⇒ −x > 5)
= |x| > 5
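The wp calculations on the assignment, sequence and conditional slides (pages 30 to 34) all follow the same three rules, so they can be mechanised. The following is an added example, not code from the lecture: a small weakest-precondition calculator that encodes statements as tuples (my own representation) and uses Python's ast module for substitution, so wp(x := E, R) is R with E in place of x, sequences are folded from the last statement backwards, and a conditional yields (B ⇒ wp(P1,R)) ∧ (¬B ⇒ wp(P2,R)). Predicates and expressions are written in Python syntax.

```python
import ast
import copy

# Statements: ("skip",), ("assign", var, expr) or ("if", cond, then_stmts,
# else_stmts); a program is a list of statements. Expressions are Python source.

class Subst(ast.NodeTransformer):
    """Replace every occurrence of variable `name` by expression `repl`."""
    def __init__(self, name, repl):
        self.name, self.repl = name, repl

    def visit_Name(self, node):
        # Fresh copy each time so no subtree is shared between positions.
        return copy.deepcopy(self.repl) if node.id == self.name else node

def parse(text):
    return ast.parse(text, mode="eval").body

def implies(a, b):
    """a ⇒ b encoded as (not a) or b."""
    return ast.BoolOp(ast.Or(), [ast.UnaryOp(ast.Not(), a), b])

def wp_stmt(stmt, post):
    kind = stmt[0]
    if kind == "skip":                      # {Q} skip {Q}
        return post
    if kind == "assign":                    # wp(x := E, R) = R[E/x]
        _, var, expr = stmt
        return Subst(var, parse(expr)).visit(post)
    if kind == "if":                        # (B ⇒ wp(P1,R)) ∧ (¬B ⇒ wp(P2,R))
        _, cond, then_prog, else_prog = stmt
        b = parse(cond)
        wp1 = wp_prog(then_prog, copy.deepcopy(post))
        wp2 = wp_prog(else_prog, copy.deepcopy(post))
        not_b = ast.UnaryOp(ast.Not(), copy.deepcopy(b))
        return ast.BoolOp(ast.And(), [implies(b, wp1), implies(not_b, wp2)])
    raise ValueError(f"unknown statement kind {kind!r}")

def wp_prog(program, post):
    # Sequence rule: wp(S;T, R) = wp(S, wp(T, R)), so walk the statements backwards.
    for stmt in reversed(program):
        post = wp_stmt(stmt, post)
    return post

def wp(program, postcondition):
    """Weakest precondition as a Python boolean expression string."""
    return ast.unparse(wp_prog(program, parse(postcondition)))

def holds(formula, **state):
    """Evaluate a predicate string in a concrete state (no builtins exposed)."""
    return bool(eval(formula, {"__builtins__": {}}, state))

if __name__ == "__main__":
    print(wp([("assign", "x", "x + 1"), ("assign", "y", "x + y")], "y > 5"))
    print(wp([("if", "x > 0", [("assign", "y", "x")], [("assign", "y", "-x")])], "y > 5"))
```

The calculator returns the unsimplified formula (for example `x + 1 + y > 5` rather than `x + y > 4`); `holds` lets you confirm on sample states that it agrees with the simplified answer on the slide.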

Page 35: #5 formal methods – hoare logic



End of Lecture

Page 36: #5 formal methods – hoare logic



Next Lecture: Loop proof using the induction method