Prepared by: Sharif Omar Salem – [email protected]
Formal Methods: Hoare Logic – Proof of correctness
Proof of Correctness
Program verification attempts to ensure that a computer program is correct; a program is correct if it behaves in accordance with its specifications.
This does not necessarily mean that the program solves the problem that it was intended to solve; the program’s specifications may be at odds with or not address all aspects of a client’s requirements.
Program validation attempts to ensure that the program indeed meets the client’s original requirements.
Program testing seeks to show that particular input values produce acceptable output values.
Proof of correctness uses the techniques of a formal logic system to prove that if the input variables satisfy certain specified predicates or properties, the output variables produced by executing the program satisfy other specified properties.
Assertions
What is an assertion in computer programming? An assertion is a predicate (for example a true–false statement) placed in a program to indicate that the developer thinks that the predicate is always true at that place.
For example, the code shown in the lecture contains two assertions, x > 0 and x > 1, and they are indeed true at the indicated points during execution.
Programmers can use assertions to help specify programs and to reason about program correctness.
For example, a precondition — an assertion placed at the beginning of a section of code — determines the set of states under which the programmer expects the code to execute. A postcondition — placed at the end — describes the expected state at the end of execution.
Assertions
The previous example uses the notation for including assertions used by C.A.R. Hoare in his 1969 paper.
That notation cannot be used in existing mainstream programming languages. However, programmers can include unchecked assertions using the comment feature of their programming language, for example in the C language and in the Java language.
Hoare Logic
The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form
{Q} P {R}    i.e. {Pre-condition} Program {Post-condition}
where Q and R are assertions and P is a command. Q is named the precondition and R the postcondition: when the precondition is met, the command establishes the postcondition. Assertions are formulas in predicate logic.
Hoare logic provides axioms and inference rules for all the constructs of a simple imperative programming language.
In addition to the rules for the simple language in Hoare's original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers.
Hoare Triple Examples
Hoare Logic
Let us denote by:
X an arbitrary collection of input values.
P the program or program segment.
Y an arbitrary collection of output values.
Y = P(X): Y is the result of applying the program P to the inputs X (the notation suggests that the Y values depend on the X values through the actions of program P).
Q(X): a predicate describing conditions that the input values are supposed to satisfy. Q is the pre-condition.
R(X, Y) = R[X, P(X)]: a predicate describing conditions that the output values are supposed to satisfy. These conditions will often involve the input values. R is the post-condition.
Hoare Logic
For example, suppose a program is supposed to find the square root of a positive number.
X: positive numbers (single input is x).
Q(X): x > 0
Y: the output result (single output is y = P(x)).
R(X, Y): x = y²
Program P is correct if the following implication is valid: (∀X)(Q(X) ⇒ R[X, P(X)])
For the square root case, it is: (∀x)(x > 0 ⇒ x = [P(x)]²)
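The implication (∀x)(Q(x) ⇒ R(x, P(x))) can be checked mechanically on a finite set of inputs. The following is an added example, not code from the lecture: it assumes P is the integer square root (math.isqrt) and checks the lecture's Q and R on a constructed input range. Because P only returns exact roots for perfect squares, the check finds counterexamples under Q(x): x > 0; strengthening the precondition to "x is a positive perfect square" (a constructed predicate, Q_strong) makes the implication hold. In the terms of the slides above, this is program testing of the specification, not a proof: an empty counterexample list only says the implication holds on the inputs tried.

```python
import math

# Added example, not lecture code.  P, Q and R follow the square-root
# specification on the slide; the choice of integer square root for P and
# the input range are assumptions made here.


def P(x: int) -> int:
    """The program under verification: integer square root (assumption)."""
    return math.isqrt(x)


def Q(x: int) -> bool:
    """Precondition from the lecture: x > 0."""
    return x > 0


def R(x: int, y: int) -> bool:
    """Postcondition from the lecture: x = y^2."""
    return x == y * y


def Q_strong(x: int) -> bool:
    """Strengthened precondition (constructed): x is a positive perfect square."""
    return x > 0 and math.isqrt(x) ** 2 == x


def counterexamples(pre, post, prog, domain):
    """Inputs in `domain` that satisfy `pre` but for which `post` fails after
    running `prog`.  An empty list means (forall x in domain)(pre(x) => post(x, prog(x)))
    holds on the inputs tried; this is a bounded check, not a proof."""
    return [x for x in domain if pre(x) and not post(x, prog(x))]


if __name__ == "__main__":
    domain = range(0, 50)   # constructed input range
    print("counterexamples under Q:", counterexamples(Q, R, P, domain))
    print("counterexamples under Q_strong:", counterexamples(Q_strong, R, P, domain))
```

Running the block prints the non-square inputs (2, 3, 5, 6, ...) as counterexamples under Q and an empty list under Q_strong, which is exactly the validation question from the first slide: the program meets a specification, but is that specification the one the client needed?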
Hoare Logic
A program or program segment is broken down into individual statements s_i, with predicates (conditions) inserted between statements as well as at the beginning and end.
These predicates are also called assertions because they assert what is supposed to be true about the program variables at that point in the program.
{Q} s0 {R1} s1 {R2} ... s_{n-1} {R}
where Q, R1, R2, ..., Rn = R are assertions. The intermediate assertions are often obtained by working backward from the output assertion R.
Hoare Logic
P is provably correct if each of the following implications holds:
{Q} s0 {R1}
{R1} s1 {R2}
{R2} s2 {R3}
...
{R_{n-1}} s_{n-1} {R}
A proof of correctness for P consists of producing this sequence of valid implications.
Some new rules of inference can be used, based on the nature of the program statement s_i.
Hoare Logic rules
The goal of Hoare logic is to provide a compositional method for proving the validity of Hoare triples. That is, the structure of a program's correctness proof should mirror the structure of the program itself.
Hoare logic is a methodology for asserting the correctness of a program by defining precondition and postcondition predicates that describe the state of the variables before and after executing the program.
Several rules are used when applying Hoare logic:
Empty statement axiom schema
Assignment axiom schema
Rule of composition
Conditional rule
Consequence rule
Loop rule
Hoare Logic rules
Empty statement axiom schema
The empty statement rule asserts that the skip statement does not change the state of the program, thus whatever holds true before skip also holds true afterwards.
{Q} Skip {Q}
Hoare Logic rules
Assignment axiom schema
The program/command part here is an assignment to the variable under assertion, for example x := 2, x := x + 1 or y := x + 1.
The assignment axiom states that after the assignment any predicate that was previously true for the right-hand side of the assignment now holds for the variable:
{Q} Assignment {R}
Hoare Logic rules
{R(x/y)} y := x {R}
This axiom is "backwards": it allows the precondition to be inferred automatically from the statement and the postcondition.
For example, the Hoare triple {x − 1 > 0} x := x − 1 {x > 0} is valid by the assignment rule. The post-condition is x > 0. Substituting x − 1 for x throughout the post-condition results in x − 1 > 0, or x > 1, which is the pre-condition.
Hoare Logic rules
Examples: what is the weakest precondition in each case?
{ ? } x := 3 { x + y > 0 }                 answer: y > -3
{ ? } x := y + 7 { x > 42 }                answer: y > 35
{ ? } x := 3 + y + z { x + y - z > 0 }     answer: y > -1.5
{ ? } x := 3*y + z { x * y - z > 0 }       answer: 3*y² + z*y - z > 0
Hoare Logic rules
Sequence/Composition Rule: Hoare's rule of composition applies to sequentially executed programs S and T, where S executes prior to T and is written S;T.
{Q} S {Z} , {Z} T {R} ⊢ {Q} S;T {R}
Hoare Logic rules
Example: { ? } x := x + 1; y := x + y { y > 5 }. What is the weakest precondition?
The solution method works backward, first finding the weakest precondition for the second part of the sequence: { ? } y := x + y { y > 5 } gives x + y > 5.
Then continue by finding the weakest precondition for the first part of the sequence: { ? } x := x + 1 { x > 5 − y } gives x + 1 > 5 − y, i.e. x + y > 4.
So the weakest precondition of the whole sequence is x + y > 4.
Hoare Logic rules
Consequence rule
{Q} P {R} , Q1 → Q ⊢ {Q1} P {R}
{Q} P {R} , R1 → R ⊢ {Q} P {R1}
{Q} P {R} , Q1 → Q , R1 → R ⊢ {Q1} P {R1}
Hoare Logic rules
Condition Rule
A conditional statement is a program statement of the form:
if condition B then
P1
else
P2
end if
The Hoare triple is inferred from two other Hoare triples:
{Q ∧ B} P1 {R}      (the case where B is true)
{Q ∧ ¬B} P2 {R}     (the case where B is false)
This simply says that each branch of the conditional statement must be proved correct.
{Q ∧ B} P1 {R} , {Q ∧ ¬B} P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}
Hoare Logic rules
Example: { ? } if x > 0 then y := x else y := -x { y > 5 }. What is the weakest precondition?
Conditional statement 1 "then": {Q1} y := x { y > 5 }, so Q1 = x > 5
Conditional statement 2 "else": {Q2} y := -x { y > 5 }, so Q2 = -x > 5
Q = |x| > 5
Hoare Logic rules
Example: {a = T ∧ b = 6 ∧ c = 10} x := b {(x = 6 ∧ a = T) ∨ (x = 10 ∧ a = F)} and {a = F ∧ b = 6 ∧ c = 10} x := c {(x = 6 ∧ a = T) ∨ (x = 10 ∧ a = F)}
After applying the condition rule:
{b = 6 ∧ c = 10} if (a = T) then x := b else x := c {(x = 6 ∧ a = T) ∨ (x = 10 ∧ a = F)}
{Q ∧ B} P1 {R} , {Q ∧ ¬B} P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}
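The assignment, sequence and conditional rules on the preceding slides are all mechanical once the postcondition is known: substitute for the assigned variable, compose right to left, and split on the branch condition. The following is an added example, not code from the lecture, that implements exactly those three steps as a small weakest-precondition calculator and runs it on the lecture's own exercises. The list-based program representation, the helper names, and the use of Python's ast module to do substitution (so that x is not confused with x1, and parentheses are inserted where precedence requires) are assumptions of this example; predicates are written as Python expression strings over integer variables.

```python
import ast
import copy

# Added example, not lecture code.  Program representation (an assumption):
#   ("assign", var, expr)                     var := expr
#   ("if", cond, then_prog, else_prog)        if cond then P1 else P2
# A program is a list of such statements executed in order.


def substitute(pred: str, var: str, expr: str) -> str:
    """pred[expr/var]: replace every occurrence of variable `var` in `pred` by `expr`.
    Parsing both sides keeps names whole and re-parenthesises on unparse."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(replacement) if node.id == var else node

    tree = Sub().visit(ast.parse(pred, mode="eval"))
    return ast.unparse(tree.body)


def normalise(pred: str) -> str:
    """Canonical spacing and parenthesisation so results compare as text."""
    return ast.unparse(ast.parse(pred, mode="eval").body)


def wp(prog, post: str) -> str:
    """Weakest precondition of a loop-free program with respect to `post`."""
    pre = post
    for stmt in reversed(prog):        # sequence rule: wp(S;T, R) = wp(S, wp(T, R))
        if stmt[0] == "assign":        # assignment rule: wp(x := E, R) = R[E/x]
            _, var, expr = stmt
            pre = substitute(pre, var, expr)
        elif stmt[0] == "if":          # conditional rule: (B => wp(P1,R)) and (not B => wp(P2,R))
            _, cond, then_prog, else_prog = stmt
            pre = normalise(
                f"(not ({cond}) or ({wp(then_prog, pre)})) and "
                f"(({cond}) or ({wp(else_prog, pre)}))"
            )
        else:
            raise ValueError(f"unsupported statement {stmt[0]!r}")
    return pre


def holds(pred: str, state: dict) -> bool:
    """Evaluate a predicate string in a concrete state.  eval is acceptable here
    only because every string is constructed in this file, never read from input."""
    return bool(eval(pred, {"__builtins__": {}, "abs": abs}, dict(state)))


def equivalent_on(p: str, q: str, states) -> bool:
    """Bounded check that two predicates agree on every sample state."""
    return all(holds(p, s) == holds(q, s) for s in states)


def implied_on(p: str, q: str, states) -> bool:
    """Bounded check of p => q; with q = wp(P, R) this is the consequence rule's
    side condition: a stronger precondition still gives a valid triple."""
    return all(holds(q, s) for s in states if holds(p, s))


if __name__ == "__main__":
    print(wp([("assign", "x", "3")], "x + y > 0"))                       # y > -3 on the slide
    print(wp([("assign", "x", "3 * y + z")], "x * y - z > 0"))
    print(wp([("assign", "x", "x + 1"), ("assign", "y", "x + y")], "y > 5"))
    cond = [("if", "x > 0", [("assign", "y", "x")], [("assign", "y", "-x")])]
    print(wp(cond, "y > 5"))
    samples = [{"x": v} for v in range(-20, 21)]                         # constructed states
    print(equivalent_on(wp(cond, "y > 5"), "abs(x) > 5", samples))
```

The calculator returns the unsimplified forms (3 + y > 0 rather than y > -3); simplification is a separate step, and on the slides it is done by hand. For the conditional the result is the case split (x > 0 ⇒ x > 5) ∧ (x ≤ 0 ⇒ -x > 5), which the sample-state check confirms is the same predicate as |x| > 5 on the states tried.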
Hoare Logic rules
Rule for Iteration
Suppose that s_i is a loop statement of the form:
while condition B do
P
end while
B is the condition of the while loop and P is a program segment/command. The loop rule of inference states that we can infer the following:
{Q ∧ B} P {Q} ⊢ {Q} s_i {Q ∧ ¬B}
The precondition Q holds before the loop is entered and after it terminates. Q represents a predicate, or relation, among the values of the program variables that is unaffected by the action of a loop iteration; it is the loop invariant.
Hoare Logic rules
Rule for Iteration
• Q is the loop invariant - this is where the main difficulty is!
• This rule can be extended to handle total correctness, where a termination condition is tested in the post-condition predicate.
• A loop invariant is a relation among program variables that is true when control enters a loop, remains true each time the program executes the body of the loop, and is still true when control exits the loop. Understanding loop invariants can help us analyze programs, check for errors, and derive programs from specifications.
{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q ∧ ¬B}
{Inv ∧ Condition} P {Inv} ⊢ {Inv} while (Condition) [P] {Inv ∧ ¬Condition}
Hoare Logic rules
Example: while (x < 10) x = x+1
Start with this: x <= 10 is a useful loop invariant.
{x <= 10} while (x < 10) x = x+1 {??}
Move inside the test: {Inv ∧ Condition} P {Inv}
{x <= 10 ∧ x < 10} x = x+1 {x <= 10}
Backing out: {Inv} while (Condition) [P] {Inv ∧ ¬Condition}
{x <= 10} while (x < 10) x = x+1 {¬(x < 10) ∧ x <= 10}
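The loop rule has one premise, {Inv ∧ B} P {Inv}, and one conclusion, {Inv} while B do P {Inv ∧ ¬B}; both can be checked by execution on sample states, and doing so shows why x <= 10 is the right invariant for the loop above while x < 10 is not. The following is an added example, not code from the lecture: the dictionary state representation, the helper names, the wrong candidate invariant x < 10 (added for contrast) and the second, non-terminating loop (added to show what partial correctness leaves open) are assumptions of this example; the loop while (x < 10) x = x+1 and the invariant x <= 10 are the lecture's.

```python
# Added example, not lecture code.  States are dicts; the loop condition B and
# body P are plain functions on states (an assumption of this example).


def cond(state):
    """Loop condition B: x < 10."""
    return state["x"] < 10


def body(state):
    """Loop body P: x = x + 1, returning the successor state."""
    new = dict(state)
    new["x"] = state["x"] + 1
    return new


def inv_ok(state):
    """The lecture's invariant: x <= 10."""
    return state["x"] <= 10


def inv_bad(state):
    """A wrong candidate (constructed): x < 10, false after the final iteration."""
    return state["x"] < 10


def preservation_failures(inv, B, P, samples):
    """Premise {inv and B} P {inv}: sample states satisfying inv and B whose
    successor under P violates inv.  Empty means the body preserves the
    invariant on every sample (a bounded check, not a proof)."""
    return [s for s in samples if inv(s) and B(s) and not inv(P(s))]


def run_loop(B, P, state, fuel=10_000):
    """Execute `while B do P`.  Partial correctness says nothing about
    termination, so `fuel` bounds the iterations and a loop that does not stop
    raises instead of hanging the checker."""
    for _ in range(fuel):
        if not B(state):
            return state
        state = P(state)
    raise RuntimeError("loop did not terminate within fuel")


def exit_failures(inv, B, P, samples):
    """Conclusion {inv} while B do P {inv and not B}, checked by execution:
    sample states satisfying inv on entry whose final state violates
    inv and not B."""
    bad = []
    for s in samples:
        if inv(s):
            final = run_loop(B, P, s)
            if not (inv(final) and not B(final)):
                bad.append(s)
    return bad


def cond_never_ten(state):
    """Condition of a constructed loop that never stops from odd x: x != 10."""
    return state["x"] != 10


def body_by_two(state):
    """Body x = x + 2: from an odd x it steps over 10 and never terminates."""
    new = dict(state)
    new["x"] = state["x"] + 2
    return new


def terminates(B, P, state, fuel=10_000):
    """True if the loop stops within `fuel` iterations from `state`."""
    try:
        run_loop(B, P, state, fuel)
        return True
    except RuntimeError:
        return False


SAMPLES = [{"x": v} for v in range(-3, 14)]   # constructed sample states

if __name__ == "__main__":
    print("x <= 10 preserved? failures:", preservation_failures(inv_ok, cond, body, SAMPLES))
    print("x < 10 preserved?  failures:", preservation_failures(inv_bad, cond, body, SAMPLES))
    print("exit condition failures:", exit_failures(inv_ok, cond, body, SAMPLES))
    print("x = 1, x += 2 until x = 10 terminates?", terminates(cond_never_ten, body_by_two, {"x": 1}, 1000))
```

The failing sample for x < 10 is x = 9: the body takes it to 10, where the candidate is false, so the premise of the rule is not met. With x <= 10 both checks pass, and every run that starts with x <= 10 ends with x = 10, which is what ¬(x < 10) ∧ x <= 10 says. The invariant x <= 10 holds for the second loop's states too, but the loop never exits from x = 1; the rule's conclusion is only about states reached after the loop terminates.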
Hoare Triple rules
• Empty statement rule: {Q} Skip {Q}
• Assignment rule: {Q} Assignment {R}
• Composition rule: {Q} S {Z} , {Z} T {R} ⊢ {Q} S;T {R}
• Consequence rule: {Q} P {R} , Q1 → Q , R1 → R ⊢ {Q1} P {R1}
• Conditional rule: {Q ∧ B} P1 {R} , {Q ∧ ¬B} P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}
• Loop rule: {Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q ∧ ¬B}
Strongest Postconditions
Here are a number of valid Hoare triples for the same command segment:
{x = 5} x := x * 2 { true }
{x = 5} x := x * 2 { x > 0 }
{x = 5} x := x * 2 { (x = 10) ∨ (x = 5) }
{x = 5} x := x * 2 { x = 10 }
All are true, but the most useful one is the one with the most specific condition: x = 10 is the strongest postcondition. Why?
check: x = 10 ⇒ true
check: x = 10 ⇒ x > 0
check: x = 10 ⇒ x = 10 ∨ x = 5
check: x = 10 ⇒ x = 10
If {Q} P {R} and for all R* such that {Q} P {R*}, R ⇒ R*, then R is the strongest postcondition [ sp(P,Q) ] of P with respect to Q.
Weakest Preconditions
Here are a number of valid Hoare triples for the same command segment:
{(x = 5) ∧ (y = 10)} z := x / y { z < 1 }
{(x < y) ∧ (y > 0)} z := x / y { z < 1 }
{(y ≠ 0) ∧ (x / y < 1)} z := x / y { z < 1 }
All are true, but the most useful one is the one with the most general condition: (y ≠ 0) ∧ (x / y < 1) is the weakest precondition. Why?
check: (x = 5) ∧ (y = 10) ⇒ (y ≠ 0) ∧ (x / y < 1)
check: (x < y) ∧ (y > 0) ⇒ (y ≠ 0) ∧ (x / y < 1)
check: (y ≠ 0) ∧ (x / y < 1) ⇒ (y ≠ 0) ∧ (x / y < 1)
If {Q} P {R} and for all Q* such that {Q*} P {R}, Q* ⇒ Q, then Q is the weakest precondition [ wp(P,R) ] of P with respect to R.
Hoare Triple: wp and sp
{Q} P {R} holds if and only if Q ⇒ wp(P,R)
In other words, a Hoare triple is still valid if the precondition is stronger than necessary, but not if it is too weak.
{Q} P {R} holds if and only if sp(P,Q) ⇒ R
A Hoare triple is still valid if the postcondition is weak enough, but not if it is too strong.
In other words, the most useful specification is the one whose precondition is the most general condition that still makes the triple hold (wp) and whose postcondition is the most specific condition the program guarantees (sp).
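On a finite set of states the two characterisations above become set inclusions: wp(P,R) is the set of states from which P produces an R-state, sp(P,Q) is the set of states P produces from Q-states, and "Q ⇒ wp(P,R)" simply means every Q-state lies in that set. The following is an added example, not code from the lecture, that computes both sets this way and reproduces the checks from the Strongest Postconditions and Weakest Preconditions slides. The constructed sample domains, the helper names and the use of exact rationals (so that 5/10 < 1 is decided exactly, not in floating point) are assumptions of this example; the commands, preconditions and postconditions are the lecture's. The handling of y = 0 is the one point the slides leave implicit: a state where z := x / y is undefined can never be in wp(z := x / y, z < 1), which is why y ≠ 0 has to be part of the weakest precondition.

```python
import itertools
from fractions import Fraction

# Added example, not lecture code.  States are dicts from variable names to
# exact rationals; domains are constructed finite grids of values.


def states(names, lo, hi):
    """All states assigning each variable in `names` an integer value in [lo, hi]."""
    return [dict(zip(names, map(Fraction, vals)))
            for vals in itertools.product(range(lo, hi + 1), repeat=len(names))]


DIV_DOMAIN = states(["x", "y"], -3, 11)   # states for z := x / y  (constructed)
DBL_DOMAIN = states(["x"], -5, 15)        # states for x := x * 2  (constructed)


def div_cmd(s):
    """Command z := x / y; raises ZeroDivisionError when y = 0, i.e. is undefined there."""
    t = dict(s)
    t["z"] = s["x"] / s["y"]
    return t


def dbl_cmd(s):
    """Command x := x * 2."""
    t = dict(s)
    t["x"] = s["x"] * 2
    return t


def wp_set(P, R, domain):
    """Extensional wp(P, R): the states on which P is defined and yields an R-state.
    A state where P is undefined is never in wp(P, R), so no valid precondition
    may admit it."""
    result = []
    for s in domain:
        try:
            t = P(s)
        except ZeroDivisionError:
            continue
        if R(t):
            result.append(s)
    return result


def sp_set(P, Q, domain):
    """Extensional sp(P, Q): the P-images of all Q-states."""
    return [P(s) for s in domain if Q(s)]


def implies(A, B, domain):
    """A => B on the domain: every A-state is also a B-state."""
    return all(B(s) for s in domain if A(s))


def triple_holds(Q, P, R, domain):
    """{Q} P {R} on the domain, checked as Q => wp(P, R)."""
    wp = wp_set(P, R, domain)
    return all(s in wp for s in domain if Q(s))


# The lecture's candidates for { ? } z := x / y { z < 1 }
def R_div(s): return s["z"] < 1
def Q_div1(s): return s["x"] == 5 and s["y"] == 10
def Q_div2(s): return s["x"] < s["y"] and s["y"] > 0
def Q_div3(s): return s["y"] != 0 and s["x"] / s["y"] < 1

# The lecture's candidates for {x = 5} x := x * 2 { ? }
def Q_dbl(s): return s["x"] == 5
def R_dbl_true(s): return True
def R_dbl_pos(s): return s["x"] > 0
def R_dbl_or(s): return s["x"] == 10 or s["x"] == 5
def R_dbl_eq(s): return s["x"] == 10


if __name__ == "__main__":
    for Q in (Q_div1, Q_div2, Q_div3):
        print(Q.__name__, "valid:", triple_holds(Q, div_cmd, R_div, DIV_DOMAIN),
              "implies Q_div3:", implies(Q, Q_div3, DIV_DOMAIN))
    print("Q_div3 is exactly wp:", [s for s in DIV_DOMAIN if Q_div3(s)] == wp_set(div_cmd, R_div, DIV_DOMAIN))
    print("sp(x := x * 2, x = 5):", sp_set(dbl_cmd, Q_dbl, DBL_DOMAIN))
    for R in (R_dbl_true, R_dbl_pos, R_dbl_or, R_dbl_eq):
        print(R.__name__, "valid:", triple_holds(Q_dbl, dbl_cmd, R, DBL_DOMAIN),
              "implied by x = 10:", implies(R_dbl_eq, R, DBL_DOMAIN))
```

All three division preconditions give valid triples and each implies Q_div3, which coincides with the computed wp set; dropping the y ≠ 0 conjunct (for example using x < y alone) admits states where the command is undefined and the triple fails. For the doubling command sp is the single state x = 10, every candidate postcondition holds on it, and x = 10 implies each of the others but not the reverse, which is the strongest-postcondition ordering from the slide.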
Hoare Triple: wp and sp
Assignment rule conditions
{ Q } x := 3 { x + y > 0 }
What is the weakest precondition Q?
If {Q} P {R} then the weakest precondition wp(P,R) follows from the assignment rule:
wp(X := E, R) = (X := E), R
= (x := 3), (x + y > 0)
= 3 + y > 0
= y > -3
Hoare Triple: wp and sp
Assignment
{ Q } x := 3*y + z { x * y - z > 0 }
What is the weakest precondition Q?
If {Q} P {R} then the weakest precondition wp(P,R) follows from the assignment rule:
wp(X := E, R) = (X := E), R
= (x := 3*y + z), (x * y - z > 0)
= (3*y + z) * y - z > 0
= 3*y² + z*y - z > 0
Hoare Triple: wp and sp
Sequence
{ Q } x := x + 1; y := x + y { y > 5 }
What is the weakest precondition Q?
Sequence rule: wp(S;T, R) = wp(S, wp(T, R))
wp(x := x+1; y := x+y, y > 5)
= wp(x := x+1, wp(y := x+y, y > 5))
= wp(x := x+1, x + y > 5)        since wp(y := x+y, y > 5) = (y := x+y), (y > 5) = x + y > 5
= x + 1 + y > 5
= x + y > 4
Hoare Triple: wp and sp
Conditional
{ Q } if x > 0 then y := x else y := -x { y > 5 }
What is the weakest precondition Q?
Answer:
Case 1 "then": {Q1} y := x { y > 5 }
wp(y := x, y > 5) = (y := x), (y > 5) = x > 5, so Q1 = x > 5
Case 2 "else": {Q2} y := -x { y > 5 }
wp(y := -x, y > 5) = (y := -x), (y > 5) = -x > 5, so Q2 = -x > 5
Q = (x > 0 ⇒ x > 5) ∧ (x ≤ 0 ⇒ -x > 5) = |x| > 5
Conditional
{ Q } if x > 0 then y := x else y := -x { y > 5 }
What is the weakest precondition Q?
Conditional rule:
wp(if B then P1 else P2, R) = (B ⇒ wp(P1, R)) ∧ (B' ⇒ wp(P2, R))
wp(if x > 0 then y := x else y := -x, y > 5)
= (x > 0 ⇒ wp(y := x, y > 5)) ∧ (x ≤ 0 ⇒ wp(y := -x, y > 5))
= (x > 0 ⇒ x > 5) ∧ (x ≤ 0 ⇒ -x > 5)
= |x| > 5
End of Lecture
Next Lecture: Loop proof using induction method