11/22/2016IT 3271 A formal system:Axioms and Rules, for inferring valid specification x := m; y := n; while ¬(x=y) do if x>y then x := x-y else y := y-x program { m≥1, n ≥1 } { x = gcd(m,n) } assertion pre-condition post-condition specification Ch 23:Formal Semantics

11/22/2016IT 3272 A formal system:Axioms and Rules, { P } skip { P } { true } diverge { false } { [P] (i  E) } i := E { P } assignment { P } C {Q}  { P } ( C ) { Q } grouping { P } C 0 {Q} & { Q } C 1 { R }  { P } C 0 ; C 1 { R } sequencing { P, B } C 0 {Q} & { P, ¬B } C 1 { Q }  { P } if B then C 0 else C 1 { Q } if-statement { P, B } C { P }  { P } while B do C { P, ¬B } while-loop this P is called the loop invariant map

11/22/2016IT 3273 A formal system:Axioms and Rules, { P  R} & { R } C { Q }  { P } C { Q } pre-condition strengthening (II) implies { R  Q} & { P } C { R }  { P } C { Q } post-condition weakening { P 1 } C { Q } & { P 2 } C { Q }  { P 1  P 2 } C { Q } pre-condition disjunction { P} C { Q 1 } & { P} C { Q 2 }  { P } C { Q 1, Q 2 } post-condition conjunction or and

11/22/2016IT 3274 A correct program n := n+1; { ( n+1) ≥0 } { n ≥0 } This is a correct specification { [P] (i  E) } i := E { P } assignment It is correct because we can apply the following axiom to obtain the specification: This (piece of) program is correct.. Is what sense?

11/22/2016IT 3275 Another proof of the program correctness s := a; i := 0; while ¬(i=b) do ( s := s+1; i := i+1 ) program {b ≥0 } { s = a+b } assertion pre-condition post-condition specification The most difficult part is to figure out a useful loop invariant { s = a+i }

11/22/2016IT 3276 s := a; i := 0; {b ≥0 } {b ≥0, s = a+i } {b ≥0  (b ≥0, a = a+0) } {b ≥0, a = a+0 } s := a; {b ≥0, s = a+0 } {(b ≥0, s = a+0)  (b ≥0, s = a+0, 0=0) } {b ≥0, s = a+0, 0=0 } i := 0; {b ≥0, s = a+0, i = 0 } { (b ≥0, s = a+0, i=0)  ( b ≥0, s = a+i) }

11/22/2016IT 3277 s := s+1; i := i+1; {b ≥0, s = a+i, ¬(i=b) } {b ≥0, s = a+i } { P, B } C { P }  { P } while B do C { P, ¬B } {b ≥0, s = a+i, ¬¬(i=b) } {b ≥0, s = a+i } while ¬(i=b) do ( s := s+1; i := i+1 ) {(b ≥0, s = a+i, ¬¬(i=b))  (b ≥0, s = a+i, i=b) } {(b ≥0, s = a+i, i=b)  s = a+b}

11/22/2016IT 3278 Examples of correctness proofs Easy introduction to loop invariants