Predicate Transforms II Software Testing and Verification Lecture Notes 20 Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Predicate Transforms II Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
Predicate Transforms II Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
wp Rule for while_do Statement In order for the program while b do S to terminate in state Q, it is necessary that:
wp Rule for while_do Statement In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR
wp Rule for while_do Statement In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR
wp Rule for while_do Statement In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR 2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR
wp Rule for while_do Statement In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR 2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR .
wp Rule for while_do Statement (cont’d) Thus, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, ¬b Л Q) H2 b Л wp(S, b Л wp(S, ¬b Л Q)) .
wp Rule for while_do Statement (cont’d) Thus, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, ¬b Л Q) H2 b Л wp(S, b Л wp(S, ¬b Л Q)) .
wp Rule for while_do Statement (cont’d) Thus, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, ¬b Л Q) H2 b Л wp(S, b Л wp(S, ¬b Л Q)) .
wp Rule for while_do Statement (cont’d) Equivalently, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, H0) H2 b Л wp(S, H1) Hi b Л wp(S, Hi-1) … …
wp Rule for while_do Statement (cont’d) Equivalently, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, H0) H2 b Л wp(S, H1) Hi b Л wp(S, Hi-1) … …
wp Rule for while_do Statement (cont’d) Equivalently, we can write wp(while b do S, Q) H0 V H1 V H2 V… where H0 ¬b Л Q H1 b Л wp(S, H0) H2 b Л wp(S, H1) Hi b Л wp(S, Hi-1) … …
Something to think about… How do these terms compare to the (infinite) set of necessary conditions derived for the while_do ROI?
FLASHBACK to Lecture Notes #18… Something to think about… (cont'd) FLASHBACK to Lecture Notes #18… So, we know that {P} while b do S {Q} will hold if the following conditions hold: Case 0: (P Л b) Q Case 1: {P Л b} S {K1}, (K1 Л b) Q Case 2: {K1 Л b} S {K2}, (K2 Л b) Q … Case N: {KN-1 Л b} S {KN}, (KN Л b) Q …
Something to think about… (cont'd) What is the relationship between wp(while b do S, Q) and an invariant, I, for which initialization, preservation, and finalization hold?
Something to think about… (cont'd) What is the relationship between wp(while b do S, Q) and an invariant, I, for which initialization, preservation, and finalization hold? We'll come back to this question later...
Example For what initial values of i, n, and t will the following program terminate with t=xn? while i <= n do t := t*x i := i+1 end_while How about i=1, t=1, and n=2? Can you think of any others? For example... {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}?
Example (cont’d) Find the wp of this program with respect to the post-condition {t=xn}. (Attempt to find a regularity in terms that allows a closed-form expression.)
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i := i+1 H1 b Л wp(S, H0) H2 b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = H2 b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = H2 b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = H2 b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = H2 b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2 b Л wp(S, H1) = while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2 b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2 b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2 b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = i≤n Л i+1=n Л tx=xn-1 = while i <= n do t := t*x i := i+1 end_while
Example (cont’d) while i <= n do H0 ¬b Л Q t := t*x = i>n Л t=xn H1 b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2 b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = i≤n Л i+1=n Л tx=xn-1 = i=n-1 Л t=xn-2 while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = t := t*x . Hk b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = i≤n Л wp(S, i=n-1 Л t=xn-2) = . Hk b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = i≤n Л wp(S, i=n-1 Л t=xn-2) = . Hk b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = . Hk b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = i=n-2 Л t=xn-3 . Hk b Л wp(S, Hk-1) = while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = i=n-2 Л t=xn-3 . Hk b Л wp(S, Hk-1) = i=n-(k-1) Л t=xn-k = while i <= n do t := t*x i := i+1 end_while
Example (cont’d) H3 b Л wp(S, H2) while i <= n do = i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = i=n-2 Л t=xn-3 . Hk b Л wp(S, Hk-1) = i=n-(k-1) Л t=xn-k = i=n-k+1 Л t=xn-k while i <= n do t := t*x i := i+1 end_while
Example (cont’d) Thus, we have: H0 = i>n Л t=xn Hk = i=n-k+1 Л t=xn-k (for all k>0)
Example (cont’d) Thus, we have: H0 = i>n Л t=xn Hk = i=n-k+1 Л t=xn-k (for all k>0)
Example (cont’d) Thus, we have: H0 = i>n Л t=xn Hk = i=n-k+1 Л t=xn-k (for all k>0) and since i=n-k+1 n-k=i-1
Example (cont’d) Thus, we have: H0 = i>n Л t=xn Hk = i=n-k+1 Л t=xn-k (for all k>0) and since i=n-k+1 n-k=i-1 = i≤n Л t=xi-1 (where i≤n for all k>0)
Example (cont’d) Thus, we have: H0 = i>n Л t=xn Hk = i=n-k+1 Л t=xn-k (for all k>0) and since i=n-k+1 n-k=i-1 = i≤n Л t=xi-1 (where i≤n for all k>0) Therefore, wp H0 V H1 V H2 V ... = (i>n Л t=xn) V (i≤n Л t=xi-1)
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}?
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}?
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (1>(1,2,…) Л 1=x(1,2,…)) V (1≤(1,2,…) Л 1=x1-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (1>(1,2,…) Л 1=x(1,2,…)) V (1≤(1,2,…) Л 1=x1-1) √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (3>1 Л x=x1) V (3≤1 Л x=x3-1) √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (3>1 Л x=x1) V (3≤1 Л x=x3-1) √ √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √ √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √ √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (2>5 Л x=x5) V (2≤5 Л x=x2-1) √ √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (2>5 Л x=x5) V (2≤5 Л x=x2-1) √ √ √
(i>n Л t=xn) V (i≤n Л t=xi-1) Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √ √ √
Addendum (based on a question raised in class) Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0}
Addendum (based on a question raised in class) Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0} (1>0 Л 1=x0) V (1≤0 Л 1=x1-1)
Addendum (based on a question raised in class) Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0} (1>0 Л 1=x0) V (1≤0 Л 1=x1-1) √
Addendum (based on a question raised in class) Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0} (1>0 Л 1=x0) V (1≤0 Л 1=x1-1) √ √
Predicate Transforms II Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
wlp Rule for while_do Statement In order for the program while b do S to either terminate in state Q, or not term- inate at all, it is necessary that: Q will hold on program termination, OR the program will not terminate. Therefore, wlp(while b do S, Q) ≡ wp(while b do S, Q) V ¬wp(while b do S, true)
wlp Rule for while_do Statement In order for the program while b do S to either terminate in state Q, or not term- inate at all, it is necessary that: Q will hold on program termination, OR the program will not terminate. Therefore, wlp(while b do S, Q) ≡ wp(while b do S, Q) V ¬wp(while b do S, true) (Note: wp(M, true) is the weakest pre-condition ensuring termination of program M.)
Example Use the wlp rule for while_do statements to determine the weakest liberal pre-condition for the following program with respect to post-condition t=x5. while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = H1 b Л wp(S, H0) . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = i=3 Л t=x5 H1 b Л wp(S, H0) = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = i=3 Л t=x5 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = i=3 Л t=x5 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = i=3 Л t=x5 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = i≠3 Л i+1=3 Л tx=x5 = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = i=3 Л t=x5 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = i≠3 Л i+1=3 Л tx=x5 = i=2 Л t=x4 . Hk b Л wp(S, Hk-1) = while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q H0 ¬b Л Q = i=3 Л t=x5 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = i≠3 Л i+1=3 Л tx=x5 = i=2 Л t=x4 . Hk b Л wp(S, Hk-1) = i=3-k Л t=x5-k while i<>3 do t := t*x i := i+1 end_while
Step 1: determine wp with respect to Q Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0)
Step 1: determine wp with respect to Q Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0)
Step 1: determine wp with respect to Q Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Л t=xi+2 (where i<3 for all k>0)
Step 1: determine wp with respect to Q Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Л t=xi+2 (where i<3 for all k>0) Therefore, the wp w.r.t. Q, H0 V H1 V H2 V... is:
Step 1: determine wp with respect to Q Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Л t=xi+2 (where i<3 for all k>0) Therefore, the wp w.r.t. Q, H0 V H1 V H2 V... is: i≤3 Л t=xi+2
Step 2: determine wp with respect to true H0 ¬b Л true = H1 b Л wp(S, H0) . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3) = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3) = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = . Hk b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = i=2 . Hk b Л wp(S, Hk-1) = while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true H0 ¬b Л true = i=3 H1 b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = i=2 . Hk b Л wp(S, Hk-1) = i=3-k while i<>3 do t := t*x i := i+1 end_while
Step 2: determine wp with respect to true Thus, we have: H0 = i=3 Hk = i=3-k (for all k>0)
Step 2: determine wp with respect to true Thus, we have: H0 = i=3 Hk = i=3-k (for all k>0) = i<3
Step 2: determine wp with respect to true Thus, we have: H0 = i=3 Hk = i=3-k (for all k>0) = i<3 Therefore, the wp w.r.t. true, H0 V H1 V H2 V... is: i≤3
Step 3: combine wp’s into one disjunct Thus, wlp(while i<>3 do t := t*x; i := i+1, t=x5) = (i≤3 Л t=xi+2) V i>3 Exercise: In light of this, for which of the following initial states is the program weakly correct with re- spect to t=x5? {i=1 Л t=1 Л x=1}? {i=2 Л t=x Л x=2}? {i=5 Л t=8 Л x=3}?
Step 3: combine wp’s into one disjunct Thus, wlp(while i<>3 do t := t*x; i := i+1, t=x5) = (i≤3 Л t=xi+2) V i>3 Exercise: In light of this, for which of the following initial states is the program weakly correct with re- spect to t=x5? {i=1 Л t=1 Л x=1}? {i=2 Л t=x Л x=2}? {i=5 Л t=8 Л x=3}?
Predicate Transforms II Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? P wlp ? For while loops, does {w(l)p Л b} S {w(l)p} ? Does (w(l)p Л ¬b) Q ?
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? P wlp ? For while loops, does {w(l)p Л b} S {w(l)p} ? Does (w(l)p Л ¬b) Q ?
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? Does (w(l)p Л ¬b) Q ?
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? Does (w(l)p Л ¬b) Q ?
{wp Л b} S {wp} ???
{wp Л b} S
{wp Л b} = {[H0 V H1 V …] Л b} S
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} S
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} S
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} S
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …}
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …} = {wp}
Similarly, it can be shown that {wlp Л b} S {wlp}. {wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …} = {wp} Similarly, it can be shown that {wlp Л b} S {wlp}.
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b) Q ?
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b) Q ?
{wp Л ¬b}
{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b}
{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b} {(¬b Л Q)} Q
{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b} {(¬b Л Q)} Q
Similarly, it is easy to show that {wlp Л ¬b} Q. {wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b} {(¬b Л Q)} Q Similarly, it is easy to show that {wlp Л ¬b} Q.
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b) Q ? yes
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b) Q ? yes _________________________ wp weakest while loop invariant which guarantees termination!
Loop Invariants and w(l)p’s In general, are loops guaranteed to terminate when: P wp ? yes P wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b) Q ? yes _________________________ wp weakest while loop invariant which guarantees termination! wlp weakest while loop invariant which does NOT guarantee termination!
Predicate Transforms II Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
sp Rule for while_do Statement What is the strongest condition on the final state of program while b do S given that P holds initially? (Note that the post-condition is undefined when the program does not terminate.) Recall our derivation of the while loop Rule of Inference from Lecture Notes #18 (Axiomatic Verification II). (flashback follows...)
Necessary Conditions: while_do So, we know that {P} while b do S {Q} will hold if the following conditions hold: Case 0: (P Л b) Q Case 1: {P Л b} S {K1}, (K1 Л b) Q Case 2: {K1 Л b} S {K2}, (K2 Л b) Q … Case N: {KN-1 Л b} S {KN}, (KN Л b) Q … Great! But who has the time to show that an infinite number of conditions hold?
sp Rule for while_do Statement In order to eliminate the infinite sequence of necessary conditions, we replaced each Ki with I (a loop invariant.) But for i≥1, Ki is just the strongest post- condition of S with respect to (Ki-1 Л b), where K0 = P.
sp Rule for while_do Statement Thus, if the loop terminates, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л P) K2 sp(S, b Л sp(S, b Л P)) K3 sp(S, b Л sp(S, b Л sp(S, b Л P))) .
sp Rule for while_do Statement Thus, if the loop terminates, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л P) K2 sp(S, b Л sp(S, b Л P)) K3 sp(S, b Л sp(S, b Л sp(S, b Л P))) .
sp Rule for while_do Statement Thus, if the loop terminates, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л P) K2 sp(S, b Л sp(S, b Л P)) K3 sp(S, b Л sp(S, b Л sp(S, b Л P))) .
sp Rule for while_do Statement Thus, if the loop terminates, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л P) K2 sp(S, b Л sp(S, b Л P)) K3 sp(S, b Л sp(S, b Л sp(S, b Л P))) .
sp Rule for while_do Statement Equivalently, we can write: on termination, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л K0) K2 sp(S, b Л K1) KN sp(S, b Л KN-1) … …
sp Rule for while_do Statement Equivalently, we can write: on termination, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л K0) K2 sp(S, b Л K1) KN sp(S, b Л KN-1) … …
sp Rule for while_do Statement Equivalently, we can write: on termination, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0 P K1 sp(S, b Л K0) K2 sp(S, b Л K1) KN sp(S, b Л KN-1) … …
Example Use the Strongest Post-condition ROI to prove: {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example Use the Strongest Post-condition ROI to prove: T {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} We need to show: sp(T, Z=X Л J=1) Z=XY where T is: while J<>Y do Z := Z+X J := J+1 end_while if T terminates. T
Example (cont’d) K0 P = {true} K1 sp(S, b Л K0) Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = K2 sp(S, b Л K1) {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2 sp(S, b Л K1) = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2 sp(S, b Л K1) = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2 sp(S, b Л K1) Z’=2X Л J’=2 Л Y≠1 = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) K0 P = Z=X Л J=1 {true} K1 sp(S, b Л K0) Z := X = Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2 sp(S, b Л K1) Z’=2X Л J’=2 Л Y≠1 = Z=3X Л J=3 Л Y≠1 Л Y≠2 {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) . K3 sp(S, b Л K2) = {true} Z := X J := 1 KN sp(S, b Л KN-1) {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) . K3 sp(S, b Л K2) = Z=4X Л J=4 Л Y≠1 Л {true} Y≠2 Л Y≠3 . KN sp(S, b Л KN-1) = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) . K3 sp(S, b Л K2) = Z=4X Л J=4 Л Y≠1 Л {true} Y≠2 Л Y≠3 . KN sp(S, b Л KN-1) = Z=(N+1)X Л J=N+1 Л Y≠1 Л Y≠2 Л ... Л Y≠N . {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}
Example (cont’d) Thus, when T terminates (i.e., when Y≥1), sp(T, Z=X Л J=1) = J=Y Л [(Z=X Л J=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...]
Example (cont’d) Thus, when T terminates (i.e., when Y≥1), sp(T, Z=X Л J=1) = J=Y Л [(Z=X Л J=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...] => [(Z=XY Л Y=1) V (Z=XY Л Y=2) V ...]
Example (cont’d) Thus, when T terminates (i.e., when Y≥1), sp(T, Z=X Л J=1) = J=Y Л [(Z=X Л J=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...] => [(Z=XY Л Y=1) V (Z=XY Л Y=2) V ...] => (Z=XY Л Y≥1) => Q (i.e., Z=XY)
sp(T, Z=X Л J=1) is undefined Example (cont’d) When T does NOT terminate (i.e., when Y<1), sp(T, Z=X Л J=1) is undefined
sp(T, Z=X Л J=1) is undefined Example (cont’d) When T does NOT terminate (i.e., when Y<1), sp(T, Z=X Л J=1) is undefined Therefore, by the Strongest Post-Condition ROI, the assertion of weak correctness holds.
Predicate Transforms II Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
On the power of axiomatic verification and the relative usefulness of predicate transforms Hoare Logic is a deductive system that is both sound and relatively complete (i.e., complete to the extent that we can decide the validity of assertions in ROI’s) for deriving proofs of Hoare triples. Predicate transforms operationalize this system by providing a way to produce valid correctness specifications. Weakest pre-conditions (wp’s) are typically easier to use in this respect than either wlp’s or sp’s when dealing with loops.
Problem Set 6: Predicate Transforms Note especially Problem 6: deriving and using the weakest pre-condition for the repeat_until construct.
Predicate Transforms II Software Testing and Verification Lecture Notes 20 Prepared by Stephen M. Thebaut, Ph.D. University of Florida