Program Correctness an introduction

Program Correctness How do you do that? How can we be sure that a program/algorithm always produces the correct result? Test it on sample input Test boundary conditions Test it on all possible inputs Prove it correct can we automate this? Use rules of inference, mathematical induction

Program Correctness Correct, what does that mean? A program is correct if it produces correct output for all possible inputs this is called partial correctness it terminates An initial assertion gives the properties of the input A final assertion gives the properties of the output The initial and final assertions must be given otherwise we cannot check correctness

Program Correctness Partially Correct? A program, or program segment, S is partially correct if with respect to initial assertion p and final assertion q whenever p is true for the input and S terminates then q is true for the output. p{S}q indicates program, or program segment S is partially correct p{S}q is called a Hoare triple Note: partial correctness only states that the program produces the correct results if it terminates. It does not prove that the program terminates

Program Correctness Tony Hoare

Program Correctness A very simple example Program segment S is as follows y:=2; z := x + y; Initial assertion p: x = 1 Final assertion q: z = 3 Prove p{S}q assume p x initially has the value 1 y is assigned the value 2 z is then assigned the value x + y that is equal to 1 + 2 which is 3 Therefore S is correct with respect to p and q

Program Correctness Decompose your program We can split our program into parts (subprograms) and prove that each of these parts (subprograms) is correct Split S into subprograms S1 and S2 S is then S1 followed by S2 S = S1;S2 Assume p is the initial assertion of S1, q is the final assertion of S1 q is the initial assertion of S2 r is the final assertion of S2 Further assume we have established p{S1}q and q{S2}r It follows that if p is true and S1 executes and terminates then q is true if q is true and S2 executes and terminates then r is true Therefore if p is true and S executes and terminates r is true

Program Correctness A new rule of inference: The Composition Rule

Program Correctness Simple Conditional Statement Assume program segment is as follows if cond then S S is executed if cond is true S is not executed if cond is false To verify that the segment above is true with respect to initial assertion p final assertion q Show that when p is true, and cond is true and S executes, q is true when p is true and cond is false and S does not execute, q is true

Program Correctness The simple condition rule of inference

Program Correctness An example of a simple conditional Program segment S is as follows if x > y then x := y Initial assertion p: is True Final assertion q: y  x (y is greater than or equal to x) Consider cond = true (x > y) and cond = false (x  y) (1) p and x > y the assignment x := y is made consequently y  x therefore q holds (2) p and x  y no assignment is made y  x Therefore S is correct with respect to p and q

Program Correctness Conditional Statement Assume program segment is as follows if cond then S1 else S2 S1 is executed if cond is true S2 is executed if cond is false To verify that the segment above is true with respect to initial assertion p final assertion q Show that when p is true, and cond is true and S1 executes, q is true when p is true, and cond is false and S2 executes, q is true

Program Correctness The condition rule of inference

Program Correctness An example of a conditional Program segment S is as follows if x < 0 then abs := -x else abs := x Initial assertion p: is True Final assertion q: abs = |x| Consider the cases when cond = true and when cond = false (1) p and x < 0 the assignment abs := -x is made consequently abs = |x| therefore q holds (2) p and x  0 consequently abs := x, and again abs is |x| Therefore S is correct with respect to p and q

Program Correctness While Loop (loop invariants) Assume program segment is as follows while cond do S S is repeatedly executed while cond is true S is repeatedly executed until cond is false An assertion that remains true each time S is executed is required this is the loop invariant p is a loop invariant if (p and cond){S}p is true To verify that the segment above is true with respect to loop invariant p Show that p is true before S is executed p is true and cond is false on termination of the loop if it terminates

Program Correctness The loop invariant rule of inference

An example of a loop invariant Program Correctness An example of a loop invariant i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i; end Prove segment terminates with fact = n! a loop invariant is required let p be proposition p: fact = i! and i <= n let S be the segment: i := i+1; fact := fact * i; Prove that p is a loop invariant, using mathematical induction Basis Step: initially i = fact = 1 = i! and 1 <= n Inductive Step assume p is true and 1 < i < n and fact = i! after executing loop i was incremented by 1, i.e. i + 1 therefore i  n fact := i!(i + 1) therefore fact = (i+1)! … and i has been incremented Therefore p is a loop invariant

An example of a loop invariant Program Correctness An example of a loop invariant i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i; end Therefore p is a loop invariant Therefore the assumption [p and (i < n)]{S}p is true Therefore it follows that p{while i<n do S}[i >= n and p] is true The while loop terminates i starts at 1, assuming n  0 i is incremented inside loop eventually i will equal n Therefore the program segment is correct

Program Correctness An example, min(x,y) Program segment S is as follows if x < y then min := x else min := y Initial assertion p: is True Final assertion q: (x  y and min = x) or (x > y and min = y) Consider three cases (1) p and x < y min is set to x (x  y and min = x) (2) p and x = y min is set to y, which equals x (x  y and min = x) (3) p and x > y min is set to y (x > y and min = y) Therefore S is correct with respect to p and q Question 4

Program Correctness An example, ? Initial assertion p: is True Final assertion q: x  y Consider two cases (1) p and x  y S is not executed q is true (2) p and x > y x := x + y y := x - y = (x + y) - y = x x := x - y = (x + y) - x = y x and y are now swapped, so y is now greater than x Therefore S is correct with respect to p and q if x > y then begin x := x + y; y := x - y; x := x - y; end;

Program Correctness So? For each program segment S we need an initial assertion p a final assertion q If it is a loop we need to establish a loop invariant p We need to apply the appropriate rules of inference Generally we need to decompose program It takes time, it aint easy Could we automate the process? For partial correctness For correctness What do we do in an industrial setting