Duminda WijesekeraSWSE Program Correctness1 SWSE 623 Program Correctness -Pre-condition, Post-conditions and Loop invariants

Duminda WijesekeraSWSE Program Correctness2 Basic Definitions Partial Correctness with respect to predicates: –If program P starts satisfying predicate A, and P terminates, then the terminating state satisfies B. Termination with respect to predicates: –If program P starts in a state satisfying predicate A, then it will terminate in a state satisfying B. Total correctness: –If program P starts in a state satisfying A, then it will terminate in a state satisfying B. Notation: {A} P {B}

Duminda WijesekeraSWSE Program Correctness3 Weakest Pre-condition and Strongest Post-condition Weakest Precondition: If a predicate QQ satisfying following conditions is a weakest pre-condition. –{QQ} S {R} –For every Q satisfying {Q} S {R} then Q => QQ Strongest Post-condition: If a predicate RR satisfies following, it is a strongest post- condition. –{Q} S {RR} –For every R satisfying {Q} S {R}, then RR => R

Duminda WijesekeraSWSE Program Correctness4 Axiomatic Method of Tony Hoare Rules of predicate logic are enriched by adding more rules corresponding to program constructs. Assignment Axiom: –{p(e/x)} ( x:= e ){ p} Composition Rule: –{p} S { r} {r} S’ {q} {p} (S; S’) {q} Conditional Rule: –{p ^ r} S {q} {p ^ ~r} S’ {q} {p} (If (r) then S else S’} {q}

Duminda WijesekeraSWSE Program Correctness5 Hoare Axioms - Continued While Rule: {p ^ r } S {p} {p} (while r do S) {p ^ ~r } Consequence Rule: p -> q {q} H {r} r -> s {p} H {r}

Duminda WijesekeraSWSE Program Correctness6 Soundness and Completeness of Hoare’s Axiomatic System Theorem: Hoare calculus is Sound –I.e. if |- {p} S {q} then |= {p} S {q} –We will not go through the proof, but similar to soundness of predicate calculus. Fact: Hoare calculus is NOT complete. –I.e. if |= {p} S {q} then |- {p} S {q} is FLASE! –Counter example: {true} ( x:= 1) { x=1} is true in every model, but cannot be proved !

Duminda WijesekeraSWSE Program Correctness7 Issues Related to Incompleteness The problem with the incompleteness lies in finding a weakest pre-condition for while loops. Theorem: (Cook –1978) If in an interpretation, every while loop has a weakest pre-condition, then Hoare calculus is complete with respect to that interpretation. – (Referred to as Cook’s relative completeness theorem) Give examples of using each rule.

Duminda WijesekeraSWSE Program Correctness8 Sequencing Rule Rule: {p} S {q}{q} S’ {r} {p} (S : S’) {r} To use this rule, take the form WP( S;S’, R) = WP( S, WP(S’, R)) Example: Calculate –WP( (t:=x;x:=y;y:=t) x=1 ^ y=2) –=WP((t:=x;x:=y),WP(y:=t, (x=1^y=2))) –=WP((t:=x;x:=y), (2=t ^x=1)) –=WP((t:=x),(1=y^2=t)) = (1=y)^(2=x)

Duminda WijesekeraSWSE Program Correctness9 Conditional Statement {p ^ r} S {R} {p ^ ~r} S’ {R} {p} (If (r) then S else S’} {R} Example: WP((if x>=y then z:=x else z:=y), z =max(x,y)) Let R=z=max{x,y}= (z=x^x>=y)V(z=y^y>x) Claim p=T. Need to show –{p^(x>=y)} (z:=x) {R} WP((z:=x), R) = ((x=x)^(x>=y))V((x=y)^(y>x))=(x>=y). Hence p^(x>=y) -> (x>=y). –{p^(x <y)} (z:=y) {R} WP((Z:=Y), R) = ((y=x)^(x>=y))V((y=y)^(Y>X))=(Y=X)V(Y>X)=(Y>=X). Now notice that {p^(x X) -> (y>=X)

Duminda WijesekeraSWSE Program Correctness10 Suggestions for using the Conditional Rule Suppose we have to show –{Q} (If (r) then S else S’} {R}, using the rule –{p ^ r} S {q} {p ^ ~r} S’ {R} {p} (If (r) then S else S’} {R} Compute the Wp for alternatives, I.e. –Wp(S, R) and Wp(S’, R) Then prove –p^(r ) -> Wp(S,R) and P^(~r) -> Wp(S’,R) –Q -> (p^r) and Q -> (p^(~r))

Duminda WijesekeraSWSE Program Correctness11 Analyzing Loops {p ^ r } S {p} {p} (while r do S) {p ^ ~r } In using this rule, there is no way to guarantee termination of the loop, unless r is false. In order to compute an upper bound on the number of loop iterations, Gries has added a bounding function Rule: With loop invariant p and bounding function t If –(p^ (~r)) -> (t=0) : Says that if guard fails then looping has ended. –{p ^ r } S {p} : Says that P is a loop invariant. –(p^r) -> (t >0) : Says that if the guard is true then won’t end looping. –t decreases with each iteration Then –{p} (while r do S) {p ^ ~r }

Duminda WijesekeraSWSE Program Correctness12 Using Looping Rules To show {Q} s’; (while r do S) {R} using loop invariance P and counting function t show: –{Q} s’ {p} –(p^ (~r)) -> R : Says that if guard fails then looping has ended. –{p ^ r } S {p} : Says that P is a loop invariant. –(p^r) -> (t >0) : Says that if the guard is true then won’t end looping. –t decreases with each iteration

Duminda WijesekeraSWSE Program Correctness13 Example: Exponentiation Want to show {Q} S {R} where Q = (0 <= b) R = (z = a**b) S = (z:=1; x:=a; y:=b); ( while (y =/=0) do { If odd(y) then ( z:=z*x; y:=y-1) end else (x:=x*x; y:=y div 2) end-if } od) Use loop invariant P = {(y>=0)^(z*(x**y)=a**b)} Bounding function = y

Duminda WijesekeraSWSE Program Correctness14 Example Continued: Proof Obligations 0. {Q} (z:=1; x:=a; y:=b) {P}. I.e. {0= =0)^(z*(x**y)=a**b)} 1. P^(~(y=/=0)) -> R. I.e. {(y>=0)^(z*(x**y)=a**b)}^(y=0) -> (z = a**b) 2. {P^(y=/=0)} S {P} I.e. that P is a loop invariant 3. P^(y=/=0) -> (y>0) 4. Each iteration of the loop decreases the bound function y

Duminda WijesekeraSWSE Program Correctness15 0. Proving {Q} (z:=1; x:=a; y:=b) {P} Wp((z:=1; x:=a; y:=b), (0=<y^(z*(x**y)=a**b)) Wp((z:=1;x:=a), (0=<b^(z*(x**b)=a**b)) Wp(z:=1,(0=<b^(z*(a**b)=a**b))) (0=<b) == Q

Duminda WijesekeraSWSE Program Correctness16 1. Proving P^(~(y=/=0)) -> R {(y>=0)^(z*(x**y)=a**b)}^(y=0) -> (z = a**b) {(y>=0)^(z*(x**y)=a**b)}^(y=0)-> z*(x**0)=a**b) (Z*1=a**b) -> (z=a**b) – this is true!

Duminda WijesekeraSWSE Program Correctness17 2. Proving {P^(y=/=0)} S {P} Need to prove: {(0<y)^(z*(x**y)=a**b)} S {(0=<y)^(z*(x**y)=a**b} Notice that S is the conditional statement: –If odd(y) then ( z:=z*x; y:=y-1) –Else (x:=x*x; y:=y div 2) endif } Hence we need to show: {(0<y)^(z*(x**y)=a**b)^odd(y)} ( z:=z*x; y:=y-1) {P} {(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p}

Duminda WijesekeraSWSE Program Correctness18 2.1: Proving {(0<y)^(z*(x**y)=a**b)^odd(y)} ( z:=z*x; y:=y-1) {P} Wp(( z:=z*x; y:=y-1), (0<y)^(z*(x**y)=a**b)} Wp((z:=z*x), (0<y-1)^(z*(x**(y-1)=a**b)) (1<y)^(z*x*(x**(y-1)=a**b) (1<y)^(z*(x**y)=a**b) Now notice that (0 (1<y) Hence we get that –(0 (1<y)^(z*(x**y)=a**b) –This completes the proof of the If branch!

Duminda WijesekeraSWSE Program Correctness19 2.2: Proving {(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p} Wp ((x:=x*x; y:=y div 2), {(0=<y)^(z*(x**y)=a**b)}) Wp(((x:=x*x), {(0=< y div 2)^(z*(x**(y div 2)=a**b)}) (0=< y div 2)^(z*(x*x)**(y div 2) = a**b) (0=<y div 2)^(z**y = a**b) Notice now that (0 (2=<y) -> (0 =< y div 2) Hence we have –{(0<y)^(z*(x**y)=a**b)^even(y)} (x:=x*x; y:=y div 2) {p} –This completes the proof obligation for the else branch!

Duminda WijesekeraSWSE Program Correctness20 3. Proving (P^(y=/=0))-> (y>0) Notice P is (0=<y)^(z*(x**y)=a**b) Hence P^(y=/=0) -> (y>0)

Duminda WijesekeraSWSE Program Correctness21 4. Proving Properties of the Counting Function Need to show that “y”decreases with each iteration –If in the beginning of iteration odd(y), then Y :=Y-1, hence Y decreases –If in the beginning of iteration ~odd(y), then Y := Y div 2, and Y > (Y div 2), hence Y decreases

Duminda WijesekeraSWSE Program Correctness22 Summary: Structure of the Completed Proof {Q}S11{P1} {P1}S12{P2} {Q}(S11;S12){P2} {P2}S13{P} {Q} S1 {P} {P^r^r1}S21{P} {P^r^~r1}S21{P} {P^r}S2{RP} {P^~r}->R (Iteration Decreases Y) (P^r -> (Y>0)) {Q} S {R}

Duminda WijesekeraSWSE Program Correctness23 Giese’s Guideline for Developing a Loop from Given Invariant P and Bound Function t Step1: Develop initialization to validate P Step2: Develop loop guard B to satisfy (P^~B->R) Step3:Verify (P^ B) -> (t>0) Step4:Develop loop body to progress towards goal I.e. find a way to decrease bound function t. Step5:Modify loop body to make P a loop invariant

Duminda WijesekeraSWSE Program Correctness24 Properties of WP Wp(S, False) = False Wp(S, Q)^Wp(S, R) = Wp(S, Q^R) If Q-> R then Wp(S,Q) -> Wp(S,R) For deterministic programs S, Wp(S, QvR) = Wp(S, Q)vWp(S, R) Wp(skip, R) = R, where skip does nothing. Wp(abort, R) = False, where abort never executes. Wp(S1;S2, R) = Wp(S1 Wp(S2,R)) Wp((S1;S2);S3, R) Wp(S1;(S2;S3), R)