Dr. Naveed Riaz Design and Analysis of Algorithms 1 1 Formal Methods in Software Engineering Lecture # 26

Dr. Naveed Riaz Design and Analysis of Algorithms 2 2 Conditional Correctness  { P} S {Q}  (initial state) (set of instruction) (Final State)  Expresses the conditional correctness of S  Binary search (pre-condition) - > Array must be in sorted form  Which means that, in-order to work this program properly we need to start with a given condition.  Post Condition: If the key is present then you will get the index, if the key is not present then you will get some value which will tell you that the key is not present (desired output).  If we start with “P” and ended with “Q” then our program is conditional corret.

Dr. Naveed Riaz Design and Analysis of Algorithms 3 3 Conditional Correctness  Suppose : post condition: n <0  S: n = n-1  Pre-condition: We started with n=0; n-1; end: n-1  Another point: We started with n = -10 ; n-1; -11  Which means that there are infinite number of values for n which will satisfy the post condition.  Weakest Pre-condition: N <= 0 (infinite possibilities ) and then – then get n <0

Dr. Naveed Riaz Design and Analysis of Algorithms 4 4 Weakest Pre-Condition  wp (z : = x, z ≥ y)  x ≥ y  Wp (t := x, t = xo)  x = xo  Wp ( i : = i +1 ; i <= n)  i < n  First and third exmp give many values to satisfy the final state and the middle give just one value

Dr. Naveed Riaz Design and Analysis of Algorithms 5 5 Weakest Pre-Condition  Suppose: Array which is not sorted and you want to implement linear search.  Any condition on input: If data is not sorted still the linear search will give you result.  Wp: any arrangement of data in the array will give the out i.e. True  But in Binary search : if your data is not sorted you can not apply binary search  Wp: Specific arrangement required

Dr. Naveed Riaz Design and Analysis of Algorithms 6 6 Broad CAT of statements  Assignment statements  Selection ( Control statements)  Loops statements

Dr. Naveed Riaz Design and Analysis of Algorithms 7 7 Assignment Axiom  Wp (x : = e, Q(x) ) Q(e) -> e represents an expression  X will have the value which e had before executing the statement  Q(e) denotes the predicate obtained by substituting e for all free occurrences of x in the predicate Q

Dr. Naveed Riaz Design and Analysis of Algorithms 8 8 Assignment Axiom  Wp (i : = i-1, i = 0 )  i -1 = 0  Wp (i : = ( l + u ) div 2, l <= i <= u )  l <= ( l + u ) div 2 <= u  Wp (i : = 1, i = 0 )  1 = 0 : false  Hence for single assignment statement “Assignment Axiom perform good but our program contains more than one assignment Statements

Dr. Naveed Riaz Design and Analysis of Algorithms 9 9 Rules for Sequential Composition  Suppose that we have only set of assignment statements are given along with post condition so we need to determine the WP  Post condition will be achieved after executing the last statement  Which means that if we are at wp before last statement then -> meet post condition  Means that wp is the post condition for the previous statement  Wp ( S1; S2, Q) Wp ( S1, wp (S2, Q))

Dr. Naveed Riaz Design and Analysis of Algorithms 10 Rules for Sequential Composition  Wp (( x: = x +1; y: = y+1 ), x =y  Wp ( x: = x +1, wp (y: = y+1, x =y) -> Group post condition with last statement  Wp ( x: = x +1; x = y+1 ) -> Apply assignment Axiom  x+1 = y+1  x = y  So if we started with initial condition i.e. x= y and then we executed x and y statements then we will end with post condition

Dr. Naveed Riaz Design and Analysis of Algorithms 11 Rules for Sequential Composition  Wp (( x: = 2 * x +1; y: = y-1 ), y = 3 * x  Wp (x: = 2 * x +1, wp (y: = y-1, y = 3 * x ) -> Group post condition with last statement  Wp (x: = 2 * x +1; y- 1 = 3 * x ) -> Apply assignment Axiom  y -1 = 3 * ( 2 * x +1)  y = 6 * x + 4 

Dr. Naveed Riaz Design and Analysis of Algorithms 12 Rules for Sequential Composition  Pre-condition and post-condition basically gives a specification for a function  Now we have to prove that a function or a set of statements meets its specification  Specification given in the form of pre and post conditions  We can calculate wp from post condition. In the same way we can calculate post condition from wp. But it is easier to work backward i.e. If objective (post condition) is given then it is so easy as compared to hidden objective.

Dr. Naveed Riaz Design and Analysis of Algorithms 13 Rules for Sequential Composition  { x = x0 and y = y0 } initial condition  t: = x;  x:=y;  y:=t;  {x = y0 and y = x0} Final output

Dr. Naveed Riaz Design and Analysis of Algorithms 14 Rules for Sequential Composition  { x = x0 and y = y0 } t: = x {t = xo and y = y0}  {t = xo and y = y0} post condition become precond  x:=y; y:=t;  { y = x0 and x = y0}  {t = xo and y = y0} x := y {{t = xo and x = y0}  {t = xo and x = y0} y := t { y = x0 and x = y0}

Dr. Naveed Riaz Design and Analysis of Algorithms 15 Hoare’s Consequence Rule  Logical Implication  If statement is model by logical implication  P => Q i.e. If P then Q  P => Q Q => R  {Q} S {R} {P} S {Q}  {P} S {R} {P} S {R}

Dr. Naveed Riaz Design and Analysis of Algorithms 16 Rules for conditional  {P and C} S {Q}  P and (not C) => Q  {P} If C then S {Q}  If is divided into two portion (i.e. True or False)  So will check both true and false path and if in both cases with end with Q then our program will be correct

Dr. Naveed Riaz Design and Analysis of Algorithms 17 Rules for conditional  {P and C} S1 {Q}  {P and (not C)} S2 {Q}  {P} If C then S1 else S2 {Q}  If is divided into two portion (i.e. True or False)  So will check both true and false path and if in both cases with end with Q then our program will be correct

Dr. Naveed Riaz Design and Analysis of Algorithms 18 Dijkstra’s Healthiness Condition  wp (S, false) i.e. false – empty set  False – law of excluded miracle  wp (S, true) i.e. true – universal set  termination condition – all states that guarantee termination of S  Second case is special one and normally not in practise  In sequentional statements the program termination is guarantee  When Program may not terminate ?  Stuck in infinite loop

Dr. Naveed Riaz Design and Analysis of Algorithms 19 Dijkstra’s Healthiness Condition  In the case of loops when we will give argument about program correctness then => first loop in question actually terminate ( if it did not then no post condition)  If the loop terminate then argue about other  Secondly if loop terminate then what condition occur after it  Wp (while 0 = n do n := n -1, true )  0 <= n  So if we start with any other value of “n” i.e. -1 then we will not get n = 0,

Dr. Naveed Riaz Design and Analysis of Algorithms 20 Verification  Invariant  Something which is unchanging  Key to proofs for programs containing loops ( iteration or recursion) Questions seem to ask for the next change Answer lies in determining what does not change

Dr. Naveed Riaz Design and Analysis of Algorithms 21 Verification  What was the invariant condition in Dijasktra’s Game? Pulling the ball from jar is an iterative process Parity of white balls count i.e. If we started with even # of white balls we would have black ball at the end If we have started with odd number of white balls then colour of the last ball would be white ball

Dr. Naveed Riaz Design and Analysis of Algorithms 22 Verification Invariant => Parity of the white ball does not change i.e. If we take out two white or black balls outside jar, in that case we put a black ball inside jar Number of white balls either reduce by two or zero i.e. Parity does not change Second case: If got different color balls, we put the white ball back into the jar so parity does not change Think: identify the pattern would led us to identify the color of the last ball Why invariant condition is important ?

Dr. Naveed Riaz Design and Analysis of Algorithms 23 Verification Why invariant condition is important ? Because of iteration => you want to closer to your objective function You have to follow some pattern which will led's you one step closer to your objective function in iterative process

Dr. Naveed Riaz Design and Analysis of Algorithms 24 Classical Problem Can you completely cover the chessboard with these dominoes without partially using a domino? If so how. If not prove that you cannot.

Dr. Naveed Riaz Design and Analysis of Algorithms 25 Classical Problem Key of invariant condition i.e. Shape of the tiles which we are using to cover the chessboard ( some information store in color) Given piece will cover one light and one blue tile because on a cheeseboard we do not have two white or black tiles adjusnt to each other We have equal number of blue and white squares on chessboard If do not have equal number of squares then we will not cover the whole chessboard Condition: We have removed two squares of the same color i.e. We are left with more blue then white i.e. 32 blue and 30 whites