Predicate Transforms II

Predicate Transforms II
Software Testing and Verification Lecture Notes 20 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Transform rules for while loops: Weakest pre-conditions (wp’s) Weakest liberal pre-conditions (wlp’s) Relationships between wp’s and wlp’s with loop invariants Strongest post-conditions (sp’s) On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)

wp Rule for while_do Statement
In order for the program while b do S to terminate in state Q, it is necessary that:

In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR

In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR

In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR 2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR

In order for the program while b do S to terminate in state Q, it is necessary that: 0. b is initially false and Q holds, OR 1. b is initially true and after executing S, ¬b and Q hold, OR 2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR .

wp Rule for while_do Statement (cont’d)
Thus, we can write wp(while b do S, Q)  H0 V H1 V H2 V… where H0  ¬b Л Q H1  b Л wp(S, ¬b Л Q) H2  b Л wp(S, b Л wp(S, ¬b Л Q)) .

wp Rule for while_do Statement (cont’d)
Equivalently, we can write wp(while b do S, Q)  H0 V H1 V H2 V… where H0  ¬b Л Q H1  b Л wp(S, H0) H2  b Л wp(S, H1) Hi  b Л wp(S, Hi-1) … …

Something to think about…
How do these terms compare to the (infinite) set of necessary conditions derived for the while_do ROI?

FLASHBACK to Lecture Notes #18…
Something to think about… (cont'd) FLASHBACK to Lecture Notes #18… So, we know that {P} while b do S {Q} will hold if the following conditions hold: Case 0: (P Л b)  Q Case 1: {P Л b} S {K1}, (K1 Л b)  Q Case 2: {K1 Л b} S {K2}, (K2 Л b)  Q … Case N: {KN-1 Л b} S {KN}, (KN Л b)  Q …

Something to think about… (cont'd)
What is the relationship between wp(while b do S, Q) and an invariant, I, for which initialization, preservation, and finalization hold?

Something to think about… (cont'd)
What is the relationship between wp(while b do S, Q) and an invariant, I, for which initialization, preservation, and finalization hold? We'll come back to this question later...

Example For what initial values of i, n, and t will the following program terminate with t=xn? while i <= n do t := t*x i := i+1 end_while How about i=1, t=1, and n=2? Can you think of any others? For example... {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}?

Example (cont’d) Find the wp of this program with respect to the post-condition {t=xn}. (Attempt to find a regularity in terms that allows a closed-form expression.)

Example (cont’d) while i <= n do H0  ¬b Л Q t := t*x = i := i+1
H1  b Л wp(S, H0) H2  b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while

Example (cont’d) while i <= n do H0  ¬b Л Q t := t*x
= i>n Л t=xn H1  b Л wp(S, H0) = H2  b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while

= i>n Л t=xn H1  b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = H2  b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while

= i>n Л t=xn H1  b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = H2  b Л wp(S, H1) while i <= n do t := t*x i := i+1 end_while

= i>n Л t=xn H1  b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2  b Л wp(S, H1) = while i <= n do t := t*x i := i+1 end_while

= i>n Л t=xn H1  b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2  b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = while i <= n do t := t*x i := i+1 end_while

= i>n Л t=xn H1  b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2  b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = i≤n Л i+1=n Л tx=xn-1 = while i <= n do t := t*x i := i+1 end_while

= i>n Л t=xn H1  b Л wp(S, H0) = i≤n Л wp(S, i>n Л t=xn) = i≤n Л i+1>n Л tx=xn = i=n Л t=xn-1 H2  b Л wp(S, H1) = i≤n Л wp(S, i=n Л t=xn-1) = i≤n Л i+1=n Л tx=xn-1 = i=n-1 Л t=xn-2 while i <= n do t := t*x i := i+1 end_while

Example (cont’d) H3  b Л wp(S, H2) while i <= n do = t := t*x
. Hk  b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while

Example (cont’d) H3  b Л wp(S, H2) while i <= n do
= i≤n Л wp(S, i=n-1 Л t=xn-2) = . Hk  b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while

= i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = . Hk  b Л wp(S, Hk-1) while i <= n do t := t*x i := i+1 end_while

= i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = i=n-2 Л t=xn-3 . Hk  b Л wp(S, Hk-1) = while i <= n do t := t*x i := i+1 end_while

= i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = i=n-2 Л t=xn-3 . Hk  b Л wp(S, Hk-1) = i=n-(k-1) Л t=xn-k = while i <= n do t := t*x i := i+1 end_while

= i≤n Л wp(S, i=n-1 Л t=xn-2) = i≤n Л i+1=n-1 Л tx=xn-2) = i=n-2 Л t=xn-3 . Hk  b Л wp(S, Hk-1) = i=n-(k-1) Л t=xn-k = i=n-k+1 Л t=xn-k while i <= n do t := t*x i := i+1 end_while

Example (cont’d) Thus, we have: H0 = i>n Л t=xn
Hk = i=n-k+1 Л t=xn-k (for all k>0)

Hk = i=n-k+1 Л t=xn-k (for all k>0) and since i=n-k+1  n-k=i-1

Hk = i=n-k+1 Л t=xn-k (for all k>0) and since i=n-k+1  n-k=i-1 = i≤n Л t=xi-1 (where i≤n for all k>0)

Hk = i=n-k+1 Л t=xn-k (for all k>0) and since i=n-k+1  n-k=i-1 = i≤n Л t=xi-1 (where i≤n for all k>0) Therefore, wp  H0 V H1 V H2 V ... = (i>n Л t=xn) V (i≤n Л t=xi-1)

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}?

Example (cont’d) So, given that the wp is
(i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (1>(1,2,…) Л 1=x(1,2,…)) V (1≤(1,2,…) Л 1=x1-1)

Example (cont’d) So, given that the wp is
(i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (1>(1,2,…) Л 1=x(1,2,…)) V (1≤(1,2,…) Л 1=x1-1) √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (3>1 Л x=x1) V (3≤1 Л x=x3-1) √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (3>1 Л x=x1) V (3≤1 Л x=x3-1) √ √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √ √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (2>5 Л x=x5) V (2≤5 Л x=x2-1) √ √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? (2>5 Л x=x5) V (2≤5 Л x=x2-1) √ √ √

(i>n Л t=xn) V (i≤n Л t=xi-1)
Example (cont’d) So, given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) which of the following initial states will result in the program terminating with t=xn? {i=1 Л t=1 Л n≥1}? {i=3 Л t=x Л n=1}? {i=2 Л t=x Л n=5}? √ √ √

Addendum (based on a question raised in class)
Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0}

Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0} (1>0 Л 1=x0) V (1≤0 Л 1=x1-1)

Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0} (1>0 Л 1=x0) V (1≤0 Л 1=x1-1) √

Another example…given that the wp is (i>n Л t=xn) V (i≤n Л t=xi-1) will the following initial state values result in the program terminating with t=xn? {i=1 Л t=1 Л n=0} (1>0 Л 1=x0) V (1≤0 Л 1=x1-1) √ √

wlp Rule for while_do Statement
In order for the program while b do S to either terminate in state Q, or not terminate at all, it is necessary that: Q will hold on program termination, OR the program will not terminate. Therefore, wlp(while b do S, Q) ≡ wp(while b do S, Q) V ¬wp(while b do S, true)

wlp Rule for while_do Statement
In order for the program while b do S to either terminate in state Q, or not terminate at all, it is necessary that: Q will hold on program termination, OR the program will not terminate. Therefore, wlp(while b do S, Q) ≡ wp(while b do S, Q) V ¬wp(while b do S, true) (Note: wp(M, true) is the weakest pre-condition ensuring termination of program M.)

Example Use the wlp rule for while_do statements to determine the weakest liberal pre-condition for the following program with respect to post-condition t=x5. while i<>3 do t := t*x i := i+1 end_while

Step 1: determine wp with respect to Q
H0  ¬b Л Q = H1  b Л wp(S, H0) . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л Q = i=3 Л t=x5 H1  b Л wp(S, H0) = . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л Q = i=3 Л t=x5 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л Q = i=3 Л t=x5 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = i≠3 Л i+1=3 Л tx=x5 = . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л Q = i=3 Л t=x5 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = i≠3 Л i+1=3 Л tx=x5 = i=2 Л t=x4 . Hk  b Л wp(S, Hk-1) = while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л Q = i=3 Л t=x5 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3 Л t=x5) = i≠3 Л i+1=3 Л tx=x5 = i=2 Л t=x4 . Hk  b Л wp(S, Hk-1) = i=3-k Л t=x5-k while i<>3 do t := t*x i := i+1 end_while

Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0)

Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Л t=xi+2 (where i<3 for all k>0)

Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Л t=xi+2 (where i<3 for all k>0) Therefore, the wp w.r.t. Q, H0 V H1 V H2 V... is:

Thus, we have: H0 = i=3 Л t=x5 Hk = i=3-k Л t=x5-k (for all k>0) and since i=3-k => 5-k=i+2 = i<3 Л t=xi+2 (where i<3 for all k>0) Therefore, the wp w.r.t. Q, H0 V H1 V H2 V... is: i≤3 Л t=xi+2

Step 2: determine wp with respect to true
H0  ¬b Л true = H1  b Л wp(S, H0) . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л true = i=3 H1  b Л wp(S, H0) = . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л true = i=3 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3) = . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л true = i=3 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = . Hk  b Л wp(S, Hk-1) while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л true = i=3 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = i=2 . Hk  b Л wp(S, Hk-1) = while i<>3 do t := t*x i := i+1 end_while

H0  ¬b Л true = i=3 H1  b Л wp(S, H0) = i≠3 Л wp(S, i=3) = i≠3 Л i+1=3 = i=2 . Hk  b Л wp(S, Hk-1) = i=3-k while i<>3 do t := t*x i := i+1 end_while

Thus, we have: H0 = i=3 Hk = i=3-k (for all k>0)

Thus, we have: H0 = i=3 Hk = i=3-k (for all k>0) = i<3

Thus, we have: H0 = i=3 Hk = i=3-k (for all k>0) = i<3 Therefore, the wp w.r.t. true, H0 V H1 V H2 V... is: i≤3

Step 3: combine wp’s into one disjunct
Thus, wlp(while i<>3 do t := t*x; i := i+1, t=x5) = (i≤3 Л t=xi+2) V i>3 Exercise: In light of this, for which of the following initial states is the program weakly correct with respect to t=x5? {i=1 Л t=1 Л x=1}? {i=2 Л t=x Л x=2}? {i=5 Л t=8 Л x=3}?

Loop Invariants and w(l)p’s
In general, are loops guaranteed to terminate when: P  wp ? P  wlp ? For while loops, does {w(l)p Л b} S {w(l)p} ? Does (w(l)p Л ¬b)  Q ?

In general, are loops guaranteed to terminate when: P  wp ? yes P  wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? Does (w(l)p Л ¬b)  Q ?

{wp Л b} S {wp} ???

{wp Л b} S

{wp Л b} = {[H0 V H1 V …] Л b} S

{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} S

{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} S

{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S

{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …}

{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …} = {wp}

Similarly, it can be shown that {wlp Л b} S {wlp}.
{wp Л b} = {[H0 V H1 V …] Л b} = {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л b} = {(b Л wp(S, H0)) V (b Л wp(S, H1)) V …} = {H1 V H2 V …} S {H0 V H1 V …} = {wp} Similarly, it can be shown that {wlp Л b} S {wlp}.

In general, are loops guaranteed to terminate when: P  wp ? yes P  wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b)  Q ?

{wp Л ¬b}

{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b}

{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b} {(¬b Л Q)}  Q

Similarly, it is easy to show that {wlp Л ¬b}  Q.
{wp Л ¬b} {[(¬b Л Q) V (b Л wp(S, H0)) V (b Л wp(S, H1)) V …] Л ¬b} {(¬b Л Q)}  Q Similarly, it is easy to show that {wlp Л ¬b}  Q.

In general, are loops guaranteed to terminate when: P  wp ? yes P  wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b)  Q ? yes

In general, are loops guaranteed to terminate when: P  wp ? yes P  wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b)  Q ? yes _________________________ wp  weakest while loop invariant which guarantees termination!

In general, are loops guaranteed to terminate when: P  wp ? yes P  wlp ? no For while loops, does {w(l)p Л b} S {w(l)p} ? yes Does (w(l)p Л ¬b)  Q ? yes _________________________ wp  weakest while loop invariant which guarantees termination! wlp  weakest while loop invariant which does NOT guarantee termination!

sp Rule for while_do Statement
What is the strongest condition on the final state of program while b do S given that P holds initially? (Note that the post-condition is undefined when the program does not terminate.) Recall our derivation of the while loop Rule of Inference from Lecture Notes #18 (Axiomatic Verification II). (flashback follows...)

Necessary Conditions: while_do
So, we know that {P} while b do S {Q} will hold if the following conditions hold: Case 0: (P Л b)  Q Case 1: {P Л b} S {K1}, (K1 Л b)  Q Case 2: {K1 Л b} S {K2}, (K2 Л b)  Q … Case N: {KN-1 Л b} S {KN}, (KN Л b)  Q … Great! But who has the time to show that an infinite number of conditions hold?

In order to eliminate the infinite sequence of necessary conditions, we replaced each Ki with I (a loop invariant.) But for i≥1, Ki is just the strongest post- condition of S with respect to (Ki-1 Л b), where K0 = P.

Thus, if the loop terminates, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0  P K1  sp(S, b Л P) K2  sp(S, b Л sp(S, b Л P)) K3  sp(S, b Л sp(S, b Л sp(S, b Л P))) .

Equivalently, we can write: on termination, sp(while b do S, P) = ¬b Л (K0 V K1 V K2 V ...) where K0  P K1  sp(S, b Л K0) K2  sp(S, b Л K1) KN  sp(S, b Л KN-1) … …

Example Use the Strongest Post-condition ROI to prove: {true} Z := X
J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example Use the Strongest Post-condition ROI to prove: T {true}
Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} We need to show: sp(T, Z=X Л J=1)  Z=XY where T is: while J<>Y do Z := Z+X J := J+1 end_while if T terminates. T

Example (cont’d) K0  P = {true} K1  sp(S, b Л K0) Z := X J := 1
while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) K0  P = Z=X Л J=1 {true} K1  sp(S, b Л K0) Z := X =
while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) K0  P = Z=X Л J=1 {true} K1  sp(S, b Л K0) Z := X
= Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = K2  sp(S, b Л K1) {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

= Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2  sp(S, b Л K1) = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

= Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2  sp(S, b Л K1) Z’=2X Л J’=2 Л Y≠1 = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

= Z=Z’+X Л J=J’+1 Л J’≠Y Л Z’=X Л J’=1 = Z=2X Л J=2 Л Y≠1 K2  sp(S, b Л K1) Z’=2X Л J’=2 Л Y≠1 = Z=3X Л J=3 Л Y≠1 Л Y≠2 {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) . K3  sp(S, b Л K2) = {true} Z := X J := 1
KN  sp(S, b Л KN-1) {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) . K3  sp(S, b Л K2) = Z=4X Л J=4 Л Y≠1 Л {true}
Y≠2 Л Y≠3 . KN  sp(S, b Л KN-1) = {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) . K3  sp(S, b Л K2) = Z=4X Л J=4 Л Y≠1 Л {true}
Y≠2 Л Y≠3 . KN  sp(S, b Л KN-1) = Z=(N+1)X Л J=N+1 Л Y≠1 Л Y≠2 Л ... Л Y≠N . {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Example (cont’d) Thus, when T terminates (i.e., when Y≥1),
sp(T, Z=X Л J=1) = J=Y Л [(Z=X Л J=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...]

sp(T, Z=X Л J=1) = J=Y Л [(Z=X Л J=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...] => [(Z=XY Л Y=1) V (Z=XY Л Y=2) V ...]

sp(T, Z=X Л J=1) = J=Y Л [(Z=X Л J=1) V (Z=2X Л J=2 Л Y≠1) V (Z=3X Л J=3 Л Y≠1 Л Y≠2) V ...] => [(Z=XY Л Y=1) V (Z=XY Л Y=2) V ...] => (Z=XY Л Y≥1) => Q (i.e., Z=XY)

sp(T, Z=X Л J=1) is undefined
Example (cont’d) When T does NOT terminate (i.e., when Y<1), sp(T, Z=X Л J=1) is undefined

sp(T, Z=X Л J=1) is undefined
Example (cont’d) When T does NOT terminate (i.e., when Y<1), sp(T, Z=X Л J=1) is undefined Therefore, by the Strongest Post-Condition ROI, the assertion of weak correctness holds.

On the power of axiomatic verification and the relative usefulness of predicate transforms
Hoare Logic is a deductive system that is both sound and relatively complete (i.e., complete to the extent that we can decide the validity of assertions in ROI’s) for deriving proofs of Hoare triples. Predicate transforms operationalize this system by providing a way to produce valid correctness specifications. Weakest pre-conditions (wp’s) are typically easier to use in this respect than either wlp’s or sp’s when dealing with loops.

Problem Set 6: Predicate Transforms
Note especially Problem 6: deriving and using the weakest pre-condition for the repeat_until construct.

Software Testing and Verification Lecture Notes 20 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Predicate Transforms II

Similar presentations

Presentation on theme: "Predicate Transforms II"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Predicate Transforms II

Similar presentations

Presentation on theme: "Predicate Transforms II"— Presentation transcript:

Similar presentations

About project

Feedback