Predicate Transforms I

Predicate Transforms I
Software Testing and Verification Lecture Notes 19 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Introduction: weakest pre-conditions (wp’s) weakest liberal pre-conditions (wlp’s) strongest post-conditions (sp’s) Proving {P} S {Q} using predicate transforms Transform rules for: assignment statements sequencing selection statements

Introduction What are Predicate Transforms†?
Rules for transforming post-conditions into pre-conditions or vice-versa. They provide algorithms to reduce the problem of verifying Hoare triples to proving predicate calculus formulas. Thus, predicate transforms operationalize Hoare Logic. † Also known as “Predicate Transformers”

Introduction (cont’d)
What is a “weakest pre-condition”? It is the weakest condition on the initial state of program S ensuring termination in state Q. It is denoted wp(S,Q) and read, “the weakest pre-condition of S with respect to Q.”

What is a “weakest liberal pre-condition”? It is the weakest condition on the initial state of program S ensuring state Q on termination if S terminates. It is denoted wlp(S,Q) and read, “the weakest liberal pre-condition of S with respect to Q.”

What is a “strongest post-condition”? It is the strongest condition on the final state of program S given that P holds initially and given that S terminates. It is denoted sp(S,P) and read, “the strongest post-condition of S with respect to P.”

ROI’s (algorithms) for proving program correctness using predicate transforms
P  wp(S,Q) {P} S {Q} strongly P  wlp(S,Q) {P} S {Q} sp(S,P)  Q

ROI’s (algorithms) for proving program correctness (cont’d)
Note the relationship between weakest liberal pre-conditions and strongest post-conditions: P  wlp(S,Q) ≡ sp(S,P)  Q We now consider rules for computing predi-cate transforms for structured programs comprised of assignment statements, if-then (-else) statements, and (in part II) while loops.

wp and wlp Rule for Assignment Statements
w(l)p(x:=E, Q(x,y,z))  Q(E,y,z)

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = w(l)p(x:=x+1, xn+1) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = w(l)p(x:=x+1, xn+1) = w(l)p(x:=7, x=7) = (cont’d)

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = w(l)p(x:=7, y=7) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = w(l)p(x:=7, y=7) = w(l)p(y:=-x, y=|x|) =

sp Rule for Assignment Statements
sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z)

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = sp(x:=x+1, x<n) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = sp(x:=x+1, x<n) = sp(x:=7, true) = (cont’d)

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = sp(x:=7, y=7) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = sp(x:=7, y=7) = sp(y:=-x, y=|x|) =

wp and wlp Rule for Sequencing
w(l)p(S1;S2;...;Sn-1;Sn, Q)  w(l)p(S1, w(l)p(S2,...w(l)p(Sn-1, w(l)p(Sn, Q))…))

wp and wlp Rule for Sequencing (cont’d)
Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36)

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 B:=C2 A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 B:=C2 A:=B2 { A=36 } C:=D+1 B:=C2 A:=B2 { A=36 }

sp Rule for Sequencing Rule: sp(S1;S2;...;Sn-1;Sn, P) 
sp(Sn, sp(Sn-1,...sp(S2, sp(S1, P))…))

sp Rule for Sequencing (cont’d)
Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1)

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 B:=C2 A:=B2

Compound programs often include multiple assignments to the same variable, e.g., X := X+1; ...; X := Y-X; ...; X := ZY; ... It is sometimes useful to “anchor” the initial values of such variables using some suitable notation such as X0 when applying the sp Rule for Assignment Statements. Consider the following example...

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX { X=YX’ Л X’=X0+1 } = { X=Y(X0+1) } (3) X:=X-1 { X=X’-1 Л X’=Y(X0+1) } = { X=Y(X0+1)-1 } Therefore, sp(S, true) is X=YX’+Y-1 “anchoring” initial value of X to X0: reverting to standard X’ notation:

wp and wlp Rule for if-then-else Statement
w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q))

w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) T F b S1 S2 {Q}

w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) T F b b Л w(l)p(S1, Q) S1 S2 {Q}

w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) T F b b Л w(l)p(S1, Q) ¬b Л w(l)p(S2, Q) S1 S2 {Q}

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|)

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) = (x<0 Л w(l)p(y:=-x, y=|x|)) V (x≥0 Л w(l)p(y:=x, y=|x|)) = (x<0 Л -x=|x|) V (x≥0 Л x=|x|) = (x<0 Л x≤0) V (x≥0 Л x≥0) = (x<0 V x≥0) = true b S1 S2 Q

wp and wlp Rule for if-then Statement
w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q)

w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q) T b F S {Q}

w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q) T b b Л w(l)p(S, Q) F S {Q}

w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q) T b b Л w(l)p(S, Q) F S ¬b Л Q {Q}

wp and wlp Rule for if-then Statement (cont’d)
Example: w(l)p(if x<0 then y:=-x, y=|x|)

wp and wlp Rule for if-then Statement (cont’d)
Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|)) V (x≥0 Л y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л y=|x|) = (x<0 Л x≤0) V (x≥0 Л y=|x|) = (x<0 V (x≥0 Л y=|x|)) = (x<0 V (x≥0 Л y=x)) = (x<0 V y=x) b S Q

Exercise Prove the assertion below using the wlp ROI.
{Z=B} if A>B then Z := A {Z=Max(A,B)}

{Z=B} if A>B then Z := A {Z=Max(A,B)} P S Q

{Z=B} if A>B then Z := A {Z=Max(A,B)} Recall the wlp ROI: P  wlp(S,Q) {P} S {Q} P S Q

sp Rule for if-then-else Statement
sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P)

sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P) {P} T F b S1 S2

sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P) {P} T F b S1 S2 sp(S1, b Л P)

sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P) {P} T F b S1 S2 sp(S1, b Л P) sp(S2, ¬b Л P)

sp Rule for if-then Statement
sp(if b then S, P)  sp(S, b Л P) V (¬b Л P)

sp(if b then S, P)  sp(S, b Л P) V (¬b Л P) {P} T b F S

sp(if b then S, P)  sp(S, b Л P) V (¬b Л P) {P} T b F S sp(S, b Л P)

sp(if b then S, P)  sp(S, b Л P) V (¬b Л P) {P} T b F S ¬b Л P sp(S, b Л P)

Example Prove the assertion: {y=x} if x<0 then y:=-x {y=|x|}
using the strongest post-condition (sp) ROI.

using the strongest post-condition (sp) ROI. Recall the sp ROI: sp(S,P)  Q {P} S {Q}

using the strongest post-condition (sp) ROI. (1) sp(if x<0 then y:=-x, y=x) = sp(y:=-x, x<0 Л y=x) V (x≥0 Л y=x) = (y=-x Л x<0 Л y’=x) V (x≥0 Л y=x) (2) (y=-x Л x<0 Л y’=x) V (x≥0 Л y=x) => (x<0 Л y=-x) V (x≥0 Л y=x) => y=|x| √ P Q

Coming Up Next… Transform rules for while loops

Software Testing and Verification Lecture Notes 19 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Predicate Transforms I

Similar presentations

Presentation on theme: "Predicate Transforms I"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Predicate Transforms I

Similar presentations

Presentation on theme: "Predicate Transforms I"— Presentation transcript:

Similar presentations

About project

Feedback