Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Correctness an introduction.

Published byErika Schäfer Modified over 4 years ago

Similar presentations

Presentation on theme: "Program Correctness an introduction."— Presentation transcript:

1 Program Correctness an introduction

2 Program Correctness How do you do that? How can we be sure that a program/algorithm always produces the correct result? Test it on sample input Test boundary conditions Test it on all possible inputs Prove it correct can we automate this? Use rules of inference, mathematical induction

3 Program Correctness Correct, what does that mean? A program is correct if it produces correct output for all possible inputs this is called partial correctness it terminates An initial assertion gives the properties of the input A final assertion gives the properties of the output The initial and final assertions must be given otherwise we cannot check correctness

4 Program Correctness Partially Correct? A program, or program segment, S is partially correct if with respect to initial assertion p and final assertion q whenever p is true for the input and S terminates then q is true for the output. p{S}q indicates program, or program segment S is partially correct p{S}q is called a Hoare triple Note: partial correctness only states that the program produces the correct results if it terminates. It does not prove that the program terminates

5 Program Correctness Tony Hoare

6 Program Correctness A very simple example Program segment S is as follows y:=2; z := x + y; Initial assertion p: x = 1 Final assertion q: z = 3 Prove p{S}q assume p x initially has the value 1 y is assigned the value 2 z is then assigned the value x + y that is equal to which is 3 Therefore S is correct with respect to p and q

7 Program Correctness Decompose your program We can split our program into parts (subprograms) and prove that each of these parts (subprograms) is correct Split S into subprograms S1 and S2 S is then S1 followed by S2 S = S1;S2 Assume p is the initial assertion of S1, q is the final assertion of S1 q is the initial assertion of S2 r is the final assertion of S2 Further assume we have established p{S1}q and q{S2}r It follows that if p is true and S1 executes and terminates then q is true if q is true and S2 executes and terminates then r is true Therefore if p is true and S executes and terminates r is true

8 Program Correctness A new rule of inference: The Composition Rule

9 Program Correctness Simple Conditional Statement Assume program segment is as follows if cond then S S is executed if cond is true S is not executed if cond is false To verify that the segment above is true with respect to initial assertion p final assertion q Show that when p is true, and cond is true and S executes, q is true when p is true and cond is false and S does not execute, q is true

10 Program Correctness The simple condition rule of inference

11 Program Correctness An example of a simple conditional Program segment S is as follows if x > y then x := y Initial assertion p: is True Final assertion q: y  x (y is greater than or equal to x) Consider cond = true (x > y) and cond = false (x  y) (1) p and x > y the assignment x := y is made consequently y  x therefore q holds (2) p and x  y no assignment is made y  x Therefore S is correct with respect to p and q

12 Program Correctness Conditional Statement Assume program segment is as follows if cond then S1 else S2 S1 is executed if cond is true S2 is executed if cond is false To verify that the segment above is true with respect to initial assertion p final assertion q Show that when p is true, and cond is true and S1 executes, q is true when p is true, and cond is false and S2 executes, q is true

13 Program Correctness The condition rule of inference

14 Program Correctness An example of a conditional Program segment S is as follows if x < 0 then abs := -x else abs := x Initial assertion p: is True Final assertion q: abs = |x| Consider the cases when cond = true and when cond = false (1) p and x < 0 the assignment abs := -x is made consequently abs = |x| therefore q holds (2) p and x  0 consequently abs := x, and again abs is |x| Therefore S is correct with respect to p and q

15 Program Correctness While Loop (loop invariants) Assume program segment is as follows while cond do S S is repeatedly executed while cond is true S is repeatedly executed until cond is false An assertion that remains true each time S is executed is required this is the loop invariant p is a loop invariant if (p and cond){S}p is true To verify that the segment above is true with respect to loop invariant p Show that p is true before S is executed p is true and cond is false on termination of the loop if it terminates

16 Program Correctness The loop invariant rule of inference

17 An example of a loop invariant
Program Correctness An example of a loop invariant i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i; end Prove segment terminates with fact = n! a loop invariant is required let p be proposition p: fact = i! and i <= n let S be the segment: i := i+1; fact := fact * i; Prove that p is a loop invariant, using mathematical induction Basis Step: initially i = fact = 1 = i! and 1 <= n Inductive Step assume p is true and 1 < i < n and fact = i! after executing loop i was incremented by 1, i.e. i + 1 therefore i  n fact := i!(i + 1) therefore fact = (i+1)! … and i has been incremented Therefore p is a loop invariant

18 An example of a loop invariant
Program Correctness An example of a loop invariant i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i; end Therefore p is a loop invariant Therefore the assumption [p and (i < n)]{S}p is true Therefore it follows that p{while i<n do S}[i >= n and p] is true The while loop terminates i starts at 1, assuming n  0 i is incremented inside loop eventually i will equal n Therefore the program segment is correct

19 Program Correctness An example, min(x,y) Program segment S is as follows if x < y then min := x else min := y Initial assertion p: is True Final assertion q: (x  y and min = x) or (x > y and min = y) Consider three cases (1) p and x < y min is set to x (x  y and min = x) (2) p and x = y min is set to y, which equals x (x  y and min = x) (3) p and x > y min is set to y (x > y and min = y) Therefore S is correct with respect to p and q Question 4

20 Program Correctness An example, ? Initial assertion p: is True Final assertion q: x  y Consider two cases (1) p and x  y S is not executed q is true (2) p and x > y x := x + y y := x - y = (x + y) - y = x x := x - y = (x + y) - x = y x and y are now swapped, so y is now greater than x Therefore S is correct with respect to p and q if x > y then begin x := x + y; y := x - y; x := x - y; end;

21 Program Correctness So? For each program segment S we need an initial assertion p a final assertion q If it is a loop we need to establish a loop invariant p We need to apply the appropriate rules of inference Generally we need to decompose program It takes time, it aint easy Could we automate the process? For partial correctness For correctness What do we do in an industrial setting

Download ppt "Program Correctness an introduction."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Copyright 2003-04, Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
Predicate Transformers

Predicate Transformers
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.

CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.
TR1413: INTRO TO DISCRETE MATHEMATICS LECTURE 2: MATHEMATICAL INDUCTION.

TR1413: INTRO TO DISCRETE MATHEMATICS LECTURE 2: MATHEMATICAL INDUCTION.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
4/17/2017 Section 3.6 Program Correctness ch3.6.

4/17/2017 Section 3.6 Program Correctness ch3.6.
Chapter Mathematical Induction

Chapter Mathematical Induction
Proofs, Recursion, and Analysis of Algorithms Mathematical Structures for Computer Science Chapter 2 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesProofs,

Proofs, Recursion, and Analysis of Algorithms Mathematical Structures for Computer Science Chapter 2 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesProofs,
Lecture 4 Discrete Mathematics Harper Langston. Algorithms Algorithm is step-by-step method for performing some action Cost of statements execution –Simple.

Lecture 4 Discrete Mathematics Harper Langston. Algorithms Algorithm is step-by-step method for performing some action Cost of statements execution –Simple.
Proving Program Correctness The Axiomatic Approach.

Proving Program Correctness The Axiomatic Approach.
DAST 2005 Tirgul 6 Heaps Induction. DAST 2005 Heaps A binary heap is a nearly complete binary tree stored in an array object In a max heap, the value.

DAST 2005 Tirgul 6 Heaps Induction. DAST 2005 Heaps A binary heap is a nearly complete binary tree stored in an array object In a max heap, the value.
Proving Program Correctness The Axiomatic Approach.

Proving Program Correctness The Axiomatic Approach.

Similar presentations

Ads by Google