Presentation is loading. Please wait.

Presentation is loading. Please wait.

Example of a Worked-out Proof. Consider again this program Let 0  n. This program checks if all elements of the segment a[0..n) are zero. {* 0  n *}

Published byThomas Ward Modified over 8 years ago

Similar presentations

Presentation on theme: "Example of a Worked-out Proof. Consider again this program Let 0  n. This program checks if all elements of the segment a[0..n) are zero. {* 0  n *}"— Presentation transcript:

1 Example of a Worked-out Proof

2 Consider again this program Let 0  n. This program checks if all elements of the segment a[0..n) are zero. {* 0  n *} i := 0 ; r := true ; while i<n do { r := r /\ (a[i]=0) ; i++ } {* ?? *} 2

3 Proof rule for loop (total correctness) {* g /\ I *} S {* I *} // invariance I /\  g  Q // exit cond {* I /\ g *} C:=m; S {* m 0 // m bounded below ---------------------------------------- {* I *} while g do S {* Q *} 3

4 Formal spec, inv, and term. metric {* 0  n *} i := 0 ; r := true ; while i<n do { r := r /\ (a[i]=0) ; i++ } {* r = (  k : 0  k<n : a[k]=0) *} Chosen invariant & termination metric: I : (r = (  k : 0  k<i : a[k]=0)) /\ 0  i  n m : n - i 4 I1I1 I2I2

5 It comes down to proving these (Exit Condition) I /\  g  Q (Initialization Condition) {* given-pre-cond *} i := 0 ; r := true {* I *}, Equivalently : given-pre-cond  wp (i := 0 ; r := true) I (Invariance) I /\ g  wp body I (Termination Condition) I /\ g  wp (C:=m ; body) (m<C) (Termination Condition) I /\ g  m>0 5

6 Proof of the exit condition PROOF PEC [A1] r = (  k : 0  k<i : a[k]=0) // I1 [A2] 0  i  n // I2 [A3] i  n //  g [G] r = (  k : 0  k<n : a[k]=0) 1. { A2 and A3 } i = n 2. { rewrite A1 with 1 } r = (  k : 0  k<n : a[k]=0) END 6

7 Proof of the initialization condition Calculate the wp first : wp (i := 0 ; r := true ) I =..... PROOF Init [A1] 0  n [ G ] (true = (  k : 0  k<0 : a[k]=0)) /\ 0  0  n // calculated wp 1. { 0  0, conjunction with A1 } 0  0  n 2. { see the eq. sub proof below } true = (  k : 0  k<0 : a[k]=0) EQUATIONAL PROOF (  k : 0  k<0 : a[k]=0) = { the domain is empty } (  k : false : a[k]=0) = {  over empty domain } true END 3. { conjunction of 1 and 2 } G 7

8 Proof of the invariance condition We have to prove: I /\ g  wp body I Calculate the wp first: wp (r := r /\ (a[i]=0) ; i++ ) I =.... Proof structure: PROOF PIC [A1] r = (  k : 0  k<i : a[k]=0) // I1 [A2] 0  i  n // I2 [A3] i<n // g [G].... here the wp you calculated above 8

9 Proof of the invariance condition PROOF PIC [A1] r = (  k : 0  k<i : a[k]=0) [A2] 0  i  n [A3] i<n [G1] r/\(a[i]=0) = (  k : 0  k<i+1 : a[k]=0) [G2] 0  i+1  n 1. { follows from 0  i in A2 } 0  i+1 2. { follows from A3 } i+1  n 3. { see eq. subproof below } G1 EQUATIONAL PROOF ---------------------------- (  k : 0  k<i+1 : a[k]=0) = { dom. merge, PIC.A2 } (  k : 0  k<i \/ k=i : a[k]=0) = {  domain-split } (  k : 0  k<i: a[k]=0) /\ (  k : k=i : a[k]=0) = { PIC.A1 } r /\ (  k : k=i : a[k]=0) = { quant. over singleton } r /\ (a[i]=0) END 4. { conjunction of 1,2,3} G END 9

10 Proof that m decreases You have to prove: I /\ g  wp (C:=m ; body) (m<C) Calculate this first: wp (C:=n-i ; r := r /\ (a[i]=0) ; i++ ) (n-i<C) =.... PROOF PTC1 [A1] r = (  k : 0  k<i : a[k]=0) // I1 [A2] 0  i  n // I2 [A3] i<n // g [G] n-(i+1) < n-i 1. { x-1 < x } n – i - 1 < n-i 2. { rewriting 1 } n – (i+1) < n-1 END 10

11 Proof that m has a lower bound You have to prove: I /\ g  m  0 PROOF PTC2 [A1] r = (  k : 0  k 0..... complete this yourself. 11

12 Let’s take a look at the version with a break {* 0  n *} i := 0 ; r := true ; while i<n /\ r do { r := r /\ (a[i]=0) ; i++ } {* r = (  k : 0  k<n : a[k]=0) *} Let’s just use the same invariant & termination metric: I : (r = (  k : 0  k<i : a[k]=0)) /\ 0  i  n m : n - i 12 let’s call this g /\ h

13 Ok.. so what do we have to prove ? (Exit Condition) I /\  (g /\ h)  Q (Initialization Condition) given-pre-cond  wp (i := 0 ; r := true) I (Invariance) I /\ g /\ h  wp body I (Termination Condition) I /\ g /\ h  wp (C:=m ; body) (m<C) (Termination Condition) I /\ g /\ h  m>0 13

14 Patched proof of the exit condition PROOF PEC [A1] r = (  k : 0  k<i : a[k]=0) // I1 [A2] 0  i  n // I2 [A3] i  n \/  r //  g [G] r = (  k : 0  k<n : a[k]=0) 1. { see subproof1} i  n  G 2. { see subproof2}  r  G 3. { case-split on A3, using 1 and 2 } G END 14

15 The Subproofs of PEC PROOF sub2 [A1]  r [G] r = (  k : 0  k<n : a[k]=0) 1. { rewrite A1 with PEC.A1}  (  k : 0  k<i : a[k]=0) 2. { neg of  on 1 } (  k : 0  k<i : a[k]  0) 3. {  elim on 2} [SOME k] 0  k<i /\ a[k]  0 4. {PEC.A2 says i  n, so 3 implies this: } 0  k<n /\ a[k]  0 5. {  intro on 4 } (  k : 0  k<n : a[k]  0) 6. { neg of  on 5 }  (  k : 0  k<n : a[k]=0) 7. {A1 and 6 }  r =  (  k : 0  k<n : a[k]=0) 8. { follows from 7 } r = (  k : 0  k<n : a[k]=0) END 15 P, Q ------------------- P = Q

Download ppt "Example of a Worked-out Proof. Consider again this program Let 0  n. This program checks if all elements of the segment a[0..n) are zero. {* 0  n *}"

Similar presentations

Ack: Several slides from Prof. Jim Anderson’s COMP 202 notes.

Ack: Several slides from Prof. Jim Anderson’s COMP 202 notes.
AE1APS Algorithmic Problem Solving John Drake

AE1APS Algorithmic Problem Solving John Drake
PROOF BY CONTRADICTION

PROOF BY CONTRADICTION
If R = {(x,y)| y = 3x + 2}, then R -1 = (1) x = 3y + 2 (2) y = (x – 2)/3 (3) {(x,y)| y = 3x + 2} (4) {(x,y)| y = (x – 2)/3} (5) {(x,y)| y – 2 = 3x} (6)

If R = {(x,y)| y = 3x + 2}, then R -1 = (1) x = 3y + 2 (2) y = (x – 2)/3 (3) {(x,y)| y = 3x + 2} (4) {(x,y)| y = (x – 2)/3} (5) {(x,y)| y – 2 = 3x} (6)
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
MA/CSSE 473/474 How (not) to do an induction proof.

MA/CSSE 473/474 How (not) to do an induction proof.
The Engineering Design of Systems: Models and Methods

The Engineering Design of Systems: Models and Methods
>In We need a rule that will let us prove a conditional. What should the rule be?

>In We need a rule that will let us prove a conditional. What should the rule be?
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
Sorting. Input: A sequence of n numbers a 1, …, a n Output: A reordering a 1 ’, …, a n ’, such that a 1 ’ < … < a n ’ 14326816 23141668.

Sorting. Input: A sequence of n numbers a 1, …, a n Output: A reordering a 1 ’, …, a n ’, such that a 1 ’ < … < a n ’
Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLine’s CSE 503, Software Engineering University of Washington 28 Apr 2004.

Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLine’s CSE 503, Software Engineering University of Washington 28 Apr 2004.
1 Recitation 7. Developing loops Introduction. This recitation concerns developing loops using their invariants and bound functions. Your recitation instructor.

1 Recitation 7. Developing loops Introduction. This recitation concerns developing loops using their invariants and bound functions. Your recitation instructor.
Proving correctness. Proof based on loop invariants  an assertion which is satisfied before each iteration of a loop  At termination the loop invariant.

Proving correctness. Proof based on loop invariants  an assertion which is satisfied before each iteration of a loop  At termination the loop invariant.
Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.

Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.
Proving Program Correctness The Axiomatic Approach.

Proving Program Correctness The Axiomatic Approach.

Similar presentations

Ads by Google