Review: Hoare Logic Rules

Similar documents
Hoare Logic: Proving Programs Correct

Lecture Notes: Hoare Logic

Backward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops

COMP 507: Computer-Aided Program Design

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Proving Programs Correct

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Reasoning about programs

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

An Annotated Language

Formal Methods. CITS5501 Software Testing and Quality Assurance

Arguing for program correctness and writing correct programs

Forward Assignment; Strongest Postconditions

Assertions & Verification & Example Loop Invariants Example Exam Questions

Formal Systems II: Applications

Hardware versus software

Assertions & Verification Example Exam Questions

The Eiffel language. Slides partly based on :

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

CITS5501 Software Testing and Quality Assurance Formal methods

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

3EA3 Lecture 16: Linear Search

CSE 331 Software Design and Implementation. Lecture 3 Loop Reasoning

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Abstract Interpretation

CS 161 Computer Security

Algorithms. Notations/pseudo-codes vs programs Algorithms for simple problems Analysis of algorithms

Recall our recursive multiply algorithm:

Searching Algorithms/Time Analysis

Spark verification features

Program Verification. Program Verification 307/434

Loop Invariant Examples

6.046 Recitation 1: Proving Correctness Bill Thies, Fall 2004 Outline

Announcements. Lab Friday, 1-2:30 and 3-4:30 in Boot your laptop and start Forte, if you brought your laptop

A survey of loop invariants

Symbolic Execution and Proof of Properties

Lecture 24: Loop Invariants

Lecture 5 - Axiomatic semantics

SOME TYPICAL QUESTIONS, THEIR EXPECTED ANSWERS AND THINGS

Qualifying Exam Languages

The Rule of Constancy(Derived Frame Rule)

Mathematical Induction

Lecture 8: Control Structures I

Graph Theory. Part of Texas Counties.

Outline. Computer Science 331. Three Classical Algorithms. The Sorting Problem. Classical Sorting Algorithms. Mike Jacobson. Description Analysis

How to get an efficient yet verified arbitrary-precision integer library

CS158 Section B Exam 1 Key

Verifying Java Programs Verifying Java Programs with KeY

Binary Search to find item in sorted array

Invariant Based Programming

Chapter 19 Verification of Counting Sort and Radix Sort

1.3. Conditional expressions To express case distinctions like

Program Static Analysis. Overview

Data Structures and Algorithms. Part 2

Data Structures and Algorithms Chapter 2

Reasoning About Imperative Programs. COS 441 Slides 10

SECTION 2: CODE REASONING + PROGRAMMING TOOLS. slides borrowed and adapted from Alex Mariakis and CSE 390a

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Analyze the obvious algorithm, 5 points Here is the most obvious algorithm for this problem: (LastLargerElement[A[1..n]:

CIS 890: Safety Critical Systems

Lecture Notes on Linear Search

CORRECTNESS ISSUES AND LOOP INVARIANTS

Programmer s spring SPECIFICATION FIRST ATTEMPT. int search( int [] a, int x) { // Pre: Sorted(a) // Post: a[r]= x } Weaken.

A Partial Correctness Proof for Programs with Decided Specifications

Software Development. Modular Design and Algorithm Analysis

Lecture 2: Getting Started

Fundamentals of Software Engineering

Complexity, Induction, and Recurrence Relations. CSE 373 Help Session 4/7/2016

PROBLEM SOLVING WITH LOOPS. Chapter 7

Algorithms 4. Odd or even Algorithm 5. Greatest among three numbers Algorithm 6. Simple Calculator Algorithm

Chapter 3. Describing Syntax and Semantics ISBN

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

Plan of the lecture. Quick-Sort. Partition of lists (or using extra workspace) Quick-Sort ( 10.2) Quick-Sort Tree. Partitioning arrays

SECTION 5.1. Sequences

15-122: Principles of Imperative Computation (Section G)

4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?

Source. Sink. Chapter 10: Iterative Programming Maximum Flow Problem. CmSc250 Intro to Algorithms

Program Verification. Aarti Gupta

A Crash Course in Compilers for Parallel Computing. Mary Hall Fall, L2: Transforms, Reuse, Locality

The divide and conquer strategy has three basic parts. For a given problem of size n,

CS 561, Lecture 1. Jared Saia University of New Mexico

Assignment 1. Stefano Guerra. October 11, The following observation follows directly from the definition of in order and pre order traversal:

VSTTE 2010 software verification competition. Problem 1: Sum and Maximum

Data Structures and Algorithms CSE 465

Introduction to Axiomatic Semantics

CHAPTER 9. GRAPHS 310. Figure 9.1 An undirected graph. Figure 9.2 A directed graph

More on control structures

CS 1110: Introduction to Computing Using Python Loop Invariants

Awk. 1 What is AWK? 2 Why use AWK instead of Perl? 3 Uses Of AWK. 4 Basic Structure Of AWK Programs. 5 Running AWK programs

Mock exam 1. ETH Zurich. Date: 9./10. November 2009

Invariants and Algorithms

Lecture 7: General Loops (Chapter 7)

Computer Programming

VSTTE 2012 software verification competition. Problem 1: Two-Way Sort

MSO Lecture Design by Contract"

Cantor s Diagonal Argument for Different Levels of Infinity

6. Hoare Logic and Weakest Preconditions

Transcription:

Review: Hoare Logic Rules wp(x := E, P) = [E/x] P wp(s;t, Q) = wp(s, wp(t, Q)) wp(if B then S else T, Q) = B wp(s,q) && B wp(t,q) Proving loops correct First consider partial correctness The loop may not terminate, but if it does, the postcondition will hold {P} while B do S {Q} Find an invariant Inv such that: P Inv The invariant is initially true { Inv && B } S {Inv} Each execution of the loop preserves the invariant (Inv && B) Q The invariant and the loop exit condition imply the postcondition 1

Loop Example Prove array sum correct { N 0 } j := 0; s := 0; while (j < N) do end { s = (Σi 0 i<n a[i]) } Loop Example Prove array sum correct { N 0 } j := 0; s := 0; { 0 j N && s = (Σi 0 i<j a[i]) } while (j < N) do {0 j N && s = (Σi 0 i<j a[i]) && j < N} {0 j N && s = (Σi 0 i<j a[i]) } end { s = (Σi 0 i<n a[i]) } 2

Proof Obligations Invariant is initially true { N 0 } j := 0; s := 0; { 0 j N && s = (Σi 0 i<j a[i]) } Invariant is maintained {0 j N && s = (Σi 0 i<j a[i]) && j < N} {0 j N && s = (Σi 0 i<j a[i]) } Invariant and exit condition implies postcondition 0 j N && s = (Σi 0 i<j a[i]) && j N s = (Σi 0 i<n a[i]) Proof Obligations Invariant is initially true { N 0 } { 0 0 N && 0 = (Σi 0 i<0 a[i]) } // by assignment rule j := 0; { 0 j N && 0 = (Σi 0 i<j a[i]) } // by assignment rule s := 0; { 0 j N && s = (Σi 0 i<j a[i]) } Need to show that: (N 0) (0 0 N && 0 = (Σi 0 i<0 a[i])) = (N 0) (0 N && 0 = 0) // 0 0 is true, empty sum is 0 = (N 0) (0 N) // 0=0 is true, P && true is P = true 3

Proof Obligations Invariant is maintained {0 j N && s = (Σi 0 i<j a[i]) && j < N} {0 j +1 N && s+a[j] = (Σi 0 i<j+1 a[i]) } // by assignment rule {0 j +1 N && s = (Σi 0 i<j+1 a[i]) } // by assignment rule {0 j N && s = (Σi 0 i<j a[i]) } Need to show that: (0 j N && s = (Σi 0 i<j a[i]) && j < N) (0 j +1 N && s+a[j] = (Σi 0 i<j+1 a[i])) = (0 j < N && s = (Σi 0 i<j a[i])) (0 j < N && s+a[j] = (Σi 0 i<j+1 a[i])) // simplify bounds of j = (0 j < N && s = (Σi 0 i<j a[i])) (0 j < N && s+a[j] = (Σi 0 i<j a[i]) + a[j] ) // separate last part of sum = (0 j < N && s = (Σi 0 i<j a[i])) (0 j < N && s = (Σi 0 i<j a[i])) // subtract a[j] from both sides = true Proof Obligations Invariant and exit condition implies postcondition 0 j N && s = (Σi 0 i<j a[i]) && j N s = (Σi 0 i<n a[i]) = 0 j && j = N && s = (Σi 0 i<j a[i]) s = (Σi 0 i<n a[i]) // because (j N && j N) = (j = N) = 0 N && s = (Σi 0 i<n a[i]) s = (Σi 0 i<n a[i]) // by substituting N for j, since j = N = true // because P && Q Q 4

Invariant Intuition For code without loops, we are simulating execution directly We prove one Hoare Triple for each statement, and each statement is executed once For code with loops, we are doing one proof of correctness for multiple loop iterations Don t know how many iterations there will be Need our proof to cover all of them The invariant expresses a general condition that is true for every execution, but is still strong enough to give us the postcondition we need This tension between generality and precision can make coming up with loop invariants hard Total Correctness for Loops {P} while B do S {Q} Partial correctness: Find an invariant Inv such that: P Inv The invariant is initially true { Inv && B } S {Inv} Each execution of the loop preserves the invariant (Inv && B) Q The invariant and the loop exit condition imply the postcondition Termination bound Find a variant function v such that: (Inv && B) v > 0 The variant function evaluates to a finite integer value greater than zero at the beginning of the loop { Inv && B && v=v } S {v < V} The value of the variant function decreases each time the loop body executes (here V is a constant) 5

Total Correctness Example while (j < N) do end {0 j N && s = (Σi 0 i<j a[i]) && j < N} {0 j N && s = (Σi 0 i<j a[i]) } Variant function for this loop? N-j Guessing Variant Functions Loops with an index N ± i Applies if you always add or always subtract a constant, and if you exit the loop when the index reaches some constant Use N-i if you are incrementing i, N+i if you are decrementing i Set N such that N ± i 0 at loop exit Other loops Find an expression that is an upper bound on the number of iterations left in the loop 6

Additional Proof Obligations Variant function for this loop: N-j To show: variant function initially positive (0 j N && s = (Σi 0 i<j a[i]) && j < N) N-j > 0 To show: variant function is decreasing {0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V} {N-j < V} Additional Proof Obligations To show: variant function initially positive (0 j N && s = (Σi 0 i<j a[i]) && j < N) N-j > 0 = (0 j N && s = (Σi 0 i<j a[i]) && j < N) N > j // added j to both sides = true // (N > j) = (j < N), P && Q P 7

Additional Proof Obligations To show: variant function is decreasing {0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V} {N-(j+1) < V} // by assignment {N-(j+1) < V} // by assignment {N-j < V} Need to show: (0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V) (N-(j+1) < V) Assume 0 j N && s = (Σi 0 i<j a[i]) && j < N && N-j = V By weakening we have N-j = V Therefore N-j-1 < V But this is equivalent to N-(j+1) < V, so we are done. Factorial { N 1 } k := 1 f := 1 while (k < N) do f := f * k k := k + 1 end { f = N! } Loop invariant? f = Pi(0 < i < k)(i) AND k <= N what if we initialize k to 5? Variant function? 8

Factorial { N 1 } { 1 = 1! && 0 1 N } k := 1 { 1 = k! && 0 k N } f := 1 { f = k! && 0 k N } while (k < N) do { f = k! && 0 k N && k < N && N-k = V} { f*(k+1) = (k+1)! && 0 k+1 N && N-(k+1) < V} k := k + 1 { f*k = k! && 0 k N && N-k < V} f := f * k { f = k! && 0 k N && N-k < V} end { f = k! && 0 k N && k N} { f = N! } Factorial Obligations (1) (N 1) (1 = 1! && 0 1 N) = (N 1) (1 N) // because 1 = 1! and 0 1 = true // because (N 1) = (1 N) 9

Factorial Obligations (2) (f = k! && 0 k N && k < N && N-k = V) (f*(k+1) = (k+1)! && 0 k+1 N && N-(k+1)< V) = (f = k! && 0 k < N && N-k = V) (f*(k+1) = k!*(k+1) && 0 k+1 N && N-k-1< V) // by simplification and (k+1)!=k!*(k+1) Assume (f = k! && 0 k < N && N-k = V) Check each RHS clause: (f*(k+1) = k!*(k+1)) = (f = k!) // division by (k+1) (nonzero by assumption) = true // by assumption 0 k+1 = true // by assumption that 0 k k+1 N = true // by assumption that k < N N-k-1< V = N-k-1 < N-k // by assumption that N-k = V = N-1 < N // by addition of k = true // by properties of < Factorial Obligations (3) (f = k! && 0 k N && k N) (f = N!) Assume f = k! && 0 k N && k N Then k=n by k N && k N So f = N! by substituting k=n 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback