In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Similar documents
Program Analysis Part I : Sequential Programs

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Hoare Logic: Reasoning About Imperative Programs

Hoare Logic (I): Axiomatic Semantics and Program Correctness

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Hoare Logic: Part II

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Programming Languages and Compilers (CS 421)

Logic. Propositional Logic: Syntax. Wffs

Lecture 2: Axiomatic semantics

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Logic. Propositional Logic: Syntax

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Floyd-Hoare Style Program Verification

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Hoare Logic and Model Checking

Soundness and Completeness of Axiomatic Semantics

Propositional Logic: Syntax

CSE 331 Winter 2018 Reasoning About Code I

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Proof Calculus for Partial Correctness

Program verification. 18 October 2017

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Loop Convergence. CS 536: Science of Programming, Fall 2018

Hoare Logic: Reasoning About Imperative Programs

C241 Homework Assignment 7

The Assignment Axiom (Hoare)

Foundations of Computation

Hoare Calculus and Predicate Transformers

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

Proofs of Correctness: Introduction to Axiomatic Verification

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Weakest Precondition Calculus

Predicate Transforms I

Hoare Examples & Proof Theory. COS 441 Slides 11

1. Propositions: Contrapositives and Converses

CSC236 Week 2. Larry Zhang

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Last Time. Inference Rules

Lecture Notes on Software Model Checking

Programming Languages

CS558 Programming Languages

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Proving Programs Correct

A Short Introduction to Hoare Logic

Learning Goals of CS245 Logic and Computation

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Section Summary. Section 1.5 9/9/2014

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Program Construction and Reasoning

ICS141: Discrete Mathematics for Computer Science I

Axiomatic Verification II

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Deductive Verification

Topic 1: Propositional logic

Proof Rules for Correctness Triples

INVARIANT RELATIONS: A CONCEPT FOR ANALYZING WHILE LOOPS. Ali Mili, NJIT NII, Tokyo, Japan December 20, 2011

5 + 9(10) + 3(100) + 0(1000) + 2(10000) =

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

CSE20: Discrete Mathematics

Mid-Semester Quiz Second Semester, 2012

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

CIS (More Propositional Calculus - 6 points)

Reasoning About Imperative Programs. COS 441 Slides 10b

Introduction to Axiomatic Semantics

Algebra 1. Predicting Patterns & Examining Experiments. Unit 5: Changing on a Plane Section 4: Try Without Angles

Program verification using Hoare Logic¹

Logic, Sets, and Proofs

Program Analysis and Verification

Section 7.1 Relations and Their Properties. Definition: A binary relation R from a set A to a set B is a subset R A B.

Problem Sheet 1: Axiomatic Semantics

Tutorial on Axiomatic Set Theory. Javier R. Movellan

Incremental Proof-Based Verification of Compiler Optimizations

Math 10850, fall 2017, University of Notre Dame

Propositional Logic Not Enough

Proof. Theorems. Theorems. Example. Example. Example. Part 4. The Big Bang Theory

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Homework. Turn in Homework #4. The fifth homework assignment has been posted on the course website. It is due on Monday, March 2.

In Class Problem Set #15

Lecture Notes on Invariants for Arbitrary Loops

IC3 and Beyond: Incremental, Inductive Verification

Deterministic Program The While Program

3 The language of proof

Proving languages to be nonregular

The Inductive Proof Template

Math /Foundations of Algebra/Fall 2017 Foundations of the Foundations: Proofs

CS173 Strong Induction and Functions. Tandy Warnow

Software Testing Lecture 5. Justin Pearson

SAT-Based Verification with IC3: Foundations and Demands

Formal Methods in Software Engineering

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Reading and Writing. Mathematical Proofs. Slides by Arthur van Goetham

Math 31 Lesson Plan. Day 2: Sets; Binary Operations. Elizabeth Gillaspy. September 23, 2011

Automata-Theoretic Model Checking of Reactive Systems

Logical Abduction and its Applications in Program Verification. Isil Dillig MSR Cambridge

MATH 22 INFERENCE & QUANTIFICATION. Lecture F: 9/18/2003

Transcription:

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows how a program can sometimes be systematically constructed from its specifications.

This slide shows a Hoare triple, which is used to reason about programs. S denotes a program statement, like x := x+y; or if (x < 0) x := -x;. P and Q are conditions (also called assertions, or predicates, or boolean expressions), like x < 10 or x is even. An execution of S starts in some state and ends in some state. (We restrict our attention to program statements that are well behaved and terminate.) A Hoare triple tells you something about executions of S. The Hoare triple on this slide says that any execution of S that starts in a state satisfying P ends in some state satisfying Q. For example, { x*x = y } if (x < 0) x := -x; { x*x = y } says that if the statement if (x < 0) x := -x; is executed from a state where y equals the square of x, then it will end in a state where, again, x*x = y.

This slide shows the general form of a valid Hoare triple for an assignment statement x := E. It says that the statement x := E will end in a state satisfying Q if it is started in a state satisfying Q*E/x+, which stands for the expression Q in which any mention of variable x is replaced by the expression E. For example, if Q is 2*x + y 11 and E is y+1, then Q*E/x+ is (2*x + y 11)* y+1 / x +, which is 2*(y+1) + y 11, which can be simplified as 3*y + 2 11, that is, y 3. In other words, the following is a valid Hoare triple:, y 3 - x := y + 1, 2*x + y 11 - Among other things, it lets us conclude that if we execute statement x := y + 1 from a state where x is 5 and y is 1, then it will end in a state where 2*x + y 11. The second Hoare triple on the slide shows another example: if you want to execute x := y and be sure that it ends in a state satisfying x = 10, then you must start the execution in a state where y = 10.

Here are two more examples of valid Hoare triples for assignments. The first says that if you want the increment-by-1 statement to end in a state where the variable is at most 10, then you must start the execution in a state where the variable is strictly less than 10. The pre-state of this Hoare triple is obtained by replacing x by x + 1 in the condition on the post-state, and then simplifying x+1 10 to x < 10. The second, which is more complicated, considers the statement x := 3*x + 2*y and the post-state condition x*x = 81. Again, one can figure out the most general condition on the pre-state that makes the Hoare triple valid by replacing x in the poststate condition by the right-hand side of the assignment. Without any further (thinking or) simplification, that pre-state condition is (3*x + 2*y)*(3*x + 2*y) = 81.

This slide considers another statement, namely a simple while loop with a loop guard B and a loop body S. If you want to be sure that every execution of the loop statement that starts in P ends in Q, then you must find a condition J that satisfies the three provisos at the bottom. The condition J is called a loop invariant. The first proviso says that the loop invariant must hold before the loop statement is executed. It is expressed by a logical implication: P ==> J (pronounced P implies J ). This proviso is analogous to the base case of a mathematical proof by induction. The second proviso says that taking a loop iteration must maintain the loop invariant. More precisely, if the loop body, S, is started in a state where the loop invariant holds and the loop guard evaluates to true, then it ends in a state where the loop invariant holds again. This proviso is analogous to the induction case of a mathematical proof by induction. Continued

The third proviso says that one must pick a loop invariant that is strong enough to conclude the desired Q after the loop terminates. More precisely, it says that if the loop invariant holds and the loop guard evaluates to false, then Q holds. This proviso is analogous, in mathematics, to making sure the induction hypothesis is strong enough to conclude the theorem one is trying to prove. For example, suppose we are trying to establishing the following Hoare triple: { n = 0 } while n < 99 do n := n + 2 { x = 100 } Let s pick the loop invariant, J, to be n is even and n 100. The first proviso is: n = 0 ==> n is even and n 100 which holds, because 0 is even and no greater than 100. continued

The second proviso is:, n is even and n 100 and n < 99 - n := n + 2, n is even and n 100 - We check this Hoare triple by replacing n by n+2 in the post-state condition, which gives us: (n+2) is even and n+2 100 which simplifies to: n+2 is even and n 98 We note that the pre-state condition in the triple also simplifies to the same expression, so the proviso holds. Continued

The third proviso is: n is even and n 100 and not n < 99 ==> x = 100 If n is at most 100 but not less than 99, then n is either 99 or 100. Furthermore, if n is even, then n can only be 100, which is what we are trying to prove. That proves the example Hoare triple to be valid. To fully reason about loops, one also needs to consider termination. However, in this episode of Verification Corner, we ignore that issue; come back for a different episode on termination.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback