Foundations of Computation

Similar documents
Hoare Logic: Reasoning About Imperative Programs

Hoare Logic: Part II

Hoare Logic: Reasoning About Imperative Programs

The Assignment Axiom (Hoare)

Weakest Precondition Calculus

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Programming Languages and Compilers (CS 421)

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Hoare Logic and Model Checking

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

Hoare Examples & Proof Theory. COS 441 Slides 11

Program verification using Hoare Logic¹

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

CS558 Programming Languages

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Proof Calculus for Partial Correctness

Program Analysis Part I : Sequential Programs

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Mid-Semester Quiz Second Semester, 2012

Last Time. Inference Rules

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Reasoning About Imperative Programs. COS 441 Slides 10b

CSE 331 Winter 2018 Reasoning About Code I

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Program verification. 18 October 2017

Lecture 17: Floyd-Hoare Logic for Partial Correctness

A Short Introduction to Hoare Logic

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Hoare Calculus and Predicate Transformers

Foundations of Computation

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods in Software Engineering)

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Proofs of Correctness: Introduction to Axiomatic Verification

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Floyd-Hoare Style Program Verification

Top Down Design. Gunnar Gotshalks 03-1

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Proof Rules for Correctness Triples

CSE 331 Winter 2018 Homework 1

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Program Analysis and Verification

Deductive Verification

Axiomatic Verification II

Formal Specification and Verification. Specifications

Propositional natural deduction

CSE 331 Software Design & Implementation

Program Construction and Reasoning

Software Engineering

Lecture 25. Designing Sequence Algorithms

Stepwise Refinement! Top Down Design!

Lecture 2: Axiomatic semantics

Lecture Notes on Compositional Reasoning

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Propositional Logic: Syntax

Loop Convergence. CS 536: Science of Programming, Fall 2018

Outline. 1 Introduction. 3 Quicksort. 4 Analysis. 5 References. Idea. 1 Choose an element x and reorder the array as follows:

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

Verifying Properties of Parallel Programs: An Axiomatic Approach

Probabilistic Guarded Commands Mechanized in HOL

2.3 Some Properties of Continuous Functions

Background reading on Hoare Logic

ASYMPTOTIC COMPLEXITY SEARCHING/SORTING

Learning Goals of CS245 Logic and Computation

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Introduction to Axiomatic Semantics

Data Structures and Algorithms Chapter 2

Calculating axiomatic semantics from program equations by means of functional predicate calculus

Lecture Notes on Invariants for Arbitrary Loops

DUBLIN CITY UNIVERSITY SEMESTER 2 SOLUTIONS 2017/2018. CA648 - Formal Programming

Hoare Calculus for SIMT Programms

Control Predicates Are Better Than Dummy Variables For Reasoning About Program Control

C241 Homework Assignment 7

Lecture Notes on Programs with Arrays

CIS 500: Software Foundations

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Ch 3.2: Direct proofs

Soundness and Completeness of Axiomatic Semantics

Deterministic Program The While Program

Logic. Propositional Logic: Syntax

Verificación de Programas!

Unifying Theories of Programming

Proof strategies, or, a manual of logical style

Transcription:

The Australian National University Semester 2, 2018 Research School of Computer Science Tutorial 6 Dirk Pattinson Foundations of Computation The tutorial contains a number of exercises designed for the students to practice the course content. During the lab, the tutor will work through some of these exercises while the students will be responsible for completing the remaining exercises in their own time. There is no expectation that all the exercises will be covered in lab time. Exercise 1 Hoare Logic: Semantics Determine the truth value of the following Hoare triples and give your reasoning. You are not required to use Hoare Logic to prove these! 1. {j = a} j:=j+1 {a = j + 1} False. Consider the case of a = j = 0; the precondition is satisfied, but after the assignment a = 0 and j = 1 and the postcondition is false. 2. {i = j} i:=j+i {i > j} False. will be false. 3. {i > j} j:=i+1; i:=j+1 {i > j} Consider the case that i is negative. For example, if i = j = 1 initially, then the postcondition True. Regardless of the initial state, the computation ends by making i = j +1 and so i > j is satisfied. 4. {i j} if i>j then m:=i-j else m:=j-i {m > 0} True. If i > j then m will be assigned a positive quantity. The other possibility is that i < j, given that the precondition holds, and again m will be assigned a positive number. 5. {i = 3 j} if i>j then m:=i-j else m:=j-i {m 2 j = 0} False. If i = 3 and j = 1 then m will end up as 2, and so the postcondition will not hold. 6. {a = 0} while x>a do x:=x-1 {x = 0} Exercise 2 False. If initially x = 1, or any other negative number, then the loop terminates with no iterations and x is unchanged. Assignment Axiom Prove each of the following. The first one has been done for you in detail, but you can just give the line numbered steps and their justifications. 1. {i = 5} a := i + 2 {(a = 7) (i = 5)} We apply the copy-and-replace assignment axiom. The precondition this generates doesn t look exactly like the one we are asked for, but it is equivalent to it: 1. {(i + 2 = 7) (i = 5)} a := i + 2 {(a = 7) (i = 5)} (Asst.) 2. {i = 5} a := i + 2 {(a = 7) (i = 5)} (1, Precon. Equiv.) We could have used precondition strengthening instead of precondition equivalence here, but the proof would have been one line longer. 2. {i = 5} a:=i+2 {(a = 7) (i > 0)} This follows by the same reasoning as 2(a) above - the assignment axiom, then precondition equivalence. Alternatively, we could apply postcondition weakening to the result of 2(a). 3. {(i = 5) (a = 3)} a:=i+2 {a = 7} Again we start with the assignment axiom, but this time the precondition we generate is not equivalent to the one we want - it is too weak. Hence we must invoke precondition strengthening: 1. {i + 2 = 7} a := i + 2 {a = 7} (Asst.) 2. (i = 5 a = 3) (i + 2 = 7) (Basic Math. & Logic) 3. {(i = 5) (a = 3)} a := i + 2 {a = 7} (1,2, Precon. Strength.)

4. {a = 7} i:=i+2 {a = 7} This question is a trivial assignment axiom one-liner. The importance of the example is that you often want to know that some variable s value is not affected by the execution of some given code. This is a sort of invariant. 5. {i = a 1} i:=i+2 {i = a + 1} Assignment axiom, then precondition equivalence, once again. 6. {T rue} a:=i+2 {a = i + 2} 1. {a = 7} i := i + 2 {a = 7} (Asst.) Assignment axiom and precondition equivalence again. The only thing that is a little unusual is the constant True as the precondition, so discuss what this means (that if the code fragment terminates then it does so fulfilling the postcondition, whatever the opening state might have been). What might it mean if False was the precondition? 1. {i + 2 = i + 2} a := i + 2 {a = i + 2} (Asst.) 2. {T rue} a := i + 2 {a = i + 2} (1, Precon. Equiv.) Exercise 3 Control Structures Prove each of the following. The first one has been done for you. You need only give the formal proof steps and their justifications. 1. {a > b} m:=1; n:=a-b {m n > 0} Start at the end of the program, and apply the assignment axiom to the command n := a b and the given postcondition. This generates the precondition m (a b) > 0. Apply the assignment axiom again with this new intermediate assertion and m := 1, rearrange the precondition we generate from this to get a > b, then use the sequencing rule to stick the proof together. 2. {s = 2 i } i:=i+1; s:=s*2 {s = 2 i } 1. {m (a b) > 0} n := a b {m n > 0} (Asst.) 2. {1 (a b) > 0} m := 1 {m (a b) > 0} (Asst.) 3. {a > b} m := 1 {m (a b) > 0} (2, Precon. Equiv.) 4. {a > b} m := 1; n := a b {m n > 0} (1,3, Seq.) 1. {s 2 = 2 i } s := s 2 {s = 2 i } (Asst.) 2. {s 2 = 2 i+1 } i := i + 1 {s 2 = 2 i } (Asst.) 3. {s = 2 i } i := i + 1 {s 2 = 2 i } (2, Precon. Equiv.) 4. {s = 2 i } i := i + 1; s := s 2 {s = 2 i } (1,3, Seq.) Step 3 is valid because we can divide both sides of the equation by 2. Note also that we have proved that (s = 2 i ) is an invariant for this code. 3. {T rue} if i<j then min:=i else min:=j {(min i) (min j)} We obviously need to apply the conditional rule; the rest of the proof is occupied by producing a match for the top line of this rule. 1. {(i i) (i j)} min := i {(min i) (min j)} (Asst.) 2. (T rue (i < j)) ((i i) (i j)) (Basic Math.) 3. {T rue (i < j)} min := i {(min i) (min j)} (1,2, Pre. Strength.) 4. {(j i) (j j)} min := j {(min i) (min j)} (Asst.) 5. {T rue (i < j)} min := j {(min i) (min j)} (4, Pre. Equiv.) 6. {T rue} if i<j then min:=i else min:=j {(min i) (min j)} (3,5, Cond.)

4. {(i > 0) (j > 0)} if i<j then min:=i else min:=j {min > 0} Follows similarly to part (c). 1. {i > 0} min := i {min > 0} (Asst.) 2. i > 0 j > 0 i < j i > 0 (Basic Logic) 3. {i > 0 j > 0 i < j} min := i {min > 0} (1,2, Pre. Strength.) 4. {j > 0} min := j {min > 0} (Asst.) 5. i > 0 j > 0 (i < j) j > 0 (Basic Logic) 6. {i > 0 j > 0 (i < j)} min := j {min > 0} (4,5, Pre. Strength.) 7. {i > 0 j > 0} if i < j then min := i else min := j {min > 0} (3,6, Cond.) Exercise 4 Consider the following Hoare triples: Control Structures 1. {x = y} if (x=0) then x:=y+1 else z:=y+1 {(x = y + 1) (z = x + 1)} 2. {x = y} if (x=0) then x:=y+1 else z:=y+1 {(z = 1) (x = 1)} For each triple: determine whether it is valid or not if it is not valid, justify why this is the case by giving values for the variables that satisfy the precondition, and argue that the postcondition is not true after running the code if it is valid, give a proof in Hoare logic. 1. This Hoare triple is valid. For a proof, note that to apply the conditional rule, we need to prove the following Hoare triples to be true: {x = y x = 0} x := y + 1 {x = y + 1 z = x + 1} {x = y x 0} z := y + 1 {x = y + 1 z = x + 1} (This informs the strategy of proof, but is not required as part of the solution.) We give the following proof in Hoare logic: 1 {(y + 1) = y + 1 z = y + 1 + 1} x := y + 1 {(x = y + 1) (z = x + 1)} (assignment) 2 {x = y x = 0} x := y + 1 {(x = y + 1) (z = x + 1)} (precondition strengthening, 1) 3 {x = y + 1 (y + 1) = x + 1} z := y+1 {(x = y + 1) (z = x + 1)} (assignment) 4 {x = y x 0} z := y+1 {(x = y + 1) (z = x + 1)} (precondition strengthening, 3) 5 {x = y} if (x=0) then x:=y+1 else z:=y+1 {(x = y + 1) (z = x + 1)} (conditional, 2, 4) 2. This hoare triple is also valid. We give the following hoare logic proof: 1 {z = 1 y + 1 = 1} x := y+1 {z = 1 x = 1} (assignment) 2 {x = y x = 0} x := y+1 {z = 1 x = 1} (precondition strengthening, 1) 3 {y + 1 = 1 x = 1} z := y+1 {z = 1 x = 1} (assignment) 4 {x = y x 0} z := y+1 {z = 1 x = 1} (precondition strengthening, 3) 5 {x = y} if (x=0) then x:=y+1 else z:=y+1 {(z = 1) (x = 1)} (conditional, 2, 4) Exercise 5 Variable Swap Give a Hoare logic proof of the validity of the following Hoare triple: {x = x 0 y = y 0 } tmp := x; x := y; y := tmp {x = y 0 y = x 0 }

1. {x = y 0 tmp = x 0 } y := tmp {x = y 0 y = x 0 } (assignment) 2. {y = y 0 y = tmp} x := y {x = y 0 tmp = x 0 } (assignment) 3. {y = y 0 tmp = x 0 } x := y; y := tmp {x = y 0 y = x 0 } (sequencing, 1, 2) 4. {y = y 0 x = x 0 } tmp := x {y := y 0 y = tmp} (assignment) 5. {y = y 0 x = x 0 } tmp := x; x := y; y := tmp {x = y 0 y = x 0 } (sequencing, 3, 4) 6. {x = x 0 y = y 0 } tmp := x; x := y; y := tmp {x = y 0 y = x 0 } (precondition equiv, 5)

Appendix Hoare Logic Rules Assignment: Precondition Strengthening: Postcondition Weakening: Sequence: Conditional: While Loop: {Q(e)} x := e {Q(x)} P s P w {P w } S {Q} {P s } S {Q} {P } S {Q s } Q s Q w {P } S {Q w } {P } S 1 {Q} {Q} S 2 {R} {P } S 1 ; S 2 {R} {P b} S 1 {Q} {P b} S 2 {Q} {P } if b then S 1 else S 2 {Q} {P b} S {P } {P } while b do S {P b} While Loop (Total Correctness): P b E [P b E = n] S [P E < n] [P ] while b do S [P b] where n is an auxilliary variable not appearing anywhere else.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback