Lecture 17: Floyd-Hoare Logic for Partial Correctness

Similar documents
Last Time. Inference Rules

Hoare Logic: Reasoning About Imperative Programs

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Lecture 36: Other Non-computable Problems

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Programming Languages and Compilers (CS 421)

The Assignment Axiom (Hoare)

Proof Calculus for Partial Correctness

Proof Rules for Correctness Triples

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

CSE 331 Winter 2018 Reasoning About Code I

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Program verification using Hoare Logic¹

Lecture 31: Reductions

Hoare Logic and Model Checking

Quadratic Equations Part I

Proof Techniques (Review of Math 271)

Logic. Propositional Logic: Syntax. Wffs

Reasoning About Imperative Programs. COS 441 Slides 10b

Foundations of Computation

Loop Convergence. CS 536: Science of Programming, Fall 2018

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Program Analysis Part I : Sequential Programs

Weakest Precondition Calculus

Math 31 Lesson Plan. Day 2: Sets; Binary Operations. Elizabeth Gillaspy. September 23, 2011

Reading 5 : Induction

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Logic. Propositional Logic: Syntax

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

CSE 331 Winter 2018 Homework 1

SOME SMALL EXAMPLES OF FORMAL VERIFICATION

Basics of Proofs. 1 The Basics. 2 Proof Strategies. 2.1 Understand What s Going On

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Alex s Guide to Word Problems and Linear Equations Following Glencoe Algebra 1

1 Review of the dot product

Nondeterministic finite automata

CS558 Programming Languages

Math101, Sections 2 and 3, Spring 2008 Review Sheet for Exam #2:

Deduction by Daniel Bonevac. Chapter 3 Truth Trees

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Lecture 2: Axiomatic semantics

QUADRATICS 3.2 Breaking Symmetry: Factoring

Lecture Notes on Invariants for Arbitrary Loops

Guide to Proofs on Sets

Discrete Mathematics and Probability Theory Fall 2016 Seshia and Walrand Note 2

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic: Part II

HOW TO WRITE PROOFS. Dr. Min Ru, University of Houston

Direct Proof MAT231. Fall Transition to Higher Mathematics. MAT231 (Transition to Higher Math) Direct Proof Fall / 24

Propositional Logic: Syntax

Adam Blank Spring 2017 CSE 311. Foundations of Computing I

Proving Programs Correct

Lecture 4: Constructing the Integers, Rationals and Reals

Axiomatic systems. Revisiting the rules of inference. Example: A theorem and its proof in an abstract axiomatic system:

Discrete Structures Proofwriting Checklist

Manual of Logical Style

Single-Predicate Derivations

4 Derivations in the Propositional Calculus

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Properties of Arithmetic

Program verification. 18 October 2017

Example. How to Guess What to Prove

Sequence convergence, the weak T-axioms, and first countability

Lecture Notes on Programs with Arrays

#29: Logarithm review May 16, 2009

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

Hypothesis testing I. - In particular, we are talking about statistical hypotheses. [get everyone s finger length!] n =

( )( b + c) = ab + ac, but it can also be ( )( a) = ba + ca. Let s use the distributive property on a couple of

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Hoare Examples & Proof Theory. COS 441 Slides 11

Induction 1 = 1(1+1) = 2(2+1) = 3(3+1) 2

Mathematical induction

CS 301. Lecture 18 Decidable languages. Stephen Checkoway. April 2, 2018

MA 3280 Lecture 05 - Generalized Echelon Form and Free Variables. Friday, January 31, 2014.

Descriptive Statistics (And a little bit on rounding and significant digits)

Natural deduction for truth-functional logic

Section 0.6: Factoring from Precalculus Prerequisites a.k.a. Chapter 0 by Carl Stitz, PhD, and Jeff Zeager, PhD, is available under a Creative

TheFourierTransformAndItsApplications-Lecture28

Discrete Mathematics

Intermediate Logic. Natural Deduction for TFL

CS 124 Math Review Section January 29, 2018

Guide to Proofs on Discrete Structures

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Math 31 Lesson Plan. Day 5: Intro to Groups. Elizabeth Gillaspy. September 28, 2011

6. The transfinite ordinals*

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Modern Algebra Prof. Manindra Agrawal Department of Computer Science and Engineering Indian Institute of Technology, Kanpur

2.1 Convergence of Sequences

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 2

Astronomy 102 Math Review

Lecture 29: Tractable and Intractable Problems

Lecture Notes on Inductive Definitions

Cambridge University Press How to Prove it: A Structured Approach: Second edition Daniel J. Velleman Excerpt More information

A Short Introduction to Hoare Logic

Line Integrals and Path Independence

Solving Quadratic & Higher Degree Equations

Proofs. Introduction II. Notes. Notes. Notes. Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Fall 2007

CS1800: Strong Induction. Professor Kevin Gold

Transcription:

Lecture 17: Floyd-Hoare Logic for Partial Correctness Aims: To look at the following inference rules Page 1 of 9 sequence; assignment and consequence.

17.1. The Deduction System for Partial Correctness The inference rules we are about to look at are credited to R. Floyd and C.A.R. Hoare. Hence, we sometimes call this Floyd-Hoare Logic. There are inference rules for each of the constructs of the programming language. This allows us to compose proofs, command by command. A global piece of advice is to read the rules backwards : from bottom to top. In a lot of the examples and exercises, I won t use specification variables, even though the program specifications might be better if I did. This is OK because we re proving programs rather than constructing them and the ones I will generally give you to prove will not exploit the laxity of specification in particular, the programs I give you to prove will not directly assign to the parameters. 17.1.1. Sequencing Page 2 of 9 Sequencing P C 1 R, R C 2 Q P C 1 ; C 2 Q So, if you know that C 1 takes you from states satisfying P to states satisfying R, and that C 2 takes you from states satisfying R to states satisfying Q, then you know that executing C 1 and C 2 in sequence will take you from states satisfying P to states satisfying R. But, as per my piece of global advice, when we use this inference rule in program verification, we read it from bottom to top. In order to prove that the sequence C 1 ; C 2 will take us from states satisfying P to states satisfying Q, we need to find an R and prove that R C 2 Q and then that P C 1 R.

17.1.2. Assignment Notation: Let Q[V E] be the result of replacing all occurrences of variable V in Q by expression E. Page 3 of 9 Assignment Q[V E] V := E Q Since this inference rule has no conditions, it is more accurate to call it an axiom, but we won t worry about that. The rule states that if we want to show that Q holds after the assignment of E into V, then we must show that Q[V E] holds before the assignment. In program verification, we will apply this rule backwards. We know Q and we wish to find a precondition that makes Q true after the assignment V := E. The nice thing about this rule is that it is completely mechanical. You just do a substitution and, hey presto, that gives you the precondition. Unfortunately, not all the inference rules are so simple; some require ingenuity. Applying the rule mechanically and backwards in this way will generate the weakest precondition that is needed for execution of the assignment to result in a state that satisfies the postcondition. However, students don t like this rule! It appears to be written the wrong way round. First, let s look at some examples that show that it does work. par y = 2 x := 2 y = x The postcondition is y = x. We do a substitution to get the precondition: y = x[x 2]. This gives y = 2.

And we can read the statement as follows: if you want to prove that y = x after the assignment x := 2, then you must be able to prove that y = 2 before it. Page 4 of 9 par 2 > 0 x := 2 x > 0 If you want to prove that x > 0 after x := 2, then you must be able to prove that 2 > 0 before it. par x + 1 = 2 x := x + 1 x = 2 If you want to prove that x = 2 after x := x + 1, then you must be able to prove that x + 1 = 2 (i.e. x = 1) before it. I ll give some more examples, but I won t include any more paraphrases into English. You can do the paraphrases yourself. par x + 1 = y x := x + 1 x = y par x + 1 + 5 = y x := x + 1 x + 5 = y par x + 1 > 0 y > 0 x := x + 1 x > 0 y > 0 So we ve seen that, although you may feel it has been written the wrong way round, it does seem to work. The key to making sense of it is to think about what you need to prove about the precondition. That s the way our paraphrases have been written. Another way to try to convince you that the rule is correct is to show you that various alternative rules get things wrong. We ll look at two duff attempts. Duff-Assignment-1 P V := E P [V E] Example of this getting it wrong; it allows us to prove the following: par x = 0 x := 1 1 = 0

Need I say more? (Yes? Then you haven t read it!) Well, if Duff-Assignment-1 isn t right, then what about this one: Duff-Assignment-2 P V := E P [E V ] Example of this getting it wrong; it allows us to prove the following: par x = 0 x := 1 x = 0 The rule tells us to replace E by V. In this case, E is 1. But 1 doesn t occur in P (x = 0), so the result of the substitution is still x = 0. Class Exercise Page 5 of 9 Determine the weakest precondition P that satisfies 1. P x := x + 1 x > 0 2. P x := x 2 x > 0 3. P x := x + 1 x 3 5x 2 + 2x > 0 4. P x := x + 1 x = x 0 + 1 5. P x := y mod 2 x = y mod 2 Determine the weakest precondition P that satisfies 1. P x := x + 1; x := x + 1 x > 0 2. P temp := x; x := y; y := temp x = y 0 y = x 0 3. P x := x + y; y := x y; x := x y x = m y = n

17.1.3. Rule of Consequence Page 6 of 9 Consequence P P, P C Q, Q Q P C Q This rule tells us that if we have proved P C Q and we have a wff P which implies P and another one Q which is implied by Q, then we can conclude that P C Q. In some books, this one rule is presented as two separate rules, referred to as precondition strengthening and postcondition weakening. One thing to note about this rule is that two of its conditions have nothing to do with programs and their partial correctness. Instead these two conditions require you to prove statements of normal logic (about P, P, Q and Q ). You would prove these using the kinds of techniques we were exploring in the lecture on proof. (Use the methods for informal proof.) Hence, this rule acts as a link between Floyd-Hoare logic (for programs) and normal logic. Its greatest use for us is in glueing together different components of proofs. E.g. We can prove that par x = n x := x + 1 x = n + 1 This time we are not looking for a weakest precondition P. Instead, we ve been given a precondition (x = n). So we have to lay this one out as a proof.

We write out the precondition, the program and the postcondition with lots of blank lines. x = n x := x + 1; x = n + 1 Page 7 of 9 We start with the postcondition and push it upwards through the program until a wff P emerges at the top. Ideally, P is the weakest precondition which guarantees that Q will hold if the program is executed and terminates. We then check to see whether P follows from P, the given precondition. This is a use of the rule of consequence. As we proceed, we fill in weakest preconditions and we add comments that justify the different steps. So, in our example, let s push the postcondition upwards through the assignment command. This involves using the Assignment rule of inference, we write the precondition above the assignment command. We write the comment alongside the postcondition. This is logical because, when we read the final proof we will read it in a forwards direction. x = n x + 1 = n + 1 x := x + 1; x = n + 1 Assignment To finish this proof, we need to show that x = n x + 1 = n + 1.

So we would write an extra justification alongside the program and show where to find the proof. x = n x + 1 = n + 1 Consequence (proof 1 ) x := x + 1; x = n + 1 Assignment Page 8 of 9 Proof 1 : To show x = n x + 1 = n + 1. Assume x = n. By arithmetic, we get x + 1 = n + 1. Discharging the assumption, we have x = n x + 1 = n + 1 as desired. In the real world, when the proofs are really simple (like this), it suffices to write Consequence and omit the proof. But if you do this in exercises and exam questions, do not expect credit. If you want credit, include your proofs! Here s another example. In the lecture, we ll prove that par True y := x; y := y + y y = 2x Acknowledgements I continue to base material on that in Chapter 4 of [HR00]. Clip Art (of head with bomb) licensed from the Clip Art Gallery on DiscoverySchool.com.

References [HR00] M. Huth and M. Ryan. Logic in Computer Science: Modelling and Reasoning about Systems. Cambridge University Press, 2000. Page 9 of 9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback