
Lecture #8 : Proof Rules for Partial Correctness (cont.)

Topics

Floyd-Hoare Logic for proving Partial Correctness
1) Rule for Precondition Strengthening
2) Rule for Postcondition Weakening
3) Rule for Sequential Commands
4) The Block Rule
5) The Conditional Rule
6) The While Rule - Invariant
7) Finding Invariants

Precondition Strengthening

Recall that a rule written

|- S1, ..., |- Sn
-----------------
      |- S

means that |- S can be deduced from |- S1, ..., |- Sn.

If P ⇒ Q holds, then P is called stronger than Q and Q is called weaker than P. For example, X ≥ 2 is stronger than X ≥ 1 because X ≥ 1 follows from X ≥ 2 but not the other way around. X² ≥ 0 is weaker than X ≥ 0 because if X ≥ 0 then surely X² ≥ 0, but not vice versa. The weakest predicate is true (T), since P ⇒ T for any P. The strongest predicate is false (F), since F ⇒ P for any P.

Using this notation, the rule of precondition strengthening is:

Precondition strengthening
|- P' ⇒ P      |- {P} C {Q}
----------------------------
       |- {P'} C {Q}

The precondition can be strengthened since if P' holds in the initial state, P also holds.

Example

From
  |- (X=n) ⇒ (X+1 = n+1)                  a trivial arithmetical fact
  |- {X+1 = n+1} X:=X+1 {X = n+1}          an instance of the assignment axiom

it follows by precondition strengthening that
  |- {X=n} X:=X+1 {X = n+1}

Here n is an auxiliary (or ghost) variable.

Example

From
  |- T ⇒ (E=E)
  |- {E=E} X:=E {X=E}

it follows that
  |- {T} X:=E {X=E}

as long as X does not occur in E (why?).

Postcondition weakening

Just as the previous rule allows the precondition of a partial correctness specification to be strengthened, the following one allows us to weaken the postcondition.

Postcondition weakening
|- {P} C {Q'}      |- Q' ⇒ Q
----------------------------
       |- {P} C {Q}

The postcondition can be weakened since if Q' holds in the final state, Q also holds.

An Example Formal Proof

Here is a little formal proof:

1. |- {R=X ∧ 0=0} Q:=0 {R=X ∧ Q=0}          By the assignment axiom
2. |- R=X ⇒ (R=X ∧ 0=0)                     By pure logic
3. |- {R=X} Q:=0 {R=X ∧ Q=0}                By precondition strengthening (1, 2)
4. |- (R=X ∧ Q=0) ⇒ R = X+(Y×Q)             By the laws of arithmetic
5. |- {R=X} Q:=0 {R = X+(Y×Q)}              By postcondition weakening (3, 4)

The rules precondition strengthening and postcondition weakening are sometimes called the rules of consequence.

Sequences

Syntax: C1 ; ... ; Cn
Semantics: the commands C1 ; ... ; Cn are executed in that order.

Example: R:=X; X:=Y; Y:=R
The values of X and Y are swapped using R as a temporary variable. This command has the side effect of changing the value of the variable R to the old value of the variable X.

The sequencing rule

The next rule enables a partial correctness specification for a sequence C1; C2 to be derived from specifications for C1 and C2.

The sequencing rule
|- {P} C1 {Q}      |- {Q} C2 {R}
--------------------------------
        |- {P} C1;C2 {R}

Example Proof

By the assignment axiom:
  (i)   |- {X=x ∧ Y=y} R:=X {R=x ∧ Y=y}
  (ii)  |- {R=x ∧ Y=y} X:=Y {R=x ∧ X=y}
  (iii) |- {R=x ∧ X=y} Y:=R {Y=x ∧ X=y}

Hence by (i), (ii) and the sequencing rule:
  (iv)  |- {X=x ∧ Y=y} R:=X; X:=Y {R=x ∧ X=y}

Hence by (iv), (iii) and the sequencing rule:
  (v)   |- {X=x ∧ Y=y} R:=X; X:=Y; Y:=R {Y=x ∧ X=y}
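The assignment axiom, the sequencing rule and the rules of consequence can be mechanised for straight-line code: push the postcondition backwards through the assignments by substitution (Q[E/X]), which yields the weakest precondition, and then check that the given precondition implies it. The Python below is an added example and is not part of the lecture notes; the names substitute, wp, implies_on and verify are my own, predicates are written as Python boolean expressions, and, since no theorem prover is assumed, the implication is only checked over a small bounded range of integers (a counterexample search, which gives evidence for unbounded integers but not a proof). It runs the swap proof above, the R:=X; Q:=0 initialisation of the division example, and the X:=E case where X occurs in E, for which the postcondition X=E can never hold.

```python
import ast
import itertools

# Predicates and expressions are Python source strings over program
# variables (upper case: X, Y, R, ...) and ghost variables (lower case:
# x, y, ...).  All names and helpers here are my own, not the lecture's.


def substitute(pred_src, var, expr_src):
    """Assignment axiom: Q[E/X].  Replace every occurrence of `var` in the
    predicate by the expression, working on the AST so that names are
    matched whole (X is not touched inside MAX) and ast.unparse inserts
    whatever parentheses the substituted expression needs."""
    expr = ast.parse(expr_src, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return expr if node.id == var else node

    tree = Sub().visit(ast.parse(pred_src, mode="eval"))
    return ast.unparse(tree.body)


def wp(assignments, post):
    """Weakest precondition of the sequence of assignments [(var, expr), ...]
    (in program order) with respect to `post`: by the sequencing rule the
    postcondition is pushed backwards through one assignment at a time."""
    pred = post
    for var, expr in reversed(assignments):
        pred = substitute(pred, var, expr)
    return pred


def implies_on(pre, pred, names, domain=range(-3, 4)):
    """Bounded check of pre => pred over all valuations of `names` drawn
    from `domain`.  Returns a counterexample valuation, or None if none
    exists in the domain (evidence, not a proof, for unbounded integers)."""
    pre_c, pred_c = compile(pre, "<pre>", "eval"), compile(pred, "<wp>", "eval")
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if eval(pre_c, {}, env) and not eval(pred_c, {}, env):
            return env
    return None


def verify(pre, assignments, post, names):
    """Rule of consequence: {pre} C {post} follows from pre => wp(C, post)."""
    return implies_on(pre, wp(assignments, post), names)


# Straight-line commands from the lecture, as lists of assignments.
SWAP = [("R", "X"), ("X", "Y"), ("Y", "R")]    # R:=X; X:=Y; Y:=R
INIT = [("R", "X"), ("Q", "0")]                # R:=X; Q:=0
BAD = [("X", "X + 1")]                         # X:=E with X occurring in E

if __name__ == "__main__":
    print(wp(SWAP, "Y == x and X == y"))       # X == x and Y == y
    print(verify("X == x and Y == y", SWAP, "Y == x and X == y",
                 ["X", "Y", "R", "x", "y"]))   # None: no counterexample
    print(verify("True", INIT, "X == R + Y * Q", ["X", "Y"]))   # None
    print(wp(BAD, "X == X + 1"))               # X + 1 == X + 1 + 1, never true
    print(verify("True", BAD, "X == X + 1", ["X"]))             # a counterexample
```

For the swap, wp(SWAP, "Y == x and X == y") comes out as exactly the precondition X = x ∧ Y = y, so the consequence step is the trivial implication P ⇒ P; for X:=X+1 the substitution turns X = X+1 into X+1 = X+1+1, which is false in every state, which is why the side condition "X does not occur in E" is needed.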

Blocks

Syntax: BEGIN VAR V1; ...; VAR Vn; C END
Semantics: the command C is executed, and then the values of V1, ..., Vn are restored to the values they had before the block was entered. The initial values of V1, ..., Vn inside the block are unspecified.

Example: BEGIN VAR R; R:=X; X:=Y; Y:=R END
The values of X and Y are swapped using R as a temporary variable. This command does not have a side effect on the variable R.


The Block Rule

The block rule takes care of local variables.

The block rule
                |- {P} C {Q}
--------------------------------------------------
|- {P} BEGIN VAR V1; ...; VAR Vn; C END {Q}

where none of the variables V1, ..., Vn occur in P or Q.

Note that the block rule is regarded as including the case when there are no local variables (the n=0 case). The condition that none of the local variables V1, ..., Vn occurs in P or Q captures the semantics of the block command, that is, the effects of those local variables are local.


The Side Condition

The syntactic condition that none of the variables V1, ..., Vn occur in P or Q is an example of a side condition. Without this condition the rule is invalid, as illustrated in the example below.

From
  |- {X=x ∧ Y=y} R:=X; X:=Y; Y:=R {Y=x ∧ X=y}
it follows by the block rule that
  |- {X=x ∧ Y=y} BEGIN VAR R; R:=X; X:=Y; Y:=R END {Y=x ∧ X=y}
since R does not occur in X=x ∧ Y=y or in X=y ∧ Y=x.

However, from
  |- {X=x ∧ Y=y} R:=X; X:=Y {R=x ∧ X=y}
one cannot deduce
  |- {X=x ∧ Y=y} BEGIN VAR R; R:=X; X:=Y END {R=x ∧ X=y}
since R occurs in R=x ∧ X=y.


Exercises

Is the following true?
  |- {X=x ∧ Y=y} X:=X+Y; Y:=X-Y; X:=X-Y {Y=x ∧ X=y}
If so, prove it; if not, give the circumstances under which it fails.


Two-armed conditionals

Syntax: IF S THEN C1 ELSE C2
Semantics: if the statement S is true in the current state, then C1 is executed; if S is false, then C2 is executed.

Example: IF X<Y THEN MAX:=Y ELSE MAX:=X
The value of the variable MAX is set to the maximum of the values of X and Y.

The one-armed conditional is defined by:
  IF S THEN C  ≡  IF S THEN C ELSE SKIP


The Conditional Rule

The conditional rule
|- {P ∧ S} C1 {Q}      |- {P ∧ ¬S} C2 {Q}
------------------------------------------
    |- {P} IF S THEN C1 ELSE C2 {Q}

This rule aims to reason about properties that are not changed over the conditional command, i.e. those properties that hold in the initial state and in the final state of the conditional command:

  { ? } IF S THEN C1 ELSE C2 { ? }

Suppose we are given
  |- {T ∧ X ≥ Y} MAX:=X {MAX = max(X,Y)}
and
  |- {T ∧ ¬(X ≥ Y)} MAX:=Y {MAX = max(X,Y)}

Then by the conditional rule it follows that
  |- {T} IF X ≥ Y THEN MAX:=X ELSE MAX:=Y {MAX = max(X,Y)}

A one-armed conditional rule is derived later.


WHILE-commands

Syntax: WHILE S DO C
Semantics: if the statement S is true in the current state, then C is executed and the WHILE-command is repeated; if S is false, then nothing is done. Thus C is repeatedly executed until the value of S becomes false. If S never becomes false, then the execution of the command never terminates.

Example: WHILE ¬(X=0) DO X:=X-2
If the value of X is non-zero, then its value is decreased by 2 and the process is repeated. This WHILE-command will terminate (with X having the value 0) if the value of X is an even non-negative number; in all other states it will not terminate (e.g. X is negative or zero).


Invariants

There are two kinds of properties that can be reasoned about for the WHILE-command, namely the variant and the invariant. The variant is the property that is changed by the WHILE-command, whereas the invariant is the property that is not changed by the WHILE-command. The variant is tied to the test condition, which must be false after a WHILE-command has terminated; otherwise, it wouldn't have terminated.

Suppose |- {P ∧ S} C {P}. Then P is an invariant of C whenever S holds. The WHILE-rule says that if P is an invariant of the body of a WHILE-command whenever the test condition holds, then P is an invariant of the whole WHILE-command. In other words, if executing C once preserves the truth of P, then executing C any number of times also preserves the truth of P. An invariant is not always straightforward to see; one must examine the loop closely.


The WHILE-Rule

The WHILE-rule
        |- {P ∧ S} C {P}
-----------------------------------
|- {P} WHILE S DO C {P ∧ ¬S}

It is easy to show
  |- {X = R+(Y×Q) ∧ Y ≤ R} BEGIN R:=R-Y; Q:=Q+1 END {X = R+(Y×Q)}

Hence by the WHILE-rule with P = (X = R+(Y×Q)):
  |- {X = R+(Y×Q)} WHILE Y ≤ R DO BEGIN R:=R-Y; Q:=Q+1 END {X = R+(Y×Q) ∧ ¬(Y ≤ R)}


Example

From the previous slide:
  |- {X = R+(Y×Q)} WHILE Y ≤ R DO BEGIN R:=R-Y; Q:=Q+1 END {X = R+(Y×Q) ∧ ¬(Y ≤ R)}

It is easy to deduce that
  |- {T} R:=X; Q:=0 {X = R+(Y×Q)}

Hence by the sequencing rule and postcondition weakening:
  |- {T} R:=X; Q:=0; WHILE Y ≤ R DO BEGIN R:=R-Y; Q:=Q+1 END {R<Y ∧ X = R+(Y×Q)}


Overview

We have given:
- a notation for specifying what a program does
- a way of proving that it meets its specification

We will now look at ways of finding proofs and organizing them:
- finding invariants
- derived rules
- backwards proofs
- annotating programs prior to proof


How do you find an invariant?

The WHILE-rule
        |- {P ∧ S} C {P}
-----------------------------------
|- {P} WHILE S DO C {P ∧ ¬S}

Look at the facts:
- it must hold initially
- together with the negated test, it must establish the result
- the body must leave it unchanged

Think about how the loop works (i.e. the repetition of the body C): the invariant says that what has been done so far, together with what remains to be done, gives the desired result of the loop. This is the guideline for finding an invariant.


Example

Consider a factorial program:
  {X=n ∧ Y=1} WHILE X≠0 DO BEGIN Y:=Y×X; X:=X-1 END {X=0 ∧ Y=n!}

Look at the facts:
- finally X=0 and Y=n!
- initially X=n and Y=1
- on each loop Y is increased and X is decreased, e.g. Y = X × (X-1) × (X-2) × (X-3) × ... × 1

Think how the loop works:
- Y holds the result so far
- X! is what remains to be computed
- n! is the desired result

The invariant is X! × Y = n!

Related example:
  {X=0 ∧ Y=1} WHILE X<N DO BEGIN X:=X+1; Y:=Y×X END {Y=N!}

Look at the facts:
- finally X=N and Y=N!
- initially X=0 and Y=1
- on each iteration both X and Y increase, e.g. Y = 1 × 2 × ... × (X-2) × (X-1) × X

Thus, what has been done so far is Y = X!. The desired result is Y = N!.

Ah ha! The invariant needed is (Y = X!) ∧ (X ≤ N). At the end, ¬(X<N) ∧ (X ≤ N) holds, so X = N. Thus (Y = X! ∧ X = N) ⇒ Y = N!. The desired result Y = N! can therefore be obtained from the invariant at the end of the loop.
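A claimed invariant can be checked mechanically on concrete runs before attempting the proof: evaluate P on loop entry and again after every execution of the body (the premise {P ∧ S} C {P}), and check that P ∧ ¬S on exit is enough for the postcondition. The Python below is an added example, not material from the lecture notes; it is a small interpreter, with my own names (run, check_triple, ev), for the command language of these slides (assignment, sequencing, two-armed conditional, blocks with local variables, and WHILE annotated with an invariant). It exercises the division program with its invariant X = R+(Y×Q), the factorial program with X!×Y = n!, and the side-condition example of the block rule, where a triple mentioning the local variable R fails because the block restores R. Two caveats built into the code: a loop that exceeds a step budget is counted as non-terminating and not as a failure, since a partial correctness specification promises nothing about such runs (the division loop never terminates when Y ≤ 0); and the factorial examples are only tested for non-negative n, where n! is defined. As with any bounded testing, a clean report is evidence, not a proof.

```python
import itertools
import math


class NonTermination(Exception):
    """Loop exceeded its step budget.  Treated as non-terminating: a
    partial-correctness specification promises nothing about such runs."""


class InvariantViolation(Exception):
    """The claimed invariant P was false at the loop head."""


def ev(src, state):
    """Evaluate a predicate/expression written as Python source over the
    variables in `state`; factorial is provided for the n! examples."""
    return eval(src, {"factorial": math.factorial}, state)


def run(cmd, state, budget=100):
    """Execute a command tuple against a mutable state dict and return it."""
    kind = cmd[0]
    if kind == "assign":                           # X := E
        _, var, expr = cmd
        state[var] = ev(expr, state)
    elif kind == "seq":                            # C1; ...; Cn
        for c in cmd[1]:
            run(c, state, budget)
    elif kind == "if":                             # IF S THEN C1 ELSE C2
        _, test, c1, c2 = cmd
        run(c1 if ev(test, state) else c2, state, budget)
    elif kind == "block":                          # BEGIN VAR V1; ...; C END
        _, local_vars, body = cmd
        saved = {v: state[v] for v in local_vars if v in state}
        run(body, state, budget)
        for v in local_vars:                       # effects on locals are local
            state.pop(v, None)
        state.update(saved)
    elif kind == "while":                          # WHILE S DO C, annotated with P
        _, test, inv, body = cmd
        if not ev(inv, state):                     # P must hold on entry
            raise InvariantViolation(dict(state))
        for _ in range(budget):
            if not ev(test, state):
                return state                       # exit: P and not S hold here
            run(body, state, budget)               # premise {P and S} C {P}
            if not ev(inv, state):
                raise InvariantViolation(dict(state))
        raise NonTermination(dict(state))
    else:
        raise ValueError(f"unknown command {kind!r}")
    return state


def check_triple(pre, cmd, post, names, domain):
    """Test {pre} cmd {post} on every initial state over `domain` for which
    pre holds.  Stops at the first invariant violation or counterexample."""
    report = {"checked": 0, "nonterminating": 0,
              "counterexample": None, "invariant_violation": None}
    for values in itertools.product(domain, repeat=len(names)):
        state = dict(zip(names, values))
        if not ev(pre, state):
            continue
        report["checked"] += 1
        try:
            run(cmd, state)
        except NonTermination:
            report["nonterminating"] += 1          # vacuously fine (partial correctness)
            continue
        except InvariantViolation as exc:
            report["invariant_violation"] = exc.args[0]
            return report
        if not ev(post, state):
            report["counterexample"] = state
            return report
    return report


# The lecture's division program; the invariant is a parameter so that a
# wrong one can be tried as well.
def division(inv="X == R + Y * Q"):
    body = ("block", [], ("seq", [("assign", "R", "R - Y"), ("assign", "Q", "Q + 1")]))
    return ("seq", [("assign", "R", "X"), ("assign", "Q", "0"),
                    ("while", "Y <= R", inv, body)])

# Factorial: {X=n and Y=1} WHILE X!=0 DO BEGIN Y:=Y*X; X:=X-1 END {X=0 and Y=n!}
FACT = ("while", "X != 0", "factorial(X) * Y == factorial(n)",
        ("block", [], ("seq", [("assign", "Y", "Y * X"), ("assign", "X", "X - 1")])))

# Block-rule side condition: R is local, so nothing about R survives the block.
SWAP_OK = ("block", ["R"], ("seq", [("assign", "R", "X"), ("assign", "X", "Y"),
                                    ("assign", "Y", "R")]))
SWAP_BAD = ("block", ["R"], ("seq", [("assign", "R", "X"), ("assign", "X", "Y")]))

if __name__ == "__main__":
    print(check_triple("True", division(), "R < Y and X == R + Y * Q",
                       ["X", "Y"], range(-3, 7)))
    print(check_triple("X == n and Y == 1", FACT, "X == 0 and Y == factorial(n)",
                       ["X", "Y", "n"], range(0, 6)))
    print(check_triple("X == x and Y == y", SWAP_BAD, "R == x and X == y",
                       ["X", "Y", "R", "x", "y"], range(-2, 3)))
```

On the division program over X, Y in -3..6 the report shows no counterexample and no invariant violation, but 34 of the 100 initial states (those with Y ≤ 0 and Y ≤ X) hit the budget, which is exactly the gap between partial and total correctness; swapping in the wrong invariant R = X is caught after the first body execution, since R changes while X does not.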
