Proving Program Correctness: Sequence, If-Else, and Loop Rules, Lecture notes of Computer Science

These notes introduce program correctness through Hoare triples and the sequence, if-else, and loop rules. The sequence and if-else rules are applied by rote, while the loop rule requires a suitable guess at the loop invariant. Proving a program correct is a challenging process, and debugging still plays a role.

Lecture notes, 2012/2013. Uploaded on 04/23/2013 by ashwini.
$25 and $40 certificates
Wednesday, October 20, 2010, 3:04 PM

We know that any sum 25p+40m is divisible by 5.
After $140, one can get every multiple of 5.
Basis: $140 = ...
$145 = ...
$150
$155
$160
Then let n be some multiple of 5 > $160. Assume that every multiple of 5 between 140 and n is representable. Then for n+5, n+5-25 is between 140 and n. Thus n+5 = 25 + (n+5-25). n+5-25 = m*25 + p*40 by the strong induction hypothesis. Thus n+5 = 25 + (n+5-25) = 25 + m*25 + p*40 = (m+1)*25 + p*40. Thus the hypothesis is true for n+5.
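The strong-induction argument above made constructive, as an added Python example that is not part of the notes: the basis cases are found by search, and every larger amount is built from the representation of the amount 25 less, exactly as the induction step does. The function names basis_case, represent and check_range are my own.

```python
# Added example (not from the notes): the strong-induction argument above, made
# constructive. Every multiple of 5 from $140 on is written as m*25 + p*40 with
# m the number of $25 certificates and p the number of $40 ones (the notes'
# first line names the coefficients the other way round). The five basis cases
# 140..160 are found by search; each larger amount n reuses the representation
# of n-25, which is exactly the induction step. Function names are my own.

def basis_case(n):
    """Search for m, p >= 0 with 25*m + 40*p == n; return None if impossible."""
    for p in range(n // 40 + 1):
        rest = n - 40 * p
        if rest % 25 == 0:
            return rest // 25, p
    return None

def represent(n):
    """Return (m, p) with 25*m + 40*p == n for a multiple of 5 with n >= 140.

    Basis: 140, 145, 150, 155, 160 (five consecutive multiples of 5).
    Step: for n > 160, n-25 is a multiple of 5 between 140 and n, so by the
    strong-induction hypothesis it is representable; add one $25 certificate.
    """
    if n % 5 != 0 or n < 140:
        raise ValueError("only multiples of 5 that are at least 140 are covered")
    if n <= 160:
        found = basis_case(n)
        assert found is not None, "basis case failed"   # the proof's basis
        return found
    m, p = represent(n - 25)      # hypothesis applied to n-25
    return m + 1, p               # n = 25 + (n-25) = (m+1)*25 + p*40

def check_range(lo, hi):
    """Verify the construction for every multiple of 5 in [lo, hi]."""
    for n in range(lo, hi + 1, 5):
        m, p = represent(n)
        if m < 0 or p < 0 or 25 * m + 40 * p != n:
            return False
    return True

if __name__ == "__main__":
    for n in (140, 145, 150, 155, 160, 165, 1000):
        m, p = represent(n)
        print(f"${n} = {m}*$25 + {p}*$40")
    print(check_range(140, 5000))
```

basis_case(135) returns None, which is why the argument starts at $140 and not earlier.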


Program correctness
Friday, October 15, 2010, 6:41 PM

When is a program "correct"? When it doesn't crash? When it answers the way we expect?

Mathematical basis of program correctness
Friday, October 15, 2010, 6:42 PM

preconditions: what is true before the program starts.
postconditions: what is true afterward.
Every statement or program has preconditions and postconditions.

Example: x:=y
p: y is a number (precondition)
S: x:=y; (statement)
q: x==y (postcondition)

The form p{S}q is called a Hoare triple. We write this as (y is a number) {x=y;} (x==y).

The calculus of Hoare triples
Wednesday, October 20, 2010, 2:33 PM

We can use a calculus of Hoare triples to:
Break large programs into smaller ones.
Prove correctness of the smaller ones.
Combine those proofs into a proof of correctness for the larger one.

Several tools:
The sequence rule: when is a sequence of statements correct?
The if-else rule: what does an if statement do?
The while rule: what does a "while" statement do?
We can think of these rules as the semantics for sequence, if, and while.

The sequence rule
Friday, October 15, 2010, 6:46 PM

The sequence (composition) rule: If p{S1}q and q{S2}r then p{S1;S2}r.

Example:
T {x:=1} x==1   (def. of :=)
x==1 {x:=x+1} x==2   (def. of +)
--------------------------------
T {x:=1; x:=x+1} x==2

Implication
Tuesday, October 19, 2010, 3:26 PM

If p→q and q{S}r then p{S}r. If p{S}q and q→r then p{S}r.

Example:
T { x=1 } x==1
x==1 → x>0
--------------------------------
T { x=1 } x>0

The if statement
Tuesday, October 19, 2010, 3:15 PM

(p ∧ condition) {S} q
(p ∧ ¬condition) → q
--------------------------------
p { if condition then S } q

Example: T { if (x<0) x=-x; } x≥0
Here p=T, condition=(x<0), S={x=-x;}.
Demonstrating this:
(x<0) { x=-x; } (x>0)   by definition of -x
x>0 → x≥0   by definition of >
so: (T ∧ x<0) { x=-x; } (x≥0)   [p ∧ condition {S} q]
(T ∧ x≥0) → x≥0   [p ∧ ¬condition → q]
--------------------------------
T { if (x<0) x=-x; } x≥0   [p {S} q]

So far
Wednesday, October 20, 2010, 3:40 PM

So far, we've been doing a rote algorithm: Start with perhaps disparate states, expressed as p, q, whatever. End with one description, e.g., q or r, of a complex expression.

Loop invariants
Tuesday, October 19, 2010, 3:38 PM

(p ∧ condition) {S} p
--------------------------------
p { while condition S } (¬condition ∧ p)

p is called a loop invariant. p is an expression whose variables aren't necessarily constant. In other words, if S doesn't affect p, then repeating it an arbitrary number of times doesn't affect p, either.

Example: (i=1) { while (i<10) i++ } (i≥10 ∧ i>=1)
p=(i>=1): the loop invariant; i++ only increases i.
S=(i++): the loop operation.
i>=10 is the same as ¬(i<10).
Note that (i≥10 ∧ i≥1) → i≥10, so we could write the above as: (i=1) { while (i<10) i++ } (i≥10)

Another example: condition is (j<=n), S is { sum += j; j++ }. What is p? A tricky calculation: we know that for a particular j, sum = 1+…+j-1 = (j-1)j/2, and this is true for all j<=n+1. Thus an appropriate loop invariant is p = (sum==(j-1)j/2 ∧ j<=n+1).

Thus, applying the loop rule:
(p ∧ condition) {S} p
--------------------------------
p { while condition S } (¬condition ∧ p)
we get:
((sum==(j-1)j/2 ∧ j<=n+1) ∧ j<=n) { sum += j; j++ } (sum==(j-1)j/2 ∧ j<=n+1)
--------------------------------
(sum==(j-1)j/2 ∧ j<=n+1) { while (j<=n) { sum += j; j++ } } (¬(j<=n) ∧ (sum==(j-1)j/2 ∧ j<=n+1))

Simplifying the last:
(¬(j<=n) ∧ (sum==(j-1)j/2 ∧ j<=n+1))
j>n ∧ j<=n+1 ∧ sum==(j-1)j/2
j==n+1 ∧ sum==(j-1)j/2
j==n+1 ∧ sum==(n+1-1)(n+1)/2
sum==n(n+1)/2
Done! Whew!
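The loop rule run as an executable check, as an added Python example that is not part of the notes: a small run_while helper asserts the invariant p at the loop head on every iteration (the premise (p ∧ condition) {S} p, one step at a time), and the caller checks the conclusion ¬condition ∧ p on the final state for both loops above. The helper and function names are my own; the loop state is kept in a dict.

```python
# Added example (not from the notes): the loop rule run as an executable check.
# run_while() executes "while condition S" and asserts the invariant p before
# every test of the condition, i.e. it checks the premise (p ∧ condition) {S} p
# one iteration at a time; the caller then checks ¬condition ∧ p on the result.

def run_while(state, condition, body, invariant):
    """Run the loop; raise AssertionError if p is ever false at the loop head."""
    assert invariant(state), f"invariant false on entry: {state}"
    while condition(state):
        body(state)
        assert invariant(state), f"invariant broken after body: {state}"
    return state

# The notes' first example: (i=1) { while (i<10) i++ } (i>=10 ∧ i>=1), p = (i>=1)
def count_to_ten():
    final = run_while({"i": 1},
                      condition=lambda s: s["i"] < 10,
                      body=lambda s: s.__setitem__("i", s["i"] + 1),
                      invariant=lambda s: s["i"] >= 1)
    postcondition_holds = not (final["i"] < 10) and final["i"] >= 1
    return final["i"], postcondition_holds

# The notes' second example: condition (j<=n), S = { sum += j; j++ },
# p = (sum == (j-1)j/2 ∧ j <= n+1); sum=0, j=1 on entry satisfies p
def sum_body(s):
    s["sum"] += s["j"]
    s["j"] += 1

def sum_to(n):
    final = run_while({"sum": 0, "j": 1, "n": n},
                      condition=lambda s: s["j"] <= s["n"],
                      body=sum_body,
                      invariant=lambda s: s["sum"] == (s["j"] - 1) * s["j"] // 2
                                          and s["j"] <= s["n"] + 1)
    # ¬(j<=n) ∧ p simplifies, as on the slide, to j == n+1 ∧ sum == n(n+1)/2
    assert final["j"] == n + 1
    assert final["sum"] == n * (n + 1) // 2
    return final["sum"]

# A wrong guess at p is caught at once: sum == j(j+1)/2 is one step off
def sum_with_wrong_invariant(n):
    try:
        run_while({"sum": 0, "j": 1, "n": n},
                  condition=lambda s: s["j"] <= s["n"],
                  body=sum_body,
                  invariant=lambda s: s["sum"] == s["j"] * (s["j"] + 1) // 2)
    except AssertionError:
        return False
    return True
```

Running the checker only exercises the invariant on the inputs tried; the slide's derivation is what shows it holds for every n.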
