Program verification using Hoare’s logic, book: chapter 7

Post on 28-Mar-2015


Program Verification Using Hoare’s Logic. Book: Chapter 7

While programs

Assignment: y:=t
Composition: S1; S2
If-then-else: if e then S1 else S2 fi
While: while e do S od

Greatest common divisor

{x1>0 /\ x2>0}
y1:=x1; y2:=x2;
while ¬(y1=y2) do
  if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi
od
{y1=gcd(x1,x2)}

Why does it work?

Suppose that y1, y2 are both positive integers.
If y1>y2 then gcd(y1,y2)=gcd(y1-y2,y2).
If y2>y1 then gcd(y1,y2)=gcd(y1,y2-y1).
If y1=y2 then gcd(y1,y2)=y1=y2.

Assignment axiom

{p[t/y]} y:=t {p}

For example:
{y+5=10} y:=y+5 {y=10}
{y+y<z} x:=y {x+y<z}
{2*(y+5)>20} y:=2*(y+5) {y>20}

Justification: write p with y’ instead of y, and add the conjunct y’=t. Next, eliminate y’ by replacing y’ by t.

Why does the axiom work backwards?

{p} y:=t {?}

Strategy: write p and the conjunct y=t, where y’ replaces y in both p and t. Eliminate y’.

{y>5} y:=2*(y+5) {?}

{p} y:=t {∃y’ (p[y’/y] /\ t[y’/y]=y)}

Here: y’>5 /\ y=2*(y’+5) -> y>20

Composition rule

{p} S1 {r}, {r} S2 {q}
----------------------
{p} S1;S2 {q}

For example, if the antecedents are
1. {x+1=y+2} x:=x+1 {x=y+2}
2. {x=y+2} y:=y+2 {x=y}
then the consequent is
{x+1=y+2} x:=x+1; y:=y+2 {x=y}

More examples

{p} S1 {r}, {r} S2 {q}
----------------------
{p} S1;S2 {q}

{x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}

{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}

{x1>0/\x2>0} y1:=x1 ; y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}

If-then-else rule

{p/\e} S1 {q}, {p/\¬e} S2 {q}
-----------------------------
{p} if e then S1 else S2 fi {q}

For example:
p is gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0 /\ ¬(y1=y2)
e is y1>y2
S1 is y1:=y1-y2
S2 is y2:=y2-y1
q is gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0

While rule

{p/\e} S {p}
----------------------------
{p} while e do S od {p/\¬e}

Example:
p is gcd(y1,y2)=gcd(x1,x2) /\ y1>0 /\ y2>0
e is ¬(y1=y2)
S is if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi

Consequence rules

Strengthen a precondition:
r -> p, {p} S {q}
-----------------
{r} S {q}

Weaken a postcondition:
{p} S {q}, q -> r
-----------------
{p} S {r}

Use of first consequence rule

Want to prove
{x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}

By the assignment rule:
{gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}

And the implication:
x1>0/\x2>0 -> gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0

Combining program

{x1>0 /\ x2>0} y1:=x1; y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}

{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0} while ¬(y1=y2) do if e then S1 else S2 fi od {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}

Combine the above using the composition (concatenation) rule!

Not completely finished

{x1>0/\x2>0} y1:=x1; y2:=x2; while ¬(y1=y2) do if e then S1 else S2 fi od {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2}

But we wanted to prove:
{x1>0/\x2>0} Prog {y1=gcd(x1,x2)}

Use of second consequence rule

{x1>0/\x2>0} Prog {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2}

And the implication
gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2 -> y1=gcd(x1,x2)

Thus,
{x1>0/\x2>0} Prog {y1=gcd(x1,x2)}

Annotating a while program

{x1>0/\x2>0}
y1:=x1;
{gcd(x1,x2)=gcd(y1,x2) /\ y1>0 /\ x2>0}
y2:=x2;
{gcd(x1,x2)=gcd(y1,y2) /\ y1>0 /\ y2>0}
while ¬(y1=y2) do
  {gcd(x1,x2)=gcd(y1,y2) /\ y1>0 /\ y2>0 /\ ¬(y1=y2)}
  if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi
od
{y1=gcd(x1,x2)}

Another example

{x>=0 /\ y>=0}
a:=0; b:=x;
while b>=y do
  b:=b-y; a:=a+1
od
{x=a*y+b /\ b>=0 /\ b<y}

Invariant: x=a*y+b /\ b>=0

Invariant

How to start the proof? Heuristics: find an invariant for each loop.

For this example: x=a*y+b /\ b>=0.

Note: total correctness does not hold for y=0. Total correctness (with y>0) is to be proved separately.

Proof

(1) {x=a*y+x/\x>=0} b:=x {x=a*y+b/\b>=0} (Assignment)
(2) {x=0*y+x/\x>=0} a:=0 {x=a*y+x/\x>=0} (Assignment)
(3) {x=0*y+x/\x>=0} a:=0; b:=x {x=a*y+b/\b>=0} (Composition (2), (1))

Rules used:

{p[t/y]} y:=t {p}

{p} S1 {r}, {r} S2 {q}
----------------------
{p} S1;S2 {q}

Proof (cont.)

(4) {x=(a+1)*y+b/\b>=0} a:=a+1 {x=a*y+b/\b>=0} (Assignment)
(5) {x=(a+1)*y+b-y/\b-y>=0} b:=b-y {x=(a+1)*y+b/\b>=0} (Assignment)
(6) {x=(a+1)*y+b-y/\b-y>=0} b:=b-y; a:=a+1 {x=a*y+b/\b>=0} (Composition (5), (4))

Rules used:

{p[t/y]} y:=t {p}

{p} S1 {r}, {r} S2 {q}
----------------------
{p} S1;S2 {q}

While rule

{p/\e} S {p}
----------------------------
{p} while e do S od {p/\¬e}

Consequence rules

Strengthen a precondition:
r -> p, {p} S {q}
-----------------
{r} S {q}

Weaken a postcondition:
{p} S {q}, q -> r
-----------------
{p} S {r}

Proof (cont.)

(7) x=a*y+b/\b>=0/\b>=y -> x=(a+1)*y+b-y/\b-y>=0 (Logic)
(8) {x=a*y+b/\b>=0/\b>=y} b:=b-y; a:=a+1 {x=a*y+b/\b>=0} (Consequence (6), (7))
(9) {x=a*y+b/\b>=0} while b>=y do b:=b-y; a:=a+1 od {x=a*y+b/\b>=0/\b<y} (While (8))

Proof (cont.)

(10) {x=0*y+x/\x>=0} Prog {x=a*y+b/\b>=0/\b<y} (Composition (3), (9))
(11) x>=0/\y>=0 -> x=0*y+x/\x>=0 (Logic)
(12) {x>=0/\y>=0} Prog {x=a*y+b/\b>=0/\b<y} (Consequence (10), (11))
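As an added example (not from the book or these slides), the assignment axiom implemented as substitution on Python expressions, with a finite-domain check standing in for the oracle that decides pure implications; it generates and checks the verification conditions of both the gcd program and the division example above. The assertion strings, the variable domain 0..6 and the function names are assumptions of this example, not the book's.

```python
import ast
import math
from itertools import product

# Added example, not from the book or slides (Python 3.9+ for ast.unparse).
# Assertions are Python boolean expressions written by hand below; eval() only
# ever sees these constructed strings, never external input.
def subst(p, var, t):
    """p[t/var]: the precondition the assignment axiom gives for var:=t with postcondition p."""
    repl = ast.parse(t, mode="eval").body
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return repl if node.id == var else node
    return ast.unparse(Sub().visit(ast.parse(p, mode="eval")))

def implies(p, q, names, domain=range(0, 7)):
    """Finite-domain check of p -> q: a stand-in for the oracle deciding pure implications."""
    funcs = {"gcd": math.gcd}
    for vals in product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if eval(p, funcs, env) and not eval(q, funcs, env):
            return False
    return True

def gcd_vcs():
    """Verification conditions for the gcd program under its loop invariant inv."""
    inv = "gcd(x1, x2) == gcd(y1, y2) and y1 > 0 and y2 > 0"
    e = "not y1 == y2"
    return {
        # {x1>0 /\ x2>0} y1:=x1; y2:=x2 {inv}: two assignment axioms composed backwards
        "init": ("x1 > 0 and x2 > 0", subst(subst(inv, "y2", "x2"), "y1", "x1")),
        # while-rule premise {inv /\ e} S {inv}, split by the if-then-else rule
        "then": (f"{inv} and {e} and y1 > y2", subst(inv, "y1", "y1 - y2")),
        "else": (f"{inv} and {e} and not y1 > y2", subst(inv, "y2", "y2 - y1")),
        # while rule yields inv /\ ¬e; the second consequence rule needs this implication
        "exit": (f"{inv} and not ({e})", "y1 == gcd(x1, x2)"),
    }

def division_vcs():
    """Same for a:=0; b:=x; while b>=y do b:=b-y; a:=a+1 od with invariant x=a*y+b and b>=0."""
    inv = "x == a * y + b and b >= 0"
    return {
        "init": ("x >= 0 and y >= 0", subst(subst(inv, "b", "x"), "a", "0")),
        "body": (f"{inv} and b >= y", subst(subst(inv, "a", "a + 1"), "b", "b - y")),
        "exit": (f"{inv} and not b >= y", "x == a * y + b and b >= 0 and b < y"),
    }

def check(vcs, names):
    # map each verification condition to whether it holds on the finite domain
    return {name: implies(p, q, names) for name, (p, q) in vcs.items()}
```

The "body" condition of division_vcs() is exactly step (7) of the proof, and checking it for y=0 as well shows that partial correctness, unlike termination, does not need y>0.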

Soundness

Hoare logic is sound in the sense that everything that can be proved is correct!

This follows from the fact that each axiom and proof rule preserves soundness.

Completeness

A proof system is called complete if every correct assertion can be proved.

Propositional logic is complete. No deductive system for the standard arithmetic can be complete (Gödel).

And for Hoare’s logic?

Let S be a program and p its precondition.

Then {p} S {false} means that S never terminates when started from p. This is undecidable. Thus, Hoare’s logic cannot be complete.

Weakest precondition, Strongest postcondition

For an assertion p and code S, let post(p,S) be the strongest assertion such that {p} S {post(p,S)}.
That is, if {p} S {q} then post(p,S) -> q.

For an assertion q and code S, let pre(S,q) be the weakest assertion such that {pre(S,q)} S {q}.
That is, if {p} S {q} then p -> pre(S,q).

Relative completeness

Suppose that either post(p,S) exists for each p, S, or pre(S,q) exists for each S, q, and that some oracle decides pure implications. Then each correct Hoare triple can be proved.

What does that mean? The weakness of the proof system stems from the weakness of the (FO) logic, not of Hoare’s proof system.

Extensions

Many extensions of Hoare’s proof rules exist:
Total correctness
Arrays
Subroutines
Concurrent programs
Fairness

Proof rule for total correctness

{p/\e/\t=z} S {p/\t<z}, p -> t>=0
---------------------------------
{p} while e do S od {p/\¬e}

where z is an integer variable not appearing in p, t, e, S, and t is an integer expression.
