CS477 Formal Software Dev Methods
Elsa L Gunter, 2112 SC, UIUC
[email protected]
http://courses.engr.illinois.edu/cs477
Slides based in part on previous lectures by Mahesh Viswanathan, and by Gul Agha
February 27, 2020
Elsa L Gunter CS477 Formal Software Dev Methods February 27, 2020 1 / 41
Floyd-Hoare Logic
Also called Axiomatic Semantics
Based on formal logic (first order predicate calculus)
Logical system built from axioms and inference rules
Mainly suited to simple imperative programming languages
Ideas applicable quite broadly
Floyd-Hoare Logic
Used to formally prove a property (post-condition) of the state (the values of the program variables) after the execution of a program, assuming another property (pre-condition) of the state holds before execution
Floyd-Hoare Logic
Goal: Derive statements of form
{P} C {Q}
P, Q logical statements about state; P precondition, Q postcondition, C program
Example:
{x = 1} x := x + 1 {x = 2}
Floyd-Hoare Logic
Approach: For each type of language statement, give an axiom or inference rule stating how to derive assertions of form
{P} C {Q}
where C is a statement of that type
Compose axioms and inference rules to build proofs for complex programs
Partial vs Total Correctness
An expression {P} C {Q} is a partial correctness statement
For total correctness must also prove that C terminates (i.e. doesn't run forever)
Written: [P] C [Q]
Will only consider partial correctness here
Simple Imperative Language
We will give rules for simple imperative language
〈command〉 ::= 〈variable〉 := 〈term〉
            | 〈command〉; . . . ; 〈command〉
            | if 〈statement〉 then 〈command〉 else 〈command〉
            | while 〈statement〉 do 〈command〉
Could add more features, like for-loops
Substitution
Notation: P[e/v] (sometimes P[v → e])
Meaning: Replace every v in P by e
Example:
(x + 2)[y − 1/x] = ((y − 1) + 2)
The Assignment Rule
{P[e/x]} x := e {P}
Example: { ? } x := y { x = 2 }
Answer: { y = 2 } x := y { x = 2 }
The Assignment Rule
{P[e/x]} x := e {P}
Examples:
{y = 2} x := y {x = 2}
{y = 2} x := 2 {y = x}
{x + 1 = n + 1} x := x + 1 {x = n + 1}
{2 = 2} x := 2 {x = 2}
The Assignment Rule – Your Turn
What is the weakest precondition of
{ ? } x := x + y { x + y = wx }
Answer (by the Assignment Rule, (x + y = wx)[x + y/x]):
{ (x + y) + y = w(x + y) } x := x + y { x + y = wx }
Precondition Strengthening
  P ⇒ P′    {P′} C {Q}
  ---------------------
       {P} C {Q}
Meaning: If we can show that P implies P′ (i.e. P ⇒ P′) and we can show that {P′} C {Q}, then we know that {P} C {Q}
P is stronger than P′ means P ⇒ P′
Precondition Strengthening
Examples:
  x = 3 ⇒ x < 7    {x < 7} x := x + 3 {x < 10}
  --------------------------------------------
  {x = 3} x := x + 3 {x < 10}

  True ⇒ (2 = 2)    {2 = 2} x := 2 {x = 2}
  ----------------------------------------
  {True} x := 2 {x = 2}

  x = n ⇒ x + 1 = n + 1    {x + 1 = n + 1} x := x + 1 {x = n + 1}
  ---------------------------------------------------------------
  {x = n} x := x + 1 {x = n + 1}
Which Inferences Are Correct?
  {x > 0 ∧ x < 5} x := x ∗ x {x < 25}
  -----------------------------------  YES
  {x = 3} x := x ∗ x {x < 25}

  {x = 3} x := x ∗ x {x < 25}
  -----------------------------------  NO
  {x > 0 ∧ x < 5} x := x ∗ x {x < 25}

  {x ∗ x < 25} x := x ∗ x {x < 25}
  -----------------------------------  YES
  {x > 0 ∧ x < 5} x := x ∗ x {x < 25}
Post Condition Weakening
  {P} C {Q′}    Q′ ⇒ Q
  --------------------
       {P} C {Q}
Example:
  {x + y = 5} x := x + y {x = 5}    (x = 5) ⇒ (x < 10)
  ---------------------------------------------------
  {x + y = 5} x := x + y {x < 10}
Rule of Consequence
  P ⇒ P′    {P′} C {Q′}    Q′ ⇒ Q
  --------------------------------
             {P} C {Q}
Logically equivalent to the combination of Precondition Strengthening and Postcondition Weakening
(to recover either of those rules from it, use the trivial implications P ⇒ P and Q ⇒ Q)
Sequencing
  {P} C1 {Q}    {Q} C2 {R}
  ------------------------
       {P} C1; C2 {R}
Example:
  {z = z ∧ z = z} x := z {x = z ∧ z = z}    {x = z ∧ z = z} y := z {x = z ∧ y = z}
  --------------------------------------------------------------------------------
  {z = z ∧ z = z} x := z; y := z {x = z ∧ y = z}
If Then Else
  {P ∧ B} C1 {Q}    {P ∧ ¬B} C2 {Q}
  ----------------------------------
  {P} if B then C1 else C2 {Q}
Example:
{y = a} if x < 0 then y := y − x else y := y + x {y = a + |x|}
By If Then Else Rule suffices to show:
(1) {y = a ∧ x < 0} y := y − x {y = a + |x|} and
(4) {y = a ∧ ¬(x < 0)} y := y + x {y = a + |x|}
(1) {y = a ∧ x < 0} y := y − x {y = a + |x|}
  (3) (y = a ∧ x < 0) ⇒ (y − x = a + |x|)    (2) {y − x = a + |x|} y := y − x {y = a + |x|}
  ---------------------------------------------------------------------------------------
  (1) {y = a ∧ x < 0} y := y − x {y = a + |x|}
(1) reduces to (2) and (3) by Precondition Strengthening
(2) instance of Assignment Axiom
(3) holds since x < 0 ⇒ |x| = −x
(4) {y = a ∧ ¬(x < 0)} y := y + x {y = a + |x|}
  (6) (y = a ∧ ¬(x < 0)) ⇒ (y + x = a + |x|)    (5) {y + x = a + |x|} y := y + x {y = a + |x|}
  ---------------------------------------------------------------------------------------------
  (4) {y = a ∧ ¬(x < 0)} y := y + x {y = a + |x|}
(4) reduces to (5) and (6) by Precondition Strengthening
(5) follows from Assignment Axiom
(6) holds since ¬(x < 0) ⇒ |x| = x
If Then Else
  (1) {y = a ∧ x < 0} y := y − x {y = a + |x|}    (4) {y = a ∧ ¬(x < 0)} y := y + x {y = a + |x|}
  -----------------------------------------------------------------------------------------------
  {y = a} if x < 0 then y := y − x else y := y + x {y = a + |x|}
by the If Then Else Rule
While
We need a rule to be able to make assertions about while loops.
Inference rule because we can only draw conclusions if we know something about the body
Let's start with:
  { ? } C { ? }
  -----------------------
  { ? } while B do C {P}
While
Loop may never execute
To know P holds after, it had better hold before
Second approximation:
  { ? } C { ? }
  -----------------------
  {P} while B do C {P}
While
Loop may execute C; the end of the loop is then the end of C
P holds at end of while means P holds at end of loop body C
P holds at start of while; loop taken means P ∧ B holds at start of C
Third approximation:
  {P ∧ B} C {P}
  ---------------------
  {P} while B do C {P}
While
Always know ¬B when while loop finishes
Final While rule:
  {P ∧ B} C {P}
  --------------------------
  {P} while B do C {P ∧ ¬B}
While
  {P ∧ B} C {P}
  --------------------------
  {P} while B do C {P ∧ ¬B}
P satisfying this rule is called a loop invariant
Must hold before and after each iteration of the loop
While
While rule generally used with precondition strengthening and postcondition weakening
No algorithm for computing P in general
Requires intuition and an understanding of why the program works
Example
Prove:
  {n ≥ 0}
  x := 0; y := 0;
  while x < n do
    (y := y + ((2 ∗ x) + 1);
     x := x + 1)
  {y = n ∗ n}
Example
Need to find P that is true before and after loop is executed, such that
(P ∧ ¬(x < n))⇒ y = n ∗ n
Example
First attempt: y = x ∗ x
Motivation:
Want y = n ∗ n
x counts up to n
Guess: Each pass of loop calculates next square
Example
By Post-condition Weakening, suffices to show:
(1) {n ≥ 0} x := 0; y := 0; while x < n do (y := y + ((2 ∗ x) + 1); x := x + 1) {y = x ∗ x ∧ ¬(x < n)}
and
(2) (y = x ∗ x ∧ ¬(x < n))⇒ (y = n ∗ n)
Problem with (2)
Want (2) (y = x ∗ x ∧ ¬(x < n)) ⇒ (y = n ∗ n)
From ¬(x < n) have x ≥ n
Need x = n
Don't know this; from x ≥ n alone could have x > n
Need stronger invariant
Try adding x ≤ n
Then have ((x ≤ n) ∧ ¬(x < n)) ⇒ (x = n)
Then have x = n when loop done
Example
Second attempt:
P = ((y = x ∗ x) ∧ (x ≤ n))
Again by Post-condition Weakening, suffices to show:
(1) {n ≥ 0} x := 0; y := 0; while x < n do (y := y + ((2 ∗ x) + 1); x := x + 1) {(y = x ∗ x) ∧ (x ≤ n) ∧ ¬(x < n)}
and
(2) ((y = x ∗ x) ∧ (x ≤ n) ∧ ¬(x < n)) ⇒ (y = n ∗ n)
Proof of (2)
(¬(x < n))⇒ (x ≥ n)
((x ≥ n) ∧ (x ≤ n))⇒ (x = n)
((x = n) ∧ (y = x ∗ x))⇒ (y = n ∗ n)
Example
For (1), set up While Rule using Sequencing Rule
By Sequencing Rule, suffices to show
(3) {n ≥ 0} x := 0; y := 0 {(y = x ∗ x) ∧ (x ≤ n)}
and
(4) {(y = x ∗ x) ∧ (x ≤ n)} while x < n do (y := y + ((2 ∗ x) + 1); x := x + 1) {(y = x ∗ x) ∧ (x ≤ n) ∧ ¬(x < n)}
Proof of (4)
By While Rule
  (5) {(y = x ∗ x) ∧ (x ≤ n) ∧ (x < n)} y := y + ((2 ∗ x) + 1); x := x + 1 {(y = x ∗ x) ∧ (x ≤ n)}
  ------------------------------------------------------------------------------------------------
  {(y = x ∗ x) ∧ (x ≤ n)} while x < n do (y := y + ((2 ∗ x) + 1); x := x + 1) {(y = x ∗ x) ∧ (x ≤ n) ∧ ¬(x < n)}
Proof of (5)
By Sequencing Rule
  (6) {(y = x ∗ x) ∧ (x ≤ n) ∧ (x < n)} y := y + ((2 ∗ x) + 1) {(y = (x + 1) ∗ (x + 1)) ∧ ((x + 1) ≤ n)}
  (7) {(y = (x + 1) ∗ (x + 1)) ∧ ((x + 1) ≤ n)} x := x + 1 {(y = x ∗ x) ∧ (x ≤ n)}
  ------------------------------------------------------------------------------------------------------
  {(y = x ∗ x) ∧ (x ≤ n) ∧ (x < n)} y := y + ((2 ∗ x) + 1); x := x + 1 {(y = x ∗ x) ∧ (x ≤ n)}
(7) holds by Assignment Axiom
Proof of (6)
By Precondition Strengthening
  (8) ((y = x ∗ x) ∧ (x ≤ n) ∧ (x < n)) ⇒ (((y + ((2 ∗ x) + 1)) = (x + 1) ∗ (x + 1)) ∧ ((x + 1) ≤ n))
  (9) {((y + ((2 ∗ x) + 1)) = ((x + 1) ∗ (x + 1))) ∧ ((x + 1) ≤ n)} y := y + ((2 ∗ x) + 1) {(y = (x + 1) ∗ (x + 1)) ∧ ((x + 1) ≤ n)}
  ----------------------------------------------------------------------------------------------------------------------------------
  {(y = x ∗ x) ∧ (x ≤ n) ∧ (x < n)} y := y + ((2 ∗ x) + 1) {(y = (x + 1) ∗ (x + 1)) ∧ ((x + 1) ≤ n)}
Have (9) by Assignment Axiom
Proof of (8)
(Assuming x integer) (x < n) ⇒ ((x + 1) ≤ n)
(y = x ∗ x) ⇒ ((y + ((2 ∗ x) + 1)) = ((x ∗ x) + ((2 ∗ x) + 1)) = ((x + 1) ∗ (x + 1)))
That finishes (8), and thus (6), thus (5), and thus (4) (the while loop)
Still need (3) {n ≥ 0} x := 0; y := 0 {(y = x ∗ x) ∧ (x ≤ n)}
Proof of (3)
By Sequencing
  (10) {n ≥ 0} x := 0 {(0 = x ∗ x) ∧ (x ≤ n)}
  (11) {(0 = x ∗ x) ∧ (x ≤ n)} y := 0 {(y = x ∗ x) ∧ (x ≤ n)}
  -----------------------------------------------------------
  {n ≥ 0} x := 0; y := 0 {(y = x ∗ x) ∧ (x ≤ n)}
Have (11) by Assignment Axiom
Proof of (10)
By Precondition Strengthening
  (12) (n ≥ 0) ⇒ ((0 = 0 ∗ 0) ∧ (0 ≤ n))
  (13) {(0 = 0 ∗ 0) ∧ (0 ≤ n)} x := 0 {(0 = x ∗ x) ∧ (x ≤ n)}
  -----------------------------------------------------------
  {n ≥ 0} x := 0 {(0 = x ∗ x) ∧ (x ≤ n)}
For (12), 0 = 0 ∗ 0 and (n ≥ 0) ⇔ (0 ≤ n)
Have (13) by Assignment Axiom
Finishes (10), thus (3), thus (1)
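As an added example (not from the lecture), the following Python script mechanises the bookkeeping of the proof above: it applies the Assignment, Sequencing, If-Then-Else and While rules from the slides to the square program, with the loop invariant supplied by hand, and emits the proof obligations such as (8) and (2). It assumes assertions written as Python expressions, and checks each obligation by brute force over a small box of integer states, which is a bounded sanity check rather than a proof; with the first attempt y = x ∗ x it reports the failing obligation (2), with the second attempt every obligation holds.

```python
"""Verification conditions for the slides' simple imperative language (added example).

Assertions and terms are Python expression strings (== for =, and/not for ∧/¬);
commands are tuples. wp() applies the Assignment, Sequencing, If-Then-Else and
While rules; the implications it produces are checked by brute force over a small
integer box, a bounded sanity check rather than a proof. Needs Python 3.9+.
"""
import ast
import copy
import itertools

def subst(assertion, var, term):
    """P[term/var]: replace every occurrence of var in assertion by term."""
    term_tree = ast.parse(term, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(term_tree) if node.id == var else node

    return ast.unparse(Sub().visit(ast.parse(assertion, mode="eval")))

def wp(cmd, post):
    """Return (precondition, side conditions) for {?} cmd {post}; a side
    condition (hyp, concl) stands for the implication hyp ⇒ concl."""
    kind = cmd[0]
    if kind == "assign":                 # {P[e/x]} x := e {P}
        _, x, e = cmd
        return subst(post, x, e), []
    if kind == "seq":                    # {P} C1 {Q}   {Q} C2 {R}
        _, c1, c2 = cmd
        q, vcs2 = wp(c2, post)
        p, vcs1 = wp(c1, q)
        return p, vcs1 + vcs2
    if kind == "if":                     # {P ∧ B} C1 {Q}   {P ∧ ¬B} C2 {Q}
        _, b, c1, c2 = cmd
        p1, v1 = wp(c1, post)
        p2, v2 = wp(c2, post)
        return f"(({b}) and ({p1})) or (not ({b}) and ({p2}))", v1 + v2
    if kind == "while":                  # {P ∧ B} C {P}  /  {P} while B do C {P ∧ ¬B}
        _, b, inv, body = cmd            # inv is the loop invariant P, supplied by hand
        p_body, v_body = wp(body, inv)
        return inv, v_body + [(f"({inv}) and ({b})", p_body),    # P ∧ B ⇒ wp(C, P)
                              (f"({inv}) and not ({b})", post)]  # P ∧ ¬B ⇒ Q
    raise ValueError(f"unknown command {kind}")

def counterexample(hyp, concl, names, lo=-3, hi=6):
    """Bounded check of hyp ⇒ concl over integer states: a falsifying state or None."""
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        state = dict(zip(names, values))
        if eval(hyp, {}, dict(state)) and not eval(concl, {}, dict(state)):
            return state
    return None

def verify(pre, cmd, post, names):
    """Check {pre} cmd {post}; returns the failing (hyp, concl, state) triples."""
    p, vcs = wp(cmd, post)
    failures = []
    for hyp, concl in [(pre, p)] + vcs:  # (pre, p) is precondition strengthening
        cex = counterexample(hyp, concl, names)
        if cex is not None:
            failures.append((hyp, concl, cex))
    return failures

def square_program(inv):
    """The slides' program: x := 0; y := 0; while x < n do (y := y + 2x + 1; x := x + 1)."""
    init = ("seq", ("assign", "x", "0"), ("assign", "y", "0"))
    body = ("seq", ("assign", "y", "y + ((2 * x) + 1)"), ("assign", "x", "x + 1"))
    return ("seq", init, ("while", "x < n", inv, body))

NAMES = ["x", "y", "n"]
FIRST_ATTEMPT = "y == x * x"              # slide 30: too weak, obligation (2) fails
SECOND_ATTEMPT = "y == x * x and x <= n"  # slide 33: the invariant that works

if __name__ == "__main__":
    for inv in (FIRST_ATTEMPT, SECOND_ATTEMPT):
        fails = verify("n >= 0", square_program(inv), "y == n * n", NAMES)
        print(f"invariant {inv!r}:", "all obligations hold" if not fails else fails)
```

The failing obligation for the first attempt is reported together with a state such as x > n that falsifies it, which is exactly the gap the "Problem with (2)" slide identifies.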