
Hoare's axiomatisation
Loop invariants

Algorithms and Complexity Theory

Matei Popovici

16 November 2012


Correctness - Motivation

Correctness, so far:

- Checking if an ADT specification has desirable properties
- Verifying whether an implementation of an ADT satisfies the specification (axioms)

What more to expect? [1]

- 50% of software development is focused on testing and debugging
- roughly 2 out of 6 software projects never reach completion
- people may actually die due to software errors: in 1991, during the Gulf War, an American missile failed to hit an enemy missile due to accumulated errors in real-number computations. 28 people died.

Peter Naur: "It is a deplorable consequence of the lack of influence of mathematical thinking on the way in which computer programming is being pursued."

Edsger W. Dijkstra: "Testing shows the presence, not the absence of bugs [..] it is not only the programmer's responsibility to produce a correct program but also to demonstrate its correctness in a convincing manner."


implementations) to programs in general.


The program output is valid...

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion:

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion:

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

What about program termination ?

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

What about program termination ? Can we prove it ?

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

What about program termination ? Can we prove it ? No!

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

What about program termination ? Can we prove it ? No!

Partial correctness

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

What about program termination ? Can we prove it ? No!

Partial correctness vs Total correctness

Motivation

Hoares axiomatisation

The program output is valid...

... iff the program input is valid

Validity of program input/output:

Defined w.r.t input/output assertions (predicates)

Example

A program computing the square root of a number:

A(x) = y

Input assertion: Pin (x) x > 0

Output assertion: Pout (x, y ) y 2 = x

What about program termination ? Can we prove it ? No!

Partial correctness vs Total correctness

Can we prove partial correctness ?

The program output is valid ... iff the program input is valid.

Validity of program input/output is defined w.r.t. input/output assertions (predicates).

Example: a program computing the square root of a number, A(x) = y

- Input assertion: $P_{in}(x) \equiv x > 0$
- Output assertion: $P_{out}(x, y) \equiv y^2 = x$

What about program termination? Can we prove it? No!

Partial correctness vs total correctness

Can we prove partial correctness? Automatically?

Hoare's idea

Denotational semantics:
to the constructs of a language

{P}A{Q} - P, Q are the input/output assertions, respectively; A is the program

Step 1: Break the program A into parts. More complex programs are built from simpler ones using construction rules (combinators):

- v := e is a program (assignment)
- if A1, A2 are programs then A1; A2 is a program (sequence)
- if b is a program expression producing a boolean result and A1, A2 are programs then if b then A1 else A2 is a program (conditional)
- if b is a program expression producing a boolean result and A is a program then while b do A is a program (loop)

Hoare's idea

a step-by-step proof of partial correctness


Rules of inference

$$\frac{\{P\}\,A_1\,\{R\} \quad \{R\}\,A_2\,\{Q\}}{\{P\}\,A_1 ; A_2\,\{Q\}} \quad \text{(sequence)}$$

$$\frac{\text{true}}{\{Q[v \leftarrow e]\}\ v := e\ \{Q\}} \quad \text{(assignment)}$$

where $Q[v \leftarrow e]$ is Q with every free occurrence of v replaced by e.

$$\frac{\{P \wedge b\}\,A_1\,\{Q\} \quad \{P \wedge \neg b\}\,A_2\,\{Q\}}{\{P\}\ \text{if } b \text{ then } A_1 \text{ else } A_2\ \{Q\}} \quad \text{(if)}$$

$$\frac{\{P\}\,A\,\{R\}, \quad R \Rightarrow Q}{\{P\}\,A\,\{Q\}} \quad \text{(cons1)}$$

$$\frac{P \Rightarrow R, \quad \{R\}\,A\,\{Q\}}{\{P\}\,A\,\{Q\}} \quad \text{(cons2)}$$

Step 3: Build a proof tree starting from the complex program (- blackboard -)

Loop invariants

$$\frac{P \Rightarrow I(0) \quad b \wedge I(k) \Rightarrow I(k+1) \quad \neg b \wedge I(N) \Rightarrow Q}{\{P\}\ \text{while } b \text{ do } A\ \{Q\}} \quad \text{(loop)}$$

- I is a loop invariant (the invariant does not change during any iteration); I(k) denotes the invariant after k iterations, and N is the number of iterations at exit
- In general, I cannot be automatically inferred. We must specify it.

Roadmap

- $P \Rightarrow I(0)$ (initialisation)
- $b \wedge I(k) \Rightarrow I(k+1)$ (maintenance)
- $\neg b \wedge I(N) \Rightarrow Q$ (termination)

Recall that P is the precondition and Q is the postcondition.

If all three steps are proved, then {P} while b do A {Q} holds (is true).
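As an added example (not code from the slides), the three obligations of the (loop) rule above and the assignment axiom's substitution Q[v ← e] from the rules of inference, applied to the slides' square-root program turned into an integer linear search; the names check_loop, subst, integer_sqrt, the predicates and the relaxed integer postcondition y² ≤ x < (y+1)² are my own assumptions. It also shows a wrong invariant being caught at the maintenance step rather than producing a wrong answer.

```python
# Added example, not from the slides: the three obligations of the (loop) rule
# checked on a concrete execution, and the assignment axiom {Q[v <- e]} v := e {Q}
# realised as substitution on a state dict. Assertions are Python predicates
# over the state; every name below is my own.

def subst(Q, v, e):
    """Q[v <- e]: Q evaluated with v replaced by the value of e in the current
    state. By the assignment axiom this is the precondition of `v := e` for Q."""
    return lambda s: Q({**s, v: e(s)})

def check_loop(P, I, b, body, Q, state):
    """Execute `while b do body` from `state`, checking along the way
    initialisation  P => I(0),
    maintenance     b and I(k) => I(k+1),
    termination     not b and I(N) => Q.
    Returns (final_state, iterations); raises AssertionError naming the first
    obligation that fails, so a wrong invariant is reported, not silently used."""
    assert P(state), "precondition P does not hold on the input state"
    assert I(state), "initialisation: P => I(0) fails"
    k = 0
    while b(state):
        state = body(state)
        k += 1
        assert I(state), f"maintenance: b and I({k - 1}) => I({k}) fails"
    assert Q(state), f"termination: not b and I({k}) => Q fails"
    return state, k

# The slides' square-root program A(x) = y, made an integer linear search:
#   y := 0; while (y+1)^2 <= x do y := y + 1
# Invariant I: y^2 <= x. Postcondition Q relaxes the slides' y^2 = x to
# integers: y^2 <= x < (y+1)^2.
P_in = lambda s: s["x"] >= 0 and s["y"] == 0
I = lambda s: s["y"] ** 2 <= s["x"]
b = lambda s: (s["y"] + 1) ** 2 <= s["x"]
step = lambda s: {**s, "y": s["y"] + 1}          # loop body: y := y + 1
Q = lambda s: s["y"] ** 2 <= s["x"] < (s["y"] + 1) ** 2

def integer_sqrt(x):
    final, _ = check_loop(P_in, I, b, step, Q, {"x": x, "y": 0})
    return final["y"]

def maintenance_via_wp(x, y):
    """Maintenance for the body y := y + 1 is  b and I => I[y <- y+1].
    With I: y^2 <= x, I[y <- y+1] is (y+1)^2 <= x, which is the guard b itself,
    so the implication holds in every state."""
    s = {"x": x, "y": y}
    return (not (b(s) and I(s))) or subst(I, "y", lambda t: t["y"] + 1)(s)

def bad_invariant_is_caught(x):
    """I': y == 0 satisfies initialisation (P => I') but is not maintained;
    check_loop reports the failure at the first iteration."""
    try:
        check_loop(P_in, lambda s: s["y"] == 0, b, step, Q, {"x": x, "y": 0})
    except AssertionError as err:
        return str(err).startswith("maintenance")
    return False
```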

Examples

- Example - Blackboard -

Question

Bibliography I

[1] Militon Frentiu. Correctness: A very important quality factor in programming. Studia Univ. Babes-Bolyai, Informatica, 2005.
