Program Correctness: Jorge A. Pérez

Program Correctness
Lecture 1
Jorge A. Pérez
(based on slides by Arnold Meijster)
Bernoulli Institute for Mathematics, Computer Science, and AI

University of Groningen, Groningen, the Netherlands
February 6, 2023
Overview
Mathematical Background
Programs and Their Specifications
Hoare Logic
Triples
Assignments
Weakening and Strengthening
Sequential Composition and Conditionals
Examples of Annotations
Assignments
Conditionals
Exercise 5.6
Summary of Background
2 / 60
This Course
I Dijkstra’s hand in hand approach for imperative programs.

I Deductive verification based on Hoare logic
I The main mathematical object of interest: the Hoare triple
fP g S fQ g
S is a program statement (or command)
P and Q are logical formulas: precondition and postcondition
I Intuitively, a contract:
If we can ensure property P holds before executing S , then we
are guaranteed that property Q holds after the execution ends.
I Our goal is to prove that fP g S fQ g is valid.
Starting from P and Q, we deduce S by applying rules.
Actually, we discover S based on P and Q.
3 / 60
Outline
Hoare Logic
Triples
Assignments
Assignments
Conditionals
Exercise 5.6
4 / 60
Background
We shall follow notations as in Chapter 2 of the Lecture Notes:

I Identifiers
I Types as sets of values
I Declarations
I Formulas / conditions / sets
I Integer division
I Conditional expressions
I Intervals / minima & maxima operators
I Bags and families (sums and products)
I Quantifiers and predicates
We don’t fully repeat this content here. See at the end for a recap.
5 / 60
Identifiers
I constants:
1 ;:::; 2; 1; 0; 1; 2; : : : ; 1;
I variables
i ; j ; k ; m ; n ; p; q ; v ; w ; x ; y ; z
I specification constants (logical variables):
M;V;X;Y ;Z
I arrays:
a; b
6 / 60
Types as Sets of Values
Domains for identifiers:

I Z = f ; 3; 2; 1; 0; 1; 2; 3; g the set of integers
I N+ = N+ = f1; 2; 3; g the set of positive integers
I N = f0g [ N+ the set of natural numbers
I Z1 = f 1; 1g [ Z the set of integers including 1
I R the set of real numbers
I B = ftrue; falseg the set of booleans
7 / 60
Formulas / Conditions
Indicated by capital letters A; B ; C ; J ; P ; Q ; R, possibly with

subscripts.
Examples:
I atomic proposition:
x +3 > a [0]2 X =m +n
I (compound) proposition:
( n = 2 ^ m 0) ) m n y
I predicate:
8x (x 0 ) 9y (y 0 ^ x + y = 0))
8 / 60
Declarations
A typical example of a declaration would be:
const n : N; x : R; a : array [0::n ) of Z;

var i : N; y : R;
The program can modify variables under var .

Variables under const can only be inspected, but not modified.
9 / 60
Outline
Hoare Logic
Triples
Assignments
Assignments
Conditionals
Exercise 5.6
10 / 60
Program States
I A program S with n declared variables: x0 ; : : : ; xn 1.
I A state (or context) of program S is a set of n pairs
f(x0 m0) (xn 1 mn 1)g

; ;:::; ;
where, for each i 2 [0 n ), the value of mi is an element of the

::
domain of xi .
I A program’s execution depends on its current state.
I The state space is the set of all possible states of a program.
I We often talk about commands, rather than programs.
11 / 60
Program Correctness
I Program verification is about proving that a program has a

certain behavior. But this may mean different things.
I Our focus: does the program produce the expected output for a
given input?
I Thus, a program is correct if it satisfies a specification of its
input-output behavior.
12 / 60
Program Correctness
I Program verification is about proving that a program has a

certain behavior. But this may mean different things.
I Our focus: does the program produce the expected output for a
given input?
I Thus, a program is correct if it satisfies a specification of its
input-output behavior.
More precisely:
I Let S be a command with declared variables x0 ; : : : ; xn 1 .
I S is specified by a precondition P and a postcondition Q.
I P describes the state before execution of S
I Q describes the state after execution of S
I Formally, P and Q are formulas whose free variables are
x0 ; : : : ; xn 1 and specification constants X ; Y ; : : :.
12 / 60
A Small Programming Language
Our language for expressions:

I Numerical expressions (E ; E 0 ; : : :), such as ‘42’ and ‘x + 21’.
I Boolean expressions (B ; B 0 ; : : :), such as ‘true’ and ‘x 42’
Our language for commands S ; T ; : : ::
Syntax Description
skip Does nothing
x := E Store E into the variable x
S; T Run S followed by T
if B then S else T end If B is true then run S else run T
while B do S end As long as B is true then run S
An admittedly rudimentary language, yet it is as expressive as any

computer machine (aka Turing complete).
13 / 60
Familiar Commands are Derivable
if B then S end = if B then S else skip end

do S while B end = S ; while B do S end
for i := 0 to n do S end = i := 0; while i n do S ; i := i + 1 end
14 / 60
Two Simple Programs
Program A: Program B:
y := 1;
y := x ;
z := 0;
while (2 y ) do
while (z 6= x ) do
y := y 2
z := z + 1;
y := y z
end
end
What do they do?
15 / 60
Two Simple Programs
Program A: Program B:
y := 1;
y := x ;
z := 0;
while (2 y ) do
while (z 6= x ) do
y := y 2
z := z + 1;
y := y z
end
end
What do they do?

I A determines whether x is even (if y = 0) or odd (if y = 1)
I B computes x ! into y
15 / 60
Triples
A triple denotes a command with its precondition and postcondition:
fP g S fQ g
Intuitive reading:
I “If we execute S in any state in which (property) P holds,
then S will terminate in a state in which (property) Q holds”
In this course, we focus on total correctness:

a command must terminate to satisfy a specification.
16 / 60
Triples
A triple denotes a command with its precondition and postcondition:
fP g S fQ g
Intuitive reading:
I “If we execute S in any state in which (property) P holds,
In this course, we focus on total correctness:

a command must terminate to satisfy a specification.
Under partial correctness, we have a weaker requirement:

I “If we execute S in any state in which P holds, then S will reach
a state in which Q holds, provided it terminates”
Partial correctness is still useful and relevant.
16 / 60
Valid Tuples, Informally
Given the intended reading for the tuple fP g S fQ g
“If we execute S in any state in which (property) P holds,
we wish to identify valid tuples only.
17 / 60
Let’s start with intuitions — valid or invalid?
I fi = 0g i := i + 1 fi = 1g
17 / 60
I fi = 0g i := i + 1 fi = 1g Valid
17 / 60
I fi = 1g i := i + 1 fi = 0g
17 / 60
I fi = 1g i := i + 1 fi = 0g Invalid
17 / 60
I ftrueg i := 1 fi = 1g
17 / 60
I ftrueg i := 1 fi = 1g Valid
17 / 60
I fi + j = 0g i := i + 1; j := j 1; fi + j = 0g
17 / 60
I fi + j = 0g i := i + 1; j := j 1; fi + j = 0g Valid
17 / 60
I fi + j 6= 0g i := i + 1; j := j 1; fi + j = 0g
17 / 60
I fi + j 6= 0g i := i + 1; j := j 1; fi + j = 0g Invalid
17 / 60
I fi = 1g i := 0 ftrueg
17 / 60
I fi = 1g i := 0 ftrueg Valid
17 / 60
I ffalseg i := 1 fi = 0g
17 / 60
I ffalseg i := 1 fi = 0g Vacuously valid
17 / 60
I fi = 0g i := 1 ffalseg
17 / 60
I fi = 0g i := 1 ffalseg Invalid: One can’t end in a false state
17 / 60
I fi = 0g i := 1 ffalseg Invalid: One can’t end in a false state
Warning! Abuse of notation when using variable i !
17 / 60
Biregular Specifications
Consider a specification
fP g S fQ g
I It is pre-regular if P is independent of the initial values of its
variables (not the constants!)
I It is post-regular if the Q is of the form
(x1 = X1 ) ^ (x2 = X2 ) ^ ^ (xn = Xn )

where xi are variables and Xi are specification constants
I It is bi-regular if it is both pre- and post-regular.
We prefer bi-regular specifications whenever possible.
18 / 60
An Informal Specification
Given:
I an array a [0::n ) of real values
I a value w which is present in the array
We want a command that assigns to a variable x the smallest index

i for which a [i ] = w .
19 / 60
A Formal Specification (1/4)
We start with the declaration of some identifiers:
const n : N; w : R; a : array [0::n ) of R;

var x : N;
An initial pre/post-condition:
P : 9i 2 [0 n ) : a [i ] = w
::
Q : a [x ] = w ^ 8i 2 [0 n ) : (a [i ] = w ) x i )
::
The precondition P asserts the existence of the required index.

The postcondition Q assigns this index to x , enforcing minimality.
20 / 60
To obtain a post-regular spec, we define X in the precondition:
P :X 2 [0 n ) ^ a [X ] = w ^ 8i 2 [0 n ) : (a [i ] = w ) X i )
:: ::
Q :x =X
P can be expressed more compactly:
P : Min fi j 0 i < n ^ a [i ] = w g = X 1
<
21 / 60
So, the complete specification is:

var x : N;
fP : X 2 [0::n ) ^ a [X ] = w ^ 8i 2 [0::n ) : (a [i ] = w ) X i )g
S
fQ : x = X g
Equivalently:

var x : N;
fP : Min fi j 0 i < n ^ a [i ] = w g = X < 1g
S
fQ : x = X g
22 / 60
We started from

var x : N;
fP : 9i 2 [0::n ) : a [i ] = w g
S
fQ : a [x ] = w ^ 8i 2 [0::n ) : (a [i ] = w ) x i )g
and finally obtained

var x : N;
fP : Min fi j 0 i < n ^ a [i ] = w g = X < 1g
S
fQ : x = X g
Notice: the spec is post-regular and pre-regular: P is independent of
the initial values of its variables (not the constants!).
23 / 60
Not All Specifications are Satisfiable
The following specification is unsatisfiable (contradiction):
var x : N;
fP : trueg
S
f Q : x 2 = 5g
So is the following one (lack of information about X ):
var x : Z;
fP : X 2 = 25g
S
fQ : x = X g
24 / 60
Outline
Hoare Logic
Triples
Assignments
Assignments
Conditionals
Exercise 5.6
25 / 60
Hoare Logic
I Triples of the form fP g S fQ g are called Hoare triples

I Our goal is to prove that Hoare triples are valid.
We use a series of rules (and axioms) for this.
26 / 60
Hoare Logic
I Triples of the form fP g S fQ g are called Hoare triples

I Our goal is to prove that Hoare triples are valid.
We use a series of rules (and axioms) for this.
I Rules are of the form
Premise1 Premisen
Conclusion
Read: from the premises the conclusion holds.
I Each command has a rule. We combine these rules into proofs
about complex commands.
I We now examine the rules of Hoare logic.
They are sound: they don’t allow us to prove invalid tuples.
26 / 60
Rule for skip
fP g skip fP g
I No premises: this is an axiom.
I After running skip in any state in which P holds, we reach a
state in which P holds (actually, we remain in the same state)
27 / 60
A Rule for Assignment?
We shall be looking for another axiom. For the moment:
fP g x := E fQ g
What should P and Q be?
28 / 60
fP g x := E fQ g
What should P and Q be? Some guiding intuitions:
I They are related, but cannot be equal.
I After the assignment, Q is a property that depends on x .
We could write Q (x ) to make this dependency explicit.
I What about Q prior to the assignment?
At that point, Q does not depend on x , but on the expression E .
We could write Q (E ) to make this explicit.
28 / 60
fP g x := E fQ g
What should P and Q be? Some guiding intuitions:
I They are related, but cannot be equal.
I After the assignment, Q is a property that depends on x .
We could write Q (x ) to make this dependency explicit.
I What about Q prior to the assignment?
At that point, Q does not depend on x , but on the expression E .
We could write Q (E ) to make this explicit.
This suggests a rule
fQ (E )g x := E fQ (x )g
but we prefer something more precise than ‘Q (E )’ and ‘Q (x )’. 28 / 60
Rule for Assignment
I Suppose a predicate P , an expression E , and a variable x .

We write
[E =x ]P
to denote the predicate that is obtained from P by substituting
each free occurrence of x (if any) by E .
I Example: If P : x = y then [z + 1=y ]P means
“P with z + 1 in place of y”, so we obtain x = z + 1.
29 / 60
Rule for Assignment
I Suppose a predicate P , an expression E , and a variable x .

We write
[E =x ]P
to denote the predicate that is obtained from P by substituting
each free occurrence of x (if any) by E .
I Example: If P : x = y then [z + 1=y ]P means
“P with z + 1 in place of y”, so we obtain x = z + 1.
We are now ready for the rule for assignment:
f[E x ]P g x := E fP g
=
I Looks simple, but can you make sense of it?
29 / 60
Rule for Assignment
=
How to interpret it?

I Think about what you would have to prove about the initial state
in order to prove that P holds in the resulting state.
30 / 60
Rule for Assignment
=

I In general, P will say something about the value of x .
Hence, whatever it says about that value must have been true of
E , because in the resulting state the value of x is E .
30 / 60
Rule for Assignment
=

I In general, P will say something about the value of x .
Hence, whatever it says about that value must have been true of
E , because in the resulting state the value of x is E .
I Often, this axiom is best applied backwards.
That is, given P we find a P 0 such that fP 0 g x := E fP g holds.
In this case, we simply set P 0 to be [E =x ]P .
I While a backwards reading is mechanical (uses a substitution),
a forward reading (find P based on P 0 ) is not easy.
30 / 60
Rules for Pre- and Postconditions (1/2)
Given fP g S fQ g, it is often useful to “massage” P and/or Q in

order to combine different rules according to their own format.
We strengthen the precondition and weaken the postcondition using

logical implication.
Weaker? Stronger?
I If P ) P 0 but not P 0 ) P , then
P 0 is weaker than P (and P is stronger than P 0 ).
I Example:
(x > 1) is weaker than (x > 0), because (x > 0) ) (x > 1).
I The weakest possible predicate is true,
because P ) true, for any P .
I The strongest possible predicate is false
31 / 60

We have the following two rules:
Strengthen the precondition: Weaken the postcondition:

P ) P 0 fP 0 g S fQ g fP g S fQ 0g Q 0 ) Q
fP g S fQ g fP g S fQ g
32 / 60

We have the following two rules:
Strengthen the precondition: Weaken the postcondition:

A derivable rule that combines the two:
P ) P 0 fP 0g S fQ 0g Q0 )Q
fP g S fQ g
Important: the command doesn’t change!
32 / 60
Example: Strengthening Precondition
A simple example of combination of rules for assignment (A) and

strengthening of precondition (S):
= 5 ) [x + 1 x ](x = 6) f[x + 1 x ](x = 6)g x := x + 1 fx = 6g

A
x = =
S
fx = 5g x := x + 1 fx = 6g
33 / 60
Example: Strengthening Precondition
A simple example of combination of rules for assignment (A) and

strengthening of precondition (S):
= 5 ) [x + 1 x ](x = 6) f[x + 1 x ](x = 6)g x := x + 1 fx = 6g

A
x = =
S
fx = 5g x := x + 1 fx = 6g
Several noteworthy aspects:
I Our preferred precondition (x = 5) is stronger than the
precondition required by the assignment rule ([x + 1=x ](x = 6)).
I The assignment rule is applied just as before.
I The tree-like format doesn’t scale to large examples.
33 / 60
Linear Annotated Proofs
Rather than derivations like
= 5 ) [x + 1 x ](x = 6) f[x + 1 x ](x = 6)g x := x + 1 fx = 6g

A
x = =
S
fx = 5g x := x + 1 fx = 6g
we will use linear annotated proofs. In this case:
fx = 5g
(* logic to “prepare” the assignment *)
f[x + 1 x ](x = 6)g
=
x := x + 1
fx = 6g
34 / 60
Linear Annotated Proofs
Rather than derivations like
= 5 ) [x + 1 x ](x = 6) f[x + 1 x ](x = 6)g x := x + 1 fx = 6g

A
x = =
S
fx = 5g x := x + 1 fx = 6g
we will use linear annotated proofs. In this case:
fx = 5g
(* logic to “prepare” the assignment *)
f[x + 1 x ](x = 6)g
=
x := x + 1
fx = 6g
I If fP g and fQ g appear after each other without a command,
then P ) Q. A comment must justify this implication.
I Indentation highlights commands from conditions.
We use colors to further improve readability.
34 / 60
Rule for Sequential Composition
fP g S fQ g fQ g T fRg
fP g S ; T fRg
I Reasoning is modular: to verify the composite command
‘S ; T ’, we independently verify the validity of tuples for S and T .
I The postcondition for S must match the precondition for T .
If not, we can use weakening and strengthening rules.
35 / 60
Sequential Assignments
Let’s examine a verification for
fx = 5g x := x + 1; x := x + 1 fx > 6g
We can modularly ‘reuse’ the verification we had for x := x + 1,

adjusting pre- and post-conditions:
fx = 5g
(* arithmetic *)
f[x + 1=x ](x = 6)g
x := x + 1;
fx = 6g
36 / 60
fx = 5g x := x + 1; x := x + 1 fx > 6g

fx = 5g
(* arithmetic *)
f[x + 1=x ](x = 6)g
x := x + 1;
fx = 6g
(* weakening to x > 5 *)
fx > 5g
36 / 60
fx = 5g x := x + 1; x := x + 1 fx > 6g

fx = 5g
(* arithmetic *)
f[x + 1=x ](x = 6)g
x := x + 1;
fx = 6g
(* weakening to x > 5 *)
fx > 5g
(* arithmetic *)
f[x + 1=x ](x > 6)g
x := x + 1
fx > 6g
36 / 60
Rule for Conditionals
fP ^ B g S fQ g fP ^ :B g T fQ g
fP g if B then S else T end fQ g
Equivalently:
fP ^ B g S fQ g fP ^ :B g T fRg
fP g if B then S else T end fQ _ Rg
I Another instance of modular verification: we verify S and T
independently, assuming B and its negation :B in each case.
37 / 60
Taking Stock
fP g skip fP g
=
fP g S fQ g fQ g T fRg
fP g S ; T fRg
fP ^ B g S fQ g fP ^ :B g T fQ g
fP g if B then S else T end fQ g
I Given a precondition P and a precondition Q, our goal will be to
mechanically derive a command S such that fP g S fQ g.
I We examine further examples before giving the rule for while .
38 / 60
Outline
Hoare Logic
Triples
Assignments
Assignments
Conditionals
Exercise 5.6
39 / 60
A First Annotation
We consider the following specification:
fP : x = X g
S
fQ : x = 3 X + 1g
What is S ? Based on Q, it is reasonable to implement S with an
assignment x := E , and to use the axiom f[E =x ]P g x := E fP g.
40 / 60
A First Annotation
fP : x = X g
S
fQ : x = 3 X + 1g
fP : x = X g
(* calculus *)
f3 x + 1 = 3 X + 1g
40 / 60
A First Annotation
fP : x = X g
S
fQ : x = 3 X + 1g
fP : x = X g
(* calculus *)
f3 x + 1 = 3 X + 1g
x := 3 x + 1
fQ : x = 3 X + 1g
Notice how we relate the program variable x and the specification
(logical) variable X . This is the style we shall adopt in the following.
40 / 60
Reversing the Assignment
Consider now the inverse specification:
fP : x = 3 X + 1g
S
fQ : x = X g
We expect again an assignment:
fP : x = 3 X + 1g
(* calculus *)
f(x 1) div 3 = X g
x := (x 1) div 3
fQ : x = X g
41 / 60
A More Interesting Annotation
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
Based on Q, we start with the assignment y := y + 1.
We need to prepare it.
fP : x = y 2 + X ^ y + 1 = Y g
42 / 60
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
fP : x = y 2 + X ^ y + 1 = Y g
(* calculus: prepare y := y + 1 *)
42 / 60
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
fP : x = y 2 + X ^ y + 1 = Y g
fx = (y + 1 1)2 + X ^ y + 1 = Y g
42 / 60
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
fP : x = y 2 + X ^ y + 1 = Y g
fx = (y + 1 1)2 + X ^ y + 1 = Y g
y := y + 1;
fx = (y 1)2 + X ^ y = Y g
42 / 60
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
fP : x = y 2 + X ^ y + 1 = Y g
fx = (y + 1 1)2 + X ^ y + 1 = Y g
y := y + 1;
fx = (y 1)2 + X ^ y = Y g
(* calculus *)
fx = y 2 2 y + 1 + X ^ y = Y g
42 / 60
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
fP : x = y 2 + X ^ y + 1 = Y g
fx = (y + 1 1)2 + X ^ y + 1 = Y g
y := y + 1;
fx = (y 1)2 + X ^ y = Y g
(* calculus *)
fx = y 2 2 y + 1 + X ^ y = Y g
(* calculus *)
fx + 2 y 1 = y 2 + X ^ y = Y g
42 / 60
fP : x = y 2 + X ^ y + 1 = Y g
S
fQ : x = y 2 + X ^ y = Y g
fP : x = y 2 + X ^ y + 1 = Y g
fx = (y + 1 1)2 + X ^ y + 1 = Y g
y := y + 1;
fx = (y 1)2 + X ^ y = Y g
(* calculus *)
fx = y 2 2 y + 1 + X ^ y = Y g
(* calculus *)
fx + 2 y 1 = y 2 + X ^ y = Y g
x := x + 2 y 1
fQ : x = y 2 + X ^ y = Y g 42 / 60
A Conditional Command
fP : x max y = X ^ x min y = Y g
S
fQ : x = X ^ y = Y g
Note: We need not do anything if x y.
43 / 60
Conditional commands
< y then
if x
fP ^ (x < y )g
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
fQ : x = X ^y = Yg
end
fQ : x = X ^y = Yg
44 / 60
< y then
if x
fP ^ (x < y )g
(* P and calculus *)
fy = X ^ x = Y g
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
fQ : x = X ^y = Yg
end
fQ : x = X ^y = Yg
44 / 60
< y then
if x
fP ^ (x < y )g
fy = X ^ x = Y g
z := x;
fy = X ^ z = Y g
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
fQ : x = X ^y = Yg
end
fQ : x = X ^y = Yg
44 / 60
< y then
if x
fP ^ (x < y )g
fy = X ^ x = Y g
z := x;
fy = X ^ z = Y g
x := y;
fx = X ^ z = Y g
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
fQ : x = X ^y = Yg
end
fQ : x = X ^y = Yg
44 / 60
< y then
if x
fP ^ (x < y )g
fy = X ^ x = Y g
z := x;
fy = X ^ z = Y g
x := y;
fx = X ^ z = Y g
y := z
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
fQ : x = X ^y = Yg
end
fQ : x = X ^y = Yg
44 / 60
< y then
if x
fP ^ (x < y )g
fy = X ^ x = Y g
z := x;
fy = X ^ z = Y g
x := y;
fx = X ^ z = Y g
y := z
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
(* :(x < y ) y x ; use P and calculus *)
fQ : x = X ^ y = Y g
fQ : x = X ^y = Yg
end
fQ : x = X ^y = Yg
44 / 60
< y then
if x
fP ^ (x < y )g
fy = X ^ x = Y g
z := x;
fy = X ^ z = Y g
x := y;
fx = X ^ z = Y g
y := z
fQ : x = X ^ y = Y g
else
fP ^ :(x < y )g
(* :(x < y ) y x ; use P and calculus *)
fQ : x = X ^ y = Y g
skip
fQ : x = X ^ y = Y g
end (* collect branches *)
fQ : x = X ^ y = Y g
44 / 60
Exercise 5.6(a)
fx = 3 X 2Y + 1 ^ y = Xg
S
fx = X ^ y = Y g
Implement S using an auxiliary variable h:
fx = 3 X 2Y + 1 ^ y = Xg
fx = X ^ y = Y g
45 / 60
Exercise 5.6(a)
fx = 3 X 2Y + 1 ^ y = Xg
S
fx = X ^ y = Y g
fx = 3 X 2Y + 1 ^ y = Xg
h := x ;
fh = 3 X 2Y + 1 ^ y = Xg
fx = X ^ y = Y g
45 / 60
Exercise 5.6(a)
fx = 3 X 2Y + 1 ^ y = Xg
S
fx = X ^ y = Y g
fx = 3 X 2Y + 1 ^ y = Xg
h := x ;
fh = 3 X 2Y + 1 ^ y = Xg
x := y ;
fh = 3 X 2Y + 1 ^ x = Xg
fx = X ^ y = Y g
45 / 60
Exercise 5.6(a)
fx = 3 X 2Y + 1 ^ y = Xg
S
fx = X ^ y = Y g
fx = 3 X 2Y + 1 ^ y = Xg
h := x ;
fh = 3 X 2Y + 1 ^ y = Xg
x := y ;
fh = 3 X 2 Y + 1 ^ x = Xg
(* calculus; substitute x = X *)
f2 Y = 3 x h + 1 ^ x = X g
fx = X ^ y = Y g
45 / 60
Exercise 5.6(a)
fx = 3 X 2Y + 1 ^ y = Xg
S
fx = X ^ y = Y g
fx = 3 X 2Y + 1 ^ y = Xg
h := x ;
fh = 3 X 2Y + 1 ^ y = Xg
x := y ;
fh = 3 X 2 Y + 1 ^ x = Xg
f2 Y = 3 x h + 1 ^ x = X g
(* calculus; (2 Y ) div 2 = Y *)
fY = (3 x h + 1) div 2 ^ x = X g
fx = X ^ y = Y g
45 / 60
Exercise 5.6(a)
fx = 3 X 2Y + 1 ^ y = Xg
S
fx = X ^ y = Y g
fx = 3 X 2Y + 1 ^ y = Xg
h := x ;
fh = 3 X 2Y + 1 ^ y = Xg
x := y ;
fh = 3 X 2 Y + 1 ^ x = Xg
f2 Y = 3 x h + 1 ^ x = X g
fY = (3 x h + 1) div 2 ^ x = X g
y := (3 x h + 1) div 2
fx = X ^ y = Y g
45 / 60
Exercise 5.6(a): Variation
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
An alternative solution would use h differently:
fx = 3 X 2Y + 1 ^ y = Xg
fx = X ^ y = Y g
46 / 60
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
(* substitute y = X *)
fx = 3 y 2 Y + 1 ^ y = X g
fx = X ^ y = Y g
46 / 60
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 y 2 Y + 1 ^ y = X g
f(3 y x + 1) div 2 = Y ^ y = X g
fx = X ^ y = Y g
46 / 60
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 y 2 Y + 1 ^ y = X g
f(3 y x + 1) div 2 = Y ^ y = X g
h := (3 y x + 1) div 2;
fh = Y ^ y = X g
fx = X ^ y = Y g
46 / 60
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 y 2 Y + 1 ^ y = X g
f(3 y x + 1) div 2 = Y ^ y = X g
h := (3 y x + 1) div 2;
fh = Y ^ y = X g
x := y ;
fh = Y ^ x = X g
fx = X ^ y = Y g
46 / 60
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 y 2 Y + 1 ^ y = X g
f(3 y x + 1) div 2 = Y ^ y = X g
h := (3 y x + 1) div 2;
fh = Y ^ y = X g
x := y ;
fh = Y ^ x = X g
y := h
fx = X ^ y = Y g
46 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
Implement S using only two assignments:
fx = 3 X 2Y + 1 ^ y = Xg
fx = X ^ y = Y g
47 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
(* calculus; substitute y = X *)
fx = 3 X 2 Y + 1 ^ 3 y x +1 = 2Yg
fx = X ^ y = Y g
47 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 X 2 Y + 1 ^ 3 y x + 1 = 2 Y g
fx = 3 X 2 Y + 1 ^ (3 y x + 1) div 2 = Y g
fx = X ^ y = Y g
47 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 X 2 Y + 1 ^ 3 y x + 1 = 2 Y g
fx = 3 X 2 Y + 1 ^ (3 y x + 1) div 2 = Y g
y := (3 y x + 1) div 2;
fx = 3 X 2 Y + 1 ^ y = Y g
fx = X ^ y = Y g
47 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 X 2 Y + 1 ^ 3 y x + 1 = 2 Y g
fx = 3 X 2 Y + 1 ^ (3 y x + 1) div 2 = Y g
y := (3 y x + 1) div 2;
fx = 3 X 2 Y + 1 ^ y = Y g
(* calculus; substitute y = Y *)
fx + 2 y 1 = 3 X ^ y = Y g
fx = X ^ y = Y g
47 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 X 2 Y + 1 ^ 3 y x + 1 = 2 Y g
fx = 3 X 2 Y + 1 ^ (3 y x + 1) div 2 = Y g
y := (3 y x + 1) div 2;
fx = 3 X 2 Y + 1 ^ y = Y g
fx + 2 y 1 = 3 X ^ y = Y g
(* calculus; (3 X ) div 3 = X *)
f(x + 2 y 1) div 3 = X ^ y = Y g
fx = X ^ y = Y g
47 / 60
Exercise 5.6(b)
fx = 3 X 2Y + 1 ^ y = X g S fx = X ^ y = Y g
fx = 3 X 2 Y + 1 ^ y = Xg
fx = 3 X 2 Y + 1 ^ 3 y x + 1 = 2 Y g
fx = 3 X 2 Y + 1 ^ (3 y x + 1) div 2 = Y g
y := (3 y x + 1) div 2;
fx = 3 X 2 Y + 1 ^ y = Y g
fx + 2 y 1 = 3 X ^ y = Y g
(* calculus; (3 X ) div 3 = X *)
f(x + 2 y 1) div 3 = X ^ y = Y g
x := (x + 2 y 1) div 3
fx = X ^ y = Y g
47 / 60
The End
48 / 60
Outline
Hoare Logic
Triples
Assignments
Assignments
Conditionals
Exercise 5.6
49 / 60
Notational matters
I Equivalence: P Q is notation for

(P ) Q ) ^ (Q ) P )
I Universal and existential quantifiers:
8x 2 V : P (x ) 8x (x 2 V ) P (x ))
9x 2 V : P (x ) 9x (x 2 V ^ P (x ))
50 / 60
Sets
I Empty set: ;
I Element: w 2 V means “w is member of the set V ”
I Standard notation: fx j P (x )g. Example:
fx j 0 x 3 100g = f0 1 2 3 4g
; ; ; ;
I Alternative notation: fE (x ) j x : P (x )g. Example:
f2 x j x : 0 x 5g = f0 2 4 6 8 10g
; ; ; ; ;
I Notations are equivalent:
fE (x ) j x : P (x )g = fy j 9x (y = E (x ) ^ P (x ))g
51 / 60
Integer division
I ‘x div y’ and ‘x mod y’ are only defined for x 2 Z and y 2 N+

x = y (x div y ) + x mod y ^ 0 x mod y < y
I Consequence: x div y is the largest integer x =y. Examples:
10 div 3 = 3 ^ 10 mod 3 = 1
( 10) div 3 = 4 ^ ( 10) mod 3 = 2
I Identities:
z x div y z y x
x div y z x z y
< <
52 / 60
Conditional Expressions
I Conditional expression:
(C ? E : F ) “if C then E else F ”
I Function ord, used in counting:
ord(b ) = (b ? 1 : 0)
53 / 60
Counting operator
#V : number of elements of the set V

I #; = 0
I singleton rule: #fa g = 1
I split rule: #V = #(V \ W ) + #(V nW )
I #fx 2 V j x = a g = ord(a 2 V )
54 / 60
Intervals
A consecutive subset of Z. Also called segment.

I Closed:
[m ::n ] = fk j m k n g
I Open:
(m n ) = fk j m
:: < k < ng
I Half open:
[m n ) = fk j m k n g
:: <
(m n ] = fk j m k n g
:: <
I Half open intervals are convenient for counting:
#[m n ) = #(m n ] = n
:: :: m
55 / 60
Maxima/Minima operators
The general case - Given a non-empty V :
a = Max V a 2 V ^ 8x (x 2 V ) x a )
a = Min V a 2 V ^ 8x (x 2 V ) a x )
Specific cases:
I empty set: Max ; = 1 and Min ; = 1
I singleton: Max fa g = Min fa g = a
I the binary operators max and min:
x max y = Max fx y g
; x min y = Min fx y g
;
I split rules:
Max V = Max (V \ W ) max Max (V nW )

Min V = Min (V \ W ) min Min (V nW )
56 / 60
Families/Bags/Multi sets
In sequences of numbers, repetitions matter. We write
(f (i ) j i 2 V )
to denote the family that consists of the values f (i ) for all i 2 V.
I Alternative notation: (f (i ) j i 2 V : P (i ))
I The family (f (i ) j i 2 V ) differs from the set ff (i ) j i 2 V g.
Example:
fi div 2 j i 2 [0 5)g = f0 1 2g
:: ; ;
(i div 2 j i 2 [0 5)) = (0 0 1 1 2)
:: ; ; ; ;
I In a family, the order of elements is relevant.

Example:
(1; 0; 0) 6= (0; 1; 0), (1; 0; 0) 6= (0; 0; 1), and (0; 1; 0) 6= (0; 0; 1).
57 / 60
Operators on families
(f (i ) j i 2 V ) is the sum of the elements of the family.

I (f (i ) j i 2 ;) = 0
I (f (i ) j i 2 fa g) = f (a )
I (f (i ) j i 2 V ) = (f (i ) j i 2 V \ W ) + (f (i ) j i 2 V nW )
58 / 60
Operators on families
(f (i ) j i 2 V ) is the sum of the elements of the family.

I (f (i ) j i 2 ;) = 0
I (f (i ) j i 2 fa g) = f (a )
I (f (i ) j i 2 V ) = (f (i ) j i 2 V \ W ) + (f (i ) j i 2 V nW )
(f (i ) j i 2 V ) is the product of the elements of the family.

I (f (i ) j i 2 ;) = 1
I (f (i ) j i 2 fa g) = f (a )
I (f (i ) j i 2 V ) = (f (i ) j i 2 V \ W ) (f (i ) j i 2 V nW )
58 / 60
Distribution
I Multiplication over addition:
(x f (i ) j i 2 V ) = x (f (i ) j i 2 V )
I Addition over Max :
Max (x + f (i ) j i 2 V ) = x + Max (f (i ) j i 2 V )
I Addition over Min :
Min (x + f (i ) j i 2 V ) = x + Min (f (i ) j i 2 V )
I Multiplication over Max :
x 0 ^ V 6= ; ) Max (x f (i ) j i 2 V ) = x Max (f (i ) j i 2 V )
I Multiplication over Min :
x 0 ^ V 6= ; ) Min (x f (i ) j i 2 V ) = x Min (f (i ) j i 2 V )
59 / 60
Distribution
I Multiplication over addition:
(x f (i ) j i 2 V ) = x (f (i ) j i 2 V )
I Addition over Max :
Max (x + f (i ) j i 2 V ) = x + Max (f (i ) j i 2 V )
I Addition over Min :
Min (x + f (i ) j i 2 V ) = x + Min (f (i ) j i 2 V )
I Multiplication over Max :
x 0 ^ V 6= ; ) Max (x f (i ) j i 2 V ) = x Max (f (i ) j i 2 V )
I Multiplication over Min :
x 0 ^ V 6= ; ) Min (x f (i ) j i 2 V ) = x Min (f (i ) j i 2 V )
Notice:
I x <0^V 6= ; ) Max (x f (i ) j i 2 V ) = x Min (f (i ) j i 2 V )
I x < 0^V =6 ; ) Min (x f (i ) j i 2 V ) = x Max (f (i ) j i 2 V )
59 / 60
Quantifiers and Predicates
‘8’ as repeated conjunction and ‘9’ as repeated disjunction:

I 8x 2 ; : P (x ) true
I 9x 2 ; : P (x ) false
I 8x 2 fa g : P (x ) P (a )
I 9x 2 fa g : P (x ) P (a )
I 8x 2 V : P (x ) (8x 2 V \ W : P (x )) ^ (8x 2 V nW : P (x ))
I 9x 2 V : P (x ) (9x 2 V \ W : P (x )) _ (9x 2 V nW : P (x ))
Distribution (assuming Q does not depend on x ):
(8x 2 V : Q _ P (x )) Q _ (8x 2 V : P (x ))
(9x 2 V : Q ^ P (x )) Q ^ (9x 2 V : P (x ))
60 / 60

Program Correctness: Jorge A. Pérez

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Program Correctness: Jorge A. Pérez

Uploaded by

Copyright:

Available Formats

Program Correctness

Bernoulli Institute for Mathematics, Computer Science, and AI

Programs and Their Specifications

I Dijkstra’s hand in hand approach for imperative programs.

Programs and Their Specifications

We shall follow notations as in Chapter 2 of the Lecture Notes:

Domains for identifiers:

Indicated by capital letters A; B ; C ; J ; P ; Q ; R, possibly with

A typical example of a declaration would be:

const n : N; x : R; a : array [0::n ) of Z;

The program can modify variables under var .

Programs and Their Specifications

I A program S with n declared variables: x0 ; : : : ; xn 1.

I A state (or context) of program S is a set of n pairs

f(x0 m0) (xn 1 mn 1)g

where, for each i 2 [0 n ), the value of mi is an element of the

I Program verification is about proving that a program has a

I Program verification is about proving that a program has a

Our language for expressions:

An admittedly rudimentary language, yet it is as expressive as any

if B then S end = if B then S else skip end

What do they do?

What do they do?

A triple denotes a command with its precondition and postcondition:

In this course, we focus on total correctness:

A triple denotes a command with its precondition and postcondition:

In this course, we focus on total correctness:

Under partial correctness, we have a weaker requirement:

(x1 = X1 ) ^ (x2 = X2 ) ^ ^ (xn = Xn )

We prefer bi-regular specifications whenever possible.

We want a command that assigns to a variable x the smallest index

We start with the declaration of some identifiers:

const n : N; w : R; a : array [0::n ) of R;

The precondition P asserts the existence of the required index.

To obtain a post-regular spec, we define X in the precondition:

const n : N; w : R; a : array [0::n ) of R;

const n : N; w : R; a : array [0::n ) of R;

const n : N; w : R; a : array [0::n ) of R;

const n : N; w : R; a : array [0::n ) of R;

The following specification is unsatisfiable (contradiction):

So is the following one (lack of information about X ):

Programs and Their Specifications

I Triples of the form fP g S fQ g are called Hoare triples

I Triples of the form fP g S fQ g are called Hoare triples

This suggests a rule

I Suppose a predicate P , an expression E , and a variable x .

I Suppose a predicate P , an expression E , and a variable x .

I Looks simple, but can you make sense of it?

How to interpret it?

How to interpret it?

How to interpret it?

Given fP g S fQ g, it is often useful to “massage” P and/or Q in

We strengthen the precondition and weaken the postcondition using

Given fP g S fQ g, it is often useful to “massage” P and/or Q in

We have the following two rules:

Strengthen the precondition: Weaken the postcondition:

Given fP g S fQ g, it is often useful to “massage” P and/or Q in

We have the following two rules:

Strengthen the precondition: Weaken the postcondition:

A simple example of combination of rules for assignment (A) and

= 5 ) [x + 1 x ](x = 6) f[x + 1 x ](x = 6)g x := x + 1 fx = 6g

A simple example of combination of rules for assignment (A) and

= 5 ) [x + 1 x ](x = 6) f[x + 1 x ](x = 6)g x := x + 1 fx = 6g

I Equivalence: P Q is notation for

I Consequence: x div y is the largest integer x =y. Examples:

(f (i ) j i 2 V ) is the sum of the elements of the family.

(f (i ) j i 2 V ) is the sum of the elements of the family.

(f (i ) j i 2 V ) is the product of the elements of the family.