correctness proofs

Download Correctness Proofs

Post on 02-Feb-2016




0 download

Embed Size (px)


Correctness Proofs. Correctness Proofs. Formal mathematical argument that an algorithm meets its specification, which means that it always produces the correct output for any permitted input. Correctness Proofs. - PowerPoint PPT Presentation


  • Correctness Proofs

  • Correctness ProofsFormal mathematical argument that an algorithm meets its specification, which means that it always produces the correct output for any permitted input.

  • Correctness ProofsIs Important to understand what a deteiled formal correctness proof looks like, because otherwise you wont know what somebody is really saying with an informal correctness argument.

  • Invariants, Preconditions and Posconditions.P holds in the initial state.P holds after step k if it hods before step k.If P holds when the algorithm terminates, then the output of the algorithm is correct.

  • Hoare LogicAttach to each statement of a program a precondition and a postcondition.

    Precondition, Statement and Postcondition, form a Hoare triple.

  • Hoare Logic{ x is an integer }x := 2*x{ x is even }{ P: x is an integer }x := 2*x{ Q: x is even }x := x+1{R: x is odd }{ x is even }x := x + 1{ x is odd }

  • Hoare Logic{P} S1 {Q} {Q} S2 {R}{P} S1:S2 {R}Composition Axiom

  • Hoare Logic AxiomsRules like before, which define what new propositions can be deduced from old ones, are called Axioms.

  • Pre-strengthening AxiomMaking the precondition stronger doesnt change the truth of a Hoare triple.

    {Q} S {R} P Q{P} S {R}

  • Pre strengthening AxiomMostly used to sneak in extra facts that dont appear explicitly in our original precondition.

    If whenever Q is true,P P Qis also true.

  • Post weakening AxiomMaking the postcondition weaker is also allowed.

    {P} S {Q} Q R{P} S {R}

  • Post weakening AxiomTypically used for getting rid of bits of a postcondition we dont care about.

    The direction of the implications is important. Pre weakening and post strengthening do NOT produce valid proofs.

  • Assignment Axiom{P[x/t]} x := t {P}

    If P is true with x replaced by t before the assignment, it is true without the replacement afterwards.

    {0 = 0} x := {x=0}{x+5 < 12} x:= x+5 {x < 12}{x < 7} x:= x+5 {x < 12}

  • Baggage LemmaUsed to carry along extra baggage that you will need later.

    { } S {x = A}

    But you also need know that y is unchanged.

    {y = B} S {y = B x = A}

  • StrategyWrite down the algorithm.

    Precondition and postcondition for each statements.

    Prove for each statement that its postcondition follow from its precondition.

  • Proofs for if/then/else statements{P}if B then{P and B}do something{Q}else{P and Not B}do something{Q}end if{Q}

  • Proofs for if/then/else statements{P B} S1 {Q} {P B} S2 {Q}{P} if B then S1 else S2 end if {Q}

  • Proofs for Loops{P}while B do{R and B}body{R}end while{Q}

  • Proofs for Loops{A is an array with indices 0..n-1}i := nWhile i 0 do{A[j] = 0 for all j >= i}i := i 1{A[j] = 0 for all j >= i+1}A[i] := 0{A[j] = 0 for all j >= i}end while{A[0] .. A[n-1] are all equal to zero}

  • Total vs Partial CorrectnessWe will want to show that an algorithm produce the right output in a reasonable amount of time, tipically bounded by some function of the size of the input.

  • Proofs for Recursive ProceduresProcedure Euclid(x,y: integer) return integer{}if y = 0 then{y = 0}gcd := x{gcd = gcd(x,y)}else{y 0}gcd := Euclid(y,x mod y){gcd = gcd(x,y)}endif{gcd = gcd(x,y)}return gcdend procedure{return value = gcd(x,y)