correctness proofs
DESCRIPTION
Correctness Proofs. Correctness Proofs. Formal mathematical argument that an algorithm meets its specification, which means that it always produces the correct output for any permitted input. Correctness Proofs. - PowerPoint PPT PresentationTRANSCRIPT
Correctness ProofsCorrectness Proofs
Correctness ProofsCorrectness Proofs
Formal mathematical argument Formal mathematical argument that an algorithm meets its that an algorithm meets its
specification, which means that specification, which means that it always produces the correct it always produces the correct output for any permitted input.output for any permitted input.
Correctness ProofsCorrectness Proofs
Is Important to understand Is Important to understand what a deteiled formal what a deteiled formal
correctness proof looks like, correctness proof looks like, because otherwise you won’t because otherwise you won’t know what somebody is really know what somebody is really
saying with an informal saying with an informal correctness argument.correctness argument.
Invariants, Preconditions and Invariants, Preconditions and Posconditions.Posconditions.
1.1. P holds in the initial state.P holds in the initial state.
2.2. P holds after step P holds after step kk if it hods if it hods before step before step kk..
3.3. If P holds when the algorithm If P holds when the algorithm terminates, then the output of terminates, then the output of the algorithm is correct.the algorithm is correct.
Hoare LogicHoare Logic
Attach to each statement of a Attach to each statement of a program a precondition and a program a precondition and a postcondition.postcondition.
Precondition, Statement and Precondition, Statement and Postcondition, form a Postcondition, form a Hoare Hoare tripletriple..
Hoare LogicHoare Logic
{ x is an integer }{ x is an integer }
x := 2*xx := 2*x
{ x is even }{ x is even }
{ P: x is an integer }{ P: x is an integer }
x := 2*xx := 2*x
{ Q: x is even }{ Q: x is even }
x := x+1x := x+1
{R: x is odd }{R: x is odd }
{ x is even }{ x is even }
x := x + 1x := x + 1
{ x is odd }{ x is odd }
Hoare LogicHoare Logic
{P} S{P} S11 {Q} {Q} ΛΛ {Q} S {Q} S22 {R} {R}
{P} S{P} S11:S:S22 {R} {R}
Composition AxiomComposition Axiom
Hoare Logic AxiomsHoare Logic Axioms
Rules like before, which Rules like before, which define what new define what new
propositions can be propositions can be deduced from old ones, deduced from old ones,
are called are called AxiomsAxioms..
Pre-strengthening AxiomPre-strengthening Axiom
Making the precondition stronger Making the precondition stronger doesn’t change the truth of a doesn’t change the truth of a
Hoare triple.Hoare triple.
{Q} S {R} {Q} S {R} ΛΛ P P Q Q{P} S {R}{P} S {R}
Pre – strengthening AxiomPre – strengthening Axiom
Mostly used to sneak in extra Mostly used to sneak in extra facts that don’t appear explicitly facts that don’t appear explicitly
in our original precondition.in our original precondition.
If whenever Q is true,If whenever Q is true,
P P P P ΛΛ Q Q
is also true.is also true.
Post – weakening AxiomPost – weakening Axiom
Making the postcondition Making the postcondition weaker is also allowed.weaker is also allowed.
{P} S {Q} {P} S {Q} ΛΛ Q Q R R{P} S {R}{P} S {R}
Post – weakening AxiomPost – weakening Axiom
Typically used for getting rid of Typically used for getting rid of bits of a postcondition we don’t bits of a postcondition we don’t
care about.care about.
The direction of the implications The direction of the implications is important. Pre – weakening is important. Pre – weakening
and post – strengthening do and post – strengthening do NOTNOT produce valid proofs.produce valid proofs.
Assignment AxiomAssignment Axiom
{P[x/t]} x := t {P}{P[x/t]} x := t {P}
If P is true with If P is true with xx replaced by replaced by tt before before the assignment, it is true without the the assignment, it is true without the
replacement afterwards.replacement afterwards.
{0 = 0} x := {x=0}{0 = 0} x := {x=0}
{x+5 < 12} x:= x+5 {x < 12}{x+5 < 12} x:= x+5 {x < 12}
{x < 7} x:= x+5 {x < 12}{x < 7} x:= x+5 {x < 12}
Baggage LemmaBaggage Lemma
Used to carry along extra baggage Used to carry along extra baggage that you will need later.that you will need later.
{ } S {x = A}{ } S {x = A}
But you also need know that But you also need know that yy is is unchanged.unchanged.
{y = B} S {y = B {y = B} S {y = B ΛΛ x = A} x = A}
StrategyStrategy
1.1. Write down the algorithm.Write down the algorithm.
2.2. Precondition and postcondition Precondition and postcondition for each statements.for each statements.
3.3. Prove for each statement that Prove for each statement that its postcondition follow from its its postcondition follow from its precondition.precondition.
Proofs for if/then/else statementsProofs for if/then/else statements
{P}{P}if B thenif B then
{P and B}{P and B}do somethingdo something{Q}{Q}
elseelse{P and Not B}{P and Not B}do somethingdo something{Q}{Q}
end ifend if{Q}{Q}
Proofs for if/then/else statementsProofs for if/then/else statements
{P {P ΛΛ B} S B} S11 {Q} {Q} ΛΛ {P {P ΛΛ ¬B} S ¬B} S22 {Q} {Q}
{P} {P} ifif B B thenthen S S11 elseelse S S22 end ifend if {Q} {Q}
Proofs for LoopsProofs for Loops
{P}{P}
while B dowhile B do
{R and B}{R and B}
bodybody
{R}{R}
end whileend while
{Q}{Q}
Proofs for LoopsProofs for Loops
{A is an array with indices 0..n-1}{A is an array with indices 0..n-1}
i := ni := n
While i <> 0 doWhile i <> 0 do
{A[j] = 0 for all j >= i}{A[j] = 0 for all j >= i}
i := i – 1i := i – 1
{A[j] = 0 for all j >= i+1}{A[j] = 0 for all j >= i+1}
A[i] := 0A[i] := 0
{A[j] = 0 for all j >= i}{A[j] = 0 for all j >= i}
end whileend while
{A[0] .. A[n-1] are all equal to zero}{A[0] .. A[n-1] are all equal to zero}
Total vs Partial CorrectnessTotal vs Partial Correctness
We will want to show that an We will want to show that an algorithm produce the right algorithm produce the right
output in a reasonable amount output in a reasonable amount of time, tipically bounded by of time, tipically bounded by some function of the size of some function of the size of
the input.the input.
Proofs for Recursive ProceduresProofs for Recursive ProceduresProcedure Euclid(x,y: integer) return integerProcedure Euclid(x,y: integer) return integer
{}{}if y = 0 thenif y = 0 then
{y = 0}{y = 0}gcd := xgcd := x{gcd = gcd(x,y)}{gcd = gcd(x,y)}
elseelse{y <> 0}{y <> 0}gcd := Euclid(y,x mod y)gcd := Euclid(y,x mod y){gcd = gcd(x,y)}{gcd = gcd(x,y)}
endifendif{gcd = gcd(x,y)}{gcd = gcd(x,y)}return gcdreturn gcd
end procedureend procedure{return value = gcd(x,y){return value = gcd(x,y)