CSE 3341.03 Winter 2008 Introduction to Program Verification

calculating with wp
symbex: swap example (p. 30)

//{ X = 'old X' and Y = 'old Y' }
void swap(X, Y);
//{ X = 'old Y' and Y = 'old X' }

//{ true }
swap(&a, &b);
... cannot show true implies OLD(b)=b and OLD(a)=a for swap(&a, &b).
// assert: old b=a
// -- assertion is verified.
how?
//{ old b=a and old a=b }

symbex can show that if the swap pre-condition is satisfied (instantiated with a and b), then the conclusion 'old a' = b is valid, but cannot prove a = 'old a' and b = 'old b'.
"we're trying to prove that the pre-condition for the swap procedure is satisfied. In this context, that follows from the fact that 'OLD'(X) = X ->> true before the swap procedure is executed."

But this violates the intended interpretation of rewrite rules. (The rule is a 'timeless' mathematical equality.)

Solution: either assume the desired pre-condition for a "manual" proof, or assert the pre-condition for the specific call swap(&a, &b).
assert a pre-condition

alternative: add //{ 'old a' = a and 'old b' = b } as a pre-condition

//{ a = 'old a' and b = 'old b' }
swap(&a,&b);
// assert: old b=a
// -- assertion is verified.
//{ old b=a and old a=b }
why weakest pre-condition?

if we can calculate wp(S, Q), we can test any other proposition directly, using just logic and axioms, without further calculation:

(P implies wp(S, Q)) implies {P} S {Q}.

why? see p. 35-36
(if (P implies wp(S, Q)) then P is a pre-condition)
wp: the bigger picture

working backwards from goal to initial state: goal-directed backward chaining (cf. stimulus-response, forward chaining)

important concept in AI: if-then is "blind";
• based on what is true at the moment
• doesn't need a representation

selecting an action based on a goal uses a representation of what is not true at the moment
• more "intelligent"
the null statement

wp(";", Q) = Q

is this a theorem? a definition? an axiom?

we could extend wp to create new statement types:
wp("swap(A, B);", A = X and B = Y)
    A = Y and B = X.
calculating wp: conditional statements

wp("if (B) S1 else S2", Q)
    B and wp(S1, Q) or not B and wp(S2, Q)

wp("if (B) S1", Q)
    B and wp(S1, Q) or not B and Q

using implication?
Exercise 9.1

substitute the definition of wp("if (B) S", Q) into

wp("if (B) S", Q) iff (B implies wp(S, Q)) and (not B implies Q)

and rewrite it as a proposition that can be checked by wang:

(b and wp(s, q) or not b and q) iff (b implies wp(s, q)) and (not b implies q)
switch statement: exercise 9.2

wp("switch (C) {
      case L1: S1; break;
      case L2: S2; break;
      . . .
      case Ln: Sn; break;
      default: S }", Q)
    C=L1 and wp(S1, Q) or . . . C=Ln and wp(Sn, Q) or
assignment statement: examples

wp("R = Exp;", Q) = Q[Exp / R]

wp("x = f(y)", x**2 - y/x > 0) = ?
    = f(y)**2 - y/f(y) > 0

wp("x = x*3", odd(x)) = odd(x*3) ->> odd(x).
exercise 9.3

? wp("a[i+3] = 7;", a[4] = x) = (i = 1 and x = 7)     what's wrong here?

correct answer:
wp("a[i+3] = 7;", a[4] = x) = wp("a = change(a, i+3, 7);", array(a, 4) = x)

now use the rule for assignment to calculate the wp:
(array(a, 4) = x)[change(a, i+3, 7)/a]
    = (array(change(a, i+3, 7), 4) = x)
    = (i + 3 = 4 and x = 7) or (x = array(a, i+3))
wp does it correctly

compare with what wp calculates:
// PRE: (i+3=4 implies x=7) and (not i+3=4 implies array(a, i+3)=x)
->> (i=1 implies x=7) and (not i=1 implies array(a, i+3)=x)
wp's input loop: a note on using wp

input loop designed differently than symbex
• symbex's input loop reads the statements of a single code segment
• wp loops over multiple code segments
• allows you to experiment and explore within wp
• don't have to repeatedly re-execute wp and reload the files
• so ^D causes a prompt for the next input
• How to escape? a 2nd ^D, or enter "stop"
examples

% wp      (^D's not shown)
|:x = (x=1); y = y+1;      % S (code)
|://{ x = y}               % Q (goal)
|:// PRE: (y+1=x)=1        % wp(S, Q)

|:x = x+1; y = y+1;
|://{ x = y }
|:// PRE: y+1=x+1

|:x = (x-y)*(x+y);
|://{x + y**2 <> 0}
|:// PRE: x*x<>0
array references

|: b[i] = i;          % b = change(b, i, i);
|: //{ b[b[i]] = i }
|: ^D
// PRE: true

|:a[x] = a[x+1];
|://{ a[0] = 0}
|:// PRE: array(change(a, x, array(a, x+1)), 0)=0
impossible goal

|:x =1; //{x = 0}
// PRE: false      % how was this computed?

Goal is impossible.
Exercise 9.7

|:if(m < y) m = y; // {m = max(m, y)}     % is this correct?
// PRE: y<=y and m<y or y<=m and not m<y
->> ?
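The wp rules stated on the earlier slides (null statement, conditional, assignment, and array assignment via change/array) and the tool sessions on the "impossible goal" and Exercise 9.7 slides, worked as a small calculator. This is an added example, not the course's wp or symbex tool: the tuple encoding of expressions and statements, the helper names (subst, wp, show, ev, run, wp_is_exact, holds_in_all) and the sample states are my own choices. Besides computing wp(S, Q) syntactically, it evaluates wp(S, Q) and Q-after-S over constructed states, which illustrates for always-terminating programs the "all and only" property that the termination slide relies on.

```python
"""Tiny wp calculator for the statement forms on these slides.  Added example;
not the course's wp or symbex tool.  Expressions and statements are nested
tuples (a representation chosen here); the rules are the slides' rules."""
from itertools import product

# Expressions:  ('var', 'x')   ('num', 3)   ('op', sym, e1, e2)   ('not', e)
#   ('array', a, i) = a[i]     ('change', a, i, v) = a with a[i] := v
#   ('odd', e) = the odd() predicate used on the assignment slide
V = lambda name: ('var', name)
N = lambda value: ('num', value)
def op(sym, a, b): return ('op', sym, a, b)

def subst(q, name, repl):
    """q[repl / name]: replace every occurrence of variable `name` in q."""
    if q[0] == 'var':
        return repl if q[1] == name else q
    return (q[0],) + tuple(subst(e, name, repl) if isinstance(e, tuple) else e
                           for e in q[1:])

# Statements:  ('skip',)   ('assign', 'x', e)   ('aassign', 'a', i, e) = a[i] = e;
#   ('seq', S1, S2)   ('if', B, S1, S2)  -- "if (B) S1" is ('if', B, S1, ('skip',))
def wp(S, Q):
    """Weakest precondition of S for post-condition Q, by the slides' rules."""
    kind = S[0]
    if kind == 'skip':                    # wp(";", Q) = Q
        return Q
    if kind == 'assign':                  # wp("R = Exp;", Q) = Q[Exp / R]
        return subst(Q, S[1], S[2])
    if kind == 'aassign':                 # a[i] = e;  is  a = change(a, i, e);
        return subst(Q, S[1], ('change', V(S[1]), S[2], S[3]))
    if kind == 'seq':                     # wp(S1 S2, Q) = wp(S1, wp(S2, Q))
        return wp(S[1], wp(S[2], Q))
    if kind == 'if':                      # B and wp(S1, Q) or not B and wp(S2, Q)
        B, S1, S2 = S[1:]
        return op('or', op('and', B, wp(S1, Q)), op('and', ('not', B), wp(S2, Q)))
    raise ValueError(f"unknown statement {kind}")

def show(e):
    """Render an expression roughly the way the slides write it."""
    k = e[0]
    if k == 'var': return e[1]
    if k == 'num': return str(e[1])
    if k == 'op': return f"({show(e[2])} {e[1]} {show(e[3])})"
    if k == 'not': return f"not {show(e[1])}"
    return f"{k}({', '.join(show(x) for x in e[1:])})"

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
       '=': lambda a, b: a == b, '<>': lambda a, b: a != b, '<': lambda a, b: a < b,
       '<=': lambda a, b: a <= b, 'and': lambda a, b: a and b,
       'or': lambda a, b: a or b, 'max': max}

def ev(e, s):
    """Evaluate e in state s (a dict; an array value is a dict index -> value)."""
    k = e[0]
    if k == 'var': return s[e[1]]
    if k == 'num': return e[1]
    if k == 'op': return OPS[e[1]](ev(e[2], s), ev(e[3], s))
    if k == 'not': return not ev(e[1], s)
    if k == 'odd': return ev(e[1], s) % 2 == 1
    if k == 'array': return ev(e[1], s)[ev(e[2], s)]
    if k == 'change':
        a = dict(ev(e[1], s)); a[ev(e[2], s)] = ev(e[3], s); return a
    raise ValueError(f"unknown expression {k}")

def run(S, s):
    """Execute S from state s (copied), returning the final state."""
    s = dict(s); k = S[0]
    if k == 'assign': s[S[1]] = ev(S[2], s)
    elif k == 'aassign': s[S[1]] = ev(('change', V(S[1]), S[2], S[3]), s)
    elif k == 'seq': s = run(S[2], run(S[1], s))
    elif k == 'if': s = run(S[2] if ev(S[1], s) else S[3], s)
    return s

def wp_is_exact(S, Q, states):
    """For S that terminates: wp(S, Q) holds in s  iff  Q holds after running S from s."""
    pre = wp(S, Q)
    return all(bool(ev(pre, s)) == bool(ev(Q, run(S, s))) for s in states)

def holds_in_all(P, states):
    return all(bool(ev(P, s)) for s in states)

# assignment slide:  wp("x = x*3", odd(x))  ->  odd(x*3)
ODD = wp(('assign', 'x', op('*', V('x'), N(3))), ('odd', V('x')))
# exercise 9.3:  wp("a[i+3] = 7;", a[4] = x), left as array(change(...), 4) = x
ARR_PROG = ('aassign', 'a', op('+', V('i'), N(3)), N(7))
ARR_GOAL = op('=', ('array', V('a'), N(4)), V('x'))
# exercise 9.7:  wp("if (m < y) m = y;", m = max(m, y))
MAX_PROG = ('if', op('<', V('m'), V('y')), ('assign', 'm', V('y')), ('skip',))
MAX_GOAL = op('=', V('m'), op('max', V('m'), V('y')))
# impossible goal:  wp("x = 1;", x = 0)
IMPOSSIBLE = wp(('assign', 'x', N(1)), op('=', V('x'), N(0)))

# constructed sample states (not from the slides) for the brute-force checks
ARR_STATES = [{'i': i, 'x': x, 'a': {k: 10 * k for k in range(8)}}
              for i, x in product(range(5), (7, 40))]
MAX_STATES = [{'m': m, 'y': y} for m, y in product(range(-2, 3), repeat=2)]
```

show(ODD) gives odd((x * 3)) and show(wp(ARR_PROG, ARR_GOAL)) gives (array(change(a, (i + 3), 7), 4) = x), the unsimplified form from the exercise 9.3 slide. holds_in_all(wp(MAX_PROG, MAX_GOAL), MAX_STATES) comes out True, so over the sampled states the Exercise 9.7 pre-condition is valid, while IMPOSSIBLE evaluates to false in every state, matching the "PRE: false" output. wp_is_exact confirms that, for these terminating programs, wp(S, Q) holds in exactly the states from which running S establishes Q.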
exercise 9.9(a)

|://{ r = n*n } n= n+1; r= '??'; //{ r = n*n }
|:// PRE: n*n+n*2+1= ??
Initial condition may not be compatible with the goal.
Cannot prove n*n=r implies n*n+n*2+1= ??.

|://{ r = n*n } n= n+1; r= n*n+n*2+1; //{ r = n*n }
|:// PRE: n*2*2+n*n+2+1=n*n+n*2 ->> ?
Initial condition may not be compatible with the goal.
Cannot prove n*n=r implies n*2*2+n*n+2+1=n*n+n*2.
exercise 9.9(a) continued

|://{ r = n*n and n = -3/2} n= n+1; r= n*n+n*2+1; //{ r = n*n }
|:// PRE: n*2*2+n*n+2+1=n*n+n*2
Initial condition is compatible with the goal.

what was proved?
why not (as in the text example): "Initial condition achieves the goal."?
termination (p. 45)

interpret {P} as {computational states s: P is true in s}. What can we say about {P} if {P} S {true}?

Suppose S terminates from some initial state s but wp(S, true) is false in s. Then {s} S {true} holds, yet s is not in wp(S, true): this contradicts the definition of wp(S, P) as the weakest pre-condition under which S establishes P. So wp(S, true) is true in all and only those initial states in which S terminates.