program verification[1].color
TRANSCRIPT
-
8/9/2019 Program Verification[1].Color
1/109
Core Programming Language
Hoare Triples; Partial and Total Correctness
Proof Calculus for Partial Correctness
Proof Calculus for Total Correctness
Programming by Contract
Program Verification
CS 3234: Logic and Formal Systems
Martin Henz and Aquinas Hobor
October 29, 2009
Generated on Thursday 29th October, 2009, 13:52
1 Core Programming Language
2 Hoare Triples; Partial and Total Correctness
3 Proof Calculus for Partial Correctness
4 Proof Calculus for Total Correctness
5 Programming by Contract
Motivation

Model checking runs into major problems if the systems deal with complex data structures and numbers, and interact with the user and with each other in complex ways.
Models become infinite.
Satisfaction/validity becomes undecidable.
We retreat to a proof-based framework for software program verification.
Characteristics of the Approach

Proof-based instead of model checking
Semi-automatic instead of automatic
Property-oriented, not using a full specification
Application domain fixed to sequential programs using integers
Interleaved with development rather than a posteriori verification
Reasons for Program Verification

Documentation. Program properties formulated as theorems can serve as concise documentation.
Time-to-market. Verification prevents/catches bugs and can reduce development time.
Reuse. A clear specification provides a basis for reuse.
Certification. Verification is required in safety-critical domains such as nuclear power stations and aircraft cockpits.
Framework for Software Verification

Convert the informal description R of the requirements for an application domain into a formula $\varphi_R$.
Write a program P that meets $\varphi_R$.
Prove that P satisfies $\varphi_R$.
Each step carries risks and opportunities.
1 Core Programming Language
Motivation of Core Language

Real-world languages are quite large: many features and constructs.
A verification framework for them would exceed the time we have in CS3234.
Theoretical constructions such as Turing machines or the lambda calculus are too far from actual applications; too low-level.
Idea: use a subset of Pascal/C/C++/Java.
Benefit: we can study useful, realistic examples.
Expressions in Core Language

Expressions come as arithmetic expressions E:

$E ::= n \mid x \mid (E) \mid (E + E) \mid (E - E) \mid (E * E)$

and boolean expressions B:

$B ::= \mathrm{true} \mid \mathrm{false} \mid (!B) \mid (B \,\&\, B) \mid (B \,\|\, B) \mid (E < E)$

Where are the other comparisons, for example ==?
Commands in Core Language

Commands cover some common programming idioms. Expressions are components of commands.

$C ::= x = E \mid C;\, C \mid \mathrm{if}\ B\ \{C\}\ \mathrm{else}\ \{C\} \mid \mathrm{while}\ B\ \{C\}$
Example

Consider the factorial function:

$0! \stackrel{\mathrm{def}}{=} 1$
$(n+1)! \stackrel{\mathrm{def}}{=} (n+1) \cdot n!$

We shall show that after the execution of the following Core program, we have y = x!.

y = 1;
z = 0;
while (z != x) { z = z + 1; y = y * z; }
2 Hoare Triples; Partial and Total Correctness
Example

y = 1;
z = 0;
while (z != x) { z = z + 1; y = y * z; }

We need to be able to say that at the end, y is x!
That means we require a post-condition y = x!
Do we need pre-conditions, too?
Yes, they specify what needs to be the case before execution. Example: x > 0
Do we have to prove the postcondition in one go?
No, the postcondition of one line can be the pre-condition of the next!
Assertions on Programs

Shape of assertions

$(|\varphi|)\ P\ (|\psi|)$

Informal meaning
If the program P is run in a state that satisfies $\varphi$, then the state resulting from P's execution will satisfy $\psi$.
(Slightly Trivial) Example

Informal specification
Given a positive number x, the program P calculates a number y whose square is less than x.

Assertion
$(|x > 0|)\ P\ (|y \cdot y < x|)$

Example for P
y = 0

Our first Hoare triple
$(|x > 0|)\ \texttt{y = 0}\ (|y \cdot y < x|)$
(Slightly Less Trivial) Example

Same assertion
$(|x > 0|)\ P\ (|y \cdot y < x|)$

Another example for P

y = 0;
while (y * y < x) {
    y = y + 1;
}
y = y - 1;
Recall: Models in Predicate Logic

Definition
Let $\mathcal{F}$ contain function symbols and $\mathcal{P}$ contain predicate symbols. A model $\mathcal{M}$ for $(\mathcal{F}, \mathcal{P})$ consists of:
1. a non-empty set $A$, the universe;
2. for each nullary function symbol $f \in \mathcal{F}$, a concrete element $f^{\mathcal{M}} \in A$;
3. for each $f \in \mathcal{F}$ with arity $n > 0$, a concrete function $f^{\mathcal{M}} : A^n \to A$;
4. for each $P \in \mathcal{P}$ with arity $n > 0$, a set $P^{\mathcal{M}} \subseteq A^n$.
Partial Correctness

Definition
We say that the triple $(|\varphi|)\ P\ (|\psi|)$ is satisfied under partial correctness if, for all states which satisfy $\varphi$, the state resulting from P's execution satisfies $\psi$, provided that P terminates.
Extreme Example

$(|\varphi|)\ \mathrm{while\ true}\ \{\ x = 0;\ \}\ (|\psi|)$

holds for all $\varphi$ and $\psi$.
Total Correctness

Definition
We say that the triple $(|\varphi|)\ P\ (|\psi|)$ is satisfied under total correctness if, for all states which satisfy $\varphi$, P is guaranteed to terminate and the resulting state satisfies $\psi$.

Notation
We write $\models_{tot} (|\varphi|)\ P\ (|\psi|)$.
Back to Factorial

Consider Fac1:

y = 1;
z = 0;
while (z != x) { z = z + 1; y = y * z; }

$\models_{tot} (|x \geq 0|)\ \mathit{Fac1}\ (|y = x!|)$
$\models_{tot} (|\ |)\ \mathit{Fac1}\ (|y = x!|)$
$\models_{par} (|x \geq 0|)\ \mathit{Fac1}\ (|y = x!|)$
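The Core language, the Fac1 program and the partial/total correctness distinction above, as an added Python example that is not part of the slides: a small interpreter for Core commands with a step budget, a checker that tests a Hoare triple on sample states under both notions of correctness, and a hook that checks a loop invariant each time a while guard is evaluated (the point at which the Partial-while rule needs it). The tuple encoding of programs, the function names and the sample states are my own constructions; a run that exhausts its step budget is treated as non-terminating, which is a testing heuristic, not a termination proof.

```python
import math

# Constructed encoding of Core programs as nested tuples (my own, not the slides'):
#   commands:  ('assign', 'x', E)  ('seq', C, C)  ('if', B, C, C)  ('while', B, C)
#   arithmetic E: ('num', n) ('var', 'x') ('+', E, E) ('-', E, E) ('*', E, E)
#   boolean B: ('true',) ('false',) ('!', B) ('&', B, B) ('||', B, B)
#              ('<', E, E) and ('!=', E, E) as used by Fac1


class OutOfFuel(Exception):
    """Raised when the step budget is exhausted: the program may not terminate."""


def eval_expr(e, state):
    """Evaluate an arithmetic expression E over an integer state."""
    tag = e[0]
    if tag == 'num':
        return e[1]
    if tag == 'var':
        return state[e[1]]
    a, b = eval_expr(e[1], state), eval_expr(e[2], state)
    return {'+': a + b, '-': a - b, '*': a * b}[tag]


def eval_bool(b, state):
    """Evaluate a boolean expression B over an integer state."""
    tag = b[0]
    if tag == 'true':
        return True
    if tag == 'false':
        return False
    if tag == '!':
        return not eval_bool(b[1], state)
    if tag == '&':
        return eval_bool(b[1], state) and eval_bool(b[2], state)
    if tag == '||':
        return eval_bool(b[1], state) or eval_bool(b[2], state)
    l, r = eval_expr(b[1], state), eval_expr(b[2], state)
    return {'<': l < r, '!=': l != r}[tag]


def run(cmd, state, fuel, invariant=None):
    """Execute cmd on a copy of state; every command costs one unit of fuel.
    If `invariant` is given, it is checked each time a loop guard is evaluated,
    which is where the Partial-while rule requires eta to hold."""
    state = dict(state)
    budget = [fuel]

    def step(c):
        budget[0] -= 1
        if budget[0] < 0:
            raise OutOfFuel()
        tag = c[0]
        if tag == 'assign':
            state[c[1]] = eval_expr(c[2], state)
        elif tag == 'seq':
            step(c[1])
            step(c[2])
        elif tag == 'if':
            step(c[2] if eval_bool(c[1], state) else c[3])
        elif tag == 'while':
            while True:
                if invariant is not None and not invariant(state):
                    raise AssertionError(f"loop invariant violated in {state}")
                if not eval_bool(c[1], state):
                    break
                step(c[2])
        else:
            raise ValueError(f"unknown command {tag}")

    step(cmd)
    return state


def check_triple(pre, prog, post, states, fuel=10_000, invariant=None):
    """Return (partial, total): whether (|pre|) prog (|post|) held on every sample
    state satisfying pre, under partial and under total correctness.  A run that
    exhausts its fuel counts as non-terminating: it refutes total correctness but
    says nothing under partial correctness."""
    partial = total = True
    for s in states:
        if not pre(s):
            continue
        try:
            out = run(prog, s, fuel, invariant)
        except OutOfFuel:
            total = False
            continue
        if not post(out):
            partial = total = False
    return partial, total


# Fac1 from the slides:  y = 1; z = 0; while (z != x) { z = z + 1; y = y * z; }
FAC1 = ('seq', ('assign', 'y', ('num', 1)),
        ('seq', ('assign', 'z', ('num', 0)),
         ('while', ('!=', ('var', 'z'), ('var', 'x')),
          ('seq', ('assign', 'z', ('+', ('var', 'z'), ('num', 1))),
                  ('assign', 'y', ('*', ('var', 'y'), ('var', 'z')))))))

# The "extreme example":  while true { x = 0; }
LOOP = ('while', ('true',), ('assign', 'x', ('num', 0)))


def fac1_results():
    """Check the triples discussed on the slides on constructed sample states."""
    samples = [{'x': x, 'y': 0, 'z': 0} for x in range(-2, 8)]   # constructed
    post = lambda s: s['y'] == math.factorial(s['x'])
    nonneg = lambda s: s['x'] >= 0
    inv = lambda s: s['y'] == math.factorial(s['z'])              # eta: y = z!
    return {
        'x>=0': check_triple(nonneg, FAC1, post, samples),
        'x>=0,inv': check_triple(nonneg, FAC1, post, samples, invariant=inv),
        'true': check_triple(lambda s: True, FAC1, post, samples),
        'loop': check_triple(lambda s: True, LOOP, lambda s: False, samples),
    }
```

Running fac1_results() reports (|x ≥ 0|) Fac1 (|y = x!|) as holding under both notions (with the invariant y = z! confirmed at every guard evaluation), while (|true|) Fac1 (|y = x!|) and the while-true loop hold only under partial correctness: a program that fails to terminate on some input satisfies any triple vacuously there, which is exactly the gap total correctness closes.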
3 Proof Calculus for Partial Correctness
Strategy

We are looking for a proof calculus that allows us to establish

$\vdash_{par} (|\varphi|)\ P\ (|\psi|)$

where
$\models_{par} (|\varphi|)\ P\ (|\psi|)$ holds whenever $\vdash_{par} (|\varphi|)\ P\ (|\psi|)$ (correctness), and
$\vdash_{par} (|\varphi|)\ P\ (|\psi|)$ holds whenever $\models_{par} (|\varphi|)\ P\ (|\psi|)$ (completeness).
Rules for Partial Correctness

$\dfrac{(|\varphi|)\ C_1\ (|\eta|)\qquad (|\eta|)\ C_2\ (|\psi|)}{(|\varphi|)\ C_1;\, C_2\ (|\psi|)}$ [Composition]
Rules for Partial Correctness (continued)

$\dfrac{}{(|\psi[x \mapsto E]|)\ x = E\ (|\psi|)}$ [Assignment]
Examples

Let P be the program x = 2.
Using

$\dfrac{}{(|\psi[x \mapsto E]|)\ x = E\ (|\psi|)}$ [Assignment]

we can prove:
$(|2 = 2|)\ P\ (|x = 2|)$
$(|2 = 4|)\ P\ (|x = 4|)$
$(|2 = y|)\ P\ (|x = y|)$
$(|2 > 0|)\ P\ (|x > 0|)$
More Examples

Let P be the program x = x + 1.
Using

$\dfrac{}{(|\psi[x \mapsto E]|)\ x = E\ (|\psi|)}$ [Assignment]

we can prove:
$(|x + 1 = 2|)\ P\ (|x = 2|)$
$(|x + 1 = y|)\ P\ (|x = y|)$
Rules for Partial Correctness (continued)

$\dfrac{(|\varphi \wedge B|)\ C_1\ (|\psi|)\qquad (|\varphi \wedge \neg B|)\ C_2\ (|\psi|)}{(|\varphi|)\ \mathrm{if}\ B\ \{\,C_1\,\}\ \mathrm{else}\ \{\,C_2\,\}\ (|\psi|)}$ [If-statement]

$\dfrac{(|\eta \wedge B|)\ C\ (|\eta|)}{(|\eta|)\ \mathrm{while}\ B\ \{\,C\,\}\ (|\eta \wedge \neg B|)}$ [Partial-while]
Proof Tableaux

Proofs have tree shape
All rules have the structure

$\dfrac{\text{something}}{\text{something else}}$

As a result, all proofs can be written as a tree.

Practical concern
These trees tend to be very wide when written out on paper. Thus we use a linear format, called proof tableaux.
Working Backwards

Overall goal
Find a proof that at the end of executing a program P, some condition $\psi$ holds.

Common situation
If P has the shape $C_1;\ \ldots;\ C_n$, we need to find the weakest formula $\varphi$ such that

$(|\varphi|)\ C_n\ (|\psi|)$

Terminology
The weakest such formula $\varphi$ is called the weakest precondition.
Example

(|y < 3|)
(|y + 1 < 4|)        Implied
y = y + 1;
(|y < 4|)            Assignment
Another Example

Can we claim u = x + y after z = x; z = z + y; u = z; ?

(| |)
(|x + y = x + y|)    Implied
z = x;
(|z + y = x + y|)    Assignment
z = z + y;
(|z = x + y|)        Assignment
u = z;
(|u = x + y|)        Assignment
An Alternative Rule for If
We have:
(| B|) C1 (||) (| B|) C2 (||)
(||) if B { C1 } else { C2 } (||)
[If-statement]
Sometimes, the following derived rule is more suitable:
(|1|) C1 (||) (|2|) C2 (||)
(|(B 1) (B 2)|) if B { C1 } else { C2 } (||)
[If-stmt 2]
Example
Consider this implementation of Succ:
a = x + 1;
if (a - 1 == 0) {
    y = 1;
} else {
    y = a;
}
Can we prove (||) Succ (|y = x + 1|) ?
Another Example
...
if (a - 1 == 0) {
    (|1 = x + 1|)      If-Statement 2
    y = 1;
    (|y = x + 1|)      Assignment
} else {
    (|a = x + 1|)      If-Statement 2
    y = a;
    (|y = x + 1|)      Assignment
}
(|y = x + 1|)          If-Statement 2
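The "working backwards" recipe, the u = x + y example and the Succ proof above can all be mechanised for this fragment of Core. The Python below is an added example, not the lecture's code: the AST classes, the subst and wp functions and the bounded validity check are this example's own constructions. wp applies the Assignment rule as substitution, handles C1; ...; Cn by starting from Cn, and handles if with the derived If-stmt 2 rule (the conjunction of "B implies the then-branch's precondition" and "not B implies the else-branch's precondition"). The resulting weakest preconditions are then checked over a small box of integer states, which is a test rather than a proof of the Implied step.

```python
"""Weakest preconditions for a fragment of the Core language (assignment,
sequencing, if).  Added example: the AST, wp/subst and the bounded validity
check are this example's own constructions, not the lecture's code."""
from dataclasses import dataclass
from itertools import product

# One small AST serves for both arithmetic expressions and assertions.
@dataclass(frozen=True)
class Var: name: str

@dataclass(frozen=True)
class Const: value: int

@dataclass(frozen=True)
class BinOp:            # op is one of + - * == != < <= and or ->
    op: str; left: object; right: object

@dataclass(frozen=True)
class Not: arg: object

# Commands of the fragment.
@dataclass(frozen=True)
class Assign: var: str; expr: object

@dataclass(frozen=True)
class Seq: cmds: tuple

@dataclass(frozen=True)
class If: cond: object; then: object; els: object

def subst(e, var, by):
    """e[by/var]: the textual substitution the Assignment rule is built on."""
    if isinstance(e, Var): return by if e.name == var else e
    if isinstance(e, Const): return e
    if isinstance(e, Not): return Not(subst(e.arg, var, by))
    return BinOp(e.op, subst(e.left, var, by), subst(e.right, var, by))

def wp(cmd, post):
    """Working backwards: the weakest formula phi with (|phi|) cmd (|post|)."""
    if isinstance(cmd, Assign):        # Assignment: (|post[E/x]|) x = E (|post|)
        return subst(post, cmd.var, cmd.expr)
    if isinstance(cmd, Seq):           # C1; ...; Cn: start from Cn and move backwards
        for c in reversed(cmd.cmds):
            post = wp(c, post)
        return post
    if isinstance(cmd, If):            # [If-stmt 2]: (B -> phi1) and (not B -> phi2)
        return BinOp("and", BinOp("->", cmd.cond, wp(cmd.then, post)),
                     BinOp("->", Not(cmd.cond), wp(cmd.els, post)))
    raise TypeError(f"unsupported command {cmd!r}")

OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       "and": lambda a, b: a and b, "or": lambda a, b: a or b,
       "->": lambda a, b: (not a) or b}

def evaluate(e, state):
    """Value of e in a state that maps variable names to integers."""
    if isinstance(e, Var): return state[e.name]
    if isinstance(e, Const): return e.value
    if isinstance(e, Not): return not evaluate(e.arg, state)
    return OPS[e.op](evaluate(e.left, state), evaluate(e.right, state))

def free_vars(e):
    if isinstance(e, Var): return {e.name}
    if isinstance(e, Const): return set()
    if isinstance(e, Not): return free_vars(e.arg)
    return free_vars(e.left) | free_vars(e.right)

def valid_bounded(phi, lo=-4, hi=4):
    """Does phi hold in every state with all variables in [lo, hi]?  This is
    exhaustive testing of a finite box, not a proof: the Implied step for all
    integers has to be discharged in the proof calculus."""
    names = sorted(free_vars(phi))
    return all(evaluate(phi, dict(zip(names, vals)))
               for vals in product(range(lo, hi + 1), repeat=len(names)))

# Slide "Another Example": does z = x; z = z + y; u = z; establish u = x + y?
ANOTHER = Seq((Assign("z", Var("x")),
               Assign("z", BinOp("+", Var("z"), Var("y"))),
               Assign("u", Var("z"))))
POST_U = BinOp("==", Var("u"), BinOp("+", Var("x"), Var("y")))

# Slide "Example": the Succ implementation with postcondition y = x + 1.
SUCC = Seq((Assign("a", BinOp("+", Var("x"), Const(1))),
            If(BinOp("==", BinOp("-", Var("a"), Const(1)), Const(0)),
               Assign("y", Const(1)),
               Assign("y", Var("a")))))
POST_SUCC = BinOp("==", Var("y"), BinOp("+", Var("x"), Const(1)))

if __name__ == "__main__":
    print(wp(ANOTHER, POST_U), valid_bounded(wp(ANOTHER, POST_U)))
    print(wp(SUCC, POST_SUCC), valid_bounded(wp(SUCC, POST_SUCC)))
```

For the u = x + y program wp returns the formula x + y == x + y, exactly the slide's (|x + y = x + y|), and for Succ it returns the If-stmt 2 precondition with a replaced by x + 1; both hold in every state of the box, which is what the Implied step then proves for all integers. The same check also shows that y + 1 < 4 alone is not valid, so the assumption y < 3 in the first example is really needed.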
Recall: Partial-while Rule
(| B|) C (||)
(||) while B { C } (| B|)
[Partial-while]
Factorial Example
We shall show that the following Core program Fac1 meets this
specification:
y = 1;
z = 0;
while (z != x) { z = z + 1; y = y * z; }
Thus, to show:
(||) Fac1 (|y = x!|)
Partial Correctness of Fac1
...
(|y = z!|)
while (z != x) {
    (|y = z! z = x|)                 Invariant
    (|y (z + 1) = (z + 1)!|)         Implied
    z = z + 1;
    (|y z = z!|)                     Assignment
    y = y * z;
    (|y = z!|)                       Assignment
}
(|y = z! (z = x)|)                   Partial-while
(|y = x!|)                           Implied
Partial Correctness of Fac1
(||)
(|(1 = 0!)|)         Implied
y = 1;
(|y = 0!|)           Assignment
z = 0;
(|y = z!|)           Assignment
while (z != x) {
    ...
}
(|y = z! (z = x)|)   Partial-while
(|y = x!|)           Implied
Ideas for Total Correctness
The only source of non-termination is the while command.
If we can show that the value of an integer expression decreases in each iteration, but never goes negative, we have proven termination.
Why? Well-foundedness of the natural numbers.
We shall include this argument in a new version of the while rule.
Rules for Partial Correctness (continued)
(| B|) C (||)
(||) while B { C } (| B|)
[Partial-while]
(| B 0 E = E0|) C (| 0 E< E0|)
(| 0 E|) while B { C } (| B|)
[Total-while]
Factorial Example (Again!)
y = 1;
z = 0;
while (z != x) { z = z + 1; y = y * z; }
What could be a good invariant?
Answer:
x z
Total Correctness of Fac1
...
(|y = z! 0 x z|)
while (z != x) {
    (|y = z! z = x 0 x z = E0|)                     Invariant
    (|y (z + 1) = (z + 1)! 0 x (z + 1) < E0|)       Implied
    z = z + 1;
    (|y z = z! 0 x z < E0|)                         Assignment
    y = y * z;
    (|y = z! 0 x z < E0|)                           Assignment
}
(|y = z! (z = x)|)                                  Total-while
(|y = x!|)                                          Implied
Total Correctness of Fac1
(|x 0|)
(|(1 = 0!) 0 x 0|)   Implied
y = 1;
(|y = 0! 0 x 0|)     Assignment
z = 0;
(|y = z! 0 x z|)     Assignment
while (z != x) {
    ...
}
(|y = z! (z = x)|)   Total-while
(|y = x!|)           Implied
Programming by Contract
Consider
(||) P (||)
Obligation for consumer of P
Only run P when is met.
Obligation for producer of P
Make sure is met after every run of P, assuming that is met before the run.
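Both the Total Correctness of Fac1 proof above and the consumer/producer obligations on this slide can be turned into run-time checks that say who is to blame when a run goes wrong. The Python below is an added example, not the lecture's code: the contract decorator, the ContractViolation and ObligationFailed exceptions, the blame helper and succ_wrong are this example's own constructions, and math.factorial is used only as an oracle for the specification's x!. Fac1 is instrumented with the invariant y = z! and the variant x - z from the proof, checked at the points where the Total-while rule demands them.

```python
"""Programming by contract for Fac1, with the Total-while proof obligations
(invariant and variant) checked at run time.  Added example, not the lecture's code."""
import functools
import math

class ContractViolation(Exception):
    """A party to (|requires|) f (|ensures|) broke its obligation; .party says which."""
    def __init__(self, party, detail):
        super().__init__(f"{party}: {detail}")
        self.party = party

class ObligationFailed(Exception):
    """A proof obligation inside the loop (invariant or variant) was found false."""

def contract(requires, ensures):
    """Turn a specification into run-time checks with blame assignment.

    Consumer obligation: call f only when requires(*args) holds.
    Producer obligation: ensures(*args, result) holds on return, given requires held.
    """
    def decorate(f):
        @functools.wraps(f)
        def wrapper(*args):
            if not requires(*args):
                raise ContractViolation("consumer", f"{f.__name__}{args}: precondition false")
            result = f(*args)
            if not ensures(*args, result):
                raise ContractViolation("producer", f"{f.__name__}{args} -> {result}: postcondition false")
            return result
        return wrapper
    return decorate

def obligation(holds, what):
    if not holds:
        raise ObligationFailed(what)

# Specification of Fac1 from the lecture: precondition x >= 0, postcondition y = x!.
# math.factorial stands in for the specification's x! (an oracle, not part of Fac1).
@contract(requires=lambda x: x >= 0, ensures=lambda x, y: y == math.factorial(x))
def fac1(x):
    """Fac1 instrumented with its invariant y = z! and variant E = x - z."""
    y = 1
    z = 0
    while z != x:
        obligation(y == math.factorial(z), "invariant y = z! false at loop entry")
        e0 = x - z                                     # E0: the variant before the body
        obligation(e0 >= 0, "variant x - z is negative")
        z = z + 1
        y = y * z
        obligation(y == math.factorial(z), "invariant y = z! not re-established")
        obligation(0 <= x - z < e0, "variant did not decrease")  # 0 <= E < E0 after the body
    return y

@contract(requires=lambda x: True, ensures=lambda x, y: y == x + 1)
def succ_wrong(x):
    """A broken Succ: trivially meets its precondition but not its postcondition."""
    return x + 2

def blame(f, *args):
    """Run f(*args) and report who failed: 'ok', 'consumer', 'producer' or 'obligation: ...'."""
    try:
        f(*args)
    except ContractViolation as v:
        return v.party
    except ObligationFailed as o:
        return "obligation: " + str(o)
    return "ok"

if __name__ == "__main__":
    print(fac1(5))                          # 120
    print(blame(fac1, -1))                  # consumer: the contract rejects the call
    print(blame(succ_wrong, 3))             # producer
    # Bypass the contract: the variant check fires instead of looping forever.
    print(blame(fac1.__wrapped__, -1))      # obligation: variant x - z is negative
```

Calling fac1 with a negative argument is refused before the loop runs, and the blame goes to the consumer; succ_wrong meets its precondition but returns the wrong value, so the blame goes to the producer. The last call skips the contract (functools.wraps exposes the undecorated function as fac1.__wrapped__): without the precondition x >= 0 the unchecked loop would never terminate, and it is exactly the variant obligation 0 <= x - z from the Total-while rule that fails on the first iteration.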
Next Week
Lecture 12: Semantics of Hoare Logic