warm-up problemcbruni/cs245resources/lectures/2018_fall/… · warm-up problem 1. what is the...
TRANSCRIPT
![Page 1: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/1.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Warm-Up Problem
1. What is the definition of a Hoare triple satisfying partial correctness?2. Recall the rule for assignment:
⦇ 𝑄[𝐸/𝑥] ⦈ (x = 𝐸) ⦇ 𝑄 ⦈ (assignment)
Why is this the correct rule and not the following rule?
⦇ 𝑄 ⦈ (x = 𝐸) ⦇ 𝑄[𝐸/𝑥] ⦈ (assignment)
Solution: With the second rule, triples like⦇ 𝑥 = 3 ⦈ x=2 ⦇ 2 = 3 ⦈ are provable which would allow us toprove false statements.
1/38
![Page 2: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/2.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Warm-Up Problem
1. What is the definition of a Hoare triple satisfying partial correctness?2. Recall the rule for assignment:
⦇ 𝑄[𝐸/𝑥] ⦈ (x = 𝐸) ⦇ 𝑄 ⦈ (assignment)
Why is this the correct rule and not the following rule?
⦇ 𝑄 ⦈ (x = 𝐸) ⦇ 𝑄[𝐸/𝑥] ⦈ (assignment)
Solution: With the second rule, triples like⦇ 𝑥 = 3 ⦈ x=2 ⦇ 2 = 3 ⦈ are provable which would allow us toprove false statements.
1/38
![Page 3: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/3.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Program VerificationConditionals
Carmen BruniLecture 18
Based on slides by Jonathan Buss, Lila Kari, Anna Lubiw and SteveWolfman with thanks to B. Bonakdarpour, A. Gao, D. Maftuleac, C.
Roberts, R. Trefler, and P. Van Beek
2/38
![Page 4: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/4.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Last Time
• Give reasons for performing formal verification vs testing.• Define a Hoare Triple.• Define Partial Correctness.• Prove that a Hoare triple is satisfied under partial correctness for a
program containing assignment statements.
3/38
![Page 5: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/5.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Learning Goals
• Understand and use implied statements as needed.• Prove that a Hoare triple is satisfied under partial correctness for a
program containing assignment and conditional statements.
4/38
![Page 6: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/6.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example
Show that the following Hoare triple is satisfied under partial correctness.⦇ ((((2 ⋅ 𝑥) + (3 ⋅ 𝑦)) ≥ 7) ∧ ((𝑥 + (2 ⋅ 𝑦)) ≥ 0)) ⦈x = x + y;y = x + y;x = x + y;⦇ ((𝑥 ≥ 5) ∧ (𝑦 ≥ 0)) ⦈
Why is it that 𝑥 = 1 and 𝑦 = 2 satisfies the pre-condition but not the postcondition and yet the above Hoare triple is satisfied under partialcorrectness?
Answer: The code will actually mutate 𝑥 and 𝑦! The 𝑥 and 𝑦 at the endis not the same as the original.
5/38
![Page 7: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/7.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example
Show that the following Hoare triple is satisfied under partial correctness.⦇ ((((2 ⋅ 𝑥) + (3 ⋅ 𝑦)) ≥ 7) ∧ ((𝑥 + (2 ⋅ 𝑦)) ≥ 0)) ⦈x = x + y;y = x + y;x = x + y;⦇ ((𝑥 ≥ 5) ∧ (𝑦 ≥ 0)) ⦈
Why is it that 𝑥 = 1 and 𝑦 = 2 satisfies the pre-condition but not the postcondition and yet the above Hoare triple is satisfied under partialcorrectness?
Answer: The code will actually mutate 𝑥 and 𝑦! The 𝑥 and 𝑦 at the endis not the same as the original.
5/38
![Page 8: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/8.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example
Show that the following Hoare triple is satisfied under partial correctness.⦇ ((((2 ⋅ 𝑥) + (3 ⋅ 𝑦)) ≥ 7) ∧ ((𝑥 + (2 ⋅ 𝑦)) ≥ 0)) ⦈x = x + y;y = x + y;x = x + y;⦇ ((𝑥 ≥ 5) ∧ (𝑦 ≥ 0)) ⦈
Why is it that 𝑥 = 1 and 𝑦 = 2 satisfies the pre-condition but not the postcondition and yet the above Hoare triple is satisfied under partialcorrectness?
Answer: The code will actually mutate 𝑥 and 𝑦! The 𝑥 and 𝑦 at the endis not the same as the original.
5/38
![Page 9: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/9.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Programs with Conditional Statements
Conditionals 6/38
![Page 10: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/10.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Deduction Rules for Conditionals
if-then-else:
⦇ (𝑃 ∧ 𝐵) ⦈ C1 ⦇ 𝑄 ⦈ ⦇ (𝑃 ∧ (¬𝐵)) ⦈ C2 ⦇ 𝑄 ⦈⦇ 𝑃 ⦈ if (B) C1 else C2 ⦇ 𝑄 ⦈ (if-then-else)
if-then (without else):
⦇ (𝑃 ∧ 𝐵) ⦈ C ⦇ 𝑄 ⦈ ((𝑃 ∧ (¬𝐵)) → 𝑄)⦇ 𝑃 ⦈ if (B) C ⦇ 𝑄 ⦈ (if-then)
Conditionals 7/38
![Page 11: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/11.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Template for Conditionals With else
Annotated program template for if-then-else:
⦇ 𝑃 ⦈if ( 𝐵 ) {
⦇ (𝑃 ∧ 𝐵) ⦈ if-then-else𝐶1⦇ 𝑄 ⦈ (justify depending on 𝐶1—a “subproof”)
} else {⦇ (𝑃 ∧ (¬𝐵)) ⦈ if-then-else𝐶2⦇ 𝑄 ⦈ (justify depending on 𝐶2—a “subproof”)
}⦇ 𝑄 ⦈ if-then-else [justifies this 𝑄, given previous two]
Conditionals 8/38
![Page 12: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/12.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Template for Conditionals Without else
Annotated program template for if-then:
⦇ 𝑃 ⦈if ( 𝐵 ) {
⦇ (𝑃 ∧ 𝐵) ⦈ if-then𝐶⦇ 𝑄 ⦈ [add justification based on 𝐶]
}⦇ 𝑄 ⦈ if-then
Implied: Proof of ((𝑃 ∧ (¬𝐵)) → 𝑄)
Conditionals 9/38
![Page 13: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/13.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: Conditional Code
Example: Prove the following is satisfied under partial correctness.
⦇ true ⦈ ⦇ 𝑃 ⦈
if ( max < x ) { if ( 𝐵 ) {max = x ; 𝐶
} }
⦇ (max ≥ 𝑥) ⦈ ⦇ 𝑄 ⦈
First, let’s recall our proof method….
Conditionals 10/38
![Page 14: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/14.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
The Steps of Creating a Proof
Three steps in doing a proof of partial correctness:
1. First annotate using the appropriate inference rules.2. Then ”back up” in the proof: add an assertion before each assignment
statement, based on the assertion following the assignment.3. Finally prove any “implieds”:
• Annotations from (1) above containing implications• Adjacent assertions created in step (2).
Proofs here are written in Math 135 style. They can use PredicateLogic, basic arithmetic, or any other appropriate reasoning.
Conditionals 11/38
![Page 15: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/15.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Doing the Steps
1. Add annotations for the if-then statement.
2. “Push up” for the assignments.3. Identify “implieds” to be proven.
⦇ true ⦈if ( max < x ) {
⦇ (true ∧ (max < 𝑥)) ⦈ if-then
⦇ (𝑥 ≥ 𝑥) ⦈
max = x ;⦇ (max ≥ 𝑥) ⦈ ⟵ to be shown
}
⦇ (max ≥ 𝑥) ⦈ if-thenImplied: (( �true ∧ ¬((max < 𝑥))) � → (max ≥ 𝑥))
Conditionals 12/38
![Page 16: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/16.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Doing the Steps
1. Add annotations for the if-then statement.2. “Push up” for the assignments.
3. Identify “implieds” to be proven.
⦇ true ⦈if ( max < x ) {
⦇ (true ∧ (max < 𝑥)) ⦈ if-then⦇ (𝑥 ≥ 𝑥) ⦈max = x ;⦇ (max ≥ 𝑥) ⦈ assignment
}
⦇ (max ≥ 𝑥) ⦈ if-thenImplied: (( �true ∧ ¬((max < 𝑥))) � → (max ≥ 𝑥))
Conditionals 12/38
![Page 17: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/17.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Doing the Steps
1. Add annotations for the if-then statement.2. “Push up” for the assignments.3. Identify “implieds” to be proven.
⦇ true ⦈if ( max < x ) {
⦇ (true ∧ (max < 𝑥)) ⦈ if-then⦇ (𝑥 ≥ 𝑥) ⦈ Implied (a)max = x ;⦇ (max ≥ 𝑥) ⦈ assignment
}
⦇ (max ≥ 𝑥) ⦈ if-thenImplied (b): (( �true ∧ ¬((max < 𝑥))) � → (max ≥ 𝑥))
Conditionals 12/38
![Page 18: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/18.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Proving “Implied” Conditions
The auxiliary “implied” proofs can be done in Math 135 style (andassuming the necessary arithmetic properties). We will write theminformally, but clearly.
Proof of Implied (a):
∅ ⊢ ((true ∧ (max < 𝑥)) → (𝑥 ≥ 𝑥)).
• The statement (𝑥 ≥ 𝑥) is a tautology since ≥ is reflexive and so therequired implication holds.
Conditionals 13/38
![Page 19: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/19.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Implied (b)
Proof of Implied (b): Show ∅ ⊢ ((𝑃 ∧ (¬𝐵)) → 𝑄), which in this case is
∅ ⊢ ((true ∧ (¬(max < 𝑥))) → (max ≥ 𝑥)).
• The hypothesis, (true ∧ (¬(max < 𝑥))) can be simplified to(¬(max < 𝑥)).
• Then by properties of ¬, < and ≥, the conclusion, (max ≥ 𝑥), follows.
Conditionals 14/38
![Page 20: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/20.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2 for Conditionals
Prove the following is satisfied under partial correctness.
⦇ true ⦈if ( x > y ) {
max = x;} else {
max = y;}⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈
Conditionals 15/38
![Page 21: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/21.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2: Annotated Code
⦇ true ⦈if ( x > y ) {
⦇ (𝑥 > 𝑦) ⦈ if-then-else
⦇ (((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑥 = 𝑦))) ⦈
implied (a)
max = x ;⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈
assignment
} else {⦇ (¬(𝑥 > 𝑦)) ⦈ if-then-else
⦇ (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦))) ⦈
implied (b)
max = y ;⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈
assignment
}⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ if-then-else
Conditionals 16/38
![Page 22: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/22.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2: Annotated Code
⦇ true ⦈if ( x > y ) {
⦇ (𝑥 > 𝑦) ⦈ if-then-else⦇ (((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑥 = 𝑦))) ⦈
implied (a)
max = x ;⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ assignment
} else {⦇ (¬(𝑥 > 𝑦)) ⦈ if-then-else⦇ (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦))) ⦈
implied (b)
max = y ;⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ assignment
}⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ if-then-else
Conditionals 16/38
![Page 23: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/23.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2: Annotated Code
⦇ true ⦈if ( x > y ) {
⦇ (𝑥 > 𝑦) ⦈ if-then-else⦇ (((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑥 = 𝑦))) ⦈ implied (a)max = x ;⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ assignment
} else {⦇ (¬(𝑥 > 𝑦)) ⦈ if-then-else⦇ (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦))) ⦈ implied (b)max = y ;⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ assignment
}⦇ (((𝑥 > 𝑦) ∧ (max = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (max = 𝑦))) ⦈ if-then-else
Conditionals 16/38
![Page 24: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/24.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2: Implied Conditions
(a) Prove ((𝑥 > 𝑦) → (((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑥 = 𝑦)))).
• From (𝑥 > 𝑦) and from the trivially true (𝑥 = 𝑥), it follows that((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)).
• From this it follows that (((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑥 = 𝑦))).
(b) Prove ((𝑥 ≤ 𝑦) → (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦)))).
• From (𝑥 ≤ 𝑦) and from the trivially true (𝑦 = 𝑦), it follows that((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)).
• From this it follows that (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦))).
Conditionals 17/38
![Page 25: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/25.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
While-Loops and Total Correctness
while-Loops 18/38
![Page 26: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/26.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Total correctness
A triple ⦇ 𝑃 ⦈ 𝐶 ⦇ 𝑄 ⦈ is satisfied under total correctness, denoted
⊧tot ⦇ 𝑃 ⦈ 𝐶 ⦇ 𝑄 ⦈ ,
if and only if
for every state 𝑠 that satisfies 𝑃 ,execution of 𝐶 starting from state 𝑠 terminates,and the resulting state 𝑠′ satisfies 𝑄.
Total Correctness = Partial Correctness + Termination
while-Loops 19/38
![Page 27: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/27.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Examples for Partial and Total Correctness
Example 1. Total correctness satisfied:
⦇ (𝑥 = 1) ⦈y = x ;⦇ (𝑦 = 1) ⦈
Example 2. Neither total nor partial correctness:
⦇ (𝑥 = 1) ⦈y = x ;⦇ (𝑦 = 2) ⦈
while-Loops 20/38
![Page 28: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/28.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Examples for Partial and Total Correctness
Example 3. Infinite loop (partial correctness)
⦇ (𝑥 = 1) ⦈while (true) {
x = 0 ;}⦇ (𝑥 > 0) ⦈
while-Loops 21/38
![Page 29: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/29.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Partial and Total Correctness
Example 4. Total correctness
⦇ (𝑥 ≥ 0) ⦈y = 1 ;z = 0 ;while (z ! = x) {
z = z + 1 ;y = y ∗ z ;
}⦇ (𝑦 = 𝑥!) ⦈
What happens if we remove the precondition?
while-Loops 22/38
![Page 30: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/30.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Examples for Partial and Total Correctness
Example 5. No correctness, because input altered (“consumed”)
⦇ true ⦈y = 1 ;while (x ! = 0) {
y = y ∗ x ;x = x − 1 ;
}⦇ (𝑦 = 𝑥!) ⦈
while-Loops 23/38
![Page 31: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/31.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Proving Correctness: Recap and Overview
• Total correctness is our goal.• We usually prove it by proving partial correctness and termination
separately.• For partial correctness, we introduced sound inference rules.• For total correctness, we shall use ad hoc reasoning, which suffices for
our examples.(In general, total correctness is undecidable.)
Our focus on partial correctness may seem strange. It’s not the conditionwe want to justify.
But experience has shown it is useful to think about partial correctnessseparately from termination.
while-Loops 24/38
![Page 32: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/32.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Inference Rule: Partial-while
“Partial while”: do not (yet) require termination.
⦇ 𝐼 ∧ 𝐵 ⦈ 𝐶 ⦇ 𝐼 ⦈⦇ 𝐼 ⦈ while (𝐵) 𝐶 ⦇ 𝐼 ∧ ¬𝐵 ⦈ (partial-while)
In words:
If the code 𝐶 satisfies the triple ⦇ 𝐼 ∧ 𝐵 ⦈ 𝐶 ⦇ 𝐼 ⦈,and 𝐼 is true at the start of the while-loop,then no matter how many times we execute 𝐶,condition 𝐼 will still be true.
Condition 𝐼 is called a loop invariant.
After the while-loop terminates, ¬𝐵 is also true.
while-Loops 25/38
![Page 33: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/33.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Annotations for Partial-while
⦇ 𝑃 ⦈⦇ 𝐼 ⦈ Implied (a)while ( 𝐵 ) {
⦇ 𝐼 ∧ 𝐵 ⦈ partial-while𝐶⦇ 𝐼 ⦈ ⟵ to be justified, based on 𝐶}
⦇ 𝐼 ∧ ¬𝐵 ⦈ partial-while⦇ 𝑄 ⦈ Implied (b)
(a) Prove 𝑃 → 𝐼 (precondition 𝑃 implies the loop invariant)
(b) Prove (𝐼 ∧ ¬𝐵) → 𝑄 (exit condition implies postcondition)
We need to determine 𝐼!!
while-Loops 26/38
![Page 34: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/34.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Loop Invariants
A loop invariant is an assertion (condition) that is true both before andafter each execution of the body of a loop.
• True before the while-loop begins.• True after the while-loop ends.• Expresses a relationship among the variables used within the body of
the loop. Some of these variables will have their values changedwithin the loop.
• An invariant may or may not be useful in proving termination(to discuss later).
while-Loops 27/38
![Page 35: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/35.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: Finding a loop invariant⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
⟶
while (z != x) {z = z + 1 ;y = y * z ;
}⦇ 𝑦 = 𝑥! ⦈
At the while statement:𝑥 𝑦 𝑧 𝑧 ≠ 𝑥5 1 0 true5 1 1 true5 2 2 true5 6 3 true5 24 4 true5 120 5 false
From the trace and the post-condition,a candidate loop invariant is 𝑦 = 𝑧!
Why are 𝑦 ≥ 𝑧 or 𝑥 ≥ 0 not useful?
These do not involve the loop-termination condition.
while-Loops 28/38
![Page 36: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/36.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: Finding a loop invariant⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
⟶ while (z != x) {z = z + 1 ;y = y * z ;
}⦇ 𝑦 = 𝑥! ⦈
At the while statement:𝑥 𝑦 𝑧 𝑧 ≠ 𝑥5 1 0 true5 1 1 true5 2 2 true5 6 3 true5 24 4 true5 120 5 false
From the trace and the post-condition,a candidate loop invariant is 𝑦 = 𝑧!
Why are 𝑦 ≥ 𝑧 or 𝑥 ≥ 0 not useful?
These do not involve the loop-termination condition.
while-Loops 28/38
![Page 37: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/37.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: Finding a loop invariant⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
⟶ while (z != x) {z = z + 1 ;y = y * z ;
}⦇ 𝑦 = 𝑥! ⦈
At the while statement:𝑥 𝑦 𝑧 𝑧 ≠ 𝑥5 1 0 true5 1 1 true5 2 2 true5 6 3 true5 24 4 true5 120 5 false
From the trace and the post-condition,a candidate loop invariant is 𝑦 = 𝑧!
Why are 𝑦 ≥ 𝑧 or 𝑥 ≥ 0 not useful?
These do not involve the loop-termination condition.
while-Loops 28/38
![Page 38: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/38.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Annotations Inside a while-Loop
1. First annotate code using the while-loop inference rule, and any othercontrol rules, such as if-then.
2. Then work bottom-up (“push up”) through program code.• Apply inference rule appropriate for the specific line of code, or• Note a new assertion (“implied”) to be proven separately.
3. Prove the implied assertions using the inference rules of ordinary logic.
while-Loops 29/38
![Page 39: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/39.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: annotations for partial-while
Annotate by partial-while, with chosen invariant (𝑦 = 𝑧!).⦇ 𝑥 ≥ 0 ⦈
⦇ 1 = 0! ⦈ implied (a)
y = 1 ;
⦇ 𝑦 = 0! ⦈ assignment
z = 0 ;⦇ 𝑦 = 𝑧! ⦈ [justification required]while (z != x) {
⦇ (𝑦 = 𝑧!) ∧ ¬(𝑧 = 𝑥) ⦈ partial-while (⦇ 𝐼 ∧ 𝐵 ⦈)
⦇ 𝑦(𝑧 + 1) = (𝑧 + 1)! ⦈ implied (b)
z = z + 1 ;
⦇ 𝑦𝑧 = 𝑧! ⦈ assignment
y = y * z ;⦇ 𝑦 = 𝑧! ⦈ [justification required]
}⦇ 𝑦 = 𝑧! ∧ (𝑧 = 𝑥) ⦈ partial-while (⦇ 𝐼 ∧ ¬𝐵 ⦈)⦇ 𝑦 = 𝑥! ⦈
implied (c)
while-Loops 30/38
![Page 40: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/40.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: annotations for partial-while
Annotate assignment statements (bottom-up).
⦇ 𝑥 ≥ 0 ⦈⦇ 1 = 0! ⦈
implied (a)
y = 1 ;⦇ 𝑦 = 0! ⦈ assignmentz = 0 ;⦇ 𝑦 = 𝑧! ⦈ assignmentwhile (z != x) {
⦇ (𝑦 = 𝑧!) ∧ ¬(𝑧 = 𝑥) ⦈ partial-while
(⦇ 𝐼 ∧ 𝐵 ⦈)
⦇ 𝑦(𝑧 + 1) = (𝑧 + 1)! ⦈
implied (b)
z = z + 1 ;⦇ 𝑦𝑧 = 𝑧! ⦈ assignmenty = y * z ;⦇ 𝑦 = 𝑧! ⦈ assignment
}⦇ 𝑦 = 𝑧! ∧ (𝑧 = 𝑥) ⦈ partial-while
(⦇ 𝐼 ∧ ¬𝐵 ⦈)
⦇ 𝑦 = 𝑥! ⦈
implied (c)
while-Loops 30/38
![Page 41: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/41.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: annotations for partial-while
Note the required implied conditions.
⦇ 𝑥 ≥ 0 ⦈⦇ 1 = 0! ⦈ implied (a)y = 1 ;⦇ 𝑦 = 0! ⦈ assignmentz = 0 ;⦇ 𝑦 = 𝑧! ⦈ assignmentwhile (z != x) {
⦇ (𝑦 = 𝑧!) ∧ ¬(𝑧 = 𝑥) ⦈ partial-while
(⦇ 𝐼 ∧ 𝐵 ⦈)
⦇ 𝑦(𝑧 + 1) = (𝑧 + 1)! ⦈ implied (b)z = z + 1 ;⦇ 𝑦𝑧 = 𝑧! ⦈ assignmenty = y * z ;⦇ 𝑦 = 𝑧! ⦈ assignment
}⦇ 𝑦 = 𝑧! ∧ (𝑧 = 𝑥) ⦈ partial-while
(⦇ 𝐼 ∧ ¬𝐵 ⦈)
⦇ 𝑦 = 𝑥! ⦈ implied (c)
while-Loops 30/38
![Page 42: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/42.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: implied conditions (a) and (c)
Proof of implied (a): (𝑥 ≥ 0) ⊢ (1 = 0!).
By definition of factorial.
Proof of implied (c): (�(𝑦 = 𝑧!) ∧ (𝑧 = 𝑥)) � ⊢ (𝑦 = 𝑥!).
1. ((𝑦 = 𝑧!) ∧ (𝑧 = 𝑥)) Premise2. (𝑦 = 𝑧!) ∧e : 13. (𝑧 = 𝑥) ∧e : 14. (𝑧! = 𝑥!) EQSubs [𝑓(𝑢) = 𝑢!]:
35. (𝑦 = 𝑥!) EQTrans : 2, 4
while-Loops 31/38
![Page 43: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/43.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example: implied condition (b)
Proof of implied (b):
(�(𝑦 = 𝑧!) ∧ ¬(𝑧 = 𝑥)) � ⊢ (𝑧 + 1) 𝑦 = (𝑧 + 1)! .
1. 𝑦 = 𝑧! ∧ 𝑧 ≠ 𝑥 premise2. 𝑦 = 𝑧! ∧e: 13. (𝑧 + 1) 𝑦 = (𝑧 + 1) 𝑧! EqSubs: 24. (𝑧 + 1) 𝑧! = (𝑧 + 1)! def. of factorial: 35. (𝑧 + 1) 𝑦 = (𝑧 + 1)! EqTrans: 3, 4
while-Loops 32/38
![Page 44: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/44.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2 (Partial-while)
Prove the following is satisfied under partial correctness.
⦇ 𝑛 ≥ 0 ∧ 𝑎 ≥ 0 ⦈s = 1 ;i = 0 ;while (i < n) {
s = s * a ;i = i + 1 ;
}⦇ 𝑠 = 𝑎𝑛 ⦈
Trace of the loop:a n i s2 3 0 12 3 1 1∗22 3 2 1∗2∗22 3 3 1∗2∗2∗2
Candidate for the loop invariant: 𝑠 = 𝑎𝑖.
while-Loops 33/38
![Page 45: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/45.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2 (Partial-while)
Prove the following is satisfied under partial correctness.
⦇ 𝑛 ≥ 0 ∧ 𝑎 ≥ 0 ⦈s = 1 ;i = 0 ;while (i < n) {
s = s * a ;i = i + 1 ;
}⦇ 𝑠 = 𝑎𝑛 ⦈
Trace of the loop:a n i s2 3 0 12 3 1 1∗22 3 2 1∗2∗22 3 3 1∗2∗2∗2
Candidate for the loop invariant: 𝑠 = 𝑎𝑖.
while-Loops 33/38
![Page 46: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/46.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2 (Partial-while)
Prove the following is satisfied under partial correctness.
⦇ 𝑛 ≥ 0 ∧ 𝑎 ≥ 0 ⦈s = 1 ;i = 0 ;while (i < n) {
s = s * a ;i = i + 1 ;
}⦇ 𝑠 = 𝑎𝑛 ⦈
Trace of the loop:a n i s2 3 0 12 3 1 1∗22 3 2 1∗2∗22 3 3 1∗2∗2∗2
Candidate for the loop invariant: 𝑠 = 𝑎𝑖.
while-Loops 33/38
![Page 47: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/47.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2: Testing the invariantUsing 𝑠 = 𝑎𝑖 as an invariantyields the annotations shown atright.
Next, we want to• Push up for assignments• Prove the implications
But: implied (c) is false!
We must use a differentinvariant.
⦇ 𝑛 ≥ 0 ∧ 𝑎 ≥ 0 ⦈⦇ … ⦈s = 1 ;⦇ … ⦈i = 0 ;⦇ 𝑠 = 𝑎𝑖 ⦈while (i < n) {
⦇ 𝑠 = 𝑎𝑖 ∧ 𝑖 < 𝑛 ⦈ partial-while⦇ … ⦈s = s * a ;⦇ … ⦈i = i + 1 ;⦇ 𝑠 = 𝑎𝑖 ⦈
}⦇ 𝑠 = 𝑎𝑖 ∧ 𝑖 ≥ 𝑛 ⦈ partial-while⦇ 𝑠 = 𝑎𝑛 ⦈ implied (c)
while-Loops 34/38
![Page 48: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/48.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example 2: Adjusted invariantTry a new invariant:
𝑠 = 𝑎𝑖 ∧ 𝑖 ≤ 𝑛 .
Now the “implied”conditions areactually true, andthe proof cansucceed.
⦇ 𝑛 ≥ 0 ∧ 𝑎 ≥ 0 ⦈⦇ 1 = 𝑎0 ∧ 0 ≤ 𝑛 ⦈ implied (a)s = 1 ;⦇ 𝑠 = 𝑎0 ∧ 0 ≤ 𝑛 ⦈ assignmenti = 0 ;⦇ 𝑠 = 𝑎𝑖∧ 𝑖 ≤ 𝑛 ⦈ assignmentwhile (i < n) {
⦇ 𝑠 = 𝑎𝑖∧ 𝑖 ≤ 𝑛 ∧ 𝑖 < 𝑛 ⦈ partial-while⦇ 𝑠 ⋅ 𝑎 = 𝑎𝑖+1 ∧ 𝑖 + 1 ≤ 𝑛 ⦈ implied (b)s = s * a ;⦇ 𝑠 = 𝑎𝑖+1 ∧ 𝑖 + 1 ≤ 𝑛 ⦈ assignmenti = i + 1 ;⦇ 𝑠 = 𝑎𝑖∧ 𝑖 ≤ 𝑛 ⦈ assignment
}⦇ 𝑠 = 𝑎𝑖∧ 𝑖 ≤ 𝑛 ∧ 𝑖 ≥ 𝑛 ⦈ partial-while⦇ 𝑠 = 𝑎𝑛 ⦈ implied (c)
while-Loops 35/38
![Page 49: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/49.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Total Correctness (Termination)
Total Correctness = Partial Correctness + Termination
Only while-loops can be responsible for non-termination in ourprogramming language.
(In general, recursion can also cause it).
Proving termination:For each while-loop in the program,
Identify an integer expression which is always non-negative andwhose value decreases every time through the while-loop.
while-Loops 36/38
![Page 50: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/50.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example For Total Correctness
The code below has a “loop guard” of 𝑧 ≠ 𝑥,which is equivalent to 𝑥 − 𝑧 ≠ 0.
What happens to the value of 𝑥 − 𝑧 during execution?
⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
At start of loop: 𝑥 − 𝑧 = 𝑥 ≥ 0while ( z != x ) {
z = z + 1 ;
𝑥 − 𝑧 decreases by 1
y = y * z ;
𝑥 − 𝑧 unchanged
}⦇ 𝑦 = 𝑥! ⦈
Thus the value of 𝑥 − 𝑧 will eventually reach 0.The loop then exits and the program terminates.
while-Loops 37/38
![Page 51: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/51.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example For Total Correctness
The code below has a “loop guard” of 𝑧 ≠ 𝑥,which is equivalent to 𝑥 − 𝑧 ≠ 0.
What happens to the value of 𝑥 − 𝑧 during execution?
⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
At start of loop: 𝑥 − 𝑧 = 𝑥 ≥ 0while ( z != x ) {
z = z + 1 ; 𝑥 − 𝑧 decreases by 1y = y * z ;
𝑥 − 𝑧 unchanged
}⦇ 𝑦 = 𝑥! ⦈
Thus the value of 𝑥 − 𝑧 will eventually reach 0.The loop then exits and the program terminates.
while-Loops 37/38
![Page 52: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/52.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example For Total Correctness
The code below has a “loop guard” of 𝑧 ≠ 𝑥,which is equivalent to 𝑥 − 𝑧 ≠ 0.
What happens to the value of 𝑥 − 𝑧 during execution?
⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
At start of loop: 𝑥 − 𝑧 = 𝑥 ≥ 0while ( z != x ) {
z = z + 1 ; 𝑥 − 𝑧 decreases by 1y = y * z ; 𝑥 − 𝑧 unchanged
}⦇ 𝑦 = 𝑥! ⦈
Thus the value of 𝑥 − 𝑧 will eventually reach 0.The loop then exits and the program terminates.
while-Loops 37/38
![Page 53: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/53.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Example For Total Correctness
The code below has a “loop guard” of 𝑧 ≠ 𝑥,which is equivalent to 𝑥 − 𝑧 ≠ 0.
What happens to the value of 𝑥 − 𝑧 during execution?
⦇ 𝑥 ≥ 0 ⦈y = 1 ;z = 0 ;
At start of loop: 𝑥 − 𝑧 = 𝑥 ≥ 0while ( z != x ) {
z = z + 1 ; 𝑥 − 𝑧 decreases by 1y = y * z ; 𝑥 − 𝑧 unchanged
}⦇ 𝑦 = 𝑥! ⦈
Thus the value of 𝑥 − 𝑧 will eventually reach 0.The loop then exits and the program terminates.
while-Loops 37/38
![Page 54: Warm-Up Problemcbruni/CS245Resources/lectures/2018_Fall/… · Warm-Up Problem 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment:](https://reader034.vdocuments.site/reader034/viewer/2022042805/5f5f0b0c6b57d37b6c79be2b/html5/thumbnails/54.jpg)
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
...
.
Proof of Total Correctness
We chose an expression 𝑥 − 𝑧 (called the variant).
At the start of the loop, 𝑥 − 𝑧 ≥ 0:
• Precondition: 𝑥 ≥ 0.• Assignment 𝑧 ← 0.
Each time through the loop:
• 𝑥 doesn’t change: no assignment to it.• 𝑧 increases by 1, by assignment.• Thus 𝑥 − 𝑧 decreases by 1.
Thus the value of 𝑥 − 𝑧 will eventually reach 0.
When 𝑥 − 𝑧 = 0, the guard 𝑧 ! = 𝑥 ends the loop.
while-Loops 38/38