Correctness Proofs

Correctness ProofsCorrectness Proofs


Formal mathematical argument Formal mathematical argument that an algorithm meets its that an algorithm meets its

specification, which means that specification, which means that it always produces the correct it always produces the correct output for any permitted input.output for any permitted input.


Is Important to understand Is Important to understand what a deteiled formal what a deteiled formal

correctness proof looks like, correctness proof looks like, because otherwise you won’t because otherwise you won’t know what somebody is really know what somebody is really

saying with an informal saying with an informal correctness argument.correctness argument.

Invariants, Preconditions and Invariants, Preconditions and Posconditions.Posconditions.

1.1. P holds in the initial state.P holds in the initial state.

2.2. P holds after step P holds after step kk if it hods if it hods before step before step kk..

3.3. If P holds when the algorithm If P holds when the algorithm terminates, then the output of terminates, then the output of the algorithm is correct.the algorithm is correct.

Hoare LogicHoare Logic

Attach to each statement of a Attach to each statement of a program a precondition and a program a precondition and a postcondition.postcondition.

Precondition, Statement and Precondition, Statement and Postcondition, form a Postcondition, form a Hoare Hoare tripletriple..


{ x is an integer }{ x is an integer }

x := 2*xx := 2*x

{ x is even }{ x is even }

{ P: x is an integer }{ P: x is an integer }

x := 2*xx := 2*x

{ Q: x is even }{ Q: x is even }

x := x+1x := x+1

{R: x is odd }{R: x is odd }

{ x is even }{ x is even }

x := x + 1x := x + 1

{ x is odd }{ x is odd }


{P} S{P} S11 {Q} {Q} ΛΛ {Q} S {Q} S22 {R} {R}

{P} S{P} S11:S:S22 {R} {R}

Composition AxiomComposition Axiom

Hoare Logic AxiomsHoare Logic Axioms

Rules like before, which Rules like before, which define what new define what new

propositions can be propositions can be deduced from old ones, deduced from old ones,

are called are called AxiomsAxioms..

Pre-strengthening AxiomPre-strengthening Axiom

Making the precondition stronger Making the precondition stronger doesn’t change the truth of a doesn’t change the truth of a

Hoare triple.Hoare triple.

{Q} S {R} {Q} S {R} ΛΛ P P Q Q{P} S {R}{P} S {R}

Pre – strengthening AxiomPre – strengthening Axiom

Mostly used to sneak in extra Mostly used to sneak in extra facts that don’t appear explicitly facts that don’t appear explicitly

in our original precondition.in our original precondition.

If whenever Q is true,If whenever Q is true,

P P P P ΛΛ Q Q

is also true.is also true.

Post – weakening AxiomPost – weakening Axiom

Making the postcondition Making the postcondition weaker is also allowed.weaker is also allowed.

{P} S {Q} {P} S {Q} ΛΛ Q Q R R{P} S {R}{P} S {R}

Post – weakening AxiomPost – weakening Axiom

Typically used for getting rid of Typically used for getting rid of bits of a postcondition we don’t bits of a postcondition we don’t

care about.care about.

The direction of the implications The direction of the implications is important. Pre – weakening is important. Pre – weakening

and post – strengthening do and post – strengthening do NOTNOT produce valid proofs.produce valid proofs.

Assignment AxiomAssignment Axiom

{P[x/t]} x := t {P}{P[x/t]} x := t {P}

If P is true with If P is true with xx replaced by replaced by tt before before the assignment, it is true without the the assignment, it is true without the

replacement afterwards.replacement afterwards.

{0 = 0} x := {x=0}{0 = 0} x := {x=0}

{x+5 < 12} x:= x+5 {x < 12}{x+5 < 12} x:= x+5 {x < 12}

{x < 7} x:= x+5 {x < 12}{x < 7} x:= x+5 {x < 12}

Baggage LemmaBaggage Lemma

Used to carry along extra baggage Used to carry along extra baggage that you will need later.that you will need later.

{ } S {x = A}{ } S {x = A}

But you also need know that But you also need know that yy is is unchanged.unchanged.

{y = B} S {y = B {y = B} S {y = B ΛΛ x = A} x = A}

StrategyStrategy

1.1. Write down the algorithm.Write down the algorithm.

2.2. Precondition and postcondition Precondition and postcondition for each statements.for each statements.

3.3. Prove for each statement that Prove for each statement that its postcondition follow from its its postcondition follow from its precondition.precondition.

Proofs for if/then/else statementsProofs for if/then/else statements

{P}{P}if B thenif B then

{P and B}{P and B}do somethingdo something{Q}{Q}

elseelse{P and Not B}{P and Not B}do somethingdo something{Q}{Q}

end ifend if{Q}{Q}

Proofs for if/then/else statementsProofs for if/then/else statements

{P {P ΛΛ B} S B} S11 {Q} {Q} ΛΛ {P {P ΛΛ ¬B} S ¬B} S22 {Q} {Q}

{P} {P} ifif B B thenthen S S11 elseelse S S22 end ifend if {Q} {Q}

Proofs for LoopsProofs for Loops

{P}{P}

while B dowhile B do

{R and B}{R and B}

bodybody

{R}{R}

end whileend while

{Q}{Q}

Proofs for LoopsProofs for Loops

{A is an array with indices 0..n-1}{A is an array with indices 0..n-1}

i := ni := n

While i <> 0 doWhile i <> 0 do

{A[j] = 0 for all j >= i}{A[j] = 0 for all j >= i}

i := i – 1i := i – 1

{A[j] = 0 for all j >= i+1}{A[j] = 0 for all j >= i+1}

A[i] := 0A[i] := 0

{A[j] = 0 for all j >= i}{A[j] = 0 for all j >= i}

end whileend while

{A[0] .. A[n-1] are all equal to zero}{A[0] .. A[n-1] are all equal to zero}

Total vs Partial CorrectnessTotal vs Partial Correctness

We will want to show that an We will want to show that an algorithm produce the right algorithm produce the right

output in a reasonable amount output in a reasonable amount of time, tipically bounded by of time, tipically bounded by some function of the size of some function of the size of

the input.the input.

Proofs for Recursive ProceduresProofs for Recursive ProceduresProcedure Euclid(x,y: integer) return integerProcedure Euclid(x,y: integer) return integer

{}{}if y = 0 thenif y = 0 then

{y = 0}{y = 0}gcd := xgcd := x{gcd = gcd(x,y)}{gcd = gcd(x,y)}

elseelse{y <> 0}{y <> 0}gcd := Euclid(y,x mod y)gcd := Euclid(y,x mod y){gcd = gcd(x,y)}{gcd = gcd(x,y)}

endifendif{gcd = gcd(x,y)}{gcd = gcd(x,y)}return gcdreturn gcd

end procedureend procedure{return value = gcd(x,y){return value = gcd(x,y)

Correctness Proofs

Documents

Transcript of Correctness Proofs