Program Correctness

2

Program Verification

• An object is a finite state machine: – Its attribute values are its state.

– Its methods optionally:• Transition it from 1 state to another;

• Produce a return value.

• We deal with static methods: Functions.

• The discussion can be extended to objects.

3

• Let function f: I O, where

– I is the set of valid input

– O is the set of valid output

• Let program P compute f.

• If i I, P(i) = f(i), then P correctly computes f.

• If I is an int, then |I| > 1 billion.

• Idea: Prove that P computes f without testing.

4

Partial Correctness

An initial assertion states the properties of valid input.

A final assertion states the properties of valid output.

Let program [segment] S have:

initial assertion p

final assertion q.

If

(p is true for S’s input S terminates) q is true for S’s output

then

S is partially correct with respect to p & q, denoted pSq.

5

Correctness

• A program [segment] is correct when:

– It is partially correct.

– It terminates on all valid input.

• Initial & final assertions specify the function.

• N.B.

– Humans create the specification.

– A specification thus is a source of error.

– If specifying a function is more error-prone then programming it,

then “Houston, we have a problem.”

6

Is this Java segment correct?

assert ( y >= 0 );

int x = y*y;

x *= x*x;

assert x == y*y*y*y*y*y;

1. Let p be the initial assertion: y >= 0.

2. Let q be the final assertion: x == y6.

3. If p, then 1. x == y2 after the 1st statement,

2. x == y2 *y2 *y2 after the 2nd statement.

Is the above proof correct?

7

Is this Java segment correct?

assert ( y >= 0 ) && ( Math.pow(y, 6) <= Integer.MAX_VALUE );

int x = y*y;

x *= x*x;

assert x == y*y*y*y*y*y;

1. Let p & q be the initial & final assertion, respectively.

2. If p, then

1. x == y2 after the 1st statement,

2. x == y2 *y2 *y2 after the 2nd statement

3. no overflow occurs.

8

Rules of Inference

• Let segment S be segment S1 followed by

segment S2, written S = S1;S2.

• Composition inference rule:

( pS1q qS2r ) pS1;S2r

“If p is true and S1 & S2 terminate, then r is true.”

9

Conditional Statements

Suppose we have a segment of the form:if ( condition )

S

where condition is booelan & S is a segment.

Let p & q be initial & final assertions.

( p condition )Sq

( p condition ) q__________________

p if ( condition ) S q.

10

Suppose we have a segment of the form:if ( condition )

S1

else

S2

( p condition )S1q

( p condition )S2q_______________________

p if ( condition ) S1 else S2 q.

11

Loop Invariants

Suppose we have a segment of the form:while ( condition )

S

If assertion p is true whenever S is executed, it is a loop invariant.

Let p be a loop invariant.

(p condition )Sp

______________________________

p while condition S( condition p).

12

procedure int multiply( int m, int n ) // assume int is unbounded

boolean p = true, q = false, r = false, s = false, t = false;

assert p; // p represents: int m, n;

int a = ( n < 0 ) ? –n : n;

assert q = ( p && a == Math.abs( n ) );

int k = 0, x = 0;

assert r = ( q && k == 0 && x == 0 );

while ( k < a )

x += m;

k++;

assert k <= a && x == m*k;

assert s = ( x == m*a && a == Math.abs( n ) );

int product = ( n < 0 ) ? –x : x;

assert t = ( product == n*m );

return product;

13

Correctness Proof Framework

1. Show that p q r s t.

2. Conclude that p t.

3. Show that all program segments terminate.

4. Conclude that the program is correct.

Again, we omitted overflow considerations.

14

Characters

• ≥ ≡ ~

• ≈• • Ω Θ

• Σ•