hoare-logic.pdf - Handout C2: Reasoning About Code (Hoare...

This preview shows page 1 - 3 out of 16 pages.

Handout C2: Reasoning About Code (Hoare Logic)
CSE 331, Spring 2012
Written by Krysta Yousoufian
With material from Michael Ernst, Hal Perkins, and David Notkin

Contents

Introduction
Code reasoning fundamentals
    Assertions
    Forward and backward reasoning
    Weakest precondition
    Hoare triples
if/else statements
Summary so far: Rules for finding the weakest precondition
    Assignment statements
    Statement lists
    if/else statements
Loops
    Example 1: sum = 1 + 2 + ... + n
    Example 2: max = largest value in items[0...size-1]
    Example 3: reverse a[0 ... n-1]
    Example 4: binary search
    Example 5: "Dutch national flag"

Introduction

In this handout you will learn how to formally reason about code. This process will enable you to prove to yourself and others that a given block of code works correctly.

Code reasoning fundamentals

Imagine it's your first internship, and you are asked to write a max() method for an IntList class. You write this code and bring it to your boss. She says, "Prove to me that it works." OK... how do you do that? You could (and surely would) run some tests on sample input, but there's effectively an infinite number of possible IntLists. Tests are useful, but they can't prove that your code works in all possible scenarios.

This is where reasoning about code comes in. Instead of running your code, you step back and read it. You ask: "What is guaranteed to be true at this point in the program, based on the statements before it?" Or, going in the other direction: "If I want to guarantee that some fact Q is true at this point in the program, what must be true earlier to provide that guarantee?" You've surely done some of this naturally. Now you'll learn to do it in a more structured way with techniques to help.

Assertions

Let's start with a simple code example:

    x = 17;
    y = 42;
    z = x+y;

At each point before/after/in between statements, what do we know about the state of the program, specifically the values of variables? Since we're looking at this chunk of code in isolation, we don't know anything before it executes. After the first line executes, we know that x = 17. After the second line executes, we still know that x = 17, and we know that y = 42 too. After the third line executes, we also know that z = 17 + 42 = 59. We annotate the code to show this information:

    { true }
    x = 17;
    { x = 17 }
    y = 42;
    { x = 17 ∧ y = 42 }
    z = x+y;
    { x = 17 ∧ y = 42 ∧ z = 59 }

Each logical formula shows what must be true at that point in the program. Since we don't know anything at the beginning, only "true" itself must be true, so we simply write {true}.

Each of the lines with curly braces is an assertion. An assertion is a logical formula inserted at some point in a program. It is presumed to hold true at that point in the program. There are two special assertions: the precondition and the postcondition. A precondition is an assertion inserted prior to execution, and a postcondition
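The preview ends before the handout's rules for finding the weakest precondition, so the "other direction" of reasoning it describes (start from a fact Q you want to hold after a statement and compute what must hold before it) is only stated in words above. The following is an added example, not code from the handout or from CSE 331: it mechanises that backward step for assignment statements using the standard Hoare-logic assignment rule wp(x := e, Q) = Q[e/x] (substitute e for every occurrence of x in Q), chains it over a statement list from last statement to first, and applies it to the three-line snippet above. The function names, the (variable, expression) encoding of statements and the choice of Python expression syntax for assertions are my own assumptions; the handout's own notation for these rules is not in the preview.

```python
import ast
import copy


def substitute(formula: str, var: str, expr: str) -> str:
    """Return formula[expr/var]: every occurrence of the variable `var` in the
    assertion `formula` replaced by the expression `expr`.  Both are Python
    expression source.  Working on the AST rather than the text means
    ast.unparse re-inserts parentheses where precedence needs them, e.g.
    substituting x := x + 1 into "x * 2 > 5" yields "(x + 1) * 2 > 5"."""
    replacement = ast.parse(expr, mode="eval").body

    class Replace(ast.NodeTransformer):
        def visit_Name(self, node: ast.Name) -> ast.AST:
            if node.id == var:
                # Fresh copy per occurrence so shared nodes never appear twice in one tree.
                return copy.deepcopy(replacement)
            return node

    tree = Replace().visit(ast.parse(formula, mode="eval"))
    return ast.unparse(tree)


def wp_assign(var: str, expr: str, post: str) -> str:
    """Weakest precondition of the assignment `var = expr` with respect to the
    postcondition `post`: wp(x := e, Q) = Q[e/x]  (standard assignment rule)."""
    return substitute(post, var, expr)


def wp_statements(stmts, post: str) -> str:
    """Backward reasoning over a list of assignments given as (var, expr) pairs:
    push the postcondition through the statements from last to first."""
    pre = post
    for var, expr in reversed(stmts):
        pre = wp_assign(var, expr, pre)
    return pre


def holds(formula: str, state: dict) -> bool:
    """Evaluate an assertion in a concrete program state (variable -> value).
    The formulas here are constructed in this file, never taken from untrusted
    input; eval is used only as a convenience for the demonstration."""
    code = compile(formula, "<assertion>", "eval")
    return bool(eval(code, {"__builtins__": {}}, dict(state)))


# Constructed example: the handout's snippet x = 17; y = 42; z = x+y as (var, expr) pairs.
SNIPPET = [("x", "17"), ("y", "42"), ("z", "x + y")]


if __name__ == "__main__":
    # Backward: what must hold before the snippet so that z == 59 holds after it?
    print(wp_statements(SNIPPET, "z == 59"))               # 17 + 42 == 59
    # No variables remain, and the formula evaluates to True: the precondition is just "true".
    print(holds(wp_statements(SNIPPET, "z == 59"), {}))    # True
    # A precondition that still mentions a program variable.
    print(wp_assign("x", "x + 1", "x > 10"))               # x + 1 > 10
```

Running the backward pass over the snippet reproduces the handout's annotation from the bottom up: "z == 59" becomes "x + y == 59" before the third line, "x + 42 == 59" before the second, and "17 + 42 == 59" before the first, a closed formula that is simply true, which is why the top assertion in the handout is {true}.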

End of preview.

Term: Fall
Professor: Junjie Zhang
Tags: Design by contract, formal methods, Hoare logic, Hoare
