CS336F105 - 9/8/10 Lecture 5 CS336 F10 What will we cover...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: 9/8/10 Lecture 5 CS336 F10 What will we cover •  Quiz on if •  Proof of correctness for Loops Program Correctness The If Theorem To Show {Q} if B0→ S0 B1→ S1 fi {R} 1.  Q→ (B0∨B1) 2.  Q ∧ B0→wp(S0,R) 3.  Q ∧ B1→wp(S1,R) Quiz {(∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])} if x ≤ b[i] → skip ☐ x ≥ b[i] → x:= b[i] fi; i:= i+ 1 {(∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])} Step 1: First find wp(“S2”,R) =<instantiation> wp(“i:=i+1”, (∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])) =<wp := > (∀ j| 0 ≤ j ≤ i : x ≤ b[j]) Step 1: Then, show by the “if theorem” that Q → wp(“S1”,wp(“S2”,R)) That is, show 1. Q → Β1 ∨ Β2 2. Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) 3. Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) 1 9/8/10 Q → Β1 ∨ Β2 : Proof : Q → Β1 ∨ Β2 ↔<instantiation> Q → x≤b[i] ∨ x≥b[i] ↔<excluded middle ( or arith)> Q → T Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β1 → wp(“ skip”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β1 → wp(“ skip”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<skip> Q ∧ Β1 → (∀ j| 0 ≤ j ≤ i : x ≤ b[j]) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β1 → wp(“ skip”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<skip> Q ∧ Β1 → (∀ j| 0 ≤ j ≤ i : x ≤ b[j]) ↔<instantiation> (∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])∧ (x ≤ b[i])→ (∀ j| 0 ≤ j ≤ i : x ≤ b[j]) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β2 → wp(“ x:= b[i] ”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) Q ∧ Β1 → wp(“S11”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β1 → wp(“ skip”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<skip> Q ∧ Β1 → (∀ j| 0 ≤ j ≤ i : x ≤ b[j]) ↔<instantiation> (∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])∧ (x ≤ b[i])→ (∀ j| 0 ≤ j ≤ i : x ≤ b[j]) ↔<split range; identity> T 2 9/8/10 Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β2 → wp(“ x:= b[i] ”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<wp:=> Q ∧ Β2 → (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β2 → wp(“ x:= b[i] ”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<wp:=> Q ∧ Β2 → (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) ↔<instantiation> (∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])∧ (x ≥ b[i])→ (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) ↔<∧ simp; transitivity; split-off term > (∀ j| 0 ≤ j ≤ i-1 :b[i]≤ x ≤ b[j])→(∀j| 0≤j≤ i-1:b[i]≤b[j])∧(b[i] ≤b[i]) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β2 → wp(“ x:= b[i] ”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<wp:=> Q ∧ Β2 → (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) ↔<instantiation> (∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])∧ (x ≥ b[i])→ (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) ↔<∧ simp; transitivity; split-off term > (∀ j| 0 ≤ j ≤ i-1 :b[i]≤ x ≤ b[j])→(∀j| 0≤j≤ i-1:b[i]≤b[j])∧(b[i] ≤b[i]) ↔<identity; ∧ simp> (∀ j| 0 ≤ j ≤ i-1 :b[i]≤ x ≤ b[j])→(∀j| 0≤j≤ i-1:b[i]≤b[j]) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) Q ∧ Β2 → wp(“S12”,wp(“S2”,R)) ↔<instantiation> Q ∧ Β2 → wp(“ x:= b[i] ”, (∀ j| 0 ≤ j ≤ i : x ≤ b[j])) ↔<wp:=> Q ∧ Β2 → (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) ↔<instantiation> (∀ j| 0 ≤ j ≤ i-1 : x ≤ b[j])∧ (x ≥ b[i])→ (∀ j| 0 ≤ j ≤ i : b[i] ≤ b[j]) ↔<∧ simp; transitivity; split-off term > (∀ j| 0 ≤ j ≤ i-1 :b[i]≤ x ≤ b[j])→(∀j| 0≤j≤ i-1:b[i]≤b[j])∧(b[i] ≤b[i]) ↔<identity; ∧ simp> (∀ j| 0 ≤ j ≤ i-1 :b[i]≤ x ≤ b[j])→(∀j| 0≤j≤ i-1:b[i]≤b[j]) ↔<WS> T What We’ll Discuss Loops…While GCN for Loops do B1→ S1 repeat as long as possible. B2→ S2 choose a B that is true and . execute its command . . Bn → Sn od 3 9/8/10 {Q} do od {R} •  The formal definition: wp(DO,R) is defined recursively (in terms of the number of iterations of the loop), but the definition is not particularly useful in developing programs. •  Much more useful than wp(DO,R) is a theorem (analogous to the IF-theorem) that relates DO’s postconditions to preconditions. Example To store in s the sum of the elements of array b[0..9]: i, s := 0 , 0; S: do i<10 → i, s := i+1, s+ b[i] od {R}: {s=(Σj| 0≤j<10: b[j])} We begin by decorating the program with some assertions {Q}: {T} S0: i, s := 0 , 0; {P}: {0≤i≤10 ∧ s=(Σk| 0≤k<i: b[k])} S: do i<10 → i, s := i+1, s+ b[i] od {R}: {s=(Σk| 0≤k<10: b[k])} Showing that P holds before the loop is executed. Q→wp(“S0”, P) {Q}: {T} S0: i, s := 0 , 0; {P}: {0≤i≤10 ∧ s=(Σk| 0≤k<i: b[k]) S: do i<10 → i, s := i+1, s+ b[i] od {R}: {s=(Σk| 0≤k<10: b[k])} Showing that P holds before the loop is executed. Q→wp(“i, s:= 0, 0”, P) ↔ <instantiation > Q→wp( “i,s:= 0,0 ”, 0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) Showing that P holds before the loop is executed. Q→wp(“i, s:= 0, 0”, P) ↔ <instantiation > Q→wp( “i,s:= 0,0 ”, 0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) ↔ <wp :=> Q→ 0≤0≤10 ∧ 0 = (∑k: 0≤k<0: b[k]) 4 9/8/10 Showing that P holds before the loop is executed. Q→wp(“i, s:= 0, 0”, P) ↔ <instantiation > Q→wp( “i,s:= 0,0 ”, 0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) ↔ <wp :=> Q→ 0≤0≤10 ∧ 0 = (∑k: 0≤k<0: b[k]) ↔ <arithmetic; empty range> Q→ (T ∧ 0 = 0) Showing that P holds before the loop is executed. Q→wp(“i, s:= 0, 0”, P) ↔ <instantiation > Q→wp( “i,s:= 0,0 ”, 0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) ↔ <wp :=> Q→ 0≤0≤10 ∧ 0 = (∑k: 0≤k<0: b[k]) ↔ <arithmetic; empty range> Q→ (T ∧ 0 = 0) ↔ <identity; ∧ simp > Q→ T ↔ <→ simp> T Now we show that if P∧B holds before an iteration, then P holds after it, i.e., {P ∧B } S {P} {Q}: {T} S0: i, s := 0 , 0; {P}: {0≤i≤10 ∧ s=(Σk| 0≤k<i: b[k])} S: do i<10 → i, s := i+1, s+ b[i] od {R}: {s=(Σk| 0≤k<10: b[k])} Now we show that if P∧B holds before an iteration, then P holds after it. Proof: (i<10∧P) → wp(“i,s:= i+1, s+b[i]”, 0≤i≤10 ∧ s=(Σk| 0≤k<i: b[k])) Proof: (P ∧ i<10) → wp(“i,s:= i+1, s+b[i]”, P) Now we show that if P∧B holds before an iteration, then P holds after it. Proof: (i<10∧P) → wp(“i,s:= i+1, s+b[i]”, P) ↔<def. of wp :=> (i<10∧P) → 0≤i+1≤10 ∧ s+b[i] = (∑k: 0≤k<i+1: b[k]) Now we show that if P∧B holds before an iteration, then P holds after it. Proof: (i<10∧P) → wp(“i,s:= i+1, s+b[i]”, P) ↔<def. of wp :=> (i<10∧P) → 0≤i+1≤10 ∧ s+b[i] = (∑k: 0≤k<i+1: b[k]) ↔<arithmetic, splitting the range> (i<10∧0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) → -1≤i<10 ∧ s+b[i] = (∑k: 0≤k<i: b[k]) + b[i] 5 9/8/10 Now we show that if P∧B holds before an iteration, then P holds after it. Proof: (i<10∧P) → wp(“i,s:= i+1, s+b[i]”, P) ↔<def. of wp :=> (i<10∧P) → 0≤i+1≤10 ∧ s+b[i] = (∑k: 0≤k<i+1: b[k]) ↔<arithmetic, splitting the range> (i<10∧0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) → -1≤i<10 ∧ s+b[i] = (∑k: 0≤k<i: b[k]) + b[i] ↔<arithmetic> (0≤i<10 ∧ s = (∑k: 0≤k<i: b[k])) → (0-1=i ∨ 0≤i<10) ∧ s = (∑k: 0≤k<i: b[k]) Now we show that if P∧B holds before an iteration, then P holds after it. Proof: (i<10∧P) → wp(“i,s:= i+1, s+b[i]”, P) ↔<def. of wp :=> (i<10∧P) → 1≤i+1≤10 ∧ s+b[i] = (∑k: 0≤k<i+1: b[k]) ↔<arithmetic, splitting the range> (i<10∧1≤i≤10 ∧ s = (∑k: 0≤k<i: b[k])) → 0≤i<10 ∧ s+b[i] = (∑k: 0≤k<i: b[k]) + b[i] ↔<arithmetic> (0<i<10∧s = (∑k: 0≤k<i: b[k])) → (0=i ∨0<i<10) ∧ s = (∑k: 0≤k<i: b[k]) ↔<W/S> T Next we show that P∧¬BB → R. {Q}: {T} S0: i, s := 0 , 0; {P}: {0≤i≤10 ∧ s=(Σk| 0≤k<i: b[k])} S: do i<10 → i, s := i+1, s+ b[i] od {R}: {s=(Σk| 0≤k<10: b[k])} Next we show that P∧¬BB → R. P∧¬BB → R ↔  instantiate> < (0≤i≤10 ∧ s = (∑k: 0≤k<i: b[k]) ∧¬ (i<10)) → (s = (∑k: 0≤k<10: b[k])) Next we show that P∧¬BB → R. P∧¬BB → R ↔  instantiate> < (0≤i≤10 ∧s = (∑k: 0≤k<i: b[k])∧ ¬ (i<10)) → (s = (∑k: 0≤k<10: b[k])) ↔ <arithmetic,> (i=10 ∧ s = (∑k: 0≤k<i: b[k])) → (s = (∑k: 0≤k<10: b[k])) Next we show that P∧¬BB → R. P∧¬BB → R ↔  instantiate> < (0≤i≤10 ∧s = (∑k: 0≤k<i: b[k]) ∧ ¬ (i<10)) → (s = (∑k: 0≤k<10: b[k])) ↔ <arithmetic,> (i=10 ∧ s = (∑k: 0≤k<i: b[k])) → (s = (∑k: 0≤k<10: b[k])) ↔ <substitution> i=10 ∧ s = (∑k: 0≤k<10: b[k])) → (s = (∑k: 0≤k<10: b[k])) 6 9/8/10 Next we show that P∧¬BB → R. P∧¬BB → R ↔  instantiate> < (0≤i≤10 ∧s = (∑k: 0≤k<i: b[k]) ∧ ¬ (i<10)) → R ↔ <arithmetic,> (i=10 ∧ s = (∑k: 0≤k<i: b[k])) → (s = (∑k: 0≤k<10: b[k])) ↔ <substitution> i=10∧s = (∑k: 0≤k<10: b[k]))→ s = (∑k: 0≤k<10: b[k]) ↔ <W/S> T Partial Correctness •  The predicate P, which holds before, during, and after the iteration, plays a crucial role. Because it is always true, it is known as the loop’s invariant relation, or simply invariant. •  So far, we have proved only partial correctness: If the loop terminates, R will hold. Total Correctness •  Since we claimed at the outset that the wp method yields proofs of total correctness, our task is not finished. •  To show that the iteration will indeed terminate, we devise an integer function t of the program variables that •  decreases on every iteration, and •  is bounded from below while the iteration has not terminated. Total Correctness •  For this program, a suitable bound function (also called a terminating function) is t = 10-i. •  Each iteration increases i and hence decreases t by 1; as long as the iteration continues, i<10 and hence t>0. •  Ensuring that t satisfies these two requirements adds two more proof obligations (to the three we have already). Total Correctness {Q}: {T} S0: i, s := 0 , 0; {P}: {0≤i≤10 ∧ s=(Σj| 0≤j<i: b[j])} S: do i<10 → i, s := i+1, s+ b[i] od {R}: {s=(Σj| 0≤j<10: b[j])} P∧B → t≥ 0 Total Correctness P∧B → t≥ 0 ↔<instantiation> 0≤i≤10∧s=(Σj| 0≤j<i: b[j])∧i<10 → 10-i≥0 ↔< arith, W/S> T 7 9/8/10 Proving that t decreases is not as simple: •  The standard technique is to show that each execution of the guarded command S reduces t, by recording t’s value in a variable —say, t'— before S is executed, and showing that after S has been executed, t<t'. In formal terms, •  {P∧B} t':= t; S {t<t'}. Proof of t Decreasing P∧B → wp(“t':= t; i,s:= i+1, s+b[i]”, t<t') Proof of t Decreasing P∧B → wp(“t':= t; i,s:= i+1, s+b[i]”, t<t') ↔<def. of ‘; ’> P∧B → wp(“t':= t”, wp(“i,s:= i+1, s+b[i]”, t<t')) ↔<def. of ‘:=’> Proof of t Decreasing P∧B → wp(“t':= t; i,s:= i+1, s+b[i]”, t<t') ↔<def. of ‘; ’> P∧B → wp(“t':= t”, wp(“i,s:= i+1, s+b[i]”, t<t')) ↔<def. of ‘:=’> P∧B → wp(“t':= t”, 10-(i+1) < t') Proof of t Decreasing P∧B → wp(“t':= t; i,s:= i+1, s+b[i]”, t<t') ↔<def. of ‘; ’> P∧B → wp(“t':= t”, wp(“i,s:= i+1, s+b[i]”, t<t')) ↔<def. of ‘:=’> P∧B → wp(“t':= t”, 10-(i+1) < t') ↔<def. of ‘:=’> P∧B → (10-(i+1) < t) ↔<def. of t> P∧B → (10-(i+1) < 10-i) Proof of t Decreasing P∧B → wp(“t':= t; i,s:= i+1, s+b[i]”, t<t') ↔<def. of ‘; ’> P∧B → wp(“t':= t, wp(“i,s:= i+1, s+b[i]”, t<t')) ↔<def. of ‘:=’> P∧B → wp(“t':= t”, 10-(i+1) < t') ↔<def. of ‘:=’> P∧B → (10-(i+1) < t) ↔<def. of t> P∧B → (10-(i+1) < 10-i) ↔<algebra; → -simp> T 8 9/8/10 •  Hence the Program is correct. 9 ...
View Full Document

Ask a homework question - tutors are online