CSci 5106: Programming Languages
Reasoning About Programs
Gopalan Nadathur
Department of Computer Science and Engineering
University of Minnesota
Lectures in Fall 2010

Reasoning About Program Behaviour

The general idea:
- Make assertions about values of program variables
- Show the assertions to be true
- Relate the truth of assertions to desired behaviour

A Potential Problem: program variable values are constantly changing, so there is very little that is universally true about them.

The Solution (due to Floyd): focus only on values at particular program points; this is all that is of interest anyway.

An Example

Suppose we are given the program

  x = y + 2;
  { point A }
  if x < z then z = z - x; else x = x - z;

Now consider the property x > y.
- We cannot say much about the general truth or falsity of this property.
- We can say something about its truth or falsity at particular program points, though; e.g. it is true when control reaches point A.
- Typically, this is the only kind of thing that we need.

A Refinement to the Earlier View

Actually, we are interested in the truth of assertions after some statements based on what was true before them. For example, consider

  y = z / x

We know that y is z/x, but only assuming that x is not 0 before. We may write this as

  {x <> 0} y = z / x {y = z/x}

Thus, our interest is in triples of this kind, which are called Hoare triples.

Hoare Triples and Their Meanings

The units of assertion have the form

  { P } Q { R }

where P, R are formulas based on program variables and Q is a well-formed program fragment. Such assertions are known as Hoare triples.

The meaning of the assertion: if P is true before the execution of Q commences and the execution of Q actually terminates, then R is true upon completion. P and R are called the pre- and postconditions.

Notice that such assertions are vacuously true if Q does not terminate. Thus, to get some useful information from the triple, we also have to show that Q terminates.

Examples of Hoare Triples

Let us consider the following triples and see if they are true or false:

  {true} x = x * 2 {x is x * 2}
  {true} x = x * 2 {x is even}
  {x is a natural number} x = x * 2 {x is even}
  {true} x = x * 2 {x > 0}
  {false} x = x * 2 {x is odd}
  {true} while true do x = x * 2 {x is even}

Note that the assertion language is actually quite restricted:
- the pre- and postconditions can only be properties based on instantaneous states
- logical symbols can be used only inside these conditions, i.e., not on Hoare triples themselves

Showing Assertions to be True

First, observe that simply writing down assertions of the form {P} Q {R} does not mean that they are true!...
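The following Python program is an added example, not part of the lecture slides. It makes the slides' definitions concrete by running the slide fragments from many constructed sample states and searching for a state that refutes a triple: a state satisfying the precondition from which the fragment terminates in a state violating the postcondition. The loop that never terminates is modelled with a bounded step budget, which lets the same checker show the difference between the partial-correctness reading used in the lecture (nontermination makes the triple vacuously true) and a total-correctness reading that also demands termination. The instrumented point-A check in `branch_prog` is hypothetical instrumentation added here; the fragments, predicates and sample grid are all constructed for the example. Exhaustive testing over a finite grid can refute a triple but cannot prove it; that is exactly why the slides go on to ask how assertions are shown to be true.

```python
# Added example (not from the lecture slides): refuting or sampling Hoare
# triples by executing a program fragment from many sample states.
from itertools import product
from typing import Callable, Dict, Iterable, Optional

State = Dict[str, int]
Pred = Callable[[State], bool]
# A program maps an input state to its output state, or to None when it
# fails to terminate within the step budget.
Prog = Callable[[State], Optional[State]]


def counterexample(pre: Pred, prog: Prog, post: Pred,
                   states: Iterable[State], total: bool = False) -> Optional[State]:
    """Return a sample state refuting {pre} prog {post}, or None if none is found.

    total=False checks partial correctness (the lecture's meaning of a triple):
    a run that does not terminate is never a counterexample.
    total=True additionally demands termination from every state satisfying pre.
    """
    for s in states:
        if not pre(s):
            continue            # the triple says nothing about this state
        out = prog(dict(s))     # copy so the sample set is not mutated
        if out is None:
            if total:
                return s        # nontermination refutes total correctness only
            continue
        if not post(out):
            return s
    return None


# --- the program fragments from the slides ---------------------------------

def double_x(s: State) -> Optional[State]:
    """x = x * 2"""
    s["x"] = s["x"] * 2
    return s


def double_x_forever(s: State, fuel: int = 32) -> Optional[State]:
    """while true do x = x * 2 -- never terminates; fuel bounds the simulation."""
    for _ in range(fuel):
        s["x"] = s["x"] * 2
    return None                 # budget exhausted: reported as nontermination


def branch_prog(s: State, at_point_a: Optional[Pred] = None) -> Optional[State]:
    """x = y + 2; { point A } if x < z then z = z - x else x = x - z

    at_point_a, when given, is an assertion checked when control reaches
    point A; a violation raises AssertionError (hypothetical instrumentation).
    """
    s["x"] = s["y"] + 2
    if at_point_a is not None and not at_point_a(s):
        raise AssertionError(f"assertion at point A fails in {s}")
    if s["x"] < s["z"]:
        s["z"] = s["z"] - s["x"]
    else:
        s["x"] = s["x"] - s["z"]
    return s


# Constructed sample states: every assignment of x, y, z in -3..3.
GRID = [{"x": x, "y": y, "z": z} for x, y, z in product(range(-3, 4), repeat=3)]

always = lambda s: True
never = lambda s: False
x_even = lambda s: s["x"] % 2 == 0
x_odd = lambda s: s["x"] % 2 == 1
x_positive = lambda s: s["x"] > 0
x_natural = lambda s: s["x"] >= 0
x_gt_y = lambda s: s["x"] > s["y"]


def lecture_results() -> Dict[str, Optional[State]]:
    """Counterexamples (or None) for the slides' triples and the point-A claim."""
    return {
        "{true} x=x*2 {x even}": counterexample(always, double_x, x_even, GRID),
        "{x natural} x=x*2 {x even}": counterexample(x_natural, double_x, x_even, GRID),
        "{true} x=x*2 {x > 0}": counterexample(always, double_x, x_positive, GRID),
        "{false} x=x*2 {x odd}": counterexample(never, double_x, x_odd, GRID),
        "{true} while true do x=x*2 {x even} (partial)":
            counterexample(always, double_x_forever, x_even, GRID),
        "{true} while true do x=x*2 {x even} (total)":
            counterexample(always, double_x_forever, x_even, GRID, total=True),
        # x > y holds at point A on every run (no AssertionError is raised) ...
        "x > y at point A":
            counterexample(always, lambda s: branch_prog(s, x_gt_y), always, GRID),
        # ... but not at the end of the fragment: it is a point-specific fact.
        "x > y at exit": counterexample(always, branch_prog, x_gt_y, GRID),
    }


if __name__ == "__main__":
    for triple, cex in lecture_results().items():
        verdict = "holds on samples" if cex is None else f"refuted by {cex}"
        print(f"{triple:48s} {verdict}")
```

Running the block prints one verdict per triple. The `{true} x = x * 2 {x > 0}` triple is refuted by a non-positive starting x, `{false} ... {x odd}` holds vacuously because no sample satisfies the precondition, and the `while true` triple holds under the partial reading but fails as soon as termination is required, which is the point the slides make about needing a separate termination argument.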
 Fall '09
 Computer Science, Correctness, formal methods, Hoare logic, Gopalan Nadathur