
# ReynoldsCh03 - Program Specifications and Proofs


## Syntax

$$\langle\mathit{spec}\rangle ::= [\langle\mathit{assert}\rangle]\ \langle\mathit{comm}\rangle\ [\langle\mathit{assert}\rangle] \quad\text{(total correctness)}$$
$$\qquad\qquad\ \mid\ \{\langle\mathit{assert}\rangle\}\ \langle\mathit{comm}\rangle\ \{\langle\mathit{assert}\rangle\} \quad\text{(partial correctness)}$$

## Semantics

$[\![-]\!]_{\mathrm{spec}} \in \langle\mathit{spec}\rangle \to \mathbf{B}$; a specification $s$ is valid when $[\![s]\!]_{\mathrm{spec}} = \mathbf{true}$.

$$[\![\,[p]\ c\ [q]\,]\!]_{\mathrm{spec}} = \forall\sigma\in\Sigma.\ [\![p]\!]_{\mathrm{assert}}\sigma \Rightarrow \big([\![c]\!]_{\mathrm{comm}}\sigma \ne \bot \text{ and } [\![q]\!]_{\mathrm{assert}}([\![c]\!]_{\mathrm{comm}}\sigma)\big)$$
$$[\![\,\{p\}\ c\ \{q\}\,]\!]_{\mathrm{spec}} = \forall\sigma\in\Sigma.\ [\![p]\!]_{\mathrm{assert}}\sigma \Rightarrow \big([\![c]\!]_{\mathrm{comm}}\sigma = \bot \text{ or } [\![q]\!]_{\mathrm{assert}}([\![c]\!]_{\mathrm{comm}}\sigma)\big)$$

or, when $\mathbf{B}$ is ordered by $\mathbf{false} \sqsubseteq \mathbf{true}$ (so $\mathbf{B}_\bot$ is ordered $\bot \sqsubseteq \mathbf{false} \sqsubseteq \mathbf{true}$; $f_{\bot\bot}$ is the strict extension of $f$ that sends $\bot$ to $\bot$, and $\sqsubseteq$ between functions is taken pointwise):

$$[\![\,[p]\ c\ [q]\,]\!]_{\mathrm{spec}} = \big([\![p]\!]_{\mathrm{assert}} \sqsubseteq ([\![q]\!]_{\mathrm{assert}})_{\bot\bot}\cdot[\![c]\!]_{\mathrm{comm}}\big)$$
$$[\![\,\{p\}\ c\ \{q\}\,]\!]_{\mathrm{spec}} = \big((\mathbf{not}\cdot[\![q]\!]_{\mathrm{assert}})_{\bot\bot}\cdot[\![c]\!]_{\mathrm{comm}} \sqsubseteq \mathbf{not}\cdot[\![p]\!]_{\mathrm{assert}}\big)$$

## Properties of Program Specs

- If $[\![\,[p]\ c\ [q]\,]\!]_{\mathrm{spec}}$ and $[\![c]\!]_{\mathrm{comm}} \sqsubseteq [\![c']\!]_{\mathrm{comm}}$, then $[\![\,[p]\ c'\ [q]\,]\!]_{\mathrm{spec}}$.
- If $[\![\,\{p\}\ c\ \{q\}\,]\!]_{\mathrm{spec}}$ and $[\![c']\!]_{\mathrm{comm}} \sqsubseteq [\![c]\!]_{\mathrm{comm}}$, then $[\![\,\{p\}\ c'\ \{q\}\,]\!]_{\mathrm{spec}}$.
- If $[\![\,\{p\}\ c_i\ \{q\}\,]\!]_{\mathrm{spec}}$ for all $c_i$, and $[\![c_0]\!]_{\mathrm{comm}} \sqsubseteq [\![c_1]\!]_{\mathrm{comm}} \sqsubseteq \cdots$, and $[\![c]\!]_{\mathrm{comm}} = \bigsqcup_i [\![c_i]\!]_{\mathrm{comm}}$, then $[\![\,\{p\}\ c\ \{q\}\,]\!]_{\mathrm{spec}}$.

Total correctness survives replacing the command by a more defined one, partial correctness survives replacing it by a less defined one, and partial correctness is preserved by least upper bounds of chains; the third property is what the soundness proof of (WHP) below relies on.

## Examples of Program Specs

- $\{x-y>3\}\ x:=x-y\ \{x>2\}$ valid
- $[x-y>3]\ x:=x-y\ [x>2]$ valid
- $\{x\le 10\}\ \mathbf{while}\ x\ne 10\ \mathbf{do}\ x:=x+1\ \{x=10\}$ valid
- $\{\mathbf{true}\}\ \mathbf{while}\ x\ne 10\ \mathbf{do}\ x:=x+1\ \{x=10\}$ valid
- $[x\le 10]\ \mathbf{while}\ x\ne 10\ \mathbf{do}\ x:=x+1\ [x=10]$ valid
- $[\mathbf{true}]\ \mathbf{while}\ x\ne 10\ \mathbf{do}\ x:=x+1\ [x=10]$ invalid (when $x>10$ the loop never terminates, which partial correctness permits and total correctness does not)

## Basic Inference Rules for Specifications

Each rule is stated with $[\ ]$; the same rule with $\{\ \}$ throughout holds for partial correctness (the slides write both forms as one rule with combined brackets).

assignment (AS):
$$[p/v\to e]\ v:=e\ [p]$$

sequential composition (SQ):
$$\frac{[p]\ c_1\ [q]\qquad [q]\ c_2\ [r]}{[p]\ c_1\,;c_2\ [r]}$$

strengthening precedent (SP):
$$\frac{p\Rightarrow q\qquad [q]\ s\ [r]}{[p]\ s\ [r]}$$

weakening consequent (WC):
$$\frac{[p]\ s\ [q]\qquad q\Rightarrow r}{[p]\ s\ [r]}$$

(SP) and (WC) are noncompositional (not syntax-directed): their conclusion concerns the same command as their premiss rather than a command built from it.

## Soundness of the Assignment Rule

Recall the Substitution Theorem for predicate logic: if $[\![\delta\,w]\!]\sigma' = \sigma\,w$ for every $w \in FV(p)$, then $[\![p/\delta]\!]\sigma' = [\![p]\!]\sigma$.

Let $\sigma'$ be a state satisfying $p/v\to e$, i.e. $[\![p/v\to e]\!]_{\mathrm{assert}}\sigma' = \mathbf{true}$. Let $\sigma = [\![v:=e]\!]_{\mathrm{comm}}\sigma' = [\sigma' \mid v : [\![e]\!]_{\mathrm{intexp}}\sigma']$, and let $\delta = (v\to e) = [\,\mathrm{cvar} \mid v : e\,]$, the identity substitution updated to send $v$ to $e$. Then

$$[\![\delta\,v]\!]_{\mathrm{intexp}}\sigma' = [\![e]\!]_{\mathrm{intexp}}\sigma' = \sigma\,v,$$
$$[\![\delta\,u]\!]_{\mathrm{intexp}}\sigma' = [\![u]\!]_{\mathrm{intexp}}\sigma' = [\![u]\!]_{\mathrm{intexp}}\sigma = \sigma\,u \quad\text{for } u\ne v.$$

By the Substitution Theorem, $[\![p/v\to e]\!]\sigma' = [\![p]\!]\sigma$, so $p$ holds in the final state $\sigma$. Since an assignment always terminates, this establishes the rule in both its total and its partial form.

## Derived Rule for Multiple Sequential Composition (MSQ$_n$)

$$\frac{p_0\Rightarrow q_0\qquad [q_0]\ c_0\ [p_1]\qquad p_1\Rightarrow q_1\qquad\cdots\qquad [q_{n-1}]\ c_{n-1}\ [p_n]\qquad p_n\Rightarrow q_n}{[p_0]\ c_0\,;\ldots;c_{n-1}\ [q_n]}$$

Derivation of (MSQ$_1$):

1. $p_0\Rightarrow q_0$ (assumption)
2. $[q_0]\ c_0\ [p_1]$ (assumption)
3. $[p_0]\ c_0\ [p_1]$ SP (1, 2)
4. $p_1\Rightarrow q_1$ (assumption)
5. $[p_0]\ c_0\ [q_1]$ WC (3, 4)

(MSQ$_n$) is derived from (MSQ$_{n-1}$) and (SQ).

## A Simple Derivation

Prove validity of $[y>3]\ x:=2*y\ ;\ x:=x-y\ [x\ge 4]$:

1. $y>3 \Rightarrow (2*y)-y > 3$ (predicate logic)
2. $[(2*y)-y>3]\ x:=2*y\ [x-y>3]$ AS
3. $[x-y>3]\ x:=x-y\ [x>3]$ AS
4. $x>3\Rightarrow x\ge 4$ (predicate logic)
5. $[y>3]\ x:=2*y\ ;\ x:=x-y\ [x\ge 4]$ MSQ$_2$ (1, 2, $*$, 3, 4)

where $*$ stands for the trivial premiss $x-y>3 \Rightarrow x-y>3$.

## Derived Rule for Repeated Assignment

Derived from (MSQ$_n$):

$$\text{(RAS}_n\text{)}\quad \frac{p \Rightarrow (\ldots(q/v_{n-1}\to e_{n-1})\ldots)/v_0\to e_0}{[p]\ v_0:=e_0\ ;\ \ldots\ ;\ v_{n-1}:=e_{n-1}\ [q]}$$

The previous example can now be proved by

1. $y>3\Rightarrow (2*y)-y\ge 4$ (predicate logic)
2. $[y>3]\ x:=2*y\ ;\ x:=x-y\ [x\ge 4]$ RAS$_2$ (1)

Rule (RAS$_n$) is sound and complete: if its conclusion is valid, its premiss is valid.

## Rules for the while Construct

Partial correctness of while:
$$\text{(WHP)}\quad\frac{\{i\wedge b\}\ c\ \{i\}}{\{i\}\ \mathbf{while}\ b\ \mathbf{do}\ c\ \{i\wedge\neg b\}}$$
where $i$ is the loop invariant.

Total correctness of while:
$$\text{(WHT)}\quad\frac{[i\wedge b\wedge (e=v_0)]\ c\ [i\wedge (e<v_0)]\qquad i\wedge b\Rightarrow e\ge 0}{[i]\ \mathbf{while}\ b\ \mathbf{do}\ c\ [i\wedge\neg b]}$$
where $v_0 \notin FV(i)\cup FV(b)\cup FV(e)\cup FV(c)$; $e$ is the loop variant.

## Proof of Soundness for (WHP)

Recall the approximation to $\mathbf{while}\ b\ \mathbf{do}\ c$, writing $m_i = [\![w_i]\!]_{\mathrm{comm}}$:

$$w_0 \stackrel{\mathrm{def}}{=} \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip} \quad\Rightarrow\quad m_0\sigma = \bot$$
$$w_{i+1} \stackrel{\mathrm{def}}{=} \mathbf{if}\ b\ \mathbf{then}\ (c\,;w_i)\ \mathbf{else}\ \mathbf{skip} \quad\Rightarrow\quad m_{i+1}\sigma = \mathbf{if}\ [\![b]\!]\sigma\ \mathbf{then}\ (m_i)_{\bot\bot}([\![c]\!]\sigma)\ \mathbf{else}\ \sigma$$

and $[\![\mathbf{while}\ b\ \mathbf{do}\ c]\!] = \bigsqcup_n m_n$. Recall the meaning of partial correctness specs:

$$[\![\,\{p\}\ c\ \{q\}\,]\!]_{\mathrm{spec}} = \big((\mathbf{not}\cdot[\![q]\!]_{\mathrm{assert}})_{\bot\bot}\cdot[\![c]\!]_{\mathrm{comm}} \sqsubseteq \mathbf{not}\cdot[\![p]\!]_{\mathrm{assert}}\big)$$

Goal: prove that if
$$(\mathbf{not}\cdot[\![i]\!])_{\bot\bot}\cdot[\![c]\!] \sqsubseteq \mathbf{not}\cdot[\![i\wedge b]\!]$$
then
$$(\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}\cdot\Big(\bigsqcup_n m_n\Big) \sqsubseteq \mathbf{not}\cdot[\![i]\!].$$

Because $(\cdot)_{\bot\bot}$ is continuous, the conclusion holds if
$$\bigsqcup_n\big((\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}\cdot m_n\big) \sqsubseteq \mathbf{not}\cdot[\![i]\!],$$
which holds if, for all $n$,
$$(\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}\cdot m_n \sqsubseteq \mathbf{not}\cdot[\![i]\!].$$

By induction on $n$. The case $n=0$ is easy: $m_0\sigma = \bot$, and $\bot$ is below everything. If the claim holds for $n$, then for any $\sigma$

$$(\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}(m_{n+1}\sigma) = \mathbf{if}\ [\![b]\!]\sigma\ \mathbf{then}\ (\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}\big((m_n)_{\bot\bot}([\![c]\!]\sigma)\big)\ \mathbf{else}\ (\mathbf{not}\cdot[\![i\wedge\neg b]\!])\sigma.$$

In the then branch,
$$(\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}\big((m_n)_{\bot\bot}([\![c]\!]\sigma)\big) = \big((\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}\cdot m_n\big)_{\bot\bot}([\![c]\!]\sigma) \sqsubseteq (\mathbf{not}\cdot[\![i]\!])_{\bot\bot}([\![c]\!]\sigma) \sqsubseteq (\mathbf{not}\cdot[\![i\wedge b]\!])\sigma,$$
the first $\sqsubseteq$ by the induction hypothesis and the second by the premiss. Hence

$$(\mathbf{not}\cdot[\![i\wedge\neg b]\!])_{\bot\bot}(m_{n+1}\sigma) \sqsubseteq \mathbf{if}\ [\![b]\!]\sigma\ \mathbf{then}\ (\mathbf{not}\cdot[\![i\wedge b]\!])\sigma\ \mathbf{else}\ (\mathbf{not}\cdot[\![i\wedge\neg b]\!])\sigma = (\mathbf{not}\cdot[\![i]\!])\sigma,$$

the final equality because $b$ is true in the then branch and false in the else branch. QED.

## Soundness of (WHT)

$$\text{(WHT)}\quad\frac{[i\wedge b\wedge (e=v_0)]\ c\ [i\wedge (e<v_0)]\qquad i\wedge b\Rightarrow e\ge 0}{[i]\ \mathbf{while}\ b\ \mathbf{do}\ c\ [i\wedge\neg b]}$$
where the ghost variable $v_0$ is not in $FV(i)\cup FV(b)\cup FV(e)\cup FV(c)$.

Idea: $e$ serves as a loop counter with initial value $v_0$. The first premiss: every execution of $c$ decreases the counter while preserving $i$. The second premiss: as long as $b$ holds the counter is nonnegative, so once the counter becomes negative $b$ is false and the loop terminates (with the invariant $i$ still satisfied). An integer that strictly decreases on every iteration can stay nonnegative only finitely often, so the loop terminates.

## More Compositional Rules

skip (SK):
$$[p]\ \mathbf{skip}\ [p]$$

implication and skip (ISK), derived from (SK) and (SP):
$$\frac{p\Rightarrow q}{[p]\ \mathbf{skip}\ [q]}$$

conditional (CD):
$$\frac{[p\wedge b]\ c\ [q]\qquad [p\wedge\neg b]\ c'\ [q]}{[p]\ \mathbf{if}\ b\ \mathbf{then}\ c\ \mathbf{else}\ c'\ [q]}$$

variable declaration (DC'):
$$\frac{[p]\ v:=e\,;c\ [q]}{[p]\ \mathbf{newvar}\ v:=e\ \mathbf{in}\ c\ [q]}$$
where $v\notin FV(q)$.

## More Non-Compositional Rules

renaming (RN):
$$\frac{[p]\ c\ [q]}{[p']\ c'\ [q']}$$
where $p', c', q'$ are obtained by renaming bound variables in $p, c, q$.

conjunction (CA):
$$\frac{[p]\ c\ [q]\qquad [p']\ c\ [q']}{[p\wedge p']\ c\ [q\wedge q']}$$

disjunction (DA):
$$\frac{[p]\ c\ [q]\qquad [p']\ c\ [q']}{[p\vee p']\ c\ [q\vee q']}$$

constancy for partial correctness (CSP):
$$\{p\}\ c\ \{p\}\quad\text{when } FV(p)\cap FA(c) = \{\}$$

constancy for total correctness (CST):
$$\frac{[q]\ c\ [r]}{[p\wedge q]\ c\ [p\wedge r]}\quad\text{when } FV(p)\cap FA(c) = \{\}$$

($FA(c)$ is the set of variables assigned to in $c$.)

## Specification of a Factorial Computation

$$[n=m]\ f:=1\ ;\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [n<0 \vee f=m!]$$

Proof: by (SP) and (DA) from

(G1) $[n<0]\ f:=1\ ;\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [n<0]$

(G2) $[n=m\wedge n\ge 0]\ f:=1\ ;\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [f=m!]$

(DA) combines (G1) and (G2) into a specification with precondition $n<0 \vee (n=m\wedge n\ge 0)$, which $n=m$ implies, and (SP) finishes the argument.

## Correctness of the Factorial Specification

To prove (G1):

1. $[n-1<0 \wedge n-1<\mathit{count}]\ (f:=f*n\ ;\ n:=n-1)\ [n<0\wedge n<\mathit{count}]$ by (RAS$_2$)
2. $n<0\wedge n>0\wedge n=\mathit{count} \Rightarrow n-1<0\wedge n-1<\mathit{count}$
3. $[n<0\wedge n>0\wedge n=\mathit{count}]\ (f:=f*n\ ;\ n:=n-1)\ [n<0\wedge n<\mathit{count}]$ by (SP 1, 2)
4. $n<0\wedge n>0 \Rightarrow n\ge 0$
5. $[n<0]\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [n<0\wedge\neg(n>0)]$ by (WHT 3, 4)
6. $[n<0]\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [n<0]$ by (WC 5)
7. $[n<0]\ f:=1\ [n<0]$ by (AS)
8. $[n<0]\ f:=1\ ;\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [n<0]$ by (SQ 7, 6)

(The invariant $n<0$ contradicts the guard $n>0$, so the implications in lines 2 and 4 hold vacuously: the body never runs.)

To prove (G2):

1. $f=m!/n! \wedge n\ge 0\wedge n>0\wedge n=\mathit{cnt} \Rightarrow f*n = m!/(n-1)! \wedge n-1\ge 0\wedge n-1<\mathit{cnt}$
2. $[f=m!/n!\wedge n\ge 0\wedge n>0\wedge n=\mathit{cnt}]\ (f:=f*n\ ;\ n:=n-1)\ [f=m!/n!\wedge n\ge 0\wedge n<\mathit{cnt}]$ (RAS$_2$ 1)
3. $f=m!/n!\wedge n\ge 0\wedge n>0 \Rightarrow n\ge 0$
4. $[f=m!/n!\wedge n\ge 0]\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [f=m!/n!\wedge n\ge 0\wedge\neg(n>0)]$ (WHT 2, 3)
5. $f=1\wedge n=m\wedge n\ge 0 \Rightarrow f=m!/n!\wedge n\ge 0$
6. $f=m!/n!\wedge n\ge 0\wedge\neg(n>0) \Rightarrow f=m!$
7. $[f=1\wedge n=m\wedge n\ge 0]\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [f=m!]$ (SP, WC 5, 4, 6)
8. $[n=m\wedge n\ge 0]\ f:=1\ [f=1\wedge n=m\wedge n\ge 0]$ (AS)
9. $[n=m\wedge n\ge 0]\ f:=1\ ;\ \mathbf{while}\ n>0\ \mathbf{do}\ (f:=f*n\ ;\ n:=n-1)\ [f=m!]$ (SQ 8, 7)

...
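The difference between the partial and the total reading of a specification, as in the "Examples of Program Specs" above, is easy to get wrong in practice, so here is an added example (not from the slides or from Reynolds) that executes the page's two commands on a constructed finite sample of states and evaluates each of the six example specifications under both readings. The command encoding, the names `run`, `partially_correct`, `totally_correct` and `check_examples`, and the iteration budget `FUEL` are this example's own assumptions; a run that exhausts the budget is treated as $[\![c]\!]_{\mathrm{comm}}\sigma = \bot$, which is sound for this loop (once $x>10$ the guard never becomes false) but is an approximation in general. Checking a finite sample is testing, not the proof over all $\sigma\in\Sigma$ that validity demands; the rules in the rest of the page are what give the proof.

```python
from itertools import product

# Commands, mirroring the page's `comm` syntax (this example's own encoding):
#   ("skip",)  ("assign", v, e)  ("seq", c1, c2)  ("while", b, c)
# Expressions and assertions are Python callables over a state dict, standing in
# for [[e]]_intexp and [[p]]_assert.  BOTTOM stands for [[c]]_comm sigma = bottom.
BOTTOM = None
FUEL = 1_000  # assumption: a loop running more than FUEL iterations is treated as divergent


class Diverges(Exception):
    """Raised when the iteration budget is exhausted."""


def _exec(c, s, fuel):
    kind = c[0]
    if kind == "skip":
        return s
    if kind == "assign":
        _, v, e = c
        s[v] = e(s)  # [sigma | v : [[e]] sigma]
        return s
    if kind == "seq":
        return _exec(c[2], _exec(c[1], s, fuel), fuel)
    if kind == "while":
        _, b, body = c
        while b(s):
            fuel[0] -= 1
            if fuel[0] < 0:
                raise Diverges
            s = _exec(body, s, fuel)
        return s
    raise ValueError(f"unknown command {c!r}")


def run(c, state):
    """[[c]]_comm applied to `state`: the final state, or BOTTOM on (budgeted) divergence."""
    try:
        return _exec(c, dict(state), [FUEL])
    except Diverges:
        return BOTTOM


def partially_correct(p, c, q, states):
    """{p} c {q} over the sample: whenever p holds, c diverges or q holds afterwards."""
    for s in states:
        if p(s):
            t = run(c, s)
            if t is not BOTTOM and not q(t):
                return False
    return True


def totally_correct(p, c, q, states):
    """[p] c [q] over the sample: whenever p holds, c terminates and q holds afterwards."""
    for s in states:
        if p(s):
            t = run(c, s)
            if t is BOTTOM or not q(t):
                return False
    return True


# The two commands used in the page's examples.
SUB = ("assign", "x", lambda s: s["x"] - s["y"])
INC_TO_10 = ("while", lambda s: s["x"] != 10, ("assign", "x", lambda s: s["x"] + 1))

# Constructed sample of states: every (x, y) with both in -12..12.
SAMPLE_STATES = [{"x": x, "y": y} for x, y in product(range(-12, 13), repeat=2)]


def check_examples(states=SAMPLE_STATES):
    """The six specifications from the page, in the page's order, with their verdicts."""
    gt3 = lambda s: s["x"] - s["y"] > 3
    gt2 = lambda s: s["x"] > 2
    le10 = lambda s: s["x"] <= 10
    eq10 = lambda s: s["x"] == 10
    true = lambda s: True
    return {
        "{x-y>3} x:=x-y {x>2}": partially_correct(gt3, SUB, gt2, states),
        "[x-y>3] x:=x-y [x>2]": totally_correct(gt3, SUB, gt2, states),
        "{x<=10} while x!=10 do x:=x+1 {x=10}": partially_correct(le10, INC_TO_10, eq10, states),
        "{true} while x!=10 do x:=x+1 {x=10}": partially_correct(true, INC_TO_10, eq10, states),
        "[x<=10] while x!=10 do x:=x+1 [x=10]": totally_correct(le10, INC_TO_10, eq10, states),
        "[true] while x!=10 do x:=x+1 [x=10]": totally_correct(true, INC_TO_10, eq10, states),
    }


if __name__ == "__main__":
    for spec, ok in check_examples().items():
        print(f"{spec:42} {'valid' if ok else 'invalid'}")
```

Only the last specification comes out invalid, and only under the total reading: the states with $x>10$ make the loop diverge, which `partially_correct` ignores and `totally_correct` rejects. That is exactly the `= ⊥ or` versus `≠ ⊥ and` difference in the two semantic clauses.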
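The soundness argument for (AS) shows that substitution can be computed semantically, $[\![p/v\to e]\!]\sigma = [\![p]\!][\sigma \mid v : [\![e]\!]\sigma]$, and the (RAS$_n$) premiss and the two (WHT) premisses are then just implications to check. The following added example (this example's own code, not from the slides or from Reynolds) uses that to check the "simple derivation" $[y>3]\ x:=2*y\,;\,x:=x-y\ [x\ge 4]$ and the factorial loop's (WHT) premisses over constructed sample states. The function names `subst`, `wp_assignments`, `ras_premiss_holds` and `check_wht` are assumptions of the example; the invariant $f=m!/n!$ is written as $f\cdot n! = m!$ to stay in the integers. As before, a finite sample can refute a premiss but cannot prove it; the point is to see what each premiss demands and how a wrong choice of variant is caught.

```python
from itertools import product
from math import factorial

# Assertions and integer expressions are Python callables over a state dict; an
# assignment v := e is the pair (v, e).  Substitution is realised semantically,
# using the Substitution Theorem as its definition (this example's approach):
#   [[p/v->e]] sigma = [[p]] [sigma | v : [[e]] sigma]


def subst(p, v, e):
    """p/v->e as a predicate on states."""
    return lambda s: p({**s, v: e(s)})


def wp_assignments(assignments, q):
    """(RAS_n) premiss body: (...(q/v_{n-1}->e_{n-1})...)/v_0->e_0.
    The last assignment is substituted first (innermost), the first one last."""
    for v, e in reversed(assignments):
        q = subst(q, v, e)
    return q


def run_assignments(assignments, s):
    """Execute v_0:=e_0 ; ... ; v_{n-1}:=e_{n-1} from s (straight-line, always terminates)."""
    s = dict(s)
    for v, e in assignments:
        s[v] = e(s)
    return s


def ras_premiss_holds(p, assignments, q, states):
    """p => (...(q/v_{n-1}->e_{n-1})...)/v_0->e_0, checked on the sample states."""
    pre = wp_assignments(assignments, q)
    return all(pre(s) for s in states if p(s))


def check_wht(inv, guard, variant, body, states):
    """The two (WHT) premisses for `while guard do body`, body a list of assignments.
    For each sample state with i and b, v0 snapshots e before the body (the ghost variable):
      premiss 1: [i and b and e = v0] body [i and e < v0]
      premiss 2: i and b => e >= 0
    Returns the states violating each premiss (two empty lists when both hold)."""
    bad1, bad2 = [], []
    for s in states:
        if not (inv(s) and guard(s)):
            continue
        v0 = variant(s)
        t = run_assignments(body, s)
        if not (inv(t) and variant(t) < v0):
            bad1.append(s)
        if not v0 >= 0:
            bad2.append(s)
    return bad1, bad2


# --- The page's simple derivation: [y>3] x:=2*y ; x:=x-y [x>=4] ------------------------
TWO_ASSIGN = [("x", lambda s: 2 * s["y"]), ("x", lambda s: s["x"] - s["y"])]
XY_STATES = [{"x": x, "y": y} for x, y in product(range(-10, 11), repeat=2)]  # constructed


def simple_derivation_checks(states=XY_STATES):
    y_gt_3 = lambda s: s["y"] > 3
    return {
        "x>=4": ras_premiss_holds(y_gt_3, TWO_ASSIGN, lambda s: s["x"] >= 4, states),
        "x>=5": ras_premiss_holds(y_gt_3, TWO_ASSIGN, lambda s: s["x"] >= 5, states),  # y=4 refutes it
    }


# --- The factorial loop: while n>0 do (f := f*n ; n := n-1) -----------------------------
FACT_BODY = [("f", lambda s: s["f"] * s["n"]), ("n", lambda s: s["n"] - 1)]
FACT_GUARD = lambda s: s["n"] > 0
# The page's invariant f = m!/n! and n >= 0, written as f * n! = m! to stay in the integers.
FACT_INV = lambda s: s["n"] >= 0 and s["f"] * factorial(s["n"]) == factorial(s["m"])
# Constructed states: n in -2..6, m in 0..6, f over a few small values plus every m!/k!.
FACT_STATES = [
    {"n": n, "m": m, "f": f}
    for n, m in product(range(-2, 7), range(7))
    for f in sorted({0, 1, 2, 3, 5, 7} | {factorial(m) // factorial(k) for k in range(m + 1)})
]


def factorial_checks(states=FACT_STATES):
    return {
        "G2, variant n": check_wht(FACT_INV, FACT_GUARD, lambda s: s["n"], states),
        "G2, variant f": check_wht(FACT_INV, FACT_GUARD, lambda s: s["f"], states),  # f grows: premiss 1 fails
        "G1, invariant n<0": check_wht(lambda s: s["n"] < 0, FACT_GUARD, lambda s: s["n"], states),
    }


if __name__ == "__main__":
    print(simple_derivation_checks())
    for name, (bad1, bad2) in factorial_checks().items():
        print(f"{name}: premiss 1 violations {len(bad1)}, premiss 2 violations {len(bad2)}")
```

With variant $n$ both premisses hold on every sampled state, matching lines 2 and 3 of the (G2) proof; with variant $f$ the first premiss fails on every state where the body runs, because $f*n \ge f$ whenever $n>0$ and $f\ge 1$. For (G1) no sampled state satisfies $n<0\wedge n>0$, so both premisses hold vacuously, which is the same observation the proof makes about lines 2 and 4.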
This document was uploaded on 02/20/2012.