Hoare’s method for proving correctness of programs

Hoare’s logic

  • Hoare suggested in 1969 an inference system with which we can prove properties of programs.

  • A unique form of proof rules, called Hoare triples:

    P {Q} R

    where

    • P is a precondition

    • Q is a program or a program statement

    • R is a postcondition.


The simple language we consider

  • Hoare’s logic includes rules for inference on program constructs:

    • Assignments y = t

    • Composition S1; S2

    • If-then-else if e then S1 else S2 fi

    • While while e do S od

    • ...


The simple language we consider

  • A proof typically needs additional inference rules for the elementary operations (+, -, *, mod, ...)

    • e.g., axioms for arithmetic such as

      • x + 0 = x

      • x × y = y × x

      • ...


Assignments

  • D0 Axiom of assignments

    P {x = f} R

    where

    • P is derived from R by replacing all occurrences of x with f.

  • Example:

    y + 1 < 10 {y = y+1} y < 10


Consequence

  • D1 Inference rules for consequence

    P {Q} R    R → S
    ----------------    (make a postcondition weaker)
         P {Q} S

    P {Q} R    S → P
    ----------------    (make a precondition stronger)
         S {Q} R

  • Example

    y + 1 < 10 {y = y+1} y < 10    y < 10 → x = 1
    ---------------------------------------------
             y + 1 < 10 {y = y+1} x = 1


Composition

  • D2 Inference rule for composition

    P {Q1} R1    R1 {Q2} R
    ----------------------
         P {Q1; Q2} R

  • Example:

    x=1 {y = x} y=1    y=1 {z = y} z=1
    ----------------------------------
          x=1 {y = x; z = y} z=1


Iteration

  • Consider the statement: while B do S

  • D3 Inference rule for iteration

           P ∧ B {S} P
    --------------------------
    P {while B do S} ¬B ∧ P

  • Example

         x < 10 ∧ x < 5 {x = x+1} x < 10
    ------------------------------------------------
    x < 10 {while (x < 5) x = x + 1} x ≥ 5 ∧ x < 10


if-then-else

  • D4 if-then-else inference rule

    P ∧ e {Q1} R    P ∧ ¬e {Q2} R
    -----------------------------
    P {if e then Q1 else Q2 fi} R

  • Example

    z = 0 ∧ x < 0 {y := -x + z} y ≥ 0    z = 0 ∧ x ≥ 0 {y := x + z} y ≥ 0
    -------------------------------------------------------------------
            z = 0 {if (x < 0) y := -x + z else y := x + z} y ≥ 0


Example

  • Consider the following program for finding the quotient and remainder of x / y.

    r := x;
    q := 0;
    while (y <= r) {
      r := r – y;
      q := 1 + q;
    }

  • We will try to prove that in the end: x = r + y × q and y > r.

    (e.g., x = 16, y = 6)


Example

  • Strategy: find a loop invariant.

    r := x;
    q := 0;
    while (y <= r) {
      r := r – y;
      q := 1 + q;
    }

  • Assertions at successive program points:

    x = x + y × 0     (before r := x)
    x = r + y × 0     (after r := x)
    x = r + y × q     (after q := 0; the loop invariant)


Proof

  • So we first need to prove Lemma 1: x = x + y × 0

  • For this we will use the following axioms from arithmetic:

    • A0 x = x

    • A1 x + 0 = x

    • A2 x × 0 = 0

  • Proof

    1. x = x                 A0
    2. y × 0 = 0             A2
    3. x = x + y × 0         1, 2, A1


Proof

    1. true → x = x + y × 0                           Lemma 1
    2. x = x + y × 0 {r := x} x = r + y × 0           D0
    3. x = r + y × 0 {q := 0} x = r + y × q           D0
    4. true {r := x} x = r + y × 0                    D1, 1, 2
    5. true {r := x; q := 0} x = r + y × q            D2, 4, 3
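To make the rules D0–D3 concrete, here is an added example (Python 3.9+, not code from the slides) that implements the assignment axiom D0 as substitution on a parsed expression, pushes a postcondition backwards through composed assignments (D2), and checks the verification conditions of the quotient/remainder proof on a constructed set of small integer states; the names wp_assign, wp_seq, implies and while_vcs are chosen here.

```python
import ast
import itertools

class _Subst(ast.NodeTransformer):
    """Replace every occurrence of the variable `name` by the expression `repl`."""
    def __init__(self, name, repl):
        self.name, self.repl = name, repl
    def visit_Name(self, node):
        return self.repl if node.id == self.name else node

def wp_assign(var, expr, post):
    """D0: the precondition of `P {var := expr} post` is post with every
    occurrence of var replaced by expr (substitution on the parsed AST)."""
    tree = ast.parse(post, mode="eval")
    repl = ast.parse(expr, mode="eval").body
    return ast.unparse(ast.fix_missing_locations(_Subst(var, repl).visit(tree)))

def wp_seq(assignments, post):
    """D2: push a postcondition backwards through (var, expr) assignments, last first."""
    for var, expr in reversed(assignments):
        post = wp_assign(var, expr, post)
    return post

def implies(ante, conc, states):
    """D1 side condition `ante -> conc`, checked on every given state (a bounded test)."""
    a, c = compile(ante, "<vc>", "eval"), compile(conc, "<vc>", "eval")
    return all(not eval(a, {}, s) or eval(c, {}, s) for s in states)

def while_vcs(inv, guard, body, post, states):
    """D3 premise and exit step: (inv and guard) {body} inv, and (inv and not guard) -> post."""
    return {
        "preserved": implies(f"({inv}) and ({guard})", wp_seq(body, inv), states),
        "exit": implies(f"({inv}) and not ({guard})", post, states),
    }

# Quotient/remainder program from the slides, written as (variable, expression) pairs.
INIT = [("r", "x"), ("q", "0")]
BODY = [("r", "r - y"), ("q", "1 + q")]
INV = "x == r + y*q"          # the loop invariant found on the Example slide
GUARD = "y <= r"
POST = "x == r + y*q and y > r"

# Constructed state space: all small integer values of x, y, q, r, including y < 0.
STATES = [dict(zip("xyqr", v)) for v in itertools.product(range(-3, 8), repeat=4)]

def verify_division():
    """Check the three verification conditions of the proof on every constructed state."""
    init_ok = implies("True", wp_seq(INIT, INV), STATES)   # true -> wp(r := x; q := 0, INV)
    return {"init": init_ok, **while_vcs(INV, GUARD, BODY, POST, STATES)}
```

The state check only tests the implications on finitely many states and, like the Hoare rules themselves, says nothing about termination; a general proof needs the arithmetic axioms or a theorem prover.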


Proof

  Line   Formal proof   Justification

  (Continued on next page ...)


Proof (cont’d)

  Line   Formal proof   Justification


Notes on Hoare-style rules

  • Proves partial correctness

    • i.e., meaningless when the program does not terminate.

  • If in addition we prove termination, then we have total correctness.

  • Q: suppose that y < 0 in our program. Does it change the proof?


Notes on Hoare-style rules

  • Hoare logic is sound in the sense that everything that can be proved is correct.

  • There exist extensions to all popular constructs:

    • recursion

    • arrays, pointers,...

    • concurrency...

