
Hoare’s method for proving correctness of programs

Hoare’s logic

• Hoare suggested in 1969 an inference system with which we can prove properties of programs.

• A single form of proof rule, called a Hoare triple: P {Q} R (Hoare's original 1969 notation; today it is usually written {P} Q {R}), where

• P is a precondition

• Q is a program or a program statement

• R is a postcondition.

• Hoare’s logic includes rules for inference on program constructs:

• Assignments y = t

• Composition S1; S2

• If-then-else if e then S1 else S2 fi

• While while e do S od

• ...

• A proof typically needs additional inference rules for the elementary operations (+,-,*,mod...)

• e.g., axioms for arithmetic such as

• x + 0 = x

• x × y = y × x

• ...

• D0 Axiom of assignments

P {x = f} R

where

• P is derived from R by replacing all occurrences of x with f.

• Example: y + 1 < 10 {y = y+1} y < 10

• D1 Inference rules for consequence

  P {Q} R,  R → S
  ---------------   (weaken the postcondition)
  P {Q} S

  P {Q} R,  S → P
  ---------------   (strengthen the precondition)
  S {Q} R

• Example (the implication y < 10 → x = 1 is taken as a given here to show the shape of the rule; it is not a fact of arithmetic and would itself have to be proved)

  y + 1 < 10 {y = y+1} y < 10,  y < 10 → x = 1
  --------------------------------------------
  y + 1 < 10 {y = y+1} x = 1

• D2 Inference rule for composition

  P {Q1} R1,  R1 {Q2} R
  ---------------------
  P {Q1; Q2} R

• Example:

  x=1 {y = x} y=1,  y=1 {z=y} z=1
  -------------------------------
  x=1 {y=x; z=y} z=1

• Consider the statement: while B do S

• D3 Inference rule for iteration (P is the loop invariant)

  P ∧ B {S} P
  -----------------------
  P {while B do S} ¬B ∧ P

• Example

  x < 10 ∧ x < 5 {x = x+1} x < 10
  ----------------------------------------------
  x < 10 {while (x < 5) x = x + 1} x ≥ 5 ∧ x < 10

• D4 if-then-else inference rule

  P ∧ e {Q1} R,  P ∧ ¬e {Q2} R
  ----------------------------
  P {if e then Q1 else Q2 fi} R

• Example

  z = 0 ∧ x < 0 {y := -x + z} y ≥ 0,  z = 0 ∧ x ≥ 0 {y := x + z} y ≥ 0
  -------------------------------------------------------------------
  z = 0 {if (x<0) y := -x + z else y := x + z} y ≥ 0
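The rules D0, D2 and D4 can be applied mechanically: D0 is textual substitution, D2 chains substitutions backwards, D4 splits on the guard, and the implications that D1 needs are the only place arithmetic enters. The following is an added example, not from the slides, that does exactly this on Python expression strings and discharges the D1 implications by brute force over a small integer grid (a stand-in for the arithmetic axioms, so it can refute a bad implication but only suggests, never proves, a valid one). The names substitute, wp, holds_for_all and triple_holds are this example's own.

```python
# Added example (not from the slides): D0, D2 and D4 as backward substitution
# on Python expression strings; D1 implications checked on an integer grid.
# substitute, wp, holds_for_all and triple_holds are this example's own names.
# Requires Python 3.9+ for ast.unparse.
import ast
import copy
import itertools


def substitute(pred: str, var: str, expr: str) -> str:
    """D0: the precondition of {var := expr} for postcondition pred is pred
    with every occurrence of var replaced by expr. Done on the AST so that
    a name like 'xy' is untouched when var is 'x', and so that parentheses
    are inserted wherever operator precedence demands them."""
    tree = ast.parse(pred, mode="eval")
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(replacement) if node.id == var else node

    return ast.unparse(Sub().visit(tree))


def wp(stmt, post: str) -> str:
    """Precondition computed backwards through the small language of the
    slides. A statement is a tuple:
      ("assign", var, expr)       D0: substitute
      ("seq", s1, s2)             D2: wp(s1, wp(s2, post))
      ("if", e, s_then, s_else)   D4: (e and wp(s_then)) or (not e and wp(s_else))
    """
    kind = stmt[0]
    if kind == "assign":
        return substitute(post, stmt[1], stmt[2])
    if kind == "seq":
        return wp(stmt[1], wp(stmt[2], post))
    if kind == "if":
        e, s_then, s_else = stmt[1], stmt[2], stmt[3]
        return (f"(({e}) and ({wp(s_then, post)})) or "
                f"(not ({e}) and ({wp(s_else, post)}))")
    raise ValueError(f"unknown statement kind {kind!r}")


def holds_for_all(formula: str, variables, lo: int = -6, hi: int = 6) -> bool:
    """Evaluate a closed arithmetic formula at every point of a small integer
    grid. This stands in for the arithmetic axioms (A0, A1, ...): a False
    result is a genuine counterexample, a True result is only evidence."""
    code = compile(formula, "<hoare>", "eval")
    for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, values))
        if not eval(code, {"__builtins__": {}}, env):
            return False
    return True


def triple_holds(pre: str, stmt, post: str, variables) -> bool:
    """D1 (strengthen the precondition): pre {stmt} post follows from
    pre -> wp(stmt, post), which is checked on the grid."""
    return holds_for_all(f"(not ({pre})) or ({wp(stmt, post)})", variables)


if __name__ == "__main__":
    # D0 example from the slides: y + 1 < 10 {y := y + 1} y < 10
    print(substitute("y < 10", "y", "y + 1"))
    # D2 example: x = 1 {y := x; z := y} z = 1
    print(wp(("seq", ("assign", "y", "x"), ("assign", "z", "y")), "z == 1"))
    # D4 example: z = 0 {if x < 0 then y := -x + z else y := x + z} y >= 0
    branch = ("if", "x < 0", ("assign", "y", "-x + z"), ("assign", "y", "x + z"))
    print(triple_holds("z == 0", branch, "y >= 0", ["x", "z"]))
    # Premise of D3 for the division program that follows: the invariant
    # together with the guard must re-establish the invariant after the body.
    body = ("seq", ("assign", "r", "r - y"), ("assign", "q", "1 + q"))
    print(triple_holds("x == r + y*q and y <= r", body, "x == r + y*q",
                       ["x", "r", "y", "q"]))
    # The slides' D1 example leans on y < 10 -> x = 1, which is refuted.
    print(triple_holds("y + 1 < 10", ("assign", "y", "y + 1"), "x == 1",
                       ["x", "y"]))
```

The last call returns False because the grid finds a state with y < 10 and x ≠ 1: the D1 example on the slide is only valid if that implication is supplied as an extra hypothesis. The check on the loop body is the proof obligation that D3 asks for; it passes for every sign of y, which already hints that the partial-correctness argument does not depend on y being positive.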

• Consider the following program for finding the quotient q and remainder r of x / y.

  r := x;
  q := 0;
  while (y <= r) {
    r := r - y;
    q := 1 + q;
  }

• We will try to prove that in the end: x = r + y × q and y > r.

• Trace for x = 16, y = 6: (r, q) = (16, 0) → (10, 1) → (4, 2); the loop then exits with 6 > 4 and 16 = 4 + 6 × 2.

• Strategy: find a loop invariant. The program, annotated with the assertion that holds at each point:

  {x = x + y × 0}
  r := x;
  {x = r + y × 0}
  q := 0;
  {x = r + y × q}          (loop invariant)
  while (y <= r) {
    r := r - y;
    q := 1 + q;
  }

• So we first need to prove Lemma 1: x = x + y × 0

• For this we will use the following axioms from arithmetic:

  • A0 x = x

  • A1 x + 0 = x

  • A2 x × 0 = 0

• Proof

  1. x = x               A0
  2. y × 0 = 0           A2
  3. x = x + y × 0       1, 2, A1

• Proof

  Line  Formal proof                                  Justification
  1     true → x = x + y × 0                          Lemma 1
  2     x = x + y × 0 {r := x} x = r + y × 0          D0
  3     x = r + y × 0 {q := 0} x = r + y × q          D0
  4     true {r := x} x = r + y × 0                   D1, 1, 2
  5     true {r := x; q := 0} x = r + y × q           D2, 4, 3

  (Continued on next page ...)

• Proof (cont'd)

  Line  Formal proof                                  Justification
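The transcript ends before the lines that handle the loop. The remaining lines, added here and not part of the transcript, follow Hoare's 1969 presentation with the same rules D0–D3. They assume two further arithmetic facts in the style of A0–A2: A3 y × (1 + q) = y + y × q and A4 (r − y) + y = r, which together give Lemma 2. The hypothesis y ≤ r in Lemma 2 is not needed for the identity itself; it is carried so that line 10 has exactly the shape P ∧ B {S} P that D3 requires.

  Line  Formal proof                                                                   Justification
  6     x = r + y × q ∧ y ≤ r → x = (r − y) + y × (1 + q)                               Lemma 2 (A3, A4)
  7     x = (r − y) + y × (1 + q) {r := r − y} x = r + y × (1 + q)                      D0
  8     x = r + y × (1 + q) {q := 1 + q} x = r + y × q                                  D0
  9     x = (r − y) + y × (1 + q) {r := r − y; q := 1 + q} x = r + y × q                D2, 7, 8
  10    x = r + y × q ∧ y ≤ r {r := r − y; q := 1 + q} x = r + y × q                    D1, 6, 9
  11    x = r + y × q {while (y <= r) {r := r − y; q := 1 + q}} ¬(y ≤ r) ∧ x = r + y × q   D3, 10
  12    true {r := x; q := 0; while (y <= r) {r := r − y; q := 1 + q}} ¬(y ≤ r) ∧ x = r + y × q   D2, 5, 11

Since ¬(y ≤ r) is y > r, line 12 is the goal stated above: x = r + y × q and y > r, for any initial x and y, provided the program terminates.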

• Proves partial correctness

• i.e., meaningless when the program does not terminate.

• If in addition we prove termination, then we have total correctness.

• Q: suppose that y < 0 in our program. Does it change the proof ?
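None of the rules D0–D3 used in the proof refers to the sign of y, so with y < 0 the partial-correctness proof goes through unchanged; what breaks is termination, since r := r − y no longer decreases r and the guard y ≤ r stays true forever once it holds. The following added example, not from the slides, runs the program with the invariant and postcondition turned into runtime assertions and a step limit in place of a termination proof, and it also checks the result against the stronger specification 0 ≤ r < y that a caller actually wants. The names Run, run_division, is_true_quotient_remainder and sweep are this example's own.

```python
# Added example (not from the slides): Hoare's quotient/remainder program with
# the proof obligations turned into runtime assertions. Run, run_division,
# is_true_quotient_remainder and sweep are this example's own names.
from dataclasses import dataclass


@dataclass
class Run:
    q: int
    r: int
    steps: int
    terminated: bool   # False if the loop was cut off after max_steps


def run_division(x: int, y: int, max_steps: int = 1_000) -> Run:
    """Run the program from the slides. The invariant x = r + y*q is asserted
    where the proof needs it (on entry and after every pass through the body,
    as D3 requires) and the postcondition not(y <= r) and x = r + y*q on exit.

    Partial correctness says nothing about termination, so instead of hanging
    the loop is cut off after max_steps iterations."""
    r = x
    q = 0
    assert x == r + y * q, "invariant not established by r := x; q := 0"
    steps = 0
    while y <= r:                                  # guard B
        if steps >= max_steps:
            return Run(q, r, steps, terminated=False)
        r = r - y
        q = 1 + q
        assert x == r + y * q, "invariant not preserved by the loop body"
        steps += 1
    # D3 gives exactly  not B and invariant  on exit
    assert not (y <= r) and x == r + y * q
    return Run(q, r, steps, terminated=True)


def is_true_quotient_remainder(x: int, y: int, run: Run) -> bool:
    """The stronger specification a caller wants: 0 <= r < y and x = q*y + r.
    The slides' postcondition omits 0 <= r, so a run can satisfy the proved
    postcondition without computing a remainder in the usual sense."""
    return run.terminated and 0 <= run.r < y and x == run.q * y + run.r


def sweep(lo: int = -20, hi: int = 20) -> dict:
    """Run every (x, y) in a square range and classify the outcomes."""
    out = {"terminated": 0, "cut_off": 0, "spec_gap": []}
    for x in range(lo, hi + 1):
        for y in range(lo, hi + 1):
            run = run_division(x, y, max_steps=200)
            if not run.terminated:
                out["cut_off"] += 1
                continue
            out["terminated"] += 1
            # the postcondition held (asserted inside run_division); did the
            # program also compute the mathematical quotient and remainder?
            if y > 0 and not is_true_quotient_remainder(x, y, run):
                out["spec_gap"].append((x, y, run.q, run.r))
    return out


if __name__ == "__main__":
    print(run_division(16, 6))      # the trace from the slides: q = 2, r = 4
    print(run_division(16, 0))      # y = 0: the guard never becomes false
    print(run_division(16, -3))     # y < 0: r grows, the loop never exits
    s = sweep()
    print(s["terminated"], "terminated,", s["cut_off"], "cut off")
    print("postcondition met but not a true remainder:", s["spec_gap"][:3])
```

Two things the sweep shows. First, every cut-off run is one with y ≤ 0 and x ≥ y, and in none of them does the invariant assertion fire: the proof is sound, it simply only speaks about runs that finish. Second, for y > 0 and x < 0 the loop exits immediately with q = 0 and r = x, which satisfies x = r + y × q and y > r but is not a remainder. A verified program is only as good as its specification, and the specification proved here is weaker than the informal one in the slide title.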

• Hoare logic is sound in the sense that everything that can be proved is correct

• There exist extensions for all popular constructs:

• recursion

• arrays, pointers,...

• concurrency...