# Hoare's method for proving correctness of programs

##### Presentation Transcript

1. Hoare’s method for proving correctness of programs

2. Hoare's logic
• Hoare suggested in 1969 an inference system with which we can prove properties of programs.
• Every statement of the system has one uniform form, the Hoare triple P {Q} R, where
  • P is a precondition,
  • Q is a program or a program statement,
  • R is a postcondition.
• Reading: if P holds before Q is executed and Q terminates, then R holds afterwards.
• (This is Hoare's original 1969 notation, with the program in braces; most modern texts write the same triple as {P} Q {R}.)

3. The simple language we consider
• Hoare's logic includes rules for inference on program constructs:
  • Assignments: y = t
  • Composition: S1; S2
  • If-then-else: if e then S1 else S2 fi
  • While: while e do S od
  • ...

4. The simple language we consider
• A proof typically needs additional inference rules for the elementary operations (+, -, *, mod, ...)
• e.g., axioms for arithmetic such as
  • x + 0 = x
  • x × y = y × x
  • ...

5. Assignments
• D0 Axiom of assignment: P {x = f} R, where P is derived from R by replacing all (free) occurrences of x with f.
• Note the direction: the postcondition R is given and the precondition P is computed from it, so the axiom is applied backwards, from the end of a program towards its start.
• Example: y + 1 < 10 {y = y+1} y < 10

6. Consequence
• D1 Inference rules for consequence:
  • From P {Q} R and R → S, infer P {Q} S (make the postcondition weaker)
  • From S → P and P {Q} R, infer S {Q} R (make the precondition stronger)
• The implications R → S and S → P must themselves be provable, e.g. from the arithmetic axioms.
• Example:
  • y + 1 < 10 {y = y+1} y < 10 (D0)
  • y < 10 → y < 20
  • hence y + 1 < 10 {y = y+1} y < 20

7. Composition
• D2 Inference rule for composition: from P {Q1} R1 and R1 {Q2} R, infer P {Q1; Q2} R
• Example:
  • x = 1 {y = x} y = 1
  • y = 1 {z = y} z = 1
  • hence x = 1 {y = x; z = y} z = 1

8. Iteration
• Consider the statement: while B do S
• D3 Inference rule for iteration: from P ∧ B {S} P, infer P {while B do S} ¬B ∧ P
• P is the loop invariant: it holds before the loop and is preserved by every execution of the body S, so it still holds when the loop exits, together with the negated loop condition ¬B.
• Example, with invariant P: x < 10
  • x < 10 ∧ x < 5 {x = x+1} x < 10
  • hence x < 10 {while (x < 5) x = x + 1} x ≥ 5 ∧ x < 10

9. If-then-else
• D4 If-then-else inference rule: from P ∧ e {Q1} R and P ∧ ¬e {Q2} R, infer P {if e then Q1 else Q2 fi} R
• Example:
  • z = 0 ∧ x < 0 {y := -x + z} y ≥ 0
  • z = 0 ∧ x ≥ 0 {y := x + z} y ≥ 0
  • hence z = 0 {if (x < 0) y := -x + z else y := x + z} y ≥ 0

10. Example
• Consider the following program for finding the quotient q and remainder r of x / y:
  r := x; q := 0; while (y <= r) { r := r – y; q := 1 + q; }
• We will try to prove that in the end: x = r + y × q and y > r.
• e.g., for x = 16, y = 6 the loop body runs twice and the program ends with q = 2, r = 4: 16 = 4 + 6 × 2 and 6 > 4.

11. Example
• Strategy: find a loop invariant. Working backwards from the loop with D0:
  • before r := x:  x = x + y × 0
  • after r := x:   x = r + y × 0
  • after q := 0:   x = r + y × q   (the loop invariant)
  • while (y <= r) { r := r – y; q := 1 + q; }

12. Proof
• So we first need to prove Lemma 1: x = x + y × 0
• For this we will use the following axioms from arithmetic:
  • A0 x = x
  • A1 x + 0 = x
  • A2 x × 0 = 0
• Proof:
  1. x = x (A0)
  2. y × 0 = 0 (A2)
  3. x = x + y × 0 (1, 2, A1)

13. Proof

| Line | Formal proof | Justification |
|---|---|---|
| 1 | true → x = x + y × 0 | Lemma 1 |
| 2 | x = x + y × 0 {r := x} x = r + y × 0 | D0 |
| 3 | x = r + y × 0 {q := 0} x = r + y × q | D0 |
| 4 | true {r := x} x = r + y × 0 | D1, 1, 2 |
| 5 | true {r := x; q := 0} x = r + y × q | D2, 4, 3 |

14. Proof (cont'd)
• Table columns: Line, Formal proof, Justification (the rows of this slide are not preserved in the transcript; continued on next page ...)

15. Proof (cont'd)
• Table columns: Line, Formal proof, Justification (the rows of this slide are not preserved in the transcript)

16. Notes on Hoare-style rules
• The rules prove partial correctness: P {Q} R says that if Q is started in a state satisfying P and terminates, the final state satisfies R. It says nothing when Q does not terminate.
• If in addition we prove termination (for a loop, by exhibiting a variant: an integer expression that is non-negative whenever the loop is entered and strictly decreases on every iteration), then we have total correctness.
• Q: suppose that y < 0 in our program. Does it change the proof?
• A: the partial-correctness proof above never used the sign of y, so it goes through unchanged. But for y < 0 (or y = 0) the body never makes r smaller, so once the loop is entered it never exits; the triple remains valid only because it speaks about terminating executions. Total correctness needs the precondition y > 0.
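The rules D0 to D4, the quotient/remainder proof of slides 10 to 13 and the y < 0 question above, mechanised as an added example (this code is not from the slides; it is written for this page). Programs are nested tuples, predicates and expressions are Python expression strings, the assignment axiom D0 is substitution on the parsed expression, D2 and D4 are computed as weakest preconditions, and D3 takes a user-supplied invariant and emits its two side conditions (I ∧ B {S} I and I ∧ ¬B → R) as implications. Each implication is then checked by exhaustive evaluation over a small integer domain; that bounded check, the domain range(-2, 6), the fresh name v0 for the variant's old value and all function names are assumptions of this example, and the check can refute a wrong invariant but is not a proof (a theorem prover would discharge the same implications). The termination side conditions use the variant r and fail until y > 0 is recorded in the invariant, which is the answer to the y < 0 question.

```python
# Added example, not code from the slides: a verification-condition (VC) generator
# for the slides' toy language, driven by D0 (assignment), D2 (composition),
# D4 (if-then-else) and D3 (iteration with a user-supplied invariant). Predicates
# and expressions are Python expression strings. The implications left over by
# D1/D3 are checked by exhaustive evaluation over a small bounded domain, which
# is a sanity check on constructed inputs, not a proof. Names, the domain and
# the fresh variable v0 are this example's own assumptions.
import ast
import itertools

DOMAIN = range(-2, 6)  # assumed bounded integer domain for the implication check


def subst(pred, var, expr):
    """R[expr/var]: the precondition D0 gives for `var := expr` with postcondition `pred`."""
    repl = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return repl if node.id == var else node

    return ast.unparse(Sub().visit(ast.parse(pred, mode="eval")).body)


def names(*exprs):
    """Sorted variable names occurring in the given expression strings."""
    return sorted({n.id for e in exprs for n in ast.walk(ast.parse(e, mode="eval"))
                   if isinstance(n, ast.Name)})


def implies(p, q, domain=DOMAIN):
    """Bounded check of p -> q: a counterexample assignment, or None if none was found."""
    cp, cq = compile(p, "<p>", "eval"), compile(q, "<q>", "eval")
    vs = names(p, q)
    for vals in itertools.product(domain, repeat=len(vs)):
        env = dict(zip(vs, vals))
        if eval(cp, {"__builtins__": {}}, env) and not eval(cq, {"__builtins__": {}}, env):
            return env
    return None


# Statements: ("assign", var, expr) | ("seq", s1, s2) | ("if", cond, s1, s2)
#             | ("while", cond, invariant, body)
def wp(stmt, post):
    """Precondition of `stmt` for `post`, plus the implications that D1/D3 leave to prove."""
    kind = stmt[0]
    if kind == "assign":                                   # D0
        return subst(post, stmt[1], stmt[2]), []
    if kind == "seq":                                      # D2: R1 is the precondition of Q2
        mid, vcs2 = wp(stmt[2], post)
        pre, vcs1 = wp(stmt[1], mid)
        return pre, vcs1 + vcs2
    if kind == "if":                                       # D4: one branch under e, one under not e
        cond, s1, s2 = stmt[1:]
        p1, v1 = wp(s1, post)
        p2, v2 = wp(s2, post)
        return f"(({cond}) and ({p1})) or (not ({cond}) and ({p2}))", v1 + v2
    if kind == "while":                                    # D3 with invariant I
        cond, inv, body = stmt[1:]
        pb, vb = wp(body, inv)
        return inv, vb + [(f"({inv}) and ({cond})", pb),          # I and B {S} I    (D3 premise)
                          (f"({inv}) and not ({cond})", post)]   # I and not B -> R (D1 on exit)
    raise ValueError(f"unknown statement kind {kind!r}")


def check(vcs):
    """The implications in `vcs` that fail the bounded check, each with its counterexample."""
    return [(a, c, cx) for a, c in vcs if (cx := implies(a, c)) is not None]


def verify(pre, stmt, post):
    """Partial correctness of pre {stmt} post: pre -> wp(stmt, post) plus loop side conditions."""
    p, vcs = wp(stmt, post)
    return check([(pre, p)] + vcs)


def variant_vcs(loop, variant):
    """Termination side conditions for a while statement: under I and B the variant is
    non-negative, and it strictly decreases across the body (v0 names its old value)."""
    cond, inv, body = loop[1:]
    decreased, _ = wp(body, f"({variant}) < v0")
    return [(f"({inv}) and ({cond})", f"({variant}) >= 0"),
            (f"({inv}) and ({cond}) and v0 == ({variant})", decreased)]


# The slides' program: r := x; q := 0; while (y <= r) { r := r - y; q := 1 + q }
BODY = ("seq", ("assign", "r", "r - y"), ("assign", "q", "1 + q"))
INV = "x == r + y * q"
POST = "x == r + y * q and y > r"


def quotient(inv=INV):
    return ("seq", ("assign", "r", "x"),
            ("seq", ("assign", "q", "0"), ("while", "y <= r", inv, BODY)))


def quotient_partial(pre="True", inv=INV):
    """Slides 10-13: partial correctness, with no assumption on the sign of y."""
    return verify(pre, quotient(inv), POST)


def quotient_termination(inv=INV):
    """Slide 16: termination with variant r; fails unless the invariant records y > 0."""
    return check(variant_vcs(("while", "y <= r", inv, BODY), "r"))


def if_example():
    """Slide 9: z = 0 {if (x < 0) y := -x + z else y := x + z} y >= 0."""
    return verify("z == 0", ("if", "x < 0", ("assign", "y", "-x + z"), ("assign", "y", "x + z")), "y >= 0")


if __name__ == "__main__":
    print("D0:", subst("y < 10", "y", "y + 1"))
    print("partial correctness, any y:", quotient_partial() or "all VCs hold")
    print("termination, I = x = r + y*q:", quotient_termination())
    print("termination, I = x = r + y*q and y > 0:",
          quotient_termination("x == r + y * q and y > 0") or "all VCs hold")
```

Running the block prints the D0 result `y + 1 < 10`, an empty failure list for the partial-correctness VCs even though the domain contains negative y, a counterexample with y ≤ 0 for the termination VCs under the slides' invariant alone, and no failures once the invariant is strengthened to x = r + y × q and y > 0 (for which the strengthened precondition y > 0 is also needed at loop entry). Passing a wrong invariant such as x = r makes the preservation and exit VCs fail, which is how the bounded check earns its keep before any real prover is involved.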

17. Notes on Hoare-style rules
• Hoare logic is sound: everything that can be proved with the rules is correct (with respect to partial correctness).
• There exist extensions to all popular constructs:
  • recursion
  • arrays, pointers, ...
  • concurrency ...