
Proof example

Gergely Feldoffer
October 21, 2018

Abstract
In this article the following program will be specified and proven.

i := 1;
s := b[0];
while (i < 11)
    s := s + b[i];
    i := i + 1;
end-while

There are minor mistakes in the source document; we will point these out.

1 Specification
We start with the state space and the parameter space. Since the example uses an 11-element vector (with indices 0..10), we need to formalize the corresponding subspace of the state space as an 11-dimensional vector.

$A = \mathbb{R}^{11} \times \mathbb{R}$, with components $b$ and $s$

$B = \mathbb{R}^{11}$, with component $b_0$

$Q : b = b_0$

$R : Q \wedge s = \sum_{j=0}^{10} b[j]$

2 Structure, statements, invariants


First, let us reformulate the sequence of sequentially independent assignments into one parallel assignment. The program then becomes:

i,s := 1,b[0];
while (i < 11)
    s,i := s + b[i],i+1;
end-while

So this is a sequence whose second part is a loop, and the loop body is a single assignment. We need to create an intermediate assertion $Q'$ for the sequence, a loop invariant $P$ and a termination function $t$.

$Q' = Q \wedge i = 1 \wedge s = b[0]$ (1)

We create the loop invariant by weakening the post-condition.

$P = Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j]$ (2)

$t = 12 - i$ (3)
The corresponding deduction rules are the rules of the sequence:

• $Q \to wp(S_1, Q')$
• $Q' \to wp(S_2, R)$

and the rules of the loop:

• $Q \to P$
• $P \wedge \neg\pi \to R$
• $P \wedge \pi \to wp(S_0, P)$
• $P \wedge \pi \to t > 0$
• $P \wedge \pi \wedge t = t_0 \to wp(S_0, t < t_0)$

so the rules together:

• $Q \to wp(S_1, Q')$
• $Q' \to P$
• $P \wedge \neg\pi \to R$
• $P \wedge \pi \to wp(S_0, P)$
• $P \wedge \pi \to t > 0$
• $P \wedge \pi \wedge t = t_0 \to wp(S_0, t < t_0)$

3 Extraction

Extracting the rules above with

$Q : b = b_0$

$R : Q \wedge s = \sum_{j=0}^{10} b[j]$

$Q' = Q \wedge i = 1 \wedge s = b[0]$

$P = Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j]$

$t = 12 - i$

$S_1 : i, s := 1, b[0]$

$S_0 : s, i := s + b[i], i + 1$

we get

1. $Q \to wp(i, s := 1, b[0],\; Q \wedge i = 1 \wedge s = b[0])$

2. $Q \wedge i = 1 \wedge s = b[0] \to Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j]$

3. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge \neg(i < 11) \to Q \wedge s = \sum_{j=0}^{10} b[j]$

4. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to wp(s, i := s + b[i], i + 1,\; Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j])$

5. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to t > 0$

6. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \wedge t = t_0 \to wp(s, i := s + b[i], i + 1,\; t < t_0)$

3.1 Deductions

1. $Q \to wp(i, s := 1, b[0],\; Q \wedge i = 1 \wedge s = b[0])$

$Q \to Q \wedge 1 = 1 \wedge b[0] = b[0]$

$Q \to Q$

2. $Q \wedge i = 1 \wedge s = b[0] \to Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j]$

$Q \wedge \to Q \wedge 1 \in [0, 11] \wedge b[0] = \sum_{j=0}^{1-1} b[j]$

$Q \wedge \to Q \wedge 1 \in [0, 11] \wedge b[0] = \sum_{j=0}^{0} b[j]$

3. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge \neg(i < 11) \to Q \wedge s = \sum_{j=0}^{10} b[j]$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i > 10 \to Q \wedge s = \sum_{j=0}^{10} b[j]$

since $i \in [0, 11] \wedge i > 10 \to i = 11$

$Q \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i = 11 \to Q \wedge s = \sum_{j=0}^{10} b[j]$

$Q \wedge s = \sum_{j=0}^{11-1} b[j] \to Q \wedge s = \sum_{j=0}^{10} b[j]$

$Q \wedge s = \sum_{j=0}^{10} b[j] \to Q \wedge s = \sum_{j=0}^{10} b[j]$

4. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to wp(s, i := s + b[i], i + 1,\; Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j])$

using $wp(x := y, R) = R^{x \leftarrow y}$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to Q \wedge i + 1 \in [0, 11] \wedge s + b[i] = \sum_{j=0}^{i+1-1} b[j]$

Since the right-hand side of the implication is a conjunction of three clauses, each clause is proved separately:

(a) $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to Q$

(b) $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to i + 1 \in [0, 11]$

since

$Q \wedge i \in [0, 11] \wedge i < 11 \to i \in [0, 10]$

therefore

$Q \wedge i \in [0, 11] \wedge i < 11 \to i + 1 \in [0, 11]$

(c) $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to s + b[i] = \sum_{j=0}^{i+1-1} b[j]$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to s + b[i] = \sum_{j=0}^{i} b[j]$

since

$\sum_{j=0}^{i} b[j] = \sum_{j=0}^{i-1} b[j] + b[i]$

therefore

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to s + b[i] = \sum_{j=0}^{i-1} b[j] + b[i]$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to s + b[i] = s + b[i]$

5. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to t > 0$

using $t = 12 - i$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \to 12 - i > 0$

$i < 11 \to 12 - i > 0$

6. $Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \wedge t = t_0 \to wp(s, i := s + b[i], i + 1,\; t < t_0)$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \wedge 12 - i = t_0 \to wp(s, i := s + b[i], i + 1,\; 12 - i < t_0)$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \wedge 12 - i = t_0 \to 12 - (i + 1) < t_0$

$Q \wedge i \in [0, 11] \wedge s = \sum_{j=0}^{i-1} b[j] \wedge i < 11 \wedge 12 - i = t_0 \to 12 - i - 1 < 12 - i$

and $12 - i - 1 < 12 - i$ is always true.
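As an added example that is not part of the article, the Python code below executes the parallel-assignment version of the program and asserts the article's annotations at the points where the deduction rules require them: $Q'$ after $S_1$, $P$ at the loop head and after $S_0$, $t > 0$ together with its decrease, and $R$ after the loop. It generalises the vector length from the article's 11 to any $n \ge 1$ (so $t$ becomes $n + 1 - i$); the names invariant_p, termination_t and checked_sum are chosen here.

```python
# Added example: run the program from the article while checking its annotations.
# The names invariant_p, termination_t and checked_sum are chosen here.
# The article fixes n = 11 (indices 0..10) and t = 12 - i; n is a parameter below.


def invariant_p(b, b0, i, s):
    """P = Q ∧ i ∈ [0, n] ∧ s = Σ_{j=0}^{i-1} b[j], with Q : b = b0."""
    n = len(b)
    return b == b0 and 0 <= i <= n and s == sum(b[:i])


def termination_t(i, n):
    """t = (n + 1) - i, which is the article's 12 - i for n = 11."""
    return n + 1 - i


def checked_sum(b):
    """Run the program on b, asserting every annotation along the way; return s."""
    b = list(b)
    if not b:
        raise ValueError("the program reads b[0], so b must be non-empty")
    n = len(b)
    b0 = list(b)                                 # the parameter b0 from B
    i, s = 1, b[0]                               # S1 : i, s := 1, b[0]
    assert b == b0 and i == 1 and s == b[0]      # Q'   (rule Q → wp(S1, Q'))
    assert invariant_p(b, b0, i, s)              # rule Q' → P
    while i < n:                                 # π : i < n
        t0 = termination_t(i, n)
        assert t0 > 0                            # rule P ∧ π → t > 0
        s, i = s + b[i], i + 1                   # S0 : s, i := s + b[i], i + 1
        assert invariant_p(b, b0, i, s)          # rule P ∧ π → wp(S0, P)
        assert termination_t(i, n) < t0          # rule P ∧ π ∧ t = t0 → wp(S0, t < t0)
    assert i == n                                # i ∈ [0, n] ∧ ¬(i < n) forces i = n
    assert b == b0 and s == sum(b)               # rule P ∧ ¬π → R
    return s


if __name__ == "__main__":
    # Constructed sample input: an 11-element vector as in the article.
    print(checked_sum(list(range(11))))          # prints 55
```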

