Unit 11 Program Correctness

The document discusses techniques for proving program correctness, including: 1) Defining program correctness as a program that always produces correct output. It is difficult to prove correctness through testing alone. 2) Proving partial correctness by showing a program produces the right output if it terminates, using initial and final assertions. This does not prove termination. 3) Using rules of inference like the composition rule to split programs into subprograms and prove each part correct to prove the whole program correct.

Uploaded by brightsimumbwe8

Program Correctness

Objectives
• Define program correctness
• Identify the techniques used to prove program correctness
• Analyse the rules of Inference and Program Correctness

Introduction to Program Correctness
• A correct program is a program that always produces correct output
• It is easy to prove that a program is incorrect:
• test program with sample input
• if it produces incorrect results, it is incorrect
• The opposite is not so simple, however:
• can’t prove correctness by testing unless all possible inputs can be tested

Proving Program Correctness
• Also known as program verification
• How can we be sure that a program/algorithm always produces the correct result?
• Test it on sample input
• Test boundary conditions
• Test it on all possible inputs
• Prove it correct
• can we automate this?
• Difficult, perhaps impossible to automate the process
• Use rules of inference, mathematical induction

Proving Program Correctness
• Two major steps:
• Prove partial correctness: that is, prove that the program produces correct output if it terminates
• Prove that the program always terminates
• Two propositions involved:
• initial assertion: gives properties input values must have
• final assertion: gives properties output should have, if program performed correctly

Proving Program Correctness
• A program or program segment S is said to be partially correct with respect to initial assertion p and final assertion q if:
• whenever p is true for the input values of S and S terminates,
• q is true for output values of S
• The notation p{S}q indicates such partial correctness
• p{S}q is called a Hoare triple
Note:
partial correctness only states that the program produces the correct results if it terminates.
It does not prove that the program terminates
partial correctness is only proven within the context of the initial and final assertions

Example 1
• Program segment S is as follows
• y=2;
• z = x + y;
• Initial assertion
• p: x = 1
• Final assertion
• q: z = 3
• Prove p{S}q
• assume p
• x initially has the value 1
• y is assigned the value 2
• z is then assigned the value x + y
• that is equal to 1 + 2 which is 3
• Therefore S is correct with respect to p and q

Rules of Inference and Program Correctness
• Several rules of inference are useful in proving program correctness
• The first of these is called the composition rule, which in essence states that a program is correct if each of its subprograms is correct

Composition Rule
We can split our program into parts (subprograms) and prove that each of these parts (subprograms) is correct
• Split S into subprograms S1 and S2
• S is then S1 followed by S2
• S = S1;S2
• Assume
• p is the initial assertion of S1,
• q is the final assertion of S1
• q is the initial assertion of S2
• r is the final assertion of S2
• Further assume we have established
• p{S1}q and q{S2}r
• It follows that
• if p is true and S1 executes and terminates then q is true
• if q is true and S2 executes and terminates then r is true
• Therefore if p is true and S executes and terminates r is true

Composition Rule Cont.
• Stated mathematically, the composition rule is:
p{S1}q
q{S2}r
---------------
∴ p{S1;S2}r

Conditional Statements
• Conditional statements are program segments of the form: if condition then S (where S is a block of statements)
• When condition is true, S is executed
• When condition is untrue, S is not executed

Conditional Statements Cont.
• Assume program segment is as follows
• if cond then S
• S is executed if cond is true
• S is not executed if cond is false
• To verify that the segment above is correct with respect to
• initial assertion p
• final assertion q
• Show that
• when p is true, and cond is true and S executes, q is true
• when p is true and cond is false and S does not execute, q is true
Rule of Inference for Conditional Statements

(p ∧ condition){S}q
(p ∧ ¬condition) → q
-------------------------------------
∴ p{if condition then S}q

Conditional Statements : Example 1
• Program segment S is as follows
• if x > y then
•   x = y
• Initial assertion
• p: is True
• Final assertion
• q: y ≥ x (y is greater than or equal to x)
• Consider cond = true (x > y) and cond = false (x ≤ y)
• (1) p and x > y
• the assignment x = y is made
• consequently y ≥ x
• therefore q is true
• (2) p and x ≤ y
• no assignment is made
• y ≥ x
• therefore q is true
• Therefore S is correct with respect to p and q
More complex conditional statements
• With a statement of the form:
if condition then S1 else S2
the logic is somewhat more complicated: if condition is true, S1 executes; if condition is untrue, S2 executes

Verifying more complex conditionals
• To verify segment correct with respect to initial assertion p and final assertion q:
• show that when p is true and condition is true, q is true after S1 terminates;
• show that when p is true and condition is false, q is true after S2 terminates

Rule of Inference

(p ∧ condition){S1}q
(p ∧ ¬condition){S2}q
----------------------------------------------
∴ p{if condition then S1 else S2}q

Complex Conditionals: Example
• Program segment S is as follows
• if x < 0 then abs = -x else abs = x
• Initial assertion
• p: is True
• Final assertion
• q: abs = |x|
• Consider the cases when cond = true and when cond = false
• (1) p and x < 0
• the assignment abs := -x is made
• consequently abs = |x|
• therefore q is true
• (2) p and x ≥ 0
• consequently abs := x, and again abs is |x|
• therefore q is true
• Therefore S is correct with respect to p and q
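The composition rule and the two conditional rules can be exercised mechanically. The Python below is an added example, not code from the slides: it treats a program state as a dict, a segment S as a function that mutates the state, and p and q as predicates, and it runs S on every constructed sample state where p holds and checks q afterwards. It covers Example 1 split as S1;S2 (the intermediate assertion q: x = 1 and y = 2 linking S1 to S2 is my choice; the slides only give z = 3 for the whole segment), the if-then example with q: y ≥ x, the abs example, and a deliberately wrong postcondition. As the introduction states, this only ever refutes a triple: a pass on finitely many samples is not a proof, which is what the rules of inference are for.

```python
"""Added example (not from the slides): checking Hoare triples p{S}q on sample states."""
from typing import Callable, Dict, Iterable

State = Dict[str, int]
Segment = Callable[[State], None]
Assertion = Callable[[State], bool]

def hoare_holds(p: Assertion, s: Segment, q: Assertion, states: Iterable[State]) -> bool:
    """True iff for every sample state satisfying p, running S leaves a state satisfying q."""
    for sample in states:
        st = dict(sample)            # copy: the triple is about the state S is given
        if not p(st):
            continue                 # p{S}q says nothing about states where p is false
        s(st)
        if not q(st):
            return False             # counterexample found: the triple does not hold
    return True

def seq(*segs: Segment) -> Segment:
    """S1;S2;... as a single segment (the composition rule's S)."""
    def run(st: State) -> None:
        for seg in segs:
            seg(st)
    return run

# Example 1 from the slides, split as S1 = "y = 2" and S2 = "z = x + y".
def s1(st: State) -> None:
    st["y"] = 2

def s2(st: State) -> None:
    st["z"] = st["x"] + st["y"]

p_ex1 = lambda st: st["x"] == 1                      # p: x = 1
q_mid = lambda st: st["x"] == 1 and st["y"] == 2     # intermediate assertion (my choice)
r_ex1 = lambda st: st["z"] == 3                      # final assertion on the slides: z = 3

# if x > y then x = y, with p: True and q: y >= x
def if_then(st: State) -> None:
    if st["x"] > st["y"]:
        st["x"] = st["y"]

# if x < 0 then abs = -x else abs = x, with p: True and q: abs = |x|
def abs_seg(st: State) -> None:
    if st["x"] < 0:
        st["abs"] = -st["x"]
    else:
        st["abs"] = st["x"]

# Constructed sample states: every pair of small integers for x and y.
SAMPLES = [{"x": x, "y": y} for x in range(-3, 4) for y in range(-3, 4)]
TRUE = lambda st: True                               # the initial assertion "p: is True"

def check_all() -> Dict[str, bool]:
    return {
        # composition rule: p{S1}q and q{S2}r give p{S1;S2}r
        "composition": hoare_holds(p_ex1, s1, q_mid, SAMPLES)
                       and hoare_holds(q_mid, s2, r_ex1, SAMPLES)
                       and hoare_holds(p_ex1, seq(s1, s2), r_ex1, SAMPLES),
        "if_then": hoare_holds(TRUE, if_then, lambda st: st["y"] >= st["x"], SAMPLES),
        "if_then_else": hoare_holds(TRUE, abs_seg, lambda st: st["abs"] == abs(st["x"]), SAMPLES),
        # a postcondition that is too strong: x = y fails whenever no assignment is made
        "wrong_post": hoare_holds(TRUE, if_then, lambda st: st["x"] == st["y"], SAMPLES),
    }

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'holds on samples' if ok else 'refuted'}")
```

Note that `hoare_holds` skips states where p is false: that is exactly what partial correctness "within the context of the initial and final assertions" means, and it is why the if-then triple needs the weak postcondition y ≥ x rather than x = y.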

Loops and loop invariants
• A loop is a statement of the form:
• while condition S
• where S is executed repeatedly until condition becomes false
• A loop invariant is an assertion that remains true each time S is executed

Loops and loop invariants cont.
• Assume program segment is as follows
• while cond do S
• S is repeatedly executed while cond is true
• S is repeatedly executed until cond is false
• An assertion that remains true each time S is executed is required
• this is the loop invariant
• p is a loop invariant if
• (p and cond){S}p
• is true
• To verify that the segment above is correct with respect to
• loop invariant p
• Show that
• p is true before S is executed
• p is true and cond is false on termination of the loop
• if it terminates
Rule of Inference for Loops

(p ∧ condition){S}p
----------------------------------------------
∴ p{while condition S}(¬condition ∧ p)

Loops and loop invariants: Example
• Prove segment terminates with fact = n!
• a loop invariant is required
• let p be proposition p: fact = i! and i <= n
• let S be the segment: i = i+1; fact = fact * i;

    i := 1;
    fact := 1;
    while i < n
    do begin
        i := i + 1;
        fact := fact * i;
    end

• Prove that p is a loop invariant, using mathematical induction
• Basis Step: initially i = fact = 1 = i! and 1 <= n
• Inductive Step
• assume p is true and 1 < i < n and fact = i!
• after executing loop
• i was incremented by 1, i.e. i + 1
• therefore i ≤ n
• fact = i!(i + 1)
• therefore fact = (i+1)! … and i has been incremented
• Therefore p is a loop invariant

Loops and loop invariants: Example cont.
• Therefore p is a loop invariant
• Therefore the assumption
• [p and (i < n)]{S}p is true
• Therefore it follows that
• p{while i<n do S}[i >= n and p] is true

The while loop terminates
• i starts at 1, assuming n > 0
• i is incremented inside loop
• eventually i will equal n
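The loop rule and the termination argument above can both be checked at run time. The Python below is an added example, not code from the slides: it runs the factorial segment under a checker that tests the invariant p: fact = i! and i <= n before the loop (basis step), after every execution of S (inductive step) and on exit, where cond is false and p still holds. It also tracks a variant, n - i, an integer that must stay non-negative and strictly decrease on every iteration; that is the mechanical form of the slides' informal argument that i is incremented and eventually equals n, and the variant is my addition. Two deliberately broken runs show what the checker catches: a candidate assertion that is true initially but is not preserved by S, and a body that preserves p but makes no progress, so partial correctness would hold while termination does not. Running with n = 0 fails the basis step because i <= n is false, matching the slides' assumption on n.

```python
"""Added example (not from the slides): run-time check of the loop rule
p{while cond do S}(not cond and p) on the factorial segment, plus a variant for termination."""
from math import factorial
from typing import Callable, Dict, Tuple

State = Dict[str, int]
Pred = Callable[[State], bool]

def check_loop(state: State, cond: Pred, body: Callable[[State], None],
               invariant: Pred, variant: Callable[[State], int]) -> Tuple[str, State]:
    """Execute `while cond do body` on `state` while checking that:
      - the invariant holds before the loop (basis step),
      - the invariant holds after every execution of body ((p and cond){S}p),
      - the variant is a non-negative integer that strictly decreases each iteration,
        which is what guarantees that the loop terminates.
    Returns ("ok", final_state) on success; on exit cond is false and the invariant holds."""
    if not invariant(state):
        return ("invariant false before loop", state)
    while cond(state):
        before = variant(state)
        if before < 0:
            return ("variant negative", state)
        body(state)
        if not invariant(state):
            return ("invariant broken by S", state)
        if not variant(state) < before:
            return ("variant did not decrease", state)
    return ("ok", state)

# The slides' segment: i := 1; fact := 1; while i < n do begin i := i + 1; fact := fact * i end
def fact_cond(st: State) -> bool:
    return st["i"] < st["n"]

def fact_body(st: State) -> None:
    st["i"] = st["i"] + 1
    st["fact"] = st["fact"] * st["i"]

def fact_invariant(st: State) -> bool:      # p: fact = i! and i <= n
    return st["fact"] == factorial(st["i"]) and st["i"] <= st["n"]

def fact_variant(st: State) -> int:         # n - i: my choice of termination measure
    return st["n"] - st["i"]

def run_factorial(n: int) -> Tuple[str, State]:
    return check_loop({"n": n, "i": 1, "fact": 1}, fact_cond, fact_body,
                      fact_invariant, fact_variant)

def run_with_bad_invariant(n: int) -> Tuple[str, State]:
    """Candidate p': fact = (i - 1)! and i <= n. True initially, but S does not preserve it."""
    bad = lambda st: st["fact"] == factorial(st["i"] - 1) and st["i"] <= st["n"]
    return check_loop({"n": n, "i": 1, "fact": 1}, fact_cond, fact_body, bad, fact_variant)

def run_without_progress(n: int) -> Tuple[str, State]:
    """A body that does nothing keeps p true, so partial correctness would still hold,
    but the variant never decreases: the checker reports the missing termination argument."""
    return check_loop({"n": n, "i": 1, "fact": 1}, fact_cond, lambda st: None,
                      fact_invariant, fact_variant)

if __name__ == "__main__":
    print(run_factorial(5))            # ('ok', {'n': 5, 'i': 5, 'fact': 120})
    print(run_factorial(0))            # invariant false before loop: i <= n fails for n = 0
    print(run_with_bad_invariant(5))
    print(run_without_progress(5))
```

The checker itself always terminates: either the loop's cond becomes false, or one of the checks fails on the first iteration where the invariant breaks or the variant fails to decrease, so a non-terminating body cannot hang it.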

Proving correctness of entire programs
• Split the program into segments: the rule of composition can be used to build the correctness proof
• Prove the correctness of each segment: for example, if there are 4 segments, prove p{S1}q, q{S2}r, r{S3}s, and s{S4}t
• If all are true, then p{S}t is true
• If all 4 segments terminate, then S terminates, and correctness is proven

Exercise
• Prove the correctness of the following
1. if (x < y)
       min = x;
   else
       min = y;

2. if (x > y)
   {
       x = x + y;
       y = x - y;
       x = x - y;
   }