1 Introduction

The document provides an introduction to the formal methods course IN.6011 at the University of Fribourg. It discusses the goals of the course, introduces Hoare logic for verifying program correctness, and covers some basic concepts like preconditions, postconditions, predicates, and translating programs to logical formulas.


IN.6011 Formal Methods

Prof. Ulrich Ultes-Nitsche

Department of Informatics

BSc course – Introduction Lecture

University of Fribourg
INFORMATICS
Some General Information

- 2 hours of lecturing, 1 hour exercise class
- exercises are compulsory (you must solve 3/4 of the assignments to be accepted to the exam)
- today: no exercise class
- recommended textbooks:
  - Aaron R. Bradley and Zohar Manna. The Calculus of Computation. Springer, 2007.
  - John E. Hopcroft, Rajeev Motwani, Jeffrey D. Ullman. Introduction to Automata Theory, Languages, and Computation. 3rd Edition, Addison-Wesley, 2007.
- Moodle course: http://moodle2.unifr.ch/course/view.php?id=2954
- Don’t forget to register on Gestens!
Goals of the Course Unit

Understand the formal (mathematical) foundations (and limitations) of program verification.

Learn the necessary logical language and its algorithmic treatment.

Understand what can and what cannot be computed.

Learn what complex problems are (in contrast to complex algorithms).
Today . . .

. . . some initial considerations, introducing Hoare logic

Hoare Logic?

Sir Charles Antony Richard (Tony) Hoare (born 11 January 1934):

[picture of Tony Hoare]
picture source: http://de.wikipedia.org/wiki/Tony Hoare (accessed 13 February 2014)
Predicates Describe States

Logical formulas (predicates) can be used to express information about program states.

For example, in a program state satisfying

x = 10,

variable x must have value 10. All other variables can have arbitrary values.
Pre- and Postconditions

A precondition P states what can be assumed to be true before executing a sequence of statements S.

A postcondition Q states what will be true after execution of S.

We write

{P}S{Q}

to indicate that, if P is true, then executing S will make Q true.

{P}S{Q} is called a Hoare triple.
Some Examples

{true} x = 10; {x > 0}
{y > 0} y = y + 1; {y > 1}
{y ≠ 0} x = 1/y; {x = 1/y}
{x = 2} x = x ∗ 3; {x = 6}
{true} x = x + 1; {???}

How can we express that the value of x has increased by executing the program statement x = x + 1?
Primed and Unprimed Variables

We use the primed notation x′ of variable x to refer to its value after the execution of a program, and its unprimed notation x to refer to its value before the program execution.

For example:

{true} x = x + 1; {x′ > x}

Or even more precisely:

{true} x = x + 1; {x′ = x + 1}
Program Annotations

We can write a predicate in between any two lines of code.

It is then assumed that the predicate is the

- postcondition of the previous line of code,
- precondition to the following line of code.

Such a predicate is called an assertion or, equivalently, a program annotation.

It states what is assumed to be true whenever the program reaches that point in the program.
A Little more “Complex” Example

{x ≠ 0} x = 1/x;
x = 1/x; {x′ = x}
Formal Proof

How do we know that our Hoare triples are correct?

Well, for the tiny examples we considered, we just saw that they were correct.

For bigger examples, such an approach will probably not work. So besides seeing the correctness, is there any better technique to prove correctness?
Programs as Formulas

We translate our program S into a formula Φ_S.

Then we can turn proving the correctness of

{P}S{Q}

into checking the truth of the formula

P ∧ Φ_S → Q.

This is, by the way, equivalent to checking

Φ_S → (P → Q).
A Totally Trivial Example

{true} x = 10; {x > 0}

The formula representing the assignment “x = 10;” is just

x = 10.

Therefore we get

true ∧ x = 10 → x > 0,

which is a true statement, using elementary arithmetic (and propositional logic).
The Little more “Complex” Example

{x ≠ 0} x = 1/x;
x = 1/x; {x′ = x}

To turn the program into a formula, we must refer to the value of x after the first “x = 1/x” statement and before the second “x = 1/x” statement. We use the double-primed notation x″, and we get the formula

x″ = 1/x ∧ x′ = 1/x″.

So finally, we must verify

x ≠ 0 ∧ x″ = 1/x ∧ x′ = 1/x″ → x′ = x,

which, again, by elementary arithmetic is true.
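The translation of a program into the formula Φ_S, as the slides do by hand for the two reciprocal assignments, is mechanical for any sequence of assignments. The following is an added example, not code from the lecture: it introduces one fresh copy of a variable per assignment (this example numbers intermediate copies x_1, x_2, … instead of the slide's x″, and still writes the final value as x′; both the naming and the function names `program_to_formula`, `final_state` and `check_triple` are assumptions of this example), prints the conjunction, and then checks P ∧ Φ_S → Q on a handful of constructed sample states. Solving the equalities left to right is the same as executing the program, so the check is a bounded test of the triple, not the arithmetic proof the slides ask for.

```python
from fractions import Fraction
import re

# Added example, not code from the lecture. A straight-line program is a list
# of assignments (target, expression); the slide's two statements
# x = 1/x; x = 1/x become [("x", "1/x"), ("x", "1/x")]. Expressions use
# Python syntax over the program's variables.

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def _rename(expr, mapping):
    """Replace every variable name in expr by its current copy."""
    return IDENT.sub(lambda m: mapping.get(m.group(0), m.group(0)), expr)


def program_to_formula(assignments):
    """Translate a sequence of assignments into the conjuncts of Phi_S.

    Naming (an assumption of this example, generalising the slide's x''):
    the value before any statement is the unprimed name, intermediate
    values are numbered copies x_1, x_2, ..., and the final value of each
    assigned variable is written x'. Returns (conjuncts, pretty) where
    conjuncts is a list of (copy_name, rhs) in execution order and pretty
    is the formula as a readable string.
    """
    current = {}      # variable -> name of its latest copy
    count = {}
    conjuncts = []
    for target, rhs in assignments:
        renamed_rhs = _rename(rhs, current)     # refer to values before this step
        count[target] = count.get(target, 0) + 1
        copy = f"{target}_{count[target]}"
        conjuncts.append((copy, renamed_rhs))
        current[target] = copy
    # For display, the last copy of each assigned variable is its primed value.
    final = {copy: f"{var}'" for var, copy in current.items()}
    pretty = " ∧ ".join(f"{final.get(lhs, lhs)} = {_rename(rhs, final)}"
                        for lhs, rhs in conjuncts)
    return conjuncts, pretty


def final_state(conjuncts, initial):
    """Solve the equalities left to right and return the final (primed) state.

    Each conjunct defines a fresh copy from earlier ones, so solving them is
    exactly executing the program. Exact Fractions keep 1/(1/x) == x.
    """
    env = {k: Fraction(v) for k, v in initial.items()}
    for copy, rhs in conjuncts:
        # eval runs only on the constructed expressions of this example
        env[copy] = eval(rhs, {"__builtins__": {}}, dict(env))
    result = {k: Fraction(v) for k, v in initial.items()}
    for copy, _ in conjuncts:
        result[copy.rsplit("_", 1)[0]] = env[copy]   # later copies overwrite
    return result


def check_triple(pre, assignments, post, samples):
    """Bounded check of P ∧ Phi_S → Q over sample initial states.

    pre(state) and post(before, after) are predicates on dicts of Fractions.
    A sample violating P satisfies the implication vacuously and is skipped.
    This tests the triple on the samples; it does not replace the arithmetic
    argument (or a theorem prover) needed for a proof.
    """
    conjuncts, _ = program_to_formula(assignments)
    for sample in samples:
        before = {k: Fraction(v) for k, v in sample.items()}
        if not pre(before):
            continue
        if not post(before, final_state(conjuncts, before)):
            return False
    return True


RECIPROCAL_TWICE = [("x", "1/x"), ("x", "1/x")]
# constructed sample states, including the excluded x = 0
SAMPLES = [{"x": v} for v in (-3, -1, 0, 1, 2, 7, Fraction(2, 5))]

if __name__ == "__main__":
    _, phi = program_to_formula(RECIPROCAL_TWICE)
    print("Phi_S:", phi)
    ok = check_triple(lambda s: s["x"] != 0, RECIPROCAL_TWICE,
                      lambda s0, s1: s1["x"] == s0["x"], SAMPLES)
    print("{x ≠ 0} x = 1/x; x = 1/x; {x' = x} holds on all samples:", ok)
```

For the slide's program the printed formula is `x_1 = 1/x ∧ x' = 1/x_1`, which is the slide's x″ = 1/x ∧ x′ = 1/x″ under the renamed intermediate copy; a triple with a false postcondition, such as {true} x = x + 1; {x′ > x + 1}, is rejected by the first sample that satisfies its precondition.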
If Clauses

Assume we must deal with

{P} if (condition) {prog 1}
else {prog 2}; {Q}

How can we prove such a far more complicated program correct?

We prove two Hoare triples!

We turn

{P} if (condition) {prog 1}
else {prog 2}; {Q}

into

{P ∧ condition} prog 1 {Q}

and

{P ∧ ¬condition} prog 2 {Q}.

Both these Hoare triples must be true for the if clause to be correct.
An “If” Example

{true} if (x < 0) {x = −x}
else {x = x}; {x′ ≥ 0}

must be transformed into

{true ∧ x < 0} x = −x {x′ ≥ 0}

and

{true ∧ ¬(x < 0)} x = x {x′ ≥ 0}.

Both these Hoare triples are true.
Program Loops

When is a program loop correct?

When, after the loop has come to an end, a desired result is achieved (we call this partial correctness).

When the loop definitely will come to an end (we call this termination).

We have the following “equation”:

total correctness = partial correctness + termination.
While Loops

Assume we must deal with

{P} initialisation;
while (condition) {loop body}; {Q}

How can we prove this even more complicated program correct?

We deal with partial correctness and termination separately.
Partial Correctness: (Loop) Invariant

A loop invariant is a logical formula that is true

- before the loop,
- before each execution of the loop body,
- after each execution of the loop body,
- after the loop.

A meaningful invariant will make the postcondition of the loop true (possibly taking the negated loop condition into account).
Invariant inv

From

{P} initialisation;
while (condition) {loop body}; {Q}

we get

{P} initialisation; {inv}
{inv ∧ condition} loop body; {inv}
{inv ∧ ¬condition} skip; {Q}
Termination: (Loop) Variant

A loop variant is an integer-valued expression that

- is decreased at least by 1 in each execution of the loop body,
- cannot go below 0.
Variant var

From

{P} initialisation;
while (condition) {loop body}; {Q}

we get

{int var ∧ var > 0} loop body; {var > var′ ≥ 0}
Example (Whiteboard)

{n > 0 ∧ x = 1} sum = 1;
while (x < n) {
x = x + 1;
sum = sum + x;
}; {sum = n(n + 1)/2}

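The whiteboard loop above can be instrumented so that every obligation the invariant and variant slides produce is checked at the point where it applies. This is an added example, not the lecture's code; the invariant 1 ≤ x ≤ n ∧ sum = x(x+1)/2, the variant n − x, and the names `checked_sum`, `violates` and `swapped_body` are assumptions of this example, since the slide leaves the choice of invariant and variant to the whiteboard. Running it with a deliberately reordered loop body shows how a broken invariant is reported after the first iteration.

```python
# Added example, not the lecture's code. Runtime check of the whiteboard
# triple  {n > 0 ∧ x = 1} sum = 1; while (x < n) {x = x + 1; sum = sum + x}; {sum = n(n+1)/2}
# with an invariant and variant chosen here (assumptions of this example):
#   inv: 1 ≤ x ≤ n ∧ sum = x(x+1)/2        var: n − x


class HoareViolation(AssertionError):
    """One of the obligations of the annotated loop failed at run time."""


def invariant(x, total, n):
    # 2*total avoids fractions: sum = x(x+1)/2  <=>  2*sum = x(x+1)
    return 1 <= x <= n and 2 * total == x * (x + 1)


def variant(x, n):
    return n - x


def correct_body(x, total):
    """Loop body from the slide: x = x + 1; sum = sum + x."""
    x = x + 1
    total = total + x
    return x, total


def swapped_body(x, total):
    """A buggy body (constructed): the two statements in the wrong order."""
    total = total + x
    x = x + 1
    return x, total


def checked_sum(n, body=correct_body, x=1):
    """Run the loop, checking each obligation at the point it applies.

    Returns the computed sum, or raises HoareViolation naming the failed
    obligation. The checks follow the triples the slides derive:
      {P} initialisation; {inv}
      {inv ∧ condition} loop body; {inv}
      {int var ∧ var > 0} loop body; {var > var' ≥ 0}
      {inv ∧ ¬condition} skip; {Q}
    """
    if not (n > 0 and x == 1):
        raise HoareViolation("precondition n > 0 ∧ x = 1")
    total = 1                                   # initialisation: sum = 1
    if not invariant(x, total, n):
        raise HoareViolation("inv after initialisation")
    while x < n:
        var_before = variant(x, n)
        if var_before <= 0:
            raise HoareViolation("var > 0 before loop body")
        x, total = body(x, total)
        if not invariant(x, total, n):
            raise HoareViolation("inv after loop body")
        if not var_before > variant(x, n) >= 0:
            raise HoareViolation("var > var' ≥ 0 after loop body")
    if not (invariant(x, total, n) and not x < n):
        raise HoareViolation("inv ∧ ¬condition after loop")
    if 2 * total != n * (n + 1):
        raise HoareViolation("postcondition sum = n(n+1)/2")
    return total


def violates(n, body=correct_body):
    """True if running the checked loop for n reports a failed obligation."""
    try:
        checked_sum(n, body)
    except HoareViolation:
        return True
    return False


if __name__ == "__main__":
    for n in (1, 2, 5, 10):
        print(n, checked_sum(n))
    print("swapped body caught:", violates(3, swapped_body))
```

The run-time checks only witness the obligations on the inputs tried; the proof that inv ∧ ¬(x < n) implies sum = n(n+1)/2 is the arithmetic step x = n that the invariant's conjunct x ≤ n makes available.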
Weakness and Strength of Predicates

P is weaker than Q if and only if

Q → P.

true is the weakest predicate (implied by everything).

false is the strongest predicate (implying everything).
Weakening a Precondition

If P is weaker than P′, then proving

{P}S{Q}

guarantees the truth of

{P′}S{Q}.
Strengthening a Postcondition

If Q is stronger than Q′, then proving

{P}S{Q}

guarantees the truth of

{P}S{Q′}.
Example (Whiteboard)

Assume we have proved

{x > 0} x = 1/x; {x′ > 0}

and

{x ≠ 0} if (x < 0) {x = −x}
else {x = x} {x′ > 0}.

How can we prove

{x > 0} x = 1/x;
if (x < 0) {x = −x}
else {x = x} {x′ > 0} ?
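A worked answer to this whiteboard question, added here and not part of the slides: it uses only the weakening rule from the previous slides and the convention of "Program Annotations" that a predicate between two lines is the postcondition of the first and the precondition of the second, with x″ for the value after the first statement as in the "Little more Complex" example.

```latex
\begin{aligned}
&(1)\quad \{x > 0\}\; x = 1/x;\; \{x' > 0\} &&\text{proved}\\
&(2)\quad \{x \neq 0\}\; \mathbf{if}\,(x<0)\,\{x=-x\}\,\mathbf{else}\,\{x=x\}\; \{x' > 0\} &&\text{proved}\\
&(3)\quad x > 0 \;\to\; x \neq 0 &&\text{elementary arithmetic: } x \neq 0 \text{ is weaker than } x > 0\\
&(4)\quad \{x > 0\}\; \mathbf{if}\,(x<0)\,\{x=-x\}\,\mathbf{else}\,\{x=x\}\; \{x' > 0\} &&\text{from (2) and (3), weakening a precondition}\\
&(5)\quad \{x > 0\}\; x = 1/x;\; \{x'' > 0\}\; \mathbf{if}\,(x''<0)\,\{x=-x''\}\,\mathbf{else}\,\{x=x''\}\; \{x' > 0\} &&\text{from (1) and (4)}
\end{aligned}
```

In (5) the annotation x″ > 0 is the postcondition of the first statement by (1), with the intermediate value written x″, and by (4) it is a sufficient precondition for the if clause, so the whole program satisfies {x > 0} … {x′ > 0}.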
That’s all about Hoare Logic for the Moment

This part of the lecture was supposed to motivate that a treatment of logic is inevitable in program verification.

The next part will cover a formal treatment of logic.

This leads us to more fundamental questions about what is computable and what is not.

In addition, we will consider the complexity of computable problems.
