Scribd
Upload
30 views40 pages

12BSC203 Verifying Algorithms

Uploaded by

Song Hyo yoo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
30 views40 pages

12BSC203 Verifying Algorithms

Uploaded by

Song Hyo yoo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 40

BCS203 Software Specifications

Verifying Algorithms

Dr. May Mahmoud

Slides extracted from Specifying software : a hands-on introduction


Tennent, R. D., 1944-
Cambridge ; New York : Cambridge University Press; 2002
Array-Searching Specification
Some Programs for Array-Searching

though the code is correct, it is unnecessarily


inefficient because, after the first assignment of the value true
to present, its value will not change, and the loop could
immediately terminate.
4
Some Programs for Array-Searching

This code will always give correct results whenever it


terminates normally;
however, consider what will happen if x does not occur in
A[0:n-l] and n =max. Then the value of i will increase to n and
A [n] will be compared to x !!
Note: the array comparison is "short-circuited"
Some Programs for Array-Searching

This code will always give correct results whenever it


terminates normally;
however, consider what will happen if x does not occur in
A[0:n-l] and n =max. Then the value of i will increase to n and
A [n] will be compared to x !!
Note: the array comparison is "short-circuited"
Here is the bug: if n = 0 and the "garbage" component A [0]
happens to contain the search target x, the program will
assign true to present, whereas the correct result is false.

7
This code is correct. The variable m acts as an upper limit for
the iteration counter i. It is initialized to the value of n, but if
an entry equal to the search target is found, m is assigned the
current value of the iteration counter, and the loop terminates.
If no entry equal to x is found, the loop terminates with i
equal to the initial value of m.
8
Correctness of Code
• These examples, though small, have shown that it is
very difficult to be sure whether the code is correct,
particularly when the programmer has used an
unfamiliar code style or has tried to write very
efficient code.
• We will discuss how to support sound reasoning
about a program behavior.
Correctness Statement

OR P {C} Q

In other words, if code C is executed with an initial state


satisfying pre-condition P, any resulting final state will satisfy
post-condition Q.

P {C} Q is considered a correctness statement.

10
Correctness Statement vs. Assertions
• A correctness statement is either true(valid) or false
(invalid) independent of any particular state of
computation.

• While an assertion may be true for some states and


false for others.

• An assertion asserts a property of computational


states

• A correctness statement is essentially a statement


about code satisfying a pre- and post-condition
specification.
Validating Algorithm
• Correctness Statement
• Simple Assignment Statements (Hoare axiom)
• Substitution into Assertions and using mathematical
facts
• Sequencing
• If Statements
Simple Assignment Statements

Simple Assignment Statements

Example:

Generalize this reasoning pattern by stating the following


axiom scheme:

13
Simple Assignment Statement

Does this help with the following assignment statement:

What if int? what if float?

14
Hoare’s Axiom scheme for Assignment
• C.A.R. Hoare:

• 𝑄 𝑉 → 𝐸 : means assertion Q with E substituted for


occurrences of V.

• Used backward, start from post-condition Q, and


determine the pre-condition [Q](V -> E)

• In other words, if Q is to be true of V after the


assignment, it must be that Q is true of the value of
expression E before the assignment of E to V.

15
Hoare’s Axiom scheme for Assignment

For example, the following is an instance of the assignment


scheme:

16
Check-in
• What should pre-condition P be in each of the
following correctness statements for the statement to
be an instance of Hoare’s axiom scheme? All
variables are of type int.

1. P { x = x+1;} x>0
2. P { x = x+1;} x==y
3. P { x = x-1;} x == y-1
Solution
1. x+1> 0 {x = x+1} x>0 Or x >-1 { x = x+1;} x>0
2. x+1== y {x = x+1} x==y Or x== y-1 { x = x+1;} x==y
3. x-1 == y-1 {x=x-1} x==y-1 Or x==y { x = x-1;} x == y-
1
Substitution into Assertion
• If Q is an assertion, I is an identifier, and E is an
expression, we use the notation [Q](I->E) to denote
the assertion that is Q, except that E has been
substituted for every occurrence of I

• For example, [A[j] > 0](j-> j-1) is A[j-1] >0


Free vs. Bound identifiers
• If an identifier occurs in an assertion or expression
and it is not bound within that assertion or
expression, the identifier is said to have free
occurrence in the assertion or expression; otherwise,
it is said to have bound occurrence in the assertion
or expression.

• For example, in the assertion


n>0 implies Exists (i=0; i<n) A[i] == x

The identifiers A, n and x all occur freely, however,


every occurrence of I in the assertion is bound
occurrence
Substitution into Assertion
• In general, when substituting E for I in W, it is only
the free occurrences of I that are replaced by E.

• For example, the substitution [ForAll (i=0; i<n)


A[i]>0](i->i-1) will not change anything as i only
occurs in the assertion bound.

• On the other hand, substitution [ForAll(i=0; i<n) A[i]


>0](n->n-1) produces
ForAll(i=0; i<n-1) A[i] >0 because the occurrence of n is
free.
Substitution into Assertion
• Another issue is when the substituting expression E
for occurrence of identifier I in assertion Q will result
in free identifier of E to become bound with the
assertion.
• For example, doing substitution
[ForAll (i=0; i<n) A[i] >j] (j->i-1)

To do this substitution, we first change the bound


identifier first as follows:
ForAll(k=0;k<n) A[k] > i-1

– This is because a free identifier in the substituted expression


should be regarded as distinct from a bound identifier of the
assertion, even if they happen to look the same
Check-in
• Carry out the following substitution:

• [ForAll (x) y>x](y->x)

Solution:
ForAll(k) x>k
Using Mathematical Facts
We may validate the correctness statement
n-l >= 0 { n = n-1; } n >= 0 by using Hoare's axiom scheme. To verify
n>0 { n = n-l; } n >= 0
we note that the assertion:
n>0 implies n-l >= 0
is true in every state; that is, it is a mathematical fact independent of
the computational state, provided that n is of type int. This justifies
the validity of:
ASSERT(n>0)
ASSERT(n-l >= 0)
n = n-l;
ASSERT(n >= 0)

because the mathematical fact ensures that if n>0 is true in any


execution state, so is n-l >= 0.
Using Mathematical Facts

• In general, if P implies P' is a mathematical fact, an instance of P as a comment


may validly appear immediately before an instance of P; as a comment:
Pre-condition Strengthening and Post-
condition Weaking
• Use of a mathematical fact to strengthen a pre-condition is formalized by the
following inference rule:

• An inference rule allows the derivation of the statement below the horizontal
line if the premises above the horizontal line may be proved.

• Similarly, mathematical facts may be used to weaken post-conditions

• Mathematical facts used to justify instances of either of these inference rules


are often termed verification conditions.
Sequencing
• Consider the following correctness statement for
code that is supposed to exchange the values of two
variables, x and y, using an auxiliary variable z:
Sequencing
To validate the correctness statement, we may use the
assignment axiom scheme to work backwards from the given
post-condition to get a precondition for the third assignment, as
follows:

Then consider the resulting pre-condition for the third


assignment as a postcondition for the second assignment and
again use the assignment axiom as follows:
Sequencing
Finally, consider the resulting pre-condition for the second
assignment as the post-condition for the first assignment; the
assignment axiom then gives us:
Sequencing
Putting these together, we have demonstrated the validity of the following
correctness statement:
ASSERT(x==xO && y==yO)
z = x;
x = y;
y = z;
ASSERT(y==xO && x==yO)

Here is the code annotated to show the intermediate assertions:


ASSERT(x==xO && y==yO)
z = x;
ASSERT(z==xO && y==yO)
x = y;
ASSERT(z==xO && x==yO)
y = z;
ASSERT(y==xO && x==yO)
Sequencing
• Each intermediate assertion between assignment
statements is both a postcondition for the preceding
statement and a pre-condition for the succeeding
statement.

• The following inference rule formalizes this approach


to reasoning about statement sequences:

• It will not always be as easy as in the example to determine the intermediate assertions;
often it will be necessary to use mathematical facts to strengthen pre-conditions or weaken
post-conditions appropriately.
Check-in
Verify the validity of

ASSERT(i >= 0 && y == power(x,i))


y = y * x;
i++;
ASSERT(i >= 0 && y == power(x,i))

where * denotes multiplication and power (x,i) denotes x* (for


nonnegative integers i only); that is, for any x, power (x,0) = 1 and power
(x , n+l) = x * power (x,n) and i>=0 implies i+1>0.
Solution
ASSERT(i >= 0 && y == power(x,i))
FACT(power(x,i) * x == power(x,i+l))
ASSERT(i+l>0 && y * x == power(x,i+l))
y = y * x;
ASSERT(i+l>0 && y == power(x,i+l))
i++;
ASSERT(i>0 && y == power(x,i))
Check-in
• Verify the validity of the following correctness
statements by adding all the intermediate assertions.
All variables are of type int. Clearly state any
mathematical facts and inference rules used.

Assert(x >4 && y==7)


x=x-y;
y=y-x;
x=x+y;
Assert(x == 7 && y<10)
Solution
Assert (x>4 && y==7) // y==7 && x> 4 implies 2*y-x<10 (pre-condition strengthening )
Assert(y==7 && 2*y –x <10) //arithmetic simplification
x=x-y;
Assert(x+y-x==7 && y-x <10)
y=y-x;
Assert(x+y) == 7 && y<10)
x=x+y;
Assert(x==7 && y<10)
If-statement
• To validate the correctness statement of the form

• We follow the scheme:


If-statement
• We want to validate the correctness statement for the code
fragment Co and C1, but what pre- and post-conditions to use?

• To ensure that Q is true after executing Co or C1, assertion Q


should be the post-condition for both of them.
• Pre-condition P should be true initially for both.
• If Co is executed then we may assume B as a pre-condition and
If C1 is executed, we may assume that !B holds.

• The corresponding inference rule is:


If-statement
• We have a code fragment that assigns to variable m
of type int the larger of the integer values of x and y.

• Pre-condition: true
• Post-condition: m>= x && m>=y && (m==x || m==y)

Assert(true) P
If(x>y) B
m=x; C0
else
m=y; C1
Assert(m>=x && m>=y && (m==x || m==y) ) Q
If-statement
We will start to verify the first statement C0
Assert(true&&x>y)
m=x;
Assert(m>=x && m>=y && (m==x || m==y))

Using the assignment axiom scheme gives us:


Assert(x>y)
Assert(x>=x && x>=y && (x==x||x==y))
m=x;
Assert(m>=x && m>=y && (m==x || m==y))

It is valid by pre-condition strengthening, using the logical


properties of || and && and mathematical facts that x ==x and x>=x
and that x>y implies x>=y
MTH-114 Linear Algebra

Check-in
• Complete the verification of the if-statement by
verifying the correctness statement of C1 (else)

Assert(x<=y) // !(x>y) -> x<=y or y>=x


Assert(y>=x && y>=y && (y==x || y==y))
m=y;
Assert(m>=x && m>=y && (m==x || m==y))

You might also like