CS 201 Lecture 18 - Program Correctness

Dr. Kholoud Nairoukh
Department of Computer Science
German-Jordanian University
Lecture 18
• We want to be able to prove that a given program meets the intended specifications.
– This can often be done manually, or even by automated program verification tools.
– Example: PVS (People’s Verification System).
• A program is correct if it produces the correct output for every possible input.
– A program has partial correctness if it produces the correct output for every input for which the program eventually halts.
• A program’s I/O specification can be given using initial and final assertions.
– The initial assertion p is the condition that the program’s input (its initial state) is guaranteed (by its user) to satisfy.
– The final assertion q is the condition that the output produced by the program (its final state) is required to satisfy.
• Hoare triple notation:
– The notation p{S}q means that, for all inputs I such that p(I) is true, if program S (given input I) halts and produces output O = S(I), then q(O) is true.
• That is, S is partially correct with respect to specification p,q.

• Deduction rules for Hoare Triple statements.
• Example: The composition rule:

p{S1}q
q{S2}r
∴ p{S1; S2}r

• If program S1 given input p produces output q, and S2 given q produces r, then the program “S1 followed by S2”, if given p, yields r.

• Let S be the program fragment:
y = 2;
z = x+y;
• Let p be the initial assertion “x = 1”. The variable x will hold 1 in all initial states.
• Let q be the final assertion “z = 3”. The variable z must hold 3 in all final states.
• Prove p{S}q.
Proof: If x=1 in the program’s input state, then after running y=2 and z=x+y, z will be 1+2=3.

(p ∧ cond){S}q
(p ∧ ¬cond)→q
∴ p{if cond then S}q

• Example: Show that: T {if x>y then y=x} y≥x.


Proof: If initially x>y, then the if body is executed, setting y=x, and so afterwards y≥x is true. Otherwise, x≤y and so y≥x. In either case y≥x is true. So the rule applies, and so the fragment meets the specification.

(p ∧ cond){S1}q
(p ∧ ¬cond){S2}q
∴ p{if cond then S1 else S2}q

• Example: Show that

T {if x<0 then abs = −x else abs = x} abs = |x|

Proof: If x<0 then after the if body, abs=−x, which is |x|. If ¬(x<0), i.e., x≥0, then after the else body, abs=x, which is |x|. So the rule applies.

• For a while loop “while cond S”, we say that p is a loop invariant of this loop if (p ∧ cond){S}p.
➢ If (p and the continuation condition cond) is true before executing the body, then p remains true afterwards.
➢ p stays true through all subsequent iterations.

• This leads to the inference rule:

(p ∧ cond){S}p
∴ p{while cond S}(¬cond ∧ p)

Prove that the following Hoare triple holds:
T {i=1; fact=1; while i<n {i++; fact*=i}} (fact=n!)
Proof. Note that p = “fact=i! ∧ i≤n” is a loop invariant and is true before the loop. Thus, after the loop we have
¬cond ∧ p ≡ ¬(i<n) ∧ fact=i! ∧ i≤n ⇒ i=n ∧ fact=i! ⇒ fact=n!.

procedure multiply(m,n: integers)              {m,n ∈ Z}
  if n<0 then a:=−n else a:=n                  {a=|n|}
  k:=0; x:=0                                   {x = mk ∧ k≤a}
  while k<a {                                  Maintains loop invariant:
    x += m; k++                                {x = mk ∧ k≤a}
  }                                            {x = mk ∧ k=a} ∴ x = ma = m|n|
  if n<0 then prod := −x else prod:=x          ∴ (n<0 ∧ x=−mn) ∨ (n≥0 ∧ x=mn)
                                               {prod = mn}
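The factorial triple and the annotated multiply procedure above, as an added example (not code from the lecture): each Hoare annotation is turned into a runtime assertion so the loop invariants can be checked on concrete inputs. One assumption is made explicit: the invariant fact=i! ∧ i≤n holds on loop entry only when n≥1, so the factorial function requires that (the lecture states the precondition as T).

```python
from math import factorial


def fact_hoare(n: int) -> int:
    """T {i=1; fact=1; while i<n {i++; fact*=i}} (fact=n!), with the
    loop invariant p = (fact = i! and i <= n) checked at runtime.
    p holds on loop entry only when n >= 1, so n >= 1 is required here
    (added assumption; the lecture states the precondition as T)."""
    assert n >= 1, "invariant i <= n must hold before the loop"
    i, fact = 1, 1
    assert fact == factorial(i) and i <= n      # p before the loop
    while i < n:                                # cond: i < n
        i += 1
        fact *= i
        assert fact == factorial(i) and i <= n  # (p and cond){S}p
    assert i == n                               # not cond and p  =>  i = n
    return fact                                 # hence fact = n!


def multiply_hoare(m: int, n: int) -> int:
    """The annotated multiply(m, n) procedure, each assertion checked."""
    a = -n if n < 0 else n
    assert a == abs(n)                          # {a = |n|}
    k, x = 0, 0
    assert x == m * k and k <= a                # {x = mk and k <= a}
    while k < a:
        x += m
        k += 1
        assert x == m * k and k <= a            # invariant maintained
    assert k == a and x == m * abs(n)           # {x = mk and k = a} => x = m|n|
    prod = -x if n < 0 else x
    assert prod == m * n                        # {prod = mn}
    return prod


def check_all(limit: int = 6) -> bool:
    """Run both annotated programs over a small range; True if every annotation held."""
    try:
        for n in range(1, limit + 1):
            if fact_hoare(n) != factorial(n):
                return False
        for m in range(-limit, limit + 1):
            for n in range(-limit, limit + 1):
                if multiply_hoare(m, n) != m * n:
                    return False
    except AssertionError:
        return False
    return True
```

Runtime assertion checking only confirms the annotations on the inputs tried; the Hoare-rule proofs in the lecture are what establish them for all inputs.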

• Relationships between elements of sets occur in many contexts.
Example: relationships in everyday life; an employee and her salary, a person and a relative, a business and its phone number, etc.

• In mathematics we study relationships such as those between a positive integer and one that divides it, etc.

• The most direct way to express a relationship between elements of two sets is to use ordered pairs (binary relations).

• A binary relation from A to B is a set R of ordered pairs where the first element of each ordered pair comes from A and the second element comes from B. We use the notation a R b to denote that (a, b) ∈ R and a R̸ b to denote that (a, b) ∉ R.
• Recall the definition of the Cartesian (Cross) Product:
The Cartesian Product of sets A and B, A x B, is the set A x B = {<x,y> : x ∈ A and y ∈ B}.

• A relation is just any subset of the CP!!

R ⊆ A x B

• Example: A = students; B = courses.

R = {(a,b) | student a is enrolled in class b}
• Recall the definition of a function:
f = {<a,b> : b = f(a), a ∈ A and b ∈ B}

• Is every function a relation?

Yes, a function is a special kind of relation.

• Relations from a set A to itself are of special interest.

• A relation on the set A is a relation from A to A.

• In other words, a relation on a set A is a subset of A x A.

• Reflexivity: A relation R on AxA is reflexive if for all a ∈ A, (a,a) ∈ R.
• Symmetry: A relation R on AxA is symmetric if (a,b) ∈ R implies (b,a) ∈ R for all a,b ∈ A.
• Anti-symmetry: A relation on AxA is anti-symmetric if for all a,b ∈ A, if (a,b) ∈ R and (b,a) ∈ R, then a=b.
• Transitivity: A relation on AxA is transitive if (a,b) ∈ R and (b,c) ∈ R imply (a,c) ∈ R.
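The four properties just defined, decided mechanically for a relation given as a set of ordered pairs, as an added example (not code from the lecture). It also checks the earlier point that every function is a relation but not every relation is a function, using the divisibility relation mentioned above and a constructed students/courses relation.

```python
from itertools import product


def relation_properties(A, R):
    """Decide the four properties from the lecture for a relation R on A
    (R is a set of ordered pairs; a R b holds exactly when (a, b) in R)."""
    return {
        "reflexive": all((a, a) in R for a in A),
        "symmetric": all((b, a) in R for (a, b) in R),
        # (a,b) in R and (b,a) in R must force a = b
        "antisymmetric": all(a == b for (a, b) in R if (b, a) in R),
        # (a,b) in R and (b,c) in R must give (a,c) in R
        "transitive": all((a, c) in R
                          for (a, b) in R for (b2, c) in R if b2 == b),
    }


def is_function(A, B, R):
    """A relation R from A to B is a function iff every a in A is paired
    with exactly one b in B (every function is a relation, not vice versa)."""
    return (all(a in A and b in B for (a, b) in R)
            and all(sum(1 for (x, _) in R if x == a) == 1 for a in A))


def divides_relation(n):
    """The 'a divides b' relation on {1, ..., n} mentioned in the lecture."""
    A = set(range(1, n + 1))
    return A, {(a, b) for a, b in product(A, A) if b % a == 0}


def enrolment_relation():
    """Constructed sample of the students/courses relation from the lecture;
    the names and course codes are made up for this example."""
    students = {"ali", "dana", "omar"}
    courses = {"CS201", "CS101"}
    R = {("ali", "CS201"), ("ali", "CS101"),
         ("dana", "CS201"), ("omar", "CS101")}
    return students, courses, R
```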
