Lecture5 - Hoare's Logic

Uploaded by

niteshramjee5
Formal Methods

Sajjad Ali
Outlines

• Hoare’s Logic
• Initial State
• Statement(s)
• Final State
• Weakest Pre-Condition
Reviews

• Propositional Logic
• Implication

• Logical Equivalences

• Set Theory
Formal Methods in SE
• Coming lectures will focus on two objectives
• With the help of logic, we will construct models of computer programs

• The second objective is to verify the correctness of the constructed models of computer programs
Hoare’s Logic
• Tony Hoare was a famous computer scientist

• He worked in the 60’s

• A famous program invented by Hoare was Quick Sort

• The basic logic of the Quick Sort program was given by Tony Hoare

Conditional Correctness
• The initial state is also known as the pre-condition

• The starting point for our program is the pre-condition

• The post-condition tells you the desired output of our program – the final state

• Example:
• Sorted data in Binary Search
➢ You can apply Binary Search if your data is in sorted form

• What is the post-condition here?
• If the key is present (index of the key)
• Key not present
Weakest Pre-condition
• The pre-condition which has the largest set of values
• The least restrictive condition

Examples:
• 1)
Let us say our final state is a = 10
So the pre-condition might be a = 10
• 2)
Final state: n < 0 (desired output)
Statement: n = n-1
Pre-condition?
➢ If we start with 0, we get our objective
➢ If we start with n <= 0, we will get our desired output
➢ Here the weakest pre-condition is the set n <= 0
Weakest Pre-condition Examples
• wp(z := x, z >= y)

Let us try to understand the notation

wp = weakest pre-condition

• The statements before the comma are the program, or the set of statements of our program (z := x)

• The statement after the comma (,) is the final output (z >= y)

• Our weakest pre-condition for this program is
➢ x >= y
Weakest Pre-condition Examples
Example:
• Take an array with unsorted data with Linear Search
• Weakest pre-condition – any arrangement of data will give us the desired output = (true)

• Binary Search input has a restriction: sorted data
• Weakest pre-condition – (data is to be sorted)
Set of Statements

Categorized into three broad categories

• Assignments - (Sequence)
• Selection - (Control Flow (If Then Else))
• Loops - (Iteration)

• We will see Hoare’s triple with these three categories

• How to calculate weakest pre-conditions based on these statement categories?
Assignment Axioms
Assignment Axioms - Examples
Assignment Axioms – Set of Statements
• If we look at the previous examples, we see that the post-condition (final state) is achieved after execution of the final statement of a program.

• Post-condition (Q), the third component of Hoare’s Triple, is achieved after executing the last statement.

• The weakest pre-condition of the last statement becomes the post-condition (final state) of the 2nd last statement, and the weakest pre-condition of the 2nd last statement becomes the post-condition of the 3rd last statement.
Rule of Sequential Composition
• We use the Rule of Sequential Composition when we have multiple assignment statements

wp(S1;S2, Q) ≡ wp(S1, wp(S2, Q))

Example:

wp((x := x+1; y := y+1), x = y)

≡ wp(x := x+1, wp(y := y+1, x = y))

≡ wp(x := x+1, x = y+1)

≡ x+1 = y+1

≡ x = y
Rule of Sequential Composition
• Let us take another example

Example:

wp((x := 2*x+1; y := y-1), y = 3*x)

≡ wp(x := 2*x+1, wp(y := y-1, y = 3*x))

≡ wp(x := 2*x+1, y-1 = 3*x)

≡ y-1 = 3*(2*x+1)

≡ y = 6*x + 4
Hoare’s Triple
• We have discussed Hoare’s Triple

{P} S {Q}

• If we start with pre-condition P, execute S, and end with Q, then the program was correct.

• The post-condition Q tells us the objective of this program, or the objective of this function or set of statements

• And the pre-condition P tells us the conditions imposed on the input to that program
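
The following is an added example, not part of the original slides: it applies the assignment axiom and the rule of sequential composition mechanically, then checks the resulting triple {P} S {Q} by executing S over a bounded range of integer states. The function names, the use of Python's `==` for the slides' `=`, and the range -8..8 are assumptions made for this example.

```python
import ast
from itertools import product

def subst(pred, var, expr):
    """Assignment axiom: wp(var := expr, pred) is pred with var replaced by expr."""
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            # The replacement is returned unvisited, so the x inside "x + 1"
            # is not substituted a second time (simultaneous substitution).
            if node.id == var:
                return ast.parse(expr, mode="eval").body
            return node
    tree = Sub().visit(ast.parse(pred, mode="eval"))
    return ast.unparse(tree.body)

def wp(program, post):
    """Sequential composition: wp(S1;S2, Q) = wp(S1, wp(S2, Q)), last statement first."""
    for var, expr in reversed(program):
        post = subst(post, var, expr)
    return post

def ev(expr, state):
    # Expressions are the constructed literals in this example, never external input.
    return eval(expr, {"__builtins__": {}}, dict(state))

def run(program, state):
    """Execute the assignments in order and return the final state."""
    state = dict(state)
    for var, expr in program:
        state[var] = ev(expr, state)
    return state

def is_weakest_pre(pre, program, post, names, domain=range(-8, 9)):
    """Bounded check: pre holds in a start state exactly when post holds afterwards."""
    for values in product(domain, repeat=len(names)):
        start = dict(zip(names, values))
        if bool(ev(pre, start)) != bool(ev(post, run(program, start))):
            return False
    return True

# The two sequential-composition examples from the slides.
P1 = [("x", "x + 1"), ("y", "y + 1")]
P2 = [("x", "2*x + 1"), ("y", "y - 1")]

if __name__ == "__main__":
    print(wp(P1, "x == y"))      # unsimplified form of x = y
    print(wp(P2, "y == 3*x"))    # unsimplified form of y = 6*x + 4
    print(is_weakest_pre("y == 6*x + 4", P2, "y == 3*x", ["x", "y"]))
```

A pre-condition that is sufficient but not weakest, such as n < 0 for the statement n = n-1 with final state n < 0, fails `is_weakest_pre` because the start state n = 0 also reaches the final state.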
Weakest Pre-condition
Let us go towards verification

What are the pre-conditions and post-conditions of a program?

• Pre-conditions and post-conditions actually give you a specification for a function

• Our objective is to verify the correctness of a program, or to prove it
