Hoare-style program verification - PowerPoint PPT Presentation
Slides: 20
Provided by: rust150
1
Hoare-style program verification
  • K. Rustan M. Leino, guest lecturer

Rob DeLine's CSE 503, Software Engineering
University of Washington, 26 Apr 2004
2
Is this program correct? How do we know?

    int Find(float[] a, int m, int n, float x) {
      while (m <= n) {
        int j = (m+n) / 2;
        if (a[j] < x) { m = j+1; }
        else if (x < a[j]) { n = j-1; }
        else { return j; }
      }
      return -1;
    }

3
Making sense of programs
  • Program semantics defines the programming language
      e.g., Hoare logic, Dijkstra's weakest preconditions
  • Specifications record design decisions
      bridge intent and code
  • Tools amplify human effort
      manage details
      find inconsistencies
      ensure quality

4
State predicates
  • A predicate is a boolean function on the program state
  • Examples
      x = 8
      x < y
      m ≤ n ∧ (∀j | 0 ≤ j < a.length • a[j] ≠ NaN)
      true
      false

5
Hoare triples
  • For any predicates P and Q and any program S,
        {P} S {Q}
    says that if S is started in (a state satisfying) P, then it terminates in Q
  • P is the precondition, Q the postcondition
6
Examples
  • {true} x := 12 {x = 12}
  • x
  • x
  • {m ≤ n} j := (m+n)/2 {m ≤ j ≤ n}
  • 0 ? m m, n, x)m ? r
  • {false} S {x^n + y^n = z^n}

7
Precise triples
  • If {P} S {Q} and {P} S {R}, then does {P} S {Q ∧ R} hold?

8
Precise triples
  • If {P} S {Q} and {P} S {R}, then does {P} S {Q ∧ R} hold?
    Yes.
  • The most precise Q such that {P} S {Q} is called
    the strongest postcondition of S with respect to P.
9
Weakest preconditions
  • If {P} S {R} and {Q} S {R}, then {P ∨ Q} S {R} holds.
  • The most general P such that {P} S {R} is called
    the weakest precondition of S with respect to R,
    written wp(S, R)

10
Triples and wp
  • {P} S {Q}
    if and only if
    P ⇒ wp(S, Q)

11
Program semantics: skip
  • no-op
  • wp(skip, R) = R
  • wp(skip, x^n + y^n = z^n) = x^n + y^n = z^n

12
Program semantics: assignment
  • evaluate E and change the value of w to E
  • wp(w := E, R) = R[w := E]   (replace w by E in R)
  • wp(x := x+1, x ≤ 10) = x+1 ≤ 10 = x < 10
  • wp(x := 15, x ≤ 10) = 15 ≤ 10 = false
  • wp(y := x + 3y, x ≤ 10) = x ≤ 10
  • wp(x,y := y,x, x < y) = y < x
13
Program semantics: assert
  • if P holds, do nothing, else don't terminate
  • wp(assert P, R) = P ∧ R
  • wp(assert x
  • wp(assert x = y·y, 0 ≤ x) = x = y·y ∧ 0 ≤ x = x = y·y
  • wp(assert false, x ≤ 10) = false

14
Program compositions
  • If {P} S {Q} and {Q} T {R}, then {P} S;T {R}
  • If {P ∧ B} S {R} and {P ∧ ¬B} T {R}, then
    {P} if B then S else T end {R}

15
Program semantics: sequential composition
  • wp(S;T, R) = wp(S, wp(T, R))
  • wp(x := x+1; assert x ≤ y, 0 < x)
      = wp(x := x+1, wp(assert x ≤ y, 0 < x))
      = wp(x := x+1, x ≤ y ∧ 0 < x)
      = x+1 ≤ y ∧ 0 < x+1
  • wp(y := y+1; x := x+3y, y ≤ 10 ∧ 3 ≤ x)
      = wp(y := y+1, wp(x := x+3y, y ≤ 10 ∧ 3 ≤ x))
      = wp(y := y+1, y ≤ 10 ∧ 3 ≤ x+3y)
      = y+1 ≤ 10 ∧ 3 ≤ x+3(y+1)
      = y < 10 ∧ 0 ≤ x+3y

16
Program semantics: conditional composition
  • wp(if B then S else T end, R)
      = (B ⇒ wp(S, R)) ∧ (¬B ⇒ wp(T, R))
      = (B ∧ wp(S, R)) ∨ (¬B ∧ wp(T, R))
  • wp(if x < y then z := y else z := x end, 0 ≤ z)
      = (x < y ⇒ wp(z := y, 0 ≤ z)) ∧ (¬(x < y) ⇒ wp(z := x, 0 ≤ z))
      = (x < y ⇒ 0 ≤ y) ∧ (¬(x < y) ⇒ 0 ≤ x)
      = 0 ≤ y ∨ 0 ≤ x
  • wp(if x ≥ 10 then x := x+1 else x := x+2 end, x ≤ 10)
      = (x ≥ 10 ⇒ wp(x := x+1, x ≤ 10)) ∧ (¬(x ≥ 10) ⇒ wp(x := x+2, x ≤ 10))
      = (x ≥ 10 ⇒ x+1 ≤ 10) ∧ (x < 10 ⇒ x+2 ≤ 10)
      = (x ≥ 10 ⇒ false) ∧ (x < 10 ⇒ x < 9)
      = x < 9
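As an added example (not part of the slides), the wp rules of slides 11 to 16 written as a small executable calculus in Python: predicates are functions on concrete states, so a triple {P} S {Q} is checked as P ⇒ wp(S, Q) over a bounded range of integer states, which reproduces the slides' answers and produces a counterexample when a triple fails. The function names, the state representation and the bound [-20, 20] are my own choices, not from the lecture.

```python
from itertools import product

# Predicates and expressions are Python functions from a state (a dict of
# variable values) to a bool or an int; a statement is represented by its
# wp transformer, a function taking a postcondition R to wp(S, R).
def skip():
    return lambda R: R                             # wp(skip, R) = R
def assign(w, E):
    # wp(w := E, R) = R[w := E]: R evaluated in the state where w holds E
    return lambda R: (lambda s: R({**s, w: E(s)}))
def assert_(P):
    return lambda R: (lambda s: P(s) and R(s))    # wp(assert P, R) = P ∧ R
def seq(S, T):
    return lambda R: S(T(R))                       # wp(S;T, R) = wp(S, wp(T, R))
def if_(B, S, T):
    # wp(if B then S else T end, R) = (B ⇒ wp(S, R)) ∧ (¬B ⇒ wp(T, R))
    return lambda R: (lambda s: S(R)(s) if B(s) else T(R)(s))

def states(names, lo=-20, hi=20):
    """All states over the given integer variables with values in [lo, hi]."""
    return [dict(zip(names, v)) for v in product(range(lo, hi + 1), repeat=len(names))]

def counterexample(P, S, R, names):
    """{P} S {R} holds iff P ⇒ wp(S, R); return a state violating that, or None."""
    for s in states(names):
        if P(s) and not S(R)(s):
            return s
    return None

def equivalent(P, Q, names):
    return all(P(s) == Q(s) for s in states(names))

# The slides' examples, checked over bounded integer states.
x_le_10 = lambda s: s["x"] <= 10
inc_x = assign("x", lambda s: s["x"] + 1)
wp_inc = equivalent(inc_x(x_le_10), lambda s: s["x"] < 10, ["x"])       # True: x < 10

sq = assert_(lambda s: s["x"] == s["y"] * s["y"])
wp_sq = equivalent(sq(lambda s: 0 <= s["x"]),
                   lambda s: s["x"] == s["y"] * s["y"], ["x", "y"])     # True: x = y·y

cond = if_(lambda s: s["x"] >= 10, inc_x, assign("x", lambda s: s["x"] + 2))
wp_cond = equivalent(cond(x_le_10), lambda s: s["x"] < 9, ["x"])        # True: x < 9

mid = assign("j", lambda s: (s["m"] + s["n"]) // 2)
ok = counterexample(lambda s: s["m"] <= s["n"], mid,
                    lambda s: s["m"] <= s["j"] <= s["n"], ["m", "n"])   # None: triple holds
# Constructed triple {true} x := x+1 {x ≤ 10} that does not hold: first failing state
bad = counterexample(lambda s: True, inc_x, x_le_10, ["x"])            # {'x': 10}
```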

17
Example
  • The program with its weakest preconditions written between the statements:

    { (x != null ⇒ x != null ∧ x.f ≥ 0) ∧ (x == null ⇒ z-1 ≥ 0) }
    if (x != null) { n = x.f; }     // then branch needs { x != null ∧ x.f ≥ 0 }
    else { n = z-1; }               // else branch needs { z-1 ≥ 0 }
    { n ≥ 0 }
    a = new char[n];
    { true }
18
A good exercise
  • Define the statement
        change w such that P
    by giving its weakest precondition

19
Loops
  • To prove
        {P} while B do S end {Q}
    find an invariant J and a well-founded variant function vf such that
  • invariant holds initially:    P ⇒ J
  • invariant is maintained:      {J ∧ B} S {J}
  • invariant is sufficient:      J ∧ ¬B ⇒ Q
  • variant function is bounded:  J ∧ B ⇒ 0 ≤ vf
  • variant function decreases:   {J ∧ B ∧ vf = VF} S {vf < VF}