Program Verification Using Hoare - PowerPoint PPT Presentation

1
Program Verification Using Hoare's Logic
Book: Chapter 7
2
While programs
  • Assignments: y := t
  • Composition: S1; S2
  • If-then-else: if e then S1 else S2 fi
  • While: while e do S od

3
Greatest common divisor
  • {x1>0 /\ x2>0}
  • y1 := x1;
  • y2 := x2;
  • while (y1≠y2) do
  •   if y1>y2 then y1 := y1-y2
  •   else y2 := y2-y1 fi
  • od
  • {y1 = gcd(x1,x2)}

4
Why does it work?
  • Suppose that y1, y2 are both positive integers.
  • If y1>y2 then gcd(y1,y2) = gcd(y1-y2,y2)
  • If y2>y1 then gcd(y1,y2) = gcd(y1,y2-y1)
  • If y1=y2 then gcd(y1,y2) = y1 = y2

5
Assignment axiom
  • {p[t/y]} y := t {p}
  • For example:
  • {y+5 = 10} y := y+5 {y = 10}
  • {y+y < z} x := y {x+y < z}
  • {2(y+5) > 20} y := 2(y+5) {y > 20}
  • Justification: write p with y' instead of y, and
    add the conjunct y' = t. Next, eliminate y' by
    replacing y' by t.

6
Why does the axiom work backwards?
  • {p} y := t {?}
  • Strategy: write p and the conjunct y = t, where y'
    replaces y in both p and t. Eliminate y'.
  • This y' represents the value of y before the
    assignment.
  • {y>5} y := 2(y+5) {?}
  • {p} y := t {∃y' (p[y'/y] /\ t[y'/y] = y)}
  • y'>5 /\ y = 2(y'+5) → y>20
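The assignment axiom of slide 5 and the backward check of slide 6, as an added example (not code from the slides or the book): wp_assign performs the substitution p[t/y] on Python expression strings, and triple_holds brute-forces a triple over a constructed set of small integer states. The function names and the state range are assumptions of this example.

```python
import ast


def substitute(formula, var, term):
    """Return formula[term/var]: `formula` with every occurrence of the
    variable `var` replaced by the expression `term` (both are Python
    expression strings; ast.unparse re-inserts any needed parentheses)."""
    term_node = ast.parse(term, mode="eval").body

    class Subst(ast.NodeTransformer):
        def visit_Name(self, node):
            return term_node if node.id == var else node

    tree = Subst().visit(ast.parse(formula, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))


def wp_assign(post, var, term):
    """Assignment axiom read backwards: the precondition of
    {?} var := term {post} is post[term/var]."""
    return substitute(post, var, term)


def triple_holds(pre, var, term, post, states):
    """Brute-force check of {pre} var := term {post}: every state
    satisfying pre must satisfy post after the assignment."""
    for s in states:
        if eval(pre, {}, dict(s)):
            after = dict(s)
            after[var] = eval(term, {}, dict(s))   # t evaluated before y changes
            if not eval(post, {}, after):
                return False
    return True


# Constructed test states (assumption): all integer triples in a small range.
STATES = [{"x": x, "y": y, "z": z}
          for x in range(-6, 7) for y in range(-6, 7) for z in range(-6, 7)]
```

With the slide 6 example, triple_holds confirms {y>5} y := 2(y+5) {y>20} but rejects the weaker precondition y>4, since y=4+1 gives exactly 20.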

7
Composition rule
  • {p} S1 {r}, {r} S2 {q}
    ─────────────────────
  • {p} S1; S2 {q}
  • For example, if the antecedents are
  • 1. {x+1 = y+2} x := x+1 {x = y+2}
  • 2. {x = y+2} y := y+2 {x = y}
  • then the consequent is
  • {x+1 = y+2} x := x+1; y := y+2 {x = y}

8
More examples
  • {p} S1 {r}, {r} S2 {q}
    ─────────────────────
  • {p} S1; S2 {q}
  • {x1>0 /\ x2>0} y1 := x1 {gcd(x1,x2) = gcd(y1,x2) /\ y1>0 /\
    x2>0}
  • {gcd(x1,x2) = gcd(y1,x2) /\ y1>0 /\ x2>0} y2 := x2
    {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0}
  • {x1>0 /\ x2>0} y1 := x1; y2 := x2
  • {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0}

9
If-then-else rule
  • {p/\t} S1 {q}, {p/\¬t} S2 {q}
    ─────────────────────────────
  • {p} if t then S1 else S2 fi {q}
  • For example:
  • p is gcd(y1,y2) = gcd(x1,x2)
    /\ y1>0 /\ y2>0 /\ (y1≠y2)
  • t is y1>y2
  • S1 is y1 := y1-y2
  • S2 is y2 := y2-y1
  • q is gcd(y1,y2) = gcd(x1,x2) /\ y1>0 /\ y2>0

10
While rule
  • {p/\t} S {p}
    ─────────────────────────
  • {p} while t do S od {p/\¬t}
  • Example:
  • p is gcd(y1,y2) = gcd(x1,x2) /\ y1>0 /\ y2>0
  • t is (y1≠y2)
  • S is if y1>y2 then y1 := y1-y2 else y2 := y2-y1 fi

11
Consequence rules
  • Strengthen a precondition:
  • r→p, {p} S {q}
    ──────────────
  • {r} S {q}
  • Weaken a postcondition:
  • {p} S {q}, q→r
    ──────────────
  • {p} S {r}

12
Use of the first consequence rule
  • Want to prove:
  • {x1>0 /\ x2>0} y1 := x1 {gcd(x1,x2) = gcd(y1,x2) /\ y1>0 /\
    x2>0}
  • By the assignment rule:
  • {gcd(x1,x2) = gcd(x1,x2) /\ x1>0 /\ x2>0} y1 := x1
  • {gcd(x1,x2) = gcd(y1,x2) /\ y1>0 /\ x2>0}
  • x1>0 /\ x2>0 → gcd(x1,x2) = gcd(x1,x2) /\ x1>0 /\ x2>0

13
Combining program
  • {x1>0 /\ x2>0}
  • y1 := x1; y2 := x2
  • {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0}
  • while (y1≠y2) do
  •   if e then S1 else S2 fi od
  • {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0}
  • Combine the above using the concatenation rule!

14
Not completely finished
  • {x1>0 /\ x2>0}
  • y1 := x1; y2 := x2;
  • while (y1≠y2) do
  •   if e then S1 else S2 fi od
  • {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0 /\ y1=y2}
  • But we wanted to prove:
  • {x1>0 /\ x2>0} Prog {y1 = gcd(x1,x2)}

15
Use of the second consequence rule
  • {x1>0 /\ x2>0} Prog
    {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0 /\ y1=y2}
  • And the implication
  • gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0 /\ y1=y2
    → y1 = gcd(x1,x2)
  • Thus,
  • {x1>0 /\ x2>0} Prog {y1 = gcd(x1,x2)}

16
Annotating a while program
  • {x1>0 /\ x2>0}
  • y1 := x1
  • {gcd(x1,x2) = gcd(y1,x2)
    /\ y1>0 /\ x2>0}
  • y2 := x2
  • {gcd(x1,x2) = gcd(y1,y2)
    /\ y1>0 /\ y2>0}
  • while (y1≠y2) do
  •   {gcd(x1,x2) = gcd(y1,y2) /\ y1>0 /\ y2>0 /\ (y1≠y2)}
  •   if y1>y2 then y1 := y1-y2
  •   else y2 := y2-y1 fi
  • od
  • {y1 = gcd(x1,x2)}

17
Another example
  • Invariant:
  • x = a*y+b /\ b≥0
  • {x>0 /\ y>0}
  • a := 0;
  • b := x;
  • while b≥y do
  •   b := b-y;
  •   a := a+1
  • od.
  • {x = a*y+b /\ b≥0 /\ b<y}

18
Invariant
  • How to start the proof?
  • Heuristics: find an invariant for each loop.
  • For this example:
  • x = a*y+b /\ b≥0
  • Note: total correctness does not hold for y=0.
  • Total correctness (with y>0) is to be proved
    separately.

19
Proof
{p[t/y]} y := t {p}
  • (1) {x = a*y+x /\ x≥0}
  •     b := x {x = a*y+b /\ b≥0}
  •     (Assignment)
  • (2) {x = 0*y+x /\ x≥0}
  •     a := 0 {x = a*y+x /\ x≥0}
  •     (Assignment)
  • (3) {x = 0*y+x /\ x≥0}
  •     a := 0; b := x {x = a*y+b /\ b≥0}
  •     (Composition (2), (1))

{p} S1 {r}, {r} S2 {q}
─────────────────────
{p} S1; S2 {q}
20
Proof (cont.)
  • (4) {x = (a+1)*y+b /\ b≥0}
  •     a := a+1 {x = a*y+b /\ b≥0}
  •     (Assignment)
  • (5) {x = (a+1)*y+b-y /\ b-y≥0}
  •     b := b-y {x = (a+1)*y+b /\ b≥0}
  •     (Assignment)
  • (6) {x = (a+1)*y+b-y /\ b-y≥0}
  •     b := b-y; a := a+1 {x = a*y+b /\ b≥0}
  •     (Composition (5), (4))

{p[t/y]} y := t {p}
{p} S1 {r}, {r} S2 {q}
─────────────────────
{p} S1; S2 {q}
21
While rule
  • {p/\e} S {p}
    ─────────────────────────
  • {p} while e do S od {p/\¬e}

22
Consequence rules
  • Strengthen a precondition:
  • r→p, {p} S {q}
    ──────────────
  • {r} S {q}
  • Weaken a postcondition:
  • {p} S {q}, q→r
    ──────────────
  • {p} S {r}

23
Proof (cont.)
  • (7) x = a*y+b /\ b≥0 /\ b≥y →
  •     x = (a+1)*y+b-y /\ b-y≥0 (Logic)
  • (8) {x = a*y+b /\ b≥0 /\ b≥y}
  •     b := b-y; a := a+1 {x = a*y+b /\ b≥0}
  •     (Consequence (6), (7))
  • (9) {x = a*y+b /\ b≥0} while b≥y do b := b-y;
  •     a := a+1 od {x = a*y+b /\ b≥0 /\ b<y}
  •     (While (8))

24
Proof (cont.)
  • (10) {x = 0*y+x /\ x≥0} Prog
  •      {x = a*y+b /\ b≥0 /\ b<y}
  •      (Composition (3), (9))
  • (11) x>0 /\ y>0 →
  •      x = 0*y+x /\ x≥0 (Logic)
  • (12) {x>0 /\ y>0} Prog
  •      {x = a*y+b /\ b≥0 /\ b<y} (Consequence)

25
Soundness
  • Hoare logic is sound in the sense that
    everything that can be proved is correct!
  • This follows from the fact that each axiom
    and proof rule preserves soundness.

26
Completeness
  • A proof system is called complete if every
    correct assertion can be proved.
  • Propositional logic is complete.
  • No deductive system for standard arithmetic
    can be complete (Gödel).

27
And for Hoare's logic?
  • Let S be a program and p its precondition.
  • Then {p} S {false} means that S never terminates
    when started from p. This is undecidable. Thus,
    Hoare's logic cannot be complete.

28
Weakest precondition, strongest postcondition
  • For an assertion p and code S, let post(p,S) be
    the strongest assertion such that {p} S {post(p,S)}.
  • That is, if {p} S {q} then post(p,S) → q.
  • For an assertion q and code S, let pre(S,q) be
    the weakest assertion such that {pre(S,q)} S {q}.
  • That is, if {p} S {q} then p → pre(S,q).

29
Relative completeness
  • Suppose that either
  •   post(p,S) exists for each p, S, or
  •   pre(S,q) exists for each S, q,
  • and some oracle decides pure implications.
  • Then each correct Hoare triple can be proved.
  • What does that mean? The weakness of the
    proof system stems from the weakness of the (FO)
    logic, not of Hoare's proof system.

30
Extensions
  • Many extensions of Hoare's proof rules exist:
  • Total correctness
  • Arrays
  • Subroutines
  • Concurrent programs
  • Fairness

31
Proof rule for total correctness
  • {p/\t/\f=z} S {p/\f<z}, p→(f≥0)
    ──────────────────────────────
  • {p} while t do S od {p/\¬t}
  • where
  • z - an int. variable, not appearing in p, t, f, S.
  • f - an int. expression.
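The annotations of slides 16 and 24 and the variant f of this slide, run as executable checks (an added example written for this page, not code from the slides or the book): checked_while executes a while loop and asserts the invariant before and after every iteration and that the variant is non-negative and strictly decreasing. Representing the state as a dict, the variants y1+y2 and b, and the function names are assumptions of this example.

```python
from math import gcd

def checked_while(state, guard, body, inv, variant=None):
    """Run `while guard do body od` on `state` (a dict) and check the
    while-rule annotations at runtime: the invariant p holds on entry and
    after every body run, so p /\ not t holds on exit. With a variant f
    (total correctness): p -> f >= 0, and f strictly decreases per iteration."""
    assert inv(state), "invariant p fails on loop entry"
    while guard(state):
        if variant is not None:
            f_before = variant(state)
            assert f_before >= 0, "p -> f >= 0 is violated"
        body(state)                      # executed under p /\ t
        assert inv(state), "body does not preserve the invariant p"
        if variant is not None:
            assert variant(state) < f_before, "variant f did not decrease"
    return state                         # p /\ not t holds here

def gcd_prog(x1, x2):
    """{x1>0 /\ x2>0} y1:=x1; y2:=x2; while ... od {y1 = gcd(x1,x2)},
    with the invariant of slide 16 and the variant y1+y2 (assumed here)."""
    assert x1 > 0 and x2 > 0, "precondition"
    s = {"x1": x1, "x2": x2, "y1": x1, "y2": x2}
    def inv(s):
        return (gcd(s["x1"], s["x2"]) == gcd(s["y1"], s["y2"])
                and s["y1"] > 0 and s["y2"] > 0)
    def body(s):
        if s["y1"] > s["y2"]:
            s["y1"] -= s["y2"]
        else:
            s["y2"] -= s["y1"]
    checked_while(s, lambda s: s["y1"] != s["y2"], body, inv,
                  variant=lambda s: s["y1"] + s["y2"])
    return s["y1"]

def div_prog(x, y):
    """{x>0 /\ y>0} a:=0; b:=x; while b>=y do b:=b-y; a:=a+1 od
    {x = a*y+b /\ b>=0 /\ b<y}, variant b (assumed). For y = 0 the
    variant never decreases, so the total-correctness check fails."""
    s = {"x": x, "y": y, "a": 0, "b": x}
    inv = lambda s: s["x"] == s["a"] * s["y"] + s["b"] and s["b"] >= 0
    def body(s):
        s["b"] -= s["y"]
        s["a"] += 1
    checked_while(s, lambda s: s["b"] >= s["y"], body, inv,
                  variant=lambda s: s["b"])
    return s["a"], s["b"]
```

Calling div_prog(17, 0) raises an AssertionError on the first iteration instead of looping forever, which is the runtime counterpart of the remark on slide 18 that total correctness fails for y=0.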

32
Verification with Array Variables
  • Book: Chapter 7.2

33
The problem
  • Using array variables can lead to complications.
  • {x[1]=1 /\ x[2]=3}
  • x[x[1]] := 2
  • {x[x[1]]=2}   No!!!
  • Why?
  • Because the assignment changes x[1] as well. Now
    it is also 2, and x[x[1]], which is x[2], is 3 and
    not 2!

34
What went wrong?
  • Take the postcondition x[x[1]]=2 and substitute
    2 instead of x[x[1]].
  • We obtain 2=2 (which is equivalent to true).
  • Now, (x[1]=1 /\ x[2]=3) → 2=2.
  • So we may wrongly conclude that the above Hoare
    triple is correct.

35
How to fix this?
  • Backward substitution should be done with
    arrays as complete elements.
  • Define (x; e1:e2): an array like x, with the value
    at index e1 changed to e2.
  • (x; e1:e2)[e3] = e2 if e1=e3,
    x[e3] otherwise
  • (x; e1:e2)[e3] = if(e1=e3, e2, x[e3])

36
Solved the problem?
  • How to deal with if(f, e1, e2)?
  • Suppose that formula φ contains this expression.
  • Replace if(f, e1, e2) by a new variable v in φ.
  • The original formula φ is equivalent to
  • (f /\ φ[e1/v]) \/ (¬f /\ φ[e2/v])

37
Returning to our case
  • Our postcondition is x[x[1]]=2.
  • The assignment x[x[1]] := 2 causes the substitution
    in the postcondition of the (array) variable x by
    a new array, which is (x; x[1]:2), resulting in
  • x[x[1]]=2
  • (x; x[1]:2)[(x; x[1]:2)[1]] = 2

38
Are we done?
  • Not yet. It remains to:
  • Convert the array form into an if form.
  • Get rid of the if form.
  • This will not be done in class.
  • All we say is that we obtain an expression that
    is not implied by the precondition x[1]=1 /\ x[2]=3.
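The array problem of slides 33 to 37, run on concrete states as an added example (not code from the slides or the book): arr_update models (x; e1:e2), naive_precondition is the 2=2 obtained by element-wise substitution, array_precondition is (x; x[1]:2)[(x; x[1]:2)[1]] = 2, and triple_holds tests each candidate precondition against the actual effect of x[x[1]] := 2. Arrays modelled as dicts, the function names and the constructed set of states are assumptions of this example.

```python
def arr_update(x, i, v):
    """The array (x; i:v): like x, but with value v at index i.
    Arrays are modelled as dicts from index to value."""
    y = dict(x)
    y[i] = v
    return y

def execute(x):
    """Run the assignment x[x[1]] := 2 on a copy of the array x."""
    y = dict(x)
    y[y[1]] = 2
    return y

def postcondition(x):
    return x[x[1]] == 2

def naive_precondition(x):
    """Slide 34: substituting 2 for the text x[x[1]] in x[x[1]] = 2
    gives 2 = 2, which is true in every state."""
    return 2 == 2

def array_precondition(x):
    """Slide 37: substitute the whole array, giving
    (x; x[1]:2)[(x; x[1]:2)[1]] = 2."""
    xu = arr_update(x, x[1], 2)
    return xu[xu[1]] == 2

def triple_holds(pre, states):
    """Does {pre} x[x[1]] := 2 {x[x[1]] = 2} hold on every given state?"""
    return all(postcondition(execute(x)) for x in states if pre(x))

# Constructed states (assumption): indices 1..3 with values in 1..3.
STATES = [{1: a, 2: b, 3: c}
          for a in (1, 2, 3) for b in (1, 2, 3) for c in (1, 2, 3)]
```

The state x[1]=1, x[2]=3 of slide 33 satisfies naive_precondition but not the postcondition after execute, while array_precondition is false on exactly the states where the triple fails.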