# University of Capital University of Economics and Business Dept' of Computer Science IT222 Applicati - PowerPoint PPT Presentation
Provided by: Michael1809
Transcript and Presenter's Notes

1
University of Capital University of Economics and Business, Dept. of Computer Science
IT222 Applications of Discrete Structures
Instructor: Xiaoting Zhao
2
Module 17: Verifying Program Correctness
• Rosen 5th ed., 3.6
• 18 slides, 1 lecture

3
3.6 Program Correctness
• We want to be able to prove that a given program
meets its intended specification.
• This can sometimes be done by hand, and sometimes
with automated program verification tools.
• One example is PVS (the Prototype Verification
System, developed at SRI).
• A program is correct (totally correct) if it halts and
produces the correct output for every possible input.
• A program is partially correct if it produces the
correct output for every input on which it eventually
halts; partial correctness says nothing about whether
the program halts at all.

4
Initial and Final Assertions
• A program's I/O specification can be given using
initial and final assertions.
• The initial assertion p is the condition that the
program's input (its initial state) is guaranteed
(by its user) to satisfy.
• The final assertion q is the condition that the
output produced by the program (its final state)
is required to satisfy.
• Hoare triple notation:
• The notation {p} S {q} means that, for all inputs I
such that p(I) is true, if program S (given input
I) halts and produces output O = S(I), then q(O)
is true.
• That is, S is partially correct with respect to the
specification (p, q).

5
A Trivial Example
• Let S be the program fragment y := 2; z := x + y.
• Let p be the initial assertion x = 1.
• The variable x will hold 1 in all initial states.
• Let q be the final assertion z = 3.
• The variable z must hold 3 in all final states.
• Prove {p} S {q}.
• Proof: If x = 1 in the program's input state, then
after running y := 2 and z := x + y, z will be 1 + 2 = 3.

6
Hoare Triple Inference Rules
• Deduction rules for Hoare triple statements.
• A simple example: the composition rule
• {p} S1 {q}, {q} S2 {r} ∴ {p} S1; S2 {r}
• It says: if program S1 given condition p produces
condition q, and S2 given q produces r, then the
program S1 followed by S2, if given p, yields r.

7
Inference rule for if statements
• {p ∧ cond} S {q}, (p ∧ ¬cond) → q ∴ {p} if cond
then S {q}
• Example: Show that {T} if x > y then y := x {y ≥ x}.
• Proof: If initially x > y, then the if body is
executed, setting y := x, and so afterwards y = x and
hence y ≥ x is true. Otherwise x ≤ y, and so y ≥ x.
In either case y ≥ x is true. So the rule applies, and
the fragment meets the specification.

8
if-then-else rule
• {p ∧ cond} S1 {q}, {p ∧ ¬cond} S2 {q} ∴ {p} if cond
then S1 else S2 {q}
• Example: Show that
• {T} if x < 0 then abs := −x else abs := x {abs = |x|}
• If x < 0 then after the if body, abs = −x = |x|.
If ¬(x < 0), i.e., x ≥ 0, then after the else body,
abs = x, which is |x|. So the rule applies.
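The two conditional rules on slides 7 and 8 can be checked mechanically on a finite domain. The following Python is an added example, not code from the slides or from Rosen: it represents a program state as a dictionary, a statement as a function from state to state, and checks each premise of the if rule and the if-then-else rule (and, separately, the conclusion) by exhaustive enumeration over a small constructed range of integers. The range `DOMAIN` and all helper names are assumptions of the example; the third function also shows what a refuted triple looks like by strengthening the slide 7 postcondition to y > x.

```python
# Added example (not from the slides): checking the premises and the
# conclusion of the if / if-then-else inference rules by exhaustive
# enumeration over a small finite domain of integer program states.
from itertools import product

DOMAIN = range(-3, 4)          # constructed: the values each variable may take


def states(names):
    """Every assignment of DOMAIN values to the given variable names."""
    for values in product(DOMAIN, repeat=len(names)):
        yield dict(zip(names, values))


def hoare_holds(p, S, q, names):
    """Check {p} S {q} on the finite domain. Returns None if every state
    satisfying p is mapped by S to a state satisfying q, otherwise the
    first initial state that is a counterexample."""
    for s in states(names):
        if p(s) and not q(S(dict(s))):   # copy so the initial state survives
            return s
    return None


def implies_holds(p, q, names):
    """Check the side condition p -> q over all states (None or a counterexample)."""
    return next((s for s in states(names) if p(s) and not q(s)), None)


# Statement constructors: a statement mutates a state dict and returns it.
def assign(var, expr):
    def S(s):
        s[var] = expr(s)
        return s
    return S


def if_then(cond, S):
    return lambda s: S(s) if cond(s) else s


def if_then_else(cond, S1, S2):
    return lambda s: S1(s) if cond(s) else S2(s)


TRUE = lambda s: True


def if_rule_premises(p, cond, S, q, names):
    """Premises of the if rule: {p and cond} S {q} and (p and not cond) -> q."""
    return (hoare_holds(lambda s: p(s) and cond(s), S, q, names),
            implies_holds(lambda s: p(s) and not cond(s), q, names))


def if_else_rule_premises(p, cond, S1, S2, q, names):
    """Premises of the if-then-else rule: {p and cond} S1 {q}, {p and not cond} S2 {q}."""
    return (hoare_holds(lambda s: p(s) and cond(s), S1, q, names),
            hoare_holds(lambda s: p(s) and not cond(s), S2, q, names))


# Slide 7: {T} if x > y then y := x {y >= x}
XY = ("x", "y")
GT = lambda s: s["x"] > s["y"]
SET_Y = assign("y", lambda s: s["x"])


def check_max_example():
    """Both premises hold and so does the conclusion: ((None, None), None)."""
    q = lambda s: s["y"] >= s["x"]
    return (if_rule_premises(TRUE, GT, SET_Y, q, XY),
            hoare_holds(TRUE, if_then(GT, SET_Y), q, XY))


def check_max_wrong_post():
    """Strengthening the postcondition to y > x is refuted: the first premise
    fails on an initial state with x > y (after y := x we get y = x, not y > x),
    and the side condition fails on an unchanged state with x = y."""
    q = lambda s: s["y"] > s["x"]
    return if_rule_premises(TRUE, GT, SET_Y, q, XY)


# Slide 8: {T} if x < 0 then abs := -x else abs := x {abs = |x|}
def check_abs_example():
    """Returns ((None, None), None): both premises and the conclusion hold."""
    names = ("x", "abs")
    neg = lambda s: s["x"] < 0
    S1 = assign("abs", lambda s: -s["x"])
    S2 = assign("abs", lambda s: s["x"])
    q = lambda s: s["abs"] == abs(s["x"])
    return (if_else_rule_premises(TRUE, neg, S1, S2, q, names),
            hoare_holds(TRUE, if_then_else(neg, S1, S2), q, names))
```

Enumerating states is only sound for the domain enumerated; it is a quick way to find a counterexample to a proposed triple before investing in a proof, not a replacement for the rule itself.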

9
Loop Invariants
• For a while loop "while cond S", we say that p is
a loop invariant of this loop if {p ∧ cond} S {p}.
• If p (and the continuation condition cond) is
true before executing the body, then p remains
true afterwards.
• And so p stays true through all subsequent
iterations.
• This leads to the inference rule {p ∧ cond} S {p}
∴ {p} while cond S {¬cond ∧ p}
• Note that the rule says nothing about termination:
it establishes partial correctness only, so a loop that
never exits still satisfies the triple.

10
Loop Invariant Example
• Prove that the following Hoare triple holds: {T}
i := 1; fact := 1; while i < n { i := i + 1;
fact := fact · i } {fact = n!}
• Proof. Note that p: fact = i! ∧ i ≤ n is a loop
invariant: if fact = i! and i < n, then after the body
fact = i! · (i + 1) = (i + 1)! and i + 1 ≤ n. It is true
before the loop provided n ≥ 1 (1 = 1! and 1 ≤ n), so
the initial assertion must really be n ≥ 1 rather than T.
Thus, after the loop we have ¬cond ∧ p ≡ ¬(i < n)
∧ fact = i! ∧ i ≤ n ⇒ i = n ∧ fact = i! ⇒ fact = n!.

11
Big Example
• procedure multiply(m, n: integers)
{m, n ∈ Z}
if n < 0 then a := −n else a := n
{a = |n|}
k := 0; x := 0
{x = mk ∧ k ≤ a}
while k < a
  x := x + m; k := k + 1      (maintains the loop invariant x = mk ∧ k ≤ a)
{x = mk ∧ k ≤ a ∧ ¬(k < a)} ⇒ x = ma = m|n|
⇒ (n < 0 → x = −mn) ∧ (n ≥ 0 → x = mn)
if n < 0 then prod := −x else prod := x
{prod = mn}
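The factorial loop of slide 10 and the multiply procedure of slide 11 can be run with their loop invariants checked at runtime, which is the cheapest way to catch a wrong invariant before attempting the proof. The following Python is an added example, not code from the slides or from Rosen: `run_while` is an assumed helper that executes a while loop on a state dictionary and asserts the invariant at loop entry and after every iteration, the two programs are transcribed from the slides with the slides' invariants, and the last function exercises the entry-condition caveat (the factorial invariant i ≤ n is false on entry when n ≤ 0, so a precondition of T is not enough for the proof).

```python
# Added example (not from the slides): running the slide 10 and slide 11
# programs with their loop invariants checked at entry and after each
# iteration, then using (not cond) and p to reach the postcondition.
from math import factorial


def run_while(state, cond, body, invariant):
    """Execute `while cond: body` on a state dict, checking the invariant
    at loop entry and after every iteration. Raises AssertionError with
    the offending state if the invariant fails; returns the final state."""
    assert invariant(state), f"invariant false at loop entry: {state}"
    while cond(state):
        body(state)
        assert invariant(state), f"invariant broken by loop body: {state}"
    # The loop rule's conclusion: not cond and p hold on exit.
    assert not cond(state) and invariant(state)
    return state


def fact_program(n):
    """Slide 10: i := 1; fact := 1; while i < n { i := i + 1; fact := fact * i }
    with invariant p: fact = i! and i <= n. Returns the final value of fact."""
    s = {"n": n, "i": 1, "fact": 1}

    def body(st):
        st["i"] += 1
        st["fact"] *= st["i"]

    p = lambda st: st["fact"] == factorial(st["i"]) and st["i"] <= st["n"]
    run_while(s, lambda st: st["i"] < st["n"], body, p)
    # not (i < n) and i <= n give i = n, so fact = i! = n!.
    assert s["i"] == s["n"]
    return s["fact"]


def multiply_program(m, n):
    """Slide 11: procedure multiply(m, n) with invariant x = m*k and k <= a.
    Returns prod, which the final assertion says equals m*n."""
    s = {"m": m, "n": n}
    s["a"] = -n if n < 0 else n             # {a = |n|}
    assert s["a"] == abs(n)
    s["k"] = 0
    s["x"] = 0                               # {x = m*k and k <= a}

    def body(st):
        st["x"] += st["m"]
        st["k"] += 1

    inv = lambda st: st["x"] == st["m"] * st["k"] and st["k"] <= st["a"]
    run_while(s, lambda st: st["k"] < st["a"], body, inv)
    # not (k < a) and k <= a give k = a, so x = m*a = m*|n|.
    assert s["x"] == m * abs(n)
    s["prod"] = -s["x"] if n < 0 else s["x"]  # {prod = m*n}
    return s["prod"]


def fact_invariant_fails_for(n):
    """The slide's initial assertion is T, but p needs n >= 1 on entry:
    with n <= 0 we have i = 1 > n, so the entry check trips. Returns True
    when the invariant check fails for this n, False when the run succeeds."""
    try:
        fact_program(n)
    except AssertionError:
        return True
    return False
```

Note that runtime checking only witnesses the invariant on the inputs tried; the proof on the slide is what establishes it for every input satisfying the initial assertion.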