University of Capital University of Economics and Business Dept' of Computer Science IT222 Applicati - PowerPoint PPT Presentation

Description: One example is PVS (People's Verification System) ... Note that p: 'fact = i! ∧ i ≤ n' is a loop invariant, and is true before the loop. ... – PowerPoint PPT presentation

Slides: 12
Provided by: Michael1809

Transcript and Presenter's Notes

1
University of Capital University of Economics and Business
Dept. of Computer Science
IT222 Applications of Discrete Structures
Instructor: Xiaoting Zhao
2
Module 17: Verifying Program Correctness
  • Rosen 5th ed., 3.6
  • 18 slides, 1 lecture

3
3.6 Program Correctness
  • We want to be able to prove that a given program
    meets the intended specifications.
  • This can often be done manually, or even by
    automated program verification tools.
  • One example is PVS (People's Verification
    System).
  • A program is correct if it produces the correct
    output for every possible input.
  • A program has partial correctness if it produces
    the correct output for every input for which the
    program eventually halts.

4
Initial and Final Assertions
  • A program's I/O specification can be given using
    initial and final assertions.
  • The initial assertion p is the condition that the
    program's input (its initial state) is guaranteed
    (by its user) to satisfy.
  • The final assertion q is the condition that the
    output produced by the program (its final state)
    is required to satisfy.
  • Hoare triple notation
  • The notation {p}S{q} means that, for all inputs I
    such that p(I) is true, if program S (given input
    I) halts and produces output O = S(I), then q(O)
    is true.
  • That is, S is partially correct with respect to
    specification (p, q).

5
A Trivial Example
  • Let S be the program fragment y := 2; z := x + y
  • Let p be the initial assertion x = 1.
  • The variable x will hold 1 in all initial states.
  • Let q be the final assertion z = 3.
  • The variable z must hold 3 in all final states.
  • Prove {p}S{q}.
  • Proof: If x = 1 in the program's input state, then
    after running y := 2 and z := x + y, z will be
    1 + 2 = 3.

6
Hoare Triple Inference Rules
  • Deduction rules for Hoare triple statements.
  • A simple example: the composition rule
  • {p}S1{q}, {q}S2{r} ∴ {p}S1; S2{r}
  • It says: if program S1 given condition p produces
    condition q, and S2 given q produces r, then the
    program S1 followed by S2, if given p, yields r.

7
Inference rule for if statements
  • {p ∧ cond}S{q}, (p ∧ ¬cond) → q ∴ {p} if cond
    then S {q}
  • Example: Show that {T} if x > y then y := x {y ≥ x}.
  • Proof: If initially x > y, then the if body is
    executed, setting y := x, and so afterwards y = x is
    true. Otherwise, x ≤ y and so y ≥ x. In either case
    y ≥ x is true. So the rule applies, and so the
    fragment meets the specification.

8
if-then-else rule
  • {p ∧ cond}S1{q}, {p ∧ ¬cond}S2{q} ∴ {p} if cond
    then S1 else S2 {q}
  • Example: Show that
  • {T} if x < 0 then abs := -x else abs := x {abs = |x|}
  • If x < 0 then after the if body, abs will be -x = |x|.
    If ¬(x < 0), i.e., x ≥ 0, then after the else body,
    abs = x, which is |x|. So the rule applies.
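The triples of slides 5, 7 and 8 are small enough to be checked mechanically over a bounded domain. The following Python is an added example, not code from the slides: check_triple runs a program fragment on every initial state of a small finite domain that satisfies p and tests q on the result. A counterexample refutes the triple outright; an empty result is evidence for it on that domain only, not a proof. The function names, the bounded range and the swapped-branch defect are all my own constructions.

```python
# Added example (not from the slides): bounded checking of Hoare triples.
# A triple {p} S {q} is checked by running S on every initial state of a
# small finite domain that satisfies p and testing q on the final state.
# This is testing, not proof: a clean run on the domain is evidence, while a
# counterexample is a definite refutation of the triple.
from itertools import product


def check_triple(pre, prog, post, domain):
    """Return the initial states in `domain` (dict var -> iterable of values)
    that satisfy `pre` but for which `prog` violates `post`.
    An empty list means the triple holds on the whole domain.
    Only partial correctness is examined: `prog` is assumed to halt."""
    names = list(domain)
    failures = []
    for values in product(*(domain[n] for n in names)):
        state = dict(zip(names, values))
        if not pre(state):
            continue  # states outside the initial assertion are not S's concern
        final = prog(dict(state))  # copy, so the counterexample keeps the input
        if not post(final):
            failures.append(state)
    return failures


# Slide 5: {x = 1} y := 2; z := x + y {z = 3}
def trivial_fragment(s):
    s["y"] = 2
    s["z"] = s["x"] + s["y"]
    return s


# Slide 7: {T} if x > y then y := x {y >= x}
def max_fragment(s):
    if s["x"] > s["y"]:
        s["y"] = s["x"]
    return s


# Slide 8: {T} if x < 0 then abs := -x else abs := x {abs = |x|}
def abs_fragment(s):
    s["abs"] = -s["x"] if s["x"] < 0 else s["x"]
    return s


# Constructed defect: the two branches swapped. Used to show that the checker
# reports counterexamples rather than silently passing.
def abs_fragment_swapped(s):
    s["abs"] = s["x"] if s["x"] < 0 else -s["x"]
    return s


SMALL = range(-5, 6)  # hypothetical bounded domain for each variable


def true_assertion(s):
    """The assertion T: every state satisfies it."""
    return True


def run_checks():
    """Check each triple from the slides; values are counterexample lists."""
    return {
        "trivial": check_triple(lambda s: s["x"] == 1, trivial_fragment,
                                lambda s: s["z"] == 3, {"x": SMALL}),
        # Dropping the initial assertion shows why p is part of the spec.
        "trivial_no_pre": check_triple(true_assertion, trivial_fragment,
                                       lambda s: s["z"] == 3, {"x": SMALL}),
        "max": check_triple(true_assertion, max_fragment,
                            lambda s: s["y"] >= s["x"],
                            {"x": SMALL, "y": SMALL}),
        "abs": check_triple(true_assertion, abs_fragment,
                            lambda s: s["abs"] == abs(s["x"]), {"x": SMALL}),
        "abs_swapped": check_triple(true_assertion, abs_fragment_swapped,
                                    lambda s: s["abs"] == abs(s["x"]),
                                    {"x": SMALL}),
    }


if __name__ == "__main__":
    for name, bad in run_checks().items():
        status = "holds on domain" if not bad else f"counterexamples {bad[:3]}"
        print(f"{name}: {status}")
```

Running the checks shows the role of the initial assertion directly: with p = (x = 1) the trivial fragment has no counterexamples, while with p = T every x other than 1 is one. The swapped abs fragment fails on every x except 0, where -x and x coincide.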

9
Loop Invariants
  • For a while loop "while cond S", we say that p is
    a loop invariant of this loop if {p ∧ cond}S{p}.
  • If p (and the continuation condition cond) is
    true before executing the body, then p remains
    true afterwards.
  • And so p stays true through all subsequent
    iterations.
  • This leads to the inference rule {p ∧ cond}S{p}
    ∴ {p} while cond S {¬cond ∧ p}

10
Loop Invariant Example
  • Prove that the following Hoare triple holds:
    {T}
    i := 1; fact := 1
    while i < n
      i := i + 1
      fact := fact · i
    {fact = n!}
  • Proof. Note that p: fact = i! ∧ i ≤ n is a loop
    invariant, and is true before the loop. Thus,
    after the loop we have ¬cond ∧ p ≡ ¬(i < n) ∧ fact = i!
    ∧ i ≤ n → i = n ∧ fact = i! → fact = n!.

11
Big Example
  • procedure multiply(m, n: integers)
    {m, n ∈ Z}
    if n < 0 then a := -n else a := n
    {a = |n|}
    k := 0; x := 0
    {x = mk ∧ k ≤ a}
    while k < a        (maintains loop invariant x = mk ∧ k ≤ a)
      x := x + m
      k := k + 1
    {x = mk ∧ k ≤ a}
    {x = mk ∧ k ≤ a ∧ k ≥ a} → x = ma = m|n|
    → (n < 0 → x = -mn) ∧ (n ≥ 0 → x = mn)
    if n < 0 then prod := -x else prod := x
    {prod = mn}
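The loop rule of slide 9 and the two loop proofs of slides 10 and 11 can be turned into runtime checks: the invariant is asserted before the loop and after every iteration, which is exactly the premise {p ∧ cond}S{p}, and on exit the state satisfies ¬cond ∧ p. The Python below is an added example, not code from the slides: run_while, fact_program, multiply and the `swapped` defect flag are my own names and constructions.

```python
# Added example (not from the slides): instrumenting loops with their
# invariants. run_while() executes "while cond: body" on a state dict and
# asserts the invariant before the loop and after every iteration, i.e. it
# checks the premise {p ∧ cond} S {p} of the loop rule at run time and hands
# back a state satisfying ¬cond ∧ p. fact_program and multiply follow the
# programs of slides 10 and 11; the `swapped` flag is a constructed defect.
from math import factorial


def run_while(state, cond, body, invariant):
    """Run the loop on `state` in place, checking `invariant` at every point
    the loop rule relies on. Raises AssertionError with the offending state."""
    assert invariant(state), f"invariant false before loop: {state}"
    while cond(state):
        body(state)
        assert invariant(state), f"invariant broken after body: {state}"
    # Conclusion of the rule: on exit the guard is false and p still holds.
    assert not cond(state) and invariant(state)
    return state


def fact_program(n, swapped=False):
    """Slide 10: i := 1; fact := 1; while i < n { i := i + 1; fact := fact·i }.
    Invariant p: fact = i! ∧ i ≤ n. Returns the final value of fact."""
    state = {"i": 1, "fact": 1, "n": n}

    def body(s):
        if swapped:  # constructed bug: the two updates in the wrong order
            s["fact"] *= s["i"]
            s["i"] += 1
        else:
            s["i"] += 1
            s["fact"] *= s["i"]

    def invariant(s):
        return s["fact"] == factorial(s["i"]) and s["i"] <= s["n"]

    run_while(state, lambda s: s["i"] < s["n"], body, invariant)
    return state["fact"]


def multiply(m, n):
    """Slide 11: multiply m by n by repeated addition of m, carrying the
    slide's assertions as runtime checks. Returns prod."""
    a = -n if n < 0 else n
    assert a == abs(n)                      # {a = |n|}
    state = {"x": 0, "k": 0}

    def body(s):
        s["x"] += m
        s["k"] += 1

    def invariant(s):                       # {x = mk ∧ k ≤ a}
        return s["x"] == m * s["k"] and s["k"] <= a

    run_while(state, lambda s: s["k"] < a, body, invariant)
    x = state["x"]
    assert x == m * a                       # k ≤ a ∧ ¬(k < a) gives k = a
    prod = -x if n < 0 else x
    assert prod == m * n                    # {prod = mn}
    return prod


if __name__ == "__main__":
    print(fact_program(5), multiply(3, -4), multiply(-3, -4))
    try:
        fact_program(4, swapped=True)
    except AssertionError as err:
        print("defect caught:", err)
```

The swapped body is caught on the first iteration, because after fact := fact·i; i := i+1 the state has fact = 1 and i = 2, and fact = i! is false, even though the final output would only be visibly wrong for n ≥ 3. One caveat the checker also surfaces: for n = 0 the invariant i ≤ n is false before the loop, so the argument on slide 10 really needs n ≥ 1 as its initial assertion rather than T.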