
Hoare's axiomatisation

Loop invariants

Algorithms and Complexity Theory

Matei Popovici

16 November 2012

Motivation

Correctness - Motivation

Correctness, so far:
- Checking if an ADT specification has desirable properties
- Verifying whether an implementation of an ADT satisfies the specification (axioms)

What more to expect? [1]
- 50% of software development is focused on testing and debugging
- roughly 2 out of 6 software projects never reach completion
- people may actually die due to software errors: in 1991, during the Gulf War, an American missile failed to hit an enemy missile due to accumulated errors in real-number computations. 28 people died.

Peter Naur:
"It is a deplorable consequence of the lack of influence of mathematical thinking on the way in which computer programming is being pursued."

Edsger W. Dijkstra:
"Testing shows the presence, not the absence of bugs. [..] it is not only the programmer's responsibility to produce a correct program but also to demonstrate its correctness in a convincing manner."

implementations) to programs in general.

The program output is valid...
... iff the program input is valid

Validity of program input/output:
- Defined w.r.t. input/output assertions (predicates)

Example

A program computing the square root of a number: $A(x) = y$
- Input assertion: $P_{in}(x) : x > 0$
- Output assertion: $P_{out}(x, y) : y^2 = x$

What about program termination? Can we prove it? No!

Partial correctness vs Total correctness

Can we prove partial correctness? Automatically?

Hoare's axiomatisation

Hoare's idea

Denotational semantics:
to the constructs of a language

$\{P\}\,A\,\{Q\}$ - P, Q are the input/output assertions, respectively; A is the program.

Step 1: Break the program A into parts. More complex programs are built from simpler ones using construction rules (combinators):
- $v := e$ is a program (assignment)
- if $A_1, A_2$ are programs then $A_1; A_2$ is a program (sequence)
- if b is a program expression producing a boolean result and $A_1, A_2$ are programs then if b then $A_1$ else $A_2$ is a program (conditional)
- if b is a program expression producing a boolean result and A is a program then while b do A is a program (loop)

a step-by-step proof of partial correctness

Rules of inference

$$\frac{\{P\}\,A_1\,\{R\} \qquad \{R\}\,A_2\,\{Q\}}{\{P\}\,A_1;\,A_2\,\{Q\}}\ \text{(sequence)}$$

$$\frac{\mathit{true}}{\{Q[v \leftarrow e]\}\ v := e\ \{Q\}}\ \text{(assignment)}$$

$$\frac{\{P \wedge b\}\,A_1\,\{Q\} \qquad \{P \wedge \neg b\}\,A_2\,\{Q\}}{\{P\}\ \text{if } b \text{ then } A_1 \text{ else } A_2\ \{Q\}}\ \text{(if)}$$

$$\frac{\{P\}\,A\,\{R\} \qquad R \Rightarrow Q}{\{P\}\,A\,\{Q\}}\ \text{(cons1)}$$

$$\frac{P \Rightarrow R \qquad \{R\}\,A\,\{Q\}}{\{P\}\,A\,\{Q\}}\ \text{(cons2)}$$

Step 3: Build a proof tree starting from the complex program (- blackboard -)

Loop invariants

$$\frac{P \Rightarrow I(0) \qquad b \wedge I(k) \Rightarrow I(k+1) \qquad \neg b \wedge I(N) \Rightarrow Q}{\{P\}\ \text{while } b \text{ do } A\ \{Q\}}\ \text{(loop)}$$

- I is a loop invariant (the invariant does not change during any iteration)
- In general, I cannot be automatically inferred. We must specify it.

Roadmap

Loop invariants

- $P \Rightarrow I(0)$ (initialisation)
- $b \wedge I(k) \Rightarrow I(k+1)$ (maintenance)
- $\neg b \wedge I(N) \Rightarrow Q$ (termination)

Recall that P is the precondition and Q is the postcondition.

If all three steps are proved, then $\{P\}\ \text{while } b \text{ do } A\ \{Q\}$ holds (is true).
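The inference rules above (assignment axiom, sequence rule) and the three loop-invariant obligations, applied to a bounded buffer copy as an added example that is not part of the slides: a small Python falsifier that checks each obligation over a finite domain, once for the correct guard i < n and once for an off-by-one guard i <= n. The copy loop, the capacity CAP and every predicate are constructed for this illustration.

```python
from itertools import product

# Constructed model of a bounded buffer copy: state = {i: loop counter, n: byte
# count}; CAP is the buffer capacity, so a write to buf[i] is legal iff i < CAP.
CAP = 4
DOMAIN = range(0, CAP + 2)             # large enough to step past the capacity

def states():
    """Every state over the finite DOMAIN: a falsifier, not a proof over all ints."""
    for i, n in product(DOMAIN, repeat=2):
        yield {"i": i, "n": n}

def wp_assign(var, expr, Q):
    """Assignment axiom {Q[v <- e]} v := e {Q}: Q with e substituted for v
    is Q evaluated in the state reached after the assignment."""
    return lambda s: Q({**s, var: expr(s)})

def counterexample(hyp, goal):
    """First state where hyp holds but goal fails (hyp => goal is false), else None."""
    for s in states():
        if hyp(s) and not goal(s):
            return s
    return None

def check_loop(P, b, body, I, Q):
    """The three obligations for {P} while b do body {Q} with invariant I;
    returns (name, counterexample) for the first that fails, else None."""
    obligations = [
        ("initialisation", P, I),                                        # P => I
        ("maintenance", lambda s: b(s) and I(s), lambda s: I(body(s))),  # b and I => I after body
        ("termination", lambda s: (not b(s)) and I(s), Q),               # not b and I => Q
    ]
    for name, hyp, goal in obligations:
        cx = counterexample(hyp, goal)
        if cx is not None:
            return name, cx
    return None

# Assertions for:  i := 0; while guard do (buf[i] := src[i]; i := i + 1)
P0 = lambda s: 0 <= s["n"] <= CAP                 # caller promises n fits the buffer
P_loop = lambda s: s["i"] == 0 and P0(s)          # holds right after i := 0
I = lambda s: 0 <= s["i"] <= s["n"] <= CAP        # loop invariant
Q = lambda s: s["i"] == s["n"]                    # all n bytes copied
write_in_bounds = lambda s: s["i"] < CAP          # buf[i] is a legal write
step = lambda s: {**s, "i": s["i"] + 1}           # body; only i matters for the proof
guard_ok = lambda s: s["i"] < s["n"]              # while i < n
guard_bad = lambda s: s["i"] <= s["n"]            # off-by-one: while i <= n

def verify(guard):
    """Every verification condition for the program; {} means all of them hold."""
    conditions = [
        # sequence rule with R = P_loop; {P0} i := 0 {P_loop} is the assignment axiom
        ("init-assignment", P0, wp_assign("i", lambda s: 0, P_loop)),
        # in the body, guard and I are known; they must make buf[i] a legal write
        ("write-in-bounds", lambda s: guard(s) and I(s), write_in_bounds),
    ]
    failures = {}
    for name, hyp, goal in conditions:
        cx = counterexample(hyp, goal)
        if cx is not None:
            failures[name] = cx
    failed = check_loop(P_loop, guard, step, I, Q)   # {P_loop} while guard do step {Q}
    if failed is not None:
        failures[failed[0]] = failed[1]
    return failures
```

A finite-domain check can only exhibit counterexamples: here the off-by-one guard breaks maintenance already at i = n = 0 and admits the out-of-bounds write at i = n = CAP, while the correct guard yields no failure; the slides' rules are what turn a counterexample-free check into a proof for all inputs.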

Examples

- Example - Blackboard -

Question

Bibliography

[1] Militon Frentiu. Correctness: A very important quality factor in programming. Studia Univ. Babes-Bolyai, Informatica, 2005.
