Motivation
Hoare's axiomatisation

Loop invariants
Algorithms and Complexity Theory

Matei Popovici

POLITEHNICA University of Bucharest
Computer Science and Engineering Department, Bucharest, Romania

16 November 2012

Matei Popovici Loop invariants


Correctness - Motivation

Correctness, so far:
Checking if an ADT specification has desirable properties
Verifying whether an implementation of an ADT satisfies the specification (axioms)
What more to expect? [1]
50% of software development is focused on testing and debugging
roughly 2 out of 6 software projects never reach completion
people may actually die due to software errors:
In 1991, during the Gulf War, an American missile failed to hit an enemy missile, due to accumulated errors in real-number computations. 28 people died.


About correctness ...

Peter Naur:
"It is a deplorable consequence of the lack of influence of mathematical thinking on the way in which computer programming is being pursued."


About correctness ...

Edsger W. Dijkstra:
"Testing shows the presence, not the absence of bugs."
"[..] it is not only the programmer's responsibility to produce a correct program but also to demonstrate its correctness in a convincing manner."


Let us extend the concept of correctness from ADTs (and their implementations) to programs in general.


What does it mean for a program to be correct?

The program output is valid ...
... iff the program input is valid.
Validity of program input/output: defined w.r.t. input/output assertions (predicates).

Example
A program computing the square root of a number: A(x) = y
Input assertion: $P_{in}(x) \equiv x > 0$
Output assertion: $P_{out}(x, y) \equiv y^2 = x$

What about program termination? Can we prove it? No!
Partial correctness vs total correctness
Can we prove partial correctness? Automatically?



Hoare's idea

Denotational semantics: assign a mathematical meaning to the constructs of a language.
{P}A{Q} - P, Q are the input/output assertions, respectively; A is the program.
Step 1: Break the program A into parts. More complex programs are built from simpler ones using construction rules (combinators):
v := e is a program (assignment)
if A1, A2 are programs then A1; A2 is a program (sequence)
if b is a program expression producing a boolean result and A1, A2 are programs then if b then A1 else A2 is a program (conditional)
if b is a program expression producing a boolean result and A is a program then while b do A is a program (loop)

Hoare's idea

Step 2: Create rules of inference for each combinator and do a step-by-step proof of partial correctness.


Rules of inference

Create rules of inference for each combinator:

$\dfrac{\{P\}A_1\{R\} \quad \{R\}A_2\{Q\}}{\{P\}A_1;A_2\{Q\}}$ (sequence)

$\dfrac{\mathit{true}}{\{Q[v \leftarrow e]\}\ v := e\ \{Q\}}$ (assignment)

$\dfrac{\{P \wedge b\}A_1\{Q\} \quad \{P \wedge \neg b\}A_2\{Q\}}{\{P\}\ \text{if } b \text{ then } A_1 \text{ else } A_2\ \{Q\}}$ (if)

$\dfrac{\{P\}A\{R\}, \quad R \Rightarrow Q}{\{P\}A\{Q\}}$ (cons1)

$\dfrac{R \Leftarrow P, \quad \{R\}A\{Q\}}{\{P\}A\{Q\}}$ (cons2)

Step 3: Build a proof tree starting from the complex program

(- blackboard -)


Loop invariants

We need to state another rule: the loop

$\dfrac{P \Rightarrow I(0) \quad\quad b \wedge I(k) \Rightarrow I(k+1) \quad\quad \neg b \wedge I(N) \Rightarrow Q}{\{P\}\ \text{while } b \text{ do } A\ \{Q\}}$ (loop)

I is a loop invariant (the invariant does not change during any iteration).
In general, I cannot be automatically inferred. We must specify it.


Roadmap


Loop invariants

Proofs involving loop invariants require the following steps:
$P \Rightarrow I(0)$ (initialisation)
$b \wedge I(k) \Rightarrow I(k+1)$ (maintenance)
$\neg b \wedge I(N) \Rightarrow Q$ (termination)
Recall that P is the precondition, and Q is the postcondition.
If all three steps are proved, then {P} while b do A {Q} holds (is true).
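As an added example that is not part of these slides, the Python checker below encodes the three obligations of the loop rule (initialisation, maintenance, termination) as implications and searches a constructed grid of program states for counterexamples; the loop, its assertions and both candidate invariants are assumptions chosen to mirror the slides' square-root example. It also shows why I has to be specified by hand: an invariant that is true initially and preserved by every iteration can still be too weak to establish Q.

```python
# Added example (not from the slides): the three obligations of the loop rule,
# checked as implications over a constructed grid of program states. This is a
# bounded counterexample search, i.e. testing, not a proof of the triple.
from itertools import product
from typing import Callable, Dict, List

State = Dict[str, int]
Pred = Callable[[State], bool]
Stmt = Callable[[State], State]


def check_loop_rule(pre: Pred, inv: Pred, post: Pred, cond: Pred,
                    body: Stmt, states: List[State]) -> Dict[str, List[State]]:
    """Return, per obligation, the sampled states that violate it.

    initialisation:  P  =>  I
    maintenance:     b and I  =>  I holds again after one execution of A
    termination:     not b and I  =>  Q
    """
    fails: Dict[str, List[State]] = {
        "initialisation": [], "maintenance": [], "termination": []}
    for s in states:
        if pre(s) and not inv(s):
            fails["initialisation"].append(s)
        if cond(s) and inv(s) and not inv(body(dict(s))):
            fails["maintenance"].append(s)
        if not cond(s) and inv(s) and not post(s):
            fails["termination"].append(s)
    return fails


# Loop under study (assumed here; an integer version of the slides' square root):
#   {x >= 0 and y = 0}  while (y+1)*(y+1) <= x do y := y + 1  {y^2 <= x < (y+1)^2}
def P(s: State) -> bool:            # precondition at loop entry
    return s["x"] >= 0 and s["y"] == 0

def b(s: State) -> bool:            # loop guard
    return (s["y"] + 1) ** 2 <= s["x"]

def A(s: State) -> State:           # loop body, applied to a copy of the state
    s["y"] += 1
    return s

def Q(s: State) -> bool:            # postcondition: y is the integer square root of x
    return s["y"] ** 2 <= s["x"] < (s["y"] + 1) ** 2

def I_good(s: State) -> bool:       # strong enough: together with not b it yields Q
    return 0 <= s["y"] and s["y"] ** 2 <= s["x"]

def I_weak(s: State) -> bool:       # true and preserved, but too weak to reach Q
    return 0 <= s["y"]

def sample_states() -> List[State]:
    """Constructed grid, deliberately including states the loop never reaches."""
    return [{"x": x, "y": y} for x, y in product(range(0, 30), range(-2, 8))]

def obligations(inv: Pred) -> Dict[str, List[State]]:
    return check_loop_rule(P, inv, Q, b, A, sample_states())

if __name__ == "__main__":
    for name, inv in (("I_good", I_good), ("I_weak", I_weak)):
        res = obligations(inv)
        print(name, {k: (v[0] if v else "ok") for k, v in res.items()})
```

With I_weak only the termination obligation fails, on states such as x = 0, y = 1 that the real loop never reaches; the rule quantifies over all states satisfying not b and I, which is exactly why the sample must include unreachable ones.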


Examples

- Example - Blackboard -


Question

- structural induction vs loop invariants -


Bibliography I

[1] Militon Frentiu. Correctness: A very important quality factor in programming. Studia Univ. Babes-Bolyai, Informatica, 2005.