Reasoning about Loops, Conclusion
Announcements
Quiz 1 today. You have 10 minutes. Hand in the quiz at the end of class.
Announcements
HW1 will be up tomorrow (due next Thursday). Check the class web page for an announcement.
You must clone a new repository, hw01. To submit answers, push to Git, then submit in Submitty.
If you have questions, please email us at
Use the LMS discussion board.
Outline
Reasoning about loops (conclusion)
Dafny basics
Specifications (next time)
Spring 18 CSCI 2600, K. Kuzmin, A Milanova
So Far
We discussed reasoning about code: Hoare logic, forward reasoning and backward reasoning.
Hoare logic: Hoare triples; rules for backward reasoning: assignment, sequence, if-then-else, method call.
Reasoning about loops.
Spring 17 CSCI 2600, A Milanova
Reasoning About Loops
Partial correctness and termination: total correctness = partial correctness + termination.
Partial correctness: "guess", then prove a loop invariant. The loop invariant together with the loop exit condition must imply the postcondition. This gives us: "if the loop terminated, then the postcondition holds." But does the loop terminate?
Termination: "guess" a decrementing function D such that (1) D >= 0, (2) D strictly decreases on every iteration, and (3) D = 0 together with the loop invariant implies the loop exit condition.
Let's Catch the Bug
Precondition: len ≥ 1 && a.length = len
    int sum = a[0];
    int i = 1;
    while (i <= len)
        invariant sum = a[0]+…+a[i-1] && i <= len+1
    {
        sum = sum + a[i];
        i = i+1;
    }
Postcondition: sum = a[0]+…+a[a.length-1]
After a bit of observation, we settle on the loop invariant above.
Step 1. The invariant holds before the loop.
Step 2. If the invariant holds after the kth iteration, it holds after the (k+1)st iteration as well.
Step 3. i > len AND i <= len+1 => i = len+1. Thus,
"Interesting" Invariant: Another Factorial
Precondition: t >= 0
    r = 1;
    n = t;
    while (n != 0) {
        r = r*n;
        n = n-1;
    }
Postcondition: r = t!
Loop invariant: r = t!/n!
(example due to Michael Ernst, UW)
Interesting Invariant: Integer Division
Precondition: x >= 0 && y > 0
    r = x;
    q = 0;
    while (y <= r) {
        r = r-y;
        q = q+1;
    }
Postcondition: x = y*q + r && r < y
(example due to Michael Ernst, UW)
Interesting Invariant
Precondition: a > 0 && b > 0
    y1 = a;
    y2 = b;
    while (y1 != y2)
        invariant gcd(y1,y2) = gcd(a,b)
    {
        if (y1 > y2) {
            y1 = y1-y2;
        } else {
            y2 = y2-y1;
        }
    }
Postcondition: y1 = gcd(a,b)
The invariant is preserved because gcd(y1,y2) = gcd(y1-y2,y2).
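As an added example (not from the slides), the following Python harness checks Steps 1 to 3 and the two decrementing-function conditions at runtime, on one execution, for the integer-division loop and for the "Let's Catch the Bug" sum loop; check_loop, int_div, array_sum, failure_message and the bug flag are names chosen here. It is a sanity check of a guessed invariant on concrete inputs, not a proof over all inputs, which is what a verifier such as Dafny supplies.

```python
def check_loop(state, guard, body, invariant, decreasing, post):
    """Run a loop on `state` (a dict that `body` mutates in place) while checking,
    for this one execution, the obligations the slides list. A runtime sanity
    check of the guessed invariant and decrementing function D, not a proof."""
    def need(cond, msg):
        if not cond:
            raise AssertionError(msg)
    need(invariant(state), "Step 1: invariant does not hold before the loop")
    while guard(state):
        d_before = decreasing(state)
        need(d_before >= 0, "D < 0 while the loop guard holds")
        try:
            body(state)
        except Exception as exc:  # e.g. an out-of-bounds array read
            raise AssertionError(f"loop body is unsafe: {exc!r}") from exc
        need(invariant(state), "Step 2: iteration does not preserve the invariant")
        need(decreasing(state) < d_before, "D did not strictly decrease")
    need(post(state), "Step 3: invariant and exit condition do not imply postcondition")
    return state

def int_div(x, y):
    """Integer division loop from the slides, with the invariant x == y*q + r && r >= 0."""
    def body(s):
        s["r"] -= s["y"]; s["q"] += 1
    s = check_loop({"x": x, "y": y, "r": x, "q": 0},
                   guard=lambda s: s["y"] <= s["r"], body=body,
                   invariant=lambda s: s["x"] == s["y"] * s["q"] + s["r"] and s["r"] >= 0,
                   decreasing=lambda s: s["r"],
                   post=lambda s: s["x"] == s["y"] * s["q"] + s["r"] and s["r"] < s["y"])
    return s["q"], s["r"]

def array_sum(a, bug=True):
    """'Let's Catch the Bug' loop; bug=True keeps the slide's guard i <= len, bug=False uses i < len."""
    top = len(a) + (1 if bug else 0)          # guard i <= len is the same as i < len + 1
    def body(s):
        s["sum"] += s["a"][s["i"]]; s["i"] += 1
    s = check_loop({"a": a, "sum": a[0], "i": 1},
                   guard=lambda s: s["i"] < top, body=body,
                   invariant=lambda s: s["sum"] == sum(s["a"][:s["i"]]) and s["i"] <= top,
                   decreasing=lambda s: top - s["i"],
                   post=lambda s: s["sum"] == sum(s["a"]))
    return s["sum"]

def failure_message(fn, *args):
    """Message of the first failed obligation for fn(*args), or None if all held."""
    try:
        fn(*args)
    except AssertionError as exc:
        return str(exc)
    return None
```

With the slide's guard the last iteration reads a[len], which the harness reports as an unsafe body before Step 3 is ever reached; a verifier reports the same index out of range statically.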
Dafny
Dafny: programming language and verifier. Author: K. Rustan M. Leino, Microsoft Research.
The programmer writes programs with specifications; the verifier proves that the program obeys the specification.
Binary downloads at
Try online at
Fall 17 CSCI 2600, A Milanova
Dafny Basics
The smallest unit of verification is the method:
    method Foo(x: int, y: int) returns (z: int, w: int)
      requires x == 0 && y >= 0     // precondition
      ensures z != 0 || w != 0      // postcondition
Our Earlier Exercise, in Dafny
    // precondition: ??
    y = x + 4
    if (x > 0) {
        y = x*x - 1;
    } else {
        y = y+x;
    }
    { y = 0 }        // assertion, in Hoare-triple notation
    x = x/y;
Find what input causes a divide-by-zero at the last statement.
Answer: precondition x=1 || x=-2. These are the inputs that cause a divide-by-zero error.
Our Division Example in Dafny
    method DivisionByZero(x: int) returns (y: int)
      requires x == 1 || x == -2
      ensures y == 0
    {
      y := x + 4;
      if (x > 0) {
        y := x*x - 1;
      } else {
        y := y + x;
      }
    }
Named returns: a method can have multiple output variables!
Equality test: ==, NOT =
Assignment: :=, NOT =