Example of a Worked-out Proof

Slides:

Advertisements

Similar presentations

Ack: Several slides from Prof. Jim Anderson’s COMP 202 notes.

Advertisements

AE1APS Algorithmic Problem Solving John Drake

PROOF BY CONTRADICTION

If R = {(x,y)| y = 3x + 2}, then R -1 = (1) x = 3y + 2 (2) y = (x – 2)/3 (3) {(x,y)| y = 3x + 2} (4) {(x,y)| y = (x – 2)/3} (5) {(x,y)| y – 2 = 3x} (6)

Reasoning About Code; Hoare Logic, continued

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

MA/CSSE 473/474 How (not) to do an induction proof.

>In We need a rule that will let us prove a conditional. What should the rule be?

Program Proving Notes Ellen L. Walker.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 5: Axiomatic Semantics II Roman Manevich Ben-Gurion University.

Sorting. Input: A sequence of n numbers a 1, …, a n Output: A reordering a 1 ’, …, a n ’, such that a 1 ’ < … < a n ’

4/17/2017 Section 3.6 Program Correctness ch3.6.

1 Recitation 7. Developing loops Introduction. This recitation concerns developing loops using their invariants and bound functions. Your recitation instructor.

Proving correctness. Proof based on loop invariants  an assertion which is satisfied before each iteration of a loop  At termination the loop invariant.

Floyd Hoare Logic. Semantics A programming language specification consists of a syntactic description and a semantic description. Syntactic description:symbols.

Reading and Writing Mathematical Proofs

1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.

Equations Reducible to Quadratic

TABLES AND VALUES Section 1.5. Open Sentence Equation.

Recursive Algorithms &

Divide-and-Conquer UNC Chapel HillZ. Guo. Divide-and-Conquer It’s a technique instead of an algorithm Recursive in structure – Divide the problem into.

Example of a Worked-out Proof. Consider again this program Let 0  n. This program checks if all elements of the segment a[0..n) are zero. {* 0  n *}

1 Software Correctness Proofs CIS 376 Bruce R. Maxim UM-Dearborn.

2IS80 Fundamentals of Informatics Fall 2015 Lecture 6: Sorting and Searching.

CSE 311: Foundations of Computing Fall 2013 Lecture 8: Proofs and Set theory.

1/20 Arrays Changki PSWLAB Arrays Daniel Kroening and Ofer Strichman Decision Procedure.

Big O David Kauchak cs302 Spring Administrative Assignment 1: how’d it go? Assignment 2: out soon… Lab code.

What have you learned in this lecture until now? Circuit theory Undefined quantities ( , ) Axioms ( , ) Two.

CORRECTNESS ISSUES AND LOOP INVARIANTS Lecture 8 CS2110 – Fall 2014.

© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.

Hoare Logic LN chapter 5, 6 but without 6.8, 6.12, 6.13 (to be discussed later) Hoare Logic is used to reason about the correctness of programs. In the.

Axiomatic Verification II Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 18.

11/22/2016IT 3271 A formal system:Axioms and Rules, for inferring valid specification x := m; y := n; while ¬(x=y) do if x>y then x := x-y else y := y-x.

Kirchhoff’s Laws.

Lifting Abstract Interpreters to Quantified Logical Domains (POPL’08)

Further with Hoare Logic Sections 6.12, 6.10, 6.13

Correctness issues and Loop invariants

Reasoning with invariants

Reasoning About Code.

Revisiting Predicate Logic LN chapters 3,4

Proving Loops Testing debugging and verification

Disjunctive Normal Form

Hoare Logic LN chapter 5, 6 but without 6. 8, 6. 12, 6

Chapter 2 Sets and Functions.

Asymptotic Notations Algorithms Lecture 9.

Axiomatic semantics Points to discuss: The assignment statement

Proving correctness.

Axiomatic Verification II

Hoare Logic LN chapter 5, 6 Hoare Logic is used to reason about the correctness of programs. In the end, it reduces a program and its specification to.

Some heuristics for deriving invariant LN sections 6.7 , 6.8

Axiomatic Verification II

Predicate Transformers

Divide and Conquer (Merge Sort)

Output Variables {true} S {i = j} i := j; or j := i;

More Mathematical Reasoning (Conditional Statements)

Binary Search and Loop invariants

Ack: Several slides from Prof. Jim Anderson’s COMP 202 notes.

David Kauchak cs161 Summer 2009

Program Verification with Hoare Logic

CSE Winter 2008 Introduction to Program Verification

How does the point (2, 4) change as a result of the transformation

Use the Chain Rule to find {image} where t = 5, u = 3, v = 0. {image}

nalysis of lgorithms A A Universidad Nacional de Colombia

Quicksort Quick sort Correctness of partition - loop invariant

Tutorial Number 8 - Daniel Razavi

Searching and Sorting Hint at Asymptotic Complexity

Solving Quadratics EQ: How do you solve quadratic inequalities algebraically? M2 Unit 1C: Day 7.

Hoare Logic LN chapter 5, 6, 9.3 Hoare Logic is used to reason about the correctness of programs. In the end, it reduces a program and its specification.

Program Correctness an introduction.

Presentation transcript:

Example of a Worked-out Proof

Consider again this program Let 0n. This program checks if all elements of the segment a[0..n) are zero. {* 0n *} i := 0 ; r := true ; while i<n do { r := r /\ (a[i]=0) ; i++ } {* ?? *}

Proof rule for loop (total correctness) {* g /\ I *} S {* I *} // invariance I /\ g  Q // exit cond {* I /\ g *} C:=m; S {* m<C *} // m decreasing I /\ g  m > 0 // m bounded below ---------------------------------------- {* I *} while g do S {* Q *}

Formal spec, inv, and term. metric {* 0n *} i := 0 ; r := true ; while i<n do { r := r /\ (a[i]=0) ; i++ } {* r = (k : 0k<n : a[k]=0) *} Chosen invariant & termination metric: I : (r = (k : 0k<i : a[k]=0)) /\ 0in m : n - i I1 I2

It comes down to proving these (Exit Condition) I /\ g  Q (Initialization Condition) {* given-pre-cond *} i := 0 ; r := true {* I *}, Equivalently : given-pre-cond  wp (i := 0 ; r := true) I (Invariance) I /\ g  wp body I (Termination Condition) I /\ g  wp (C:=m ; body) (m<C) (Termination Condition) I /\ g  m>0

Proof of the exit condition PROOF PEC [A1] r = (k : 0k<i : a[k]=0) // I1 [A2] 0in // I2 [A3] in // g [G] r = (k : 0k<n : a[k]=0) { A2 and A3 } i = n { rewrite A1 with 1 } r = (k : 0k<n : a[k]=0) END

Proof of the initialization condition Calculate the wp first : wp (i := 0 ; r := true ) I = ..... PROOF Init [A1] 0n [ G ] (true = (k : 0k<0 : a[k]=0)) /\ 00n // calculated wp { 00 , conjunction with A1 } 00n { see the eq. sub proof below } true = (k : 0k<0 : a[k]=0) EQUATIONAL PROOF (k : 0k<0 : a[k]=0) = { the domain is empty } (k : false : a[k]=0) = { over empty domain } true END { conjunction of 1 and 2 } G

Proof of the invariance condition We have to prove: I /\ g  wp body I Calculate the wp first: wp (r := r /\ (a[i]=0) ; i++ ) I = .... Proof structure: PROOF PIC [A1] r = (k : 0k<i : a[k]=0) // I1 [A2] 0in // I2 [A3] i<n // g [G] .... here the wp you calculated above

Proof of the invariance condition PROOF PIC [A1] r = (k : 0k<i : a[k]=0) [A2] 0in [A3] i<n [G1] r/\(a[i]=0) = (k : 0k<i+1 : a[k]=0) [G2] 0i+1n { follows from 0  i in A2 } 0i+1 { follows from A3 } i+1n { see eq. subproof below } G1 EQUATIONAL PROOF ---------------------------- (k : 0k<i+1 : a[k]=0) = { dom. merge , PIC.A2 } (k : 0k<i \/ k=i : a[k]=0) = {  domain-split } (k : 0k<i: a[k]=0) /\ (k : k=i : a[k]=0) = { PIC.A1 } r /\ (k : k=i : a[k]=0) = { quant. over singleton } r /\ (a[i]=0) END { conjunction of 1,2,3} G END

Proof that m decreases You have to prove: I /\ g  wp (C:=m ; body) (m<C) Calculate this first: wp (C:=n-i ; r := r /\ (a[i]=0) ; i++ ) (n-i<C) = .... PROOF PTC1 [A1] r = (k : 0k<i : a[k]=0) // I1 [A2] 0in // I2 [A3] i<n // g [G] n-(i+1) < n-i { x-1 < x } n – i - 1 < n-i { rewriting 1 } n – (i+1) < n-1 END

Proof that m has a lower bound You have to prove: I /\ g  m0 PROOF PTC2 [A1] r = (k : 0k<i : a[k]=0) // I1 [A2] 0in // I2 [A3] i<n // g [G] n – i > 0 ..... complete this yourself.

Let’s take a look at the version with a break {* 0n *} i := 0 ; r := true ; while i<n /\ r do { r := r /\ (a[i]=0) ; i++ } {* r = (k : 0k<n : a[k]=0) *} Let’s just use the same invariant & termination metric: I : (r = (k : 0k<i : a[k]=0)) /\ 0in m : n - i let’s call this g /\ h

Ok.. so what do we have to prove ? (Exit Condition) I /\ (g /\ h)  Q (Initialization Condition) given-pre-cond  wp (i := 0 ; r := true) I (Invariance) I /\ g /\ h  wp body I (Termination Condition) I /\ g /\ h  wp (C:=m ; body) (m<C) (Termination Condition) I /\ g /\ h  m>0

Patched proof of the exit condition PROOF PEC [A1] r = (k : 0k<i : a[k]=0) // I1 [A2] 0in // I2 [A3] in \/ r // g [G] r = (k : 0k<n : a[k]=0) { see subproof1} i  n  G { see subproof2} r  G { case-split on A3, using 1 and 2 } G END

The Subproofs of PEC PROOF sub2 [A1] r [G] r = (k : 0k<n : a[k]=0) { rewrite A1 with PEC.A1} (k : 0k<i : a[k]=0) { neg of  on 1 } (k : 0k<i : a[k]  0) { elim on 2} [SOME k] 0k<i /\ a[k]  0 {PEC.A2 says i  n, so 3 implies this: } 0k<n /\ a[k]  0 { intro on 4 } (k : 0k<n : a[k]  0) { neg of  on 5 } (k : 0k<n : a[k]=0) {A1 and 6 } r = (k : 0k<n : a[k]=0) { follows from 7 } r = (k : 0k<n : a[k]=0) END P , Q ------------------- P = Q

We can also prove sub2’s goal with an equational proof EQ PROOF sub2 [A1] r (k : 0k<n : a[k]=0) = { domain merging, justified by PEC.A2 } (k : 0k<i \/ ik<n : a[k]=0) = { domain split } (k : 0k<i : a[k]=0) /\ (k : ik<n : a[k]=0) = { rewrite with PEC.A1 } r /\ (k : ik<n : a[k]=0) = { rewrite with A1 above } false /\ (k : ik<n : a[k]=0) = { trivial } false = { A1 implies r=false } r END