Predicate Transforms I Software Testing and Verification Lecture 19 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Predicate Transforms I and II Introduction Proving strong correctness Assignment statements Sequencing Selection statements --------------------------- Iteration

Introduction What are Predicate Transforms? An extension of axiomatic verification. Rules are provided for transforming post-conditions into weakest pre-conditions with respect to various program constructs.

Introduction (cont’d) What is a weakest pre-condition? It is the necessary pre-condition for program S to terminate in state Q. It is denoted wp(S,Q) and read, “the weakest pre-condition of S with respect to Q.”

Proving Strong Correctness To prove {P} S {Q} and to prove that P implies that S will terminate, show that P  wp(S,Q) We now consider rules for computing weakest pre-conditions for structured programs comprised of assignment statements, if-then (-else) statements, and while loops.

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z)

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z) Examples: wp(x:=y+3, x>0) =

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z) Examples: wp(x:=y+3, x>0) = wp(x:=x+1, xn+1) =

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z) Examples: wp(x:=y+3, x>0) wp(x:=x+1, xn+1) wp(x:=7, x=7) =

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) wp(x:=7, x=6) =

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) wp(x:=7, x=6) = wp(x:=7, y=7) =

Rule for Assignment Statements wp(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) wp(x:=7, x=6) = wp(x:=7, y=7) = wp(y:=-x, y=|x|) =

wp(S1, wp(S2,...wp(Sn-1, wp(Sn, Q))…)) Rule for Sequencing Rule: wp(S1;S2;...;Sn-1;Sn, Q)  wp(S1, wp(S2,...wp(Sn-1, wp(Sn, Q))…))

Rule for Sequencing (cont’d) Example: wp(C:=D+1; B:=C2; A:=B2, A=36)

Rule for Sequencing (cont’d) Example: wp(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 B:=C2 A:=B2 { A=36 }

Rule for Sequencing (cont’d) Example: wp(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 B:=C2 A:=B2 { A=36 } C:=D+1 B:=C2 A:=B2 { A=36 }

Rule for if-then-else Statement wp(if b then S1 else S2, Q)  (b Л wp(S1, Q)) V (¬b Л wp(S2, Q))

Rule for if-then-else Statement wp(if b then S1 else S2, Q)  (b Л wp(S1, Q)) V (¬b Л wp(S2, Q)) T F b S1 S2 {Q}

Rule for if-then-else Statement wp(if b then S1 else S2, Q)  (b Л wp(S1, Q)) V (¬b Л wp(S2, Q)) T F b b Л wp(S1, Q)) S1 S2 {Q}

Rule for if-then-else Statement wp(if b then S1 else S2, Q)  (b Л wp(S1, Q)) V (¬b Л wp(S2, Q)) T F b b Л wp(S1, Q)) ¬b Л wp(S2, Q)) S1 S2 {Q}

Rule for if-then-else Statement (cont’d) Example: wp(if x<0 then y:=-x else y:=x, y=|x|)

Rule for if-then Statement wp(if b then S, Q)  (b Л wp(S, Q)) V (¬b Л Q)

Rule for if-then Statement wp(if b then S, Q)  (b Л wp(S, Q)) V (¬b Л Q) T b F S {Q}

Rule for if-then Statement wp(if b then S, Q)  (b Л wp(S, Q)) V (¬b Л Q) T b b Л wp(S, Q)) F S {Q}

Rule for if-then Statement wp(if b then S, Q)  (b Л wp(S, Q)) V (¬b Л Q) T b b Л wp(S, Q)) F S ¬b Л Q {Q}

Rule for if-then Statement (cont’d) Example: wp(if x<0 then y:=-x, y=|x|)

{Z=B} if A>B then Z := A {Z=Max(A,B)} Exercise Prove the assertion below using the predicate transform based approach. {Z=B} if A>B then Z := A {Z=Max(A,B)}

{Z=B} if A>B then Z := A {Z=Max(A,B)} Exercise Prove the assertion below using the predicate transform based approach. {Z=B} if A>B then Z := A {Z=Max(A,B)} P S Q

{Z=B} if A>B then Z := A {Z=Max(A,B)} Exercise Prove the assertion below using the predicate transform based approach. {Z=B} if A>B then Z := A {Z=Max(A,B)} Hint: Compute the wp(S,Q) Show that P  wp(S,Q) P S Q

Predicate Transforms I Software Testing and Verification Lecture 19 Prepared by Stephen M. Thebaut, Ph.D. University of Florida