CIS 720 Lecture 3

Correctness of sequential programs Program logic { P } S { Q } If S begins in a state satisfying P and S terminates, then the resulting state satisfies Q. Partial correctness P = precondition Q = postcondition

Axioms Skip statement Assignment statement { P } skip { P } { Pxe } x := e { P } Pxe = P with all occurrences of x replaced by e { true } x := 5 { x = 5} { y = 1 } x := 5 { x = 5 /\ y = 1} { y = 1 } x := 5 { x + y = 6 }

Rule of consequence P’ => P, {P } S {Q}, Q => Q’ {P’ } S {Q’}

Alternative statement if B1  S1 [] …... [] Bn  Sn fi Bi = boolean guard Its evaluation does not change the state All guards are evaluated One of the true guards is selected non-deterministically and its statement executed. If no guards evaluates to true then skip

If-statement axiom 1 ≤ i ≤ N, { P /\ Bi } Si { Q } /\ ( P /\ !(B1\/....\/Bn)) => Q {P} if B1  S1 [] …... [] Bn  Sn fi {Q} {P} if B1  S1 [] B2  S2 : Bn  Sn fi {P /\ B1} {P} {Q}

{true} m >=

Rule of Consequence

Iterative rule do B1  S1 [] …... [] Bn  Sn od Perform all of the following steps until all guards evaluate to false Evaluate all guards Select one of the true guards non-deterministically and execute the statement

Iterative statement axiom Loop invariant I is a predicate that holds before and after each iteration of the loop. 1 ≤ i ≤ N, { I /\ Bi } Si { I } {I} do B1  S1 [] …... [] Bn  Sn od {I /\ ¬(B1 \/....\/ Bn)}

Proof Outline Proof outline consists of one assertion before and after each statement (or one assertion for each control point). Assertion is supposed to indicate what must be true at that point Each assertion must follow from the previous assertion using either an axiom or logical implication

Example i := 1 fact := 1 do i < n  i = i + 1 fact =fact * i od {A1} i := 1 {A2} – using AA {A2} fact := 1 {A3} – using AA {A1: n > 0} A3  I i := 1 fact := 1 do i < n  i = i + 1 fact =fact * i od {A4 /\ i < n} i := i+1 {A5} – using AA {A2: n > 0 /\ i = 1} {A5} fact := fact *i {I} – using AA {I} do … od {I /\ I >= n} – using Do-loop axiom {A3: n > 0 /\ i = 1 /\ fact = 1} {I: n > 0 /\ fact = i! /\ i <= n} {A4: I /\ i < n} {A5: n > 0 /\ fact = (i – 1)! /\ i <= n} {I} {A6: I /\ i >= n} {fact = n!}

i { A4 /\ i < n }

i := 1 max := A[1] do i < n  i = i + 1 if (max < A[i]) max = A[i] od

Concurrency rule { Pi } Si { Qi } are interference free { P1 /\ …. /\ Pn } co S1 // …. // Sn { Q1 /\ …. /\ Qn}

Interference freedom Let a be a statement and C be an assertion. NI(a, C) iff { pre(a) /\ C } a { C } Execution of a does not invalidates (or interferes with C).

{ Pi } Si { Qi }, for all I, are interference free if for all assertions C in proof outline of Si, for all actions a in Sj, i != j NI(a, C) holds