Strongest postcondition rules sp(skip, P) = P sp(x := a, P) = v. x=a[v/x] P[v/x] sp(S1; S2, P) = sp(S2, sp(S1, P)) sp(if b then S1 else S2, P) = sp(S1, b P) sp(S2, b P) sp(while b do {} S, P) = b where {b } S {} and P b Inv ((Inv b) wp(S, Inv)) ((Inv b) Q) Parameterized by the loop invariant Inv
Exponentiation prog. – prove Background axioms: { } t := 0; { } res := 1; { } Inv = { } while (t < y) do { } { } res := res * x; { } t := t + 1; { } { } { }
Small array update rules (sp) [array-loadF] { a=b } x := y[a] { x=y(b) } In both rules v, g, and b are fresh [array-updateF] { y=g a=b } y[a] := x { y=g[bx] } same as [array-updateF] { y=g a=b } y := y[ax] { y=g[bx] }
Rewrite assignment as function update b[i] := a[j]
Calculate the postcondition 2 { ob=b a(j)=x z.0z<i ob(z)=x } b := b[ia(j)] { }
Array-max program – specify nums : array N : int // N stands for num’s length { N0 nums=orig_nums } x := 0 res := nums[0] Inv = { } while x < N if nums[x] > res then res := nums[x] x := x + 1 { x=N } { m. (m0 m<N) nums(m)res } { m. m0 m<N nums(m)=res } { nums=orig_nums }
Array-max program – specify nums : array N : int // N stands for num’s length { N0 } x := 0 res := nums[0] while x < N if nums[x] > res then res := nums[x] x := x + 1
Total correctness semantics for While [ P[a/x] ] x := a [ P ] [assp] [ P ] skip [ P ] [skipp] [ P ] S1 [ Q ], [ Q ] S2 [ R ] [ P ] S1; S2 [ R ] [compp] [ b P ] S1 [ Q ], [ b P ] S2 [ Q ] [ P ] if b then S1 else S2 [ Q ] [ifp] [whilep] [ b P t=k ] S [ P t<k ] [ P ] while b do S [ b P ] P t0 [ P’ ] S [ Q’ ] [ P ] S [ Q ] [consp] if PP’ and Q’Q
Two counters [ ] b := 0; Variant = [ ] while (x0 y0) do b := 1−b; if (b) x := x−1 else y := y−1 [ true ]
Slow countdown: find variant [ true ] flag := 0; Variant = [ ] while (x>0) do flag := 1−flag; if flag=0 then x := x−1 [ true ]