1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
2 Edsger Dijkstra Edsger Dijkstra wrote: "Programs should be composed correctly, and not just debugged into correctness." This is an important concept we should strive for.
3 Predicates and Programming
This chapter looks at some applications of predicate logic in computing:
- the formal specification of imperative (procedural) programs;
- the proof and development of sequences of assignments;
- practice formulating English specifications;
- proof of the correctness of conditional statements.
(Iterative statements are covered in chapter 12.)
4 Program Specifications
A state is a set of identifier-value pairs, e.g. $(x_1 = T,\; x_2 = F,\; x_3 = F,\; \ldots)$.
Recall the Hoare triple $\{Q\}\; S\; \{R\}$: if $Q$ is true in the state before $S$ executes, then $R$ is true in the state after $S$ executes.
5 Program Specifications
$\{Q\}\; x := ?\; \{R\}$
- precondition $Q$: a Boolean expression that describes the initial states for which execution of the program is being defined;
- a list of variables, $x$, that may be assigned;
- postcondition $R$: a Boolean expression that characterizes the final states, after execution of the program.
6 Final States Are Not Always Unambiguously Determined
$\{true\}\; x := ?\; \{x^2 = 4\}$
Either $x = 2$ or $x = -2$ satisfies this specification.
7 Proofs of $\{Q\}\; x := E\; \{R\}$
(10.2) Assignment Introduction: To show that $x := E$ is an implementation of $\{Q\}\; x := ?\; \{R\}$, prove $Q \Rightarrow R[x := E]$.
8 Weakest Precondition
Definition: For any command (or statement) $S$ and predicate $R$, we define a predicate $wp(S, R)$, the weakest precondition of $S$ with respect to $R$, to represent the set of all states such that, if execution of $S$ begins in any one of them, then $S$ is guaranteed to terminate in a finite amount of time in a state satisfying $R$.
$\{?\}\; x := E\; \{R\}$
$wp(x := E,\; R) = R[x := E]$
9 (10.2) shows us when $\{Q\}\; x := E\; \{R\}$ holds
To show that $x := E$ is an implementation of $\{Q\}\; x := ?\; \{R\}$, prove $Q \Rightarrow wp(x := E,\; R)$. In other words, prove $Q \Rightarrow R[x := E]$.
Almost all hints in the following are textual substitution, arithmetic and (3.84a).
10 Practice with wp
For $\{Q\}\; x := E\; \{R\}$ we must prove $Q \Rightarrow R[x := E]$.
$\{i = 0\}\; i := i + 1\; \{i \le 1\}$
    $(i = 0) \Rightarrow (i \le 1)[i := i + 1]$
=   $(i = 0) \Rightarrow (i + 1 \le 1)$
=   $(i = 0) \Rightarrow (i \le 0)$
=   $(i = 0) \Rightarrow (i = 0 \lor i < 0)$
=   ⟨(3.76a) Weakening/Strengthening, with $p, q := (i = 0), (i < 0)$⟩
    $true$
11 Just weakest precondition
$\{wp?\}\; i := i + 1\; \{i > 0\}$
    $(i > 0)[i := i + 1]$
=   $i + 1 > 0$
=   $i \ge 0$
$\{i \ge 0\}$ is the weakest precondition.
12 Just wp
$\{wp?\}\; x := 5\; \{x = 5\}$
    $(x = 5)[x := 5]$
=   $5 = 5$
=   $true$ -- the set of all states

$\{wp?\}\; x := 5\; \{x \ne 5\}$
    $(x \ne 5)[x := 5]$
=   $5 \ne 5$
=   $false$ -- the set of no states
13 More assignment-statement wp
$\{wp?\}\; x := x * x\; \{x^4 = 10\}$
    $(x^4 = 10)[x := x * x]$
=   $(x * x)^4 = 10$
=   $x^8 = 10$
=   $x = \pm\sqrt[8]{10}$
14 wp
$\{wp?\}\; x := (x - y) * (x + y)\; \{x + y^2 \ne 0\}$
    $(x + y^2 \ne 0)[x := (x - y) * (x + y)]$
=   $(x - y) * (x + y) + y^2 \ne 0$
=   $x^2 + xy - xy - y^2 + y^2 \ne 0$
=   $x^2 \ne 0$
=   $x \ne 0$
15 wp with multiple assignment
$\{wp?\}\; x, y := x - y,\; x + y\; \{x + y = C\}$
    $(x + y = C)[x, y := x - y,\; x + y]$   -- replace $x$ with $x - y$ and $y$ with $x + y$ simultaneously
=   $x - y + x + y = C$
=   $x + x = C$
=   $2x = C$
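As an added example (not from the lecture or the textbook), here is a small Python model of rule (10.2) and of wp for (multiple) assignment, as used on slides 7 to 15: textual substitution is done on a parsed expression tree so that $x, y := x - y,\; x + y$ replaces both variables at the same time, and $Q \Rightarrow R[x := E]$ is checked exhaustively over a small finite domain of integer states (a bounded check, not a proof). The names wp_assign, implements and equivalent are my own.

```python
import ast
import itertools

class _Subst(ast.NodeTransformer):
    """Simultaneous textual substitution R[x := E]: every Name listed in
    `mapping` is replaced by the parsed expression E. Only the original tree
    is walked and inserted subtrees are never revisited, so x, y := x-y, x+y
    replaces x and y at the same time, as the multiple-assignment slide needs."""

    def __init__(self, mapping):
        self.mapping = mapping

    def visit_Name(self, node):
        return self.mapping.get(node.id, node)

def wp_assign(assignment, R):
    """wp(x := E, R) = R[x := E]. `assignment` maps variable names to expression
    strings and R is a Boolean expression, all in Python syntax (** for powers,
    != for <>). Returns the substituted predicate as source text."""
    mapping = {v: ast.parse(e, mode="eval").body for v, e in assignment.items()}
    tree = ast.fix_missing_locations(_Subst(mapping).visit(ast.parse(R, mode="eval")))
    return ast.unparse(tree.body)

def _states(variables, domain):
    # A state is a set of identifier-value pairs; enumerate all of them over `domain`.
    for values in itertools.product(domain, repeat=len(variables)):
        yield dict(zip(variables, values))

def _holds(pred, state):
    # Predicates evaluated here are the constructed strings in this file, not user input.
    return bool(eval(pred, {"__builtins__": {}}, dict(state)))

def implements(Q, assignment, R, variables, domain=range(-5, 6)):
    """Rule (10.2): x := E implements {Q} x := ? {R} iff Q => R[x := E].
    Checked exhaustively over a finite integer domain (a bounded check, not a proof)."""
    wp = wp_assign(assignment, R)
    return all(not _holds(Q, s) or _holds(wp, s) for s in _states(variables, domain))

def equivalent(p, q, variables, domain=range(-5, 6)):
    """Do p and q describe the same set of states over the finite domain?"""
    return all(_holds(p, s) == _holds(q, s) for s in _states(variables, domain))

if __name__ == "__main__":
    print(wp_assign({"i": "i + 1"}, "i > 0"))                     # i + 1 > 0
    print(wp_assign({"x": "x - y", "y": "x + y"}, "x + y == C"))  # simplifies to 2x = C
    print(implements("i == 0", {"i": "i + 1"}, "i <= 1", ["i"]))  # True
    print(implements("True", {"x": "5"}, "x != 5", ["x"]))        # False: wp(S, false) = false
```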
16 Properties of WP
Law of Excluded Miracle: $wp(S, F) = F$
Suppose execution begins in a state $w \in wp(S, F)$. Then $S$ is executed and establishes $F$ (false), which is satisfied by no state, i.e. $\emptyset$. Therefore there is no state in $wp(S, F)$, because such a state would have to make the postcondition true.
17 Properties of WP
Distributivity of Conjunction: $wp(S, Q) \land wp(S, R) = wp(S, Q \land R)$
Let $w \in wp(S, Q) \land wp(S, R)$, thus $w \in wp(S, Q)$ and $w \in wp(S, R)$. If execution begins in $w$, $S$ is executed and the result is that $Q$ is true and $R$ is true, thus $Q \land R$ is true. Therefore $w \in wp(S, Q \land R)$.
Let $w \in wp(S, Q \land R)$. If execution begins in $w$, $S$ is executed and the result is that $Q \land R$ is true, thus $Q$ is true and $R$ is true. Since $Q$ is true, $w \in wp(S, Q)$, and since $R$ is true, $w \in wp(S, R)$. Therefore $w \in wp(S, Q) \land wp(S, R)$.
18 Properties of WP
Law of Monotonicity: if $Q \Rightarrow R$ then $wp(S, Q) \Rightarrow wp(S, R)$
Assume $w \in wp(S, Q)$. If execution begins in $w$, $S$ is executed and the result is that $Q$ is true. Since $Q \Rightarrow R$ is true, $R$ is also true. Therefore $w \in wp(S, R)$.