Predicate Transforms I

Predicate Transforms I
Software Testing and Verification Lecture Notes 19 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Introduction: weakest pre-conditions (wp’s) weakest liberal pre-conditions (wlp’s) strongest post-conditions (sp’s) Proving {P} S {Q} using predicate transforms Transform rules for: assignment statements sequencing selection statements

Introduction What are Predicate Transforms†?
Rules for transforming post-conditions into pre-conditions or vice-versa. They provide algorithms to reduce the problem of verifying Hoare triples to proving predicate calculus formulas. Thus, predicate transforms operationalize Hoare Logic. † Also known as “Predicate Transformers”

Introduction (cont’d)
What is a “weakest pre-condition”? It is the weakest condition on the initial state of program S ensuring termination in state Q. It is denoted wp(S,Q) and read, “the weakest pre-condition of S with respect to Q.”

What is a “weakest liberal pre-condition”? It is the weakest condition on the initial state of program S ensuring state Q on termination if S terminates. It is denoted wlp(S,Q) and read, “the weakest liberal pre-condition of S with respect to Q.”

What is a “strongest post-condition”? It is the strongest condition on the final state of program S given that P holds initially and given that S terminates. It is denoted sp(S,P) and read, “the strongest post-condition of S with respect to P.”

ROI’s (algorithms) for proving program correctness using predicate transforms
P  wp(S,Q) {P} S {Q} strongly P  wlp(S,Q) {P} S {Q} sp(S,P)  Q

ROI’s (algorithms) for proving program correctness (cont’d)
Note the relationship between weakest liberal pre-conditions and strongest post-conditions: P  wlp(S,Q) ≡ sp(S,P)  Q We now consider rules for computing predi-cate transforms for structured programs comprised of assignment statements, if-then (-else) statements, and (in part II) while loops.

wp and wlp Rule for Assignment Statements
w(l)p(x:=E, Q(x,y,z))  Q(E,y,z)

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3 w(l)p(x:=x+1, xn+1) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3 w(l)p(x:=x+1, xn+1) = x+1n+1

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3 w(l)p(x:=x+1, xn+1) = x+1n+1 = xn

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3 w(l)p(x:=x+1, xn+1) = x+1n+1 = xn w(l)p(x:=7, x=7) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3 w(l)p(x:=x+1, xn+1) = x+1n+1 = xn w(l)p(x:=7, x=7) = (7=7)

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: w(l)p(x:=y+3, x>0) = y+3>0 = y>-3 w(l)p(x:=x+1, xn+1) = x+1n+1 = xn w(l)p(x:=7, x=7) = (7=7) = true (cont’d)

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6)

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6) = false

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6) = false w(l)p(x:=7, y=7) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6) = false w(l)p(x:=7, y=7) = y=7

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6) = false w(l)p(x:=7, y=7) = y=7 w(l)p(y:=-x, y=|x|) =

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6) = false w(l)p(x:=7, y=7) = y=7 w(l)p(y:=-x, y=|x|) = -x=|x|

w(l)p(x:=E, Q(x,y,z))  Q(E,y,z) Examples: (cont’d) w(l)p(x:=7, x=6) = (7=6) = false w(l)p(x:=7, y=7) = y=7 w(l)p(y:=-x, y=|x|) = -x=|x| = x0

sp Rule for Assignment Statements
sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z)

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0)

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0) sp(x:=x+1, x<n) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0) sp(x:=x+1, x<n) = x=x’+1 Л x’<n

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0) sp(x:=x+1, x<n) = x=x’+1 Л x’<n (=> x-1<n)

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0) sp(x:=x+1, x<n) = x=x’+1 Л x’<n (=> x-1<n) sp(x:=7, true) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0) sp(x:=x+1, x<n) = x=x’+1 Л x’<n (=> x-1<n) sp(x:=7, true) = x=7 Л true

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: sp(x:=y+3, y>-3) = x=y+3 Л y>-3 (=> x>0) sp(x:=x+1, x<n) = x=x’+1 Л x’<n (=> x-1<n) sp(x:=7, true) = x=7 Л true = x=7 (cont’d)

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = x=7 Л false

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = x=7 Л false = false

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = x=7 Л false = false sp(x:=7, y=7) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = x=7 Л false = false sp(x:=7, y=7) = x=7 Л y=7

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = x=7 Л false = false sp(x:=7, y=7) = x=7 Л y=7 sp(y:=-x, y=|x|) =

sp(x:=E, P)  x=E(x’,y,z) Л P(x’,y,z) Examples: (cont’d) sp(x:=7, false) = x=7 Л false = false sp(x:=7, y=7) = x=7 Л y=7 sp(y:=-x, y=|x|) = y=-x Л y’=|x|

wp and wlp Rule for Sequencing
w(l)p(S1;S2;...;Sn-1;Sn, Q)  w(l)p(S1, w(l)p(S2,...w(l)p(Sn-1, w(l)p(Sn, Q))…))

wp and wlp Rule for Sequencing (cont’d)
Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36)

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 B:=C2 A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 B:=C2 { B2 = 36 } A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) C:=D+1 { (2C)2 = 36 } B:=C2 { B2 = 36 } A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) { (2(D+1))2 = 36 } C:=D+1 { (2C)2 = 36 } B:=C2 { B2 = 36 } A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) { (2(D+1))2 = 36 } C:=D+1 { (2C)2 = 36 } B:=C2 { B2 = 36 } A:=B2 { A=36 } C:=D+1 B:=C2 A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) { (2(D+1))2 = 36 } C:=D+1 { (2C)2 = 36 } B:=C2 { B2 = 36 } A:=B2 { A=36 } C:=D+1 B:=C2 { B=6 V B=-6 } A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) { (2(D+1))2 = 36 } C:=D+1 { (2C)2 = 36 } B:=C2 { B2 = 36 } A:=B2 { A=36 } C:=D+1 { C=3 V C=-3 } B:=C2 { B=6 V B=-6 } A:=B2 { A=36 }

Example: w(l)p(C:=D+1; B:=C2; A:=B2, A=36) { (2(D+1))2 = 36 } C:=D+1 { (2C)2 = 36 } B:=C2 { B2 = 36 } A:=B2 { A=36 } { D=2 V D=-4 } C:=D+1 { C=3 V C=-3 } B:=C2 { B=6 V B=-6 } A:=B2 { A=36 }

sp Rule for Sequencing Rule: sp(S1;S2;...;Sn-1;Sn, P) 
sp(Sn, sp(Sn-1,...sp(S2, sp(S1, P))…))

sp Rule for Sequencing (cont’d)
Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1)

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 B:=C2 A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=D+1 Л D=1 } B:=C2 A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=D+1 Л D=1 } B:=C2 { B=2C Л C=D+1 Л D=1 } A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=D+1 Л D=1 } B:=C2 { B=2C Л C=D+1 Л D=1 } A:=B2 { A=B2 Л B=2C Л C=D+1 Л D=1 }

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 B:=C2 A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=D+1 Л D=1 } B:=C2 A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=2 Л D=1 } B:=C2 A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=2 Л D=1 } B:=C2 { B=2C Л C=2 Л D=1 } A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=2 Л D=1 } B:=C2 { B=4 Л C=2 Л D=1 } A:=B2

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=2 Л D=1 } B:=C2 { B=4 Л C=2 Л D=1 } A:=B2 { A=B2 Л B=4 Л C=2 Л D=1 }

Example 1: sp(C:=D+1; B:=C2; A:=B2, D=1) { D=1 } C:=D+1 { C=2 Л D=1 } B:=C2 { B=4 Л C=2 Л D=1 } A:=B2 { A=16 Л B=4 Л C=2 Л D=1 }

Compound programs often include multiple assignments to the same variable, e.g., X := X+1; ...; X := Y-X; ...; X := ZY; ... It is sometimes useful to “anchor” the initial values of such variables using some suitable notation such as X0 when applying the sp Rule for Assignment Statements. Consider the following example...

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 (2) X:=YX (3) X:=X-1

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX (3) X:=X-1

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX (3) X:=X-1 “anchoring” initial value of X to X0:

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX { X=YX’ Л X’=X0+1 } = { X=Y(X0+1) } (3) X:=X-1 “anchoring” initial value of X to X0:

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX { X=YX’ Л X’=X0+1 } = { X=Y(X0+1) } (3) X:=X-1 { X=X’-1 Л X’=Y(X0+1) } = { X=Y(X0+1)-1 } “anchoring” initial value of X to X0:

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX { X=YX’ Л X’=X0+1 } = { X=Y(X0+1) } (3) X:=X-1 { X=X’-1 Л X’=Y(X0+1) } = { X=Y(X0+1)-1 } Therefore, sp(S, true) is X=YX’+Y-1 “anchoring” initial value of X to X0:

Example 2: sp(S, true) where S is X:=X+1; X:=YX; X:=X-1 { true } (1) X:=X+1 { X=X’+1 Л true } = { X=X0+1 } (2) X:=YX { X=YX’ Л X’=X0+1 } = { X=Y(X0+1) } (3) X:=X-1 { X=X’-1 Л X’=Y(X0+1) } = { X=Y(X0+1)-1 } Therefore, sp(S, true) is X=YX’+Y-1 “anchoring” initial value of X to X0: reverting to standard X’ notation:

wp and wlp Rule for if-then-else Statement
w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q))

w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) T F b S1 S2 {Q}

w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) T F b b Л w(l)p(S1, Q) S1 S2 {Q}

w(l)p(if b then S1 else S2, Q)  (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) T F b b Л w(l)p(S1, Q) ¬b Л w(l)p(S2, Q) S1 S2 {Q}

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|)

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) b S1 S2 Q

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) b S1 S2 Q

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л w(l)p(y:=x, y=|x|) b S1 S2 Q

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л w(l)p(y:=x, y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л x=|x|) b S1 S2 Q

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л w(l)p(y:=x, y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л x=|x|) = (x<0 Л x≤0) V (x≥0 Л x≥0) b S1 S2 Q

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л w(l)p(y:=x, y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л x=|x|) = (x<0 Л x≤0) V (x≥0 Л x≥0) = (x<0 V x≥0) b S1 S2 Q

Example: w(l)p(if x<0 then y:=-x else y:=x, y=|x|) = (b Л w(l)p(S1, Q)) V (¬b Л w(l)p(S2, Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л w(l)p(y:=x, y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л x=|x|) = (x<0 Л x≤0) V (x≥0 Л x≥0) = (x<0 V x≥0) = true b S1 S2 Q

wp and wlp Rule for if-then Statement
w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q)

w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q) T b F S {Q}

w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q) T b b Л w(l)p(S, Q) F S {Q}

w(l)p(if b then S, Q)  (b Л w(l)p(S, Q)) V (¬b Л Q) T b b Л w(l)p(S, Q) F S ¬b Л Q {Q}

wp and wlp Rule for if-then Statement (cont’d)
Example: w(l)p(if x<0 then y:=-x, y=|x|)

Example: w(l)p(if x<0 then y:=-x, y=|x|) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л y=|x|) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л y=|x|) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л y=|x|) = (x<0 Л x≤0) V (x≥0 Л y=|x|) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л y=|x|) = (x<0 Л x≤0) V (x≥0 Л y=|x|) = (x<0 V (x≥0 Л y=|x|)) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л y=|x|) = (x<0 Л x≤0) V (x≥0 Л y=|x|) = (x<0 V (x≥0 Л y=|x|)) = (x<0 V (x≥0 Л y=x)) b S Q

Example: w(l)p(if x<0 then y:=-x, y=|x|) = (b Л w(l)p(S, Q)) V (¬b Л Q)) = (x<0 Л w(l)p(y:=-x, y=|x|) V (x≥0 Л y=|x|) = (x<0 Л -x=|x|) V (x≥0 Л y=|x|) = (x<0 Л x≤0) V (x≥0 Л y=|x|) = (x<0 V (x≥0 Л y=|x|)) = (x<0 V (x≥0 Л y=x)) = (x<0 V y=x) b S Q

Exercise Prove the assertion below using the wlp ROI.
{Z=B} if A>B then Z := A {Z=Max(A,B)}

{Z=B} if A>B then Z := A {Z=Max(A,B)} P S Q

{Z=B} if A>B then Z := A {Z=Max(A,B)} Recall the wlp ROI: P  wlp(S,Q) {P} S {Q} P S Q

sp Rule for if-then-else Statement
sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P)

sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P) {P} T F b S1 S2

sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P) {P} T F b S1 S2 sp(S1, b Л P)

sp(if b then S1 else S2, P)  sp(S1, b Л P) V sp(S2, ¬b Л P) {P} T F b S1 S2 sp(S1, b Л P) sp(S2, ¬b Л P)

sp Rule for if-then Statement
sp(if b then S, P)  sp(S, b Л P) V (¬b Л P)

sp(if b then S, P)  sp(S, b Л P) V (¬b Л P) {P} T b F S

sp(if b then S, P)  sp(S, b Л P) V (¬b Л P) {P} T b F S sp(S, b Л P)

sp(if b then S, P)  sp(S, b Л P) V (¬b Л P) {P} T b F S ¬b Л P sp(S, b Л P)

Example Prove the assertion: {y=x} if x<0 then y:=-x {y=|x|}
using the strongest post-condition (sp) ROI.

using the strongest post-condition (sp) ROI. Recall the sp ROI: sp(S,P)  Q {P} S {Q}

using the strongest post-condition (sp) ROI. (1) sp(if x<0 then y:=-x, y=x) = sp(y:=-x, x<0 Л y=x) V (x≥0 Л y=x) = (y=-x Л x<0 Л y’=x) V (x≥0 Л y=x) P

using the strongest post-condition (sp) ROI. (1) sp(if x<0 then y:=-x, y=x) = sp(y:=-x, x<0 Л y=x) V (x≥0 Л y=x) = (y=-x Л x<0 Л y’=x) V (x≥0 Л y=x) (2) (y=-x Л x<0 Л y’=x) V (x≥0 Л y=x) => (x<0 Л y=-x) V (x≥0 Л y=x) => y=|x| √ P Q

Coming Up Next… Transform rules for while loops

Software Testing and Verification Lecture Notes 19 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Predicate Transforms I

Similar presentations

Presentation on theme: "Predicate Transforms I"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Predicate Transforms I

Similar presentations

Presentation on theme: "Predicate Transforms I"— Presentation transcript:

Similar presentations

About project

Feedback