1. Reasoning about Loops, Conclusion

2. Announcements QUIZ 1 today. You have 10 minutes
Hand in quiz at the end of class

3. Announcements HW1 will be up tomorrow (due next Thursday)
Check class Web page for an announcement
You must clone a new repository, hw01
To submit answers, push to Git, then submit in Submitty
If you have questions, please us at
Use LMS discussion board

4. Outline Reasoning about loops (conclusion) Dafny basics
Specifications (next time)
Spring 18 CSCI 2600, K. Kuzmin, A Milanova

5. So Far We discussed reasoning about code Hoare Logic
Forward reasoning and backward reasoning
Hoare Logic
Hoare Triples
Rule for backward reasoning
Assignment
Sequence
If-then-else
Method call
Reasoning about loops
Spring 17 CSCI 2600, A Milanova

6. Reasoning About Loops Partial correctness Termination
total correctness=partial correctness+termination
Partial correctness
“Guess”, then prove loop invariant
Loop invariant and loop exit condition must imply the postcondition
This gives us: “If the loop terminated then the postcondtion did hold”. But does the loop terminate?
Termination
“Guess” decrementing function D. (1) D >= 0, (2) strictly decreases, (3) D at 0 along with the loop invariant must imply loop exit condition

7. Let’s Catch the Bug
Precondition: len ≥ 1 && a.length = len int sum = a[0]; int i = 1; while (i <= len) invariant sum = a[0]+…+a[i-1] && i<=len+1 { sum = sum + a[i]; i = i+1; } Postcondition: sum = a[0]+…+a[a.length-1]
After a bit of observation, we’ll settle on the above loop invariant.
Step 1. Invariant holds before the loop.
Step 2. If Inv holds after kth iteration, it holds after k+1st iteration as well.
Step 3. i > len AND i <= len+1 => i = len+1. Thus,
Spring 18 CSCI 2600, K. Kuzmin, A Milanova

8. “Interesting” Invariant
Another Factorial Precondition: t >= 0 r = 1; n = t; while (n != 0) { r = r*n; n = n-1; } Postcondition: r = t!
r = t!/n!
Spring 18 CSCI 2600, K. Kuzmin, A Milanova (example due to Michael Ernst, UW)

9. Interesting Invariant
Integer Division Precondition: x >= 0 && y > 0 r = x; q = 0; while (y <= r) { r = r-y; q = q+1; } Postcondition: x = y*q + r && r < y
Spring 18 CSCI 2600, K. Kuzmin, A Milanova (example due to Michael Ernst, UW)

10. Interesting Invariant
Precondition: a > 0 && b > 0 y1 = a; y2 = b; while (y1 != y2) invariant gcd(y1,y2) = gcd(a,b) { if (y1 > y2) { y1 = y1-y2 } else { y2 = y2-y1; } Postcondition: y1 = gcd(a,b)
gcd(y1,y2) = gcd(y1-y2,y2)

11. Dafny Dafny: programming language and verifier
Author: K. Rustan M. Leino, Microsoft Research
Programmer writes programs with specifications
Verifier proves that program obeys specification
Binary downloads at
Try online at
Fall 17 CSCI 2600, A Milanova

12. Dafny Basics The smallest unit of verification is the method
method Foo(x: int, y: int) returns (z: int, w: int)
Preconditions
requires x == 0 && y >= 0
Postconditions
ensures z != 0 || w != 0
Fall 17 CSCI 2600, A Milanova

13. Our Earlier Exercise, in Dafny
// precondition: ?? y = x + 4 if (x > 0) {
y = x*x – 1; } else { y = y+x; }
{ y = 0 } x = x/y;
Find what input causes divide-by-zero at the last
statement.
Answer:
Precondition: x=1 || x=-2
These are the inputs that
cause divide-by-zero error

14. Our Division Example in Dafny
method DivisionByZero(x: int) returns (y: int) requires x == 1 || x == -2 ensures y == 0 { y := x + 4; if (x > 0) { y := x*x - 1; } else { y := y + x; }
Named returns, can have multiple output variables!
Equality test: ==, NOT =
Assignment: :=, NOT =