1 Program Correctness

2 Program Verification
An object is a finite state machine:
–Its attribute values are its state.
–Its methods optionally:
  –Transition it from one state to another;
  –Produce a return value.
We deal with static methods: functions. The discussion can be extended to objects.

3 Let function f: I → O, where
–I is the set of valid inputs
–O is the set of valid outputs
Let program P compute f. If ∀ i ∈ I, P(i) = f(i), then P correctly computes f.
If I is the set of Java int values, then |I| = 2^32, more than 4 billion inputs, and a function of n int parameters has |I|^n of them: testing every input is infeasible.
Idea: prove that P computes f without testing.

4 Partial Correctness
An initial assertion states the properties of valid input.
A final assertion states the properties of valid output.
Let program [segment] S have:
–initial assertion p
–final assertion q.
If (p is true for S’s input ∧ S terminates) → q is true for S’s output, then S is partially correct with respect to p & q, denoted p{S}q.
N.B. p{S}q says nothing about whether S terminates: a segment that loops forever on every input is (vacuously) partially correct with respect to any p and q.

5 Correctness
A program [segment] is correct when:
–It is partially correct.
–It terminates on all valid input.
Initial & final assertions specify the function.
N.B.
–Humans create the specification.
–A specification thus is a source of error.
–If specifying a function is more error-prone than programming it, then “Houston, we have a problem.”

6 Is this Java segment correct? (y is an int declared earlier.)
    assert ( y >= 0 );
    int x = y*y;
    x *= x*x;
    assert x == y*y*y*y*y*y;
1. Let p be the initial assertion: y >= 0.
2. Let q be the final assertion: x == y^6.
3. If p, then
   1. x == y^2 after the 1st statement,
   2. x == y^2 * y^2 * y^2 == y^6 after the 2nd statement.
Is the above proof correct? (It is not: it reasons about mathematical integers, while a Java int is 32 bits wide and wraps on overflow. See the next slide.)

7 Is this Java segment correct?
    assert ( y >= 0 ) && ( Math.pow(y, 6) <= Integer.MAX_VALUE );
    int x = y*y;
    x *= x*x;
    assert x == y*y*y*y*y*y;
1. Let p & q be the initial & final assertion, respectively.
2. If p, then
   1. x == y^2 after the 1st statement,
   2. x == y^2 * y^2 * y^2 after the 2nd statement,
   3. no overflow occurs, because y^6 <= Integer.MAX_VALUE and every intermediate product (y^2, y^4) is at most y^6.
N.B. The strengthened precondition is what makes the proof valid; the final Java assert on its own would not detect overflow. Both sides of x == y*y*y*y*y*y are computed with the same wrapping int arithmetic (consistent modulo 2^32), so that assert passes even when x is not the mathematical y^6.
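To see why the precondition has to be strengthened, here is an added example (my own code, not from the original slides) that models Java's wrapping 32-bit int arithmetic in Python, whose native integers are unbounded, and checks every input against the final assertion q read as a statement about mathematical integers, x == y^6. The helper names to_int32, run_segment, weak_pre, strong_pre, post and failing_inputs are my own.

```python
INT_MAX = 2**31 - 1


def to_int32(v: int) -> int:
    """Wrap an unbounded integer to Java's two's-complement 32-bit int."""
    return (v + 2**31) % 2**32 - 2**31


def run_segment(y: int) -> tuple[int, bool]:
    """The slide's segment under Java int semantics.

    Returns (x, java_assert_holds): x is the wrapped value left by
    `int x = y*y; x *= x*x;` and the flag is what Java's
    `assert x == y*y*y*y*y*y;` would evaluate to.
    """
    x = to_int32(y * y)                   # int x = y*y;
    x = to_int32(x * to_int32(x * x))     # x *= x*x;  (x*x wraps, then x*(x*x) wraps)
    rhs = y                               # y*y*y*y*y*y, left to right, each product wrapped
    for _ in range(5):
        rhs = to_int32(rhs * y)
    return x, x == rhs


def weak_pre(y: int) -> bool:
    """Slide 6's initial assertion: y >= 0."""
    return y >= 0


def strong_pre(y: int) -> bool:
    """Slide 7's initial assertion: y >= 0 and y^6 fits in an int."""
    return y >= 0 and y**6 <= INT_MAX


def post(y: int, x: int) -> bool:
    """The final assertion q, read over mathematical integers."""
    return x == y**6


def failing_inputs(pre, inputs) -> list[int]:
    """Inputs that satisfy `pre` but for which the segment violates q."""
    return [y for y in inputs if pre(y) and not post(y, run_segment(y)[0])]


if __name__ == "__main__":
    ys = range(0, 100)                    # constructed sample inputs
    print("weak precondition, q fails for:", failing_inputs(weak_pre, ys))
    print("strong precondition, q fails for:", failing_inputs(strong_pre, ys))
    x, java_ok = run_segment(36)
    print(f"y=36: x={x}, Java assert holds={java_ok}, q holds={post(36, x)}")
```

With the weak precondition every y from 36 upward violates q (36^6 exceeds Integer.MAX_VALUE), yet the Java assert still evaluates to true for those inputs because both sides wrap identically; with the strengthened precondition no input in range violates q.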

8 Rules of Inference
Let segment S be segment S1 followed by segment S2, written S = S1;S2.
Composition inference rule:
( p{S1}q ∧ q{S2}r ) → p{S1;S2}r
“If p is true and S1 & S2 terminate, then r is true.”

9 Conditional Statements
Suppose we have a segment of the form:
    if ( condition ) S
where condition is boolean & S is a segment. Let p & q be initial & final assertions.
( p ∧ condition ){S}q
( p ∧ ¬condition ) → q
__________________
p{ if ( condition ) S }q
The second premise covers the path on which S is skipped: when condition is false, q must already follow from p alone.

10 Suppose we have a segment of the form:
    if ( condition ) S1 else S2
( p ∧ condition ){S1}q
( p ∧ ¬condition ){S2}q
_______________________
p{ if ( condition ) S1 else S2 }q

11 Loop Invariants
Suppose we have a segment of the form:
    while ( condition ) S
If assertion p holds before each execution of S and still holds after S terminates, p is a loop invariant.
Let p be a loop invariant.
( p ∧ condition ){S}p
______________________________
p{ while ( condition ) S }( ¬condition ∧ p )
N.B. This rule yields partial correctness only; it says nothing about whether the loop ever exits. Termination is shown separately, usually by exhibiting a non-negative integer quantity that strictly decreases on every iteration.

12 Java-style procedure, with the assertions of the proof written in:
    int multiply( int m, int n ) {            // assume int is unbounded
        boolean p = true, q = false, r = false, s = false, t = false;
        assert p;                              // p represents: int m, n;
        int a = ( n < 0 ) ? -n : n;
        assert q = ( p && a == Math.abs( n ) );
        int k = 0, x = 0;
        assert r = ( q && k == 0 && x == 0 );
        while ( k < a ) {
            x += m;
            k++;
            assert k <= a && x == m*k;         // loop invariant
        }
        assert s = ( x == m*a && a == Math.abs( n ) );
        int product = ( n < 0 ) ? -x : x;
        assert t = ( product == n*m );
        return product;
    }
(The “assert q = ( ... )” form assigns the boolean and asserts it in one step. The unbounded-int assumption matters already on the second statement: with a bounded Java int, -n overflows for n == Integer.MIN_VALUE and Math.abs( n ) returns a negative value.)

13 Correctness Proof Framework
1. Show that p{S1}q, q{S2}r, r{S3}s, s{S4}t, where S1, S2, S3, S4 are the four segments of multiply between successive assertions (S3, the loop, uses the loop-invariant rule).
2. Conclude, by the composition rule, that p{S1;S2;S3;S4}t.
3. Show that all program segments terminate: the straight-line segments trivially do, and the loop does because a - k is a non-negative integer that decreases by 1 on every iteration.
4. Conclude that the program is correct.
Again, we omitted overflow considerations.
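The framework above can be checked at run time. This added example is my own code, not the slides': Python's unbounded int matches the slide's “assume int is unbounded”; multiply reproduces the slide's procedure with its assertions q through t, and the helpers verified_while, step, invariant, variant and off_by_one_caught are my own. verified_while applies the loop-invariant rule from slide 11 together with the termination measure a - k from step 3 on every iteration, and off_by_one_caught shows the invariant check rejecting a loop guard mistyped as k <= a.

```python
from typing import Any, Callable, Dict

State = Dict[str, Any]


def verified_while(state: State,
                   cond: Callable[[State], bool],
                   body: Callable[[State], None],
                   invariant: Callable[[State], bool],
                   variant: Callable[[State], int]) -> State:
    """Run `while cond: body` while checking the loop rule at run time.

    Premise (p and cond){S}p : `invariant` holds on entry and after every body run.
    Termination: `variant` is a non-negative integer that strictly decreases.
    Conclusion on exit: not cond and invariant.
    """
    assert invariant(state), "invariant false on loop entry"
    v = variant(state)
    assert v >= 0, "variant negative on loop entry"
    while cond(state):
        body(state)
        assert invariant(state), "loop body broke the invariant"
        v_new = variant(state)
        assert 0 <= v_new < v, "variant did not strictly decrease"
        v = v_new
    assert not cond(state) and invariant(state)
    return state


def step(s: State) -> None:
    """Loop body from the slide: x += m; k++;"""
    s["x"] += s["m"]
    s["k"] += 1


def invariant(s: State) -> bool:
    """Slide 12's loop invariant k <= a && x == m*k (0 <= k added; it holds trivially)."""
    return 0 <= s["k"] <= s["a"] and s["x"] == s["m"] * s["k"]


def variant(s: State) -> int:
    """Termination measure from step 3: a - k."""
    return s["a"] - s["k"]


def multiply(m: int, n: int) -> int:
    """The slide's multiply() with assertions q..t; the loop runs under verified_while."""
    # p: m and n are ints; Python ints are unbounded, as the slide assumes.
    a = -n if n < 0 else n
    assert a == abs(n)                                   # q
    st: State = {"m": m, "a": a, "k": 0, "x": 0}
    assert st["k"] == 0 and st["x"] == 0                 # r
    verified_while(st, cond=lambda s: s["k"] < s["a"],
                   body=step, invariant=invariant, variant=variant)
    x = st["x"]
    assert x == m * a and a == abs(n)                    # s
    product = -x if n < 0 else x
    assert product == n * m                              # t
    return product


def off_by_one_caught(m: int, n: int) -> bool:
    """Same loop with the guard mistyped as k <= a (one iteration too many).

    Returns True if the run-time invariant check rejects it, which it must:
    after the extra iteration k == a + 1, so k <= a is violated.
    """
    st: State = {"m": m, "a": abs(n), "k": 0, "x": 0}
    try:
        verified_while(st, cond=lambda s: s["k"] <= s["a"],
                       body=step, invariant=invariant, variant=variant)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    for m, n in [(3, 4), (-3, 4), (3, -4), (0, -5), (2**70, -3)]:   # constructed inputs
        print(f"multiply({m}, {n}) = {multiply(m, n)}")
    print("off-by-one guard caught:", off_by_one_caught(3, 4))
```

Run it without -O, since that flag strips assert statements. The run-time checks only confirm the proof obligations on the inputs you try; the slide's argument is what establishes them for every input.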


