Predicate Transforms II

Post on 07-Jan-2016


Predicate Transforms II

Prepared by Stephen M. Thebaut, Ph.D.
University of Florida

Software Testing and Verification
Lecture Notes 20

Predicate Transforms II

• Transform rules for while loops:
    Weakest pre-conditions (wp's)
    Weakest liberal pre-conditions (wlp's)
    Relationships between wp's and wlp's with loop invariants
    Strongest post-conditions (sp's)

• On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)


wp Rule for while_do Statement

• In order for the program while b do S to terminate in state Q, it is necessary that:

    0. b is initially false and Q holds, OR
    1. b is initially true and after executing S, ¬b and Q hold, OR
    2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR
    .
    .
    .

wp Rule for while_do Statement (cont'd)

Thus, we can write

    wp(while b do S, Q) ≡ H0 ∨ H1 ∨ H2 ∨ …

where
    H0 ≡ ¬b ∧ Q
    H1 ≡ b ∧ wp(S, ¬b ∧ Q)
    H2 ≡ b ∧ wp(S, b ∧ wp(S, ¬b ∧ Q))
    .
    .
    .

wp Rule for while_do Statement (cont'd)

Equivalently, we can write

    wp(while b do S, Q) ≡ H0 ∨ H1 ∨ H2 ∨ …

where
    H0 ≡ ¬b ∧ Q
    H1 ≡ b ∧ wp(S, H0)
    H2 ≡ b ∧ wp(S, H1)
    …
    Hi ≡ b ∧ wp(S, H(i-1))
    …

Something to think about…

• How do these terms compare to the (infinite) set of necessary conditions derived for the while_do ROI?

FLASHBACK to Lecture Notes #18…

So, we know that {P} while b do S {Q} will hold if the following conditions hold:

    Case 0: (P ∧ ¬b) ⇒ Q
    Case 1: {P ∧ b} S {K1}, (K1 ∧ ¬b) ⇒ Q
    Case 2: {K1 ∧ b} S {K2}, (K2 ∧ ¬b) ⇒ Q
    …
    Case N: {K(N-1) ∧ b} S {KN}, (KN ∧ ¬b) ⇒ Q
    …

Something to think about… (cont'd)

• What is the relationship between wp(while b do S, Q) and an invariant, I, for which initialization, preservation, and finalization hold?

We'll come back to this question later...

Example

• For what initial values of i, n, and t will the following program terminate with t=x^n?

    while i <= n do
      t := t*x
      i := i+1
    end_while

How about i=1, t=1, and n=2? Can you think of any others? For example...

    {i=1 ∧ t=1 ∧ n≥1}?
    {i=3 ∧ t=x ∧ n=1}?
    {i=2 ∧ t=x ∧ n=5}?

Example (cont'd)

• Find the wp of this program with respect to the post-condition {t=x^n}. (Attempt to find a regularity in the terms that allows a closed-form expression.)

Example (cont'd)

    while i <= n do
      t := t*x
      i := i+1
    end_while

H0 ≡ ¬b ∧ Q
   = i>n ∧ t=x^n

H1 ≡ b ∧ wp(S, H0)
   = i≤n ∧ wp(S, i>n ∧ t=x^n)
   = i≤n ∧ i+1>n ∧ t·x=x^n
   = i=n ∧ t=x^(n-1)

H2 ≡ b ∧ wp(S, H1)
   = i≤n ∧ wp(S, i=n ∧ t=x^(n-1))
   = i≤n ∧ i+1=n ∧ t·x=x^(n-1)
   = i=n-1 ∧ t=x^(n-2)

H3 ≡ b ∧ wp(S, H2)
   = i≤n ∧ wp(S, i=n-1 ∧ t=x^(n-2))
   = i≤n ∧ i+1=n-1 ∧ t·x=x^(n-2)
   = i=n-2 ∧ t=x^(n-3)

. . .

Hk ≡ b ∧ wp(S, H(k-1))
   = i=n-(k-1) ∧ t=x^(n-k)
   = i=n-k+1 ∧ t=x^(n-k)

Example (cont'd)

Thus, we have:

    H0 = i>n ∧ t=x^n
    Hk = i=n-k+1 ∧ t=x^(n-k)   (for all k>0)

and since i=n-k+1 ⇒ n-k=i-1,

    H1 ∨ H2 ∨ … = i≤n ∧ t=x^(i-1)   (where i≤n, since i=n-k+1 for all k>0)

Therefore, wp ≡ H0 ∨ H1 ∨ H2 ∨ ...

    = (i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))

Example (cont'd)

• So, given that the wp is

    (i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))

which of the following initial states will result in the program terminating with t=x^n?

    {i=1 ∧ t=1 ∧ n≥1}?
        (1>(1,2,…) ∧ 1=x^(1,2,…)) ∨ (1≤(1,2,…) ∧ 1=x^(1-1))   √

    {i=3 ∧ t=x ∧ n=1}?
        (3>1 ∧ x=x^1) ∨ (3≤1 ∧ x=x^(3-1))   √

    {i=2 ∧ t=x ∧ n=5}?
        (2>5 ∧ x=x^5) ∨ (2≤5 ∧ x=x^(2-1))   √
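As an added example (not code from the lecture notes), the following Python checks the closed-form wp derived above against what the loop actually does on a constructed grid of states; the sample values of x and the grid are my choices. It also probes the one algebraic step the derivation takes for granted: cancelling x in t·x = x^(n-1) assumes x ≠ 0.

```python
from fractions import Fraction
from itertools import product

# Added example (not code from the lecture notes): check the closed-form wp
#   (i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))
# against the real behaviour of
#   while i <= n do t := t*x; i := i+1 end_while
# on a constructed grid of states.  The loop always terminates for integer i
# and n, so the closed form is exact iff: state satisfies it  <=>  running the
# loop from that state ends with t = x^n.

def power(x, k):
    """x^k as an exact Fraction; None (undefined) for 0 raised to a negative power."""
    if x == 0 and k < 0:
        return None
    return Fraction(x) ** k

def run_loop(i, n, t, x):
    """Execute the program and return the final value of t."""
    while i <= n:
        t = t * x
        i = i + 1
    return t

def wp_closed_form(i, n, t, x):
    """The closed-form weakest pre-condition from the notes."""
    return (i > n and t == power(x, n)) or (i <= n and t == power(x, i - 1))

def wp_is_exact(i, n, t, x):
    """True when the closed form and the observed behaviour agree on this state."""
    return wp_closed_form(i, n, t, x) == (run_loop(i, n, t, x) == power(x, n))

def mismatches(xs, i_range=range(-2, 5), n_range=range(-2, 5)):
    """States where the closed form mis-predicts 'terminates with t = x^n'.
    t ranges over powers of x plus one unrelated value (7); Fractions keep
    negative exponents (x^(i-1) with i <= 0) exact."""
    bad = []
    for x in xs:
        x = Fraction(x)
        ts = [p for p in (power(x, k) for k in range(-3, 6)) if p is not None]
        ts.append(Fraction(7))
        for i, n, t in product(i_range, n_range, ts):
            if not wp_is_exact(i, n, t, x):
                bad.append((i, n, t, x))
    return bad

def slide_states_satisfy_wp(x=2):
    """The candidate states on the slide ({i=1 ∧ t=1 ∧ n≥1} sampled at n=1,2,3)
    plus the addendum state {i=1 ∧ t=1 ∧ n=0}, evaluated at a constructed x."""
    states = [(1, n, 1) for n in (1, 2, 3)] + [(3, 1, x), (2, 5, x), (1, 0, 1)]
    return all(wp_closed_form(i, n, t, x) for i, n, t in states)
```

For x ≠ 0 the mismatch list is empty; for x = 0 it is not, so the closed form is exact only under that assumption.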

Addendum (based on a question raised in class)

• Another example… given that the wp is

    (i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))

will the following initial state values result in the program terminating with t=x^n?

    {i=1 ∧ t=1 ∧ n=0}
        (1>0 ∧ 1=x^0) ∨ (1≤0 ∧ 1=x^(1-1))   √


wlp Rule for while_do Statement

• In order for the program while b do S to either terminate in state Q, or not terminate at all, it is necessary that:

    1. Q will hold on program termination, OR
    2. the program will not terminate.

Therefore, wlp(while b do S, Q) ≡ wp(while b do S, Q) ∨ ¬wp(while b do S, true)

(Note: wp(M, true) is the weakest pre-condition ensuring termination of program M.)

Example

• Use the wlp rule for while_do statements to determine the weakest liberal pre-condition for the following program with respect to post-condition t=x^5.

    while i<>3 do
      t := t*x
      i := i+1
    end_while

Step 1: determine wp with respect to Q

    while i<>3 do
      t := t*x
      i := i+1
    end_while

H0 ≡ ¬b ∧ Q
   = i=3 ∧ t=x^5

H1 ≡ b ∧ wp(S, H0)
   = i≠3 ∧ wp(S, i=3 ∧ t=x^5)
   = i≠3 ∧ i+1=3 ∧ t·x=x^5
   = i=2 ∧ t=x^4

. . .

Hk ≡ b ∧ wp(S, H(k-1))
   = i=3-k ∧ t=x^(5-k)

. . .

Thus, we have:

    H0 = i=3 ∧ t=x^5
    Hk = i=3-k ∧ t=x^(5-k)   (for all k>0)

and since i=3-k ⇒ 5-k=i+2,

    H1 ∨ H2 ∨ … = i<3 ∧ t=x^(i+2)   (where i<3, since i=3-k for all k>0)

Therefore, the wp w.r.t. Q, H0 ∨ H1 ∨ H2 ∨ ..., is:

    i≤3 ∧ t=x^(i+2)

Step 2: determine wp with respect to true

    while i<>3 do
      t := t*x
      i := i+1
    end_while

H0 ≡ ¬b ∧ true
   = i=3

H1 ≡ b ∧ wp(S, H0)
   = i≠3 ∧ wp(S, i=3)
   = i≠3 ∧ i+1=3
   = i=2

. . .

Hk ≡ b ∧ wp(S, H(k-1))
   = i=3-k

. . .

Thus, we have:

    H0 = i=3
    Hk = i=3-k   (for all k>0)

    H1 ∨ H2 ∨ … = i<3

Therefore, the wp w.r.t. true, H0 ∨ H1 ∨ H2 ∨ ..., is:

    i≤3

Step 3: combine wp's into one disjunct

Thus, wlp(while i<>3 do t := t*x; i := i+1, t=x^5) =

    (i≤3 ∧ t=x^(i+2)) ∨ i>3

Exercise: In light of this, for which of the following initial states is the program weakly correct with respect to t=x^5?

    {i=1 ∧ t=1 ∧ x=1}?
    {i=2 ∧ t=x ∧ x=2}?
    {i=5 ∧ t=8 ∧ x=3}?
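As an added example (not from the notes), this Python encodes Steps 1 to 3 for the loop above and checks the resulting wlp against what the loop actually does on a constructed grid of states, deciding divergence exactly rather than with a step bound; the grid and the sample values of x are my choices.

```python
from fractions import Fraction
from itertools import product

# Added example (not code from the lecture notes): check the derived
#   wlp(while i<>3 do t := t*x; i := i+1, t=x^5) = (i≤3 ∧ t=x^(i+2)) ∨ i>3
# against observed behaviour.  i only ever increases, so for integer i the
# loop terminates iff i ≤ 3 initially; that decides divergence exactly.

def run_loop(i, t, x):
    """Execute the loop; return the final t, or None if it would never terminate."""
    if i > 3:                      # the guard i<>3 can never become false
        return None
    while i != 3:
        t = t * x
        i = i + 1
    return t

def wp_Q(i, t, x):
    """Step 1 of the notes: wp w.r.t. Q = (t=x^5)."""
    return i <= 3 and t == Fraction(x) ** (i + 2)

def wp_true(i, t, x):
    """Step 2 of the notes: wp w.r.t. true (termination alone)."""
    return i <= 3

def wlp(i, t, x):
    """Step 3: wlp = wp(Q) ∨ ¬wp(true), i.e. (i≤3 ∧ t=x^(i+2)) ∨ i>3."""
    return wp_Q(i, t, x) or not wp_true(i, t, x)

def weakly_correct(i, t, x):
    """Weak correctness observed directly: diverge, or terminate with t = x^5."""
    final = run_loop(i, t, x)
    return final is None or final == Fraction(x) ** 5

def mismatches(xs=(2, -3, Fraction(1, 2))):
    """States (constructed grid) on which the closed-form wlp disagrees with
    observed weak correctness.  x = 0 is excluded: cancelling x in the
    derivation assumes x ≠ 0."""
    bad = []
    for x in xs:
        x = Fraction(x)
        ts = [x ** k for k in range(-1, 8)] + [Fraction(7)]
        for i, t in product(range(-3, 7), ts):
            if wlp(i, t, x) != weakly_correct(i, t, x):
                bad.append((i, t, x))
    return bad

def exercise_states():
    """Evaluate the wlp on the three exercise states; returns name -> weakly correct?"""
    states = {"i=1,t=1,x=1": (1, 1, 1),
              "i=2,t=x,x=2": (2, 2, 2),
              "i=5,t=8,x=3": (5, 8, 3)}
    return {name: wlp(i, t, x) for name, (i, t, x) in states.items()}
```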


Loop Invariants and w(l)p's

• In general, are loops guaranteed to terminate when:
    P ⇒ wp?   yes
    P ⇒ wlp?  no

• For while loops, does {w(l)p ∧ b} S {w(l)p}?   yes

• Does (w(l)p ∧ ¬b) ⇒ Q?   yes

Preservation:

    {wp ∧ b} = {[H0 ∨ H1 ∨ …] ∧ b}
             = {[(¬b ∧ Q) ∨ (b ∧ wp(S, H0)) ∨ (b ∧ wp(S, H1)) ∨ …] ∧ b}
             = {(b ∧ wp(S, H0)) ∨ (b ∧ wp(S, H1)) ∨ …}
             = {H1 ∨ H2 ∨ …}
    S
    {H0 ∨ H1 ∨ …} = {wp}

Similarly, it can be shown that {wlp ∧ b} S {wlp}.

Finalization:

    {wp ∧ ¬b} = {[(¬b ∧ Q) ∨ (b ∧ wp(S, H0)) ∨ (b ∧ wp(S, H1)) ∨ …] ∧ ¬b}
              = {¬b ∧ Q}
              ⇒ Q

Similarly, it is easy to show that {wlp ∧ ¬b} ⇒ Q.

_________________________

wp ≡ weakest while loop invariant which guarantees termination!

wlp ≡ weakest while loop invariant which does NOT guarantee termination!
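Added example (not part of the lecture notes): the three invariant properties just discussed, checked on concrete states for the wp and wlp of the while i<>3 loop from the earlier example, next to a constructed candidate that is too weak to be an invariant; the state grid is an assumption of mine.

```python
from fractions import Fraction
from itertools import product

# Added example (not code from the notes): on a constructed grid of states,
# check preservation {I ∧ b} S {I} and finalization (I ∧ ¬b) ⇒ Q for the
# wp and wlp of  while i<>3 do t := t*x; i := i+1 end_while  w.r.t. Q = (t=x^5),
# and show that only wp also guarantees termination.  The closed forms are the
# ones derived in Steps 1-3; "too_weak" is a constructed non-invariant.

def guard(i, t, x):          # b : i <> 3
    return i != 3

def body(i, t, x):           # S : t := t*x; i := i+1
    return (i + 1, t * x, x)

def post(i, t, x):           # Q : t = x^5
    return t == x ** 5

def wp(i, t, x):             # i≤3 ∧ t=x^(i+2)
    return i <= 3 and t == x ** (i + 2)

def wlp(i, t, x):            # (i≤3 ∧ t=x^(i+2)) ∨ i>3
    return wp(i, t, x) or i > 3

def too_weak(i, t, x):       # constructed candidate: forgets how t relates to i
    return i <= 3

def state_grid(xs=(2, -3)):
    """Constructed sample: integer i, t over powers of x plus a stray value."""
    for x in xs:
        x = Fraction(x)
        ts = [x ** k for k in range(-1, 8)] + [Fraction(7)]
        for i, t in product(range(-3, 7), ts):
            yield (i, t, x)

def preserved(inv, states=None):
    """{inv ∧ b} S {inv} holds on every sampled state."""
    states = list(states or state_grid())
    return all(inv(*body(*s)) for s in states if inv(*s) and guard(*s))

def finalizes(inv, states=None):
    """(inv ∧ ¬b) ⇒ Q on every sampled state."""
    states = list(states or state_grid())
    return all(post(*s) for s in states if inv(*s) and not guard(*s))

def terminates(i, t, x):
    """For integer i the loop ends iff i ≤ 3 (i only increases)."""
    return i <= 3

def guarantees_termination(inv, states=None):
    """Every sampled state satisfying inv is one from which the loop terminates."""
    states = list(states or state_grid())
    return all(terminates(*s) for s in states if inv(*s))

def invariant_report():
    """name -> (preserved, finalizes, guarantees termination) for each candidate."""
    return {name: (preserved(f), finalizes(f), guarantees_termination(f))
            for name, f in (("wp", wp), ("wlp", wlp), ("too_weak", too_weak))}
```

wp and wlp both preserve and finalize; only wp restricts the initial states to ones from which the loop terminates, and the too-weak candidate fails finalization because it admits i=3 with an arbitrary t.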


sp Rule for while_do Statement

• What is the strongest condition on the final state of program while b do S given that P holds initially? (Note that the post-condition is undefined when the program does not terminate.)

• Recall our derivation of the while loop Rule of Inference from Lecture Notes #18 (Axiomatic Verification II).

(flashback follows...)

Necessary Conditions: while_do

So, we know that {P} while b do S {Q} will hold if the following conditions hold:

    Case 0: (P ∧ ¬b) ⇒ Q
    Case 1: {P ∧ b} S {K1}, (K1 ∧ ¬b) ⇒ Q
    Case 2: {K1 ∧ b} S {K2}, (K2 ∧ ¬b) ⇒ Q
    …
    Case N: {K(N-1) ∧ b} S {KN}, (KN ∧ ¬b) ⇒ Q
    …

Great! But who has the time to show that an infinite number of conditions hold?

sp Rule for while_do Statement

• In order to eliminate the infinite sequence of necessary conditions, we replaced each Ki with I (a loop invariant).

• But for i≥1, Ki is just the strongest post-condition of S with respect to (K(i-1) ∧ b), where K0 = P.

sp Rule for while_do Statement

Thus, if the loop terminates,

    sp(while b do S, P) = ¬b ∧ (K0 ∨ K1 ∨ K2 ∨ ...)

where
    K0 ≡ P
    K1 ≡ sp(S, b ∧ P)
    K2 ≡ sp(S, b ∧ sp(S, b ∧ P))
    K3 ≡ sp(S, b ∧ sp(S, b ∧ sp(S, b ∧ P)))
    .
    .
    .

Equivalently, we can write: on termination,

    sp(while b do S, P) = ¬b ∧ (K0 ∨ K1 ∨ K2 ∨ ...)

where
    K0 ≡ P
    K1 ≡ sp(S, b ∧ K0)
    K2 ≡ sp(S, b ∧ K1)
    …
    KN ≡ sp(S, b ∧ K(N-1))
    …

Example

Use the Strongest Post-condition ROI to prove:

    {true}
    Z := X
    J := 1
    while J<>Y do
      Z := Z+X
      J := J+1
    end_while
    {Z=XY}

We need to show:

    sp(T, Z=X ∧ J=1) ⇒ Z=XY

where T is:

    while J<>Y do
      Z := Z+X
      J := J+1
    end_while

if T terminates.

Example (cont'd)

    {true} Z := X; J := 1; while J<>Y do Z := Z+X; J := J+1 end_while {Z=XY}

K0 ≡ P
   = Z=X ∧ J=1

K1 ≡ sp(S, b ∧ K0)
   = Z=Z'+X ∧ J=J'+1 ∧ J'≠Y ∧ Z'=X ∧ J'=1
   = Z=2X ∧ J=2 ∧ Y≠1

K2 ≡ sp(S, b ∧ K1)
   = Z=Z'+X ∧ J=J'+1 ∧ J'≠Y ∧ Z'=2X ∧ J'=2 ∧ Y≠1
   = Z=3X ∧ J=3 ∧ Y≠1 ∧ Y≠2

K3 ≡ sp(S, b ∧ K2)
   = Z=4X ∧ J=4 ∧ Y≠1 ∧ Y≠2 ∧ Y≠3

. . .

KN ≡ sp(S, b ∧ K(N-1))
   = Z=(N+1)X ∧ J=N+1 ∧ Y≠1 ∧ Y≠2 ∧ ... ∧ Y≠N

. . .

Example (cont'd)

Thus, when T terminates (i.e., when Y≥1),

    sp(T, Z=X ∧ J=1)
      = J=Y ∧ [(Z=X ∧ J=1) ∨ (Z=2X ∧ J=2 ∧ Y≠1) ∨ (Z=3X ∧ J=3 ∧ Y≠1 ∧ Y≠2) ∨ ...]
      ⇒ [(Z=XY ∧ Y=1) ∨ (Z=XY ∧ Y=2) ∨ ...]
      ⇒ (Z=XY ∧ Y≥1)
      ⇒ Q (i.e., Z=XY)

Example (cont'd)

When T does NOT terminate (i.e., when Y<1),

    sp(T, Z=X ∧ J=1) is undefined

Therefore, by the Strongest Post-Condition ROI, the assertion of weak correctness holds.
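Added example (not from the notes): the K_N terms of the sp rule computed as forward images of S over a finite, constructed set of initial states of T, checked against the closed form read off above and against the conclusion Z=XY on the terminating states; the sampled ranges of X and Y are my choices.

```python
from itertools import product

# Added example (not code from the lecture notes): compute the K_N terms of
#   sp(T, P) = ¬b ∧ (K0 ∨ K1 ∨ …),  K_N = sp(S, b ∧ K_{N-1}),  K0 = P
# for  T: while J<>Y do Z := Z+X; J := J+1 end_while  and  P: Z=X ∧ J=1,
# as images of S over a finite constructed set of states (X and Y are fixed
# per state), then compare with the closed form  Z=(N+1)X ∧ J=N+1 ∧ Y∉{1..N}.

XS = range(1, 5)            # constructed sample values for X
YS = range(-1, 5)           # Y < 1 makes T diverge; Y >= 1 makes it terminate

def guard(s):               # b : J <> Y
    return s["J"] != s["Y"]

def body(s):                # S : Z := Z+X; J := J+1
    return {**s, "Z": s["Z"] + s["X"], "J": s["J"] + 1}

def key(s):
    return (s["X"], s["Y"], s["Z"], s["J"])

def k0():
    """K0 ≡ P = (Z=X ∧ J=1), over the sampled X and Y."""
    return {key({"X": x, "Y": y, "Z": x, "J": 1}) for x, y in product(XS, YS)}

def sp_step(states):
    """K_N = sp(S, b ∧ K_{N-1}): image of S over the states of K_{N-1} satisfying b."""
    out = set()
    for x, y, z, j in states:
        s = {"X": x, "Y": y, "Z": z, "J": j}
        if guard(s):
            out.add(key(body(s)))
    return out

def k_terms(n_max):
    """[K0, K1, ..., K_n_max] as sets of (X, Y, Z, J)."""
    ks = [k0()]
    for _ in range(n_max):
        ks.append(sp_step(ks[-1]))
    return ks

def closed_form_k(n):
    """The pattern read off in the notes: Z=(N+1)X ∧ J=N+1 ∧ Y≠1 ∧ … ∧ Y≠N."""
    return {(x, y, (n + 1) * x, n + 1) for x, y in product(XS, YS)
            if all(y != m for m in range(1, n + 1))}

def closed_form_matches(n_max=6):
    """Image computation and closed form agree for K0 .. K_n_max."""
    ks = k_terms(n_max)
    return all(ks[n] == closed_form_k(n) for n in range(n_max + 1))

def sp_states(n_max=6):
    """sp(T, P) = ¬b ∧ (K0 ∨ K1 ∨ …), truncated at K_n_max (enough here:
    every terminating Y in the sample is at most 4, so it is reached by K3)."""
    union = set().union(*k_terms(n_max))
    return {s for s in union if s[3] == s[1]}         # ¬b : J = Y

def sp_implies_post(n_max=6):
    """Every reachable final state satisfies Q: Z = X*Y."""
    return all(z == x * y for x, y, z, j in sp_states(n_max))

def diverging_ys(n_max=6):
    """Sampled Y values that never reach ¬b: these are the Y < 1 cases."""
    reached = {y for _, y, _, _ in sp_states(n_max)}
    return sorted(set(YS) - reached)
```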


On the power of axiomatic verification and the relative usefulness of predicate transforms

• Hoare Logic is a deductive system that is both SOUND and RELATIVELY COMPLETE (i.e., COMPLETE to the extent that we can decide the validity of assertions in ROI’s) for deriving proofs of Hoare triples.

• Predicate transforms operationalize this system by providing a way to produce valid correctness specifications.

• Weakest pre-conditions (wp’s) are typically easier to use in this respect than either wlp’s or sp’s when dealing with loops.

Problem Set 6: Predicate Transforms

Note especially Problem 6: deriving and using the weakest pre-condition for the repeat_until construct.
