Predicate Transforms II
Prepared by
Stephen M. Thebaut, Ph.D.University of Florida
Software Testing and Verification
Lecture Notes 20
Predicate Transforms II
• Transform rules for while loops:
Weakest pre-conditions (wp’s)
Weakest liberal pre-conditions (wlp’s)
Relationships between wp’s and wlp’s with loop invariants
Strongest post-conditions (sp’s)
• On the power of axiomatic verification and the relative usefulness of predicate transforms (when dealing with loops)
wp Rule for while_do Statement
• In order for the program while b do S to terminate in state Q, it is necessary that:
0. b is initially false and Q holds, OR
1. b is initially true and after executing S, ¬b and Q hold, OR
2. b is initially true and after executing S, b is still true, and after executing S a second time, ¬b and Q hold, OR
. . .
wp Rule for while_do Statement (cont’d)
Thus, we can write
wp(while b do S, Q) ≡ H0 ∨ H1 ∨ H2 ∨ …
where
H0 ≡ ¬b ∧ Q
H1 ≡ b ∧ wp(S, ¬b ∧ Q)
H2 ≡ b ∧ wp(S, b ∧ wp(S, ¬b ∧ Q))
. . .
wp Rule for while_do Statement (cont’d)
Equivalently, we can write
wp(while b do S, Q) ≡ H0 ∨ H1 ∨ H2 ∨ …
where
H0 ≡ ¬b ∧ Q
H1 ≡ b ∧ wp(S, H0)
H2 ≡ b ∧ wp(S, H1)
…
Hi ≡ b ∧ wp(S, H_{i-1})
…
Something to think about…
• How do these terms compare to the (infinite) set of necessary conditions derived for the while_do ROI?
FLASHBACK to Lecture Notes #18…
So, we know that {P} while b do S {Q} will hold if the following conditions hold:
Case 0: (P ∧ ¬b) ⇒ Q
Case 1: {P ∧ b} S {K1}, (K1 ∧ ¬b) ⇒ Q
Case 2: {K1 ∧ b} S {K2}, (K2 ∧ ¬b) ⇒ Q
…
Case N: {K_{N-1} ∧ b} S {KN}, (KN ∧ ¬b) ⇒ Q
…
Something to think about… (cont'd)
• What is the relationship between
wp(while b do S, Q)
and an invariant, I, for which initialization, preservation, and finalization hold?
We'll come back to this question later...
Example
• For what initial values of i, n, and t will the following program terminate with t=x^n?
while i <= n do
  t := t*x
  i := i+1
end_while
How about i=1, t=1, and n=2? Can you think of any others? For example...
{i=1 ∧ t=1 ∧ n≥1}? {i=3 ∧ t=x ∧ n=1}? {i=2 ∧ t=x ∧ n=5}?
Example (cont’d)
• Find the wp of this program with respect to the post-condition {t=x^n}. (Attempt to find a regularity in the terms that allows a closed-form expression.)
Example (cont’d)
while i <= n do t := t*x; i := i+1 end_while
H0 ≡ ¬b ∧ Q
   = i>n ∧ t=x^n
H1 ≡ b ∧ wp(S, H0)
   = i≤n ∧ wp(S, i>n ∧ t=x^n)
   = i≤n ∧ i+1>n ∧ t·x=x^n
   = i=n ∧ t=x^(n-1)
H2 ≡ b ∧ wp(S, H1)
   = i≤n ∧ wp(S, i=n ∧ t=x^(n-1))
   = i≤n ∧ i+1=n ∧ t·x=x^(n-1)
   = i=n-1 ∧ t=x^(n-2)
Example (cont’d)
while i <= n do t := t*x; i := i+1 end_while
H3 ≡ b ∧ wp(S, H2)
   = i≤n ∧ wp(S, i=n-1 ∧ t=x^(n-2))
   = i≤n ∧ i+1=n-1 ∧ t·x=x^(n-2)
   = i=n-2 ∧ t=x^(n-3)
. . .
Hk ≡ b ∧ wp(S, H_{k-1})
   = i=n-(k-1) ∧ t=x^(n-k)
   = i=n-k+1 ∧ t=x^(n-k)
Example (cont’d)
Thus, we have:
H0 = i>n ∧ t=x^n
Hk = i=n-k+1 ∧ t=x^(n-k) (for all k>0)
and since i=n-k+1 ⇒ n-k=i-1,
Hk = i≤n ∧ t=x^(i-1) (where i≤n for all k>0)
Therefore, wp ≡ H0 ∨ H1 ∨ H2 ∨ ...
   = (i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))
Example (cont’d)
• So, given that the wp is
(i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))
which of the following initial states will result in the program terminating with t=x^n?
{i=1 ∧ t=1 ∧ n≥1}? (1>(1,2,…) ∧ 1=x^(1,2,…)) ∨ (1≤(1,2,…) ∧ 1=x^(1-1)) √
{i=3 ∧ t=x ∧ n=1}? (3>1 ∧ x=x^1) ∨ (3≤1 ∧ x=x^(3-1)) √
{i=2 ∧ t=x ∧ n=5}? (2>5 ∧ x=x^5) ∨ (2≤5 ∧ x=x^(2-1)) √
Addendum (based on a question raised in class)
• Another example… given that the wp is
(i>n ∧ t=x^n) ∨ (i≤n ∧ t=x^(i-1))
will the following initial state values result in the program terminating with t=x^n?
{i=1 ∧ t=1 ∧ n=0}
(1>0 ∧ 1=x^0) ∨ (1≤0 ∧ 1=x^(1-1)) √
wlp Rule for while_do Statement
• In order for the program while b do S to either terminate in state Q, or not terminate at all, it is necessary that:
1. Q will hold on program termination, OR
2. the program will not terminate.
Therefore, wlp(while b do S, Q) ≡
wp(while b do S, Q) ∨ ¬wp(while b do S, true)
(Note: wp(M, true) is the weakest pre-condition ensuring termination of program M.)
Example
• Use the wlp rule for while_do statements to determine the weakest liberal pre-condition for the following program with respect to post-condition t=x^5.
while i<>3 do
  t := t*x
  i := i+1
end_while
Step 1: determine wp with respect to Q
while i<>3 do t := t*x; i := i+1 end_while
H0 ≡ ¬b ∧ Q
   = i=3 ∧ t=x^5
H1 ≡ b ∧ wp(S, H0)
   = i≠3 ∧ wp(S, i=3 ∧ t=x^5)
   = i≠3 ∧ i+1=3 ∧ t·x=x^5
   = i=2 ∧ t=x^4
. . .
Hk ≡ b ∧ wp(S, H_{k-1})
   = i=3-k ∧ t=x^(5-k)
. . .
Step 1: determine wp with respect to Q
Thus, we have:
H0 = i=3 ∧ t=x^5
Hk = i=3-k ∧ t=x^(5-k) (for all k>0)
and since i=3-k ⇒ 5-k=i+2,
Hk = i<3 ∧ t=x^(i+2) (where i<3 for all k>0)
Therefore, the wp w.r.t. Q, H0 ∨ H1 ∨ H2 ∨ ..., is:
i≤3 ∧ t=x^(i+2)
Step 2: determine wp with respect to true
while i<>3 do t := t*x; i := i+1 end_while
H0 ≡ ¬b ∧ true
   = i=3
H1 ≡ b ∧ wp(S, H0)
   = i≠3 ∧ wp(S, i=3)
   = i≠3 ∧ i+1=3
   = i=2
. . .
Hk ≡ b ∧ wp(S, H_{k-1})
   = i=3-k
. . .
Step 2: determine wp with respect to true
Thus, we have:
H0 = i=3
Hk = i=3-k (for all k>0)
   = i<3
Therefore, the wp w.r.t. true, H0 ∨ H1 ∨ H2 ∨ ..., is:
i≤3
Step 3: combine wp’s into one disjunct
Thus, wlp(while i<>3 do t := t*x; i := i+1, t=x^5) =
(i≤3 ∧ t=x^(i+2)) ∨ i>3
Exercise: In light of this, for which of the following initial states is the program weakly correct with respect to t=x^5?
{i=1 ∧ t=1 ∧ x=1}? {i=2 ∧ t=x ∧ x=2}? {i=5 ∧ t=8 ∧ x=3}?
Loop Invariants and w(l)p’s
• In general, are loops guaranteed to terminate when:
P ⇒ wp? yes
P ⇒ wlp? no
• For while loops, does {w(l)p ∧ b} S {w(l)p}?
• Does (w(l)p ∧ ¬b) ⇒ Q?
{wp ∧ b}
S
{wp} ???
{wp ∧ b} = {[H0 ∨ H1 ∨ …] ∧ b}
   = {[(¬b ∧ Q) ∨ (b ∧ wp(S, H0)) ∨ (b ∧ wp(S, H1)) ∨ …] ∧ b}
   = {(b ∧ wp(S, H0)) ∨ (b ∧ wp(S, H1)) ∨ …}
   = {H1 ∨ H2 ∨ …}
S
{H0 ∨ H1 ∨ …} = {wp}
Similarly, it can be shown that {wlp ∧ b} S {wlp}.
{wp ∧ ¬b} = {[(¬b ∧ Q) ∨ (b ∧ wp(S, H0)) ∨ (b ∧ wp(S, H1)) ∨ …] ∧ ¬b}
   = {(¬b ∧ Q)} ⇒ Q
Similarly, it is easy to show that (wlp ∧ ¬b) ⇒ Q.
Loop Invariants and w(l)p’s
• In general, are loops guaranteed to terminate when:
P ⇒ wp? yes
P ⇒ wlp? no
• For while loops, does {w(l)p ∧ b} S {w(l)p}? yes
• Does (w(l)p ∧ ¬b) ⇒ Q? yes
_________________________
wp ≡ the weakest while-loop invariant which guarantees termination!
wlp ≡ the weakest while-loop invariant which does NOT guarantee termination!
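A concrete evaluator for the wp and wlp rules, added here as an example (it is not part of the lecture notes): it evaluates the terms H0, H1, … of both while-loop examples above at sample initial states (the three states and the addendum state of the first example, with the constructed value x=2 where the slides leave x free, plus the exercise states from Step 3), compares the results with the closed forms derived in the notes, and checks the preservation property {wp ∧ b} S {wp} from this section on a constructed grid of states. The cutoff K and all function names are this example's own choices.

```python
# Added example (not from the lecture notes): evaluating the wp / wlp rules for
# while loops at concrete states.  Predicates and loop bodies are plain Python
# functions over a state dict.  Since the body S is a deterministic, terminating
# sequence of assignments, wp(S, Q) at state s is just Q evaluated at S(s), so
# every term of wp(while b do S, Q) = H0 v H1 v ... can be evaluated, up to a cutoff K.
from typing import Callable, Dict, Iterable

State = Dict[str, int]
Pred = Callable[[State], bool]
Stmt = Callable[[State], State]


def wp_stmt(S: Stmt, Q: Pred) -> Pred:
    """wp(S, Q) for a deterministic, always-terminating body S: Q holds after S."""
    return lambda s: Q(S(s))


def h_term(k: int, b: Pred, S: Stmt, Q: Pred) -> Pred:
    """The k-th term H_k exactly as defined in the notes (recursive form)."""
    if k == 0:
        return lambda s: (not b(s)) and Q(s)
    prev = h_term(k - 1, b, S, Q)
    return lambda s: b(s) and wp_stmt(S, prev)(s)


def wp_while(b: Pred, S: Stmt, Q: Pred, K: int = 200) -> Pred:
    """wp(while b do S, Q) truncated to H0 v ... v HK (terms beyond K count as
    false, so states needing more than K iterations are under-approximated).
    H_k holds at s iff b holds at s, S(s), ..., S^(k-1)(s) and ~b ^ Q holds at
    S^k(s); only the first k at which the guard fails can contribute, so one
    forward pass over the state evaluates the whole disjunction."""
    def holds(s: State) -> bool:
        cur = dict(s)
        for _ in range(K + 1):
            if not b(cur):        # guard fails for the first time: this is H_k
                return Q(cur)
            cur = S(cur)          # guard held: descend into wp(S, H_(k-1))
        return False              # needs more than K iterations: truncated
    return holds


def wlp_while(b: Pred, S: Stmt, Q: Pred, K: int = 200) -> Pred:
    """wlp(while b do S, Q) = wp(while b do S, Q) v ~wp(while b do S, true)."""
    wp_q, wp_true = wp_while(b, S, Q, K), wp_while(b, S, lambda s: True, K)
    return lambda s: wp_q(s) or not wp_true(s)


def preserved_by_body(inv: Pred, b: Pred, S: Stmt, states: Iterable[State]) -> bool:
    """{inv ^ b} S {inv} on a sample: every state with inv ^ b keeps inv after S."""
    return all(inv(S(s)) for s in states if inv(s) and b(s))


def body(s: State) -> State:
    """S: t := t*x; i := i+1 (the body of both loops in the notes)."""
    return {**s, "t": s["t"] * s["x"], "i": s["i"] + 1}

# First example: while i <= n do S, post-condition t = x^n.
guard_le_n = lambda s: s["i"] <= s["n"]
post_xn = lambda s: s["t"] == s["x"] ** s["n"]
wp_pow = wp_while(guard_le_n, body, post_xn)
# Closed form from the notes: (i>n ^ t=x^n) v (i<=n ^ t=x^(i-1)).  The step from
# t*x = x^n to t = x^(n-1) cancels x, so at x = 0 this is only a sufficient
# condition, not the weakest one.  Integer exponents only: assumes i >= 1.
closed_wp_pow = lambda s: ((s["i"] > s["n"] and s["t"] == s["x"] ** s["n"])
                           or (s["i"] <= s["n"] and s["t"] == s["x"] ** (s["i"] - 1)))

# Second example: while i<>3 do S, post-condition t = x^5; wlp from Step 3:
# (i<=3 ^ t=x^(i+2)) v i>3.  Assumes i >= -2.
guard_ne_3 = lambda s: s["i"] != 3
post_x5 = lambda s: s["t"] == s["x"] ** 5
wlp_x5 = wlp_while(guard_ne_3, body, post_x5)
closed_wlp_x5 = lambda s: (s["i"] <= 3 and s["t"] == s["x"] ** (s["i"] + 2)) or s["i"] > 3


def h_terms_agree(k: int, s: State) -> bool:
    """Sanity check: the recursive H_j's and the one-pass evaluation coincide."""
    disj = any(h_term(j, guard_le_n, body, post_xn)(s) for j in range(k + 1))
    return disj == wp_while(guard_le_n, body, post_xn, K=k)(s)


if __name__ == "__main__":
    for s in ({"i": 1, "t": 1, "n": 4, "x": 2}, {"i": 1, "t": 5, "n": 3, "x": 0}):
        print(s, "wp:", wp_pow(s), "closed form:", closed_wp_pow(s))
```

Running the main block shows the x = 0 case: the loop does establish t = 0^3 = 0 from t = 5, so the true wp holds there, while the closed form demands t = 0^0 = 1 and rejects the state.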
sp Rule for while_do Statement
• What is the strongest condition on the final state of program while b do S given that P holds initially? (Note that the post-condition is undefined when the program does not terminate.)
• Recall our derivation of the while loop Rule of Inference from Lecture Notes #18 (Axiomatic Verification II).
(flashback follows...)
Necessary Conditions: while_do
So, we know that {P} while b do S {Q} will hold if the following conditions hold:
Case 0: (P ∧ ¬b) ⇒ Q
Case 1: {P ∧ b} S {K1}, (K1 ∧ ¬b) ⇒ Q
Case 2: {K1 ∧ b} S {K2}, (K2 ∧ ¬b) ⇒ Q
…
Case N: {K_{N-1} ∧ b} S {KN}, (KN ∧ ¬b) ⇒ Q
…
Great! But who has the time to show that an infinite number of conditions hold?
sp Rule for while_do Statement
• In order to eliminate the infinite sequence of necessary conditions, we replaced each Ki with I (a loop invariant).
• But for i≥1, Ki is just the strongest post-condition of S with respect to (K_{i-1} ∧ b), where K0 = P.
sp Rule for while_do Statement
Thus, if the loop terminates,
sp(while b do S, P) = ¬b ∧ (K0 ∨ K1 ∨ K2 ∨ ...)
where
K0 ≡ P
K1 ≡ sp(S, b ∧ P)
K2 ≡ sp(S, b ∧ sp(S, b ∧ P))
K3 ≡ sp(S, b ∧ sp(S, b ∧ sp(S, b ∧ P)))
. . .
sp Rule for while_do Statement
Equivalently, we can write: on termination,
sp(while b do S, P) = ¬b ∧ (K0 ∨ K1 ∨ K2 ∨ ...)
where
K0 ≡ P
K1 ≡ sp(S, b ∧ K0)
K2 ≡ sp(S, b ∧ K1)
…
KN ≡ sp(S, b ∧ K_{N-1})
…
Example
Use the Strongest Post-condition ROI to prove:
{true}
Z := X
J := 1
while J<>Y do
  Z := Z+X
  J := J+1
end_while
{Z=X·Y}
We need to show:
sp(T, Z=X ∧ J=1) ⇒ Z=X·Y
where T is: while J<>Y do Z := Z+X; J := J+1 end_while
if T terminates.
Example (cont’d)
K0 ≡ P
   = Z=X ∧ J=1
K1 ≡ sp(S, b ∧ K0)
   = Z=Z’+X ∧ J=J’+1 ∧ J’≠Y ∧ Z’=X ∧ J’=1
   = Z=2X ∧ J=2 ∧ Y≠1
K2 ≡ sp(S, b ∧ K1)
   = Z=Z’+X ∧ J=J’+1 ∧ J’≠Y ∧ Z’=2X ∧ J’=2 ∧ Y≠1
   = Z=3X ∧ J=3 ∧ Y≠1 ∧ Y≠2
Example (cont’d)
K3 ≡ sp(S, b ∧ K2)
   = Z=4X ∧ J=4 ∧ Y≠1 ∧ Y≠2 ∧ Y≠3
. . .
KN ≡ sp(S, b ∧ K_{N-1})
   = Z=(N+1)X ∧ J=N+1 ∧ Y≠1 ∧ Y≠2 ∧ ... ∧ Y≠N
. . .
Example (cont’d)
Thus, when T terminates (i.e., when Y≥1),
sp(T, Z=X ∧ J=1) =
J=Y ∧ [(Z=X ∧ J=1) ∨ (Z=2X ∧ J=2 ∧ Y≠1) ∨ (Z=3X ∧ J=3 ∧ Y≠1 ∧ Y≠2) ∨ ...]
⇒ [(Z=X·Y ∧ Y=1) ∨ (Z=X·Y ∧ Y=2) ∨ ...]
⇒ (Z=X·Y ∧ Y≥1)
⇒ Q (i.e., Z=X·Y)
Example (cont’d)
When T does NOT terminate (i.e., when Y<1),
sp(T, Z=X ∧ J=1) is undefined.
Therefore, by the Strongest Post-Condition ROI, the assertion of weak correctness holds.
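The same sp computation carried out forwards on a finite, constructed sample of initial states, added here as an example (not part of the lecture notes): each K_N is built as the image of b ∧ K_{N-1} under the loop body, every state in it is checked against the closed form Z=(N+1)X ∧ J=N+1 ∧ Y≠1 ∧ … ∧ Y≠N, and the final states (those in which ¬b holds) are checked against Q. The sample ranges for X and Y, the cutoff N and the function names are this example's own assumptions.

```python
# Added example (not from the lecture notes): the strongest post-condition of
#     T:  while J<>Y do Z := Z+X; J := J+1 end_while       with P: Z=X ^ J=1
# computed forwards, as the image of a finite sample of initial states, and
# checked against the K_N closed form derived above.  sp(S, R) is the set of
# states reachable by running S from some state satisfying R, so on an explicit
# list of states it is simply the image under S.
from typing import Callable, Dict, Iterable, List

State = Dict[str, int]
Pred = Callable[[State], bool]
Stmt = Callable[[State], State]


def sp_stmt(S: Stmt, states: List[State]) -> List[State]:
    """sp(S, R) for R given as an explicit list of states: the image under S."""
    return [S(s) for s in states]


def k_terms(b: Pred, S: Stmt, init: List[State], N: int) -> List[List[State]]:
    """K_0 .. K_N as state sets: K_0 = P, K_n = sp(S, b ^ K_(n-1))."""
    ks = [init]
    for _ in range(N):
        ks.append(sp_stmt(S, [s for s in ks[-1] if b(s)]))   # keep only b ^ K_(n-1)
    return ks


def sp_while(b: Pred, S: Stmt, init: List[State], N: int) -> List[State]:
    """sp(while b do S, P) = ~b ^ (K_0 v K_1 v ...), truncated after K_N.

    Initial states whose loop has not exited within N iterations contribute
    nothing: for them the post-condition is undefined (or needs a larger N)."""
    return [s for k in k_terms(b, S, init, N) for s in k if not b(s)]


def body(s: State) -> State:
    """S: Z := Z+X; J := J+1."""
    return {**s, "Z": s["Z"] + s["X"], "J": s["J"] + 1}


guard = lambda s: s["J"] != s["Y"]            # b: J<>Y


def initial_states(xs: Iterable[int], ys: Iterable[int]) -> List[State]:
    """Constructed sample of states satisfying P: Z=X ^ J=1, with X and Y free."""
    return [{"X": x, "Y": y, "Z": x, "J": 1} for x in xs for y in ys]


def k_formula_holds(n: int, s: State) -> bool:
    """Closed form for K_N from the notes: Z=(N+1)X ^ J=N+1 ^ Y!=1 ^ ... ^ Y!=N."""
    return (s["Z"] == (n + 1) * s["X"] and s["J"] == n + 1
            and all(s["Y"] != j for j in range(1, n + 1)))


def check_example(xs=range(-2, 3), ys=range(-1, 5), N=6):
    """Returns (every K_n state matches the closed form,
                every final state satisfies Q: Z=X*Y,
                the Y values for which T actually exited the loop)."""
    init = initial_states(xs, ys)
    ks = k_terms(guard, body, init, N)
    k_ok = all(k_formula_holds(n, s) for n, states in enumerate(ks) for s in states)
    finals = sp_while(guard, body, init, N)
    q_ok = all(s["Z"] == s["X"] * s["Y"] for s in finals)
    return k_ok, q_ok, sorted({s["Y"] for s in finals})


if __name__ == "__main__":
    print(check_example())   # Y < 1 never exits: those states are absent from the image
```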
On the power of axiomatic verification and the relative usefulness of predicate transforms
• Hoare Logic is a deductive system that is both SOUND and RELATIVELY COMPLETE (i.e., COMPLETE to the extent that we can decide the validity of assertions in ROI’s) for deriving proofs of Hoare triples.
• Predicate transforms operationalize this system by providing a way to produce valid correctness specifications.
• Weakest pre-conditions (wp’s) are typically easier to use in this respect than either wlp’s or sp’s when dealing with loops.
Problem Set 6: Predicate Transforms
Note especially Problem 6: deriving and using the weakest pre-condition for the repeat_until construct.