
Floyd/Hoare Logic



  1. Floyd/Hoare Logic
  Literature: Peled ch. 7 – 7.5
  Mads Dam

  2. Transition Diagrams
  Transition system specs, with an explicit underlying control graph.
  Labelled directed graph (S, Σ, R, s0, sf):
  • s ∈ S: control states
  • δ = φ → (x1,...,xn) := (e1,...,en) ∈ Σ: transition specification (a guard φ followed by a multiple assignment)
  • R ⊆ S × Σ × S: (control) transition relation
  • s →δ s': means R(s, δ, s')
  • s0 ∈ S: initial state
  • sf ∈ S: final state; sf should not have outgoing edges
  The generated state space has states (s, x1=v1, ..., xn=vn); σ ranges over data vectors (v1,...,vn).
  [Figure: example control graph with states s0, s1, s2, s3, sf and edges labelled φ1 → f1, ..., φ6 → f6.]

  3. Floyd Inductive Assertions
  Assume transition diagram P = (S, Σ, R, s0, sf).
  Assertion network: an assignment N: s ↦ Q_s of total predicates to the control states in S.
  N is inductive if, whenever s →(φ → (x1,...,xn) := (e1,...,en)) s', then: if ⊨ Q_s(σ) and ⊨ φ(σ) then ⊨ Q_s'[e1/x1,...,en/xn](σ).
  Formally: ⊨ Q_s ∧ φ → Q_s'[e1/x1,...,en/xn].

  4. An assertion network N is invariant if for all computation paths (s0,σ0) → ... → (si,σi) → ... such that ⊨ Q_s0(σ0), also ⊨ Q_si(σi), for any i ≥ 0.
  An assertion network N is consistent, or correct, w.r.t. precondition pre and postcondition post, if:
  • ⊨ pre → Q_s0, and
  • ⊨ Q_sf → post
  A transition diagram P is partially correct w.r.t. precondition pre and postcondition post if whenever ⊨ pre(σ0) and (s0,σ0) → ... → (si,σi) → ... → (sf,σf) then ⊨ post(σf).
  Partial correctness of P w.r.t. pre and post is written {pre} P {post}.

  5. Floyd's Inductive Assertion Method
  • Give an assertion network N for P
  • Prove that N is inductive, i.e. prove that whenever s →(φ → (x1,...,xn) := (e1,...,en)) s' then ⊨ Q_s ∧ φ → Q_s'[e1/x1,...,en/xn]
  • Prove that N is consistent w.r.t. pre and post, i.e. that ⊨ pre → Q_s0 and ⊨ Q_sf → post
  Then P is partially correct w.r.t. pre and post.

  6. Inductive Assertion Method: Soundness
  Theorem: If N is an inductive assertion network for P which is consistent w.r.t. pre and post, then P is partially correct w.r.t. pre and post.
  Lemma: If N is an inductive assertion network for P then N is invariant for P.
  Proof: Induction on the length of the prefix (s0,σ0) → ... → (si,σi).
  Lemma: If N is invariant for P and consistent w.r.t. pre and post then {pre} P {post}.

  7. Example
  Procedure for computing the integer square root of a nonnegative integer y1, with the result in y2.
  Integer square root: y2 s.t. y2² ≤ y1 < (y2+1)².
  Transition diagram:
  • s0 → s1: (y2,y3,y4) := (0,0,1)
  • s1 → s2: y3 := y3 + y4
  • s2 → s1: (y3 ≤ y1) → (y2,y4) := (y2 + 1, y4 + 2)
  • s2 → sf: y3 > y1

  8. Example
  Assertion network for the diagram of slide 7:
  • Q_s0: y1 ≥ 0
  • Q_s1: y2² ≤ y1 ∧ y3 = y2² ∧ y4 = 2*y2 + 1
  • Q_s2: y2² ≤ y1 ∧ y3 = (y2 + 1)² ∧ y4 = 2*y2 + 1
  • Q_sf: y2² ≤ y1 < (y2 + 1)²
  Transitions as before: s0 → s1: (y2,y3,y4) := (0,0,1); s1 → s2: y3 := y3 + y4; s2 → s1: (y3 ≤ y1) → (y2,y4) := (y2 + 1, y4 + 2); s2 → sf: y3 > y1.

  9. Semantic Completeness
  Soundness: Whenever {pre} P {post} is proved using the inductive assertion method then {pre} P {post} is valid.
  Completeness: The inductive assertion method is sufficient to derive any valid partial correctness property {pre} P {post}.
  For completeness, prove the existence of a network N such that ⊨ pre → Q_{N,s0} and ⊨ Q_{N,sf} → post.
  Obs: This doesn't prove that the Q_s are expressible in any given logic.
  The derived assertion network N is minimal in the sense that if M is some other assertion network which establishes partial correctness of P w.r.t. pre and post then ⊨ Q_{N,s} → Q_{M,s} for all s ∈ S.
  In other words, {Q_{N,s} | s ∈ S} is the set of strongest (= least inclusive) predicates such that {pre} P {post}.
  Notation: Q_{N,s} = SP_s(pre,P); SP_sf(pre,P) = SP(pre,P).

  10. Proof of Semantic Completeness
  Suppose {pre} P {post}.
  Define: SP_s(pre,P) = {σ' | ∃σ. (s0,σ) →* (s,σ') and ⊨ pre(σ)}.
  The assertion network N determined by Q_s = SP_s(pre,P) is inductive:
  • If ⊨ Q_s(σ), s →(φ → f) s', and ⊨ φ(σ) then ⊨ Q_s'(f(σ))
  N is also consistent w.r.t. pre and post:
  • SP_s0(pre,P) = pre, so ⊨ pre → Q_s0
  • N is inductive, hence invariant. We assumed {pre} P {post}. But then ⊨ SP_sf(pre,P) → post
  Since N is inductive and consistent w.r.t. pre and post, the inductive assertion method applies.

  11. Strongest Postconditions
  SP(p,P) = SP_sf(p,P) = {σ' | ∃σ. (s0,σ) →* (sf,σ') and ⊨ p(σ)}
  Lemma:
  1. ⊨ {p} P {SP(p,P)}
  2. If ⊨ {p} P {q} then ⊨ SP(p,P) → q
  Item 2 explains why SP(p,P) is called strongest.

  12. Incompleteness
  By Gödel's incompleteness theorem no complete proof system can exist for FOL + (Peano) arithmetic.
  It follows that the inductive assertion method is incomplete too:
  Consider P consisting of the single transition s0 →(true → Id) sf, with specification {true} P {q} such that ⊨ q.
  Completeness would require us to prove q, which is not generally possible.

  13. Total Correctness
  Total correctness = partial correctness + termination.
  • This terminology is from the days when programs were by default sequential and terminating.
  A transition diagram P is totally correct w.r.t. precondition pre and postcondition post if whenever ⊨ pre(σ0) and (s0,σ0) → ... → (si,σi) → ... then si = sf for some i, and ⊨ post(σi).
  Termination is about progressing towards a terminal state.
  Termination is proved using induction.
  For termination proofs in general we need the induction principle called well-founded induction, but here ordinary induction suffices.

  14. Strict Partial Orders
  Strict partial order (W, ≻):
  • Irreflexivity: for no u ∈ W is u ≻ u
  • Asymmetry: for each u, v ∈ W, if u ≻ v then v ⊁ u
  • Transitivity: for each u, v, w ∈ W, if u ≻ v ≻ w then u ≻ w
  Examples:
  • Natural numbers (N, >) or (N, <)
  • Set of finite sets of integers under ⊃
  • Strings under the "superstring" ordering: u ≻ v iff v is a substring of u iff there exist strings v1, v2 such that u = v1.v.v2
  • Strings under lexicographic ordering
  • Tuples under lexicographic ordering

  15. Well-founded Orderings
  Strictly decreasing chain:
  • Finite or infinite sequence u1 ≻ u2 ≻ ... ≻ un ≻ ...
  Well-founded ordering (WFO): strict partial order (W, ≻) such that all strictly decreasing chains are finite.
  Examples:
  • Natural numbers (N, >) is WFO
  • Natural numbers (N, <) is NOT WFO
  • Set of finite sets of integers under ⊃ is WFO
  • Strings under the "superstring" ordering is WFO
  • Strings under lexicographic ordering is NOT WFO
  • Tuples under lexicographic ordering is WFO

  16. Deadlock-free Networks
  To avoid states (s,σ) such that (s,σ) has no outgoing transition but s ≠ sf, we assume that if φ1 → f1, ..., φn → fn are all control transitions emanating from control state s then ⊨ φ1 ∨ φ2 ∨ ... ∨ φn.
  [Figure: control state s with outgoing edges φ1 → f1 to s1, φ2 → f2 to s2, ..., φn → fn to sn.]

  17. Extended Inductive Assertions
  Extended assertion network: in addition to the assertion network N, associate to each control state s an expression w(s) s.t. whenever s →(φ → f) s', with f = (x1,...,xn) := (e1,...,en), then:
  1. ⊨ Q_s → w(s) ∈ W
  2. ⊨ Q_s ∧ φ → w(s) ≽ w(s')[e1/x1,...,en/xn]
  3. For each cycle (= strongly connected subset) there is at least one transition as above such that ⊨ Q_s ∧ φ → w(s) ≻ w(s')[e1/x1,...,en/xn]
  Say N is progressing if an assignment w satisfying 1.–3. exists.

  18. Extended Inductive Assertion Method
  • Give an assertion network N for P
  • Prove that the network is inductive
  • Prove that N is consistent w.r.t. pre and post
  • Prove that N is deadlock-free
  • Determine a WFO (W, ≻) and an assignment w
  • Prove that N with this assignment is progressing
  Then P is totally correct w.r.t. pre and post.
  Theorem: The extended inductive assertion method is sound.

  19. Example
  Ranking assignment for the integer square root diagram: w(s0) = y1, w(s1) = w(s2) = w(sf) = y1 – y2.
  Assertion network as on slide 8:
  • Q_s0: y1 ≥ 0
  • Q_s1: y2² ≤ y1 ∧ y3 = y2² ∧ y4 = 2*y2 + 1
  • Q_s2: y2² ≤ y1 ∧ y3 = (y2 + 1)² ∧ y4 = 2*y2 + 1
  • Q_sf: y2² ≤ y1 < (y2 + 1)²
  Transitions: s0 → s1: (y2,y3,y4) := (0,0,1); s1 → s2: y3 := y3 + y4; s2 → s1: (y3 ≤ y1) → (y2,y4) := (y2 + 1, y4 + 2); s2 → sf: y3 > y1.
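The verification conditions of slides 3, 5, 16 and 17 can be checked mechanically against the square root diagram of slides 7, 8 and 19, here by enumerating a finite store domain rather than by proof. This is an added example in Python, not code from the slides; the store bound and the choice of (N, >) from slide 15 as the well-founded ordering for w are assumptions.

```python
from itertools import product
# Transition diagram P = (S, Sigma, R, s0, sf) of slide 7: each edge is
# (s, guard, update, s'), where update applies (x1,...,xn) := (e1,...,en).
R = [
    ("s0", lambda t: True, lambda t: {**t, "y2": 0, "y3": 0, "y4": 1}, "s1"),
    ("s1", lambda t: True, lambda t: {**t, "y3": t["y3"] + t["y4"]}, "s2"),
    ("s2", lambda t: t["y3"] <= t["y1"],
           lambda t: {**t, "y2": t["y2"] + 1, "y4": t["y4"] + 2}, "s1"),
    ("s2", lambda t: t["y3"] > t["y1"], lambda t: t, "sf"),
]
CYCLES = [{("s1", "s2"), ("s2", "s1")}]   # edge sets of the cycles in P
# Assertion network N of slide 8: control state -> predicate on stores.
N = {
    "s0": lambda t: t["y1"] >= 0,
    "s1": lambda t: (t["y2"]**2 <= t["y1"] and t["y3"] == t["y2"]**2
                     and t["y4"] == 2*t["y2"] + 1),
    "s2": lambda t: (t["y2"]**2 <= t["y1"] and t["y3"] == (t["y2"] + 1)**2
                     and t["y4"] == 2*t["y2"] + 1),
    "sf": lambda t: t["y2"]**2 <= t["y1"] < (t["y2"] + 1)**2,
}
# Ranking assignment w of slide 19; assumed to range over the WFO (N, >).
W = {"s0": lambda t: t["y1"], "s1": lambda t: t["y1"] - t["y2"],
     "s2": lambda t: t["y1"] - t["y2"], "sf": lambda t: t["y1"] - t["y2"]}

def check(network=N, rank=W, bound=6):
    """Return the failed verification conditions (inductiveness, deadlock
    freedom, ranking) over a constructed finite store domain (an assumption)."""
    failures = []
    strict = {(a, b): True for (a, _, _, b) in R}   # does w decrease on edge?
    for y1, y2, y3, y4 in product(range(bound + 1), range(bound + 1),
                                  range(bound**2 + 3), range(2*bound + 4)):
        t = {"y1": y1, "y2": y2, "y3": y3, "y4": y4}
        for s, phi in network.items():
            if s != "sf" and not any(g(t) for a, g, _, _ in R if a == s):
                failures.append(("deadlock", s, t))          # slide 16
            if not phi(t):
                continue
            for a, g, f, b in R:
                if a != s or not g(t):
                    continue
                if not network[b](f(t)):                     # slide 3
                    failures.append(("inductive", a, b, t))
                wa, wb = rank[a](t), rank[b](f(t))
                if wa < 0 or wa < wb:                        # slide 17, 1.-2.
                    failures.append(("rank", a, b, t))
                strict[(a, b)] &= wa > wb
    for cyc in CYCLES:                                       # slide 17, 3.
        if not any(strict[e] for e in cyc):
            failures.append(("progress", sorted(cyc)))
    return failures
```

`check()` returns an empty list for the slides' network and ranking; dropping a conjunct from Q_s1 or choosing a non-decreasing w makes the corresponding condition fail and shows which store is the counterexample.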

  20. While programs
  Primitive:
  • x ∈ X: set of identifiers
  • e ∈ E: set of expressions
  • v ∈ V: set of values
  Command syntax in BNF:
  c ::= skip | x := e | c ; c | if e then c else c | while e do c
  Exercise: Cast the command syntax as a first-order structure.
  = {.} (will remain so for a while)

  21. Stores
  Stores are assignments σ: x ↦ v of values to identifiers.
  e(σ): value of e in store σ.
  Store update: σ[x ↦ v](y) = if x = y then v else σ(y).
  States are either
  • Intermediate: pairs of commands and stores (c,σ), or
  • Final: a store σ

  22. While Programs
  Transitions are inductively defined by an inference system, written here as premise ⟹ conclusion (axioms have no premise):
  (skip, σ) → σ
  (x := e, σ) → σ[x ↦ e(σ)]
  (c1, σ) → σ'  ⟹  (c1 ; c2, σ) → (c2, σ')
  (c1, σ) → (c1', σ')  ⟹  (c1 ; c2, σ) → (c1' ; c2, σ')
  e(σ) ≠ 0  ⟹  (if e then c1 else c2, σ) → (c1, σ)
  e(σ) = 0  ⟹  (if e then c1 else c2, σ) → (c2, σ)

  23. While Programs, II
  e(σ) ≠ 0  ⟹  (while e do c, σ) → (c ; while e do c, σ)
  e(σ) = 0  ⟹  (while e do c, σ) → σ
  Exercise: Let c1 = x:=1 ; while x>0 do x:=x-1. Pick an arbitrary σ1. Compute a sequence (c1,σ1) → (c2,σ2) → ... → σn.
  Exercise: Prove that → is deterministic, i.e. that for any c, σ there is at most one c', σ' such that (c,σ) → (c',σ').
  Exercise (more advanced): Try to add some new language construct, like choice, cobegin/coend, or variable declarations. Add new components to the state if you want.

  24. Hoare Logic
  Hoare triple {p} c {q}:
  • Starting in a state satisfying p, if and when c terminates, q holds
  • Or: whenever ⊨ p(σ) and (c,σ) = (c0,σ0) → (c1,σ1) → ... → σi then ⊨ q(σi)
  • I.e. c is partially correct w.r.t. p and q

  25. Inference Rules
  Assignment (axiom):  {p[e/v]} v := e {p}
  Skip (axiom):  {p} skip {p}
  Rule of consequence:  from ⊨ p → p', {p'} c {q'} and ⊨ q' → q, infer {p} c {q}

  26. Inference Rules, II
  Sequential composition:  from {p} c1 {r} and {r} c2 {q}, infer {p} c1 ; c2 {q}
  Conditional:  from {p ∧ e ≠ 0} c1 {q} and {p ∧ e = 0} c2 {q}, infer {p} if e then c1 else c2 {q}
  While:  from {p ∧ e ≠ 0} c {p}, infer {p} while e do c od {p ∧ e = 0}

  27. Example
  The integer square root example again:
  P:  y2 := 0 ; y3 := 1 ; y4 := 1 ;
      while y3 <= y1 do
        y2 := y2 + 1 ; y4 := y4 + 2 ; y3 := y3 + y4
      od
  Proof goal: {y1 >= 0} P {y2² <= y1 < (y2 + 1)²}

  28. Proof Outlines
  State predicates are inserted into the program text such that each statement (simple or compound) has a pre- and a postcondition.
  A proof outline is valid if each embedded triple is valid and adjacent state predicates are related by implication.

  29. Proof Outlines, Example
  P:
  {y1 >= 0}
  y2 := 0 ;
  {y1 >= 0 ∧ y2 = 0}
  y3 := 1 ;
  {y1 >= 0 ∧ y2 = 0 ∧ y3 = 1}
  y4 := 1 ;
  {y1 >= 0 ∧ y2 = 0 ∧ y3 = 1 ∧ y4 = 1}
  {y2² <= y1 ∧ y3 = (y2+1)² ∧ y4 = 2*y2+1}
  while y3 <= y1 do
    {y2² <= y1 ∧ y3 = (y2+1)² ∧ y4 = 2*y2+1 ∧ y3 <= y1}
    y2 := y2 + 1 ;
    {y2² <= y1 ∧ y3 = y2² ∧ y4 = 2*y2–1}
    y4 := y4 + 2 ;
    {y2² <= y1 ∧ y3 = y2² ∧ y4 = 2*y2+1}
    y3 := y3 + y4
    {y2² <= y1 ∧ y3 = (y2+1)² ∧ y4 = 2*y2+1}
  od
  {y2² <= y1 < (y2+1)²}  /* Postcondition */
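The inference rules of slides 22 and 23 read directly as a small-step interpreter, and the proof outline of slide 29 becomes predicates checked at the corresponding points of every run. This is an added example in Python, not code from the slides; the tuple encoding of commands and the extra "assert" command that carries the outline's predicates are assumptions of this example, not part of the While syntax on slide 20.

```python
# Small-step semantics of While programs (slides 20-23) as an interpreter.
# Commands are tuples; expressions and predicates are functions of the store.
def step(c, st):
    """One transition from (c, st): returns (c', st'), or st' if c is finished."""
    kind = c[0]
    if kind == "skip":                          # (skip, s) -> s
        return st
    if kind == "assign":                        # (x := e, s) -> s[x -> e(s)]
        return {**st, c[1]: c[2](st)}
    if kind == "seq":                           # the two rules for c1 ; c2
        r = step(c[1], st)
        return (c[2], r) if isinstance(r, dict) else (("seq", r[0], c[2]), r[1])
    if kind == "if":                            # e(s) != 0 selects the then-branch
        return (c[2] if c[1](st) != 0 else c[3], st)
    if kind == "while":                         # unfold once, or terminate
        return (("seq", c[2], c), st) if c[1](st) != 0 else st
    if kind == "assert":                        # added: checks an outline predicate
        if not c[1](st):
            raise AssertionError(f"proof outline violated in store {st}")
        return st
    raise ValueError(f"unknown command {c!r}")

def run(c, st, fuel=100_000):
    """Iterate -> from (c, st) until a final store; returns (store, step count)."""
    state, n = (c, st), 0
    while not isinstance(state, dict):
        state, n = step(*state), n + 1
        if n > fuel:
            raise RuntimeError("no final state within fuel")
    return state, n
def seq(*cs):
    return cs[0] if len(cs) == 1 else ("seq", cs[0], seq(*cs[1:]))
def assign(x, e):
    return ("assign", x, e)
# The square root program of slide 27 with the proof outline of slide 29 embedded.
INV = lambda t: (t["y2"]**2 <= t["y1"] and t["y3"] == (t["y2"] + 1)**2
                 and t["y4"] == 2*t["y2"] + 1)
SQRT = seq(
    assign("y2", lambda t: 0), assign("y3", lambda t: 1), assign("y4", lambda t: 1),
    ("assert", INV),
    ("while", lambda t: t["y3"] <= t["y1"], seq(
        assign("y2", lambda t: t["y2"] + 1),
        ("assert", lambda t: t["y3"] == t["y2"]**2 and t["y4"] == 2*t["y2"] - 1),
        assign("y4", lambda t: t["y4"] + 2),
        assign("y3", lambda t: t["y3"] + t["y4"]),
        ("assert", INV))),
    ("assert", lambda t: t["y2"]**2 <= t["y1"] < (t["y2"] + 1)**2))

def isqrt(y1):
    return run(SQRT, {"y1": y1})[0]["y2"]   # raises if the outline fails, e.g. y1 < 0
```

Running `isqrt` on a store with y1 < 0 raises at the first embedded predicate, which is the precondition {y1 >= 0} doing its job; the exercise program of slide 23 reaches its final store in four transitions.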

  30. Soundness and Completeness
  Theorem (soundness): If {p} c {q} is provable then c is partially correct w.r.t. p and q.
  For the cases of sequential composition and while, let (c,σ) →^n σ' if (c,σ) →* σ' in "n steps".
  Lemma: If (c1;c2,σ) →^n σ' then there are n1, n2, σ'' such that (c1,σ) →^n1 σ'', (c2,σ'') →^n2 σ' and n = n1 + n2.
  Completeness: Can obtain relative completeness, i.e. completeness relative to an oracle answering true statements in FOL + arithmetic.
