Hoare Calculus and Predicate Transformers (PowerPoint PPT presentation)



Hoare Calculus and Predicate Transformers
Wolfgang Schreiner, Wolfgang.Schreiner@risc.uni-linz.ac.at
Research Institute for Symbolic Computation (RISC)
Johannes Kepler University, Linz, Austria
http://www.risc.uni-linz.ac.at

Wolfgang Schreiner http://www.risc.uni-linz.ac.at 1/41

Outline
1. The Hoare Calculus for Non-Loop Programs
2. Predicate Transformers
3. Partial Correctness of Loop Programs
4. Total Correctness of Loop Programs
5. Abortion
6. Procedures

The Hoare Calculus
Calculus for reasoning about imperative programs.
- "Hoare triple": {P} c {Q}
  - Logical propositions P and Q, program command c.
  - The Hoare triple is itself a logical proposition.
  - The Hoare calculus gives rules for constructing true Hoare triples.
- Partial correctness interpretation of {P} c {Q}:
  "If c is executed in a state in which P holds, then it terminates in a state in which Q holds unless it aborts or runs forever."
  - Program does not produce a wrong result.
  - But program also need not produce any result.
  - Abortion and non-termination are not ruled out.
- Total correctness interpretation of {P} c {Q}:
  "If c is executed in a state in which P holds, then it terminates in a state in which Q holds."
  - Program produces the correct result.
We will use the partial correctness interpretation for the moment.

General Rules

  P ⇒ Q              P ⇒ P′   {P′} c {Q′}   Q′ ⇒ Q
  ---------          -----------------------------
  {P} {Q}                     {P} c {Q}

- Logical derivation:
    A1   A2
    -------
       B
  - Forward: If we have shown A1 and A2, then we have also shown B.
  - Backward: To show B, it suffices to show A1 and A2.
- Interpretation of above sentences:
  - To show that, if P holds in a state, then Q holds in the same state (no command is executed), it suffices to show P implies Q.
    - Hoare triples are ultimately reduced to classical logic.
  - To show that, if P holds, then Q holds after executing c, it suffices to show this for a P′ weaker than P and a Q′ stronger than Q.
    - Precondition may be weakened, postcondition may be strengthened.

Special Commands
Commands modeling "emptiness" and abortion.

  {P} skip {P}        {true} abort {false}

- The skip command does not change the state; if P holds before its execution, then P thus holds afterwards as well.
- The abort command aborts execution and thus trivially satisfies partial correctness.
  - Axiom implies {P} abort {Q} for arbitrary P, Q.
Useful commands for reasoning and program transformations.

Scalar Assignments

  {Q[e/x]} x := e {Q}

- Syntax
  - Variable x, expression e.
  - Q[e/x] ... Q where every free occurrence of x is replaced by e.
- Interpretation
  - To make sure that Q holds for x after the assignment of e to x, it suffices to make sure that Q holds for e before the assignment.
- Partial correctness
  - Evaluation of e may abort.

  {x + 3 < 5} x := x + 3 {x < 5}
  {x < 2} x := x + 3 {x < 5}

Array Assignments

  {Q[a[i ↦ e]/a]} a[i] := e {Q}

- An array is modelled as a function a : I → V
  - Index set I, value set V.
  - a[i] = e ... a holds at index i the value e.
- Updated array a[i ↦ e]
  - Array that is constructed from a by mapping index i to value e.
- Axioms (for all a : I → V, i ∈ I, j ∈ I, e ∈ V):
  - i = j ⇒ a[i ↦ e][j] = e
  - i ≠ j ⇒ a[i ↦ e][j] = a[j]

  {a[i ↦ x][1] > 0} a[i] := x {a[1] > 0}
  {(i = 1 ⇒ x > 0) ∧ (i ≠ 1 ⇒ a[1] > 0)} a[i] := x {a[1] > 0}

Index violations and pointer semantics of arrays not yet considered.

Command Sequences

  {P} c1 {R1}   R1 ⇒ R2   {R2} c2 {Q}
  -----------------------------------
            {P} c1; c2 {Q}

- Interpretation
  - To show that, if P holds before the execution of c1; c2, then Q holds afterwards, it suffices to show for some R1 and R2 with R1 ⇒ R2 that if P holds before c1, then R1 holds afterwards, and that if R2 holds before c2, then Q holds afterwards.
- Problem: find suitable R1 and R2
  - Easy in many cases (see later).

  {x + y − 1 > 0} y := y − 1 {x + y > 0}
  {x + y > 0} x := x + y {x > 0}
  {x + y − 1 > 0} y := y − 1; x := x + y {x > 0}

Conditionals

  {P ∧ b} c1 {Q}   {P ∧ ¬b} c2 {Q}            {P ∧ b} c {Q}   (P ∧ ¬b) ⇒ Q
  -------------------------------            ----------------------------
  {P} if b then c1 else c2 {Q}                  {P} if b then c {Q}

- Interpretation
  - To show that, if P holds before the execution of the conditional, then Q holds afterwards, it suffices to show that the same is true for each conditional branch, under the additional assumption that this branch is executed.

  {x ≠ 0 ∧ x ≥ 0} y := x {y > 0}
  {x ≠ 0 ∧ x ≱ 0} y := −x {y > 0}
  {x ≠ 0} if x ≥ 0 then y := x else y := −x {y > 0}

2. Predicate Transformers

Backward Reasoning
Implication of rule for command sequences and rule for assignments:

  {P} c {Q[e/x]}
  ------------------
  {P} c; x := e {Q}

- Interpretation
  - If the last command of a sequence is an assignment, we can remove the assignment from the proof obligation.
  - By multiple application, assignment sequences can be removed from the back to the front.

  {P} x := x+1; y := 2*x; z := x+y {z = 15}
  {P} x := x+1; y := 2*x {x + y = 15}
  {P} x := x+1 {x + 2x = 15}   (⇔ 3x = 15) (⇔ x = 5)
  {P} {x + 1 = 5}              (⇔ x = 4)
  P ⇒ x = 4

Weakest Preconditions
A calculus for "backward reasoning".
- Predicate transformer wp
  - Function "wp" that takes a command c and a postcondition Q and returns a precondition.
  - Read wp(c, Q) as "the weakest precondition of c w.r.t. Q".
- wp(c, Q) is a precondition for c that ensures Q as a postcondition.
  - Must satisfy {wp(c, Q)} c {Q}.
- wp(c, Q) is the weakest such precondition.
  - Take any P such that {P} c {Q}.
  - Then P ⇒ wp(c, Q).
- Consequence: {P} c {Q} iff (P ⇒ wp(c, Q))
  - We want to prove {P} c {Q}.
  - We may prove P ⇒ wp(c, Q) instead.
Verification is reduced to the calculation of weakest preconditions.

Forward Reasoning
Sometimes, we want to derive a postcondition from a given precondition.

  {P} x := e {∃x0: P[x0/x] ∧ x = e[x0/x]}

- Forward Reasoning
  - What is the maximum we know about the post-state of an assignment x := e, if the pre-state satisfies P?
  - We know that P holds for some value x0 (the value of x in the pre-state) and that x equals e[x0/x].

  {x ≥ 0 ∧ y = a} x := x + 1 {∃x0: x0 ≥ 0 ∧ y = a ∧ x = x0 + 1}
    (⇔ (∃x0: x0 ≥ 0 ∧ x = x0 + 1) ∧ y = a)
    (⇔ x > 0 ∧ y = a)

Weakest Preconditions
The weakest precondition of each program construct.

  wp(skip, Q) ⇔ Q
  wp(abort, Q) ⇔ true
  wp(x := e, Q) ⇔ Q[e/x]
  wp(c1; c2, Q) ⇔ wp(c1, wp(c2, Q))
  wp(if b then c1 else c2, Q) ⇔ (b ⇒ wp(c1, Q)) ∧ (¬b ⇒ wp(c2, Q))
  wp(if b then c, Q) ⇔ (b ⇒ wp(c, Q)) ∧ (¬b ⇒ Q)

Alternative formulation of a program calculus.

Strongest Postcondition
A calculus for forward reasoning.
- Predicate transformer sp
  - Function "sp" that takes a precondition P and a command c and returns a postcondition.
  - Read sp(P, c) as "the strongest postcondition of c w.r.t. P".
- sp(P, c) is a postcondition for c that is ensured by precondition P.
  - Must satisfy {P} c {sp(P, c)}.
- sp(P, c) is the strongest such postcondition.
  - Take any P, Q such that {P} c {Q}.
  - Then sp(P, c) ⇒ Q.
- Consequence: {P} c {Q} iff (sp(P, c) ⇒ Q).
  - We want to prove {P} c {Q}.
  - We may prove sp(P, c) ⇒ Q instead.
Verification is reduced to the calculation of strongest postconditions.

Strongest Postconditions
The strongest postcondition of each program construct.

  sp(P, skip) ⇔ P
  sp(P, abort) ⇔ false
  sp(P, x := e) ⇔ ∃x0: P[x0/x] ∧ x = e[x0/x]
  sp(P, c1; c2) ⇔ sp(sp(P, c1), c2)
  sp(P, if b then c1 else c2) ⇔ (b ⇒ sp(P, c1)) ∧ (¬b ⇒ sp(P, c2))
  sp(P, if b then c) ⇔ (b ⇒ sp(P, c)) ∧ (¬b ⇒ P)

The use of predicate transformers is an alternative/supplement to the Hoare calculus; this view is due to Dijkstra.
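As an added example (not part of the slides), the wp rules from the Weakest Preconditions slide implemented as syntactic substitution over small tuple ASTs, and applied to the x := x+1; y := 2*x; z := x+y program of the Backward Reasoning slide and to the absolute-value conditional of the Conditionals slide: the computed wp(c, z = 15) holds in exactly the pre-states with x = 4, and wp(if x ≥ 0 then y := x else y := −x, y > 0) exactly when x ≠ 0. The AST encoding and the helper names (subst, wp, holds, pre_holds) are my own choices, not the author's.

```python
# Added example (not from the slides): wp computed syntactically by the rules of the
# "Weakest Preconditions" slide; predicates are tuple ASTs so Q[e/x] is exact substitution.
def subst(p, x, e):                # Q[e/x]: replace variable x in p by expression e
    if p[0] == 'var':
        return e if p[1] == x else p
    if p[0] == 'const':
        return p
    return (p[0],) + tuple(subst(q, x, e) for q in p[1:])

def wp(c, q):                      # weakest precondition of command c w.r.t. postcondition q
    kind = c[0]
    if kind == 'skip':
        return q
    if kind == 'abort':            # partial correctness: abort satisfies any postcondition
        return ('const', True)
    if kind == 'assign':           # wp(x := e, Q) = Q[e/x]
        return subst(q, c[1], c[2])
    if kind == 'seq':              # wp(c1; c2, Q) = wp(c1, wp(c2, Q))
        return wp(c[1], wp(c[2], q))
    if kind == 'if':               # (b => wp(c1, Q)) and (not b => wp(c2, Q))
        b, c1, c2 = c[1:]
        return ('and', ('imp', b, wp(c1, q)), ('imp', ('not', b), wp(c2, q)))
    raise ValueError(kind)

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
       '=': lambda a, b: a == b, '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
       'and': lambda a, b: a and b, 'imp': lambda a, b: (not a) or b}

def holds(p, state):               # evaluate predicate p in a concrete state {var: value}
    if p[0] == 'var':
        return state[p[1]]
    if p[0] == 'const':
        return p[1]
    if p[0] == 'not':
        return not holds(p[1], state)
    return OPS[p[0]](holds(p[1], state), holds(p[2], state))

V = lambda n: ('var', n)           # constructors for the tiny AST
K = lambda k: ('const', k)
# Backward Reasoning slide: x := x+1; y := 2*x; z := x+y, postcondition z = 15
SEQ_PROG = ('seq', ('assign', 'x', ('+', V('x'), K(1))),
            ('seq', ('assign', 'y', ('*', K(2), V('x'))),
                    ('assign', 'z', ('+', V('x'), V('y')))))
# Conditionals slide: if x >= 0 then y := x else y := -x, postcondition y > 0
ABS_PROG = ('if', ('>=', V('x'), K(0)),
            ('assign', 'y', V('x')), ('assign', 'y', ('-', K(0), V('x'))))

def pre_holds(prog, post, x):      # does wp(prog, post) hold in a pre-state with this x?
    return holds(wp(prog, post), {'x': x, 'y': 0, 'z': 0})
```

Because wp is computed purely syntactically, the result for SEQ_PROG is the unsimplified predicate (x+1) + 2*(x+1) = 15, which the slide simplifies by hand to x = 4.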
