Partial and Total Correctness


Partial and Total Correctness

Example: y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1)

Partial correctness: if initially x has the value n and if the program terminates, then the final value of y is n!

Total correctness: if initially x has the value n, with n > 0, then the program terminates and the final value of y is n!

The restriction n > 0 is needed for total correctness: when x ≤ 0 the test ¬(x=1) never becomes false (x only decreases), so the loop does not terminate. This is also why every partial correctness statement below carries the conjunct s x > 0.

XXVI.1

Natural semantics

Claim: (y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1), s) → s′
       implies s′ y = (s x)! and s x > 0

Stage 1: correctness of the body of the while loop
Stage 2: correctness of the while loop
Stage 3: overall correctness

In all cases: reconstruct the derivation tree

XXVI.2


Stage 1

Claim: (y:=y⋆x; x:=x−1, s) → s′′ and s′′ x > 0
       implies (s y)⋆(s x)! = (s′′ y)⋆(s′′ x)! and s x > 0

Proof: From (y:=y⋆x; x:=x−1, s) → s′′ the rule for sequential composition gives
  (y:=y⋆x, s) → s′ and (x:=x−1, s′) → s′′
and the rule for assignment gives
  s′ = s[y↦A[y⋆x]s]
  s′′ = s′[x↦A[x−1]s′]
so s′′ y = (s y)⋆(s x) and s′′ x = (s x)−1.
If s′′ x > 0 then
  (s′′ y)⋆(s′′ x)! = ((s y)⋆(s x))⋆((s x)−1)! = (s y)⋆(s x)!
and s x = s′′ x + 1 > 0.

XXVI.3

Stage 2

Claim: (while ¬(x=1) do (y:=y⋆x; x:=x−1), s) → s′
       implies (s y)⋆(s x)! = s′ y, s′ x = 1 and s x > 0

Proof: by induction on the shape of the derivation tree.

If B[¬(x=1)]s = ff then the while rule for a false condition gives s′ = s, so s′ x = 1 and the result follows since 1! = 1.

If B[¬(x=1)]s = tt then the while rule for a true condition gives a derivation tree with premises
  (y:=y⋆x; x:=x−1, s) → s′′
  (while ¬(x=1) do (y:=y⋆x; x:=x−1), s′′) → s′
The induction hypothesis applied to the (smaller) derivation for s′′ gives
  (s′′ y)⋆(s′′ x)! = s′ y, s′ x = 1, s′′ x > 0
and since s′′ x > 0, Stage 1 applies to the body and gives
  (s y)⋆(s x)! = (s′′ y)⋆(s′′ x)!, s x > 0
so (s y)⋆(s x)! = s′ y, s′ x = 1 and s x > 0.

XXVI.4


Stage 3

Claim: (y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1), s) → s′
       implies s′ y = (s x)! and s x > 0

Proof: By the rule for sequential composition the derivation tree has premises
  (y:=1, s) → s′′
  (while ¬(x=1) do (y:=y⋆x; x:=x−1), s′′) → s′
and the rule for assignment gives s′′ = s[y↦1]. Stage 2 applied to the second premise gives
  (s′′ y)⋆(s′′ x)! = s′ y, s′ x = 1, s′′ x > 0
and since s′′ y = 1 and s′′ x = s x this is
  s′ y = (s x)! and s x > 0.
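The three stages can be checked mechanically. The following added example (not part of the slides) is a small interpreter for the natural semantics of While, applied to the slide's factorial program, together with executable versions of the Stage 1, 2 and 3 claims. The AST encoding, the state representation (a dict with keys "x" and "y") and the names A, B, ns and stage*_holds are this example's own choices; the fuel parameter models the requirement that a derivation tree be finite, so a None result stands for "no derivation tree exists", which for this program is exactly the case x ≤ 0.

```python
# Added example (not from the slides): natural (big-step) semantics of While
# applied to  y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1),  plus checks of Stage 1-3.
# State s is a dict {"x": int, "y": int}; AST encoding and names are our own.
from math import factorial

BODY = ("seq", ("ass", "y", ("mul", ("var", "y"), ("var", "x"))),
               ("ass", "x", ("sub", ("var", "x"), ("num", 1))))
LOOP = ("while", ("not", ("eq", ("var", "x"), ("num", 1))), BODY)
PROGRAM = ("seq", ("ass", "y", ("num", 1)), LOOP)


def A(a, s):
    """A[a]s: value of arithmetic expression a in state s."""
    tag = a[0]
    if tag == "num":
        return a[1]
    if tag == "var":
        return s[a[1]]
    if tag == "mul":
        return A(a[1], s) * A(a[2], s)
    if tag == "sub":
        return A(a[1], s) - A(a[2], s)
    raise ValueError(tag)


def B(b, s):
    """B[b]s: truth value of boolean expression b in state s."""
    tag = b[0]
    if tag == "eq":
        return A(b[1], s) == A(b[2], s)
    if tag == "not":
        return not B(b[1], s)
    raise ValueError(tag)


def ns(S, s, fuel=10_000):
    """Natural semantics: the s' with <S, s> -> s', or None when no derivation
    tree with at most `fuel` while-unfoldings exists.  For this program an
    exhausted fuel is genuine divergence: once x <= 0 the loop keeps
    decrementing x and the test x=1 never becomes true."""
    tag = S[0]
    if tag == "ass":                      # <x:=a, s> -> s[x ↦ A[a]s]
        return {**s, S[1]: A(S[2], s)}
    if tag == "seq":                      # <S1;S2, s> -> s'' from <S1,s> -> s' and <S2,s'> -> s''
        s1 = ns(S[1], s, fuel)
        return None if s1 is None else ns(S[2], s1, fuel)
    if tag == "while":                    # false test: result is s; true test: body, then loop again
        cur = s
        for _ in range(fuel):
            if not B(S[1], cur):
                return cur
            cur = ns(S[2], cur, fuel)
            if cur is None:
                return None
        return None
    raise ValueError(tag)


def stage1_holds(s):
    """Stage 1: <body, s> -> s'' and s'' x > 0 imply
    (s y)*(s x)! = (s'' y)*(s'' x)! and s x > 0."""
    s2 = ns(BODY, s)
    if s2["x"] <= 0:
        return True                       # premise false: implication holds vacuously
    return s["x"] > 0 and s["y"] * factorial(s["x"]) == s2["y"] * factorial(s2["x"])


def stage2_holds(s):
    """Stage 2: <loop, s> -> s' implies (s y)*(s x)! = s' y, s' x = 1, s x > 0."""
    s2 = ns(LOOP, s)
    if s2 is None:
        return True                       # the loop diverged: nothing to show
    return s["x"] > 0 and s2["x"] == 1 and s2["y"] == s["y"] * factorial(s["x"])


def stage3_holds(s):
    """Stage 3: <program, s> -> s' implies s' y = (s x)! and s x > 0."""
    s2 = ns(PROGRAM, s)
    if s2 is None:
        return True
    return s["x"] > 0 and s2["y"] == factorial(s["x"])


if __name__ == "__main__":
    for x in range(-2, 7):                # constructed sample, including divergent starts
        s = {"x": x, "y": 3}
        print(x, ns(PROGRAM, s), stage1_holds(s), stage2_holds(s), stage3_holds(s))
```

Note that the checks are partial correctness checks: for x ≤ 0 the interpreter returns None and each stage*_holds function reports True because its premise (a terminating derivation) is false, which is exactly why the claims on the slides are stated with the conjunct s x > 0 rather than as total correctness.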

XXVI.5

Structural operational semantics

Claim: (y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1), s) ⇒∗ s′
       implies s′ y = (s x)! and s x > 0

Stage 1: correctness of the while loop
Stage 2: overall correctness

In both cases: reconstruct the derivation sequence

XXVI.6


Denotational semantics

Claim: ψfac(S[y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1)]) = tt

where ψfac: (State ↪ State) → T is defined by

  ψfac(g) = tt iff for all s, s′: g s = s′ implies s′ y = (s x)! and s x > 0

XXVI.7

Fixed Point Induction

Let (D,⊑) be a ccpo. Then ψ: D → T is an admissible predicate if and only if, for every chain Y in D,

  ψ d = tt for all d ∈ Y  implies  ψ(⊔Y) = tt

Theorem 6.5: Let (D,⊑) be a ccpo, let f: D → D be a continuous function and let ψ be an admissible predicate on D. If for all d ∈ D

  ψ d = tt implies ψ(f d) = tt

then ψ(FIX f) = tt.

XXVI.8


Example (1)

Define ψ′fac(g) = tt iff for all s, s′: g s = s′ implies s′ y = (s y)⋆(s x)! and s x > 0

Then ψ′fac is an admissible predicate.

Proof: Assume Y is a chain in State ↪ State and ψ′fac g = tt for all g ∈ Y. We shall prove ψ′fac(⊔Y) = tt, so suppose (⊔Y) s = s′. The least upper bound of a chain of partial functions is the union of their graphs, so g s = s′ for some g ∈ Y, and ψ′fac g = tt then gives s′ y = (s y)⋆(s x)! and s x > 0.

XXVI.9

Example (2)

S[y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1)]s = (FIX F)(s[y↦1])

where

  F g s = s                                    if s x = 1
  F g s = g(s[y↦(s y)⋆(s x)][x↦(s x)−1])       otherwise

To prove ψfac(S[y:=1; while ¬(x=1) do (y:=y⋆x; x:=x−1)]) = tt it suffices to prove ψ′fac(FIX F) = tt: if (FIX F)(s[y↦1]) = s′ then ψ′fac gives s′ y = (s[y↦1] y)⋆(s[y↦1] x)! = 1⋆(s x)! = (s x)! and s[y↦1] x = s x > 0.

From Theorem 6.5 it is sufficient to prove

  • F is continuous
  • ψ′fac is admissible
  • ψ′fac g = tt implies ψ′fac(F g) = tt

XXVI.10


Example (3)

Assume ψ′fac g = tt and (F g) s = s′. We shall prove s′ y = (s y)⋆(s x)! and s x > 0.

If s x = 1 then s′ = s, so s′ y = s y = (s y)⋆1! = (s y)⋆(s x)! and s x = 1 > 0.

If s x ≠ 1 then (F g) s = g(s[y↦(s y)⋆(s x)][x↦(s x)−1]) = s′. From the assumption about g, applied to the state s[y↦(s y)⋆(s x)][x↦(s x)−1], we have
  s′ y = ((s y)⋆(s x))⋆((s x)−1)!  and  (s x)−1 > 0
and therefore s′ y = (s y)⋆(s x)! and s x > 0.

XXVI.11

Proof of Theorem 6.5

We first note that ψ ⊥ = tt holds by admissibility of ψ applied to the empty chain Y = ∅, since ⊔∅ = ⊥.

By induction on n we can then show that ψ(fⁿ ⊥) = tt, using the assumption of the theorem for the inductive step from fⁿ ⊥ to f(fⁿ ⊥) = fⁿ⁺¹ ⊥.

By admissibility of ψ applied to the chain Y = { fⁿ ⊥ | n ≥ 0 } we then have ψ(⊔Y) = tt, and ⊔Y = FIX f because f is continuous. This completes the proof.

XXVI.12