program construction and reasoning
play

Program Construction and Reasoning Shin-Cheng Mu Institute of - PowerPoint PPT Presentation

Mar 12, 2024 •229 likes •1.84k views

Program Construction and Reasoning Shin-Cheng Mu Institute of Information Science, Academia Sinica, Taiwan 2010 Formosan Summer School on Logic, Language, and Computation June 28 July 9, 2010 . . . . . . 1 / 97 Introduction: On

  1. Introduction: On Programs Correctness The Maximum Segment Sum Problem Program Verification using Hoare Logic The Binary Search Challenge Binary Search Revisited Verification v.s. Derivation ◮ Verification: given a program, prove that it is correct with respect to some specification. ◮ Derivation: start from the specification, and attempt to construct only correct programs! ◮ Dijkstra: “to prove the correctness of a given program, was in a sense putting the cart before the horse. A much more promising approach turned out to be letting correctness proof and program grow hand in hand: with the choice of the structure of the correctness proof one designs a program for which this proof is applicable.” ◮ What happened so far is that theoretical development of one side benefits the other. ◮ We focus on verification today, and talk about derivation tomorrow. . . . . . . 8 / 97

  2. Introduction: On Programs Correctness The Maximum Segment Sum Problem Program Verification using Hoare Logic The Binary Search Challenge Binary Search Revisited Can you Implement Binary Search? Given a sorted array of N numbers and a key to search for, either locate the position where the key resides in the array, or report that the value does not present in the array, in O (log N ) time. ◮ You would not expect it to be a hard programming task. ◮ Jon Bentley, however, noted: “I’ve assigned this problem in courses at Bell Labs and IBM. Professional programmers had a couple of hours to convert the above description into a program in the language of their choice; . . . 90% of the programmers found bugs in their programs. . . . Knuth points out that while the first binary search was published in 1946, the first published binary search without bugs did not appear until 1962.” . . . . . . 9 / 97

  3. Introduction: On Programs Correctness The Maximum Segment Sum Problem Program Verification using Hoare Logic The Binary Search Challenge Binary Search Revisited Give It a Try? ◮ Bentley: “The only way you’ll believe this is by putting down this column right now and writing the code yourself.” ◮ Given: an array a [0 , N ) of N elements, ◮ that is sorted: ( ∀ i , j : 0 ≤ i < j < N : a [ i ] ≤ a [ j ]). ◮ Find i such that a [ i ] = K , or report that K is not in the array. . . . . . . 10 / 97

  4. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Introduction: On Programs Correctness The Maximum Segment Sum Problem The Binary Search Challenge Program Verification using Hoare Logic Assignments Sequencing Selection Loop and loop invariants Binary Search Revisited The van Gasteren-Feijen Approach Searching in a Sorted List Searching with Premature Return . . . . . . 11 / 97

  5. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants The Guarded Command Language In this course we will talk about program construction using Dijkstra’s calculus. Most of the materials are from Kaldewaij. ◮ A program computing the greatest common divisor: | [ con A , B : int ; var x , y : int ; x , y := A , B ; do y < x → x := x − y [ ] x < y → y := y − x od ] | . ◮ do denotes loops with guarded bodies. . . . . . . 12 / 97

  6. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants The Guarded Command Language In this course we will talk about program construction using Dijkstra’s calculus. Most of the materials are from Kaldewaij. ◮ A program computing the greatest common divisor: | [ con A , B : int { 0 < A ∧ 0 < B } ; var x , y : int ; x , y := A , B ; do y < x → x := x − y [ ] x < y → y := y − x od { x = y = gcd ( A , B ) } ] | . ◮ do denotes loops with guarded bodies. ◮ Assertions delimited in curly brackets. . . . . . . 12 / 97

  7. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants The Hoare Triple ◮ The state space of a program is the states of all its variables. ◮ E.g. state space for the GCD program is ( int × int ). ◮ The Hoare triple { P } S { Q } , operationally, denotes that the statement S , when executed in a state satisfying P , terminates in a state satisfying Q . ◮ Perhaps the simplest statement: { P } skip { Q } iff. P ⇒ Q . ◮ { X > 0 ∧ Y > 0 } skip { X ≥ 0 } . ◮ Note that the annotations need not be “exact.” . . . . . . 13 / 97

  8. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants The Hoare Triple ◮ { P } S { true } expresses that S terminates. ◮ { P } S { Q } and P 0 ⇒ P implies { P 0 } S { Q } . ◮ { P } S { Q } and Q ⇒ Q 0 implies { P } S { Q 0 } . ◮ { P } S { Q } and { P } S { R } equivales { P } S { Q ∧ R } . ◮ { P } S { Q } and { R } S { Q } equivales { P ∨ R } S { Q } . . . . . . . 14 / 97

  9. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Substitution ◮ P [ E / x ]: substituting free occurrences of x in P for E . ◮ We do so in mathematics all the time. A formal definition of substitution, however, is rather tedious. ◮ For this lecture we will only appeal to “common sense”: ◮ E.g. ( x ≤ 3)[ x − 1 / x ] ⇔ x − 1 ≤ 3 ⇔ x ≤ 4. ◮ (( ∃ y : y ∈ N : x < y ) ∧ y < x )[ y + 1 / y ] ⇔ ( ∃ y : y ∈ N : x < y ) ∧ y + 1 < x . ◮ ( ∃ y : y ∈ N : x < y )[ y / x ] ⇔ ( ∃ z : z ∈ N : y < z ). ◮ The notation [ E / x ] hints at “divide by x and multiply by E .” In the refinement calculus, substitution is closely related to assignments, thus some also write [ x := E ]. . . . . . . 15 / 97

  10. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Substitution and Assignments ◮ Which is correct: 1. { P } x := E { P [ E / x ] } , or 2. { P [ E / x ] } x := E { P } ? . . . . . . 16 / 97

  11. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Substitution and Assignments ◮ Which is correct: 1. { P } x := E { P [ E / x ] } , or 2. { P [ E / x ] } x := E { P } ? ◮ Answer: 2! For example: { ( x ≤ 3)[ x + 1 / x ] } x := x + 1 { x ≤ 3 } ⇔ { x + 1 ≤ 3 } x := x + 1 { x ≤ 3 } ⇔ { x ≤ 2 } x := x + 1 { x ≤ 3 } . . . . . . . 16 / 97

  12. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Catenation ◮ { P } S ; T { Q } equivals that there exists R such that { P } S { R } and { R } T { Q } . ◮ Verify: | [ var x , y : int ; { x = A ∧ y = B } x := x − y ; y := x + y ; x := y − x ; { x = B ∧ y = A } ] | . . . . . . . 17 / 97

  13. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Catenation ◮ { P } S ; T { Q } equivals that there exists R such that { P } S { R } and { R } T { Q } . ◮ Verify: | [ var x , y : int ; { x = A ∧ y = B } x := x − y ; y := x + y ; { y − x = B ∧ y = A } x := y − x ; { x = B ∧ y = A } ] | . . . . . . . 17 / 97

  14. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Catenation ◮ { P } S ; T { Q } equivals that there exists R such that { P } S { R } and { R } T { Q } . ◮ Verify: | [ var x , y : int ; { x = A ∧ y = B } x := x − y ; { x + y − x = B ∧ x + y = A } y := x + y ; { y − x = B ∧ y = A } x := y − x ; { x = B ∧ y = A } ] | . . . . . . . 17 / 97

  15. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Catenation ◮ { P } S ; T { Q } equivals that there exists R such that { P } S { R } and { R } T { Q } . ◮ Verify: | [ var x , y : int ; { x = A ∧ y = B } x := x − y ; { y = B ∧ x + y = A } ⇒ { x + y − x = B ∧ x + y = A } y := x + y ; { y − x = B ∧ y = A } x := y − x ; { x = B ∧ y = A } ] | . . . . . . . 17 / 97

  16. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Catenation ◮ { P } S ; T { Q } equivals that there exists R such that { P } S { R } and { R } T { Q } . ◮ Verify: | [ var x , y : int ; { x = A ∧ y = B } ⇒ { y = B ∧ x − y + y = A } x := x − y ; { y = B ∧ x + y = A } y := x + y ; { y − x = B ∧ y = A } x := y − x ; { x = B ∧ y = A } ] | . . . . . . . 17 / 97

  17. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Catenation ◮ { P } S ; T { Q } equivals that there exists R such that { P } S { R } and { R } T { Q } . ◮ Verify: | [ var x , y : int ; { x = A ∧ y = B } x := x − y ; { y = B ∧ x + y = A } y := x + y ; { y − x = B ∧ y = A } x := y − x ; { x = B ∧ y = A } ] | . . . . . . . 17 / 97

  18. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants If-Conditionals ◮ Selection takes the form if B 0 → S 0 [ ] . . . [ ] B n → S n fi . ◮ Each B i is called a guard ; B i → S i is a guarded command . ◮ If none of the guards B 0 . . . B n evaluate to true, the program aborts. Otherwise, one of the command with a true guard is chosen non-deterministically and executed. . . . . . . 18 / 97

  19. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants If-Conditionals ◮ Selection takes the form if B 0 → S 0 [ ] . . . [ ] B n → S n fi . ◮ Each B i is called a guard ; B i → S i is a guarded command . ◮ If none of the guards B 0 . . . B n evaluate to true, the program aborts. Otherwise, one of the command with a true guard is chosen non-deterministically and executed. ◮ To annotate an if statement: { P } if B 0 → { P ∧ B 0 } S 0 { Q } [ ] B 1 → { P ∧ B 1 } S 1 { Q } fi { Q , Pf } , where Pf : P ⇒ B 0 ∨ B 1 . . . . . . . 18 / 97

  20. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Binary Maximum ◮ Goal: to assign x ↑ y to z . By definition, z = x ↑ y ↔ ( z = x ∨ z = y ) ∧ x ≤ z ∧ y ≤ z . . . . . . . 19 / 97

  21. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Binary Maximum ◮ Goal: to assign x ↑ y to z . By definition, z = x ↑ y ↔ ( z = x ∨ z = y ) ∧ x ≤ z ∧ y ≤ z . ◮ Try z := x . We reason: (( z = x ∨ z = y ) ∧ x ≤ z ∧ y ≤ z )[ x / z ] ⇔ ( x = x ∨ x = y ) ∧ x ≤ x ∧ y ≤ x ⇔ y ≤ x , which hinted at using a guarded command: y ≤ x → z := x . . . . . . . 19 / 97

  22. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Binary Maximum ◮ Goal: to assign x ↑ y to z . By definition, z = x ↑ y ↔ ( z = x ∨ z = y ) ∧ x ≤ z ∧ y ≤ z . ◮ Try z := x . We reason: (( z = x ∨ z = y ) ∧ x ≤ z ∧ y ≤ z )[ x / z ] ⇔ ( x = x ∨ x = y ) ∧ x ≤ x ∧ y ≤ x ⇔ y ≤ x , which hinted at using a guarded command: y ≤ x → z := x . ◮ Indeed: { true } if y ≤ x → { y ≤ x } z := x { z = x ↑ y } [ ] x ≤ y → { x ≤ y } z := y { z = x ↑ y } fi { z = x ↑ y } . . . . . . . 19 / 97

  23. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants On Understanding Programs ◮ There are two ways to understand the program below: if B 00 → S 00 [ ] B 01 → S 01 fi ; if B 10 → S 10 [ ] B 11 → S 11 fi ; : if B n 0 → S n 0 [ ] B n 1 → S n 1 fi . ◮ One takes effort exponential to n ; the other is linear. ◮ Dijkstra: “. . . if we ever want to be able to compose really large programs reliably, we need a programming discipline such that the intellectual effort needed to understand a program does not grow more rapidly than in proportion to the program length.” . . . . . . 20 / 97

  24. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Loops ◮ Repetition takes the form do B 0 → S 0 [ ] . . . [ ] B n → S n od . ◮ If none of the guards B 0 . . . B n evaluate to true, the loop terminates. Otherwise one of the commands is chosen non-deterministically, before the next iteration. . . . . . . 21 / 97

  25. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Loops ◮ Repetition takes the form do B 0 → S 0 [ ] . . . [ ] B n → S n od . ◮ If none of the guards B 0 . . . B n evaluate to true, the loop terminates. Otherwise one of the commands is chosen non-deterministically, before the next iteration. ◮ To annotate a loop (for partial correctness): { P } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q , Pf } , where Pf : P ∧ ¬ B 0 ∧ ¬ B 1 ⇒ Q . . . . . . . 21 / 97

  26. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Loops ◮ Repetition takes the form do B 0 → S 0 [ ] . . . [ ] B n → S n od . ◮ If none of the guards B 0 . . . B n evaluate to true, the loop terminates. Otherwise one of the commands is chosen non-deterministically, before the next iteration. ◮ To annotate a loop (for partial correctness): { P } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q , Pf } , where Pf : P ∧ ¬ B 0 ∧ ¬ B 1 ⇒ Q . ◮ P is called the loop invariant . Every loop should be constructed with an invariant in mind! . . . . . . 21 / 97

  27. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Linear-Time Exponentiation | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 ; do n ̸ = N → x , n := x + x , n + 1 od { x = 2 N } ] | . . . . . . 22 / 97

  28. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Linear-Time Exponentiation | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 { x = 2 n ∧ n ≤ N } ; do n ̸ = N → x , n := x + x , n + 1 od { x = 2 N } ] | . . . . . . 22 / 97

  29. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Linear-Time Exponentiation | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 { x = 2 n ∧ n ≤ N } ; do n ̸ = N → Pf2: x , n := x + x , n + 1 x = 2 n ∧ n ≤ N ∧ ¬ ( n ̸ = N ) od ⇒ x = 2 N { x = 2 N , Pf2 } ] | . . . . . . 22 / 97

  30. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Linear-Time Exponentiation | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 { x = 2 n ∧ n ≤ N } ; do n ̸ = N → Pf2: x , n := x + x , n + 1 { x = 2 n ∧ n ≤ N , Pf1 } x = 2 n ∧ n ≤ N ∧ ¬ ( n ̸ = N ) od ⇒ x = 2 N { x = 2 N , Pf2 } ] | . . . . . . 22 / 97

  31. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Linear-Time Exponentiation | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 { x = 2 n ∧ n ≤ N } ; do n ̸ = N → { x = 2 n ∧ n ≤ N ∧ n ̸ = N } Pf2: x , n := x + x , n + 1 { x = 2 n ∧ n ≤ N , Pf1 } x = 2 n ∧ n ≤ N ∧ ¬ ( n ̸ = N ) od ⇒ x = 2 N { x = 2 N , Pf2 } ] | . . . . . . 22 / 97

  32. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Linear-Time Exponentiation Pf1: | [ con N { 0 ≤ N } ; var x , n : int ; ( x = 2 n ∧ n ≤ N )[ x + x , n + 1 / x , n ] x , n := 1 , 0 ⇔ x + x = 2 n +1 ∧ n + 1 ≤ N { x = 2 n ∧ n ≤ N } ⇔ x = 2 n ∧ n < N ; do n ̸ = N → { x = 2 n ∧ n ≤ N ∧ n ̸ = N } Pf2: x , n := x + x , n + 1 { x = 2 n ∧ n ≤ N , Pf1 } x = 2 n ∧ n ≤ N ∧ ¬ ( n ̸ = N ) od ⇒ x = 2 N { x = 2 N , Pf2 } ] | . . . . . . 22 / 97

  33. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Greatest Common Divisor ◮ Known: gcd ( x , x ) = x ; gcd ( x , y ) = gcd ( y , x − y ) if x > y . . . . . . . 23 / 97

  34. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Greatest Common Divisor ◮ Known: gcd ( x , x ) = x ; gcd ( x , y ) = gcd ( y , x − y ) if x > y . ◮ | [ con A , B : int { 0 < A ∧ 0 < B } ; var x , y : int ; x , y := A , B { 0 < x ∧ 0 < y ∧ gcd ( x , y ) = gcd ( A , B ) } ; do y < x → x := x − y [ ] x < y → y := y − x od { x = gcd ( A , B ) ∧ y = gcd ( A , B ) } ] | . . . . . . 23 / 97

  35. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Greatest Common Divisor ◮ Known: gcd ( x , x ) = x ; gcd ( x , y ) = gcd ( y , x − y ) if x > y . ◮ | [ con A , B : int { 0 < A ∧ 0 < B } ; var x , y : int ; x , y := A , B { 0 < x ∧ 0 < y ∧ gcd ( x , y ) = gcd ( A , B ) } ; do y < x → x := x − y [ ] x < y → y := y − x od { x = gcd ( A , B ) ∧ y = gcd ( A , B ) } ] | ◮ (0 < x ∧ 0 < y ∧ gcd ( x , y ) = gcd ( A , B ))[ x − y / x ] ↔ 0 < x − y ∧ 0 < y ∧ gcd ( x − y , y ) = gcd ( A , B ) ⇐ 0 < x ∧ 0 < y ∧ gcd ( x , y ) = gcd ( A , B ) ∧ y < x . . . . . . 23 / 97

  36. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants A Weird Equilibrium ◮ Consider the following program: | [ var x , y , z : int { true } ; do x < y → x := x + 1 [ ] y < z → y := y + 1 [ ] z < x → z := z + 1 od { x = y = z } ] | . ◮ If it terminates at all, we do have x = y = z . But why does it terminate? . . . . . . 24 / 97

  37. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants A Weird Equilibrium ◮ Consider the following program: | [ var x , y , z : int { true , bnd : 3 × ( x ↑ y ↑ z ) − ( x + y + z ) } ; do x < y → x := x + 1 [ ] y < z → y := y + 1 [ ] z < x → z := z + 1 od { x = y = z } ] | . ◮ If it terminates at all, we do have x = y = z . But why does it terminate? 1. bnd ≥ 0, and bnd = 0 implies none of the guards are true. 2. { x < y ∧ bnd = t } x := x + 1 { bnd < t } . . . . . . . 24 / 97

  38. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Repetition To annotate a loop for total correctness : { P , bnd : t } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q } , we have got a list of things to prove: . . . . . . 25 / 97

  39. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Repetition To annotate a loop for total correctness : { P , bnd : t } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q } , we have got a list of things to prove: 1. B ∧ ¬ B 0 ∧ ¬ B 1 ⇒ Q , . . . . . . 25 / 97

  40. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Repetition To annotate a loop for total correctness : { P , bnd : t } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q } , we have got a list of things to prove: 1. B ∧ ¬ B 0 ∧ ¬ B 1 ⇒ Q , 2. for all i , { P ∧ B i } S i { P } , . . . . . . 25 / 97

  41. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Repetition To annotate a loop for total correctness : { P , bnd : t } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q } , we have got a list of things to prove: 1. B ∧ ¬ B 0 ∧ ¬ B 1 ⇒ Q , 2. for all i , { P ∧ B i } S i { P } , 3. P ∧ ( B 1 ∨ B 2 ) ⇒ t ≥ 0, . . . . . . 25 / 97

  42. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Repetition To annotate a loop for total correctness : { P , bnd : t } do B 0 → { P ∧ B 0 } S 0 { P } [ ] B 1 → { P ∧ B 1 } S 1 { P } od { Q } , we have got a list of things to prove: 1. B ∧ ¬ B 0 ∧ ¬ B 1 ⇒ Q , 2. for all i , { P ∧ B i } S i { P } , 3. P ∧ ( B 1 ∨ B 2 ) ⇒ t ≥ 0, 4. for all i , { P ∧ B i ∧ t = C } S i { t < C } . . . . . . . 25 / 97

  43. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants E.g. Linear-Time Exponentiation ◮ What is the bound function? | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 { x = 2 n ∧ n ≤ N } ; do n ̸ = N → x , n := x + x , n + 1 od { x = 2 N } ] | . . . . . . 26 / 97

  44. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants E.g. Linear-Time Exponentiation ◮ What is the bound function? | [ con N { 0 ≤ N } ; var x , n : int ; x , n := 1 , 0 { x = 2 n ∧ n ≤ N , bnd : N − n } ; do n ̸ = N → x , n := x + x , n + 1 od { x = 2 N } ] | ◮ x = 2 n ∧ n ∧ n ̸ = N ⇒ N − n ≥ 0, ◮ { . . . ∧ N − n = t } x , n := x + x , n − 1 { N − n < t } . . . . . . . 26 / 97

  45. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants E.g. Greatest Common Divisor ◮ What is the bound function? | [ con A , B : int { 0 < A ∧ 0 < B } ; var x , y : int ; x , y := A , B { 0 < x ∧ 0 < y ∧ gcd ( x , y ) = gcd ( A , B ) } ; do y < x → x := x − y [ ] x < y → y := y − x od { x = gcd ( A , B ) ∧ y = gcd ( A , B ) } ] | . . . . . . 27 / 97

  46. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants E.g. Greatest Common Divisor ◮ What is the bound function? | [ con A , B : int { 0 < A ∧ 0 < B } ; var x , y : int ; x , y := A , B { 0 < x ∧ 0 < y ∧ gcd ( x , y ) = gcd ( A , B ) , bnd : | x − y |} ; do y < x → x := x − y [ ] x < y → y := y − x od { x = gcd ( A , B ) ∧ y = gcd ( A , B ) } ] | ◮ . . . ⇒ | x − y | ≥ 0, ◮ { . . . 0 < y ∧ y < x ∧ | x − y | = t } x := x − y {| x − y | < t } . . . . . . . 27 / 97

  47. Assignments Introduction: On Programs Correctness Sequencing Program Verification using Hoare Logic Selection Binary Search Revisited Loop and loop invariants Introduction: On Programs Correctness The Maximum Segment Sum Problem The Binary Search Challenge Program Verification using Hoare Logic Assignments Sequencing Selection Loop and loop invariants Binary Search Revisited The van Gasteren-Feijen Approach Searching in a Sorted List Searching with Premature Return . . . . . . 28 / 97

  48. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return The van Gasteren-Feijen Approach ◮ Van Gasteren and Feijen pointed a surprising fact: binary search does not apply only to sorted lists! ◮ In fact, they believe that comparing binary search to searching for a word in a dictionary is a major educational blunder. ◮ Their binary search: let Φ be a predicate on ( int × int ), with some additional constraints to be given later: | [ con M , N : int { M < N ∧ Φ( M , N ) . . . } ; var l , r : int ; bsearch { M ≤ l < N ∧ Φ( l , l + 1) } ] | . . . . . . 29 / 97

  49. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return The Program { M < N ∧ Φ( M , N ) } l , r := M , N { M ≤ l < r ≤ N ∧ Φ( l , r ) , bnd : r − l } ; do l + 1 ̸ = r → { . . . ∧ l + 2 ≤ r } m := ( l + r ) / 2 { . . . ∧ l < m < r } ; if Φ( m , r ) → l := m [ ] Φ( l , m ) → r := m fi od { M ≤ l < N ∧ Φ( l , l + 1) } . . . . . . 30 / 97

  50. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Proof of Correctness Let’s start with verifying the easier bits. ◮ When the loop exits: M ≤ l < r ≤ N ∧ Φ( l , r ) ∧ ¬ ( l + 1 ̸ = r ) ⇒ M ≤ l < l + 1 ≤ N ∧ Φ( l , l + 1) ⇔ M ≤ l < N ∧ Φ( l , l + 1). ◮ Termination: exercise. ◮ To verify { . . . l + 2 ≤ r } m := ( l + r ) / 2 { . . . l < m < r } : ( l < m < r )[(( l + r ) / 2) / m ] ⇔ l < ( l + r ) / 2 ⇐ l + 2 ≤ r . . . . . . . 31 / 97

  51. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Proof of Correctness ◮ To verify that the loop body maintains the invariant, check the first branch in if : ( M ≤ l < r ≤ N ∧ Φ( l , r ))[ m / l ] ⇔ M ≤ m < r ≤ N ∧ Φ( m , r ) ⇐ M ≤ l < r ≤ N ∧ Φ( l , r ) ∧ l < m < r ∧ Φ( m , r ). ◮ Similarly with the other branch. ◮ However, we still need to be sure that at least one of the guards in if holds! Thus we need this property from Φ: Φ( l , r ) ∧ l < m < r ⇒ Φ( l , m ) ∨ Φ( m , r ). (1) . . . . . . 32 / 97

  52. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Instantiations Some Φ that satisfies (1): ◮ Φ( i , j ) = a [ i ] ̸ = a [ j ] for some array a . Van Gasteren and Feijen suggested using this as the example when introducing binary search. ◮ Φ( i , j ) = a [ i ] < a [ j ], ◮ Φ( i , j ) = a [ i ] × a [ j ] ≤ 0, ◮ Φ( i , j ) = a [ i ] ∨ a [ j ], etc. . . . . . . 33 / 97

  53. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Searching for a Key ◮ To search for a key K in an ascending-sorted array a , it seems that we could just pick: Φ( i , j ) = a [ i ] ≤ K < a [ j ], and check whether a [ i ] = K after the loop. ◮ However, we are not sure we can establish the precondition a [ l ] ≤ K < a [ r ]! ◮ For a possibly empty array a [0 .. N ), imagine two elements a [ − 1] and a [ N ] such that a [ − 1] ≤ x and x < a [ N ] for all x . ◮ Equivalently, pick: Φ( i , j ) = ( i = − 1 ∨ a [ i ] ≤ K ) ∧ ( K < a [ j ] ∨ j = N ). . . . . . . 34 / 97

  54. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return The Program Recall Φ( i , j ) = ( i = − 1 ∨ a [ i ] ≤ K ) ∧ ( K < a [ j ] ∨ j = N ). { 0 ≥ N ∧ Φ( − 1 , N ) } l , r := − 1 , N {− 1 ≤ l < r ≤ N ∧ Φ( l , r ) , bnd : r − l } ; do l + 1 ̸ = r → { . . . ∧ l + 2 ≤ r } m := ( l + r ) / 2 ; if a [ m ] ≤ K → l := m [ ] K < a [ m ] → r := m fi od {− 1 ≤ l < N ∧ Φ( l , l + 1) } ; if l > − 1 → found := a [ l ] = k [ ] l = − 1 → found := false fi . . . . . . 35 / 97

  55. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Discussions ◮ “Adding” elements to a ? ◮ The invariant implies that − 1 < m < N , thus a [ − 1] and a [ N ] are never accessed. ◮ No actual alteration necessary. ◮ It also enables us to handle possibly empty arrays ◮ Is the program different from the usual binary search you’ve seen? . . . . . . 36 / 97

  56. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return A More Common Program Bentley’s program can be rephrased below: l , r := 0 , N − 1; found := false ; do l ≤ r → m := ( l + r ) / 2; if a [ m ] < K → l := m + 1 [ ] a [ m ] = K → found := true ; break [ ] K < a [ m ] → r := m − 1 fi od . I’d like to derive it, but ◮ it is harder to formally deal with break ◮ but Bentley also employed a semi-formal reasoning using a loop invariant to argue for the correctness of the program; ◮ to relate the test a [ m ] < K to l := m + 1 we have to bring in the fact that a is sorted earlier. . . . . . . 37 / 97

  57. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Comparison ◮ The two programs do not solve exactly the same problem (e.g. when there are multiple K s in a ). ◮ Is the second program quicker because it assigns l and r to m + 1 and m − 1 rather than m ? ◮ l := m + 1 because a [ m ] is covered in another case; ◮ r := m − 1 because a range is represented differently. ◮ Is it quicker to perform an extra test to return early? ◮ When K is not in a , the test is wasted. ◮ Rolfe claimed that single comparison is quicker in average. ◮ Knuth: single comparison needs 17 . 5 lg N + 17 instructions, double comparison needs 18 lg N − 16 instructions. . . . . . . 38 / 97

  58. Introduction: On Programs Correctness The van Gasteren-Feijen Approach Program Verification using Hoare Logic Searching in a Sorted List Binary Search Revisited Searching with Premature Return Exercise: Unimodel Search ◮ Let array a [0 , N ), with 0 < N , be the concatenation of a strictly increasing and a strictly decreasing array. Formally: ( ∃ k : 0 ≤ k < N : ( ∀ i : 0 < i ≤ k : a [ i − 1] < a [ i ]) ∧ ( ∀ j : k ≤ j < N : a [ j − 1] > a [ j ])). Use binary search to find the maximum element. ◮ What invariant to use? . . . . . . 39 / 97

  59. What is a Proof, Anyway? Loop construction Max. Segment Sum Solved Where to Go from Here? Correct by Construction Dijkstra: “The only effective way to raise the confidence level of a program significantly is to give a convincing proof of its correctness. But one should not first make the program and then prove its correctness, because then the requirement of providing the proof would only increase the poor programmer’s burden. On the contrary: the programmer should . . . ” “. . . [let] correctness proof and program grow hand in hand: with the choice of the structure of the correctness proof one designs a program for which this proof is applicable.” . . . . . . 40 / 97

  60. What is a Proof, Anyway? Loop construction Max. Segment Sum Solved Where to Go from Here? Program Derivation ◮ Wikipedia: program derivation is the derivation of a program from its specification, by mathematical means. ◮ To write a formal specification (which could be non-executable), and then apply mathematically correct rules in order to obtain an executable program. ◮ The program thus obtained is correct by construction. . . . . . . 41 / 97

  61. What is a Proof, Anyway? Loop construction Max. Segment Sum Solved Where to Go from Here? What is a Proof, Anyway? Quantifier manipulation Loop construction Taking Conjuncts as Invariants Replacing Constants by Variables Strengthening the Invariant Tail Invariants Max. Segment Sum Solved Where to Go from Here? . . . . . . 42 / 97

  62. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? But What is a Proof, Anyway? Xavier Leroy, “How to prove it”: Proof by example Prove the case n = 2 and suggests that it contains most of the ideas of the general proof. Proof by intimidation ‘Trivial’. Proof by cumbersome notation Best done with access to at least four alphabets and special symbols. Proof by reference to inaccessible literature a simple corollary of a theorem to be found in a privately circulated memoir of the Slovenian Philological Society, 1883. Proof by personal communication ‘Eight-dimensional colored cycle stripping is NP-complete [Karp, personal communication] (in the elevator).’ Proof by appeal to intuition Cloud-shaped drawings. . . . . . . 43 / 97

  63. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? A semantic proof A map of London is place on the ground of Trafalgar Square. There is a point on the map that is directly above the point on the ground that it represents. Proof. The map is directly above a part of London. Thus the entire map is directly above the part of the area which it represents. Now, the smaller area of the map representing Central London is also above the part of the area which it represents. Within the area representing Central London, Trafalgar Square is marked, and this yet smaller part of the map is directly above the part it represents. Continuing this way, we can find smaller and smaller areas of the map each of which is directly above the part of the area which it represents. In the limit we reduce the area on the map to a single point. . . . . . . 44 / 97

  64. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Proof of Pythagoras’s Theorem Let ABC be a triangle with � BAC = 90 o . Let the lengths of BC , AC , AB be, respectively, a , b , and c . I B J We wish to prove that a 2 = b 2 + c 2 . Construct a square IJKL , of side b + c , and a square BCDE , of side a . a E c Clearly, area ( IJKL ) = ( b + c ) 2 . But area ( IJKL ) = area ( BCDE )+ C A b 4 × area ( ABC ) = a 2 + abc . L D K That is, ( b + c ) 2 = a 2 + 2 bc , whence b 2 + c 2 = a 2 . . . . . . . 45 / 97

  65. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Informal v.s. Formal Proofs ◮ To read an informal proof, we are expected to have a good understanding of the problem domain, the meaning of the natural language statements, and the language of mathematics. ◮ A formal proof shifts some of the burdens to the “form”: the symbols, the syntax, and rules manipulating them. “Let the symbols do the work!” ◮ Our proof of the swapping program is formal: { x = A ∧ y = B } x := x − y ; y := x + y ; x := y − x { x = B ∧ y = A } . . . . . . . 46 / 97

  66. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Tsuru-Kame Zan The Tsuru-Kame Problem Some cranes (tsuru) and tortoises (kame) are mixed in a cage. Known is that there are 5 heads and 14 legs. Find out the numbers of cranes and tortoises. . . . . . . 47 / 97

  67. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Tsuru-Kame Zan The Tsuru-Kame Problem Some cranes (tsuru) and tortoises (kame) are mixed in a cage. Known is that there are 5 heads and 14 legs. Find out the numbers of cranes and tortoises. ◮ The kindergarten approach: plain simple enumeration! ◮ Crane 0, Tortoise 5 . . . No. ◮ Crane 1, Tortoise 4 . . . No. ◮ Crane 2, Tortoise 3 . . . No. ◮ Crane 3, Tortoise 2 . . . Yes! ◮ Crane 4, Tortoise 1 . . . No. ◮ Crane 5, Tortoise 0 . . . No. . . . . . . 47 / 97

  68. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Tsuru-Kame Zan The Tsuru-Kame Problem Some cranes (tsuru) and tortoises (kame) are mixed in a cage. Known is that there are 5 heads and 14 legs. Find out the numbers of cranes and tortoises. ◮ Elementary school: let’s do some reasoning . . . ◮ If all 5 animals were cranes, there ought to be 5 × 2 = 10 legs. ◮ However, there are in fact 14 legs. The extra 4 legs must belong to some tortoises. There must be (14 − 10) / 2 = 2 tortoises. ◮ So there must be 5 − 2 = 3 cranes. ◮ It generalises to larger numbers of heads and legs. ◮ Given a different problem, we have to come up with another different way to solve it. . . . . . . 47 / 97

  69. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Tsuru-Kame Zan The Tsuru-Kame Problem Some cranes (tsuru) and tortoises (kame) are mixed in a cage. Known is that there are 5 heads and 14 legs. Find out the numbers of cranes and tortoises. ◮ Junior high school: algebra! x + y = 5 2 x + 4 y = 14. ◮ It’s a general approach applicable to many other problems . . . ◮ . . . and perhaps easier. ◮ However, it takes efforts to learn! . . . . . . 47 / 97

  70. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Another Formal Proof The calculational logic proofs we have seen were formal: ¬ ( P ↔ Q ) ⇔ { unfolding ¬ } ( P ↔ Q ) ↔ ⊥ ⇔ { ↔ associative } P ↔ ( Q ↔ ⊥ ) ⇔ { folding ¬ } P ↔ ¬ Q . Rather than relying on intuition on truth tables, we try to develop intuition on calculational rules. . . . . . . 48 / 97

  71. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? What is a Proof, Anyway? Quantifier manipulation Loop construction Taking Conjuncts as Invariants Replacing Constants by Variables Strengthening the Invariant Tail Invariants Max. Segment Sum Solved Where to Go from Here? . . . . . . 49 / 97

  72. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Quantifications ◮ Let ⊕ be a commutative, associative operator with identity e , that is, ◮ x ⊕ y = y ⊕ x , ◮ x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z , and ◮ e ⊕ x = x = x ⊕ e , and let f be a function defined on int . ◮ We denote f m ⊕ f ( m + 1) ⊕ . . . ⊕ f ( n − 1) by ( ⊕ i : m ≤ i < n : f i ). ◮ ( ⊕ i : n ≤ i < n : f i ) = e . ◮ ( ⊕ i : m ≤ i < n +1 : f i ) = ( ⊕ i : m ≤ i < n : f i ) ⊕ f n if m ≤ n . ◮ We will refer to this rule as to “split off n ”. . . . . . . 50 / 97

  73. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Quantifications in General General form: ( ⊕ i : R : F ), where R specifies a range. We sometimes write ( ⊕ i : R i : F i ) to emphasise that they depend on i . ◮ ( ⊕ i : false : F ) = e . ◮ ( ⊕ i : i = x : F i ) = F x . ◮ ( ⊕ i : R : F ) ⊕ ( ⊕ i : S : F ) = ( ⊕ i : R ∨ S : F ) ⊕ ( ⊕ i : R ∧ S : F ). ◮ ( ⊕ i : R : F ) ⊕ ( ⊕ i : R : G ) = ( ⊕ i : R : F ⊕ G ). ◮ ( ⊕ i , j : R i ∧ S i j : F ) = ( ⊕ i : R i : ( ⊕ j : S i j : F )), ◮ ( i , j distinct, j does not occur free in R ). (Of which rule is range splitting a special case?) . . . . . . 51 / 97

  74. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? Examples ◮ E.g. ◮ (+ i : 3 ≤ i < 5 : i 2 ) = 3 2 + 4 2 = 25. ◮ (+ i , j : 3 ≤ i ≤ j < 5 : i × j ) = 3 × 3 + 3 × 4 + 4 × 4. ◮ ( ∧ i : 2 ≤ i < 9 : odd i ⇒ prime i ) = true . ◮ ( ↑ i : 1 ≤ i < 7 : − i 2 + 5 i ) = 6 (when i = 2 or 3). ◮ As a convention, (+ i : R : F ) is written (Σ i : R : F ), ( ∧ i : R : F ) is written ( ∀ i : R : F ), and ( ∨ i : R : F ) is written ( ∃ i : R : F ). ◮ A special rule for ↑ (or ↓ ) and +: x + ( ↑ i : R : F i ) = ( ↑ i : R : x + F i ). . . . . . . 52 / 97

  75. What is a Proof, Anyway? Loop construction Quantifier manipulation Max. Segment Sum Solved Where to Go from Here? The Number Of . . . ◮ Define # : Bool → { 0 , 1 } : # false = 0 # true = 1. ◮ “The number of” quantifier is defined by: (# i : R i : F i ) = (Σ i : R i : #( F i )), from which we may derive: ◮ (# i : false : F i ) = 0, ◮ (# i : 0 ≤ i < n + 1 : F i ) = (# i : 0 ≤ i < n : F i ) + #( F n ). . . . . . . 53 / 97

  76. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants What is a Proof, Anyway? Quantifier manipulation Loop construction Taking Conjuncts as Invariants Replacing Constants by Variables Strengthening the Invariant Tail Invariants Max. Segment Sum Solved Where to Go from Here? . . . . . . 54 / 97

  77. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants Deriving Programs from Specifications ◮ From such a specification: | [ con declarations ; { preconditions } prog { postcondition } ] | we hope to derive prog . ◮ We usually work backwards from the post condition. ◮ The techniques we are about to learn is mostly about constructing loops and loop invariants. . . . . . . 55 / 97

  78. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants Conjunctive Postconditions ◮ When the post condition has the form P ∧ Q , one may take one of the conjuncts as the invariant and the other as the guard: ◮ { P } do ¬ Q → S od { P ∧ Q } . ◮ E.g. consider the specficication: | [ con A , B : int ; { 0 ≤ A ∧ 0 ≤ B } var q , r : int ; divmod { q = A div B ∧ r = A mod B } ] | . ◮ The post condition expands to R :: A = q × B + r ∧ 0 ≤ r ∧ r < B . . . . . . . 56 / 97

  79. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants But Which Conjunct to Choose? ◮ q = A div B ∧ r = A mod B expands to R : A = q × B + r ∧ 0 ≤ r ∧ r < B , which leads to a number of possibilities: ◮ { 0 ≤ r ∧ r < B } do A ̸ = q × B + r → S od { R } , ◮ { A = q × B + r ∧ r < B } do 0 > r → S od { R } , or ◮ { A = q × B + r ∧ 0 ≤ r } do r ≥ B → S od { R } , etc. . . . . . . 57 / 97

  80. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants Computing the Quotient and the Remainder Try A = q × B + r ∧ 0 ≤ r as the invariant and ¬ ( r < B ) as the guard: { P : A = q × B + r ∧ 0 ≤ r } do B ≤ r → { P ∧ B ≤ r } { P } od { P ∧ r < B } . . . . . . 58 / 97

  81. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants Computing the Quotient and the Remainder Try A = q × B + r ∧ 0 ≤ r as the invariant and ¬ ( r < B ) as the guard: ◮ P is established by q , r := 0 , A . q , r := 0 , A ; { P : A = q × B + r ∧ 0 ≤ r } do B ≤ r → { P ∧ B ≤ r } { P } od { P ∧ r < B } . . . . . . 58 / 97

  82. What is a Proof, Anyway? Taking Conjuncts as Invariants Loop construction Replacing Constants by Variables Max. Segment Sum Solved Strengthening the Invariant Where to Go from Here? Tail Invariants Computing the Quotient and the Remainder Try A = q × B + r ∧ 0 ≤ r as the invariant and ¬ ( r < B ) as the guard: ◮ P is established by q , r := 0 , A . ◮ Choose r as the bound. q , r := 0 , A ; { P : A = q × B + r ∧ 0 ≤ r } do B ≤ r → { P ∧ B ≤ r } { P } od { P ∧ r < B } . . . . . . 58 / 97

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a

Towards a formal theory of program construction Christoph Kreitz Abstract Principles of a unified formal theory on reasoning about programs and program con- struction built on top of Intuitionistic Type Theory. 1 OVERVIEW 1. Motivation and

398 views • 20 slides
Completeness of Resolution 5ai We will show by construction: AUTOMATED REASONING If clauses S

Completeness of Resolution 5ai We will show by construction: AUTOMATED REASONING If clauses S

Completeness of Resolution 5ai We will show by construction: AUTOMATED REASONING If clauses S have no models then there is a resolution proof of [] from S . As shown in Slides 4 the construction has two parts : SLIDES 5: (i) find a ground

544 views • 5 slides
COMMUNITY REFERENCE GROUP 6 AUGUST 2019 DISCUSSION ITEMS 1. Construction program lookahead 2.

COMMUNITY REFERENCE GROUP 6 AUGUST 2019 DISCUSSION ITEMS 1. Construction program lookahead 2.

SOUTH YARRA (EASTERN PORTAL) PRECINCT COMMUNITY REFERENCE GROUP 6 AUGUST 2019 DISCUSSION ITEMS 1. Construction program lookahead 2. Contractors parking in local streets PROGRAM PROGRESS UPDATE CONSTRUCTION PROGRAM LONGER TERM CONSTRUCTION

603 views • 34 slides
Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program

Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program

Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program Ms. Becky McCoy, P.E. 778th Civil Engineer Squadron Robins AFB, GA August 2013 The Installation of Excellence The Place to Live, Learn,

631 views • 27 slides
RRADs Program Versus Construction Program Parker-Davis Project and Intertie May 21, 2018 JPA

RRADs Program Versus Construction Program Parker-Davis Project and Intertie May 21, 2018 JPA

RRADs Program Versus Construction Program Parker-Davis Project and Intertie May 21, 2018 JPA Meeting Phoenix, AZ What is a Construction Project? Construction Project requires a Services Contract to build the Substation and/or Transmission

84 views • 7 slides
CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based

CHAPTER-4 1 LOGIC AND REASONING ! Knowledge and ! Reasoning in Knowledge- Reasoning Based Systems ! syntax and semantics ! shallow and deep reasoning ! validity and satisfiability ! forward and backward ! logic languages chaining ! alternative

616 views • 23 slides
Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based

Probabilistic Reasoning; Probabilistic Reasoning; Network-based reasoning Network-based reasoning COMPSCI 276, Fall 2014 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Why/What/How

700 views • 45 slides
Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program

Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program

Maintenance, Repair, and Construction of Facilities and Infrastructure RAFB Construction Program Robins AFB, GA August 2014 The Installation of Excellence The Place to Live, Learn, Work and Play Overview Robins Air Force Base

539 views • 23 slides
Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning ,

Evidential and Causal Reasoning Much reasoning in AI can be seen as evidential reasoning , (observations to a theory) followed by causal reasoning (theory to predictions). Diagnosis Given symptoms, evidential reasoning leads to hypotheses about

243 views • 8 slides
Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140:

Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140:

Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140: Specification and verification of parallel system 18 May 2018 Modal Logic Modal logic is particularly suitable for reasoning dynamic behaviour of programs

255 views • 10 slides
SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING +

OUTLINE SECTION 1: Introductions Code Reasoning Forward Reasoning CODE REASONING + Backward Reasoning Weaker vs. Stronger statements Version control VERSION CONTROL CSE 331 Summer 2018 slides borrowed and

763 views • 11 slides
Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211

Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211

Reasoning and Meta-reasoning Sonia Marin IT-University of Copenhagen, Denmark 85-211 Cognitive Psychology, Guest lecture CMU Qatar November 28, 2018 1 / 15 What is reasoning? Reasoning is the process of drawing conclusions from

911 views • 59 slides
Neighborhood Community and Revitalization Program (NCR) Procurement, Contract, and Construction

Neighborhood Community and Revitalization Program (NCR) Procurement, Contract, and Construction

Subrecipient Administrative Training (SAT) Meeting McAfee Center, Fort Monmouth, NJ August 13, 2014 Neighborhood Community and Revitalization Program (NCR) Procurement, Contract, and Construction Standards NJEDA Construction Contacts Diana

410 views • 40 slides
Program Construction Roland Backhouse January 2001 2 Outline Program Specification

Program Construction Roland Backhouse January 2001 2 Outline Program Specification

1 Program Construction Roland Backhouse January 2001 2 Outline Program Specification Assignments Conditional Statements Sequential Composition Loops 3 Program Specification Comments When writing computer programs it is a

388 views • 25 slides
Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan

Automated Reasoning Automated Reasoning Course Presentation Summary Automated Reasoning Motivations Course Plan Resources Exam Methods Motivations Automated Reasoning Automated reasoning mechanising the reasoning process. reasoning :

159 views • 14 slides
Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

Automated Reasoning: Some Successes and New Challenges Predrag Jani ci c

What is this talk about? What is automated reasoning? Automated reasoning in propositional logic Automated reasoning in first-order logic Automated reasoning in higher-order logic Automated reasoning in geometry Conclusions Automated

806 views • 52 slides
Lecture 14 (01.02.2016) Concluding Remarks Christoph Lth Jan Peleska Dieter Hutter Where are

Lecture 14 (01.02.2016) Concluding Remarks Christoph Lth Jan Peleska Dieter Hutter Where are

Systeme Hoher Sicherheit und Qualitt Universitt Bremen WS 2015/2016 Lecture 14 (01.02.2016) Concluding Remarks Christoph Lth Jan Peleska Dieter Hutter Where are we? 01: Concepts of Quality 02: Legal Requirements: Norms and

767 views • 38 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July 18, 2014 Motivation Cryptography is a small but important part of security Proofs are a small but important part of cryptography Hard to

402 views • 17 slides
Dependent Type Theory of Stateful Higher-Order Functions Aleksandar Nanevski Harvard University

Dependent Type Theory of Stateful Higher-Order Functions Aleksandar Nanevski Harvard University

Dependent Type Theory of Stateful Higher-Order Functions Aleksandar Nanevski Harvard University joint with Greg Morrisett and Lars Birkedal TYPES 2006, Nottingham April 20, 2006 Dependent Type Theory of Stateful Higher-Order Functions p.

625 views • 44 slides
Separation Logic for Weak Consistency PLMW15 Viktor Vafeiadis Max Planck Institute for

Separation Logic for Weak Consistency PLMW15 Viktor Vafeiadis Max Planck Institute for

Separation Logic for Weak Consistency PLMW15 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 14 January 2015 Sequential consistency Sequential consistency (SC): The standard model for concurrency. Interleave

375 views • 21 slides
Principles for Value Annotation Languages Bjrn Lisper School of Innovation, Design, and

Principles for Value Annotation Languages Bjrn Lisper School of Innovation, Design, and

Principles for Value Annotation Languages Bjrn Lisper School of Innovation, Design, and Engineering Mlardalen University bjorn.lisper@mdh.se July 8, 2014 WCET Workshop 2014 Introduction WCET analysis tools require many kinds of

434 views • 19 slides
Verifying Graph Transformation Systems with Description Logics Jon H. Brenas 1 , Rachid Echahed 2

Verifying Graph Transformation Systems with Description Logics Jon H. Brenas 1 , Rachid Echahed 2

Verifying Graph Transformation Systems with Description Logics Jon H. Brenas 1 , Rachid Echahed 2 and Martin Strecker 3 1 UTHSC - ORNL, University of Memphis, Tennessee, USA 2 CNRS and Universit e Grenoble Alpes, Grenoble, France 3 Universit

976 views • 59 slides
Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr

Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr

Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr egoire, Santiago Zanella-B eguelin 2012.07.10 Provable Privacy Workshop 2012 Privacy for Statistical Databases Privacy for Statistical Databases

721 views • 23 slides
A Coq formalization of an analysis and optimization of While Fedyukovich Grigory Andu, 5 of

A Coq formalization of an analysis and optimization of While Fedyukovich Grigory Andu, 5 of

A Coq formalization of an analysis and optimization of While Fedyukovich Grigory Andu, 5 of February, 2010 1 Introduction We present the formalization of the While language developed in Coq. Then we develop the type systems for live

472 views • 18 slides

More recommend