Program verification and correctness using Hoare logic

Preparedby:SharifOmarSalem–ssalemg@gmail.com
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
0

 Program verification attempts to ensure that a computer program is
correct. And a program is correct if it behaves in accordance with its
specifications.
 This does not necessarily mean that the program solves the problem
that it was intended to solve; the program’s specifications may be at
odds with or not address all aspects of a client’s requirements.
 Program validation attempts to ensure that the program indeed meets
the client’s original requirements.
 Program testing seeks to show that particular input values produce
acceptable output values.
 Proof of correctness uses the techniques of a formal logic system to
prove that if the input variables satisfy certain specified predicates or
properties, the output variables produced by executing the program
satisfy other specified properties.
1

What is assertions in computer programming
 an assertion is a predicate (for example a true–false statement) placed in a
program to indicate that the developer thinks that the predicate is always true at
that place.
 For example, the following code contains two assertions:
 Programmers can use assertions to help specify programs and to reason about
program correctness.
 For example, a precondition — an assertion placed at the beginning of a section
of code — determines the set of states under which the programmer expects
the code to execute. A postcondition — placed at the end — describes the
expected state at the end of execution.
2
x > 0 and x > 1, and they are indeed true at
the indicated points during execution.

 The previous example uses the notation for including assertions used
by C.A.R. Hoare in his 1969 paper.
 That notation cannot be used in existing mainstream programming
languages. However, programmers can include unchecked assertions
using the comment feature of their programming language. For
example, in
3
 C Language
 Java Language

 The central feature of Hoare logic is the Hoare triple. A triple
describes how the execution of a piece of code changes the state of
the computation. A Hoare triple is of the form

 where Q and R are assertions and P is a P command. Q is named
the precondition and R the postcondition: when the precondition is
met, the command establishes the postcondition. Assertions are
formulas in predicate logic.
 Hoare logic provides axioms and inference rules for all the
constructs of a simple imperative programming language.
 In addition to the rules for the simple language in Hoare's original
paper, rules for other language constructs have been developed
since then by Hoare and many other researchers. There are rules
for concurrency, procedures, jumps, and pointers.
4
{Q} P {R}  {Pre-condition} Program {Post-condition}

5

 Let us denote (suppose) by
 X  an arbitrary collection of input values.
 P  the program or program segment.
 Y  an arbitrary collection of output values.
 Y = P(X)  Y is the result of applying the program P using the inputs
X (the notation suggests that the Y values depend on the X values
through the actions of program P).
 Q(X)  a predicate describes conditions that the input values are
supposed to satisfy.
Q is the pre-condition.
 R(X,Y)  R[X, P(X)]  A predicate R describes conditions that the
output values are supposed to satisfy. These conditions will often
involve the input values.
R is the post-condition.
6

 For example, if a program is supposed to find the square root of a
positive number.
 X  Positive numbers (single input is x).
 Q(X)  x > 0
 Y  Output result (single output is y)  P(X)=
 R(X,Y)  x=y2
 Program P is correct if the following implication is valid:
 ("X)(Q(X)  R[X, P(X)])
 For the square root case, it is:
 ("x)(x > 0  x=[P(x)]2 )
7

 A program or program segment is broken down into individual statements si,
with predicates (Conditions) inserted between statements as well as at the
beginning and end.
 These predicates are also called assertions because they assert what is
supposed to be true about the program variables at that point in the program.
 {Q}
s0
 {R1}
s1
 {R2}
sn1
.
 {R}
 Where Q, R1, R2, ... , Rn = R are assertions. The intermediate assertions are often
obtained by working backward from the output assertion R.
8

 P is provably correct if each of the following implications holds:
 {Q}s0{Rl}
 {Rl}sl{R2}
 {R2}s2{R3}
.
.
.
 {Rn1}sn1{R}
 A proof of correctness for P consists of producing this sequence of valid
implications.
 Some new rules of inference can be used, based on the nature of the program
statement si.
9

 The goal of Hoare logic is to provide a compositional method for proving
the validity of Hoare triples. That is, the structure of a program's
correctness proof should mirror the structure of the program itself.
 Hoare logic is a methodology to assert the correctness of a program by
defining a precondition and postcondition predicates to define the status
of the variable before and after executing the program.
 Many rules could be used during applying hoare logic.
 Empty statement axiom schema
 Assignment axiom schema
 Rule of composition
 Conditional rule
 Consequence rule
 Loop rule
10

Empty statement axiom schema
The empty statement rule asserts that the skip statement
does not change the state of the program, thus whatever
holds true before skip also holds true afterwards.
11
{Q} Skip {Q}

Assignment axiom schema
The program/command part here is an assignment related to the
variable under assertion.
 The assignment axiom states that after the assignment any
predicate holds for the variable that was previously true, are also
true for the right-hand side of the assignment:
12
x:=2
x:=x+1
y:=x+1
{Q} Assignment {R}

 this axiom is “backwards” - it allows the precondition to be inferred
automatically from the statement and the postcondition .
 For example, the Hoare triple:
 {x  1 > 0} x = x  1 {x > 0}
 is valid by the assignment rule.
 The post-condition is:
 x > 0
 Substituting x  1 for x throughout the post-condition results in:
 x – 1 > 0 or x > 1
 which is the pre-condition.
13
Hoare Logic rules
{R(x/y)} y:=x {R}

Examples:
{ ? } x := 3 { x+y > 0 }
 What is the weakest precondition ?
{ ? } x=y+7 {x>42}
{ ? } x := 3+y + z { x + y - z > 0 }
{ ? } x := 3*y + z { x * y - z > 0 }
14
y > -3
y > 35
y > -1.5
3*y2 + z*y - z > 0

Sequence/Composition Rule:
 Hoare's rule of composition applies to sequentially-executed
programs S and T, where S executes prior to T and is written S;T.
15
{Q} S {Z} , {Z} T {R} ⊢ {Q} S;T {R}

Example:
{ ? } x := x + 1; y := x + y { y > 5 }
What is the weakest precondition ?
The solution method begin from backward by finding the weakest
precondition for the second part of the sequence
{ ? } y := x + y { y > 5 }
Then continue by finding the weakest precondition for the First part of
the sequence
{ ? } x := x + 1 { x > 5-y }
16
x+y>4
x+y>5
x+y>4

Consequence rule
17
{Q} P {R} , Q1 → Q ⊢ {Q1} P {R}
{Q} P {R} , R1 → R ⊢ {Q} P {R1}
{Q} P {R} , Q1 → Q , R1 → R ⊢ {Q1} P {R1}

Condition Rule
 A conditional statement is a program statement of the form:
 The Hoare triple is inferred from two other Hoare triples:
This simply says that each branch of the conditional statement must
be proved correct.
18
if condition B then
P1
else
P2
end if
{Q ∧ B } P1 {R} if B is true
{Q ∧ B } P2 {R} if B is false
Hoare Logic rules
{Q ∧ B } P1 {R} , {Q ∧ B } P2 {R} ⊢ {Q} if B then P1 else P2 endif {R}

Example:
{ ? } if x > 0 then y := x else y := -x { y > 5 }
What is the weakest precondition ?
 Conditional statement 1 “then: {Q1} y :=x { y > 5}”
 Q1 = x>5
 Condicional statement 2 “else: {Q2} y :=-x { y > 5}”
 Q2 = -x > 5
 Q = |x| > 5
19
|x| > 5

Example:
{a = T ^ b = 6 ^ c = 10} x := b {(x = 6 ^ a = T) ∨ (x = 10 ^ a = F)} and
{a = F ^ b = 6 ^ c = 10} x := c {(x = 6 ^ a = T) ∨ (x = 10 ^ a = F)}
 After applying the condition rule:
 {(b = 6 ^ c = 10)} If (a = T) then x := b; else x := c {(x = 6 ^ a = T) ∨ (x
= 10 ^ a = F)}
20

Rule for Iteration
 Suppose that si is a loop statement in the form:
 B is a condition of the while loop and P is a program segment/command.
 The Loop Rule of inference states that we can infer the following rule
{Q Λ B} P {Q} ⊢ {Q} si {Q Λ B }
 The precondition Q holds before the loop is entered and after it terminates.
 Q represents a predicate, or relation, among the values of the program
variables unaffected by the action of the loop iteration which is The loop
invariant.
21
while condition B do
P
end while

22
Rule for Iteration
• Q is the loop invariant - this is where the main difficulty is!
• This rule can be extended to handle total correctness where
we use termination condition test at post-condition predicate.
• A loop invariant is a relation among program variables that
is true when control enters a loop, remains true each time
the program executes the body of the loop, and is still true
when control exits the loop. Understanding loop invariants
can help us analyze programs, check for errors, and derive
programs from specifications.
{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q∧￢B}
{Inv ∧ Condition} P {Inv} ⊢ {Inv} while (Condition) [P] {Inv ∧￢Condition}

Example:
while (x < 10) x = x+1
 Start with this:
 x <= 10 is a useful loop invariant.
 {x <= 10} while (x < 10) x = x+1 {??}
 Move inside the test: {Inv ∧ Condition} P {Inv}
 {x <= 10 ^ x < 10} x = x+1 {x <= 10}
 Backing out: {Inv} while (Condition) [P] {Inv ∧￢Condition}
 { x <= 10} while (x<10) x=x+1 {¬(x < 10) ^ x <= 10}
23

24
Hoare Logic rules

• Empty statement rule.
• Assignment rule.
• Composition rule.
• Consequence rule.
• Conditional rule.
• Loop rule.
25
{Q} Skip {Q}
{Q} Assignment {R}
{Q} S {Z} , {Z} T {R} ⊢ {Q} S;T {R}
{Q} P {R} , Q1 → Q , R1 → R ⊢ {Q1} P {R1}
{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q∧￢E}

 Here are a number of valid Hoare Triples for the same command
segment
 {x = 5} x := x * 2 { true }
 {x = 5} x := x * 2 { x > 0 }
 {x = 5} x := x * 2 { (x = 10) ^ (x = 5) }
 {x = 5} x := x * 2 { x = 10 }
 All are true, but the most useful one is the one with se (it is the most specific
condition )
x=10 is the strongest postcondition ………… Why????????????
 check: x = 10 ⇒ true
 check: x = 10 ⇒ x > 0
 check: x = 10 ⇒ x = 10 || x = 5
 check: x = 10 ⇒ x = 10
26
If {Q} P {R} and for all R* such that {Q} P {R*}, R ⇒ R*, then R is the
strongest postcondition [ sp(P,Q) ] of P with respect to Q.

 Here are a number of valid Hoare Triples for the same command
segment
 {(x = 5) Λ (y = 10)} z := x / y { z < 1 }
 {(x < y) Λ (y > 0)} z := x / y { z < 1 }
 {(y ≠ 0) Λ (x / y < 1)} z := x / y { z < 1 }
 All are true, but the most useful one is the one with the most general condition
(y ≠ 0) Λ (x / y < 1) is the weakest precondition ……….. Why??????
 check: (x = 5) Λ (y = 10) ⇒ (y ≠ 0) Λ (x / y < 1)
 check: (x < y) Λ (y > 0) ⇒ (y ≠ 0) Λ (x / y < 1)
 check: (y ≠ 0) Λ (x / y < 1) ⇒ (y ≠ 0) Λ (x / y < 1)
27
If {Q} P {R} and for all Q* such that {Q*} P {R}, Q* ⇒ Q, then Q is the
weakest precondition [ wp(P,R) ] of P with respect to R.

 {Q} P {R} holds if and only if Q ⇒ wp(P,R)
 In other words, a Hoare Triple is still valid if the precondition is
stronger than necessary, but not if it is too weak
 {Q} P {R} holds if and only if sp(P,Q) ⇒ R
 A Hoare Triple is still valid if the postcondition is weak
enough, but not if it is too strong.
In other words, both conditions must be strong enough
to hold the best general condition as the precondition
and the best specific condition as the postcondition.
28

 Assignment rule conditions
{ Q } x := 3 { x+y > 0 }
 What is the weakest precondition Q?
 If {Q} P {R} then the weakestprecondition [wp(P,R) ]
 Assignment rule
 wp(X:= E, R) = (X:=E), R
 = (x:=3), (x + y > 0)
 = (3) + y > 0
 = y > -3
29

 Assignment
{ Q } x := 3*y + z { x * y - z > 0 }
 If {Q} P {R} then the weakestprecondition [wp(P,R) ]
 Assignment rule
 wp(X:= E, R) = (X:=E), R
 = (x:=3*y+z), (x * y – z > 0)
 = (3*y+z) * y - z > 0
 = 3*y2 + z*y - z > 0
30

 Sequence
{ Q } x := x + 1; y := x + y { y > 5 }
 Sequence rule
 wp(S;T, R) = wp(S, wp(T, R))
 wp(x:=x+1; y:=x+y, y>5)
 = wp(x:=x+1, wp(y:=x+y, y>5))
 = wp(x:=x+1, x+y>5)
 = x+1+y>5
 = x+y>4
31
wp(y:=x+y, y>5)
= (y:= x+y ), ( y>5)
= x+y > 5

Conditional
{ Q } if x > 0 then y := x else y := -x { y > 5 }
answer:
 Case 1 then: {Q1} y :=x { y > 5}
Q1 = x>5
 Case 2 else: {Q2} y :=-x { y > 5}
Q2 = -x > 5
 Q = (x > 5) ∧ ( -x > 5) = |x| > 5
32
wp(y:=x, y>5)
= (y:= x ), ( y>5)
= x > 5
wp(y:= -x, y>5)
= (y:= -x ), ( y>5)
= -x > 5

Conditional
{ Q } if x > 0 then y := x else y := -x { y > 5 }
 Conditional rule
wp(if B then P1 else P2, R)
= B ⇒ wp(P1,R) ∧ B’ ⇒ wp(P2,R)
 wp(if x>0 then y:=x else y:=-x, y>5)
= x>0 ⇒ wp(y:=x, y>5) ∧ x≤0 ⇒ wp(y:=-x, y>5)
= x>0 ⇒ x>5 ∧ x≤0 ⇒ -x>5
 = |x| > 5
33

34

35

Program verification and correctness using Hoare logic

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Program verification and correctness using Hoare logic

Similar to Program verification and correctness using Hoare logic (20)

Recently uploaded

Recently uploaded (20)

Program verification and correctness using Hoare logic