predefenseslide

Motivation and Goal Related Work HR H∗
R
Appendix
Completeness of Veriﬁcation System with
Separation Logic for Recursive Procedures
Mahmudul Faisal Al Ameen
Department of Informatics
SOKENDAI (The Graduate University for Advanced Studies)
June 3, 2015
Mahmudul Faisal Al Ameen — Completeness of Veriﬁcation System with Separation Logic for Recursive Procedures 1/44

R
Appendix
Contents
1 Motivation and Goal
2 Related Work
3 HR
System
Achivement
4 H∗
R
System
Challenges and Solution
Expressiveness and Completeness
5 Appendix

R
Appendix
Motivation and Goal
Motivation
Ensure safety of mission critical programs
Verify program’s correctness with its execution safety
Goal
A veriﬁcation system for simple imperative programs with
recursive procedures, and
commands for explicitly allocate, read, write and
deallocate memory.

R
Appendix
Related Work
An axiomatic basis for computer programming by C.A.R.
Hoare at 1969
Soundness and completeness of an axiom system for
program veriﬁcation by S.A. Cook at 1978
Ten Years of Hoares Logic by K.R. Apt at 1981
Separation logic: a logic for shared mutable data
structures by J.C. Reynolds at 2002
Completeness of pointer program veriﬁcation by
separation logic by Tatsuta et el. at 2009

R
Appendix
New Hoare’s Logic for Recursive
Procedures (HR )

R
Appendix
Goal and The System
Goal
A Hoare’s logic for recursive procedure that can be extended to
separation logic.
Language
Similar to Hoare’s Logic for Recursive Procedures in [Apt, 1981]
Programming language
Recursive procedures in the context are
Procedure R1(Q1),...,Procedure Rnproc
(Qnproc
)
Assertion language
Semantics of programming language
Semantics of assertion language

R
Appendix
Logical System - Part I
SKIP:
Γ {A}skip{A}
AXIOM:
Γ ,{A}P{B} {A}P{B}
ASSIGNMENT:
Γ {A[x := e]}x := e{A}
COMPOSITION:
Γ {A}P1{C} Γ {C}P2{B}
Γ {A}P1;P2{B}
CONSEQ:
Γ {A1}P{B1}
Γ {A}P{B} (A → A1, B1 → B)
IF:
Γ {A ∧ b}P1{B} Γ {A ∧ ¬b}P2{B}
Γ {A}if (b) then (P1) else (P2){B}
WHILE:
Γ {A ∧ b}P{A}
Γ {A}while (b) do (P){A ∧ ¬b}
RECURSION:
Γ ∪ {{Ai }Ri {Bi }|i = 1,...,nproc} {A1}Q1{B1}
...
Γ ∪ {{Ai }Ri {Bi }|i = 1,...,nproc} {Anproc
}Qnproc
{Bnproc
}
Γ {Aj }Rj {Bj }

R
Appendix
Logical System - Part II
HR
INV-CONJ:
Γ {A}P{C}
Γ {A ∧ B}P{C ∧ B}
(FV(B) ∩ Mod(P) = ∅)
EXISTS:
Γ {A}P{B}
Γ {∃x.A}P{B}
(x FV(B) ∪ EFV(P))
Replaces
HR [Apt, 1981]
INVARIANCE AXIOM:
Γ {A}P{A}
(FV(A) ∩ EFV(P) = ∅)
SUBSTITUTION RULE I:
Γ {A}P{B}
Γ {A[y/z]}P{B[y/z]}
(y,z EFV(P))
SUBSTITUTION RULE II:
Γ {A}P{B}
Γ {A[y/z]}P{B}
(z EFV(P) ∪ FV(B))
CONJUNCTION RULE:
Γ {A}P{B} Γ {C}P{D}
Γ {A ∧ C}P{B ∧ D}

R
Appendix
Derivability of SUBSTITUTION RULE I
Proposition
SUBSTITUTION RULE I,
Γ {A}P{B}
Γ {A[y/z]}P{B[y/z]}
(y,z EFV(P))
, is derivable.
Proof:
Assumption: Γ {A}P{B}
INV-CONJ (z,y EFV(P)): Γ {A ∧ y = z}P{B ∧ y = z}
CONSEQ (B ∧ y = z → B[z/y]): Γ {A ∧ y = z}P{B[z/y]}
EXISTS (y FV(B[z/y])): Γ {∃y(A ∧ y = z)}P{B[z/y]}
CONSEQ (A[z/y] → ∃y(A ∧ y = z)) Γ {A[z/y]}P{B[z/y]}

R
Appendix
Results
Theorem: Completeness
If {A}P{B} is true then {A}P{B} is provable.
Completeness in the sense of Cook
We assume that
the assertion language is expressive relative to the
programs for all interpretation.
all the true assertions are given.
Theorem: Equivalence
Γ HR
{A}P{B} if and only if Γ HR
{A}P{B}.

R
Appendix
A Veriﬁcation System for Pointer
Programs with Recursive Procedures
(H∗
R )

R
Appendix
Assertion Language
Assertion language is the same as that of Separation logic,
that is A with special connectives to assert about heap.
Assertion Language, A∗
A ::= emp (empty heap)
| e → e (singleton heap)
| e = e | e < e | ¬A | A ∧ A | A ∨ A | A → A (boolean formula)
| ∀xA | ∃xA (quantiﬁers)
| A ∗ A (separating conjunction)
| A −∗ A (separating implication)
A pure formula does not assert about heap, which is
constructed by the ﬁrst order language with equality.

R
Appendix
Languages
Programming language is obtained from while programs with
recursive procedures and commands for memory allocation,
access, change and deallocation.
Programming Language, L
Procedure R1(Q1), ..., Procedure Rnproc
(Qnproc
)
P,Q ::= x := e (assignment)
| if (b) then (P) else (P) (condition)
| while (b) do (P) (iteration)
| P;P (composition)
| skip (no operation)
| x := cons(e,e) (allocation)
| x := [e] (read)
| [e] := e (write)
| dispose(e) (deallocation)
| Ri (procedure name)
L− is obtained from removing the construct for procedure names (Ri ) from L.

R
Appendix
Semantics
Heap, h : Locs →ﬁn N
l1 m1
l2 m2
... ...
lk mk
A state is a pair of store s and heap h, (s,h).
Example of semantics: Mutation
x 3
... ...
3 0
4 0
[x] := 5
(mutation)
x 3
... ...
3 5
4 0
store, s heap, h store, s
heap, h[ x s := 5]

R
Appendix
Semantics of Programs (Example)
Non-deterministic semantics
x 0
... ...
(empty heap)
x :=cons(97,101)
x 2
... ...
2 97
3 101
or
x 1
... ...
1 97
2 101
or
x 3
... ...
3 97
4 101
...
How abort occurs
x 3
... ...
4 0 [x] := 5 abort

R
Appendix
Semantics of Programs in L−
P −(abort) = {abort},
x := e −((s,h)) = {(s[x := e s],h)},
if (b) then (P1) else (P2) −((s,h)) =
P1 ((s,h)) if b s=True
P2 ((s,h)) otherwise,
while (b) do (P) − is the least function satisfying
while (b) do (P) −(abort) = {abort},
while (b) do (P) −((s,h)) = {(s,h)} if b s = False,
while (b) do (P) −((s,h)) = { while (b) do (P) −(r) | r ∈ P −((s,h))} otherwise
P1;P2
−((s,h)) = { P2
−(r) | r ∈ P1
−((s,h))},
skip −((s,h)) = {(s,h)},
x := cons(e1,e2) −((s,h)) =
{(s[x := n],h[n := e1 s,n + 1 := e2 s])|n > 0,n,n + 1 Dom(h)},
x := [e] −((s,h)) = {(s[x := h( e s)],h)} if e s ∈ Dom(h),{abort} otherwise,
[e1] := e2
−((s,h)) = {(s,h[ e1 s := e2 s])} if e1 s ∈ Dom(h),{abort} otherwise,
dispose(e) −((s,h)) = {(s,h|Dom(h)−{ e s })} if e s ∈ Dom(h),{abort} otherwise

R
Appendix
Semantics of Programs in L
Type of Semantics of P
P : States ∪ {abort} → p(States ∪ {abort})
Program unfolding:
Ω ≡ while (0 = 0) do (skip),
P(0) = P[Ω,...,Ω],
P(k+1) = P[Q(k)].
Deﬁnition of P
P (r) = ∞
i=0( P(i) −(r))

R
Appendix
Semantics of Assertions in A∗
emp (s,h) = True if Dom(h) = ∅,
e1 = e2 (s,h) = ( e1 s = e2 s),
e1 < e2 (s,h) = ( e1 s < e2 s),
e1 → e2 (s,h) = True if Dom(h) = { e1 s} and h( e1 s) = e2 s,
¬A (s,h) = (not A (s,h)),
A ∧ B (s,h) = ( A (s,h) and B (s,h)),
A ∨ B (s,h) = ( A (s,h) or B (s,h)),
A → B (s,h) = ( A (s,h) implies B (s,h)),
∀xA (s,h) = True if A (s[x:=m],h) = True for all m ∈ N,
∃xA (s,h) = True if A (s[x:=m],h) = True for some m ∈ N,
A ∗ B (s,h) = True if h = h1 + h2,
A (s,h1) = B (s,h2) = True for some h1,h2,
A −∗ B (s,h) = True if h2 = h1 + h and
A (s,h1) = True implies B (s,h2) = True for all h1,h2

R
Appendix
An Asserted Program
Asserted Program: {A}P{B}
Precondition: A
Program: P
Postcondition: B
Semantics
{A}P{B} is deﬁned to be True if both of the following hold.
1 ∀(s,h) ( A (s,h) = True → P ((s,h)) abort).
2 ∀(s,h),(s ,h )
( A (s,h) = True ∧ P ((s,h)) (s ,h ) → B (s ,h ) = True).

R
Appendix
Challenges
We need –
Hoare’s logic for recursive procedures + Separation logic
Choices of Logical System Construction
1 HR in [Apt, 1981], or our new HR .
2 Local, global or backwards reasoning inference rules of
Separation logic in [Reynolds, 2002].
Other Challenges
1 The expression x = z
is necessary to prove the completeness
cannot be used for heap information
2 Existence of abort made it diﬃcult to utilize the strongest
postcondition in separation logic.

R
Appendix
Logical System Construction
Issues
1 INVARIANCE AXIOM in HR is not sound in Separation logic.
{emp}cons(0,0){emp} is provable but false
{x = 0}[0] := 0{x = 0} is provable but false
2 SUBSTITUTION RULE I in HR is derivable in HR .
3 Backwards reasoning rules are chosen in [Tatsuta, 2009]
to show completeness.
Our Choice
1 The new and complete logical system HR .
2 Backwards reasoning rules for pointer programs.

R
Appendix
Logical System - H∗
R
H∗
R
(The extension of Hoare’s logic and separation logic to recursive procedures) is obtained from HR .
SKIP:
Γ {A}skip{A}
AXIOM:
Γ ,{A}P{B} {A}P{B}
ASSIGNMENT:
Γ {A[x := e]}x := e{A}
COMPOSITION:
Γ {A}P1{C} Γ {C}P2{B}
Γ {A}P1;P2{B}
CONSEQ:
Γ {A1}P{B1}
Γ {A}P{B} (A → A1, B1 → B)
IF:
Γ {A ∧ b}P1{B} Γ {A ∧ ¬b}P2{B}
Γ {A}if (b) then (P1) else (P2){B}
WHILE:
Γ {A ∧ b}P{A}
Γ {A}while (b) do (P){A ∧ ¬b}
RECURSION:
Γ ∪ {{Ai }Ri {Bi }|i = 1,...,nproc} {A1}Q1{B1}
..
.
Γ ∪ {{Ai }Ri {Bi }|i = 1,...,nproc} {Anproc
}Qnproc
{Bnproc
}
Γ {Aj }Rj {Bj }

R
Appendix
Logical System - H∗
R
INV-CONJ:
Γ {A}P{C}
Γ {A ∧ B}P{C ∧ B}
(FV(B) ∩ Mod(P) = ∅,B is pure)
EXISTS:
Γ {A}P{B}
Γ {∃x.A}P{B}
(x FV(B) ∪ EFV(P))
added with the following backwards reasoning rules
CONS:
Γ {∀x ((x → e1,e2) −∗ A[x := x ])}x := cons(e1,e2){A}
(x FV(e1,e2,A))
LOOKUP:
Γ {∃x (e → x ∗ (e → x −∗ A[x := x ]))}x := [e]{A}
(x FV(e,A))
MUTATION:
Γ {(∃x(e1 → x)) ∗ (e1 → e2 −∗ A)}[e1] := e2{A}
(x FV(e1))
DISPOSE:
Γ {(∃x(e → x)) ∗ A}dispose(e){A}
(x FV(e))

R
Appendix
Expressiveness: Coding
Coding in Peano Arithmetic
(n,m): code of pair of n and m
n1,...,nk : code of sequence n1,...,nk
A store s of x1,...,xk : ˆs = n1,...,nk where xi = nk
Heap h: ˆh = (l1,v1),...,(lk ,vk ) where h(li ) = vi , l1 > 0, li < li+1
State (s,h): (ˆs, ˆh) + 1. abort: 0.

R
Appendix
Formalization of Assertions
Coding
HEvalA (m): A is true in the state where m is the coded
heap and store is the current store.
EvalA,x(n,m): A is true at the state coded by (n,m) + 1.
Example 1: HEvalA∗B (m) = ∃y1y2(Separate(m,y1,y2) ∧ HEvalA (y1) ∧ HEvalB (y2))
y1 and y2 represents two disjoint heaps where their concatenation is m and A and B is
true at y1 and y2 respectively.
Example 2: HEvalA−∗B (m) = ∀y1y2(HEvalA (y2) ∧ Separate(y1,m,y2) → HEvalB (y1))
If m and y2 represents two disjoint heaps and their concatenation is y1 and A is true
at y2 then B is true at y2.

R
Appendix
Representation Lemma: Assertions
Representation
Relation of computation between real world and representation
world.
EvalA,x(n,m) means A (s,h) for ˆs = n and ˆh = m.
Lemma A: Representation Lemma for Assertions
1 If Heapcode(m,h) holds then HEvalA (m) s = A (s,h) also
holds.
2 EvalA,x(n,m) is true if and only if
∃sh(Storecodex(n,s) ∧ Heapcode(m,h) ∧ A (s,h) = True)
holds.

R
Appendix
Formalization of Programs
Coding: ExecUP,x(m,n1,n2)
Execution of k level unfolding of P at the state coded by n1
gives a state coded by n2
Example 1: ExecUwhile (b) do (P),x(m,n1,n2)
n1 = 0 gives n2 = 0
n1 > 0 gives the following:
n1 = w1,...,wk = n2;
∀i < k, b is true at wi and ExecUP,x(m,wi ,wi+1));
wk > 0 implies ¬b at wk .

R
Appendix
Example 2: ExecUx:=cons(e1,e2),x(m,n1,n2)
n1 = 0 gives n2 = 0
n1 > 0 gives the following:
n1 = (p,q) + 1;
e1 is w1 and e2 is w2 at the store coded by p;
w,w + 1 isn’t in domain of heap, coded by q;
p = p1,...,pi−1,w,... where x = xi ;
q = q + (w,w1),(w + 1,w2) ;
n2 = (p ,q ) + 1.
Example 3:
ExecURi ,x(m,n1,n2) =
n1 = 0 ∧ n2 = 0 m = 0
ExecUQi ,x(m − 1,n1,n2) m > 0

R
Appendix
Coding: ExecP,x(n1,n2)
Execution of P for the state coded by n1 gives a state coded by
n2 for some level of unfolding of P.
ExecP,x(n1,n2) = ∃k(ExecUP,x(k,n1,n2))
Representation world and Real world
Relation of computation between real world and
representation world
ExecP,x(n1,n2) means ˆr1 = n1, ˆr2 = n2 and P (r1) r2.

R
Appendix
Representation Lemmas of Programs
Lemma P-I: Representation Lemmas
1 If ExecUP,x(k,n1,n2) is true, then for all r1 such that
Resultx(n1,r1), we have r2 such that Resultx(n2,r2) and
P(k) −(r1) r2.
2 If P(k) −(r1) r2, Resultx(n1,r1), and Resultx(n2,r2) hold, then
ExecUP,x(k,n1,n2) is true.
Lemma P-II: Representation Lemmas
1 If ExecP,x(n1,n2) is true, then for all r1 such that Resultx(n1,r1),
we have r2 such that Resultx(n2,r2) and P (r1) r2.
2 If P (r1) r2, Resultx(n1,r1), and Resultx(n2,r2) hold, then
ExecP,x(n1,n2) is true.

R
Appendix
Expressiveness
Lemma WP: Lemmas for the Weakest Precondition
WP,A (x) gives the weakest assertion such that
1 {WP,A (x)}P{A} is true.
2 If P ((s,h)) r implies r abort and A r = True for all r, then
WP,A (x) (s,h) = True.
3 If {A}P{B} is true, then A → WP,B (x) is true.
Theorem: Expressiveness
A∗ is expressive relative to the set of programs L under standard
interpretation.
∀P ∈ L,A ∈ A∗,∃W ∈ A∗
W (s,h) = True ⇐⇒ (s,h) ∈ {(s,h) | ∀r( P ((s,h)) r → A r)}

R
Appendix
Completeness
Idea:
Extending the completeness proof of
Hoare’s Logic with recursive procedure
Separation Logic
Utilizing the strongest postcondition in separation logic
Using {A}P{True} as the abort-free condition for a program
and an assertion
To express general information about a state
Using Heap(xh ) to express the general information of a
heap by coding in xh .
Using WP,True(x) to ensure execution of P without abort.
Relative completeness: we assume all the true assertions
are given

R
Appendix
Lemmas for Completeness
SA,P (x)
∃xyzw(EvalA,x(x,y) ∧ Pair2(z,x,y) ∧ ExecP,x(z,w)∧
∃y1z1(Pair2(w,y1,z1) ∧ Storex(y1) ∧ Heap(z1))).
Lemma SP: Lemmas for Strongest Postcondition
1 If {A}P{True} is true then {A}P{SA,P (x)} is true.
2 SA,P (x) (s ,h ) implies ∃s,h( A r ∧ P ((s,h)) (s ,h )).

R
Appendix
Completeness
y = ∪
nproc
i=1 EFV(Ri )
x ⊇ y ∪ FV(A) ∪ EFV(P) for all A ∈ A∗ and P ∈ L
(z ∪ {xh }) ∩ x = ∅
x = x ∪ z ∪ {x}
Gi is y = z ∧ Heap(xh ) ∧ WRi ,True(x)
Fi is {Gi }Ri {SGi ,Ri
(x)}
Key Lemmas:
Lemma 1
If {A}P{B} is true then F1,...,Fnproc
{A}P{B}.
Lemma 2
Fi is provable for all i = 1,...,nproc.

R
Appendix
Completeness
y = ∪
nproc
i=1 EFV(Ri ) and z ∩ y = ∅ Gi is y = z ∧ Heap(xh ) ∧ WRi ,True(x) Fi = {Gi }Ri {SGi ,Ri
(x)}
Lemma 1
{A}P{B}.
Proof.
Proved by induction on P. Here we will present most interesting cases of P, Ri .
Let H be HEvalA[y:=z](xh )
Assume that {A}Ri {B} is true.
Naturally F1,...,Fnproc
{Gi }Ri {SGi ,Ri
(x)}
INV-CONJ (EFV(Ri ) ∩ FV(H) = ∅): F1,...,Fnproc
{Gi ∧ H}Ri {SGi ,Ri
(x) ∧ H}
To be proved: SGi ,Ri
(x) ∧ H → B
Assume SGi ,Ri
(x) ∧ H (s ,h ) = True
Lemma SP(2): ∃s,h( Ri ((s,h)) (s ,h ) and Gi (s,h) = True)
We have H (s,h) = True
Since s(z) = s(y) Heap(xh ) ∧ WRi ,True(x) ∧ HEvalA (xh ) (s,h) = True
Lemma A(1): A (s,h) = True
Since Ri ((s,h)) (s ,h ) B (s ,h ) = True

R
Appendix
Completeness
y = ∪
nproc
i=1 EFV(Ri ) and z ∩ y = ∅ Gi is y = z ∧ Heap(xh ) ∧ WRi ,True(x) Fi = {Gi }Ri {SGi ,Ri
(x)}
Lemma 1
{A}P{B}.
Proof.
Proved by induction on P. Here we will present most interesting cases of P, Ri .
Let H be HEvalA[y:=z](xh )
Assume that {A}Ri {B} is true.
Naturally F1,...,Fnproc
{Gi }Ri {SGi ,Ri
(x)}
INV-CONJ (EFV(Ri ) ∩ FV(H) = ∅): F1,...,Fnproc
{Gi ∧ H}Ri {SGi ,Ri
(x) ∧ H}
Now Proved: SGi ,Ri
(x) ∧ H → B
CONSEQ: F1,...,Fnproc
{Gi ∧ H}Ri {B}
EXISTS: F1,...,Fnproc
{∃z,xh (Gi ∧ H)}Ri {B}
Lemma WP(3) ({A}P{True}): A → WRi ,True(x)
A → ∃x(Heap(x) ∧ HEvalA (x): A → ∃z,xh (y = z ∧ Heap(xh ) ∧ HEvalA[y:=z](xh ) ∧ WRi ,True(x))
CONSEQ: F1,...,Fnproc
{A}Ri {B}

R
Appendix
Completeness
Lemma 2
Fi is provable for all i = 1,...,nproc.
Proof.
Fix i.
z ,xh : fresh variables.
Gi is Gi [z := z ,xh := xh ].
SGi ,Ri
(x) is SGi ,Ri
(x)[z := z ,xh := xh ].
Lemma WP(1): {WRi ,True(x)}Ri {True} is true.
∴ {Gi }Ri {True} is true.
Lemma SP(1): {Gi }Ri {SGi ,Ri
(x)} is true.
Since Ri = Qi {Gi }Qi {SGi ,Ri
(x)} is true.
Truthness of Proposition: {Gi }Qi {SGi ,Ri
(x)} is true.
Lemma 1 F1,...,Fnproc
{Gi }Qi {SGi ,Ri
(x)} is provable.
Proposition: F1,...,Fnproc
{Gi }Qi {SGi ,Ri
(x)} is provable.
RECURSION: Fi is provable.

R
Appendix
Theorems
Theorem: Completeness
If {A}P{B} is true then {A}P{B} is provable.
Proof.
Assume {A}P{B} is true
Lemma 1: F1,...,Fnproc
{A}P{B}
Lemma 2: Fi is provable for all i = 1,...,nproc.
∴ {A}P{B} is provable.

R
Appendix
Conclusion
Result
1 A new Hoare’s logic for recursive procedure (HR )
Introduction of two new inference rules.
Derivability of an inference rule of HR in HR .
Completeness in the sense of Cook.
2 A veriﬁcation system for Hoare’s logic and separation logic for
recursive procedures.
Proved inconsistency of an axiom of HR in the separation
logic. HR is extended instead.
Heap(xh ): to express general information of heap
{A}P{True} and WP,True(x): to reason about abort-free
execution
Proof of soundness and expressiveness for standard
interpretation
Proof of relative completeness

R
Appendix
Thank you very much

R
Appendix
Example of Veriﬁcation
Let A be ∀y(y ≥ x ∧ y < z ⇐⇒ ∃(y → w) ∗ True)
Procedure R1(if (x < z) then (dispose(x);x := x + 1;R1) else (skip))
Γ {A[x := x + 1]}x := x + 1{A}
assignment
Γ {A}R1{emp}
axiom
Γ {A[x := x + 1]}x := x + 1;R1{emp}
comp

R
Appendix
Γ {A[x := x + 1]}x := x + 1{A}
assignment
Γ {A}R1{emp}
axiom
Γ {A[x := x + 1]}x := x + 1;R1{emp}
comp
Γ {(∃y(x → y)) ∗ A[x := x + 1]}dispose(x){A[x := x + 1]}
dispose
Γ {A[x := x + 1]}x := x + 1;R1{emp}
Γ {(∃y(x → y)) ∗ A[x := x + 1]}dispose(x);x := x + 1;R1{emp}
comp

R
Appendix
Γ {A[x := x + 1]}x := x + 1{A}
assignment
Γ {A}R1{emp}
axiom
Γ {A[x := x + 1]}x := x + 1;R1{emp}
comp
dispose
Γ {A[x := x + 1]}x := x + 1;R1{emp}
comp
Γ {A ∧ ¬(x < z)}skip{A ∧ ¬(x < z)
skip
A ∧ ¬(x < z) → emp
Γ {A ∧ ¬(x < z)}skip{emp}
conseq

R
Appendix
Γ {A[x := x + 1]}x := x + 1{A}
assignment
Γ {A}R1{emp}
axiom
Γ {A[x := x + 1]}x := x + 1;R1{emp}
comp
dispose
Γ {A[x := x + 1]}x := x + 1;R1{emp}
comp
Γ {A ∧ ¬(x < z)}skip{A ∧ ¬(x < z)
skip
A ∧ ¬(x < z) → emp
Γ {A ∧ ¬(x < z)}skip{emp}
conseq
Γ {A ∧ x < z}dispose(x);x := x + 1;R1{emp} Γ {A ∧ ¬(x < z)}skip{emp}
Γ {A}if (x < z) then (dispose(x);x := x + 1;R1) else (skip){emp}
if
{A}R1{emp}
rec

predefenseslide

Recommended

Recommended

More Related Content

What's hot

What's hot (12)

Similar to predefenseslide

Similar to predefenseslide (20)

More from Mahmudul Faisal

More from Mahmudul Faisal (6)

predefenseslide