2. Review
• Questions in Assignment 1
– Negation of English statements
• Validity of predicate logic
– (∀x) [P(x) ∧ Q(x)] (∀x) P(x) ∧ (∀x) Q(x)
Yes
– (∀x) [P(x) ∨ Q(x)] (∀x) P(x) ∨ (∀x) Q(x)
No
3. Motivation
• When a software company is developing new
software, it needs to ensure the product
is error free and reliable. But how?
4. Motivation
• Software Quality assurance
– Program Verification
• Attempts to ensure that a computer program is
correct (it follows the specification).
– Program Validation
• It attempts to ensure that the program meets the
client’s original requirements (about the design and
specification).
– We will focus on Program verification
5. Program Verification
• Two approaches: Program testing and program
• Program Testing
– Seeks to show that particular input values produce
acceptable output values.
– Testing can prove the presence of errors but never their
absence
– It is a major part of software development (some tools
could help, e.g. JUnit in Eclipse, a Java IDE)
6. Program Verification (cont.)
• Proof of correctness
– Use the techniques of a formal logic system to
prove that if the input values satisfy certain
constraints, the output values produced by the
program satisfy certain properties.
• The difference between proof of correctness and
testing. For example, consider a program to compute the
average of two numbers x1, x2.
– Testing takes particular inputs x1, x2 and checks that the result is
(x1+x2)/2 for each of them
– Proof of correctness establishes that the result is the average for all inputs
7. Formal Methods
• Advantages
– Change programming from a private, puzzle-solving activity to a
public, verifiable activity of translating specifications into
programs
– Based on formal mathematical techniques
– Only way to provide guaranteed correctness
– Supported by formal languages (Z, VDM-SL, REFINE), proof-
checkers, and translation systems
• Disadvantages
– Notations are often confusing
– Formal techniques do not scale up very well.
8. Assertions
Hoare triple: {Q} P {R}
Q is the precondition; R is the postcondition.
{Q} P {R} ==
(∀X)(Q(X) → R[X, P(X)])
Q(X) – what the input values are supposed to satisfy
R – what the output values are supposed to satisfy
9. Assertions (cont.)
A program P written as a sequence of statements with assertions between them:
{Q}
S0
{R1}
S1
{R2}
...
Sn-1
{R}
Assertions (or predicates) assert what is supposed to be true at that point.
A proof of correctness for P consists of producing this sequence of valid implications:
{Q} S0 {R1}
{R1} S1 {R2}
{R2} S2 {R3}
...
{Rn-1} Sn-1 {R}
Some new rules may be used.
10. Assignment Rule
{Ri} x = e {Ri+1}
• If the precondition and postcondition are appropriately related, the
Hoare triple can be inserted at any time in a proof sequence.
• Can derive {Ri} Si {Ri+1}
• Restrictions
1. Si has the form x = e.
2. Ri is Ri+1 with e substituted everywhere for x.
• The assignment rule tells us what a precondition should look like
based on what a postcondition looks like, so a proof of correctness
often begins with the final desired postcondition and works its way
back up.
11. Examples
Swap(x,y) {
temp = x
x = y
y = temp
}
Proof sequence for Swap:
{y=b, x=a}
temp = x
{y=b, temp=a}
x = y
{x=b, temp=a}
y = temp
{x=b, y=a}
Second example:
{x-4 = x-4}
y = x
{y-4 = x-4}
y = y-4
{y = x-4}
Try:
{x = 3}
y = 4
z = x+y
{z = 7}
12. Conditional Rule
{Q} Si {R}
If Si is a conditional statement, the triple is inferred from two other
triples. Each branch of the conditional statement must be proved correct.
From {Q ∧ B} P1 {R} and {Q ∧ B'} P2 {R}, can derive {Q} Si {R}.
Restriction: Si has the form
if condition B then
P1
else
P2
end if
13. Examples
{n=5}
if n >= 10 then
y = 100
else
y = n+1
end if
{y = 6}
The precondition is n = 5 and B is n >= 10. We must prove:
1) {n = 5 and n >= 10} y = 100 {y = 6}
2) {n = 5 and n < 10} y = n + 1 {y = 6}
1) is true because the antecedent is false.
To prove 2), work back from the postcondition with the assignment rule:
{n+1 = 6} (i.e. n = 5)
y = n+1
{y = 6}
Thus {n+1 = 6} y = n + 1 {y = 6} is true by the assignment rule, and since
n = 5 and n < 10 implies n + 1 = 6, {n = 5 and n < 10} y = n + 1 {y = 6} is also true.
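The assignment rule (slide 10, with the Swap and y = x-4 examples on slide 11) and the conditional rule (slides 12 and 13) can both be mechanised: the precondition of an assignment is the postcondition with the expression substituted for the variable, and a conditional needs each branch proved under its own guard. The following is an added example, not part of the lecture notes; it uses Python's ast module to perform the substitution on assertions written as Python boolean expressions, and it checks the resulting implication by brute force over a small integer domain (an assumption of this example; a real proof would use a theorem prover, not enumeration).

```python
import ast
import copy
import itertools


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of variable `var` with a copy of expression node `expr`."""

    def __init__(self, var, expr):
        self.var, self.expr = var, expr

    def visit_Name(self, node):
        if node.id == self.var:
            # Return a copy and do not descend into it: substitution is simultaneous,
            # so an `x` inside `expr` is never substituted again.
            return copy.deepcopy(self.expr)
        return node


def wp_assign(var, expr, post):
    """Assignment rule: the precondition of `var = expr` is `post` with expr
    substituted everywhere for var (assertions are Python boolean expressions)."""
    post_tree = ast.parse(post, mode="eval")
    expr_tree = ast.parse(expr, mode="eval").body
    new_tree = ast.fix_missing_locations(_Subst(var, expr_tree).visit(post_tree))
    return ast.unparse(new_tree)


def wp_seq(stmts, post):
    """Work backwards through a list of (var, expr) assignments, starting from the
    final postcondition, as the proof sequence on the slides does."""
    for var, expr in reversed(stmts):
        post = wp_assign(var, expr, post)
    return post


def wp_if(cond, then_stmts, else_stmts, post):
    """Conditional rule: each branch must establish `post`; the branch may assume
    its guard B (or B'), written here as two implications joined by `and`."""
    return (f"(not ({cond}) or ({wp_seq(then_stmts, post)})) and "
            f"(({cond}) or ({wp_seq(else_stmts, post)}))")


def free_vars(*exprs):
    """Variable names mentioned in the given assertions."""
    names = set()
    for e in exprs:
        names |= {n.id for n in ast.walk(ast.parse(e, mode="eval")) if isinstance(n, ast.Name)}
    return sorted(names)


def counterexample(pre, wp, domain=range(-3, 12)):
    """Bounded check that `pre` implies `wp`: try every valuation of the free
    variables over `domain` (constructed, small) and return the first valuation
    where pre holds but wp does not, or None if no such valuation exists.
    Only constructed assertion strings are evaluated here; builtins are disabled."""
    names = free_vars(pre, wp)
    pre_code = compile(pre, "<pre>", "eval")
    wp_code = compile(wp, "<wp>", "eval")
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if eval(pre_code, {"__builtins__": {}}, env) and not eval(wp_code, {"__builtins__": {}}, env):
            return env
    return None


if __name__ == "__main__":
    # Swap from slide 11: working back from {x=b, y=a} yields {y=b, x=a}.
    swap = [("temp", "x"), ("x", "y"), ("y", "temp")]
    print("swap precondition:", wp_seq(swap, "x == b and y == a"))
    # Second slide-11 example: {y = x-4} works back to the tautology {x-4 = x-4}.
    print("y = x-4 precondition:", wp_seq([("y", "x"), ("y", "y - 4")], "y == x - 4"))
    # Conditional from slide 13: both branches must give {y = 6} under {n = 5}.
    cond_wp = wp_if("n >= 10", [("y", "100")], [("y", "n + 1")], "y == 6")
    print("conditional wp:", cond_wp)
    print("{n = 5} implies wp, counterexample:", counterexample("n == 5", cond_wp))
    print("{n = 3} implies wp, counterexample:", counterexample("n == 3", cond_wp))
```

The substitution in wp_assign is exactly the assignment rule, so the strings it returns are the assertions that appear on slide 11. The implication check, by contrast, is testing over a bounded domain rather than proof: a None result only says no counterexample was found among the values tried, which is the limitation slide 5 states (testing shows the presence of errors, never their absence); a genuine proof of correctness would discharge the implication with a prover.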