
Proofs about Programs (PowerPoint PPT Presentation)



Proofs about Programs
Program Verification (Rosen, Sections 5.5)
TOPICS
• Program Correctness
• Preconditions & Postconditions
• Program Verification
• Assignment Statements
• Conditional Statements
• Loops
• Composition Rule
CS 160, Summer Semester 2016

Why make you study logic?
• Why make you do proofs?
• Because we want to prove properties of programs:
  – In particular, we want to prove properties of variables at specific points in a program.
  – For example, we may want to prove that a program segment or method gets the right answer.

Software Testing
• Methods
  – Black-box, white-box
• Levels
  – Unit (Method), Module (Class), Integration, System
• Types
  – Functionality, Configuration, Usability, Reliability, Performance, Compatibility, Error, Localization, …
• Processes
  – Regression, Automation, Test-Driven Development, Code Coverage, …

Isn't testing enough?
• Assuming the program compiles, we can go ahead and perform some amount of testing.
• Testing shows that for specific examples (test cases) the program is doing what was intended.
• Testing can only show the existence of some bugs but cannot exhaustively identify all of them.
• Program verification can be used to prove the correctness of the program with any input.

Program Verification
• Prove the program produces correct output for all possible inputs.
• The domain of input values can be very large; how many possible values of an integer? 2^32
    int divide (int operand1, int operand2) {
        return operand1 / operand2;
    }
• 2^32 * 2^32 = 2^64, a large number, so we clearly cannot test exhaustively!
• Instead we formally specify program behavior, then use logic techniques to infer (prove) program correctness.

Program Correctness Proofs
• We consider a program to be correct if it produces the expected answer when (if) it terminates.
• Part 1 - Prove the program produces correct output
• Part 2 - Prove that the program does indeed terminate at some point.
• We can only do Part 1, because Part 2 has been proven to be undecidable:
  – Thus we try to prove that a method is correct, assuming that it terminates (partial correctness).

Predicate Logic and Programs
• Variables in programs are like variables in predicate logic:
  – They have a domain of discourse (data type)
  – They have values (drawn from the data type)
• Variables in programs are different from variables in predicate logic:
  – Their values change over time (i.e., locations in the program)
  – Associate the predicate with specific program points
    • Immediately before or after a statement

Assertions
• Two parts:
  – Initial Assertion: a statement of what must be true about the input values or values of variables at the beginning of the program segment
    • For example: a method that determines the square root of a number requires the input (parameters) to be >= 0
  – Final Assertion: a statement of what must be true about the output values or values of variables at the end of the program segment
    • For example: can we specify that the output or result is exactly correct after a call to the method?

Pre and Post Conditions
• Initial Assertion: sometimes called the pre-condition
• Final Assertion: sometimes called the post-condition
• Note: these assertions can be represented as propositions or predicates. For simplicity, we will write them generally as propositions.
• Notation: p {S} q

    Pre-condition before code executes
    {
      // Program segment
    }
    Post-condition after code executes

Hoare Triple
• "A program, or program segment, S, is said to be partially correct with respect to the initial assertion (pre-condition) p and the final assertion (post-condition) q, if, whenever p is true for the input values of S, and if S terminates, then q is true for the output values of S."
  – [Rosen 7th edition, p. 372]

    Pre-condition (p) before code executes: x = 1
    {
      // Program segment: (S)
    }
    Post-condition (q) after code executes: z = 3

Program Verification Example #1: Assignment Statements
• Prove that the program segment:
    y = 2;
    z = x + y;
• Is correct with respect to:
    pre-condition: x = 1
    post-condition: z = 3
• Pre-condition: p(x), x = 1 (what is true BEFORE code executes)
• Post-condition: q(z), z = 3 (what is true AFTER code executes)

Program Verification Example #1: Assignment Statements
• Assume that our proof system already includes rules of arithmetic, and theorems about divisibility …
• Consider the following code:
    y = 2;
    z = x + y;
• Suppose x = 1 is true as the program begins:
  – Then y is assigned the value of 2
  – Then z is assigned the value of x + y = 1 + 2 = 3
• Thus, the program segment is correct with regard to the pre-condition that x = 1 and post-condition z = 3.

Program Verification Example #2: Assignment Statements
• Prove that the program segment:
    y = 2;
    z = x * y;
• Is correct with respect to:
    pre-condition: x >= 1
    post-condition: z >= 2
• Suppose x >= 1 is true as the program begins:
  – Then y is assigned the value of 2
  – Then z is assigned the value of x * y = (x >= 1) * 2, which makes z >= 2
• Thus, the program segment is correct for pre-condition x >= 1 and post-condition z >= 2.

Program Verification Example #3: Assignment Statements
• Prove that the program segment, given integer variables:
    y = x * x + 2 * x - 5;
• Is correct with respect to: pre-condition: -4 <= x <= 1, and post-condition: -6 <= y <= 3
• Suppose -4 <= x and x <= 1 as the program begins
  – If x = -4 then y is assigned (-4)*(-4) + 2*(-4) - 5 = 3
  – If x = -3 then y is assigned (-3)*(-3) + 2*(-3) - 5 = -2
  – If x = -2 then y is assigned (-2)*(-2) + 2*(-2) - 5 = -5
  – If x = -1 then y is assigned (-1)*(-1) + 2*(-1) - 5 = -6
  – If x = 0 then y is assigned (0)*(0) + 2*(0) - 5 = -5
  – If x = 1 then y is assigned (1)*(1) + 2*(1) - 5 = -2
• Thus, the program segment is correct for post-condition -6 <= y <= 3, or more precisely y belongs to the set {-6, -5, -2, 3}

So far only propositions, what about predicates?
• What if the data type was float or double, or the interval was unbounded?
• Now we need to use predicates – universally quantified over a range of values.
• Actually this is what we did, but we simply enumerated all the values in the range since they were integers.
• Revisit Example #3 with floating point values:
  – Need to use more math
  – Is the function increasing?
  – In what intervals?
    float x, y;
    // code to initialize x
    y = x * x - 2 * x - 5;

Program Verification Example #4: Assignment Statements
• Given the following segment, x and y are integer variables:
    // pre-condition: -3 < x <= 3
    y = x * x - 3 * x + 4;
    // post-condition: ?? <= y <= ??
• Suppose -3 < x and x <= 3 as the program begins
  – If x = -2 then y is assigned (-2)*(-2) - 3*(-2) + 4 = 14
  – If x = -1 then y is assigned (-1)*(-1) - 3*(-1) + 4 = 8
  – If x = 0 then y is assigned (0)*(0) - 3*(0) + 4 = 4
  – If x = 1 then y is assigned (1)*(1) - 3*(1) + 4 = 2
  – If x = 2 then y is assigned (2)*(2) - 3*(2) + 4 = 2
  – If x = 3 then y is assigned (3)*(3) - 3*(3) + 4 = 4
• Thus, the post-condition for y is 2 <= y <= 14.
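The enumeration in Examples #3 and #4 is mechanical, so here is an added worked example (my own C, not code from the slides or from Rosen) that derives the post-condition bounds of y from the pre-condition interval of x. `int_range` enumerates the finite integer domain exactly as the slides do, and `post_holds` checks a claimed post-condition against that range, so a claim that is too tight is rejected. `quad_range` goes beyond the integer case to the real-valued polynomial that the deck revisits later with float variables: endpoint values bound a function only where it is monotone, so the helper also evaluates a quadratic's vertex x = -b/(2a) whenever it lies inside the interval. For y = x * x - 2 * x - 5 on [-1, 4] the vertex x = 1 is inside and gives y = -6, so the sound bound there is -6 <= y <= 3, while on [1, 4], where the function is increasing, the endpoints alone give the same -6 <= y <= 3. All type and function names are this example's own.

```c
/* Added example: deriving post-condition bounds for y = f(x) from the
 * pre-condition range of x.  Names are this example's own, not the slides'. */
#include <stdio.h>

typedef struct { long min, max; } int_bounds;

/* Example #3 from the slides: y = x * x + 2 * x - 5 */
long poly_ex3(long x) { return x * x + 2 * x - 5; }
/* Example #4 from the slides: y = x * x - 3 * x + 4 */
long poly_ex4(long x) { return x * x - 3 * x + 4; }

/* Integer case: pre-condition lo <= x <= hi.  Enumerating the finite
 * domain, as the slides do by hand, yields the tightest min <= y <= max. */
int_bounds int_range(long (*f)(long), long lo, long hi) {
    int_bounds b = { f(lo), f(lo) };
    for (long x = lo + 1; x <= hi; x++) {
        long y = f(x);
        if (y < b.min) b.min = y;
        if (y > b.max) b.max = y;
    }
    return b;
}

/* Partial-correctness check of a claimed post-condition: every x that
 * satisfies the pre-condition must produce a y within [claim_lo, claim_hi]. */
int post_holds(long (*f)(long), long lo, long hi, long claim_lo, long claim_hi) {
    int_bounds b = int_range(f, lo, hi);
    return b.min >= claim_lo && b.max <= claim_hi;
}

typedef struct { double min, max; } real_bounds;

static double quad(double a, double b, double c, double x) {
    return a * x * x + b * x + c;
}

/* Real case: y = a*x*x + b*x + c with x in [lo, hi].  The endpoints bound y
 * only on a monotone stretch; a quadratic turns at its vertex x = -b/(2a),
 * so that point is added as a candidate whenever it lies inside the interval.
 * The result is therefore sound whether or not the function is monotone. */
real_bounds quad_range(double a, double b, double c, double lo, double hi) {
    double cand[3] = { lo, hi, 0.0 };
    int n = 2;
    if (a != 0.0) {
        double v = -b / (2.0 * a);
        if (v > lo && v < hi) cand[n++] = v;
    }
    real_bounds r = { quad(a, b, c, lo), quad(a, b, c, lo) };
    for (int i = 1; i < n; i++) {
        double y = quad(a, b, c, cand[i]);
        if (y < r.min) r.min = y;
        if (y > r.max) r.max = y;
    }
    return r;
}

int main(void) {
    int_bounds e3 = int_range(poly_ex3, -4, 1);   /* -4 <= x <= 1 */
    int_bounds e4 = int_range(poly_ex4, -2, 3);   /* -3 <  x <= 3 */
    printf("Example #3: %ld <= y <= %ld\n", e3.min, e3.max);
    printf("Example #4: %ld <= y <= %ld\n", e4.min, e4.max);
    real_bounds f = quad_range(1.0, -2.0, -5.0, -1.0, 4.0);
    printf("float revisit on [-1, 4]: %g <= y <= %g\n", f.min, f.max);
    return 0;
}
```

The integer helper is exactly the slides' argument turned into a loop; the real-valued helper is the "use more math" step, and including the vertex is what lets you trust the bound without first proving monotonicity by hand.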

General Rule for Assignments
• To prove the Hoare triple:
    p {v = expression} q
  – note that p and q are predicates involving program variables (usually q involves v)
• We first replace occurrences of v in q by the right hand side expression (expression)
• Then we derive this modified q from p using our rules of inference
• Sometimes we use common sense, e.g., derive first, substitute later, as in the previous examples.

    Pre-condition (p) before code executes
    {
      v = expression;
    }
    Post-condition (q) after code executes

Redo with floating point Example #3: Assignment Statements
• Given that the polynomial below is an increasing function in the interval [-1, 4], prove conditions of the program segment:
    float x, y;
    // code to initialize x
    y = x * x - 2 * x - 5;
  – Pre-condition: -1 <= x <= 4
  – Post-condition: ?? <= y <= ??
• Without executing the assignment we know the domain of x, so we can prove (using math) the range of y values.
• Q: What is the range of values of f(x) = x * x - 2 * x - 5 that satisfy f(-1) ≤ f(x) ≤ f(4) for values of x in the interval [-1, 4]?
• A: We can prove that -2 ≤ y ≤ 3 because f(-1) = -2 and f(4) = 3

Rule 1: Composition Rule
• Once we prove correctness of program segments, we can combine the proofs together to prove correctness of an entire program.
• p {S1} q, q {S2} r -> p {S1; S2} r
• This is similar to the hypothetical syllogism inference rule.

    Pre-condition (p) before code executes
    {
      // Program segment S1
    }
    Post-condition (q) after code executes
    {
      // Program segment S2
    }
    Post-condition (r) after code executes

Program Verification Example #1: Composition Rule
• Prove that the program segment (swap):
    t = x;
    x = y;
    y = t;
• Is correct with respect to
    pre-condition: x = 7, y = 5
    post-condition: x = 5, y = 7
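As an added example (my own C, not from the slides), the swap segment checked with the composition rule: each statement gets its own triple, the intermediate assertions q1 and q2 are the glue between them, and `chain_verified` walks the chain for a given start state, returning 1 only if each assertion holds after its statement (and vacuously 1 when p fails, which matches partial correctness). A second version with a wrong middle statement shows the chain breaking at q2. A run-time check like this only covers the start states you actually supply, which is exactly the gap between testing and the proof on the slides: the proof covers every state in which p holds. The `state` struct, the assertion functions and the statement function names are this example's own.

```c
/* Added example: the composition rule p {S1} q1, q1 {S2} q2, q2 {S3} r
 * -> p {S1; S2; S3} r, applied to the swap segment from the slides.
 * All names here are this example's own. */
#include <stdio.h>

typedef struct { int x, y, t; } state;
typedef int  (*assertion)(const state *);
typedef void (*statement)(state *);

/* p: x = 7, y = 5 (t unconstrained) */
int pre_p(const state *s)   { return s->x == 7 && s->y == 5; }
/* q1: after t = x;  t = 7, x = 7, y = 5 */
int post_q1(const state *s) { return s->t == 7 && s->x == 7 && s->y == 5; }
/* q2: after x = y;  x = 5, y = 5, t = 7 */
int post_q2(const state *s) { return s->x == 5 && s->y == 5 && s->t == 7; }
/* r: after y = t;  x = 5, y = 7 */
int post_r(const state *s)  { return s->x == 5 && s->y == 7; }

/* The three statements of the swap segment, one function each. */
void s1_t_eq_x(state *s) { s->t = s->x; }
void s2_x_eq_y(state *s) { s->x = s->y; }
void s3_y_eq_t(state *s) { s->y = s->t; }
/* A deliberately wrong middle statement, used to show a broken chain. */
void s2_wrong_x_eq_t(state *s) { s->x = s->t; }

/* Runs S1; ...; Sn from a start state and checks the assertion after each
 * statement.  a[0] is p, a[n] is r, and a[i] for 0 < i < n are the
 * intermediate assertions.  Returns 1 when every triple a[i] {S[i+1]} a[i+1]
 * is respected, 0 at the first violated assertion.  When p is false the
 * triple makes no claim, so the result is 1 (partial correctness). */
int chain_verified(state s, const statement *stmts, const assertion *a, int n) {
    if (!a[0](&s)) return 1;
    for (int i = 0; i < n; i++) {
        stmts[i](&s);
        if (!a[i + 1](&s)) return 0;
    }
    return 1;
}

/* p {t = x} q1, q1 {x = y} q2, q2 {y = t} r  ->  p {swap} r */
int swap_verified(state s) {
    const statement stmts[3] = { s1_t_eq_x, s2_x_eq_y, s3_y_eq_t };
    const assertion a[4] = { pre_p, post_q1, post_q2, post_r };
    return chain_verified(s, stmts, a, 3);
}

/* Same assertions, wrong second statement: q2 fails, so the chain breaks
 * and the whole segment is not verified against r. */
int wrong_swap_verified(state s) {
    const statement stmts[3] = { s1_t_eq_x, s2_wrong_x_eq_t, s3_y_eq_t };
    const assertion a[4] = { pre_p, post_q1, post_q2, post_r };
    return chain_verified(s, stmts, a, 3);
}

int main(void) {
    state start = { 7, 5, 0 };   /* constructed start state satisfying p */
    printf("swap respects p {S1; S2; S3} r: %d\n", swap_verified(start));
    printf("wrong swap respects it:         %d\n", wrong_swap_verified(start));
    return 0;
}
```

The intermediate assertions are the whole point of the rule: q1 must be strong enough to be the pre-condition that the next triple needs, which is why each one records the values of all three variables and not just the one that was assigned.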
