Proving Program Correctness: The Axiomatic Approach



What is Correctness?

• Correctness:
– partial correctness + termination
• Partial correctness:
– Program implements its specification

Proving Partial Correctness

• Goal: prove that program is partially correct
• Approach: model computation with predicates
– Predicates are boolean functions over program state
• Simple example
– {odd(x)} a = x {odd(a)}
• Generally: {P} S {Q}, where
– P ≡ precondition
– Q ≡ postcondition
– S ≡ programming language statement

Proof System

• Two elements of proof system
– Axioms: capture the effect of prog. lang. stmts.
– Inference rules: compose axioms to build up proofs of entire program behavior
• Let’s start by discussing inference rules and then we’ll return to discussing axioms

Composition

• Rule:
    {P} S1 {Q} , {Q} S2 {R}
    -----------------------
        {P} S1 ; S2 {R}
• Consider two predicates
– {odd(x+1)} x = x+1 {odd(x)}
– {odd(x)} a = x {odd(a)}
• What is the effect of executing both stmts?
– {odd(x+1)} x = x+1 ; a = x {odd(a)}

Consequence 1

• Rule:
    {P} S {R} , R ⇒ Q
    -----------------
        {P} S {Q}
• Ex:
– {odd(x)} a = x {odd(a)} and
– Postcondition ≡ {a ≠ 4}
• What can we say about this program?
    {odd(x)} a = x {odd(a)} , odd(a) ⇒ a ≠ 4
    ----------------------------------------
            {odd(x)} a = x {a ≠ 4}

Consequence 2

• Rule:
    P ⇒ R , {R} S {Q}
    -----------------
        {P} S {Q}
• Ex:
– Precondition ≡ {x = 1} and
– {odd(x)} a = x {odd(a)}
• What can we say about this program?
    x = 1 ⇒ odd(x) , {odd(x)} a = x {odd(a)}
    ----------------------------------------
            {x = 1} a = x {odd(a)}

Axioms

• Axioms explain the effect of executing a single statement
• Axioms will be derived “backwards.”
– Start with postcondition and determine what conditions must be true on entry to stmt.

Assignment Axiom

• Rule: {P[y/x]} x = y {P}
• P[y/x]: replace all free occurrences of x in P with y
– e.g., {odd(x)} a = x {odd(a)}

Conditional Stmt 1 Axiom

• Rule:
    {P ∧ Bif} S {Q} , {P ∧ ¬Bif} ⇒ {Q}
    ----------------------------------
        {P} if Bif then S {Q}
[Flowchart: from {P}, test Bif; true branch {P ∧ Bif} runs S, false branch {P ∧ ¬Bif} skips it; both rejoin at {Q}]

Conditional Stmt 1

• Example:
1. if even(x) then {
2.   x = x + 1
3. }
   {odd(x) ∧ x > 3}
• then part:
   {odd(x+1) ∧ x > 2} x = x + 1 {odd(x) ∧ x > 3}
   (?? ∧ even(x)) ⇒ (odd(x+1) ∧ x > 2)
• else part:
   (?? ∧ ¬even(x)) ⇒ (odd(x) ∧ x > 3)
• P ≡ ((odd(x+1) ∧ x > 2) ∨ x > 3)
– x > 3 works as well.

Conditional Stmt 2 Axiom

• Rule:
    {P ∧ Bif} S1 {Q} , {P ∧ ¬Bif} S2 {Q}
    ------------------------------------
        {P} if Bif then S1 else S2 {Q}
[Flowchart: from {P}, test Bif; true branch {P ∧ Bif} runs S1, false branch {P ∧ ¬Bif} runs S2; both rejoin at {Q}]

Conditional Stmt 2 Axiom

• Example:
1. if x < 0 then {
2.   x = -x; y = x
3. } else {
4.   y = x
5. }
   {y = |x|}
• Then part:
   {-x = |x|} x = -x {x = |x|}
   {x = |x|} y = x {y = |x|}
   (?? ∧ x < 0) ⇒ -x = |x|
• Else part:
   {x = |x|} y = x {y = |x|}
   (?? ∧ ¬(x < 0)) ⇒ x = |x|
• P ≡ (-x = |x|) ∨ (x = |x|)

While Loop Axiom

• Rule:
    {P ∧ B} S {P}
    -------------------------
    {P} while B do S {P ∧ ¬B}
• Infinite number of paths, so we need one predicate that captures the effect of S
• P is called an invariant
[Flowchart: from {P}, test B; true branch {P ∧ B} runs S and loops back to {P}; false branch exits with {P ∧ ¬B}]

While Loop Axiom

• Example
   IN ≡ {B ≥ 0}
   – a = A
   – b = B
   – y = 0
   – while b > 0 do {
   –   y = y + a
   –   b = b - 1
   – }
   OUT ≡ {y = AB}
• INV ≡ y + ab = AB ∧ b ≥ 0
• Bw ≡ b > 0
• Show INV ∧ ¬Bw ⇒ OUT
   y + ab = AB ∧ b ≥ 0 ∧ ¬(b > 0)
   y + ab = AB ∧ b = 0
   y = AB
   So {INV ∧ ¬Bw} ⇒ OUT
• Establish IN ⇒ INV (assignment axiom applied backwards through the initialization; {…} is the precondition derived on the line above)
   {ab = AB ∧ b ≥ 0} y = 0 {INV}
   {aB = AB ∧ B ≥ 0} b = B {…}
   {AB = AB ∧ B ≥ 0} a = A {…}
   So {IN} a = A; b = B; y = 0 {INV}

While Loop Axiom

• Need to show {INV ∧ Bw} loop body {INV}
   {y + a(b-1) = AB ∧ b-1 ≥ 0} b = b - 1 {INV}
   {y + a + a(b-1) = AB ∧ b-1 ≥ 0} y = y + a {…}
   {y + ab = AB ∧ b-1 ≥ 0} loop body {INV}
• y + ab = AB ∧ b ≥ 0 ∧ b > 0 ⇒ {y + ab = AB ∧ b-1 ≥ 0}
• So
– {IN} lines 1-3 {INV},
– {INV} while loop {INV ∧ ¬Bw}, and
– {INV ∧ ¬Bw} ⇒ OUT
• Therefore
– {IN} program {OUT}
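The backward derivation on the last few slides can be mechanized. The following is an added example, not part of the slides: a small Python weakest-precondition calculator for the four constructs covered here (assignment, composition, if-then-else, and while with a supplied invariant), applied to the multiplication program above. Predicates and expressions are Python functions over a state dictionary; the implications the rules require are checked by exhaustive enumeration over a small integer range, an assumption standing in for a real prover, and the names A, B, a, b, y, IN, OUT and INV follow the slides.

```python
from itertools import product

# Statements are tuples; expressions and predicates are functions of a state
# (dict: variable -> int):  ("assign", x, e)  ("seq", S1, S2)  ("if", B, S1, S2)  ("while", B, INV, S)

def wp(stmt, Q, vcs):
    """Precondition of stmt for postcondition Q, derived backwards as on the slides.
    A while loop yields its invariant and appends the rule's two side conditions to vcs."""
    kind = stmt[0]
    if kind == "assign":                 # assignment axiom: {Q[e/x]} x = e {Q}
        _, x, e = stmt
        return lambda s: Q({**s, x: e(s)})
    if kind == "seq":                    # composition rule
        _, s1, s2 = stmt
        return wp(s1, wp(s2, Q, vcs), vcs)
    if kind == "if":                     # conditional rule 2: {P and B} S1 {Q}, {P and not B} S2 {Q}
        _, B, s1, s2 = stmt
        p1, p2 = wp(s1, Q, vcs), wp(s2, Q, vcs)
        return lambda s: p1(s) if B(s) else p2(s)
    if kind == "while":                  # while rule: {INV and B} S {INV} / {INV} while B do S {INV and not B}
        _, B, inv, body = stmt
        body_pre = wp(body, inv, vcs)
        vcs.append(lambda s: not (inv(s) and B(s)) or body_pre(s))   # INV and B => wp(S, INV)
        vcs.append(lambda s: not (inv(s) and not B(s)) or Q(s))      # INV and not B => Q
        return inv
    raise ValueError(kind)

def valid(pred, names, lo=-4, hi=4):
    """Brute-force check that pred holds in every state with values in [lo, hi] (stand-in for a prover)."""
    return all(pred(dict(zip(names, v))) for v in product(range(lo, hi + 1), repeat=len(names)))

def verify(prog, IN, OUT, names):
    """Partial correctness {IN} prog {OUT}: IN => wp(prog, OUT) plus every loop side condition."""
    vcs = []
    pre = wp(prog, OUT, vcs)
    return valid(lambda s: not IN(s) or pre(s), names) and all(valid(vc, names) for vc in vcs)

# The slides' program: a = A; b = B; y = 0; while b > 0 do { y = y + a; b = b - 1 }
def multiply(inv):
    return ("seq", ("assign", "a", lambda s: s["A"]),
           ("seq", ("assign", "b", lambda s: s["B"]),
           ("seq", ("assign", "y", lambda s: 0),
                   ("while", lambda s: s["b"] > 0, inv,
                             ("seq", ("assign", "y", lambda s: s["y"] + s["a"]),
                                     ("assign", "b", lambda s: s["b"] - 1))))))

SLIDE_INV = lambda s: s["y"] + s["a"] * s["b"] == s["A"] * s["B"] and s["b"] >= 0
WEAK_INV = lambda s: s["y"] + s["a"] * s["b"] == s["A"] * s["B"]   # drops b >= 0: INV and not Bw no longer gives OUT
MULT_IN, MULT_OUT = (lambda s: s["B"] >= 0), (lambda s: s["y"] == s["A"] * s["B"])
MULT_VARS = ["A", "B", "a", "b", "y"]
```

`verify(multiply(SLIDE_INV), MULT_IN, MULT_OUT, MULT_VARS)` returns True, while the weakened invariant is rejected because a state with b < 0 satisfies it without satisfying y = AB.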
Total correctness

• After you have shown partial correctness
– Need to prove that program terminates
• Usually a progress argument. Last program:
– Loop terminates if b ≤ 0
– b starts positive and is decremented by 1 every iteration
– So loop must eventually terminate