5.3.3 Illustrative Examples
We consider the following program on space S defined by variables x and y of type real, and we form a triplet by embedding it between a precondition and a postcondition:
• Program: while (y≠0) {x=x+1; y=y–1;}.
• Precondition: x = x0 ∧ y = y0, for some constants x0 and y0.
• Postcondition: x = x0 + y0.
We form the following formula and we attempt to prove that this formula is a theorem of the proposed inference system:
v: {x = x0 ∧ y = y0} while (y≠0) {x=x+1; y=y–1;} {x = x0 + y0}.

We apply the iteration rule to v, using the invariant assertion inv ≡ x + y = x0 + y0. This yields the following three formulas:

v0: x = x0 ∧ y = y0 ⇒ x + y = x0 + y0,
v1: {x + y = x0 + y0 ∧ y≠0} x=x+1; y=y–1 {x + y = x0 + y0},
v2: x + y = x0 + y0 ∧ y = 0 ⇒ x = x0 + y0.

We find that v0 and v2 are both tautologies and hence they are axioms of the inference system. We consider v1, to which we apply the sequence rule, with the intermediate assertion int ≡ x + y = x0 + y0 + 1. This yields two formulas:

v10: {x + y = x0 + y0 ∧ y≠0} x=x+1 {x + y = x0 + y0 + 1},
v11: {x + y = x0 + y0 + 1} y=y–1 {x + y = x0 + y0}.

We apply the assignment statement rule to v10 and v11, which yields the following formulas:

v100: x + y = x0 + y0 ∧ y≠0 ⇒ (x + 1) + y = x0 + y0 + 1,
v110: x + y = x0 + y0 + 1 ⇒ x + (y – 1) = x0 + y0.

We find that v100 and v110 are both tautologies and hence they are axioms of the inference system. This concludes our proof to the effect that v is a theorem, since the sequence

v100, v110, v10, v11, v0, v1, v2, v

is an inference, as the reader may check: each formula in this sequence is either an axiom or the conclusion of a rule whose premises are to the left of the formula. By virtue of the proposition labeled Proving Partial Correctness, we conclude that program p is partially correct with respect to the following specification:

R = {(s, s′) | ∃x0, y0: x = x0 ∧ y = y0 ∧ x′ = x0 + y0} = {(s, s′) | x′ = x + y}.

It may be more expressive to view this inference as a tree structure, where
leaves are the axioms and internal nodes represent the rules that were invoked in the inference; the root of the tree represents the theorem that is established in the inference (Fig. 5.5).
As a second illustrative example, we let space S be defined by three integer variables n, f, k, such that n is nonnegative, and we let program p be defined as:
{f=1; k=1; while (k≠n+1) {f=f*k; k=k+1;};}.
We choose the following precondition and postcondition:
• ϕ(s) ≡ n = n0,
• ψ(s) ≡ f = n0!.
This produces the following formula:

v: {n = n0} f=1; k=1; while (k≠n+1) {f=f*k; k=k+1;} {f = n0!}.
96 PROGRAM CORRECTNESS AND VERIFICATION
Figure 5.5 Structure of an Inference.
We apply the sequence rule to v, using the intermediate predicate int ≡ n = n0 ∧ f = 1 ∧ k = 1. This yields

v0: {n = n0} f=1; k=1 {n = n0 ∧ f = 1 ∧ k = 1},
v1: {n = n0 ∧ f = 1 ∧ k = 1} while (k≠n+1) {f=f*k; k=k+1;} {f = n0!}.

We apply the sequence rule to v0, using the intermediate assertion int ≡ n = n0 ∧ f = 1. This yields

v00: {n = n0} f=1 {n = n0 ∧ f = 1},
v01: {n = n0 ∧ f = 1} k=1 {n = n0 ∧ f = 1 ∧ k = 1}.

We apply the assignment statement rule to v00 and v01. This yields respectively:

v000: n = n0 ⇒ n = n0 ∧ 1 = 1,
v010: n = n0 ∧ f = 1 ⇒ n = n0 ∧ f = 1 ∧ 1 = 1.

We find that v000 and v010 are both tautologies and hence axioms of the inference system. We now focus on v1, to which we apply the iteration rule, with the invariant assertion inv ≡ n = n0 ∧ f = (k − 1)!. This yields:

v10: n = n0 ∧ f = 1 ∧ k = 1 ⇒ n = n0 ∧ f = (k − 1)!,
v11: {n = n0 ∧ f = (k − 1)! ∧ k≠n+1} f=f*k; k=k+1 {n = n0 ∧ f = (k − 1)!},
v12: n = n0 ∧ f = (k − 1)! ∧ k = n+1 ⇒ f = n0!.

We find that formula v10 is a tautology, since the factorial of 0 is 1, and we find that v12 is a tautology as well, since k = n+1 gives f = n! = n0!. We now focus on v11, to which we apply the sequence rule, with the intermediate assertion int ≡ n = n0 ∧ f = k!. This yields:

v110: {n = n0 ∧ f = (k − 1)! ∧ k≠n+1} f=f*k {n = n0 ∧ f = k!},
v111: {n = n0 ∧ f = k!} k=k+1 {n = n0 ∧ f = (k − 1)!}.

Application of the assignment statement rule to v110 and v111 yields:

v1100: n = n0 ∧ f = (k − 1)! ∧ k≠n+1 ⇒ n = n0 ∧ f × k = k!,
v1110: n = n0 ∧ f = k! ⇒ n = n0 ∧ f = (k + 1 − 1)!.

We find that v1100 and v1110 are both tautologies and hence axioms of the inference system. This concludes our proof; we leave it to the reader to verify that the following sequence is an inference in the proposed inference system:

v1100, v1110, v110, v111, v11, v10, v12, v000, v010, v00, v01, v0, v1, v

Because v is a theorem, we conclude that program p is partially correct with respect to the following specification (formed from the precondition and postcondition of v):

R = {(s, s′) | ∃n0: n = n0 ∧ f′ = n0!} = {(s, s′) | f′ = n!}.

As a third example, we consider the following GCD program on positive integer
variables x and y:
{while (x≠y) {if (x>y) {x=x–y;} else {y=y–x;};},
and we consider the following precondition/postcondition pair:
• ϕ(s) ≡ x = x0 ∧ y = y0,
• ψ(s) ≡ x = gcd(x0, y0).
We form the following formula:

v: {x = x0 ∧ y = y0} while (x≠y) {if (x>y) {x=x–y;} else {y=y–x;}} {x = gcd(x0, y0)}.

We apply the iteration rule to v with the following invariant assertion: inv ≡ gcd(x, y) = gcd(x0, y0). This yields:

v0: x = x0 ∧ y = y0 ⇒ gcd(x, y) = gcd(x0, y0),
v1: {gcd(x, y) = gcd(x0, y0) ∧ x≠y} if (x>y) {x=x–y;} else {y=y–x;} {gcd(x, y) = gcd(x0, y0)},
v2: gcd(x, y) = gcd(x0, y0) ∧ x = y ⇒ x = gcd(x0, y0).
We find that v 0 and v 2 are tautologies and hence axioms of the inference system. We focus on v 1 , to which we apply the alternation rule, which yields:
v10: {gcd(x, y) = gcd(x0, y0) ∧ x≠y ∧ x>y} x=x–y {gcd(x, y) = gcd(x0, y0)},
v11: {gcd(x, y) = gcd(x0, y0) ∧ x≠y ∧ x≤y} y=y–x {gcd(x, y) = gcd(x0, y0)}.

We apply the assignment statement rule to v10 and v11, which yields:

v100: gcd(x, y) = gcd(x0, y0) ∧ x≠y ∧ x>y ⇒ gcd(x − y, y) = gcd(x0, y0),
v110: gcd(x, y) = gcd(x0, y0) ∧ x≠y ∧ x≤y ⇒ gcd(x, y − x) = gcd(x0, y0).

We find that both of these formulas are tautologies and hence axioms of the inference system, since gcd(x − y, y) = gcd(x, y) and gcd(x, y − x) = gcd(x, y). This concludes the proof that v is a theorem; hence program p is partially correct with respect to

R = {(s, s′) | ∃x0, y0: x = x0 ∧ y = y0 ∧ x′ = gcd(x0, y0)} = {(s, s′) | x′ = gcd(x, y)}.
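Once the rules have been applied, every formula left in the three proofs above is an ordinary predicate over the program variables, which makes the choice of invariant easy to sanity-check mechanically before one writes out the inference. The following Python script is an added example, not code from the book: it applies the assignment rule literally, restates the verification conditions of the three examples as predicates, checks each one exhaustively over a small constructed integer domain, shows what a failing check looks like when a candidate invariant is too weak, and runs the factorial program under a step bound to make the partial-correctness caveat concrete. The helper names (assignment_vc, implies, counterexample, check_all, run_factorial) and the bounded domains are assumptions of the example; enumeration over a finite domain is evidence for the invariant, not a proof, and the proof remains the inference given in the text.

```python
# Added example, not code from the book.  The assignment rule is applied literally
# (evaluate the postcondition in the updated state) and every verification condition
# of the three examples is checked by enumeration over a small integer domain.
from itertools import product
from math import factorial, gcd

# Constructed bounded domains; the first example is over the reals in the book, so
# for it the integer enumeration is only a sanity check on the invariant.
SMALL = range(0, 7)
POSITIVE = range(1, 7)


def assignment_vc(pre, var, expr, post):
    """Assignment rule: {pre} var = expr {post} reduces to pre => post[var := expr]."""
    def vc(s):
        s2 = dict(s)
        s2[var] = expr(s)          # right-hand side evaluated in the old state
        return (not pre(s)) or post(s2)
    return vc


def implies(pre, post):
    """pre => post, the shape of the two side conditions produced by the iteration rule."""
    return lambda s: (not pre(s)) or post(s)


def counterexample(vc, names, domain):
    """Check vc on every state over `domain`; return the first failing state, or None."""
    for values in product(domain, repeat=len(names)):
        s = dict(zip(names, values))
        if not vc(s):
            return s
    return None


def fact(m):
    """m! for m >= 0, None otherwise, so comparing f with (k-1)! when k = 0 is simply false."""
    return factorial(m) if m >= 0 else None


# Example 1: while (y != 0) {x = x + 1; y = y - 1;}   inv: x + y = x0 + y0
inv1 = lambda s: s["x"] + s["y"] == s["x0"] + s["y0"]
int1 = lambda s: s["x"] + s["y"] == s["x0"] + s["y0"] + 1
EXAMPLE1 = {
    "v0": implies(lambda s: s["x"] == s["x0"] and s["y"] == s["y0"], inv1),
    "v100": assignment_vc(lambda s: inv1(s) and s["y"] != 0, "x", lambda s: s["x"] + 1, int1),
    "v110": assignment_vc(int1, "y", lambda s: s["y"] - 1, inv1),
    "v2": implies(lambda s: inv1(s) and s["y"] == 0, lambda s: s["x"] == s["x0"] + s["y0"]),
}

# Example 2: f = 1; k = 1; while (k != n + 1) {f = f * k; k = k + 1;}   inv: n = n0 and f = (k - 1)!
inv2 = lambda s: s["n"] == s["n0"] and s["f"] == fact(s["k"] - 1)
int2 = lambda s: s["n"] == s["n0"] and s["f"] == fact(s["k"])
EXAMPLE2 = {
    "v10": implies(lambda s: s["n"] == s["n0"] and s["f"] == 1 and s["k"] == 1, inv2),
    "v1100": assignment_vc(lambda s: inv2(s) and s["k"] != s["n"] + 1, "f", lambda s: s["f"] * s["k"], int2),
    "v1110": assignment_vc(int2, "k", lambda s: s["k"] + 1, inv2),
    "v12": implies(lambda s: inv2(s) and s["k"] == s["n"] + 1, lambda s: s["f"] == fact(s["n0"])),
}

# Example 3: while (x != y) {if (x > y) {x = x - y;} else {y = y - x;}}   inv: gcd(x, y) = gcd(x0, y0)
inv3 = lambda s: gcd(s["x"], s["y"]) == gcd(s["x0"], s["y0"])
EXAMPLE3 = {
    "v0": implies(lambda s: s["x"] == s["x0"] and s["y"] == s["y0"], inv3),
    "v100": assignment_vc(lambda s: inv3(s) and s["x"] != s["y"] and s["x"] > s["y"], "x", lambda s: s["x"] - s["y"], inv3),
    "v110": assignment_vc(lambda s: inv3(s) and s["x"] != s["y"] and s["x"] <= s["y"], "y", lambda s: s["y"] - s["x"], inv3),
    "v2": implies(lambda s: inv3(s) and s["x"] == s["y"], lambda s: s["x"] == gcd(s["x0"], s["y0"])),
}


def check_all():
    """Map every VC name to its first counterexample in the domain (None when there is none)."""
    results = {}
    for tag, vcs, names, domain in (("ex1", EXAMPLE1, ("x", "y", "x0", "y0"), SMALL),
                                    ("ex2", EXAMPLE2, ("n", "f", "k", "n0"), SMALL),
                                    ("ex3", EXAMPLE3, ("x", "y", "x0", "y0"), POSITIVE)):
        for name, vc in vcs.items():
            results[f"{tag}.{name}"] = counterexample(vc, names, domain)
    return results


def wrong_invariant_counterexample():
    """With the too-weak candidate invariant x = x0 for example 1, the loop-body VC fails."""
    bad = lambda s: s["x"] == s["x0"]
    vc = assignment_vc(lambda s: bad(s) and s["y"] != 0, "x", lambda s: s["x"] + 1, bad)
    return counterexample(vc, ("x", "y", "x0", "y0"), SMALL)


def run_factorial(n, max_steps=1000):
    """Execute the second program.  Partial correctness says nothing about termination: for
    n < 0 the guard k != n + 1 never becomes false, although the triple is still valid."""
    f, k = 1, 1
    for _ in range(max_steps):
        if k == n + 1:
            return f
        f, k = f * k, k + 1
    return None
```

Calling check_all() returns a dictionary with one entry per verification condition; every value is None for the invariants chosen in the text, whereas wrong_invariant_counterexample() returns the first state in which the body of the first loop breaks the candidate invariant x = x0. The run_factorial bound illustrates what the proofs do not establish: the triple for the factorial program is valid for any integer n, but the program only terminates when n is nonnegative, which is exactly the restriction placed on space S in the second example.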