Bradley, Manna. The Calculus of Computation, Springer, 2007

138 5 Program Correctness: Mechanics

{x ≥ 0}x := x + 1{x ≥ 1} : x ≥ 0 → wp(x ≥ 1, x := x + 1)

so compute

wp(x ≥ 1, x := x + 1)

(x ≥ 1){x 7→x + 1}

x + 1 ≥ 1

x ≥ 0

Simplifying the VC based on this computation produces

x ≥ 0 → x ≥ 0 ,

Example 5.21. We generate the VC corresponding to basic path (2) in Example 5.13 (LinearSearch):

(2)

@L : F : ℓ ≤ i ( j. ℓ ≤ j < i → a[j] 6= e)

wp( j. ℓ ≤ j ≤ u a[j] = e, S1; S2)

wp(wp( j. ℓ ≤ j ≤ u a[j] = e, assume a[i] = e), S1)

i ≤ u → (a[i] = e → j. ℓ ≤ j ≤ u a[j] = e)

Replacing F and wp(G, S1; S2; S3) according to the computed formula results in the VC

ℓ ≤ i ( j. ℓ ≤ j < i → a[j] 6= e)

→ (i ≤ u → (a[i] = e → j. ℓ ≤ j ≤ u a[j] = e))

or, equivalently,

ℓ ≤ i ( j. ℓ ≤ j < i → a[j] 6= e) i ≤ u a[i] = e → j. ℓ ≤ j ≤ u a[j] = e

@L : G : ℓ ≤ i ( j. ℓ ≤ j < i → a[j] 6= e)

we use a di erent strategy to compute the corresponding VC

F → wp(G, S1; S2; S3) .

We collect all modifications to G during applications of wp and then apply them all at once. Compute

wp(G, S1; S2; S3)

wp(wp(G, i := i + 1), S1; S2)

wp(G{i 7→i + 1}, S1; S2)

wp(wp(G{i 7→i + 1}, assume a[i] 6= e), S1)

wp(a[i] 6= e → G{i 7→i + 1}, S1)

wp(a[i] 6= e → G{i 7→i + 1}, assume i ≤ u)

i ≤ u → a[i] 6= e → G{i 7→i + 1}

Then the VC is

Example 5.23. Consider basic path (2) of Example 5.17 (BinarySearch):

(2)

@pre F : 0 ≤ ℓ u < |a| sorted(a, ℓ, u)

S1 : assume ℓ ≤ u;

S2 : m := (ℓ + u) div 2;

S3 : assume a[m] = e;

S4 : rv := true;

@post G : rv ↔ i. ℓ ≤ i ≤ u a[i] = e

The VC is

140 5 Program Correctness: Mechanics

F → wp(G, S1; S2; S3; S4) , so compute

wp(G, S1; S2; S3; S4)

wp(wp(G, rv := true), S1; S2; S3)

wp(G{rv 7→true}, S1; S2; S3)

wp(wp(G{rv 7→true}, assume a[m] = e), S1; S2)

wp(a[m] = e → G{rv 7→true}, S1; S2)

wp(wp(a[m] = e → G{rv 7→true}, m := (ℓ + u) div 2), S1)

wp((a[m] = e → G{rv 7→true}){m 7→(ℓ + u) div 2}, S1)

wp((a[m] = e → G{rv 7→true}){m 7→(ℓ + u) div 2}

,assume ℓ ≤ u)

ℓ ≤ u → (a[m] = e → G{rv 7→true}){m 7→(ℓ + u) div 2}

Applying the substitutions produces

ℓ ≤ u → a[(ℓ + u) div 2] = e → G{rv 7→true, m 7→(ℓ + u) div 2} .

Simplifying the VC accordingly

0 ≤ ℓ u < |a| sorted(a, ℓ, u) ℓ ≤ u a[(ℓ + u) div 2] = e → i. ℓ ≤ i ≤ u a[i] = e

reveals that it is (TZ TA)-valid: ℓ ≤ u from the antecedent implies that ℓ ≤ (ℓ + u) div 2 ≤ u, so that a[(ℓ + u) div 2] = e implies that i. ℓ ≤ i ≤

The VC is

F → wp(G, S1; S2; S3; S4; S5; S6)

so compute

142 5 Program Correctness: Mechanics

σ : {j 7→j + 1, a 7→ahj a[j + 1]ihj + 1 a[j]i, t 7→a[j]}

to G produces Gσ:

1 ≤ i < |ahj a[j + 1]ihj + 1 a[j]i| 0 ≤ j + 1 ≤ i

partitioned(ahj a[j + 1]ihj + 1 a[j]i, 0, i, i + 1,

|ahj a[j + 1]ihj + 1 a[j]i| − 1)

partitioned(ahj a[j + 1]ihj + 1 a[j]i, 0, j, j + 1, j + 1)

sorted(ahj a[j + 1]ihj + 1 a[j]i, i, |ahj a[j + 1]ihj + 1 a[j]i| − 1)

The length function | · | obeys the following axiom:

In other words, modifying an array’s elements does not change its size. Under this axiom, Gσ is equivalent to

1 ≤ i < |a| 0 ≤ j + 1 ≤ i

partitioned(ahj a[j + 1]ihj + 1 a[j]i, 0, i, i + 1, |a| − 1)

partitioned(ahj a[j + 1]ihj + 1 a[j]i, 0, j, j + 1, j + 1)

sorted(ahj a[j + 1]ihj + 1 a[j]i, i, |a| − 1)

5.2.5 P -Invariant and P -Inductive

Let us consider the inductive assertion method abstractly.

A program is a set of functions with some distinguished entry function. Let P be a program with distinguished entry function f such that f has function precondition Fpre and initial location L0. A computation of program P , or a P -computation, is a sequence of states

s0, s1, s2, . . .

such that

1.s0[pc] = L0 and s0 |= Fpre;

2.and for each index i, si+1 is a result of executing the instruction at si[pc] on state si.

The notation si[pc] indicates the value of pc given by state si. A computation may be finite or infinite. Infinite computations arise when a program contains a function that does not always halt (either through recursion or looping).

A formula F annotating location L of program P is P -invariant (also, is an invariant of P , or is a P -invariant) i for all P -computations s0, s1, s2, . . .

and for each index i, if si[pc] = L then si |= F . The annotations of P are P -invariant i each annotation is P -invariant. This definition is not implementable: checking if F is P -invariant requires checking an infinite number of P -computations in general, even if all computations are finite.

Instead, we use the inductive assertion method introduced in this chapter. If all verification conditions generated from program P are T -valid (in the proper theory T ), then the annotations are P -inductive (also, are inductive P -invariants) and therefore P -invariant. In summary, we have the following theorem.

Theorem 5.25 (Verification Conditions). If for every basic path

@Li : F S1;

.

.

.

Sn;

@Lj : G

of program P , the verification condition

{F }S1; . . . ; Sn{G}

is valid (in the appropriate theory), then the annotations are P -invariant. In particular, the annotations are P -inductive.

In other words, when P ’s annotations are P -inductive, each function of P obeys its specification.

Henceforth, when P is obvious from the context, we say invariant instead of P -invariant and inductive instead of P -inductive.

5.3 Total Correctness

Partial correctness is just one step in proving the total correctness of a function or program. Total correctness of a function asserts that if the input satisfies the function precondition, then the function eventually halts and produces output that satisfies its function postcondition. In other words, total

144 5 Program Correctness: Mechanics

correctness requires proving partial correctness and that the function always halts on input satisfying its precondition. We focus now on the latter task.

Proving function termination is based on well-founded relations (see Chapter 4). Define a set S with a well-founded relation . Then find a function δ mapping program states to S such that δ decreases according to along every basic path. Since is well-founded, there cannot exist an infinite sequence of program states; otherwise, they would map to an infinite decreasing sequence in S. The function δ is called a ranking function.

Choosing Well-Founded Relations and Ranking Functions

The concept of well-founded relations is the fundamental principle of this method. The ranking function itself is really just a convenience. One could directly construct a well-founded relation over the program states and show that the output state of each basic path is less than the input state according to this relation. However, it is often conceptually easier to find a function that maps states to a known set S with a known well-founded relation . For example, we usually choose as S the set of n-tuples of natural numbers and asthe lexicographic extension <n of < to n-tuples of natural numbers, where n varies according to the application.

As with partial correctness, we consider total correctness in the context of loops first and then in the context of recursion. Section 6.2 examines a program with both loops and recursion.

Example 5.26. Figure 5.23 lists BubbleSort with ranking annotations. It contains one new type of annotation: ↓ (i + 1, i + 1) and ↓ (i + 1, i −j) assert that the functions (i + 1, i + 1) and (i + 1, i −j), respectively, are ranking functions. These functions map states of BubbleSort onto pairs of natural numbers S : N2 with well-founded relation <2. Intuitively, we have captured two separate arguments. The outer loop eventually finishes because i decreases to 0; hence i + 1 decreases as well. Why do we use i + 1 rather than i? When |a| = 0, the initial assignment to i is −1. While i + 1 is always nonnegative, i is not; and recall that we want to map into the natural numbers. The inner loop halts because j increases to i; hence i − j decreases to 0. Therefore, our intuition tells us that i + 1 is important for the outer loop, and i − j is important for the inner loop.

Placing these two functions i + 1 and i − j together as a pair (i + 1, i − j) provides the annotation for the inner loop. We expect i + 1 to remain constant while the inner loop is executing and decreasing i − j. For the annotation of the outer loop, we note that i + 1 > i − j = i − 0 = i on entry to the inner loop, so that (i + 1, i + 1) >2 (i + 1, i − j).

The loop annotations assert that the ranking functions (i + 1, i + 1) and (i + 1, i − j) map program states to pairs of natural numbers. Hence, we need to prove that the loop annotations are inductive using the inductive assertion

@pre @post

int[] BubbleSort(int[] a0) { int[] a := a0;

for

@L1 : i + 1 ≥ 0 ↓ (i + 1, i + 1)

(int i := |a| − 1; i > 0; i := i − 1) { for

@L2 : i + 1 ≥ 0 i − j ≥ 0 ↓ (i + 1, i − j)

(int j := 0; j < i; j := j + 1) { if (a[j] > a[j + 1]) {

int t := a[j]; a[j] := a[j + 1]; a[j + 1] := t;

}

}

}

return a;

}

Fig. 5.23. BubbleSort with annotations to prove termination

method. We leave this step to the reader. It only remains to prove that the functions decrease along each basic path.

The relevant basic paths are the following:

(1)

@L1 : i + 1 ≥ 0

↓L1 : (i + 1, i + 1) assume i > 0;

j := 0;

↓L2 : (i + 1, i − j)

(2)

@L2 : i + 1 ≥ 0 i − j ≥ 0

↓L2 : (i + 1, i − j) assume j < i;

assume a[j] > a[j + 1]; t := a[j];

a[j] := a[j + 1]; a[j + 1] := t;

j := j + 1;

↓L2 : (i + 1, i − j)

146 5 Program Correctness: Mechanics

(3)

@L2 : i + 1 ≥ 0 i − j ≥ 0

↓L2 : (i + 1, i − j) assume j < i;

assume a[j] ≤ a[j + 1]; j := j + 1;

↓L2 : (i + 1, i − j)

(4)

@L2 : i + 1 ≥ 0 i − j ≥ 0

↓L2 : (i + 1, i − j) assume j ≥ i;

i := i − 1;

↓L1 : (i + 1, i + 1)

The paths entering and exiting the outer loop at L1 are not relevant for the termination argument. The entering path does not begin with a ranking function annotation, so there is nothing to prove. The exiting path leads to the return statement.

For termination purposes, paths (2) and (3) can be treated the same:

@L2 : i + 1 ≥ 0 i − j ≥ 0

↓L2 : (i + 1, i − j) assume j < i;

· · ·

j := j + 1;

↓L2 : (i + 1, i − j)

The excluded statements do not impact the value of the ranking functions.

Verification Conditions

A basic path beginning and ending with a ranking function

@ F

↓ δ[x] S1;

.

.

.

Sk ;

↓ κ[x]

induces a verification condition

F → wp(κ δ[x0], S1; · · · ; Sk ){x0 7→x} .

In words, we must prove that the value of κ after executing statements S1; · · · ; Sk is less than the value of δ before executing the statements. Therefore, we rename the variables of δ to something new (x0 in this case), compute the weakest precondition of κ δ[x0] across the statements S1; · · · ; Sk , and then rename the new variables back to their original names (x in this case). This renaming process preserves the value of δ[x] in its context. The annotation F can provide extra invariant information with which to prove this relation.

Example 5.27. Let us return to the proof of Example 5.26 that BubbleSort halts. Path (1) induces the following verification condition:

i + 1 ≥ 0 i > 0 → (i + 1, i − 0) <2 (i + 1, i + 1) ,

which is valid. Paths (2) and (3) induce the verification condition:

i + 1 ≥ 0 i − j ≥ 0 j < i → (i + 1, i − (j + 1)) <2 (i + 1, i − j) ,

which is valid. Finally, (4) induces the verification condition

i + 1 ≥ 0 i − j ≥ 0 j ≥ i → ((i − 1) + 1, (i − 1) + 1) <2 (i + 1, i − j) ,

which is also valid. Hence, BubbleSort always halts. Combined with the proof of the sortedness property, we can now say that BubbleSort is totally correct with respect to its specification: it always halts and returns a sorted array.

Let us work through the construction of the final verification condition for basic path (4). First, replace i and j with i0 and j0, respectively, in the function annotating L2: (i0 + 1, i0 − j0). Then compute

wp((i + 1, i + 1) <2 (i0 + 1, i0 − j0), assume j ≥ i; i := i − 1)

wp(((i − 1) + 1, (i − 1) + 1) <2 (i0 + 1, i0 − j0), assume j ≥ i)

j ≥ i → (i, i) <2 (i0 + 1, i0 − j0)

Now, having preserved the original value of (i + 1, i − j) at L2, replace i0 and j0 with i and j, respectively:

j ≥ i → (i, i) <2 (i + 1, i − j) .

Noting that (4) begins by asserting i + 1 ≥ 0 i − j ≥ 0, we have our verification condition:

i + 1 ≥ 0 i − j ≥ 0 j ≥ i → (i, i) <2 (i + 1, i − j) .

In this proof, the loop annotations (other than the ranking functions) do not have any bearing on the termination argument. Their purpose is only to prove that the given functions map to the natural numbers.