MM - Ch2f - Program Verification

This document outlines a lecture on program verification. It covers proof-based techniques for program verification using Hoare triples and proof calculi for partial and total correctness. Specific topics include core programming languages, proof rules, practical aspects of proofs, and proving the correctness of the factorial function. The motivation given is that proof-based techniques avoid issues with model checking approaches, such as infinite state spaces and undecidability.

Uploaded by

Thanh Nguyễn

Program Verification

Chapter 2f, Mathematical Modeling (CO2011)

Nguyen An Khuong
Faculty of Computer Science and Engineering
University of Technology, VNU-HCM

(Materials drawn from: "Michael Huth and Mark Ryan. Logic in Computer Science: Modelling and Reasoning about Systems, 2nd Ed., Cambridge University Press, 2006.")
Contents

1 Core Programming Language
2 Hoare Triples; Partial and Total Correctness
3 Proof Calculus for Partial Correctness
4 Practical Aspects of Correctness Proofs
5 Correctness of the Factorial Function
6 Proof Calculus for Total Correctness
7 Homeworks
Motivation

• One way of checking the correctness of programs is to explore the possible states that a computation system can reach during the execution of the program.
• Problems with this model checking approach:
  • Models become infinite.
  • Satisfaction/validity becomes undecidable.
• In this lecture, we cover a proof-based framework for program verification.
Characteristics of the Approach

• Proof-based instead of model checking
• Semi-automatic instead of automatic
• Property-oriented, not using a full specification
• Application domain fixed to sequential programs using integers
• Interleaved with development rather than a-posteriori verification
Reasons for Program Verification

• Documentation. Program properties formulated as theorems can serve as concise documentation.
• Time-to-market. Verification prevents/catches bugs and can reduce development time.
• Reuse. A clear specification provides a basis for reuse.
• Certification. Verification is required in safety-critical domains such as nuclear power stations and aircraft cockpits.
Framework for Software Verification

1 Convert the informal description R of the requirements for an application domain into a formula φ_R.
2 Write a program P that meets φ_R.
3 Prove that P satisfies φ_R.

Each step provides risks and opportunities.
1 Core Programming Language
Motivation of Core Language

• Real-world languages are quite large; many features and constructs
• A verification framework for one would exceed the time we have in CS5209
• Theoretical constructions such as Turing machines or the lambda calculus are too far from actual applications; too low-level
• Idea: use a subset of Pascal/C/C++/Java
• Benefit: we can study useful "realistic" examples
Expressions in Core Language

Expressions come as arithmetic expressions E:

E ::= n | x | (−E) | (E + E) | (E − E) | (E ∗ E)

and boolean expressions B:

B ::= true | false | (!B) | (B & B) | (B || B) | (E < E)

Where are the other comparisons, for example ==?
Commands in Core Language

Commands cover some common programming idioms. Expressions are components of commands.

C ::= x = E | C; C | if B {C} else {C} | while B {C}
Example

Consider the factorial function:

0! ≝ 1
(n + 1)! ≝ (n + 1) · n!

We shall show that after the execution of the following Core program, we have y = x!.

y = 1;
z = 0;
while ( z != x ) { z = z + 1; y = y * z ; }
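As an added example (not part of the lecture), a small interpreter for the Core language of the preceding slides: expressions and commands are nested tuples that follow the grammars for E, B and C, a state maps variable names to integers, and the comparison `!=` used by the factorial program is derived from `<` alone, which also answers the question about `==`. The iteration bound `fuel` is this example's own addition, not part of the Core language.

```python
# Added example: an interpreter for the Core language of the slides.
# Arithmetic expressions E and boolean expressions B are nested tuples,
# commands C are tagged tuples, and a state is a dict name -> int.
from typing import Any, Dict

State = Dict[str, int]


def eval_e(e: Any, s: State) -> int:
    """E ::= n | x | (-E) | (E + E) | (E - E) | (E * E)"""
    if isinstance(e, bool):            # bool is a subclass of int; reject it here
        raise TypeError("boolean where an arithmetic expression was expected")
    if isinstance(e, int):
        return e
    if isinstance(e, str):             # variable lookup in the current state
        return s[e]
    op, *args = e
    if op == "neg":
        return -eval_e(args[0], s)
    a, b = eval_e(args[0], s), eval_e(args[1], s)
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return a * b
    raise ValueError(f"unknown arithmetic operator {op!r}")


def eval_b(b: Any, s: State) -> bool:
    """B ::= true | false | (!B) | (B & B) | (B || B) | (E < E)"""
    if isinstance(b, bool):
        return b
    op, *args = b
    if op == "!":
        return not eval_b(args[0], s)
    if op == "&":
        return eval_b(args[0], s) and eval_b(args[1], s)
    if op == "||":
        return eval_b(args[0], s) or eval_b(args[1], s)
    if op == "<":
        return eval_e(args[0], s) < eval_e(args[1], s)
    raise ValueError(f"unknown boolean operator {op!r}")


# The grammar has only '<'; the other comparisons are abbreviations.
def eq(e1: Any, e2: Any) -> tuple:
    """E1 == E2  is  !(E1 < E2) & !(E2 < E1)."""
    return ("&", ("!", ("<", e1, e2)), ("!", ("<", e2, e1)))


def neq(e1: Any, e2: Any) -> tuple:
    """E1 != E2  is  (E1 < E2) || (E2 < E1)."""
    return ("||", ("<", e1, e2), ("<", e2, e1))


def exec_c(c: tuple, s: State, fuel: int = 10_000) -> State:
    """C ::= x = E | C; C | if B {C} else {C} | while B {C}

    `fuel` (this example's addition, not part of Core) bounds the number
    of iterations of each loop, so a diverging program raises instead of
    hanging.  States are copied, never mutated in place."""
    op = c[0]
    if op == "assign":
        _, x, e = c
        return {**s, x: eval_e(e, s)}
    if op == "seq":
        for sub in c[1:]:
            s = exec_c(sub, s, fuel)
        return s
    if op == "if":
        _, cond, c_then, c_else = c
        return exec_c(c_then if eval_b(cond, s) else c_else, s, fuel)
    if op == "while":
        _, cond, body = c
        while eval_b(cond, s):
            if fuel == 0:
                raise RuntimeError("iteration bound exhausted: loop did not terminate")
            fuel -= 1
            s = exec_c(body, s, fuel)
        return s
    raise ValueError(f"unknown command {op!r}")


# Fac1 from the slides:  y = 1; z = 0; while (z != x) { z = z + 1; y = y * z; }
FAC1 = ("seq",
        ("assign", "y", 1),
        ("assign", "z", 0),
        ("while", neq("z", "x"),
         ("seq", ("assign", "z", ("+", "z", 1)),
                 ("assign", "y", ("*", "y", "z")))))


def run_fac1(x: int, fuel: int = 10_000) -> int:
    """Run Fac1 from the initial state {x: x}; returns the final y."""
    return exec_c(FAC1, {"x": x}, fuel)["y"]


def fac1_terminates(x: int, fuel: int = 1_000) -> bool:
    """False if Fac1 exhausts the iteration bound, as it does for negative x."""
    try:
        run_fac1(x, fuel)
        return True
    except RuntimeError:
        return False
```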
2 Hoare Triples; Partial and Total Correctness
Example

y = 1;
z = 0;
while ( z != x ) { z = z + 1; y = y * z ; }

• We need to be able to say that at the end, y is x!
• That means we require a post-condition y = x!
Example (continued)

• Do we need pre-conditions, too?
  Yes, they specify what needs to be the case before execution. Example: x > 0
• Do we have to prove the postcondition in one go?
  No, the postcondition of one line can be the pre-condition of the next!
Assertions on Programs

Shape of assertions

(|φ|) P (|ψ|)

Informal meaning

If the program P is run in a state that satisfies φ, then the state resulting from P's execution will satisfy ψ.
(Slightly Trivial) Example

Informal specification
Given a positive number x, the program P calculates a number y whose square is less than x.

Assertion
(|x > 0|) P (|y · y < x|)

Example for P
y = 0

Our first Hoare triple
(|x > 0|) y = 0 (|y · y < x|)
(Slightly Less Trivial) Example

Same assertion
(|x > 0|) P (|y · y < x|)

Another example for P

y = 0;
while ( y * y < x ) {
  y = y + 1;
}
y = y - 1;
Recall: Models in Predicate Logic

Definition
Let F contain function symbols and P contain predicate symbols. A model M for (F, P) consists of:

1 a non-empty set A, the universe;
2 for each nullary function symbol f ∈ F a concrete element f^M ∈ A;
3 for each f ∈ F with arity n > 0, a concrete function f^M : A^n → A;
4 for each P ∈ P with arity n > 0, a set P^M ⊆ A^n.
Recall: Satisfaction Relation

The model M satisfies φ with respect to environment l, written M ⊨_l φ:

• in case φ is of the form P(t1, t2, ..., tn), if the result (a1, a2, ..., an) of evaluating t1, t2, ..., tn with respect to l is in P^M;
• in case φ has the form ∀x ψ, if M ⊨_{l[x ↦ a]} ψ holds for all a ∈ A;
• in case φ has the form ∃x ψ, if M ⊨_{l[x ↦ a]} ψ holds for some a ∈ A;
Recall: Satisfaction Relation (continued)

• in case φ has the form ¬ψ, if M ⊨_l ψ does not hold;
• in case φ has the form ψ1 ∨ ψ2, if M ⊨_l ψ1 holds or M ⊨_l ψ2 holds;
• in case φ has the form ψ1 ∧ ψ2, if M ⊨_l ψ1 holds and M ⊨_l ψ2 holds; and
• in case φ has the form ψ1 → ψ2, if M ⊨_l ψ2 holds whenever M ⊨_l ψ1 holds.
Hoare Triples

Definition
An assertion of the form (|φ|) P (|ψ|) is called a Hoare triple.

• φ is called the precondition, ψ is called the postcondition.
• A state of a Core program P is a function l that assigns each variable x in P to an integer l(x).
• A state l satisfies φ if M ⊨_l φ, where M contains the integers and gives the usual meaning to the arithmetic operations.
• Quantifiers in φ and ψ bind only variables that do not occur in the program P.
Example

Let l(x) = −2, l(y) = 5 and l(z) = −1. We have:

• l ⊨ ¬(x + y < z)
• l ⊭ y − x · z < z
• l ⊭ ∀u (y < u → y · z < u · z)
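As an added example (not from the lecture), the satisfaction clauses of the two "Recall" slides evaluated mechanically for the model of the integers, on the three formulas of this slide. Formulas and terms are nested tuples, the environment l is a dict and l[x ↦ a] is a dict update; because the universe A is infinite, the quantifier clauses range over a constructed finite window `UNIVERSE`, an assumption of this example that can refute a ∀ by exhibiting a counterexample but cannot prove one.

```python
# Added example: M |=_l phi for the model of the integers with +, -, * and <,
# following the clauses on the "Recall: Satisfaction Relation" slides.
from typing import Any, Dict, Iterable, Optional

Env = Dict[str, int]


def eval_term(t: Any, l: Env) -> int:
    """Terms: integer constants, variables looked up in l, and (+ | - | *) a b."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return l[t]
    op, a, b = t
    a, b = eval_term(a, l), eval_term(b, l)
    return {"+": a + b, "-": a - b, "*": a * b}[op]


# The universe A is the infinite set of integers, so a quantifier cannot be
# decided by enumeration.  UNIVERSE is a constructed finite window (an
# assumption of this example): it can refute a forall or witness an exists,
# but "no counterexample in the window" is not a proof.
UNIVERSE = range(-20, 21)


def sat(phi: tuple, l: Env, universe: Iterable[int] = UNIVERSE) -> bool:
    """M |=_l phi, one clause per formula constructor."""
    kind = phi[0]
    if kind == "<":                      # atomic case: (t1, t2) in <^M
        return eval_term(phi[1], l) < eval_term(phi[2], l)
    if kind == "=":
        return eval_term(phi[1], l) == eval_term(phi[2], l)
    if kind == "not":
        return not sat(phi[1], l, universe)
    if kind == "or":
        return sat(phi[1], l, universe) or sat(phi[2], l, universe)
    if kind == "and":
        return sat(phi[1], l, universe) and sat(phi[2], l, universe)
    if kind == "imp":                    # psi2 holds whenever psi1 holds
        return (not sat(phi[1], l, universe)) or sat(phi[2], l, universe)
    if kind == "forall":                 # M |=_{l[x->a]} psi for all a in A
        _, x, psi = phi
        return all(sat(psi, {**l, x: a}, universe) for a in universe)
    if kind == "exists":                 # ... for some a in A
        _, x, psi = phi
        return any(sat(psi, {**l, x: a}, universe) for a in universe)
    raise ValueError(f"unknown formula constructor {kind!r}")


def counterexample(x: str, psi: tuple, l: Env,
                   universe: Iterable[int] = UNIVERSE) -> Optional[int]:
    """First a in the window with M |=_{l[x->a]} psi false, else None."""
    for a in universe:
        if not sat(psi, {**l, x: a}, universe):
            return a
    return None


# The environment of the example slide: l(x) = -2, l(y) = 5, l(z) = -1.
L: Env = {"x": -2, "y": 5, "z": -1}

F1 = ("not", ("<", ("+", "x", "y"), "z"))                          # not(x + y < z)
F2 = ("<", ("-", "y", ("*", "x", "z")), "z")                       # y - x*z < z
F3 = ("forall", "u", ("imp", ("<", "y", "u"),                      # forall u (y < u ->
                             ("<", ("*", "y", "z"), ("*", "u", "z"))))  #   y*z < u*z)


def example_verdicts() -> tuple:
    """(l |= F1, l |= F2, l |= F3) for the slide's environment."""
    return sat(F1, L), sat(F2, L), sat(F3, L)
```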
Partial Correctness

Definition
We say that the triple (|φ|) P (|ψ|) is satisfied under partial correctness if, for all states which satisfy φ, the state resulting from P's execution satisfies ψ, provided that P terminates.

Notation
We write ⊨par (|φ|) P (|ψ|).
Extreme Example

(|φ|) while true { x = 0; } (|ψ|)

holds under partial correctness for all φ and ψ, since the program never terminates.
Total Correctness

Definition
We say that the triple (|φ|) P (|ψ|) is satisfied under total correctness if, for all states which satisfy φ, P is guaranteed to terminate and the resulting state satisfies ψ.

Notation
We write ⊨tot (|φ|) P (|ψ|).
Back to Factorial

Consider Fac1:

y = 1;
z = 0;
while ( z != x ) { z = z + 1; y = y * z ; }

• ⊨tot (|x ≥ 0|) Fac1 (|y = x!|)
• ⊭tot (|⊤|) Fac1 (|y = x!|)
• ⊨par (|x ≥ 0|) Fac1 (|y = x!|)
• ⊨par (|⊤|) Fac1 (|y = x!|)
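As an added example (not code from the lecture), a runtime checker for Hoare triples that makes the four judgements on this slide, the (Slightly Less Trivial) example and the Extreme Example concrete: programs are Python functions on states, an iteration bound `MAX_STEPS` stands in for non-termination, and a partial-correctness check ignores diverging runs while a total-correctness check counts them as failures. Sampling finitely many states can only refute a triple, never prove it; the bound and the sample `STATES` are this example's assumptions.

```python
# Added example: checking Hoare triples under partial and total correctness
# by running the programs of these slides on sampled states.
from math import factorial
from typing import Callable, Dict, Iterable, Optional

State = Dict[str, int]
Pred = Callable[[State], bool]
Prog = Callable[[State], State]

MAX_STEPS = 1_000   # iteration bound standing in for "does not terminate"


class Diverges(Exception):
    """The run exhausted MAX_STEPS: treated as non-termination."""


def fac1(s: State) -> State:
    """Fac1: y = 1; z = 0; while (z != x) { z = z + 1; y = y * z; }"""
    s = dict(s)
    s["y"], s["z"] = 1, 0
    for _ in range(MAX_STEPS):
        if s["z"] == s["x"]:
            return s
        s["z"] += 1
        s["y"] *= s["z"]
    raise Diverges("Fac1: z never reached x")


def sqrt_below(s: State) -> State:
    """The (Slightly Less Trivial) P: y = 0; while (y*y < x) { y = y + 1; } y = y - 1;"""
    s = dict(s)
    s["y"] = 0
    for _ in range(MAX_STEPS):
        if not s["y"] * s["y"] < s["x"]:
            s["y"] -= 1
            return s
        s["y"] += 1
    raise Diverges("sqrt_below: loop bound exhausted")


def extreme(s: State) -> State:
    """The Extreme Example: while true { x = 0; } never terminates."""
    s = dict(s)
    for _ in range(MAX_STEPS):
        s["x"] = 0
    raise Diverges("while true never exits")


def counterexample(pre: Pred, prog: Prog, post: Pred,
                   states: Iterable[State], total: bool) -> Optional[State]:
    """First sampled state refuting (|pre|) prog (|post|), or None.

    Partial correctness: a diverging run is not a counterexample, the triple
    only speaks about runs that terminate.  Total correctness: divergence
    is itself a counterexample."""
    for s in states:
        if not pre(s):
            continue                 # the triple says nothing about this state
        try:
            out = prog(s)
        except Diverges:
            if total:
                return s
            continue
        if not post(out):
            return s
    return None


# Constructed sample of initial states, including a few negative x.
STATES = [{"x": x} for x in range(-3, 9)]

x_nonneg: Pred = lambda s: s["x"] >= 0
x_pos: Pred = lambda s: s["x"] > 0
top: Pred = lambda s: True                     # the precondition "true"
bottom: Pred = lambda s: False                 # the postcondition "false"
y_is_fact: Pred = lambda s: s["x"] >= 0 and s["y"] == factorial(s["x"])
y_sq_below_x: Pred = lambda s: s["y"] * s["y"] < s["x"]


def slide_claims() -> Dict[str, bool]:
    """The four judgements about Fac1 on the slide; True means not refuted."""
    return {
        "tot, x>=0": counterexample(x_nonneg, fac1, y_is_fact, STATES, True) is None,
        "tot, true": counterexample(top, fac1, y_is_fact, STATES, True) is None,
        "par, x>=0": counterexample(x_nonneg, fac1, y_is_fact, STATES, False) is None,
        "par, true": counterexample(top, fac1, y_is_fact, STATES, False) is None,
    }


def other_claims() -> Dict[str, bool]:
    """(|x > 0|) sqrt_below (|y*y < x|) under total correctness, and the
    Extreme Example: it satisfies even postcondition false partially,
    but no triple totally."""
    return {
        "sqrt tot": counterexample(x_pos, sqrt_below, y_sq_below_x, STATES, True) is None,
        "extreme par": counterexample(top, extreme, bottom, STATES, False) is None,
        "extreme tot": counterexample(top, extreme, bottom, STATES, True) is None,
    }
```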
3 Proof Calculus for Partial Correctness
Strategy

We are looking for a proof calculus that allows us to establish

    ⊢par (|φ|) P (|ψ|)

where

• ⊨par (|φ|) P (|ψ|) holds whenever ⊢par (|φ|) P (|ψ|) (correctness), and

• ⊢par (|φ|) P (|ψ|) holds whenever ⊨par (|φ|) P (|ψ|) (completeness).
Rules for Partial Correctness

    (|φ|) C1 (|η|)    (|η|) C2 (|ψ|)
    ---------------------------------  [Composition]
          (|φ|) C1 ; C2 (|ψ|)
Rules for Partial Correctness (continued)

    ------------------------------  [Assignment]
     (|[x → E]ψ|) x = E (|ψ|)
Examples

Let P be the program x = 2.

Using

    ------------------------------  [Assignment]
     (|[x → E]ψ|) x = E (|ψ|)

we can prove:

• (|2 = 2|) P (|x = 2|)

• (|2 = 4|) P (|x = 4|)

• (|2 = y|) P (|x = y|)

• (|2 > 0|) P (|x > 0|)
More Examples

Let P be the program x = x + 1.

Using

    ------------------------------  [Assignment]
     (|[x → E]ψ|) x = E (|ψ|)

we can prove:

• (|x + 1 = 2|) P (|x = 2|)

• (|x + 1 = y|) P (|x = y|)
Rules for Partial Correctness (continued)

    (|φ ∧ B|) C1 (|ψ|)    (|φ ∧ ¬B|) C2 (|ψ|)
    ------------------------------------------  [If-statement]
       (|φ|) if B { C1 } else { C2 } (|ψ|)

            (|ψ ∧ B|) C (|ψ|)
    ------------------------------------  [Partial-while]
    (|ψ|) while B { C } (|ψ ∧ ¬B|)
Rules for Partial Correctness (continued)

    ⊢AR φ′ → φ    (|φ|) C (|ψ|)    ⊢AR ψ → ψ′
    --------------------------------------------  [Implied]
                  (|φ′|) C (|ψ′|)
Proof Tableaux

Proofs have tree shape

All rules have the structure

    something
    ----------------
    something else

As a result, all proofs can be written as a tree.

Practical concern

These trees tend to be very wide when written out on paper. Thus we use a linear format instead, called proof tableaux.
Interleave Formulas with Code

    (|φ|) C1 (|η|)    (|η|) C2 (|ψ|)
    ---------------------------------  [Composition]
          (|φ|) C1 ; C2 (|ψ|)

The shape of the rule suggests a format for a proof of C1 ; C2 ; . . . ; Cn :

    (|φ₀|)
    C1 ;
    (|φ₁|)          justification
    C2 ;
    ...
    (|φₙ₋₁|)        justification
    Cn ;
    (|φₙ|)          justification
Working Backwards

Overall goal
Find a proof that at the end of executing a program P, some condition ψ holds.

Common situation
If P has the shape C1 ; . . . ; Cn, we need to find the weakest formula ψ′ such that

    (|ψ′|) Cn (|ψ|)

Terminology
The weakest such formula ψ′ is called the weakest precondition.
Example

    (|y < 3|)
    (|y + 1 < 4|)      Implied
    y = y + 1;
    (|y < 4|)          Assignment
Another Example

Can we claim u = x + y after z = x; z = z + y; u = z; ?

    (|⊤|)
    (|x + y = x + y|)      Implied
    z = x;
    (|z + y = x + y|)      Assignment
    z = z + y;
    (|z = x + y|)          Assignment
    u = z;
    (|u = x + y|)          Assignment
An Alternative Rule for If

We have:

    (|φ ∧ B|) C1 (|ψ|)    (|φ ∧ ¬B|) C2 (|ψ|)
    ------------------------------------------  [If-statement]
       (|φ|) if B { C1 } else { C2 } (|ψ|)

Sometimes, the following derived rule is more suitable:

    (|φ1|) C1 (|ψ|)    (|φ2|) C2 (|ψ|)
    -----------------------------------------------------------  [If-stmt 2]
    (|(B → φ1) ∧ (¬B → φ2)|) if B { C1 } else { C2 } (|ψ|)
Example

Consider this implementation of Succ:

    a = x + 1;
    if ( a - 1 == 0) {
      y = 1;
    } else {
      y = a;
    }

Can we prove (|⊤|) Succ (|y = x + 1|) ?
Another Example

    ...
    if ( a - 1 == 0 ) {
    (|1 = x + 1|)          If-Statement 2
    y = 1;
    (|y = x + 1|)          Assignment
    } else {
    (|a = x + 1|)          If-Statement 2
    y = a;
    (|y = x + 1|)          Assignment
    }
    (|y = x + 1|)          If-Statement 2
Another Example

    (|⊤|)
    (|(x + 1 − 1 = 0 → 1 = x + 1) ∧ (¬(x + 1 − 1 = 0) → x + 1 = x + 1)|)    Implied
    a = x + 1;
    (|(a − 1 = 0 → 1 = x + 1) ∧ (¬(a − 1 = 0) → a = x + 1)|)                Assignment
    if ( a - 1 == 0 ) {
    (|1 = x + 1|)          If-Statement 2
    y = 1;
    (|y = x + 1|)          Assignment
    } else {
    (|a = x + 1|)          If-Statement 2
    y = a;
    (|y = x + 1|)          Assignment
    }
    (|y = x + 1|)          If-Statement 2
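The backward computation carried out in the tableaux above, as an added example that is not code from the slides or from the textbook: a small Python weakest-precondition calculator for assignment, composition and the derived If-stmt 2 rule, run on the z = x; z = z + y; u = z; program and on Succ. The statement-list encoding, the function names and the bounded validity check (a sanity check of the Implied step, not a proof) are assumptions of this example.

```python
import ast
import itertools

# Added example, not code from the slides: a weakest-precondition calculator
# for the loop-free part of the Core language, working backwards over a
# statement list exactly as the proof tableaux do.
#
# A program is a list of statements:
#   ("assign", "x", "E")        for  x = E
#   ("if", "B", C1, C2)         for  if B { C1 } else { C2 }
# Formulas and expressions are Python expression strings over integer
# variables ("u == x + y", "a - 1 == 0"), so Python's own parser supplies
# the syntax tree needed for substitution.


class _Substitute(ast.NodeTransformer):
    """Rewrite every occurrence of variable `var` by the tree `expr`."""

    def __init__(self, var, expr):
        self.var, self.expr = var, expr

    def visit_Name(self, node):
        # NodeTransformer does not revisit the returned subtree, so an E that
        # mentions x itself (z = z + y) is substituted exactly once.
        return self.expr if node.id == self.var else node


def substitute(formula, var, expr):
    """[x -> E]psi: the precondition the Assignment rule gives for x = E."""
    tree = ast.parse(formula, mode="eval")
    replacement = ast.parse(expr, mode="eval").body
    tree = _Substitute(var, replacement).visit(tree)
    # ast.unparse re-inserts parentheses where precedence requires them,
    # e.g. [x -> x + 1](x * 2) becomes (x + 1) * 2.
    return ast.unparse(tree)


def wp(program, post):
    """Weakest precondition of `program` w.r.t. `post`, computed backwards."""
    for stmt in reversed(program):
        if stmt[0] == "assign":
            _, var, expr = stmt
            post = substitute(post, var, expr)            # Assignment rule
        elif stmt[0] == "if":
            _, guard, c1, c2 = stmt                        # derived rule If-stmt 2:
            phi1, phi2 = wp(c1, post), wp(c2, post)        # (B -> phi1) and (not B -> phi2)
            post = f"(not ({guard}) or ({phi1})) and (({guard}) or ({phi2}))"
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return post


def valid_on(formula, names, values=range(-3, 4)):
    """Bounded check that `formula` holds for every assignment of `values` to
    `names`.  This only sanity-checks the Implied step; the real obligation
    is |-AR, which a prover or a hand argument discharges."""
    code = compile(formula, "<wp>", "eval")   # our own generated formula, not untrusted input
    return all(eval(code, {"__builtins__": {}}, dict(zip(names, vals)))
               for vals in itertools.product(values, repeat=len(names)))


# The two programs from the slides, constructed here in the list encoding.
SUM_PROG = [("assign", "z", "x"), ("assign", "z", "z + y"), ("assign", "u", "z")]
SUCC_PROG = [("assign", "a", "x + 1"),
             ("if", "a - 1 == 0", [("assign", "y", "1")], [("assign", "y", "a")])]

if __name__ == "__main__":
    print(wp(SUM_PROG, "u == x + y"))                     # x + y == x + y, implied by T
    print(wp(SUCC_PROG, "y == x + 1"))                    # the Implied line of the Succ tableau
    print(valid_on(wp(SUCC_PROG, "y == x + 1"), ["x"]))   # True
    print(valid_on(wp(SUM_PROG, "u == x"), ["x", "y"]))   # False: u = x is not provable
```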
Recall: Partial-while Rule

            (|ψ ∧ B|) C (|ψ|)
    ------------------------------------  [Partial-while]
    (|ψ|) while B { C } (|ψ ∧ ¬B|)
Factorial Example

We shall show that the following Core program Fac1 meets this specification:

    y = 1;
    z = 0;
    while ( z != x ) { z = z + 1; y = y * z ; }

Thus, to show:

    (|⊤|) Fac1 (|y = x!|)
Partial Correctness of Fac1

    ...
    (|y = z!|)
    while ( z != x ) {
    (|y = z! ∧ z ≠ x|)             Invariant
    (|y · (z + 1) = (z + 1)!|)     Implied
    z = z + 1;
    (|y · z = z!|)                 Assignment
    y = y * z;
    (|y = z!|)                     Assignment
    }
    (|y = z! ∧ ¬(z ≠ x)|)          Partial-while
    (|y = x!|)                     Implied
Partial Correctness of Fac1

    (|⊤|)
    (|1 = 0!|)                     Implied
    y = 1;
    (|y = 0!|)                     Assignment
    z = 0;
    (|y = z!|)                     Assignment
    while ( z != x ) {
    ...
    }
    (|y = z! ∧ ¬(z ≠ x)|)          Partial-while
    (|y = x!|)                     Implied
Ideas for Total Correctness

• The only source of non-termination is the while command.

• If we can show that the value of an integer expression decreases in each iteration, but never becomes negative, we have proven termination.

Why? Well-foundedness of the natural numbers: a strictly decreasing sequence of natural numbers cannot go on forever, so the loop runs only finitely many times.

• We shall include this argument in a new version of the while rule.
Rules for Partial Correctness (continued)

            (|ψ ∧ B|) C (|ψ|)
    ------------------------------------  [Partial-while]
    (|ψ|) while B { C } (|ψ ∧ ¬B|)

    (|ψ ∧ B ∧ 0 ≤ E = E₀|) C (|ψ ∧ 0 ≤ E < E₀|)
    ---------------------------------------------  [Total-while]
       (|ψ ∧ 0 ≤ E|) while B { C } (|ψ ∧ ¬B|)
Factorial Example (Again!)

    y = 1;
    z = 0;
    while ( z != x ) { z = z + 1; y = y * z ; }

What could be a good variant E?

E must strictly decrease in the loop, but not become negative.

Answer:

    x − z
Total Correctness of Fac1

    ...
    (|y = z! ∧ 0 ≤ x − z|)
    while ( z != x ) {
    (|y = z! ∧ z ≠ x ∧ 0 ≤ x − z = E₀|)                  Invariant
    (|y · (z + 1) = (z + 1)! ∧ 0 ≤ x − (z + 1) < E₀|)    Implied
    z = z + 1;
    (|y · z = z! ∧ 0 ≤ x − z < E₀|)                      Assignment
    y = y * z;
    (|y = z! ∧ 0 ≤ x − z < E₀|)                          Assignment
    }
    (|y = z! ∧ ¬(z ≠ x)|)                                Total-while
    (|y = x!|)                                           Implied
Total Correctness of Fac1

    (|x ≥ 0|)
    (|1 = 0! ∧ 0 ≤ x − 0|)         Implied
    y = 1;
    (|y = 0! ∧ 0 ≤ x − 0|)         Assignment
    z = 0;
    (|y = z! ∧ 0 ≤ x − z|)         Assignment
    while ( z != x ) {
    ...
    }
    (|y = z! ∧ ¬(z ≠ x)|)          Total-while
    (|y = x!|)                     Implied
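As an added example (not code from the slides or the textbook), Fac1 instrumented in Python with run-time checks of the invariant y = z! and the variant E = x − z used in the proof above. The run aborts at the first violated side condition of [Total-while], which is exactly what happens for x < 0, the case in which the earlier slide states ⊭tot (|⊤|) Fac1 (|y = x!|) while ⊨par still holds. The function names, the check_entry switch and the exception type are assumptions of this example.

```python
import math

# Added example, not code from the slides: Fac1 with the invariant
# psi = (y = z!) and the variant E = x - z checked at run time.  This does
# not replace the proof; it makes visible which premise of [Total-while]
# fails once the precondition x >= 0 is dropped.


class VariantViolation(Exception):
    """Raised when 0 <= E < E0 fails, i.e. the termination argument breaks."""


def fac1_checked(x, check_entry=True):
    """Run Fac1 on x and return (y, number of loop iterations).

    check_entry=True also checks the [Total-while] precondition psi and 0 <= E
    before the loop; with check_entry=False the loop is entered regardless,
    and the per-iteration variant check is what catches x < 0 instead."""
    y = 1
    z = 0
    if check_entry and not (y == math.factorial(z) and 0 <= x - z):
        raise VariantViolation(f"entry: 0 <= x - z fails, x - z = {x - z}")
    iterations = 0
    while z != x:
        # Invariant hypothesis and guard:  y = z!  and  z != x  and  0 <= E = E0
        assert y == math.factorial(z)
        e0 = x - z
        z = z + 1
        y = y * z
        iterations += 1
        # The body must re-establish psi and strictly decrease E without it
        # going negative; for x < 0 this fails on the very first iteration.
        assert y == math.factorial(z)
        if not (0 <= x - z < e0):
            raise VariantViolation(
                f"iteration {iterations}: need 0 <= x - z < E0, "
                f"but x - z = {x - z} and E0 = {e0}")
    # psi and not B:  y = z! and z = x, hence y = x!
    assert y == math.factorial(x)
    return y, iterations


def terminates(x, check_entry=True):
    """True when the checked run finishes; False when a variant check aborts it
    (the point at which the unchecked Fac1 would loop forever)."""
    try:
        fac1_checked(x, check_entry)
        return True
    except VariantViolation:
        return False


if __name__ == "__main__":
    print(fac1_checked(5))           # (120, 5)
    print(terminates(-2))            # False: 0 <= x - z already fails on entry
    print(terminates(-2, False))     # False: variant goes negative in iteration 1
```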
HW

Do as many as possible (at least ALL designated ones) of the problems given in Section 4.6 in [2].
