Program verification

Programs:
Semantics and Verification
Mordechai Ben-Ari
Mathematical Logic for Computer Science
1/22
Programs : Semantics and Verification
Charngki Hong @ PSWLAB
Table of Contents

Introduction
Semantics of programming language
    Weakest precondition
The deductive system HL
Program verification
    Total correctness
Program synthesis
References
Introduction

The syntax of a programming language is specified using formal systems such as BNF, but the semantics is usually specified informally.

Example:

The formal BNF syntax of an if-statement:

    if-statement ::= if expression then statement [else statement]

But its semantics is described informally:

    The boolean expression is evaluated. If true, the statement following then is executed, otherwise the statement following else is executed.

If the semantics is informally defined, there is no formal way of determining the validity or correctness of a program.
Semantics of programming language (1/8)

A statement in a programming language is considered to be a function that transforms the state of computation.

If the variables (x,y) = (8,7) in a state s, then the result of executing the statement x := 2*y+1 is the state s' in which (x,y) = (15,7).

Definition 1.

Let U be the set of all n-tuples of values over some domain, and let $U' \subseteq U$. $P_{U'}(x_1, \ldots, x_n)$, the characteristic predicate of U', is defined so that $U' = \{ (x_1, \ldots, x_n) \in U \mid P_{U'}(x_1, \ldots, x_n) \}$.
Semantics of programming language (2/8)

Example of Definition 1

Let U be the set of 2-tuples over $\mathbb{Z}$ and let $U' \subseteq U$ be the 2-tuples described in the following table (the dots mark where the table continues):

…
… (-2,-3), (-2,-2), (-2,-1), (-2,0), (-2,1), (-2,2), (-2,3)
… (-1,-3), (-1,-2), (-1,-1), (-1,0), (-1,1), (-1,2), (-1,3)
…  (0,-3),  (0,-2),  (0,-1),  (0,0),  (0,1),  (0,2),  (0,3)
…  (1,-3),  (1,-2),  (1,-1),  (1,0),  (1,1),  (1,2),  (1,3)
…

The characteristic predicate of U' is $(x_1 = x_1) \wedge (x_2 \leq 3)$.
Semantics of programming language (3/8)

Definition 2.

An assertion is a triple {p} S {q}, where S is a program, and p and q are formulas in the predicate calculus called the precondition and postcondition, respectively.

An assertion is true, denoted $\models \{p\}\ S\ \{q\}$, iff: if S is started in a state satisfying p and if this computation of S terminates, then the computation terminates in a state satisfying q.

If $\models \{p\}\ S\ \{q\}$, then S is said to be partially correct with respect to p and q.

Assertions are also called Hoare triples.

Example

$\models \{ y \leq 3 \}\ x := 2*y+1\ \{ (x \leq 7) \wedge (y \leq 3) \}$
Semantics of programming language (4/8)

Weakest preconditions

Definition 3.

A formula A is weaker than formula B if $B \rightarrow A$. Given a set of formulas $\{A_1, A_2, \ldots, A_n\}$, $A_i$ is the weakest formula in the set if $A_j \rightarrow A_i$ for all j.

Definition 4.

For a program S and formula q, wp(S, q), the weakest precondition of S and q, is the weakest formula p such that $\models \{p\}\ S\ \{q\}$.

Example

$y \leq 3$ is weaker than $y = 1 \vee y = 3$

$wp(x := 2*y+1,\ (x \leq 7) \wedge (y \leq 3)) = (y \leq 3)$
Semantics of programming language (5/8)

Lemma 5.

$\models \{p\}\ S\ \{q\}$ if and only if $\models p \rightarrow wp(S, q)$

Definition 6.

$wp(x := t,\ p(x)) = p(x)\{x \leftarrow t\}$, where $p(x)\{x \leftarrow t\}$ denotes p with t substituted for x.

Example

$wp(y := y-1,\ y \geq 0) = (y-1 \geq 0) = (y \geq 1)$

Definition 7.

$wp(S_1; S_2,\ q) = wp(S_1,\ wp(S_2, q))$
Semantics of programming language (6/8)

Examples of Definition 7

1.
$wp(x := x+1;\ y := y+2,\ x < y) = wp(x := x+1,\ wp(y := y+2,\ x < y))$
$= wp(x := x+1,\ x < y+2)$
$= x+1 < y+2$
$\equiv x < y+1$

2.
$wp(x := x+a;\ y := y-1,\ x = (b-y) \cdot a)$
$= wp(x := x+a,\ wp(y := y-1,\ x = (b-y) \cdot a))$
$= wp(x := x+a,\ x = (b-y+1) \cdot a)$
$= x+a = (b-y+1) \cdot a$
$\equiv x = (b-y) \cdot a$
Semantics of programming language (7/8)

Definition 8.

A predicate I is an invariant of S iff $wp(S, I) = I$

Definition 9. (if-statement)

$wp(\text{if } B \text{ then } S_1 \text{ else } S_2,\ q) = (B \rightarrow wp(S_1, q)) \wedge (\neg B \rightarrow wp(S_2, q))$

Definition 10. (while-statement)

$wp(\text{while } B \text{ do } S,\ q) = (\neg B \rightarrow q) \wedge (B \rightarrow wp(S;\ \text{while } B \text{ do } S,\ q))$
Semantics of programming language (8/8)

If-statement

$wp(\text{if } y=0 \text{ then } x := 0 \text{ else } x := y+1,\ x=y)$
$= (y=0 \rightarrow wp(x := 0,\ x=y)) \wedge (y \neq 0 \rightarrow wp(x := y+1,\ x=y))$
$\equiv ((y=0) \rightarrow (y=0)) \wedge ((y \neq 0) \rightarrow (y+1 = y))$
$\equiv \mathit{true} \wedge ((y \neq 0) \rightarrow \mathit{false})$
$\equiv \neg(y \neq 0)$
$\equiv y = 0$

While-statement

You'll see many examples of this later.
The deductive system HL (1/4)

A deductive system HL (Hoare Logic) whose formulas are assertions can be used to prove properties of programs.

Definition 11.

Domain axioms

Every true formula over the domain(s) of the program variables

Assignment axiom

$\vdash \{p(x)\{x \leftarrow t\}\}\ x := t\ \{p(x)\}$

Composition rule

$\dfrac{\vdash \{p\}\ S_1\ \{q\} \qquad \vdash \{q\}\ S_2\ \{r\}}{\vdash \{p\}\ S_1; S_2\ \{r\}}$
The deductive system HL (2/4)

Alternative rule

$\dfrac{\vdash \{p \wedge B\}\ S_1\ \{q\} \qquad \vdash \{p \wedge \neg B\}\ S_2\ \{q\}}{\vdash \{p\}\ \text{if } B \text{ then } S_1 \text{ else } S_2\ \{q\}}$

Loop rule

$\dfrac{\vdash \{p \wedge B\}\ S\ \{p\}}{\vdash \{p\}\ \text{while } B \text{ do } S\ \{p \wedge \neg B\}}$

Consequence rule

$\dfrac{\vdash p_1 \rightarrow p \qquad \vdash \{p\}\ S\ \{q\} \qquad \vdash q \rightarrow q_1}{\vdash \{p_1\}\ S\ \{q_1\}}$
The deductive system HL (3/4)

Loop rule

$\dfrac{\vdash \{p \wedge B\}\ S\ \{p\}}{\vdash \{p\}\ \text{while } B \text{ do } S\ \{p \wedge \neg B\}}$

The formula p is called an invariant: it describes the behavior of an execution of the statement S in the while statement.

To prove $\vdash \{p_0\}\ \text{while } B \text{ do } S\ \{q\}$:

We need to find an invariant p (one for which $\vdash \{p \wedge B\}\ S\ \{p\}$ holds)
We need to show that $p_0 \rightarrow p$ is true
We need to show that $(p \wedge \neg B) \rightarrow q$ is true

The most difficult part in proving programs is to find appropriate invariants.
The deductive system HL (4/4)

Example of loop rule

while x > 0 do x := x - 1

x = 5 is too strong to be an invariant of the while statement above: it does not survive a single execution of the loop body.
$x \geq 0$ is an invariant:
$x \geq 0 \wedge x > 0$ implies $x \geq 0$ after executing the loop body
the loop terminates if $x \geq 0 \wedge \neg(x > 0)$ is true
Program verification (1/3)

Use HL to prove the partial correctness of the program

$\{\mathit{true}\}$
x := 0;
$\{x = 0\}$
y := b;
$\{x = 0 \wedge y = b\}$
while y <> 0 do
    $\{x = (b-y) \cdot a\}$
    begin x := x + a; y := y-1 end;
$\{x = a \cdot b\}$

Let the formula $x = (b-y) \cdot a$ be the invariant.

$\{p \wedge y \neq 0\}$ x := x+a; y := y-1 $\{p\}$, where p is $x = (b-y) \cdot a$

The postcondition of the loop can be written $p \wedge (y = 0)$, so we can deduce $x = a \cdot b$.
Program verification (2/3)

Total correctness

We have proved only partial correctness.
If the initial value of b is negative, the program will not terminate.
We need to strengthen the precondition to $b \geq 0$.
Strengthening the precondition will obviously not invalidate the proof of partial correctness, since a stronger precondition simply selects a subset of the set of states for which the computation is correct.
All we need to prove is that the program terminates.
Program verification (3/3)

To show termination, we search for a numeric function whose value decreases with every execution of the loop body, and whose value has an invariant lower bound. The loop must eventually terminate because there cannot be an infinite decreasing sequence of integers greater than the lower bound.

$\{x = (b-y) \cdot a \wedge y \geq 0 \wedge y \neq 0\}$
begin x := x + a; y := y-1 end;
$\{x = (b-y) \cdot a \wedge y \geq 0\}$

Since y is decreasing and yet bounded from below by $y \geq 0$, the loop must terminate and the program is totally correct.
Program synthesis (1/3)

The most difficult part in proving programs is to find invariants. How do we find invariants?

Solution: delete part of the postcondition; what remains is the candidate invariant.

We demonstrate the method by developing two different programs for finding the integer square root of a non-negative integer:

$\{0 \leq a\}\ S\ \{0 \leq x^2 \leq a < (x+1)^2\}$
Program synthesis (2/3)

Solution

$\{0 \leq a\}$
x := ? ;
while B(x, a) do
    $\{0 \leq x^2 \leq a\}$
    x := ? ;
$\{0 \leq x^2 \leq a < (x+1)^2\}$

The postcondition of the while statement is $p \wedge \neg B(x,a)$, so B(x,a) is $(x+1)^2 \leq a$.
The loop should terminate, so x should be incremented in every iteration.
Program synthesis (3/3)

Solution

$\{0 \leq a\}$
x := 0 ;
while $(x+1)^2 \leq a$ do
    $\{0 \leq x^2 \leq a\}$
    x := x + 1 ;
$\{0 \leq x^2 \leq a < (x+1)^2\}$

We must check the loop invariant $\{p \wedge B\}\ S\ \{p\}$:

$\{0 \leq x^2 \leq a \wedge (x+1)^2 \leq a\}$ x := x+1 $\{0 \leq x^2 \leq a\}$
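As an added example (not from the slides or from Ben-Ari's book): a small Python weakest-precondition calculator that encodes Definitions 6, 7 and 9 as transformers over a state dictionary, and checks the loop-rule obligations of the earlier slides (the while x > 0 loop, the multiplication program with invariant x = (b-y)·a, and the square-root program synthesised above) by exhaustive evaluation over integers in [-6, 6]. The state-dictionary encoding, the bounded domain and the names assign, seq, ifte, equivalent and loop_rule_holds are all assumptions of this example; the exhaustive check is a sanity test of the proof obligations, not a proof over all integers.

```python
from itertools import product
def assign(var, expr):
    """x := t.  wp(x := t, q) = q{x <- t}: evaluate q in the updated state (Definition 6)."""
    return lambda q: (lambda s: q({**s, var: expr(s)}))

def seq(*stmts):
    """S1; S2.  wp(S1; S2, q) = wp(S1, wp(S2, q)) (Definition 7)."""
    def wp(q):
        for st in reversed(stmts):
            q = st(q)
        return q
    return wp

def ifte(cond, s1, s2):
    """if B then S1 else S2.  wp = (B -> wp(S1, q)) and (not B -> wp(S2, q)) (Definition 9)."""
    return lambda q: (lambda s: s1(q)(s) if cond(s) else s2(q)(s))

def states(variables, lo=-6, hi=6):
    """Every state giving each variable an integer in [lo, hi]: the bounded domain we check."""
    for vals in product(range(lo, hi + 1), repeat=len(variables)):
        yield dict(zip(variables, vals))

def equivalent(p1, p2, variables):
    """Bounded check that two predicates agree on every state of the box."""
    return all(p1(s) == p2(s) for s in states(variables))

def loop_rule_holds(pre, inv, cond, body, post, variables):
    """Loop rule obligations: pre -> inv, (inv and B) -> wp(S, inv), (inv and not B) -> post."""
    keeps = body(inv)
    return all((not pre(s) or inv(s)) and (not (inv(s) and cond(s)) or keeps(s))
               and (not (inv(s) and not cond(s)) or post(s)) for s in states(variables))
# Example 1 of Definition 7: wp(x := x+1; y := y+2, x < y) is equivalent to x < y+1.
S_SEQ = seq(assign("x", lambda s: s["x"] + 1), assign("y", lambda s: s["y"] + 2))
EX_SEQ = equivalent(S_SEQ(lambda s: s["x"] < s["y"]), lambda s: s["x"] < s["y"] + 1, ["x", "y"])
# If-statement example: wp(if y=0 then x:=0 else x:=y+1, x=y) is equivalent to y=0.
S_IF = ifte(lambda s: s["y"] == 0, assign("x", lambda s: 0), assign("x", lambda s: s["y"] + 1))
EX_IF = equivalent(S_IF(lambda s: s["x"] == s["y"]), lambda s: s["y"] == 0, ["x", "y"])
# Loop-rule slide: for while x > 0 do x := x-1, x = 5 is too strong but x >= 0 is an invariant.
DEC, GT0, IS0 = assign("x", lambda s: s["x"] - 1), lambda s: s["x"] > 0, lambda s: s["x"] == 0
TOO_STRONG = loop_rule_holds(lambda s: s["x"] == 5, lambda s: s["x"] == 5, GT0, DEC, IS0, ["x"])
GOOD_INV = loop_rule_holds(lambda s: s["x"] == 5, lambda s: s["x"] >= 0, GT0, DEC, IS0, ["x"])
# Multiplication program from the verification slide: invariant x = (b-y)*a after x := 0; y := b.
MUL_BODY = seq(assign("x", lambda s: s["x"] + s["a"]), assign("y", lambda s: s["y"] - 1))
MUL_OK = loop_rule_holds(pre=lambda s: s["x"] == 0 and s["y"] == s["b"],
                         inv=lambda s: s["x"] == (s["b"] - s["y"]) * s["a"], cond=lambda s: s["y"] != 0,
                         body=MUL_BODY, post=lambda s: s["x"] == s["a"] * s["b"], variables=["x", "y", "a", "b"])
# Synthesised integer square root: after x := 0, invariant 0 <= x^2 <= a and guard (x+1)^2 <= a.
SQRT_OK = loop_rule_holds(pre=lambda s: 0 <= s["a"] and s["x"] == 0, inv=lambda s: 0 <= s["x"] ** 2 <= s["a"],
                          cond=lambda s: (s["x"] + 1) ** 2 <= s["a"], body=assign("x", lambda s: s["x"] + 1),
                          post=lambda s: 0 <= s["x"] ** 2 <= s["a"] < (s["x"] + 1) ** 2, variables=["x", "a"])
```

Because wp of a while statement is defined recursively (Definition 10), the loop is handled through the loop rule's three obligations rather than by computing wp directly; a failing obligation (as with the invariant x = 5) makes loop_rule_holds return False.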
References

Mordechai Ben-Ari, Mathematical Logic for Computer Science
Michael Huth and Mark Ryan, Logic in Computer Science