Program Correctness - Discrete Mathematics - Lecture Slides, Slides of Discrete Mathematics

During the study of discrete mathematics, I found this course very informative and applicable. The main points in these lecture slides are: Program Correctness, Program Verification, Rules of Inference, Proof Techniques, Form of Formal Verification, Proof of Correctness, Partial Correctness, Hoare Triple, Initial Assertion, Composition Rule, Conditional Statements

Typology: Slides

2012/2013

Uploaded on 04/27/2013 by atasi
CSE115/ENGR160 Discrete Mathematics
04/12/11
4.5 Program correctness

• Suppose we have designed an algorithm to solve a problem with a program
• After debugging, how can we be sure that the program always gets the correct answer?
• We need a proof to show that the program always gives the correct answer
• Program verification: uses the rules of inference and proof techniques

Program verification

• A program is said to be correct if it produces the correct output for every possible input
• A proof that a program is correct consists of two parts
  • Partial correctness: the correct answer is obtained if the program terminates
  • Termination: shows that the program always terminates

Partially correct

  • To specify that a program produces the correct output, two assertions are used
    • Initial assertion: the properties that the input values must have
    • Final assertion: the properties that the output of the program should have, if the program did what was intended
  • A program or program segment S is said to be partially correct with respect to the initial assertion p and the final assertion q if whenever p is true for the input values of S and S terminates, then q is true for the output values of S
  • The notation p{S}q indicates that the program, or program segment, S is partially correct with respect to the initial assertion p and the final assertion q

Rules of inference

• Suppose the program S is split into subprograms S₁ and S₂; denote this by S = S₁; S₂
• Suppose the correctness of S₁ w.r.t. the initial assertion p and final assertion q, and the correctness of S₂ w.r.t. the initial assertion q and the final assertion r
• It follows that if p is true and S₁ is executed and terminates, then q is true; and if q is true and S₂ executes and terminates, then r is true

Rules of inference

• Thus, if p is true and S = S₁; S₂ is executed and terminates, then r is true
• This rule of inference, called the composition rule, can be stated as

p{S₁}q
q{S₂}r
∴ p{S₁; S₂}r

Conditional statements

• The rule of inference for an if-then statement

(p ∧ condition){S}q
(p ∧ ¬condition) → q
∴ p{if condition then S}q

Conditional statement

  • Verify that the program segment
    if x > y then y := x
    is correct w.r.t. the initial assertion T and the final assertion y ≥ x
  • When the initial assertion is true and x > y, the assignment y := x is carried out. Thus, the final assertion y ≥ x is true
  • When the initial assertion is true and x > y is false, then x ≤ y, so the final assertion y ≥ x is already true (no assignment is made)
  • Hence, using the rule of inference for conditional statements, this program is correct w.r.t. the given initial and final assertions

Conditional statements

• The rule of inference for an if-then-else statement

(p ∧ condition){S₁}q
(p ∧ ¬condition){S₂}q
∴ p{if condition then S₁ else S₂}q

Conditional statements

  • Verify that the program segment
    if x < 0 then abs := -x else abs := x
    is correct w.r.t. the initial assertion T and the final assertion abs = |x|
  • Two things must be demonstrated. First, it must be shown that if the initial assertion is true and x < 0, then abs = |x|. This is correct because when x < 0, the assignment statement abs := -x sets abs = -x, which is |x| by definition when x<
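A runtime check of the two conditional rules on the slides' own segments (an added example, not part of the slides): it enumerates a small constructed state space and checks each premise of the rule separately, so a failing premise tells you which branch breaks the final assertion. The state dictionaries, the `check_*` helper names and the range [-3, 3] are assumptions of this example.

```python
from itertools import product

def check_triple(pre, segment, post, states):
    """Finite-state check of p{S}q: for every state where p holds, run S
    and require q afterwards. Returns the counterexamples (before, after)."""
    bad = []
    for s in states:
        if pre(s):
            out = segment(dict(s))
            if not post(out):
                bad.append((s, out))
    return bad

def check_if_then(pre, cond, body, post, states):
    """Premises of the if-then rule: (p ∧ condition){S}q and (p ∧ ¬condition) -> q."""
    branch = check_triple(lambda s: pre(s) and cond(s), body, post, states)
    skip = [s for s in states if pre(s) and not cond(s) and not post(s)]
    return branch, skip

def check_if_then_else(pre, cond, body1, body2, post, states):
    """Premises of the if-then-else rule: (p ∧ c){S1}q and (p ∧ ¬c){S2}q."""
    return (check_triple(lambda s: pre(s) and cond(s), body1, post, states),
            check_triple(lambda s: pre(s) and not cond(s), body2, post, states))

# Constructed state space: all integer pairs x, y in [-3, 3] (49 states)
STATES = [{"x": x, "y": y} for x, y in product(range(-3, 4), repeat=2)]
TRUE = lambda s: True  # the initial assertion T

# Slide segment: if x > y then y := x, with final assertion y >= x
def assign_y_x(s):
    s["y"] = s["x"]
    return s

def verify_max():
    return check_if_then(TRUE, lambda s: s["x"] > s["y"], assign_y_x,
                         lambda s: s["y"] >= s["x"], STATES)

# Slide segment: if x < 0 then abs := -x else abs := x, final assertion abs = |x|
def assign_abs_neg(s):
    s["abs"] = -s["x"]
    return s
def assign_abs_id(s):
    s["abs"] = s["x"]
    return s

def verify_abs():
    return check_if_then_else(TRUE, lambda s: s["x"] < 0, assign_abs_neg, assign_abs_id,
                              lambda s: s["abs"] == abs(s["x"]), STATES)
```

Both `verify_max()` and `verify_abs()` return empty counterexample lists; replacing the final assertion of the first segment with the too-strong y = x makes the skipped branch (x ≤ y) fail for every state with x < y.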

Loop invariants

  • Proof of correctness of while loops of the form
    while condition
      S
  • Note that S is repeatedly executed until condition becomes false
  • An assertion that remains true each time S is executed must be chosen
  • Such an assertion is called a loop invariant
  • That is, p is a loop invariant if (p ∧ condition){S}p is true

Loop invariants

• Suppose that p is a loop invariant. It follows that if p is true before the program segment is executed, then p and ¬condition are true after the loop terminates, if termination occurs
• The rule of inference for while loops can be stated as

(p ∧ condition){S}p
∴ p{while condition S}(¬condition ∧ p)

Example

  • Let p be the assertion "factorial = i! and i ≤ n". We first prove that p is a loop invariant
  • Suppose that at the beginning of one execution of the while loop, p is true and the condition holds, i.e., assume that factorial = i! and that i < n
  • The new values i_new and factorial_new of i and factorial are i_new = i + 1 ≤ n and factorial_new = factorial · (i + 1) = (i + 1)! = i_new!
  • Because i < n, we also have i_new = i + 1 ≤ n
  • Thus p is true at the end of the execution of the loop
  • This shows that p is a loop invariant

Example

  • Just before entering the loop, i = 1 ≤ n and factorial = 1 = 1! = i! both hold, so p is true
  • As p is a loop invariant, the rule of inference implies that if the while loop terminates, it terminates with p true and with i < n false
  • In this case, at the end, factorial = i! and i ≤ n are true, but i < n is false; in other words, i = n and factorial = i! = n!, as desired
  • Finally, we need to check that the while loop actually terminates
  • At the beginning of the program i is assigned the value 1, so after n-1 traversals of the loop, the new value of i will be n, and the loop terminates at that point
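The factorial example above, instrumented as an added example (not code from the slides): the loop program is reconstructed from the slides' description and is an assumption of this example, since the slides never print it. A candidate invariant is checked on entry, after each iteration and on exit together with ¬condition, which is exactly the while-loop rule, and the variant n - i is checked to strictly decrease, which is the termination argument.

```python
from math import factorial as fact

def factorial_loop(n, invariant=None):
    """The program the slides' example reasons about, reconstructed from its
    description (assumed form, the slides do not print it):
        i := 1; factorial := 1; while i < n do (i := i + 1; factorial := factorial * i)
    If a candidate invariant is given it is checked on loop entry, after every
    iteration and on exit (with ¬condition), mirroring the while-loop rule.
    The variant n - i is also checked to strictly decrease each iteration,
    which is the termination argument. Raises AssertionError on a violation."""
    i, factorial = 1, 1
    if invariant is not None:
        assert invariant(i, factorial, n), "invariant false on entry"
    while i < n:
        old_variant = n - i
        i = i + 1
        factorial = factorial * i
        if invariant is not None:
            assert invariant(i, factorial, n), f"invariant broken at i={i}"
        assert n - i < old_variant, "variant did not decrease"
    if invariant is not None:
        assert invariant(i, factorial, n) and not (i < n), "exit assertion false"
    return i, factorial

def p(i, factorial, n):
    # the slides' loop invariant: factorial = i! and i <= n
    return factorial == fact(i) and i <= n

def off_by_one(i, factorial, n):
    # a candidate that is NOT preserved by the loop body: factorial = (i - 1)!
    return factorial == fact(i - 1)

def invariant_holds(candidate, n):
    """True if the candidate survives entry, every iteration and exit for input n."""
    try:
        factorial_loop(n, candidate)
        return True
    except AssertionError:
        return False

def verify(n):
    """Partial correctness with p plus termination: final state is (n, n!)."""
    i, factorial = factorial_loop(n, p)
    return i == n and factorial == fact(n)
```

Note that `invariant_holds(p, 0)` is false: the entry check i = 1 ≤ n fails, which is the slides' unstated initial assertion n ≥ 1 made visible.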