Recall the following:
Relationship between Hoare Triples and the weakest precondition function:
{P} S {Q} ≡ [P ⇒ wp.S.Q]
wp skip Law: [wp.skip.Q ≡ Q]
wp Assignment Law: [wp.(x:=E).Q ≡ Q(x:=E)]
wp Sequential Composition Law: [wp.(S1; S2).Q ≡ wp.S1.(wp.S2.Q)]
Hoare Triple Sequential Composition Rule:
To prove the Hoare Triple {P} S1; S2 {Q},
it suffices to devise a predicate R and to prove both
{P} S1 {R} and {R} S2 {Q}.
If S2 is an assignment command, the obvious choice for
R is wp.S2.Q.
1. Prove the correctness of this program:
{x = X ∧ y = Y} x := x + y; y := x - y; x := x - y {x = Y ∧ y = X}
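A worked wp calculation for Problem 1, added here as an illustration of the laws recalled above (it is not part of the original problem sheet). It uses only the Assignment Law, the Sequential Composition Law and the relationship between Hoare triples and wp; Q denotes the postcondition x = Y ∧ y = X and P the precondition x = X ∧ y = Y.

```text
Let S be  x := x + y; y := x - y; x := x - y.
By the Sequential Composition Law, wp.S.Q is obtained by working backwards
from the last assignment, one Assignment Law step at a time:

   wp.(x := x - y).Q
≡    { Assignment Law: substitute x - y for x in Q }
   x - y = Y ∧ y = X

   wp.(y := x - y).(x - y = Y ∧ y = X)
≡    { Assignment Law: substitute x - y for y }
   x - (x - y) = Y ∧ x - y = X
≡    { arithmetic }
   y = Y ∧ x - y = X

   wp.(x := x + y).(y = Y ∧ x - y = X)
≡    { Assignment Law: substitute x + y for x }
   y = Y ∧ (x + y) - y = X
≡    { arithmetic }
   y = Y ∧ x = X

Hence wp.S.Q ≡ (x = X ∧ y = Y) ≡ P, so [P ⇒ wp.S.Q] holds trivially and,
by the relationship {P} S {Q} ≡ [P ⇒ wp.S.Q], the program is correct.
```

The calculation shows why the Sequential Composition Rule suggests R = wp.S2.Q when S2 is an assignment: each intermediate predicate above is exactly that choice of R for the remaining suffix of the program.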
Recall that if IF is the program if B then S1 else S2 fi then
2. Prove the correctness of this program:
{P ∧ 0 ≤ k < #b} if b[k] ≤ 0 then sum,k := sum - b[k], k+1 else sum := sum + b[k]; k := k+1 fi {P}
3. Prove the correctness of this program:
{P ∧ 0 ≤ k < #b} if b[k] ≤ 0 then sum := sum - b[k] else sum := sum + b[k] fi; k := k+1 {P}
where P: sum = (+i | 0 ≤ i < k : |b[i]|).
The absolute value function satisfies this condition:
Notice that, in Problem 2, the two branches of the selection command are different in that one is a simultaneous assignment and the other is a sequential composition of two assignments. Hence their proofs should not be mirror images of one another.
Notice that, in Problem 3, the program itself is a sequential composition of a selection command and an assignment command. This is unlike Problem 2, whose program is a selection command. Hence the two proofs, while having some commonality, should not be the same.
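A worked proof of Problem 3, added here as an illustration of the Sequential Composition Rule applied to a selection followed by an assignment (it is not part of the original sheet). Beyond the laws recalled above it assumes two standard facts, stated as assumptions because the page's own statement of them is cut off: the rule for selection, namely that {P} if B then S1 else S2 fi {Q} follows from {P ∧ B} S1 {Q} and {P ∧ ¬B} S2 {Q}, and the case split for absolute value, |v| = -v when v ≤ 0 and |v| = v when v > 0.

```text
Let IF be  if b[k] ≤ 0 then sum := sum - b[k] else sum := sum + b[k] fi
and P be   sum = (+i | 0 ≤ i < k : |b[i]|).

The program is the sequential composition IF; k := k+1, so by the Sequential
Composition Rule it suffices to find R with
   {P ∧ 0 ≤ k < #b} IF {R}   and   {R} k := k+1 {P}.
The second command is an assignment, so take R = wp.(k := k+1).P:

   R
≡    { Assignment Law: substitute k+1 for k in P }
   sum = (+i | 0 ≤ i < k+1 : |b[i]|)
≡    { split off the term i = k; the range is non-empty since 0 ≤ k }
   sum = (+i | 0 ≤ i < k : |b[i]|) + |b[k]|

With this R, {R} k := k+1 {P} holds by the Assignment Law, since R is its wp.
For {P ∧ 0 ≤ k < #b} IF {R}, prove one triple per branch, each with its guard
added to the precondition (0 ≤ k < #b ensures b[k] is defined in both):

   then-branch:  {P ∧ 0 ≤ k < #b ∧ b[k] ≤ 0} sum := sum - b[k] {R}
   wp.(sum := sum - b[k]).R
≡    { Assignment Law: substitute sum - b[k] for sum in R }
   sum - b[k] = (+i | 0 ≤ i < k : |b[i]|) + |b[k]|
≡    { b[k] ≤ 0 from the precondition, so |b[k]| = -b[k]; cancel -b[k] }
   sum = (+i | 0 ≤ i < k : |b[i]|)
≡    { definition of P }
   P

   else-branch:  {P ∧ 0 ≤ k < #b ∧ ¬(b[k] ≤ 0)} sum := sum + b[k] {R}
   wp.(sum := sum + b[k]).R
≡    { Assignment Law: substitute sum + b[k] for sum in R }
   sum + b[k] = (+i | 0 ≤ i < k : |b[i]|) + |b[k]|
≡    { b[k] > 0 from the precondition, so |b[k]| = b[k]; cancel b[k] }
   P

In each branch the precondition implies the computed wp, so both branch
triples hold, {P ∧ 0 ≤ k < #b} IF {R} holds, and the program is correct.
```

Note how the commonality with Problem 2 is confined to the per-branch reasoning about |b[k]|; the structural difference is that here the increment of k is discharged once, outside the selection, through the single intermediate predicate R.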
{P} Sinit; {loop invariant I: ...} {bound function t: ...} do B ---> S od {Q}
Then to prove the Hoare Triple {P} Sinit; LOOP {Q} it suffices to prove these five "proof obligations":
Items (i) and (ii) together show that I is, as claimed, an invariant of the loop. (In effect, (i) is the basis and (ii) is the inductive step in a proof by induction on the number of loop iterations.)
Item (iii) shows that, if and when the loop terminates, the postcondition Q holds.
Items (iv) and (v) together show that the loop terminates after finitely many iterations.
4. Prove that the following program is correct. Notice that the loop guard and the main conjunct of the loop invariant were derived (using the "delete a conjunct" heuristic) from the strengthened version Q' of the postcondition, which was obtained from the original postcondition Q using the "replace a constant by a fresh variable" heuristic.