Design and Analysis of Algorithms
Formal Methods in Software Engineering, Lecture # 26
Dr. Naveed Riaz

Slides: 25

Conditional Correctness (slide 2)

{P} S {Q}: P is the initial state, S the set of instructions, Q the final state. The triple expresses the conditional correctness of S.
Binary search (pre-condition): the array must be in sorted form. That is, for this program to work properly we need to start with a given condition.
Post-condition: if the key is present you get its index; if the key is not present you get some value which tells you that the key is not present (the desired output).
If we start with P and end with Q, then our program is conditionally correct.

Conditional Correctness (slide 3)

Suppose the post-condition is n < 0 and S is n := n - 1.
Pre-condition: if we start with n = 0, then n - 1 leaves us with -1 at the end. Another point: if we start with n = -10, then n - 1 gives -11. This means there are infinitely many values of n which satisfy the post-condition.
Weakest pre-condition: n <= 0 (infinitely many possibilities); executing n := n - 1 then gives n < 0.

Weakest Pre-Condition (slide 4)

wp(z := x, z >= y)  =  x >= y
wp(t := x, t = x0)  =  x = x0
wp(i := i + 1, i <= n)  =  i < n
The first and third examples admit many values that satisfy the final state; the middle one admits just one value.

Weakest Pre-Condition (slide 5)

Suppose the array is not sorted and you want to implement linear search. Is there any condition on the input? Even if the data is not sorted, linear search will still give you the result.
wp: any arrangement of data in the array will give the output, i.e. true.
But in binary search, if your data is not sorted you cannot apply binary search.
wp: a specific arrangement is required.

Broad Categories of Statements (slide 6)

Assignment statements
Selection (control statements)
Loop statements

Assignment Axiom (slide 7)

wp(x := e, Q(x))  =  Q(e)
e represents an expression. After the statement, x will have the value which e had before executing the statement.
Q(e) denotes the predicate obtained by substituting e for all free occurrences of x in the predicate Q.

Assignment Axiom (slide 8)

wp(i := i - 1, i = 0)  =  i - 1 = 0
wp(i := (l + u) div 2, l <= i <= u)  =  l <= (l + u) div 2 <= u
wp(i := 1, i = 0)  =  1 = 0, i.e. false
Hence for a single assignment statement the assignment axiom performs well, but our programs contain more than one assignment statement.

Rules for Sequential Composition (slide 9)

Suppose that only a set of assignment statements is given along with the post-condition, and we need to determine the wp.
The post-condition will be achieved after executing the last statement. This means that if we are at the wp before the last statement, then we meet the post-condition. So the wp of the last statement is the post-condition for the previous statement.
wp(S1; S2, Q)  =  wp(S1, wp(S2, Q))

Rules for Sequential Composition (slide 10)

wp((x := x + 1; y := y + 1), x = y)
  = wp(x := x + 1, wp(y := y + 1, x = y))   -> group the post-condition with the last statement
  = wp(x := x + 1, x = y + 1)               -> apply the assignment axiom
  = x + 1 = y + 1
  = x = y
So if we start with the initial condition x = y and then execute the x and y statements, we end with the post-condition.

Rules for Sequential Composition (slide 11)

wp((x := 2 * x + 1; y := y - 1), y = 3 * x)
  = wp(x := 2 * x + 1, wp(y := y - 1, y = 3 * x))   -> group the post-condition with the last statement
  = wp(x := 2 * x + 1, y - 1 = 3 * x)               -> apply the assignment axiom
  = y - 1 = 3 * (2 * x + 1)
  = y = 6 * x + 4

Rules for Sequential Composition (slide 12)

A pre-condition and a post-condition basically give a specification for a function. Now we have to prove that a function, or a set of statements, meets its specification.
The specification is given in the form of pre- and post-conditions. We can calculate the wp from the post-condition; in the same way we can calculate the post-condition from the wp. But it is easier to work backward: if the objective (the post-condition) is given, the task is much easier than working towards a hidden objective.

Rules for Sequential Composition (slide 13)

{x = x0 and y = y0}        initial condition
t := x; x := y; y := t;
{x = y0 and y = x0}        final output

Rules for Sequential Composition (slide 14)

The post-condition of each statement becomes the pre-condition of the next:
{x = x0 and y = y0}
t := x
{t = x0 and y = y0}
x := y
{t = x0 and x = y0}
y := t
{y = x0 and x = y0}

Hoare's Consequence Rule (slide 15)

Logical implication: an if statement is modelled by the logical implication P => Q, i.e. if P then Q.

  P => Q,  {Q} S {R}            {P} S {Q},  Q => R
  ------------------            ------------------
      {P} S {R}                      {P} S {R}

Rules for Conditional (slide 16)

  {P and C} S {Q},  P and (not C) => Q
  ------------------------------------
         {P} if C then S {Q}

The if is divided into two portions (i.e. true or false), so we check both the true path and the false path; if in both cases we end with Q, then our program is correct.

Rules for Conditional (slide 17)

  {P and C} S1 {Q},  {P and (not C)} S2 {Q}
  -----------------------------------------
        {P} if C then S1 else S2 {Q}

The if is divided into two portions (i.e. true or false), so we check both the true path and the false path; if in both cases we end with Q, then our program is correct.
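The assignment axiom (slides 7 and 8), the sequential composition rule (slides 9 to 14) and the conditional rules (slides 16 and 17) can all be mechanised. The following Python block is an added example and is not part of the lecture: it represents predicates as Python expression strings, implements wp(x := e, Q) as substitution of e for the free occurrences of x through the ast module (ast.unparse needs Python 3.9 or later), folds a statement list from the last statement backwards for sequential composition, and applies the if-then-else rule in the form (C and wp(S1, Q)) or (not C and wp(S2, Q)). Because the predicates here have no quantifiers, it also checks implication and equivalence exhaustively over a small integer domain, which is how it discharges the proof obligation P => wp(S, Q). The function names (substitute, wp, implies, equivalent, hoare_triple_holds) and the statement-tuple encoding are this example's own conventions; the swap program, the two sequential-composition examples and a max program with an if statement are the constructed inputs.

```python
import ast
import itertools

# Predicates and expressions are strings in Python syntax, e.g. "x == y + 1".
# They are authored in this file; eval() is applied only to them, never to
# external input.  Requires Python 3.9+ for ast.unparse.


def substitute(pred: str, var: str, expr: str) -> str:
    """Assignment axiom: wp(var := expr, Q) is Q with expr put in place of
    every free occurrence of var.  The predicates here contain no binders,
    so every occurrence is free.  Going through the AST (rather than string
    replacement) leaves other identifiers such as 'x0' untouched and lets
    ast.unparse insert the parentheses the substituted expression needs."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return replacement if node.id == var else node

    return ast.unparse(Sub().visit(ast.parse(pred, mode="eval")))


def wp(stmts, post: str) -> str:
    """Weakest precondition of a statement list.
    Statements are tuples: ("assign", var, expr) or ("if", cond, then, else).
    Sequential composition: wp(S1; S2, Q) = wp(S1, wp(S2, Q)), so the list is
    folded from the last statement backwards, each wp becoming the
    post-condition of the statement before it."""
    for stmt in reversed(stmts):
        if stmt[0] == "assign":
            _, var, expr = stmt
            post = substitute(post, var, expr)
        elif stmt[0] == "if":
            _, cond, then_s, else_s = stmt
            # if-then-else rule; an empty else branch gives wp([], Q) = Q,
            # which is exactly the "P and (not C) => Q" obligation of if-then.
            post = (f"({cond} and ({wp(then_s, post)})) or "
                    f"(not ({cond}) and ({wp(else_s, post)}))")
        else:
            raise ValueError(f"unknown statement kind: {stmt[0]}")
    return post


def implies(p: str, q: str, names, domain=range(-3, 4)) -> bool:
    """Check p => q for every assignment of the named integer variables drawn
    from a small domain (an exhaustive check, not a proof over all integers)."""
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if eval(p, {}, env) and not eval(q, {}, env):
            return False
    return True


def equivalent(p: str, q: str, names, domain=range(-3, 4)) -> bool:
    return implies(p, q, names, domain) and implies(q, p, names, domain)


def hoare_triple_holds(pre: str, stmts, post: str, names) -> bool:
    """{pre} stmts {post} is valid when pre => wp(stmts, post)
    (Hoare's consequence rule: strengthen the weakest precondition to pre)."""
    return implies(pre, wp(stmts, post), names)


# Constructed inputs: the lecture's examples encoded as statement lists.
SEQ1 = [("assign", "x", "x + 1"), ("assign", "y", "y + 1")]
SEQ2 = [("assign", "x", "2 * x + 1"), ("assign", "y", "y - 1")]
SWAP = [("assign", "t", "x"), ("assign", "x", "y"), ("assign", "y", "t")]
MAX = [("if", "x > y", [("assign", "m", "x")], [("assign", "m", "y")])]

if __name__ == "__main__":
    print(wp(SEQ1, "x == y"))               # x + 1 == y + 1
    print(wp(SEQ2, "y == 3 * x"))           # equivalent to y == 6 * x + 4
    print(wp(SWAP, "x == y0 and y == x0"))  # y == y0 and x == x0
    print(hoare_triple_holds("x == x0 and y == y0", SWAP,
                             "x == y0 and y == x0", ["x", "y", "t", "x0", "y0"]))
    print(equivalent(wp(MAX, "m >= x and m >= y"), "True", ["x", "y", "m"]))
```

The exhaustive check over a bounded domain is a cheap model check, not a proof: it can only refute a triple or raise confidence in it, and the wp strings it produces are what a human or a theorem prover would then simplify by hand, as slides 10 and 11 do.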

Dijkstra's Healthiness Conditions (slide 18)

wp(S, false), i.e. false: the empty set. False is the law of the excluded miracle.
wp(S, true), i.e. true: the universal set. This is the termination condition, all states that guarantee termination of S.
The second case is a special one and is normally not used in practice. In sequential statements, termination of the program is guaranteed.
When may a program not terminate? When it is stuck in an infinite loop.

Dijkstra's Healthiness Conditions (slide 19)

In the case of loops, when we argue about program correctness we must first ask whether the loop in question actually terminates (if it does not, there is no post-condition). If the loop terminates, then we argue about the rest: secondly, if the loop terminates, what condition holds after it.
wp(while 0 != n do n := n - 1, true)  =  0 <= n
So if we start with any other value of n, i.e. -1, we will never reach n = 0.

Verification (slide 20)

Invariant
• Something which is unchanging
• Key to proofs for programs containing loops (iteration or recursion)
• Questions seem to ask for the next change
• The answer lies in determining what does not change

Verification (slide 21)

What was the invariant condition in Dijkstra's game?
• Pulling balls from the jar is an iterative process
• The parity of the white ball count
• i.e. if we started with an even number of white balls we would have a black ball at the end
• If we started with an odd number of white balls then the colour of the last ball would be white

Verification (slide 22)

• Invariant => the parity of the white ball count does not change
• i.e. if we take two white balls or two black balls out of the jar, we put a black ball into the jar
• The number of white balls is reduced either by two or by zero, i.e. the parity does not change
• Second case: if we get balls of different colours, we put the white ball back into the jar, so the parity does not change
• Think: identifying the pattern leads us to identify the colour of the last ball
• Why is the invariant condition important?
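The game on slides 21 and 22 is a loop, and the parity argument is a loop invariant. The following Python block is an added example, not part of the lecture: it simulates the game with the rules as stated on the slides (two balls of the same colour are replaced by one black ball from an unlimited outside supply; a mixed pair puts the white ball back), asserts the invariant (parity of the white count) after every iteration, and asserts a variant (the total number of balls drops by exactly one) that guarantees termination. The function names and the starting jar contents are constructed for this example; predict() is what the invariant alone says about the final ball.

```python
import random

# Constructed simulation of Dijkstra's ball game.  The jar state is just the
# two counts; the outside supply of black balls is assumed unlimited.


def step(whites: int, blacks: int, rng: random.Random):
    """One loop iteration: draw two balls uniformly at random without
    replacement and apply the rule.  Returns the new (whites, blacks)."""
    jar = ["W"] * whites + ["B"] * blacks
    a, b = rng.sample(jar, 2)
    if a == b == "W":
        return whites - 2, blacks + 1   # two whites out, one black in
    if a == b == "B":
        return whites, blacks - 1       # two blacks out, one black in
    return whites, blacks - 1           # mixed: white goes back, black discarded


def play(whites: int, blacks: int, seed: int = 0) -> str:
    """Run the loop to completion, checking the invariant and the variant on
    every iteration, and return the colour of the last ball."""
    assert whites + blacks >= 1, "the jar must start non-empty"
    rng = random.Random(seed)
    parity = whites % 2                 # the invariant: parity of the white count
    while whites + blacks > 1:          # loop guard: more than one ball left
        total_before = whites + blacks
        whites, blacks = step(whites, blacks, rng)
        assert whites % 2 == parity, "invariant violated"
        # variant: the ball count drops by exactly one per iteration, so the
        # guard must eventually become false and the loop terminates
        assert whites + blacks == total_before - 1, "variant violated"
    # guard false: exactly one ball remains
    return "white" if whites == 1 else "black"


def predict(whites: int) -> str:
    """What the invariant alone tells us: an odd number of whites at the start
    means the last ball is white, an even number means it is black."""
    return "white" if whites % 2 == 1 else "black"


def invariant_matches_simulation(max_balls: int = 6, seeds: int = 5) -> bool:
    """Cross-check predict() against the simulation for every small start
    and several random draw sequences."""
    for w in range(max_balls + 1):
        for b in range(max_balls + 1):
            if w + b == 0:
                continue
            for seed in range(seeds):
                if play(w, b, seed) != predict(w):
                    return False
    return True


if __name__ == "__main__":
    print(play(3, 5), predict(3))        # white white
    print(invariant_matches_simulation())  # True
```

The random draws change which pair leaves the jar, but never the parity, which is why the final colour is decided by the initial white count and not by the sequence of draws; the variant is what lets us say the loop reaches that final state at all, which is the termination question raised on slide 19.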

Verification (slide 23)

• Why is the invariant condition important?
• Because of iteration: you want to get closer to your objective function
• You have to follow some pattern which leads you one step closer to your objective function in the iterative process

Classical Problem (slide 24)

• Can you completely cover the chessboard with these dominoes without partially using a domino? If so, how? If not, prove that you cannot.

Classical Problem (slide 25)

• The key to the invariant condition is the shape of the tiles we use to cover the chessboard (some information is stored in the colour)
• A given piece will cover one light and one blue square, because on a chessboard we do not have two white or two black squares adjacent to each other
• We have an equal number of blue and white squares on the chessboard
• If we do not have an equal number of squares then we will not cover the whole chessboard
• Condition: we have removed two squares of the same colour, i.e. we are left with more blue than white, i.e. 32 blue and 30 white
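The chessboard argument on slides 24 and 25 is the same kind of invariant: placing a domino always covers one square of each colour, so the difference between the two colour counts never changes. The following Python block is an added example, not part of the lecture: it counts the remaining squares of each colour on an n x n board with some squares removed, states the invariant as a necessary condition for a tiling, and cross-checks it with an exhaustive backtracking tiler on a board small enough to search. The colour convention ((r + c) even is light), the function names and the removed-square sets are constructed for this example.

```python
# Constructed example: the colour-count invariant for domino tilings,
# cross-checked against exhaustive search on small boards.


def colour(r: int, c: int) -> str:
    """Constructed convention: square (r, c) is light when r + c is even."""
    return "light" if (r + c) % 2 == 0 else "dark"


def colour_counts(n: int, removed) -> tuple:
    """(light, dark) counts of the squares that remain on an n x n board."""
    light = dark = 0
    for r in range(n):
        for c in range(n):
            if (r, c) in removed:
                continue
            if colour(r, c) == "light":
                light += 1
            else:
                dark += 1
    return light, dark


def invariant_allows_tiling(n: int, removed) -> bool:
    """Every domino covers one light and one dark square, so placing dominoes
    never changes (light - dark).  A complete tiling ends with both counts at
    zero, so it can exist only if the counts are equal to begin with."""
    light, dark = colour_counts(n, removed)
    return light == dark


def tileable(n: int, removed) -> bool:
    """Exhaustive backtracking tiler (practical only for small boards).
    It always covers the smallest free square next, so each tiling is
    generated at most once and a False answer means no tiling exists."""
    free = frozenset((r, c) for r in range(n) for c in range(n)) - frozenset(removed)

    def solve(free):
        if not free:
            return True
        r, c = min(free)
        for dr, dc in ((0, 1), (1, 0)):       # partner to the right or below
            partner = (r + dr, c + dc)
            if partner in free and solve(free - {(r, c), partner}):
                return True
        return False

    return solve(free)


if __name__ == "__main__":
    # 8 x 8 board with two opposite corners removed: both corners are the same
    # colour, leaving 30 of one colour and 32 of the other, so no tiling exists.
    corners = {(0, 0), (7, 7)}
    print(colour_counts(8, corners), invariant_allows_tiling(8, corners))
    # On a 4 x 4 board the search is cheap enough to confirm the argument both
    # ways: same-colour removal is untileable, opposite-colour removal is not.
    print(tileable(4, {(0, 0), (3, 3)}), tileable(4, {(0, 0), (0, 1)}))
```

The invariant is a necessary condition, not a sufficient one: equal counts rule a tiling in, but a board can still be untileable for other reasons (an isolated square, for instance), which is exactly why the search and the invariant are worth checking against each other on the small cases.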