Strongest postcondition rules

Slides: 10

Slide 1: Strongest postcondition rules

1. $sp(\mathtt{skip},\ P) = P$
2. $sp(x := a,\ P) = \exists v.\ x = a[v/x] \wedge P[v/x]$
3. $sp(S_1;\ S_2,\ P) = sp(S_2,\ sp(S_1,\ P))$
4. $sp(\mathtt{if}\ b\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2,\ P) = sp(S_1,\ b \wedge P) \vee sp(S_2,\ \neg b \wedge P)$
5. $sp(\mathtt{while}\ b\ \mathtt{do}\ \{\mathit{Inv}\}\ S,\ P) = \mathit{Inv} \wedge \neg b$ where $\{b \wedge \mathit{Inv}\}\ S\ \{\mathit{Inv}\}$ and $P \Rightarrow \mathit{Inv}$


Slide 2: Exponentiation program – prove

{ }
t := 0;
{ }
res := 1;
{ }
Inv = { }
while (t < y) do
  { }
  res := res * x;
  { }
  t := t + 1;
  { }
{ }

Background axioms: { }


Slide 3: Small array update rules (sp)

[array-load.F]   $\{ a = b \}\ x := y[a]\ \{ x = y(b) \}$

[array-update.F] $\{ y = g \wedge a = b \}\ y[a] := x\ \{ y = g[b \mapsto x] \}$

same as

[array-update.F] $\{ y = g \wedge a = b \}\ y := y[a \mapsto x]\ \{ y = g[b \mapsto x] \}$

In both rules v, g, and b are fresh.


Slide 4: Rewrite assignment as function update

b[i] := a[j]


Slide 5: Calculate the postcondition 2

$\{ ob = b \wedge a(j) = x \wedge \forall z.\ 0 \le z < i \Rightarrow ob(z) = x \}$
$b := b[i \mapsto a(j)]$
$\{\ \}$


Slide 6: Array-max program – specify

nums : array
N : int  // N stands for nums' length

$\{ N \ge 0 \wedge nums = orig\_nums \}$
x := 0
res := nums[0]
Inv = { }
while x < N
  if nums[x] > res then res := nums[x]
  x := x + 1
{ }

1. $\{ x = N \}$
2. $\{ \forall m.\ (m \ge 0 \wedge m < N) \Rightarrow nums(m) \le res \}$
3. $\{ \exists m.\ m \ge 0 \wedge m < N \wedge nums(m) = res \}$
4. $\{ nums = orig\_nums \}$


Slide 7: Array-max program – specify

nums : array
N : int  // N stands for nums' length

$\{ N \ge 0 \}$
x := 0
res := nums[0]
while x < N
  if nums[x] > res then res := nums[x]
  x := x + 1


Slide 8: Total correctness semantics for While

[assp]   $[\,P[a/x]\,]\ x := a\ [\,P\,]$

[skipp]  $[\,P\,]\ \mathtt{skip}\ [\,P\,]$

[compp]  $\dfrac{[\,P\,]\ S_1\ [\,Q\,],\quad [\,Q\,]\ S_2\ [\,R\,]}{[\,P\,]\ S_1;\ S_2\ [\,R\,]}$

[ifp]    $\dfrac{[\,b \wedge P\,]\ S_1\ [\,Q\,],\quad [\,\neg b \wedge P\,]\ S_2\ [\,Q\,]}{[\,P\,]\ \mathtt{if}\ b\ \mathtt{then}\ S_1\ \mathtt{else}\ S_2\ [\,Q\,]}$

[whilep] $\dfrac{[\,b \wedge P \wedge t = k\,]\ S\ [\,P \wedge t < k\,],\quad P \Rightarrow t \ge 0}{[\,P\,]\ \mathtt{while}\ b\ \mathtt{do}\ S\ [\,\neg b \wedge P\,]}$

[consp]  $\dfrac{[\,P'\,]\ S\ [\,Q'\,]}{[\,P\,]\ S\ [\,Q\,]}$ if $P \Rightarrow P'$ and $Q' \Rightarrow Q$


Slide 9: Two counters

[ ]
b := 0;
Variant =
while (x 0 y 0) do
  b := 1 − b;
  if (b) x := x − 1 else y := y − 1
[ true ]


Slide 10: Slow countdown: find variant

[ true ]
flag := 0;
Variant =
while (x > 0) do
  flag := 1 − flag;
  if flag = 0 then x := x − 1
[ true ]
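Added example, not from the slides: a Python run-time checker for the [whilep] obligations on the total-correctness slide, exercised on the array-max program of the "specify" slides and on the slow-countdown loop of the last slide. The invariants and variants it uses are my proposals for those exercises, not the slides' answers, and the names check_while, array_max and slow_countdown are my own.

```python
def check_while(state, b, body, inv, variant):
    """Execute `while b do body` on the dict `state`, checking the [whilep]
    obligations at run time: P (= inv) holds on entry, [b ∧ P ∧ t=k] body
    [P ∧ t<k], and P ⇒ t ≥ 0. Returns the final state, where ¬b ∧ P holds."""
    def p_holds(s):                 # P together with its side condition t ≥ 0
        return inv(s) and variant(s) >= 0
    assert p_holds(state), "P (and t >= 0) must hold on loop entry"
    while b(state):
        k = variant(state)          # [ b ∧ P ∧ t = k ]
        body(state)
        assert p_holds(state), "loop body must re-establish P"
        assert variant(state) < k, "variant must strictly decrease"  # [ P ∧ t < k ]
    return state                    # [ ¬b ∧ P ]


def array_max(nums):
    """Array-max program of the 'specify' slides, run under check_while."""
    # slide precondition: N ≥ 0; reading nums[0] additionally needs N > 0
    s = {"nums": list(nums), "N": len(nums), "x": 0, "res": nums[0]}

    def body(s):
        if s["nums"][s["x"]] > s["res"]:
            s["res"] = s["nums"][s["x"]]
        s["x"] += 1
    # proposed Inv: 0 ≤ x ≤ N, res bounds nums[0..x) from above and occurs in nums[0..max(x,1))
    inv = lambda s: (0 <= s["x"] <= s["N"]
                     and all(v <= s["res"] for v in s["nums"][:s["x"]])
                     and s["res"] in s["nums"][:max(s["x"], 1)])
    s = check_while(s, lambda s: s["x"] < s["N"], body, inv,
                    lambda s: s["N"] - s["x"])          # proposed variant t = N − x
    # candidate postconditions 1-3 from the slide now hold (4 holds too: nums is never written)
    assert s["x"] == s["N"]                              # 1. x = N
    assert all(v <= s["res"] for v in s["nums"])         # 2. ∀m. 0≤m<N ⇒ nums(m) ≤ res
    assert s["res"] in s["nums"]                         # 3. ∃m. 0≤m<N ∧ nums(m) = res
    return s["res"]


def slow_countdown(x):
    """Slow-countdown loop of the 'find variant' slide, run under check_while."""
    s = {"x": x, "flag": 0}                              # slide precondition: [ true ]

    def body(s):
        s["flag"] = 1 - s["flag"]
        if s["flag"] == 0:
            s["x"] -= 1
    # proposed Inv: flag ∈ {0,1}; proposed variant t = 2·max(x,0) + 1 − flag, which drops
    # by exactly 1 per iteration (a flip costs 1, a flip plus decrement costs 1) and stays ≥ 0
    s = check_while(s, lambda s: s["x"] > 0, body, lambda s: s["flag"] in (0, 1),
                    lambda s: 2 * max(s["x"], 0) + 1 - s["flag"])
    return s["x"]
```

A candidate variant that fails to decrease, or an invariant the body does not re-establish, makes check_while raise AssertionError on the first offending iteration, which is how a wrong guess for the exercises shows up.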