Program verification: flowchart programs
Book: chapter 7
History
Verification of flowchart programs: Floyd, 1967
Hoare’s logic: Hoare, 1969
Linear Temporal Logic: Pnueli, Krueger, 1977
Model Checking: Clarke & Emerson, 1981
Program Verification
Predicate (first order) logic
Partial correctness, total correctness
Flowchart programs
Invariants, annotated programs
Well founded ordering (for termination)
Hoare’s logic
Predicate (first order logic)
Variables, functions, predicates
Terms
Formulas (assertions)
Signature
Variables: v1, x, y18. Each variable represents a value of some given domain (int, real, string, …).
Function symbols: f(_,_), g2(_), h(_,_,_). Each function has an arity (number of parameters), a domain for each parameter, and a range.
f: int*int->int (e.g., addition), g: real->real (e.g., square root)
A constant is a predicate with arity 0.
Relation symbols: R(_,_), Q(_). Each relation has an arity, and a domain for each parameter.
R: real*real (e.g., greater than). Q: int (e.g., is a prime).
Terms
Terms are objects that have values. Each variable is a term. Applying a function with arity n to n terms results in a new term.
Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0))
More familiar notation: sqr(v1+5.0)
Formulas
Applying predicates to terms results in a formula: R(v1,5.0), Q(x). More familiar notation: v1>5.0
One can combine formulas with the boolean operators (and, or, not, implies): R(v1,5.0) -> Q(x), x>1 -> x*x>x
One can apply existential and universal quantification to formulas: x Q(X), x1 R(x1,5.0), X Y R(x,y)
A model, a proof
A model gives a meaning (semantics) to a first order formula: a relation for each relation symbol, a function for each function symbol, a value for each variable.
An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model.
Example proof rule (MP):
Flowchart programs
Input variables: X=x1,x2,…,xl. Program variables: Y=y1,y2,…,ym. Output variables: Z=z1,z2,…,zn.
[Flowchart: start -> Y=f(X) -> … -> Z=h(X,Y) -> halt]
Assignments and tests
[Flowchart nodes: an assignment Y=g(X,Y) with one outgoing edge; a test t(X,Y) with two outgoing edges labelled T and F]
Initial condition
Initial condition: the values for the input variables for which the program must work.
x1>=0 /\ x2>0
[Flowchart: start -> (y1,y2)=(0,x1) -> test y2>=x2; T: (y1,y2)=(y1+1,y2-x2), back to the test; F: (z1,z2)=(y1,y2) -> halt]
The input-output claim
The relation between the values of the input and the output variables at termination.
x1=z1*x2+z2 /\ 0<=z2<x2
[Flowchart: start -> (y1,y2)=(0,x1) -> test y2>=x2; T: (y1,y2)=(y1+1,y2-x2), back to the test; F: (z1,z2)=(y1,y2) -> halt]
Partial correctness, termination, total correctness
Partial correctness: if the initial condition holds and the program terminates, then the input-output claim holds.
Termination: if the initial condition holds, the program terminates.
Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.
Subtle point:
The program is partially correct with respect to x1>=0 /\ x2>=0 and totally correct with respect to x1>=0 /\ x2>0.
[Flowchart: start -> (y1,y2)=(0,x1) -> test y2>=x2; T: (y1,y2)=(y1+1,y2-x2), back to the test; F: (z1,z2)=(y1,y2) -> halt]
Annotating a scheme
Assign an assertion to each pair of nodes. The assertion expresses the relation between the variables when the program counter is located between these nodes.
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; T -C-> (y1,y2)=(y1+1,y2-x2), back to B; F -D-> (z1,z2)=(y1,y2) -E-> halt]
Annotating a scheme with invariants
A): x1>=0 /\ x2>=0
B): x1=y1*x2+y2 /\ y2>=0
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
E): x1=z1*x2+z2 /\ 0<=z2<x2
Notice: (A) is the initial condition, (E) is the input-output condition.
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; T -C-> (y1,y2)=(y1+1,y2-x2), back to B; F -D-> (z1,z2)=(y1,y2) -E-> halt]
Verification conditions: assignment
For an assignment Y=g(X,Y) leading from point A to point B: A) -> B)[Y\g(X,Y)]
A): x1>=0 /\ x2>=0
B): x1=y1*x2+y2 /\ y2>=0
For the assignment (y1,y2)=(0,x1): B)[Y\g(X,Y)] = x1=0*x2+x1 /\ x1>=0
[Edge A -> B via (y1,y2)=(0,x1)]
Second assignment: (y1,y2)=(y1+1,y2-x2), from C to B
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
B): x1=y1*x2+y2 /\ y2>=0
B)[Y\g(X,Y)]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
Third assignment: (z1,z2)=(y1,y2), from D to E
D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
E): x1=z1*x2+z2 /\ 0<=z2<x2
E)[Z\g(X,Y)]: x1=y1*x2+y2 /\ 0<=y2<x2
Verification conditions: tests
For a test t(X,Y) at point B with true branch C and false branch D: B) /\ t(X,Y) -> C) and B) /\ ¬t(X,Y) -> D)
B): x1=y1*x2+y2 /\ y2>=0
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
[Test y2>=x2 at point B: T branch to C, F branch to D]
Exercise: prove partial correctness
Initial condition: x>=0
Input-output claim: z=x!
[Flowchart: start -> (y1,y2)=(0,1) -> test y1=x; F: (y1,y2)=(y1+1,(y1+1)*y2), back to the test; T: z=y2 -> halt]
Assignment condition
Assignment y1=2 with postcondition y1=x1: the precondition is 2=x1.
Another way to understand the condition
Use two versions of variables: before assignment and after. E.g., y1 and y1’, respectively.
postcondition: y1’=x1; assignment: y1’=2; precondition: 2=x1
Assignment condition
Assignment y1=y1+5 with postcondition y1=10: the precondition is y1=5.
Postcondition: y1’=10
Assignment: y1’=y1+5
Precondition: y1+5=10, i.e., y1=5
Verification conditions: assignment
A): x1>=0 /\ x2>=0
Assignment: y1’=0 /\ y2’=x1
B): x1=y1’*x2+y2’ /\ y2’>=0
B)[Y\g(X,Y)] = x1=0*x2+x1 /\ x1>=0 (or simply x1>=0)
[Edge A -> B via (y1,y2)=(0,x1)]
Second assignment
Precondition: B): x1=y1*x2+y2 /\ y2>=0
Assignment: y1’=y1+1 /\ y2’=y2-x2
Postcondition: B)[Y\g(X,Y)]: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
[Edge C -> B via (y1,y2)=(y1+1,y2-x2)]
What have we achieved?
For each statement S that appears between points X and Y we showed that if the control is in X when (X) holds and S is executed, then (Y) holds.
Initially, we know that (A) holds.
The above two conditions can be combined into an induction on the number of statements that were executed: if after n steps we are at point X, then (X) holds.
Another example
(A): x>=0
(F): z^2<=x<(z+1)^2
z is the biggest number that is not greater than sqrt x.
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Some insight
1+3+5+…+(2n+1)=(n+1)^2
y2 accumulates the above sum, until it is bigger than x.
y3 ranges over the odd numbers 1,3,5,…
y1 is n-1.
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Invariants
It is sufficient to have one invariant for every loop (cycle in the program’s graph).
We will have (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Obtaining (B)
By backwards substitution in (C).
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Check assignment condition
(A)=x>=0
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(B) relativized is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1
Simplified: x>=0
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Obtaining (D)
By backwards substitution in (B).
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Checking
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
((C) /\ y2<=x) -> (D)
(D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
![Page 43: Program verification: flowchart programs](https://reader036.vdocuments.us/reader036/viewer/2022070420/56815dba550346895dcbe8d7/html5/thumbnails/43.jpg)
y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\
y2+y3+2=(y1+2)^2 /\
y3+2=2*(y1+1)+1y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\
y2+y3+2=(y1+2)^2 /\
y3+2=2*(y1+1)+1
y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
Not finished!
Still needs to:
Calculate (E) by substituting backwards from (F).
Check that ((C) /\ y2>x) -> (E).
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
Proving termination
Well-founded sets
Partially ordered set (W,<):
If a<b and b<c then a<c (transitivity).
If a<b then not b<a (asymmetry).
Not a<a (irreflexivity).
Well-founded set (W,<): partially ordered, with no infinite decreasing chain a1>a2>a3>…
Examples of well founded sets
Natural numbers with the bigger than relation.
Finite sets with the set inclusion relation.
Strings with the substring relation.
Tuples with alphabetic order:
(a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2].
(a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].
Why does the program terminate?
y2 starts as x1. Each time the loop is executed, y2 is decremented.
y2 is a natural number. The loop cannot be entered again when y2<x2.
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; true -C-> (y1,y2)=(y1+1,y2-x2), back to B; false -D-> (z1,z2)=(y1,y2) -E-> halt]
Proving termination
Choose a well-founded set (W,<).
Attach a function u(N) to each point N.
Annotate the flowchart with invariants, and prove their consistency conditions.
Prove that (N) -> (u(N) in W).
How not to stay in a loop?
Show that u(M)>=u(N).
At least once in each loop, show that u(M)>u(N).
[Diagram: a statement S leading from point M to point N; a test T leading from point M to point N]
How not to stay in a loop?
For stmt: (M) -> (u(M)>=u(N)’rel)
For test (true side): ((M) /\ test) -> (u(M)>=u(N))
For test (false side): ((M) /\ ¬test) -> (u(M)>=u(L))
[Diagram: a statement stmt leads from point M to point N; a test leads from point M to N on its true side and to L on its false side]
What did we achieve?
There are finitely many control points.
The value of the function u cannot increase.
If we return to the same control point, the value of u must decrease (it’s a loop!).
The value of u can decrease only a finite number of times.
Why does the program terminate?
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
W: naturals; >: greater than
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; true -C-> (y1,y2)=(y1+1,y2-x2), back to B; false -D-> (z1,z2)=(y1,y2) -E-> halt]
Recall partial correctness annotation
A): x1>=0 /\ x2>=0
B): x1=y1*x2+y2 /\ y2>=0
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
E): x1=z1*x2+z2 /\ 0<=z2<x2
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; true -C-> (y1,y2)=(y1+1,y2-x2), back to B; false -D-> (z1,z2)=(y1,y2) -E-> halt]
Strengthen for termination
A): x1>=0 /\ x2>0
B): x1=y1*x2+y2 /\ y2>=0 /\ x2>0
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
D): x1=y1*x2+y2 /\ y2>=0 /\ y2<x2 /\ x2>0
E): x1=z1*x2+z2 /\ 0<=z2<x2
This proves that u(M) is natural for each point M.
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; true -C-> (y1,y2)=(y1+1,y2-x2), back to B; false -D-> (z1,z2)=(y1,y2) -E-> halt]
We shall show:
u(A)=x1, u(B)=y2, u(C)=y2, u(D)=y2, u(E)=z2
u(A)>=u(B), u(B)>=u(C), u(C)>u(B), u(B)>=u(D), u(D)>=u(E)
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; true -C-> (y1,y2)=(y1+1,y2-x2), back to B; false -D-> (z1,z2)=(y1,y2) -E-> halt]
Proving decrement
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 /\ x2>0
u(C)=y2, u(B)=y2, u(B)’rel=y2-x2
C) -> y2>y2-x2 (notice that C) -> x2>0)
[Flowchart: start -A-> (y1,y2)=(0,x1) -B-> test y2>=x2; true -C-> (y1,y2)=(y1+1,y2-x2), back to B; false -D-> (z1,z2)=(y1,y2) -E-> halt]
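As an added example (not from the slides), a runtime monitor for the termination argument just given: it executes the division flowchart on concrete inputs, evaluates the strengthened invariants and the ranking function u at every control point, and checks on each edge M -> N that u(M)>=u(N), with a strict decrease required on the loop edge C -> B. With the x2>0 strengthening switched off and x2=0, the monitor reports the failing decrement obligation instead of letting the program loop forever. `inv`, `u`, `monitored_run` and `Violation` are this example's names.

```python
class Violation(Exception):
    """An invariant or a ranking-function obligation failed during the run."""

def inv(p, s, strengthened=True):
    """Invariants (A)..(E) of the division flowchart.  With `strengthened`,
    (A)..(D) carry the extra conjunct x2>0 from the slides, which is what
    makes u(M) a natural number and the decrement y2 > y2-x2 provable."""
    x1, x2, y1, y2, z1, z2 = (s[k] for k in ("x1", "x2", "y1", "y2", "z1", "z2"))
    pos = x2 > 0 if strengthened else True
    return {
        "A": x1 >= 0 and x2 >= 0 and pos,
        "B": x1 == y1 * x2 + y2 and y2 >= 0 and pos,
        "C": x1 == y1 * x2 + y2 and y2 >= 0 and y2 >= x2 and pos,
        "D": x1 == y1 * x2 + y2 and y2 >= 0 and y2 < x2 and pos,
        "E": x1 == z1 * x2 + z2 and 0 <= z2 < x2,
    }[p]

def u(p, s):
    """Ranking function from the slides, into (naturals, >):
    u(A)=x1, u(B)=u(C)=u(D)=y2, u(E)=z2."""
    return {"A": s["x1"], "B": s["y2"], "C": s["y2"], "D": s["y2"], "E": s["z2"]}[p]

LOOP_EDGE = ("C", "B")   # the edge of the only cycle on which u must strictly decrease

def monitored_run(x1, x2, strengthened=True, max_steps=10_000):
    """Execute the flowchart, checking (N) and the u-obligation on every edge
    M -> N.  Returns ("halt", z1, z2) or ("violation", message)."""
    s = {"x1": x1, "x2": x2, "y1": 0, "y2": 0, "z1": 0, "z2": 0}
    prev = [None, None]                      # (point, u value) we just came from

    def arrive(p):
        if not inv(p, s, strengthened):
            raise Violation(f"invariant ({p}) fails in state {s}")
        if u(p, s) < 0:
            raise Violation(f"u({p}) = {u(p, s)} is not a natural number")
        m, um = prev
        if m is not None and u(p, s) > um:
            raise Violation(f"u increased on {m} -> {p}: {um} -> {u(p, s)}")
        if (m, p) == LOOP_EDGE and u(p, s) >= um:
            raise Violation(f"u did not decrease on loop edge {m} -> {p}: {um} -> {u(p, s)}")
        prev[:] = [p, u(p, s)]

    try:
        arrive("A")
        s["y1"], s["y2"] = 0, s["x1"]                              # (y1,y2)=(0,x1)
        arrive("B")
        for _ in range(max_steps):
            if s["y2"] >= s["x2"]:                                 # test true
                arrive("C")
                s["y1"], s["y2"] = s["y1"] + 1, s["y2"] - s["x2"]  # (y1,y2)=(y1+1,y2-x2)
                arrive("B")
            else:                                                  # test false
                arrive("D")
                s["z1"], s["z2"] = s["y1"], s["y2"]                # (z1,z2)=(y1,y2)
                arrive("E")
                return ("halt", s["z1"], s["z2"])
        raise Violation("step bound reached without halting")
    except Violation as v:
        return ("violation", str(v))
```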
Integer square root program
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]
u(A)=x+1, u(B)=x-y2+1, u(C)=max(0,x-y2), u(D)=x-y2+1, u(E)=u(F)=0
u(A)>=u(B), u(B)>u(C), u(C)>=u(D), u(D)>=u(B)
Need some invariants, i.e., y2<=x /\ y3>0 at points B and D, and y3>0 at point C.
[Flowchart: start -A-> (y1,y2,y3)=(0,0,1) -B-> y2=y2+y3 -C-> test y2>x; false -D-> (y1,y3)=(y1+1,y3+2), back to B; true -E-> z=y1 -F-> halt]