
Program Construction and Reasoning
Shin-Cheng Mu
2010 Formosan Summer School on Logic, Language, and Computation
June 28 – July 9, 2010

Part I
Hoare Logic

So, what is this course about?
• I am going to teach you how to write programs.
• But you program much more than I do. What about programming could I possibly teach you?

1 Introduction: On Programs

Correctness

Programming Language Theory?
It has always been, and still is, hard to talk to people about my research.
• "It's called 'programming language'."
• "Like, making computers understand natural languages?"
• "Well, no... I mean the languages we use to communicate to computers. We design better programming language concepts to make programming easier."
• "... surely it is the easiest to program in natural languages?"
• "Err, no. In fact we are trying to make programming more mathematical."
• "... and you call that an improvement?"

Correctness?
Or I could try to explain that our concern is about "correctness."
• "And what does that mean?"
• "That a program meets its specification."
• (totally confused) "A program meets ... what?"
• "Ok, I mean to ensure that a computer does what it is supposed to do."
• "Doesn't a computer always do what it is instructed to do?"

1.1 The Maximum Segment Sum Problem

Maximum Segment Sum
• Given a list of numbers, find the maximum sum of a consecutive segment.
  – [−1, 3, 3, −4, −1, 4, 2, −1] ⇒ 7
  – [−1, 3, 1, −4, −1, 4, 2, −1] ⇒ 6
  – [−1, 3, 1, −4, −1, 1, 2, −1] ⇒ 4
• Not trivial. However, there is a linear time algorithm.

      −1   3   1  −4  −1   1   2  −1
       3   4   1   0   2   3   2   0   0    (up + right) ↑ 0
       4   4   3   3   3   3   2   0   0    up ↑ right

A Simple Program Whose Proof is Not
• The specification: max { sum(i, j) | 0 ≤ i ≤ j ≤ N }, where sum(i, j) = a[i] + a[i+1] + ... + a[j].
  – What we want the program to do.
• The program:

      s = 0; m = 0;
      for (i=0; i<=N; i++) {
        s = max(0, a[i]+s);
        m = max(m, s);
      }

  – How to do it.
• They do not look like each other at all!
• Moral: programs that appear "simple" might not be that simple after all!

Programming, and Programming Languages
• Correctness: that the behaviour of a program is allowed by the specification.
• Semantics: defining "behaviours" of a program.
• Programming: to code up a correct program!
• Thus the job of a programming language is to help the programmer to program,
  – either by making it easy to check whether a program is correct,
  – or by ensuring that programmers may only construct correct programs, that is, disallowing the very construction of incorrect programs!

Verification v.s. Derivation
• Verification: given a program, prove that it is correct with respect to some specification.
• Derivation: start from the specification, and attempt to construct only correct programs!

Dijkstra: "to prove the correctness of a given program, was in a sense putting the cart before the horse. A much more promising approach turned out to be letting correctness proof and program grow hand in hand: with the choice of the structure of the correctness proof one designs a program for which this proof is applicable." [Dij74]

"The only effective way to raise the confidence level of a program significantly is to give a convincing proof of its correctness. But one should not first make the program and then prove its correctness, because then the requirement of providing the proof would only increase the poor programmer's burden. On the contrary: the programmer should let correctness proof and program grow hand in hand." [Dij72]

• What happened so far is that theoretical development of one side benefits the other.
• We focus on verification today, and talk about derivation tomorrow.

1.2 The Binary Search Challenge

Can you Implement Binary Search?
Given a sorted array of N numbers and a key to search for, either locate the position where the key resides in the array, or report that the value is not present in the array, in O(log N) time.
• You would not expect it to be a hard programming task.
• Jon Bentley [Ben86, pp. 35-36], however, noted: "I've assigned this problem in courses at Bell Labs and IBM. Professional programmers had a couple of hours to convert the above description into a program in the language of their choice; ... 90% of the programmers found bugs in their programs. Knuth points out that while the first binary search was published in 1946, the first published binary search without bugs did not appear until 1962."
• Mike Taylor, owner of a popular blog The Reinvigorated Programmer, recently conducted this experiment again: http://reprog.wordpress.com/2010/04/19/are-you-one-of-the-10-percent/

Give It a Try?
• Bentley: "The only way you'll believe this is by putting down this column right now and writing the code yourself."
• Given: an array a[0, N) of N elements,
• that is sorted: (∀ i, j : 0 ≤ i < j < N : a[i] ≤ a[j]).
• Find i such that a[i] = K, or report that K is not in the array.

2 Program Verification using Hoare Logic

The Guarded Command Language
In this course we will talk about program construction using Dijkstra's calculus. Most of the materials are from Kaldewaij [Kal90].
• A program computing the greatest common divisor:

      |[ con A, B : int {0 < A ∧ 0 < B}
       ; var x, y : int;
         x, y := A, B;
         do y < x → x := x − y
         [] x < y → y := y − x
         od
         {x = y = gcd(A, B)}
      ]|.

• Assignments denoted by :=; do denotes loops with guarded bodies.
• Assertions delimited in curly brackets.

The Hoare Triple
• The state space of a program is the states of all its variables.
  – E.g. state space for the GCD program is (int × int).
• The Hoare triple {P} S {Q}, operationally, denotes that the statement S, when executed in a state satisfying P, terminates in a state satisfying Q.
• Perhaps the simplest statement: {P} skip {Q} iff. P ⇒ Q.
  – {X > 0 ∧ Y > 0} skip {X ≥ 0}.
  – Note that the annotations need not be "exact."

The Hoare Triple
• {P} S {true} expresses that S terminates.
• {P} S {Q} and P0 ⇒ P implies {P0} S {Q}.
• {P} S {Q} and Q ⇒ Q0 implies {P} S {Q0}.
• {P} S {Q} and {P} S {R} equivales {P} S {Q ∧ R}.
• {P} S {Q} and {R} S {Q} equivales {P ∨ R} S {Q}.
• More on these "healthiness" conditions of Hoare triples in the next lecture.

2.1 Assignments

Substitution
• P[E/x]: substituting free occurrences of x in P for E.
• We do so in mathematics all the time. A formal definition of substitution, however, is rather tedious. For this lecture we will only appeal to "common sense":
  – E.g. (x ≤ 3)[x − 1/x] ≡ x − 1 ≤ 3 ≡ x ≤ 4.
  – ((∃y : y ∈ ℕ : x < y) ∧ y < x)[y + 1/y] ≡ (∃y : y ∈ ℕ : x < y) ∧ y + 1 < x.
  – (∃y : y ∈ ℕ : x < y)[y/x] ≡ (∃z : z ∈ ℕ : y < z).
• The notation [E/x] hints at "divide by x and multiply by E." In the refinement calculus, substitution is closely related to assignments, thus some also write [x := E].

Substitution and Assignments
• Which is correct:
  1. {P} x := E {P[E/x]}, or
  2. {P[E/x]} x := E {P}?
• Answer: 2! For example:

        {(x ≤ 3)[x + 1/x]} x := x + 1 {x ≤ 3}
      ≡ {x + 1 ≤ 3} x := x + 1 {x ≤ 3}
      ≡ {x ≤ 2} x := x + 1 {x ≤ 3}.

2.2 Sequencing

Catenation
• {P} S; T {Q} equivales that there exists R such that {P} S {R} and {R} T {Q}.
• Verify:

      |[ var x, y : int;
         {x = A ∧ y = B}
         x := x − y;
         {y = B ∧ x + y = A}
         y := x + y;
         {y − x = B ∧ y = A}
         x := y − x;
         {x = B ∧ y = A}
      ]|.

2.3 Selection

If-Conditionals
• Selection takes the form if B0 → S0 [] ... [] Bn → Sn fi.
• Each Bi is called a guard; Bi → Si is a guarded command.
• If none of the guards B0 ... Bn evaluate to true, the program aborts. Otherwise, one of the commands with a true guard is chosen non-deterministically and executed.
• To annotate an if statement:

      {P}
      if B0 → {P ∧ B0} S0 {Q}
      [] B1 → {P ∧ B1} S1 {Q}
      fi
      {Q, Pf},

  where Pf : P ⇒ B0 ∨ B1.

Binary Maximum
• Goal: to assign x ↑ y to z. By definition, z = x ↑ y ⇔ (z = x ∨ z = y) ∧ x ≤ z ∧ y ≤ z.

• One takes effort exponential to n; the other is linear.
• Dijkstra: "... if we ever want to be able to compose really large programs reliably, we need a programming discipline such that the intellectual effort needed to understand a program does not grow more rapidly than in proportion to the program length." [Dijnd]

2.4 Loop and loop invariants

Loops
• Repetition takes the form do B0 → S0 [] ... [] Bn → Sn od.
• If none of the guards B0 ... Bn evaluate to true, the loop terminates. Otherwise one of the commands is chosen non-deterministically, before the next iteration.
• To annotate a loop (for partial correctness):

      {P}
      do B0 → {P ∧ B0} S0 {P}
      [] B1 → {P ∧ B1} S1 {P}
      od
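The linear-time maximum segment sum program of Section 1.1 next to a direct transcription of its specification, as an added example (my code, not from the lecture notes). mss_spec takes the maximum over every segment a[i..j) with 0 ≤ i ≤ j ≤ N, so i = j is the empty segment with sum 0, which is what the program's initialisation m = 0 amounts to; mss_table recomputes the two rows of the right-to-left table on the slide. The three lists and their answers are the slide's; the function names and the randomised cross-check are mine.

```python
import random

def mss_spec(a):
    """The specification: max { sum(i, j) | 0 <= i <= j <= N }, reading
    sum(i, j) as a[i] + ... + a[j-1]; i = j is the empty segment with sum 0.
    O(N^3): this is what we want, not how to compute it."""
    n = len(a)
    return max(sum(a[i:j]) for i in range(n + 1) for j in range(i, n + 1))

def mss_linear(a):
    """The slide's linear-time program, scanning left to right.
    After processing a[0..i): s = best sum of a segment ending at i,
    m = best sum of any segment inside a[0..i)."""
    s = m = 0
    for x in a:
        s = max(0, x + s)
        m = max(m, s)
    return m

def mss_table(a):
    """The slide's right-to-left table.  Row 1, (up + right) ↑ 0: best sum of a
    segment starting at position i.  Row 2, up ↑ right: best sum of a segment
    starting at or after i.  Both rows carry a trailing 0 for the empty suffix."""
    n = len(a)
    start = [0] * (n + 1)
    best = [0] * (n + 1)
    for i in range(n - 1, -1, -1):
        start[i] = max(a[i] + start[i + 1], 0)
        best[i] = max(start[i], best[i + 1])
    return start, best

# The three lists from the slide, with the answers it gives.
SLIDE_EXAMPLES = {
    (-1, 3, 3, -4, -1, 4, 2, -1): 7,
    (-1, 3, 1, -4, -1, 4, 2, -1): 6,
    (-1, 3, 1, -4, -1, 1, 2, -1): 4,
}

def slide_examples_agree():
    """Spec, linear program and table all agree with the slide on its three lists."""
    return all(
        mss_spec(list(a)) == mss_linear(list(a)) == mss_table(list(a))[1][0] == v
        for a, v in SLIDE_EXAMPLES.items()
    )

def random_cross_check(trials=500, seed=2010):
    """Constructed random lists (including empty and all-negative ones):
    the O(N^3) specification and the O(N) program must agree on every one."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randint(-9, 9) for _ in range(rng.randint(0, 12))]
        if mss_spec(a) != mss_linear(a):
            return False
    return True

if __name__ == "__main__":
    print(mss_table([-1, 3, 1, -4, -1, 1, 2, -1]))
    print(slide_examples_agree(), random_cross_check())
```

Running spec and program side by side is the cheapest form of the "correctness" the introduction talks about: it does not prove the program, but it exposes the corner the two disagree on, if any, and it documents the reading of the specification that the program actually implements.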
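Binary search as Section 1.2 specifies it, written with its loop invariant as a runtime check and compared exhaustively against the specification on small sorted arrays (an added example; the notes give no implementation, and this is not their code). The invariant "every index holding the key lies in [lo, hi)" and the variant hi − lo are my choices; the specification checked is the slide's: return i with a[i] = K, or report that K is absent.

```python
from itertools import combinations_with_replacement

def key_only_within(a, key, lo, hi):
    """Loop invariant: every index holding `key` lies in the half-open range [lo, hi).
    O(N) per call, so this is a teaching check, not something to keep in the loop."""
    return all(lo <= i < hi for i, v in enumerate(a) if v == key)

def binary_search(a, key):
    """Return an index i with a[i] == key, or None if key is not in a.
    Precondition: a is sorted non-decreasingly, the slide's
    (∀ i, j : 0 ≤ i < j < N : a[i] ≤ a[j]).
    Variant: hi - lo strictly decreases every iteration, so the loop runs
    O(log N) times."""
    lo, hi = 0, len(a)
    while lo < hi:
        assert key_only_within(a, key, lo, hi), "invariant broken"
        mid = lo + (hi - lo) // 2   # never forms lo + hi, so it also survives fixed-width ints
        if a[mid] < key:
            lo = mid + 1            # key, if present, is to the right of mid
        elif key < a[mid]:
            hi = mid                # key, if present, is to the left of mid
        else:
            return mid
    return None                     # [lo, hi) is empty: the invariant says key is absent

def meets_spec(a, key):
    """The slide's specification: locate the key, or report that it is absent."""
    i = binary_search(a, key)
    return (key not in a) if i is None else (0 <= i < len(a) and a[i] == key)

def exhaustive_check(max_len, values):
    """Every sorted array over `values` of length <= max_len, with every key
    from one below the smallest value to one above the largest, including
    arrays with repeated elements and the empty array."""
    keys = range(min(values) - 1, max(values) + 2)
    return all(
        meets_spec(list(a), key)
        for n in range(max_len + 1)
        for a in combinations_with_replacement(sorted(values), n)
        for key in keys
    )

if __name__ == "__main__":
    print(binary_search([1, 3, 5, 7, 9], 7), binary_search([1, 3, 5, 7, 9], 4))
    print(exhaustive_check(6, range(0, 4)))
```

The three places Bentley's students got wrong are all forced by the invariant: lo = mid + 1 and hi = mid are the only updates that keep "key lies in [lo, hi)" true given a[mid] < key or key < a[mid], and the empty range is the only exit that justifies reporting absence. The exhaustive run over short arrays is what the invariant does not give you for free: evidence that the code matches the intent on the boundary cases (empty array, duplicates, key outside the range).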
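An executable reading of the rules in Section 2, as an added example (my code, not Kaldewaij's or the notes'): the assignment axiom {P[E/x]} x := E {P} checked over a finite range of x, including the x ≤ 2 / x ≤ 3 example of Section 2.1 and the rejected rule 1 form; the annotated swap of Section 2.2 run with its assertions; a guarded if for the binary maximum of Section 2.3 (my guards y ≤ x and x ≤ y overlap, so either command may be chosen when x = y, as the slide's non-deterministic selection allows); and the GCD program of Section 2 run as a do loop with the invariant gcd(x, y) = gcd(A, B) ∧ 0 < x ∧ 0 < y checked before every iteration. Checking an implication over a finite domain is a test, not a proof; the point is to see concretely what each rule obliges.

```python
from math import gcd

# A state is a dict {variable: int}; predicates and expressions are Python
# functions of a state.  Implications are checked over small finite domains.

def wp_assign(var, expr, post):
    """post[expr/var]: post evaluated in the state where var holds the value of expr."""
    return lambda s: post({**s, var: expr(s)})

def implies(p, q, domain):
    return all(q(s) for s in domain if p(s))

def assign_triple_valid(pre, var, expr, post, domain):
    """{pre} var := expr {post} is valid iff pre => post[expr/var] (rule 2 on the slide)."""
    return implies(pre, wp_assign(var, expr, post), domain)

def run_assert(pred, s):
    if not pred(s):
        raise AssertionError(f"annotation violated in state {s}")

def run_seq(program, s):
    """Straight-line program of ("assign", var, expr) and ("assert", pred) steps."""
    s = dict(s)
    for step in program:
        if step[0] == "assign":
            s[step[1]] = step[2](s)
        else:
            run_assert(step[1], s)
    return s

def run_if(guards, s):
    """if B0 -> S0 [] ... fi: abort if no guard holds, else run one enabled body."""
    enabled = [body for guard, body in guards if guard(s)]
    if not enabled:
        raise RuntimeError("abort: no guard is true")
    return enabled[0](s)   # non-deterministic choice; we take the first enabled one

def run_do(guards, invariant, s, limit=10_000):
    """do B0 -> S0 [] ... od, checking the invariant before every iteration."""
    for _ in range(limit):
        run_assert(invariant, s)
        enabled = [body for guard, body in guards if guard(s)]
        if not enabled:
            return s
        s = enabled[0](s)
    raise RuntimeError("iteration limit exceeded")

X_STATES = [{"x": x} for x in range(-20, 21)]   # finite domain for the x := x + 1 examples

# Sequencing: the annotated three-assignment swap from Section 2.2.
def swap(A, B):
    prog = [
        ("assert", lambda s: s["x"] == A and s["y"] == B),
        ("assign", "x", lambda s: s["x"] - s["y"]),
        ("assert", lambda s: s["y"] == B and s["x"] + s["y"] == A),
        ("assign", "y", lambda s: s["x"] + s["y"]),
        ("assert", lambda s: s["y"] - s["x"] == B and s["y"] == A),
        ("assign", "x", lambda s: s["y"] - s["x"]),
        ("assert", lambda s: s["x"] == B and s["y"] == A),
    ]
    return run_seq(prog, {"x": A, "y": B})

# Selection: z := x ↑ y with the overlapping guards y <= x and x <= y (my program).
def binary_max(x, y):
    s = run_if([
        (lambda s: s["y"] <= s["x"], lambda s: {**s, "z": s["x"]}),
        (lambda s: s["x"] <= s["y"], lambda s: {**s, "z": s["y"]}),
    ], {"x": x, "y": y})
    z = s["z"]
    run_assert(lambda s: (z == x or z == y) and x <= z and y <= z, s)  # the slide's definition
    return z

# Repetition: the GCD program, invariant gcd(x, y) = gcd(A, B) ∧ 0 < x ∧ 0 < y.
def gcd_program(A, B):
    assert 0 < A and 0 < B                       # precondition {0 < A ∧ 0 < B}
    inv = lambda s: gcd(s["x"], s["y"]) == gcd(A, B) and 0 < s["x"] and 0 < s["y"]
    s = run_do([
        (lambda s: s["y"] < s["x"], lambda s: {**s, "x": s["x"] - s["y"]}),
        (lambda s: s["x"] < s["y"], lambda s: {**s, "y": s["y"] - s["x"]}),
    ], inv, {"x": A, "y": B})
    run_assert(lambda s: s["x"] == s["y"] == gcd(A, B), s)   # postcondition
    return s["x"]
```

wp_assign is the whole content of the substitution discussion: P[E/x] is just P read in the state after the assignment, which is why rule 2 holds and rule 1 does not (assign_triple_valid rejects {x ≤ 3} x := x + 1 {x + 1 ≤ 3} at x = 2). The invariant check in run_do fires before each iteration, exactly where the annotation {P} do B → {P ∧ B} S {P} od places P; when both guards of the loop are false the invariant alone, with ¬(y < x) ∧ ¬(x < y), gives x = y = gcd(A, B).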