Correctness of A/G Reasoning

Correctness as Approximation of Relations

Specification $s$ provides a relation that is intended to approximate relation $r$ defining the meaning of procedure, that is, we would like to prove

$\begin{equation*} r \subseteq s \end{equation*}$

Following Relational Semantics of Procedures, consider one procedure and its associated function

$\begin{equation*} m : {\cal R} \to {\cal R} \end{equation*}$

and its fixed point $r_*$ .

The idea of approach based on specifications is to prove that, if we assume that procedure calls satisfy the specification, then we can prove the specification for the procedure we are verifying. In other words, specifications provide a relation $s$ such that

$\begin{equation*} m(s) \subseteq s \end{equation*}$

We claim that $r_* \subseteq s$ where $r_* = \bigcup_{k \ge 0} m^k(\emptyset)$ .

Proof:

Expressing Approximation Using Assume and Assert

Consider a program with only one state variable $x$ .

We express our approximation as

$\begin{equation*} \begin{array}{l} assert\, (P(x));\\ havoc(x); \\ assume(Q(x)) \end{array} \end{equation*}$

So, we would like to show that

$\begin{equation*} r\qquad \subseteq\qquad \begin{array}{l} (assert\, (P(x));\\ havoc(x); \\ assume\, (Q(x))) \end{array} \end{equation*}$

is implied by the condition we are checking:

$\begin{equation*} \begin{array}{l} (assume\, (P(x));\\ r; \\ assert\, (Q(x))) \end{array} \qquad\subseteq \qquad havoc(x) \end{equation*}$

Shunting rules

Recall Assert and error conditions. We say that relation $r$ respects errors if for an error state $e$ we have $(e,x) \in r$ for all states $x$ .

For relations $r$ , $s$ that respect errors, we have

$\begin{equation*} assume(P) \mathop{;} r \subseteq s\ \ \leftrightarrow\ \ r \subseteq assert(P) \mathop{;} s \end{equation*}$

$\begin{equation*} r \mathop{;} assert(Q) \subseteq s\ \ \leftrightarrow\ \ r \subseteq s \mathop{;} assume(Q) \end{equation*}$

Proofs:

using relations
using weakest preconditions (see homework in SAV'07)