But first, a note on proving things equivalent. If you are asked to prove that two statements are equivalent, P <--> Q, then you must either show they are identical (often hard), or you must show both: P --> Q and Q --> P. If you are asked to show that three statements P, Q, R are equivalent, you can get away with P --> Q, Q --> R, and R --> P. Why is this all you need?

Ok, back to program correctness.
Program correctness has two goals:
Mostly we focus on the first case, and talk about a few formal methods to demonstrate that a piece of code is correct. But good programmers learn to constantly think about each line of code, and what assumptions it may break or what property it may guarantee.
These proofs become complicated very quickly, so we will only consider small problems. In real applications, formal proofs of program correctness are done (1) for very small pieces of very important code (such as network routers...), and (2) by automated program verification procedures. There is a lot of promise in (2), but it hasn't yet gotten to the point where you can verify your Java code.
{x > 0, y > 0}
For each of these rules we describe how to prove {P} S {Q}.
- Assignment: {P} x := 3 {Q}. Assume P', prove Q', where P' is P with every instance of x replaced with 3 and Q' is Q with every instance of x replaced with 3. Example: {} x := y - 1
- Conditional: {P} if A, S, else R, endif {Q}. Break into cases, and prove both: case 1: {P ^ A} S {Q}; case 2: {P ^ B} R {Q}. Example:
- Composition
- Loops
- Recursion
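To make the assignment and conditional rules above concrete, here is an added example (not from the notes) that mechanically reduces a triple {P} S {Q} to proof obligations: the assignment rule substitutes the assigned expression into Q, and the conditional rule splits into the cases P ^ A and P ^ not A. Predicates are written as Python expression text, the statement encoding and the sample triples are my own constructions, and obligations are checked by exhaustive evaluation over a small integer box rather than proved.

```python
import itertools
import re

# Predicates and expressions are Python source text, e.g. "y > 1" or "y - 1".
# Statements are tuples (constructed encoding for this example):
#   ("assign", var, expr)               x := expr
#   ("if", cond, then_stmt, else_stmt)  if cond, then_stmt, else else_stmt, endif

def subst(pred, var, expr):
    """pred with every occurrence of var replaced by (expr): the rule's Q'."""
    return re.sub(rf"\b{re.escape(var)}\b", f"({expr})", pred)

def proof_obligations(pre, stmt, post):
    """Reduce {pre} stmt {post} to (assumption, goal) pairs that must all hold."""
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        # Assignment: assume P, prove Q with x replaced by the assigned expression.
        return [(pre, subst(post, var, expr))]
    if kind == "if":
        _, cond, then_stmt, else_stmt = stmt
        # Conditional: case 1 is P ^ A for S, case 2 is P ^ not A for R.
        return (proof_obligations(f"({pre}) and ({cond})", then_stmt, post)
                + proof_obligations(f"({pre}) and not ({cond})", else_stmt, post))
    raise ValueError(f"unsupported statement: {kind}")

def check(pre, stmt, post, variables, lo=-4, hi=4):
    """Evaluate every obligation on all integer assignments in [lo, hi].

    Returns (True, None) if no counterexample is found, else (False, env).
    A finite box is only a sanity check, not a proof over all integers."""
    sandbox = {"__builtins__": {}}
    for assumption, goal in proof_obligations(pre, stmt, post):
        for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
            env = dict(zip(variables, values))
            if eval(assumption, sandbox, env) and not eval(goal, sandbox, env):
                return False, env
    return True, None

# Constructed sample statements: x := y - 1, and an absolute-value conditional.
ASSIGN = ("assign", "x", "y - 1")
ABS = ("if", "x < 0", ("assign", "y", "-x"), ("assign", "y", "x"))

if __name__ == "__main__":
    print(check("y > 1", ASSIGN, "x > 0", ["x", "y"]))  # (True, None)
    print(check("y > 0", ASSIGN, "x > 0", ["x", "y"]))  # (False, {... 'y': 1})
    print(check("True", ABS, "y >= 0 and (y == x or y == -x)", ["x", "y"]))  # (True, None)
```

The second call shows why the precondition matters: with only y > 0 the obligation y > 0 --> (y - 1) > 0 fails at y = 1, and the search reports that assignment as the counterexample.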