CSC510 – Discrete Structures

Chapter 5
PROGRAM CORRECTNESS

Dr. Raihah binti Aminuddin

1
Overview
• Program testing
• Concepts for Correctness proofs
• Hoare triple
• Strong and weak Assertions
• Program correctness proof
1. Assignment Statement/Rule
2. Concatenation
• Two Steps to Correctness Proof
3. Conditional Rule: if-then and if-then-else
4. Loop Rule: while-do
5. Loop invariant
2
PROGRAM TESTING
• It is impossible to get an error free program on the first try.

• To ensure a program always produces the correct answer, program

testing is required.

• If a program is free from any syntax error, we can test the program
with sample input.

• A program is considered INCORRECT if:

1. incorrect result is produced for any sample input
2. correct results are produced for all sample input but it may not
be the correct answer unless all possible input has been tested.
3
 Concepts for correctness Proofs

Assertions are meaning of computation

associated with some pieces of code.

PRE-CONDITION POST-CONDITION
- The condition that the - The final state that is
initial state must satisfy acceptable as correct
such that the program code results.
can accomplish its
objective.
4
EXAMPLE
Show that the program segment (Code) : Another example:
y := 2
{x = 1} y = 2; z = x + y {z = 3}
z := x + y
is correct with respect to the initial assertion - Precondition, P: x = 1
P: x = 1 and the final assertion Q: z = 3. - Postcondition, Q: z = 3
Prove {P} C {Q}.
- Code, C: y = 2; z = x + y

Solution:
P C Q

5
EXAMPLE
Show that the program segment (Code) : Another example:
y := 2
{x = 1} y = 2; z = x + y {z = 3}
z := x + y
is correct with respect to the initial assertion - Precondition, P: x = 1
P: x = 1 and the final assertion Q: z = 3. - Postcondition, Q: z = 3
Prove {P} C {Q}.
- Code, C: y = 2; z = x + y

Solution:
P C Q
x=1 y=2 x = 1, y = 2
//if x = 1 in the program’s //code
input state

x = 1, y = 2 z=1+2 z=3
z=3 //then after running y := 2 and
z := x + y, z will be 1 + 2 = 3.

6
Hoare triple
Axiomatic Semantics invented by Hoare is a tool/language to
specify program behaviour and proving correctness (based on
mathematical logic).
7
HOARE TRIPLE

8
Empty assertion { } is the ideal pre-condition – means true for all cases. 9
Strong & Weak Assertions

10
STRONG & WEAK ASSERTIONS

Stronger Weaker
More specific More general
x=2 vs x>2
x>2 vs x >= 2

11
STRONG & WEAK ASSERTIONS

12
FINDING WEAKEST PRE-CONDITION

• PRE-CONDITION should be as weak as possible.

• Weakest pre-condition is the most general.

• Empty assertion { } is the ideal pre-condition –

means true for all cases.

13
FINDING STRONGEST POST-CONDITION

• Post-condition should be as strong as possible.

• Strongest post-condition is the most specific.

14
PROGRAM CORRECTNESS PROOF – AXIOMATIC SEMANTICS
(HOARE TRIPLE)
1. Assignment Statement/Rule

2. Concatenation Rule

3. Conditional Rule
a) if-then
b) if-then-else

4. Loop Rule
a) while-do

15
16
ASSIGNMENT RULE

FIND THE WEAKEST PRE-CONDITION

TRY: Test the program code using the

pre and post-condition given. 17
ASSIGNMENT RULE

FIND THE WEAKEST PRE-CONDITION

P C Q START HERE

TRY: Test the program code using the

pre and post-condition given. 18
CONCATENATION RULE

19
CONCATENATION RULE:
Example 1.1: FIND THE POST-CONDITION FOR THE FOLLOWING STATEMENT

{x = 10 ∧ y = 25} x := y; y := x {?}

P START HERE C Q

PLEASE NOTE:
Therefore, the post-condition is . 1 mark for stating the conclusion. 20
CONCATENATION RULE:
Example 1.1: FIND THE POST-CONDITION FOR THE FOLLOWING STATEMENT

{x = 10 ∧ y = 25} x := y; y := x {?}

P START HERE C Q
x = 10  y = 25 x =y x = 25  y = 25
//Substitute y=25 in P into x=y. The new value of x is 25.
x = 25 //The post-condition (R) for C1 is x = 25  y = 25.

x = 25  y = 25 y=x x = 25  y = 25
//Move the final state of the 1st statement, R to //Substitute x=25 in P into y=x. The new value of y is 25.
the initial state of 2nd statement. y = 25 //Therefore the post-condition (Q) is x = 25  y = 25.

Therefore, the post-condition is x = 25  y = 25. PLEASE NOTE:

1 mark for stating the conclusion. 21
CONCATENATION RULE:
Example 1.2: FIND THE POST-CONDITION FOR THE FOLLOWING STATEMENT

{x > 10 ∧ y > 25 } x := y; y := x {?}

P START HERE C Q

PLEASE NOTE:
Therefore, the post-condition is . 1 mark for stating the conclusion. 22
CONCATENATION RULE:
Example 1.2: FIND THE POST-CONDITION FOR THE FOLLOWING STATEMENT

{x > 10 ∧ y > 25 } x := y; y := x {?}

P START HERE C Q
x > 10  y > 25 x ‫ =׃‬y x > 25  y > 25
Let x=10, and y =25 //C1 //Substitute y=25 in P into x=y. The new value of x is 25.
//The post-condition (R) for C1 is x > 25  y > 25.

x > 25  y > 25 y=x x > 25  y > 25

//Move the final state of the 1st statement, R to the //C2 //Substitute x=25 in P into y=x. The new value of y is 25.
initial state of 2nd statement. //Therefore the post-condition (Q) is x > 25  y > 25.

Therefore, the post-condition is x > 25  y > 25. PLEASE NOTE:

1 mark for stating the conclusion. 23
CONCATENATION RULE:
Example 1.3: FIND THE POST-CONDITION FOR THE FOLLOWING STATEMENT

{x >= 10 ∧ y >= 25 } x := x+2; y := y-3 {?}

P START HERE C Q

PLEASE NOTE:
Therefore, the post-condition is . 1 mark for stating the conclusion. 24
CONCATENATION RULE:
Example 1.3: FIND THE POST-CONDITION FOR THE FOLLOWING STATEMENT

{x >= 10 ∧ y >= 25 } x := x+2; y := y-3 {?}

P START HERE C Q
x >= 10  y >= 25 x ‫ =׃‬x+2 x >= 12  y >= 25
Let x=10, and y =25 x = 10 + 2 //Substitute x=10 in P into x+2. The new value of x is 12.
//The post-condition (R) for C1 is x => 12  y >= 25.
//C1

x >= 12  y >= 25 y = y-3 x >= 12  y >= 22

//Move the final state of the 1st //Substitute y=25 in P into y-3. The new value of y is 22.
statement, R to the initial state of 2nd y = 25-3 //Therefore the post-condition (Q) is x >= 12  y >= 22.
statement. //C2

PLEASE NOTE:
Therefore, the post-condition is x >= 12  y >= 22. 1 mark for stating the conclusion. 25
CONCATENATION RULE:
Example 1.4: FIND THE PRE-CONDITION FOR THE FOLLOWING STATEMENT

{?} x := x+2; y := y-3 {x >= 12  y >= 22}

P C Q

START HERE

PLEASE NOTE:
Therefore, the pre-condition is . 1 mark for stating the conclusion. 26
CONCATENATION RULE:
Example 1.4: FIND THE PRE-CONDITION FOR THE FOLLOWING STATEMENT

{?} x := x+2; y := y-3 {x >= 12  y >= 22}

P C Q
x >= 12  y >= 25 x ‫ =׃‬x + 2 x >= 12  y >= 25
x + 2 >= 12  y >= 25 //C1

x >= 10  y >= 25
x >= 12  y >= 22 y = y - 3 x >= 12  y >= 22
x >= 12  y – 3 >= 22 //C2 START HERE

x >= 12  y >= 25
PLEASE NOTE:
Therefore, the pre-condition is x >= 10  y >= 25. 1 mark for stating the conclusion. 27
Summary
{?} x = y + 1; { x < 10 }

Find Pre-condition Find Post-condition

P C Q P C Q
START HERE START HERE

∴ pre-condition is _______ ∴ post-condition is ________

28
 Summary
{?} x = y + 1; { x < 10 }

Find Pre-condition Find Post-condition

P C Q P C Q
START HERE START HERE

x < 10
x=y+1
y + 1 < 10 y<9
x=y+1 x < 10 x=9+1 y < 9  x < 10
y < 10 – 1 Let y = 9
x = 10
y<9

∴ pre-condition is y < 9 ∴ post-condition is y < 9  x < 10

29
PROVE IF THE FOLLOWING PIECES
OF CODE ARE CORRECT

30
PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT
Find the post-condition
EXAMPLE 1.1:

{x = 1} x := x + y; x := x + y * y {x = 1 + y + y2}

SOLUTION:
P START HERE C Q

PLEASE NOTE:
Since the last statement produces the result of x = 1 + y 1 mark for stating ‘the statement is correct/incorrect’,
+ y2 which is equals to the given post-condition, hence, 1 mark for justification/explanation.
the statement is correct. 31
PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT
Find the post-condition
EXAMPLE 1.1:

{x = 1} x := x + y; x := x + y * y {x = 1 + y + y2}

SOLUTION:
START HERE
P C Q
x=1 x := x + y x=1+y
x=1+y x := x + y * y x = (1 + y) + y * y
x = 1 + y + y2

PLEASE NOTE:
Since the last statement produces the result of x = 1 + y 1 mark for stating ‘the statement is correct/incorrect’,
+ y2 which is equals to the given post-condition, hence, 1 mark for justification/explanation.
the statement is correct. 32
 PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT
Find the pre-condition
EXAMPLE 1.2:

{x = 1} x := x + y; x := x + y * y {x = 1 + y + y2}
P C Q

START HERE
PLEASE NOTE:
Since the initial state produces the result of x = 1 which 1 mark for stating ‘the statement is correct/incorrect’,
is equals to the given pre-condition, hence, the 1 mark for justification/explanation.
statement is correct. 33
 PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT
Find the pre-condition
EXAMPLE 1.2:

{x = 1} x := x + y; x := x + y * y {x = 1 + y + y2}
P C Q

START HERE
PLEASE NOTE:
Since the initial state produces the result of x = 1 which 1 mark for stating ‘the statement is correct/incorrect’,
is equals to the given pre-condition, hence, the 1 mark for justification/explanation.
statement is correct. 34
PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT

EXAMPLE 3:

START HERE
P C Q

PLEASE NOTE:
1 mark for stating the conclusion.
Since P and Q are same, therefore the invariant is proven true. 35
PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT

EXAMPLE 3:

START HERE
P C Q
x = 2y y=y+1 x = 2(y + 1)
x = 2(y + 1) x = x*2 2x = 2(y + 1)
//Move all expression to RHS except x
x = 2(y + 1) / 21
x = 2(y + 1) - 1
x = 2y PLEASE NOTE:
1 mark for stating the conclusion.
Since P and Q are same, therefore the invariant is proven true. 36
PROVE IF THE FOLLOWING PIECES OF CODE ARE CORRECT

EXAMPLE 3:

P C Q
x*2 = 2y y=y+1 x*2 = 2y
2x = 2y
x = 2(y + 1) / 21
x = 2(y + 1) - 1
x = 2y
x = 2y x = x*2 x = 2y
START HERE PLEASE NOTE:
x*2 = 2y 1 mark for stating the conclusion.
Since P and Q are same, therefore the invariant is proven true. 37
Two Steps to Correctness Proof

38
39
Goal: Prove {P} C {Q}
1. Find wp(C, Q) NOTE:
If the P is weaker than the
wp P, then the code
2. Prove that P → wp(C, Q) segment is incorrect.

Code P vs wp P
segment
CORRECT Specific/ General/
Stronger Weaker
INCORRECT General/ Specific/
Weaker Stronger

40
 Two steps to Correctness proof
NOTE:
• Example 1: {P} C {Q} If the P is weaker than the
• Find the weakest pre-condition. wp P, then the code
segment is incorrect.
• {y = 3} x := y + 1 {2*x + y <= 11}
Code P vs wp P
//P segment
START HERE
CORRECT Specific/ General/
P C Q Stronger Weaker
INCORRECT General/ Specific/
Weaker Stronger

P vs wp P
y=3 y <= 3
Specific/
Stronger
General/
Weaker
So, code segment is CORRECT

Conclusion: P must be as weak as possible. Since y = 3 is stronger than y <= 3, so the Proven P is correct. 41
 Two steps to Correctness proof
NOTE:
• Example 1: {P} C {Q} If the P is weaker than the
• Find the weakest pre-condition. wp P, then the code
segment is incorrect.
• {y = 3} x := y + 1 {2*x + y <= 11}
Code P vs wp P
//P segment
START HERE
CORRECT Specific/ General/
P C Q Stronger Weaker

2*x + y <= 11 x=y+1 2*x + y <= 11 INCORRECT General/

Weaker
Specific/
Stronger
2*(y + 1) + y <= 11 P vs wp P
2y + 2 + y <= 11 y=3 y <= 3

y <= 3 Specific/
Stronger
//wp P General/
Weaker
So, code segment is CORRECT

Conclusion: P must be as weak as possible. Since y = 3 is stronger than y <= 3, so the Proven P is correct. 42
CONDITIONAL RULE

D is condition
¬D is the negation of the condition 43
EXAMPLE 1: if-then-else clause

44
 EXAMPLE START
1: HERE
if-then-else clause
Two parts P D C Q
If m≠1 m<0 m = -m m >= 0
//D //C1

Else m≠1 m >= 0 m=m–1 m >= 0

//¬D //C2

NOTE:
If only one part is
correct, then the
code is incorrect.

Conclusion: Since both parts are correct, therefore the code is correct. 45
 EXAMPLE
START HERE
1: if-then-else clause
Two parts P D C Q Analysis
If m≠1 m<0 m = -m m >= 0 Existing pre-condition {P ꓥ D}: m < 0
//D //C1
//Substitute m >= 0 in Q with m = -m
-m >= 0
New condition: m <= 0

No conflict between existing pre-condition and new

condition. Therefore, the code segment is correct.
Else m ≠ 1 m >= 0 m=m–1 m >= 0 Existing pre-condition {P ꓥ ¬D}: m >= 0
//¬D //C2
//Substitute m >= 0 in Q with m = m - 1
m – 1 >= 0
m >= 1
NOTE:
New condition: m >= 1
If only one part is
correct, then the
No conflict between existing pre-condition and new
code is incorrect.
condition. Therefore, the code segment is correct.

Conclusion: Since both parts are correct, therefore the code is correct. 46
CONDITIONAL RULE

D is condition
¬D is the negation of the condition 47
EXAMPLE 2: if-then clause

Solution: Refer to next slide…

48
EXAMPLE 2: if-then clause
Two parts START HERE P D C Q
If m≠1 m<0 m = -m m >= 0
//D //C1

Else m≠1 m >= 0 m=m–1 m >= 0

//¬D //C2

NOTE:
49
If only one part is correct, then the code segment is incorrect.
EXAMPLE
START HERE
2: if-then clause
Two P D C Q Analysis
parts
If { } x<0 x = -x x >= 0 Existing pre-condition {P ꓥ D}: x < 0
//D //C1
//Substitute x >= 0 in Q with x = -x
-x >= 0
New condition: x <= 0

No conflict between existing pre-condition and new

condition. Therefore, the code segment is correct.
Else { } x >= 0 x >= 0 Existing pre-condition {P ꓥ ¬D}: x >= 0
//¬D New condition: x >= 0

No conflict between existing pre-condition and new

condition. Therefore, the code segment is correct.

NOTE:
50
If only one part is correct, then the code segment is incorrect.
Example 3.1: IF ELSE How to test the code?
Refer to the next slide…

• Identify the weakest pre-condition for the following decision

segment that can guarantee the post-condition to be true.
START HERE

Two P D C Q
parts
If n>1 16n > 16 m = n*16; m > 16
//The weakest pre-condition, n>1
W1
for If block

Else n>4 n2 > 16 m = n*n m > 16

//The weakest pre-condition, n>4
W2
for Else block

Therefore, the weakest pre-condition is n > 4 (because the n > 4 is more specific than n > 1).
51
Example 3.1: IF ELSE How to test the code?
Refer to the next slide…

• Identify the weakest pre-condition for the following decision

segment that can guarantee the post-condition to be true.
START HERE

Two P D C Q
parts
If n>1 m > 16 m = n*16; m > 16
//The weakest pre-condition, n*16 > 16
W1
for If block 16n > 16
n>1

Else n>4 m > 16 m = n*n m > 16

//The weakest pre-condition, n*n > 16
W2
for Else block n2 > 16
n>4

Therefore, the weakest pre-condition is n > 4 (because the n > 4 is more specific than n > 1).
52
 Example 3.1: IF ELSE TEST THE CODE
• Based on previous example: Two parts Test code using WP n > 1 Test code using WP n > 4
• You’ve identified TWO weakest pre-conditions (WP): to each code in if and else block to each code in if and else block
1) WP for if block: n > 1 Test value n=2 n=5
2) WP for else block: n > 4 //Choose a value greater than 1 //Choose a value greater than 4

• Since both the if clause and the else clause must If //Substitute n = 2 into n //Substitute n = 5 into n
be satisfied, we need to take the stronger (more Code m = n * 16 m = n * 16
restrictive/specific) of the two pre-conditions. = 2 * 16 = 5 * 16
= 32 = 80
• Therefore, the weakest pre-condition that can
Else //Substitute n = 2 into n //Substitute n = 5 into n
guarantee the post-condition is n > 4 (because
the n > 4 is more specific than n > 1). Code m=n*n m=n*n
=2*2 =5*5
=4 = 25
Explanation Based on the results of else code, the Based on the results of if and else
value of m is less than 16. code, both values of m are greater
Therefore, the weakest pre- than 16.
condition, n > 1 cannot guarantee Therefore, the weakest pre-
the post-condition. condition, n > 4 can guarantee the
post-condition.
53
 Example 3.2: IF ELSE
• Identify the strongest post-condition for the following decision
segment that can guarantee the pre-condition to be true.

1. Find post-condition using assignment/concatenation rule.

2. Then determine if Q1 is more general than Q2 OR Q2 is more
general than Q1. Let’s say:
Strongest Post-condition for If block is Q1
3. For example, if Q1 is x > 0 and Q2 is x = 1. Strongest Post-condition for else block is Q2

Therefore, the strongest post-condition is x > 0 (because the x > 0 is more general than x = 1).

54
Example 3.3: IF ELSE POSTCONDITION

START HERE
Two parts P D C Q
If a >= 6 n < a a = 2 – (a/2)

Else a >= 6 n >= a a = 4 – a

//¬D

55
Example 3.3: IF ELSE POSTCONDITION

START HERE
Two parts P D C Q
If a >= 6 n < a a = 2 – (a/2) a >= -1, Q1

Let a = 6
a = 2 – (a/2)
= 2 – (6/2)
= -1
Else a >= 6 n >= a a = 4 – a a >= -2, Q2
//¬D
Let a = 6
a = 4 – a
= 4 – 6
= -2
56
Therefore, the strongest post-condition is x >= -2 (because the x >= -2 is more general than x >= -1).
Example 3.4: IF ELSE PRECONDITION
WEAKEST PRECONDITION

START HERE
Two parts P D C Q
If a >= -1, Q1

Else a >= -2, Q2

57
Example 3.4: IF ELSE PRECONDITION

START HERE
Two parts P D C Q
If a >= 6 n < a a = 2 – (a/2) a >= -1, Q1

a >= -1
2 – (a/2) >= -1
(a/2) >= -1-2
-(a/2) >= -3
-a >= -6
a >= 6

Else a >= 6 n >= a a = 4 – a a >= -2, Q2

//¬D
a >= -2
4 – a >= -2
- a >= -2 – 4
a >= 6
58
Therefore, the weakest pre-condition is x >= 6.
LOOP RULE: while-do clause

59
FINDING LOOP INVARIANT
• Loop invariant is the formalisation of the programmer’s
objective.

• Since the loop invariant is the basis for the post-condition, so

it must be somewhat similar to the post-condition.

• Each iteration ought to make some progress towards the post-

condition, meaning the goal of what to achieve at the end of
the loop will yield the loop invariant.

• The loop invariant typically contains all the code variables that
are changed from iteration to iteration in the loop.

• The index variable is local to the summation, so the

summation indices should be different from code variables.
60
LOOP INVARIANT – Example 1
How to find the loop invariant?
Measures the progress towards satisfying the exit condition. Often deal with summation.

{?}
x = 0; z = 0;

Stop
while (z ≠ n) when
{ z==n
x = x + y;
z = z + 1;
}
{?}

61
LOOP INVARIANT – Example 1
How to find the loop invariant?
Measures the progress towards satisfying the exit condition. Often deal with summation.

y = 2; n = 2 x z z≠n x=x+y z=z+1

(summation) (counter)
Initially

After 1st pass

After 2nd pass

Test pattern Use variable x, Formula 1 Formula 2 Formula 3

for the output y and z
Output Test/Loop value
x z

63
LOOP INVARIANT – Example 1
How to find the loop invariant?
Measures the progress towards satisfying the exit condition. Often deal with summation.

y = 2; n = 2 x z z≠n x=x+y z=z+1

(summation) (counter)
Initially 0 0 0 != 2, T 2=0+2 1=0+1
After 1st pass 2 1 1 != 2, T 4=2+2 2=1+1
After 2nd pass 4 2 2 != 2, F - -

Test pattern Use variable x, Formula 1 Formula 2 Formula 3

for the output y and z
Output Test/Loop value x=z*y x=y^z x=z^y
x z
0 0 0=0*2 1=2^0 0=0^2

2 1 2=1*2 2=2^1 1=1^2

4 2 4=2*2 4=2^2 4=2^2

64
LOOP INVARIANT – Example 1
How to find the loop invariant?
Measures the progress towards satisfying the exit condition. Often deal with summation.

{ x = z*y }
x = 0; z = 0;

Stop
while (z ≠ n) when
{ z==n
x = x + y;
z = z + 1;
}
{ x = z*y }

65
 LOOP INVARIANT – Example 2
Prove/Show that x = z*y is invariant in the following loop segment.
P C Q

START HERE
Conclusion: Since both P and Q are same, therefore the invariant is proven. 66
 LOOP INVARIANT – Example 2
Prove/Show that x = z*y is invariant in the following loop segment.

P C Q
x + y = yz + y x = x+y x = yz + y
x = yz + y - y
x = y*z
x = z*y
x = (z + 1)*y z=z+1 x = z*y
x = yz + y Start here

Conclusion: Since both P and Q are same, therefore the invariant is proven.
67
 LOOP INVARIANT – Example 3 P = Pre-condition
I = Invariant loop
• Identify the strongest post-condition for the loop segment in previous ¬D = When the condition is false
exercise if the precondition is given as { c > 5 ꓥ d > 10 }.

Step 1: Identify the P, I and ¬D.

START HERE
P I ¬D CQ = { I ꓥ ¬D)
c > 5 ꓥ d > 10 b=c+a*d D=a<d Therefore, //Substitute a in I with a=d in ¬D
CQ: b = c + d * d
b = c + d2
¬D = ¬(a<d) b = 5 + 102
= a>=d b = 105
Then
Let a = d Conclusion:
Therefore, the strongest post-condition, Q is b > 105.
Note: After the loop has been terminated, the
possible correct result(s) should be greater than 105. 68
 LOOP INVARIANT – Example 3 P = Pre-condition
I = Invariant loop
• Identify the strongest post-condition for the loop segment in previous ¬D = When the condition is false
exercise if the precondition is given as { c > 5 ꓥ d > 10 }.

Step 1: Identify the P, I and ¬D.

START HERE
P I ¬D CQ = { I ꓥ ¬D)
c > 5 ꓥ d > 10 b=c+a*d D=a<d Therefore, //Substitute a in I with a=d in ¬D
CQ: b = c + d * d
b = c + d2
¬D = ¬(a<d) b = 5 + 102 //Substitute c with 5, and d with 10, refer P
= a>=d b = 105 Let c = 5 and d = 10

Then
Let a = d Conclusion:
Therefore, the strongest post-condition, Q is b > 105.
Note: After the loop has been terminated, the
possible correct result(s) should be greater than 105. 69
Overview
• Program testing and verification
• Concepts for Correctness proofs
• Hoare triple
• Strong and weak Assertions
• Weakest Precondition and Strongest Postcondition
• Conjunction and Disjunction Rules
• Axiomatic semantics
• Program correctness proof
• Assignment Statement/Rule
• Concatenation
• Conditional Rule: if-then and if-then-else
• Loop Rule: while-do
• Loop invariant

70