How to verify that function with Hoare Triple?

Question

As the title says, how can I verify the function below with the Hoare Triple? I read various lectures about it but I can't figure out how to do it.

int uguaglianza_insiemi(elem_lista_t *insieme_A,
                        elem_lista_t *insieme_B)
{
    int esito;  

    if ((insieme_A == NULL) && 
        (insieme_B == NULL))
        esito = 1;

    else if (insieme_A == NULL ||
            insieme_B == NULL)
            esito = 0;

    else if (insieme_A->valore != insieme_B->valore) 
            esito = 0;

    else esito = uguaglianza_insiemi(insieme_A->succ_p,
                                     insieme_B->succ_p);

    return (esito);
}

You need to write the preconditions P and the postconditions Q and prove that if the precponditions are met, the postcondition will hold after the processing. For example, a precondition is that `insiema_A` and B are either null or point to a valid list element. — Paul Ogilvie, May 27 '19 at 15:56
So i need to write and set a Preconditions and a Postconditions? In my lecture i read that if the function is recursive, i can also resolve it with the induction metod, i'm a bit confused — Porchetta17, May 27 '19 at 16:12
Induction probably means here that if the first invocation was correct, and the program (function) is correct, then every next invocation will be correct. But you still need to write those pre- and post conditions. — Paul Ogilvie, May 27 '19 at 16:26
You can write statements or `assert()`s to verify the pre- and post conditions. The only thing the function can't verify is that on first invocation it has been called with pointers, if non-null, to objects that are valid list elements. C allows with casts to invoke the function with garbage pointers. — Paul Ogilvie, May 27 '19 at 16:29
Ok thank you for the tip, i only need to understand how to write those conditions, for instance, if i take this precondition you wrote:"insieme_A and B are either null or point to a valid list element." , i must write the post condition related to that pre condition? — Porchetta17, May 27 '19 at 16:30
You can write the pre and post conditions either as natural language, or using some formal language, or using C statements. — Paul Ogilvie, May 27 '19 at 16:31
I would ask you if you can introduce some examples about my code! Might you do that? — Porchetta17, May 27 '19 at 16:52

Paul Ogilvie · Answer 1 · 2019-05-28T07:50:06.777

To prevent a long discussion in comments, I'll try to write some pre- and post conditions.

As it is not possible to test inside the function whether it is called with pointers to valid list objects, that falls to the parent/the caller:

// The following function must be called with pointers that are either null
// or point to valid list elements. The lists must be correct (no malloc bugs etc).
// The compiler must have checked that it is called with pointers to the proper types,
// as C has no typeof operator.
//
int uguaglianza_insiemi(elem_lista_t *insieme_A,
                        elem_lista_t *insieme_B)
{
    int esito;  

    if ((insieme_A == NULL) && 
        (insieme_B == NULL))
        esito = 1;    // both pointers are null: equal

    // not both pointes are null
    else if (insieme_A == NULL ||
            insieme_B == NULL)
            esito = 0;    // not both pointers are null, but one is: not equal

    // neither pointer is null and so they may be dereferenced
    else if (insieme_A->valore != insieme_B->valore) 
            esito = 0;    // neither pointer is null, but their element values aer not equal: not equal


    // the function can be called recursively now because its precondition has been met,
    // that both successor pointers are null or point to valid list elements (induction).
    else esito = uguaglianza_insiemi(insieme_A->succ_p,
                                     insieme_B->succ_p);
    // the post condition is that esito reflects equality of both (partial) lists                    
    return (esito);
}

I hope this is something that you and you professor can work with.

{P}: The function must be called with pointers that are either null or point to valid list elements.

C: uguaglianza_insiemi( *A, *B)

{Q}: function result reflects equality of the lists

Inside the function, this continues with the if statement using the rule of composition.

@Porchetta17 if yu consider the answer useful you should accept it, cf to https://stackoverflow.com/help/someone-answers — alinsoar, Jun 05 '19 at 09:12

How to verify that function with Hoare Triple?

1 Answers1