1 / 25

Axiomatic Semantics

Axiomatic Semantics. Predicate Transformer s. Motivation. Input. Output. Problem Specification Properties satisfied by the input and expected of the output (usually described using “assertions”). E.g., Sorting problem Input : Sequence of numbers

Mercy
Download Presentation

Axiomatic Semantics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Axiomatic Semantics Predicate Transformers L189wp

  2. Motivation Input Output • Problem Specification • Properties satisfied by the input and expected of the output (usually described using “assertions”). • E.g., Sorting problem • Input : Sequence of numbers • Output: Permutation of input that is ordered. • Program • Transform input to output. L189wp

  3. Sorting algorithms • Bubble sort; Shell sort; • Insertion sort; Selection sort; • Merge sort; Quick sort; • Heap sort; • Axiomatic Semantics To show that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states. L189wp

  4. Axiomatic Approaches • Hoare’s Proof System (partial correctness) • Dijkstra’s Predicate Transformer (total correctness) Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc. Hoare Triples : {P} S {Q} pre-condition statements post-condition (assertion) (program) (assertion) L189wp

  5. Swap Example { x = n and y = m } t := x; x := y; y := t; { x = m and y = n} • program variables vs ghost/logic variables • States : Variables -> Values • Assertions : States -> Boolean (= Powerset of States) L189wp

  6. Partial vs Total Correctness {P} S {Q} • S is partiallycorrect for P and Qif and only if whenever S is executed in a state satisfying Pand the execution terminates,then the resulting state satisfies Q. • S is totallycorrect for P and Qif and only if whenever S is executed in a state satisfying P ,then the execution terminates, and the resulting state satisfies Q. L189wp

  7. Examples • Totally correct (hence, partially correct) • { false } x := 0; { x = 111 } • { x = 11 } x := 0; { x = 0 } • { x = 0 } x := x + 1; { x = 1 } • {false} while true do; {x = 0} • {y = 0} if x <> y then x:= y; { x = 0 } • Not totally correct, but partially correct • {true} while true do; {x = 0} • Not partially correct • {true} if x < 0 then x:= -x; { x > 0 } L189wp

  8. Axioms and Inference Rules • Assignment axiom {Q[e]} x := e; {Q[x]} • Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q} • Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y} {x = y} x:=x+1; y:=y+1; {x = y} L189wp

  9. Generating additional valid triples {P} S {Q} from {P’} S {Q’} P’ States States P’ Q P Q’ L189wp

  10. Rule of Consequence {P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q} • Strengthening the antecedent • Weakening the consequent • Example {x=0 and y=0} x:=x+1;y:=y+1; {x = y} {x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics[boolean algebra + arithmetic] ) L189wp

  11. Predicate Transformers • Assignment wp( x := e , Q ) = Q[x<-e] • Composition wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) • Correctness {P} S {Q} = (P => wp( S , Q)) L189wp

  12. Correctness Illustrated P => wp( S , Q) States States Q wp(S,Q) P L189wp

  13. Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y} • wp(y:=y+1; , {x = y}) = { x = y+1 } • wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 } • wp(x:=x+1;y:=y+1; , {x = y}) = { x+1 = y+1 } = { x = y } • { x = 0 and y = 0 } => { x = y } L189wp

  14. Conditionals { P and B } S1 {Q} {P and not B } S2 {Q} {P} if B then S1 else S2; {Q} wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and (not B => wp(S2,Q)) = (B and wp(S1,Q)) or (not Band wp(S2,Q)) L189wp

  15. “Invariant”: Summation Program { s = i * (i + 1) / 2 } i := i + 1; s := s + i; { s = i * (i + 1) / 2 } • Intermediate Assertion ( s and i different) { s + i = i * (i + 1) / 2 } • Weakest Precondition { s+i+1 = (i+1) * (i+1+1) / 2 } L189wp

  16. while-loop : Hoare’s Approach {Inv and B} S {Inv} {Inv} while B do S {Inv and not B} Proof of Correctness {P} while B do S {Q} = P => Inv and {Inv} B {Inv} and {Inv and B} S {Inv} and {Inv andnot B => Q} + Loop Termination argument L189wp

  17. {I} while B do S {I and not B} {I and B} S {I} 0 iterations: {I} {I and not B} notB holds 1 iteration: {I} S {I and not B} B holdsnotBholds 2 iterations: {I} S ; S {I and not B} B holds B holdsnotBholds • Infinite loop if B never becomes false. L189wp

  18. Example1 : while-loop correctness { n>0 and x=1 and y=1} while (y < n) [ y++; x := x*y;] {x = n!} • Choice of Invariant • {I and not B} => Q • {I and (y >= n)} => (x = n!) • I = {(x = y!) and (n >= y)} • Precondition implies invariant { n>0 and x=1 and y=1} => { 1=1! and n>=1 } L189wp

  19. Verify Invariant {I and B} => wp(S,I) wp( y++; x:=x*y; , {x=y! and n>=y}) = { x=y! and n>=y+1 } I and B = { x=y! and n>=y } and { y<n } = { x=y! and n>y } • Termination • Variant : ( n - y ) y : 1 -> 2 -> … -> n (n-y) : (n-1) -> (n-2) -> … -> 0 L189wp

  20. GCD-LCM code PRE: (x = n) and (y = m) • u := x; v := y; • while (x <> y) do ASSERT: (** INVARIANT **) • begin • if x > y then x := x - y; u := u + v • else y := y - x; v := v + u • end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2) L189wp

  21. while-loop : Dijkstra’s Approach wp( while B do S , Q) = P0 or P1 or … or Pn or … = there existsk >= 0 such that Pk Pi: Set of states causingi-iterations ofwhile-loopbefore halting in a state inQ. P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk) L189wp

  22. States States ... wp Q P2 P0 P1 P0 P0 => wp(skip, Q) P0 subset Q P1 => wp(S, P0) L189wp

  23. Example2 : while-loop correctness P0 = { y >= n and x = n! } Pk = B and wp(S,Pk-1) P1 = { y<n andy+1>=n and x*(y+1) = n! } Pk = y=n-kand x=(n-k)! Weakest Precondition Assertion: Wp = there existsk >= 0 such that P0 or {y = n-kand x = (n-k)!} Verification : P = n>0 and x=1 and y=1 Fori = n-1: P => Wp L189wp

  24. Induction Proof Hypothesis : Pk = {y=n-kand x=(n-k)!} Pk+1 = { B and wp(S,Pk) } = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!) Valid preconditions: • { n = 4 and y = 2 and x = 2 } (k = 2) • { n = 5 and x = 5! and y = 6} (no iteration) L189wp

  25. Detailed Working wp( y++; x:=x*y; , {x=y! and n>=y}) = wp(y++,{x*y=y! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = {x=y+1-1! and n>=y+1} L189wp

More Related