# Axiomatic Semantics - PowerPoint PPT Presentation

1 / 9

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Axiomatic Semantics

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

### Axiomatic Semantics

• The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer.

• In this setting, we are interested in assertions about program state (in particular values of program variables). Each such assertion can be couched as what’s known as a Hoare triple (after C.A.R. Hoare){P}S{Q}which is interpreted as follows:Assertion Q will hold in the state yielded immediately upon termination of statement S when executed in state satisfying assertion P.

• By way of example, consider the following:{ x = A } x := x + 1 { x = A + 1}

• Hoare triples are typically used to express partial correctness of a program, however, one can use them to specify the conditions under which a program will terminate.

### Weakest Preconditions

• To adequately describe the semantics of a programming language construct C, we can’t just manufacture a few true Hoare triples, we must have some plan for describing exactly what we want to say about a program’s behavior.

• An assertion R is said to be weaker than assertion P if the truth of P implies the truth of R, written P→R (equivalently R or not(P)).Example: x >0 is weaker than x = 3.

• The program proving game is played as follows:

• We know what program construct C we are using.

• We know what assertion Q we want to be true after C terminates.

• We use the proof system to find out what absolutely must be true before executing C and nothing more, that is we find the weakest precondition of C that will yield Q, wp(C,Q).

Then we know that if we execute C in any state P such that P→wp(C,Q), then Q will be true when C terminates.

### General Properties of wp(not specific to any language)

• Law of the Excluded Miraclewp(C,false) = falseNote that if false is true, we can prove anything!

• Distributivity of Conjunctionwp(C,P and Q) = wp(C,P) and wp(C,Q)

• Law of Monotonicityif Q→R then wp(C,Q)→wp(C,R)

• Distributivity of Disjunctionwp(C,P) or wp(C,Q) → wp(C,P or Q)

### wp Properties Specific to our Simple Language

• We make a huge leap of faith assuming that all of us already understand some underlying logic that captures all interesting properties of expressions, and note that true assertions P→Q from this logic can be used in our proofs.

• Statement Listswp(L1;L2,Q) = wp(L1,wp(L2,Q))This says weakest preconditions propagate backwards through statement sequences.

• Assignment Statementswp(I:=E,Q) = Q[E/I]

• The substitution Q[E/I] involves substituting the expression E for each free occurrence of I in Q. An occurrence of a variable is said to be bound in an assertion if it is the argument of an existential () or universal () quantifier. An occurrence is free if it is not bound. Consider Q[1/j] when Q has the following two values:

• Q = (for all i, a[i] = a[j])

• Q = (for all j, a[i] = a[j])

• Now consider applying this:wp(x := x + 1, x = A)= (x = A)[(x + 1)/x]= (x + 1 = A)= (x = A – 1)

### If statements

• If Statementswp(if E then L1 else L2 fi,Q) =(E >0→wp(L1,Q)) and (E0→wp(L2,Q))

• Consider applying this in Louden’s example:wp(if x then x := 1 else x := -1 fi, x = 1)= (x>0→wp(x := 1,x=1)) and (x0→wp(x := -1,x=1))= (x>0→1=1) and (x0→-1=1)

• Note (x>0→1=1) = (1=1 or not(x>0)) = true

• Note (x0→-1=1) = (-1=1 or not(x0)) = not(x0) = x>0

• Thuswp(if x then x := 1 else x := -1 fi, x = 1)= (x>0→1=1) and (x0→-1=1)= true and x>0= x>0

### While Statements

• To precisely define the weakest precondition of a while loop is difficult, we must define it inductively on the number of times the loop may be executed. Thus we have a sequence of assertions Hi(while E do L od,Q) each capturing the weakest preconditions satisfying that the loop executes i times and terminates in a state satisfying Q. Consider the sequence of H’s:

• H0(while E do L od,Q) = E0 and Q

• H1(while E do L od,Q) = E>0 and wp(L, H0(while E do L od,Q))

• Hi+1(while E do L od,Q) = E>0 and wp(L, Hi(while E do L od,Q))

• This seems pretty complicated. What should we really do?

{x = X and y = Y}t := x;x := y;y := t;{x = Y and y = X}

### Partial Correctness Proofs for Loop Invariants

• If we have a while loop, while E do L od, and an assertion W satisfying each of the following:

• W and (E >0)→wp(L,W)

• W and (E0)→Q

• P→W

then we can conclude that{P} while E do L od{Q}

• An assertion W satisfying these conditions is known as a loop invariant. Property 1 above guarantees that the truth of the assertion does not vary when the loop body is executed.

• Note that the loop termination and the invariant alone must be sufficient to satisfy the postcondition. P can be stronger than the invariant, but that won’t affect the postcondition that is provable in this manner.

### Choosing a Loop Invariant

{n>0}i := n;sum := 0;while i dosum := sum + i;i := i – 1;od{sum = 1 + 2 + ... + n}