axiomatic semantics
Download
Skip this Video
Download Presentation
Axiomatic Semantics

Loading in 2 Seconds...

play fullscreen
1 / 9

Some slides - PowerPoint PPT Presentation


  • 322 Views
  • Uploaded on

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Some slides' - bernad


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
axiomatic semantics
Axiomatic Semantics
  • The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer.
  • In this setting, we are interested in assertions about program state (in particular values of program variables). Each such assertion can be couched as what’s known as a Hoare triple (after C.A.R. Hoare) {P}S{Q}which is interpreted as follows:Assertion Q will hold in the state yielded immediately upon termination of statement S when executed in state satisfying assertion P.
  • By way of example, consider the following: { x = A } x := x + 1 { x = A + 1}
  • Hoare triples are typically used to express partial correctness of a program, however, one can use them to specify the conditions under which a program will terminate.
weakest preconditions
Weakest Preconditions
  • To adequately describe the semantics of a programming language construct C, we can’t just manufacture a few true Hoare triples, we must have some plan for describing exactly what we want to say about a program’s behavior.
  • An assertion R is said to be weaker than assertion P if the truth of P implies the truth of R, written P→R (equivalently R or not(P)). Example: x >0 is weaker than x = 3.
  • The program proving game is played as follows:
    • We know what program construct C we are using.
    • We know what assertion Q we want to be true after C terminates.
    • We use the proof system to find out what absolutely must be true before executing C and nothing more, that is we find the weakest precondition of C that will yield Q, wp(C,Q).

Then we know that if we execute C in any state P such that P→wp(C,Q), then Q will be true when C terminates.

general properties of wp not specific to any language
General Properties of wp(not specific to any language)
  • Law of the Excluded Miraclewp(C,false) = falseNote that if false is true, we can prove anything!
  • Distributivity of Conjunctionwp(C,P and Q) = wp(C,P) and wp(C,Q)
  • Law of Monotonicity if Q→R then wp(C,Q)→wp(C,R)
  • Distributivity of Disjunctionwp(C,P) or wp(C,Q) → wp(C,P or Q)
wp properties specific to our simple language
wp Properties Specific to our Simple Language
  • We make a huge leap of faith assuming that all of us already understand some underlying logic that captures all interesting properties of expressions, and note that true assertions P→Q from this logic can be used in our proofs.
  • Statement Listswp(L1;L2,Q) = wp(L1,wp(L2,Q))This says weakest preconditions propagate backwards through statement sequences.
  • Assignment Statementswp(I:=E,Q) = Q[E/I]
  • The substitution Q[E/I] involves substituting the expression E for each free occurrence of I in Q. An occurrence of a variable is said to be bound in an assertion if it is the argument of an existential () or universal () quantifier. An occurrence is free if it is not bound. Consider Q[1/j] when Q has the following two values:
    • Q = (for all i, a[i] = a[j])
    • Q = (for all j, a[i] = a[j])
  • Now consider applying this:wp(x := x + 1, x = A) = (x = A)[(x + 1)/x] = (x + 1 = A) = (x = A – 1)
if statements
If statements
  • If Statementswp(if E then L1 else L2 fi,Q) = (E >0→wp(L1,Q)) and (E0→wp(L2,Q))
  • Consider applying this in Louden’s example:wp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→wp(x := 1,x=1)) and (x0→wp(x := -1,x=1)) = (x>0→1=1) and (x0→-1=1)
  • Note (x>0→1=1) = (1=1 or not(x>0)) = true
  • Note (x0→-1=1) = (-1=1 or not(x0)) = not(x0) = x>0
  • Thuswp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→1=1) and (x0→-1=1) = true and x>0 = x>0
while statements
While Statements
  • To precisely define the weakest precondition of a while loop is difficult, we must define it inductively on the number of times the loop may be executed. Thus we have a sequence of assertions Hi(while E do L od,Q) each capturing the weakest preconditions satisfying that the loop executes i times and terminates in a state satisfying Q. Consider the sequence of H’s:
  • H0(while E do L od,Q) = E0 and Q
  • H1(while E do L od,Q) = E>0 and wp(L, H0(while E do L od,Q))
  • Hi+1(while E do L od,Q) = E>0 and wp(L, Hi(while E do L od,Q))
  • This seems pretty complicated. What should we really do?
partial correctness proofs for loop invariants
Partial Correctness Proofs for Loop Invariants
  • If we have a while loop, while E do L od, and an assertion W satisfying each of the following:
    • W and (E >0)→wp(L,W)
    • W and (E0)→Q
    • P→W

then we can conclude that {P} while E do L od{Q}

  • An assertion W satisfying these conditions is known as a loop invariant. Property 1 above guarantees that the truth of the assertion does not vary when the loop body is executed.
  • Note that the loop termination and the invariant alone must be sufficient to satisfy the postcondition. P can be stronger than the invariant, but that won’t affect the postcondition that is provable in this manner.
choosing a loop invariant
Choosing a Loop Invariant

{n>0}i := n;sum := 0;while i do sum := sum + i; i := i – 1;od{sum = 1 + 2 + ... + n}

ad