Axiomatic semantics
Download
1 / 9

Some slides - PowerPoint PPT Presentation


  • 321 Views
  • Uploaded on

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Some slides' - bernad


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Axiomatic semantics l.jpg
Axiomatic Semantics

  • The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer.

  • In this setting, we are interested in assertions about program state (in particular values of program variables). Each such assertion can be couched as what’s known as a Hoare triple (after C.A.R. Hoare) {P}S{Q}which is interpreted as follows:Assertion Q will hold in the state yielded immediately upon termination of statement S when executed in state satisfying assertion P.

  • By way of example, consider the following: { x = A } x := x + 1 { x = A + 1}

  • Hoare triples are typically used to express partial correctness of a program, however, one can use them to specify the conditions under which a program will terminate.


Weakest preconditions l.jpg
Weakest Preconditions

  • To adequately describe the semantics of a programming language construct C, we can’t just manufacture a few true Hoare triples, we must have some plan for describing exactly what we want to say about a program’s behavior.

  • An assertion R is said to be weaker than assertion P if the truth of P implies the truth of R, written P→R (equivalently R or not(P)). Example: x >0 is weaker than x = 3.

  • The program proving game is played as follows:

    • We know what program construct C we are using.

    • We know what assertion Q we want to be true after C terminates.

    • We use the proof system to find out what absolutely must be true before executing C and nothing more, that is we find the weakest precondition of C that will yield Q, wp(C,Q).

      Then we know that if we execute C in any state P such that P→wp(C,Q), then Q will be true when C terminates.


General properties of wp not specific to any language l.jpg
General Properties of wp(not specific to any language)

  • Law of the Excluded Miraclewp(C,false) = falseNote that if false is true, we can prove anything!

  • Distributivity of Conjunctionwp(C,P and Q) = wp(C,P) and wp(C,Q)

  • Law of Monotonicity if Q→R then wp(C,Q)→wp(C,R)

  • Distributivity of Disjunctionwp(C,P) or wp(C,Q) → wp(C,P or Q)


Wp properties specific to our simple language l.jpg
wp Properties Specific to our Simple Language

  • We make a huge leap of faith assuming that all of us already understand some underlying logic that captures all interesting properties of expressions, and note that true assertions P→Q from this logic can be used in our proofs.

  • Statement Listswp(L1;L2,Q) = wp(L1,wp(L2,Q))This says weakest preconditions propagate backwards through statement sequences.

  • Assignment Statementswp(I:=E,Q) = Q[E/I]

  • The substitution Q[E/I] involves substituting the expression E for each free occurrence of I in Q. An occurrence of a variable is said to be bound in an assertion if it is the argument of an existential () or universal () quantifier. An occurrence is free if it is not bound. Consider Q[1/j] when Q has the following two values:

    • Q = (for all i, a[i] = a[j])

    • Q = (for all j, a[i] = a[j])

  • Now consider applying this:wp(x := x + 1, x = A) = (x = A)[(x + 1)/x] = (x + 1 = A) = (x = A – 1)


If statements l.jpg
If statements

  • If Statementswp(if E then L1 else L2 fi,Q) = (E >0→wp(L1,Q)) and (E0→wp(L2,Q))

  • Consider applying this in Louden’s example:wp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→wp(x := 1,x=1)) and (x0→wp(x := -1,x=1)) = (x>0→1=1) and (x0→-1=1)

  • Note (x>0→1=1) = (1=1 or not(x>0)) = true

  • Note (x0→-1=1) = (-1=1 or not(x0)) = not(x0) = x>0

  • Thuswp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→1=1) and (x0→-1=1) = true and x>0 = x>0


While statements l.jpg
While Statements

  • To precisely define the weakest precondition of a while loop is difficult, we must define it inductively on the number of times the loop may be executed. Thus we have a sequence of assertions Hi(while E do L od,Q) each capturing the weakest preconditions satisfying that the loop executes i times and terminates in a state satisfying Q. Consider the sequence of H’s:

  • H0(while E do L od,Q) = E0 and Q

  • H1(while E do L od,Q) = E>0 and wp(L, H0(while E do L od,Q))

  • Hi+1(while E do L od,Q) = E>0 and wp(L, Hi(while E do L od,Q))

  • This seems pretty complicated. What should we really do?


Slide7 l.jpg

{x = X and y = Y}t := x;x := y;y := t;{x = Y and y = X}


Partial correctness proofs for loop invariants l.jpg
Partial Correctness Proofs for Loop Invariants

  • If we have a while loop, while E do L od, and an assertion W satisfying each of the following:

    • W and (E >0)→wp(L,W)

    • W and (E0)→Q

    • P→W

      then we can conclude that {P} while E do L od{Q}

  • An assertion W satisfying these conditions is known as a loop invariant. Property 1 above guarantees that the truth of the assertion does not vary when the loop body is executed.

  • Note that the loop termination and the invariant alone must be sufficient to satisfy the postcondition. P can be stronger than the invariant, but that won’t affect the postcondition that is provable in this manner.


Choosing a loop invariant l.jpg
Choosing a Loop Invariant

{n>0}i := n;sum := 0;while i do sum := sum + i; i := i – 1;od{sum = 1 + 2 + ... + n}


ad