Axiomatic semantics
This presentation is the property of its rightful owner.
Sponsored Links
1 / 25

Axiomatic Semantics PowerPoint PPT Presentation


  • 71 Views
  • Uploaded on
  • Presentation posted in: General

Axiomatic Semantics. Predicate Transformer s. Motivation. Input. Output. Problem Specification Properties satisfied by the input and expected of the output (usually described using “ assertions ” ). E.g., Sorting problem Input : Sequence of numbers

Download Presentation

Axiomatic Semantics

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Axiomatic semantics

Axiomatic Semantics

Predicate Transformers

L18-9WP


Motivation

Motivation

Input

Output

  • Problem Specification

    • Properties satisfied by the input and expected of the output (usually described using “assertions”).

    • E.g., Sorting problem

      • Input : Sequence of numbers

      • Output: Permutation of input that is ordered.

  • Program

    • Transform input to output.

  • L18-9WP


    Axiomatic semantics

    • Sorting algorithms

      • Bubble sort; Shell sort;

      • Insertion sort; Selection sort;

      • Merge sort; Quick sort;

      • Heap sort;

  • Axiomatic Semantics

    To show that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states.

  • L18-9WP


    Axiomatic approaches

    Axiomatic Approaches

    • Hoare’s Proof System (partial correctness)

    • Dijkstra’s Predicate Transformer (total correctness)

      Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc.

      Hoare Triples : {P} S {Q}

      pre-condition statements post-condition

      (assertion) (program) (assertion)

    L18-9WP


    Swap example

    Swap Example

    { x = n and y = m }

    t := x;

    x := y;

    y := t;

    { x = m and y = n}

    • program variables vs ghost/logic variables

  • States : Variables -> Values

  • Assertions : States -> Boolean

    (= Powerset of States)

  • L18-9WP


    Partial vs total correctness

    Partial vs Total Correctness

    {P} S {Q}

    • S is partiallycorrect for P and Qif and only if whenever S is executed in a state satisfying Pand the execution terminates,then the resulting state satisfies Q.

    • S is totallycorrect for P and Qif and only if whenever S is executed in a state satisfying P ,then the execution terminates, and the resulting state satisfies Q.

    L18-9WP


    Examples

    Examples

    • Totally correct (hence, partially correct)

      • { false } x := 0; { x = 111 }

      • { x = 11 } x := 0; { x = 0 }

      • { x = 0 } x := x + 1; { x = 1 }

      • {false} while true do; {x = 0}

      • {y = 0} if x <> y then x:= y; { x = 0 }

  • Not totally correct, but partially correct

    • {true} while true do; {x = 0}

  • Not partially correct

    • {true} if x < 0 then x:= -x; { x > 0 }

  • L18-9WP


    Axioms and inference rules

    Axioms and Inference Rules

    • Assignment axiom

      {Q[e]} x := e; {Q[x]}

    • Inference Rule for statement composition

      {P} S1 {R}

      {R} S2 {Q}

      {P} S1; S2 {Q}

    • Example

      {x = y} x := x+1; {x = y+1}

      {x = y+1} y := y+1; {x = y}

      {x = y} x:=x+1; y:=y+1; {x = y}

    L18-9WP


    Generating additional valid triples p s q from p s q

    Generating additional valid triples {P} S {Q} from {P’} S {Q’}

    P’

    States

    States

    P’

    Q

    P

    Q’

    L18-9WP


    Rule of consequence

    Rule of Consequence

    {P’} S {Q’} and P=>P’and Q’=>Q

    {P} S {Q}

    • Strengthening the antecedent

    • Weakening the consequent

  • Example

    {x=0 and y=0} x:=x+1;y:=y+1; {x = y}

    {x=y} x:=x+1; y:=y+1; {x<=y or x=5}

    (+ Facts from elementary mathematics[boolean algebra + arithmetic] )

  • L18-9WP


    Predicate transformers

    Predicate Transformers

    • Assignment

      wp( x := e , Q ) = Q[x<-e]

    • Composition

      wp( S1 ; S2 , Q) =

      wp( S1 , wp( S2 , Q ))

    • Correctness

      {P} S {Q} = (P => wp( S , Q))

    L18-9WP


    Correctness illustrated

    Correctness Illustrated

    P => wp( S , Q)

    States

    States

    Q

    wp(S,Q)

    P

    L18-9WP


    Correctness proof

    Correctness Proof

    {x=0 and y=0} x:=x+1;y:=y+1; {x = y}

    • wp(y:=y+1; , {x = y})

      = { x = y+1 }

    • wp(x:=x+1; , {x = y+1})

      = { x+1 = y+1 }

    • wp(x:=x+1;y:=y+1; , {x = y})

      = { x+1 = y+1 }

      = { x = y }

    • { x = 0 and y = 0 } => { x = y }

    L18-9WP


    Conditionals

    Conditionals

    { P and B } S1 {Q}

    {P and not B } S2 {Q}

    {P} if B then S1 else S2; {Q}

    wp(if B then S1 else S2; , Q)

    = (B => wp(S1,Q)) and

    (not B => wp(S2,Q))

    = (B and wp(S1,Q)) or

    (not Band wp(S2,Q))

    L18-9WP


    Invariant summation program

    “Invariant”: Summation Program

    { s = i * (i + 1) / 2 }

    i := i + 1;

    s := s + i;

    { s = i * (i + 1) / 2 }

    • Intermediate Assertion ( s and i different)

      { s + i = i * (i + 1) / 2 }

    • Weakest Precondition

      { s+i+1 = (i+1) * (i+1+1) / 2 }

    L18-9WP


    While loop hoare s approach

    while-loop : Hoare’s Approach

    {Invand B} S {Inv}

    {Inv} while B do S {Invand not B}

    Proof of Correctness

    {P} while B do S {Q}

    = P => Invand {Inv} B {Inv}

    and {Invand B} S {Inv}

    and {Invandnot B => Q}

    + Loop Termination argument

    L18-9WP


    I while b do s i and not b

    {I} while B do S {I and not B}

    {I and B} S {I}

    0 iterations: {I} {I and not B}

    notB holds

    1 iteration: {I} S {I and not B}

    B holdsnotBholds

    2 iterations: {I} S ; S {I and not B}

    B holds B holdsnotBholds

    • Infinite loop if B never becomes false.

    L18-9WP


    Example1 while loop correctness

    Example1 : while-loop correctness

    { n>0 and x=1 and y=1}

    while (y < n) [ y++; x := x*y;]

    {x = n!}

    • Choice of Invariant

      • {I and not B} => Q

      • {I and (y >= n)} => (x = n!)

      • I = {(x = y!) and (n >= y)}

  • Precondition implies invariant

    { n>0 and x=1 and y=1} =>

    { 1=1! and n>=1 }

  • L18-9WP


    Axiomatic semantics

    • Verify Invariant

      {I and B} => wp(S,I)

      wp( y++; x:=x*y; , {x=y! and n>=y})

      = { x=y! and n>=y+1 }

      I and B

      = { x=y! and n>=y } and { y<n }

      = { x=y! and n>y }

    • Termination

      • Variant : ( n - y )

        y : 1 -> 2 -> … -> n

        (n-y) : (n-1) -> (n-2) -> … -> 0

    L18-9WP


    Detailed working

    Detailed Working

    wp( y++; x:=x*y; , {x=y! and n>=y})

    = wp(y++,{x*y=y! and n>=y})

    = wp(y++,{x=y-1! and n>=y})

    = wp(y++,{x=y-1! and n>=y})

    = {x=y+1-1! and n>=y+1}

    L18-9WP


    Gcd lcm code

    GCD-LCM code

    PRE: (x = n) and (y = m)

    • u := x; v := y;

    • while (x <> y) do

      ASSERT: (** INVARIANT **)

    • begin

    • if x > y then x := x - y; u := u + v

    • else y := y - x; v := v + u

    • end;

      POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2)

    L18-9WP


    While loop dijkstra s approach

    while-loop : Dijkstra’s Approach

    wp( while B do S , Q)

    = P0 or P1 or … or Pn or …

    = there existsk >= 0 such that Pk

    Pi: Set of states causingi-iterations ofwhile-loopbefore halting in a state inQ.

    P0 = not B and Q

    P1 = B and wp(S, P0)

    Pk+1 = B and wp(S, Pk)

    L18-9WP


    Axiomatic semantics

    States

    States

    ...

    wp

    Q

    P2

    P0

    P1

    P0

    P0 => wp(skip, Q)

    P0 subset Q

    P1 => wp(S, P0)

    L18-9WP


    Example2 while loop correctness

    Example2 : while-loop correctness

    P0 = { y >= n and x = n! }

    Pk = B and wp(S,Pk-1)

    P1 = { y<n andy+1>=n and x*(y+1) = n! }

    Pk = y=n-kand x=(n-k)!

    Weakest Precondition Assertion:

    Wp = there existsk >= 0 such that

    P0 or {y = n-kand x = (n-k)!}

    Verification :

    P = n>0 and x=1 and y=1

    Fori = n-1: P => Wp

    L18-9WP


    Induction proof

    Induction Proof

    Hypothesis : Pk = {y=n-kand x=(n-k)!}

    Pk+1 = { B and wp(S,Pk) }

    = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!)

    = y<n and (y = n-k-1) and (x = (n-k-1)!)

    = y<n and (y = n- k+1) and (x = (n- k+1)!)

    = (y = n - k+1) and (x = (n - k+1)!)

    Valid preconditions:

    • { n = 4 and y = 2 and x = 2 } (k = 2)

    • { n = 5 and x = 5! and y = 6} (no iteration)

    L18-9WP


  • Login