1 / 25

Axiomatic Semantics

Axiomatic Semantics. Predicate Transformer s. Motivation. Input. Output. Problem Specification Properties satisfied by the input and expected of the output (usually described using “ assertions ” ). E.g., Sorting problem Input : Sequence of numbers

miette
Download Presentation

Axiomatic Semantics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Axiomatic Semantics Predicate Transformers L18-9WP

  2. Motivation Input Output • Problem Specification • Properties satisfied by the input and expected of the output (usually described using “assertions”). • E.g., Sorting problem • Input : Sequence of numbers • Output: Permutation of input that is ordered. • Program • Transform input to output. L18-9WP

  3. Sorting algorithms • Bubble sort; Shell sort; • Insertion sort; Selection sort; • Merge sort; Quick sort; • Heap sort; • Axiomatic Semantics To show that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states. L18-9WP

  4. Axiomatic Approaches • Hoare’s Proof System (partial correctness) • Dijkstra’s Predicate Transformer (total correctness) Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc. Hoare Triples : {P} S {Q} pre-condition statements post-condition (assertion) (program) (assertion) L18-9WP

  5. Swap Example { x = n and y = m } t := x; x := y; y := t; { x = m and y = n} • program variables vs ghost/logic variables • States : Variables -> Values • Assertions : States -> Boolean (= Powerset of States) L18-9WP

  6. Partial vs Total Correctness {P} S {Q} • S is partiallycorrect for P and Qif and only if whenever S is executed in a state satisfying Pand the execution terminates,then the resulting state satisfies Q. • S is totallycorrect for P and Qif and only if whenever S is executed in a state satisfying P ,then the execution terminates, and the resulting state satisfies Q. L18-9WP

  7. Examples • Totally correct (hence, partially correct) • { false } x := 0; { x = 111 } • { x = 11 } x := 0; { x = 0 } • { x = 0 } x := x + 1; { x = 1 } • {false} while true do; {x = 0} • {y = 0} if x <> y then x:= y; { x = 0 } • Not totally correct, but partially correct • {true} while true do; {x = 0} • Not partially correct • {true} if x < 0 then x:= -x; { x > 0 } L18-9WP

  8. Axioms and Inference Rules • Assignment axiom {Q[e]} x := e; {Q[x]} • Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q} • Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y} {x = y} x:=x+1; y:=y+1; {x = y} L18-9WP

  9. Generating additional valid triples {P} S {Q} from {P’} S {Q’} P’ States States P’ Q P Q’ L18-9WP

  10. Rule of Consequence {P’} S {Q’} and P=>P’and Q’=>Q {P} S {Q} • Strengthening the antecedent • Weakening the consequent • Example {x=0 and y=0} x:=x+1;y:=y+1; {x = y} {x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics[boolean algebra + arithmetic] ) L18-9WP

  11. Predicate Transformers • Assignment wp( x := e , Q ) = Q[x<-e] • Composition wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) • Correctness {P} S {Q} = (P => wp( S , Q)) L18-9WP

  12. Correctness Illustrated P => wp( S , Q) States States Q wp(S,Q) P L18-9WP

  13. Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y} • wp(y:=y+1; , {x = y}) = { x = y+1 } • wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 } • wp(x:=x+1;y:=y+1; , {x = y}) = { x+1 = y+1 } = { x = y } • { x = 0 and y = 0 } => { x = y } L18-9WP

  14. Conditionals { P and B } S1 {Q} {P and not B } S2 {Q} {P} if B then S1 else S2; {Q} wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and (not B => wp(S2,Q)) = (B and wp(S1,Q)) or (not Band wp(S2,Q)) L18-9WP

  15. “Invariant”: Summation Program { s = i * (i + 1) / 2 } i := i + 1; s := s + i; { s = i * (i + 1) / 2 } • Intermediate Assertion ( s and i different) { s + i = i * (i + 1) / 2 } • Weakest Precondition { s+i+1 = (i+1) * (i+1+1) / 2 } L18-9WP

  16. while-loop : Hoare’s Approach {Invand B} S {Inv} {Inv} while B do S {Invand not B} Proof of Correctness {P} while B do S {Q} = P => Invand {Inv} B {Inv} and {Invand B} S {Inv} and {Invandnot B => Q} + Loop Termination argument L18-9WP

  17. {I} while B do S {I and not B} {I and B} S {I} 0 iterations: {I} {I and not B} notB holds 1 iteration: {I} S {I and not B} B holdsnotBholds 2 iterations: {I} S ; S {I and not B} B holds B holdsnotBholds • Infinite loop if B never becomes false. L18-9WP

  18. Example1 : while-loop correctness { n>0 and x=1 and y=1} while (y < n) [ y++; x := x*y;] {x = n!} • Choice of Invariant • {I and not B} => Q • {I and (y >= n)} => (x = n!) • I = {(x = y!) and (n >= y)} • Precondition implies invariant { n>0 and x=1 and y=1} => { 1=1! and n>=1 } L18-9WP

  19. Verify Invariant {I and B} => wp(S,I) wp( y++; x:=x*y; , {x=y! and n>=y}) = { x=y! and n>=y+1 } I and B = { x=y! and n>=y } and { y<n } = { x=y! and n>y } • Termination • Variant : ( n - y ) y : 1 -> 2 -> … -> n (n-y) : (n-1) -> (n-2) -> … -> 0 L18-9WP

  20. Detailed Working wp( y++; x:=x*y; , {x=y! and n>=y}) = wp(y++,{x*y=y! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = {x=y+1-1! and n>=y+1} L18-9WP

  21. GCD-LCM code PRE: (x = n) and (y = m) • u := x; v := y; • while (x <> y) do ASSERT: (** INVARIANT **) • begin • if x > y then x := x - y; u := u + v • else y := y - x; v := v + u • end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2) L18-9WP

  22. while-loop : Dijkstra’s Approach wp( while B do S , Q) = P0 or P1 or … or Pn or … = there existsk >= 0 such that Pk Pi: Set of states causingi-iterations ofwhile-loopbefore halting in a state inQ. P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk) L18-9WP

  23. States States ... wp Q P2 P0 P1 P0 P0 => wp(skip, Q) P0 subset Q P1 => wp(S, P0) L18-9WP

  24. Example2 : while-loop correctness P0 = { y >= n and x = n! } Pk = B and wp(S,Pk-1) P1 = { y<n andy+1>=n and x*(y+1) = n! } Pk = y=n-kand x=(n-k)! Weakest Precondition Assertion: Wp = there existsk >= 0 such that P0 or {y = n-kand x = (n-k)!} Verification : P = n>0 and x=1 and y=1 Fori = n-1: P => Wp L18-9WP

  25. Induction Proof Hypothesis : Pk = {y=n-kand x=(n-k)!} Pk+1 = { B and wp(S,Pk) } = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!) Valid preconditions: • { n = 4 and y = 2 and x = 2 } (k = 2) • { n = 5 and x = 5! and y = 6} (no iteration) L18-9WP

More Related