1 / 25

# Axiomatic Semantics - PowerPoint PPT Presentation

Axiomatic Semantics. Predicate Transformer s. Motivation. Input. Output. Problem Specification Properties satisfied by the input and expected of the output (usually described using “ assertions ” ). E.g., Sorting problem Input : Sequence of numbers

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Axiomatic Semantics' - miette

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Axiomatic Semantics

Predicate Transformers

L18-9WP

Input

Output

• Problem Specification

• Properties satisfied by the input and expected of the output (usually described using “assertions”).

• E.g., Sorting problem

• Input : Sequence of numbers

• Output: Permutation of input that is ordered.

• Program

• Transform input to output.

• L18-9WP

• Sorting algorithms

• Bubble sort; Shell sort;

• Insertion sort; Selection sort;

• Merge sort; Quick sort;

• Heap sort;

• Axiomatic Semantics

To show that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states.

• L18-9WP

• Hoare’s Proof System (partial correctness)

• Dijkstra’s Predicate Transformer (total correctness)

Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc.

Hoare Triples : {P} S {Q}

pre-condition statements post-condition

(assertion) (program) (assertion)

L18-9WP

{ x = n and y = m }

t := x;

x := y;

y := t;

{ x = m and y = n}

• program variables vs ghost/logic variables

• States : Variables -> Values

• Assertions : States -> Boolean

(= Powerset of States)

• L18-9WP

Partial vs Total Correctness

{P} S {Q}

• S is partiallycorrect for P and Qif and only if whenever S is executed in a state satisfying Pand the execution terminates,then the resulting state satisfies Q.

• S is totallycorrect for P and Qif and only if whenever S is executed in a state satisfying P ,then the execution terminates, and the resulting state satisfies Q.

L18-9WP

• Totally correct (hence, partially correct)

• { false } x := 0; { x = 111 }

• { x = 11 } x := 0; { x = 0 }

• { x = 0 } x := x + 1; { x = 1 }

• {false} while true do; {x = 0}

• {y = 0} if x <> y then x:= y; { x = 0 }

• Not totally correct, but partially correct

• {true} while true do; {x = 0}

• Not partially correct

• {true} if x < 0 then x:= -x; { x > 0 }

• L18-9WP

• Assignment axiom

{Q[e]} x := e; {Q[x]}

• Inference Rule for statement composition

{P} S1 {R}

{R} S2 {Q}

{P} S1; S2 {Q}

• Example

{x = y} x := x+1; {x = y+1}

{x = y+1} y := y+1; {x = y}

{x = y} x:=x+1; y:=y+1; {x = y}

L18-9WP

Generating additional valid triples {P} S {Q} from {P’} S {Q’}

P’

States

States

P’

Q

P

Q’

L18-9WP

{P’} S {Q’} and P=>P’and Q’=>Q

{P} S {Q}

• Strengthening the antecedent

• Weakening the consequent

• Example

{x=0 and y=0} x:=x+1;y:=y+1; {x = y}

{x=y} x:=x+1; y:=y+1; {x<=y or x=5}

(+ Facts from elementary mathematics[boolean algebra + arithmetic] )

• L18-9WP

• Assignment

wp( x := e , Q ) = Q[x<-e]

• Composition

wp( S1 ; S2 , Q) =

wp( S1 , wp( S2 , Q ))

• Correctness

{P} S {Q} = (P => wp( S , Q))

L18-9WP

P => wp( S , Q)

States

States

Q

wp(S,Q)

P

L18-9WP

{x=0 and y=0} x:=x+1;y:=y+1; {x = y}

• wp(y:=y+1; , {x = y})

= { x = y+1 }

• wp(x:=x+1; , {x = y+1})

= { x+1 = y+1 }

• wp(x:=x+1;y:=y+1; , {x = y})

= { x+1 = y+1 }

= { x = y }

• { x = 0 and y = 0 } => { x = y }

L18-9WP

{ P and B } S1 {Q}

{P and not B } S2 {Q}

{P} if B then S1 else S2; {Q}

wp(if B then S1 else S2; , Q)

= (B => wp(S1,Q)) and

(not B => wp(S2,Q))

= (B and wp(S1,Q)) or

(not Band wp(S2,Q))

L18-9WP

Invariant”: Summation Program

{ s = i * (i + 1) / 2 }

i := i + 1;

s := s + i;

{ s = i * (i + 1) / 2 }

• Intermediate Assertion ( s and i different)

{ s + i = i * (i + 1) / 2 }

• Weakest Precondition

{ s+i+1 = (i+1) * (i+1+1) / 2 }

L18-9WP

while-loop : Hoare’s Approach

{Invand B} S {Inv}

{Inv} while B do S {Invand not B}

Proof of Correctness

{P} while B do S {Q}

= P => Invand {Inv} B {Inv}

and {Invand B} S {Inv}

and {Invandnot B => Q}

+ Loop Termination argument

L18-9WP

{I} while B do S {I and not B}

{I and B} S {I}

0 iterations: {I} {I and not B}

notB holds

1 iteration: {I} S {I and not B}

B holdsnotBholds

2 iterations: {I} S ; S {I and not B}

B holds B holdsnotBholds

• Infinite loop if B never becomes false.

L18-9WP

Example1 : while-loop correctness

{ n>0 and x=1 and y=1}

while (y < n) [ y++; x := x*y;]

{x = n!}

• Choice of Invariant

• {I and not B} => Q

• {I and (y >= n)} => (x = n!)

• I = {(x = y!) and (n >= y)}

• Precondition implies invariant

{ n>0 and x=1 and y=1} =>

{ 1=1! and n>=1 }

• L18-9WP

• Verify Invariant

{I and B} => wp(S,I)

wp( y++; x:=x*y; , {x=y! and n>=y})

= { x=y! and n>=y+1 }

I and B

= { x=y! and n>=y } and { y<n }

= { x=y! and n>y }

• Termination

• Variant : ( n - y )

y : 1 -> 2 -> … -> n

(n-y) : (n-1) -> (n-2) -> … -> 0

L18-9WP

wp( y++; x:=x*y; , {x=y! and n>=y})

= wp(y++,{x*y=y! and n>=y})

= wp(y++,{x=y-1! and n>=y})

= wp(y++,{x=y-1! and n>=y})

= {x=y+1-1! and n>=y+1}

L18-9WP

PRE: (x = n) and (y = m)

• u := x; v := y;

• while (x <> y) do

ASSERT: (** INVARIANT **)

• begin

• if x > y then x := x - y; u := u + v

• else y := y - x; v := v + u

• end;

POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2)

L18-9WP

while-loop : Dijkstra’s Approach

wp( while B do S , Q)

= P0 or P1 or … or Pn or …

= there existsk >= 0 such that Pk

Pi: Set of states causingi-iterations ofwhile-loopbefore halting in a state inQ.

P0 = not B and Q

P1 = B and wp(S, P0)

Pk+1 = B and wp(S, Pk)

L18-9WP

States

...

wp

Q

P2

P0

P1

P0

P0 => wp(skip, Q)

P0 subset Q

P1 => wp(S, P0)

L18-9WP

Example2 : while-loop correctness

P0 = { y >= n and x = n! }

Pk = B and wp(S,Pk-1)

P1 = { y<n andy+1>=n and x*(y+1) = n! }

Pk = y=n-kand x=(n-k)!

Weakest Precondition Assertion:

Wp = there existsk >= 0 such that

P0 or {y = n-kand x = (n-k)!}

Verification :

P = n>0 and x=1 and y=1

Fori = n-1: P => Wp

L18-9WP

Hypothesis : Pk = {y=n-kand x=(n-k)!}

Pk+1 = { B and wp(S,Pk) }

= y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!)

= y<n and (y = n-k-1) and (x = (n-k-1)!)

= y<n and (y = n- k+1) and (x = (n- k+1)!)

= (y = n - k+1) and (x = (n - k+1)!)

Valid preconditions:

• { n = 4 and y = 2 and x = 2 } (k = 2)

• { n = 5 and x = 5! and y = 6} (no iteration)

L18-9WP