Axiomatic Semantics

Hoare's Correctness Triplets
Dijkstra's Predicate Transformers

Notes: Calculating with programs: reasoning reduced to symbol manipulation. Helps determine precise boundary conditions. Formalizing intuitions.
Other approaches:
- Denotational Semantics: real meaning in terms of functions on N. Equivalence:
  f(x) = f(x) + 1 and f(x) = if f(x) == 1 then 0 else 1 are unsatisfiable (nonsense);
  f(x) = f(x) and f(x) = if f(x) == 1 then 1 else f(x) have multiple solutions (no information).
  McCarthy's 91-function.
- Operational Semantics: abstract interpreter based.

gcd-lcm algorithm w/ invariant

  {PRE: (x = n) and (y = m)}
  u := x; v := y;
  while {INV: 2*m*n = x*v + y*u} (x != y) do
    if x > y then x := x - y; u := u + v
    else y := y - x; v := v + u
    fi
  od
  {POST: (x = gcd(m, n)) and (lcm(m, n) = (u+v) div 2)}

cs784(tk/pm)

Goal of a program = IO Relation
- Problem specification: properties satisfied by the input and expected of the output (usually described using assertions).
- E.g., the sorting problem. Input: a sequence of numbers. Output: a permutation of the input that is ordered.
- View point: all other properties are ignored, e.g., timing behavior and resource consumption.

axiom, n.
1. A self-evident or universally recognized truth; a maxim.
2. An established rule, principle, or law.
3. A self-evident principle or one that is accepted as true without proof as the basis for argument; a postulate.
(From a dictionary)

Axiomatic Semantics
- Capture the semantics of the elements of the PL as axioms.
- Capture the semantics of composition as a rule of inference.
- Apply the standard rules/logic of inference.
- Consider termination separately.

States and Assertions
- States: variables mapped to values.
  - Includes all variables; files etc. are considered global variables.
  - No notion of value-undefined variables.
  - At a given moment in execution.
- An assertion is a logic formula involving program variables, arithmetic/boolean operations, etc.
  - All assertions are attached to a control point.
- Assertions: states mapped to Boolean.
  - Boolean connectives: and, or, not, implies, for-all, there-exists.
  - Special predicates defined just for use in assertions (not for use in the program).

Hoare's Logic
- Hoare triplets: {P} S {Q}
  - P, pre-condition assertion; S, statements of a PL; Q, post-condition assertion.
- If S begins executing in a state satisfying P, upon completion of S, the resulting state satisfies Q.
- {P} S {Q} has no relevance if S is begun otherwise.
- A Hoare triplet is either true or false, never undefined.
  - The entire {P} S {Q} is considered true if the resulting state satisfies Q if and when S terminates.
  - If not, the entire {P} S {Q} is false.

Hoare Triplet Examples
- True triplets:
  - {x = 11} x := 0 {x = 0} (we can give a weaker precondition)
  - {x = 0} x := x + 1 {x = 1}
  - {y = 0} if x != y then x := y fi {x = 0}
  - {false} x := 0 {x = 111} (correct because we cannot begin: no state satisfies false; the post condition can be anything you dream)
  - {true} while true do od {x = 0} (true is the weakest of all predicates; correct because control never reaches the post)
  - {false} while true do od {x = 0} (false is the strongest of all predicates)
- False triplet:
  - {true} if x < 0 then x := -x fi {x > 0}

Notes:
1. False = empty set of states. Precondition unsatisfiable, so Hoare triple trivially valid.
2. Strong precondition.
4. Nontermination.
5. Multipath program: else null statement.
6. Partially correct because the IF-part of the definition is not met, so there are no guarantees from THEN.
7. Modify the precondition to get a valid triple.

Material implication: IF the sun rises in the west THEN there will be snow in July in Mexico City.

Weaker/Stronger
- An assertion R is said to be weaker than assertion P if the truth of P implies the truth of R.
  - Written: P => R; equivalently, not P or R.
- For arbitrary A, B we have: A and B => B.
  - This general idea is from Propositional Calculus.
- n > 0 is of course weaker than n = 1, but this follows from Number Theory.

Weaker/Stronger
(Diagram: the sets of states satisfying P and P', and Q and Q', labelled "P weaker" and "Q stronger".)

Notes: The program transforms a state into another state (a point-to-point map). Assertions characterize a collection of states.

Partial vs Total Correctness
- Are P and S such that termination is guaranteed?
- S is partially correct for P and Q iff whenever the execution terminates, the resulting state satisfies Q.
- S is totally correct for P and Q iff the execution is guaranteed to terminate, and the resulting state satisfies Q.

Notes: Logical implication: IF false THEN (1 = 2) is valid.

Hoare Triplet Examples
- Totally correct (hence, partially correct):
  - {x = 11} x := 0 {x = 0}
  - {x = 0} x := x + 1 {x = 1}
  - {y = 0} if x != y then x := y fi {x = 0}
  - {false} while true do S od {x = 0}
  - {false} x := 0 {x = 111}
- Not totally correct, but partially correct:
  - {true} while true do S od {x = 0}
- Not partially correct:
  - {true} if x < 0 then x := -x fi {x > 0}

Notes:
False = empty set of states. Precondition unsatisfiable, so Hoare triple trivially valid.
1a. Unnecessarily strong precondition.
1d and 2. Nontermination.
3. Multipath program: else null statement.

Assignment Axiom
- {Q(e)} x := e {Q(x)}
  - Q(x) has free occurrences of x.
  - Q(e): every free x in Q replaced with e.
  - Assumption: e has no side effects.
- Caveats:
  - If x is not a whole variable (e.g., a[2]), we need to work harder.
  - The PL is assumed to not facilitate aliasing.

Inference Rules
- Rules are written as
    Hypotheses: H1, H2, H3
    ------------------------------
    Conclusion: C1
- Can also be stated as: H1 and H2 and H3 implies C1.
- Given H1, H2, and H3, we can conclude C1.

Soundness and Completeness
- Soundness is about validity.
- Completeness is about deducibility.
- Ideally in a formal system, we should have both.
  - Gödel's Incompleteness Theorem: cannot have both.
- Inference rules ought to be sound: what we proved/inferred/deduced is valid.
- Examples of unsound rules:
  - A and B and C => not B
  - x > y implies x > y+1 (in the context of numbers)
- All the rules we present from now on are sound.

Rule of Consequence
- Suppose: {P} S {Q}, P' => P, Q => Q'
- Conclude: {P'} S {Q'}
- Replace the precondition by a stronger one, the postcondition by a weaker one.

Statement Composition Rule
    {P} S1 {R}, {R} S2 {Q}
    ------------------------------
    {P} S1; S2 {Q}
Using the Rule of Consequence:
    {P} S1 {R1}, R1 => R2, {R2} S2 {Q}
    ------------------------------
    {P} S1; S2 {Q}

Notes: Reasoning turned into symbol manipulation: substitution. Confusing with constructs such as: {??} x == x++ * 5 {x = y}.

if-then-else-fi Hoare's Triplets
    {P and B} S1 {Q}, {P and not B} S2 {Q}
    ------------------------------
    {P} if B then S1 else S2 fi {Q}
- We assumed that B is side-effect free: execution of B does not alter the state.

Invariants
- An invariant is an assertion whose truth-value does not change.
- Recall: all assertions are attached to a control point.
- An example: x > y.
  - The values of x and y may or may not change each time control reaches that point.
  - But suppose the > relationship remains true.
  - Then x > y is an invariant.

Notes: Focus on what is essential for the problem at hand rather than the weakest condition. Invariant = truth preserved.

Loop Invariants
- Semantics of the while-loop:
    {I and B} S {I}
    ------------------------------
    {I} while B do S od {I and not B}
- Termination of the while-loop is not included in the above.
- We assumed that B is side-effect free.

Data Invariants
- Well-defined OOP classes.
- Public methods ought to have pre- and post-conditions defined.
- There is a common portion across all public methods.
- That common portion is known as the data invariant of the class.

while-loop: Hoare's Approach
- Wish to prove: {P} while B do S od {Q}
  - Given: P, B, S and Q.
  - Not given: a loop invariant I.
  - The I is expected to be true just before testing B.
- To prove {P} while B do S od {Q}, discover a strong enough loop invariant I so that
  - P => I
  - {I and B} S {I}
  - I and not B => Q
- We used the Rule of Consequence twice.

A while-loop example

  {n > 0 and x = 1 and y = 1}
  while (n > y) do
    y := y + 1; x := x*y
  od
  {x = n!}

Notes: Choosing the invariant requires insight and is goal driven. The invariant must hold in the loop, so it cannot be (n = y) or (x = n!) etc.

n > 0 implies n >= 1 because n is of type natural-number.

while-loop: Choose the Invariant
- The invariant I should be such that I and not B => Q:
  - I and not (n > y) => (x = n!)
- Choose (n >= y and x = y!) as our I.
- Precondition => Invariant:
  - n > 0 and x = 1 and y = 1 => n >= 1 and 1 = 1!

while-loop: Verify the Invariant
- I === n >= y and x = y!
- Verify: {I and n > y} y := y + 1; x := x*y {I}
  - {I and n > y} y := y + 1 {n >= y and x*y = y!}
  - {I and n > y} y := y + 1 {n >= y and x = (y-1)!}
  - (I and n > y) => (n >= y+1 and x = (y+1-1)!)
  - (I and n > y) => (n > y and x = y!)
  - (n >= y and x = y! and n > y) => (n > y and x = y!)
  - QED

Notes: Hoare's triplets, but also using wp().

while-loop: I and not B => Q
- I === n >= y and x = y!
- n >= y and