Axiomatic Semantics

ceg860(Prasad) Lwp 1

Axiomatic Semantics

Predicate Transformers


Motivation

• Problem Specification• Properties satisfied by the input and expected of the

output (usually described using “assertions”).

• E.g., Sorting problem– Input : Sequence of numbers

– Output: Permutation of input that is ordered.

• Program• Transform input to output.

Input Output


• Sorting algorithms» Bubble sort; Shell sort;

» Insertion sort; Selection sort;

» Merge sort; Quick sort;

» Heap sort;

• Axiomatic Semantics To facilitate proving that a program satisfies its

specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states.


Axiomatic Approaches• Hoare’s Proof System (partial correctness)

• Dijkstra’s Predicate Transformer (total correctness)

Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc.

Hoare Triples : {P} S {Q}

pre-condition statements post-condition

(assertion) (program) (assertion)


Swap Example{ x = n and y = m } t := x; x := y; y := t;{ x = m and y = n }

– program variables vs ghost/logic variables

• States : Variables Values

• Assertions : States Boolean

(= Powerset of States)


Partial vs Total Correctness{P} S {Q}

• S is partiallypartially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q.

• S is totallytotally correct for P and Q if and only if whenever S is executed in a state satisfying P , then the execution terminates, and the resulting state satisfies Q.


Examples• Totally correct (hence, partially correct)

•{ false } x := 0; { x = 111 }•{ x = 11 } x := 0; { x = 0 }•{ x = 0 } x := x + 1; { x = 1 }•{false} while true do; {x = 0}• {y = 0} if x <> y then x:= y; { x = 0 }

• Not totally correct, but partially correct•{true} while true do; {x = 0}

• Not partially correct• {true} if x < 0 then x:= -x; { x > 0 }


Axioms and Inference Rules• Assignment axiom

{Q[e]} x := e; {Q[x]}

• Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q}

• Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y}{x = y} x:=x+1; y:=y+1; {x = y}


Generating additional valid triples {P} S {Q} from {P’} S {Q’}

P’

States States

P’

P Q’

Q


Rule of Consequence

{P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q}

– Strengthening the antecedent – Weakening the consequent

• Example{x=0 and y=0} x:=x+1;y:=y+1; {x = y}{x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics [boolean algebra + arithmetic] )


Predicate Transformers

• Assignment

wp( x := e , Q ) = Q[x<-e]• Composition

wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) • Correctness

{P} S {Q} = (P => wp( S , Q))


Correctness Illustrated

States States

QQPP

wp(S,Q)wp(S,Q)

P => wp( S , Q)P => wp( S , Q)


Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y}

• wp(y:=y+1; , {x = y}) = { x = y+1 }• wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 }• wp(x:=x+1;y:=y+1; , {x = y}) = { x+1 = y+1 } = { x = y }• { x = 0 and y = 0 } => { x = y }


Conditionals { P and B } S1 {Q}

{P and not B } S2 {Q}{P} if B then S1 else S2; {Q}

wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and

(not B => wp(S2,Q))

= (B and wp(S1,Q)) or

(not B and wp(S2,Q))


“Invariant”: Summation Program

{ s = i * (i + 1) / 2 } i := i + 1; s := s + i; { s = i * (i + 1) / 2 }

• Intermediate Assertion ( s and i different){ s + i = i * (i + 1) / 2 }

• Weakest Precondition{ s+i+1 = (i+1) * (i+1+1) / 2 }


while-loop : Hoare’s Approach {Inv and B} S {Inv}{Inv} while B do S {Inv and not B}

Proof of Correctness {P} while B do S {Q}= P => Inv andand {Inv} B {Inv} andand {Inv and B} S {Inv} andand {Inv and not B => Q}

+ Loop Termination argument


{I} while B do S {I and not B}

{I and B} S {I}

0 iterations: {I} {I and not B} ^not B holds

1 iteration: {I} S {I and not B} ^B holds ^ not B holds

2 iterations: {I} S ; S {I and not B} ^B holds ^B holds ^ not B holds

• Infinite loop if B never becomes false.


Example1 : while-loop correctness { n>0 and x=1 and y=1}while (y < n) [ y++; x := x*y;] {x = n!}

• Choice of Invariant•{I and not B} => Q•{I and (y >= n)} => (x = n!)•I = {(x = y!) and (n >= y)}

• Precondition implies invariant{ n>0 and x=1 and y=1} => { 1=1! and n>=1 }


• Verify Invariant {I and B} => wp(S,I)wp( y++; x:=x*y; , {x=y! and n>=y})= { x=y! and n>=y+1 }I and B = { x=y! and n>=y } and { y<n }= { x=y! and n>y }

• Termination• VariantVariant : ( n - y ) y : 1 -> 2 -> … -> n(n-y) : (n-1) -> (n-2) -> … -> 0


while-loop : Dijkstra’s Approach

wp( while B do S , Q)

= P0 or P1 or … or Pn or …

= there exists k >= 0 such that Pk

Pi : Set of states causing i-iterations of while-loop before halting in a state in Q.

P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk)


...

P0P0

P1P1

P2P2

States

Q

States

wpwp

P0 => wp(skip, Q)

P0 subsetsubset Q

P1 => wp(S, P0)

P0P0


Example2 : while-loop correctnessP0 = { y >= n and x = n! }Pk = B and wp(S,Pk-1)P1 = { y<n and y+1>=n and x*(y+1) = n! }

Pk = y=n-k and x=(n-k)!Weakest Precondition Assertion:

Wp = there exists k >= 0 such that P0 or {y = n-k and x = (n-k)!}Verification :

P = n>0 and x=1 and y=1 For i = n-1: P => Wp


Induction ProofHypothesis : Pk = {y=n-k and x=(n-k)!}

Pk+1 = { B and wp(S,Pk) }

= y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!)

= y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!)

Valid preconditions:– { n = 4 and y = 2 and x = 2 } (k = 2)– { n = 5 and x = 5! And y = 6} (no iteration)

Documents

Axiomatic Semantics