Cs7100(Prasad)L18-9WP1 Axiomatic Semantics Predicate Transformers

cs7100(Prasad) L18-9WP 1

Axiomatic Semantics

Predicate Transformers


Motivation

• Problem Specification• Properties satisfied by the input and expected of the

output (usually described using “assertions”).• E.g., Sorting problem

– Input : Sequence of numbers– Output: Permutation of input that is ordered.

• Program• Transform input to output.

Input Output


• Sorting algorithms» Bubble sort; Shell sort;» Insertion sort; Selection sort;» Merge sort; Quick sort;» Heap sort;

• Axiomatic Semantics To show that a program satisfies its

specification, it is convenient to have a description of the language constructs in terms of assertions characterizing the input and the corresponding output states.


p q :tionContraposiq p :nImplicatio

q thenp ifp ifonly q

p.for necessary is q q.for sufficient is p


q p hold.not does q and holds p: thatcase not the isIt

q

p


Axiomatic Approaches• Hoare’s Proof System (partial correctness)• Dijkstra’s Predicate Transformer (total correctness)

Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc.

Hoare Triples : {P} S {Q}

pre-condition statements post-condition (assertion) (program) (assertion)


Swap Example{ x = n and y = m } t := x; x := y; y := t;{ x = m and y = n }

– program variables vs ghost/logic variables

• States : Variables Values• Assertions : States Boolean (= Powerset of States)


Partial vs Total Correctness{P} S {Q}

• S is partiallypartially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q.

• S is totallytotally correct for P and Q if and only if whenever S is executed in a state satisfying P , then the execution terminates, and the resulting state satisfies Q.


Examples• Totally correct (hence, partially correct)

•{ false } x := 0; { x = 111 }•{ x = 11 } x := 0; { x = 0 }•{ x = 0 } x := x + 1; { x = 1 }•{false} while true do; {x = 0}• {y = 0} if x <> y then x:= y; { x = 0 }

• Not totally correct, but partially correct•{true} while true do; {x = 0}

• Not partially correct• {true} if x < 0 then x:= -x; { x > 0 }


Axioms and Inference Rules• Assignment axiom {Q[e]} x := e; {Q[x]}• Inference Rule for statement composition

{P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q}

• Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y}{x = y} x:=x+1; y:=y+1; {x = y}


Generating additional valid triples {P} S {Q} from {P’} S {Q’}

P’

States States

P’

P Q’

Q


Rule of Consequence

{P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q}

– Strengthening the antecedent – Weakening the consequent

• Example{x=0 and y=0} x:=x+1;y:=y+1; {x = y}{x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics [boolean algebra + arithmetic] )


Predicate Transformers

• Assignment wp( x := e , Q ) = Q[x<-e]• Composition wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) • Correctness {P} S {Q} = (P => wp( S , Q))


Correctness Illustrated

States States

QQPP

wp(S,Q)wp(S,Q)

P => wp( S , Q)P => wp( S , Q)


Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y}

• wp(y:=y+1; , {x = y}) = { x = y+1 }• wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 }• wp(x:=x+1;y:=y+1; , {x = y}) = { x+1 = y+1 } = { x = y }• { x = 0 and y = 0 } => { x = y }


Conditionals { P and B } S1 {Q} {P and not B } S2 {Q}{P} if B then S1 else S2; {Q}

wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and

(not B => wp(S2,Q)) = (B and wp(S1,Q)) or

(not B and wp(S2,Q))


“Debugging” Program{true} if x < 0 then x:= -x; { x > 0 }

{x < 0} x:= -x; { x > 0 }{x >= 0} ; { x > 0 }

(x < 0) => (-x > 0)Because (x < 0) (0 < -x)

(x >= 0) => (x > 0)

(x = 0) => (x > 0)


“Invariant”: Summation Program

{ s = i * (i + 1) / 2 } i := i + 1; s := s + i; { s = i * (i + 1) / 2 }

• Intermediate Assertion ( s and i different){ s + i = i * (i + 1) / 2 }

• Weakest Precondition{ s+i+1 = (i+1) * (i+1+1) / 2 }


while-loop : Hoare’s Approach

{Inv and B} S {Inv}{Inv} while B do S {Inv and not B}

Proof of Correctness {P} while B do S {Q}= P => Inv andand {Inv} B {Inv} andand {Inv and B} S {Inv} andand {Inv and not B => Q}

+ Loop Termination argument


{I and B} S {I}

0 iterations: {I} {I and not B} not B holds

1 iteration: {I} S {I and not B} B holds not B holds

2 iterations: {I} S ; S {I and not B} B holds B holds not B holds

• Infinite loop if B never becomes false.

{I} while B do S {I and not B}


Example1 : while-loop correctness { n>0 and x=1 and y=1}while (y < n) [ y++; x := x*y;] {x = n!}

• Choice of Invariant•{I and not B} => Q•{I and (y >= n)} => (x = n!)•I = {(x = y!) and (n >= y)}

• Precondition implies invariant{ n>0 and x=1 and y=1} => { 1=1! and n>=1 }


• Verify Invariant {I and B} => wp(S,I)wp( y++; x:=x*y; , {x=y! and n>=y})= { x=y! and n>=y+1 }I and B = { x=y! and n>=y } and { y<n }= { x=y! and n>y }

• Termination• VariantVariant : ( n - y ) y : 1 -> 2 -> … -> n(n-y) : (n-1) -> (n-2) -> … -> 0


Detailed Working

wp( y++; x:=x*y; , {x=y! and n>=y})= wp(y++,{x*y=y! and n>=y})= wp(y++,{x=y-1! and n>=y})= {x=y+1-1! and n>=y+1}= {x=y! and n>y}


GCD/HCF codePRE: (x = n) and (y = m) • while (x <> y) doASSERT: (** INVARIANT **) • begin • if x > y then x := x - y; • else y := y - x; • end;POST: (x = gcd(n,m))


GCD-LCM codePRE: (x = n) and (y = m) • u := x; v := y;• while (x <> y) doASSERT: (** INVARIANT **) • begin • if x > y then x := x - y; u := u + v• else y := y - x; v := v + u• end;POST: (x = gcd(n,m))

and (lcm (n,m) = (u+v) div 2)


while-loop : Dijkstra’s Approach wp( while B do S , Q) = P0 or P1 or … or Pn or … = there exists k >= 0 such that Pk Pi : Set of states causing i-iterations of while-loop before halting in a state in Q.

P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk)


...

P0P0

P1P1

P2P2

States

Q

States

wpwp

P0 => wp(skip, Q)

P0 subsetsubset Q

P1 => wp(S, P0)

P0P0


Example2 : while-loop correctnessP0 = { y >= n and x = n! }Pk = B and wp(S,Pk-1)P1 = { y<n and y+1>=n and x*(y+1) = n! }

Pk = y=n-k and x=(n-k)!Weakest Precondition Assertion:Wp = there exists k >= 0 such that P0 or {y = n-k and x = (n-k)!}Verification : P = n>0 and x=1 and y=1 For i = n-1: P => Wp


Induction ProofHypothesis : Pk = {y=n-k and x=(n-k)!}

Pk+1 = { B and wp(S,Pk) }= y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!)

Valid preconditions:– { n = 4 and y = 2 and x = 2 } (k = 2)– { n = 5 and x = 5! and y = 6} (no iteration)

Documents

Cs7100(Prasad)L18-9WP1 Axiomatic Semantics Predicate Transformers