Axiomatic Semantics - PowerPoint PPT Presentation

Title: Axiomatic Semantics

Description: Predicate Transformers. ceg860 (Prasad) Lwp.
Slides: 24
Provided by: csWr
Learn more at: http://cecs.wright.edu

Transcript and Presenter's Notes


1
Axiomatic Semantics
  • Predicate Transformers

2
Motivation
  (Figure labels: Input, Output)
  • Problem Specification
  • Properties satisfied by the input and expected of
    the output (usually described using assertions).
  • E.g., Sorting problem
  • Input: Sequence of numbers
  • Output: Permutation of the input that is ordered.
  • Program
  • Transform input to output.

3
  • Sorting algorithms
  • Bubble sort, Shell sort, Insertion sort, Selection sort,
    Merge sort, Quick sort, Heap sort
  • Axiomatic Semantics
  • To facilitate proving that a program satisfies
    its specification, it is convenient to have the
    description of the language constructs in terms
    of assertions characterizing the input and the
    corresponding output states.

4
Axiomatic Approaches
  • Hoare's Proof System (partial correctness)
  • Dijkstra's Predicate Transformer (total correctness)
  • Assertion: Logic formula involving program variables,
    arithmetic/boolean operations, etc.
  • Hoare Triples: {P} S {Q}
  • P: pre-condition (assertion)
    S: statements (program)
    Q: post-condition (assertion)

5
Swap Example
  • {x = n and y = m}
  • t := x;
  • x := y;
  • y := t
  • {x = m and y = n}
  • program variables (x, y, t) vs ghost/logic variables (n, m:
    they name the initial values and never occur in the program)
  • States: Variables -> Values
  • Assertions: States -> Boolean (= Powerset of States)

6
Partial vs Total Correctness
  • {P} S {Q}
  • S is partially correct for P and Q if and
    only if whenever S is executed in a state
    satisfying P and the execution terminates,
    then the resulting state satisfies Q.
  • S is totally correct for P and Q if and only
    if whenever S is executed in a state satisfying
    P, then the execution terminates, and the
    resulting state satisfies Q.

7
Examples
  • Totally correct (hence, partially correct)
  • {false} x := 0 {x = 111}
  • {x = 11} x := 0 {x = 0}
  • {x = 0} x := x+1 {x = 1}
  • {false} while true do x := 0 {Q}   (vacuously, for any Q: no state satisfies false)
  • {y = 0} if x <> y then x := y {x = 0}
  • Not totally correct, but partially correct
  • {true} while true do x := 0 {Q}   (for any Q: the loop never terminates)
  • Not partially correct
  • {true} if x < 0 then x := -x {x > 0}   (counterexample: x = 0 terminates with x = 0)

8
Axioms and Inference Rules
  • Assignment axiom
  • {Q[x <- e]} x := e {Q}
  • Inference Rule for statement composition
  • {P} S1 {R}  and  {R} S2 {Q}
  • ---------------------------
  • {P} S1; S2 {Q}
  • Example
  • {x = y} x := x+1 {x = y+1}
  • {x = y+1} y := y+1 {x = y}
  • ---------------------------------------
  • {x = y} x := x+1; y := y+1 {x = y}

9
Generating additional valid triples {P'} S {Q'}
from {P} S {Q}
  (Figure: two state-space diagrams, labelled States, P, P'
   and States, Q, Q'.)
10
Rule of Consequence
  • {P} S {Q}  and  P' => P  and  Q => Q'
  • -------------------------------------
  • {P'} S {Q'}
  • Strengthening the antecedent (P' => P)
  • Weakening the consequent (Q => Q')
  • Example (both obtained from {x = y} x := x+1; y := y+1 {x = y} of slide 8)
  • {x = 0 and y = 0} x := x+1; y := y+1 {x = y}
  • {x = y} x := x+1; y := y+1 {x <= y or x = 5}
  • (The side conditions, x = 0 and y = 0 => x = y and
    x = y => x <= y or x = 5, are facts from elementary mathematics:
    boolean algebra, arithmetic.)

11
Predicate Transformers
  • wp(S, Q): the weakest precondition of S for Q, i.e. the
    set of all states from which S terminates in a state satisfying Q
  • Assignment
  • wp( x := e , Q ) = Q[x <- e]
  • Composition
  • wp( S1; S2 , Q ) = wp( S1 , wp( S2 , Q ) )
  • Correctness
  • {P} S {Q} = (P => wp( S , Q ))

12
Correctness Illustrated
P => wp( S , Q )
  (Figure: two state-space diagrams; P is drawn as a subset of
   wp(S,Q) in the first, and S maps wp(S,Q) into Q in the second.)
13
Correctness Proof
  • {x = 0 and y = 0} x := x+1; y := y+1 {x = y}
  • wp( y := y+1 , x = y )
      = ( x = y+1 )
  • wp( x := x+1 , x = y+1 )
      = ( x+1 = y+1 )
  • wp( x := x+1; y := y+1 , x = y )
      = wp( x := x+1 , wp( y := y+1 , x = y ) )
      = ( x+1 = y+1 )
      = ( x = y )
  • x = 0 and y = 0 => x = y

14
Conditionals
  • {P and B} S1 {Q}  and  {P and not B} S2 {Q}
  • ------------------------------------------
  • {P} if B then S1 else S2 {Q}
  • wp( if B then S1 else S2 , Q )
      = (B => wp(S1,Q)) and (not B => wp(S2,Q))
      = (B and wp(S1,Q)) or (not B and wp(S2,Q))

15
Invariant: Summation Program
  • {s = i(i+1)/2}
  • i := i+1;
  • s := s+i
  • {s = i(i+1)/2}
  • Intermediate Assertion (relates s and i differently)
  • {s = i(i+1)/2} i := i+1 {s+i = i(i+1)/2} s := s+i {s = i(i+1)/2}
  • Weakest Precondition
  • wp( i := i+1; s := s+i , s = i(i+1)/2 )
      = ( s+i+1 = (i+1)(i+1+1)/2 )
      = ( s = i(i+1)/2 )        since (i+1)(i+2)/2 = i(i+1)/2 + (i+1)
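
The wp rules of slides 11 to 15 (assignment by substitution, composition, the conditional rule, and the check {P} S {Q} iff P => wp(S, Q)), as an added worked example in Python that is not part of the slides. Terms are nested tuples, wp is computed purely syntactically, and the implication P => wp(S, Q) is then checked exhaustively over a small integer domain, which finds the x = 0 counterexample of slide 7 and confirms the slide 13 and slide 15 calculations. The tuple encoding, the operator names, and the domain range(-6, 7) are assumptions of this example; an exhaustive check over a bounded domain finds bugs, it does not prove their absence.

```python
"""Weakest preconditions for straight-line and conditional code (Dijkstra's
wp calculus).  Terms are nested tuples: an int is a constant, a str is a
program variable, (op, arg, ...) is an operator application; assertions use
the same encoding with boolean operators.  Programs are
  ('skip',)  ('assign', var, expr)  ('seq', S1, S2, ...)  ('if', B, S1, S2)
"""
import itertools
import operator

OPS = {
    '+': operator.add, '-': operator.sub, '*': operator.mul,
    '//': operator.floordiv, 'neg': operator.neg,
    '=': operator.eq, '<': operator.lt, '<=': operator.le,
    '>': operator.gt, '>=': operator.ge,
    'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
    'not': lambda a: not a, '=>': lambda a, b: (not a) or b,
    'true': lambda: True, 'false': lambda: False,
}


def subst(term, var, expr):
    """Q[var <- expr]: replace every occurrence of the variable var by expr."""
    if isinstance(term, str):
        return expr if term == var else term
    if isinstance(term, int):
        return term
    return (term[0],) + tuple(subst(t, var, expr) for t in term[1:])


def evaluate(term, state):
    """Value of a term in a state (dict: variable -> int)."""
    if isinstance(term, int):
        return term
    if isinstance(term, str):
        return state[term]
    return OPS[term[0]](*(evaluate(t, state) for t in term[1:]))


def wp(prog, post):
    """wp(prog, post), computed purely syntactically from the slide rules."""
    kind = prog[0]
    if kind == 'skip':
        return post
    if kind == 'assign':                   # wp(x := e, Q) = Q[x <- e]
        return subst(post, prog[1], prog[2])
    if kind == 'seq':                      # wp(S1; S2, Q) = wp(S1, wp(S2, Q))
        for stmt in reversed(prog[1:]):
            post = wp(stmt, post)
        return post
    if kind == 'if':                       # (B => wp(S1,Q)) and (not B => wp(S2,Q))
        _, cond, s1, s2 = prog
        return ('and', ('=>', cond, wp(s1, post)),
                       ('=>', ('not', cond), wp(s2, post)))
    raise ValueError(f'unknown statement kind {kind!r}')


def counterexample(assertion, variables, domain=range(-6, 7)):
    """First state (over the bounded domain) falsifying the assertion, or None.
    Exhaustive over a finite domain: it finds bugs, it does not prove absence."""
    for values in itertools.product(domain, repeat=len(variables)):
        state = dict(zip(variables, values))
        if not evaluate(assertion, state):
            return state
    return None


def check_triple(pre, prog, post, variables):
    """{pre} prog {post} holds iff pre => wp(prog, post): return a
    counterexample state, or None if none exists in the bounded domain."""
    return counterexample(('=>', pre, wp(prog, post)), variables)


# Examples from the slides, written in the tuple encoding.
INCR = ('seq', ('assign', 'x', ('+', 'x', 1)), ('assign', 'y', ('+', 'y', 1)))
SUM_INV = ('=', 's', ('//', ('*', 'i', ('+', 'i', 1)), 2))          # s = i(i+1)/2
SUM_BODY = ('seq', ('assign', 'i', ('+', 'i', 1)), ('assign', 's', ('+', 's', 'i')))
ABS = ('if', ('<', 'x', 0), ('assign', 'x', ('neg', 'x')), ('skip',))  # no else branch

if __name__ == '__main__':
    print(wp(INCR, ('=', 'x', 'y')))
    print(check_triple(('and', ('=', 'x', 0), ('=', 'y', 0)), INCR, ('=', 'x', 'y'), ['x', 'y']))
    print(wp(SUM_BODY, SUM_INV))
    print(check_triple(SUM_INV, SUM_BODY, SUM_INV, ['s', 'i']))
    print(check_triple(('true',), ABS, ('>', 'x', 0), ['x']))   # {'x': 0}: not partially correct
```

Integer division is used for i(i+1)/2 because i(i+1) is always even, so the check is exact; the if-without-else of slide 7 is encoded with an explicit skip branch, and the bounded search reports the first falsifying state it meets.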

16
while-loop: Hoare's Approach
  • {Inv and B} S {Inv}
  • ----------------------------------------
  • {Inv} while B do S {Inv and not B}
  • Proof of Correctness of
  • {P} while B do S {Q}
  • P => Inv
  • and {Inv and B} S {Inv}
  • and (Inv and not B) => Q
  • Loop Termination argument (needed in addition for total correctness)

17
{I} while B do S {I and not B}
  • {I and B} S {I}
  • 0 iterations:  {I} {I and not B}
                   not B holds
  • 1 iteration:   {I} S {I and not B}
                   B holds, then not B holds
  • 2 iterations:  {I} S; S {I and not B}
                   B holds, B holds, then not B holds
  • Infinite loop if B never becomes false.

18
Example 1: while-loop correctness
  • {n > 0 and x = 1 and y = 1}
  • while (y < n) do y := y+1; x := x*y
  • {x = n!}
  • Choice of Invariant
  • I and not B => Q
  • I and (y >= n) => (x = n!)
  • I = (x = y!) and (n >= y)
  • Precondition implies invariant
  • n > 0 and x = 1 and y = 1 =>
  • 1 = 1! and n >= 1

19
  • Verify Invariant
  • I and B => wp(S, I)
  • wp( y := y+1; x := x*y , x = y! and n >= y )
      = ( x*(y+1) = (y+1)! and n >= y+1 )
      = ( x = y! and n >= y+1 )
  • I and B
      = ( x = y! and n >= y and y < n )
      = ( x = y! and n > y )
      = ( x = y! and n >= y+1 )   (n, y integers; equals wp(S, I))
  • Termination
  • Variant (n - y)
  • y:      1 -> 2 -> ... -> n
  • (n-y):  (n-1) -> (n-2) -> ... -> 0

20
while-loop: Dijkstra's Approach
  • wp( while B do S , Q )
      = P0 or P1 or ... or Pn or ...
      = there exists k >= 0 such that Pk
  • Pi: Set of states causing i iterations of the
    while-loop before halting in a state in Q.
  • P0 = not B and Q
  • P1 = B and wp(S, P0)
  • Pk+1 = B and wp(S, Pk)

21
  (Figure: state space partitioned into P0, P1, P2, ...; each
   application of wp maps Pk+1 back to Pk, and P0 lies inside Q.)
  P0 => wp(skip, Q), i.e. P0 subset Q
  P1 => wp(S, P0)
22
Example 2: while-loop correctness
  • P0 = (y >= n) and (x = n!)
  • Pk = B and wp(S, Pk-1)
  • P1 = (y < n) and (y+1 >= n) and (x*(y+1) = n!)
       = (y = n-1) and (x = (n-1)!)
  • Pk = (y = n-k) and (x = (n-k)!)
  • Weakest Precondition Assertion
  • Wp = there exists k >= 0 such that
      P0 or ( y = n-k and x = (n-k)! )
  • Verification
  • P = n > 0 and x = 1 and y = 1
  • For k = n-1: P => Wp   (y = n-(n-1) = 1 and x = 1! = 1)

23
Induction Proof
  • Hypothesis: Pk = (y = n-k) and (x = (n-k)!)
  • Pk+1 = B and wp(S, Pk)
      = (y < n) and (y+1 = n-k) and (x*(y+1) = (n-k)!)
      = (y < n) and (y = n-k-1) and (x = (n-k-1)!)
      = (y < n) and (y = n-(k+1)) and (x = (n-(k+1))!)
      = (y = n-(k+1)) and (x = (n-(k+1))!)     (y < n follows from y = n-(k+1), k >= 0)
  • Valid preconditions
  • n = 4 and y = 2 and x = 2   (k = 2)
  • n = 5 and x = 5! and y = 6  (no iteration, k = 0)
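
Both loop rules, Hoare's (slides 16 to 19) and Dijkstra's (slides 20 to 23), applied to the factorial loop, as an added Python example that is not part of the slides. Assertions are Python predicates over states (dicts), i.e. the sets of states of slide 5, and the loop body is a state transformer, so wp(S, Q)(s) is simply Q(S(s)). The five Hoare verification conditions (the three of slide 16 plus the variant being non-negative and strictly decreasing) and the implication P => (exists k. Pk) are checked exhaustively over a constructed bounded state space; the state-space ranges, the iteration bound and the deliberately weakened invariant inv_weak are assumptions of this example, and an exhaustive check over a finite space is a bounded check, not a proof.

```python
"""Correctness of the factorial loop from the slides, checked Hoare's way
(invariant + variant) and Dijkstra's way (wp as 'exists k. Pk'):

    {n > 0 and x = 1 and y = 1} while y < n do (y := y+1; x := x*y) {x = n!}

Assertions are Python predicates on states (dicts), i.e. sets of states, and
the loop body is a state transformer, so wp(S, Q)(s) is just Q(S(s)).  Every
check is exhaustive over a small finite state space: a bounded check that
finds counterexamples, not a proof."""
from math import factorial


def wp(stmt, post):
    """wp for a deterministic statement given as a state transformer."""
    return lambda s: post(stmt(s))


def failed_vcs(pre, guard, body, inv, variant, post, states):
    """Hoare verification conditions for {pre} while guard do body {post}
    with invariant inv and integer variant.  Returns {vc name: first
    counterexample state}; an empty dict means every condition held."""
    def under_inv_and_b(prop):           # (inv and B) => prop
        return lambda s: not (inv(s) and guard(s)) or prop(s)
    vcs = {
        'pre => inv':                lambda s: not pre(s) or inv(s),
        '{inv and B} body {inv}':    under_inv_and_b(wp(body, inv)),
        'inv and not B => post':     lambda s: not (inv(s) and not guard(s)) or post(s),
        'inv and B => variant >= 0': under_inv_and_b(lambda s: variant(s) >= 0),
        'body decreases variant':    under_inv_and_b(lambda s: variant(body(s)) < variant(s)),
    }
    failed = {}
    for name, vc in vcs.items():
        for s in states:
            if not vc(s):
                failed[name] = s
                break
    return failed


def dijkstra_preds(guard, body, post, bound):
    """P0 = not B and Q, P(k+1) = B and wp(body, Pk).  Returns [P0, ..., P_bound];
    wp(while B do body, Q) is their disjunction (exists k. Pk)."""
    preds = [lambda s: not guard(s) and post(s)]
    for _ in range(bound):
        prev = preds[-1]
        preds.append(lambda s, prev=prev: guard(s) and prev(body(s)))
    return preds


def iterations_to_post(preds, s):
    """Smallest k with Pk(s): the number of iterations the loop runs from s
    before halting in a state satisfying Q; None if no k <= bound works."""
    for k, p in enumerate(preds):
        if p(s):
            return k
    return None


# The factorial loop from the slides.
def guard(s): return s['y'] < s['n']                            # B
def body(s):                                                    # y := y+1; x := x*y
    t = dict(s); t['y'] += 1; t['x'] *= t['y']; return t
def pre(s): return s['n'] > 0 and s['x'] == 1 and s['y'] == 1
def post(s): return s['x'] == factorial(s['n'])                 # Q: x = n!
def inv(s): return s['x'] == factorial(s['y']) and s['n'] >= s['y']   # I
def inv_weak(s): return s['x'] == factorial(s['y'])             # assumed: I without n >= y
def variant(s): return s['n'] - s['y']

# Constructed bounded state space (assumption of this example; non-negative
# values so that factorial is defined everywhere).
STATES = [{'n': n, 'x': x, 'y': y}
          for n in range(0, 5) for x in range(0, 25) for y in range(0, 6)]
PREDS = dijkstra_preds(guard, body, post, bound=5)


def total_correctness_counterexample():
    """Dijkstra: pre => (exists k. Pk) must hold; return a violating state or None."""
    for s in STATES:
        if pre(s) and iterations_to_post(PREDS, s) is None:
            return s
    return None


if __name__ == '__main__':
    print(failed_vcs(pre, guard, body, inv, variant, post, STATES))        # {}
    print(failed_vcs(pre, guard, body, inv_weak, variant, post, STATES))   # one failed VC
    print(total_correctness_counterexample())                              # None
    print(iterations_to_post(PREDS, {'n': 4, 'x': 2, 'y': 2}))             # 2
```

With the invariant of slide 18 all five conditions hold and every state satisfying P reaches Q after n-1 iterations. Dropping n >= y from the invariant keeps it inductive but breaks (I and not B) => Q, which is exactly the condition slide 18 uses to choose I: the check reports a state with y > n and x = y! that the weakened invariant admits. The two valid preconditions of slide 23 show up as iterations_to_post returning 2 and 0.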