Dynamic semantics

1
Dynamic semantics

• Precisely specify the meanings of programs.
• Why?
• programmers need to understand the meanings of
  programs they read
• programmers need to understand how to express
  themselves in a given language
• compiler writers need to understand how to
  translate a high-level program into a
  semantically equivalent low-level one
• Formal semantics are not always used no single
  formalism exists. We will look at
• operational semantics
• axiomatic semantics
• denotational semantics

2
Operational semantics

• Basic idea we describe the meanings of program
  elements by describing how a machine executes
  them.
• Basic approach express semantics of a high-level
  construct in terms of its translation into a
  low-level construct
• Example Java described in terms of JVM
• Example Pascal described in terms of p-code
• Example C described in terms of PDP-11 assembly

3
Examplehigh-level program operational semantics

• for (e1 e2 e3)
• .
• .
• .
• ltrest of programgt

e1 L1 if not(e2) goto L2 . . .
e3 goto L1 L2 ltrest of programgt
4
Axiomatic semantics

• Basic idea you make assertions about statements
  in a program.
• A precondition is an assertion about what is true
  prior to execution of a statement.
• A postcondition is an assertion about what is
  true after execution of a statement. For
  example
• sum 2sum 1 sum gt 1

5
Weakest precondition

• The weakest precondition is the least
  restrictive precondition that will guarantee the
  validity of the associated postcondition. p.
  151
• In example above sumgt10 is a valid precondition
  but sumgt0 is the weakest precondition
• sum gt 0 sum 2sum 1 sum gt 1

6
Correctness proofs

• If the weakest precondition can be computed from
  the given postconditions for each statement of a
  language, then correctness proofs can be
  constructed for programs in that language. p.
  151
• Start with output specifications for the program
  as the postcondition for the program as a whole.

7

• Work backwards computing weakest preconditions,
  one statement at a time, to derive the weakest
  precondition for the program as a whole
• stmt1 c0 stmt1 c1
• stmt2 c1 stmt2 c2
• . .
• . ? .
• . .
• stmtN cN cN-1 stmtN cN

8

• If the input specification for the program
  satisfies the programs weakest precondition,
  then the program will (provably) produce the
  correct result.

9
Assignment statements

• The axiomatic semantics of an assignment
  statement xE is written as PQx?E
• This means that the precondition is the
  postcondition with all instances of x replaced by
  E.
• Example
• a b/2-1 alt10
• To compute precondition, replace all instances
  of a in postcondition alt10 by b/21
• b/2-1 lt 10, or
• b lt 22
• Semantics blt22 a b/2-1 alt10
• In general Qx?E xE Q

10
Inference

• Suppose we wanted to prove the following
• sum gt 5 sum 2sum 1 sum gt 3
• Starting with the postcondition, we derive as the
  weakest precondition something different
• 2sum 1 gt 3
• 2sum gt 2
• sum gt 1 (weakest precondition)
• Clearly this is OK, because the actual
  precondition sumgt5 implies the weakest
  precondition sumgt1
• sumgt5 gt sumgt1
• We use an inference rule, the rule of
  consequence, to prove this.

11
Rule of consequence

• General form
• S1, S2, , Sn
• S
• Precondition strengthening
• PgtP, P C Q
• P C Q
• Postcondition weakening
• QgtQ, P C Q
• P C Q

12
Precondition strengthening applied

• Recall our example. We want to prove the
  following
• sum gt 5 sum 2sum 1 sum gt 3
• The weakest precondition we derive is
• sum gt 1
• Apply precondition strengthening to finish proof
• PgtP, P C Q
• P C Q
• sumgt5 gt sumgt1, sumgt1 sum2sum1 sumgt3
• sumgt5 sum2sum1 sumgt3

13
Hang on!

• Why get so formal?
• Because this way correctness proofs can be
  (partially) automated.

14
SequencesS1 S2
P S1 Q, Q S2 R P S1 S2 R

• Start with a sequence of statements
• y 3x1 x y3 xlt10
• Compute weakest precondition for 2nd stmt
• y3lt10 or ylt7, use as postcondition
• for 1st stmt
• y 3x1 ylt7 ylt7 x y3 xlt10
• Compute weakest precondition for 1st stmt
• 3x1lt7 or xlt2
• xlt2 y 3x1 ylt7 ylt7 x y3 xlt10
• Conclude, applying sequence rule
• xlt2 y 3x1 x y3 xlt10

15
Selectionif B then S1 else S2
B P S1 Q, !B P S2 Q P if B then S1
else S2 Q

• Start with a conditional statement
• if (xgt0) then yy-1 else yy1 ygt0
• Deal with arms of the conditional one at a time,
  first the then-arm
• y y-1 ygt0 ? ygt1 y y-1 ygt0
• Now the else-arm
• y y1 ygt0 ? ygt-1 y y1 ygt0
• Use rule of precondition strengthening on the
  else-arm result (to make both arms uniform)
• ygt1 y y1 ygt0
• Now strengthen both arms preconditions by
  imposing a constraint on x
• xgt0 ygt1 y y-1 ygt0
• !(xgt0) ygt1 y y1 ygt0
• Conclude, applying selection rule
• ygt1 if (xgt0) then yy-1 else yy1 ygt0

16
Whilewhile B do S end
B I S I _ I
while B do S end I and !B

• Lets prove the following
• true
• rx q0 while yltr do rr-y qq1 end
• ygtr xryq
• Start by proving loop body
• yltr xryq rr-y qq1xryq
• Start with last statement
• qq1 xryq ? xry(q1) qq1 xryq
• xryyq qq1 xryq
• Continue with second-to-last statement
• rr-y xryyq ? xr-yy(q1) rr-y
  xryyq
• xryq rr-y xryyq
• Use rule for sequence to get
• xryq rr-y qq1 xryq
• Now strengthen precondition to conclude proof of
  loop body
• yltr xryq rr-y qq1 xryq
• This lets us derive a weakest precondition for
  the while loop
• xryq while yltr do rr-y qq1 end
  xryq !(yltr)

17
Whilewhile B do S end
B I S I _ I
while B do S end I and !B

• The next step is to prove the sequence
• true rx q0 while yltr do rr-y qq1 end
  xryq ygtr)
• Start by moving backwards from the while loop
  (since we derived a weakest precondition from its
  postcondition already)
• true rx q0 xryq
• Start with last statement
• q0 xryq ? xry0 q0 xryq
• xr q0 xryq
• Continue with second-to-last statement
• rx xr ? xx rx xr
• Precondition strengthening
• true rx xr
• Sequence rule (applied in general form)
• true rx q0 while yltr do rr-y qq1 end
  xryq !(yltr)
• Finally, postcondition weakening because !(yltr)
  gt ygtr
• true rx q0 while yltr do rr-y qq1 end
  xryq ygtr
• We're done!