
Axiomatic Semantics

- Predicate Transformers

Motivation

- Problem Specification
  - Properties satisfied by the input and expected of the output (usually described using assertions).
- E.g., Sorting problem
  - Input: Sequence of numbers
  - Output: Permutation of the input that is ordered.
- Program
  - Transform input to output.

- Sorting algorithms
  - Bubble sort, Shell sort
  - Insertion sort, Selection sort
  - Merge sort, Quick sort
  - Heap sort
- Axiomatic Semantics
  - To show that a program satisfies its specification, it is convenient to have a description of the language constructs in terms of assertions characterizing the input and the corresponding output states.


Axiomatic Approaches

- Hoare's Proof System (partial correctness)
- Dijkstra's Predicate Transformer (total correctness)
- Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc.
- Hoare Triples {P} S {Q}
  - P: pre-condition (assertion)
  - S: statements (program)
  - Q: post-condition (assertion)

Swap Example

- {x = n and y = m}
- t := x
- x := y
- y := t
- {x = m and y = n}
- Program variables (x, y, t) vs ghost/logic variables (n, m record the initial values; the program never assigns them)
- States: Variables -> Values
- Assertions: States -> Boolean (equivalently, an assertion denotes a subset of States, i.e. an element of the Powerset of States)

Partial vs Total Correctness

- {P} S {Q}
- S is partially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q.
- S is totally correct for P and Q if and only if whenever S is executed in a state satisfying P, then the execution terminates, and the resulting state satisfies Q.

Examples

- Totally correct (hence, partially correct)
  - {false} x := 0 {x = 111}  (no state satisfies the precondition, so the triple holds vacuously)
  - {x = 11} x := 0 {x = 0}
  - {x = 0} x := x + 1 {x = 1}
  - {false} while true do x := 0 {Q}, for any postcondition Q
  - {y = 0} if x <> y then x := y {x = 0}
- Not totally correct, but partially correct
  - {true} while true do x := 0 {Q}, for any Q  (the loop never terminates, so the postcondition is never reached)
- Not partially correct
  - {true} if x < 0 then x := -x {x > 0}  (the state x = 0 satisfies the precondition, the program terminates, and the result x = 0 violates x > 0)

Axioms and Inference Rules

- Assignment axiom
  - {Q[x <- e]} x := e {Q}   (Q[x <- e] is Q with every free occurrence of x replaced by e)
- Inference Rule for statement composition
  - {P} S1 {R}
  - {R} S2 {Q}
  - ----------------
  - {P} S1; S2 {Q}
- Example
  - {x = y} x := x + 1 {x = y + 1}
  - {x = y + 1} y := y + 1 {x = y}
  - {x = y} x := x + 1; y := y + 1 {x = y}

Generating additional valid triples {P'} S {Q'} from {P} S {Q}

(Diagram: States before S and States after S; the set of states satisfying P' lies inside the set satisfying P, and the set satisfying Q lies inside the set satisfying Q'.)

Rule of Consequence

- {P} S {Q} and P' => P and Q => Q'
- ----------------
- {P'} S {Q'}
- Strengthening the antecedent (P' is stronger than P)
- Weakening the consequent (Q' is weaker than Q)
- Example
  - {x = 0 and y = 0} x := x + 1; y := y + 1 {x = y}
  - {x = y} x := x + 1; y := y + 1 {x <= y or x = 5}
  - (The side conditions x = 0 and y = 0 => x = y and x = y => x <= y or x = 5 are facts from elementary mathematics: boolean algebra, arithmetic.)

Predicate Transformers

- Assignment
  - wp(x := e, Q) = Q[x <- e]
- Composition
  - wp(S1; S2, Q) = wp(S1, wp(S2, Q))
- Correctness
  - {P} S {Q} holds if and only if (P => wp(S, Q))

Correctness Illustrated

- P => wp(S, Q)
- (Diagram: among the States before S, the set satisfying P lies inside the set wp(S, Q); S maps every wp(S, Q)-state to a state satisfying Q.)

Correctness Proof

- {x = 0 and y = 0} x := x + 1; y := y + 1 {x = y}
- wp(y := y + 1, x = y)
  - = (x = y + 1)
- wp(x := x + 1, x = y + 1)
  - = (x + 1 = y + 1)
- wp(x := x + 1; y := y + 1, x = y)
  - = (x + 1 = y + 1)
  - = (x = y)
- x = 0 and y = 0 => x = y

Conditionals

- {P and B} S1 {Q}
- {P and not B} S2 {Q}
- ----------------
- {P} if B then S1 else S2 {Q}
- wp(if B then S1 else S2, Q)
  - = (B => wp(S1, Q)) and (not B => wp(S2, Q))
  - = (B and wp(S1, Q)) or (not B and wp(S2, Q))
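The transformer rules for assignment, composition and the conditional, together with the correctness condition P => wp(S, Q), can be executed directly. The following Python is an added example and not part of the original slides: states are dicts and assertions are Python predicates on states (as on the "States -> Boolean" slide), wp is computed semantically, and a Hoare triple is checked by testing P => wp(S, Q) over every state in a small finite box of values. The statement classes, the `counterexample` checker, and the value range are my own choices; the three programs checked are the swap, the x := x + 1; y := y + 1 example, and the conditional from the Examples slide.

```python
# Added example (not from the slides): a semantic wp calculator for the
# straight-line fragment of the language on the slides (skip, assignment,
# sequential composition, if-then-else). A state is a dict Variable -> Value
# and an assertion is a Python predicate on states.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, Optional, Sequence, Union

State = Dict[str, int]
Pred = Callable[[State], bool]
Expr = Callable[[State], int]


@dataclass(frozen=True)
class Skip:
    pass


@dataclass(frozen=True)
class Assign:
    var: str
    expr: Expr            # x := e, with e given as a function of the state


@dataclass(frozen=True)
class Seq:
    first: "Stmt"
    second: "Stmt"


@dataclass(frozen=True)
class If:
    cond: Pred
    then: "Stmt"
    els: "Stmt"           # "if B then S" without else is If(B, S, Skip())


Stmt = Union[Skip, Assign, Seq, If]


def wp(stmt: Stmt, Q: Pred) -> Pred:
    """Weakest precondition, one case per rule on the slides."""
    if isinstance(stmt, Skip):
        return Q
    if isinstance(stmt, Assign):
        # wp(x := e, Q) = Q[x <- e]: Q evaluated in the state in which x has
        # been replaced by the value of e, which is exactly the substitution.
        return lambda s: Q({**s, stmt.var: stmt.expr(s)})
    if isinstance(stmt, Seq):
        # wp(S1; S2, Q) = wp(S1, wp(S2, Q))
        return wp(stmt.first, wp(stmt.second, Q))
    if isinstance(stmt, If):
        # wp(if B then S1 else S2, Q) = (B and wp(S1,Q)) or (not B and wp(S2,Q))
        w_then, w_else = wp(stmt.then, Q), wp(stmt.els, Q)
        return lambda s: w_then(s) if stmt.cond(s) else w_else(s)
    raise TypeError(f"unknown statement {stmt!r}")


def counterexample(P: Pred, stmt: Stmt, Q: Pred,
                   variables: Sequence[str], values: Iterable[int]) -> Optional[State]:
    """Check {P} stmt {Q} as P => wp(stmt, Q) over every state whose
    variables range over `values`. Returns the first state that satisfies P
    but not wp(stmt, Q), or None if the triple holds on the whole box."""
    w = wp(stmt, Q)
    values = list(values)
    for vals in product(values, repeat=len(variables)):
        s = dict(zip(variables, vals))
        if P(s) and not w(s):
            return s
    return None


# Programs from the slides, written as statement objects.
INC_BOTH = Seq(Assign("x", lambda s: s["x"] + 1), Assign("y", lambda s: s["y"] + 1))
SWAP = Seq(Assign("t", lambda s: s["x"]),
           Seq(Assign("x", lambda s: s["y"]), Assign("y", lambda s: s["t"])))
ABS = If(lambda s: s["x"] < 0, Assign("x", lambda s: -s["x"]), Skip())

BOX = range(-3, 4)  # constructed value range, small enough to enumerate


def check_inc_both() -> Optional[State]:
    """{x = 0 and y = 0} x := x+1; y := y+1 {x = y} -- expected valid (None)."""
    return counterexample(lambda s: s["x"] == 0 and s["y"] == 0, INC_BOTH,
                          lambda s: s["x"] == s["y"], ("x", "y"), BOX)


def check_swap() -> Optional[State]:
    """{x = n and y = m} t := x; x := y; y := t {x = m and y = n}. n and m are
    ghost variables: they occur in the assertions, the program never writes them."""
    return counterexample(lambda s: s["x"] == s["n"] and s["y"] == s["m"], SWAP,
                          lambda s: s["x"] == s["m"] and s["y"] == s["n"],
                          ("x", "y", "t", "n", "m"), BOX)


def check_abs(strict: bool) -> Optional[State]:
    """{true} if x < 0 then x := -x {x > 0} (strict=True) is not partially
    correct; weakening the consequent to x >= 0 makes it valid."""
    post = (lambda s: s["x"] > 0) if strict else (lambda s: s["x"] >= 0)
    return counterexample(lambda s: True, ABS, post, ("x",), BOX)
```

`check_abs(strict=True)` returns the state `{"x": 0}`, the witness named on the Examples slide; `check_abs(strict=False)` returns None, which is the rule of consequence at work. A finite box can only refute a triple, so a None result supports, but does not replace, the symbolic proof the slides carry out.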

Invariant Summation Program

- {s = i * (i + 1) / 2}
- i := i + 1
- s := s + i
- {s = i * (i + 1) / 2}
- Intermediate Assertion (between the two assignments, where s and i hold their intermediate values)
  - s + i = i * (i + 1) / 2
- Weakest Precondition
  - s + i + 1 = (i + 1) * (i + 1 + 1) / 2
  - which simplifies to s = i * (i + 1) / 2, since (i + 1)(i + 2) / 2 = i(i + 1) / 2 + (i + 1); so the given precondition is exactly the weakest one

while-loop: Hoare's Approach

- {Inv and B} S {Inv}
- ----------------
- {Inv} while B do S {Inv and not B}
- Proof of Correctness of {P} while B do S {Q}
  - P => Inv
  - and {Inv and B} S {Inv}
  - and Inv and not B => Q
  - Loop Termination argument (required for total correctness; the rule above gives only partial correctness)

{I} while B do S {I and not B}

- {I and B} S {I}
- 0 iterations: {I} {I and not B}  (not B holds at once)
- 1 iteration: {I} S {I and not B}  (B holds before S, not B holds after)
- 2 iterations: {I} S; S {I and not B}  (B holds, B holds, then not B holds)
- Infinite loop if B never becomes false.

Example 1: while-loop correctness

- {n > 0 and x = 1 and y = 1}
- while (y < n) do y := y + 1; x := x * y
- {x = n!}
- Choice of Invariant
  - I and not B => Q
  - I and (y >= n) => (x = n!)
  - I = (x = y!) and (n >= y)
- Precondition implies invariant
  - n > 0 and x = 1 and y = 1 =>
  - 1 = 1! and n >= 1

- Verify Invariant
  - I and B => wp(S, I)
  - wp(y := y + 1; x := x * y, x = y! and n >= y)
    - = x = y! and n >= y + 1
  - I and B
    - = x = y! and n >= y and y < n
    - = x = y! and n > y  (over the integers, the same as n >= y + 1, so I and B is exactly wp(S, I))
- Termination
  - Variant (n - y)
  - y: 1 -> 2 -> ... -> n
  - (n - y): (n - 1) -> (n - 2) -> ... -> 0

Detailed Working

- wp(y := y + 1; x := x * y, x = y! and n >= y)
- = wp(y := y + 1, wp(x := x * y, x = y! and n >= y))
- = wp(y := y + 1, x * y = y! and n >= y)
- = wp(y := y + 1, x = (y - 1)! and n >= y)  (dividing by y, which is legitimate because y >= 1 throughout the loop)
- = x = (y + 1 - 1)! and n >= y + 1
- = x = y! and n >= y + 1

GCD/HCF code

- PRE: (x = n) and (y = m)  (with n, m > 0: if one of them is 0 the loop never terminates, since the else branch computes y := y - 0 forever)
- while (x <> y) do
-   ASSERT ( INVARIANT )
-   begin
-     if x > y then x := x - y
-     else y := y - x
-   end
- POST: (x = gcd(n, m))

GCD-LCM code

- PRE: (x = n) and (y = m)  (n, m > 0, as above)
- u := x; v := y
- while (x <> y) do
-   ASSERT ( INVARIANT )
-   begin
-     if x > y then x := x - y; u := u + v
-     else y := y - x; v := v + u
-   end
- POST: (x = gcd(n, m))
-   and (lcm(n, m) = (u + v) div 2)
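Hoare's while rule yields three proof obligations plus a termination argument, and each of them can be turned into a runtime check before any pen-and-paper proof is attempted. The Python below is an added example, not code from the slides: it runs the factorial loop of Example 1 and the two GCD loops exactly as written, asserting the invariant after every iteration and checking that the variant stays non-negative and strictly decreases. The factorial invariant and variant are the slide's own; the slides leave ASSERT ( INVARIANT ) blank for the GCD loops, so the invariants used here (gcd(x, y) = gcd(n, m) with x, y > 0, and for GCD-LCM additionally x * v + y * u = 2 * n * m) and the variant x + y are my choices. `math.gcd` and `math.factorial` serve only as oracles for the postconditions.

```python
# Added example (not from the slides): the loops from the slides with Hoare's
# proof obligations turned into runtime assertions.
#   precondition => invariant        checked before the loop
#   {I and B} S {I}                  checked after every iteration
#   variant >= 0 and decreasing      termination argument
#   I and not B => postcondition     checked after the loop
# Factorial invariant/variant come from Example 1; the GCD invariants and the
# variant x + y are my own choices (the slide leaves the invariant blank).
import math


def factorial_loop(n: int) -> int:
    """{n > 0 and x = 1 and y = 1} while y < n do y := y+1; x := x*y {x = n!}
    Invariant I = (x = y!) and (n >= y); variant n - y."""
    x, y = 1, 1
    inv = lambda: x == math.factorial(y) and n >= y
    variant = lambda: n - y
    assert inv(), "precondition does not establish the invariant"
    while y < n:
        before = variant()
        assert before >= 0, "variant negative"
        y = y + 1
        x = x * y
        assert inv(), "invariant not preserved by the body"
        assert variant() < before, "variant did not decrease"
    assert x == math.factorial(n), "I and not B does not give the postcondition"
    return x


def gcd_loop(n: int, m: int) -> int:
    """PRE (x = n) and (y = m); POST x = gcd(n, m).
    Invariant (mine): gcd(x, y) = gcd(n, m) and x > 0 and y > 0; variant x + y."""
    x, y = n, m
    inv = lambda: math.gcd(x, y) == math.gcd(n, m) and x > 0 and y > 0
    variant = lambda: x + y
    assert inv(), "precondition does not establish the invariant (needs n, m > 0)"
    while x != y:
        before = variant()
        if x > y:
            x = x - y
        else:
            y = y - x
        assert inv(), "invariant not preserved by the body"
        assert 0 <= variant() < before, "variant not decreasing"
    assert x == math.gcd(n, m)
    return x


def gcd_lcm_loop(n: int, m: int) -> tuple:
    """PRE (x = n) and (y = m); u := x; v := y; loop as on the slide;
    POST x = gcd(n, m) and lcm(n, m) = (u + v) div 2.
    Invariant (mine): gcd(x, y) = gcd(n, m) and x*v + y*u = 2*n*m and x, y > 0.
    Preservation: if x > y then (x-y)*v + y*(u+v) = x*v + y*u; symmetric otherwise."""
    x, y = n, m
    u, v = x, y
    inv = lambda: (math.gcd(x, y) == math.gcd(n, m)
                   and x * v + y * u == 2 * n * m and x > 0 and y > 0)
    variant = lambda: x + y
    assert inv(), "precondition does not establish the invariant (needs n, m > 0)"
    while x != y:
        before = variant()
        if x > y:
            x = x - y
            u = u + v
        else:
            y = y - x
            v = v + u
        assert inv(), "invariant not preserved by the body"
        assert 0 <= variant() < before, "variant not decreasing"
    # At exit x = y = g, so g*(u+v) = 2*n*m and (u+v) div 2 = n*m/g = lcm(n, m).
    g, lcm = x, (u + v) // 2
    assert g == math.gcd(n, m) and lcm == n * m // g
    return g, lcm


def check_all(limit: int = 12) -> int:
    """Run the checked loops for every n, m in 1..limit; returns the number of (n, m) pairs tried."""
    pairs = 0
    for n in range(1, limit + 1):
        factorial_loop(n)
        for m in range(1, limit + 1):
            gcd_loop(n, m)
            gcd_lcm_loop(n, m)
            pairs += 1
    return pairs


def rejected(n: int, m: int) -> bool:
    """True if the runtime checks refuse (n, m) before looping, e.g. n = 0,
    where the slide's GCD loop would execute y := y - 0 forever."""
    try:
        gcd_loop(n, m)
        return False
    except AssertionError:
        return True
```

The x > 0 and y > 0 conjunct is what makes the precondition check fail for inputs on which the slide's loop would hang, so a bad input is reported instead of looping forever. As with any dynamic check, a pass over a box of inputs only fails to refute the invariant; the obligations still have to be discharged for all inputs, which is the symbolic argument the slides give.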

while-loop: Dijkstra's Approach

- wp(while B do S, Q)
  - = P0 or P1 or ... or Pn or ...
  - = there exists k >= 0 such that Pk
- Pi = Set of states causing exactly i iterations of the while-loop before halting in a state in Q.
- P0 = not B and Q
- P1 = B and wp(S, P0)
- P(k+1) = B and wp(S, Pk)

- (Diagram: among the States before the loop, the sets P0, P1, P2, ...; each iteration of S maps P(k+1) into Pk, and P0 lies inside Q.)
- P0 => wp(skip, Q), i.e. P0 is a subset of Q
- P1 => wp(S, P0)

Example 2: while-loop correctness

- P0 = y >= n and x = n!
- Pk = B and wp(S, P(k-1))
- P1 = y < n and y + 1 >= n and x * (y + 1) = n!
  - = y = n - 1 and x = (n - 1)!
- Pk = (y = n - k) and (x = (n - k)!)
- Weakest Precondition Assertion
  - Wp = there exists k >= 0 such that Pk
  - = P0 or (there exists k >= 1 such that y = n - k and x = (n - k)!)
- Verification
  - P = n > 0 and x = 1 and y = 1
  - For k = n - 1, P => Wp  (y = 1 = n - (n - 1) and x = 1 = 1! = (n - (n - 1))!)

Induction Proof

- Hypothesis: Pk = (y = n - k) and (x = (n - k)!)
- P(k+1) = B and wp(S, Pk)
  - = y < n and (y + 1 = n - k) and (x * (y + 1) = (n - k)!)
  - = y < n and (y = n - k - 1) and (x = (n - k - 1)!)  (dividing by y + 1 = n - k, assumed >= 1)
  - = y < n and (y = n - (k + 1)) and (x = (n - (k + 1))!)
  - = (y = n - (k + 1)) and (x = (n - (k + 1))!)  (y < n follows from y = n - (k + 1) with k >= 0)
- Valid preconditions
  - n = 4 and y = 2 and x = 2  (k = 2)
  - n = 5 and x = 5! and y = 6  (no iteration: P0 holds)
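Dijkstra's definition of wp for the loop, P0 = not B and Q and P(k+1) = B and wp(S, Pk), is directly computable, and the closed form Pk = (y = n - k) and (x = (n - k)!) that the induction proof establishes can be checked against it. The Python below is an added example, not from the slides: it builds P0, P1, P2, ... for the factorial loop of Example 2 over states given as dicts, compares each Pk with the slide's closed form on a finite box of states, and reports for a given start state the number of iterations after which the loop halts in Q (the k such that Pk holds). The body function, the box of states and the bound on k are my choices; n! is treated as undefined (the predicate is false) for n < 0.

```python
# Added example (not from the slides): Dijkstra's Pk for the factorial loop
#   while y < n do y := y + 1; x := x * y     with Q = (x = n!)
# computed by iterating P0 = not B and Q, P(k+1) = B and wp(S, Pk), and checked
# against the closed form Pk = (y = n - k) and (x = (n - k)!) from the slide.
# As on the "States -> Boolean" slide, predicates are functions on states,
# here dicts with program variables n, x, y.
import math
from itertools import product


def body(s: dict) -> dict:
    """State after one execution of the loop body y := y + 1; x := x * y."""
    y = s["y"] + 1
    return {**s, "y": y, "x": s["x"] * y}


def B(s: dict) -> bool:
    """Loop guard y < n."""
    return s["y"] < s["n"]


def Q(s: dict) -> bool:
    """Postcondition x = n!, taken as false for n < 0 where n! is undefined."""
    return s["n"] >= 0 and s["x"] == math.factorial(s["n"])


def dijkstra_P(k: int):
    """Pk exactly as defined on the slide. wp(S, Pk)(s) = Pk(body(s)) is the
    semantic reading of the substitution Pk[x <- x*y][y <- y+1]."""
    if k == 0:
        return lambda s: (not B(s)) and Q(s)
    prev = dijkstra_P(k - 1)
    return lambda s: B(s) and prev(body(s))


def closed_form_P(k: int):
    """The slide's closed form for k >= 1: (y = n - k) and (x = (n - k)!),
    read as false when n - k < 0 (the slide implicitly assumes k <= n)."""
    def pk(s: dict) -> bool:
        j = s["n"] - k
        return j >= 0 and s["y"] == j and s["x"] == math.factorial(j)
    return pk


def states(n_values, x_values, y_values):
    """Constructed finite box of states used for the comparison."""
    for n, x, y in product(n_values, x_values, y_values):
        yield {"n": n, "x": x, "y": y}


def mismatches(kmax: int = 5) -> int:
    """Number of (k, state) pairs, k = 1..kmax, on which Dijkstra's Pk and the
    closed form disagree; 0 is what the induction proof on the slide predicts."""
    xs = list(range(-2, 8)) + [24, 120, 720, 5040]   # include the factorials up to 7!
    bad = 0
    for k in range(1, kmax + 1):
        pk, ck = dijkstra_P(k), closed_form_P(k)
        for s in states(range(0, 8), xs, range(-2, 8)):
            if pk(s) != ck(s):
                bad += 1
    return bad


def iterations_to_Q(s: dict, kmax: int = 20):
    """Smallest k with Pk(s): started in s, the loop halts in Q after exactly k
    iterations. None means s is not in wp(while B do S, Q) for any k <= kmax."""
    for k in range(kmax + 1):
        if dijkstra_P(k)(s):
            return k
    return None
```

`iterations_to_Q({"n": 4, "y": 2, "x": 2})` returns 2 and `iterations_to_Q({"n": 5, "x": 120, "y": 6})` returns 0, the two "valid preconditions" on the slide; for the precondition of Example 1, n > 0 and x = y = 1, the answer is n - 1 as claimed. A start state such as n = 4, x = 2, y = 1 returns None: the loop terminates but ends with x = 48, so it lies outside wp(while B do S, Q) even though it satisfies no Pk for a reason unrelated to termination.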