Other approaches: Denotational Semantics: Real meaning in terms of functions on N. Equivalence: f(x) = f(x) + 1; f(x) = if f(x) == 1 then 0 else 1 ...

Transcript and Presenter's Notes

Title: Axiomatic Semantics

1
Axiomatic Semantics
• Predicate Transformers

2
Motivation
(Diagram: Input, Program, Output)
• Problem Specification
• Properties satisfied by the input and expected of the output (usually described using assertions).
• E.g., Sorting problem
• Input: Sequence of numbers
• Output: Permutation of input that is ordered.
• Program
• Transform input to output.

3
• Sorting algorithms
• Bubble sort
• Shell sort
• Insertion sort
• Selection sort
• Merge sort
• Quick sort
• Heap sort
• Axiomatic Semantics
• To show that a program satisfies its specification, it is convenient to have a description of the language constructs in terms of assertions characterizing the input and the corresponding output states.

4
(No Transcript)
5
(Diagram: sets of states labelled p and q)
6
Axiomatic Approaches
• Hoare's Proof System (partial correctness)
• Dijkstra's Predicate Transformer (total correctness)
• Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc.
• Hoare Triples: {P} S {Q}
• P is the pre-condition (an assertion), S the statements (a program), Q the post-condition (an assertion)

7
Swap Example
• {x = n and y = m}
• t := x
• x := y
• y := t
• {x = m and y = n}
• program variables (x, y, t) vs ghost/logic variables (n, m)
• States: Variables -> Values
• Assertions: States -> Boolean (= Powerset of States)

8
Partial vs Total Correctness
• {P} S {Q}
• S is partially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q.
• S is totally correct for P and Q if and only if whenever S is executed in a state satisfying P, then the execution terminates, and the resulting state satisfies Q.

9
Examples
• Totally correct (hence, partially correct)
• {false} x := 0 {x = 111}
• {x = 11} x := 0 {x = 0}
• {x = 0} x := x + 1 {x = 1}
• {false} while true do x := 0 {Q}   (for any Q: no state satisfies the precondition)
• {y = 0} if x <> y then x := y {x = 0}
• Not totally correct, but partially correct
• {true} while true do x := 0 {Q}   (for any Q: the loop never terminates)
• Not partially correct
• {true} if x < 0 then x := -x {x > 0}   (fails for x = 0)

10
Axioms and Inference Rules
• Assignment axiom
• {Q[x <- e]} x := e {Q}   (Q[x <- e] is Q with every free occurrence of x replaced by e)
• Inference Rule for statement composition
• Premises: {P} S1 {R} and {R} S2 {Q}
• Conclusion: {P} S1; S2 {Q}
• Example
• {x = y} x := x + 1 {x = y + 1}
• {x = y + 1} y := y + 1 {x = y}
• {x = y} x := x + 1; y := y + 1 {x = y}

11
Generating additional valid triples {P'} S {Q'} from {P} S {Q}
(Diagram: the sets of states satisfying P, P', Q and Q' drawn inside States, related by S)
12
Rule of Consequence
• Premises: {P} S {Q} and P' => P and Q => Q'
• Conclusion: {P'} S {Q'}
• Strengthening the antecedent (P' => P)
• Weakening the consequent (Q => Q')
• Example (both derived from {x = y} x := x + 1; y := y + 1 {x = y} on the previous slide)
• {x = 0 and y = 0} x := x + 1; y := y + 1 {x = y}
• {x = y} x := x + 1; y := y + 1 {x <= y or x = 5}
• (The implications P' => P and Q => Q' are facts from elementary mathematics: boolean algebra, arithmetic.)

13
Predicate Transformers
• Assignment
• wp(x := e, Q) = Q[x <- e]
• Composition
• wp(S1; S2, Q) = wp(S1, wp(S2, Q))
• Correctness
• {P} S {Q} holds if and only if (P => wp(S, Q))

14
Correctness Illustrated
P => wp(S, Q)
(Diagram: within States, P lies inside wp(S, Q), and S maps every state of wp(S, Q) into Q)
15
Correctness Proof
• {x = 0 and y = 0} x := x + 1; y := y + 1 {x = y}
• wp(y := y + 1, x = y)
• = (x = y + 1)
• wp(x := x + 1, x = y + 1)
• = (x + 1 = y + 1)
• wp(x := x + 1; y := y + 1, x = y)
• = (x + 1 = y + 1)
• = (x = y)
• x = 0 and y = 0 => x = y

16
Conditionals
• Premises: {P and B} S1 {Q} and {P and not B} S2 {Q}
• Conclusion: {P} if B then S1 else S2 {Q}
• wp(if B then S1 else S2, Q)
• = (B => wp(S1, Q)) and (not B => wp(S2, Q))
• = (B and wp(S1, Q)) or (not B and wp(S2, Q))

17
Invariant Summation Program
• {s = i * (i + 1) / 2}
• i := i + 1
• s := s + i
• {s = i * (i + 1) / 2}
• Intermediate Assertion (s and i have different values here)
• {s + i = i * (i + 1) / 2}
• Weakest Precondition
• s + (i + 1) = (i + 1) * ((i + 1) + 1) / 2   (which simplifies to s = i * (i + 1) / 2)
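The assignment, composition and conditional rules of the preceding slides, as an added example that is not code from the slides: a small symbolic wp calculator in Python over a tuple-based expression AST (the names subst, wp, show, evaluate and find_counterexample are this example's own), applied to x := x + 1; y := y + 1, to the swap program with ghost variables n and m, and to the two conditionals from the examples slide. The check of {P} S {Q} enumerates states over a small finite range, which is enough to exhibit a counterexample but is not a proof for unbounded integers.

```python
# Added example (not code from the slides): symbolic weakest preconditions for
# assignment, sequencing and if-then-else, plus a brute-force check of
# {P} S {Q} as "P => wp(S, Q)" over a finite range of states.
from itertools import product

# Expressions: int/bool literal | variable name (str) | (op, arg1[, arg2]).
BINARY = {
    '+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
    '=': lambda a, b: a == b, '<>': lambda a, b: a != b,
    '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
    '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
    'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
}
UNARY = {'not': lambda a: not a, 'neg': lambda a: -a}


def subst(expr, var, repl):
    """Q[var <- repl]: replace every occurrence of var in expr by repl."""
    if isinstance(expr, str):
        return repl if expr == var else expr
    if isinstance(expr, tuple):
        return (expr[0],) + tuple(subst(a, var, repl) for a in expr[1:])
    return expr  # literal


def wp(stmt, q):
    """Weakest precondition of a statement, following the slides' rules."""
    kind = stmt[0]
    if kind == 'skip':                               # ('skip',)
        return q
    if kind == 'assign':                             # ('assign', var, expr)
        return subst(q, stmt[1], stmt[2])            # wp(x := e, Q) = Q[x <- e]
    if kind == 'seq':                                # ('seq', s1, s2)
        return wp(stmt[1], wp(stmt[2], q))           # wp(S1; S2, Q) = wp(S1, wp(S2, Q))
    if kind == 'if':                                 # ('if', b, s1, s2)
        b, s1, s2 = stmt[1:]
        return ('or', ('and', b, wp(s1, q)), ('and', ('not', b), wp(s2, q)))
    raise ValueError(f"unknown statement {kind}")


def show(expr):
    """Render an expression as infix text, fully parenthesised."""
    if isinstance(expr, tuple):
        if len(expr) == 2:
            return f"{expr[0]} {show(expr[1])}" if expr[0] == 'not' else f"-{show(expr[1])}"
        return f"({show(expr[1])} {expr[0]} {show(expr[2])})"
    return str(expr)


def evaluate(expr, state):
    """Value of an expression in a state (a dict from variable names to values)."""
    if isinstance(expr, str):
        return state[expr]
    if isinstance(expr, tuple):
        if len(expr) == 2:
            return UNARY[expr[0]](evaluate(expr[1], state))
        return BINARY[expr[0]](evaluate(expr[1], state), evaluate(expr[2], state))
    return expr


def find_counterexample(p, stmt, q, variables, values):
    """Return a state satisfying P but not wp(S, Q), or None if P => wp(S, Q)
    holds on every state over the given finite range (not a proof for all integers)."""
    pre = wp(stmt, q)
    for combo in product(values, repeat=len(variables)):
        state = dict(zip(variables, combo))
        if evaluate(p, state) and not evaluate(pre, state):
            return state
    return None


# Programs and assertions from the slides, encoded as ASTs.
INC_BOTH = ('seq', ('assign', 'x', ('+', 'x', 1)), ('assign', 'y', ('+', 'y', 1)))
X_EQ_Y = ('=', 'x', 'y')
SWAP = ('seq', ('assign', 't', 'x'), ('seq', ('assign', 'x', 'y'), ('assign', 'y', 't')))
COND = ('if', ('<>', 'x', 'y'), ('assign', 'x', 'y'), ('skip',))        # {y = 0} ... {x = 0}
ABS = ('if', ('<', 'x', 0), ('assign', 'x', ('neg', 'x')), ('skip',))    # {true} ... {x > 0}

if __name__ == '__main__':
    print(show(wp(INC_BOTH, X_EQ_Y)))                                     # ((x + 1) = (y + 1))
    print(show(wp(SWAP, ('and', ('=', 'x', 'm'), ('=', 'y', 'n')))))      # ((y = m) and (x = n))
    print(find_counterexample(True, ABS, ('>', 'x', 0), ['x'], range(-3, 4)))   # {'x': 0}
```

The `if` rule is encoded in its disjunctive form from the Conditionals slide; the `show` output of wp(SWAP, x = m and y = n) is exactly the swap precondition, which is why the rule of consequence is not even needed there.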

18
while-loop: Hoare's Approach
• Premise: {Inv and B} S {Inv}
• Conclusion: {Inv} while B do S {Inv and not B}
• Proof of Correctness of {P} while B do S {Q}
• P => Inv
• and {Inv and B} S {Inv}
• and (Inv and not B) => Q
• Loop Termination argument

19
{I} while B do S {I and not B}, given {I and B} S {I}
• 0 iterations: {I} {I and not B}: not B holds
• 1 iteration: {I} S {I and not B}: B holds, then not B holds
• 2 iterations: {I} S; S {I and not B}: B holds, B holds, then not B holds
• Infinite loop if B never becomes false.

20
Example 1: while-loop correctness
• {n > 0 and x = 1 and y = 1}
• while (y < n) y++; x := x * y
• {x = n!}
• Choice of Invariant
• I and not B => Q
• I and (y >= n) => (x = n!)
• I = (x = y!) and (n >= y)
• Precondition implies invariant
• n > 0 and x = 1 and y = 1 =>
• 1 = 1! and n >= 1

21
• Verify Invariant
• I and B => wp(S, I)
• wp(y++; x := x * y, x = y! and n >= y)
• = (x = y! and n >= y + 1)
• I and B
• = (x = y! and n >= y and y < n)
• = (x = y! and n > y)
• Termination
• Variant: (n - y)
• y: 1 -> 2 -> ... -> n
• (n - y): (n - 1) -> (n - 2) -> ... -> 0

22
Detailed Working
• wp(y++; x := x * y, x = y! and n >= y)
• = wp(y++, x * y = y! and n >= y)
• = wp(y++, x = (y - 1)! and n >= y)
• = (x = (y + 1 - 1)! and n >= y + 1)
• = (x = y! and n > y)

23
GCD/HCF code
• PRE: (x = n) and (y = m)
• while (x <> y) do
• ASSERT (INVARIANT)
• begin
• if x > y then x := x - y
• else y := y - x
• end
• POST: (x = gcd(n, m))

24
GCD-LCM code
• PRE: (x = n) and (y = m)
• u := x; v := y
• while (x <> y) do
• ASSERT (INVARIANT)
• begin
• if x > y then x := x - y; u := u + v
• else y := y - x; v := v + u
• end
• POST: (x = gcd(n, m)) and (lcm(n, m) = (u + v) div 2)
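Hoare's while rule and the variant-based termination argument (slides 18 to 22), and the GCD/LCM loops above, as an added example that is not the slides' own code: a checked loop runner in Python that asserts P => Inv on entry, {Inv and B} S {Inv} after every iteration, (Inv and not B) => Q on exit, and that the variant stays non-negative and strictly decreases. The factorial loop uses the invariant and variant from slides 20 and 21. The GCD-LCM slide leaves ASSERT (INVARIANT) blank, so the invariant used for it here (gcd(x, y) = gcd(n, m) and x*v + y*u = 2*n*m), the variant x + y, and the assumption of positive inputs are this example's own choices, not the slides'.

```python
# Added example (not the slides' own code): running a while-loop under the
# obligations of Hoare's while rule plus a termination variant:
#   P => Inv;  {Inv and B} S {Inv};  (Inv and not B) => Q;
#   the variant is a non-negative integer that strictly decreases per iteration.
from math import gcd, factorial


def checked_while(state, guard, body, invariant, variant, post):
    """Execute `while guard do body` on a mutable state dict, checking the
    invariant on entry and after every iteration, the variant bound and
    decrease, and the postcondition on exit. Returns (state, iterations)."""
    iterations = 0
    assert invariant(state), f"P => Inv fails: {state}"
    while guard(state):
        before = variant(state)
        assert before >= 0, f"variant negative: {state}"
        body(state)
        iterations += 1
        assert invariant(state), f"invariant broken after iteration {iterations}: {state}"
        assert variant(state) < before, f"variant did not decrease: {state}"
    assert post(state), f"(Inv and not B) => Q fails: {state}"
    return state, iterations


def factorial_loop(n):
    """Slide 20: {n > 0 and x = 1 and y = 1} while (y < n) y++; x := x * y {x = n!}
    with invariant x = y! and n >= y and variant n - y (slides 20 and 21).
    Returns (x, number of iterations)."""
    assert n > 0, "precondition n > 0"
    s = {'n': n, 'x': 1, 'y': 1}

    def body(s):
        s['y'] += 1
        s['x'] *= s['y']

    final, iterations = checked_while(
        s,
        guard=lambda s: s['y'] < s['n'],
        body=body,
        invariant=lambda s: s['x'] == factorial(s['y']) and s['n'] >= s['y'],
        variant=lambda s: s['n'] - s['y'],
        post=lambda s: s['x'] == factorial(s['n']),
    )
    return final['x'], iterations


def gcd_lcm_loop(n, m):
    """Slide 24 GCD-LCM code. The invariant gcd(x, y) = gcd(n, m) and
    x*v + y*u = 2*n*m, the variant x + y, and the positive-input assumption
    are this example's own choice (the slide leaves the invariant blank).
    Returns (gcd, lcm) as the postcondition states them."""
    assert n > 0 and m > 0, "assumed precondition: the subtraction loop needs positive inputs"
    s = {'n': n, 'm': m, 'x': n, 'y': m, 'u': n, 'v': m}   # PRE plus u := x; v := y

    def body(s):
        if s['x'] > s['y']:
            s['x'] -= s['y']
            s['u'] += s['v']
        else:
            s['y'] -= s['x']
            s['v'] += s['u']

    final, _ = checked_while(
        s,
        guard=lambda s: s['x'] != s['y'],
        body=body,
        invariant=lambda s: gcd(s['x'], s['y']) == gcd(s['n'], s['m'])
        and s['x'] * s['v'] + s['y'] * s['u'] == 2 * s['n'] * s['m'],
        variant=lambda s: s['x'] + s['y'],
        post=lambda s: s['x'] == gcd(s['n'], s['m'])
        and (s['u'] + s['v']) // 2 == s['n'] * s['m'] // gcd(s['n'], s['m']),
    )
    return final['x'], (final['u'] + final['v']) // 2


if __name__ == '__main__':
    print(factorial_loop(5))       # (120, 4): four iterations, matching the variant n - y
    print(gcd_lcm_loop(12, 18))    # (6, 36)
```

Running a loop this way checks the proof obligations only for the inputs tried; the proof on the slides discharges them for every state, which is the point of the wp calculation.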

25
while-loop: Dijkstra's Approach
• wp(while B do S, Q)
• = P0 or P1 or ... or Pn or ...
• = there exists k >= 0 such that Pk
• Pi = Set of states causing i iterations of the while-loop before halting in a state in Q.
• P0 = not B and Q
• P1 = B and wp(S, P0)
• P(k+1) = B and wp(S, Pk)

26
(Diagram: within States, the sets P0, P1, P2, ... are obtained from Q by repeated application of wp)
P0 => wp(skip, Q), i.e. P0 is a subset of Q; P1 => wp(S, P0)
27
Example 2: while-loop correctness
• P0 = (y >= n and x = n!)
• Pk = B and wp(S, P(k-1))
• P1 = (y < n and y + 1 >= n and x * (y + 1) = n!)
• Pk = (y = n - k and x = (n - k)!)
• Weakest Precondition Assertion
• Wp = there exists k >= 0 such that
• P0 or (y = n - k and x = (n - k)!)
• Verification
• P = (n > 0 and x = 1 and y = 1)
• For i = n - 1: P => Wp

28
Induction Proof
• Hypothesis: Pk = (y = n - k and x = (n - k)!)
• P(k+1) = B and wp(S, Pk)
• = y < n and (y + 1 = n - k) and (x * (y + 1) = (n - k)!)
• = y < n and (y = n - k - 1) and (x = (n - k - 1)!)
• = y < n and (y = n - (k + 1)) and (x = (n - (k + 1))!)
• = (y = n - (k + 1)) and (x = (n - (k + 1))!)
• Valid preconditions
• n = 4 and y = 2 and x = 2 (k = 2)
• n = 5 and x = 5! and y = 6 (no iteration)
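Dijkstra's characterisation of wp(while B do S, Q) as P0 or P1 or ... (the preceding four slides), as an added example that is not code from the slides: the sets P0, P1, P2, ... are computed by brute force for the factorial loop of Example 1 over a finite set of states (n, x, y), and compared with the closed form Pk = (y = n - k and x = (n - k)!) from the induction proof. Because the loop body is deterministic and always terminates, wp(S, Pk) on the finite domain is simply the set of states that S maps into Pk. The state bounds and the names p_sets, closed_form and loop_wp are this example's own.

```python
# Added example (not code from the slides): Dijkstra's wp for a while-loop as
# P0 or P1 or ..., computed by brute force for the factorial loop of Example 1
# over a finite set of states (n, x, y):
#   P0     = not B and Q
#   P(k+1) = B and wp(S, Pk),  with wp(S, Pk) = { s | S(s) in Pk } for deterministic S
from itertools import product
from math import factorial

# Finite state space: the bounds are this example's choice. They are wide enough
# that every state S maps into some Pk lies inside the domain (x <= 4! = 24).
STATES = [(n, x, y) for n, x, y in product(range(1, 5), range(0, 31), range(0, 6))]


def guard(s):                      # B:  y < n
    n, _, y = s
    return y < n


def body(s):                       # S:  y++; x := x * y
    n, x, y = s
    return (n, x * (y + 1), y + 1)


def post(s):                       # Q:  x = n!
    n, x, _ = s
    return x == factorial(n)


def p_sets(max_k):
    """[P0, P1, ..., P(max_k)] as sets of states."""
    sets = [{s for s in STATES if not guard(s) and post(s)}]      # P0 = not B and Q
    for _ in range(max_k):
        prev = sets[-1]
        sets.append({s for s in STATES if guard(s) and body(s) in prev})   # B and wp(S, Pk)
    return sets


def closed_form(k):
    """Pk as derived in the induction proof, for k >= 1: y = n - k and x = (n - k)!"""
    return {(n, x, y) for (n, x, y) in STATES
            if n - k >= 0 and y == n - k and x == factorial(n - k)}


def loop_wp(max_k):
    """P0 or ... or P(max_k): states from which the loop halts in Q after at most max_k iterations."""
    return set().union(*p_sets(max_k))


if __name__ == '__main__':
    for k, pk in enumerate(p_sets(3)):
        print(f"P{k}: {sorted(pk)}")
    # The precondition states (n, 1, 1) lie in P(n-1), as the Verification step says.
    print(all((n, 1, 1) in loop_wp(3) for n in range(1, 5)))   # True
```

P0 is larger than the k = 0 instance of the closed form, since it also contains the states with y > n that never enter the loop; for k >= 1 the computed sets coincide with the closed form on the whole domain, and the initial state (4, 1, 1) first appears in P3, i.e. at k = n - 1.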