David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

David Evans cs302: Theory of Computation University of Virginia Computer Science Lecture 17: ProvingUndecidability.
Semantics Static semantics Dynamic semantics attribute grammars
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 20: Total Correctness; Proof-
Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Partial correctness © Marcelo d’Amorim 2010.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Program Proving Notes Ellen L. Walker.
Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
CS 330 Programming Languages 09 / 19 / 2006 Instructor: Michael Eckmann.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Axiomatic Semantics Dr. M Al-Mulhem ICS
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Dr. Muhammed Al-Mulhem 1ICS ICS 535 Design and Implementation of Programming Languages Part 1 Fundamentals (Chapter 4) Axiomatic Semantics ICS 535.
4/17/2017 Section 3.6 Program Correctness ch3.6.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
Software Verification Bertrand Meyer Chair of Software Engineering Lecture 2: Axiomatic semantics.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Describing Syntax and Semantics
Reading and Writing Mathematical Proofs
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
CSI 3125, Axiomatic Semantics, page 1 Axiomatic semantics The assignment statement Statement composition The "if-then-else" statement The "while" statement.
Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
1 cs205: engineering software university of virginia fall 2006 Avoiding Software Disasters.
Muhammad Idrees Lecturer University of Lahore 1. Outline Introduction The General Problem of Describing Syntax Formal Methods of Describing Syntax Attribute.
Reasoning about programs March CSE 403, Winter 2011, Brun.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 4: Axiomatic Semantics I Roman Manevich Ben-Gurion University.
3.2 Semantics. 2 Semantics Attribute Grammars The Meanings of Programs: Semantics Sebesta Chapter 3.
ISBN Chapter 3 Describing Semantics.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.
Principle of Programming Lanugages 3: Compilation of statements Statements in C Assertion Hoare logic Department of Information Science and Engineering.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
This Week Lecture on relational semantics Exercises on logic and relations Labs on using Isabelle to do proofs.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
C HAPTER 3 Describing Syntax and Semantics. D YNAMIC S EMANTICS Describing syntax is relatively simple There is no single widely acceptable notation or.
Chapter 3 of Programming Languages by Ravi Sethi
Matching Logic An Alternative to Hoare/Floyd Logic
Formal Methods in Software Engineering 1
Lecture 5 Floyd-Hoare Style Verification
Axiomatic semantics Points to discuss: The assignment statement
Programming Languages and Compilers (CS 421)
Semantics In Text: Chapter 3.
Predicate Transformers
Formal Methods in software development
The Zoo of Software Security Techniques
Lecture 12: Minding your Ps & Qs:
Program correctness Axiomatic semantics
Program Verification with Hoare Logic
Programming Languages and Compilers (CS 421)
COP4020 Programming Languages
Lecture 23: Computability CS200: Computer Science
Presentation transcript:

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic Semantics and Program Verification It is easier to write an incorrect program than understand a correct one. Alan Perlis

5 April 2001CS 655: Lecture 192 Operational Semantics Map to execution of a virtual machine Depends on informal understanding of machine Were able to prove that all programs in a language without loops terminate Awkward notion of equivalence Hard to prove properties about all possible executions of a program – need to simulate execution

5 April 2001CS 655: Lecture 193 Static Semantics Can prove properties about simple properties (type checking) easily Cannot take into account any dynamic properties –Proofs must assume type of reference does not change throughout execution

5 April 2001CS 655: Lecture 194 Axiomatic Semantics Reason about programs using axioms (mathematical rules about program text fragments) Depends on informal (almost formal) understanding of logic –Better than depending on informal understanding of Virtual Machine (Operational Semantics) Allows reasoning about all possible executions Can prove more interesting properties about programs than static semantics –Can deal with control flow, dynamic properties, etc.

5 April 2001CS 655: Lecture 195 Floyd-Hoare Rules P { code fragment } Q Partial correctness: For all execution states which satisfy P, if the code fragment terminates, the resulting execution state satisfies Q. Total correctness: For all execution states which satisfy P, the code fragment terminates and the resulting execution state satisfies Q. (Sometimes people write: P [ code fragment ] Q.) pre-condition post-condition

5 April 2001CS 655: Lecture 196 A simple example { true } while true do x := 1 { = 5 } Partial correctness: Yes! Since code doesn’t terminate, any post-condition is satisfied. Total correctness: No!Since code doesn’t terminate, no total correctness post-condition could be satisfied.

5 April 2001CS 655: Lecture 197 A Toy Language: Algorel Program ::= Statement Statement ::= Variable := Expression | Statement ; Statement | while Pred do Statement end Expression ::= Variable | IntLiteral | Expression + Expression | Expression * Expression Pred ::= true | false | Expression <= Expression

5 April 2001CS 655: Lecture 198 Assignment Axiom P[e/x] { x := e  side-effect-free(e) } P P is true after x := e, iff P with e substituted for x was true before the assignment.

5 April 2001CS 655: Lecture 199 Assignment Example wp { x := x + 1 } x = 3 P[e/x] { x := e  sef(e) } P wp = (x = 3)[x + 1/x] wp = ((x + 1)= 3) wp = (x = 2)

5 April 2001CS 655: Lecture 1910 Weakest Preconditions P { S } Q Given Q and S, what is the weakest P such that P { S }  Q x = 2 { x := x + 1 } x = 3 Is there a stronger precondition? Is there a weaker precondition? Is there always a weakest precondition for any S and Q?

5 April 2001CS 655: Lecture 1911 If Axiom side-effect-free (b)  (P  b { s1 } Q)  (P   b { s2 } Q) P { if b then s1 else s2 } Q

5 April 2001CS 655: Lecture 1912 If Example P { if (x < 3) then x := x + 1 else x := x – 1 } x  3

5 April 2001CS 655: Lecture 1913 If Example side-effect-free (x < 3)  (P  x < 3 { x := x + 1 } x  3 )  (P   (x < 3) { x := x – 1 } x  3 ) P { if (x < 3) then x := x + 1 else x := x – 1 } x  3 weakest-precondition: P = x  3  x  2

5 April 2001CS 655: Lecture 1914 An Algorel Program Fragment % Pre-condition: ? while n <= x do n := n + 1; result := result * n; end % Post-condition: result = x!

5 April 2001CS 655: Lecture 1915 Goal: find weakest pre-condition P & x 0 = x { while n <= x do n := n + 1; result := result * n; end } result = x 0 ! Elevator speech

5 April 2001CS 655: Lecture 1916 Rule for while P  Inv  Inv { Pred }  Inv  Inv & Pred { Statement } Inv  (Inv & ~Pred)  Q  while Pred do Statement end terminates P { while Pred do Statement end } Q

5 April 2001CS 655: Lecture 1917 What can go wrong? Invariant too weak –Can’t prove (Inv & ~Pred)  Q Invariant too strong –Can’t prove Inv & Pred { Statement } Inv –Can’t prove P  Inv (for sufficiently weak P)

5 April 2001CS 655: Lecture 1918 Summary Once you have the right invariant, proving partial correctness is tedious but easy –Computers can do this quickly Picking the right invariant is hard and not well understood –Computers can do this slowly in special circumstances, often need help (from programmer or language designer) Next time: Proof-Carrying Code –Can quickly and automatically prove interesting properties (type safety, memory safety, etc.) about arbitrary code if you are given the right invariants

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.