Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer. In this setting, we are interested in assertions about program state (in particular values of program variables). Each such assertion can be couched as what’s known as a Hoare triple (after C.A.R. Hoare) {P}S{Q} which is interpreted as follows: Assertion Q will hold in the state yielded immediately upon termination of statement S when executed in state satisfying assertion P. By way of example, consider the following: { x = A } x := x + 1 { x = A + 1} Hoare triples are typically used to express partial correctness of a program, however, one can use them to specify the conditions under which a program will terminate.

Weakest Preconditions To adequately describe the semantics of a programming language construct C, we can’t just manufacture a few true Hoare triples, we must have some plan for describing exactly what we want to say about a program’s behavior. An assertion R is said to be weaker than assertion P if the truth of P implies the truth of R, written P→R (equivalently R or not(P)). Example: x >0 is weaker than x = 3. The program proving game is played as follows: –We know what program construct C we are using. –We know what assertion Q we want to be true after C terminates. –We use the proof system to find out what absolutely must be true before executing C and nothing more, that is we find the weakest precondition of C that will yield Q, wp(C,Q). Then we know that if we execute C in any state P such that P→wp(C,Q), then Q will be true when C terminates.

General Properties of wp (not specific to any language) Law of the Excluded Miracle wp(C,false) = false Note that if false is true, we can prove anything! Distributivity of Conjunction wp(C,P and Q) = wp(C,P) and wp(C,Q) Law of Monotonicity if Q→R then wp(C,Q)→wp(C,R) Distributivity of Disjunction wp(C,P) or wp(C,Q) → wp(C,P or Q)

wp Properties Specific to our Simple Language We make a huge leap of faith assuming that all of us already understand some underlying logic that captures all interesting properties of expressions, and note that true assertions P→Q from this logic can be used in our proofs. Statement Lists wp( L 1 ;L 2,Q) = wp( L 1,wp( L 2,Q)) This says weakest preconditions propagate backwards through statement sequences. Assignment Statements wp( I:=E,Q) = Q[ E/I ] The substitution Q[ E/I ] involves substituting the expression E for each free occurrence of I in Q. An occurrence of a variable is said to be bound in an assertion if it is the argument of an existential (  ) or universal (  ) quantifier. An occurrence is free if it is not bound. Consider Q[1/j] when Q has the following two values: –Q = (for all i, a[i] = a[j]) –Q = (for all j, a[i] = a[j]) Now consider applying this: wp(x := x + 1, x = A) = (x = A)[(x + 1)/x] = (x + 1 = A) = (x = A – 1)

If statements If Statements wp(if E then L 1 else L 2 fi,Q) = ( E >0→wp( L 1,Q)) and ( E  0→wp( L 2,Q)) Consider applying this in Louden’s example: wp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→wp(x := 1,x=1)) and (x  0→wp(x := -1,x=1)) = (x>0→1=1) and (x  0→-1=1) Note (x>0→1=1) = (1=1 or not(x>0)) = true Note (x  0→-1=1) = (-1=1 or not(x  0)) = not(x  0) = x>0 Thus wp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→1=1) and (x  0→-1=1) = true and x>0 = x>0

While Statements To precisely define the weakest precondition of a while loop is difficult, we must define it inductively on the number of times the loop may be executed. Thus we have a sequence of assertions H i (while E do L od,Q) each capturing the weakest preconditions satisfying that the loop executes i times and terminates in a state satisfying Q. Consider the sequence of H’s: H 0 (while E do L od,Q) = E  0 and Q H 1 (while E do L od,Q) = E >0 and wp( L, H 0 (while E do L od,Q)) H i+1 (while E do L od,Q) = E >0 and wp( L, H i (while E do L od,Q)) This seems pretty complicated. What should we really do?

{x = X and y = Y} t := x; x := y; y := t; {x = Y and y = X}

Partial Correctness Proofs for Loop Invariants If we have a while loop, while E do L od, and an assertion W satisfying each of the following: 1.W and ( E >0)→wp( L,W) 2.W and ( E  0)→Q 3.P→W then we can conclude that {P} while E do L od{Q} An assertion W satisfying these conditions is known as a loop invariant. Property 1 above guarantees that the truth of the assertion does not vary when the loop body is executed. Note that the loop termination and the invariant alone must be sufficient to satisfy the postcondition. P can be stronger than the invariant, but that won’t affect the postcondition that is provable in this manner.

Choosing a Loop Invariant {n>0} i := n; sum := 0; while i do sum := sum + i; i := i – 1; od {sum = n}