Predicate Transformers Axiomatic Semantics Predicate Transformers Calculating with programs : Reasoning reduced to symbol manipulation. Helps determine precise Boundary conditions. Formalizing intuitions. Other approaches: Denotational Semantics: Real meaning in terms of functions on N. Equivalence: f(x) = f(x) + 1 f(x) = if f(x) ==1 then 0 else 1 unsatisfiable (“non-sense”) f(x) = f(x) f(x) = if f(x) ==1 then 1 else f(x) multiple solutions (“no information”) McCarthy’s 91-function Operational Semantics: Abstract interpreter based cs784(Prasad) L189wp

Motivation Problem Specification Program Input Output Properties satisfied by the input and expected of the output (usually described using “assertions”). E.g., Sorting problem Input : Sequence of numbers Output: Permutation of input that is ordered. Program Transform input to output. cs784(Prasad) L189wp

Sorting algorithms Bubble sort; Shell sort; Insertion sort; Selection sort; Merge sort; Quick sort; Heap sort; Axiomatic Semantics To show that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states. cs784(Prasad) L189wp

Axiomatic Approaches Hoare’s Proof System (partial correctness) Dijkstra’s Predicate Transformer (total correctness) Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc. Hoare Triples : {P} S {Q} pre-condition statements post-condition (assertion) (program) (assertion) cs784(Prasad) L189wp

Swap Example States : Variables -> Values { x = n and y = m } t := x; x := y; y := t; { x = m and y = n } program variables vs ghost/logic variables States : Variables -> Values Assertions : States -> Boolean (= Powerset of States) cs784(Prasad) L189wp

Partial vs Total Correctness {P} S {Q} S is partially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q. S is totally correct for P and Q if and only if whenever S is executed in a state satisfying P , then the execution terminates, and the resulting state satisfies Q. Logical Implication : IF false THEN (1 = 2) is valid. cs784(Prasad) L189wp

Examples Totally correct (hence, partially correct) { false } x := 0; { x = 111 } { x = 11 } x := 0; { x = 0 } { x = 0 } x := x + 1; { x = 1 } {false} while true do; {x = 0} {y = 0} if x <> y then x:= y; { x = 0 } Not totally correct, but partially correct {true} while true do; {x = 0} Not partially correct {true} if x < 0 then x:= -x; { x > 0 } 1. False = empty set of states. Precondition unsatisfiable, so Hoare triple trivially valid. 2. Strong precondition 4. Nontermination. 5. Multipath program : Else null statement; 6. Partially correct because the IF-part of definition not met, so there are no guarantees from THEN. 7. Modify the precondition to get a valid triple. Material Implication : IF sun rises in the west THEN there will be snow in July in Mexico City. cs784(Prasad) L189wp

Axioms and Inference Rules Assignment axiom {Q[e]} x := e; {Q[x]} Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q} Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y} {x = y} x:=x+1; y:=y+1; {x = y} Reasoning turned into symbol manipulation : Substitution. Confusing with constructs such as: {??} x == x++ * 5 { x = y } cs784(Prasad) L189wp

Generating additional valid triples {P} S {Q} from {P’} S {Q’} States States P’ Q P Q’ Subtle Point: The program transforms a state into another state. (point to point map) Assertions characterize mapping from collection of states to collection of states. They deal with the delineating boundary as it were. But if we use FOPC for Assertion both schemes have equal discriminating power. (full abstraction) cs784(Prasad) L189wp

{P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q} Rule of Consequence {P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q} Strengthening the antecedent Weakening the consequent Example {x=0 and y=0} x:=x+1;y:=y+1; {x = y} {x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics [boolean algebra + arithmetic] ) cs784(Prasad) L189wp

Predicate Transformers Assignment wp( x := e , Q ) = Q[x<-e] Composition wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) Correctness {P} S {Q} = (P => wp( S , Q)) For programs without loops (and recursion), Hoare’s and Dijkstra’s approach converge. Hoare’s approach generates triples while Dijkstra’s approach tries to capture the semantics Unaddressed Questions: Why weakest precondition rather than strongest post-condition? Expressiveness in FOL for while? Application: Distributed computing program proofs. cs784(Prasad) L189wp

Correctness Illustrated P => wp( S , Q) States States Q wp(S,Q) P cs784(Prasad) L189wp

Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y} wp(y:=y+1; , {x = y}) = { x = y+1 } wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 } wp(x:=x+1;y:=y+1; , {x = y}) = { x = y } { x = 0 and y = 0 } => { x = y } cs784(Prasad) L189wp

Conditionals { P and B } S1 {Q} {P and not B } S2 {Q} {P} if B then S1 else S2; {Q} wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and (not B => wp(S2,Q)) = (B and wp(S1,Q)) or (not B and wp(S2,Q)) cs784(Prasad) L189wp

“Invariant”: Summation Program { s = i * (i + 1) / 2 } i := i + 1; s := s + i; Intermediate Assertion ( s and i different) { s + i = i * (i + 1) / 2 } Weakest Precondition { s+i+1 = (i+1) * (i+1+1) / 2 } Values bound to variables keep changing (DYNAMIC). In order to be able to reason about program, We need to discover INVARIANTS. (Physics laws: PV=RT, E=mc**2, Boyle’s law.) (Implicit relationships) ( STATIC) State and assertion is associated with a “point” in the program. cs784(Prasad) L189wp

while-loop : Hoare’s Approach {Inv and B} S {Inv} {Inv} while B do S {Inv and not B} Proof of Correctness {P} while B do S {Q} = P => Inv and {Inv} B {Inv} and {Inv and B} S {Inv} and {Inv and not B => Q} + Loop Termination argument Focus on what is essential for the problem at hand rather than the weakest conditiion. Invariant = Assertion preserved. cs784(Prasad) L189wp

{I} while B do S {I and not B} {I and B} S {I} 0 iterations: {I} {I and not B} not B holds 1 iteration: {I} S {I and not B} B holds not B holds 2 iterations: {I} S ; S {I and not B} B holds B holds not B holds Infinite loop if B never becomes false. cs784(Prasad) L189wp

Example1 : while-loop correctness { n>0 and x=1 and y=1} while (y < n) [ y++; x := x*y;] {x = n!} Choice of Invariant {I and not B} => Q {I and (y >= n)} => (x = n!) I = {(x = y!) and (n >= y)} Precondition implies invariant { n>0 and x=1 and y=1} => { 1=1! and n>=1 } Choosing invariant requires insight and is goal driven. Invariant must hold in the loop. So cannot have (n = y) or (x = n!) etc Soundness cs784(Prasad) L189wp

Verify Invariant Termination {I and B} => wp(S,I) wp( y++; x:=x*y; , {x=y! and n>=y}) = { x=y! and n>=y+1 } I and B = { x=y! and n>=y } and { y<n } = { x=y! and n>y } Termination Variant : ( n - y ) y : 1 -> 2 -> … -> n (n-y) : (n-1) -> (n-2) -> … -> 0 Soundness cs784(Prasad) L189wp

GCD-LCM code PRE: (x = n) and (y = m) u := x; v := y; while (x <> y) do ASSERT: (** INVARIANT **) begin if x > y then x := x - y; u := u + v else y := y - x; v := v + u end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2) PRE: (x = n) and (y = m) u := x; v := y; while (x <> y) do ASSERT: ( 2*n*m = x*v + y*u ) begin if x > y then x := x - y; u := u + v else y := y - x; v := v + u end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2) cs784(Prasad) L189wp

while-loop : Dijkstra’s Approach wp( while B do S , Q) = P0 or P1 or … or Pn or … = there exists k >= 0 such that Pk Pi : Set of states causing i-iterations of while-loop before halting in a state in Q. P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk) cs784(Prasad) L189wp

... P0 => wp(skip, Q) P0 subset Q P1 => wp(S, P0) States wp Q cs784(Prasad) L189wp

Example2 : while-loop correctness P0 = { y >= n and x = n! } Pk = B and wp(S,Pk-1) P1 = { y<n and y+1>=n and x*(y+1) = n! } Pk = y=n-k and x=(n-k)! Weakest Precondition Assertion: Wp = there exists k >= 0 such that P0 or {y = n-k and x = (n-k)!} Verification : P = n>0 and x=1 and y=1 For i = n-1: P => Wp cs784(Prasad) L189wp

Induction Proof Hypothesis : Pk = {y=n-k and x=(n-k)!} Pk+1 = { B and wp(S,Pk) } = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!) Valid preconditions: { n = 4 and y = 2 and x = 2 } (k = 2) { n = 5 and x = 5! and y = 6} (no iteration) cs784(Prasad) L189wp

Detailed Working wp( y++; x:=x*y; , {x=y! and n>=y}) = wp(y++,{x*y=y! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = {x=y+1-1! and n>=y+1} cs784(Prasad) L189wp