1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A

2/22 Programs : Semantics and Verification Charngki PSWLAB Table of Contents  Introduction  Semantics of programming language  Weakest precondition  The deductive system HL  Program verification  Total correctness  Program synthesis  References

3/22 Programs : Semantics and Verification Charngki PSWLAB Introduction  The syntax of programming language is specified using formal systems such as BNF, but the semantics is usually informally specified  Example :  The formal BNF syntax of an if-statement  if-statement ::= if expression then statement [else statement]  But its semantics is described informally  The boolean expression is evaluated. If true, the statement following then is executed, otherwise the statement following else is executed.  If the semantics is informally defined there is no formal way of determining the validity or correctness of a program.

4/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (1/8)  A statement in a programming language is considered to be a function that transforms the state of computation.  If the variables (x,y) = (8,7) in a state s, then the result of executing the statement x := 2*y+1 is the state s’ in which (x,y) = (15,7)  Definition 1.  Let U be the set of all n-tuples of values over some domain, and let U’ µ U. P U’ ( x 1, …, x n ), the characteristic predicate of U’, is defined so that U’ = { ( x 1,…, x n ) 2 U | P U’ ( x 1,…, x n ) }

5/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (2/8)  Example of def.1  Let U be the set of 2-tuples over Z and let U’ µ U be the 2- tuples described in the following table … …(-2,-3), (-2,-2), (-2, -1), (-2,0), (-2,1), (-2,2), (-2,3) …(-1,-3), (-1,-2), (-1, -1), (-1,0), (-1,1), (-1,2), (-1,3) … (0,-3), (0,-2), (0, -1), (0,0), (0,1), (0,2), (0,3) … (1,-3), (1,-2), (1, -1), (1,0), (1,1), (1,2), (1,3) …  The characteristic predicate of U’ is ( x 1 = x 1 ) Æ ( x 2 · 3)

6/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (3/8)  Definition. 2  An assertion is a triple {p} S {q}, where S is a program, and p and q are formulas in the predicate calculus called the precondition and postcondition, respectively.  An assertion is true, denoted ² {p} S {q}, iff: if S is started in a state satisfying p and if this computation of S terminates, then the computation terminates in a state satisfying q.  If ² {p} S {q}, then S is said to be partially correct with respect to p and q  Assertions are also called Hoare triples  Example  ² { y · 3} x:= 2*y+1 {(x · 7) Æ (y · 3)}

7/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (4/8)  Weakest preconditions  Definition 3.  A formula A is weaker than formula B if B ! A. Given a set of formulas { A 1, A 2,… A n }, A i is the weakest formula in the set if A j ! A i for all j.  Definition 4.  For program S and formula q, wp(S,q), the weakest precondition of S and q, is the weakest formula p such that ² {p} S {q}  Example  y · 3 is weaker than y = 1 Ç y = 3  wp(x:=2*y+1, (x · 7) Æ (y · 3)) = y · 3

8/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (5/8)  Lemma 5.  ² {p} S {q} if and only if ² p ! wp( S, q )  Definition 6.  wp( x := t, p(x) ) = p(x) { x à t }  Example  wp( y := y-1, y ¸ 0 ) = ( y-1 ¸ 0 ) = ( y ¸ 1)  Definition 7.  wp( S1; S2, q ) = wp( S1, wp(S2, q) )

9/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (6/8)  Examples of def wp(x := x+1; y := y+2, x < y) = wp(x := x+1, wp(y :=y+2, x < y )) = wp(x := x+1, x < y+2) = x +1 < y+2 ≡ x < y+1 2. wp( x := x+a; y := y-1, x = (b-y) · a ) = wp( x := x+a, wp(y := y-1, x = (b-y) · a)) = wp( x := x+a, x = (b–y+1) · a) = x + a = ( b – y + 1) · a ≡ x = (b-y) · a

10/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (7/8)  Definition 8.  A predicate I is an invariant of S iff wp( S, I ) = I  Definition 9.  if-statement  wp(if B then S1 else S2, q) = (B ! wp(S1, q)) Æ ( : B ! wp(S2, q))  Definition 10.  while-statement  wp(while B do S, q) = ( : B ! q) Æ (B ! wp(S; while B do S, q))

11/22 Programs : Semantics and Verification Charngki PSWLAB Semantics of programming language (8/8)  If-statement  wp(if y=0 then x := 0 else x := y+1, x=y) = ( y=0 ! wp(x :=0, x=y)) Æ ( y  0 ! wp(x := y+1, x=y)) ≡ ((y=0) ! (y=0)) Æ ((y  0) ! (y+1 = y)) ≡ true Æ ((y  0) ! false) ≡ : ( y  0 ) ≡ y = 0  While-statement  You’ll see many of this examples later.

12/22 Programs : Semantics and Verification Charngki PSWLAB The deductive system HL (1/4)  A deductive system HL (Hoare Logic) whose formulas are assertions can be used to prove properties of programs  Definition 11.  Domain axioms  Every true formula over the domain(s) of the program variables  Assignment axiom  ` {p(x) {x à t }} x := t {p(x)}  Composition rule 

13/22 Programs : Semantics and Verification Charngki PSWLAB The deductive system HL (2/4)  Alternative rule  Loop rule  Consequence rule

14/22 Programs : Semantics and Verification Charngki PSWLAB The deductive system HL (3/4)  Loop rule  the formula p is called an invariant: it describes the behavior of an execution of the statement S in the while statement  To prove ` { p 0 } while B do S {q}  We need to find an invariant  We need to show that p 0 ! p is true  We need to show that (p Æ : B) ! q is true  The most difficult part in proving programs is to find appropriate invariants

15/22 Programs : Semantics and Verification Charngki PSWLAB The deductive system HL (4/4)  Example of loop rule  x = 5 is too strong to be an invariant of above while statement  x ¸ 0 is an invariant  x ¸ 0 Æ x > 0 implies x ¸ 0 after executing the loop body  loop terminates if x ¸ 0 Æ : (x>0) is true while x > 0 do x := x - 1

16/22 Programs : Semantics and Verification Charngki PSWLAB  Use HL to prove the partial correctness of the program  Let the formula x = (b-y) · a be the invariant  { p Æ y  0 } x : = x+a; y := y-1 {p}, where p is x = (b-y) · a  Postcondition of the loop can be written p Æ (y = 0) so we can deduce x = a · b Program verification (1/3) {true} x := 0; {x = 0} y := b; {x = 0 Æ y = b} while y <> 0 do { x = (b-y) · a } begin x := x + a; y := y-1 end; { x = a · b }

17/22 Programs : Semantics and Verification Charngki PSWLAB Program verification (2/3)  Total correctness  We have proved only partial correctness  If the initial value of b is negative, the program will not terminate  We need to strengthen the precondition  b ¸ 0  Strengthening the precondition will obviously not invalidate the proof of partial correctness, since a stronger precondition simply selects a subset of the set of states for which the computation is correct  All we need to prove is that the program terminates

18/22 Programs : Semantics and Verification Charngki PSWLAB Program verification (3/3)  To show termination, we search for a numeric function whose value decreases with every execution of the loop, and whose value has an invariant lower bound.  The loop must eventually terminate because there can not be an infinite decreasing sequence greater than the lower bound.  Since y is decreasing and yet bounded from below by y ¸ 0, the loop must terminate and the program is totally correct. { x = (b-y) · a Æ y ¸ 0 Æ y  0} begin x := x + a; y := y-1 end; {x = (b-y) · a Æ y ¸ 0}

19/22 Programs : Semantics and Verification Charngki PSWLAB Program synthesis (1/3)  The most difficult part in proving program is to find invariants  How to find invariants?  Solution  delete part of postcondition  We demonstrate the method by developing two different programs for finding the integer square root of a non-negative integer:  { 0 · a } S { 0 · x 2 · a < ( x+1) 2 }

20/22 Programs : Semantics and Verification Charngki PSWLAB Program synthesis (2/3)  Solution { 0 · a } x := ? ; while B(x, a) do { 0 · x 2 · a } x := ? ; {0 · x 2 · a < ( x+1) 2 } the postcondition of the while statement is p Æ : B(x,a), so B(x,a) is ( x+1) 2 · a the loop should be terminated, so x should be incremented in every iteration

21/22 Programs : Semantics and Verification Charngki PSWLAB Program synthesis (3/3)  Solution  We must check the loop invariant { p Æ B } S {p}  { 0 · x 2 · a Æ ( x +1) 2 · a } x := x+1 { 0 · x 2 · a } { 0 · a } x := ? ; while B(x, a) do { 0 · x 2 · a } x := ? ; {0 · x 2 · a < ( x+1) 2 } { 0 · a } x := 0 ; while ( x+1) 2 · a do { 0 · x 2 · a } x := x + 1 ; {0 · x 2 · a < ( x+1) 2 }

22/22 Programs : Semantics and Verification Charngki PSWLAB References  Mathematical logic for computer science, Mordechai Ben- Ari  Logic in computer science, Michael Huth and Mark Ryan