Program Analysis and Verification Noam Rinetzky Lecture 6: Axiomatic Semantics II Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Good manners Mobiles 2

Home Work Assignment #1 In the following, we refer to the “Semantics with Application” book as “the book”. The book can be found here: Solve Ex 2.8 and 2.18 in the book. 2.In the previous question, you were asked to extend the While language with a new construct (a for loop). Extend the proof of theorem 2.26 in the book (semantic equivalence) to handle for commands. 3.Solve Ex 2.34 in the book. 4.Read Section 2.5 in the book and solve Ex Prove or disprove: The denotational semantics of any statement in the While language shown in the lectures is a monotone and continuous function. 6.Define a denotational semantics for the the While language extended with the random command. (The extension is described in Question 3). 3 (due next lesson)

Axiomatic Semantics C.A.R. Hoare Robert Floyd Edsger W. Dijkstra 4

A simple imperative language: While Abstract syntax: a ::= n | x | a 1 + a 2 | a 1  a 2 | a 1 – a 2 b ::= true | false | a 1 = a 2 | a 1  a 2 |  b | b 1  b 2 S ::= x := a | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S 5

Program correctness concepts Property = a certain relationship between initial state and final state Partial correctness = properties that hold if program terminates Termination = program always terminates – i.e., for every input state 6 partial correctness + termination = total correctness Other correctness concepts exist: resource usage, linearizability, … Mostly focus in this course Other notions of properties exist

Factorial example  S fac, s   s’ implies s’ y = (s x )! 7 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

Natural semantics for While 8  x := a, s   s[x  A  a  s] [ass ns ]  skip, s   s [skip ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

Semantics-based Proof 9  x := a, s   s[x  A  a  s] [ass ns ]  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]

Semantics-based Proof  S fac, s   s’ implies s’ y = (s x )! 10 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1) Tedious Correct? How do we check correctness? Rigorous vs. formal

Axiomatic verification approach What do we need in order to prove that the program does what it supposed to do? 11 Specify the required behavior Compare the behavior with the one obtained by the operational semantics Develop a proof system for showing that the program satisfies a requirement Mechanically (systematically) use the proof system to show correctness The meaning of a program language is a set of verification rules

Axiomatic Verification: Spec  S fac, s   s’ implies s’ y = (s x )! {x = N} S fac {y = N!} – {Pre-condition (s)} Command (S fac ) {post-state(s’)} – Not {true} S fac {y = x!} 12 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1)

Partial vs. Total Correctness  S fac, s   s’ implies s’ y = (s x )! {x = N} S fac {y = N!} – {Pre-condition (s)} Command (S fac ) {post-state(s’)} – Not {true} S fac {y = x!} [x = N] S fac [y = N!] 13 S fac  y := 1; while  (x=1) do (y := y*x; x := x–1) Hoare Triples

Verification: Assertion-Based [Floyd, ‘67] Assertion: invariant at specific program point – E.g., assert(e) use assertions as foundation for static correctness proofs specify assertions at every program point correctness reduced to reasoning about individual statements 14

Annotated Flow Programs 15 Reduction: Program verification is reduced to claims about the subject of discourse Straight line code: claims are determined “by construction”

Annotated Flow Programs 16 Reduction: Program verification is reduced to claims about the subject of discourse Straight line code: claims are determined “by construction” Cut points

Assertion-Based Verification [Floyd, ‘67] Assertion: invariant at specific program point – E.g., assert(e) Proof reduced to logical claims – Considering the effect of statements – But, not reusable Challenge: Finding invariants at cut points in loops 17

Floyd-Hoare Logic 1969 Use Floyd’s ideas to define axiomatic semantics – Structured programming No gotos Modular (reusable claims) – Hoare triples {P} C {Q} [P] C [Q] (often C ) – Define the programming language semantics as a proof system 18

Axiomatic semantics for While 19 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

Proofs: Inference trees Leaves are axiom Internal nodes correspond to composed statements Inference tree is called – Simple if tree is only an axiom – Composite otherwise Similar to derivation trees of natural semantics – Reasoning about immediate constituents 20

Factorial proof 21 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 }

Factorial proof 22 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } { b  P } S { P } { P } while b do S {  b  P }

Factorial proof 23 W = while (x  1) do (y:=y*x; x:=x–1) INV = x > 0  (y  x! = n!  n  x) { INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV} { INV[x-1/x] } x:=x-1 {INV} { INV } W {x=1  INV } { INV[1/y] } y:=1 { INV } { INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] } { x  1  INV } y:=y*x; x:=x–1 { INV } [comp] [cons] [while] [cons] { INV } W { y =n!  n>0 }{ x=n } y:=1 { INV } [cons] { x=n } while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } [comp] Goal: { x=n } y:=1; while (x  1) do (y:=y*x; x:=x–1) { y =n!  n>0 } { P’ } S { Q’ } { P } S { Q } if P  P’ and Q’  Q

Axiomatic semantics for While 24 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Inference rule for every composed statement Axiom for every primitive statement

Axiomatic semantics for While 25 { P[a/ x ] } x := a { P } [ass p ] { P } skip { P } [skip p ] { P } S 1 { Q },{ Q } S 2 { R } { P } S 1 ; S 2 { R } [comp p ] { b  P } S 1 { Q }, {  b  P } S 2 { Q } { P } if b then S 1 else S 2 { Q } [if p ] { b  P } S { P } { P } while b do S {  b  P } [while p ] { P’ } S { Q’ } { P } S { Q } [cons p ] if P  P’ and Q’  Q Notice similarity to natural semantics rules

Assignment rule A “backwards” rule x := a always finishes Why is this true? – Recall operational semantics: Example: {y*z<9} x:=y*z {x<9} What about {y*z<9  w=5} x:=y*z {w=5} ? 26  x := a, s   s[x  A  a  s] [ass ns ] s[x  A  a  s]  P

skip rule 27  skip, s   s [skip ns ]

Composition rule Holds when S 1 terminates in every state where P holds and then Q holds and S 2 terminates in every state where Q holds and then R holds 28  S 1, s   s’,  S 2, s’   s’’  S 1 ; S 2, s   s’’ [comp ns ]

Condition rule 29  S 1, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = tt [if tt ns ]  S 2, s   s’  if b then S 1 else S 2, s   s’ if B  b  s = ff [if ff ns ]

Loop rule Here P is called an invariant for the loop – Holds before and after each loop iteration – Finding loop invariants – most challenging part of proofs When loop finishes, b is false 30  while b do S, s   s if B  b  s = ff [while ff ns ]  S, s   s’,  while b do S, s’   s’’  while b do S, s   s’’ if B  b  s = tt [while tt ns ]

Rule of consequence Allows strengthening the precondition and weakening the postcondition The only rule that is not sensitive to the form of the statement 31

Rule of consequence 32 Why do we need it? Allows the following {y*z<9} x:=y*z {x<9} {y*z<9  w=5} x:=y*z {x<10}

Inference trees Similar to derivation trees of natural semantics Leaves are … Internal nodes correspond to … Inference tree is called – Simple if tree is only an axiom – Composite otherwise 33

Provability We say that an assertion { P } C { Q } is provable if there exists an inference tree – Written as  p { P } C { Q } 34

Validity s  P – P holds in state s  – program states { P } C { Q } is valid if  s, s’  . (s  P   C, s   s’)  s’  Q 35 P Q s s’ C

Soundness and completeness The inference system is sound: –  p { P } C { Q } implies  p { P } C { Q } The inference system is complete: –  p { P } C { Q } implies  p { P } C { Q } 36

Hoare logic is sound and (relatively) complete Soundness:  p { P } C { Q } implies  p { P } C { Q } (Relative) completeness:  p { P } C { Q } implies  p { P } C { Q } – Provided we can prove any implication R  R’ 37

Hoare logic is sound and (relatively) complete Soundness:  p { P } C { Q } implies  p { P } C { Q } (Relative) completeness:  p { P } C { Q } implies  p { P } C { Q } – Provided we can prove any implication R  R’ FYI, nobody tells us how to find a proof … 38

Is there an Algorithm? 39 { x =n } y := 1; { x >0  y * x !=n!  n  x } while  (x=1) do { x-1 >0  ( y*x) *( x-1) !=n!  n  (x-1) } y := y*x; { x-1 >0  y *( x-1) !=n!  n  (x-1) } x := x–1 { y * x !=n!  n >0 } Annotated programs provides a compact representation of inference trees

? 40

Predicate Transformers 41

Weakest liberal precondition A backward-going predicate transformer The weakest liberal precondition for Q is s  wlp(C, Q) if and only if ∀ s’. if  C, s   s’ then s’  Q Propositions: 1.  p { wlp(C, Q) } C { Q } 2.If  p { P } C { Q } then P  wlp(C, Q) 42

Strongest postcondition A forward-going predicate transformer The strongest postcondition for P is s’  sp(P, C) if and only if ∃ s’.  C, s   s’ and s  P Propositions: a.  p { P } C { sp(P, C) } b.If  p { P } C { Q } then sp(P, C)  Q 43

Predicate transformer semantics wlp and sp can be seen functions that transform predicates to other predicates – wlp  C  : Predicate  Predicate { P } C { Q } if and only if wlp  C  Q = P – sp  C  : Predicate  Predicate { P } C { Q } if and only if sp  C  P = Q 44

Hoare logic is (relatively) complete Proving  p { P } C { Q } implies  p { P } C { Q } is the same as proving  p { wlp(C, Q) } C { Q } Suppose that  p { P } C { Q } then (from proposition 2) P  { wlp(C, Q) } 45 { P } S { Q } { wlp(C, Q) } S { Q } [cons p ]

Calculating wlp 1.wlp( skip, Q) = Q 2.wlp( x := a, Q) = Q[a/ x ] 3.wlp(S 1 ; S 2, Q) = wlp(S 1, wlp(S 2, Q)) 4.wlp( if b then S 1 else S 2, Q) = (b  wlp(S 1, Q))  (  b  wlp(S 2, Q)) 5.wlp( while b do S, Q) = … ? hard to capture 46

Calculating wlp of a loop 47 wlp( while b do S, Q) = Idea: we know the following statements are semantically equivalent while b do S if b do ( S ; while b do S ) else skip Let’s try to substitute and calculate on wlp( if b do ( S ; while b do S ) else skip, Q) = (b  wlp(S ; while b do S, Q))  (  b  wlp( skip, Q)) = (b  wlp(S, wlp( while b do S, Q)))  (  b  Q) LoopInv = (b  wlp(S, LoopInv))  (  b  Q) We have a recurrence The loop invariant

Prove the following triple LoopInv = (b  wlp(S, LoopInv))  (  b  Q) Let’s substitute LoopInv with timer  0 Show that timer  0 is equal to (timer>0  wlp(timer:=timer-1, timer  0))  (timer  0  timer=0) = (timer>0  (timer  0)[timer-1/timer])  (timer  0  timer=0) = (timer>0  timer-1  0)  (timer  0  timer=0) = timer>0  timer=0 = timer  0 48 { timer  0 } while (timer > 0) do timer := timer – 1 { timer = 0 }

Issues with wlp-based proofs Requires backwards reasoning – not very intuitive Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing) Also, a few more rules will be helpful 49

Verification Conditions Generate assertions that describe the partial correctness of the program Use automatic theorem provers to show partial correctness Existing tools ESC/Java, Spec#

Verification condition for annotated commands S ::= skip | X := a | S; (X:=a) | S 0 ; {D} S 1 | if b then S 0 else S 1 | while b {D} do S vc({P} skip {Q}) = {P  Q} vc({P} X:= a {Q}) = {P  Q[a/X]} vc({P} S ; X:=a {Q}) = vc({P} S {Q[a/X]}) vc({P} S 0 ; {D} S 1 {Q}) = vc({P} S 0 {D})  vc({D} S 1 {Q}) vc({P} if b then S 0 else S 1 {Q}) = vc({P  b} S 0 {Q})  vc({P   b} S 1 {Q}) vc({P} while b {D} do c {Q}) = vc({D  b} c {D})  {P  D}  {D   b  Q}

Conjunction rule 52 Not necessary (for completeness) but practically useful Starting point of extending Hoare logic to handle parallelism Related to Cartesian abstraction – Will point this out when we learn it

Structural Rules 53 { P } C { Q } { P’ } C { Q’ } { P  P’ } C {Q  Q’ } [disj p ] { P } C { Q } {  v. P } C {  v. Q } [exist p ] v  FV( C) { P } C { Q } {  v. P } C {  v. Q } [univ p ] v  FV(C ) { F } C { F } Mod(C)  FV(F)={} [Inv p ] Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F

Invariance + Conjunction = Constancy 54 Mod(C) = set of variables assigned to in sub-statements of C FV(F) = free variables of F { P } C { Q } { F  P } C { F  Q } [constancy p ] Mod(C)  FV(F)={}

Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 55 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

“Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=y} x:=y+1 {x=y+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 56 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

Buggy sum program 57 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

Sum program Define Sum(0, n) = 0+1+…+n 58 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x)  x  y } { y  0  res=m  x=n  n  y  m=Sum(0, n) } while (x<y) do { y  0  res=m  x=n  m=Sum(0, n)  x<y  n<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n)  n<y } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n)  n<y } { y  0  res-x=Sum(0, x-1)  x-1<y } { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x  y  x  y } { y  0  res=Sum(0, y)  x=y } { res = Sum(0, y) } { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } Background axiom

Floyd’s strongest postcondition rule Example { z=x } x:=x+1 { ?  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 59 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

Floyd’s strongest postcondition rule Example { z=x } x:=x+1 {  v. x=v+1  z=v } This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on We will now see a variant of this rule 60 { P } x := a {  v. x=a[v/x]  P[v/x] } where v is a fresh variable [ass Floyd ]

“Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 61 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ] First evaluate a in the precondition state (as a may access x) Then assign the resulting value to x Create an explicit Skolem variable in precondition

“Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 62 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

“Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 63 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

“Small” assignment axiom Examples: {x=n} x:=5*y {x=5*y} {x=n} x:=x+1 {x=n+1} {x=n} x:=y+1 {x=y+1} [exist p ] {  n. x=n} x:=y+1 {  n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancy p ] {z=9} x:=y+1 {z=9  x=y+1} 64 { x=v } x:=a { x=a[v/x] } where v  FV(a) [ass floyd ]

Sum program Define Sum(0, n) = 0+1+…+n 65 { y  0 } x := 1 { y  0  x=1 } res := 0 { y  0  x=1  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=m  x=n  n  y+1  m=Sum(0, n-1) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  x<y  n  y+1 } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } x := x+1 { y  0  res=m+x  x=n+1  m=Sum(0, n-1)  n  y+1 } { y  0  res-x=Sum(0, x-1)  x-1<y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } // axm-Sum { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

Buggy sum program 66 { y  0 } x := 0 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x) } = { y  0  res=m  x=n  m=Sum(0, n) } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n)  x  y  n  y } x := x+1 { y  0  res=m  x=n+1  m=Sum(0, n)  n  y} res := res+x { y  0  res=m+x  x=n+1  m=Sum(0, n)  n  y} { y  0  res-x=Sum(0, x-1)  n  y} { y  0  res=Sum(0, x) } { y  0  res=Sum(0, x)  x>y }  {res = Sum(0, y) }

Sum program Define Sum(0, n) = 0+1+…+n 67 { y  0 } x := 1 { y  0  x=0 } res := 0 { y  0  x=0  res=0 } Inv = { y  0  res=Sum(0, x-1)  x  y+1 } while (x  y) do { y  0  res=m  x=n  m=Sum(0, n-1)  n  y+1  x<y } res := res+x { y  0  res=m+x  x=n  m=Sum(0, n-1)  n  y+1 } { y  0  res=Sum(0, n)  x=n  n  y+1 } // axm-Sum x := x+1 { y  0  res=Sum(0, n)  x=n+1  n  y+1 } { y  0  res=Sum(0, x-1)  x  y+1 } { y  0  res=Sum(0, x-1)  x  y+1  x>y } { y  0  res=Sum(0, x-1)  x=y+1 } { y  0  res=Sum(0, y) } { res = Sum(0, y) } Background axiom { x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) } [axm-Sum]

Example 1: Absolute value program 68 { } if x<0 then x := -x else skip { }

Absolute value program 69 { x=v } if x 0 } else { x=v  x  0 } skip { x=v  x  0 } { v<0  x=-v  v  0  x=v} { x=|v| }

Example 2: Variable swap program 70 { } t := x x := y y := t { }

Variable swap program 71 { x=a  y=b } t := x { x=a  y=b  t=a } x := y { x=b  y=b  t=a } y := t { x=b  y=a  t=a } { x=b  y=a } // cons

Example 3: Axiomatizing data types 72 We added a new type of variables – array variables – Model array variable as a function y : Z  Z We need the two following axioms: S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S y[x  a](x) = a z  x  y[x  a](z) = y(z)

Array update rules (wp) Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? X : y(v) 73 S ::= x := a | x := y [ a ] | y [ a ] := x | skip | S 1 ; S 2 | if b then S 1 else S 2 | while b do S [array-update] { P[y[a  x]/y] } y[a] := x { P } [array-load] { P[y(a)/x] } x := y[a] { P } A very general approach – allows handling many data types

Array update rules (wp) example Treat an array assignment y[a] := x as an update to the array function y – y := y[a  x] meaning y’=  v. v=a ? x : y(v) 74 [array-update] { P[y[a  x]/y] } y[a] := x { P } {x=y[i  7](i)} y[i]:=7 {x=y(i)} {x=7} y[i]:=7 {x=y(i)} [array-load] { P[y(a)/x] } x := y[a] { P } {y(a)=7} x:=y[a] {x=7}

Array update rules (sp) 75 [array-update F ] { x=v  y=g  a=b } y[a] := x { y=g[b  v] } [array-load F ] { y=g  a=b } x := y[a] { x=g(b) } In both rules v, g, and b are fresh

Array-max program 76 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x { x=N } 2.{  m. (m  0  m<N)  nums(m)  res } 3.{  m. m  0  m<N  nums(m)=res } 4.{ nums=orig_nums }

Array-max program 77 nums : array N : int // N stands for num’s length { N  0  nums=orig_nums } x := 0 res := nums[0] while x res then res := nums[x] x := x + 1 Post 1 : { x=N } Post 2 : { nums=orig_nums } Post 3 : {  m. 0  m<N  nums(m)  res } Post 4 : {  m. 0  m<N  nums(m)=res }

Summary C programming language P assertions {P} C {Q} judgments { P[a/ x ] } x := a { P } proof Rules – Soundness – Completeness {x = N} y:=factorial(x) { y = N!} proofs 78

Extensions to axiomatic semantics Assertions for parallelism – Owicki-Gries – Concurrent Separation Logic – Rely-guarantee Assertions for dynamic memory – Separation Logic Procedures Total correctness assertions Assertions for execution time – Exact time – Order of magnitude time 79