Presentation is loading. Please wait.

Presentation is loading. Please wait.

Predicate Transformers

Published byMargery Crawford Modified over 6 years ago

Similar presentations

Presentation on theme: "Predicate Transformers"— Presentation transcript:

1 Predicate Transformers
Axiomatic Semantics Predicate Transformers Calculating with programs : Reasoning reduced to symbol manipulation. Helps determine precise Boundary conditions. Formalizing intuitions. ceg860(Prasad) Lwp

2 Motivation Problem Specification Program Input Output
Properties satisfied by the input and expected of the output (usually described using “assertions”). E.g., Sorting problem Input : Sequence of numbers Output: Permutation of input that is ordered. Program Transform input to output. ceg860(Prasad) Lwp

3 Sorting algorithms Bubble sort; Shell sort; Insertion sort; Selection sort; Merge sort; Quick sort; Heap sort; Axiomatic Semantics To facilitate proving that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states. ceg860(Prasad) Lwp

4 Axiomatic Approaches Hoare’s Proof System (partial correctness)
Dijkstra’s Predicate Transformer (total correctness) Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc. Hoare Triples : {P} S {Q} pre-condition statements post-condition (assertion) (program) (assertion) ceg860(Prasad) Lwp

5 Swap Example States : Variables -> Values
{ x = n and y = m } t := x; x := y; y := t; { x = m and y = n } program variables vs ghost/logic variables States : Variables -> Values Assertions : States > Boolean (= Powerset of States) ceg860(Prasad) Lwp

6 Partial vs Total Correctness
{P} S {Q} S is partially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q. S is totally correct for P and Q if and only if whenever S is executed in a state satisfying P , then the execution terminates, and the resulting state satisfies Q. Logical Implication : IF false THEN (1 = 2) is valid. ceg860(Prasad) Lwp

7 Examples Totally correct (hence, partially correct)
{ false } x := 0; { x = 111 } { x = 11 } x := 0; { x = 0 } { x = 0 } x := x + 1; { x = 1 } {false} while true do; {x = 0} {y = 0} if x <> y then x:= y; { x = 0 } Not totally correct, but partially correct {true} while true do; {x = 0} Not partially correct {true} if x < 0 then x:= -x; { x > 0 } 1. False = empty set of states. Precondition unsatisfiable so Hoare triple trivially valid. 2. Strong precondition 4. Nontermination. 5. Multipath program : Else null statement; 6. Partially correct because the IF-part of definition not met, so there are no guarantees from THEN. 7. Modify the precondition to get a valid triple. ceg860(Prasad) Lwp

8 Axioms and Inference Rules
Assignment axiom {Q[e]} x := e; {Q[x]} Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q} Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y} {x = y} x:=x+1; y:=y+1; {x = y} Substituition ceg860(Prasad) Lwp

9 Generating additional valid triples {P} S {Q} from {P’} S {Q’}
States States P’ Q P Q’ Subtle Point: The program transforms a state into another state. (point to point map) Assertions characterize mapping from collection of states to collection of states. They deal with the delineating boundary as it were. ceg860(Prasad) Lwp

10 Rule of Consequence {P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q}
Strengthening the antecedent Weakening the consequent Example {x=0 and y=0} x:=x+1;y:=y+1; {x = y} {x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics [boolean algebra + arithmetic] ) ceg860(Prasad) Lwp

11 Predicate Transformers
Assignment wp( x := e , Q ) = Q[x<-e] Composition wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) Correctness {P} S {Q} = (P => wp( S , Q)) For programs without loops (and recursion) Hoare’s and Dijkstra’s approach converge. ceg860(Prasad) Lwp

12 Correctness Illustrated
P => wp( S , Q) States States Q wp(S,Q) P ceg860(Prasad) Lwp

13 Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y}
wp(y:=y+1; , {x = y}) = { x = y+1 } wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 } wp(x:=x+1;y:=y+1; , {x = y}) = { x = y } { x = 0 and y = 0 } => { x = y } ceg860(Prasad) Lwp

14 Conditionals { P and B } S1 {Q} {P and not B } S2 {Q}
{P} if B then S1 else S2; {Q} wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and (not B => wp(S2,Q)) = (B and wp(S1,Q)) or (not B and wp(S2,Q)) ceg860(Prasad) Lwp

15 “Invariant”: Summation Program
{ s = i * (i + 1) / 2 } i := i + 1; s := s + i; Intermediate Assertion ( s and i different) { s + i = i * (i + 1) / 2 } Weakest Precondition { s+i+1 = (i+1) * (i+1+1) / 2 } ceg860(Prasad) Lwp

16 while-loop : Hoare’s Approach
{Inv and B} S {Inv} {Inv} while B do S {Inv and not B} Proof of Correctness {P} while B do S {Q} = P => Inv and {Inv} B {Inv} and {Inv and B} S {Inv} and {Inv and not B => Q} + Loop Termination argument ceg860(Prasad) Lwp

17 {I} while B do S {I and not B}
{I and B} S {I} 0 iterations: {I} {I and not B} ^not B holds 1 iteration: {I} S {I and not B} ^B holds ^ not B holds 2 iterations: {I} S ; S {I and not B} ^B holds ^B holds ^ not B holds Infinite loop if B never becomes false. ceg860(Prasad) Lwp

18 Example1 : while-loop correctness
{ n>0 and x=1 and y=1} while (y < n) [ y++; x := x*y;] {x = n!} Choice of Invariant {I and not B} => Q {I and (y >= n)} => (x = n!) I = {(x = y!) and (n >= y)} Precondition implies invariant { n>0 and x=1 and y=1} => { 1=1! and n>=1 } ceg860(Prasad) Lwp

19 Verify Invariant Termination {I and B} => wp(S,I)
wp( y++; x:=x*y; , {x=y! and n>=y}) = { x=y! and n>=y+1 } I and B = { x=y! and n>=y } and { y<n } = { x=y! and n>y } Termination Variant : ( n - y ) y : > > … -> n (n-y) : (n-1) -> (n-2) -> … -> 0 ceg860(Prasad) Lwp

20 while-loop : Dijkstra’s Approach
wp( while B do S , Q) = P0 or P1 or … or Pn or … = there exists k >= 0 such that Pk Pi : Set of states causing i-iterations of while-loop before halting in a state in Q. P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk) ceg860(Prasad) Lwp

21 ... P0 => wp(skip, Q) P0 subset Q P1 => wp(S, P0) States wp Q
ceg860(Prasad) Lwp

22 Example2 : while-loop correctness
P0 = { y >= n and x = n! } Pk = B and wp(S,Pk-1) P1 = { y<n and y+1>=n and x*(y+1) = n! } Pk = y=n-k and x=(n-k)! Weakest Precondition Assertion: Wp = there exists k >= 0 such that P0 or {y = n-k and x = (n-k)!} Verification : P = n>0 and x=1 and y=1 For i = n-1: P => Wp ceg860(Prasad) Lwp

23 Induction Proof Hypothesis : Pk = {y=n-k and x=(n-k)!}
Pk+1 = { B and wp(S,Pk) } = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!) Valid preconditions: { n = 4 and y = 2 and x = 2 } (k = 2) { n = 5 and x = 5! And y = 6} (no iteration) ceg860(Prasad) Lwp

Download ppt "Predicate Transformers"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch. 10.1 - 10.2.

1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
Duminda WijesekeraSWSE 623 - Program Correctness1 SWSE 623 Program Correctness -Pre-condition, Post-conditions and Loop invariants.

Duminda WijesekeraSWSE Program Correctness1 SWSE 623 Program Correctness -Pre-condition, Post-conditions and Loop invariants.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.

Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLine’s CSE 503, Software Engineering University of Washington 26 Apr 2004.

Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLine’s CSE 503, Software Engineering University of Washington 26 Apr 2004.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
PSUCS322 HM 1 Languages and Compiler Design II Formal Semantics Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU Spring.

PSUCS322 HM 1 Languages and Compiler Design II Formal Semantics Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU Spring.

Similar presentations

Ads by Google