Axiomatic Semantics Will consider axiomatic semantics (A.S.) of IMP:

1 Axiomatic Semantics
Will consider axiomatic semantics (A.S.) of IMP:
  <stmt> ::= skip | <assign> | <if> | <while> | <stmt>; <stmt> | <input> | <output>
Only integer vars; no procedures/fns; vars declared implicitly
References: Kurtz (ch. 11); Pagan (ch. 4.3)
Summary: For each type of <stmt>, will define its a.s. via an axiom or rule of inference (or just "rule"). Using these, will be able to show (i.e., derive) that a given program behaves according to its specification.
CSE 6341, part3

2 Preliminaries
State: State σ of a program P is a function that maps the program variables of P to their values in that state.
Example: <x = 1, y = 2, z = 3>; or: σ(x) = 1; σ(y) = 2; σ(z) = 3 (assuming P has 3 prog. vars., x, y, z)
Usually have to deal with a set of states:
  { <x = 1, y = 2, z = 1>, <x = 1, y = 2, z = 2>, <x = 1, y = 2, z = 3> }
Better: Specify an assertion (or predicate, or condition) satisfied by all the states in that set and no others:
  [ (x = 1) ∧ (y = 2) ∧ (1 ≤ z ≤ 3) ]
Important: Assertion ↔ Set of states that satisfy the assertion

3 Assertions/sets of states
  [ (x = 1) ∧ (1 ≤ y ≤ 5) ∧ (1 ≤ z ≤ 10) ] : set with 50 states
  [ (x = 1) ∧ (y = 2) ] : an infinite set
  [ (x = 1) ∧ (1 ≤ y ≤ 5) ] : an 'even bigger' set
  [ x = y + z ] : ...
  [ x = x ] : the set of all states (true)
  [ x ≠ x ] : the empty set (false)

4 Assertions/sets of states
Convention: p ↔ P (p is an assertion; P the corresponding set of states)
  [p ∧ q] ↔ P ∩ Q
  [p ∨ q] ↔ P ∪ Q
  [¬p] ↔ −P (or, rather, "P bar"; i.e., U − P; U: universal set)

5 Assertions/sets of states (contd)
"⇒" (implication) can be thought of as a relation between two assertions:
  [p ⇒ q] : [P ⊆ Q]
  [p ⇒ true] : [P ⊆ U]
  [false ⇒ p] : [∅ ⊆ P]
Can also think of "⇒" as a single assertion: [p ⇒ q] : (¬p ∨ q)
Thus:
  [p ⇒ true] : true
  [false ⇒ p] : true
  [p ⇒ p] : true (??)
  [p ⇒ ¬p] : false (??)
  [(x  1) ⇒ (x = 2)] : ??
The context will tell us whether to think of implication as a relation between assertions or as a single assertion

6 Assertions (contd.)
"x < y" is a syntactic entity when it appears in a program. Elsewhere it is an assertion (satisfied by some states and not others).
A state σ satisfies the assertion x < y if (and only if) σ(x) is less than σ(y)
Notation: σ |= (x < y) : "σ satisfies (x < y)"

7 Key Notation
The result {p} S {q} (where p, q are assertions and S is a statement) is operationally valid if: if we start execution of S in any state σ ∈ P, the final state σ' when S finishes execution will belong to Q
Examples:
  {x = 1} skip {x = 1} : (Operationally) valid
  {(x=1) ∧ (y=2)} skip {x = 1} : Valid
  {x = 1} skip {(x=1) ∧ (y=2)} : Invalid (op. invalid)
  {x = 1} skip {(x=1) ∨ (y=2)} : Valid
  {(x=1) ∨ (y=2)} skip {x = 1} : ??
  {(x=1) ∧ (y=2)} skip { true } : ??
  {(x=1) ∧ (y=2)} skip { false } : ??

8 "Results" (contd.)
  {(x=1) ∧ (y=2)} x := x+1 {(x=2) ∧ (y=2)} : Valid
  {(u=1) ∧ (v=2)} x := x+1 {(v = u+1)} : ??
  {x=0} while (x < 10) do x := x+1 end {x=10} : Valid
What if the loop doesn't terminate?
  {x ≥ 0} while (x < 10) do x := x+1 end {x=10} : ??
  {x ≥ 0} while (x < 10) do x := x+1 end {x ≥ 10} : ??

9 "Results" (contd.)
{ p } S { q } is a partial correctness result. It is valid if it is the case that: if we start execution of S in any state σ ∈ P, and if the execution terminates, then the final state σ' satisfies q
  {x = 0} while (x ≠ 10) do x := x+1 end {x = 10} : Valid
  { true } while (x ≠ 10) do x := x+1 end {x = 10} : Also valid
Axiomatic semantics: provides a non-operational approach -- in the form of a set of axioms and rules of inference -- using which we can 'axiomatically derive' our results

10 Terminology (*important*!)
Assertion: may be Satisfied or Not Satisfied by a particular state
Result: may be Valid or Invalid in a given (operational) model
Result: may be Derivable or Not Derivable in a given axiom system
Some meaningless statements:
  "{p} S {q} is true" (note: true is a particular assertion)
  "{p} S {q} is valid for some states"
  "(The assertion) p is not valid"

11 Relation Between A.S. & Model
If a given result is derivable in a given axiom system A, will it be valid in an operational model M? Not necessarily.
Soundness (also "consistency"): An axiom system A is sound/consistent with model M if every result derivable using the axioms/rules of A is valid in M; i.e.:
  |-A {p} S {q}  ⇒  |=M {p} S {q}
Completeness: An axiom system A is complete with respect to model M if every result that is valid in M is derivable using the axioms/rules of A:
  |=M {p} S {q}  ⇒  |-A {p} S {q}

12 Axiomatic Semantics of IMP
A.S.: A collection of "axioms" and "rules of inference" ("rules") specified using the same {p} S {q} notation
A0: skip axiom
  { p } skip { p }   where p is any assertion
Using this, can derive:
  { (x = 1) ∧ (y = 2) } skip { (x = 1) ∧ (y = 2) }
by taking p to be the assertion (x = 1) ∧ (y = 2) & using A0
Cannot derive:
  { (x = 1) } skip { (x = 1) ∧ (y = 2) }   which is good (why?)
  { (x = 1) ∧ (y = 2) } skip { (x = 1) }   which is bad (why?)

13 Axiomatic Semantics of IMP
R0: Rule of Consequence:
  { p } S { q' },  q' ⇒ q
  -----------------------
      { p } S { q }
(p, q, q': any assertions; S: any stmt)
Using R0 (and A0) we can derive: { (x = 1) ∧ (y = 2) } skip { (x = 1) }
Another form of the rule of consequence:
  p ⇒ p',  { p' } S { q }
  -----------------------
      { p } S { q }
(p, q, p': any assertions; S: any stmt)
Consider other forms of consequence (including inconsistent ones?)

14 Axiomatic Semantics of IMP (contd)
A1. Assignment axiom:
  { p_x^e } x := e { p }
where p is any assertion; p_x^e is obtained from p by (simultaneously) replacing all occurrences of x in p by e. (Note: p_x^e ≡ p[x/e])
We can derive:
  { x+1 = y+z } x := x+1 { x = y+z }   (take p to be x = y+z)
  { y+z ≥ 0 } x := y+z { x ≥ 0 }   (take p to be x ≥ 0)
Operational Justification: If we want the state following the assignment to satisfy p, the state before it should satisfy the same assertion, except with the value of e satisfying the conditions expected of the value of x
  { y+z = y+z } x := y+z { x = y+z }   (take p to be x = y+z)

15 Axiomatic Semantics of IMP (contd.)
Caution: In axiomatic derivations, you are only allowed to use the axioms and rules of the system; no appeals to operational intuitions. If you make such appeals, you have an operational argument, not an axiomatic derivation.
Summary: The axiomatic semantics of a language consists of:
  An axiom for each atomic statement
  A rule (of inference) for each compound stmt
  + Logical rules

16 Axiomatic Semantics of IMP (contd)
R1: Sequential Composition:
  { p } S1 { q' },  { q' } S2 { q }
  ---------------------------------
        { p } S1; S2 { q }
(p, q', q: any assertions; S1, S2: any stmts.)
Using this, the skip axiom, & the assignment axiom, we can derive: {x+1 = y+z} skip; x := x+1 {x = y+z}
Operational Justification: If the state before S1 starts execution satisfies p, then { p } S1 { q' } guarantees that the state when S1 finishes will satisfy q'; hence { q' } S2 { q } guarantees that the state when S2 finishes will satisfy q; hence the conclusion of the rule follows given these two results.
Caution: In (axiomatic) derivations, no appeals to operational intuitions!

17 Axiomatic Semantics of IMP (contd)
write e ≡ out := out ^ e
A2. write axiom:
  { p[out / out^e] } write e { p }   (where p is any assertion)
read x ≡ ( x := head(in); in := tail(in) )
  { (p[in/tail(in)])[x/head(in)] } x := head(in); { p[in/tail(in)] } in := tail(in) { p }
A3. read axiom:
  { (p[in/tail(in)])[x/head(in)] } read x { p }   (p: any assertion)

18 Axiomatic Semantics of IMP (contd)
Problem: Derive the following result (axiomatically):
  { (in = <3, 4>) ∧ (out = <>) } read x; read y; write (x+y); { out = <7> }
Derivation (or "proof") outline:
  { (in = <3, 4>) ∧ (out = <>) }
    (rule of cons.)
  { out^(head(in) + head(tail(in))) = <7> }
    (read axiom)
  read x;
  { out^(x + head(in)) = <7> }
    (read axiom)
  read y;
  { out^(x + y) = <7> }
    (write axiom)
  write (x+y);
  { out = <7> }

19 Axiomatic Semantics of IMP (contd)
R2: If-then-else:
  { p ∧ b } S1 { q },  { p ∧ ¬b } S2 { q }
  ----------------------------------------
    { p } if b then S1 else S2 { q }
Operational Justification: Suppose we start in a state σ ∈ P. There are two ways to proceed: if σ ⊨ b, execute S1; if not, execute S2. In either case, the hypotheses (assuming they are valid) guarantee that the final state will satisfy q. Hence the conclusion follows.
Caution: In (axiomatic) derivations, no appeals to operational intuitions!

20 Axiomatic Semantics of IMP (contd)
Problem: Derive the following result (axiomatically):
  { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }
1. { (y = 1) ∧ (y = 1) } x := 1 { x = 1 }   (by Ass. ax., rule of conseq.)
2. { 2 = 1 } x := 2 { x = 1 }   (by Ass. ax., rule of conseq.)
3. { (y = 1) ∧ (y ≠ 1) } x := 2 { x = 1 }   (by (2), rule of conseq.)
4. { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }   (by (1), (3), and the if-then-else rule)
Derive:
  { true } if (y = 1) then x := 1 else x := 2 { (x = 1) ∨ (x = 2) }
  { true } if (y = 1) then ... { [(y=1) ∧ (x = 1)] ∨ [(y≠1) ∧ (x = 2)] }

21 Axiomatic Semantics of IMP (contd)
R3: while rule:
  p ⇒ q,  { q ∧ b } S { q },  (q ∧ ¬b) ⇒ r
  ----------------------------------------
         { p } while b do S { r }
The following rule, given the rule of conseq., is equivalent:
  { q ∧ b } S { q }
  -------------------------------
  { q } while b do S { q ∧ ¬b }
I.e.: Any result derivable using R3 is derivable using the above
Operational justification: ...
R3 is complete ... somewhat surprising: we can always find an appropriate loop invariant

22 Problem: Derive the following result (axiomatically):
  {(x ≥ 0) ∧ (y > 0)}
  q := 0; r := x;
  while ((r-y) ≥ 0) do q := q+1; r := r-y; end
  { (x = q*y + r) ∧ (0 ≤ r < y) }
Take loop invariant p to be: p ≡ [(x = q*y + r) ∧ (0 ≤ r) ∧ (y > 0)]
Derivation outline:
  {(x ≥ 0) ∧ (y > 0)}
  q := 0; r := x;
  {(x ≥ 0) ∧ (y > 0) ∧ (q=0) ∧ (r=x)}
  { p }
  while ...
  {p ∧ ¬((r-y) ≥ 0)}
Key step 1: { p ∧ ((r-y) ≥ 0) } q:=q+1; r:=r-y {p}   (by ass. ax., seq. comp., conseq.)
Key step 2: [p ∧ ¬((r-y) ≥ 0)] ⇒ [(x = q*y + r) ∧ (0 ≤ r < y)]   (by math logic/oracle)
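Added example (not from the slides): the read/write/assignment axioms of slides 14-18 and the while rule of slides 21-22, read semantically in Python. Assertions are predicates on a state dict, statements are state transformers, the substitution p[x/e] becomes "evaluate p in the updated state", and the rule premises are checked over a constructed bounded sample of states (a sanity check, not a proof).

```python
# Added example, not from the slides: assertions are Python predicates on a state
# (a dict), statements are state transformers, and the substitutions in A1/A2/A3
# are read semantically as "evaluate p in the updated state". Sequences are tuples.
from itertools import product

def assign(x, e):          # A1:  x := e
    return lambda s: {**s, x: e(s)}
def read(x):               # A3:  read x  ==  x := head(in); in := tail(in)
    return lambda s: {**s, x: s["in"][0], "in": s["in"][1:]}   # fails on in = <> (slide 29)
def write(e):              # A2:  write e ==  out := out ^ e
    return lambda s: {**s, "out": s["out"] + (e(s),)}
def seq(*stmts):           # R1:  S1; S2; ...
    def run(s):
        for st in stmts:
            s = st(s)
        return s
    return run

def wp(stmt, q):
    """q pushed back through a loop-free statement by the axioms above."""
    return lambda s: q(stmt(s))

def consequence_ok(p, stmt, q, states):
    """R0 on sample states: p => wp(stmt, q) wherever p holds."""
    return all(wp(stmt, q)(s) for s in states if p(s))

def while_rule_ok(p, b, body, r, states):
    """R3 with q := p: {p and b} body {p}  and  (p and not b) => r."""
    return (all(p(body(s)) for s in states if p(s) and b(s))
            and all(r(s) for s in states if p(s) and not b(s)))

# Slide 18:  { in = <3,4> and out = <> }  read x; read y; write (x+y)  { out = <7> }
PROG18 = seq(read("x"), read("y"), write(lambda s: s["x"] + s["y"]))
PRE18 = lambda s: s["in"] == (3, 4) and s["out"] == ()
STATES18 = [{"in": (3, 4), "out": (), "x": x, "y": y} for x in range(-3, 4) for y in range(-3, 4)]
def slide18_ok(post=lambda s: s["out"] == (7,)):
    return consequence_ok(PRE18, PROG18, post, STATES18)

# Slide 22: division; invariant p == (x = q*y + r) and (0 <= r) and (y > 0)
INV = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and s["r"] >= 0 and s["y"] > 0
GUARD = lambda s: s["r"] - s["y"] >= 0
BODY = seq(assign("q", lambda s: s["q"] + 1), assign("r", lambda s: s["r"] - s["y"]))
POST = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] < s["y"]
INIT = seq(assign("q", lambda s: 0), assign("r", lambda s: s["x"]))
STATES22 = [dict(zip("xyqr", v)) for v in product(range(-2, 9), repeat=4)]   # constructed sample
def slide22_ok(inv=INV):
    pre = lambda s: s["x"] >= 0 and s["y"] > 0
    return (consequence_ok(pre, INIT, inv, STATES22)          # p => q, via the two assignments
            and while_rule_ok(inv, GUARD, BODY, POST, STATES22))
```

Dropping the conjunct (0 ≤ r) from the invariant makes the exit premise (key step 2) fail on states with a negative r, which the sample check reports as False.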

23 Derive: {in = <1,2,3, ..., 100> ∧ out = <>} read x; while (x ≠ 100) do write x; read x; end {out = <1, 2, ..., 99>}
Take loop invariant p to be: p ≡ [out^x^in = <1,2, ..., 100>]
Derivation outline:
  {in = <1,2,3, ..., 100> ∧ out = <>}
  read x;
  {(x=1) ∧ (in = <2,3, ..., 100>) ∧ (out = <>)}
  {out^x^in = <1,2, ..., 100>}
  while ...
  {(out^x^in = <1,2, ..., 100>) ∧ (x = 100)}

24 Derive: {in = <1,2,3, ..., 100> ∧ out = <>} s := 0; read x; while (x ≠ 100) do s := s+x; read x; end { s = Σ_{k=0..99} k }
Take loop invariant p to be:
  [(#in = 100−x) ∧ ∀k.[(0 < k ≤ #in) ⇒ (in[k] = x+k)] ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x−1)} k)]
A more intuitive loop invariant:
  [(in = <x+1, ..., 100>) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x−1)} k)]
Key step: {p ∧ (x ≠ 100)} s := s+x; read x; {p}
Note: (head(in) = x+1) [implied by p] is important in showing that (p ∧ (x ≠ 100)) implies p' [obtained by taking p back through the two statements]

25 (In)Completeness
R3: while rule:
  p ⇒ q,  { q ∧ b } S { q },  (q ∧ ¬b) ⇒ r
  ----------------------------------------
         { p } while b do S { r }
A simpler rule:
  p ⇒ q,  { q } S { q },  (q ∧ ¬b) ⇒ r
  ------------------------------------
         { p } while b do S { r }
Using this rule, we can derive: { x=0 } while (x ≠ 10) do x := x+1 { x = 10 }
Take p to be (x=0) and q to be true

26 (In)Completeness (contd.)
The rule is incomplete:
  p ⇒ q,  { q } S { q },  (q ∧ ¬b) ⇒ r
  ------------------------------------
         { p } while b do S { r }
Cannot derive: { x=0 ∧ y=0 } while (x ≠ 0) do y := y+1 { x=0 ∧ y=0 }
Proof: Suppose we could. Then there must exist q such that:
  a. (x=0 ∧ y=0) ⇒ q
  b. {q} y := y+1 {q}
  c. (q ∧ x=0) ⇒ (x=0 ∧ y=0)
Then <x=0, y=0, z=0> ∈ Q [by (a)]
Hence <x=0, y=1, z=0> ∈ Q [by (b)]
Hence <x=0, y=1, z=0> ∈ Q ∩ (x=0) [why?]
But <x=0, y=1, z=0> is not in (x=0 ∧ y=0)
Hence such a q cannot exist!

27 Consistency/Completeness
How do you show a system A is consistent and/or complete (with respect to a model M)? Generally a tedious task.
Special case: If we are told that A' is consistent/complete and A is obtained from A' by making some changes to some rules of A', we may be able to use the following approach:
  Completeness: Show that all results derivable in A' are also derivable in A. Then completeness of A' implies completeness of A (with respect to the same model).
  Consistency: Show that all results derivable in A are also derivable in A'. Then consistency of A' implies consistency of A (with respect to the same model).

28 Axiomatic Semantics of IMP (contd)
Suppose we change the if-then-else rule:
  { p ∧ b } S1 { q },  { p ∧ ¬b } S2 { q }
  ----------------------------------------
    { p } if b then S1 else S2 { q }
To:
  { p ∧ b } S1 { q ∧ b },  { p ∧ ¬b } S2 { q ∧ ¬b }
  ------------------------------------------------
    { p } if b then S1 else S2 { q }
The resulting system will be consistent: show that every result derivable in the new system is derivable in the original system
Completeness?

29 Total Correctness
How do we derive: { in = <> } read x { false } ?   (1)
We can't! A better axiom for read:
  (p ∧ in ≠ <>) ⇒ (q[in/tail(in)])[x/head(in)]
  ---------------------------------------------
             { p } read x { q }
With this axiom, we can derive (1).
Also suggests a total correctness axiom for read:
  p ⇒ [ in ≠ <> ∧ (q[in/tail(in)])[x/head(in)] ]
  ----------------------------------------------
             < p | read x | q >

30 Total Correctness (contd.)
Similar considerations for assignment: { (x=0) ∧ (y=3) } z := y/x { false } ?   (1)
We can't! A better axiom:
  (p ∧ D(e)) ⇒ q[x/e]
  -------------------
   { p } x := e { q }
With this axiom, we can derive (1).
Also suggests a total correctness axiom:
  p ⇒ [ D(e) ∧ q[x/e] ]
  ---------------------
   < p | x := e | q >

31 Total Correctness (contd.)
Total correctness rule for while:
  (p ∧ b) ⇒ (f > 0),  < p ∧ b ∧ f=k | S | p ∧ (f < k) >
  -----------------------------------------------------
           < p | while b do S | p ∧ ¬b >
a. Why does f have to be an integer function of the state?
b. What if b is not well defined?
c. What would happen if we change "<...|..|..>" in the second line to "{...}..{..}"?
The other rules are essentially the same as the corresponding partial correctness rules:
  < p | S1 | q1 >,  < q1 | S2 | q >
  ---------------------------------
        < p | S1; S2 | q >

32 Total Correctness (contd.)
Derive: < s=0 ∧ x=0 | while x ≠ 10 do x:=x+1; s:=s+x; end | s = Σ_{n=0..10} n >
Loop invariant: p ≡ (0 ≤ x ≤ 10 ∧ s = Σ_{n=0..x} n)
Progress function (also called "progress metric", "convergence function", etc.): f(x,s) ≡ (10 − x)
Check: (p ∧ (x ≠ 10)) ⇒ (f > 0) : easy
Derive: < p ∧ (x ≠ 10) ∧ (f=k) | x:=x+1; s:=s+x | p ∧ (f < k) > : exercise
Hence the original result follows from the rule for loops

33 Non-determinism
Guarded commands:
Selection: [ b1 → S1 | b2 → S2 | ... | bn → Sn ]
To execute: choose any bi that evaluates to true and execute the corresponding Si; if all bi are false, error
e.g.: [ x ≥ y → z := x | y ≥ x → z := y ] : sets z to the larger of x, y
Repetition: *[ b1 → S1 | b2 → S2 | ... | bn → Sn ]
To execute: choose any bi that evaluates to true and execute the corresponding Si. Repeat until, after some no. of iterations, all bi evaluate to false; at that point, stop. Loop may not terminate, or may terminate in 0 iterations
e.g.: *[ x1 > x2 → exch(x1, x2) | x2 > x3 → exch(x2, x3) | x3 > x4 → exch(x3, x4) ] : sorts [x1, x2, x3, x4]

34 Axiomatics of non-determinism
Selection:
  { p ∧ b1 } S1 { q },  { p ∧ b2 } S2 { q },  ...,  { p ∧ bn } Sn { q }
  --------------------------------------------------------------------
        { p } [ b1 → S1 | b2 → S2 | ... | bn → Sn ] { q }
Repetition:
  { p ∧ b1 } S1 { p },  { p ∧ b2 } S2 { p },  ...,  { p ∧ bn } Sn { p }
  --------------------------------------------------------------------
    { p } *[ b1 → S1 | ... | bn → Sn ] { p ∧ ¬b1 ∧ ¬b2 ∧ ... ∧ ¬bn }
In the selection rule, what if none of the bi's evaluates to true?
Total correctness rules?
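Added example (not from the slides): an interpreter for guarded-command repetition that follows every enabled guard, so all nondeterministic outcomes are visible, together with a sample-state check of the repetition rule of slide 34 on the exchange sort of slide 33. It assumes states are tuples (x1, ..., x4), a bounded "fuel" counter to flag loops that may not terminate, and a constructed start state.

```python
# Added example, not from the slides: guarded-command repetition *[ b1 -> S1 | ... ]
# explored over every enabled guard, plus the repetition rule {p and bi} Si {p}
# checked on sample states for the exchange sort of slide 33.
from itertools import permutations

def exch(i, j):              # exch(xi, xj): swap positions i and j of the state tuple
    return lambda s: tuple(s[j] if k == i else s[i] if k == j else s[k] for k in range(len(s)))

# *[ x1 > x2 -> exch(x1,x2) | x2 > x3 -> exch(x2,x3) | x3 > x4 -> exch(x3,x4) ]
GUARDED = [(lambda s, i=i: s[i] > s[i + 1], exch(i, i + 1)) for i in range(3)]

def step_choices(s, cmds):
    """All successor states the selection [b1->S1 | ... | bn->Sn] may produce from s."""
    return [S(s) for b, S in cmds if b(s)]

def repetition_finals(s, cmds, fuel=64):
    """All final states of *[...] from s, following every enabled guard; returns the
    empty set if some path still has an enabled guard after `fuel` steps (may not terminate)."""
    finals, seen, todo = set(), set(), [(s, fuel)]
    while todo:
        s, k = todo.pop()
        if (s, k) in seen:
            continue
        seen.add((s, k))
        nxt = step_choices(s, cmds)
        if not nxt:                      # all guards false: the loop stops here
            finals.add(s)
        elif k == 0:
            return set()
        else:
            todo.extend((t, k - 1) for t in nxt)
    return finals

def repetition_rule_ok(p, cmds, states):
    """Slide 34 repetition rule premises: {p and bi} Si {p} for every i, on sample states."""
    return all(p(S(s)) for s in states for b, S in cmds if p(s) and b(s))

def sort_example_ok():
    start = (3, 1, 4, 1)                                  # constructed start state
    p = lambda s: sorted(s) == sorted(start)              # invariant: same multiset of values
    states = set(permutations(start))
    finals = repetition_finals(start, GUARDED)
    exit_ok = all(list(s) == sorted(s) for s in finals)   # all guards false => sorted
    return repetition_rule_ok(p, GUARDED, states) and exit_ok and finals == {(1, 1, 3, 4)}
```

With ">=" in place of ">" in a guard, a state with two equal neighbours keeps that guard enabled forever, and repetition_finals reports the possible non-termination as an empty set.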