Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program correctness Axiomatic semantics

Published byTurid Tollefsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Program correctness Axiomatic semantics"— Presentation transcript:

1 Program correctness Axiomatic semantics
Spring 2008 Program correctness Axiomatic semantics Marcello Bonsangue

2 Axiomatic Semantics We have introduced a syntax for sequential programs An operational semantics (transition system) for “running” those programs from a starting state. A computation may terminate in a state or run forever. We would also like to have a semantics for reasoning about program correctness Slide 2

3 Axiomatic semantics We need
A logical language for making assertions about programs The program terminates If x = 0 then y = z+1 throughout the rest of the execution of the program If the program terminates, then x = y + z A proof system for establishing those assertions Slide 3

4 Why axiomatic semantics
Documentation of programs and interfaces (Meyer’s Design by Contract) Guidance in language design and coding Proving the correctness of algorithms Extended static checking checking array bounds Proof-carrying code Why not testing? Dijkstra: Program testing can be used to show the presence of bugs, but never to show their absence! Slide 4

5 The idea “Compute a number y whose square is less than the input x”
We have to write a program P such that y*y < x But what if x = -4? There is no program computing y!! Slide 5

6 The idea (continued) “If the input x is a positive number then compute a number y whose square is less than the input x” We need to talk about the states before and after the execution of the program P { x>0 } P { y*y < x } Slide 6

7 program termination is not required
The idea (continued) Hoare triple for partial correctness par {} c {} If the command c terminates when it is executed in a state that satisfies , then the resulting state will satisfy  program termination is not required postcondition precondition command Slide 7

8 Examples par{ y  x } z := x; z := z +1 { y < z } is valid
par{ true } while true do skip od { false } is valid Let Fact = y := 1; z := 0; while z  x do z := z + 1; y := y*z od Is par { x  0 } Fact { y = x! } valid? Slide 8

9 program termination is required
Total correctness Hoare triple for total correctness tot {} c {} If the command c is executed in a state that satisfies  then c is guaranteed to terminate and the resulting state will satisfy  program termination is required postcondition precondition command Slide 9

10 Example tot { y  x } z := x; z := z +1 { y < z } is valid
tot{ true } while true do skip od { false } is not valid tot { false } while true do skip od { true } is valid Let Fact = y := 1; z := 0; while z  x do z := z + 1; y := y*z od Is tot { x  0 } Fact { y = x! } valid? Slide 10

11 Partial and total correctness: meaning
Hoare triple for partial correctness par {} c {} If  holds in a state  and <c,>  ’ then  holds in ’ Hoare triple for total correctness tot {} c {} If  holds in a state  then there exists a ’ such that <c,>  ’ and  holds in ’ To be more precise, we need to: Formalize the language of assertions for  and  Say when an assertion holds in a state. Give rules for deriving Hoare triples Slide 11

12 The assertion language
Extended arithmetic expressions a ::= n | x | i |(a+a) | (a-a) | (a*a) n  N, x  Var, i  LVar Assertions (or extended Boolean expressions)  ::= true |  |  | a  a |i. i  LVar Slide 12

13 Program variables We need program variables Var in our assertion language To express properties of a state of a program as basic assertion such as x = n i.e. “The value of x is n” that can be used in more complex formulas such as x = n  y+1 = x*(y-x) i.e. “If the value of x is n then that of y + 1 is x times y - x” Slide 13

14 i. n = i * m i.e. “an integer n is multiple of another m”
Logical variables We need a set of logical variables LVar To express mathematical properties such as i. n = i * m i.e. “an integer n is multiple of another m” To remember the value of a program variable destroyed by a computation Fact2  y := 1; while x  0 do y := y*x; x := x – 1 od par{ x  0 } Fact2 { y = x! } is not valid but par{ x = x0  x  0 } Fact2 { y = x0! } is. Slide 14

15 Meaning of assertions Next we assign meaning to assertions
Problem: “ holds in a state ” may depends on the value of the logical variables in  Solution: use interpretations of logical variables Examples z  x holds in a state  :Var  N with (x) = 3 for all interpretations I:LVar  N of the logical variables such that I(i)  3 i  i+1 holds in a state for all interpretations PenC - Spring 2006 Slide 15

16 Meaning of expressions
Given a state :Var  N and an interpretation I:LVarN we define the meaning of an expression e as [[e]]I, inductively given by [[n]]I = n [[x]]I = (x) [[i]]I = I(i) [[a1+a2]]I = [[a1]]I +[[a2]]I [[a1-a2]]I = [[a1]]I - [[a2]]I [[a1*a2]]I = [[a1]]I *[[a2]]I Slide 16

17 Meaning of assertions Given a state  : Var  N and an interpretation I:LVar  N we define ,I   inductively by ,I  true ,I   iff not ,I   ,I   iff ,I   and ,I   ,I  a1  a2 iff [[a1]]I  [[a2]]I ,I  i. iff ,I[n/i]   for all n  N Slide 17

18 Partial and total correctness
Partial correctness: I par {} c {}  (,I   and <c, >  ’ )  ’,I   Total correctness: I tot {} c {} . ,I     ’.(<c, >  ’ and ’,I  ) where  and  are assertions and c is a command Slide 18

19 Validity To give an absolute meaning to {i  x} x := x+3 {i  x}
we have to quantify over all interpretations I Partial correctness: par {} c {}  I. I par {} c {} Total correctness: tot {} c {}  I. I tot {} c {} Slide 19

20 par{} c {} and tot {} c {}
Deriving assertions We have the meaning of both par{} c {} and tot {} c {} but it depends on the operational semantics and it cannot be effectively used Thus we want to define a proof system to derive symbolically valid assertions from valid assertions. par {}c{} means that the Hoare triple {}c{} can be derived by some axioms and rules Similarly for tot {}c{} Slide 20

21 Free and bound variables
A logical variable is bound in an assertion if it occurs in the scope of a quantifier i. n = i * m A logical variable is free if it is not bound i < 77   i. j+i = 3 free bound Slide 21

22 Substitution (I) For an assertion , logical variable i and arithmetic expression e we define [e/i] as the assertion resulting by substituting in  the free occurrence of i by e. Definition for extended arithmetic expressions n[e/i] = n (a1+a2)[e/i]=(a1[e/i]+a2[e/i]) x[e/i] = x (a1-a2)[e/i]=(a1[e/i]-a2[e/i]) i[e/i] = e (a1*a2)[e/i]=(a1[e/i]*a2[e/i]) j[e/i] = j Slide 22

23 Substitution (II) Definition for assertions true[e/i] = true
()[e/i] = ([e/i]) (1  2)[e/i] = (1[e/i]  2[e/i]) (a1  a2)[e/i] = (a1[e/i]  a2[e/i]) (i.)[e/i] = i. (j.)[e/i] = j.[e/i] j  i Pictorially, if  = ---i--i--i- with i free, then [e/i] = ---e--e--e- Slide 23

24 Proof rules partial correctness (I)
There is one derivation rule for each command in the language. {} skip {} skip {[a/x]} x := a {} ass {} c1 {} {} c2 {} seq {} c1; c2 {} Slide 24

25 Proof rules partial correctness (II)
{  b} c1 {} {  b} c2 {} if {} if b then c1 else c2 fi {} {  b} c {} while {} while b do c od {  b}    ’ {’} c {’}  ’   cons {} c {} Slide 25

26 A first example: assignment
Let’s prove that par {true} x:=1 {x=1} ass  true  1= {1=1} x:=1 {x=1} cons {true} x:=1 {x=1} PenC - Spring 2006 Slide 26

27 Another example: assignment
Prove that {true} x:= e {x=e} when x does not appear in e 1. Because x does ot appear in e we have (x=e)[e/x]  (x[e/x]=e[e/x])  (e=e) 2. Use assignment + consequence to obtain the proof ass  true  e=e {e=e} x:=e {x=e} cons {true} x:=e {x=e} Slide 27

28 Another example: conditional
Prove par {true} if y1 then x:=1 else x:=y fi {x>0} ass ass true  y11>0 {1>0} x:=1 {x>0} true  y>1 y>0 {y>0} x:=y {x>0} cons {true  y 1} x:=1 {x>0} {true  y >} x:=y {x>0} if {true} if y1 then x:=1 else x:=y fi {x>0} Slide 28

29 An example: while Prove par {0  x} while x>0 do x:=x-1 od {x=0}
We take as invariant 0  x in the while-rule ass  0  x  x>0  0  x {0  x-1} x:=x-1 {0  x} cons {0  x  x>0 } x:=x-1 {0  x} while {0  x} while x >0 do x:=x-1 od {0  x  x  0}  0  x  x  0  x=0 cons {x  0} x >0 do x:=x-1 od {x=0} Slide 29

30 An example: while, again
Prove that {x  0} while x  5 do x:=x+1 od {x=6} We start with the invariant x  6 in the while-rule ass  x  6  x  5  x+1  {x+1  6}x:=x+1 {x  6} cons {x  6  x  5} x:=x+1 {x  6} while {x  6} while x  5 do x:=x+1 od {x  6  x>5} We finish with the consequence rule  x0  x6 {x  6} while x  5 do x:=x+1 od {x  6  x>5}  x6  x>5  x=6 {x  0} while x  5 do x:=x+1 od {x=6} Slide 30

31 {(b1)(b2 )} if b then c1 else c2 fi {}
Auxiliary rules They can be derived from the previous ones {} c {} if the program variables in  do not appear in c {} x := a {x0.([x0 /x]  x = a[x0/x])} {1} c1 {} {2} c2 {} {(b1)(b2 )} if b then c1 else c2 fi {} {1} c {} {2} c {} {1  2} c {} {1} c { 1} {2} c { 2} {1  2} c {1  2 } Slide 31

32 Comments on Hoare logic
The rules are syntax directed Three problems: When to apply the consequence rule How to prove the implication in the consequence rule What invariant to use in the while rule The last is the real hard one Should it be given by the programmer? PenC - Spring 2006 Slide 32

33 An extensive example: a program
DIV  q := 0; r := x; while r  y do r := r-y; q := q+1 od We wish to prove {x  0  y > 0 } DIV { q*y+r=x  0ry } Slide 33

Download ppt "Program correctness Axiomatic semantics"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 12.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 12.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.

This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch. 10.1 - 10.2.

1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Predicate Transformers

Predicate Transformers
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Programming Language Semantics Axiomatic Semantics Chapter 6.

Programming Language Semantics Axiomatic Semantics Chapter 6.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.

Similar presentations

Ads by Google