Presentation is loading. Please wait.

Presentation is loading. Please wait.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Published byAlisha Webster Modified over 9 years ago

Similar presentations

Presentation on theme: "Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning."— Presentation transcript:

1 Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning is attached to any particular program by such a system. The task of determining which properties are of interest is left to the programmer. In this setting, we are interested in assertions about program state (in particular values of program variables). Each such assertion can be couched as what’s known as a Hoare triple (after C.A.R. Hoare) {P}S{Q} which is interpreted as follows: Assertion Q will hold in the state yielded immediately upon termination of statement S when executed in state satisfying assertion P. By way of example, consider the following: { x = A } x := x + 1 { x = A + 1} Hoare triples are typically used to express partial correctness of a program, however, one can use them to specify the conditions under which a program will terminate.

2 Weakest Preconditions To adequately describe the semantics of a programming language construct C, we can’t just manufacture a few true Hoare triples, we must have some plan for describing exactly what we want to say about a program’s behavior. An assertion R is said to be weaker than assertion P if the truth of P implies the truth of R, written P→R (equivalently R or not(P)). Example: x >0 is weaker than x = 3. The program proving game is played as follows: –We know what program construct C we are using. –We know what assertion Q we want to be true after C terminates. –We use the proof system to find out what absolutely must be true before executing C and nothing more, that is we find the weakest precondition of C that will yield Q, wp(C,Q). Then we know that if we execute C in any state P such that P→wp(C,Q), then Q will be true when C terminates.

3 General Properties of wp (not specific to any language) Law of the Excluded Miracle wp(C,false) = false Note that if false is true, we can prove anything! Distributivity of Conjunction wp(C,P and Q) = wp(C,P) and wp(C,Q) Law of Monotonicity if Q→R then wp(C,Q)→wp(C,R) Distributivity of Disjunction wp(C,P) or wp(C,Q) → wp(C,P or Q)

4 wp Properties Specific to our Simple Language We make a huge leap of faith assuming that all of us already understand some underlying logic that captures all interesting properties of expressions, and note that true assertions P→Q from this logic can be used in our proofs. Statement Lists wp( L 1 ;L 2,Q) = wp( L 1,wp( L 2,Q)) This says weakest preconditions propagate backwards through statement sequences. Assignment Statements wp( I:=E,Q) = Q[ E/I ] The substitution Q[ E/I ] involves substituting the expression E for each free occurrence of I in Q. An occurrence of a variable is said to be bound in an assertion if it is the argument of an existential (  ) or universal (  ) quantifier. An occurrence is free if it is not bound. Consider Q[1/j] when Q has the following two values: –Q = (for all i, a[i] = a[j]) –Q = (for all j, a[i] = a[j]) Now consider applying this: wp(x := x + 1, x = A) = (x = A)[(x + 1)/x] = (x + 1 = A) = (x = A – 1)

5 If statements If Statements wp(if E then L 1 else L 2 fi,Q) = ( E >0→wp( L 1,Q)) and ( E  0→wp( L 2,Q)) Consider applying this in Louden’s example: wp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→wp(x := 1,x=1)) and (x  0→wp(x := -1,x=1)) = (x>0→1=1) and (x  0→-1=1) Note (x>0→1=1) = (1=1 or not(x>0)) = true Note (x  0→-1=1) = (-1=1 or not(x  0)) = not(x  0) = x>0 Thus wp(if x then x := 1 else x := -1 fi, x = 1) = (x>0→1=1) and (x  0→-1=1) = true and x>0 = x>0

6 While Statements To precisely define the weakest precondition of a while loop is difficult, we must define it inductively on the number of times the loop may be executed. Thus we have a sequence of assertions H i (while E do L od,Q) each capturing the weakest preconditions satisfying that the loop executes i times and terminates in a state satisfying Q. Consider the sequence of H’s: H 0 (while E do L od,Q) = E  0 and Q H 1 (while E do L od,Q) = E >0 and wp( L, H 0 (while E do L od,Q)) H i+1 (while E do L od,Q) = E >0 and wp( L, H i (while E do L od,Q)) This seems pretty complicated. What should we really do?

7 {x = X and y = Y} t := x; x := y; y := t; {x = Y and y = X}

8 Partial Correctness Proofs for Loop Invariants If we have a while loop, while E do L od, and an assertion W satisfying each of the following: 1.W and ( E >0)→wp( L,W) 2.W and ( E  0)→Q 3.P→W then we can conclude that {P} while E do L od{Q} An assertion W satisfying these conditions is known as a loop invariant. Property 1 above guarantees that the truth of the assertion does not vary when the loop body is executed. Note that the loop termination and the invariant alone must be sufficient to satisfy the postcondition. P can be stronger than the invariant, but that won’t affect the postcondition that is provable in this manner.

9 Choosing a Loop Invariant {n>0} i := n; sum := 0; while i do sum := sum + i; i := i – 1; od {sum = 1 + 2 +... + n}

Download ppt "Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.

Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.
Simple Example {i = 0} j := i * i {j < 100} Can we ‘verify’ this triple? Only if we know the semantics of assignment.

Simple Example {i = 0} j := i * i {j < 100} Can we ‘verify’ this triple? Only if we know the semantics of assignment.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
1 Discrete Structures Lecture 29 Predicates and Programming Read Ch. 10.1 - 10.2.

1 Discrete Structures Lecture 29 Predicates and Programming Read Ch
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.

Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.
CSE 331 Software Design & Implementation Dan Grossman Winter 2014 Lecture 2 – Reasoning About Code With Logic 1CSE 331 Winter 2014.

CSE 331 Software Design & Implementation Dan Grossman Winter 2014 Lecture 2 – Reasoning About Code With Logic 1CSE 331 Winter 2014.

Similar presentations

Ads by Google