Download presentation
1
Predicate Transformers
Axiomatic Semantics Predicate Transformers Calculating with programs : Reasoning reduced to symbol manipulation. Helps determine precise Boundary conditions. Formalizing intuitions. Other approaches: Denotational Semantics: Real meaning in terms of functions on N. Equivalence: f(x) = f(x) f(x) = if f(x) ==1 then 0 else 1 unsatisfiable (“non-sense”) f(x) = f(x) f(x) = if f(x) ==1 then 1 else f(x) multiple solutions (“no information”) McCarthy’s 91-function Operational Semantics: Abstract interpreter based cs784(Prasad) L189wp
2
Motivation Problem Specification Program Input Output
Properties satisfied by the input and expected of the output (usually described using “assertions”). E.g., Sorting problem Input : Sequence of numbers Output: Permutation of input that is ordered. Program Transform input to output. cs784(Prasad) L189wp
3
Sorting algorithms Bubble sort; Shell sort; Insertion sort; Selection sort; Merge sort; Quick sort; Heap sort; Axiomatic Semantics To show that a program satisfies its specification, it is convenient to have the description of the language constructs in terms of assertions characterizing the input and the corresponding output states. cs784(Prasad) L189wp
4
Axiomatic Approaches Hoare’s Proof System (partial correctness)
Dijkstra’s Predicate Transformer (total correctness) Assertion: Logic formula involving program variables, arithmetic/boolean operations, etc. Hoare Triples : {P} S {Q} pre-condition statements post-condition (assertion) (program) (assertion) cs784(Prasad) L189wp
5
Swap Example States : Variables -> Values
{ x = n and y = m } t := x; x := y; y := t; { x = m and y = n } program variables vs ghost/logic variables States : Variables -> Values Assertions : States > Boolean (= Powerset of States) cs784(Prasad) L189wp
6
Partial vs Total Correctness
{P} S {Q} S is partially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q. S is totally correct for P and Q if and only if whenever S is executed in a state satisfying P , then the execution terminates, and the resulting state satisfies Q. Logical Implication : IF false THEN (1 = 2) is valid. cs784(Prasad) L189wp
7
Examples Totally correct (hence, partially correct)
{ false } x := 0; { x = 111 } { x = 11 } x := 0; { x = 0 } { x = 0 } x := x + 1; { x = 1 } {false} while true do; {x = 0} {y = 0} if x <> y then x:= y; { x = 0 } Not totally correct, but partially correct {true} while true do; {x = 0} Not partially correct {true} if x < 0 then x:= -x; { x > 0 } 1. False = empty set of states. Precondition unsatisfiable, so Hoare triple trivially valid. 2. Strong precondition 4. Nontermination. 5. Multipath program : Else null statement; 6. Partially correct because the IF-part of definition not met, so there are no guarantees from THEN. 7. Modify the precondition to get a valid triple. Material Implication : IF sun rises in the west THEN there will be snow in July in Mexico City. cs784(Prasad) L189wp
8
Axioms and Inference Rules
Assignment axiom {Q[e]} x := e; {Q[x]} Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q} Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y} {x = y} x:=x+1; y:=y+1; {x = y} Reasoning turned into symbol manipulation : Substitution. Confusing with constructs such as: {??} x == x++ * 5 { x = y } cs784(Prasad) L189wp
9
Generating additional valid triples {P} S {Q} from {P’} S {Q’}
States States P’ Q P Q’ Subtle Point: The program transforms a state into another state. (point to point map) Assertions characterize mapping from collection of states to collection of states. They deal with the delineating boundary as it were. But if we use FOPC for Assertion both schemes have equal discriminating power. (full abstraction) cs784(Prasad) L189wp
10
{P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q}
Rule of Consequence {P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q} Strengthening the antecedent Weakening the consequent Example {x=0 and y=0} x:=x+1;y:=y+1; {x = y} {x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics [boolean algebra + arithmetic] ) cs784(Prasad) L189wp
11
Predicate Transformers
Assignment wp( x := e , Q ) = Q[x<-e] Composition wp( S1 ; S2 , Q) = wp( S1 , wp( S2 , Q )) Correctness {P} S {Q} = (P => wp( S , Q)) For programs without loops (and recursion), Hoare’s and Dijkstra’s approach converge. Hoare’s approach generates triples while Dijkstra’s approach tries to capture the semantics Unaddressed Questions: Why weakest precondition rather than strongest post-condition? Expressiveness in FOL for while? Application: Distributed computing program proofs. cs784(Prasad) L189wp
12
Correctness Illustrated
P => wp( S , Q) States States Q wp(S,Q) P cs784(Prasad) L189wp
13
Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y}
wp(y:=y+1; , {x = y}) = { x = y+1 } wp(x:=x+1; , {x = y+1}) = { x+1 = y+1 } wp(x:=x+1;y:=y+1; , {x = y}) = { x = y } { x = 0 and y = 0 } => { x = y } cs784(Prasad) L189wp
14
Conditionals { P and B } S1 {Q} {P and not B } S2 {Q}
{P} if B then S1 else S2; {Q} wp(if B then S1 else S2; , Q) = (B => wp(S1,Q)) and (not B => wp(S2,Q)) = (B and wp(S1,Q)) or (not B and wp(S2,Q)) cs784(Prasad) L189wp
15
“Invariant”: Summation Program
{ s = i * (i + 1) / 2 } i := i + 1; s := s + i; Intermediate Assertion ( s and i different) { s + i = i * (i + 1) / 2 } Weakest Precondition { s+i+1 = (i+1) * (i+1+1) / 2 } Values bound to variables keep changing (DYNAMIC). In order to be able to reason about program, We need to discover INVARIANTS. (Physics laws: PV=RT, E=mc**2, Boyle’s law.) (Implicit relationships) ( STATIC) State and assertion is associated with a “point” in the program. cs784(Prasad) L189wp
16
while-loop : Hoare’s Approach
{Inv and B} S {Inv} {Inv} while B do S {Inv and not B} Proof of Correctness {P} while B do S {Q} = P => Inv and {Inv} B {Inv} and {Inv and B} S {Inv} and {Inv and not B => Q} + Loop Termination argument Focus on what is essential for the problem at hand rather than the weakest conditiion. Invariant = Assertion preserved. cs784(Prasad) L189wp
17
{I} while B do S {I and not B}
{I and B} S {I} 0 iterations: {I} {I and not B} not B holds 1 iteration: {I} S {I and not B} B holds not B holds 2 iterations: {I} S ; S {I and not B} B holds B holds not B holds Infinite loop if B never becomes false. cs784(Prasad) L189wp
18
Example1 : while-loop correctness
{ n>0 and x=1 and y=1} while (y < n) [ y++; x := x*y;] {x = n!} Choice of Invariant {I and not B} => Q {I and (y >= n)} => (x = n!) I = {(x = y!) and (n >= y)} Precondition implies invariant { n>0 and x=1 and y=1} => { 1=1! and n>=1 } Choosing invariant requires insight and is goal driven. Invariant must hold in the loop. So cannot have (n = y) or (x = n!) etc Soundness cs784(Prasad) L189wp
19
Verify Invariant Termination {I and B} => wp(S,I)
wp( y++; x:=x*y; , {x=y! and n>=y}) = { x=y! and n>=y+1 } I and B = { x=y! and n>=y } and { y<n } = { x=y! and n>y } Termination Variant : ( n - y ) y : > > … -> n (n-y) : (n-1) -> (n-2) -> … -> 0 Soundness cs784(Prasad) L189wp
20
GCD-LCM code PRE: (x = n) and (y = m) u := x; v := y;
while (x <> y) do ASSERT: (** INVARIANT **) begin if x > y then x := x - y; u := u + v else y := y - x; v := v + u end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2) PRE: (x = n) and (y = m) u := x; v := y; while (x <> y) do ASSERT: ( 2*n*m = x*v + y*u ) begin if x > y then x := x - y; u := u + v else y := y - x; v := v + u end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2) cs784(Prasad) L189wp
21
while-loop : Dijkstra’s Approach
wp( while B do S , Q) = P0 or P1 or … or Pn or … = there exists k >= 0 such that Pk Pi : Set of states causing i-iterations of while-loop before halting in a state in Q. P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk) cs784(Prasad) L189wp
22
... P0 => wp(skip, Q) P0 subset Q P1 => wp(S, P0) States wp Q
cs784(Prasad) L189wp
23
Example2 : while-loop correctness
P0 = { y >= n and x = n! } Pk = B and wp(S,Pk-1) P1 = { y<n and y+1>=n and x*(y+1) = n! } Pk = y=n-k and x=(n-k)! Weakest Precondition Assertion: Wp = there exists k >= 0 such that P0 or {y = n-k and x = (n-k)!} Verification : P = n>0 and x=1 and y=1 For i = n-1: P => Wp cs784(Prasad) L189wp
24
Induction Proof Hypothesis : Pk = {y=n-k and x=(n-k)!}
Pk+1 = { B and wp(S,Pk) } = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!) Valid preconditions: { n = 4 and y = 2 and x = 2 } (k = 2) { n = 5 and x = 5! and y = 6} (no iteration) cs784(Prasad) L189wp
25
Detailed Working wp( y++; x:=x*y; , {x=y! and n>=y})
= wp(y++,{x*y=y! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = {x=y+1-1! and n>=y+1} cs784(Prasad) L189wp
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.