Axiomatic Semantics - PowerPoint PPT Presentation
Provided by: josephn6
Slides: 10

Transcript and Presenter's Notes
1
Axiomatic Semantics
  • The meaning of a program is defined by a formal
    system that allows one to deduce true properties
    of that program. No specific meaning is attached
    to any particular program by such a system. The
    task of determining which properties are of
    interest is left to the programmer.
  • In this setting, we are interested in assertions
    about program state (in particular the values of
    program variables). Each such assertion can be
    couched as what's known as a Hoare triple (after
    C.A.R. Hoare), {P} S {Q}, which is interpreted as
    follows: assertion Q will hold in the state
    yielded immediately upon termination of statement
    S when S is executed in a state satisfying
    assertion P.
  • By way of example, consider the following:
    {x = A} x := x + 1 {x = A + 1}
  • Hoare triples are typically used to express
    partial correctness of a program (if S terminates,
    Q holds); however, one can also use them to
    specify the conditions under which a program will
    terminate.

2
Weakest Preconditions
  • To adequately describe the semantics of a
    programming language construct C, we can't just
    manufacture a few true Hoare triples; we must
    have some plan for describing exactly what we
    want to say about a program's behavior.
  • An assertion R is said to be weaker than
    assertion P if the truth of P implies the truth
    of R, written P → R (equivalently, R or
    not(P)). Example: x > 0 is weaker than x = 3.
  • The program proving game is played as follows:
  • We know what program construct C we are using.
  • We know what assertion Q we want to be true after
    C terminates.
  • We use the proof system to find out what
    absolutely must be true before executing C and
    nothing more, that is, we find the weakest
    precondition of C that will yield Q, wp(C,Q).
  • Then we know that if we execute C in any state
    satisfying an assertion P such that P → wp(C,Q),
    then Q will be true when C terminates.

3
General Properties of wp (not specific to any
language)
  • Law of the Excluded Miracle: wp(C,false) = false.
    No state can guarantee a false postcondition; if
    false could be established, we could prove anything!
  • Distributivity of Conjunction: wp(C,P and Q) =
    wp(C,P) and wp(C,Q)
  • Law of Monotonicity: if Q → R then wp(C,Q) → wp(C,R)
  • Distributivity of Disjunction: wp(C,P) or wp(C,Q)
    → wp(C,P or Q)

4
wp Properties Specific to our Simple Language
  • We make a huge leap of faith, assuming that all of
    us already understand some underlying logic that
    captures all interesting properties of
    expressions, and note that true assertions P → Q
    from this logic can be used in our proofs.
  • Statement Lists: wp(L1; L2, Q) = wp(L1, wp(L2, Q)).
    This says weakest preconditions propagate backwards
    through statement sequences.
  • Assignment Statements: wp(I := E, Q) = Q[E/I]
  • The substitution Q[E/I] involves substituting the
    expression E for each free occurrence of I in Q.
    An occurrence of a variable is said to be bound
    in an assertion if it is the argument of an
    existential (∃) or universal (∀) quantifier. An
    occurrence is free if it is not bound. Consider
    Q[1/j] when Q has the following two values:
  • Q = (for all i, a[i] = a[j]); here j is free, so
    Q[1/j] = (for all i, a[i] = a[1])
  • Q = (for all j, a[i] = a[j]); here j is bound, so
    Q[1/j] = Q
  • Now consider applying this: wp(x := x + 1, x = A)
    = (x = A)[(x + 1)/x] = (x + 1 = A) = (x = A - 1)

5
If statements
  • If Statements: wp(if E then L1 else L2 fi, Q) =
    (E > 0 → wp(L1,Q)) and (E ≤ 0 → wp(L2,Q))
    (in this language the condition E is an integer
    expression that counts as true when E > 0)
  • Consider applying this in Louden's example:
    wp(if x then x := 1 else x := -1 fi, x = 1)
    = (x > 0 → wp(x := 1, x = 1)) and (x ≤ 0 → wp(x := -1, x = 1))
    = (x > 0 → 1 = 1) and (x ≤ 0 → -1 = 1)
  • Note (x > 0 → 1 = 1) = (1 = 1 or not(x > 0)) = true
  • Note (x ≤ 0 → -1 = 1) = (-1 = 1 or not(x ≤ 0)) = not(x ≤ 0)
    = x > 0
  • Thus wp(if x then x := 1 else x := -1 fi, x = 1)
    = (x > 0 → 1 = 1) and (x ≤ 0 → -1 = 1) = true and x > 0
    = x > 0

6
While Statements
  • To precisely define the weakest precondition of a
    while loop is difficult; we must define it
    inductively on the number of times the loop may
    be executed. Thus we have a sequence of
    assertions Hi(while E do L od,Q), each capturing
    the weakest precondition guaranteeing that the
    loop executes exactly i times and terminates in a
    state satisfying Q. Consider the sequence of Hs:
  • H0(while E do L od,Q) = E ≤ 0 and Q
  • H1(while E do L od,Q) = E > 0 and wp(L, H0(while E
    do L od,Q))
  • Hi+1(while E do L od,Q) = E > 0 and wp(L, Hi(while
    E do L od,Q))
  • The weakest precondition of the loop is then: there
    exists an i ≥ 0 such that Hi(while E do L od,Q)
    holds. This seems pretty complicated. What should
    we really do?

7
  • {x = X and y = Y} t := x; x := y; y := t {x = Y
    and y = X}
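The wp rules of slides 4, 5 and 7 are purely mechanical, so they can be run rather than applied by hand. The following is an added example, not code from the original slides or from Louden: a small weakest-precondition calculator for assignment, sequencing and if-then-else. Assertions are written as Python expressions (== for =, all(...) over a generator for "for all"), and the if-condition is an integer expression that counts as true when E > 0, as in the slides. The brute-force `equivalent` check over a small integer box is this example's own device for confirming that the formula the rules produce really does simplify to what the slides derive by hand; it is not part of the slides' proof system.

```python
"""Weakest preconditions for the slides' simple language (added example).

Assertions are Python boolean expressions over program variables, e.g.
"x == A and y == Y"; "for all i, a[i] = a[j]" is written
"all(a[i] == a[j] for i in range(n))".  Statements are the three
constructs the slides give wp rules for: I := E, L1; L2 and
if E then L1 else L2 fi.  Requires Python 3.9+ (ast.unparse).
"""
import ast
import copy
import itertools
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Assign:            # I := E
    var: str
    expr: str


@dataclass
class Seq:               # L1; L2; ...
    stmts: List["Stmt"]


@dataclass
class If:                # if E then L1 else L2 fi; E is an integer expression, true when E > 0
    cond: str
    then: "Stmt"
    els: "Stmt"


Stmt = Union[Assign, Seq, If]


class _Subst(ast.NodeTransformer):
    """Q[E/I]: replace every free occurrence of the variable I in Q by E."""

    def __init__(self, var: str, expr: ast.expr):
        self.var, self.expr = var, expr

    def visit_Name(self, node: ast.Name) -> ast.expr:
        return copy.deepcopy(self.expr) if node.id == self.var else node

    def _visit_quantifier(self, node: ast.expr) -> ast.expr:
        # A comprehension variable is bound inside the comprehension, like the
        # slides' "for all j": occurrences under it are not substituted.
        # (Simplification: the whole comprehension, range included, is skipped.)
        bound = {n.id for g in node.generators
                 for n in ast.walk(g.target) if isinstance(n, ast.Name)}
        return node if self.var in bound else self.generic_visit(node)

    visit_GeneratorExp = visit_ListComp = visit_SetComp = _visit_quantifier


def substitute(post: str, var: str, expr: str) -> str:
    """Return the assertion post[expr/var] as source text."""
    tree = ast.parse(post, mode="eval")
    new = _Subst(var, ast.parse(expr, mode="eval").body).visit(tree)
    return ast.unparse(ast.fix_missing_locations(new).body)


def wp(stmt: Stmt, post: str) -> str:
    """Weakest precondition of stmt with respect to the postcondition post."""
    if isinstance(stmt, Assign):                      # wp(I := E, Q) = Q[E/I]
        return substitute(post, stmt.var, stmt.expr)
    if isinstance(stmt, Seq):                         # wp(L1; L2, Q) = wp(L1, wp(L2, Q))
        q = post
        for s in reversed(stmt.stmts):                # propagate backwards through the list
            q = wp(s, q)
        return q
    if isinstance(stmt, If):                          # (E > 0 -> wp(L1,Q)) and (E <= 0 -> wp(L2,Q))
        t, e = wp(stmt.then, post), wp(stmt.els, post)
        return (f"(not ({stmt.cond} > 0) or ({t})) and "
                f"(not ({stmt.cond} <= 0) or ({e}))")
    raise TypeError(f"unknown statement {stmt!r}")


def holds(assertion: str, state: dict) -> bool:
    """Evaluate an assertion in a concrete state (one namespace, so quantifiers see the variables)."""
    env = {"__builtins__": {}, "all": all, "any": any, "range": range, **state}
    return bool(eval(compile(assertion, "<assertion>", "eval"), env))


def equivalent(p: str, q: str, variables, lo: int = -3, hi: int = 3) -> bool:
    """Brute-force check that p and q agree on every integer state in [lo, hi]^k."""
    for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        state = dict(zip(variables, values))
        if holds(p, state) != holds(q, state):
            return False
    return True


if __name__ == "__main__":
    # slide 4: wp(x := x + 1, x = A) = (x + 1 = A)
    print(wp(Assign("x", "x + 1"), "x == A"))
    # slide 4: Q[1/j] substitutes a free j but leaves a bound j alone
    print(substitute("all(a[i] == a[j] for i in range(n))", "j", "1"))
    print(substitute("all(a[i] == a[j] for j in range(n))", "j", "1"))
    # slide 5: Louden's if example; the raw formula is equivalent to x > 0
    pre = wp(If("x", Assign("x", "1"), Assign("x", "-1")), "x == 1")
    print(pre, "<=>", "x > 0", equivalent(pre, "x > 0", ["x"]))
    # slide 7: the swap; wp is (y = Y and x = X), i.e. the slide's precondition
    swap = Seq([Assign("t", "x"), Assign("x", "y"), Assign("y", "t")])
    print(wp(swap, "x == Y and y == X"))
```

The if rule deliberately returns the unsimplified implication form; the simplification to x > 0 that slide 5 does by hand is what `equivalent` confirms, which is also how one catches a wrong hand simplification (try `x >= 0` and the check fails at x = 0).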

8
Partial Correctness Proofs for Loop Invariants
  • If we have a while loop, while E do L od, and an
    assertion W satisfying each of the following:
  • 1. W and (E > 0) → wp(L,W)
  • 2. W and (E ≤ 0) → Q
  • 3. P → W
  • then we can conclude that {P} while E do L od {Q}.
  • An assertion W satisfying these conditions is
    known as a loop invariant. Property 1 above
    guarantees that the truth of the assertion does
    not vary when the loop body is executed.
  • Note that loop termination and the invariant
    alone must be sufficient to satisfy the
    postcondition (property 2). P can be stronger than
    the invariant, but that won't affect the
    postcondition that is provable in this manner.

9
Choosing a Loop Invariant
  • {n > 0}
    i := n; sum := 0;
    while i do sum := sum + i; i := i - 1 od
    {sum = 1 + 2 + ... + n}
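Before attempting the proof on slide 8, a candidate invariant can be checked mechanically against the three conditions. The following is an added example, not from the slides: it executes the initialization and loop body of the slide 9 program concretely and evaluates conditions 1 to 3 over a bounded integer state space, which is enough to expose a candidate that is too weak. The candidate W (0 ≤ i ≤ n and sum holds the terms already added, (i+1) + ... + n), the deliberately weaker bounds-only candidate, and the bound N_MAX are this example's choices, not an answer given on the slide; because L is deterministic, "W holds after running L" is the same as W and E > 0 → wp(L,W).

```python
"""Bounded check of the slide 8 loop-invariant conditions for the slide 9 loop.

    {n > 0} i := n; sum := 0; while i do sum := sum + i; i := i - 1 od {sum = 1 + ... + n}

The guard is E = i, true when i > 0.  Instead of proving the three
implications symbolically, evaluate them on every state in a small box.
"""
import itertools

N_MAX = 6            # assumption of this example: largest n tried


def init(n: int) -> dict:
    """Statements before the loop: i := n; sum := 0."""
    return {"n": n, "i": n, "sum": 0}


def body(s: dict) -> dict:
    """One execution of L: sum := sum + i; i := i - 1 (returns a new state)."""
    return {"n": s["n"], "i": s["i"] - 1, "sum": s["sum"] + s["i"]}


def guard(s: dict) -> bool:
    """E > 0 with E = i."""
    return s["i"] > 0


def post(s: dict) -> bool:
    """Q: sum = 1 + 2 + ... + n."""
    return s["sum"] == s["n"] * (s["n"] + 1) // 2


def inv_candidate(s: dict) -> bool:
    """W: 0 <= i <= n and sum already holds (i+1) + ... + n (this example's choice)."""
    return 0 <= s["i"] <= s["n"] and s["sum"] == sum(range(s["i"] + 1, s["n"] + 1))


def inv_too_weak(s: dict) -> bool:
    """A bounds-only candidate that says nothing about sum."""
    return 0 <= s["i"] <= s["n"]


def all_states():
    """Every state in a small integer box around the values the loop can reach."""
    max_sum = N_MAX * (N_MAX + 1) // 2 + 5
    for n, i, total in itertools.product(range(1, N_MAX + 1),
                                         range(-2, N_MAX + 3),
                                         range(0, max_sum)):
        yield {"n": n, "i": i, "sum": total}


def check_invariant(W) -> dict:
    """Which of the three slide 8 conditions W satisfies on the bounded state space."""
    states = list(all_states())
    return {
        # 1. W and E > 0 -> wp(L, W): W survives one more iteration
        "preserved_by_body": all(W(body(s)) for s in states if W(s) and guard(s)),
        # 2. W and E <= 0 -> Q: on exit the invariant alone yields the postcondition
        "exit_implies_post": all(post(s) for s in states if W(s) and not guard(s)),
        # 3. P -> W: the initialization establishes W for every n > 0
        "established_by_init": all(W(init(n)) for n in range(1, N_MAX + 1)),
    }


if __name__ == "__main__":
    for name, W in (("candidate", inv_candidate), ("too weak", inv_too_weak)):
        print(name, check_invariant(W))
```

The bounds-only candidate passes conditions 1 and 3 but fails condition 2: at exit (i = 0) it says nothing about sum, so Q is not implied. That is exactly the gap slide 8 warns about: the invariant together with the exit condition must carry the whole postcondition. A bounded check like this cannot replace the proof, but it is a cheap way to reject a wrong W before writing one.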