Axiomatic Semantics - PowerPoint PPT Presentation

Slides: 35
Provided by: jeremy84

Transcript and Presenter's Notes

1
Axiomatic Semantics
  • Will consider axiomatic semantics (A.S.) of IMP
  • <stmt> ::= skip | <assign> | <if> | <while> | <stmt> ; <stmt>
  •           | <input> | <output>
  • Only integer vars; no procedures/fns; vars declared implicitly
  • References: Kurtz (ch. 11); Pagan (ch. 4.3)
  • Summary: For each type of <stmt>, will define its a.s. via an axiom or rule of inference (or just rule). Using these, will be able to show (i.e., derive) that a given program behaves according to its specification.

2
Preliminaries
  • State: State σ of a program P is a function that maps the program variables of P to their values in that state. Example: <x = 1, y = 2, z = 3>, or σ(x) = 1, σ(y) = 2, σ(z) = 3 (assuming P has 3 prog. var., x, y, z)
  • Usually have to deal with a set of states: {<x = 1, y = 2, z = 1>, <x = 1, y = 2, z = 2>, <x = 1, y = 2, z = 3>}
  • Better: Specify an assertion (or predicate, or condition) satisfied by all the states in that set and no others: (x = 1) ∧ (y = 2) ∧ (1 ≤ z ≤ 3)
  • Important: Assertion ≡ Set of states that satisfy the assertion

3
Assertions/sets of states
  • (x = 1) ∧ (1 ≤ y ≤ 5) ∧ (1 ≤ z ≤ 10): set with 50 states
  • (x = 1) ∧ (y = 2): an infinite set
  • (x = 1) ∧ (1 ≤ y ≤ 5): an 'even bigger' set
  • x = y = z: ...
  • x = x: the set of all states
  • true
  • x ≠ x: the empty set
  • false

4
Assertions/sets of states
  • Convention:
  • p ↔ P (p is an assertion; P the corresponding set of states)
  • p ∧ q ↔ P ∩ Q
  • p ∨ q ↔ P ∪ Q
  • ¬p ↔ -P (or, rather, "P bar", i.e., U - P; U: universal set)

5
Assertions/sets of states (contd)
  • "⇒" (implication) can be thought of as a relation between two assertions:
  • p ⇒ q: P ⊆ Q
  • p ⇒ true: P ⊆ U
  • false ⇒ p: ∅ ⊆ P
  • Can also think of "⇒" as a single assertion:
  • p ⇒ q ≡ (¬p ∨ q)
  • Thus:
  • p ⇒ true ≡ true
  • false ⇒ p ≡ true
  • p ⇒ p ≡ true (??)
  • p ⇒ ¬p ≡ false (??)
  • (x ≥ 1) ⇒ (x = 2): ??

The context will tell us whether to think of implication as a relation between assertions or as a single assertion.
6
Assertions (contd.)
  • "x < y" is a syntactic entity when it appears in a program
  • Elsewhere it is an assertion (satisfied by some states and not others).
  • A state σ satisfies the assertion x < y if (and only if) σ(x) is less than σ(y)
  • Notation: σ ⊨ (x < y): "σ satisfies (x < y)"

7
Key Notation
  • The result {p} S {q} (where p, q are assertions and S is a statement)
  • is operationally valid if:
  • If we start execution of S in any state σ ∈ P, the final state σ' when S finishes execution will belong to Q
  • Examples:
  • {x = 1} skip {x = 1}: (Operationally) valid
  • {(x = 1) ∧ (y = 2)} skip {x = 1}: Valid
  • {x = 1} skip {(x = 1) ∧ (y = 2)}: Invalid (op. invalid)
  • {x = 1} skip {(x = 1) ∨ (y = 2)}: Valid
  • {(x = 1) ∨ (y = 2)} skip {x = 1}: ??
  • {(x = 1) ∧ (y = 2)} skip {true}: ??
  • {(x = 1) ∧ (y = 2)} skip {false}: ??

8
"Results" (contd.)
  • {(x = 1) ∧ (y = 2)} x := x + 1 {(x = 2) ∧ (y = 2)}: Valid
  • {(x = 1) ∧ (y = 2)} x := x + 1 {x = y}: Valid
  • {(u = 1) ∧ (v = 2)} x := x + 1 {v = u + 1}: ??
  • {x = 0} while (x < 10) do x := x + 1 end {x = 10}: Valid
  • What if the loop doesn't terminate?
  • {x ≥ 0} while (x < 10) do x := x + 1 end {x = 10}: ??
  • {x ≥ 0} while (x < 10) do x := x + 1 end {x ≥ 10}: ??

9
"Results" (contd.)
  • {p} S {q} is a partial correctness result
  • It is valid if it is the case that:
  • if we start execution of S in any state σ ∈ P, and if the execution terminates, then the final state σ' satisfies q
  • {x = 0} while (x ≠ 10) do x := x + 1 end {x = 10}: Valid
  • {true} while (x ≠ 10) do x := x + 1 end {x = 10}: Also valid
  • Axiomatic semantics provides a non-operational approach -- in the form of a set of axioms and rules of inference -- using which we can 'axiomatically derive' our results
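To make "operationally valid" concrete, here is a small interpreter for the IMP fragment of slides 7-9 together with a checker for partial-correctness validity over a finite set of starting states. This is an added example, not code from the presentation: the tuple encoding of statements, dict states, the step budget that classifies a run as non-terminating, and the value range -2..12 are my assumptions.

```python
"""Operational model for the IMP fragment on the slides (added example).
A triple {p} S {q} is partially valid over a finite space of states if every
terminating run of S from a p-state ends in a q-state; runs that exceed the
step budget count as non-terminating and are ignored, as partial correctness
requires."""
from itertools import product

# Statement forms (my encoding): ("skip",), ("assign", x, e), ("seq", S1, S2),
# ("if", b, S1, S2), ("while", b, S).  e and b are functions of the state.

class NonTermination(Exception):
    """Raised when a run exceeds the step budget; treated as 'does not finish'."""

def run(stmt, state, budget=1000):
    """Execute stmt from state; return the final state or raise NonTermination."""
    kind = stmt[0]
    if kind == "skip":
        return state
    if kind == "assign":
        _, x, e = stmt
        return {**state, x: e(state)}
    if kind == "seq":
        return run(stmt[2], run(stmt[1], state, budget), budget)
    if kind == "if":
        _, b, s1, s2 = stmt
        return run(s1 if b(state) else s2, state, budget)
    if kind == "while":
        _, b, body = stmt
        steps = 0
        while b(state):
            steps += 1
            if steps > budget:
                raise NonTermination(state)
            state = run(body, state, budget)
        return state
    raise ValueError(stmt)

def states(names, lo, hi):
    """All states assigning each name a value in lo..hi (the finite model)."""
    return [dict(zip(names, vals)) for vals in product(range(lo, hi + 1), repeat=len(names))]

def partially_valid(p, stmt, q, space):
    """Check {p} S {q} over `space`.  Returns (ok, counterexample_or_None,
    number_of_runs_that_did_not_terminate)."""
    diverged = 0
    for s in space:
        if not p(s):
            continue
        try:
            final = run(stmt, s)
        except NonTermination:
            diverged += 1          # partial correctness ignores such runs
            continue
        if not q(final):
            return False, s, diverged
    return True, None, diverged

# The slides' examples, encoded in this model.
incr = ("assign", "x", lambda s: s["x"] + 1)
LOOP_LT = ("while", lambda s: s["x"] < 10, incr)     # while (x < 10) do x := x + 1
LOOP_NE = ("while", lambda s: s["x"] != 10, incr)    # while (x != 10) do x := x + 1
SPACE = states(["x", "y"], -2, 12)                   # constructed finite state space

def slide_examples():
    """Validity verdicts for a selection of the triples on slides 7-9."""
    return {
        "{x=1} skip {x=1}": partially_valid(lambda s: s["x"] == 1, ("skip",), lambda s: s["x"] == 1, SPACE)[0],
        "{x=1} skip {x=1 and y=2}": partially_valid(lambda s: s["x"] == 1, ("skip",), lambda s: s["x"] == 1 and s["y"] == 2, SPACE)[0],
        "{x>=0} while x<10 ... {x=10}": partially_valid(lambda s: s["x"] >= 0, LOOP_LT, lambda s: s["x"] == 10, SPACE)[0],
        "{x>=0} while x<10 ... {x>=10}": partially_valid(lambda s: s["x"] >= 0, LOOP_LT, lambda s: s["x"] >= 10, SPACE)[0],
        "{true} while x!=10 ... {x=10}": partially_valid(lambda s: True, LOOP_NE, lambda s: s["x"] == 10, SPACE)[0],
    }

if __name__ == "__main__":
    for triple, verdict in slide_examples().items():
        print(f"{triple}: {'valid' if verdict else 'invalid'}")
```

The last entry is the point of slide 9: starting from x = 11 the loop never finishes, so those runs do not count against the triple, and `partially_valid` reports it valid while also reporting how many runs diverged.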

10
Terminology (important!)
  • Assertion may be Satisfied or Not Satisfied by a particular state
  • Result may be Valid or Invalid in a given (operational) model
  • Result may be Derivable or Not Derivable in a given axiom system
  • Some meaningless statements:
  • "{p} S {q} is true" (note: true is a particular assertion)
  • "{p} S {q} is valid for some states"
  • "(The assertion) p is not valid"

11
Relation Between A.S. and Model
  • If a given result is derivable in a given axiom system A, will it be valid in an operational model M? Not necessarily.
  • Soundness (also "consistency"): An axiom system A is sound/consistent with model M if every result derivable using the axioms/rules of A is valid in M, i.e.
  • ⊢_A {p} S {q} ⇒ ⊨_M {p} S {q}
  • Completeness: An axiom system A is complete with respect to model M if every result that is valid in M is derivable using the axioms/rules of A:
  • ⊨_M {p} S {q} ⇒ ⊢_A {p} S {q}

12
Axiomatic Semantics of IMP
  • A.S.: A collection of "axioms" and "rules of inference" ("rules") specified using the same {p} S {q} notation
  • A0 (skip axiom): {p} skip {p}, where p is any assertion
  • Using this, can derive:
  • {(x = 1) ∧ (y = 2)} skip {(x = 1) ∧ (y = 2)}
  • by taking p to be the assertion (x = 1) ∧ (y = 2) in A0
  • Cannot derive:
  • {x = 1} skip {(x = 1) ∧ (y = 2)}
  • which is good (why?)
  • Cannot derive:
  • {(x = 1) ∧ (y = 2)} skip {x = 1}
  • which is bad (why?)

13
Axiomatic Semantics of IMP
  • R0 (Rule of Consequence):
  • {p} S {q'}, q' ⇒ q
  • -------------------------------
  • {p} S {q}
  • (p, q, q' any assertions; S any stmt)
  • Using R0 (and A0) we can derive:
  • {(x = 1) ∧ (y = 2)} skip {x = 1}
  • Another form of the rule of consequence:
  • p ⇒ p', {p'} S {q}
  • -------------------------------
  • {p} S {q}
  • (p, q, p' any assertions; S any stmt)
  • Consider other forms of consequence (including inconsistent ones?)

14
Axiomatic Semantics of IMP (contd)
  • A1 (Assignment axiom):
  • {p[x/e]} x := e {p}, where p is any assertion; p[x/e] is obtained from p by (simultaneously) replacing all occurrences of x in p by e. (Note: p^x_e is another notation for p[x/e].)
  • We can derive:

{x + 1 = y + z} x := x + 1 {x = y + z} (take p to be x = y + z)
{y + z ≥ 0} x := y + z {x ≥ 0} (take p to be x ≥ 0)
Operational Justification: If we want the state following the assignment to satisfy p, the state before it should satisfy the same assertion, except with the value of e satisfying the conditions expected of the value of x.
{y + z = y + z} x := y + z {x = y + z} (take p to be x = y + z)
15
Axiomatic Semantics of IMP (contd.)
  • Caution: In axiomatic derivations, you are only allowed to use the axioms and rules of the system; no appeals to operational intuitions. If you make such appeals, you have an operational argument, not an axiomatic derivation.
  • Summary: The axiomatic semantics of a language consists of:
  • An axiom for each atomic statement
  • A rule (of inference) for each compound stmt
  • Logical rules

16
Axiomatic Semantics of IMP (contd)
  • R1 (Sequential Composition):
  • {p} S1 {q'}, {q'} S2 {q}
  • ----------------------------------------
  • {p} S1; S2 {q} (p, q', q any assertions; S1, S2 any stmts.)
  • Using this, the skip axiom and the assignment axiom, we can derive:
  • {x + 1 = y + z} skip; x := x + 1 {x = y + z}
  • Operational Justification: If the state before S1 starts execution satisfies p, then {p} S1 {q'} guarantees that the state when S1 finishes will satisfy q'
  • hence {q'} S2 {q} guarantees the state when S2 finishes will satisfy q
  • hence the conclusion of the rule follows given these two results.
  • Caution: In (axiomatic) derivations, no appeals to operational intuitions!

17
Axiomatic Semantics of IMP (contd)
  • write e ≡ out := out · e (out with e appended)
  • A2 (write axiom): {p[out / out · e]} write e {p} (where p is any assertion)
  • read x ≡ (x := head(in); in := tail(in)):
  • {(p[in/tail(in)])[x/head(in)]}
  • x := head(in)
  • {p[in/tail(in)]}
  • in := tail(in)
  • {p}
  • A3 (read axiom):
  • {(p[in/tail(in)])[x/head(in)]} read x {p} (p any assertion)

18
Axiomatic Semantics of IMP (contd)
  • Problem: Derive the following result (axiomatically):
  • {(in = <3, 4>) ∧ (out = <>)}
  • read x; read y; write (x + y)
  • {out = <7>}
  • Derivation (or "proof") outline:
  • {(in = <3, 4>) ∧ (out = <>)} (rule of cons.)
  • {out · (head(in) + head(tail(in))) = <7>} (read axiom)
  • read x
  • {out · (x + head(in)) = <7>} (read axiom)
  • read y
  • {out · (x + y) = <7>} (write axiom)
  • write (x + y)
  • {out = <7>}

19
Axiomatic Semantics of IMP (contd)
  • R2 (If-then-else):
  • {p ∧ b} S1 {q}, {p ∧ ¬b} S2 {q}
  • --------------------------------------------------
  • {p} if b then S1 else S2 {q}
  • Operational Justification: Suppose we start in a state σ ∈ P. There are two ways to proceed: if σ ⊨ b, execute S1; if not, execute S2. In either case, the hypotheses (assuming they are valid) guarantee that the final state will satisfy q. Hence the conclusion follows.
  • Caution: In (axiomatic) derivations, no appeals to operational intuitions!

20
Axiomatic Semantics of IMP (contd)
  • Problem: Derive the following result (axiomatically):
  • {y = 1}
  • if (y = 1) then x := 1 else x := 2
  • {x = 1}
  • 1. {(y = 1) ∧ (y = 1)} x := 1 {x = 1} (by Ass. ax, rule of conseq.)
  • 2. {2 = 1} x := 2 {x = 1} (by Ass. ax, rule of conseq.)
  • 3. {(y = 1) ∧ (y ≠ 1)} x := 2 {x = 1} (by (2), rule of conseq.)
  • 4. {y = 1} if (y = 1) then x := 1 else x := 2 {x = 1} (by (1), (3), and the if-then-else rule)
  • Derive:
  • {true} if (y = 1) then x := 1 else x := 2 {(x = 1) ∨ (x = 2)}
  • {true} if (y = 1) then ... {((y = 1) ∧ (x = 1)) ∨ ((y ≠ 1) ∧ (x = 2))}

21
Axiomatic Semantics of IMP (contd)
  • R3 (while rule):
  • p ⇒ q, {q ∧ b} S {q}, (q ∧ ¬b) ⇒ r
  • -------------------------------------------------------
  • {p} while b do S {r}
  • The following rule, given the rule of conseq., is equivalent:
  • {q ∧ b} S {q}
  • -------------------------------------------------------
  • {q} while b do S {q ∧ ¬b}
  • I.e., any result derivable using R3 is derivable using the above
  • Operational justification: ...
  • R3 is complete ... somewhat surprising: we can always find an appropriate loop invariant

22
  • Problem: Derive the following result (axiomatically):
  • {(x ≥ 0) ∧ (y > 0)}
  • q := 0; r := x;
  • while ((r - y) ≥ 0) do q := q + 1; r := r - y end
  • {(x = qy + r) ∧ (0 ≤ r < y)}
  • Take loop invariant p to be p ≡ (x = qy + r) ∧ (0 ≤ r) ∧ (y > 0)
  • Derivation outline:
  • {(x ≥ 0) ∧ (y > 0)}
  • q := 0; r := x
  • {(x ≥ 0) ∧ (y > 0) ∧ (q = 0) ∧ (r = x)}
  • {p}
  • while ...
  • {p ∧ ((r - y) < 0)}
  • {(x = qy + r) ∧ (0 ≤ r < y)}

Key step 1: {p ∧ ((r - y) ≥ 0)} q := q + 1; r := r - y {p} (by ass. ax, seq. comp, conseq.)
Key step 2: p ∧ ((r - y) < 0) ⇒ (x = qy + r) ∧ (0 ≤ r < y) (by math logic/oracle)
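The derivation above reduces to three obligations: the initialisation establishes p, the body preserves p when the guard holds (key step 1), and p with the negated guard implies the postcondition (key step 2). This added example (not code from the presentation) checks all three exhaustively over a small range of integer states, which is a cheap way to test a candidate invariant before attempting the derivation; the state encoding, the body as a Python function and the range -3..6 are my assumptions. It also shows what goes wrong when the conjunct 0 ≤ r is dropped from p.

```python
"""Exhaustive check of the while-rule obligations for the division loop
(added example).  Obligations, in the slide's terms:
   1. pre ⇒ p after q := 0; r := x      2. {p ∧ b} body {p}      3. (p ∧ ¬b) ⇒ post"""
from itertools import product

def body(s):
    """q := q + 1; r := r - y"""
    s = dict(s); s["q"] += 1; s["r"] -= s["y"]; return s

def init(s):
    """q := 0; r := x (the statements before the loop)"""
    return {**s, "q": 0, "r": s["x"]}

def b(s):        return s["r"] - s["y"] >= 0
def pre(s):      return s["x"] >= 0 and s["y"] > 0
def post(s):     return s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] < s["y"]
def inv(s):      return s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] and s["y"] > 0
def inv_weak(s): return s["x"] == s["q"] * s["y"] + s["r"]   # drops 0 <= r: too weak

def check_while_rule(pre, init, inv, b, body, post, space):
    """Return a counterexample (or None) for each of the three obligations."""
    o1 = next((s for s in space if pre(s) and not inv(init(s))), None)
    o2 = next((s for s in space if inv(s) and b(s) and not inv(body(s))), None)
    o3 = next((s for s in space if inv(s) and not b(s) and not post(s)), None)
    return {"pre => inv": o1, "{inv & b} body {inv}": o2, "inv & !b => post": o3}

def space(lo, hi):
    """All assignments of lo..hi to x, y, q, r (constructed finite model)."""
    return [dict(zip("xyqr", v)) for v in product(range(lo, hi + 1), repeat=4)]

SPACE = space(-3, 6)

def division_obligations(invariant=inv):
    return check_while_rule(pre, init, invariant, b, body, post, SPACE)

if __name__ == "__main__":
    for name, cex in division_obligations().items():
        print(f"{name}: {'holds' if cex is None else cex}")
    print("weak invariant:", division_obligations(inv_weak)["inv & !b => post"])
```

With `inv_weak`, obligations 1 and 2 still hold but obligation 3 fails, for instance in a state with x = 0, y = 1, q = 1, r = -1: the equation x = qy + r is satisfied and the guard is false, yet r is negative. That is exactly the conjunct key step 2 needs, which is why the slide's invariant carries 0 ≤ r.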
23
  • Derive:
  • {(in = <1, 2, 3, ..., 100>) ∧ (out = <>)}
  • read x;
  • while (x ≠ 100) do write x; read x end
  • {out = <1, 2, ..., 99>}
  • Take loop invariant p to be p ≡ out · x · in = <1, 2, ..., 100>
  • Derivation outline:
  • {(in = <1, 2, 3, ..., 100>) ∧ (out = <>)}
  • read x
  • {(x = 1) ∧ (in = <2, 3, ..., 100>) ∧ (out = <>)}
  • {out · x · in = <1, 2, ..., 100>}
  • while (x ≠ 100) do write x; read x end
  • {(out · x · in = <1, 2, ..., 100>) ∧ (x = 100)}
  • {out = <1, 2, ..., 99>}

24
  • Derive:
  • {(in = <1, 2, 3, ..., 100>) ∧ (out = <>)}
  • s := 0; read x;
  • while (x ≠ 100) do write s; s := s + x; read x end
  • {s = Σ_{k=0..99} k}
  • Take loop invariant p to be (|in| = 100 - x) ∧ ∀k.((0 < k ≤ |in|) ⇒ (in_k = x + k)) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x-1)} k)
  • A more intuitive loop invariant:
  • (in = <x + 1, ..., 100>) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x-1)} k)
  • Key step:
  • {p ∧ (x ≠ 100)}
  • s := s + x; read x
  • {p}
  • Note: (head(in) = x + 1), implied by p, is important in showing that (p ∧ (x ≠ 100)) implies p', obtained by taking p back through the body

25
(In)Completeness
  • R3 (while rule):
  • p ⇒ q, {q ∧ b} S {q}, (q ∧ ¬b) ⇒ r
  • -------------------------------------------------------
  • {p} while b do S {r}
  • A simpler rule:
  • p ⇒ q, {q} S {q}, (q ∧ ¬b) ⇒ r
  • -------------------------------------------------------
  • {p} while b do S {r}
  • Using this rule, we can derive:
  • {x = 0} while (x ≠ 10) do x := x + 1 {x = 10}
  • Take p to be (x = 0) and q to be true

26
(In)Completeness (contd.)
  • The rule is incomplete:
  • p ⇒ q, {q} S {q}, (q ∧ ¬b) ⇒ r
  • -------------------------------------------------------
  • {p} while b do S {r}
  • Cannot derive:
  • {(x = 0) ∧ (y = 0)} while (x ≠ 0) do y := y + 1 {(x = 0) ∧ (y = 0)}
  • Proof: Suppose we could. Then there must exist q such that:
  • a. ((x = 0) ∧ (y = 0)) ⇒ q
  • b. {q} y := y + 1 {q}
  • c. (q ∧ (x = 0)) ⇒ ((x = 0) ∧ (y = 0))
  • Then <x = 0, y = 0, z = 0> ∈ Q by (a)
  • Hence <x = 0, y = 1, z = 0> ∈ Q by (b)
  • Hence <x = 0, y = 1, z = 0> satisfies q ∧ (x = 0) (why?)
  • But <x = 0, y = 1, z = 0> is not in ((x = 0) ∧ (y = 0))
  • Hence such a q cannot exist!
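The proof above can be run mechanically. For the simpler rule, any q satisfying (a) and (b) must contain every state reachable from a p-state by applying the body any number of times, so the smallest candidate for Q is that closure; if even the smallest candidate violates (c), no q exists. Under R3 the body only needs to preserve q from states where b holds, so the closure is taken only through such states. This is an added example, not code from the presentation; states are (x, y, z) tuples with z fixed at 0, and the bound on y that keeps the search finite is my assumption (the contradiction already appears at y = 1).

```python
"""Mechanised version of the incompleteness argument (added example):
compute the smallest q admitted by premises (a) and (b) of each while rule
and test premise (c) on it."""

def body(s):
    """y := y + 1"""
    x, y, z = s
    return (x, y + 1, z)

def closure(start, step, guard, limit):
    """Least set containing `start` and closed under `step` on states where
    `guard` holds.  Successors with y > limit are dropped to keep the search finite."""
    seen = set(start)
    frontier = list(start)
    while frontier:
        s = frontier.pop()
        if guard(s):
            t = step(s)
            if t[1] <= limit and t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen

PRE = {(0, 0, 0)}                              # (x = 0) ∧ (y = 0), with z = 0 (assumed)
def post(s):  return s[0] == 0 and s[1] == 0   # (x = 0) ∧ (y = 0)
def guard_b(s): return s[0] != 0               # b is x ≠ 0, so ¬b is x = 0

def smallest_q(rule):
    """Premise (b) is {q} S {q} for the simpler rule (close under the body
    everywhere) and {q ∧ b} S {q} for R3 (close only where b holds)."""
    guard = (lambda s: True) if rule == "simpler" else guard_b
    return closure(PRE, body, guard, limit=3)

def premise_c_failure(rule):
    """Premise (c): every state in Q with ¬b must satisfy the postcondition.
    Returns the first violating state, or None if (c) holds for the smallest q."""
    return next((s for s in sorted(smallest_q(rule)) if not guard_b(s) and not post(s)), None)

if __name__ == "__main__":
    for rule in ("simpler", "R3"):
        print(rule, sorted(smallest_q(rule)), "violates (c) at", premise_c_failure(rule))
```

For the simpler rule the closure contains <0, 1, 0>, which has x = 0 but y ≠ 0, so (c) fails and the result is underivable; for R3 the guard x ≠ 0 is false at <0, 0, 0>, the closure is just that state, and q ≡ (x = 0) ∧ (y = 0) works.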

27
Consistency/Completeness
  • How do you show a system A is consistent and/or complete (with respect to a model M)?
  • Generally a tedious task.
  • Special case: If we are told that A' is consistent/complete and A is obtained from A' by making some changes to some rules of A', we may be able to use the following approach:
  • Completeness: Show that all results derivable in A' are also derivable in A. Then completeness of A' implies completeness of A (with respect to the same model).
  • Consistency: Show that all results derivable in A are also derivable in A'. Then consistency of A' implies consistency of A (with respect to the same model).

28
Axiomatic Semantics of IMP (contd)
  • Suppose we change the if-then-else rule
  • {p ∧ b} S1 {q}, {p ∧ ¬b} S2 {q}
  • --------------------------------------------------
  • {p} if b then S1 else S2 {q}
  • To:
  • {p ∧ b} S1 {q ∧ b}, {p ∧ ¬b} S2 {q ∧ ¬b}
  • ------------------------------------------------------------
  • {p} if b then S1 else S2 {q}
  • The resulting system will be consistent: show that every result derivable in the new system is derivable in the original system
  • Completeness?

29
Total Correctness
  • How do we derive {in = <>} read x {false}? (1)
  • We can't!
  • A better axiom for read:
  • (p ∧ (in ≠ <>)) ⇒ (q[in/tail(in)])[x/head(in)]
  • --------------------------------------------------
  • {p} read x {q}
  • With this axiom, we can derive (1).
  • Also suggests a total correctness axiom for read:
  • p ⇒ (in ≠ <>) ∧ (q[in/tail(in)])[x/head(in)]
  • --------------------------------------------------
  • <p> read x <q>

30
Total Correctness (contd.)
  • Similar considerations for assignment: {(x = 0) ∧ (y = 3)} z := y/x {false}? (1)
  • We can't!
  • A better axiom: (p ∧ D(e)) ⇒ q[x/e]
  • --------------------------------------------------
  • {p} x := e {q}
  • With this axiom, we can derive (1).
  • Also suggests a total correctness axiom:
  • p ⇒ D(e) ∧ q[x/e]
  • --------------------------------------------------
  • <p> x := e <q>

31
Total Correctness (contd.)
  • Total correctness rule for while:
  • (p ∧ b) ⇒ (f > 0), <p ∧ b ∧ (f = k)> S <p ∧ (f < k)>
  • --------------------------------------------------
  • <p> while b do S <p ∧ ¬b>
  • a. Why does f have to be an integer function of the state?
  • b. What if b is not well defined?
  • c. What would happen if we change "<.......>" in the second line to "{.......}"?
  • The other rules are essentially the same as the corresponding partial correctness rules:
  • <p> S1 <q1>, <q1> S2 <q>
  • --------------------------------------
  • <p> S1; S2 <q>

32
Total Correctness (contd.)
  • Derive:
  • <(s = 0) ∧ (x = 0)>
  • while x ≠ 10 do x := x + 1; s := s + x end
  • <s = 0 + 1 + 2 + 3 + ... + 10>
  • Loop invariant: p ≡ (0 ≤ x ≤ 10) ∧ (s = Σ_{n=0..x} n)
  • Progress function (also called "progress metric", "convergence function", etc.): f(x, s) ≡ (10 - x)
  • Check: (p ∧ (x ≠ 10)) ⇒ (f > 0): easy
  • Derive: <p ∧ (x ≠ 10) ∧ (f = k)> x := x + 1; s := s + x <p ∧ (f < k)>: exercise
  • Hence the original result follows from the rule for loops
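The two premises of the total-correctness loop rule (slide 31), instantiated for this loop, and the definedness side condition D(e) from slide 30 can both be checked over a finite range of states. The following is an added example, not code from the presentation: states are dicts, the loop body is a Python function, D(y/x) is taken to be x ≠ 0, and the value ranges are my choice. A deliberately wrong progress function is included to show which premise rejects it.

```python
"""Total-correctness obligations (added example).  For the loop:
   1. (p ∧ b) ⇒ f > 0        2. <p ∧ b ∧ f = k> body <p ∧ f < k>
For assignment with side condition D(e):
   partial rule:  (p ∧ D(e)) ⇒ q[x/e]      total rule:  p ⇒ D(e) ∧ q[x/e]"""

def body(s):
    """x := x + 1; s := s + x"""
    s = dict(s); s["x"] += 1; s["s"] += s["x"]; return s

def b(s):      return s["x"] != 10
def inv(s):    return 0 <= s["x"] <= 10 and s["s"] == sum(range(s["x"] + 1))
def f_good(s): return 10 - s["x"]
def f_bad(s):  return s["x"]          # grows with each iteration: not a progress function

def loop_obligations(inv, b, body, f, space):
    """First counterexample to each premise (None when the premise holds on `space`)."""
    o1 = next((s for s in space if inv(s) and b(s) and not f(s) > 0), None)
    o2 = next((s for s in space if inv(s) and b(s)
               and not (inv(body(s)) and f(body(s)) < f(s))), None)
    return o1, o2

SPACE = [{"x": x, "s": s} for x in range(-1, 12) for s in range(0, 67)]   # constructed

def assign_obligation(pre, defined, post_after, space, total):
    """Assignment rule with definedness.  post_after(s) stands for q[x/e] evaluated
    in s.  Returns a failing state, or None if the premise holds on `space`."""
    for s in space:
        if not pre(s):
            continue
        if total and not defined(s):       # total rule demands D(e) outright
            return s
        if defined(s) and not post_after(s):
            return s
    return None

DIV_SPACE = [{"x": x, "y": y} for x in range(-2, 3) for y in range(-2, 5)]
def div_pre(s):     return s["x"] == 0 and s["y"] == 3
def div_defined(s): return s["x"] != 0   # D(y/x), assumed
def never(s):       return False         # the postcondition false

def division_example():
    """{(x = 0) ∧ (y = 3)} z := y/x {false}: derivable with the partial rule
    (the premise is vacuous because D(e) fails), not with the total rule."""
    return (assign_obligation(div_pre, div_defined, never, DIV_SPACE, total=False),
            assign_obligation(div_pre, div_defined, never, DIV_SPACE, total=True))

if __name__ == "__main__":
    print("f = 10 - x:", loop_obligations(inv, b, body, f_good, SPACE))
    print("f = x:     ", loop_obligations(inv, b, body, f_bad, SPACE))
    print("z := y/x:  ", division_example())
```

With f = 10 - x both premises hold. With f = x the very first loop state, x = 0 and s = 0, violates premise 1 (f is not positive) and premise 2 (f increases), so the rule cannot fire; this is the sense in which f must be a bounded-below, strictly decreasing integer function of the state (question a on slide 31).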

33
Non-determinism
  • Guarded commands
  • Selection: b1 → S1 [] b2 → S2 [] ... [] bn → Sn. To execute: choose any bi that evaluates to true and execute the corresponding Si; if all bi are false, error. E.g., x ≥ y → z := x [] y ≥ x → z := y sets z to the larger of x, y
  • Repetition: b1 → S1 [] b2 → S2 [] ... [] bn → Sn. To execute: choose any bi that evaluates to true and execute the corresponding Si. Repeat until, after some no. of iterations, all bi evaluate to false; at that point, stop. The loop may not terminate, or may terminate in 0 iterations. E.g., x1 > x2 → exch(x1, x2) [] x2 > x3 → exch(x2, x3) [] x3 > x4 → exch(x3, x4) sorts x1, x2, x3, x4

34
Axiomatics of non-determinism
  • Selection:
  • {p ∧ b1} S1 {q}, {p ∧ b2} S2 {q}, ..., {p ∧ bn} Sn {q}
  • ----------------------------------------------------------------------
  • {p} b1 → S1 [] b2 → S2 [] ... [] bn → Sn {q}
  • Repetition:
  • {p ∧ b1} S1 {p}, {p ∧ b2} S2 {p}, ..., {p ∧ bn} Sn {p}
  • ----------------------------------------------------------------------
  • {p} b1 → S1 [] ... [] bn → Sn {p ∧ ¬b1 ∧ ¬b2 ∧ ... ∧ ¬bn}
  • In the selection rule, what if none of the bi's evaluates to true?
  • Total correctness rules?
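Because a guarded command may pick any true guard, an operational model for the rules on slides 33 and 34 has to follow every choice: a triple holds only if all reachable final states satisfy the postcondition. The following is an added example, not code from the presentation; it encodes states as tuples, guards and commands as Python functions, and reports the "no guard true" error of selection as the value None, all of which are my assumptions.

```python
"""All-outcomes model of guarded-command selection and repetition (added
example), used to check the two postconditions claimed on slide 33."""
from itertools import permutations

ERROR = None   # stands for the error case of selection: no guard holds

def select(guarded, s):
    """Selection: the set of results of executing one Si whose bi holds in s."""
    outs = {cmd(s) for guard, cmd in guarded if guard(s)}
    return outs or {ERROR}

def repeat(guarded, s, limit=10000):
    """Repetition: every state in which execution can stop (no guard true),
    reachable from s by repeatedly firing some true guard.  Revisited states are
    not re-explored, so a cycling path simply contributes no final state."""
    finals, seen, frontier = set(), {s}, [s]
    while frontier:
        cur = frontier.pop()
        nexts = {cmd(cur) for guard, cmd in guarded if guard(cur)}
        if not nexts:
            finals.add(cur)
        for n in nexts:
            if n not in seen and len(seen) < limit:
                seen.add(n)
                frontier.append(n)
    return finals

# Slide 33, selection: x >= y -> z := x [] y >= x -> z := y on states (x, y, z).
MAX = [(lambda s: s[0] >= s[1], lambda s: (s[0], s[1], s[0])),
       (lambda s: s[1] >= s[0], lambda s: (s[0], s[1], s[1]))]

def max_holds(space):
    """{true} selection {z = max(x, y)}, checked on every outcome of every state."""
    return all(out is not ERROR and out[2] == max(s[0], s[1])
               for s in space for out in select(MAX, s))

# Slide 33, repetition: x1 > x2 -> exch(x1, x2) [] x2 > x3 -> exch(x2, x3) [] x3 > x4 -> exch(x3, x4).
def exch(i, j):
    def swap(s):
        t = list(s); t[i], t[j] = t[j], t[i]; return tuple(t)
    return swap

SORT = [(lambda s, i=i: s[i] > s[i + 1], exch(i, i + 1)) for i in range(3)]

def sort_holds(space):
    """{true} repetition {sorted}: every state the loop can stop in is the sorted permutation."""
    return all(out == tuple(sorted(s)) for s in space for out in repeat(SORT, s))

MAX_SPACE = [(x, y, 0) for x in range(-2, 3) for y in range(-2, 3)]          # constructed
SORT_SPACE = sorted(set(permutations((1, 2, 2, 4)))) + [(3, 1, 2, 0)]        # constructed

def strict_max_error_states(space):
    """The slide's closing question: with strict guards x > y and y > x only,
    states with x = y have no true guard and selection errors."""
    strict = [(lambda s: s[0] > s[1], MAX[0][1]), (lambda s: s[1] > s[0], MAX[1][1])]
    return [s for s in space if select(strict, s) == {ERROR}]

if __name__ == "__main__":
    print("max:", max_holds(MAX_SPACE), "sort:", sort_holds(SORT_SPACE))
    print("error states with strict guards:", strict_max_error_states(MAX_SPACE))
```

The sorting loop is the interesting case for the repetition rule: the invariant "the tuple is a permutation of the input" is preserved by every guarded exchange, and when all three guards are false no adjacent pair is out of order, so the conjunction of the negated guards is exactly "sorted".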