CSI 3125, Axiomatic Semantics, page 1 - PowerPoint PPT Presentation

About This Presentation

Title:

CSI 3125, Axiomatic Semantics, page 1

Description:

CSI 3125, Axiomatic Semantics, page 7. The axiom for the assignment statement ... The axiom for statement composition gives us: { true } x = 0; f = 1; while ( x != n ) ... – PowerPoint PPT presentation

Number of Views:24

Avg rating:3.0/5.0

Slides: 58

Provided by: alanwi8

Category:

more less

Transcript and Presenter's Notes

Title: CSI 3125, Axiomatic Semantics, page 1

1
Axiomatic semantics
Points to discuss

The assignment statement
Statement composition
The "if-then-else" statement
The "while" statement
Narrowing and widening
Termination
Two diversions
The greatest common divisor
The "if-then" statement

2
Program verification

Program verification includes two steps.
Associate a formula with every meaningful step
of the computation.
Show that the final formula logically follows
from the initial one through all intermediate
steps and formulae.

3
What is axiomatic semantics?

Axiomatic semantics of assignments, compound
statements, conditional statements, and iterative
statements has been developed by Professor
C. A. R. Hoare.
The elementary building blocks are the formulae
for assignments and conditions.
The effects of other statements are described by
inference rules that combine formulae for
assignments (just as statements themselves are
combinations of assignments and conditions).

4
The assignment statement

Let ? be a logical formula that contains variable
v.
? v ? e is a formula which we get from ? when we
replace all occurrences of variable v with
expression e.

5
Replacement, an example

Before replacement
? ? h gt 0 h lt n n gt 0
h ? 0 ? 0 gt 0 0 lt n n gt 0
after replacement

6
Another example

? ? m min( 1 lt i i lt k1 ai )
k1 lt N
?k ? k1 ? m min( 1 lt i i lt (k1) 1 ai
)
(k1)1 lt N
? m min( 1 lt i i lt k ai ) k lt N

7
The axiom for the assignment statement

?v ? e v e ?
Example
0 gt 0 0 lt n n gt 0
x 0
x gt 0 x lt n n gt 0

8
Two small puzzles
??? z z 1 z lt N a gt b
a a b ???
9
Statement composition

ASSUME THAT
? S ?
and
? S ?
CONCLUDE THAT
? S S ?
In other words
? S ? S ?

10
A more complicated example

x 0 f 1
while (x ! n)
x x 1
f f x
We want to prove that
f x! x x 1f f x
f x!

11
The factorial

Let's apply the inference rule for composition.
? is f x!
? is f x!
S is x x 1
S is f f x

12
The factorial (2)

We need to find a ? for which we can prove
f x! x x 1
?
f f x f x!
Observe that f x! ? f ((x 1) 1)!
and therefore f (x 1)! x ? x 1 ? f
x!
That is
f x! x x 1 f (x 1)!

?
?
S
13
The factorial (3)

Now, let us observe that
f (x 1)! ? f x (x 1)! x x!
So, we have
f x! f ? f x ? f (x 1)!
That is,
f (x 1)! f f x f x!

?
?
S
QED
14
The "if-else" statement

ASSUME THAT
? ? S ?
and
? ? ? S ?
CONCLUDE THAT
? if ( ? ) S else S ?
Both paths through the if-else statement
establish the same fact ?. That is why the whole
conditional statement establishes this fact.

15
"if-else", an example

The statement
if ( a lt 0 ) b -a else b a
makes the formula b abs(a) true.
Specifically, the following fact holds
trueif ( a lt 0 ) b -a else b a b
abs(a)
Here ? is true
? is b abs(a)
? is a lt 0
Also S is b -a
S is b a

16
"if-else", an example (2)

We will consider cases. First, we assume that ?
is true
true a lt 0 ? a lt 0 ? a abs(a)
Therefore, by the assignment axiom
a abs(a) b -a b abs(a)
Similarly, when we assume ? ?, we get this
true ? a lt 0 ? a ? 0 ? a abs(a)
Therefore
a abs(a) b a b abs(a)

17
"if-else", an example (3)

This shows that both S and S establish the
same condition
b abs(a)
Our fact has been proven
trueif ( a lt 0 ) b -a else b a b
abs(a)
In other words, our conditional statement
computes abs(a). It does so without any
preconditions "true" means that there are no
restrictions on the initial values of a and b.

18
The "while" statement

A loop invariant is a condition that is true
immediately before entering the loop, stays true
during its execution, and is still true after the
loop has terminated.
ASSUME THAT
? ? S ?
That is, S preserves ?.
CONCLUDE THAT
? while ( ? ) S ? ? ?
provided that the loop terminates.

19
The factorial again...

x 0 f 1
while ( x ! n )
x x 1
f f x
Assume for now that n 0. After computing
x 0 f 1
we have f x! because it is true that 1
0!
We showed earlier that
f x! x x 1 f f x f x!

20
The factorial again... (2)

Now, ? is f x! ? is x ! n ? ? is x n
Using the inference rule for "while" loops
f x!
while ( x ! n )
x x 1
f f x
f x! x n

21
The factorial again... (3)

Notice that
f x! x n ? f n!
This means two things
true x 0 f 1 f x!
AND
f x! while ( x ! n )
x x 1
f f x
f n!

22
The factorial again... (4)

In other words, the program establishes f n!
without any preconditions on the initial values
of f and n, assuming that we only deal with n
0.
The axiom for statement composition gives us
true x 0 f 1
while ( x ! n )
x x 1
f f x
f n!
So this program does compute the factorial of n.

23
The factorial again... (5)

Our reasoning agrees with the intuition of loop
invariants we adjust some variables and make the
invariant temporarily false, but we re-establish
it by adjusting some other variables.
f x! x x 1 f (x 1)!
the invariant is "almost true"
f (x 1)! f f x f x!
the invariant is back to normal
This reasoning is not valid for infinite
loopsthe terminating condition ? ? ? is never
reached, and we know nothing of the situation
following the loop.

24
Narrowing and widening

ASSUME THAT
? ? ?
and
? S ?
CONCLUDE THAT
? S ?

ASSUME THAT
? S ?
and
? ? ?
CONCLUDE THAT
? S ?

These rules can be used to narrow a precondition,
or to widen a postcondition.
25
Narrowing and widening, a small example

n! is computed, for any nonnegative n, with true
as the precondition (it is always computed
successfully)
So, n! will in particular must be computed
successfully if initially n 5.

26
A larger example (in a more concise notation)

N gt 1 ?
N gt 1 1 1 a1 a1 i 1 s
a1
N gt 1 i 1 s a1 ?
N gt 1 s a1 ai ? INVARIANT
while ( i ! N )
N gt 1 s a1 ai i ! N
i i 1
N gt 1 s a1 ai1 i 1 ! N
s s ai
N gt 1 s a1 ai
N gt 1 s a1 ai i N ?
N gt 1 s a1 aN

27
A larger example (2)

We have shown that this program computes the sum
of a1, ..., aN.
The precondition N gt 1 is only necessary to
prove termination.

28
Termination

Proofs like these show only partial correctness.
Everything is fine if the loop stops.
Otherwise we don't know (but the program may be
correct for most kinds of data).
A reliable proof must show that all loops in the
program are finite.
We can prove termination by showing how each step
brings us closer to the final condition.

29
Once again, the factorial

Initially, x 0.
Every step increases x by 1, so we go through the
numbers 0, 1, 2, ...
n gt 0 must be found among these numbers.
Notice that this reasoning will not work forn lt
0 the program loops.

30
A decreasing function

A loop terminates when the value of some function
of program variables goes down to 0 during the
execution of the loop.
For the factorial program, such a function could
be n x. Its value starts at n and decreases by
1 at every step.
For summation, we can take N i.

31
Multiplication by successive additions

B gt 0 B B 0 0 ? FOR TERMINATION
b B p 0
b B p 0 ? p A (B b) ?
INVARIANT
while ( b ! 0 )
p p A
p A (B (b 1))
b b - 1
p A (B b)
p A (B b) b 0 ?
p A B
The loop terminates, because the value of the
variable b goes down to 0.

32
Two diversions

Prove that the sequence
p a a b b p
exchanges the values of a and b
a A b B
p a a b b p
b A a B
The highlights of a proof
a A b B p a
p A b B a b
p A a B b p
b A a B

33
Two diversions (2)
Discover and PROVE the behaviour of the following
sequence of statements for integer variables x, y

x x y
y x - y
x x - y

34
Two diversions (3)

x X y Y ?
x y X Y y Y x x y
x X Y y Y ?
x X Y x - y X y x - y
x X Y y X ?
x - y Y y X x x - y
x Y y X

35
The greatest common divisor

X gt 0 Y gt 0
a X b Y
? ? what should the invariant be?
while ( a ! b ) ? a ! b
if ( a gt b ) ? a ! b a gt b
a a - b
else ? a ! b ? (a gt b)
b b - a
? ? (a ! b)
GCD( X, Y ) a

36
GCD (2)

We will need only a few properties of greatest
common divisors
GCD( n m, m ) GCD( n, m )
GCD( n, m n ) GCD( n, m )
The first step (very formally)
X gt 0 Y gt 0 ?
X gt 0 Y gt 0 X X Y Y
a X b Y
a gt 0 b gt 0 a X b Y

37
GCD (3)

When the loop stops, we get a b GCD( a, b
) aWe may want this condition in the
invariant
a b GCD( X, Y ) GCD( a, b )
At the beginning of the loop, we have
a gt 0 b gt 0 a X b Y ?
a gt 0 b gt 0 GCD( X, Y ) GCD( a, b )
So, the invariant could be this
a gt 0 b gt 0 GCD( X, Y ) GCD( a, b )

38
GCD (4)

We should be able to prove that
a gt 0 b gt 0 GCD(X, Y) GCD(a, b) a
! b
while ......
a gt 0 b gt 0 GCD(X, Y) GCD(a, b)
The final condition will be
a gt 0 b gt 0 GCD(X, Y) GCD(a, b) a
b
and this will imply
GCD( X, Y ) a

39
GCD (5)

The loop consists of one conditional statement.
Our proof will be complete if we show this
a gt 0 b gt 0 GCD(X, Y) GCD(a, b) a
! b
if ( a gt b )
a a - b
else
b b - a
a gt 0 b gt 0 GCD(X, Y) GCD(a, b)

40
GCD (6)

Consider first the case of a gt b.
a gt 0 b gt 0 GCD(X, Y) GCD(a, b) a
! b a gt b ?
a b gt 0 b gt 0 GCD(X, Y) GCD(a b,
b)
a a - b
a gt 0 b gt 0 GCD(X, Y) GCD(a, b)

41
GCD (7)

Now, the case of ? a gt b.
a gt 0 b gt 0 GCD(X, Y) GCD(a, b) a
! b ? (a gt b) ?
a gt 0 b a gt 0 GCD(X, Y) GCD(a, b
a)
b b - a
a gt 0 b gt 0 GCD(X, Y) GCD(a, b)

42
GCD (8)

Both branches of if-else give the same final
condition. We will complete the correctness proof
when we show that the loop terminates.
We show how the value of max( a, b ) decreases at
each turn of the loop.
Let a A, b B at the beginning of a step.
Assume first that a gt b
max( a, b ) A,
so a b lt A, b lt A,
therefore max( a b, b ) lt A.

43
GCD (9)

Now assume that a lt b
max( a, b ) B,
b a lt B, a lt B,
therefore max( a, b a ) lt B.
Since a gt 0 and b gt 0, max( a, b ) gt 0.
This means that decreasing the values of a, b
cannot go forever.
QED

44
The "if" statement

ASSUME THAT
? ? S ?
and
? ? ? ? ?
CONCLUDE THAT
? if ( ? ) S ?

45
An example with "if"

We will show the following
N gt 0
k 1 m a1
while ( k ! N )
k k 1
if ( ak lt m ) m ak
m min( 1 lt i i lt N ai )

46
Minimum

Loop termination is obvious
the value of N k goes down to zero.
Here is a good invariant at the kth turn of the
loop, when we have already looked at a1, ..., ak,
we know that m min( 1 lt i i lt k ai ).
Initially, we have this
N gt 0 k 1 m a1
k 1 m a1 ?
k 1 m min( 1 lt i i lt k ai )

47
Minimum

We must prove the following
m min( 1 lt i i lt k ai ) k ! N
k k 1
if ( ak lt m ) m ak
m min( 1 lt i i lt k ai )

48
Minimum (2)

m min( 1 lt i i lt k ai ) k ! N
?
m min( 1 lt i i lt (k 1) 1 ai )
(k 1) 1 ! N
k k 1
m min( 1 lt i i lt k 1 ai ) k 1
! N
Note that k 1 ! N ensures the existence of
ak.

49
Minimum (3)

This remains to be shown
m min( 1 lt i i lt k 1 ai ) k 1
! N
if ( ak lt m ) m ak
m min( 1 lt i i lt k ai )
The fact we will use is this
min( 1 lt i i lt k ai ) min2( min( 1 lt i
i lt k 1 ai ), ak )

50
Minimum (4)

We will consider two cases of the conditional
statement.
First, ?(ak lt m).
m min(1 lt i i lt k 1 ai ) k 1 ! N
?(ak lt m) ?
m min2(min( 1 lt i i lt k 1 ai ), ak )
?
m min(1 lt i i lt k ai )

51
Minimum (5)

Now, ak lt m.
m min(1 lt i i lt k 1 ai ) k 1 !
N ak lt m ?
ak min2( min( 1 lt i i lt k 1 ai ), ak
) ?
ak min(1 lt i i lt k ai )
m ak
m min(1 lt i i lt k ai )
So, the body of the loop preserves the condition
m min( 1 lt i i lt k ai )

52
Minimum (6)

Now, the whole loop works as follows
m min( 1 lt i i lt k ai )
while ( k ! N )
k k 1 if ( ak lt m ) ak m
m min( 1 lt i i lt k ai ) k N ?
m min( 1 lt i i lt N ai )
All in all, we have shown that our program finds
the minimum of N numbers, if only N gt 0.
QED

53
Yet another "while" loop
Examples