COP4020 Programming Languages - PowerPoint PPT Presentation

About This Presentation
Title:

COP4020 Programming Languages

Description:

COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen Assertions and Preconditions Assertions are used by programmers to verify ... – PowerPoint PPT presentation

Slides: 24
Provided by: Robertva9
Learn more at: http://websrv.cs.fsu.edu

Transcript and Presenter's Notes

1
COP4020 Programming Languages
  • Introduction to Axiomatic Semantics
  • Prof. Robert van Engelen

2
Assertions and Preconditions
  • Assertions are used by programmers to verify
    run-time execution
  • An assertion is a logical formula to verify the
    state of variables and data to ensure safe
    continuation
  • A failed assertion should stop the program
  • Assertions are placed by programmers explicitly
    in code: assert (len > 0); mean = sum / len
  • By contrast, preconditions state the initial
    conditions under which an algorithm has been
    proven correct

3
Preconditions, Postconditions and Partial Correctness
  • We will place assertions before and after a
    command C: {Precondition} C {Postcondition}
  • We say that the command C is partially correct
    with respect to the <precondition, postcondition>
    specification, provided that
    • The command C is executed with values that make
      the precondition true
    • If the command terminates, then the resulting
      values make the postcondition true
  • Total correctness requires termination

4
Assignment Axiom
  • If we view assertions as predicates, the
    assignment axiom can be stated
      {P(E)} V := E {P(V)}
    that is, if we state a property of V after the
    assignment, then the property must hold for
    expression E before the assignment
  • We can use substitution to derive the
    precondition given a postcondition formula P;
    this is the assignment axiom
      {P[V→E]} V := E {P}
    where P[V→E] denotes the substitution of V by E in P

5
Examples for Assignments
  • {k = 5} k := k + 1 {k = 6}
      (k = 6)[k→k+1] ⇔ (k + 1 = 6) ⇔ (k = 5)
  • {j = 3 and k = 4} j := j + k {j = 7 and k = 4}
      (j = 7 and k = 4)[j→j+k] ⇔ (j + k = 7 and k = 4) ⇔ (j = 3 and k = 4)
  • {true} x := 2 {x = 2}
      (x = 2)[x→2] ⇔ (2 = 2) ⇔ (true)
  • {a > 0} a := a - 1 {a >= 0}
      (a >= 0)[a→a-1] ⇔ (a - 1 >= 0) ⇔ (a > 0)   Assuming a is int!
  • {false} y := 1 {y = 2}
      No state can satisfy the precondition! Partially correct

6
Validity of Assignment Axiom
  • At first glance it seems that working backward
    from a postcondition is more complicated than
    necessary and we could use {true} V := E {V = E}
  • However, consider {true} m := m + 1 {m = m + 1}
    and we find that m = m + 1 ⇒ false

Callouts: "m := m + 1" is the assignment; "m = m + 1" is an equality
7
Statement Composition: Sequence Axiom
  • The sequence axiom {P} C1 {Q} C2 {R}:
    Q is a postcondition of C1 and a precondition
    for C2
  • Written as a rule of inference:
      {P} C1 {Q}    {Q} C2 {R}
      ------------------------
          {P} C1; C2 {R}

8
Example Sequencing
  • We usually write the sequencing vertically and
    insert the assertions between the statements:
      {i > 0}
      k := i + 1
      {k > 0 and j = j ⇔ k > 0}
      i := j
      {k > 0 and i = j}
  • The rule of inference:
      {i > 0} k := i + 1 {k > 0}    {k > 0} i := j {k > 0 and i = j}
      --------------------------------------------------------------
                {i > 0} k := i + 1; i := j {k > 0 and i = j}

Callouts: (k > 0)[k→i + 1] and (k > 0 and i = j)[i→j]
9
Skip Axiom
  • The skip statement is a no-op: {P} skip {P}
    pre- and postconditions are identical

10
If-then-else Axiom
  • The if-then-else axiom written vertically:
      {P}
      if B then
        {P and B} C1 {Q}
      else
        {P and not B} C2 {Q}
      end if
      {Q}

11
If-then-else Axiom
  • And as an inference rule:
      {P and B} C1 {Q}    {P and not B} C2 {Q}
      ----------------------------------------
        {P} if B then C1 else C2 end if {Q}

12
The if-then-else Weakest Precondition Rule
  • We can derive the weakest precondition P of an
    if-then-else using
      P ⇔ (not B or P1) and (B or P2)
    where P1 is the precondition of C1 given
    postcondition Q and P2 is the precondition of C2
    given postcondition Q
  • Example:
      {(x <= 0 or x >= 0) and (x > 0 or true) ⇒ true}
      if x > 0 then
        {x >= 0} y := x
      else
        {0 >= 0 ⇒ true} y := 0
      end if
      {y >= 0}

Callout: compute preconditions P1 and P2 of C1 and C2
13
Precondition Strengthening
  • Logical implication (⇒ or →) means
      stronger condition  ⇒  weaker condition
      (more restrictive)     (less restrictive)
  • For example:
      x = y and y = 0 ⇒ y = 0
      x ≠ 0 ⇒ x = 0 or x < 0 or x > 0
      x = 0 ⇒ x >= 0
      x = y ⇒ true
      false ⇒ x = y²

14
Using Precondition Strengthening
  • We can always make a precondition stronger than
    necessary to complete a proof
  • For example, suppose we know that x > 0 and y = 2
    at the start of the program:
      {x > 0 and y = 2} ⇒ {x > 0}
      y := x
      {y = x and y > 0}

Callout: (y = x and y > 0)[y→x] ⇔ (x = x and x > 0)
15
Loops and Loop Invariants
  • A loop-invariant condition is a logical formula
    that is true before the loop, in the loop, and
    after the loop
  • A common example: grocery shopping
  • The invariant is
      groceries needed = groceries on list + groceries in cart
  • Annotated:
      {cart empty}
      {groceries needed = groceries on list + groceries in cart
       ⇔ groceries needed = groceries on list}
      while grocery list not empty do
        {groceries needed = groceries on list + groceries in cart
         and not empty list}
        add grocery to cart
        take grocery off list
        {groceries needed = groceries on list + groceries in cart}
      end do
      {groceries needed = groceries on list + groceries in cart
       and empty list ⇒ groceries needed = groceries in cart}

16
While-loop Axiom
  • The while-loop axiom uses a loop invariant I,
    which must be determined
  • Invariants cannot generally be computed
    automatically and must be guessed by an
    experienced programmer
      {I}
      while B do
        {I and B} C {I}
      end do
      {I and not B}

17
While-loop Example (1)
  • Loop invariant I ≡ (f * k! = n! and k >= 0)
      {n >= 0}
      k := n
      f := 1
      while k > 0 do
        f := f * k
        k := k - 1
      end do
      {f = n!}

Proof that this algorithm is correct given
precondition n >= 0 and postcondition f = n!
18
While-loop Example (2)
  • Loop invariant I ≡ (f * k! = n! and k >= 0)
      {n >= 0}
      k := n
      f := 1
      {f * k! = n! and k >= 0}
      while k > 0 do
        {f * k! = n! and k >= 0 and k > 0}
        f := f * k
        k := k - 1
        {f * k! = n! and k >= 0}
      end do
      {f * k! = n! and k >= 0 and k <= 0}
      {f = n!}

Add while-loop preconditions and postconditions
based on the invariant
19
While-loop Example (3)
  • Loop invariant I ≡ (f * k! = n! and k >= 0)
      {n >= 0}
      k := n
      {1 * k! = n! and k >= 0}
      f := 1
      {f * k! = n! and k >= 0}
      while k > 0 do
        {f * k! = n! and k >= 0 and k > 0}
        f := f * k
        {f * (k-1)! = n! and k-1 >= 0}
        k := k - 1
        {f * k! = n! and k >= 0}
      end do
      {f * k! = n! and k >= 0 and k <= 0}
      {f = n!}

Use assignment axioms
20
While-loop Example (4)
  • Loop invariant I ≡ (f * k! = n! and k >= 0)
      {n >= 0}
      {n! = n! and n >= 0}
      k := n
      {1 * k! = n! and k >= 0}
      f := 1
      {f * k! = n! and k >= 0}
      while k > 0 do
        {f * k! = n! and k >= 0 and k > 0}
        {f * k * (k-1)! = n! and k-1 >= 0}
        f := f * k
        {f * (k-1)! = n! and k-1 >= 0}
        k := k - 1
        {f * k! = n! and k >= 0}
      end do
      {f * k! = n! and k >= 0 and k <= 0}
      {f = n!}

Use assignment axioms
21
While-loop Example (5)
  • Loop invariant I ≡ (f * k! = n! and k >= 0)
      {n >= 0}
      ⇒ {n! = n! and n >= 0}
      k := n
      {1 * k! = n! and k >= 0}
      f := 1
      {f * k! = n! and k >= 0}
      while k > 0 do
        {f * k! = n! and k >= 0 and k > 0}
        ⇒ {f * k * (k-1)! = n! and k-1 >= 0}
        f := f * k
        {f * (k-1)! = n! and k-1 >= 0}
        k := k - 1
        {f * k! = n! and k >= 0}
      end do
      {f * k! = n! and k >= 0 and k <= 0}
      {f = n!}

Use precondition strengthening to prove the
correctness of implications
22
While-loop Example (6)
  • Loop invariant I ≡ (f * k! = n! and k >= 0)
      {n >= 0}
      ⇒ {n! = n! and n >= 0}
      k := n
      {1 * k! = n! and k >= 0}
      f := 1
      {f * k! = n! and k >= 0}
      while k > 0 do
        {f * k! = n! and k >= 0 and k > 0}
        ⇒ {f * k * (k-1)! = n! and k-1 >= 0}
        f := f * k
        {f * (k-1)! = n! and k-1 >= 0}
        k := k - 1
        {f * k! = n! and k >= 0}
      end do
      {f * k! = n! and k >= 0 and k <= 0}
      ⇒ {f * k! = n! and k = 0}
      ⇒ {f = n!}

Use simplification and logical implications to
complete the proof
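The six steps above carry the factorial proof by hand. The following Python program is an added example (not part of the slides) that checks the same three proof obligations of the while-loop axiom, initiation, preservation and exit, by exhaustive evaluation over small concrete states instead of symbolic substitution, and then runs the slides' program with the invariant asserted at each annotated point. It also tries a plausible but wrong candidate invariant (k > 0 in place of k >= 0) to show which obligation rejects it. The function names, the state bound max_n and the strict_invariant candidate are this example's own choices.

```python
"""Checking the factorial loop's invariant (while-loop example, slides 16-22).

Added example, not from the slides.  The while-loop axiom leaves three proof
obligations, checked here by brute force over small concrete states (f, k, n):
  initiation:   {n >= 0} k := n; f := 1 {I}
  preservation: {I and k > 0} f := f * k; k := k - 1 {I}
  exit:         I and not (k > 0) implies f = n!
"""
from math import factorial


def invariant(f, k, n):
    """I = (f * k! = n! and k >= 0), the invariant from the slides."""
    return k >= 0 and f * factorial(k) == factorial(n)


def strict_invariant(f, k, n):
    """A plausible but wrong candidate, I' = (f * k! = n! and k > 0)."""
    return k > 0 and f * factorial(k) == factorial(n)


def loop_body(f, k):
    """One iteration of the loop body: f := f * k; k := k - 1."""
    return f * k, k - 1


def states(max_n):
    """Every concrete state with 0 <= k, n <= max_n and 0 <= f <= max_n!
    (a constructed bound, small enough to enumerate exhaustively)."""
    for n in range(max_n + 1):
        for k in range(max_n + 1):
            for f in range(factorial(max_n) + 1):
                yield f, k, n


def check_initiation(inv, max_n=6):
    """{n >= 0} k := n; f := 1 {I}: the initialisation establishes I."""
    return all(inv(1, n, n) for n in range(max_n + 1))


def check_preservation(inv, max_n=6):
    """{I and k > 0} body {I}: every state entering the body re-establishes I."""
    return all(inv(*loop_body(f, k), n)
               for f, k, n in states(max_n) if inv(f, k, n) and k > 0)


def check_exit(inv, max_n=6):
    """I and not (k > 0) => f = n!: leaving the loop yields the postcondition."""
    return all(f == factorial(n)
               for f, k, n in states(max_n) if inv(f, k, n) and not k > 0)


def factorial_loop(n):
    """The slides' program with the proof's assertions checked at run time."""
    assert n >= 0, "precondition n >= 0 violated"
    k = n
    f = 1
    assert invariant(f, k, n)                   # I holds before the loop
    while k > 0:
        assert invariant(f, k, n) and k > 0     # I and B at the top of the body
        f, k = loop_body(f, k)
        assert invariant(f, k, n)               # I re-established
    assert invariant(f, k, n) and not k > 0     # I and not B after the loop
    assert f == factorial(n)                    # postcondition f = n!
    return f


if __name__ == "__main__":
    for name, inv in (("I (k >= 0)", invariant), ("I' (k > 0)", strict_invariant)):
        print(name, "initiation:", check_initiation(inv),
              "preservation:", check_preservation(inv),
              "exit:", check_exit(inv))
    print("5! =", factorial_loop(5))
```

The wrong candidate I' passes the exit check vacuously (no state has both k > 0 and k <= 0) but fails initiation at n = 0 and preservation at k = 1, which is exactly why the slides need k >= 0 rather than k > 0.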
23
Specifications
  • A postcondition specification can be any logical
    formula
  • A specification that states the input-output
    requirements of an algorithm is needed to prove
    correctness
  • A specification that tests a violation can aid in
    debugging
  • For example (precondition strengthening is
    disallowed):
      {(n > 0 or false) and (n <= 0 or n = 0) ⇒ false}
      if (n <= 0)
        {false} p := 2
      else
        {n = 0} p := n + 1
      {p = 1}
      k := m / (p - 1)
    derived from the program
      if (n <= 0) p := 2 else p := n + 1
      k := m / (p - 1)   // Error when p = 1

Callout on false: means never possible
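The assignment, sequence, skip and if-then-else rules of slides 4 to 14 and the violation check of this last slide are mechanical enough to automate. The following Python program is an added example (not from the slides) that computes weakest preconditions for a tiny statement language by textual substitution on Python's ast, and decides the resulting implications by brute force over a small integer domain in place of a theorem prover. The tuple encoding of statements, the use of Python expression syntax for predicates ("k == 6" for k = 6), the function names and the domain bounds are all this example's own assumptions.

```python
"""Weakest-precondition calculator for the slides' tiny language.

Added example, not from the slides.  Predicates and expressions are Python
expression strings ("k == 6", "k + 1"); statements are tuples:
  ("skip",)                              skip
  ("assign", var, expr)                  var := expr
  ("seq", [stmt, ...])                   C1; C2; ...
  ("if", cond, then_stmt, else_stmt)     if cond then C1 else C2 end if
"""
import ast
import itertools


class _Subst(ast.NodeTransformer):
    """Replace every occurrence of the variable `var` by the expression `repl`."""

    def __init__(self, var, repl):
        self.var, self.repl = var, repl

    def visit_Name(self, node):
        # Do not recurse into the replacement, so k -> k + 1 substitutes once.
        return self.repl if node.id == self.var else node


def substitute(pred, var, expr):
    """P[var -> expr]: the textual substitution of the assignment axiom."""
    tree = ast.parse(pred, mode="eval")
    repl = ast.parse(expr, mode="eval").body
    return ast.unparse(_Subst(var, repl).visit(tree))


def wp(stmt, post):
    """Weakest precondition of `stmt` for the postcondition `post`."""
    kind = stmt[0]
    if kind == "skip":                     # {P} skip {P}
        return post
    if kind == "assign":                   # {P[V->E]} V := E {P}
        _, var, expr = stmt
        return substitute(post, var, expr)
    if kind == "seq":                      # {P} C1 {Q}, {Q} C2 {R}: work backwards from R
        pre = post
        for sub in reversed(stmt[1]):
            pre = wp(sub, pre)
        return pre
    if kind == "if":                       # P = (not B or P1) and (B or P2)
        _, cond, then_stmt, else_stmt = stmt
        p1, p2 = wp(then_stmt, post), wp(else_stmt, post)
        return f"(not ({cond}) or ({p1})) and (({cond}) or ({p2}))"
    raise ValueError(f"unknown statement kind {kind!r}")


def implies(p, q, names, lo=-5, hi=5):
    """Exhaustively check p => q for the integer variables `names` in [lo, hi].

    A brute-force stand-in for a theorem prover; p and q are this example's
    own predicate strings, evaluated with builtins removed.
    """
    no_builtins = {"__builtins__": {}}
    for vals in itertools.product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, vals))
        if eval(p, no_builtins, env) and not eval(q, no_builtins, env):
            return False
    return True


def holds(pre, stmt, post, names):
    """Does {pre} stmt {post} hold?  Yes iff pre => wp(stmt, post), which is
    precondition strengthening (slides 13 and 14)."""
    return implies(pre, wp(stmt, post), names)


if __name__ == "__main__":
    # Slide 5: {k = 5} k := k + 1 {k = 6}
    print(wp(("assign", "k", "k + 1"), "k == 6"))                        # k + 1 == 6
    print(holds("k == 5", ("assign", "k", "k + 1"), "k == 6", ["k"]))    # True
    # Slide 6: the naive rule {true} V := E {V = E} fails for m := m + 1
    print(holds("True", ("assign", "m", "m + 1"), "m == m + 1", ["m"]))  # False
    # Slide 8: sequencing, working backwards from {k > 0 and i = j}
    seq = ("seq", [("assign", "k", "i + 1"), ("assign", "i", "j")])
    print(wp(seq, "k > 0 and i == j"), holds("i > 0", seq, "k > 0 and i == j", ["i", "j"]))
    # Slide 12: if x > 0 then y := x else y := 0 end if {y >= 0}
    branch = ("if", "x > 0", ("assign", "y", "x"), ("assign", "y", "0"))
    print(wp(branch, "y >= 0"), holds("True", branch, "y >= 0", ["x", "y"]))
    # Slide 23: is the state p = 1 reachable before k := m / (p - 1)?
    guard = ("if", "n <= 0", ("assign", "p", "2"), ("assign", "p", "n + 1"))
    print(implies(wp(guard, "p == 1"), "False", ["n"]))                 # True: never possible
```

For the violation specification of the last slide, asking whether the computed precondition implies false is the same question as "is p = 1 reachable"; with the guard changed to n < 0 the calculator reports that n = 0 reaches the division by zero, which is the debugging use the slide describes.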