Semantics and Verification of Software

Transcription

1 Semantics and Verification of Software Thomas Noll Software Modeling and Verification Group RWTH Aachen University

2 The Denotational Approach Denotational Semantics of WHILE Primary aspect of a program: its effect, i.e., input/output behavior In operational semantics: indirect definition of semantic functional by execution relation O. : Cmd (Σ Σ) Now: abstract from operational details Denotational semantics: direct definition of program effect by induction on its syntactic structure 3 of 24 Semantics and Verification of Software

3 Denotational Semantics of Expressions Semantics of Arithmetic Expressions Again: value of an expression determined by current state Definition 6.1 (Denotational semantics of arithmetic expressions) The (denotational) semantic functional for arithmetic expressions, A. : AExp (Σ Z), is given by: A z σ := z A x σ := σ(x) A a 1 +a 2 σ := A a 1 σ + A a 2 σ A a 1 -a 2 σ := A a 1 σ A a 2 σ A a 1 *a 2 σ := A a 1 σ A a 2 σ 5 of 24 Semantics and Verification of Software

4 Denotational Semantics of Expressions Semantics of Boolean Expressions Definition 6.2 (Denotational semantics of Boolean expressions) The (denotational) semantic functional for Boolean expressions is given by B. : BExp (Σ B) where B t σ := t{ true if A a1 σ = A a B a 1 =a 2 σ := 2 σ false otherwise { true if A a1 σ > A a B a 1 >a 2 σ := 2 σ false otherwise { true if B b σ = false B b σ := false otherwise { true if B b1 σ = B b B b 1 b 2 σ := 2 σ = true false otherwise { false if B b1 σ = B b B b 1 b 2 σ := 2 σ = false true otherwise 6 of 24 Semantics and Verification of Software

5 Denotational Semantics of Statements The Goal Now: semantic functional C. : Cmd (Σ Σ) Same type as operational functional O. : Cmd (Σ Σ) (in fact, both will turn out to be the same equivalence of operational and denotational semantics) 8 of 24 Semantics and Verification of Software

6 Denotational Semantics of Statements Auxiliary Functions Inductive definition of C. employs following auxiliary functions: identity on states: id Σ : Σ Σ : σ σ (strict) composition of partial state transformations: : (Σ Σ) (Σ Σ) (Σ Σ) where, for every f, g : Σ Σ and σ Σ, { g(f (σ)) if f (σ) defined (g f )(σ) := undefined otherwise semantic conditional: cond : (Σ B) (Σ Σ) (Σ Σ) (Σ Σ) where, for every p : Σ B, f, g : Σ Σ, and σ Σ, { f (σ) if p(σ) = true cond(p, f, g)(σ) := g(σ) otherwise 9 of 24 Semantics and Verification of Software

7 Denotational Semantics of Statements Semantics of Statements I Definition 6.3 (Denotational semantics of statements) The (denotational) semantic functional for statements, is given by: C. : Cmd (Σ Σ), C skip := id Σ C x := a σ := σ[x A a σ] C c 1 ;c 2 := C c 2 C c 1 C if b then c 1 else c 2 end := cond(b b, C c 1, C c 2 ) C while b do c end := fix(φ) where Φ : (Σ Σ) (Σ Σ) : f cond(b b, f C c, id Σ ) 10 of 24 Semantics and Verification of Software

8 Denotational Semantics of Statements Semantics of Statements II Remarks: Definition of C c given by induction on syntactic structure of c Cmd in particular, C while b do c end only refers to B b and C c (and not to C while b do c end again) note difference to O c : (wh-t) b, σ true c, σ σ while b do c, σ σ while b do c end, σ σ In C c 1 ;c 2 := C c 2 C c 1, function composition has to be strict since non-termination of c 1 implies non-termination of c 1 ;c 2 In C while b do c end := fix(φ), fix denotes a fixpoint operator (which remains to be defined) fixpoint semantics But: why fixpoints? 11 of 24 Semantics and Verification of Software

9 Denotational Semantics of Statements Why Fixpoints? Goal: preserve validity of equivalence C while b do c end ( ) = C if b then c;while b do c end else skip end (cf. Lemma 4.3) Using the known parts of Definition 6.3, we obtain: C while b do c end ( ) = C if b then c;while b do c end else skip end Def. 6.3 = cond(b b, C c;while b do c end, C skip ) Def. 6.3 = cond(b b, C while b do c end C c, id Σ ) Abbreviating f := C while b do c end this yields: f = cond(b b, f C c, id Σ ) Hence f must be a solution of this recursive equation In other words: f must be a fixpoint of the mapping Φ : (Σ Σ) (Σ Σ) : f cond(b b, f C c, id Σ ) (since the equation can be stated as f = Φ(f )) 12 of 24 Semantics and Verification of Software

10 Denotational Semantics of Statements Well-Definedness of Fixpoint Semantics But: fixpoint property not sufficient to obtain a well-defined semantics Potential problems: Existence: there does not need to exist any fixpoint. Examples: 1. φ 1 : N N : n n + 1 has no fixpoint { g1 if f = g 2. Φ 1 : (Σ Σ) (Σ Σ) : f 2 g 2 otherwise has no fixpoint if g 1 g 2 Solution: in our setting, fixpoints always exist Uniqueness: there might exist several fixpoints. Examples: 1. φ 2 : N N : n n 3 has fixpoints {0, 1} 2. every state transformation f is a fixpoint of Φ 2 : (Σ Σ) (Σ Σ) : f f Solution: uniqueness guaranteed by choosing a special fixpoint 13 of 24 Semantics and Verification of Software

11 Characterisation of fix(φ) Characterisation of fix(φ) Let b BExp and c Cmd Let Φ(f ) := cond(b b, f C c, id Σ ) Let f 0 : Σ Σ be a fixpoint of Φ, i.e., Φ(f 0 ) = f 0 Given some initial state σ 0 Σ, we will distinguish the following cases: 1. loop while b do c end terminates after n iterations (n N) 2. body c diverges in the n-th iteration (as it contains a non-terminating while statement) 3. loop while b do c end itself diverges 15 of 24 Semantics and Verification of Software

12 Characterisation of fix(φ) Case 1: Termination of Loop Loop while b do c end terminates after n iterations (n N) Formally: there exist σ 1,..., σ n Σ such that { true if 0 i < n B b σ i = and false if i = n C c σ i = σ i+1 for every 0 i < n Now the definition Φ(f ) := cond(b b, f C c, id Σ ) implies, for every 0 i < n, Φ(f 0 )(σ i ) = (f 0 C c )(σ i ) since B b σ i = true = f 0 (σ i+1 ) and Φ(f 0 )(σ n ) = σ n since B b σ n = false Since Φ(f 0 ) = f 0 it follows that { f0 (σ f 0 (σ i ) = i+1 ) if 0 i < n σ n if i = n and hence f 0 (σ 0 ) = f 0 (σ 1 ) =... f 0 (σ n ) = σ n All fixpoints f 0 coincide on σ 0 (with result σ n )! 16 of 24 Semantics and Verification of Software

13 Characterisation of fix(φ) Case 2: Divergence of Body Body c diverges in the n-th iteration (since it contains a non-terminating while statement) Formally: there exist σ 1,..., σ n 1 Σ such that B b σ i = true { σi+1 if 0 i n 2 C c σ i = undefined if i = n 1 for every 0 i < n and Just as in the previous case (setting σ n := undefined) it follows that f 0 (σ 0 ) = undefined Again all fixpoints f 0 coincide on σ 0 (with undefined result)! 17 of 24 Semantics and Verification of Software

14 Characterisation of fix(φ) Case 3: Divergence of Loop Loop while b do c end diverges Formally: there exist σ 1, σ 2,... Σ such that B b σ i = true C c σ i = σ i+1 and for every i N Here only derivable: f 0 (σ 0 ) = f 0 (σ i ) for every i N Value of f 0 (σ 0 ) not determined! 18 of 24 Semantics and Verification of Software

15 Characterisation of fix(φ) Summary For Φ(f 0 ) = f 0 and initial state σ 0 Σ, case distinction yields: 1. Loop while b do c end terminates after n iterations (n N) f 0 (σ 0 ) = σ n 2. Body c diverges in the n-th iteration f 0 (σ 0 ) = undefined 3. Loop while b do c end diverges no condition on f 0 (only f 0 (σ 0 ) = f 0 (σ i ) for every i N) Not surprising since, e.g., for the loop while true do skip end every f : Σ Σ is a fixpoint: Φ(f ) = cond(b true, f C skip, id Σ ) = f On the other hand, our operational understanding requires, for every σ 0 Σ, Conclusion fix(φ) is the least defined fixpoint of Φ. C while true do skip end σ 0 = undefined 19 of 24 Semantics and Verification of Software

16 Making It Precise Making It Precise I To use fixpoint theory, the notion of least defined has to be made precise. Given f, g : Σ Σ, let f g for every σ, σ Σ : f (σ) = σ g(σ) = σ (g is at least as defined as f ) Equivalent to requiring graph(f ) graph(g) where graph(h) := {(σ, σ ) σ Σ, σ = h(σ) defined} Σ Σ for every h : Σ Σ 21 of 24 Semantics and Verification of Software

17 Making It Precise Making It Precise II Example 6.4 Let x Var be fixed, and let f 0, f 1, f 2, f 3 : Σ Σ be given by f 0 (σ) := undefined { σ if σ(x) even f 1 (σ) := undefined otherwise { σ if σ(x) odd f 2 (σ) := f 3 (σ) := σ undefined otherwise This implies f 0 f 1 f 3, f 0 f 2 f 3, f 1 f 2, and f 2 f 1 22 of 24 Semantics and Verification of Software

18 Making It Precise Characterisation of fix(φ) I Now fix(φ) can be characterised by: fix(φ) is a fixpoint of Φ, i.e., Φ(fix(Φ)) = fix(φ) fix(φ) is minimal with respect to, i.e., for every f 0 : Σ Σ such that Φ(f 0 ) = f 0, fix(φ) f 0 Example 6.5 For while true do skip end we obtain for every f : Σ Σ: Φ(f) = cond(b true, f C skip, id Σ ) = f fix(φ) = f where f (σ) := undefined for every σ Σ (that is, graph(f ) = ) 23 of 24 Semantics and Verification of Software

19 Making It Precise Characterisation of fix(φ) II Goals: Prove existence of fix(φ) for Φ(f ) = cond(b b, f C c, id Σ ) Show how it can be computed (more exactly: approximated) Sufficient conditions: on domain Σ Σ: chain-complete partial order on function Φ: monotonicity and continuity 24 of 24 Semantics and Verification of Software