Programming Languages and Compilers (CS 421)

Similar documents
First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Weakest Precondition Calculus

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

The Assignment Axiom (Hoare)

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Program verification. 18 October 2017

Proofs of Correctness: Introduction to Axiomatic Verification

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

CS558 Programming Languages

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic: Reasoning About Imperative Programs

Program Analysis Part I : Sequential Programs

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

Hoare Logic and Model Checking

Foundations of Computation

Program Analysis and Verification

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Hoare Logic: Reasoning About Imperative Programs

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Program verification using Hoare Logic¹

Lecture 17: Floyd-Hoare Logic for Partial Correctness

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Proof Calculus for Partial Correctness

Hoare Calculus and Predicate Transformers

Reasoning About Imperative Programs. COS 441 Slides 10b

Proof Rules for Correctness Triples

Hoare Logic: Part II

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Deterministic Program The While Program

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Axiomatic Verification II

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Floyd-Hoare Style Program Verification

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Lecture 2: Axiomatic semantics

Loop Convergence. CS 536: Science of Programming, Fall 2018

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Last Time. Inference Rules

A Short Introduction to Hoare Logic

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Verifying Properties of Parallel Programs: An Axiomatic Approach

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Proving Programs Correct

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Deductive Verification

CSE 331 Winter 2018 Reasoning About Code I

CS477 Formal Software Dev Methods

Programming Languages

Unifying Theories of Programming

Hoare Examples & Proof Theory. COS 441 Slides 11

Calculating axiomatic semantics from program equations by means of functional predicate calculus

Introduction to Axiomatic Semantics

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Logic. Propositional Logic: Syntax. Wffs

Software Engineering

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

Formal Specification and Verification. Specifications

Verification Frameworks and Hoare Logic

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

INVARIANT RELATIONS: A CONCEPT FOR ANALYZING WHILE LOOPS. Ali Mili, NJIT NII, Tokyo, Japan December 20, 2011

Verificación de Programas!

Mid-Semester Quiz Second Semester, 2012

Propositional Logic: Syntax

CSE 331 Software Design & Implementation

Control Predicates Are Better Than Dummy Variables For Reasoning About Program Control

arxiv: v1 [cs.pl] 5 Apr 2017

Soundness and Completeness of Axiomatic Semantics

Background reading on Hoare Logic

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

Strength; Weakest Preconditions

Verification and Validation

Probabilistic Guarded Commands Mechanized in HOL

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Program Construction and Reasoning

Principles of Program Analysis: A Sampler of Approaches

Predicate Transforms I

Automata-Theoretic Model Checking of Reactive Systems

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Logic. Propositional Logic: Syntax

Lecture Notes on Programs with Arrays

CIS 500: Software Foundations

(La méthode Event-B) Proof. Thanks to Jean-Raymond Abrial. Language of Predicates.

Simply Typed Lambda Calculus

Hoare Calculus for SIMT Programms

First Order Logic: Syntax and Semantics

AN INTRODUCTION TO SEPARATION LOGIC. 2. Assertions

CSE 331 Winter 2018 Homework 1

Transcription:

Programming Languages and Compilers (CS 421) Sasa Misailovic 4110 SC, UIUC https://courses.engr.illinois.edu/cs421/fa2017/cs421a Based in part on slides by Mattox Beckman, as updated by Vikram Adve, Gul Agha, and Elsa L Gunter 12/5/2017 1

Axiomatic Semantics Also called Floyd-Hoare Logic Based on formal logic (first order predicate calculus) Axiomatic Semantics is a logical system built from axioms and inference rules Mainly suited to simple imperative programming languages 12/5/2017 2

Axiomatic Semantics Used to formally prove a property (postcondition) of the state (the values of the program variables) after the execution of program, assuming another property (pre-condition) of the state holds before execution 12/5/2017 3

Axiomatic Semantics Goal: Derive statements of form {P} C {Q} P, Q logical statements about state, P precondition, Q postcondition, C program Example: {x = 1} x := x + 1 {x = 2} 12/5/2017 4

Axiomatic Semantics Approach: For each kind of language statement, give an axiom or inference rule stating how to derive assertions of form {P} C {Q} where C is a statement of that kind Compose axioms and inference rules to build proofs for complex programs 12/5/2017 5

Axiomatic Semantics An expression {P} C {Q} is a partial correctness statement For total correctness must also prove that C terminates (i.e. doesn t run forever) Written: [P] C [Q] Will only consider partial correctness here 12/5/2017 6

Language We will give rules for simple imperative language <command> ::= <variable> := <term> <command>; ;<command> if <statement> then <command> else <command> fi while <statement> do <command> od Could add more features, like for-loops 12/5/2017 7

Substitution Notation: P[e/v] (sometimes P[v <- e]) Meaning: Replace every v in P by e Example: (x + 2) [y-1/x] = ((y 1) + 2) 12/5/2017 8

The Assignment Rule Example: {P [e/x] } x := e {P} {? } x := y {x = 2} 12/5/2017 9

The Assignment Rule Example: {P [e/x] } x := e {P} { _ = 2 } x := y { x = 2} 12/5/2017 10

The Assignment Rule Example: {P [e/x] } x := e {P} { y = 2 } x := y { x = 2} 12/5/2017 11

The Assignment Rule Examples: {P [e/x] } x := e {P} {y = 2} x := y {x = 2} {y = 2} x := 2 {y = x} {x + 1 = n + 1} x := x + 1 {x = n + 1} {2 = 2} x := 2 {x = 2} 12/5/2017 12

The Assignment Rule Your Turn What is the weakest precondition of x := x + y {x + y = w x}?? {(x + y) + y = w (x + y)} x := x + y {x + y = w x} 12/5/2017 13

The Assignment Rule Your Turn What is the weakest precondition of x := x + y {x + y = w x}? {(x + y) + y = w (x + y)} x := x + y {x + y = w x} 12/5/2017 14

Precondition Strengthening P P {P } C {Q} {P} C {Q} Meaning: If we can show that P implies P (P P ) and we can show that {P } C {Q}, then we know that {P} C {Q} P is stronger than P means P P 12/5/2017 15

Precondition Strengthening Examples: x = 3 x < 7 {x < 7} x := x + 3 {x < 10} {x = 3} x := x + 3 {x < 10} True 2 = 2 {2 = 2} x:= 2 {x = 2} {True} x:= 2 {x = 2} x=n x+1=n+1 {x+1=n+1} x:=x+1 {x=n+1} {x=n} x:=x+1 {x=n+1} 12/5/2017 16

Which Inferences Are Correct? {x > 0 & x < 5} x := x * x {x < 25} {x = 3} x := x * x {x < 25} {x = 3} x := x * x {x < 25} {x > 0 & x < 5} x := x * x {x < 25} {x * x < 25 } x := x * x {x < 25} {x > 0 & x < 5} x := x * x {x < 25} 12/5/2017 17

Which Inferences Are Correct? {x > 0 & x < 5} x := x * x {x < 25} {x = 3} x := x * x {x < 25} {x = 3} x := x * x {x < 25} {x > 0 & x < 5} x := x * x {x < 25} {x * x < 25 } x := x * x {x < 25} {x > 0 & x < 5} x := x * x {x < 25} 12/5/2017 18

Sequencing {P} C 1 {Q} {Q} C 2 {R} {P} C 1 ; C 2 {R} Example: {z = z & z = z} x := z {x = z & z = z} {x = z & z = z} y := z {x = z & y = z} {z = z & z = z} x := z; y := z {x = z & y = z} 12/5/2017 19

Sequencing {P} C 1 {Q} {Q} C 2 {R} {P} C 1 ; C 2 {R} Example: {z = z & z = z} x := z {x = z & z = z} {x = z & z = z} y := z {x = z & y = z} {z = z & z = z} x := z; y := z {x = z & y = z} 12/5/2017 20

Postcondition Weakening {P} C {Q } {P} C {Q} Q Q Example: {z = z & z = z} x := z; y := z {x = z & y = z} (x = z & y = z) (x = y) {z = z & z = z} x := z; y := z {x = y} 12/5/2017 21

Rule of Consequence P P {P } C {Q } Q Q {P} C {Q} Logically equivalent to the combination of Precondition Strengthening and Postcondition Weakening Uses P P and Q Q 12/5/2017 22

If Then Else {P and B} C 1 {Q} {P and (not B)} C 2 {Q} {P} if B then C 1 else C 2 fi {Q} Example: Want {y=a} if x < 0 then y:= y-x else y:= y+x fi {y=a+ x } Suffices to show: (1) {y=a&x<0} y:=y-x {y=a+ x } and (4) {y=a&not(x<0)} y:=y+x {y=a+ x } 12/5/2017 23

{y=a&x<0} y:=y-x {y=a+ x } (3) (y=a&x<0) y-x=a+ x (2) {y-x=a+ x } y:=y-x {y=a+ x } (1) {y=a&x<0} y:=y-x {y=a+ x } (1) Reduces to (2) and (3) by Precondition Strengthening (2) Follows from assignment axiom (3) Because x<0 x = -x 12/5/2017 24

{y=a&not(x<0)} y:=y+x {y=a+ x } (6) (y=a&not(x<0)) (y+x=a+ x ) (5) {y+x=a+ x } y:=y+x {y=a+ x}} (4) {y=a&not(x<0)} y:=y+x {y=a+ x } (4) Reduces to (5) and (6) by Precondition Strengthening (5) Follows from assignment axiom (6) Because not(x<0) x = x 12/5/2017 25

If then else (1) {y=a&x<0}y:=y-x{y=a+ x }. (4) {y=a&not(x<0)}y:=y+x{y=a+ x }. {y=a} if x < 0 then y:= y-x else y:= y+x {y=a+ x } By the if_then_else rule 12/5/2017 26

While We need a rule to be able to make assertions about while loops. Inference rule because we can only draw conclusions if we know something about the body Let s start with: {? } C {? } {? } while B do C od { P } 12/5/2017 27

While The loop may never be executed, so if we want P to hold after, it had better hold before, so let s try: {? } C {? } { P } while B do C od { P } 12/5/2017 28

While If all we know is P when we enter the while loop, then we all we know when we enter the body is (P and B) If we need to know P when we finish the while loop, we had better know it when we finish the loop body: { P and B} C { P } { P } while B do C od { P } 12/5/2017 29

While We can strengthen the previous rule because we also know that when the loop is finished, not B also holds Final while rule: { P and B } C { P } { P } while B do C od { P and not B } 12/5/2017 30

While { P and B } C { P } { P } while B do C od { P and not B } P satisfying this rule is called a loop invariant because it must hold before and after the each iteration of the loop 12/5/2017 31

While While rule generally needs to be used together with precondition strengthening and postcondition weakening There is NO algorithm for computing the correct P; it requires intuition and an understanding of why the program works 12/5/2017 32

Example Let us prove {x>= 0 and x = a} fact := 1; while x > 0 do (fact := fact * x; x := x 1) od {fact = a!} 12/5/2017 33

Example We need to find a condition P that is true both before and after the loop is executed, and such that (P and not x > 0) (fact = a!) 12/5/2017 34

Example First attempt: Motivation: {a! = fact * (x!)} What we want to compute: a! What we have computed: fact which is the sequential product of a down through (x + 1) What we still need to compute: x! 12/5/2017 35

Example By post-condition weakening suffices to show 1. {x>=0 and x = a} fact := 1; while x > 0 do (fact := fact * x; x := x 1) od {a! = fact * (x!) and not (x > 0)} and 2. {a! = fact * (x!) and not (x > 0) } {fact = a!} 12/5/2017 36

Problem 2. {a! = fact * (x!) and not (x > 0)} {fact = a!} Don t know this if x < 0 Need to know that x = 0 when loop terminates Need a new loop invariant Try adding x >= 0 Then will have x = 0 when loop is done 12/5/2017 37

Example Second try, combine the two: P = {a! = fact * (x!) and x >=0} Again, suffices to show 1. {x>=0 and x = a} fact := 1; while x > 0 do (fact := fact * x; x := x 1) od {P and not x > 0} and 2. {P and not x > 0} {fact = a!} 12/5/2017 38

Example For 2, we need {a! = fact * (x!) and x >=0 and not (x > 0)} {fact = a!} But {x >=0 and not (x > 0)} {x = 0} so Therefore fact * (x!) = fact * (0!) = fact {a! = fact * (x!) and x >=0 and not (x > 0)} {fact = a!} 12/5/2017 39

Example For 1, by the sequencing rule it suffices to show 3. {x>=0 and x = a} fact := 1 {a! = fact * (x!) and x >=0 } And 4. {a! = fact * (x!) and x >=0} while x > 0 do (fact := fact * x; x := x 1) od {a! = fact * (x!) and x >=0 and not (x > 0)} 12/5/2017 40

Example Suffices to show that {a! = fact * (x!) and x >= 0} holds before the while loop is entered and that if {(a! = fact * (x!)) and x >= 0 and x > 0} holds before we execute the body of the loop, then {(a! = fact * (x!)) and x >= 0} holds after we execute the body 12/5/2017 41

Example By the assignment rule, we have {a! = 1 * (x!) and x >= 0} fact := 1 {a! = fact * (x!) and x >= 0} Therefore, to show (3), by precondition strengthening, it suffices to show (x>= 0 and x = a) (a! = 1 * (x!) and x >= 0) 12/5/2017 42

Example (x>= 0 and x = a) (a! = 1 * (x!) and x >= 0) holds because x = a x! = a! Have that {a! = fact * (x!) and x >= 0} holds at the start of the while loop 12/5/2017 43

Example To show (4): {a! = fact * (x!) and x >=0} while x > 0 do (fact := fact * x; x := x 1) od {a! = fact * (x!) and x >=0 and not (x > 0)} we need to show that is a loop invariant {(a! = fact * (x!)) and x >= 0} 12/5/2017 44

Example We need to show: {(a! = fact * (x!)) and x >= 0 and x > 0} ( fact = fact * x; x := x 1 ) {(a! = fact * (x!)) and x >= 0} We will use assignment rule, sequencing rule and precondition strengthening 12/5/2017 45

Example By the assignment rule, we have {(a! = fact * ((x-1)!)) and x 1 >= 0} x := x 1 {(a! = fact * (x!)) and x >= 0} By the sequencing rule, it suffices to show {(a! = fact * (x!)) and x >= 0 and x > 0} fact = fact * x {(a! = fact * ((x-1)!)) and x 1 >= 0} 12/5/2017 46

Example By the assignment rule, we have that {(a! = (fact * x) * ((x-1)!)) and x 1 >= 0} fact = fact * x {(a! = fact * ((x-1)!)) and x 1 >= 0} By Precondition strengthening, it suffices to show that ((a! = fact * (x!)) and x >= 0 and x > 0) ((a! = (fact * x) * ((x-1)!)) and x 1 >= 0) 12/5/2017 47

Example However fact * x * (x 1)! = fact * x and (x > 0) x 1 >= 0 since x is an integer,so {(a! = fact * (x!)) and x >= 0 and x > 0} {(a! = (fact * x) * ((x-1)!)) and x 1 >= 0} 12/5/2017 48

Example Therefore, by precondition strengthening {(a! = fact * (x!)) and x >= 0 and x > 0} fact = fact * x {(a! = fact * ((x-1)!)) and x 1 >= 0} This finishes the proof 12/5/2017 49

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback