Tute 10. Liam O'Connor. May 23, 2017

Similar documents
Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Proving Inter-Program Properties

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Hoare Logic: Part II

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

Hoare Logic and Model Checking

Proof Rules for Correctness Triples

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

MIT Loop Optimizations. Martin Rinard

What is SSA? each assignment to a variable is given a unique name all of the uses reached by that assignment are renamed

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Lecture Notes on Software Model Checking

Modeling and Analysis of Hybrid Systems


The L Machines are very high-level, in two senses:

Reasoning About Imperative Programs. COS 441 Slides 10b

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Chapter 3 Deterministic planning

Hoare Examples & Proof Theory. COS 441 Slides 11

Assignment 4. CSci 3110: Introduction to Algorithms. Sample Solutions

Verification of Recursive Programs. Andreas Podelski February 8, 2012

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

CSC D70: Compiler Optimization Static Single Assignment (SSA)

Loop Invariants and Binary Search. Chapter 4.4, 5.1

2 Ralph J. R. Back, Qiwen. Xu systems with respect to total correctness. Reactive renement of action systems was investigated by Back [4] basing on th

Programming Languages and Compilers (CS 421)

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Constraint Solving for Program Verification: Theory and Practice by Example

Logic: Bottom-up & Top-down proof procedures

Completeness for FOL

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

TIMED automata, introduced by Alur and Dill in [3], have

Soundness and Completeness of Axiomatic Semantics

Computing Static Single Assignment (SSA) Form

CS558 Programming Languages

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

A Short Introduction to Hoare Logic

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Automatic Verification of Parameterized Data Structures

Constraint Solving for Program Verification: Theory and Practice by Example

Notes. Corneliu Popeea. May 3, 2013

CS357: CTL Model Checking (two lectures worth) David Dill

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Coinductive big-step semantics and Hoare logics for nontermination

Space-aware data flow analysis

Context Free Grammars: Introduction. Context Free Grammars: Simplifying CFGs

Decision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17

Program Analysis Part I : Sequential Programs

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Classes and conversions

Average Case Analysis of Marking Algorithms

Denotational Semantics

An Alternative To The Iteration Operator Of. Propositional Dynamic Logic. Marcos Alexandre Castilho 1. IRIT - Universite Paul Sabatier and

Artificial Intelligence. Non-deterministic state model. Model for non-deterministic problems. Solutions. Blai Bonet

Formal Specification and Verification. Specifications

1 First-order logic. 1 Syntax of first-order logic. 2 Semantics of first-order logic. 3 First-order logic queries. 2 First-order query evaluation

Central Algorithmic Techniques. Iterative Algorithms

Models of Computation. by Costas Busch, LSU

Topics on Compilers

Formal Methods in Software Engineering

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Deductive Verification

Hoare Logic: Reasoning About Imperative Programs

Predicative Semantics of Loops Theodore S. Norvell Faculty of Engineering Memorial University of Newfoundland St. John's NF A1B 3X5 Canada

Note: In any grammar here, the meaning and usage of P (productions) is equivalent to R (rules).

Overview. I Review of natural deduction. I Soundness and completeness. I Semantics of propositional formulas. I Soundness proof. I Completeness proof.

CS156: The Calculus of Computation

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Introduction to Metalogic

Mechanics of Static Analysis

Lecture Notes on Inductive Definitions

INDEPENDENCE OF THE CONTINUUM HYPOTHESIS

Principles of AI Planning

Nested Interpolants. Matthias Heizmann Jochen Hoenicke Andreas Podelski. Abstract. 1. Introduction. University of Freiburg, Germany

Discrete Wiskunde II. Lecture 5: Shortest Paths & Spanning Trees

Program Verification Using Separation Logic

The algorithmic analysis of hybrid system

Lecture Notes on Invariants for Arbitrary Loops

Models of Computation,

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic (I): Axiomatic Semantics and Program Correctness

7 RC Simulates RA. Lemma: For every RA expression E(A 1... A k ) there exists a DRC formula F with F V (F ) = {A 1,..., A k } and

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Decidable Subsets of CCS

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Programming Languages

Predicates and Predicate Transformers for. Systems 1. Ratnesh Kumar. Department of Electrical Engineering. University of Kentucky

From Liveness to Promptness

Verifying Java-KE Programs

Automata-based Verification - III

Roy L. Crole. Operational Semantics Abstract Machines and Correctness. University of Leicester, UK

Finite Universes. L is a fixed-length language if it has length n for some

Computational Models - Lecture 5 1

Foundations of Computation

Trees. A tree is a graph which is. (a) Connected and. (b) has no cycles (acyclic).

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Top Down Design. Gunnar Gotshalks 03-1

Transcription:

Tute 10 Liam O'Connor May 23, 2017 proc Search(value g : G, value s : V g, value k : K, result v : T, result f : B) Where a graph g : G is dened as a 4-tuple (V, Γ, κ, λ) containing a set of vertices V, a successor function Γ : V P(V), a key function κ : V K and a payload function λ : V T, all much the same as the assignment. Like the assignment, we will use subscripts (e.g. Γ g ) to refer to a particular component of a graph. As we plan to do DFS using an unbounded stack on a graph, we do not need either of the preconditions from the assignment. Our postconditions, however, look quite similar, with the added assertion that a ne will be found i it is reachable from the start ne { a trivial assertion for a tree, but not for a graph. f, v : True, (1) For our purposes, we will extend the toy language with sets and set operations, and operations on abstract stacks, which we will later eliminate via data renement. S(τ) ::= (empty stack) x, t where x τ and t S(τ) Each of the stack operations is given a renement rule below: initialise t : True, t = t := pop t, x : t = h, r, x = h t = r x := pop(t) push t : True, t = x, t 0 push(t, x) We will also allow comparisons to the empty stack (t = ) in guards with the obvious semantics. 1

To begin deriving the implementation, let us rst intruce our stack and our visited set, which will contain all nes that we have already seen. This set is needed in a graph search, but not in a tree search as trees are guaranteed to be acyclic. (1) i-loc,... var t : S(V g ) := var S : P(V g ) := f, v, t, S : t = S =, (2) Now, we know we need a loop, and we have a pretty go idea of what the guard should be: We will exit the loop when we either nd what we're looking for (i.e. f is true), or when we have nowhere else to look (the stack t is empty). (2) sc,... f, v, t, S : t = S =, ϕ (3) f, v, t, S : ϕ, ϕ (f t = ) (4) (f n V f, v, t, S : ϕ (f t = ), g. κ g (n) = k λ g (n) = v n Γg(s)) (5) Here ϕ stands for our loop invariant, which, like the postcondition, is made of two components. ( f ( x S. x Γ ϕ = g(s) κ g (x) k Γ g (x) S t ) ( x t. x Γg(s)) s S t ) In the successful case, when f is true, we have found the ne we are looking for. Note that, because the loop guard tells us that f starts false, this case in the loop invariant only becomes true in the nal iteration of the loop. If we have found the ne we're looking for, then we no longer care about the state of the stack or the visited set, and we can just include the successful postcondition directly in the invariant. If f is false, however, we must describe in the invariant all the relevant properties of our stack t and visited set S. We use the notation t to refer to the set of all elements of a stack t: = x, s = {x} s At the end of the loop, if f is still false, then we know the stack is empty at the end of our loop from our guard. In such a situation, our invariant can be simplied to: ϕ f t = ( x S. x Γ g(s) κ g (x) k Γ g (x) S) s S We must ensure two main conditions: 2

1. Everything we have visited is not the ne we're looking for ( n S.κ g (n) k) 2. We have visited every reachable ne from the start ne (Γ g(s) S) With those two facts, we can conclude that no reachable ne from the start ne is the one we're looking for, which is what the postcondition requires ( n V g. n Γ g(s) κ g (n) k). The rst condition trivially follows from the invariant here, because we explicitly state that the visited set does not contain the key. The second condition can be rephrased as x Γ g(s). x S. We can show this from our invariant above using induction on the length of the path from s to x. In the base case, where x = s, we know from the nal conjunct in the invariant that s S. In the inductive case, where x Γ g (k), we have the inductive hypothesis that k S. Because our simplied invariant says that every successor of every ne in S must also be in S, we can conclude that x S as required, as x is a successor of k S. Thus, because in the case where f is true our invariant includes our postcondition directly, and in the case where f is false it directly implies the postcondition, we can just rene the third statement directly to skip: (5)..., skip skip We must also derive ce to establish our invariant initially. We'll do that by setting f to False, and pushing the start ne s onto the stack: Now we can intruce the while loop: (4) while (3) sc,... f := False; push(t, s) while (f t = ) do f, v, t, S : ϕ f t, ϕ (6) Rening the loop by is mostly tedious, but we begin by rst popping a ne o the stack. We know this is safe as our guard guarantees the stack is non-empty: (6) sc, pop, c-frame,... var n := pop(t); f, v, t, S : ϕ n,t / t f, ϕ (7) 3

Then, we check to see of the ne we just popped is the one we're looking for, in which case we can set f to true, thus making it very easy to re-establish the invariant by simply setting v to be the payload. (7) if, sc, assign,... if κ g (n) = k then else fi f := True; v := λ g (n); f, v, t, S : ϕ n,t / t f κ g (n) k, ϕ (8) In the else case, because we know the key is not the one we're looking for, we may be inclined to add n to the set S, however to do that we must ensure that n satises all the other conditions imposed on elements of S by the invariant. Firstly, there must be a path from the start ne s to n, which we know is true from our precondition, which states that all elements of the stack n, t (which clearly includes n) are reachable from s. Secondly, we must ensure that all successors of the ne n are in either the stack or the set S. To accomplish this we will simply loop through the set of unvisited successors and push each one to the stack. (8)... var m := Γ g (n) \ S while m do var c : m push(t, c) m := m \ {c} S := S {n} 4

Now, gathering all the ce together, we get: proc Search(value g : G, value s : V g, value k : K, result v : T, result f : B) var t : S(V g ) := ; var S : P(V g ) := ; f := False; push(t, s); while (f t = ) do var n := pop(t); if κ g (n) = k then f := True; v := λ g (n); else var m := Γ g (n) \ S while m do var c : m push(t, c) m := m \ {c} S := S {n} fi 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback