The Assignment Axiom (Hoare)

Similar documents
Hoare Logic and Model Checking

Program verification using Hoare Logic¹

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Foundations of Computation

Programming Languages and Compilers (CS 421)

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

Background reading on Hoare Logic

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic: Reasoning About Imperative Programs

Weakest Precondition Calculus

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Lecture 17: Floyd-Hoare Logic for Partial Correctness

Program Analysis Part I : Sequential Programs

Reasoning About Imperative Programs. COS 441 Slides 10b

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Last Time. Inference Rules

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

CS558 Programming Languages

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

A Short Introduction to Hoare Logic

Hoare Logic: Part II

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Program Analysis and Verification

Hoare Logic: Reasoning About Imperative Programs

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Proof Rules for Correctness Triples

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Proof Calculus for Partial Correctness

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Program verification. 18 October 2017

(La méthode Event-B) Proof. Thanks to Jean-Raymond Abrial. Language of Predicates.

Mid-Semester Quiz Second Semester, 2012

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

CSE 331 Winter 2018 Reasoning About Code I

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

COMP9414: Artificial Intelligence Propositional Logic: Automated Reasoning

Hoare Calculus and Predicate Transformers

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Logical Inference. Artificial Intelligence. Topic 12. Reading: Russell and Norvig, Chapter 7, Section 5

Introduction to Axiomatic Semantics

Deductive Verification

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Propositional Logic: Syntax

Proofs of Correctness: Introduction to Axiomatic Verification

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Logic. Propositional Logic: Syntax

Deterministic Program The While Program

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Verification Frameworks and Hoare Logic

Lecture Notes on Compositional Reasoning

Learning Goals of CS245 Logic and Computation

Logic. Propositional Logic: Syntax. Wffs

Floyd-Hoare Style Program Verification

DUBLIN CITY UNIVERSITY SEMESTER 2 SOLUTIONS 2017/2018. CA648 - Formal Programming

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Lecture 2: Axiomatic semantics

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

CSE 331 Software Design & Implementation

To every formula scheme there corresponds a property of R. This relationship helps one to understand the logic being studied.

Lecture Notes on Programs with Arrays

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Hoare Examples & Proof Theory. COS 441 Slides 11

Loop Convergence. CS 536: Science of Programming, Fall 2018

09 Modal Logic II. CS 3234: Logic and Formal Systems. October 14, Martin Henz and Aquinas Hobor

Logic for Computer Science - Week 4 Natural Deduction

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

Intelligent Agents. Pınar Yolum Utrecht University

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Software Engineering

Formal Methods in Software Engineering

3 The language of proof

Programming Languages

Logical Agents. Knowledge based agents. Knowledge based agents. Knowledge based agents. The Wumpus World. Knowledge Bases 10/20/14

Predicate Transforms I

INTRODUCTION TO LOGIC. Propositional Logic. Examples of syntactic claims

Logical Agents (I) Instructor: Tsung-Che Chiang

COMP 182 Algorithmic Thinking. Proofs. Luay Nakhleh Computer Science Rice University

Technical Report. Mechanizing programming logics in higher order logic. Michael J.C. Gordon. Number 145. September Computer Laboratory

Logical Agents. Chapter 7

Lecture Notes on Invariants for Arbitrary Loops

Soundness and Completeness of Axiomatic Semantics

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Calculating axiomatic semantics from program equations by means of functional predicate calculus

Lecture Notes on Proofs & Arithmetic

A brief introduction to Logic. (slides from

Proving Programs Correct

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Axiomatic Verification II

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Propositional Logic: Part II - Syntax & Proofs 0-0

Advanced Topics in LP and FP

Logic: Propositional Logic (Part I)

Transcription:

The Assignment Axiom (Hoare) Syntax: V := E Semantics: value of V in final state is value of E in initial state Example: X:=X+ (adds one to the value of the variable X) The Assignment Axiom {Q[E/V ]} V :=E {Q} Where V is any variable, E is any expression, Q is any statement. Instances of the assignment axiom are {E = x} V := E {V = x} {Y = 2} X := 2 {Y = X} {X + = n + } X := X + {X = n + } {E = E} X := E {X = E} (if X does not occur in E) 42

Precondition Strengthening Recall that S,..., S S n means S can be deduced from S,..., S n Using this notation, the rule of precondition strengthening is Precondition strengthening P P, {P } C {Q} {P } C {Q} Note the two hypotheses are different kinds of judgements 45

Postcondition weakening Just as the previous rule allows the precondition of a partial correctness specification to be strengthened, the following one allows us to weaken the postcondition Postcondition weakening {P } C {Q }, Q Q {P } C {Q} 47

An Example Formal Proof Here is a little formal proof. {R=X 0=0} Q:=0 {R=X Q=0} By the assignment axiom 2. R=X R=X 0=0 By pure logic 3. {R=X} Q:=0 {R=X Q=0} By precondition strengthening 4. R=X Q=0 R=X+(Y Q) By laws of arithmetic 5. {R=X} Q:=0 {R=X+(Y Q)} By postcondition weakening The rules precondition strengthening and postcondition weakening are sometimes called the rules of consequence 50

The sequencing rule Syntax: C ; ;C n Semantics: the commands C,, C n are executed in that order Example: R:=X; X:=Y; Y:=R the values of X and Y are swapped using R as a temporary variable note side effect: value of R changed to the old value of X The sequencing rule {P } C {Q}, {Q} C 2 {R} {P } C ;C 2 {R} 5

Example Proof Example: By the assignment axiom: (i) (ii) (iii) {X=x Y=y} R:=X {R=x Y=y} {R=x Y=y} X:=Y {R=x X=y} {R=x X=y} Y:=R {Y=x X=y} Hence by (i), (ii) and the sequencing rule (iv) {X=x Y=y} R:=X; X:=Y {R=x X=y} Hence by (iv) and (iii) and the sequencing rule (v) {X=x Y=y} R:=X; X:=Y; Y:=R {Y=x X=y} 52

Conditionals Syntax: IF S THEN C ELSE C 2 Semantics: if the statement S is true in the current state, then C is executed if S is false, then C 2 is executed Example: IF X<Y THEN MAX:=Y ELSE MAX:=X the value of the variable MAX it set to the maximum of the values of X and Y 53

The Conditional Rule The conditional rule {P S} C {Q}, {P S} C 2 {Q} {P } IF S THEN C ELSE C 2 {Q} From Assignment Axiom + Precondition Strengthening and (X Y X = max(x,y)) ( (X Y) Y = max(x,y)) it follows that {T X Y} MAX:=X {MAX=max(X,Y)} and {T (X Y)} MAX:=Y {MAX=max(X,Y)} Then by the conditional rule it follows that {T} IF X Y THEN MAX:=X ELSE MAX:=Y {MAX=max(X,Y)} 54

WHILE-commands Syntax: WHILE S DO C Semantics: if the statement S is true in the current state, then C is executed and the WHILE-command is repeated if S is false, then nothing is done thus C is repeatedly executed until the value of S becomes false if S never becomes false, then the execution of the command never terminates Example: WHILE (X=0) DO X:= X-2 if the value of X is non-zero, then its value is decreased by 2 and then the process is repeated This WHILE-command will terminate (with X having value 0) if the value of X is an even non-negative number in all other states it will not terminate 55

Invariants Suppose {P S} C {P } P is said to be an invariant of C whenever S holds The WHILE-rule says that if P is an invariant of the body of a WHILE-command whenever the test condition holds then P is an invariant of the whole WHILE-command In other words if executing C once preserves the truth of P then executing C any number of times also preserves the truth of P The WHILE-rule also expresses the fact that after a WHILE-command has terminated, the test must be false otherwise, it wouldn t have terminated 56

The WHILE-Rule The WHILE-rule {P S} C {P } {P } WHILE S DO C {P S} It is easy to show {X=R+(Y Q) Y R} R:=R-Y; Q:=Q+ {X=R+(Y Q)} Hence by the WHILE-rule with P = X=R+(Y Q) and S = Y R {X=R+(Y Q)} WHILE Y R DO (R:=R-Y; Q:=Q+) {X=R+(Y Q) (Y R)} 57

Example From the previous slide {X=R+(Y Q)} WHILE Y R DO (R:=R-Y; Q:=Q+) {X=R+(Y Q) (Y R)} It is easy to deduce that {T} R:=X; Q:=0 {X=R+(Y Q)} Hence by the sequencing rule and postcondition weakening {T} R:=X; Q:=0; WHILE Y R DO (R:=R-Y; Q:=Q+) {R<Y X=R+(Y Q)} 58

Summary We have given: a notation for specifying what a program does a way of proving that it meets its specification Now we look at ways of finding proofs and organising them: finding invariants derived rules backwards proofs annotating programs prior to proof Then we see how to automate program verification the automation mechanises some of these ideas 59

How does one find an invariant? The WHILE-rule {P S} C {P } {P } WHILE S DO C {P S} Look at the facts: invariant P must hold initially with the negated test S the invariant P must establish the result when the test S holds, the body must leave the invariant P unchanged Think about how the loop works the invariant should say that: what has been done so far together with what remains to be done holds at each iteration of the loop and gives the desired result when the loop terminates 60

Example Consider a factorial program {X=n Y=} WHILE X 0 DO (Y:=Y X; X:=X-) {X=0 Y=n!} Look at the facts initially X=n and Y= finally X=0 and Y=n! on each loop Y is increased and, X is decreased Think how the loop works Y holds the result so far X! is what remains to be computed n! is the desired result The invariant is X! Y = n! stuff to be done result so far = desired result decrease in X combines with increase in Y to make invariant 6

Related example {X=0 Y=} WHILE X<N DO (X:=X+; Y:=Y X) {Y=N!} Look at the Facts initially X=0 and Y= finally X=N and Y=N! on each iteration both X an Y increase: X by and Y by X An invariant is Y = X! At end need Y = N!, but WHILE-rule only gives (X<N) Ah Ha! Invariant needed: Y = X! X N At end X N (X<N) X=N Often need to strenthen invariants to get them to work typical to add stuff to carry along like X N 62

Conjunction and Disjunction Specification conjunction {P } C {Q }, {P 2 } C {Q 2 } {P P 2 } C {Q Q 2 } Specification disjunction {P } C {Q }, {P 2 } C {Q 2 } {P P 2 } C {Q Q 2 } These rules are useful for splitting a proof into independent bits they enable {P} C {Q Q 2 } to be proved by proving separately that both {P} C {Q } and also that {P} C {Q 2 } Any proof with these rules could be done without using them i.e. they are theoretically redundant (proof omitted) however, useful in practice 63

Derived rules for finding proofs Suppose the goal is to prove {Precondition} Command {Postcondition} If there were a rule of the form then we could instantiate H,, H n {P } C {Q} P Precondition, C Command, Q Postcondition to get instances of H,, H n as subgoals Some of the rules are already in this form e.g. the sequencing rule We will derive rules of this form for all commands Then we use these derived rules for mechanising Hoare Logic proofs 65

Derived Rules We will establish derived rules for all commands {P } V :=E {Q} {P } C ;C 2 {Q} {P } IF S THEN C ELSE C 2 {Q} {P } WHILE S DO C {Q} These support backwards proof starting from a goal {P } C {Q} 66

The Derived Assignment Rule An example proof. {R=X 0=0} Q:=0 {R=X Q=0} By the assignment axiom. 2. R=X R=X 0=0 By pure logic. 3. {R=X} Q:=0 {R=X Q=0} By precondition strengthening. Can generalise this proof to a proof schema:. {Q[E/V ]} V :=E {Q} By the assignment axiom. 2. P Q[E/V ] By assumption. 3. {P } V :=E {Q} By precondition strengthening. This proof schema justifies: Derived Assignment Rule P Q[E/V ] {P } V :=E {Q} Note: Q[E/V ] is the weakest liberal precondition wlp(v :=E, Q) Example proof above can now be done in one less step. R=X R=X 0=0 By pure logic. 2. {R=X} Q:=0 {R=X Q=0} By derived assignment. 67

Derived Sequenced Assignment Rule The following rule will be useful later Derived Sequenced Assignment Rule {P } C {Q[E/V ]} {P } C;V :=E {Q} Intuitively work backwards: push Q through V :=E, changing it to Q[E/V ] Example: By the assignment axiom: {X=x Y=y} R:=X {R=x Y=y} Hence by the sequenced assignment rule {X=x Y=y} R:=X; X:=Y {R=x X=y} 68

The Derived Sequencing Rule The rule below follows from the sequencing and consequence rules The Derived Sequencing Rule P P {P } C {Q } Q P 2 {P 2 } C 2 {Q 2 } Q 2 P 3...... {P n } C n {Q n } Q n Q {P } C ;... ; C n {Q} Exercise: why no derived conditional rule? 7

The Derived While Rule Derived While Rule P R {R S} C {R} R S Q {P } WHILE S DO C {Q} This follows from the While Rule and the rules of consequence Example: it is easy to show R=X Q=0 X=R+(Y Q) {X=R+(Y Q) Y R} R:=R-Y; Q:=Q+ {X=R+(Y Q)} X=R+(Y Q) (Y R) X=R+(Y Q) (Y R) Then, by the derived While rule {R=X Q=0} WHILE Y R DO (R:=R-Y; Q:=Q+) {X=R+(Y Q) (Y R)} 70

Forwards and backwards proof Previously it was shown how to prove {P }C{Q} by proving properties of the components of C and then putting these together, with the appropriate proof rule, to get the desired property of C For example, to prove {P }C ;C 2 {Q} First prove {P }C {R} and {R}C 2 {Q} then deduce {P }C ;C 2 {Q} by sequencing rule This method is called forward proof move forward from axioms via rules to conclusion The problem with forwards proof is that it is not always easy to see what you need to prove to get where you want to be It is more natural to work backwards starting from the goal of showing {P }C{Q} generate subgoals until problem solved 73

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback