Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Similar documents
Hoare Logic: Part II

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Introduction to Axiomatic Semantics

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Lecture 2: Axiomatic semantics

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Hoare Logic and Model Checking

Soundness and Completeness of Axiomatic Semantics

CS558 Programming Languages

The Assignment Axiom (Hoare)

Hoare Calculus and Predicate Transformers

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Programming Languages and Compilers (CS 421)

Propositional Logic: Syntax

Programming Languages

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Program verification. 18 October 2017

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Proofs of Correctness: Introduction to Axiomatic Verification

Program verification using Hoare Logic¹

Logic. Propositional Logic: Syntax. Wffs

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Floyd-Hoare Style Program Verification

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Reasoning About Imperative Programs. COS 441 Slides 10b

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Last Time. Inference Rules

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Deterministic Program The While Program

Deductive Verification

Proof Calculus for Partial Correctness

Hoare Logic: Reasoning About Imperative Programs

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Logic. Propositional Logic: Syntax

Weakest Precondition Calculus

Proof Rules for Correctness Triples

Foundations of Computation

Hoare Examples & Proof Theory. COS 441 Slides 11

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Hoare Logic: Reasoning About Imperative Programs

A Short Introduction to Hoare Logic

PROOFS IN PREDICATE LOGIC AND COMPLETENESS; WHAT DECIDABILITY MEANS HUTH AND RYAN 2.3, SUPPLEMENTARY NOTES 2

Probabilistic Guarded Commands Mechanized in HOL

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

Program Analysis Part I : Sequential Programs

Lecture 17: Floyd-Hoare Logic for Partial Correctness

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Verification and Validation

Program Analysis and Verification

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Formal Reasoning CSE 331. Lecture 2 Formal Reasoning. Announcements. Formalization and Reasoning. Software Design and Implementation

Axiomatic Verification II

CSE 331 Winter 2018 Reasoning About Code I

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Learning Goals of CS245 Logic and Computation

Verification Frameworks and Hoare Logic

Decision Procedures. Jochen Hoenicke. Software Engineering Albert-Ludwigs-University Freiburg. Winter Term 2016/17

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

CSE 331 Software Design & Implementation

Software Engineering

Knowledge base (KB) = set of sentences in a formal language Declarative approach to building an agent (or other system):

Predicate Logic. Xinyu Feng 09/26/2011. University of Science and Technology of China (USTC)

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Strength; Weakest Preconditions

Loop Convergence. CS 536: Science of Programming, Fall 2018

Mid-Semester Quiz Second Semester, 2012

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

CSE 331 Winter 2018 Homework 1

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

Decidability: Church-Turing Thesis

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Logic: The Big Picture

Formal Methods in Software Engineering

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Mathematical Logic. Reasoning in First Order Logic. Chiara Ghidini. FBK-IRST, Trento, Italy

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms

Logical Abstract Domains and Interpretations

Herbrand Theorem, Equality, and Compactness

Coinductive big-step semantics and Hoare logics for nontermination

Logical Agent & Propositional Logic

Lecture Notes on Inductive Definitions

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Predicate Logic - Undecidability

Lecture 1: Logical Foundations

Programming Languages

CS156: The Calculus of Computation Zohar Manna Autumn 2008

CS 380: ARTIFICIAL INTELLIGENCE PREDICATE LOGICS. Santiago Ontañón

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods in Software Engineering)

Transcription:

Axiomatic Semantics Lecture 9 CS 565 2/12/08

Axiomatic Semantics Operational semantics describes the meaning of programs in terms of the execution steps taken by an abstract machine Denotational semantics describes the meaning of programs with formal mathematical objects Axiomatic semantics describes the meaning of programs in terms of properties (axioms) about them Captures dynamic behavior of individual programs Vehicle for reasoning about program correctness

States Specification language is first-order predicate logic Terms (variables, constants, arithmetic operations) Formulae, e.g. True and false If t 1 and t 2 are terms then t 1 = t 2 and t1 < t 2 are formulae If φ and ψ are formulae then, φ Æ ψ, φ Ç ψ, φ and φ ) ψ are formulae. If φ(x) is a formula (with x possibly free) then, 8 x.φ (x) and 9 x. φ(x) are formulae.

Hoare Triples Meaning of construct S can be described in terms of triples { P } S { Q } P and Q are formulae or assertions P is a precondition on S Q is a postcondition on S Asserts a fact (may be either true or false) The triple is valid if: execution of S begins in a state satisfying P S terminates resulting state satisfies Q

Satisfiability A formula in first-order logic can be used to characterize states The formula {x = 3} characterizes all program states in which the value of the location associated with x is 3 Think of formulas as assertions about states Define { σ 2 Σ σ ² φ} where ² is a satisfiability relation Think of {P} c {Q} for command c as meaning σ ² {P} c {Q} iff σ ² P ) C«c σ ² Q? ² P for any assertion P

Formal Semantics σ ² true always σ ² e 1 = e 2 iff «e 1 σ = «e 2 σ σ ² e 1 e 2 iff «e 1 σ «e 2 σ σ ² A 1 Æ A 2 iff σ ² A 1 and σ ² A 2 σ ² A 1 Ç A 2 iff σ ² A 1 or σ ² A 2 σ ² A 1 ) A 2 iff σ ² A 1 implies σ ² A 2 σ ² 8 x.a iff 8 n 2 Z σ[x a n] ² A σ ² 9 x.a iff 9n 2 Z σ[x a n] ² A

Validity Often not so much interested in assertions for particular states, e.g. { i < x } x := x + 1 {i < x} Is valid in all states Validity All values for x All interpretations for i 8 σ. σ ² {P} c {Q} ² {P} c {Q}

Semantics of Assertions Note: i in the previous is integer variable introduced for assertions E.g. assertion to express that a number k is not prime: 9 i,l 2 k = i x l Can be free or bound (cf. lambda) What binds assertion variables? Formal meaning σ ² {P} c {Q}: 8 σ,σ 2 Σ (σ ² P Æ <c, σ> σ ) ) σ ² Q

Examples { 2 = 2 } x := 2 { x = 2 } An assignment operation of x to 2 results in a state in which x is 2, assuming equality of integers. { True } if B then x := 2 else x := 1 { x = 1 Ç x = 2} A conditional expression that either assigns x to 1 or 2 if executed will lead to a state in which x is either 1 or 2. { 2=2 } x : = 2 { y = 1 } { True } if B then x := 2 else x := 1 { x = 1 Æ x = 2} The above two triples are invalid. Why?

Partial and total correctness The validity of a Hoare triple depends upon statement S terminating Partial correctness assertions E.g., { 0 a Æ 0 b } S { z = a * b } If executed in a state in which 0 a and 0 b, and S terminates, then z = a * b Alternative: total correctness assertions [P] c [Q]: execution of c from state satisfying P terminates in a state which satisfies Q Formal semantics has additional clause σ ² [P] c [Q]: 8 σ,σ 2 Σ (σ ² P Æ <c, σ> σ ) ) σ ² Q Æ 8 σ2 Σ σ ² P ) 9 σ 2 Σ <c, σ> σ

A Theory Wanted: theory for proving soundness of programs Mathematical framework for proving properties about a certain object domain Such properties are called theorems Components of a theory Grammar (e.g. BNF) defines well-formed formulae (WFF) Axioms: formulae asserted to be theorems Inference rules: ways to prove new theorems from previously obtained theorems

Hoare Logic Proof system based on Hoare rules derivations are proofs conclusions are theorems Write ` {P} c {Q} if {P} c {Q} is a theorem If ` {P} c {Q} then ² {P} c {Q} Any derivable assertion is sound wrt to the underlying semantics

Proof Rules Skip: ` { P } skip { P } Assignment: ` { P[t/x] } x := t { P } Example: Suppose t = x + 1 then, { x+1 = 2 } x := x + 1 { x = 2 } ( Forward axiom: ` {P} x:= t {9 x 0 [x 0 /x]p Æ x=[x 0 /x]t} Example: {y=x} x:=x+1 {y=x-1}; x 0 stores the old value of x) Sequencing: ` {P} c 0 {Q} ` {Q} c 1 {R} ` {P} c 0 ;c 1 {R}

Proof Rules (cont) Conditionals: ` { P Æ b} c 0 { Q} ` { P Æ b} c 1 { Q } ` {P} if b then c 0 else c 1 {Q} Loops: ` { P Æ b} c { P } ` { P } while b do c { P Æ b} Consequence: ` (P ) P ) ` {P } c { Q } ` (Q ) Q) ` { P } c { Q } if ` P ) P then all states σ which satisfy P also satisfy P. Rule allows strengthening of P to P and weakening of Q to Q

Example { x > 0 } y = x 1 {y 0} implies { x > 10 } y = x 1 { y 5 } {x > 0} y = x 1 { y 0} and {y 0} x = y { x 0} implies {x > 0} y = x 1; x = y { x 0} Rule of consequence allows us to arrive at a precondition of true and postcondition of false

Example Prove the program: z := 0; n : = y; while n > 0 do z := z + x; n := n 1 computes the product of x and y (assuming y is not negative).

Example Want to show the following: { y 0} <program> { z = x * y} is valid. Key insight is picking the invariant for the while loop: P = { z = x * (y n) Æ n 0 }

Example { z = x * (y n) Æ n 0 } (13) while n > 0 do z := z + x; n := n -1 {z = x * y} z = x * (y n) Æ n 0 Æ (n > 0) ) z = x * y (12) (by definition of while: { P } while b do c { P Æ b}) { z = x * (y n) Æ n 0} while n > 0 do z := z + x; n := n 1 {z = x * (y n) Æ n 0 Æ n > 0} (11) { z = x * (y n) Æ n 0 Æ n > 0} z := z + x; n := n 1 {z = x * (y n) Æ n 0} (10) (by definition of while: premise is { P Æ b} c { P })

Example z = x * (y n) Æ n 0 Æ n > 0 ) (z + x) = x * (y (n 1)) Æ (n 1) 0 (9) (rewrite; prepare replacing z+x by z and n-1 by n) {(z + x) = x * (y (n 1)) Æ (n 1) 0} z := z + x; n := n 1 {z = x * (y n) Æ n 0} (8) {(z + x ) = x * (y (n 1)) Æ (n 1) 0} z := z + x; {z = x * (y (n 1)) Æ (n 1) 0} n := n 1; {z = x * (y n) Æ n 0} (7)

Example We have shown A = { z = x * (y n) Æ n 0 } while n > 0 do z := z + x; n := n -1 {z = x * y} Remains { y 0} z := 0; n := y A = { z = x * (y n) Æ n 0} (5) Holds because y 0 ) 0 = x * (y y) Æ y 0 : (4) { 0 = x * (y y) Æ y 0} z := 0; n := y {z = x (y n) Æ n 0} (3) { z = x * (y y) Æ y 0} n := y { z = x * (y n) Æ n 0} (2) {0 = x * (y y) Æ y 0} z := 0 { z = x * (y y) Æ y 0} (1)

Soundness and Completeness Soundness Whenever ` {P} c {Q} we do have ² {P} c {Q} Hoare rules are sound But is it true that whenever ² {P} c {Q} we can also derive ` {P} c {Q}? If it isn t that means there are valid properties of programs we cannot verify We would like to automatically generate and verify all proofs

Gödel s Incompleteness Take consequence rule Allows for strengthening of preconditions and weakening of postconditions How strong? How weak? How to prove? What invariant for while? It is logically impossible to have an effective proof system in which one can prove precisely the valid assertions

Weakest Preconditions Take sequence {P} c 0 ;c 1 {Q} How to find R s.t. {P} c 0 {R} and {R} c 1 {Q} Idea: weakest precondition Bottom-up, iteratively compute minimally necessary preconditions for postconditions under respective commands wp«c,q = {σ 2 Σ? C«c σ ² Q} Thus ² {P} c {Q} iff P wp«c,q

Weakest Preconditions Skip: { P } skip { P } wp(skip, P) = P Assignment: { P[t/x] } x := t { P } wp(x:=t, P) = { P[t/x] }

Weakest Preconditions (cont) Sequencing: {P} c 0 {Q} {Q} c 1 {R} {P} c 0 ;c 1 {R} wp(c 0 ;c 1, R) = wp(c 0, wp(c 1, R)) Conditionals: { P } c 0 { Q} { R } c 1 { Q } {b ) P Æ b ) R} if b then c 0 else c 1 {Q} wp(if b then c 0 else c 1 ) = b ) wp(c 0, Q) Æ b ) wp (c 1, Q)

While Loops Again How about {P} while b do c {Q}? P? Remember while b do c = if b then c; while b do c else skip Let w = while b do c and W = wp(w, Q) We have W= b ) wp(c, W) Æ b ) Q Recursion

Using Domain Theory What assertion contains least information? True What is an appropriate information ordering? P v P iff ² P ) P Is this partial order complete? Take a chain P 0 v P 1 v Let ÆP i be the infinite conjunction of P i σ ² ÆP i iff for all i we have that σ ² P i

Fixed Point Theorem Use fixed point theorem for F(P) = b ) wp(c, P) Æ b ) Q Verify that F is continuous Least fixed point is wp(w, Q) = Æ F n (true) Define family of wp s wp n (while b do c, Q) = weakest precondition on which if loop terminates in n or fewer iterations, terminates in Q wp 0 = b ) Q wp 1 = b ) wp(c, wp 0 ) Æ b ) Q wp(c, Q) = Æ n 0 wp n = t {wp n n 0}

With a Little Help With a little human guidance assertions can be established a lot better wp can in fact not always be computed Define the annotated commands of IMP as: c ::= skip x := e c 0 ; (x:= e) c 0 ; {R} c 1 ; if b then c 0 else c 1 while b do {R} c An annotated partial correctness assertion is of the form {P} c {Q} with c defined as above

Check while loop means {P} while b do {R} c {Q} with R invariant Thus {R Æ b} c {R} P ) R and R Æ b ) Q Verifiable with Hoare consequence and while rules Verification conditions Verify annotated partial correctness assertions

Verification Conditions vc({p} skip {Q}) = {P ) Q} vc({p} X:=a {Q}) = {P ) Q[a/X]} vc({p} c 0 ; X:=a {Q}) = vc({p} c 0 {Q[a/X]}) vc({p} c 0 ; {R}c 1 {Q}) = vc({p} c 0 {R}) vc({r} c 1 {Q}) (c 0 no assignm.) vc({p} if b then c 0 else c 1 {Q}) = vc({p Æ b} c 0 {Q}) vc({p Æ b} c 1 {Q}) vc({p} while b do {D} c {Q}) = vc({p Æ b} c {Q}) {P)D} {DÆ b )Q}

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback