Presentation is loading. Please wait.

Presentation is loading. Please wait.

COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.

Published byEdgar Dickerson Modified over 8 years ago

Similar presentations

Presentation on theme: "COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen."— Presentation transcript:

1 COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen

2 COP4020 Spring 2011 2 12/2/2015 Assertions and Preconditions Assertions are used by programmers to verify run-time execution  An assertion is a logical formula to verify the state of variables and data to ensure safe continuation  A failed assertion should stop the program  Assertions are placed by programmers explicitly in code assert (len>0); mean = sum/len; Preconditions state the necessary conditions for “safe” execution  Programmer decides which conditions apply at a program point  Testing too few does not make the program safe

3 COP4020 Spring 2011 3 12/2/2015 Axiomatic Semantics and Preconditions What if we want to guarantee that the program always produces the correct output assuming that the initial assertion passes? Axiomatic semantics: axiomatic proof that a program produces a machine state described by a postcondition if the precondition on the initial state holds (initial assertion passes) Example: assert (len > 0); // given this passes mean = sum/len; assert (mean > 0); // is this always true? answer: no, cannot be proven can be proven when we change precondition to (len>0 && sum>0)

4 COP4020 Spring 2011 4 12/2/2015 Preconditions, Postconditions and Partial Correctness Triple notation: place conditions before and after a command C: { Precondition } C { Postcondition } We say that C is partially correct with respect to the specification, provided that  The command C is executed in a machine state that makes the precondition true  If the command terminates, then we guarantee that the resulting machine state makes the postcondition true Total correctness requires termination

5 COP4020 Spring 2011 5 12/2/2015 Assignment Axiom If we view conditions in assertions as logical predicates, the assignment axiom can be stated { P(E) } V := E { P(V) } that is, if we state a property of V after the assignment, then the property must hold for expression E before the assignment We can use substitution to derive the precondition given a postcondition formula P: this is the assignment axiom: { P[V  E] } V := E { P } where P[V  E] denotes the substitution of V by E in P

6 COP4020 Spring 2011 6 12/2/2015 Examples for Assignments { k = 5 } k := k + 1 { k = 6 } (k = 6)[k  k+1]  (k+1 = 6)  (k = 5) { j = 3 and k = 4 } j := j + k { j = 7 and k = 4 } (j = 7 and k = 4)[j  j+k]  (j+k = 7 and k = 4)  (j = 3 and k = 4) { true } x := 2 { x = 2 } (x = 2)[x  2]  (2 = 2)  (true) { a > 0 } a := a - 1 { a > 0 } (a > 0)[a  a - 1]  (a - 1 > 0)  (a > 0)Assuming a is int ! { false } y := 1 { y = 2 }No state can satisfy precondition ! This is still proven partially correct !

7 COP4020 Spring 2011 7 12/2/2015 Validity of Assignment Axiom At first glance it seems that working backwards from a postcondition is more complicated than necessary and we are tempted to incorrectly assume we can use { true } V := E { V = E } However, consider { true } m := m + 1 { m = m + 1} and we find that { m = m + 1 }  { false } this is wrong assignment equality

8 COP4020 Spring 2011 8 12/2/2015 Statement Composition: Sequence Axiom The sequence axiom: { P } C 1 { Q } C 2 { R } Q is a postcondition of C 1 and a precondition for C 2 Written as a rule of inference { P } C 1 { Q }{ Q } C 2 { R } { P } C 1 ; C 2 { R }

9 COP4020 Spring 2011 9 12/2/2015 Example Sequencing We usually write the sequencing vertical and insert the inferred conditions between the statements: { i > 0 } k := i + 1; { k > 0 and j = j }  { k > 0 } i := j; { k > 0 and i = j } The rule of inference: { i > 0 } k := i + 1 { k > 0 } { k > 0 } i := j { k > 0 and i = j } { i > 0 } k := i + 1; i := j { k > 0 and i = j } (k > 0 and i = j)[i  j] (k > 0)[k  i + 1]

10 COP4020 Spring 2011 10 12/2/2015 Skip Axiom The ‘skip’ statement is a no-op { P } skip { P } pre- and postconditions are identical

11 COP4020 Spring 2011 11 12/2/2015 If-then-else Axiom The if-then-else axiom written vertically: { P } if B then { P and B } C 1 { Q } else { P and not B } C 2 { Q } end if { Q }

12 COP4020 Spring 2011 12 12/2/2015 If-then-else Axiom And as an inference rule: { P and B } C 1 { Q }{ P and not B } C 2 { Q } { P } if B then C 1 else C 2 end if { Q }

13 COP4020 Spring 2011 13 12/2/2015 The if-then-else Weakest Precondition Rule We can derive the weakest precondition P of and if-then-else using: P  (not B or P 1 ) and (B or P 2 ) where P 1 is the precondition of C 1 given postcondition Q and P 2 is the precondition of C 2 given postcondition Q Example: { ( x 0) and (x > 0 or true) }  { true } if x > 0 then { x > 0 } y := x else { 0 > 0 }  { true } y := 0 end if { y > 0 } 1. Compute preconditions P 1 and P 2 of C 1 and C 2 2. Compute precondition P given P 1 and P 2

14 COP4020 Spring 2011 14 12/2/2015 Precondition Strengthening Logical implication (  or  ) means stronger condition  weaker condition (more restrictive) (less restrictive) For example:  x = y and y = 0  y = 0  x  0  x = 0 or x 0  x = 0  x > 0  x = y  true  false  x = y 2

15 COP4020 Spring 2011 15 12/2/2015 Using Precondition Strengthening We can always make a precondition stronger than necessary to complete a proof For example, suppose we know that x > 0 and y = 2 at the start of the program: { x > 0 and y = 2}  { x > 0} y := x { y = x and y > 0 } (y = x and y > 0)[y  x]  (x = x and x > 0)

16 COP4020 Spring 2011 16 12/2/2015 Loops and Loop Invariants A loop-invariant condition is a logical formula that is true before the loop, in the loop, and after the loop A familiar example: grocery shopping The invariant is: groceries needed = groceries on list + groceries in cart cart := empty; { groceries needed = groceries on list + groceries in cart }  { groceries needed = groceries on list } while list not empty do { groceries needed = groceries on list + groceries in cart and not empty list } add grocery to cart; take grocery off list; { groceries needed = groceries on list + groceries in cart } end do; { groceries needed = groceries on list + groceries in cart and empty list }  { groceries needed = groceries in cart }

17 COP4020 Spring 2011 17 12/2/2015 While-loop Axiom The while-loop axiom uses a loop invariant I, which must be determined Invariant cannot generally be automatically computed and must be “guessed” by an experienced programmer { I } while B do { I and B } C { I } end do { I and not B }

18 COP4020 Spring 2011 18 12/2/2015 While-loop Example (1) Loop invariant I  (f*k! = n! and k > 0) { n > 0 } k := n; f := 1; while k > 0 do f := f*k; k := k-1; end do { f = n! } Prove that this algorithm is correct given precondition n>0 and postcondition f=n!

19 COP4020 Spring 2011 19 12/2/2015 While-loop Example (2) Loop invariant I  (f*k! = n! and k > 0) { n > 0 } k := n; f := 1; { f*k! = n! and k > 0 } while k > 0 do { f*k! = n! and k > 0 and k > 0 } f := f*k; k := k-1; { f*k! = n! and k > 0 } end do { f*k! = n! and k > 0 and k < 0 } { f = n! } Add while-loop preconditions and postconditions based on the invariant

20 COP4020 Spring 2011 20 12/2/2015 While-loop Example (3) Loop invariant I  (f*k! = n! and k > 0) { n > 0 } k := n; { 1*k! = n! and k > 0 } f := 1; { f*k! = n! and k > 0 } while k > 0 do { f*k! = n! and k > 0 and k > 0 } f := f*k; { f*(k-1)! = n! and k-1 > 0 } k := k-1; { f*k! = n! and k > 0 } end do { f*k! = n! and k > 0 and k < 0 } { f = n! } Use assignment axioms

21 COP4020 Spring 2011 21 12/2/2015 While-loop Example (4) Loop invariant I  (f*k! = n! and k > 0) { n > 0 } { n! = n! and n > 0 } k := n; { 1*k! = n! and k > 0 } f := 1; { f*k! = n! and k > 0 } while k > 0 do { f*k! = n! and k > 0 and k > 0 } { f*k*(k-1)! = n! and k-1 > 0 } f := f*k; { f*(k-1)! = n! and k-1 > 0 } k := k-1; { f*k! = n! and k > 0 } end do { f*k! = n! and k > 0 and k < 0 } { f = n! } Use assignment axioms

22 COP4020 Spring 2011 22 12/2/2015 While-loop Example (5) Loop invariant I  (f*k! = n! and k > 0) { n > 0 }  { n! = n! and n > 0 }  { n > 0 } k := n; { 1*k! = n! and k > 0 } f := 1; { f*k! = n! and k > 0 } while k > 0 do { f*k! = n! and k > 0 and k > 0 }  { f*k*(k-1)! = n! and k-1 > 0 } f := f*k; { f*(k-1)! = n! and k-1 > 0 } k := k-1; { f*k! = n! and k > 0 } end do { f*k! = n! and k > 0 and k < 0 } { f = n! } Use precondition strengthening to prove the correctness of implications

23 COP4020 Spring 2011 23 12/2/2015 While-loop Example (6) Loop invariant I  (f*k! = n! and k > 0) { n > 0 }  { n! = n! and n > 0 }  { n > 0 } k := n; { 1*k! = n! and k > 0 } f := 1; { f*k! = n! and k > 0 } while k > 0 do { f*k! = n! and k > 0 and k > 0 }  { f*k*(k-1)! = n! and k-1 > 0 } f := f*k; { f*(k-1)! = n! and k-1 > 0 } k := k-1; { f*k! = n! and k > 0 } end do { f*k! = n! and k > 0 and k < 0 }  { f*k! = n! and k = 0 }  { f = n! } Use simplification and logical implications to complete the proof

24 COP4020 Spring 2011 24 12/2/2015 Using Axiomatic Semantic Rules to find Bugs A postcondition specification can by any logical formula A specification that states the input-output requirements of an algorithm is needed to prove correctness A specification that tests a violation can aid in debugging  For example if (n < 0) then p = 2; else p = n+1; k = m / (p-1); // Div error when p = 1 { (n > 0 or true) and (n < 0 or n ≠ 0) }  { true } if (n < 0) then { true } p = 2; else { n ≠ 0 } p = n+1; { p ≠ 1 } k = m / (p-1); Means: p = 1 never possible

25 COP4020 Spring 2011 25 12/2/2015 Proof of Correctness of the Euclidian Algorithm Loop invariant I  ( gcd(x,y) = gcd(a,b) ) { true }  { gcd(a,b) = gcd(a,b) } x := a; { gcd(x,b) = gcd(a,b) } y := b; { gcd(x,y) = gcd(a,b) } while x ≠ y do { gcd(x,y) = gcd(a,b) and x ≠ y }  { (x > y or gcd(x,y-x) = gcd(a,b)) and (x ≤ y or gcd(x-y,y) = gcd(a,b)) } if x ≤ y then { gcd(x,y-x) = gcd(a,b) } y := y – x else { gcd(x-y,y) = gcd(a,b) } x := x – y end if { gcd(x,y) = gcd(a,b) } end do { gcd(x,y) = gcd(a,b) and x = y }  { x = gcd(a,b) } Use the fact that: gcd(x-y,y) = gcd(x,y) if x > y gcd(x,y-x) = gcd(x,y) if x < y x = gcd(x,x)

26 Concluding Remarks Formal treatment of program correctness sharpens our reasoning skills “why does this program work or fail?” Convincingly demonstrated with small programs Formal reasoning of nontrivial programs is complex and even with support of automated reasoning systems we cannot solve many complex correctness problems Formal reasoning with axiomatic semantics can be found in logic design (hardware), security protocol verification, and distributed system correctness analysis COP4020 Spring 2011 26 12/2/2015

Download ppt "COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ03D - Program verification Programming Language Design.

PZ03D Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ03D - Program verification Programming Language Design.
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.

Axiomatic Verification I Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture 17.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.

Dynamic semantics Precisely specify the meanings of programs. Why? –programmers need to understand the meanings of programs they read –programmers need.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.

Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

Similar presentations

Ads by Google