Jacob Andersen PhD student andersen@daimi.au.dk SEMANTICS (Q1,’07) Week 7 Jacob Andersen PhD student andersen@daimi.au.dk Semantics Q1 2007

News… Exam: Sample Solution to 2005 Miniproject Time and Place (final): Oct. 31st 9.00-13.00 in Benjamin bld. Curriculum: On the webpage (schedule) Materials: SOS chapter 1-3, CCS chapter 1-3, Note on SI Lecture slides A service to you to ease note-taking (alternative: whiteboard-only lectures) Price (for you to “pay”): I may require that you use things at the exam, that are only introduced on the slides. Exercises and hand-ins (including TA feedback) Competences developed and trained through exercises. Many points illustrated best by practical experience. Sample Solution to 2005 Miniproject Semantics Q1 2007

Week 7 - Outline Exam Bisimulation Course Evaluation SOS Implementation (Interpretation) Program Equivalence Imperative Blocks The Environment-Store Model Other Semantic Formalisms Semantics Q1 2007

Exam 1st page Evaluating your competences, i.e. new problems which you have not seen before. Hidden “traps” or insights … to avoid pattern-matching. Don’t Panic! A solution without explanations / motivations is useless!! Matches (at most) the “describe” competence. If the solution is wrong it cannot be “rescued” by a good explanation. Semantics Q1 2007

BISIMULATION Semantics Q1 2007

Def: A Strong Bisimulation Let (Proc, Act, ) be a LTS Def: a bin. rel. R  Proc  Proc is a strong bisimulation iff whenever (s,t)  R : aAct : if s  s’ then t  t’ for some t’ such that (s’,t’)  R if t  t’ then s  s’ for some s’ such that (s’,t’)  R Note: 1. Definition on LTS (not necessarily wrt. processes) 2. Definition relative to a (SOS) semantics (via LTS) a a a a a Intuition: “Only equate as consistently allowed by the semantics” Semantics Q1 2007

Def: Strongly Bisimilar (~) A Strong Bisimulation: Def: a bin. rel. R  Proc  Proc is a strong bisimulation iff whenever (s,t)  R : aAct : if s  s’ then t  t’ for some t’ such that (s’,t’)  R if t  t’ then s  s’ for some s’ such that (s’,t’)  R The Strong Bisimilarity relation (~): Def: two (processes) s and t are strongly bisimilar ( s ~ t ) iff  strong bisimulation R : (s,t)  R . i.e. a a a a ‘~’ := {R | R is a strong bisimulation } Semantics Q1 2007

How to Prove Strong Bisimilarity ? How to prove strong bisimilarity for two processes ? i.e. ?: Exhibit a (any) bisimulation R , for which: By definition we get that: since ‘~’ was the largest bisimulation How to disprove strong bisimilarity? Strong bisimulation game s ~ t (s,t)  R (s,t)  R  ‘~’ Semantics Q1 2007

Example Proof of Bisimilarity Buffer (capacity 1): Buffer (capacity 2): Show that: A0 =def in . A1 A1 =def out . A0 B0 =def in . B1 B1 =def in . B2 + out . B0 B2 =def out . B1 B0 ~ A0|A0 R = { (B0 , A0|A0) , (B1 , A1|A0) , (B1 , A0|A1) , (B2 , A1|A1) } B0 A0|A0 B1 A1|A0 A0|A1 B2 A1|A1 Semantics Q1 2007

Other Properties of (~) The following properties hold P, Q, R: P+Q ~ Q+P // ‘+’ commutative (P+Q)+R ~ P+(Q+R) // ‘+’ associative P|Q ~ Q|P // ‘|’ commutative (P|Q)|R ~ P|(Q|R) // ‘|’ associative P+0 ~ P // ‘0’ neutral wrt. ‘+’ P|0 ~ P // ‘0’ neutral wrt. ‘|’ ... Live exercise: Prove one of these properties Semantics Q1 2007

Summary: Strong Bisimilarity (~) Properties of (~): an equivalence relation: reflexive, symmetric, and transitive the largest strong bisimulation: for proving bisimilarity (exhibit a bisimulation) strong bisimulation game: for proving non-bisimilarity (winning attack strategy) a congruence: P ~ Q => C[P] ~ C[Q] obeys the following algebraic laws: ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, … Semantics Q1 2007

Summary: Weak Bisimilarity () Properties of (): an equivalence relation: reflexive, symmetric, and transitive the largest weak bisimulation: for proving bisimilarity (exhibit a bisimulation) weak bisimulation game: for proving non-bisimilarity (winning attack strategy) not a congruence: P  Q => C[P]  C[Q] obeys the following algebraic laws: ‘+’ and ‘|’ commutative, associative, and ‘0’ neutrality, … abstracts away from internal tau-actions Semantics Q1 2007

():“Fair Abstraction from Divergence” Consider: A =def a.0 + .B B =def b.0 + .A Note that: A  B  a.0 + b.0 !!! ..and even: Div =def .Div 0  Div !!! Intuition: “Fair Abstraction from Divergence”:  “assumes processes (eventually) escape from loops” Semantics Q1 2007

COURSE EVALUATION Semantics Q1 2007

Course Evaluation Your e aluation matters!: Why two evaluations? Gives you a chance to voice your opinion Helps improve next year’s course Helps improve my teaching (in general) May influence larger didactic strategies for whole dept. / uni Why two evaluations? Compulsory in order to get valid results. Semantics Q1 2007

Example: L implementation in SML SOS Implementation Example: L implementation in SML Semantics Q1 2007

Representation of Exp/BExp/Com type number = int type variable = string type truthvalue = bool datatype exp = Number of number | Variable of variable | Add of exp * exp | Sub of exp * exp | Mul of exp * exp datatype bexp= Truthvalue of truthvalue | Eq of exp * exp | Or of bexp * bexp | Not of bexp datatype com = Skip | Assign of variable * exp | Seq of com * com | If of bexp * com * com | While of bexp * com Semantics Q1 2007

Representation of Store type store = (variable * number) list fun update s v n = let val s' = List.filter (fn (v', _) => v <> v') s in (v, n) :: s' end fun lookup s v = let val pair = List.find (fn (v', _) => v = v') s fun match (SOME (_, n)) = n | match NONE = raise (Fail "Stuck!") in match pair Semantics Q1 2007

Small-step semantics for Exp fun smallStepExp (Variable var, store) (* Var *) = let val n = lookup store var in (Number n, store) end | smallStepExp (Add (Number m, Number m'), store) (* Sum3 *) = let val n = m + m' | smallStepExp (Add (Number m, e1), store) (* Sum2 *) = let val (e1', _) = smallStepExp (e1, store) in (Add (Number m, e1'), store) | smallStepExp (Add (e0, e1), store) (* Sum1 *) = let val (e0', _) = smallStepExp (e0, store) in (Add (e0', e1), store) Semantics Q1 2007

Pretty Printing Exp fun prettyExp (Number n) = print (Int.toString n) | prettyExp (Variable var) = print var | prettyExp (Add (e1, e2)) = ( prettyExp e1; print " + "; prettyExp e2 ) | prettyExp (Sub (e1, e2)) = ( prettyExp e1; print " - "; | prettyExp (Mul (e1, e2)) = ( prettyExp e1; print " * "; fun prettyBExp ... = ... fun prettyCom ... = Semantics Q1 2007

PROGRAM EQUIVALENCE Semantics Q1 2007

Program Equivalence ()?    xFV(E2)  yFV(E1) ... How do we know they are “equivalent” ? …and what does that mean ? nil nil ; nil C ; nil nil ; C C if B then C else C’ if ~B then C’ else C (C1 ; C2) ; C3 C1 ; (C2 ; C3) repeat C until B C ; while ~B do C x := E1 ; y := E2 y := E2 ; x := E1 Semantics Q1 2007

Behavior and Behavioral Equivalence Assume deterministic language L: Def: Behavior: Partial function: exec(C,) = Def: Behavioral equivalence (C  C’): exec : Com  Store  Store ’ if <C,> * ’ undef otherwise e.g. nontermination, abnormal termination if both defined Store: exec(C,) = exec(C’,) i.e. the two commands produce the same resulting store, ’, (but not necessarily in the same number of steps) Semantics Q1 2007

Congruence () Example (Java): Theorem: “” is a congruence [proof omitted] i.e., we can substitute equivalent fragments in programs! Example (Java): C  C’ => P[C]  P[C’] , for all contexts P[] class C { D void m() { S’ [ ] S’’ } class C { D void m() { S’ for (E1 ; E2 ; E3) S0 S” } class C { D void m() { S’ { E1 ; while (E2) { S0 E3 ; }} S” } safe transformation who: compiler, homo-sapiens, combination (refactoring tools), … why: readability, optimization, simplification, … Semantics Q1 2007

How to Prove Behavioral Equivalence? How do we prove: (for given C, C’)? i.e.: For derivation sequences of any length, n C  C’ Store: exec(C,) = exec(C’,) if both defined  ,’: (<C,> * ’)  (<C’,> * ’)  ,’: (<C,> * ’)  (<C’,> * ’)  ,’: (<C,> * ’)  (<C’,> * ’)  ,’: (<C,> n ’)  (<C’,> * ’)  ,’: (<C,> * ’)  (<C’,> n ’) Semantics Q1 2007

Induction on the Length of Derivation Seq’s Base case: P(k=1) Prove that the property, P, holds for all derivation sequences of length 1 (one) Inductive step: P(k)  P(k+1) Assume P(k): that the property holds for derivation sequences of length k Prove P(k+1): that it holds for derivation sequences of length k+1 Then: n1: P(n) Property P holds for all derivation sequences (any length) Semantics Q1 2007

…Or How do we prove: (for given C, C’)? i.e.: For some intermediate configuration,  C  C’ if both defined Store: exec(C,) = exec(C’,)  ,’: (<C,> * ’)  (<C’,> * ’)  ,’: (<C,> * ’)  (<C’,> * ’)  ,’: (<C,> * ’)  (<C’,> * ’)  : (<C,> * )  (<C’,> * )  : (<C,> * )  (<C’,> * ) Semantics Q1 2007

Example (Proof Structure)  Prove “” (let  be given w/o assumptions): Assume [LHS]: show [RHS]: Case analysis on possible derivations for [LHS]… if B then C else C’ if ~B then C’ else C <if B then C else C’, > *   <if ~B then C’ else C, > *  for some  <if B then C else C’, > *  <if ~B then C’ else C, > *  Semantics Q1 2007

Example (cont’d) Case [B * tt]: Then construct: Analogous for [B * ff] Symmetric for the other direction “” proof <B,> B* <tt,> proof ’ [IF1] C1 <if B then C else C’,> <C,’> C* ’ proof <B,> B* <tt,> [NEG1] <~B,> B1 <ff,> proof ’ [IF2] C1 <if ~B then C’ else C,> <C,’> C* ’ Semantics Q1 2007

IMPERATIVE BLOCKS Semantics Q1 2007

Blocks Consider the language ABCD: Example: A ::= z | v | A0 + A1 | A0 - A1 | A0  A1 B ::= b | ~ B | B0 or B1 | A0 = A1 C ::= nil | x := A | if B then C else C’ | while B do C | begin D ; C end // local block D ::= nil | var x := A | D0 ; D1 // local defs. if (~ (x = y)) then begin var t := x ; x := y ; y := t end else nil Semantics Q1 2007

Semantics of Definitions Note: [Plotkin] does this differently (through env-store model); read it yourselves… Semantics of Definitions: [NIL]D <nil, > D  [VAR]D <A, > A* <n, ’> <var x := A, > D ’[x=n] extend store <D0, > D <D0’, ’> [SEQ1]D <D0 ; D1, > D <D0’ ; D1, ’> <D0, > D ’ [SEQ2]D <D0 ; D1, > D <D1, ’> Semantics Q1 2007

Semantics of Blocks SOS for Blocks: remember set of locally defined variables : V=DV(D) remember values of shadowed variables : 0= |V [BLK1]C <D, > D* ’ <begin D ; C end, > C <begin(V,0) C end, ’> [BLK2]C <C, > C <C’,’> <begin(V,0) C end, > C <begin(V,0) C’ end, ’> [BLK3]C <C, > C ’ <begin(V,0) C end, > C (’ \ V) [0] purge locally defined variables and restore old shadowed values Semantics Q1 2007

Dynamic vs. Static Scope Rules Example: [BLK3]C <C, > C ’ <begin(V,0) C end, > C (’ \ V) [0] purge locally defined variables and restore old shadowed values x := 2 ; begin var x := 7 ; nil end // here: x has the value... restoring old shadowed values not restoring … “Static Scope Rules” x = 2 “Dynamic Scope Rules” x = 7 Semantics Q1 2007

Inaccessible Val’s (Garbage Collection) Example: [BLK3]C <C, > C ’ <begin(V,0) C end, > C (’ \ V) [0] purge locally defined variables and restore old shadowed values // x undefined begin var x := 7 ; nil end // here x is ... purging locally defined vars not purging … “No Inaccessible Values” x isn’t in the store (garbage collection)! “Inaccessible Values” x is in the store (but inaccessible)! Semantics Q1 2007

THE ENVIRONMENT-STORE MODEL Semantics Q1 2007

“The Environment-Store Model” Introducing abstract locations: Transitions:  |- <E,>  <E’,’>  : VAR  LOC ,  : LOC  VAL   x ℓ v environment store    VAR LOC VAL x (x) ((x)) env : doesn’t change w/ exec store: mutates with execution Semantics Q1 2007

Examples (Pointers) (for the C-hackers: :) Pointers Static Semantics: Dynamic Semantics: (for the C-hackers: :) #define ptr (int*) ptr p = 0xCAFEBABE;// (p)  LocZ a location const int x = *p; // *p  Z (since (p)  LocZ) [DER]  |- E : LOC "DER" for (pointer) dereference  |- * E :   |- <E,>  <E’,’> n = (ℓ)  |- <* E,>  <* E’,’>  |- <* ℓ,>  <n,> [DER1] [DER2] Semantics Q1 2007

Examples (cont’d) Aliasing (similarly with call-by-reference): Explicit allocation: Explicit deallocation: ptr q = p; // location aliasing: (q) = ℓ = (p) *p = 42; // side-effecting: ’ = [ℓ=42] // now *q also has the value 42: ((q)) is 42 { ptr p = allocate(1); // (p) = ℓfresh ℓfresh  LocZ *p = 42; // side-effecting: ’ = [ℓfresh=42] } // ℓfresh  Dm() ptr p = ...; free(p); // (p)=ℓ, but ℓDm(); “dangling reference”! Semantics Q1 2007

OTHER SEMANTIC FORMALISMS Semantics Q1 2007

Operational Semantics Labelled Transition System: 0 = <z=x;x=y;y=z, [x=1,y=2,z=3]>  1 = <x=y;y=z, [x=1,y=2,z=1]>  2 = <y=z, [x=2,y=2,z=1]>  3 = result = [x=2,y=1,z=1] Variations in step-sizes (small-step, big-step, …) The meaning of a construct is specified by the computation it induces when it is executed on a machine. In particular, it is of interest how the effect of a computation is produced. -- [Nielson & Nielson, “Semantics with Applications”, ’93] Semantics Q1 2007

Operational Semantics (cont’d) Example: Modular SOS Using “Generalized LTS” Essentially: Neighbouring labels must be “composable”. Configurations does not contain stores or anything else but the program state. Stores, environments, I/O etc. are embedded in the labels, e.g.: In this case labels are composable iff the second store component in a label is equal to the first store component in the subsequent label. e –X-> e’ [ASS1] x := e -X-> x := e’ [ASS2] σ’=σ[n/x] x := n –(σ,σ’)-> nil Semantics Q1 2007

Denotational Semantics Describe everything as mathematical functions: [[ z=x;(x=y;y=z)]] = [[ x=y;y=z ]] o [[ z=x ]] = [[ y=z ]] o [[ x=y ]] o [[ z=x ]] = s.s[y=s(z)] o s.s[x=s(y)] o s.s[z=s(x)] = s.s[x=s(y),y=s(x),z=s(x)] Ex. R5RS (Revised5 Report on the Alg. Lang. Scheme) Loops expressed as fixed-points of rec’sive functors i.e., functions that takes functions as arguments Meanings are modelled by mathematical objects that represent the effect of executing the constructs. Thus, only the effect is of interest, not how it is obtained. -- [Nielson & Nielson, “Semantics with Applications”, ’93] Semantics Q1 2007

Axiomatic Semantics Axiomatic Semantics: Partial correctness; Command C is partially correct wrt. a pre and a post-condition if whenever the initial state fulfils the pre-condition and the program terminates, then the final state fulfils the post-condition. {x=1,y=2} z=x;x=y;y=z {x=2,y=1} Specific properties of the effect of executing the constructs are expressed as assertions. Thus, there may be aspects of the executions that are ignored. -- [Nielson & Nielson, “Semantics with Applications”, ’93] { pre } C { post } {P} C {Q} {Q} C’ {R} {B∧P} C {P} {P} C;C’ {R} {P} while B do C {¬B∧P} Semantics Q1 2007

</ SEMANTICS > Semantics Q1 2007

Next week: Revision Period; then Exam Good Luck! Any Questions? Semantics Q1 2007