cs7100(Prasad)L18-9WP1 Axiomatic Semantics Predicate Transformers

cs7100(Prasad)L18-9WP2 Motivation Problem Specification Properties satisfied by the input and expected of the output (usually described using “assertions”). E.g., Sorting problem –Input : Sequence of numbers –Output: Permutation of input that is ordered. Program Transform input to output. InputOutput

cs7100(Prasad)L18-9WP3 Sorting algorithms »Bubble sort; Shell sort; »Insertion sort; Selection sort; »Merge sort; Quick sort; »Heap sort; Axiomatic Semantics To show that a program satisfies its specification, it is convenient to have a description of the language constructs in terms of assertions characterizing the input and the corresponding output states.

cs7100(Prasad)L18-9WP4

cs7100(Prasad)L18-9WP5 q p

cs7100(Prasad)L18-9WP6 Axiomatic Approaches Hoare’s Proof System (partial correctness) Dijkstra’s Predicate Transformer (total correctness) Assertion : Logic formula involving program variables, arithmetic/boolean operations, etc. Hoare Triples : {P} S {Q} pre-condition statements post-condition (assertion) (program) (assertion)

cs7100(Prasad)L18-9WP7 Swap Example { x = n and y = m } t := x; x := y; y := t; { x = m and y = n } –program variables vs ghost/logic variables States : Variables  Values Assertions : States  Boolean (= Powerset of States)

cs7100(Prasad)L18-9WP8 Partial vs Total Correctness {P} S {Q} partiallyS is partially correct for P and Q if and only if whenever S is executed in a state satisfying P and the execution terminates, then the resulting state satisfies Q. totallyS is totally correct for P and Q if and only if whenever S is executed in a state satisfying P, then the execution terminates, and the resulting state satisfies Q.

cs7100(Prasad)L18-9WP9 Examples Totally correct (hence, partially correct) { false } x := 0; { x = 111 } { x = 11 } x := 0; { x = 0 } { x = 0 } x := x + 1; { x = 1 } {false} while true do; {x = 0} {y = 0} if x <> y then x:= y; { x = 0 } Not totally correct, but partially correct {true} while true do; {x = 0} Not partially correct {true} if x 0 }

cs7100(Prasad)L18-9WP10 Axioms and Inference Rules Assignment axiom {Q[e]} x := e; {Q[x]} Inference Rule for statement composition {P} S1 {R} {R} S2 {Q} {P} S1; S2 {Q} Example {x = y} x := x+1; {x = y+1} {x = y+1} y := y+1; {x = y} {x = y} x:=x+1; y:=y+1; {x = y}

cs7100(Prasad)L18-9WP11 Generating additional valid triples {P} S {Q} from {P’} S {Q’} P’P’ States P’P’ P Q’Q’ Q

cs7100(Prasad)L18-9WP12 Rule of Consequence {P’} S {Q’} and P=>P’ and Q’=>Q {P} S {Q} – Strengthening the antecedent – Weakening the consequent Example {x=0 and y=0} x:=x+1;y:=y+1; {x = y} {x=y} x:=x+1; y:=y+1; {x<=y or x=5} (+ Facts from elementary mathematics [boolean algebra + arithmetic] )

cs7100(Prasad)L18-9WP13 Predicate Transformers Assignment wp( x := e, Q ) = Q[x<-e] Composition wp( S1 ; S2, Q) = wp( S1, wp( S2, Q )) Correctness {P} S {Q} = (P => wp( S, Q))

cs7100(Prasad)L18-9WP14 Correctness Illustrated States Q P wp(S,Q) P => wp( S, Q)

cs7100(Prasad)L18-9WP15 Correctness Proof {x=0 and y=0} x:=x+1;y:=y+1; {x = y} wp(y:=y+1;, {x = y}) = { x = y+1 } wp(x:=x+1;, {x = y+1}) = { x+1 = y+1 } wp(x:=x+1;y:=y+1;, {x = y}) = { x+1 = y+1 } = { x = y } { x = 0 and y = 0 } => { x = y }

cs7100(Prasad)L18-9WP16 Conditionals { P and B } S1 {Q} {P and not B } S2 {Q} {P} if B then S1 else S2; {Q} wp(if B then S1 else S2;, Q) = (B => wp(S1,Q)) and ( not B => wp(S2,Q)) = (B and wp(S1,Q)) or ( not B and wp(S2,Q))

cs7100(Prasad)L18-9WP17 “Debugging” Program {true} if x 0 } {x 0 } {x >= 0} ; { x > 0 } (x (-x > 0) Because (x < 0)  (0 < -x) (x >= 0) => (x > 0) (x = 0) => (x > 0)

cs7100(Prasad)L18-9WP18 “Invariant”: Summation Program { s = i * (i + 1) / 2 } i := i + 1; s := s + i; { s = i * (i + 1) / 2 } Intermediate Assertion ( s and i different) { s + i = i * (i + 1) / 2 } Weakest Precondition { s+i+1 = (i+1) * (i+1+1) / 2 }

cs7100(Prasad)L18-9WP19 while-loop : Hoare’s Approach {Inv and B} S {Inv} {Inv} while B do S {Inv and not B} Proof of Correctness {P} while B do S {Q} and = P => Inv and {Inv} B {Inv} and and {Inv and B} S {Inv} and and {Inv and not B => Q} + Loop Termination argument

cs7100(Prasad)L18-9WP20 {I and B} S {I} 0 iterations: {I} {I and not B} not B holds 1 iteration: {I} S {I and not B} B holds not B holds 2 iterations: {I} S ; S {I and not B} B holds B holds not B holds Infinite loop if B never becomes false. {I} while B do S {I and not B}

cs7100(Prasad)L18-9WP21 Example1 : while-loop correctness { n>0 and x=1 and y=1} while (y < n) [ y++; x := x*y;] {x = n!} Choice of Invariant {I and not B} => Q {I and (y >= n)} => (x = n!) I = {(x = y!) and (n >= y)} Precondition implies invariant { n>0 and x=1 and y=1} => { 1=1! and n>=1 }

cs7100(Prasad)L18-9WP22 Verify Invariant {I and B} => wp(S,I) wp( y++; x:=x*y;, {x=y! and n>=y}) = { x=y! and n>=y+1 } I and B = { x=y! and n>=y } and { y<n } = { x=y! and n>y } Termination VariantVariant : ( n - y ) y : 1 -> 2 -> … -> n (n-y) : (n-1) -> (n-2) -> … -> 0

cs7100(Prasad)L18-9WP23 Detailed Working wp( y++; x:=x*y;, {x=y! and n>=y}) = wp(y++,{x*y=y! and n>=y}) = wp(y++,{x=y-1! and n>=y}) = {x=y+1-1! and n>=y+1} = {x=y! and n>y}

cs7100(Prasad)L18-9WP24 GCD/HCF code PRE: (x = n) and (y = m) while (x <> y) do ASSERT: (** INVARIANT **) begin if x > y then x := x - y; else y := y - x; end; POST: (x = gcd(n,m))

cs7100(Prasad)L18-9WP25 GCD-LCM code PRE: (x = n) and (y = m) u := x; v := y; while (x <> y) do ASSERT: (** INVARIANT **) begin if x > y then x := x - y; u := u + v else y := y - x; v := v + u end; POST: (x = gcd(n,m)) and (lcm (n,m) = (u+v) div 2)

cs7100(Prasad)L18-9WP26 while-loop : Dijkstra’s Approach wp( while B do S, Q) = P0 or P1 or … or Pn or … = there exists k >= 0 such that Pk Pi : Set of states causing i - iterations of while-loop before halting in a state in Q. P0 = not B and Q P1 = B and wp(S, P0) Pk+1 = B and wp(S, Pk)

cs7100(Prasad)L18-9WP27... P0 P1 P2 States Q wp P0 => wp(skip, Q) subset P0 subset Q P1 => wp(S, P0) P0

cs7100(Prasad)L18-9WP28 Example2 : while-loop correctness P0 = { y >= n and x = n! } Pk = B and wp(S,Pk-1) P1 = { y =n and x*(y+1) = n! } Pk = y=n-k and x=(n-k)! Weakest Precondition Assertion: Wp = there exists k >= 0 such that P0 or {y = n-k and x = (n-k)!} Verification : P = n>0 and x=1 and y=1 For i = n-1: P => Wp

cs7100(Prasad)L18-9WP29 Induction Proof Hypothesis : Pk = {y=n-k and x=(n-k)!} Pk+1 = { B and wp(S,Pk) } = y<n and (y+1 = n-k) and (x*(y+1)=(n-k)!) = y<n and (y = n-k-1) and (x = (n-k-1)!) = y<n and (y = n- k+1) and (x = (n- k+1)!) = (y = n - k+1) and (x = (n - k+1)!) Valid preconditions : –{ n = 4 and y = 2 and x = 2 } (k = 2) –{ n = 5 and x = 5! and y = 6} ( no iteration )