
Copyright © 2006 Addison-Wesley. All rights reserved.

### 1-2 Axiomatic Semantics

Axiomatic semantics is based on formal logic (predicate calculus). Its original purpose was proving the correctness of programs.

The logical expressions are called assertions. An assertion before a statement (a precondition) describes the constraints on the program variables at that point in the program. An assertion following a statement (a postcondition) describes the new constraints on those variables after execution of the statement.

### 1-3 Example

We examine assertions from the point of view that preconditions are computed from given postconditions. Assume all variables are integers. Postconditions and preconditions are written in braces.

A simple example:

sum = 2 * x + 1 {sum > 1}

The postcondition is {sum > 1}. One possible precondition is {x > 10}.

### 1-4 Weakest precondition

A weakest precondition is the least restrictive precondition that will guarantee the postcondition. For example, for the statement and postcondition above,

{x > 10}, {x > 50}, {x > 100}

are all valid preconditions. Of all these preconditions, the weakest is {x > 10}.

### 1-5 Correctness proofs

If the weakest precondition can be computed from the given postcondition for each statement of a language, then correctness proofs can be constructed for programs in that language as follows:

- The proof begins by using the desired result of the program's execution as the postcondition of the last statement of the program.
- This postcondition, along with the last statement, is used to compute the weakest precondition for the last statement.
- This precondition is then used as the postcondition for the second-to-last statement.
- This process continues until the beginning of the program is reached.

### 1-6 Correctness proofs

At that point, the precondition of the first statement states the condition under which the program will compute the desired results. If this condition is implied by the input specification of the program, the program has been verified to be correct.

To use axiomatic semantics for correctness proofs or for formal semantic specifications, either an axiom or an inference rule must be available for each kind of statement in the language. An axiom is a logical statement that is assumed to be true. An inference rule is a method of inferring the truth of an assertion based on other assertions.

### 1-7 Axiomatic Semantics: Assignment statement

Let x = E be a general assignment statement and Q be its postcondition. Then its weakest precondition P is defined by the axiom

P = Q_{x→E}

P is computed as Q with all instances of x replaced by E.

### 1-8 Example

Consider the following statement and postcondition:

a = b / 2 - 1 {a < 10}

The weakest precondition is computed by substituting b / 2 - 1 for a in the postcondition:

b / 2 - 1 < 10
b < 22

### 1-9 Notations for axiomatic semantics

The usual notation is

{P} S {Q}

where P is the precondition, Q is the postcondition and S is the statement. For the assignment statement, the notation is

{Q_{x→E}} x = E {Q}

### 1-10 Example

Compute the precondition for the assignment statement

x = 2 * y - 3 {x > 25}

The weakest precondition is computed as

2 * y - 3 > 25
y > 14

### 1-11 Example

What if the left side of the assignment also appears on the right side?

x = x + y - 3 {x > 10}

The weakest precondition is

x + y - 3 > 10
y > 13 - x

This has no effect on the process of computing the precondition.

### 1-12 Axiomatic Semantics: Sequences

The precondition for a sequence of statements cannot be described by an axiom, because the precondition depends on the particular kinds of statements in the sequence. The precondition can only be described with an inference rule.

Let S1 and S2 be adjacent statements. Assume that S1 and S2 have the following pre/postconditions:

{P1} S1 {P2}
{P2} S2 {P3}

The inference rule for such a two-statement sequence is: from {P1} S1 {P2} and {P2} S2 {P3}, infer {P1} S1; S2 {P3}. The axiomatic semantics of the sequence S1; S2 is therefore

{P1} S1; S2 {P3}

### 1-13 Axiomatic Semantics: Sequences

The above inference rule states that to get the precondition of the sequence, the precondition of the second statement is computed first. This new assertion is used as the postcondition of the first statement, which can then be used to compute the precondition of the first statement. That precondition is the precondition for the whole sequence.

### 1-14 Example

Assume we have the following sequence of statements:

x1 = E1
x2 = E2

Then we have

{P3_{x2→E2}} x2 = E2 {P3}
{(P3_{x2→E2})_{x1→E1}} x1 = E1 {P3_{x2→E2}}

Therefore, the precondition for the sequence x1 = E1; x2 = E2 with postcondition P3 is

{(P3_{x2→E2})_{x1→E1}}

### 1-15 Example

Consider the following sequence and postcondition:

y = 3 * x + 1;
x = y + 3;
{x < 10}

The precondition for the last assignment statement is

y < 7

which is used as the postcondition for the first statement. The precondition for the first statement, and hence for the whole sequence, can now be computed:

3 * x + 1 < 7
x < 2

### 1-16 Axiomatic Semantics: Selection

The general form of the selection statement is

if B then S1 else S2

The inference rule is: from {B and P} S1 {Q} and {(not B) and P} S2 {Q}, infer {P} if B then S1 else S2 {Q}.

This rule indicates that selection statements must be proven both for when the condition expression is true and for when it is false. The first logical statement above the line represents the then clause; the second represents the else clause. We need a precondition P that can be used in the precondition of both the then and else clauses.

### 1-17 Example

Consider the following selection statement:

if (x > 0)
  y = y - 1
else
  y = y + 1

Suppose the postcondition Q for the selection statement is {y > 0}.

We can then use the axiom for assignment on the then clause:

y = y - 1 {y > 0}

This produces {y - 1 > 0}, or {y > 1}. It can be used as the P part of the precondition of the then clause.

Now apply the same axiom to the else clause:

y = y + 1 {y > 0}

which produces {y + 1 > 0}, or {y > -1}.

Because {y > 1} → {y > -1}, the rule uses {y > 1} as the precondition of the whole selection statement.
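The assignment axiom, the sequence rule and the selection example above can be mechanised. The Python below is an added example and is not code from the slides or from Sebesta's textbook; all function names are my own. `substitute` implements Q_{x→E} by replacing the variable inside the assertion's syntax tree, `wp_sequence` applies it backwards over a list of assignments as the sequence rule prescribes, and `wp_if` builds the standard weakest precondition of a two-branch selection with assignment-only branches, (B and wp(S1, Q)) or (not B and wp(S2, Q)), which goes beyond the proof rule on slide 1-16. The computed preconditions come out unsimplified (for slide 1-15 the result is `3 * x + 1 + 3 < 10`, not `x < 2`), so `implies` and `equivalent` compare them with the simplified forms from the slides by enumerating every integer valuation in a bounded range. That is a finite check, not a proof: it can refute a claimed precondition but only lends support to a correct one. `/` is Python's true division; for the slide 1-8 example it yields the same set of integers as integer division.

```python
import ast
import copy
import itertools

# Syntax an assertion or expression may use: integer arithmetic, comparisons and
# boolean connectives. Anything else (calls, attributes, subscripts) is rejected.
ALLOWED = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
           ast.Name, ast.Constant, ast.Load, ast.operator, ast.unaryop,
           ast.cmpop, ast.boolop)


def parse(text):
    """Parse an assertion such as 'x > 25', refusing constructs outside ALLOWED."""
    tree = ast.parse(text, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"unsupported construct in assertion: {ast.dump(node)}")
    return tree


def substitute(assertion, var, expr):
    """Q_{var->expr}: the assertion with every occurrence of var replaced by expr.
    This is the assignment axiom of slide 1-7."""
    tree = parse(assertion)
    replacement = parse(expr).body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(replacement) if node.id == var else node

    tree = ast.fix_missing_locations(Sub().visit(tree))
    return ast.unparse(tree)        # unparse adds parentheses where precedence requires them


def wp_sequence(assignments, post):
    """Weakest precondition of a sequence of assignments, computed backwards from the
    postcondition as the sequence inference rule prescribes. Each assignment is a
    (variable, expression) pair of strings, listed in program order."""
    pre = post
    for var, expr in reversed(assignments):
        pre = substitute(pre, var, expr)
    return pre


def wp_if(cond, then_assignments, else_assignments, post):
    """Weakest precondition of 'if B then S1 else S2' with assignment-only branches:
    (B and wp(S1, Q)) or (not B and wp(S2, Q))."""
    return (f"({cond} and ({wp_sequence(then_assignments, post)})) or "
            f"(not ({cond}) and ({wp_sequence(else_assignments, post)}))")


def compile_assertion(assertion):
    return compile(parse(assertion), "<assertion>", "eval")


def holds(code, env):
    """Evaluate a compiled assertion in an environment {name: int}; builtins are disabled."""
    return bool(eval(code, {"__builtins__": {}}, dict(env)))


def implies(p, q, names, lo=-50, hi=50):
    """Exhaustively check p => q for every integer valuation of names in [lo, hi].
    A finite check, not a proof: it can refute an implication but only support one."""
    cp, cq = compile_assertion(p), compile_assertion(q)
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        env = dict(zip(names, values))
        if holds(cp, env) and not holds(cq, env):
            return False
    return True


def equivalent(p, q, names, lo=-50, hi=50):
    return implies(p, q, names, lo, hi) and implies(q, p, names, lo, hi)


if __name__ == "__main__":
    # Slide 1-10: x = 2 * y - 3 {x > 25}
    wp10 = substitute("x > 25", "x", "2 * y - 3")
    print(wp10, "<=> y > 14:", equivalent(wp10, "y > 14", ["y"]))
    # Slide 1-15: y = 3 * x + 1; x = y + 3 {x < 10}
    seq = wp_sequence([("y", "3 * x + 1"), ("x", "y + 3")], "x < 10")
    print(seq, "<=> x < 2:", equivalent(seq, "x < 2", ["x"]))
    # Slide 1-17: the slides' choice {y > 1} is a valid precondition, {y > -1} is not
    sel = wp_if("x > 0", [("y", "y - 1")], [("y", "y + 1")], "y > 0")
    print(sel)
    print("y > 1 suffices:", implies("y > 1", sel, ["x", "y"]),
          "| y > -1 suffices:", implies("y > -1", sel, ["x", "y"]))
```

Substituting at the syntax-tree level rather than by textual search-and-replace is what keeps `x = x + y - 3 {x > 10}` (slide 1-11) correct: the `x` on the right-hand side is copied into the assertion once and is not itself rewritten again, and operator precedence is preserved when the replaced variable sits inside a larger expression.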

### 1-18 Axiomatic Semantics: While Loop

Computing the weakest precondition for a logical pretest loop (while loop) is more difficult than for a sequence, because the number of iterations cannot always be predetermined. In a case where the number of iterations is known, the loop can be unrolled and treated as a sequence.

### 1-20 Axiomatic Semantics: Axioms

Characteristics of the loop invariant. I must meet the following conditions:

- P => I -- the loop invariant must be true initially
- {I} B {I} -- evaluation of the Boolean must not change the validity of I
- {I and B} S {I} -- I is not changed by executing the body of the loop
- (I and (not B)) => Q -- if I is true and B is false, Q is implied
- The loop terminates

### 1-21 Loop Invariant

The loop invariant I is a weakened version of the loop postcondition, and it is also a precondition. I must be weak enough to be satisfied prior to the beginning of the loop, but, when combined with the loop exit condition, it must be strong enough to force the truth of the postcondition.
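The five conditions on slide 1-20, and the "weak enough but strong enough" tension described on slide 1-21, can be checked mechanically for a concrete loop. The Python below is an added example, not code from the slides or the textbook. The loop it examines, `while y != x: y = y + 1` with postcondition {y == x}, precondition {y <= x} and candidate invariant {y <= x}, is constructed for this illustration. The termination condition is checked with a variant expression (here x - y) that must be non-negative whenever the loop can iterate and must strictly decrease on every iteration; that is a standard technique I am assuming, since the slides only state "the loop terminates". States are enumerated over a bounded integer range, so a pass is evidence rather than a proof, but any reported failure is a genuine counterexample state.

```python
import itertools

CONDITIONS = ("P => I", "{I} B {I}", "{I and B} S {I}", "(I and not B) => Q", "loop terminates")


def check_loop(pre, inv, cond, body, post, variant, names, lo=-15, hi=15):
    """Check the loop-invariant conditions of the slides by brute force.

    pre, inv, cond, post : predicates on a state dict {name: int}
    body                 : function from a state to the state after one iteration
    variant              : integer-valued function of the state; it must be >= 0 in every
                           (I and B) state and strictly decrease across an iteration
                           (assumed termination technique, not stated on the slides)
    names                : the variables enumerated over [lo, hi]
    Returns {condition: bool}; False means a counterexample state was found.
    """
    ok = dict.fromkeys(CONDITIONS, True)
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        s = dict(zip(names, values))
        if pre(s) and not inv(s):                       # P => I
            ok["P => I"] = False
        before = dict(s)
        cond(s)                                          # evaluating B must leave the state untouched
        if s != before:
            ok["{I} B {I}"] = False
        if inv(s) and cond(s):                           # one iteration from an (I and B) state
            after = body(dict(s))
            if not inv(after):
                ok["{I and B} S {I}"] = False
            if not (variant(s) >= 0 and variant(after) < variant(s)):
                ok["loop terminates"] = False
        if inv(s) and not cond(s) and not post(s):       # (I and not B) => Q
            ok["(I and not B) => Q"] = False
    return ok


# Constructed loop for the illustration:   while y != x: y = y + 1   {y == x}
def cond(s):
    return s["y"] != s["x"]


def body(s):
    return {**s, "y": s["y"] + 1}


def post(s):
    return s["y"] == s["x"]


def variant(s):
    return s["x"] - s["y"]           # counts the iterations still to run


def y_le_x(s):
    return s["y"] <= s["x"]


NAMES = ("x", "y")


def example_results():
    """Precondition and invariant {y <= x}: every condition should hold."""
    return check_loop(y_le_x, y_le_x, cond, body, post, variant, NAMES)


def weak_invariant_results():
    """Invariant 'true' is too weak: the implications all pass, yet termination cannot be
    shown, because from a state with y > x the loop never stops."""
    return check_loop(y_le_x, lambda s: True, cond, body, post, variant, NAMES)


def strong_invariant_results():
    """Invariant {y == x} is too strong: it is not implied by the precondition {y <= x}."""
    return check_loop(y_le_x, post, cond, body, post, variant, NAMES)


if __name__ == "__main__":
    for label, res in (("y <= x", example_results()), ("true", weak_invariant_results()),
                       ("y == x", strong_invariant_results())):
        print(f"invariant {label}: {res}")
```

The three runs show the balance slide 1-21 describes: {y <= x} satisfies every condition, `true` is weak enough to be established initially but too weak to force termination or, in general, the postcondition, and {y == x} would force the postcondition but is not implied by the precondition.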

### 1-22 Evaluation of Axiomatic Semantics

- Developing axioms or inference rules for all of the statements in a language is difficult.
- It is a good tool for correctness proofs and an excellent framework for reasoning about programs.
- Its usefulness in describing the meaning of a programming language is limited for language users and compiler writers.