Programming Language Semantics Axiomatic Semantics - PowerPoint PPT Presentation

Provided by: thoma423
Slides: 44

1
Programming Language Semantics: Axiomatic Semantics
  • Chapter 6

2
Motivation
  • What do we need in order to prove that the
    program does what it is supposed to do?
  • Specify the required behavior
  • Compare the behavior with the one obtained by the
    denotational/operational semantics
  • Develop a proof system for showing that the
    program satisfies a requirement
  • Mechanically use the proof system to show
    correctness
  • The meaning of a program is a set of verification
    rules

3
Plan
  • The basic idea
  • An assertion language
  • Semantics of assertions
  • Proof rules
  • An example
  • Soundness
  • Completeness

4
Example Program
$S := 0;\ N := 1;\ \mathbf{while}\ \neg(N = 101)\ \mathbf{do}\ (S := S + N;\ N := N + 1)$
$\{N = 101 \wedge S = \sum_{1 \le m \le 100} m\}$
5
Example Program
$S := 0;\ \{S = 0\}$
$N := 1;\ \{S = 0 \wedge N = 1\}$
$\mathbf{while}\ \neg(N = 101)\ \mathbf{do}\ (S := S + N;\ N := N + 1)$
$\{N = 101 \wedge S = \sum_{1 \le m \le 100} m\}$
7
Example Program
$S := 0;\ \{S = 0\}$
$N := 1;\ \{S = 0 \wedge N = 1\}$
$\mathbf{while}\ \{1 \le N \le 101 \wedge S = \sum_{1 \le m \le N-1} m\}\ \neg(N = 101)\ \mathbf{do}$
$\quad S := S + N;\ \{1 \le N < 101 \wedge S = \sum_{1 \le m \le N} m\}$
$\quad N := N + 1$
$\{N = 101 \wedge S = \sum_{1 \le m \le 100} m\}$
8
Partial Correctness
  • $\{P\}\,c\,\{Q\}$
  • P and Q are assertions (extensions of Boolean
    expressions)
  • c is a command
  • For all states σ that satisfy P, if the
    execution of c from state σ terminates in state
    σ', then σ' satisfies Q
  • $\{\mathit{true}\}\ \mathbf{while}\ \mathit{true}\ \mathbf{do}\ \mathbf{skip}\ \{\mathit{false}\}$

9
Total Correctness
  • $[P]\,c\,[Q]$
  • P and Q are assertions (extensions of Boolean
    expressions)
  • c is a command
  • For all states σ that satisfy P,
  • the execution of c from state σ must terminate
    in a state σ'
  • σ' satisfies Q

10
Formalizing Partial Correctness
  • $\sigma \models A$
  • A is true in σ
  • $\{P\}\,c\,\{Q\}$
  • $\forall \sigma, \sigma'.\ (\sigma \models P \wedge \langle c, \sigma \rangle \to \sigma') \Rightarrow \sigma' \models Q$
  • $\forall \sigma.\ (\sigma \models P \wedge \mathcal{C}[\![c]\!]\sigma \neq \bot) \Rightarrow \mathcal{C}[\![c]\!]\sigma \models Q$
  • Convention: for all A, $\bot \models A$
  • $\forall \sigma.\ \sigma \models P \Rightarrow \mathcal{C}[\![c]\!]\sigma \models Q$

11
An Assertion Language
  • Extend Bexp
  • Allow quantifications
  • $\forall i$
  • $\exists i$
  • $\exists i.\ k = i \times l$
  • Import well-known mathematical concepts
  • $n! \equiv n \times (n-1) \times \cdots \times 2 \times 1$

12
An Assertion Language
Aexpv: $a ::= n \mid X \mid i \mid a_0 + a_1 \mid a_0 - a_1 \mid a_0 \times a_1$
Assn: $A ::= \mathit{true} \mid \mathit{false} \mid a_0 = a_1 \mid a_0 \le a_1 \mid A_0 \wedge A_1 \mid A_0 \vee A_1 \mid \neg A \mid A_0 \Rightarrow A_1 \mid \forall i.\ A \mid \exists i.\ A$
13
Example
$\mathbf{while}\ \neg(M = N)\ \mathbf{do}\ \mathbf{if}\ M \le N\ \mathbf{then}\ N := N - M\ \mathbf{else}\ M := M - N$
14
Free and Bound Variables
  • An integer variable is bound when it occurs in
    the scope of a quantifier
  • Otherwise it is free
  • Examples: $\exists i.\ k = i \times L$, $(i + 100 \le 77) \wedge \forall i.\ j + 1 = i + 3$

$FV(n) = FV(X) = \emptyset$
$FV(i) = \{i\}$
$FV(a_0 + a_1) = FV(a_0 - a_1) = FV(a_0 \times a_1) = FV(a_0) \cup FV(a_1)$
$FV(\mathit{true}) = FV(\mathit{false}) = \emptyset$
$FV(a_0 = a_1) = FV(a_0 \le a_1) = FV(a_0) \cup FV(a_1)$
$FV(A_0 \wedge A_1) = FV(A_0 \vee A_1) = FV(A_0 \Rightarrow A_1) = FV(A_0) \cup FV(A_1)$
$FV(\neg A) = FV(A)$
$FV(\forall i.\ A) = FV(\exists i.\ A) = FV(A) \setminus \{i\}$
15
Substitution
  • Visualization of an assertion A:
    ---i---i----
  • Consider a pure arithmetic expression a;
    $A[a/i]$: ---a---a---

$n[a/i] = n$
$X[a/i] = X$
$i[a/i] = a$
$j[a/i] = j$ (for $j \neq i$)
$(a_0 + a_1)[a/i] = a_0[a/i] + a_1[a/i]$
$(a_0 - a_1)[a/i] = a_0[a/i] - a_1[a/i]$
$(a_0 \times a_1)[a/i] = a_0[a/i] \times a_1[a/i]$
16
Substitution
  • Visualization of an assertion A:
    ---i---i----
  • Consider a pure arithmetic expression a;
    $A[a/i]$: ---a---a---

$\mathit{true}[a/i] = \mathit{true}$
$\mathit{false}[a/i] = \mathit{false}$
$(a_0 = a_1)[a/i] = (a_0[a/i] = a_1[a/i])$
$(a_0 \le a_1)[a/i] = (a_0[a/i] \le a_1[a/i])$
$(A_0 \wedge A_1)[a/i] = (A_0[a/i] \wedge A_1[a/i])$
$(A_0 \vee A_1)[a/i] = (A_0[a/i] \vee A_1[a/i])$
$(A_0 \Rightarrow A_1)[a/i] = (A_0[a/i] \Rightarrow A_1[a/i])$
$(\neg A)[a/i] = \neg(A[a/i])$
$(\forall i.\ A)[a/i] = \forall i.\ A$
$(\forall j.\ A)[a/i] = \forall j.\ A[a/i]$ (for $j \neq i$)
$(\exists i.\ A)[a/i] = \exists i.\ A$
$(\exists j.\ A)[a/i] = \exists j.\ A[a/i]$ (for $j \neq i$)
17
Location Substitution
  • Visualization of an assertion A:
    ---X---X----
  • Consider a pure arithmetic expression a;
    $A[a/X]$: ---a---a---

18
Example Assertions
  • i is a prime number
  • i is the least common multiple of j and k

19
Semantics of Assertions
  • An interpretation $I : \mathit{intvar} \to \mathbf{N}$
  • The meaning of Aexpv
  • $\mathcal{A}v[\![n]\!]I\sigma = n$
  • $\mathcal{A}v[\![X]\!]I\sigma = \sigma(X)$
  • $\mathcal{A}v[\![i]\!]I\sigma = I(i)$
  • $\mathcal{A}v[\![a_0 + a_1]\!]I\sigma = \mathcal{A}v[\![a_0]\!]I\sigma + \mathcal{A}v[\![a_1]\!]I\sigma$
  • For all $a \in \mathit{Aexp}$, states σ and interpretations I
  • $\mathcal{A}[\![a]\!]\sigma = \mathcal{A}v[\![a]\!]I\sigma$

20
Semantics of Assertions (II)
  • $I[n/i]$: change i in I to n
  • For I and $\sigma \in \Sigma$, define $\sigma \models^I A$ by structural
    induction
  • $\sigma \models^I \mathit{true}$
  • $\sigma \models^I (a_0 = a_1)$ if $\mathcal{A}v[\![a_0]\!]I\sigma = \mathcal{A}v[\![a_1]\!]I\sigma$
  • $\sigma \models^I (A \wedge B)$ if $\sigma \models^I A$ and $\sigma \models^I B$
  • $\sigma \models^I \neg A$ if not $\sigma \models^I A$
  • $\sigma \models^I A \Rightarrow B$ if (not $\sigma \models^I A$) or $\sigma \models^I B$
  • $\sigma \models^I \forall i.\ A$ if $\sigma \models^{I[n/i]} A$ for all $n \in \mathbf{N}$
  • $\bot \models^I A$

21
Proposition 6.4
For all $b \in \mathit{Bexp}$, states σ and interpretations I:
$\mathcal{B}[\![b]\!]\sigma = \mathit{true}$ iff $\sigma \models^I b$
$\mathcal{B}[\![b]\!]\sigma = \mathit{false}$ iff not $\sigma \models^I b$
22
Partial Correctness Assertions
  • $\{P\}\,c\,\{Q\}$
  • $P, Q \in \mathit{Assn}$ and $c \in \mathit{Com}$
  • For a state $\sigma \in \Sigma$ and interpretation I
  • $\sigma \models^I \{P\}\,c\,\{Q\}$ if $(\sigma \models^I P \Rightarrow \mathcal{C}[\![c]\!]\sigma \models^I Q)$
  • Validity
  • When $\forall \sigma \in \Sigma.\ \sigma \models^I \{P\}\,c\,\{Q\}$ we write
  • $\models^I \{P\}\,c\,\{Q\}$
  • When $\forall \sigma \in \Sigma$ and all I, $\sigma \models^I \{P\}\,c\,\{Q\}$ we write
  • $\models \{P\}\,c\,\{Q\}$
  • $\{P\}\,c\,\{Q\}$ is valid

23
The extension of an assertion
$A^I = \{\sigma \in \Sigma_\bot \mid \sigma \models^I A\}$
24
The extension of assertions
Suppose that $\models (P \Rightarrow Q)$.
Then for any interpretation I, $\forall \sigma \in \Sigma.\ \sigma \models^I P \Rightarrow \sigma \models^I Q$
$P^I \subseteq Q^I$
25
The extension of assertions
Suppose that $\models \{P\}\,c\,\{Q\}$.
Then for any interpretation I, $\forall \sigma \in \Sigma.\ \sigma \models^I P \Rightarrow \mathcal{C}[\![c]\!]\sigma \models^I Q$
$\mathcal{C}[\![c]\!]P^I \subseteq Q^I$
26
Hoare Proof Rules for Partial Correctness
$\{A\}\ \mathbf{skip}\ \{A\}$
$\{B[a/X]\}\ X := a\ \{B\}$
$\dfrac{\{P\}\,c_0\,\{C\} \quad \{C\}\,c_1\,\{Q\}}{\{P\}\,c_0;c_1\,\{Q\}}$
$\dfrac{\{P \wedge b\}\,c_0\,\{Q\} \quad \{P \wedge \neg b\}\,c_1\,\{Q\}}{\{P\}\ \mathbf{if}\ b\ \mathbf{then}\ c_0\ \mathbf{else}\ c_1\ \{Q\}}$
$\dfrac{\{I \wedge b\}\,c\,\{I\}}{\{I\}\ \mathbf{while}\ b\ \mathbf{do}\ c\ \{I \wedge \neg b\}}$
$\dfrac{\models P \Rightarrow P' \quad \{P'\}\,c\,\{Q'\} \quad \models Q' \Rightarrow Q}{\{P\}\,c\,\{Q\}}$
27
Example
$\mathbf{while}\ X > 0\ \mathbf{do}\ (Y := X \times Y;\ X := X - 1)$
28
Soundness
  • Every theorem obtained by the rule system is
    valid
  • $\vdash \{P\}\,c\,\{Q\} \Rightarrow\ \models \{P\}\,c\,\{Q\}$
  • The system can be implemented (HOL, LCF)
  • Requires user assistance
  • Proof of soundness
  • Every rule preserves validity (Theorem 6.1)

29
Soundness of skip axiom
  • $\models \{A\}\ \mathbf{skip}\ \{A\}$

30
Soundness of the assignment axiom
$\models \{B[a/X]\}\ X := a\ \{B\}$
31
Soundness of the sequential composition rule
  • Assume that $\models \{P\}\,c_0\,\{C\}$ and $\models \{C\}\,c_1\,\{Q\}$
  • Show that $\models \{P\}\,c_0;c_1\,\{Q\}$

32
Soundness of the conditional rule
  • Assume that $\models \{P \wedge b\}\,c_0\,\{Q\}$ and $\models \{P \wedge \neg b\}\,c_1\,\{Q\}$
  • Show that $\models \{P\}\ \mathbf{if}\ b\ \mathbf{then}\ c_0\ \mathbf{else}\ c_1\ \{Q\}$

33
Soundness of the while rule
  • Assume that $\models \{I \wedge b\}\,c\,\{I\}$
  • Show that $\models \{I\}\ \mathbf{while}\ b\ \mathbf{do}\ c\ \{I \wedge \neg b\}$

34
Soundness of the consequence rule
  • Assume that $\models \{P'\}\,c\,\{Q'\}$ and $\models P \Rightarrow P'$ and $\models Q' \Rightarrow Q$
  • Show that $\models \{P\}\,c\,\{Q\}$

35
(Ideal) Completeness
  • Every valid theorem can be proved by the rule
    system
  • For every P and Q such that $\models \{P\}\,c\,\{Q\}$ there
    exists a proof, i.e. $\vdash \{P\}\,c\,\{Q\}$
  • But what about Gödel's incompleteness? $\{\mathit{true}\}\ \mathbf{skip}\ \{Q\}$
  • What does $\models \{\mathit{true}\}\,c\,\{\mathit{false}\}$ mean?

36
Relative Completeness (Chapter 7)
  • Assume that every math theorem can be proved: $\models \{P\}\,c\,\{Q\}$ implies $\vdash \{P\}\,c\,\{Q\}$

37
Relative completeness of composition rule
  • Prove that $\{P\}\,c_0;c_1\,\{Q\}$
  • Does there exist an assertion C such that $\models \{P\}\,c_0\,\{C\}$ and $\models \{C\}\,c_1\,\{Q\}$?

38
Weakest (Liberal) Precondition
  • wp(c, Q): the weakest condition such that every
    terminating computation of c results in a state
    satisfying Q
  • $wp^I(c, Q) = \{\sigma \in \Sigma_\bot \mid \mathcal{C}[\![c]\!]\sigma \models^I Q\}$
  • Can employ predicate transformer semantics to
    formally define the meaning (Chapter 7.5)
  • Prove that $\{P\}\,c_0;c_1\,\{Q\}$ by proving $\models \{P\}\,c_0\,\{C\}$
    and $\models \{C\}\,c_1\,\{Q\}$ where $C = wp(c_1, Q)$

39
Some WP rules
  • $wp(\mathbf{skip}, Q) = Q$
  • $wp(X := a, Q) = Q[a/X]$
  • $wp(c_0; c_1, Q) = wp(c_0, wp(c_1, Q))$
  • $wp(\mathbf{if}\ b\ \mathbf{then}\ c_0\ \mathbf{else}\ c_1, Q) = (b \wedge wp(c_0, Q)) \vee (\neg b \wedge wp(c_1, Q))$

40
Relative Completeness
  • For every command c and assertion B
  • there exists an assertion A such that $A \equiv wp(c, B)$ (Theorem 7.5)
  • $\vdash \{wp(c, B)\}\,c\,\{B\}$ (Lemma 7.6)
  • Theorem 7.7: the proof system is relatively
    complete
  • $\models \{P\}\,c\,\{Q\}$ implies $\vdash \{P\}\,c\,\{Q\}$

41
Verification Conditions
  • Generate assertions that describe the partial
    correctness of the program
  • Use automatic theorem provers to show partial
    correctness
  • Existing tools ESC/Java, Spec

42
Verification condition for annotated commands
$c ::= \mathbf{skip} \mid X := a \mid c; X := a \mid c_0; D; c_1 \mid \mathbf{if}\ b\ \mathbf{then}\ c_0\ \mathbf{else}\ c_1 \mid \mathbf{while}\ b\ D\ \mathbf{do}\ c$
$vc(\{P\}\ \mathbf{skip}\ \{Q\}) = P \Rightarrow Q$
$vc(\{P\}\ X := a\ \{Q\}) = P \Rightarrow Q[a/X]$
$vc(\{P\}\ c; X := a\ \{Q\}) = vc(\{P\}\ c\ \{Q[a/X]\})$
$vc(\{P\}\ c_0; D; c_1\ \{Q\}) = vc(\{P\}\ c_0\ \{D\}) \wedge vc(\{D\}\ c_1\ \{Q\})$
$vc(\{P\}\ \mathbf{if}\ b\ \mathbf{then}\ c_0\ \mathbf{else}\ c_1\ \{Q\}) = vc(\{P \wedge b\}\ c_0\ \{Q\}) \wedge vc(\{P \wedge \neg b\}\ c_1\ \{Q\})$
$vc(\{P\}\ \mathbf{while}\ b\ D\ \mathbf{do}\ c\ \{Q\}) = vc(\{D \wedge b\}\ c\ \{D\}) \wedge (P \Rightarrow D) \wedge (D \wedge \neg b \Rightarrow Q)$
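The wp rules of slide 39 and the vc definition of slide 42 as an added Python example (not part of the slides): assertions are Python predicates over a state dict, Q[a/X] is done semantically rather than by textual substitution, and the conditions generated for the slides' summation program with the slide 7 invariant are checked on a bounded state space. The tuple encoding of commands, the helper names and the state bounds are this example's own assumptions.

```python
from itertools import product
# Hypothetical encoding: ('skip',), ('assign', X, a), ('seq', c0, D, c1), ('if', b, c0, c1),
# ('while', b, D, c); a, b and the annotation D are functions of a state dict (D=None: use wp).

def subst(Q, X, a):
    """Q[a/X]: Q evaluated in the state where X holds the value of a."""
    return lambda s: Q({**s, X: a(s)})

def wp(c, Q):
    """Weakest-precondition rules of slide 39 (loop-free commands only)."""
    if c[0] == 'skip':   return Q
    if c[0] == 'assign': return subst(Q, c[1], c[2])
    if c[0] == 'seq':    return wp(c[1], wp(c[3], Q))
    if c[0] == 'if':
        _, b, c0, c1 = c
        return lambda s: wp(c0, Q)(s) if b(s) else wp(c1, Q)(s)
    raise ValueError("loops must carry an invariant; use vc")

def vc(P, c, Q):
    """Slide 42: the implications A -> B, as (A, B) pairs, that prove {P} c {Q}."""
    if c[0] in ('skip', 'assign'):
        return [(P, wp(c, Q))]
    if c[0] == 'seq':
        _, c0, D, c1 = c                 # D=None generalises vc(P, c; X:=a, Q)
        return vc(P, c0, wp(c1, Q)) if D is None else vc(P, c0, D) + vc(D, c1, Q)
    if c[0] == 'if':
        _, b, c0, c1 = c
        return vc(lambda s: P(s) and b(s), c0, Q) + vc(lambda s: P(s) and not b(s), c1, Q)
    _, b, D, body = c                    # while b {D} do body
    return vc(lambda s: D(s) and b(s), body, D) + [(P, D), (lambda s: D(s) and not b(s), Q)]

def all_valid(conds, states):
    return all(not A(s) or B(s) for A, B in conds for s in states)  # bounded validity check

def sum_program(inv):
    """The slides' S:=0; N:=1; while not(N=101) do (S:=S+N; N:=N+1), with invariant inv."""
    return ('seq',
        ('seq', ('assign', 'S', lambda s: 0), None, ('assign', 'N', lambda s: 1)),
        lambda s: s['S'] == 0 and s['N'] == 1,
        ('while', lambda s: s['N'] != 101, inv,
         ('seq', ('assign', 'S', lambda s: s['S'] + s['N']), None,
                 ('assign', 'N', lambda s: s['N'] + 1))))

TOTAL = sum(range(1, 101))          # postcondition: N = 101 and S = 1 + ... + 100
INV = lambda s: 1 <= s['N'] <= 101 and s['S'] == s['N'] * (s['N'] - 1) // 2   # slide 7
STATES = [{'N': n, 'S': v} for n, v in product(range(-1, 104), range(TOTAL + 5))]

def verified(inv):
    """True iff every VC of {true} sum_program(inv) {N=101 and S=TOTAL} holds on STATES."""
    return all_valid(vc(lambda s: True, sum_program(inv), lambda s: s['N'] == 101 and s['S'] == TOTAL), STATES)
```

The bounded check can only refute a condition or fail to refute it on the listed states; discharging the conditions for all states needs a theorem prover, as slide 41 notes.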
43
Summary
  • Axiomatic semantics provides an abstract
    semantics
  • Can be used to explain programming
  • Can be automated
  • More effort is required to make it practical