noam rinetzky lecture 6: axiomatic semantics ii
DESCRIPTION
Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 6: Axiomatic Semantics II. Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav. Good manners. Mobiles. Home Work Assignment #1. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/1.jpg)
Program Analysis and Verification
0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html
Noam Rinetzky
Lecture 6: Axiomatic Semantics II
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
![Page 2: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/2.jpg)
2
Good manners
• Mobiles
![Page 3: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/3.jpg)
3
Home Work Assignment #1In the following, we refer to the “Semantics with Application” book as “the book”. The book can be found here: http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html.
1. Solve Ex 2.8 and 2.18 in the book.2. In the previous question, you were asked to extend the While language
with a new construct (a for loop). Extend the proof of theorem 2.26 in the book (semantic equivalence) to handle for commands.
3. Solve Ex 2.34 in the book.4. Read Section 2.5 in the book and solve Ex 2.45.5. Prove or disprove: The denotational semantics of any statement in the
While language shown in the lectures is a monotone and continuous function.
6. Define a denotational semantics for the the While language extended with the random command. (The extension is described in Question 3) .
(due next lesson)
![Page 4: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/4.jpg)
Axiomatic Semantics
C.A.R. HoareRobert Floyd Edsger W. Dijkstra
4
![Page 5: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/5.jpg)
5
A simple imperative language: WhileAbstract syntax:
a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2
S ::= x := a | skip | S1; S2| if b then S1 else S2
| while b do S
![Page 6: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/6.jpg)
6
Program correctness concepts• Property = a certain relationship between initial state
and final state
• Partial correctness = properties that holdif program terminates
• Termination = program always terminates– i.e., for every input state
partial correctness + termination = total correctness
Other correctness concepts exist: resource usage, linearizability, …
Mostly focus in this course
Other notions of properties exist
![Page 7: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/7.jpg)
7
Factorial example
• Sfac , s s’ implies s’ y = (s x)!
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
![Page 8: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/8.jpg)
8
Natural semantics for While x := a, s s[x Aas][assns]
skip, s s[skipns]
S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
while b do S, s s if B b s = ff[whileffns]
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
![Page 9: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/9.jpg)
9
Semantics-based Proof
x := a, s s[x Aas][assns]
S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]
![Page 10: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/10.jpg)
10
Semantics-based Proof
• Sfac , s s’ implies s’ y = (s x)!
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
• Tedious• Correct?• How do we check
correctness?• Rigorous vs. formal
![Page 11: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/11.jpg)
11
Axiomatic verification approach• What do we need in order to prove that the
program does what it supposed to do?• Specify the required behavior • Compare the behavior with the one obtained by the
operational semantics• Develop a proof system for showing that the program
satisfies a requirement• Mechanically (systematically) use the proof system to
show correctness• The meaning of a program language is a set of
verification rules
![Page 12: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/12.jpg)
12
Axiomatic Verification: Spec
• Sfac , s s’ implies s’ y = (s x)!
• {x = N} Sfac {y = N!} – {Pre-condition (s)} Command (Sfac) {post-state(s’)} – Not {true} Sfac {y = x!}
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
![Page 13: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/13.jpg)
13
Partial vs. Total Correctness
• Sfac , s s’ implies s’ y = (s x)!
• {x = N} Sfac {y = N!} – {Pre-condition (s)} Command (Sfac) {post-state(s’)} – Not {true} Sfac {y = x!}
• [x = N] Sfac [y = N!]
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
Hoare Triples
![Page 14: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/14.jpg)
14
Verification: Assertion-Based [Floyd, ‘67]
• Assertion: invariant at specific program point – E.g., assert(e)
• use assertions as foundation for static correctness proofs
• specify assertions at every program point• correctness reduced to reasoning about
individual statements
![Page 15: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/15.jpg)
15
Annotated Flow ProgramsReduction: Program verification is reduced to claims about the subject of discourse
Straight line code: claims are determined
“by construction”
![Page 16: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/16.jpg)
16
Annotated Flow ProgramsReduction: Program verification is reduced to claims about the subject of discourse
Straight line code: claims are determined “by
construction”
Cut points
![Page 17: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/17.jpg)
17
Assertion-Based Verification [Floyd, ‘67]
• Assertion: invariant at specific program point – E.g., assert(e)
• Proof reduced to logical claims– Considering the effect of statements– But, not reusable
• Challenge: Finding invariants at cut points in loops
![Page 18: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/18.jpg)
18
Floyd-Hoare Logic 1969
• Use Floyd’s ideas to define axiomatic semantics– Structured programming• No gotos• Modular (reusable claims)
– Hoare triples• {P} C {Q}• [P] C [Q] (often <P> C <Q>)
– Define the programming language semantics as a proof system
![Page 19: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/19.jpg)
19
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }[whilep]
{ P’ } S { Q’ } { P } S { Q }[consp] if PP’ and Q’Q
Inference rule for every composed statement
Axiom for every primitive statement
![Page 20: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/20.jpg)
20
Proofs: Inference trees• Leaves are axiom• Internal nodes correspond to composed
statements• Inference tree is called– Simple if tree is only an axiom– Composite otherwise
• Similar to derivation trees of natural semantics– Reasoning about immediate constituents
![Page 21: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/21.jpg)
21
Factorial proof
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
{ INV[x-1/x] } x:=x-1 {INV}
{ INV } W {x=1 INV }{ INV[1/y] } y:=1 { INV }
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{x1 INV } y:=y*x; x:=x–1 { INV }
[comp]
[cons]
[while]
[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }
[cons]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
[comp]
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
![Page 22: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/22.jpg)
22
Factorial proof
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
{ INV[x-1/x] } x:=x-1 {INV}
{ INV } W {x=1 INV }{ INV[1/y] } y:=1 { INV }
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{x1 INV } y:=y*x; x:=x–1 { INV }
[comp]
[cons]
[while]
[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }
[cons]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
[comp]
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
{ b P } S { P } { P } while b do S {b P }
![Page 23: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/23.jpg)
23
Factorial proof
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
{ INV[x-1/x] } x:=x-1 {INV}
{ INV } W {x=1 INV }{ INV[1/y] } y:=1 { INV }
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{x1 INV } y:=y*x; x:=x–1 { INV }
[comp]
[cons]
[while]
[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }
[cons]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
[comp]
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
{ P’ } S { Q’ } { P } S { Q } if PP’ and Q’Q
![Page 24: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/24.jpg)
24
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }[whilep]
{ P’ } S { Q’ } { P } S { Q }[consp] if PP’ and Q’Q
Inference rule for every composed statement
Axiom for every primitive statement
![Page 25: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/25.jpg)
25
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }[whilep]
{ P’ } S { Q’ } { P } S { Q }[consp] if PP’ and Q’Q
Notice similarity to natural semantics rules
![Page 26: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/26.jpg)
26
Assignment rule
• A “backwards” rule• x := a always finishes• Why is this true?– Recall operational semantics:
• Example: {y*z<9} x:=y*z {x<9}What about {y*z<9w=5} x:=y*z {w=5}?
x := a, s s[xAas][assns]
s[xAas] P
![Page 27: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/27.jpg)
27
skip rule
skip, s s[skipns]
![Page 28: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/28.jpg)
28
Composition rule
• Holds when S1 terminates in every state where P holds and then Q holdsand S2 terminates in every state where Q holds and then R holds
S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]
![Page 29: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/29.jpg)
29
Condition rule
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
![Page 30: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/30.jpg)
30
Loop rule
• Here P is called an invariant for the loop– Holds before and after each loop iteration– Finding loop invariants – most challenging part of proofs
• When loop finishes, b is false
while b do S, s s if B b s = ff[whileffns]
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
![Page 31: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/31.jpg)
31
Rule of consequence
• Allows strengthening the precondition and weakening the postcondition
• The only rule that is not sensitive to the form of the statement
![Page 32: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/32.jpg)
32
Rule of consequence
• Why do we need it?• Allows the following
{y*z<9} x:=y*z {x<9} {y*z<9w=5} x:=y*z {x<10}
![Page 33: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/33.jpg)
33
Inference trees
• Similar to derivation trees of natural semantics• Leaves are …• Internal nodes correspond to …• Inference tree is called– Simple if tree is only an axiom– Composite otherwise
![Page 34: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/34.jpg)
34
Provability
• We say that an assertion { P } C { Q } is provable if there exists an inference tree– Written as p { P } C { Q }
![Page 35: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/35.jpg)
35
Validity
• s P– P holds in state s
• – program states
• { P } C { Q } is valid if s, s’ . (s P C, ss’) s’Q
PQ
ss’C
![Page 36: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/36.jpg)
36
Soundness and completeness
• The inference system is sound:– p { P } C { Q } implies p { P } C { Q }
• The inference system is complete:– p { P } C { Q } implies p { P } C { Q }
![Page 37: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/37.jpg)
37
Hoare logic is sound and (relatively) complete
• Soundness: p { P } C { Q } implies p { P } C { Q }
• (Relative) completeness: p { P } C { Q } implies p { P } C { Q }
– Provided we can prove any implication RR’
![Page 38: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/38.jpg)
38
Hoare logic is sound and (relatively) complete
• Soundness: p { P } C { Q } implies p { P } C { Q }
• (Relative) completeness: p { P } C { Q } implies p { P } C { Q }
– Provided we can prove any implication RR’• FYI, nobody tells us how to find a proof …
![Page 39: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/39.jpg)
39
Is there an Algorithm?{ x=n } y := 1;{ x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 }
Annotated programs provides a compact representation of inference trees
![Page 40: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/40.jpg)
40
?
![Page 41: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/41.jpg)
41
Predicate Transformers
![Page 42: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/42.jpg)
42
Weakest liberal precondition• A backward-going predicate transformer• The weakest liberal precondition for Q is
s wlp(C, Q) if and only if
s’.∀ if C, ss’ then s’ Q
Propositions:1. p { wlp(C, Q) } C { Q }2. If p { P } C { Q } then P wlp(C, Q)
![Page 43: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/43.jpg)
43
Strongest postcondition
• A forward-going predicate transformer• The strongest postcondition for P is
s’ sp(P, C)if and only if
s’. ∃ C, ss’ and s P
Propositions:a. p { P } C { sp(P, C) }b. If p { P } C { Q } then sp(P, C) Q
![Page 44: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/44.jpg)
44
Predicate transformer semantics• wlp and sp can be seen functions that transform
predicates to other predicates– wlpC : Predicate Predicate
{ P } C { Q } if and only if wlpC Q = P– spC : Predicate Predicate
{ P } C { Q } if and only if spC P = Q
![Page 45: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/45.jpg)
45
Hoare logic is (relatively) complete• Proving
p { P } C { Q } implies p { P } C { Q }is the same as provingp { wlp(C, Q) } C { Q }
• Suppose that p { P } C { Q }then (from proposition 2) P { wlp(C, Q) }
{ P } S { Q } { wlp(C, Q) } S { Q }
[consp]
![Page 46: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/46.jpg)
46
Calculating wlp
1. wlp(skip, Q) = Q2. wlp(x := a, Q) = Q[a/x]3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))4. wlp(if b then S1 else S2, Q) =
(b wlp(S1, Q)) (b wlp(S2, Q))
5. wlp(while b do S, Q) = … ?hard to capture
![Page 47: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/47.jpg)
47
Calculating wlp of a loop
wlp(while b do S, Q) =
Idea: we know the following statements are semantically equivalentwhile b do Sif b do (S; while b do S) else skip
Let’s try to substitute and calculate on
wlp(if b do (S; while b do S) else skip, Q) =
(b wlp(S; while b do S, Q)) (b wlp(skip, Q)) =
(b wlp(S, wlp(while b do S, Q))) (b Q)
LoopInv = (b wlp(S, LoopInv)) (b Q) We have a recurrence
The loop invariant
![Page 48: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/48.jpg)
48
Prove the following triple
• LoopInv = (b wlp(S, LoopInv)) (b Q)• Let’s substitute LoopInv with timer0• Show that timer0 is equal to
(timer>0 wlp(timer:=timer-1, timer0)) (timer0 timer=0)= (timer>0 (timer0)[timer-1/timer]) (timer0 timer=0)= (timer>0 timer-10) (timer0 timer=0)= timer>0 timer=0= timer0
{ timer 0 }while (timer > 0) do
timer := timer – 1{ timer = 0 }
![Page 49: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/49.jpg)
49
Issues with wlp-based proofs
• Requires backwards reasoning – not very intuitive
• Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing)
• Also, a few more rules will be helpful
![Page 50: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/50.jpg)
Verification Conditions
• Generate assertions that describe the partial correctness of the program
• Use automatic theorem provers to show partial correctness
• Existing tools ESC/Java, Spec#
![Page 51: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/51.jpg)
Verification condition for annotated commands
S ::= skip | X := a | S; (X:=a) | S0 ; {D} S1 | if b then S0 else S1 | while b {D} do S
vc({P} skip {Q}) = {PQ}
vc({P} X:= a {Q}) = {P Q[a/X]}
vc({P} S ; X:=a {Q}) = vc({P} S {Q[a/X]})
vc({P} S0; {D} S1 {Q}) = vc({P} S0 {D}) vc({D} S1 {Q})
vc({P} if b then S0 else S1 {Q}) = vc({Pb} S0 {Q}) vc({P b} S1 {Q})
vc({P} while b {D} do c {Q}) = vc({Db} c {D}) {PD} {D b Q}
![Page 52: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/52.jpg)
52
Conjunction rule
• Not necessary (for completeness) but practically useful
• Starting point of extending Hoare logic to handle parallelism
• Related to Cartesian abstraction– Will point this out when we learn it
![Page 53: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/53.jpg)
53
Structural Rules{ P } C { Q } { P’ } C { Q’ }
{ P P’ } C {Q Q’ }[disjp]
{ P } C { Q } { v. P } C { v. Q }[existp] vFV(C
)
{ P } C { Q } {v. P } C {v. Q }[univp] vFV(C)
{ F } C { F } Mod(C) FV(F)={}[Invp]• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F
![Page 54: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/54.jpg)
54
Invariance + Conjunction = Constancy
• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F
{ P } C { Q } { F P } C { F Q }[constancyp] Mod(C) FV(F)={}
![Page 55: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/55.jpg)
55
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { ?v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
![Page 56: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/56.jpg)
56
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=y} x:=y+1 {x=y+1}{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
First evaluate ain the precondition state(as a may access x)
Then assign the resulting value to x
Create an explicit Skolem variable in precondition
![Page 57: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/57.jpg)
57
Buggy sum program{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) } = { y0 res=m x=n m=Sum(0, n) } while (xy) do
{ y0 res=m x=n m=Sum(0, n) xy ny } x := x+1{ y0 res=m x=n+1 m=Sum(0, n) ny}res := res+x { y0 res=m+x x=n+1 m=Sum(0, n) ny}{ y0 res-x=Sum(0, x-1) ny}{ y0 res=Sum(0, x) }
{ y0 res=Sum(0, x) x>y } {res = Sum(0, y) }
![Page 58: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/58.jpg)
58
Sum program• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy } { y0 res=m x=n ny m=Sum(0, n) } while (x<y) do
{ y0 res=m x=n m=Sum(0, n) x<y n<y }res := res+x{ y0 res=m+x x=n m=Sum(0, n) n<y }x := x+1 { y0 res=m+x x=n+1 m=Sum(0, n) n<y }{ y0 res-x=Sum(0, x-1) x-1<y }{ y0 res=Sum(0, x) }
{ y0 res=Sum(0, x) xy xy }{ y0 res=Sum(0, y) x=y }{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
Background axiom
![Page 59: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/59.jpg)
59
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { ?v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
![Page 60: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/60.jpg)
60
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
![Page 61: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/61.jpg)
61
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
First evaluate ain the precondition state(as a may access x)
Then assign the resulting value to x
Create an explicit Skolem variable in precondition
![Page 62: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/62.jpg)
62
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
![Page 63: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/63.jpg)
63
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
![Page 64: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/64.jpg)
64
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
![Page 65: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/65.jpg)
65
Sum program• Define Sum(0, n) = 0+1+…+n{ y0 }x := 1{ y0 x=1 }res := 0{ y0 x=1 res=0 }Inv = { y0 res=Sum(0, x-1) xy+1 } { y0 res=m x=n ny+1 m=Sum(0, n-1) } while (xy) do
{ y0 res=m x=n m=Sum(0, n-1) x<y ny+1 }res := res+x{ y0 res=m+x x=n m=Sum(0, n-1) ny+1 }x := x+1 { y0 res=m+x x=n+1 m=Sum(0, n-1) ny+1 }{ y0 res-x=Sum(0, x-1) x-1<y+1 }{ y0 res=Sum(0, x-1) xy+1 } // axm-Sum
{ y0 res=Sum(0, x-1) xy+1 x>y }{ y0 res=Sum(0, x-1) x=y+1 }{ y0 res=Sum(0, y) }{ res = Sum(0, y) }
Background axiom
{ x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) }
[axm-Sum]
![Page 66: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/66.jpg)
66
Buggy sum program{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) } = { y0 res=m x=n m=Sum(0, n) } while (xy) do
{ y0 res=m x=n m=Sum(0, n) xy ny } x := x+1{ y0 res=m x=n+1 m=Sum(0, n) ny}res := res+x { y0 res=m+x x=n+1 m=Sum(0, n) ny}{ y0 res-x=Sum(0, x-1) ny}{ y0 res=Sum(0, x) }
{ y0 res=Sum(0, x) x>y } {res = Sum(0, y) }
![Page 67: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/67.jpg)
68
Example 1: Absolute value program
{ }if x<0 then
x := -xelse
skip{ }
![Page 68: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/68.jpg)
69
Absolute value program{ x=v }if x<0 then { x=v x<0 }
x := -x { x=-v x>0 }else
{ x=v x0 }skip{ x=v x0 }
{ v<0 x=-v v0 x=v}{ x=|v| }
![Page 69: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/69.jpg)
70
Example 2: Variable swap program
{ }t := xx := yy := t{ }
![Page 70: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/70.jpg)
71
Variable swap program
{ x=a y=b }t := x{ x=a y=b t=a }x := y{ x=b y=b t=a }y := t{ x=b y=a t=a }{ x=b y=a } // cons
![Page 71: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/71.jpg)
72
Example 3: Axiomatizing data types
• We added a new type of variables – array variables– Model array variable as a function y : Z Z
• We need the two following axioms:
S ::= x := a | x := y[a] | y[a] := x | skip | S1; S2| if b then S1 else S2| while b do S
y[xa](x) = a
zx y[xa](z) = y(z)
![Page 72: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/72.jpg)
73
Array update rules (wp)
• Treat an array assignment y[a] := x as an update to the array function y– y := y[ax] meaning y’=v. v=a ? X : y(v)
S ::= x := a | x := y[a] | y[a] := x | skip | S1; S2| if b then S1 else S2| while b do S
[array-update] { P[y[ax]/y] } y[a] := x { P }
[array-load] { P[y(a)/x] } x := y[a] { P }
A very general approach – allows handling many data types
![Page 73: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/73.jpg)
74
Array update rules (wp) example• Treat an array assignment y[a] := x as an
update to the array function y– y := y[ax] meaning y’=v. v=a ? x : y(v)
[array-update] { P[y[ax]/y] } y[a] := x { P }{x=y[i7](i)} y[i]:=7 {x=y(i)}
{x=7} y[i]:=7 {x=y(i)}
[array-load] { P[y(a)/x] } x := y[a] { P }{y(a)=7} x:=y[a] {x=7}
![Page 74: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/74.jpg)
75
Array update rules (sp)
[array-updateF] { x=v y=g a=b } y[a] := x { y=g[bv] }
[array-loadF] { y=g a=b } x := y[a] { x=g(b) }
In both rulesv, g, and b are fresh
![Page 75: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/75.jpg)
76
Array-max program
nums : arrayN : int // N stands for num’s length { N0 nums=orig_nums } x := 0res := nums[0]while x < N if nums[x] > res then res := nums[x] x := x + 11. { x=N }2. { m. (m0 m<N) nums(m)res }3. { m. m0 m<N nums(m)=res }4. { nums=orig_nums }
![Page 76: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/76.jpg)
77
Array-max program
nums : arrayN : int // N stands for num’s length { N0 nums=orig_nums } x := 0res := nums[0]while x < N if nums[x] > res then res := nums[x] x := x + 1Post1: { x=N }Post2: { nums=orig_nums }Post3: { m. 0m<N nums(m)res }Post4: { m. 0m<N nums(m)=res }
![Page 77: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/77.jpg)
78
Summary
• C programming language• P assertions• {P} C {Q} judgments• { P[a/x] } x := a { P } proof Rules– Soundness– Completeness
• {x = N} y:=factorial(x){ y = N!} proofs
![Page 78: Noam Rinetzky Lecture 6: Axiomatic Semantics II](https://reader036.vdocuments.us/reader036/viewer/2022062315/56815f21550346895dcded22/html5/thumbnails/78.jpg)
79
Extensions to axiomatic semantics• Assertions for parallelism
– Owicki-Gries– Concurrent Separation Logic– Rely-guarantee
• Assertions for dynamic memory– Separation Logic
• Procedures• Total correctness assertions• Assertions for execution time
– Exact time– Order of magnitude time