1 / 58

Semantics of Hoare Logic

Semantics of Hoare Logic. Aquinas Hobor and Martin Henz. What does a Hoare tuple mean?. { Á } P { à } Informal meaning (already given): “If the program P is run in a state that satisfies Á and P terminates, then the state resulting from P’s execution will satisfy à .”.

curt
Download Presentation

Semantics of Hoare Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Semantics of Hoare Logic Aquinas Hobor and Martin Henz

  2. What does a Hoare tuple mean? {Á} P {Ã} Informal meaning (already given): “If the program P is run in a state that satisfies Á and P terminates, then the state resulting from P’s execution will satisfy Ã.”

  3. We would like to formalize {Á} P {Ã} Informal meaning (already given): “If the program P is run in a state that satisfies Á and P terminates, then the state resulting from P’s execution will satisfy Ã.”

  4. We would like to formalize {Á} P {Ã} Need to define: • Running a program P • P terminates • State satisfies Á • Resulting state satisfies Ã.

  5. We would like to formalize {Á} P {Ã} For better clarity and “fun”, we will do it in Coq.

  6. We would like to formalize {Á} P {Ã} For better clarity and “fun”, we will do it in Coq. (And by “we”, I mean I will do part of it in class and you will do the rest at home…)

  7. We would like to formalize {Á} P {Ã} Need to define: • Running a program P • P terminates • State satisfies Á • Resulting state satisfies Ã.

  8. Operational Semantics • Numeric Expressions E: • n | x | (−E) | (E + E) | (E − E) | (E ∗ E) • Boolean Expressions B: • true | false | (!B) | (B&B) | (B||B) | (E < E) • Commands C: • x = E | C;C | if B {C} else {C} | while B {C}

  9. We have to specify exactlyhow each evaluates • Numeric Expressions E: • n | x | (−E) | (E + E) | (E − E) | (E ∗ E) First problem: what are our variables “x”? We will use our usual trick of letting variables be natural numbers: Definition var : Type := nat.

  10. We have to specify exactlyhow each evaluates • Numeric Expressions E: • n | x | (−E) | (E + E) | (E − E) | (E ∗ E) Next: how do we define our expressions? Definition num : Type := Z. Inductive nExpr : Type := | Num: forall n : num, nExpr | Var: forall v : var, nExpr | Neg: forall ne : nExpr, nExpr | Plus: forall ne1 ne2 : nExpr, nExpr | Minus: forall ne1 ne2 : nExpr, nExpr | Times: forall ne1 ne2 : nExpr, nExpr.

  11. We have to specify exactlyhow each evaluates • Numeric Expressions E: • n | x | (−E) | (E + E) | (E − E) | (E ∗ E) Now, what does evaluation of an E mean? We want to write E  n to mean “the expression E evaluates to the numeric n” But what about E = x? By itself, we don’t know what to do...

  12. We have to specify exactlyhow each evaluates • Numeric Expressions E: • n | x | (−E) | (E + E) | (E − E) | (E ∗ E) Define a context ° to be a function from variables to numbers. Definition ctx := var -> num.

  13. We have to specify exactlyhow each evaluates • Numeric Expressions E: • n | x | (−E) | (E + E) | (E − E) | (E ∗ E) Now define °` E  n to mean “in context °, the expression E evaluates to the numeric n.”

  14. Numeric Evaluation in Coq FixpointneEval (g : ctx) (ne : nExpr) : num := match ne with | Num n => n | Var x => g x | Neg ne => 0 - (neEval g ne) | Plus ne1 ne2 => neEval g ne1) + (neEval g ne2) | Minus ne1 ne2 => (neEval g ne1) - (neEval g ne2) | Times ne1 ne2 => (neEval g ne1) * (neEval g ne2) end.

  15. Boolean Expressions • Boolean Expressions B: • true | false | (!B) | (B&B) | (B||B) | (E < E) Inductive bExpr : Type := | T : bExpr | F : bExpr | bNeg : forall be : bExpr, bExpr | And : forall be1 be2 : bExpr, bExpr | Or : forall be1 be2 : bExpr, bExpr | LT : forall ne1 ne2 : nExpr, bExpr.

  16. Boolean Evaluation • Boolean Expressions B: • true | false | (!B) | (B&B) | (B||B) | (E < E) Since B includes E, we will need contexts to evaluate Bs. What do we evaluate to? How about Prop. So define °` B  P to mean “in context °, the expression B evaluates to the proposition P.”

  17. Boolean Evaluation FixpointbeEval (g : ctx) (be : bExpr) : Prop := match be with | T => True | F => False | bNeg be => ~(beEval g be) | And be1 be2 => (beEval g be1) /\ (beEval g be2) | Or be1 be2 => (beEval g be1) \/ (beEval g be2) | LT ne1 ne2 => (neEval g ne1) < (neEval g ne2) end.

  18. Commands • Commands C: • x = E | C;C | if B {C} else {C} | while B {C} Inductive Coms : Type := | Assign : forall (x : var) (e: nExpr), Coms | Seq : forall c1 c2 : Coms, Coms | If : forall (b : bExpr) (c1 c2 : Coms), Coms | While : forall (b : bExpr) (c : Coms), Coms.

  19. Command Evaluation • Idea: executing command C for one step moves the machine from one state to the next • What is a state ¾? • Pair of context ° (data) and control k (code) • Control k is either kStop (we are done) or kSeq C k • We can write C ² k for kSeq if that is easier • We can also write ¥ for kHalt

  20. Controls and states in Coq Inductive ctl : Type := | kStop : ctl | kSeq : forall (c : Coms) (k : ctl), ctl. Definition state : Type := ctx * ctl.

  21. Step relation, assign(a) We now define the step relation, written ¾1¾2 that is, “state ¾1 steps to state ¾2”, in parts: °` E  n °’ = [x ! n] ° (°, (x = E) ² k)  (°’, k)

  22. Step relation, assign(b) °` E  n °’ = [x ! n] ° (°, (x = E) ² k)  (°’, k) | stepA: forall g x e n k g', n = neEval g e -> g' = upd_ctx g x n -> step (g, kSeq (Assign x e) k) (g', k)

  23. Step relation, seq (°, (C1 ; C2) ² k)  (°, C1² (C2² k)) | stepS: forall g c1 c2 k, step (g, kSeq (Seq c1 c2) k) (g, kSeq c1 (kSeq c2 k))

  24. Step relation, if (a) °` B  True (°, (if B then {C1} else {C2}) ² k)  (°, C1² k) | stepI1: forall g b c1 c2 k, beEval g b -> step (g, kSeq (If b c1 c2) k) (g, kSeq c1 k)

  25. Step relation, if (b) °` B  False (°, (if B then {C1} else {C2}) ² k)  (°, C2² k) | stepI2: forall g b c1 c2 k, ~beEval g b -> step (g, kSeq (If b c1 c2) k) (g, kSeq c2 k)

  26. Step relation, while (a) °` B  True (°, (while B {C}) ² k)  (°, C ² (while B {C} ² k)) | stepW1: forall g b c k, beEval g b -> step (g, kSeq (While b c) k) (g, kSeq c (kSeq (While b c) k))

  27. Step relation, while (b) °` B  False (°, (while B {C}) ² k)  (°, k)) | stepW2: forall g b c k, ~beEval g b -> step (g, kSeq (While b c) k) (g, k)

  28. Entire step relation °` E  n °’ = [x ! n] ° (°, (x = E) ² k)  (°’, k) (°, (C1 ; C2) ² k)  (°, C1² (C2² k)) °` B  True (°, (if B then {C1} else {C2}) ² k)  (°, C1² k) °` B  False (°, (if B then {C1} else {C2}) ² k)  (°, C2² k) °` B  True (°, (while B {C}) ² k)  (°, C ² (while B {C} ² k)) °` B  False (°, (while B {C}) ² k)  (°, k))

  29. Inductive step : state -> state -> Prop := | stepA: forall g x e k g', g' = upd_ctx g x (neEval g e) -> step (g, kSeq (Assign x e) k) (g', k) | stepS: forall g c1 c2 k, step (g, kSeq (Seq c1 c2) k) (g, kSeq c1 (kSeq c2 k)) | stepI1: forall g b c1 c2 k, beEval g b -> step (g, kSeq (If b c1 c2) k) (g, kSeq c1 k) | stepI2: forall g b c1 c2 k, ~beEval g b -> step (g, kSeq (If b c1 c2) k) (g, kSeq c2 k) | stepW1: forall g b c k, beEval g b -> step (g, kSeq (While b c) k) (g, kSeq c (kSeq (While b c) k)) | stepW2: forall g b c k, ~beEval g b -> step (g, kSeq (While b c) k) (g, k).

  30. From step to step* • Usually we want to run our program for more than one step. • We write ¾*¾’ to mean that the state ¾ steps to the state ¾’ in some number of steps.

  31. From step to step* ¾*¾ ¾¾’ ¾’ *¾’’ ¾*¾’’ Inductive stepstar : state -> state -> Prop := | stepsZ: forall s, stepstar s s | stepsS: forall s s' s'', step s s' -> stepstar s' s'' -> stepstar s s''.

  32. We would like to formalize {Á} P {Ã} Need to define: • Running a program P • P terminates • State satisfies Á • Resulting state satisfies Ã.

  33. Halted;Terminates means eventually halted • We say a state (°, k) is halted when k = ¥ (* 20 points *) Lemma only_stuck_when_at_kStop: forall g k, (~ exists st', step (g, k) st') -> k = kStop. Proof. admit. Qed. • ¾ terminates if 9 s’ such that ¾*¾’ and ¾’ is halted.

  34. We would like to formalize {Á} P {Ã} Need to define: • Running a program P • P terminates • State satisfies Á • Resulting state satisfies Ã.

  35. What is an assertion? We can do what we did for modal logic: Definition assertion : Type := ctx -> Prop. We can even write °²Ã as shorthand for Ã(°) Thus, we can use the rules of our Coq metalogic to easily reason about our Hoare assertions.

  36. Lifting Assertions to Metalogic 1 °²ÁÆô (°²Ã) Æ (°²Á) Definition assertAnd (P Q : assertion) : assertion := fun g => P g /\ Q g. Notation "P && Q" := (assertAnd P Q). °² B ´°` B  True Definition assertbEval (b : bExpr) : assertion := fun g => beEval g b. Notation "[ b ]" := (assertbEval b).

  37. Lifting Assertions to Metalogic 2 °² [x ! e] ô [x ! n] °²Ã (where °` e  n) Definition assertReplace (x : var) (e : nExpr) (psi : assertion) : assertion := fun g => psi (upd_ctx g x (neEval g e)). Notation "[ x => e @ psi ]" := (assertReplace x e psi). `ARÁ!ô8°, (°²Á) ) (°²Ã) Definition Implies (P Q: assertion) : Prop := forall g, P g -> Q g. Notation "P |-- Q" := (Implies P Q) (at level 30).

  38. We would like to formalize {Á} P {Ã} Need to define: • Running a program P • P terminates • State satisfies Á • Resulting state satisfies Ã.

  39. Putting it all together {Ã} C {Á} ´8°. °²Ã) 8°’. (°, C ²¥) * (°’, ¥) ) °’ ²Á Definition HTuple (pre : assertion) (c : Coms) (post : assertion) : Prop := forall g, pre g -> forall g', stepstar (g, kSeq c kStop) (g', kStop) -> post g'.

  40. Now what? • Prove the Hoare rules as lemmas from definitions! {Ã} c1 {Â} {Â} c2 {Á} {Ã} c1 ; c2 {Á} Lemma HT_Seq: forall a1 c1 a2 c2 a3, HTuple a1 c1 a2 -> HTuple a2 c2 a3 -> HTuple a1 (Seq c1 c2) a3.

  41. Assignment Rule {[x ! E] Ã} x = E {Ã} Lemma HT_Asgn: forall x e psi, HTuple [x => e @ psi] (Assign x e) psi.

  42. If Rule {ÁÆ B} C1 {Ã} {ÁÆ: B} C2 {Ã} {Á} if B {C1} else {C2} {Ã} Lemma HT_If: forall phi b c1 psi c2, HTuple (phi && [b]) c1 psi -> HTuple (phi && [bNeg b]) c2 psi -> HTuple phi (If b c1 c2) psi.

  43. While Rule {ÃÆ B} C {Ã} {Ã} while B {C} {ÃÆ: B} Lemma HT_While: forall psi b c, HTuple (psi && [b]) c psi -> HTuple psi (While b c) (psi && [bNeg b]).

  44. Implied Rule `ARÁ’!Á {Á} C {Ã} `ARÃ!Ã’ {Á’} C {Ã’} Lemma HT_Implied: forall phi phi' psi psi' c, phi' |-- phi -> HTuple phi c psi -> psi |-- psi' -> HTuple phi' c psi'.

  45. Your task: Prove these lemmas HT_Seq : 10 points (with 20 extra credit if you solve the supporting lemma) HT_Asgn : 10 points HT_If : 10 points HT_Implied : 5 points HT_While : 40 points extra credit (good luck!)

  46. Finally Definition x : var := 0. Definition y : var := 1. Definition z : var := 2. Open Local Scope Z_scope. Definition neq (ne1 ne2 : nExpr) : bExpr := Or (LT ne1 ne2) (LT ne2 ne1). Definition factorial_prog : Coms := Seq (Assign y (Num 1)) (* y := 1 *) (Seq (Assign z (Num 0)) (* z := 0 *) (While (neq (Var z) (Var x)) (* while z <> x { *) (Seq (Assign z (Plus (Var z) (Num 1))) (* z := z + 1 *) (Assign y (Times (Var y) (Var z)))(* y := y * z *) ) (* } *) ) ).

  47. Statement of Theorem Definition Top : assertion := fun _ => True. Open Local Scope nat_scope. Fixpoint factorial (n : nat) := match n with | O => 1 | S n' => n * (factorial n') end. Open Local Scope Z_scope. Lemma factorial_good: HTuple Top factorial_prog (fun g => g y = Z_of_nat (factorial (Zabs_nat (g x)))).

  48. Casts Definition Top : assertion := fun _ => True. Open Local Scope nat_scope. Fixpoint factorial (n : nat) := match n with | O => 1 | S n' => n * (factorial n') end. Open Local Scope Z_scope. Lemma factorial_good: HTuple Top factorial_prog (fun g => g y = Z_of_nat (factorial (Zabs_nat (g x)))).

  49. Proof of Theorem Lemma factorial_good: HTuple Top factorial_prog (fun g => g y = Z_of_nat (factorial (Zabs_nat (g x)))). Proof. apply HT_Seq with (fun g => g y = 1). replace Top with ([y => (Num 1) @ (fun g : ctx => g y = 1)]). apply HT_Asgn. extensionality g. unfold assertReplace, Top, upd_ctx. simpl. apply prop_ext. firstorder. apply HT_Seq with (fun g :ctx => g z = 0 /\ g y = 1). replace (fun g : var -> Z => g y = 1) with ([z => (Num 0) @ (fun g :ctx => g z = 0 /\ g y = 1)]). apply HT_Asgn. extensionality g. unfold assertReplace, Top, upd_ctx. simpl. apply prop_ext. firstorder. apply HT_Implied with (fun g => g z >= 0 /\ g y = Z_of_nat (factorial (Zabs_nat (g z)))) ((fun g => g z >= 0 /\ g y = Z_of_nat (factorial (Zabs_nat (g z)))) && [bNeg (neq (Var z) (Var x))]). repeat intro. destruct H. rewrite H, H0. simpl. firstorder. apply HT_While. apply HT_Implied with (fun g => g z >=0 /\ (g y) * ((g z) + 1) = Z_of_nat (factorial (Zabs_nat ((g z) + 1)))) (fun g : ctx => g z - 1 >= 0 /\ g y = Z_of_nat (factorial (Zabs_nat (g z)))). repeat intro. destruct H. destruct H. clear H0. rewrite H1. split; auto. remember (g z) as n. clear -H. destruct n; auto. simpl. rewrite <- Pplus_one_succ_r. rewrite nat_of_P_succ_morphism. simpl. remember (factorial (nat_of_P p)). clear. rewrite Zpos_succ_morphism. rewrite inj_plus. rewrite inj_mult. rewrite <- Zpos_eq_Z_of_nat_o_nat_of_P. ring. elimtype False. auto with zarith. apply HT_Seq with (fun g => g z - 1 >= 0 /\ g y * g z = Z_of_nat (factorial (Zabs_nat (g z)))). replace (fun g : var -> Z => g z >= 0 /\ g y * (g z + 1) = Z_of_nat (factorial (Zabs_nat (g z + 1)))) with [z => (Plus (Var z) (Num 1)) @ (fun g : var -> Z => g z - 1 >= 0 /\ g y * g z = Z_of_nat (factorial (Zabs_nat (g z))))]. apply HT_Asgn. extensionality g. apply prop_ext. firstorder. unfold upd_ctx in H. simpl in H. auto with zarith. simpl. unfold upd_ctx. simpl. auto with zarith. replace (fun g : var -> Z => g z - 1 >= 0 /\ g y * g z = Z_of_nat (factorial (Zabs_nat (g z)))) with [y => (Times (Var y) (Var z)) @ (fun g : var -> Z => g z - 1>= 0 /\ g y = Z_of_nat (factorial (Zabs_nat (g z))))]. apply HT_Asgn. extensionality g. apply prop_ext. firstorder. repeat intro; firstorder. repeat intro. destruct H. destruct H. rewrite H1. simpl in H0. destruct (Ztrichotomy (g z) (g x)). contradiction H0; auto. destruct H2. rewrite <- H2. trivial. contradiction H0. right. apply Zgt_lt . trivial. Qed.

  50. The good news… Your HW does not require you to do one of these yourself (we are not without mercy…) Still… why did I show it to you?

More Related