
Axiomatic Semantics



  1. Axiomatic Semantics
  • Will consider axiomatic semantics (A.S.) of IMP:
    <stmt> ::= skip | <assign> | <if> | <while> | <stmt>; <stmt> | <input> | <output>
    Only integer vars; no procedures/fns; vars declared implicitly
  • References: Kurtz (ch. 11); Pagan (ch. 4.3)
  • Summary: For each type of <stmt>, will define its a.s. via an axiom or rule of inference (or just rule). Using these, will be able to show (i.e., derive) that a given program behaves according to its specification.
  CSE 755, part3

  2. Preliminaries
  • State: State σ of a program P is a function that maps the program variables of P to their values in that state.
    Example: σ = <x = 1, y = 2, z = 3>; or: σ(x) = 1; σ(y) = 2; σ(z) = 3 (assuming P has 3 prog. vars, x, y, z)
  • Usually have to deal with a set of states:
    { <x = 1, y = 2, z = 1>, <x = 1, y = 2, z = 2>, <x = 1, y = 2, z = 3> }
  • Better: Specify an assertion (or predicate, or condition) satisfied by all the states in that set and no others:
    [ (x = 1) ∧ (y = 2) ∧ (1 ≤ z ≤ 3) ]
  • Important: Assertion ≡ Set of states that satisfy the assertion

  3. Assertions/sets of states
  • [ (x = 1) ∧ (1 ≤ y ≤ 5) ∧ (1 ≤ z ≤ 10) ] : set with 50 states
  • [ (x = 1) ∧ (y = 2) ] : an infinite set
  • [ (x = 1) ∧ (1 ≤ y ≤ 5) ] : an 'even bigger' set
  • [ x = y + z ] : ...
  • [ x = x ] : the set of all states ≡ true
  • [ x ≠ x ] : the empty set ≡ false

  4. Assertions/sets of states
  Convention: p ↔ P (p is an assertion; P the corresponding set of states)
  [p ∧ q] ↔ P ∩ Q
  [p ∨ q] ↔ P ∪ Q
  [¬p] ↔ −P (or, rather, "P bar"; i.e., U − P; U: universal set)

  5. Assertions/sets of states (contd)
  "⇒" (implication) can be thought of as a relation between two assertions:
  [p ⇒ q] : [P ⊆ Q]
  [p ⇒ true] : [P ⊆ U]
  [false ⇒ p] : [∅ ⊆ P]
  Can also think of "⇒" as a single assertion: [p ⇒ q] : (¬p ∨ q)
  Thus:
  [p ⇒ true] : true
  [false ⇒ p] : true
  [p ⇒ p] : true (??)
  [p ⇒ ¬p] : false (??)
  [(x ≥ 1) ⇒ (x = 2)] : ??
  The context will tell us whether to think of implication as a relation between assertions or as a single assertion

  6. Assertions (contd.)
  "x < y" is a syntactic entity when it appears in a program. Elsewhere it is an assertion (satisfied by some states and not others).
  A state σ satisfies the assertion x < y if (and only if) σ(x) is less than σ(y)
  Notation: σ |= (x < y) : "σ satisfies (x < y)"

  7. Key Notation
  The result {p} S {q} (where p, q are assertions and S is a statement) is operationally valid if:
  If we start execution of S in any state σ ∈ P, the final state σ' when S finishes execution will belong to Q
  Examples:
  {x = 1} skip {x = 1} : (Operationally) valid
  {(x = 1) ∧ (y = 2)} skip {x = 1} : Valid
  {x = 1} skip {(x = 1) ∧ (y = 2)} : Invalid (op. invalid)
  {x = 1} skip {(x = 1) ∨ (y = 2)} : Valid
  {(x = 1) ∨ (y = 2)} skip {x = 1} : ??
  {(x = 1) ∧ (y = 2)} skip { true } : ??
  {(x = 1) ∧ (y = 2)} skip { false } : ??

  8. "Results" (contd.)
  {(x = 1) ∧ (y = 2)} x := x+1 {(x = 2) ∧ (y = 2)} : Valid
  {(x = 1) ∧ (y = 2)} x := x+1 { x = y } : Valid
  {(u = 1) ∧ (v = 2)} x := x+1 { v = u+1 } : ??
  {x = 0} while (x < 10) do x := x+1 end {x = 10} : Valid
  What if the loop doesn't terminate?
  {x ≥ 0} while (x < 10) do x := x+1 end {x = 10} : ??
  {x ≥ 0} while (x < 10) do x := x+1 end {x ≥ 10} : ??

  9. "Results" (contd.)
  { p } S { q } is a partial correctness result. It is valid if it is the case that: if we start execution of S in any state σ ∈ P, and if the execution terminates, then the final state σ' satisfies q
  {x = 0} while (x ≠ 10) do x := x+1 end {x = 10} : Valid
  { true } while (x ≠ 10) do x := x+1 end {x = 10} : Also valid
  Axiomatic semantics: provides a non-operational approach -- in the form of a set of axioms and rules of inference -- using which we can 'axiomatically derive' our results

  10. Terminology (*important*!)
  Assertion: may be Satisfied or Not Satisfied by a particular state
  Result: may be Valid or Invalid in a given (operational) model
  Result: may be Derivable or Not Derivable in a given axiom system
  Some meaningless statements:
  "{p} S {q} is true" (note: true is a particular assertion)
  "{p} S {q} is valid for some states"
  "(The assertion) p is not valid"

  11. Relation Between A.S. & Model
  If a given result is derivable in a given axiom system A, will it be valid in an operational model M? Not necessarily.
  Soundness (also "consistency"): An axiom system A is sound/consistent with model M if every result derivable using the axioms/rules of A is valid in M; i.e.:
  |-A {p} S {q}  ⇒  |=M {p} S {q}
  Completeness: An axiom system A is complete with respect to model M if every result that is valid in M is derivable using the axioms/rules of A:
  |=M {p} S {q}  ⇒  |-A {p} S {q}

  12. Axiomatic Semantics of IMP
  A.S.: A collection of "axioms" and "rules of inference" ("rules") specified using the same {p} S {q} notation
  A0: skip axiom
      { p } skip { p }    where p is any assertion
  Using this, can derive: { (x = 1) ∧ (y = 2) } skip { (x = 1) ∧ (y = 2) } by taking p to be the assertion (x = 1) ∧ (y = 2) & using A0
  Cannot derive: { (x = 1) } skip { (x = 1) ∧ (y = 2) }   which is good (why?)
  Cannot derive: { (x = 1) ∧ (y = 2) } skip { (x = 1) }   which is bad (why?)

  13. Axiomatic Semantics of IMP
  R0: Rule of Consequence:
      { p } S { q' },  q' ⇒ q
      -------------------------------
      { p } S { q }
  (p, q, q': any assertions; S: any stmt)
  Using R0 (and A0) we can derive: { (x = 1) ∧ (y = 2) } skip { (x = 1) }
  Another form of rule of consequence:
      p ⇒ p',  { p' } S { q }
      -------------------------------
      { p } S { q }
  (p, q, p': any assertions; S: any stmt)
  Consider other forms of consequence (including inconsistent ones?)

  14. Axiomatic Semantics of IMP (contd)
  A1. Assignment axiom:
      { p^x_e } x := e { p }
  where p is any assertion; p^x_e is obtained from p by (simultaneously) replacing all occurrences of x in p by e. (Note: p^x_e ≡ p[x/e])
  We can derive:
  { x+1 = y+z } x := x+1 { x = y+z }   (take p to be x = y+z)
  { y+z ≥ 0 } x := y+z { x ≥ 0 }   (take p to be x ≥ 0)
  { y+z = y+z } x := y+z { x = y+z }   (take p to be x = y+z)
  Operational Justification: If we want the state following the assignment to satisfy p, the state before it should satisfy the same assertion - except with the value of e satisfying the conditions expected of the value of x

  15. Axiomatic Semantics of IMP (contd.)
  Caution: In axiomatic derivations, you are only allowed to use the axioms and rules of the system; no appeals to operational intuitions. If you make such appeals, you have an operational argument, not an axiomatic derivation
  Summary: The axiomatic semantics of a language consists of:
  An axiom for each atomic statement
  A rule (of inference) for each compound stmt
  + Logical rules

  16. Axiomatic Semantics of IMP (contd)
  R1: Sequential Composition:
      { p } S1 { q' },  { q' } S2 { q }
      ----------------------------------------
      { p } S1; S2 { q }
  (p, q', q: any assertions; S1, S2: any stmts.)
  Using this, skip axiom, & assignment axiom, we can derive: {x+1 = y+z} skip; x := x+1 {x = y+z}
  Operational Justification: If the state before S1 starts execution satisfies p, then { p } S1 { q' } guarantees that the state when S1 finishes will satisfy q'; hence { q' } S2 { q } guarantees the state when S2 finishes will satisfy q; hence the conclusion of the rule follows given these two results.
  Caution: In (axiomatic) derivations, no appeals to operational intuitions!

  17. Axiomatic Semantics of IMP (contd)
  write e ≡ out := out ^ e
  A2. write axiom: { p[out / out^e] } write e { p }   (where p is any assertion)
  read x ≡ ( x := head(in); in := tail(in) )
      { (p[in/tail(in)])[x/head(in)] }
      x := head(in);
      { p[in/tail(in)] }
      in := tail(in)
      { p }
  A3. read axiom: { (p[in/tail(in)])[x/head(in)] } read x { p }   (p: any assertion)

  18. Axiomatic Semantics of IMP (contd)
  Problem: Derive the following result (axiomatically):
  { (in = <3, 4>) ∧ (out = <>) } read x; read y; write (x+y); { out = <7> }
  Derivation (or "proof") outline:
      { (in = <3, 4>) ∧ (out = <>) }
          (rule of cons.)
      { out^(head(in) + head(tail(in))) = <7> }
          (read axiom)
      read x;
      { out^(x + head(in)) = <7> }
          (read axiom)
      read y;
      { out^(x + y) = <7> }
          (write axiom)
      write (x+y);
      { out = <7> }

  19. Axiomatic Semantics of IMP (contd)
  R2: If-then-else:
      { p ∧ b } S1 { q },  { p ∧ ¬b } S2 { q }
      --------------------------------------------------
      { p } if b then S1 else S2 { q }
  Operational Justification: Suppose we start in a state σ ∈ P. There are two ways to proceed: if σ |= b, execute S1; if not, execute S2. In either case, the hypotheses (assuming they are valid) guarantee that the final state will satisfy q. Hence the conclusion follows.
  Caution: In (axiomatic) derivations, no appeals to operational intuitions!

  20. Axiomatic Semantics of IMP (contd)
  Problem: Derive the following result (axiomatically):
  { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }
  1. { (y = 1) ∧ (y = 1) } x := 1 { x = 1 }   (by Ass. ax., rule of conseq.)
  2. { 2 = 1 } x := 2 { x = 1 }   (by Ass. ax., rule of conseq.)
  3. { (y = 1) ∧ (y ≠ 1) } x := 2 { x = 1 }   (by (2), rule of conseq.)
  4. { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }   (by (1), (3), and if-then-else rule)
  Derive: { true } if (y = 1) then x := 1 else x := 2 { (x = 1) ∨ (x = 2) }
  Derive: { true } if (y = 1) then ... { [(y = 1) ∧ (x = 1)] ∨ [(y ≠ 1) ∧ (x = 2)] }

  21. Axiomatic Semantics of IMP (contd)
  R3: while rule:
      p ⇒ q,  { q ∧ b } S { q },  (q ∧ ¬b) ⇒ r
      -------------------------------------------------------
      { p } while b do S { r }
  The following rule, given the rule of conseq., is equivalent:
      { q ∧ b } S { q }
      -------------------------------------------------------
      { q } while b do S { q ∧ ¬b }
  I.e.: Any result derivable using R3 is derivable using the above
  Operational justification: ...
  R3 is complete ... somewhat surprising: we can always find an appropriate loop invariant

  22. Problem: Derive the following result (axiomatically):
  {(x ≥ 0) ∧ (y > 0)} q := 0; r := x; while ((r-y) ≥ 0) do q := q+1; r := r-y; end { (x = q*y + r) ∧ (0 ≤ r < y) }
  Take loop invariant p to be: p ≡ [(x = q*y + r) ∧ (0 ≤ r) ∧ (y > 0)]
  Derivation outline:
      {(x ≥ 0) ∧ (y > 0)}
      q := 0; r := x;
      {(x ≥ 0) ∧ (y > 0) ∧ (q = 0) ∧ (r = x)}
      { p }
      while ...
      { p ∧ ¬((r-y) ≥ 0) }
      { (x = q*y + r) ∧ (0 ≤ r < y) }
  Key step 1: { p ∧ ((r-y) ≥ 0) } q := q+1; r := r-y { p }   (by ass. ax., seq. comp., conseq.)
  Key step 2: [p ∧ ¬((r-y) ≥ 0)] ⇒ [(x = q*y + r) ∧ (0 ≤ r < y)]   (by math logic/oracle)
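The axioms A1–A3 and rules R1–R3 above are mechanical enough to run. The following is an added example, not part of the lecture slides: a weakest-precondition calculator for IMP in Python. It assumes assertions are written as Python boolean expressions over the program variables, that the input stream `in` is spelled `inp` (because `in` is a Python keyword), that `<...>` sequences are Python lists with `head`/`tail` as list functions, and that the slide's "math logic/oracle" step is replaced by a finite-state oracle that checks each implication over a constructed set of states. It reproduces the slide-18 derivation (the computed precondition is the one on that slide) and checks the slide-22 division program against the invariant as read above (with `y > 0` as the third conjunct).

```python
"""Weakest preconditions for IMP, following the slides' axioms and rules.

Added example, not from the slides.  Assertions are Python boolean
expressions over program variables; ``in`` is spelled ``inp``; streams
are lists.  Statement forms (constructed here): ("skip",),
("assign", x, e), ("seq", S1, S2), ("if", b, S1, S2),
("while", b, inv, S), ("read", x), ("write", e).
"""
import ast
import itertools


def subst(p, x, e):
    """p[x/e]: assertion p with every occurrence of variable x replaced by e."""
    e_node = ast.parse(e, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return e_node if node.id == x else node

    tree = Sub().visit(ast.parse(p, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))


def wp(stmt, q, vcs):
    """Weakest precondition of stmt for postcondition q.

    All rules but while are pure substitution.  The while rule needs the
    caller's invariant; its two non-substitution premises are appended to
    ``vcs`` as (hypothesis, conclusion) pairs for the oracle.
    """
    kind = stmt[0]
    if kind == "skip":                                     # A0
        return q
    if kind == "assign":                                   # A1: {q[x/e]} x := e {q}
        return subst(q, stmt[1], stmt[2])
    if kind == "write":                                    # A2: out := out ^ e
        return subst(q, "out", f"out + [{stmt[1]}]")
    if kind == "read":                                     # A3: x := head(in); in := tail(in)
        return subst(subst(q, "inp", "tail(inp)"), stmt[1], "head(inp)")
    if kind == "seq":                                      # R1
        return wp(stmt[1], wp(stmt[2], q, vcs), vcs)
    if kind == "if":                                       # R2, consequence folded in
        _, b, s1, s2 = stmt
        return f"(({b}) and ({wp(s1, q, vcs)})) or (not ({b}) and ({wp(s2, q, vcs)}))"
    if kind == "while":                                    # R3 with invariant inv
        _, b, inv, body = stmt
        vcs.append((f"({inv}) and ({b})", wp(body, inv, vcs)))   # {inv and b} S {inv}
        vcs.append((f"({inv}) and not ({b})", q))                 # (inv and not b) => q
        return inv                                                 # p => inv: checked by caller
    raise ValueError(f"unknown statement {stmt!r}")


def head(s):
    return s[0]


def tail(s):
    return s[1:]


def implies(hyp, concl, states):
    """Finite-state oracle for hyp => concl: first state of ``states``
    satisfying hyp but not concl, or None if there is none."""
    funcs = {"head": head, "tail": tail}
    for st in states:
        if eval(hyp, funcs, dict(st)) and not eval(concl, funcs, dict(st)):
            return st
    return None


def verify(p, stmt, q, states):
    """Check {p} stmt {q}: p => wp(stmt, q) plus every while-rule condition,
    each judged by the oracle over ``states``.  Returns (ok, detail)."""
    vcs = []
    pre = wp(stmt, q, vcs)
    for hyp, concl in [(p, pre)] + vcs:
        cex = implies(hyp, concl, states)
        if cex is not None:
            return False, (hyp, concl, cex)
    return True, pre


# Slide 18: { in = <3,4> and out = <> } read x; read y; write (x+y) { out = <7> }
PROG_IO = ("seq", ("read", "x"), ("seq", ("read", "y"), ("write", "x + y")))
STATES_IO = [{"inp": [3, 4], "out": [], "x": 0, "y": 0},      # constructed states
             {"inp": [1, 1], "out": [], "x": 0, "y": 0}]

# Slide 22: division by repeated subtraction, with the slide's invariant as read above
PROG_DIV = ("seq", ("assign", "q", "0"),
            ("seq", ("assign", "r", "x"),
             ("while", "r - y >= 0", "x == q * y + r and r >= 0 and y > 0",
              ("seq", ("assign", "q", "q + 1"), ("assign", "r", "r - y")))))
STATES_DIV = [dict(zip("xyqr", v))                            # constructed finite domain
              for v in itertools.product(range(7), range(1, 5), range(7), range(7))]


def demo():
    ok_io, pre_io = verify("inp == [3, 4] and out == []", PROG_IO, "out == [7]", STATES_IO)
    ok_div, _ = verify("x >= 0 and y > 0", PROG_DIV, "x == q * y + r and 0 <= r < y", STATES_DIV)
    return ok_io, pre_io, ok_div


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, 'out + [head(inp) + head(tail(inp))] == [7]', True)`: the middle value is exactly the assertion the slide-18 outline obtains by the two read axioms and the write axiom, and the rule of consequence is the oracle check that the stated precondition implies it. Because the oracle only examines the states it is given, a `True` from it is evidence on that domain, not a proof; a `False` with its counterexample, however, is conclusive, which is the direction that matters when a proposed invariant is wrong.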

  23. Derive: {in = <1, 2, 3, ..., 100> ∧ out = <>} read x; while (x ≠ 100) do write x; read x; end { out = <1, 2, ..., 99> }
  Take loop invariant p to be: p ≡ [out^x^in = <1, 2, ..., 100>]
  Derivation outline:
      {in = <1, 2, 3, ..., 100> ∧ out = <>}
      read x;
      {(x = 1) ∧ (in = <2, 3, ..., 100>) ∧ (out = <>)}
      {out^x^in = <1, 2, ..., 100>}
      while (x ≠ 100) do write x; read x; end
      {(out^x^in = <1, 2, ..., 100>) ∧ (x = 100)}
      { out = <1, 2, ..., 99> }

  24. Derive: {in = <1, 2, 3, ..., 100> ∧ out = <>} s := 0; read x; while (x ≠ 100) do s := s+x; read x; end { s = Σ_{k=0..99} k }
  Take loop invariant p to be:
      [(#in = 100 − x) ∧ ∀k.[(0 < k ≤ #in) ⇒ (in[k] = x+k)] ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x−1)} k)]
  A more intuitive loop invariant:
      [(in = <x+1, ..., 100>) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x−1)} k)]
  Key step: {p ∧ (x ≠ 100)} s := s+x; read x; {p}
  Note: (head(in) = x+1) [implied by p] is important in showing that (p ∧ (x ≠ 100)) implies p' [obtained by taking p back]

  25. (In)Completeness
  R3: while rule:
      p ⇒ q,  { q ∧ b } S { q },  (q ∧ ¬b) ⇒ r
      -------------------------------------------------------
      { p } while b do S { r }
  A simpler rule:
      p ⇒ q,  { q } S { q },  (q ∧ ¬b) ⇒ r
      -------------------------------------------------------
      { p } while b do S { r }
  Using this rule, we can derive: { x = 0 } while (x ≠ 10) do x := x+1 { x = 10 }
  Take p to be (x = 0) and q to be true

  26. (In)Completeness (contd.)
  The rule is incomplete:
      p ⇒ q,  { q } S { q },  (q ∧ ¬b) ⇒ r
      -------------------------------------------------------
      { p } while b do S { r }
  Cannot derive: { x = 0 ∧ y = 0 } while (x ≠ 0) do y := y+1 { x = 0 ∧ y = 0 }
  Proof: Suppose we could. Then there must exist q such that:
  a. (x = 0 ∧ y = 0) ⇒ q
  b. {q} y := y+1 {q}
  c. (q ∧ x = 0) ⇒ (x = 0 ∧ y = 0)
  Then <x = 0, y = 0, z = 0> ∈ Q [by (a)]
  Hence <x = 0, y = 1, z = 0> ∈ Q [by (b)]
  Hence <x = 0, y = 1, z = 0> ∈ Q ∩ (x = 0) [why?]
  But <x = 0, y = 1, z = 0> is not in (x = 0 ∧ y = 0)
  Hence such a q cannot exist!

  27. Consistency/Completeness
  How do you show a system A is consistent and/or complete (with respect to a model M)? Generally a tedious task.
  Special case: If we are told that A' is consistent/complete and A is obtained from A' by making some changes to some rules of A', we may be able to use the following approach:
  Completeness: Show that all results derivable in A' are also derivable in A. Then completeness of A' implies completeness of A (with respect to the same model).
  Consistency: Show that all results derivable in A are also derivable in A'. Then consistency of A' implies consistency of A (with respect to the same model).

  28. Axiomatic Semantics of IMP (contd)
  Suppose we change the if-then-else rule:
      { p ∧ b } S1 { q },  { p ∧ ¬b } S2 { q }
      --------------------------------------------------
      { p } if b then S1 else S2 { q }
  To:
      { p ∧ b } S1 { q ∧ b },  { p ∧ ¬b } S2 { q ∧ ¬b }
      ------------------------------------------------------------
      { p } if b then S1 else S2 { q }
  The resulting system will be consistent: show that every result derivable in the new system is derivable in the original system
  Completeness?

  29. Total Correctness
  How do we derive: { in = <> } read x { false } ?   (1)
  We can't! A better axiom for read:
      (p ∧ in ≠ <>) ⇒ (q[in/tail(in)])[x/head(in)]
      --------------------------------------------------
      { p } read x { q }
  With this axiom, we can derive (1). Also suggests a total correctness axiom for read:
      p ⇒ [ in ≠ <> ∧ (q[in/tail(in)])[x/head(in)] ]
      -----------------------------------------------------
      <p | read x | q>

  30. Total Correctness (contd.)
  Similar considerations for assignment: { (x = 0) ∧ (y = 3) } z := y/x { false } ?   (1)
  We can't! A better axiom:
      (p ∧ D(e)) ⇒ (q[x/e])
      --------------------------------------------------
      { p } x := e { q }
  With this axiom, we can derive (1). Also suggests a total correctness axiom:
      p ⇒ [ D(e) ∧ q[x/e] ]
      -----------------------------------------------------
      <p | x := e | q>

  31. Total Correctness (contd.)
  Total correctness rule for while:
      (p ∧ b) ⇒ (f > 0),  < p ∧ b ∧ f = k | S | p ∧ (f < k) >
      --------------------------------------------------
      < p | while b do S | p ∧ ¬b >
  a. Why does f have to be an integer function of the state?
  b. What if b is not well defined?
  c. What would happen if we change "<...|..|..>" in the second line to "{...}..{..}"?
  The other rules are essentially the same as the corresponding partial correctness rules:
      <p | S1 | q1>,  <q1 | S2 | q>
      --------------------------------------
      <p | S1; S2 | q>

  32. Total Correctness (contd.)
  Derive: < s = 0 ∧ x = 0 | while x ≠ 10 do x := x+1; s := s+x; end | s = 0 + 1 + 2 + 3 + ... + 10 >
  Loop invariant: p ≡ (0 ≤ x ≤ 10 ∧ s = Σ_{n=0..x} n)
  Progress function (also called: "progress metric", "convergence function" etc.): f(x, s) ≡ (10 − x)
  Check: (p ∧ (x ≠ 10)) ⇒ (f > 0) : easy
  Derive: <p ∧ (x ≠ 10) ∧ (f = k) | x := x+1; s := s+x | p ∧ (f < k)> : exercise
  Hence the original result follows from the rule for loops
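The two premises of the total-correctness while rule can also be checked on a running loop, which makes question (a) on slide 31 concrete. The following is an added example, not from the slides: a Python monitor that executes `while b do S` from a given state and, at every iteration, checks that the invariant holds, that the progress function is positive whenever the guard is true, and that it strictly decreases across the body. The loop, invariant and progress function are the slide-32 ones; the weakened invariant `inv32_weak` (dropping `x ≤ 10`) and the iteration budget are my additions to show what the `(p ∧ b) ⇒ (f > 0)` premise rules out.

```python
"""Runtime check of the total-correctness while rule (added example).

Premises checked on each iteration, with p = invariant, f = progress function:
  (p and b) => f > 0                      f positive while the guard holds
  <p and b and f = k | S | p and f < k>   p preserved, f strictly decreases
Because f is integer-valued, positive and strictly decreasing, the loop
terminates (which is why f must be an integer function of the state).
"""


def check_total(state, b, body, inv, f, max_iter=10_000):
    """Run `while b do body` from ``state`` under the monitor.

    Returns ("ok", final_state) when the loop exits with the invariant
    intact, or ("violation", reason, state) at the first broken premise.
    ``max_iter`` is a safety bound so a bad argument never runs forever.
    """
    if not inv(state):
        return ("violation", "invariant fails initially", dict(state))
    for _ in range(max_iter):
        if not b(state):
            return ("ok", dict(state))              # exit: p and not b holds here
        k = f(state)
        if k <= 0:
            return ("violation", "f not positive while b holds", dict(state))
        body(state)
        if not inv(state):
            return ("violation", "invariant not preserved", dict(state))
        if f(state) >= k:
            return ("violation", "f did not decrease", dict(state))
    return ("violation", "iteration budget exhausted", dict(state))


# Slide 32: < s=0 and x=0 | while x != 10 do x := x+1; s := s+x end | s = 0+1+...+10 >
def b32(st):
    return st["x"] != 10


def body32(st):
    st["x"] += 1
    st["s"] += st["x"]


def inv32(st):                      # p: 0 <= x <= 10 and s = sum of 0..x
    return 0 <= st["x"] <= 10 and st["s"] == sum(range(st["x"] + 1))


def inv32_weak(st):                 # constructed variant of p without the bound x <= 10
    return st["x"] >= 0 and st["s"] == sum(range(st["x"] + 1))


def f32(st):                        # progress function f(x, s) = 10 - x
    return 10 - st["x"]


def run_loop(x0, s0, inv=inv32):
    """Run the slide-32 loop from x = x0, s = s0 under invariant ``inv``."""
    return check_total({"x": x0, "s": s0}, b32, body32, inv, f32)


if __name__ == "__main__":
    print(run_loop(0, 0))            # ('ok', {'x': 10, 's': 55})
    print(run_loop(11, 66, inv32_weak))
```

From `x = 0, s = 0` the monitor reports `('ok', {'x': 10, 's': 55})`, with `f` stepping 10, 9, ..., 1. Started at `x = 11, s = 66` with the weakened invariant, the guard is true but `f = -1`, so the first premise fails immediately; without the monitor that loop would never reach `x = 10`. With the slide's own invariant the same start is rejected even earlier, because `p` does not hold initially, which is the `p ⇒ q` obligation of the rule.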

  33. Non-determinism
  Guarded commands:
  • Selection: [b1 → S1 | b2 → S2 | ... | bn → Sn]
    To execute: choose any bi that evaluates to true and execute the corresponding Si; if all bi are false, error
    e.g.: [ x ≥ y → z := x | y ≥ x → z := y ] : sets z to the larger of x, y
  • Repetition: *[b1 → S1 | b2 → S2 | ... | bn → Sn]
    To execute: choose any bi that evaluates to true and execute the corresponding Si. Repeat until, after some no. of iterations, all bi evaluate to false; at that point, stop. Loop may not terminate, or may terminate in 0 iterations
    e.g.: *[ x1 > x2 → exch(x1, x2) | x2 > x3 → exch(x2, x3) | x3 > x4 → exch(x3, x4) ] : sorts [x1, x2, x3, x4]

  34. Axiomatics of non-determinism
  Selection:
      { p ∧ b1 } S1 { q },  { p ∧ b2 } S2 { q },  ...,  { p ∧ bn } Sn { q }
      ---------------------------------------------------------------------------
      { p } [b1 → S1 | b2 → S2 | ... | bn → Sn] { q }
  Repetition:
      { p ∧ b1 } S1 { p },  { p ∧ b2 } S2 { p },  ...,  { p ∧ bn } Sn { p }
      ---------------------------------------------------------------------------
      { p } *[b1 → S1 | ... | bn → Sn] { p ∧ ¬b1 ∧ ¬b2 ∧ ... ∧ ¬bn }
  In the selection rule, what if none of the bi's evaluates to true?
  Total correctness rules?
