330 likes | 517 Views
Axiomatic Basis for Computer Programming. Tony Hoare, 1969 The Hoare triple. (6.1.2) {Q} S {R} (Q: precondition, R: postcondition , S: statement) means
E N D
Axiomatic Basis for Computer Programming. Tony Hoare, 1969 The Hoare triple (6.1.2) {Q} S {R} (Q: precondition, R: postcondition, S: statement) means (6.1.3) Execution of S begun in a state satisfying Q is guaranteed to terminate in a finite amount of time in a state in which R is true. Program Semantics for Programming Methodology Example: Given n ≥ 0, store in i to truthify R: s = (+ i | 0 ≤ i < n: b[i]) {n ≥ 0} S {R}
1950s. Studied philosophy, Greek, Latin at Oxford. 1959. Grad student in Russia, probability theory, machine translation 1960. Programmer ,Elliott Brothers, England. Led team for compiler for Algol Chief Engineer. Disastrous operating system. Tony Hoarehttps://www.cs.ox.ac.uk/people/tony.hoare/ 1968. Prof., Queens University 1977. Prof., Oxford 2008~. Retired, joined Microsoft Research in Cambridge, England 1980. Turing Award, for his fundamental contributions to the definition and design of programming languages
1. Quicksort 2. Axiomatic basis for computer programs (1969) 3. Many papers on issue of correctness of computer programs. 4. Communicating sequential processes (CSP) Tony Hoareamturing.acm.org/award_winners/hoare_4622167.cfm 5. Essays in Computing Science (1989) 6. Unifying Theories of Programming (1996) 7. Grand challenges in CS
Axiomatic Basis for Computer Programming. Tony Hoare, 1969 The Hoare triple (6.1.2) {Q} S {R} (Q: precondition, R: postcondition,S: statement) means (6.1.3) Execution of S begun in a state satisfying Q is guaranteed to terminate in a finite amount of time in a state in which R is true. Program Semantics for Programming Methodology Example: {isJavaProgram(p)} compiler {isIntelProgram(q) equivalent(p, q) }
The Hoare Triple Swap: t:= x; x:= y; y:= t Program Semantics for Programming Methodology {x = X y = Y} Swap {x = Y y = X} x, y are program variables, X, Y are used to denote initial (and final) values of variables Implicit quantification over those variables: ( X, Y |: {x = X y = Y} Swap {x = Y y = X})
Proof outlines. Before/after each statement are assertions {P0: k ≥ 0 s = (+i | 1 ≤ i ≤ k: i) } {R: k > 0 s = (+ i | 1 ≤ i ≤ k: i)} {P1: k+1 > 0 s = (+ i | 1 ≤ i ≤ k: i) } {P2: k > 0 s = (+ i | 1 ≤ i ≤ k-1: i) } {P3: k > 0 s+k = (+ i | 1 ≤ i ≤ k: i) } Program Semantics for Programming Methodology k:= k+1; s:= s + k Prove these “verification conditions”: • P0 P1 • {P1} k:= k+1 {P2} • P2 P3 • {P3} s:= s+k {R}
Proof outlines. Before/after each statement are assertions {x = X} if x < 0 then {x = X x < 0} x:= - x {x = -X x > 0} { x = abs(X)} else {x = X x ≥ 0} skip {x = X x ≥ 0} {x = abs(x)} {x = abs(X)} Program Semantics for Programming Methodology Exercise: List the verification conditions that are required for this proof outline to be correct. See previous slide
Hoare triples and an axiomatic basic for computer programming {P} S {R} Hoare gave us axioms and inference rules for saying when such triples are true. {P B} S1 {R}, {P !B} S2 {R} {P} if B then S1 else S2 {R} Program Semantics for Programming Methodology Isn’t this just common sense??? It didn’t seem that way in 1969. Axiom: {P} skip {P} Inference rule: Problem: This language definition is good for proving an existing program correct. But it does not give insight into how to develop a program and its proof hand in hand, and that’s what we really need.
Dijkstra solved the dilemma by defining a programming language in terms of weakest preconditions wp( S, R) is a predicate that describes the set of all states such that execution of S begun in any one of those states is guaranteed to terminate in a state in which R is true Program Semantics for Programming Methodology Here is how it relates to the Hoare triple {Q} S {R} Q wp(S, R)is another notation for ( variables |: {Q} S {R} ) Example: wp(x:= x+1, x > 0) = x ≥ 0 But also {x > 0} x:= x+1 {x > 0} holds Set of all states in which adding 1 to x terminates with x > 0
1956. Shortest-path algorithm Minimum spanning tree algorithm 1959. PhD thesis. Real-time interrupts 1961? First Algol compiler 1962+ T.H.E. operating system 1968. GoTo considered harmful Edsger W. Dijkstraamturing.acm.org/award_winners/dijkstra_1053701.cfm 1970. Notes on Structured Programming 1976. A Discipline of programming 1989. Predicate calculus and program semantics
(7.3) Axiom Law of the Excluded Miracle. wp(S, false) = false (7.4) Axiom Distributivity of conjunction. wp(S, Q) wp(S, R) = wp(S, Q R) Properties of wp (7.5) Law of Monotonicity. if Q R then wp(S, Q) wp(S, R) (7.6) Distributivity of Disjunction. wp(S, Q) wp(S, R) wp(S, Q R) (7.7) Distributivity of Disjunction for deterministic S. wp(S, Q) wp(S, R) wp(S, Q R)
(7.6) Distributivity of Disjunction. wp(S, Q) wp(S, R) wp(S, Q R) Suppose S is non-deterministic Let S be flip: flip a coin, which is guaranteed to land on its head or on its tail. wp(flip, head) = false wp(flip, tail) = false But: wp(flip, head tail) = true Our language will include non-deterministic if and while (conditional and loop)
Homework Do exercises 1, 3, 4, and 6 for Chapter 7 on page 112 of Science of Programming
(8.1) Definition. wp(skip, R) = R (8.2) Definition. wp(abort, R) = false Chapter 8. Dijkstra’s definition of a programming language (8.3) Definition wp(“S1; S2”, R) = wp(S1, wp(S2, R)) Example: wp(“skip; skip”, R) = <Definition of ;> wp(skip, wp(skip, R)) = <Definition of skip> wp(skip, R) = <Definition of skip> R
{ 5 = 5 } x:= 5 {x = 5} { 5 = 4 } x:= 5 {x = 4} Chapter 9. Assignment x:= e { x+1 = 5 } x:= x+1 {x = 5} { x+1 > 0 } x:= x+1 {x > 0} { x/y > 20 } x:= x/y {x > 20} { } x:= e {R}
Definition: wp(“x:= e”, R) = domain(e) R[x:= e] Chapter 9. Assignment x:= e. No side-effects allowed wp(“x:= e”, y = C) (where y, x are different variables) = <definition of :=> domain(e) (y = C)[x:= e] = <textual substitution> domain(e) y = C = <assuming e can be evaluated> y = C This means that execution of x:= e may not change the value of Y —or any variable except x. No side effect allowed! If you allow side effects, the definition become a lot morecomplicated.
i m i+p b b[i..i+p-1] is the middle segment, and i < m < i+p. We want to set i to m+1 but leave the value of i+p the same: Chapter 9. calculation What do we set p to so tha the value of i+p is unchanged? We don’t have to guess, we can calculate. m ii+p b {i+p = C} i, p:= m+1, x {i+p = C} —solve for x! wp(“i, p:= m+1, x”, i+p = C) = <definition of :=> m+1+x = C = <in initial state, i+p = C> m+1+x = i+p = <arithmetic> x = i+p-m-1
x1, x2, …, xn:= e1, e2, … en —assume the xi are different vars Evaluate all the ei; then assign the values to the xi. y, z:= z, y —swap the values of y and z x, y, z:= y, z, x —rotate the values of x, y, and z Chapter 9. Multiple Assignment wp(“z, y:= z*x, y-1”, y ≥ 0 z*xy = C) = <definition of :=> y-1 ≥ 0 (z*x)*xy-1 = C) = <arithmetic> y ≥ 1 z*xy = C
Think of an array as a function. So b[i] is really thought of a b(i) —function b applied to i. (b; i:e) is a function that is like b but at the point i its value is e (b; i:e)[j] = (if i = j then e else b[j]) [in Java: I = j ? e : b[j] ] Chapter 9. Assignment to an array element: b[i]:= e (9.3.2) Definition. wp(“b[i]:= e”, R) = inrange(b, i) domain(e) R[b:= (b; i:e)]
Question: Under what precondition does the assignment b[b[i]]:= i terminate with b[i] = i? wp(“b[b[i]]:= i”, b[i] = i) Chapter 9. Assignment to an array element: b[i]:= e = <definition of :=> (b[i] = i)[b:= (b; b[i]:i)] = <substitution> (b; b[i]:i)[i] = i = <case analysis> (b[i] != i b[i] = i) (b[i] = i i = i) = <Simplifications> false (b[i] = i true) = <Simplifications> b[i] = i
if x ≥ 0 then z:= x else z:= -x Write it as: if x ≥ 0 z:= x x ≤ 0 z:= -x fi Called a guarded command: x ≥ 0 z:= x There can be any number of guarded commands Chapter 10. Alternative Command To execute: All guards must be well-defined; otherwise, abortion may occur If no guard is true, abort Choose one true guard and execute its command Non-determinism!
IF: if B1 S1 B2 S2 … BnSn fi BB denotes B1 B2 … Bn Chapter 10. Alternative Command (10.3a) Definition; wp(IF, R) = domain(BB) BB B1 wp(S1, R) … Bn wp(Sn, R) (10.3a) Definition. wp(IF, R) = ( i | 1 ≤ i ≤ n: Bi) (i | 1 ≤ i ≤ n: Bi wp(Si, R))
S: if x ≥ 0 z:= x x ≤ 0 z:= -x fi In what initial states will execution of S terminate with R: z = abs(x)? Chapter 10. Alternative Command wp(S, R) = <Definition of IF> (x ≥ 0 x ≥ 0) (x ≥ 0 wp(“z:= x”, z = abs(x) ) (x ≤ 0 wp(“z:= -x”, z = abs(x))
S: if b[i] > 0 p, i:= p+1, i+1 b[i] < 0 i= i+1 fi In what initial states will execution of S terminate with R true? R: i ≤ m p = (N k | 0 ≤ k < i : b[k] > 0) Chapter 10. Alternative Command Stands for the number of values k in the range 0 ≤ k < ithat satisfy b[k] > 0 N is not a standard quantifier as we have defined quantifica- tion earlier. However, it is useful and we will use it from time to time in an informal manner. Note that the calculational logic we talked about on the first day was developed after“The Science of Programming” was published.
IF: if B1 S1 B2 S2 … BnSn fi BB denotes B1 B2 … Bn Chapter 10. Alternative Command (10.5) Theorem. Suppose Q satisfies (1) Q BB (2) ( i | 1 ≤ i ≤ n: Q Bi wp(Si, R)) Then (and only then) Q wp(IF, R)
if B1 S1 B2 S2 … BnSn fi BB denotes B1 B2 … Bn Chapter 10. Alternative Command wp(“if fi”, R) ?
do B1 S1 od while (B1) S1 The normal while loop, as in Java, other languages We write it this way Chapter 11. Iterative Command (loop)
DO: do B1 S1 B2 S2 … BnSn od BB denotes B1 B2 … Bn Chapter 11. Iterative Command (loop) Equivalent to: do BB IF od Execute as follows: If all guards Bi are false, which means that BB is false, terminate; Otherwise, execute the IF statement (Choose one true guard Bi and execute the corresponding command Si) and repeat the process.
DO: do B1 S1 B2 S2 … BnSn od BB denotes B1 B2 … Bn Chapter 11. Iterative Command (loop) Equivalent to: do BB IF od wp(DO, R) is a predicate that represents the set of states in which execution of DO terminates with R true in a bounded number of iterations, say, in k or fewer iterations. The definition involves recursion.
DO: do B1 S1 B2 S2 … BnSn od BB denotes B1 B2 … Bn Chapter 11. Iterative Command (loop) Set of states in which DO terminates in 0 iterations with R true H0(R) = !BB R Hk(R) = H0(R) wp(IF, Hk-1(R)) for k > 0 Set of states in which DO terminates in 0 iterations OR executes 1 iteration and then terminates in k-1 or fewer iterations (11.2) Definition. wp(DO, R) = ( k | 0 ≤ k: Hk(R) )
DO: do B1 S1 B2 S2 … BnSn od BB denotes B1 B2 … Bn H0(R) = !BB R Chapter 11. What is do od? Hk(R) = H0(R) wp(IF, Hk-1(R)) for k > 0 (11.2) Definition. wp(DO, R) = ( k | 0 ≤ k: Hk(R) ) wp(“do od”, R) H0(R) = !BB R <!BB is true> = R Hk(R) = H0(R) false <logic, above> = R = <definition> ( k | 0 ≤ k: Hk(R)) = < Hk(R) = R> ( k | 0 ≤ k: R) = <logic> R So, do od is skip
DO: do B1 S1 B2 S2 … BnSn od BB denotes B1 B2 … Bn P is called a loop invariant, t is called a bound function Chapter 11. Theorem about Iterative Command (11.6) Theorem. Suppose P satisfies P Bi wp(Si, P) for all i Suppose integer function t satisfies (1) P Bi t = T wp(Si, t < T), all i (2) P BB t > 0 Then, P wp(DO, P !BB) Means that if P is true initially, it remains true Means that t decreases with each iteration, and when it is < 0, BB is false
BB denotes B1 B2 … Bn DO: {Q} {inv P; bndfnc t} do B1 S1 … BnSn od {R} Chapter 11. Check list for proving loop correct • Prove Q P invariant true initially • P Bi wp(Si, P), all iinvariant remains true • P !BB R R holds when loop terminates • P Bi t = T wp(Si, t < T), all i • Each iteration decreases t • 5. P BB t > 0 Function t is bounded below