1 / 23

COP4020 Programming Languages

Learn about assertions and preconditions in programming languages, their importance in verifying runtime execution, and how they ensure safe continuation. Explore examples and rules of inference for assignment, sequencing, skip, if-then-else, and loops.

rosettag
Download Presentation

COP4020 Programming Languages

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COP4020Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen

  2. Assertions and Preconditions • Assertions are used by programmers to verify run-time execution • An assertion is a logical formula to verify the state of variables and data to ensure safe continuation • A failed assertion should stop the program • Assertions are placed by programmers explicitly in codeassert (len>0); mean = sum/len; • By contrast, preconditions state the initial conditions under which an algorithm has been proven correct COP4020 Fall 2006

  3. Preconditions, Postconditions and Partial Correctness • We will place assertions before and after a commandC: { Precondition } C { Postcondition } • We say that the command C is partially correct with respect to the <precondition,postcondition> specification, provided that • The command C is executed with values that make the precondition true • If the command terminates, then the resulting values make the postcondition true • Total correctness requires termination COP4020 Fall 2006

  4. Assignment Axiom • If we view assertions as predicates, the assignment axiom can be stated { P(E) } V := E { P(V) }that is, if we state a property of V after the assignment, then the property must hold for expression E before the assignment • We can use substitution to derive the precondition given a postcondition formula P: this is the assignment axiom: { P[VE] } V := E { P }where P[VE] denotes the substitution of V by E in P COP4020 Fall 2006

  5. Examples for Assignments • { k = 5 } k := k + 1 { k = 6 }(k = 6)[kk+1]  (k+1 = 6)  (k = 5) • { j = 3 and k = 4 } j := j + k { j = 7 and k = 4 }(j = 7 and k = 4)[jj+k]  (j+k = 7 and k = 4)  (j = 3 and k = 4) • { true } x := 2 { x = 2 }(x = 2)[x2]  (2 = 2)  (true) • { a > 0 } a := a - 1 { a> 0 }(a> 0)[aa - 1]  (a - 1 > 0)  (a > 0) Assuming a is int ! • { false } y := 1 { y = 2 } No state can satisfy precondition ! = partially correct COP4020 Fall 2006

  6. Validity of Assignment Axiom • At first glance it seems that working backward from a postcondition is more complicated than necessary and we could use { true } V := E { V = E } • However, consider { true } m := m + 1 { m = m + 1}and we find that { m = m + 1 }  { false } assignment equality COP4020 Fall 2006

  7. Statement Composition: Sequence Axiom • The sequence axiom: { P } C1 { Q } C2 { R }Q is a postcondition of C1 and a precondition for C2 • Written as a rule of inference { P } C1 { Q } { Q } C2 { R } { P } C1 ; C2 { R } COP4020 Fall 2006

  8. Example Sequencing • We usually write the sequencing vertical and insert the assertions between the statements:{ i> 0 }k := i + 1;{ k > 0 and j = j }  { k > 0 }i := j;{ k > 0 and i = j } • The rule of inference: { i> 0 } k := i + 1 { k > 0 } { k > 0 } i := j { k > 0 and i = j } { i> 0 } k := i + 1; i := j { k > 0 and i = j } (k > 0)[ki + 1] (k > 0 and i = j)[ij] COP4020 Fall 2006

  9. Skip Axiom • The ‘skip’ statement is a no-op{ P } skip { P }pre- and postconditions are identical COP4020 Fall 2006

  10. If-then-else Axiom • The if-then-else axiom written vertically:{ P }if B then { P and B }C1 { Q }else { P and not B }C2 { Q }end if{ Q } COP4020 Fall 2006

  11. If-then-else Axiom • And as an inference rule: { P and B } C1 { Q } { P and not B } C2 { Q } { P } if B then C1 else C2 end if { Q } COP4020 Fall 2006

  12. The if-then-else Weakest Precondition Rule • We can derive the weakest preconditionP of and if-then-else using:P (not B or P1) and (B or P2)where P1 is the precondition of C1 given postcondition Q and P2 is the precondition of C2 given postcondition Q • Example:{ ( x < 0 or x > 0) and (x > 0 or true) }  { true }if x > 0 then { x > 0 } y := xelse { 0 > 0 }  { true } y := 0end if{ y > 0 } Compute preconditionsP1 and P2 of C1 and C2 COP4020 Fall 2006

  13. Precondition Strengthening • Logical implication ( or ) means stronger condition weaker condition(more restrictive) (less restrictive) • For example: • x = y and y = 0  y = 0 • x  0  x = 0 or x < 0 or x > 0 • x = 0  x> 0 • x = y  true • false x = y2 COP4020 Fall 2006

  14. Using Precondition Strengthening • We can always make a precondition stronger than necessary to complete a proof • For example, suppose we know that x > 0 and y = 2 at the start of the program:{ x > 0 and y = 2} { x > 0}y := x{ y = x and y > 0 } (y = x and y > 0)[yx] (x = x and x > 0) COP4020 Fall 2006

  15. Loops and Loop Invariants • A loop-invariant condition is a logical formula that is true before the loop, in the loop, and after the loop • An common example: grocery shopping • The invariant is:groceries needed = groceries on list + groceries in cart cart := empty;{ groceries needed = groceries on list + groceries in cart }{ groceries needed = groceries on list }while grocery list not empty do { groceries needed = groceries on list + groceries in cart and not empty list } add grocery to cart; take grocery off list; { groceries needed = groceries on list + groceries in cart }end do;{ groceries needed = groceries on list + groceries in cart and empty list } { groceries needed = groceries in cart } COP4020 Fall 2006

  16. While-loop Axiom • The while-loop axiom uses a loop invariant I, which must be determined • Invariant cannot generally be automatically computed and must be “guessed” by an experienced programmer{ I }while B do { I and B } C { I }end do{ I and not B } COP4020 Fall 2006

  17. While-loop Example (1) • Loop invariant I (f*k! = n! and k> 0){ n> 0 }k := n;f := 1;while k > 0 dof := f*k;k := k-1;end do{ f = n! } Proof that this algorithm is correct given precondition n>0 and postcondition f=n! COP4020 Fall 2006

  18. While-loop Example (2) • Loop invariant I (f*k! = n! and k> 0){ n> 0 }k := n;f := 1;{ f*k! = n! and k> 0 }while k > 0 do{ f*k! = n! and k> 0 and k > 0 }f := f*k;k := k-1;{ f*k! = n! and k> 0 }end do{ f*k! = n! and k> 0 and k< 0 }{ f = n! } Add while-loop preconditions and postconditions based on the invariant COP4020 Fall 2006

  19. While-loop Example (3) • Loop invariant I (f*k! = n! and k> 0){ n> 0 }k := n;{ 1*k! = n! and k> 0 }f := 1;{ f*k! = n! and k> 0 }while k > 0 do { f*k! = n! and k> 0 and k > 0 }f := f*k;{ f*(k-1)! = n! and k-1 > 0 }k := k-1; { f*k! = n! and k> 0 }end do{ f*k! = n! and k> 0 and k< 0 } { f = n! } Use assignment axioms COP4020 Fall 2006

  20. While-loop Example (4) • Loop invariant I (f*k! = n! and k> 0){ n> 0 }{ n! = n! and n> 0 }k := n;{ 1*k! = n! and k> 0 }f := 1;{ f*k! = n! and k> 0 }while k > 0 do { f*k! = n! and k> 0 and k > 0 }{ f*k*(k-1)! = n! and k-1 > 0 }f := f*k;{ f*(k-1)! = n! and k-1 > 0 }k := k-1; { f*k! = n! and k> 0 }end do{ f*k! = n! and k> 0 and k< 0 } { f = n! } Use assignment axioms COP4020 Fall 2006

  21. While-loop Example (5) • Loop invariant I (f*k! = n! and k> 0){ n> 0 } { n! = n! and n> 0 }k := n;{ 1*k! = n! and k> 0 }f := 1;{ f*k! = n! and k> 0 }while k > 0 do { f*k! = n! and k> 0 and k > 0 }  { f*k*(k-1)! = n! and k-1 > 0 } f := f*k; { f*(k-1)! = n! and k-1 > 0 } k := k-1; { f*k! = n! and k> 0 }end do{ f*k! = n! and k> 0 and k< 0 } { f = n! } Use precondition strengthening to prove the correctness of implications COP4020 Fall 2006

  22. While-loop Example (6) • Loop invariant I (f*k! = n! and k> 0){ n> 0 } { n! = n! and n> 0 }k := n;{ 1*k! = n! and k> 0 }f := 1;{ f*k! = n! and k> 0 }while k > 0 do { f*k! = n! and k> 0 and k > 0 }  { f*k*(k-1)! = n! and k-1 > 0 } f := f*k; { f*(k-1)! = n! and k-1 > 0 } k := k-1; { f*k! = n! and k> 0 }end do{ f*k! = n! and k> 0 and k< 0 } { f*k! = n! and k = 0 } { f = n! } Use simplification and logical implications to complete the proof COP4020 Fall 2006

  23. Specifications • A postcondition specification can by any logical formula • A specification that states the input-output requirements of an algorithm is needed to prove correctness • A specification that tests a violation can aid in debugging • For example (precondition strengthening is disallowed): { (n > 0 or false) and (n < 0 or n = 0) }  { false }if (n < 0) { false } p = 2;else { n = 0 } p = n+1;{ p = 1 }k = m / (p-1); if (n < 0) p = 2;else p = n+1;k = m / (p-1);// Error when p = 1 Means: never possible COP4020 Fall 2006

More Related