Upload: amos-ellis

Post on 28-Dec-2015


CSE 755, part3

Axiomatic Semantics

Will consider axiomatic semantics (A.S.) of IMP:

<stmt> ::= skip | <assign> | <if> | <while> | <stmt>; <stmt> | <input> | <output>

Only integer vars; no procedures/fns; vars declared implicitly

References: Kurtz (ch. 11); Pagan (ch. 4.3)

Summary: For each type of <stmt>, will define its A.S. via an axiom or rule of inference (or just rule). Using these, will be able to show (i.e., derive) that a given program behaves according to its specification.


Preliminaries

State: The state of a program P is a function σ that maps the program variables of P to their values in that state. Example: σ = <x = 1, y = 2, z = 3>;

or: σ(x) = 1; σ(y) = 2; σ(z) = 3 (assuming P has 3 prog. vars, x, y, z)

Usually have to deal with a set of states: { <x = 1, y = 2, z = 1>, <x = 1, y = 2, z = 2>, <x = 1, y = 2, z = 3> }

Better: Specify an assertion (or predicate, or condition) satisfied by all the states in that set and no others: [ (x = 1) ∧ (y = 2) ∧ (1 ≤ z ≤ 3) ]

Important: Assertion ≡ Set of states that satisfy the assertion


Assertions/sets of states

[ (x = 1) ∧ (1 ≤ y ≤ 5) ∧ (1 ≤ z ≤ 10) ] : set with 50 states

[ (x = 1) ∧ (y = 2) ] : an infinite set (z is unconstrained)

[ (x = 1) ∧ (1 ≤ y ≤ 5) ] : an 'even bigger' set

[ x = y + z ] : ...

[ x = x ] : the set of all states ≡ true

[ x ≠ x ] : the empty set ≡ false


Assertions/sets of states

Convention:

p ↔ P (p is an assertion; P the corresponding set of states)

[p ∧ q] ↔ P ∩ Q

[p ∨ q] ↔ P ∪ Q

[¬p] ↔ −P (or, rather, "P bar"; i.e., U − P; U: universal set)


Assertions/sets of states (contd)

"⇒" (implication) can be thought of as a relation between two assertions:

[p ⇒ q] : [P ⊆ Q]

[p ⇒ true] : [P ⊆ U]

[false ⇒ p] : [∅ ⊆ P]

Can also think of "⇒" as a single assertion:

[p ⇒ q] : (¬p ∨ q)

Thus:

[p ⇒ true] : true

[false ⇒ p] : true

[p ⇒ p] : true (??)

[p ⇒ ¬p] : false (??)

[(x ≥ 1) ⇒ (x = 2)] : ??

The context will tell us whether to think of implication as a relation between assertions or as a single assertion


Assertions (contd.)

"x < y" is a syntactic entity when it appears in a program.

Elsewhere it is an assertion (satisfied by some states and not others).

A state σ satisfies the assertion x < y if (and only if) σ(x) is less than σ(y)

Notation: σ |= (x < y) : "σ satisfies (x < y)"


Key Notation

The result {p} S {q} (where p, q are assertions and S is a statement) is operationally valid if:

If we start execution of S in any state σ ∈ P, the final state σ' when S finishes execution will belong to Q

Examples:

{x = 1} skip {x = 1} : (Operationally) valid

{(x=1) ∧ (y=2)} skip {x = 1} : Valid

{x = 1} skip {(x=1) ∧ (y=2)} : Invalid (op. invalid)

{x = 1} skip {(x=1) ∨ (y=2)} : Valid

{(x=1) ∨ (y=2)} skip {x = 1} : ??

{(x=1) ∧ (y=2)} skip { true } : ??

{(x=1) ∧ (y=2)} skip { false } : ??


"Results" (contd.)

{(x=1) ∧ (y=2)} x := x+1 {(x=2) ∧ (y=2)} : Valid

{(x=1) ∧ (y=2)} x := x+1 {(x = y)} : Valid

{(u=1) ∧ (v=2)} x := x+1 {(v = u+1)} : ??

{x=0} while (x < 10) do x := x+1 end {x=10} : Valid

What if the loop doesn't terminate?

{x ≥ 0} while (x < 10) do x := x+1 end {x=10} : ??

{x ≥ 0} while (x < 10) do x := x+1 end {x ≥ 10} : ??


"Results" (contd.)

{ p } S { q } is a partial correctness result

It is valid if it is the case that:

if we start execution of S in any state σ ∈ P, and if the execution terminates, then the final state σ' satisfies q

{x = 0} while (x ≠ 10) do x := x+1 end {x = 10} : Valid

{ true } while (x ≠ 10) do x := x+1 end {x = 10} : Also valid (from a state with x > 10 the loop never terminates, so the result holds vacuously)

Axiomatic semantics: provides a non-operational approach -- in the form of a set of axioms and rules of inference -- using which we can 'axiomatically derive' our results
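As an added example (not part of the slides), the following Python checks results like the ones above operationally: it runs an IMP program, encoded as nested tuples with Python expression strings for expressions and assertions, from every start state in a constructed finite set and compares the outcome with the postcondition. The step budget FUEL, the variable names inp and out for the input and output streams, and the tuple encoding are assumptions of this example. A bounded search of this kind can exhibit a counterexample (invalidity) but cannot prove validity, and it cannot tell divergence from slow termination; partial correctness therefore draws no conclusion from a run that exhausts the budget, while total correctness counts it against the result.

```python
"""Bounded operational check of Hoare triples {p} S {q} over IMP.

Added example (not from the slides). IMP programs are nested tuples;
arithmetic/boolean expressions and assertions are Python expression
strings evaluated in a state (a dict from variable names to values).
Input/output streams are modelled as the list-valued variables 'inp'
(named so because 'in' is a Python keyword) and 'out'.
"""

FUEL = 10_000  # bound on executed statements; exceeding it counts as "did not terminate"


class OutOfFuel(Exception):
    pass


def _ev(expr, state):
    return eval(expr, {"__builtins__": {}}, dict(state))


def holds(assertion, state):
    """sigma |= assertion: evaluate the assertion string in state sigma."""
    return bool(_ev(assertion, state))


def run(stmt, state, fuel=FUEL):
    """Execute stmt from state; return (final_state, fuel_left). Raises OutOfFuel."""
    state = dict(state)
    if fuel <= 0:
        raise OutOfFuel
    fuel -= 1
    kind = stmt[0]
    if kind == "skip":
        return state, fuel
    if kind == "assign":                      # ('assign', x, e)
        state[stmt[1]] = _ev(stmt[2], state)
        return state, fuel
    if kind == "seq":                         # ('seq', S1, S2)
        state, fuel = run(stmt[1], state, fuel)
        return run(stmt[2], state, fuel)
    if kind == "if":                          # ('if', b, S1, S2)
        branch = stmt[2] if holds(stmt[1], state) else stmt[3]
        return run(branch, state, fuel)
    if kind == "while":                       # ('while', b, S): every body run burns fuel
        while holds(stmt[1], state):
            state, fuel = run(stmt[2], state, fuel)
        return state, fuel
    if kind == "read":                        # ('read', x): x := head(in); in := tail(in)
        state[stmt[1]] = state["inp"][0]      # IndexError if in = <>: undefined, see total correctness
        state["inp"] = state["inp"][1:]
        return state, fuel
    if kind == "write":                       # ('write', e): out := out ^ <e>
        state["out"] = state["out"] + [_ev(stmt[1], state)]
        return state, fuel
    raise ValueError(f"unknown statement {kind}")


def check(p, stmt, q, states, total=False):
    """Check {p} stmt {q} on every state in `states` that satisfies p.

    Partial correctness: a run that does not finish within FUEL gives no
    verdict. Total correctness (total=True): such a run is a counterexample.
    Returns the list of violating start states (empty = no counterexample found).
    """
    bad = []
    for s in states:
        if not holds(p, s):
            continue
        try:
            final, _ = run(stmt, s)
        except OutOfFuel:
            if total:
                bad.append(s)
            continue
        if not holds(q, final):
            bad.append(s)
    return bad


# The loops from the "Results" slides, over a constructed range of start states.
COUNT_UP = ("while", "x < 10", ("assign", "x", "x + 1"))
COUNT_TO_10 = ("while", "x != 10", ("assign", "x", "x + 1"))
STATES = [{"x": x} for x in range(-3, 16)]

if __name__ == "__main__":
    print(check("x >= 0", COUNT_UP, "x == 10", STATES))               # invalid: x = 11.. stay put
    print(check("x >= 0", COUNT_UP, "x >= 10", STATES))               # no counterexample
    print(check("True", COUNT_TO_10, "x == 10", STATES))              # partial: no counterexample
    print(check("True", COUNT_TO_10, "x == 10", STATES, total=True))  # total: x > 10 never ends
```

The same checker handles the read/write examples by putting inp and out into the start state, e.g. {inp = [3, 4], out = []} for the derivation problem later in the slides.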


Terminology (*important*!)

Assertion: may be Satisfied or Not Satisfied by a particular state

Result: may be Valid or Invalid in a given (operational) model

Result: may be Derivable or Not Derivable in a given axiom system

Some meaningless statements:

"{p} S {q} is true" (note: true is a particular assertion)

"{p} S {q} is valid for some states"

"(The assertion) p is not valid"



Relation Between A.S. & Model

If a given result is derivable in a given axiom system A, will it be valid in an operational model M? Not necessarily.

Soundness (also "consistency"): An axiom system A is sound/consistent with model M if every result derivable using the axioms/rules of A is valid in M; i.e.:

⊢A {p} S {q} ⇒ ⊨M {p} S {q}

Completeness: An axiom system A is complete with respect to model M if every result that is valid in M is derivable using the axioms/rules of A:

⊨M {p} S {q} ⇒ ⊢A {p} S {q}


Axiomatic Semantics of IMP

A.S.: A collection of "axioms" and "rules of inference" ("rules") specified using the same {p} S {q} notation

A0: skip axiom: { p } skip { p } where p is any assertion

Using this, can derive:

{ (x = 1) ∧ (y = 2) } skip { (x = 1) ∧ (y = 2) }

by taking p to be the assertion (x = 1) ∧ (y = 2) & using A0

Cannot derive:

{ (x = 1) } skip { (x = 1) ∧ (y = 2) }

which is good (why?)

Cannot derive:

{ (x = 1) ∧ (y = 2) } skip { (x = 1) }

which is bad (why?)


Axiomatic Semantics of IMP

R0: Rule of Consequence:

{ p } S { q' }, q' ⇒ q
-------------------------------
{ p } S { q }

(p, q, q': any assertions; S: any stmt)

Using R0 (and A0) we can derive:

{ (x = 1) ∧ (y = 2) } skip { (x = 1) }

Another form of the rule of consequence:

p ⇒ p', { p' } S { q }
-------------------------------
{ p } S { q }

(p, q, p': any assertions; S: any stmt)

Consider other forms of consequence (including inconsistent ones?)


Axiomatic Semantics of IMP (contd)

A1. Assignment axiom:

{ p^x_e } x := e { p } where p is any assertion;

p^x_e is obtained from p by (simultaneously) replacing all occurrences of x in p by e. (Note: p^x_e ≡ p[x/e])

We can derive:

{ x+1 = y+z } x := x+1 { x = y+z } (take p to be x = y+z)

{ y+z ≥ 0 } x := y+z { x ≥ 0 } (take p to be x ≥ 0)

{ y+z = y+z } x := y+z { x = y+z } (take p to be x = y+z)

Operational Justification: If we want the state following the assignment to satisfy p, the state before it should satisfy the same assertion, except with the value of e satisfying the conditions expected of the value of x


Axiomatic Semantics of IMP (contd.)

Caution: In axiomatic derivations, you are only allowed to use the axioms and rules of the system; no appeals to operational intuitions. If you make such appeals, you have an operational argument, not an axiomatic derivation

Summary: The axiomatic semantics of a language consists of:

An axiom for each atomic statement

A rule (of inference) for each compound stmt

+ Logical rules



Axiomatic Semantics of IMP (contd)

R1: Sequential Composition:

{ p } S1 { q' }, { q' } S2 { q }
----------------------------------------
{ p } S1; S2 { q }

(p, q', q: any assertions; S1, S2: any stmts.)

Using this, the skip axiom, & the assignment axiom, we can derive:

{x+1 = y+z} skip; x := x+1 {x = y+z}

Operational Justification: If the state before S1 starts execution satisfies p, then { p } S1 { q' } guarantees that the state when S1 finishes will satisfy q';

hence { q' } S2 { q } guarantees the state when S2 finishes will satisfy q;

hence the conclusion of the rule follows given these two results.

Caution: In (axiomatic) derivations, no appeals to operational intuitions!


Axiomatic Semantics of IMP (contd)

write e ≡ out := out ^ e

A2. write axiom: { p[out / out^e] } write e { p } (where p is any assertion)

read x ≡ ( x := head(in); in := tail(in) )

{ (p[in/tail(in)])[x/head(in)] }

x := head(in);

{ p[in/tail(in)] }

in := tail(in)

{ p }

A3. read axiom:

{ (p[in/tail(in)])[x/head(in)] } read x { p } (p: any assertion)


Axiomatic Semantics of IMP (contd)

Problem: Derive the following result (axiomatically):

{ (in = <3, 4>) ∧ (out = <>) }

read x; read y; write (x+y);

{ out = <7> }

Derivation (or "proof") outline:

{ (in = <3, 4>) ∧ (out = <>) } (rule of cons.)

{ out^(head(in) + head(tail(in))) = <7> } (read axiom)

read x;

{ out^(x + head(in)) = <7> } (read axiom)

read y;

{ out^(x + y) = <7> } (write axiom)

write (x+y);

{ out = <7> }


Axiomatic Semantics of IMP (contd)

R2: If-then-else:

{ p ∧ b } S1 { q }, { p ∧ ¬b } S2 { q }
--------------------------------------------------
{ p } if b then S1 else S2 { q }

Operational Justification: Suppose we start in a state σ ∈ P. There are two ways to proceed: if b holds, execute S1; if not, execute S2. In either case, the hypotheses (assuming they are valid) guarantee that the final state will satisfy q. Hence the conclusion follows.

Caution: In (axiomatic) derivations, no appeals to operational intuitions!


Axiomatic Semantics of IMP (contd)

Problem: Derive the following result (axiomatically):

{ y = 1 }

if (y = 1) then x := 1 else x := 2

{ x = 1 }

1. { (y = 1) ∧ (y = 1) } x := 1 { x = 1 } (by Ass. ax., rule of conseq.)

2. { 2 = 1 } x := 2 { x = 1 } (by Ass. ax., rule of conseq.)

3. { (y = 1) ∧ (y ≠ 1) } x := 2 { x = 1 } (by (2), rule of conseq.)

4. { y = 1 }

if (y = 1) then x := 1 else x := 2

{ x = 1 } (by (1), (3), and the if-then-else rule)

Derive:

{ true } if (y = 1) then x := 1 else x := 2 { (x = 1) ∨ (x = 2) }

{ true } if (y = 1) then ... { [(y = 1) ∧ (x = 1)] ∨ [(y ≠ 1) ∧ (x = 2)] }
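The derivation outlines for the read/write problem and for the if-then-else problem above both push the postcondition backwards through the program by substitution, leaving one implication for the rule of consequence. As an added example, not from the slides, the Python below mechanises that: p[x/e] is performed on the parsed syntax tree rather than by text replacement, read and write are handled exactly as axioms A3 and A2 prescribe, if-then-else combines the two branch preconditions as R2 plus consequence allow, and the remaining obligation p ⇒ (derived precondition) is tested on constructed states. The names inp and out for the streams, the list encoding of sequences (head(in) is inp[0], tail(in) is inp[1:], out^<e> is out + [e]) and the tuple encoding of programs are assumptions of the example.

```python
"""Backward derivation via substitution, as in the assignment/read/write axioms.

Added example (not from the slides). Assertions and expressions are Python
expression strings; p[x/e] is done on the syntax tree (ast), so substituting
"x + 1" for x in "x * 2 == y" gives "(x + 1) * 2 == y", not a textual splice.
The input and output streams are the list variables 'inp' ('in' is a Python
keyword) and 'out'.
"""
import ast


class _Subst(ast.NodeTransformer):
    def __init__(self, var, replacement):
        self.var, self.replacement = var, replacement

    def visit_Name(self, node):
        if node.id == self.var:
            return ast.copy_location(self.replacement, node)
        return node


def subst(p, x, e):
    """p[x/e]: replace every occurrence of variable x in assertion p by expression e."""
    tree = ast.parse(p, mode="eval")
    repl = ast.parse(e, mode="eval").body
    new = _Subst(x, repl).visit(tree)
    return ast.unparse(ast.fix_missing_locations(new))


def wp(stmt, q):
    """Precondition obtained by pushing q backwards through stmt with the axioms/rules."""
    kind = stmt[0]
    if kind == "skip":                                   # A0
        return q
    if kind == "assign":                                 # A1: {p[x/e]} x := e {p}
        return subst(q, stmt[1], stmt[2])
    if kind == "seq":                                    # R1, applied right to left
        return wp(stmt[1], wp(stmt[2], q))
    if kind == "write":                                  # A2: {p[out/out^e]} write e {p}
        return subst(q, "out", f"out + [{stmt[1]}]")
    if kind == "read":                                   # A3: {(p[in/tail(in)])[x/head(in)]} read x {p}
        return subst(subst(q, "inp", "inp[1:]"), stmt[1], "inp[0]")
    if kind == "if":                                     # R2 with consequence: (b and wp1) or (not b and wp2)
        b, s1, s2 = stmt[1], stmt[2], stmt[3]
        return f"(({b}) and ({wp(s1, q)})) or (not ({b}) and ({wp(s2, q)}))"
    raise ValueError(kind)


def holds(assertion, state):
    return bool(eval(assertion, {"__builtins__": {}}, dict(state)))


def implies_on(p, q, states):
    """Bounded check of p => q: the states satisfying p but not q (rule-of-consequence obligation)."""
    return [s for s in states if holds(p, s) and not holds(q, s)]


# read x; read y; write (x+y)
READ_ADD = ("seq", ("read", "x"), ("seq", ("read", "y"), ("write", "x + y")))
# if (y = 1) then x := 1 else x := 2
IF_PROG = ("if", "y == 1", ("assign", "x", "1"), ("assign", "x", "2"))
STATES20 = [{"y": y, "x": 0} for y in range(-3, 4)]   # constructed states for the if example

if __name__ == "__main__":
    pre = wp(READ_ADD, "out == [7]")
    print(pre)                                         # out + [inp[0] + inp[1:][0]] == [7]
    print(holds(pre, {"inp": [3, 4], "out": []}))      # the consequence step of the outline
    print(wp(IF_PROG, "x == 1"))
    print(implies_on("y == 1", wp(IF_PROG, "x == 1"), STATES20))            # []
    print(implies_on("True", wp(IF_PROG, "x == 1 or x == 2"), STATES20))    # []
```

The printed precondition for READ_ADD is the formula the outline writes as out^(head(in) + head(tail(in))) = <7>; evaluating it in the start state in = <3, 4>, out = <> is the oracle step that the rule of consequence requires. Substitution on the tree also shows why simultaneous replacement matters: the read axiom first replaces in, then x, and x's replacement introduces a fresh inp[0] that the earlier replacement must not touch.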


Axiomatic Semantics of IMP (contd)

R3: while rule:

p ⇒ q, { q ∧ b } S { q }, (q ∧ ¬b) ⇒ r
-------------------------------------------------------
{ p } while b do S { r }

The following rule, given the rule of conseq., is equivalent:

{ q ∧ b } S { q }
-------------------------------------------------------
{ q } while b do S { q ∧ ¬b }

I.e.: Any result derivable using R3 is derivable using the above (plus the rule of consequence), and vice versa

Operational justification: ...

R3 is complete ... somewhat surprising: we can always find an appropriate loop invariant


Problem: Derive the following result (axiomatically):

{ (x ≥ 0) ∧ (y > 0) }

q := 0; r := x;

while ((r-y) ≥ 0) do q := q+1; r := r-y; end

{ (x = q*y + r) ∧ (0 ≤ r < y) }

Take loop invariant p to be: p ≡ [(x = q*y + r) ∧ (0 ≤ r) ∧ (y > 0)]

Derivation outline:

{ (x ≥ 0) ∧ (y > 0) }

q := 0; r := x;

{ (x ≥ 0) ∧ (y > 0) ∧ (q = 0) ∧ (r = x) }

{ p }

while ...

{ p ∧ ¬((r-y) ≥ 0) }

{ (x = q*y + r) ∧ (0 ≤ r < y) }

Key step 1: { p ∧ ((r-y) ≥ 0) } q := q+1; r := r-y { p } (by ass. ax., seq. comp., conseq.)

Key step 2: [p ∧ ¬((r-y) ≥ 0)] ⇒ [(x = q*y + r) ∧ (0 ≤ r < y)] (by math logic/oracle)
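As an added example (not from the slides), the Python below tests the three hypotheses of R3 for the division loop above over a constructed box of states: {pre} q := 0; r := x {p}, {p ∧ b} body {p}, and (p ∧ ¬b) ⇒ post. Assertions are predicates on a state dict and the body is a state-to-state function; a finite check of this kind is a falsification test, not the oracle a derivation relies on, but it catches a wrong body or a too-weak invariant immediately. A body that subtracts x instead of y (an easy slip to make when copying the loop) is included to show what a failing preservation obligation looks like.

```python
"""Bounded check of the three hypotheses of the while rule (R3) for the
division-by-repeated-subtraction loop.

Added example (not from the slides). Assertions are Python predicates on a
state dict; the loop body and the initialisation are state-to-state
functions. Checking every state in a finite box finds counterexamples; it
does not by itself prove the obligations.
"""
import itertools


def states(**ranges):
    """All states whose variables take values in the given ranges (constructed domain)."""
    names = list(ranges)
    for vals in itertools.product(*(ranges[n] for n in names)):
        yield dict(zip(names, vals))


def check_while_rule(pre, init, inv, guard, body, post, domain):
    """Counterexamples to (1) {pre} init {inv}, (2) {inv and b} body {inv}, (3) (inv and not b) => post."""
    bad = {"init": [], "preserve": [], "exit": []}
    for s in domain:
        if pre(s) and not inv(init(dict(s))):
            bad["init"].append(s)
        if inv(s) and guard(s) and not inv(body(dict(s))):
            bad["preserve"].append(s)
        if inv(s) and not guard(s) and not post(s):
            bad["exit"].append(s)
    return bad


# {(x >= 0) and (y > 0)} q := 0; r := x; while (r - y >= 0) do q := q+1; r := r-y end
# {x = q*y + r and 0 <= r < y}, with invariant p = (x = q*y + r) and (0 <= r) and (y > 0)
pre = lambda s: s["x"] >= 0 and s["y"] > 0
inv = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] and s["y"] > 0
guard = lambda s: s["r"] - s["y"] >= 0
post = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] < s["y"]


def init(s):                      # q := 0; r := x
    s["q"] = 0
    s["r"] = s["x"]
    return s


def body(s):                      # q := q + 1; r := r - y
    s["q"] += 1
    s["r"] -= s["y"]
    return s


def body_slip(s):                 # a plausible slip: r := r - x instead of r := r - y
    s["q"] += 1
    s["r"] -= s["x"]
    return s


# Constructed domain; negative r and y <= 0 are included so that inv itself screens them out.
DOMAIN = list(states(x=range(0, 13), y=range(-1, 5), q=range(0, 13), r=range(-2, 13)))


def obligations(b=body):
    return check_while_rule(pre, init, inv, guard, b, post, DOMAIN)


if __name__ == "__main__":
    print(obligations())                            # {'init': [], 'preserve': [], 'exit': []}
    print(obligations(body_slip)["preserve"][:3])   # states in which the slip breaks the invariant
```

Obligation (1) is the assignment-axiom step of the outline (pre ⇒ p[q/0][r/x]), (2) is Key step 1 and (3) is Key step 2; with the slip, x = q*y + r no longer survives the body unless x = y, so the checker reports those states.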


Derive:

{ (in = <1, 2, 3, ..., 100>) ∧ (out = <>) }

read x;

while (x ≠ 100) do write x; read x; end

{ out = <1, 2, ..., 99> }

Take loop invariant p to be: p ≡ [out^x^in = <1, 2, ..., 100>]

Derivation outline:

{ (in = <1, 2, 3, ..., 100>) ∧ (out = <>) }

read x;

{ (x = 1) ∧ (in = <2, 3, ..., 100>) ∧ (out = <>) }

{ out^x^in = <1, 2, ..., 100> }

while (x ≠ 100) do write x; read x; end

{ (out^x^in = <1, 2, ..., 100>) ∧ (x = 100) }

{ out = <1, 2, ..., 99> }


Derive:

{ (in = <1, 2, 3, ..., 100>) ∧ (out = <>) }

s := 0; read x;

while (x ≠ 100) do s := s+x; read x; end

{ s = Σ_{k=0..99} k }

Take loop invariant p to be: [(#in = 100 - x) ∧ ∀k.[(0 < k ≤ #in) ⇒ (in[k] = x+k)] ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..x-1} k)]

A more intuitive loop invariant:

[(in = <x+1, ..., 100>) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..x-1} k)]

Key step:

{ p ∧ (x ≠ 100) }

s := s+x; read x;

{ p }

Note: (head(in) = x+1) [implied by p] is important in showing that (p ∧ (x ≠ 100)) implies p' [obtained by taking p back through the loop body with the read and assignment axioms]


(In)Completeness

R3: while rule:

p ⇒ q, { q ∧ b } S { q }, (q ∧ ¬b) ⇒ r
-------------------------------------------------------
{ p } while b do S { r }

A simpler rule:

p ⇒ q, { q } S { q }, (q ∧ ¬b) ⇒ r
-------------------------------------------------------
{ p } while b do S { r }

Using this rule, we can derive: { x = 0 } while (x ≠ 10) do x := x+1 { x = 10 }

Take p to be (x = 0) and q to be true


(In)Completeness (contd.)

The rule is incomplete:

p ⇒ q, { q } S { q }, (q ∧ ¬b) ⇒ r
-------------------------------------------------------
{ p } while b do S { r }

Cannot derive: { x = 0 ∧ y = 0 } while (x ≠ 0) do y := y+1 { x = 0 ∧ y = 0 }

(which is valid: when x = 0 the loop body never runs)

Proof: Suppose we could. Then there must exist q such that:

a. (x = 0 ∧ y = 0) ⇒ q

b. { q } y := y+1 { q }

c. (q ∧ x = 0) ⇒ (x = 0 ∧ y = 0)

Then <x=0, y=0, z=0> ∈ Q [by (a)]

Hence <x=0, y=1, z=0> ∈ Q [by (b)]

Hence <x=0, y=1, z=0> ∈ Q ∩ (x = 0) [why?]

But <x=0, y=1, z=0> is not in (x = 0 ∧ y = 0), contradicting (c)

Hence such a q cannot exist!


Consistency/Completeness

How do you show a system A is consistent and/or complete (with respect to a model M)?

Generally a tedious task.

Special case: If we are told that A' is consistent/complete and A is obtained from A' by making some changes to some rules of A', we may be able to use the following approach:

Completeness: Show that all results derivable in A' are also derivable in A. Then completeness of A' implies completeness of A (with respect to the same model).

Consistency: Show that all results derivable in A are also derivable in A'. Then consistency of A' implies consistency of A (with respect to the same model).


Axiomatic Semantics of IMP (contd)

Suppose we change the if-then-else rule:

{ p ∧ b } S1 { q }, { p ∧ ¬b } S2 { q }
--------------------------------------------------
{ p } if b then S1 else S2 { q }

To:

{ p ∧ b } S1 { q ∧ b }, { p ∧ ¬b } S2 { q ∧ ¬b }
------------------------------------------------------------
{ p } if b then S1 else S2 { q }

The resulting system will be consistent: show that every result derivable in the new system is derivable in the original system

Completeness?


Total Correctness

How do we derive: { in = <> } read x { false } ? (1)

We can't!

A better axiom for read:

(p ∧ in ≠ <>) ⇒ (q[in/tail(in)])[x/head(in)]
--------------------------------------------------
{ p } read x { q }

With this axiom, we can derive (1).

Also suggests a total correctness axiom for read:

p ⇒ [ in ≠ <> ∧ (q[in/tail(in)])[x/head(in)] ]
-----------------------------------------------------
< p | read x | q >


Total Correctness (contd.)

Similar considerations for assignment: { (x = 0) ∧ (y = 3) } z := y/x { false } ? (1)

We can't!

A better axiom (D(e): the expression e is defined):

(p ∧ D(e)) ⇒ q[x/e]
--------------------------------------------------
{ p } x := e { q }

With this axiom, we can derive (1).

Also suggests a total correctness axiom:

p ⇒ [ D(e) ∧ q[x/e] ]
-----------------------------------------------------
< p | x := e | q >


Total Correctness (contd.)

Total correctness rule for while:

(p ∧ b) ⇒ (f > 0), < p ∧ b ∧ f = k | S | p ∧ (f < k) >
--------------------------------------------------
< p | while b do S | p ∧ ¬b >

a. Why does f have to be an integer function of the state?

b. What if b is not well defined?

c. What would happen if we change "<...|..|..>" in the second line to "{...}..{..}"?

The other rules are essentially the same as the corresponding partial correctness rules:

< p | S1 | q1 >, < q1 | S2 | q >
--------------------------------------
< p | S1; S2 | q >


Total Correctness (contd.)

Derive:

< s = 0 ∧ x = 0 |

while x ≠ 10 do x := x+1; s := s+x; end

| s = 0 + 1 + 2 + 3 + ... + 10 >

Loop invariant: p ≡ (0 ≤ x ≤ 10 ∧ s = Σ_{n=0..x} n)

Progress function (also called "progress metric", "convergence function", etc.): f(x, s) ≡ (10 - x)

Check: (p ∧ (x ≠ 10)) ⇒ (f > 0) : easy

Derive: < p ∧ (x ≠ 10) ∧ (f = k) | x := x+1; s := s+x | p ∧ (f < k) > : exercise

Hence the original result follows from the rule for loops
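As an added example (not from the slides), the Python below tests the two extra obligations of the total-correctness while rule, (p ∧ b) ⇒ f > 0 and f strictly decreasing across the body, together with invariance, over constructed finite boxes of states. It is run first for the summation loop above with f = 10 - x, then for the division loop of the earlier partial-correctness example with f = r and y = 0 admitted by the invariant: both obligations fail on exactly the states with y = 0, which are the inputs on which that loop diverges and on which partial correctness held only vacuously. The domains and the choice of f for the division loop are assumptions of the example.

```python
"""Bounded check of the total-correctness while rule: besides invariance,
(p and b) => f > 0 and each iteration strictly decreases the integer
progress function f.

Added example (not from the slides). Assertions are predicates on a state
dict, the body is a state-to-state function, f maps a state to an integer.
"""
import itertools


def states(**ranges):
    """All states whose variables take values in the given ranges (constructed domain)."""
    names = list(ranges)
    for vals in itertools.product(*(ranges[n] for n in names)):
        yield dict(zip(names, vals))


def check_total_while(inv, guard, body, f, domain):
    """Counterexamples to (a) (inv and b) => f > 0 and (b) <inv and b and f = k | body | inv and f < k>."""
    bad = {"positive": [], "decrease": [], "preserve": []}
    for s in domain:
        if not (inv(s) and guard(s)):
            continue
        k = f(s)
        if not k > 0:
            bad["positive"].append(s)
        t = body(dict(s))
        if not inv(t):
            bad["preserve"].append(s)
        if not f(t) < k:
            bad["decrease"].append(s)
    return bad


# < s = 0 and x = 0 | while x != 10 do x := x+1; s := s+x end | s = 0+1+...+10 >
sum_inv = lambda s: 0 <= s["x"] <= 10 and s["s"] == sum(range(s["x"] + 1))
sum_guard = lambda s: s["x"] != 10
sum_f = lambda s: 10 - s["x"]


def sum_body(s):                  # x := x + 1; s := s + x
    s["x"] += 1
    s["s"] += s["x"]
    return s


SUM_DOMAIN = list(states(x=range(-2, 13), s=range(0, 60)))

# The division loop again, with f = r (assumed here) and y = 0 admitted by the invariant.
div_inv = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and s["r"] >= 0 and s["y"] >= 0
div_guard = lambda s: s["r"] - s["y"] >= 0
div_f = lambda s: s["r"]


def div_body(s):                  # q := q + 1; r := r - y
    s["q"] += 1
    s["r"] -= s["y"]
    return s


DIV_DOMAIN = list(states(x=range(0, 9), y=range(0, 4), q=range(0, 9), r=range(0, 9)))


def sum_obligations():
    return check_total_while(sum_inv, sum_guard, sum_body, sum_f, SUM_DOMAIN)


def div_obligations():
    return check_total_while(div_inv, div_guard, div_body, div_f, DIV_DOMAIN)


if __name__ == "__main__":
    print(sum_obligations())                       # all three lists empty: the loop terminates
    print(div_obligations()["positive"][:3])       # y = 0, r = 0: the guard holds but f is not > 0
    print(div_obligations()["decrease"][:3])       # y = 0: r := r - 0 leaves f unchanged
```

Strengthening the division invariant back to y > 0 (as in the partial-correctness derivation) removes both counterexample lists, which is the answer to question (a) on the previous slide in concrete form: f must be an integer that is forced positive by p ∧ b and forced down by every iteration.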


Non-determinism

Guarded commands: Selection: [b1 → S1 | b2 → S2 | ... | bn → Sn]

To execute: choose any bi that evaluates to true and execute the corresponding Si; if all bi are false, error

e.g.: [ x ≥ y → z := x | y ≥ x → z := y ] : sets z to the larger of x, y

Repetition: *[b1 → S1 | b2 → S2 | ... | bn → Sn]

To execute: choose any bi that evaluates to true and execute the corresponding Si. Repeat until, after some number of iterations, all bi evaluate to false; at that point, stop.

Loop may not terminate, or may terminate in 0 iterations

e.g.: *[ x1 > x2 → exch(x1, x2) | x2 > x3 → exch(x2, x3) | x3 > x4 → exch(x3, x4) ] : sorts [x1, x2, x3, x4]


Axiomatics of non-determinism

Selection:

{ p ∧ b1 } S1 { q }, { p ∧ b2 } S2 { q }, ..., { p ∧ bn } Sn { q }
---------------------------------------------------------------------------
{ p } [b1 → S1 | b2 → S2 | ... | bn → Sn] { q }

Repetition:

{ p ∧ b1 } S1 { p }, { p ∧ b2 } S2 { p }, ..., { p ∧ bn } Sn { p }
---------------------------------------------------------------------------
{ p } *[b1 → S1 | ... | bn → Sn] { p ∧ ¬b1 ∧ ¬b2 ∧ ... ∧ ¬bn }

In the selection rule, what if none of the bi's evaluates to true?

Total correctness rules?
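As an added example (not from the slides), the Python below executes guarded commands exhaustively: every enabled guard is tried, so the result is the set of all states a non-deterministic run can end in, which is what the selection and repetition rules above quantify over. For the sorting loop every schedule is explored and the repetition rule's invariant (the multiset of values is unchanged) is checked at each reachable state, answering "{p ∧ bi} Si {p}" for every i along the way; for selection, the case in which no guard is enabled raises, which is the "error" outcome the rule is silent about. The encoding of a command as a list of (guard, action) pairs is an assumption of the example, and the exploration terminates only when finitely many states are reachable, as it is here.

```python
"""Exhaustive execution of guarded commands: every choice among the enabled
guards is explored, so the reachable and terminal state sets are exact.

Added example (not from the slides). A command is a list of (guard, action)
pairs; guards are predicates on a state dict and actions map a state to a
new state. States are stored as frozensets of items so they can be put in sets.
"""


class NoGuardEnabled(Exception):
    pass


def select(cmd, state):
    """[b1 -> S1 | ... | bn -> Sn]: the set of possible results (states as frozen items)."""
    results = {frozenset(act(dict(state)).items()) for g, act in cmd if g(state)}
    if not results:
        raise NoGuardEnabled(state)        # all guards false: error
    return results


def repeat(cmd, state, invariant=None):
    """*[b1 -> S1 | ... | bn -> Sn]: explore all schedules; return the terminal states.

    If an invariant is given it is checked on every reachable state, i.e. the
    hypotheses {p and bi} Si {p} of the repetition rule are tested along the way.
    Terminates only if finitely many states are reachable.
    """
    start = frozenset(state.items())
    seen, work, terminal = {start}, [start], set()
    while work:
        cur = work.pop()
        s = dict(cur)
        if invariant is not None and not invariant(s):
            raise AssertionError(f"invariant violated in {s}")
        enabled = [act for g, act in cmd if g(s)]
        if not enabled:                     # all guards false: this schedule stops here
            terminal.add(cur)
            continue
        for act in enabled:
            nxt = frozenset(act(dict(s)).items())
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return terminal


def exch(a, b):
    def act(s):
        s[a], s[b] = s[b], s[a]
        return s
    return act


def assign(var, expr):
    def act(s):
        s[var] = expr(s)
        return s
    return act


# [ x >= y -> z := x | y >= x -> z := y ] : z becomes the larger of x, y
MAX_CMD = [(lambda s: s["x"] >= s["y"], assign("z", lambda s: s["x"])),
           (lambda s: s["y"] >= s["x"], assign("z", lambda s: s["y"]))]

# *[ x1 > x2 -> exch(x1, x2) | x2 > x3 -> exch(x2, x3) | x3 > x4 -> exch(x3, x4) ] : sorts x1..x4
SORT_CMD = [(lambda s: s["x1"] > s["x2"], exch("x1", "x2")),
            (lambda s: s["x2"] > s["x3"], exch("x2", "x3")),
            (lambda s: s["x3"] > s["x4"], exch("x3", "x4"))]
KEYS = ("x1", "x2", "x3", "x4")


def sort_results(values):
    """Run SORT_CMD from x1..x4 = values under the invariant 'same multiset'; return the final tuples."""
    bag = sorted(values)
    inv = lambda s: sorted(s[k] for k in KEYS) == bag
    finals = repeat(SORT_CMD, dict(zip(KEYS, values)), invariant=inv)
    return {tuple(dict(f)[k] for k in KEYS) for f in finals}


if __name__ == "__main__":
    print(select(MAX_CMD, {"x": 3, "y": 3, "z": 0}))   # both guards enabled, one result
    print(sort_results((4, 3, 2, 1)))                   # {(1, 2, 3, 4)}: every schedule sorts
    try:
        select(SORT_CMD, {"x1": 1, "x2": 2, "x3": 3, "x4": 4})
    except NoGuardEnabled as e:
        print("selection with no enabled guard:", e)
```

The terminal states returned by repeat are exactly those satisfying p ∧ ¬b1 ∧ ... ∧ ¬bn, the postcondition the repetition rule gives; for the sorting command that conjunction of negated guards is x1 ≤ x2 ≤ x3 ≤ x4, which together with the multiset invariant pins the result down to the sorted permutation.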