Introduction to Axiomatic Semantics (1/2)

Similar documents
Introduction to Axiomatic Semantics (1/2)

Introduction to Axiomatic Semantics

Lectures 20, 21: Axiomatic Semantics

An Annotated Language

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Lecture 5 - Axiomatic semantics

6. Hoare Logic and Weakest Preconditions

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Hoare triples. Floyd-Hoare Logic, Separation Logic

Programming Languages Third Edition

In Our Last Exciting Episode

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Axiomatic Semantics. More Semantics. Review - Operational Semantics. Partial Correctness Assertions. Programs Theorems. Axiomatic Semantics

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Chapter 3 (part 3) Describing Syntax and Semantics

The Rule of Constancy(Derived Frame Rule)

CITS5501 Software Testing and Quality Assurance Formal methods

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Abstract Interpretation

Automated Theorem Proving and Proof Checking

Program Verification. Aarti Gupta

CS2104 Prog. Lang. Concepts

Chapter 3. Describing Syntax and Semantics

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Hoare Logic: Proving Programs Correct

Simply-Typed Lambda Calculus

MITOCW watch?v=kz7jjltq9r4

Induction and Semantics in Dafny

Introduction to Structural Operational Semantics

Behavioral Equivalence

A CRASH COURSE IN SEMANTICS

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Chapter 1. Introduction

Having a BLAST with SLAM

Proving the Correctness of Distributed Algorithms using TLA

Behavioral Equivalence

Chapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction

Chapter 2 & 3: Representations & Reasoning Systems (2.2)

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221

Handout 9: Imperative Programs and State

Defining Languages GMU

Propositional Logic Formal Syntax and Semantics. Computability and Logic

Propositional Logic. Andreas Klappenecker

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Formal Methods. CITS5501 Software Testing and Quality Assurance

Computation Club: Gödel s theorem

Formal Semantics of Programming Languages

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Introduction to Denotational Semantics (1/2)

Operational Semantics

Spark verification features

Operational Semantics. One-Slide Summary. Lecture Outline

Having a BLAST with SLAM

Chapter 3. Describing Syntax and Semantics ISBN

Formal Systems II: Applications

CSC 501 Semantics of Programming Languages

Reasoning About Imperative Programs. COS 441 Slides 10

Recursively Enumerable Languages, Turing Machines, and Decidability

Specification and Verification I

Formal Semantics of Programming Languages

CS323 Lecture - Specifying Syntax and Semantics Last revised 1/16/09

Symbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)

Contents. Chapter 1 SPECIFYING SYNTAX 1

COMP 507: Computer-Aided Program Design

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Hardware versus software

Axiomatic Specification. Al-Said, Apcar, Jerejian

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

Fundamental Concepts. Chapter 1

Discrete Mathematics Lecture 4. Harper Langston New York University

LR Parsing. Table Construction

6.001 Notes: Section 8.1

Com S 541. Programming Languages I

Meeting13:Denotations

Formal Methods in Software Development

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Propositional Logic. Part I

Material from Recitation 1

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Lecture 6: Arithmetic and Threshold Circuits

Symbolic Execution and Proof of Properties

Having a BLAST with SLAM

2 Introduction to operational semantics

Static semantics. Lecture 3-6: Semantics. Attribute grammars (2) Attribute grammars. Attribute grammars example. Dynamic semantics

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

1.3. Conditional expressions To express case distinctions like

Introduction to Automata Theory. BİL405 - Automata Theory and Formal Languages 1

Transcription:

#1 Introduction to Axiomatic Semantics (1/2)

How s The Homework Going? Remember that you can t just define a meaning function in terms of itself you must use some fixed point machinery. #2

#3 Observations A key part of doing research is noticing when something is incongruous. This is related to spotting patterns.

#4 Observations A key part of doing research is noticing when something is incongruous. This is related to spotting patterns. suffix === state r1 r2 === c1 ; c2 r1* === while? do r1 r1 r2 === if? then r1 else r2

What's Wrong Here? Look closely at this opsem rule string = list of characters syntax for list construction s = r1 :: r2 :: S ` r1 r2 matches s leaving S regular expression = tree-structured mathematical object defined by a grammar set of strings #5

#6 Review via Class Participation Tell Me About Operational Semantics Tell Me About Structural Induction Tell Me About Denotational Semantics We would also like a semantics that is appropriate for arguing program correctness Axiomatic Semantics, we ll call it.

#7 Aujourd hui, nous ferons History Assertions Validity Derivation Rules Soundness Completeness

#8 Axiomatic Semantics An axiomatic semantics consists of: A language for stating assertions about programs, Rules for establishing the truth of assertions Some typical kinds of assertions: This program terminates If this program terminates, the variables x and y have the same value throughout the execution of the program The array accesses are within the array bounds Some typical languages of assertions First-order logic Other logics (temporal, linear, pointer-assertion) Special-purpose specification languages (SLIC, Z, Larch)

#9 History Program verification is almost as old as programming (e.g., Checking a Large Routine, Turing 1949) In the late 60s, Floyd had rules for flowcharts and Hoare for structured languages Since then, there have been axiomatic semantics for substantial languages, and many applications ESC/Java, SLAM, PCC, SPARK Ada,

Tony Hoare Quote Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs. -- C.A.R Hoare, An Axiomatic Basis for Computer Programming,1969 #10

#11 Edsger Dijkstra Quote Program testing can be used to show the presence of bugs, but never to show their absence! Qu est-ce que c est?

#12 Tony Hoare Quote, Mark 2 It has been found a serious problem to define these languages [ALGOL, FORTRAN, COBOL] with sufficient rigor to ensure compatibility among all implementations.... one way to achieve this would be to insist that all implementations of the language shall satisfy the axioms and rules of inference which underlie proofs of properties of programs expressed in the language. In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language.

#13 Other Applications of Axiomatic Semantics The project of defining and proving everything formally has not succeeded (at least not yet) Proving has not replaced testing and debugging Applications of axiomatic semantics: Proving the correctness of algorithms (or finding bugs) Proving the correctness of hardware descriptions (or finding bugs) extended static checking (e.g., checking array bounds) Proof-carrying code Documentation of programs and interfaces

#14 Assertion Notation {A} c {B} with the meaning that: if A holds in state σ and if <c, σ> σ then B holds in σ A is the precondition B is the postcondition For example: { y x } z := x; z := z +1 { y < z } is a valid assertion These are called Hoare triples or Hoare assertions

Assertions for IMP {A} c {B} is a partial correctness assertion. Does not imply termination (= it is valid if c diverges) [A] c [B] is a total correctness assertion meaning that If A holds in state σ Then there exists σ such that <c, σ> σ and B holds in state σ Now let us be more formal (you know you want it!) Formalize the language of assertions, A and B Say when an assertion holds in a state Give rules for deriving Hoare triples #15

#16 The Assertion Language We use first-order predicate logic on top of IMP expressions A :: = true false e 1 = e 2 e 1 e 2 A 1 Æ A 2 A 1 Ç A 2 A 1 ) A 2 8x.A 9x.A Note that we are somewhat sloppy in mixing logical variables and the program variables All IMP variables implicitly range over integers All IMP boolean expressions are also assertions

#17 Assertion Judgment ² We need to assign meanings to our assertions New judgment σ ² A to say that an assertion holds in a given state (= A is true in σ ) This is well-defined when σ is defined on all variables occurring in A The ² judgment is defined inductively on the structure of assertions (surprise!) It relies on the denotational semantics of arithmetic expressions from IMP

σ ² true Semantics of Assertions Formal definition always σ ² e 1 = e 2 iff «e 1 σ = «e 2 σ σ ² e 1 e 2 iff «e 1 σ «e 2 σ σ ² A 1 Æ A 2 iff σ ² A 1 and σ ² A 2 σ ² A 1 Ç A 2 iff σ ² A 1 or σ ² A 2 σ ² A 1 ) A 2 iff σ ² A 1 implies σ ² A 2 σ ² 8x.A iff 8n2Z. σ[x:=n] ² A σ ² 9x.A iff 9n2Z. σ[x:=n] ² A #18

#19 Hoare Triple Semantics Now we can define formally the meaning of a partial correctness assertion ² { A } c { B } 8σ2Σ. 8σ 2Σ. (σ ² A Æ <c,σ> σ ) ) σ ² B and a total correctness assertion ² [A] c [B] 8σ2Σ. σ ² A ) 9σ 2Σ. <c,σ> σ Æ σ ² B or even better yet: (explain this to me!) Æ 8σ2Σ. 8σ 2Σ. (σ ² A Æ <c,σ> σ ) ) σ ² B 8σ2Σ. σ ² A ) 9σ 2Σ. <c,σ> σ

Q: Movie Music (420 / 842) In a 1995 Disney movie that has been uncharitably referred to as "Hokey-Hontas", the Stephen Schwartz lyrics "what I love most about rivers is: / you can't step in the same river twice" refer to the ideas of which Greek philosopher?

Computer Science This American Turing-award winner is known for his work on formal semantics of programming languages, automata theory, modal logic, topology, and category theory. His 1959 paper with Rabin, Finite Automata and Their Decision Problem, introduced the idea of nondeterministic machines to automata and complexity theory.

Q: Movies (267 / 842) Name the movie described below, its heroine and its star. This 1979 Ridley Scott movie began the first major American film series with a female action hero. Famously, it is the original movie to pass the Bechdel Test.

#23 Deriving Assertions Have a formal mechanism to decide ² { A } c { B } But it is not satisfactory Because ² {A} c {B} is defined in terms of the operational semantics, we practically have to run the program to verify an assertion It is impossible to effectively verify the truth of a 8x. A assertion (check every integer?) Plan: define a symbolic technique for deriving valid assertions from others that are known to be valid We start with validity of first-order formulas

#24 Derivation Rules We write ` A when A can be derived from basic axioms (` A === we can prove A ) The derivation rules for ` A are the usual ones from first-order logic with arithmetic: ` A ) B ` A ` A ` B ` B ` A Æ B ` A ` [a/x]a (a is fresh) ` [a/x]a ` B ` A ) B ` 8x.A ` [e/x]a ` 8x.A ` [e/x]a ` 9x.A ` 9x.A ` B ` B

#25 Derivation Rules for Hoare Triples Similarly we write ` {A} c {B} when we can derive the triple using derivation rules There is one derivation rule for each command in the language Plus, the evil rule of consequence ` A ) A ` {A} c {B} ` B ) B ` {A } c {B }

Derivation Rules for Hoare Logic One rule for each syntactic construct: ` {A} skip {A} ` {[e/x]a} x := e {A} ` {A} c 1 {B} ` {B} c 2 {C} ` {A} c 1 ; c 2 {C} ` {A Æ b} c 1 {B} ` {A Æ : b} c 2 {B} ` {A} if b then c 1 else c 2 {B} ` {A Æ b} c {A} ` {A} while b do c {A Æ : b} #26

#27 Alternate Hoare Rules For some constructs multiple rules are possible: (Exercise: these rules can be derived from the previous ones using the consequence rules) ` {A} x := e {9x 0.[x 0 /x]a Æ x = [x 0 /x]e} (This one is called the forward axiom for assignment) ` A Æ b ) C ` {C} c {A} ` A Æ : b ) B ` {A} while b do c {B} (C is the loop invariant)

#28 Example: Assignment (Assuming that x does not appear in e) Prove that {true} x := e { x = e } Assignment Rule: because [e/x](x = e)! e = e ` {e = e} x := e {x = e} Use Assignment + Consequence: ` true ) e = e ` {true} x := e {x = e} ` {e = e} x := e {x = e}

#29 The Assignment Axiom (Cont.) Assignment is undoubtedly the most characteristic feature of programming a digital computer, and one that most clearly distinguishes it from other branches of mathematics. It is surprising therefore that the axiom governing our reasoning about assignment is quite as simple as any to be found in elementary logic. - Tony Hoare Caveats are sometimes needed for languages with aliasing (the strong update problem): If x and y are aliased then { true } x := 5 { x + y = 10} is true

#30 Example: Conditional D 1 :: ` {true Æ y 0} x := 1 {x > 0} D 2 :: ` {true Æ y > 0} x := y {x > 0} ` {true} if y 0 then x := 1 else x := y {x > 0} D 1 and D 2 were obtained by consequence and assignment. D 1 details: ` {1 > 0} x := 1 {x > 0} ` true Æ y 0 ) 1 > 0 ` D 1 :: {true Æ y 0} x := 1 {x > 0}

#31 Example: Loop We want to derive that ` {x 0} while x 5 do x := x + 1 { x = 6} Use the rule for while with invariant x 6 ` x 6 Æ x 5 ) x+1 6 ` {x+1 6} x := x+1 { x 6 } ` {x 6 Æ x 5 } x := x+1 {x 6} ` {x 6} while x 5 do x := x+1 { x 6 Æ x > 5} Then finish-off with consequence ` x 0 ) x 6 ` x 6 Æ x > 5 ) x = 6 ` {x 6} while { x 6 Æ x > 5} ` {x 0} while {x = 6}

#32 Using Hoare Rules Hoare rules are mostly syntax directed There are three wrinkles: What invariant to use for while? (fix points, widening) When to apply consequence? (theorem proving) How do you prove the implications involved in consequence? (theorem proving) This is how theorem proving gets in the picture This turns out to be doable! The loop invariants turn out to be the hardest problem! (Should the programmer give them? See Dijkstra, ESC.)

Where Do We Stand? We have a language for asserting properties of programs We know when such an assertion is true We also have a symbolic method for deriving assertions meaning A {A} c {B} symbolic derivation (theorem proving) soundness ` A ` { A} c {B} completeness σ ² A ² {A} c {B} #33

#34 Soundness and Completeness

Soundness of Axiomatic Semantics Formal statement of soundness: if ` { A } c { B } then ² { A } c { B } or, equivalently For all σ, if σ ² A and Op :: <c, σ> σ and Pr :: ` { A } c { B } then σ ² B Op === Opsem Derivation Pr === Axiomatic Proof How shall we prove this, oh class? #35

#36 Not Easily! By induction on the structure of c? No, problems with while and rule of consequence By induction on the structure of Op? No, problems with while By induction on the structure of Pr? No, problems with consequence By simultaneous induction on the structure of Op and Pr Yes! New Technique!

#37 Simultaneous Induction Consider two structures Op and Pr Assume that x < y iff x is a substructure of y Define the ordering (o, p) Á (o, p ) iff o < o or o = o and p < p Called lexicographic (dictionary) ordering This Á is a well founded order and leads to simultaneous induction If o < o then p can actually be larger than p! It can even be unrelated to p!

Soundness of the While Rule (Indiana Proof and the Slide of Doom) Case: last rule used in Pr : ` {A} c {B} was the while rule: Two possible rules for the root of Op (by inversion) We ll only do the complicated case: Assume that σ ² A To show that σ ² A Æ : b Pr 1 :: ` {A Æ b} c {A} ` {A} while b do c {A Æ : b} Op 1 :: <b, σ> true Op 2 :: <c,σ> σ Op 3 :: <while b do c, σ > σ <while b do c, σ > σ By soundness of booleans and Op 1 we get σ ² b Hence σ ² A Æ b By IH on Pr 1 and Op 2 we get σ ² A By IH on Pr and Op 3 we get σ ² A Æ : b, q.e.d. (tricky!) #38

#39 Soundness of the While Rule Note that in the last use of IH the derivation Pr did not decrease But Op 3 was a sub-derivation of Op See Winskel, Chapter 6.5, for a soundness proof with denotational semantics To be continued...

#40 Homework HW 3 Due Soon Axiomatic Reading

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback