A Program Calculus. Wolfgang Schreiner

Similar documents
Coupling the User Interfaces of a Multiuser Program

CS 106 Winter 2016 Craig S. Kaplan. Module 01 Processing Recap. Topics

Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Non-homogeneous Generalization in Privacy Preserving Data Publishing

Computer Organization

The Reconstruction of Graphs. Dhananjay P. Mehendale Sir Parashurambhau College, Tilak Road, Pune , India. Abstract

Skyline Community Search in Multi-valued Networks

Preamble. Singly linked lists. Collaboration policy and academic integrity. Getting help

Proving Vizing s Theorem with Rodin

Recitation Caches and Blocking. 4 March 2019

Linear First-Order PDEs

Offloading Cellular Traffic through Opportunistic Communications: Analysis and Optimization

Transient analysis of wave propagation in 3D soil by using the scaled boundary finite element method

Compiler Optimisation

Variable Independence and Resolution Paths for Quantified Boolean Formulas

An Algorithm for Building an Enterprise Network Topology Using Widespread Data Sources

Message Transport With The User Datagram Protocol

Generalized Edge Coloring for Channel Assignment in Wireless Networks

+ E. Bit-Alignment for Retargetable Code Generators * 1 Introduction A D T A T A A T D A A. Keen Schoofs Gert Goossens Hugo De Mant

Study of Network Optimization Method Based on ACL

SURVIVABLE IP OVER WDM: GUARANTEEEING MINIMUM NETWORK BANDWIDTH

Politehnica University of Timisoara Mobile Computing, Sensors Network and Embedded Systems Laboratory. Testing Techniques

Image compression predicated on recurrent iterated function systems

Generalized Edge Coloring for Channel Assignment in Wireless Networks

Divide-and-Conquer Algorithms

Optimal Oblivious Path Selection on the Mesh

Specifying and Verifying Programs (Part 2)

Lecture 1 September 4, 2013

A Classification of 3R Orthogonal Manipulators by the Topology of their Workspace

On the Role of Multiply Sectioned Bayesian Networks to Cooperative Multiagent Systems

Intensive Hypercube Communication: Prearranged Communication in Link-Bound Machines 1 2

Comparison of Methods for Increasing the Performance of a DUA Computation

Design of Policy-Aware Differentially Private Algorithms

Classifying Facial Expression with Radial Basis Function Networks, using Gradient Descent and K-means

BIJECTIONS FOR PLANAR MAPS WITH BOUNDARIES

Random Clustering for Multiple Sampling Units to Speed Up Run-time Sample Generation

Real-time concepts for Software/Hardware Engineering

Verifying Java Programs Verifying Java Programs with KeY

Distributed Line Graphs: A Universal Technique for Designing DHTs Based on Arbitrary Regular Graphs

Online Appendix to: Generalizing Database Forensics

Loop Scheduling and Partitions for Hiding Memory Latencies

Bends, Jogs, And Wiggles for Railroad Tracks and Vehicle Guide Ways

Particle Swarm Optimization Based on Smoothing Approach for Solving a Class of Bi-Level Multiobjective Programming Problem

Handling missing values in kernel methods with application to microbiology data

Politecnico di Torino. Porto Institutional Repository

Dense Disparity Estimation in Ego-motion Reduced Search Space

A Convex Clustering-based Regularizer for Image Segmentation

Verifying performance-based design objectives using assemblybased vulnerability

Learning Subproblem Complexities in Distributed Branch and Bound

Estimating Velocity Fields on a Freeway from Low Resolution Video

Test-Based Inference of Polynomial Loop-Bound Functions

Verifying Java Programs Verifying Java Programs with KeY

Backpressure-based Packet-by-Packet Adaptive Routing in Communication Networks

Shift-map Image Registration

APPLYING GENETIC ALGORITHM IN QUERY IMPROVEMENT PROBLEM. Abdelmgeid A. Aly

Automation of Bird Front Half Deboning Procedure: Design and Analysis

2-connected graphs with small 2-connected dominating sets

State Indexed Policy Search by Dynamic Programming. Abstract. 1. Introduction. 2. System parameterization. Charles DuHadway

A Duality Based Approach for Realtime TV-L 1 Optical Flow

The Prototype Verification System PVS

6 Gradient Descent. 6.1 Functions

Adjacency Matrix Based Full-Text Indexing Models

Solution Representation for Job Shop Scheduling Problems in Ant Colony Optimisation

WLAN Indoor Positioning Based on Euclidean Distances and Fuzzy Logic

A Plane Tracker for AEC-automation Applications

AnyTraffic Labeled Routing

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Algorithm for Intermodal Optimal Multidestination Tour with Dynamic Travel Times

Queueing Model and Optimization of Packet Dropping in Real-Time Wireless Sensor Networks

Trace-based Approach to Editability and Correspondence Analysis for Bidirectional Graph Transformations

CS269I: Incentives in Computer Science Lecture #8: Incentives in BGP Routing

CordEx. >> Operating instructions. English

Learning convex bodies is hard

Using Vector and Raster-Based Techniques in Categorical Map Generalization

Optimal Routing and Scheduling for Deterministic Delay Tolerant Networks

2.7 Implicit Differentiation

THE BAYESIAN RECEIVER OPERATING CHARACTERISTIC CURVE AN EFFECTIVE APPROACH TO EVALUATE THE IDS PERFORMANCE

Inuence of Cross-Interferences on Blocked Loops: to know the precise gain brought by blocking. It is even dicult to determine for which problem

Table-based division by small integer constants

PART 2. Organization Of An Operating System

A Neural Network Model Based on Graph Matching and Annealing :Application to Hand-Written Digits Recognition

A shortest path algorithm in multimodal networks: a case study with time varying costs

DEVELOPMENT OF DamageCALC APPLICATION FOR AUTOMATIC CALCULATION OF THE DAMAGE INDICATOR

d 3 d 4 d d d d d d d d d d d 1 d d d d d d

Backpressure-based Packet-by-Packet Adaptive Routing in Communication Networks

MORA: a Movement-Based Routing Algorithm for Vehicle Ad Hoc Networks

Kinematic Analysis of a Family of 3R Manipulators

Verifying Java Programs with KeY

Algebraic transformations of Gauss hypergeometric functions

Impact of cache interferences on usual numerical dense loop. nests. O. Temam C. Fricker W. Jalby. University of Leiden INRIA University of Versailles

Frequent Pattern Mining. Frequent Item Set Mining. Overview. Frequent Item Set Mining: Motivation. Frequent Pattern Mining comprises

Characterizing Decoding Robustness under Parametric Channel Uncertainty

Fuzzy Clustering in Parallel Universes

Tight Wavelet Frame Decomposition and Its Application in Image Processing

From an Abstract Object-Oriented Model to a Ready-to-Use Embedded System Controller

FTSM FAST TAKAGI-SUGENO FUZZY MODELING. Manfred Männle

Experion PKS R500 Migration Planning Guide

Detecting Overlapping Communities from Local Spectral Subspaces

Feature Extraction and Rule Classification Algorithm of Digital Mammography based on Rough Set Theory

Polygon Simplification by Minimizing Convex Corners

Transcription:

A Program Calculus Wolfgang Schreiner Wolfgang.Schreiner@risc.uni-linz.ac.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.uni-linz.ac.at September 25, 2008

Abstract This ocument escribes a theory of imperative programs, i.e. programs that operate on a system state which is moifie by their execution. For this purpose, we efine the syntax an formal semantcs of a small imperative programming language, introuce jugements for reasoning about programs written in this language, an efine rules for eriving true jugements. Our treatment inclues variable scopes, control flow interruptions, an (also recursive) methos whose contracts are specifie in the style of behavioral interface escription languages by preconitions, postconitions, an frame conitions. All reasoning is moular, i.e. base on the contracts of methos rather than their implementations. The core of the calculus on the translation of commans to logical formulas escribing the state transitions allowe by the commans; this translation thus removes the syntactic isguise of a comman an iscloses its semantic essence. The calculus supports reasoning about a program s well-formeness, partial correctness, an termination, as well as the automate construction of preconitions, postconitions, an assertions.

Contents 1 Introuction 4 2 Programs 7 2.1 Example Programs......................... 7 2.2 Syntax................................ 11 2.3 Semantics Overview........................ 14 2.4 Semantic Algebras......................... 18 2.5 Program Semantics......................... 27 2.6 Comman Semantics........................ 30 2.7 Expression Semantics........................ 37 2.8 Formula an Term Semantics.................... 38 3 Jugements 42 3.1 Syntax................................ 42 3.2 Semantic Algebras......................... 45 3.3 Jugement Semantics........................ 55 4 Rules 61 4.1 Definitions.............................. 61 4.2 Jugement se RMs S {C}.................... 64 4.3 Jugement se RMs........................ 66 4.4 Jugement se RM........................ 67 4.5 Jugement se,is Ms....................... 68 2

CONTENTS 3 4.6 Jugement se,is M....................... 69 4.7 Jugement se M......................... 71 4.8 Jugement se,is,vs C F.................... 72 4.9 Jugement se,is,vs C : F.................... 77 4.10 Jugement se,is,vs C J F................... 86 4.11 Jugement se,is,vs PRE(C,Q) = P............... 91 4.12 Jugement se,is,vs POST(C,P) = Q.............. 92 4.13 Jugement se,is,vs ASSERT(C,P) = C............ 93 4.14 Jugement F Ks Rs.......................... 97 4.15 Jugement F c F c......................... 98 4.16 Jugement F b F b......................... 99 4.17 Jugement F s Qs Rs......................... 100 4.18 Jugement F e Ls Ks.......................... 101 4.19 Jugement = Rs F.......................... 102 A Mathematical Language 108

Chapter 1 Introuction We present a calculus for reasoning about the properties of imperative programs an verifying their correctness with respect to their specifications. Our presentation consoliates the results presente in [14] where we have elaborate various variants of the calculus in a number of iterations that helpe us to clarify our unerstaning. For more etaile explanations on the rationales behin the concepts presente in this ocument, we mainly refer the reaer to that report. Nevertheless, to make our presentation more self-containe, we repeat here the essence of the introuction of [14]: The core iea of the corresponing program reasoning calculus is to lift the commans as relations principle from the meta-level (the efinition of the semantics) to the object-level (the jugements of the calculus): a comman/program implementation is translate to a preicate logic formula I that captures the program semantics; the specification of the comman/program given by the user is also such a formula S; the implementation is correct with respect to the specification, if I S hols. We believe that, inepenent of the actual verification, the translation of commans to logical formulas may give (after appropriate simplification) crucial insight into the behavior of a program by pushing through the syntactic surface of a program an isclosing its semantic essence ; this is similar to Schmit s approach to enotational program semantics [13] (which however uses a functional moel roote in Scott s omain theory). For this purpose, the calculus is settle in classical preicate logic (in contrast to other approaches base on e.g. ynamic logic [2]); this is the logic that (if any) most software evelopers are familiar with. The iea of programs as state relations is not new: it is the core iea of the Lamport s Temporal Logical of Actions [10] where the iniviual actions of 4

5 a process are escribe by formulas relating pre- to post-states; Boute s Calculational Semantics [3] efines program behavior by program equations; relate approaches are Hehner s Practical Theory of Programming [5] an Hoare an Jifeng s Unifying Theories of Programming [6]. Calculi for program refinement [1, 12, 11, 4] allow specifications as first-orer language constructs at the same level as program commans with which they may be freely intermixe. While the present report buils upon these ieas, it has a ifferent focus. Most of the calculi escribe above work on simple while languages that have clean an elegant calculi but neglect messy constructs that woul complicate the calculus. Our goal, however, is to moel the full richness of program structures incluing local variable eclarations (an thus commans with ifferent scopes), commans that break the control flow (continue, break, return), commans that raise an hanle exceptions (throw, try... catch), expressions that raise exceptions (1/0). Furthermore, our calculus inclues program proceures ( methos ) with static scoping; it supports moular reasoning about programs on the basis of metho specifications (rather than on the basis of metho implementations). A core motivation of our work was to unerstan in epth the semantics of moern behavioral interface specification languages such as JML [7] or Spec# [15] (which buil upon earlier specification languages such as VDM [8]) as the basis of software systems for specifying an verifying computer programs; the metho specifications in the present paper are erive from these. The current version of the calculus hanles most aspects of imperative programming languages with the major exception of atatypes an pointer/reference semantics semantics (programs operate on mathematical values). It oes also not aress object-oriente features (object methos, inheritance, overriing) or concurrency. Since our language moel is much closer to real programming languages, the rules are frequently consierably more complicate than those in the calculi presente above. However, we wante to eal with the current programming reality as it is in contrast to what one might think it shoul be. We also wante to stay as close to the source language as possible an avoi translations to simple core languages (such as performe in ESC/Java2 [9]) since these ten to obfuscate the relationship between the program text accessible to the user an the ultimately constructe semantic interpretation which is use for reasoning/verification. While relational frameworks are goo for moeling partial correctness (no terminating computation exhibits a wrong result), they have problems with moeling total correctness (every computation terminates). There have been various

6 CHAPTER 1. INTRODUCTION attempts to embe termination into the relational structure, e.g. incluing nontermination states ( ) into the omains of the relations or by simply emaning that for correct programs all computations must terminate. We fin these approaches not satisfactory an therefore treat termination as an issue orthogonal to (partial) correctness: every program/comman is, in aition to a state relation R, specifie by an accompanying state conition C: only if C is satisfie in a pre-state, the comman is require to terminate (in some post-state allowe by R); the only connection between C an R is that that for every prestate on which C hols, R must allow some post-state (otherwise, the specification is inconsistent). While we took great effort in [14] to prove the sounness of the rules in a reasonable level of etail, the goal of the present ocument is to give a consoliate reference manual for further work (in particular the implementation of the calculus); no proofs are given at all. With respect to the sounness of the calculus presente in this paper, intellectual integrity emans to clearly state that 1. alreay the results of [14] epen on a number of unprove lemmas an results from simpler moels have been transferre to more general ones without complete formal re-checking, 2. moreover, the semantic framework in this paper has been further generalize by a more comprehensive treatment of recursion, 3. also references to global variables have been introuce to the programming language (in aition to the formula language), 4. furthermore, the rules have been consoliate an moifie for a clearer an more concise presentation, an 5. the sounness of the translation of specification formulas to classical formulas (with respect to the preservation of valiity) has not been prove. Therefore, while our previous work gives us reason to believe that the calculus presente in this ocument is essentially soun, it may nevertheless have small technical errors arising from the various generalizations an changes (notwithstaning any errors that may have alreay plague our previous results). Nevertheless, we feel that the founation is now stable enough for an actual implementation in a software environment for program exploration by which our efforts are spent better than by starting a new roun of sounness proofs; with little oubt, by this implementation technical an pragmatical problems will be etecte.

Chapter 2 Programs In this chapter, we efine the abstract syntax an formal semantics of the programming language about which we are going to reason. 2.1 Example Programs Figures 2.1 gives an example of a program written in the imperative programming language which we are going to formalize in this ocument. A program written in this language consists of a sequence of metho eclarations an a main comman that is execute in the scope of the eclarations; the methos an the main comman are annotate by specifications that escribe their respective behaviors. The example program sets the global variable z to the sum of the values of the global variables x an y; it also sets x to 0 an leaves y unchange. If the global variable x is shaowe (such as by the parameter eclaration in metho a), we still may refer to the variable by the special syntax?x. The specifications of methos an of the main comman consist of a frame conition writesonly Rs which lists all the global variables Rs that are change by the execution of the metho/comman, an exception conition throwsonly Is which lists the names of all the exceptions Is that may be thrown by the metho/comman, a preconition requires F which escribes by the formula F a conition which must be true in that state in which the metho/comman is execute (the prestate), 7

8 2.1 Example Programs metho a(x) writesonly?x throwsonly requires isnat(?x) an isnat(x) ensures next.executes an?x = 0 an next.value =?x+x ecreases ummy { var r = x; invariant next.executes an?x + r =?x + r ecreases?x while (?x > 0) ( r = r+1;?x =?x-1 ) return r; } writesonly x,z throwsonly requires isnat(x) an isnat(y) ensures next.executes an x = 0 an z = x+y ecreases ummy { z = a(y) } Figure 2.1: A Program

9 metho pro(x,y) writesonly throwsonly requires isnat(x) an isnat(y) ensures next.executes an next.value = x*y ecreases ummy { return x*y } recursive ( metho fact0(x) writesonly throwsonly requires isnat(x) ensures... ecreases x { if (x = 0) return 1 else var y; var r; ( y=fact(x-1); r=pro(x,y); return r; ) } ) metho fact(x) writesonly throwsonly requires isnat(x) ensures... ecreases x { if (x = 0) return 1 else var y; var r; ( y=fact0(x-1); r=pro(x,y); return r; ) } writesonly y throwsonly requires isnat(x) ensures next.executes an y =... ecreases ummy { y = fact(x) } Figure 2.2: A Recursive Program

10 2.1 Example Programs a postconition ensures F which escribes by the formula F a relation that must hol between the prestate of the metho/comman an the state in which the execution of the metho/comman terminates (the poststate), a termination measure ecreases T with a term T which enotes a natural number that is ecrease by every recursive invocation of a metho (see below, T is not use, if the metho is not recursive). In a postconition, plain references x respectively?x refer to the values of the corresponing variables in the prestate, while prime reference x respectively?x refer to their values in the poststate. The formula next.executes says that the poststate of the metho/comman is executing (i.e. e.g. no exception is raise), the term next.value refers to the return value of a metho after the execution of a return comman. Also loops may be annotate by specifications that consist of an invariant invariant F where the formula F escribes a relationship between the loop s prestate an the state after every execution of the loop boy. a termination measure ecreases T where the term T enotes a natural number that is ecrease by every iteration of the loop. Without provision, every metho may only call those methos that appear earlier in the list of metho eclarations (which prevents recursion). However, as shown in Figure 2.2, the construct recursive Ms may be use to introuce a recursive metho set Ms, i.e. a set of methos that may call each member in the set, also (irectly or inirectly) recursively. In orer to guarantee the termination of recursive metho invocations, every metho in Ms must specify by ecreases T a termination measure, i.e. a term T that enotes a natural number. If metho a with measure T a calls metho b with measure T b, the value of T b (in the state in which b is calle) must be less than the value of T a (in the state in which a was calle) 1. The methos in the recursion set may nevertheless call those methos that were eclare prior to the set without this provision. 1 This conition is actually stronger than require. By the analysis of the concrete metho call epenencies in Ms, infinite recursion cycles can be rule out, even if not all metho calls ecrease the respective measures. All that is neee is that in every cycle there exists some measure that is ecrease while no other measure is increase. For simplicity, the calculus presente in this paper oes not make use of this generalization.

11 2.2 Syntax Figure 2.3 gives the (abstract) syntax of the programming language which is use to write programs while Figure 2.4 gives the (abstract) syntax of the formula language which is use to write the corresponing program specifications. The programming language moels the core features of classical imperative programming languages but omits type eclarations: all variables range over an unspecifie omain of values. For simplicity, there are no global variable eclarations, instea we assume that every ientifier enotes a istinct variable; local variable eclarations (introuce by the keywor var) may shaow global variables. A variable reference I refers to the value of I in the current context (where I may enote a global variable or a local one) while?i always enotes the global variable. A metho call always returns a value an may appear only as separate comman that assigns the return value to a variable (i.e. no metho calls are allowe within expressions). The keywor assert introuces an assertion; a faile assertion blocks the program i.e. prevents the generation of any poststate. The specification language is essentially the language of first orer preicate logic. Specification formulas are interprete over pairs of states, typically the prestate of a comman an its poststate, enote by the constants now an next, respectively. In formulas, references to program variables may appear as value constants where an unprime reference R enotes the value of the program variable in the prestate an a prime reference R enotes its value in the postate. If a formula shall express a conition on a single state, it is simply interprete over a pair of ientical states, i.e. R an R are then consiere as synonyms. The formula reasonly states that the prestate an the poststate have the same values in all variables enote by some ientifier; the formula writesonly Rs allows the prestate an the poststate to hol ifferent values for those variables that are reference by Rs. Formulas may refer to two kins of logical variables: Value variables of form $I which are boun to values an may be quantifie by forall, exists, an let. State variables of form #I which are boun to states an may be quantifie by allstate an exstate. Program values may be compare by the preicates = an /=. The formulas language inclues value preicates isnat an < an an unspecifie set of other value preicates an value functions.

12 2.2 Syntax Metho Language: Abstract Syntax P Program RMs RecMethos RM RecMetho Ms Methos M Metho S Specification LS LoopSpec C Comman E Expression R Reference F,G,H Formula T Term I,J,K,L Ientifier P ::= RMs S {C}. RMs ::= RMs RM. RM ::= M recursive Ms. Ms ::= Ms M. M ::= metho I(I 1,...,I p ) S {C}. S ::= writesonly R 1,...,R n throwsonly K 1,...,K m requires F C ensures F R ecreases T. LS ::= invariant F ecreases T. C ::= R = E var I; C var I=E; C C 1 ;C 2 if (E) C if (E) C 1 else C 2 while (E) C LS while (E) C continue break return E throw I E try C 1 catch(i k I v ) C 2 R = I(E 1,...,E p ) assert F. E ::= R... R ::= I?I. I ::=...... (continue in Figure 2.4) Figure 2.3: The Programming Language

13 Formula Language: Abstract Syntax... (continue from Figure 2.3) F,G Formula T Term U StateTerm p Preicate f Function F ::= true false p(t 1,...,T n ) T 1 = T 2 T 1 /= T 2 reasonly writesonly R 1,...,R n!f F 1 an F 2 F 1 or F 2 F 1 => F 2 F 1 <=> F 2 F 1 xor F 2 if F then F 1 else F 2 forall $I 1,...,$I n : F exists $I 1,...,$I n : F let $I 1 =T 1,...,$I n =T n in F allstate #I 1,...,#I n : F exstate #I 1,...,#I n : F U 1 == U 2 U.executes U.continues U.breaks U.returns U.throws U.throws I T ::= R R $I f (T 1,...,T n ) if F then T 1 else T 2 let $I 1 =T 1,...,$I n =T n in T U.value U ::= now next #I p ::= isnat <... f ::=... Figure 2.4: The Formula Language

14 2.3 Semantics Overview Program states may be compare by the preicate ==. Every state has a specific status which is inicate by the preicates.executes (normal execution),.continues (after execution of the comman continue),.breaks (after execution of the comman break),.returns (after execution of the comman return),.throws (after execution of the comman throw). After the execution of throw with exception type I, the state satisfies the preicate.throws I. After the execution of return or throw, a state carries a (return/exception) value which can be querie by the state function.value. 2.3 Semantics Overview Before going into the etails of the formal semantics of the programming language, we present in this section an overview of the general ieas. States an Stores Our goal is to escribe the behavior of programs that execute commans which moify the state of a system. The most important part of a state is the store which hols for every variable a value which may be rea an upate by the comman. The other part of the state are control ata which inicate the status of the program after the execution of the comman (see Figure 2.5). The corresponing omains are efine as Store := Variable Value State := Store Control The control ata of a state consist of a flag inicating the execution status ( executing normally, continuing a loop boy, breaking from a loop, returning from a metho, or throwing an exception), a key, i.e. an ientifier inicating the exception type (only use if the execution status is throwing ), a value inicating the return value (if the execution status is returning ) or the exception value (if the execution status is throwing ). A comman always starts its execution in status executing but it may terminate in a state which has any execution status inicate above. The corresponing omains are efine as Control := Flag Key Value Flag := {E,C,B,R,T} Key := Ientifier

15 Ientifiers Global View Local View Space I 1 I 2... I 1 I 2... x a,x b,x c,... Context Variables x 1 x 2 x 1... Control Values v 1 v 2 v 3... c Store State flag key value Figure 2.5: States, Stores an Contexts State Relations an State Conitions A comman consists of two parts: a state relation which escribes those transitions from a prestate to a poststate that may be performe by the comman, a state conition which escribes those prestates for which the comman must make a transition an yiel a poststate. The state relation must for every prestate inclue in the state conition allow at least one poststate. The corresponing omains are StateRelation := P(State State) StateConition := P(State) Comman := StateRelation StateConition The state relation of a comman C is enote by the expression [C ] c,me while its state conition is enote by C c,me ; here c enotes the comman s context, me its metho environment (both see below) an [ ] an are the enotation functions with signatures [ ] : Comman (Context MethoEnvs) StateRelation : Comman (Context MethoEnvs) StateConition

16 2.3 Semantics Overview The subscript parameterizes the semantics with respect to the behavior of unefine program expressions; if set to TRUE, the result are simply unefine values, if set to FALSE they cause the program to raise an expression evaluation exception. Contexts A metho s context etermines to which variables a comman has access. A context consists of (see Figure 2.5) a global view which assigns to every global ientifier?i a variable in the store, a local view which assigns to every local ientifier I a variable in the store, a space which is a pool of variables that are not assigne to any ientifiers an may be use for allocation of local variables. Ientifiers?I an I may be assigne the same variables (the local view coincies with the global view) but, ue to the eclaration of a local variable I, they may also iffer. The space oes not share any variables with either the global or the local view. The corresponing omains are efine as View = Ientifier Variable Space = P (Variable) Context = View View Space Methos A comman s metho environment etermines to which methos a comman has access by assigning to every ientifier a metho that can be calle by the comman. A metho essentially is a mapping from values (the metho s arguments) to a comman (the metho s boy); the arguments are provie by the caller of the metho. Actually, a metho not only epens on arguments but, for execution of its boy, also on a context an a metho environment. The metho environment is the one which is active at the point where the metho is eclare while the context of the metho is constructe as follows: the context s global view is the one which is active when the metho is eclare, the metho s local view is ientical to the global view,

17 the metho s space is the one from the context of metho s caller an provie by the caller. Since a metho nees access to both the global view an the metho environment active at the point of its eclaration, a metho environment assigns to an ientifier actually not only a metho but also global view an a metho environment. We therefore construct the omains of metho environments an metho behaviors in stages : a metho environment of type MethoEnv i+1 assigns to an ientifier a behavior of type Behavior i+1, a global view, an an environment of type MethoEnv i. The corresponing eclarations are (the gaps... are fille later): Metho := Value Comman MethoEnvs := i N MethoEnv i... MethoEnv 0 := Ientifier View Behavior 0 MethoEnv i+1 := DirMethoEnv i... DirMethoEnv i := Ientifier View MethoEnv i Behavior i+1 Behavior 0 := Context Metho Behavior i+1 := Context MethoEnv i Metho Metho environments are constructe by metho eclarations; given a metho environment of type MethoEnv i, a metho eclaration M constructs an environment of type MethoEnv i+1. Recursion The situation gets more complicate, if also recursive metho sets are consiere. The behavior b of a recursive metho is essentially moelle by an infinite sequence b 0,b 1,... of non-recursive metho behaviors where each behavior b j+1 may make use of behavior b j, i.e. b j+1 enotes the behavior of the recursive metho with not more than j recursive invocations. The execution of a recursive metho in prestate s terminates in a poststate s if there exists some j such that the execution of b j in s terminates in s. Given a metho environment of type MethoEnv i, the eclaration of a recursive metho set recursive Ms corresponingly constructs an infinite sequence of metho environments of types RecMethoEnv i j (for each j N) where an environment of type RecMethoEnv i j hols methos of type RecBehaviori j that allow less than j recursive invocations. The corresponing efinitions are as follows:

18 2.4 Semantic Algebras Definitions: Variables an Values Variable :=... Value := B N... Preicate := P(Value ) Function := Value Value := SUCH v : v Value Value := Value { } Figure 2.6: Variables an Values MethoEnvs := i N MethoEnv i j N RecMethoEnv i j MethoEnv i+1 := DirMethoEnv i RecMethoEnv i RecMethoEnv i 0 := Ientifier View MethoEnv i RecBehavior i 0 RecMethoEnv i j+1 := Ientifier View RecMethoEnv i j RecBehaviori j+1 RecBehavior i 0 := Context MethoEnvi Metho RecBehavior i j+1 := Context RecMethoEnvi j Metho In the following section, we will give the full efinitions of the semantic algebras implementing the ieas sketche above. 2.4 Semantic Algebras Figures 2.6 2.17 introuce the semantic algebras, i.e. the omains (aka types ) an associate operations, on which the formal moel of the programming language epen. See Appenix A for information on the mathematical language in which these efinitions are written.

19 Definitions: Contexts View = Ientifier Variable Space = P (Variable) Context = View View Space gview : Context View,gview(v g,v l,s) = v g lview : Context View,lview(v g,v l,s) = v l space : Context Space,space(v g,v l,s) = s context : View View Space Context context(v g,v l,s) = v g,v l,s call : View Space Context call(v,s) = context(v,v,s) range : Context P(Variable) range(c) = range(gview(c)) range(lview(c)) space(c) take : Space (Variable Space) take(s) = LET x = SUCH x : x s IN x,s\{x} push : Context Ientifier Context push(c,i) = LET x,s = take(space(c)) IN context(gview(c),lview(c)[i x],s ) push(c,i 1,...,I n ) push(...push(c,i 1 )...,I n ) Figure 2.7: Contexts

20 2.4 Semantic Algebras Definitions: States State := Store Control store : State Store, store(s,c) = s control : State Control, control(s,c) = c state : Store Control State, state(s,c) = s,c StateFunction := State Value StateFunction := State Value BinaryStateFunction := State State Value ControlFunction := State State Control Figure 2.8: States Definitions: Stores Store := Variable Value rea : State Variable Value rea(s, x) = store(s)(x) write : State Variable Value State write(s,x,v) = state(store(s)[x v],control(s)) writes(s,x 1,v 1,...,x n,v n ) write(...write(s,x 1,v 1 )...,x n,v n ) s = s EXCEPT V v Variable : rea(s,v) rea(s,v) v V s EQUALS c s s = s EXCEPT space(c) s = s EXCEPT c Rs s = s EXCEPT space(c) {[R] c : R Rs} Figure 2.9: Stores

21 Definitions: Control Data Flag := {E,C,B,R,T} Key := Ientifier Control := Flag Key Value flag : Control Flag,flag( f,k,v) = f key : Control Key,key( f,k,v) = k value : Control Value,value( f,k,v) = v cont : Flag Key Value Control cont( f,k,v) = f,k,v execute : State State execute(s) = LET c = control(s) IN state(store(s), cont(e, key(c), value(c))) continue : State State continue(s) = LET c = control(s) IN state(store(s), cont(c, key(c), value(c))) break : State State break(s) = LET c = control(s) IN state(store(s), cont(b, key(c), value(c))) return : State Value State return(s, v) = LET c = control(s) IN state(store(s), cont(r, key(c), v)) throw : State Key Value State throw(s,k,v) = LET c = control(s) IN state(store(s), cont(t, k, v)) executes : P(Control), executes(c) flag(c) = E continues : P(Control), continues(c) flag(c) = C breaks : P(Control), breaks(c) flag(c) = B returns : P(Control), returns(c) flag(c) = R throws : P(Control), throws(c) flag(c) = T Figure 2.10: Control Data

22 2.4 Semantic Algebras Definitions: Expression Evaluation Exceptions EXP := SUCH k : k Key VAL := SUCH v : v Value expthrow : State State expthrow(s) = throw(s, EXP, VAL) expthrows : P(Control) expthrows(c) throws(c) key(c) = EXP Figure 2.11: Expression Evaluation Exceptions Definitions: Commans an Methos StateRelation := P(State State) StateConition := P(State) Comman := StateRelation StateConition rel : Comman StateRelation, rel(r, c) = r con : Comman StateConition, con(r, c) = c comman : StateRelation StateConition Comman comman(r,c) = r,c Metho := Value Comman Figure 2.12: Commans an Methos

23 Definitions: Iteration iterate N State State StateFunction StateRelation iterate(i,t, u, E,C) breaks(control(u(i))) executes(control(t(i))) E(t(i)) = TRUE C(t(i),u(i + 1)) IF continues(control(u(i + 1))) breaks(control(u(i + 1))) THEN t(i + 1) = execute(u(i + 1)) ELSE t(i + 1) = u(i + 1) leaves : P(State) leaves(s) executes(s) continues(s) Figure 2.13: Iteration Definitions: Environments ValueEnv := Ientifier Value ControlEnv := Ientifier Control Environment := ValueEnv ControlEnv venv : Environment ValueEnv, venv(v, c) = v cenv : Environment ControlEnv, cenv(v, c) = c env : ValueEnv ControlEnv Environment, env(v,c) = v,c e[i 1 v 1,...,I n v n ] v env(venv(e)[i 1 v 1,...,I n v n ],cenv(e)) e[i 1 c 1,...,I n c n ] c env(venv(e),cenv(e)[i 1 c 1,...,I n c n ]) Figure 2.14: Environments

24 2.4 Semantic Algebras Definitions: Metho Environments an Behaviors MethoEnvs := i N MethoEnv i j N RecMethoEnv i j DirMethoEnvs := i N DirMethoEnv i RecMethoEnvs := i N RecMethoEnv i MethoEnv 0 := Ientifier View Behavior 0 MethoEnv i+1 := DirMethoEnv i RecMethoEnv i DirMethoEnv i := Ientifier View MethoEnv i Behavior i+1 RecMethoEnv i 0 := Ientifier View MethoEnv i RecBehavior i 0 RecMethoEnv i j+1 := Ientifier View RecMethoEnv i j RecBehaviori j+1 Behavior 0 := Context Metho Behavior i+1 := Context MethoEnv i Metho RecBehavior i 0 := Context MethoEnvi Metho RecBehavior i j+1 := Context RecMethoEnvi j Metho Figure 2.15: Metho Environments an Behaviors

25 Definitions: Metho Access recmetho i, j : RecMethoEnv i j Ientifier Context Metho remetho i, j (me,i m,c) = LET v,me,b = me(i m ),c = call(v,space(c)) IN b c,me recmetho i : RecMethoEnv i Ientifier Context Metho recmetho i (me,i m,c)(v 1,...,v p ) = LET R : StateRelation R(s,s ) j N : LET com = recmetho i, j (me j,i m,c) IN rel(com)(v 1,...,v p )(s,s ) C : StateConition C(s) j N : LET com = recmetho i, j (me j,i m,c) IN con(com)(v 1,...,v p )(s) IN comman(r,c) metho : MethoEnvs Ientifier Context Metho metho(me,i m,c) LET sp = space(c) IN IF me MethoEnv 0 THEN LET v,b = me(i m ),c = call(v,sp) IN b c ELSE IF me DirMethoEnvs THEN LET v,me,b = me(i m ),c = call(v,sp) IN b c,me ELSE IF me RecMethoEnvs THEN ELSE LET i := SUCH i N : me RecMethoEnv i IN recmetho i (me,i m,c) LET i, j := SUCH i, j N : me RecMethoEnv i j IN recmetho i, j (me,i m,c) Figure 2.16: Metho Access

26 2.4 Semantic Algebras Definitions: Metho Environment Construction behavior i : MethoEnv i Ientifier Behavior i+1 behavior i (me,i m ) = LET b : Context MethoEnv i Metho b c,me = metho(me,i m,c) IN b ebase i : View MethoEnv i P(Ientifier) RecMethoEnv i 0 ebase i (v,me,is)(i m ) = LET b : RecBehavior i 0 b c,me (v 1,...,v p ) = IF I m Is THEN /0, /0 ELSE metho(me,i m,c)(v 1,...,v p ) IN v,me,b enext i, j : View RecMethoEnv i j RecMethoEnvi j+1 enext i, j (v,me)(i m ) = LET b : RecBehavior i j+1 b c,me = recmetho i, j (me,i m,c) IN v,me,b Figure 2.17: Metho Environment Construction

27 2.5 Program Semantics Figure 2.18 efines the semantics associate to the top-level syntactic omains of the programming language: Program The valuation function takes a global view v an a space sp an constructs from this a context c in which the metho efinitions RMs are evaluate. These efinitions take a metho environment me of type MethoEnv i an return a metho environment me of type MethoEnv j. The state relation [C ] c,me an state conition C c,me are use to construct the semantics of the metho boy. RecMethos The valuation function takes a metho environment me of type MethoEnv i an return a metho environment of type MethoEnv j (provie that the RecMethos argument consists of j i RecMetho components). RecMetho Given a non-recursive metho M, a metho environment me of type MethoEnv i, an a global view v, the valuation function constructs a irect metho environment of type DirMethoEnv i which maps a metho ientifier I m, if I m enotes M, to a triple of v, me, an a irect semantics [M ],i of M, an if I m enotes another metho, to a triple of v, me, an the behavior of the metho, which is looke up in me as an object of type Behavior i an lifte to type Behavior i+1. Given a recursive metho set Ms an me respectively v as above, the valuation function constructs a recursive metho environment of type RecMethoEnv i ; this environment actually represents an infinite sequence of environments: the element at position 0 in this sequence is constructe by the function ebase such that it looks up the behavior of every metho which is not in Ms in me an lifts it to type RecBehavior i 0 an maps every metho which is in Ms to the empty behavior (representing a non-terminating recursive call), the element at position j + 1 in this sequence is constructe from the element me at position j by

28 2.5 Program Semantics Program Semantics [ ],i, j : Program View Space MethoEnv i Comman [RMs S {C} ] v,sp,i, j (me) = LET c = call(v,sp),me = [RMs ] v,i, j (me) IN comman([c ] c,me, C c,me ) [ ],i, j : RecMethos View MethoEnv i MethoEnv j [ ] v,i,i (me) = me [RMs RM ] v,i, j+1 (me) = [RM ]v, j ([RMs ]v,i, j (me)) [ ],i : RecMetho View MethoEnv i MethoEnv i+1 [M ] v,i (me)(i m) = IF I m = [M ] I THEN v,me, [M ],i ELSE v,me,behavior i (me,i m ) [recursive Ms ] v,i (me) 0 = ebase i (v,me, [Ms ] I ) [recursive Ms ] v,i (me) j+1 = LET me = [recursive Ms ] v,i (me) j IN [Ms ] v,i, j (me,enext,i, j (v,me )) [ ],i, j : Methos View (RecMethoEnv i j RecMethoEnvi j+1 ) RecMethoEnv i j+1 [ ] v,i, j (me,me ) = me [Ms M ] v,i, j (me,me ) = [M ] v,i, j (me,me )(me, [Ms ] v,i, j (me,me )) [ ],i, j : Metho View (RecMethoEnv i j RecMethoEnvi j+1 ) RecMethoEnv i j+1 [M ] v,i, j (me,me ) = me [ [M ] I v,me, [M ],i, j ] Figure 2.18: Program Semantics

29 Metho Semantics [ ] I : Methos P(Ientifier) [ ] I := /0 [Ms M ] I := [Ms ] I {[M ] I } [ ] I : Metho Ientifier [metho I m (J 1,...,J p ) S {C} ] I := I m [ ],i : Metho Behavior i+1 [metho I m (J 1,...,J p ) S {C} ] c,me,i, j (v 1,...,v p ) = LET c = push(c,j 1,...,J p ) r StateRelation r(s,s ) s 0,s 1 : State : s 0 = writes(s, [J 1 ] c,v 1,...,[J p ] c,v p ) (s 0,s 1 ) s = IF throws(control(s 1 )) THEN s 1 ELSE executes(s 1 ) t StateConition t(s) [C ] c,me LET s 0 = writes(s, [J 1 ] c,v 1,...,[J p ] c,v p ) IN C c,me (s 0 ) IN comman(r,t) [ ],i, j : Metho RecBehavior i j+1 [metho I m (J 1,...,J p ) S {C} ] c,me,i, j (v 1,...,v p ) =... (as above) Figure 2.19: Metho Semantics

30 2.6 Comman Semantics 1. first builing a start environment by the application of function enext which looks up the behavior of every metho in me as an object of type RecBehavior i j an lifts it to a behavior of type RecBehavior i j+1, an 2. then upating this environment by every eclaration in Ms. Methos The valuation function upates the metho environment me of type RecMethoEnv i j+1 by every metho which is eclare in environment me of type RecMethoEnv i j. Metho The valuation function upates environment me by a mapping of the ientifier of metho M to a triple of the global view v, metho environment me, an the behavior of M. The core of Figure 2.19 are the two last valuation functions which construct the irect respectively recursive behavior of a metho: the first constructs a irect behavior of type Behavior i+1 which takes a context an a metho environment me of type MethoEnv i an returns a metho, the secon constructs a recursive behavior of type Behavior i j+1 which takes a context an a metho environment me of type RecMethoEnv i j an returns a metho. Both valuation functions are efine in a syntactically ientical way, since the comman valuation functions [ ] an accept metho environments of type MethoEnvs which encompasses both cases. 2.6 Comman Semantics Figures 2.20 2.25 escribe the core of the program semantics: the formalization of a comman as a pair of a state relation an an a state conition which represent the possible state transitions an the prestates with guarantee termination, respectively. The various kins of commans are formalize base on the following intuitions: Assignment First, the expression E is evaluate. If this yiels an unefine value ( ), the comman raises an exception, otherwise, the variable enote by the ientifier is upate by the value. The comman always terminates.

31 Comman Semantics [ ] : Comman (Context MethoEnvs) StateRelation : Comman (Context MethoEnvs) StateConition [R = E ] c,me (s,s ) LET v = [E ] c (s) IN IF v = THEN s = expthrow(s) ELSE s = write(s, [R] c,val) R = E c,me (s) TRUE [var I; C ] c,me (s,s ) LET c = push(c,i) IN [C ] c,me (s,s ) var I; C c,me (s) LET c = push(c,i) IN C c,me (s) [var I=E; C ] c,me (s,s ) LET v = [E ] c (s) IN IF v = THEN s = expthrow(s) ELSE LET c 0 = push(c,i),s 0 = write(s, [I ] c 0,v) IN [C ] c 0,me (s 0,s ) var I=E; C c,me (s) LET v = [E ] c (s) IN IF v = THEN ELSE TRUE LET c 0 = push(c,i),s 0 = write(s, [I ] c 0,v) IN C c 0,me (s 0 ) Figure 2.20: Comman Semantics (1/5)

32 2.6 Comman Semantics Comman Semantics (Cont) [C 1 ;C 2 ] c,me (s,s ) s 0 State : [C 1 ] c,me (s,s 0 ) IF executes(control(s 0 )) THEN [C 2 ] c,me (s 0,s ) ELSE s = s 0 C 1 ;C 2 c,me (s) C 1 c,me (s) s 0 State : [C 1 ] c,me [if (E) C ] c,me (s,s ) LET v = [E ] c (s) IN IF v = THEN s = expthrow(s) (s,s 0 ) executes(control(s 0 )) C 2 c,me (s 0 ) ELSE IF v = TRUE THEN [C ] c,me (s,s ) ELSE s = s if (E) C c,me (s) [E ] c (s) = TRUE C c,me (s) [if (E) C 1 else C 2 ] c,me (s,s ) LET v = [E ] c (s) IN IF v = THEN s = expthrow(s) ELSE IF v = TRUE THEN [C 1 ] c,me (s,s ) ELSE [C 2 ] c,me (s,s ) if (E) C 1 else C 2 c,me (s) LET v = [E ] c (s) IN IF v = THEN TRUE ELSE IF v = TRUE THEN C 1 c,me (s) ELSE C 2 c,me (s) Figure 2.21: Comman Semantics (2/5)

33 Variable Declaration A new context c is create by introucing a local variable I. The eclaration boy C is execute in c. The comman terminates, if the boy oes. Variable Definition First, the expression E is evaluate. If this yiels an unefine value ( ), the comman raises an exception. Otherwise, a new context c is create by introucing a local variable I an the variable enote by I is upate by the value. The efinition boy C is execute in c. The comman terminates, if the boy oes. Comman Sequence The first comman C 1 is execute yieling an intermeiate state s 0. If this state is not executing, it immeiately represents the sequence s poststate. Otherwise, the secon comman C 2 is execute with s 0 as its prestate which yiels the sequence s poststate. The comman terminates, if C 1 terminates an if C 2 terminates in every executing poststate of C 1. One-Sie Conitional First, the expression E is evaluate. If this yiels an unefine value ( ), the comman raises an exception. Otherwise, if the expression value is TRUE, the branch C is execute. The comman terminates, if C terminates in every state in which E yiels TRUE. Two-Sie Conitional First, the expression E is evaluate. If this yiels an unefine value ( ), the comman raises an exception. Otherwise, if the value is TRUE, the first branch C 1 is execute, an else the secon branch C 2 is execute. The comman terminates, if E yiels, or if E yiels TRUE an C 1 terminates, or if E yiels neither nor TRUE an C 2 terminates. While Loop The behavior of a while loop is etermine by two sequences of states t an u both starting with the loop s prestate s (see Figure 2.23). The execution of the loop boy C transforms every t(i) to u(i + 1) from which the prestate t(i + 1) of the next iteration is constructe by setting the status from continuing or breaking to executing. The loop is terminate with state t(k) if u(k) inicates a leaving (not executing an not continuing) state or if the loop expression E oes not yiel TRUE in t(k); if the loop expression yiels an unefine value, the poststate s is constructe from t(k) by throwing an exception, otherwise s equals t(k). The loop terminates if for every prestate t(k) of the loop boy C the execution of C terminates an if no infinite sequence of iterations arises. Continue The statement sets the poststate to continuing an terminates. Break The statement sets the poststate to breaking an terminates.

34 2.6 Comman Semantics Comman Semantics (Cont) [while (E) C ] c,me (s,s ) k N,t,u State : t(0) = s u(0) = s ( i N k : iterate(i,t,u,s, [E ] c, [C ]c,me )) (leaves(u(k)) [E ] c (t(k)) TRUE) IF leaves(u(k)) [E ] c (t(k)) THEN s = t(k) ELSE s = expthrow(t(k)) while (E) C c,me (s) t,u State : t(0) = s u(0) = s ( k N : ( i N k : iterate(i,t,u,s, [E ] c, [C ]c,me )) leaves(u(k)) [E ] c (t(k)) = TRUE C c,me (t(k))) ( i N : iterate(i,t,u,s, [E ] c, [C ]c,me )) [LS while (E) C ] c,me (s,s )... (as above) LS while (E) C c,me (s)... (as above) Figure 2.22: Comman Semantics (3/5) t 0 1 2 3 k 1 k s... s expthrow [C ] execute u s... 0 1 2 3 k 1 k Figure 2.23: While Loop

35 Comman Semantics (Cont) [continue ] c,me (s,s ) s = continue(s) continue c,me (s) TRUE [break ] c,me (s,s ) s = break(s) break c,me (s) TRUE [return E ] c,me (s,s ) LET v = [E ] c (s) IN IF v = THEN s = expthrow(s) ELSE s = return(s,v) return E c,me (s) TRUE [throw I E ] c,me (s,s ) LET v = [E ] c (s) IN IF v = THEN s = expthrow(s) ELSE s = throw(s,i,c) throw I E c,me (s) TRUE [try C 1 catch(i k I v ) C 2 ] c,me (s,s ) s 0,s 1 State : (s,s 0 ) [C 1 ] c,me IF throws(control(s 0 )) key(control(s 0 )) = I k THEN LET c 0 = push(c,i v ) IN s 1 = write(execute(s 0 ), [I v ] c 0,value(control(s 0 ))) [C 2 ] c 0,me (s 1,s ) ELSE s = s 0 try C 1 catch(i k I v ) C 2 c,me (s) C 1 c,me (s) s 0 State : [C 1 ] c,me (s,s 0 ) executes(control(s 0 )) key(control(s 0 )) = I k LET c 0 = push(c,i v ) IN s 1 = write(execute(s 0 ), [I v ] c 0,value(control(s 0 ))) C 2 c 0,me (s 1 ) Figure 2.24: Comman Semantics (4/5)

36 2.6 Comman Semantics Comman Semantics (Cont) [R = I m (E 1,...,E p ) ] c,me (s,s ) LET v 1 = [E 1 ] c (s),...,v p = [E p ] c (s) IN IF v 1 =... v p = THEN s = expthrow(s) ELSE LET r = rel(metho(me,i m,c)(v 1,...,v p )) IN s 0 State : r(s,s 0 ) IF throws(control(s 0 )) THEN s = s 0 ELSE s = write(s 0, [R] c,value(control(s 0 ))) R = I m (E 1,...,E p ) c,me (s) LET v 1 = [E 1 ] c (s),...,v p = [E p ] c (s) IN IF v 1 =... v p = THEN s = expthrow(s) ELSE LET t = con(metho(me,i m,c)(v 1,...,v p )) IN t(s) [assert F ] c,me (s,s ) [F ] c e (s,s) s = s assert F c,me (s) [F ] c e (s,s) Figure 2.25: Comman Semantics (5/5)

37 Return First, the expression E is evaluate. If this yiels an unefine value ( ), the comman raises an exception. Otherwise, the statement sets the poststate to continuing an the control value to the value of E an terminates. Throw First, the expression E is evaluate. If this yiels an unefine value ( ), the comman raises an exception. Otherwise, the statement sets the poststate to throwing, the control ata s key to the inicate ientifier, an the control ata s value to the expression value. Exception Hanler The first comman C 1 is execute yieling an intermeiate state s 0. If s 0 oes not throw an exception of type I k, it immeiately represents the hanler s poststate. Otherwise, a new context c 0 is create with the hanler s parameter I v as a local variable. A new executing state s 1 is create from s 0 by upating this variable with the exception value of s 0. Then C 2 is execute with s 1 as prestate which yiels the hanler s poststate. The comman terminates, if C 1 terminates an if C 2 terminates in every prestate s 1 that can be erive from any poststate s 0 of C 1 as inicate above. Metho Call First, the argument expressions E 1,...,E p are evaluate. If any of the evaluations yiels an unefine value ( ), the comman raises an exception. Otherwise, the metho environment me is looke up for the metho ientifie by I m. This metho is applie to the argument values which yiels a comman behavior from which the transition relation is extracte. The application of this transition relation to the prestate gives a poststate s 0 ; if s 0 throws an exception, it alreay represents the postate of the comman. Otherwise s 0 is upate by writing into the variable reference by R the metho s return value. The metho terminates, if the evaluation of some argument expression yiels an unefine value, or if the comman behavior s termination conition inicates termination. Assertion If the conition hols, the comman oes not change the state. Otherwise, the comman blocks. 2.7 Expression Semantics The core semantics of an expression E is efine in two parts (see Figure 2.26): Given a context c an a state s, the value semantics [E ] V maps E to a value. the efineness conition [E ] D tells, whether this value makes sense or not.

38 2.8 Formula an Term Semantics Expression Semantics [ ] : Expression Context B StateFunction [E ] c (s) = IF [E ]c D (s) THEN [E ]c V (s) ELSE [ ] D : Expression Context StateConition [R] c D (s) TRUE [...] c D (s)... [ ] V : Expression Context StateFunction [R] c V (s) = rea(s, [R]c ) [...] c V (s) =... [ ] : Reference Context Variable [I ] c = lview(c)(i) [?I ] c = gview(c)(i) Figure 2.26: Expression Semantics The overall semantics [E ] then epens on a boolean value : If is true, the value of [E ] V is unconitionally forware; If is false, then [E ] V is only returne if [E ] D says that this makes sense; otherwise, the special value ( unefine value ) is returne. In the secon case, a comman that evaluates the expression transforms an unefine value to an expression evaluation exception in the comman s postate (see the previous section). 2.8 Formula an Term Semantics Figures 2.27 an 2.28 introuce the semantics of specification formulas while Figure 2.29 efines the semantics of terms within these formulas. Here we shoul especially note the ifferences in the semantics of references to program variables in the prestate respectively poststate (R an R ), the semantics of logical value variables ($I), an the semantics of logical state variables (#I).

39 Formula Semantics [ ] : Formula Context Environment StateRelation [true ] c e (s,s ) TRUE [false ] c e (s,s ) FALSE [p(t 1,...,T n ) ] c e (s,s ) [ p ]([T 1 ] c e (s,s ),...,[T n ] c e (s,s )) [T 1 = T 2 ] c e (s,s ) [T 1 ] c e (s,s ) = [T 2 ] c e (s,s ) [T 1 /= T 2 ] c e (s,s ) [T 1 ] c e (s,s ) [T 2 ] c e (s,s ) [reasonly ] c e (s,s ) s EQUALS c s [writesonly R 1,...,R n ] c e (s,s ) s = s EXCEPT c R 1,...,R n [!F ] c e (s,s ) [F ] c e (s,s ) [F 1 an F 2 ] c e (s,s ) [F 1 ] c e (s,s ) [F 2 ] c e (s,s ) [F 1 or F 2 ] c e (s,s ) [F 1 ] c e (s,s ) [F 2 ] c e (s,s ) [F 1 => F 2 ] c e (s,s ) [F 1 ] c e (s,s ) [F 2 ] c e (s,s ) [F 1 <=> F 2 ] c e (s,s ) [F 1 ] c e (s,s ) [F 2 ] c e (s,s ) [F 1 xor F 2 ] c e (s,s ) [F 1 ] c e (s,s ) [F 2 ] c e (s,s ) [if F then F 1 else F 2 ] c e (s,s ) IF [F ] c e (s,s ) THEN [F 1 ] c e (s,s ) ELSE [F 2 ] c e (s,s ) [forall $I 1,...,$I n : F ] c e (s,s ) v 1,...,v n Value : [F ] c e[i 1 v 1,...,I n v n ] v (s,s ) [exists $I 1,...,$I n : F ] c e (s,s ) v 1,...,v n Value : [F ] c e[i 1 v 1,...,I n v n ] v (s,s ) [let $I 1 =T 1,...,$I n =T n in F ] c e (s,s ) LET e 1 = e[i 1 [T 1 ] c e (s,s )] v... e n = e n 1 [I n [T n ] c e n 1 (s,s )] v IN [F ] c e n (s,s )... (continue in Figure 2.28) Figure 2.27: Formula Semantics (1/2)

40 2.8 Formula an Term Semantics Formula Semantics (Cont) [ ] : Formula Context Environment StateRelation... (continue from Figure 2.27) [allstate #I 1,...,#I n : F ] c e (s,s ) c 1,...,c n Control : [F ] c e[i 1 c 1,...,I n c n ] c (s,s ) [exstate #I 1,...,#I n : F ] c e (s,s ) c 1,...,c n Control : [F ] c e[i 1 c 1,...,I n c n ] c (s,s ) [U 1 == S 2 ] c e (s,s ) [U 1 ] c e (s,s ) = [U 2 ] c e (s,s ) [U.executes ] c e (s,s ) executes([u ] c e (s,s )) [U.continues ] c e (s,s ) continues([u ] c e (s,s )) [U.breaks ] c e (s,s ) breaks([u ] c e (s,s )) [U.returns ] c e (s,s ) returns([u ] c e (s,s )) [U.throws ] c e (s,s ) throws([u ] c e (s,s )) [U.throws I ] c e (s,s ) LET c = [U ] c e (s,s ) IN throws(c ) key(c ) = I [ ] : Preicate Preicate [isnat ](v) v N [<](v 1,v 2 ) v 1 < v 2 [ ](v 1,...,v n )... Figure 2.28: Formula Semantics (2/2)

41 Term Semantics [ ] : Term Context Environment BinaryStateFunction [R] c e (s,s ) = rea(s, [R] c ) [R ] c e (s,s ) = rea(s, [R] c ) [$I ] c e (s,s ) = venv(e)(i) [f (T 1,...,T n ) ] c e (s,s ) = [ f ]([T 1 ] c e (s,s ),...,[T n ] c e (s,s )) [if F then T 1 else T 2 ] c e (s,s ) = IF [F ] c e (s,s ) THEN [T 1 ] c e (s,s ) ELSE [T 2 ] c e (s,s ) [let $I 1 =T 1,...,$I n =T n in T ] c e (s,s ) LET e 1 = e[i 1 [T 1 ] c e (s,s )] v... e n = e n 1 [I n [T n ] c e n 1 (s,s )] v IN [T ] c e n (s,s ) [U.value ] c e (s,s ) = value([u ] c e (s,s )) [ ] : State Context Environment ControlFunction [now ] c e (s,s ) = control(s) [next ] c e (s,s ) = control(s ) [#I ] c e (s,s ) = cenv(e)(i) [ ] : Function Function [...](v 1,...,v n ) =... Figure 2.29: Term Semantics

Chapter 3 Jugements In this chapter, we efine the syntax an formal semantics of program jugements which we are going to erive in our calculus. 3.1 Syntax Figure 3.1 lists the syntax of the jugements that we are going to eal with. Their informal interpretations are: se RMs S {C} states that for a given specification environment se which escribes preefine methos, the program is correct with respect to the specifications of its own methos an its main comman. In particular, the execution of the program 1. oes not encounter the evaluation of unefine expressions, 2. oes not change any variables protecte by the frame conitions, 3. oes not throw any exceptions prohibite by the exception conitions, 4. oes not exhibit any state transitions that violate the postconitions, 5. terminates in those states that are emane by the preconitions. se RMs states that above hols for all methos eclare in RMs. se RM states that above hols for all methos eclare in RM. se,is Ms states that above hols for all methos eclare in metho set Ms provie that Ms is part of a recursive metho set consisting of those methos name in Is. 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback