Introduction to Axiomatic Semantics

Similar documents
Introduction to Axiomatic Semantics (1/2)

Introduction to Axiomatic Semantics (1/2)

Lectures 20, 21: Axiomatic Semantics

An Annotated Language

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Lecture 5 - Axiomatic semantics

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Hoare triples. Floyd-Hoare Logic, Separation Logic

A CRASH COURSE IN SEMANTICS

6. Hoare Logic and Weakest Preconditions

Programming Languages Third Edition

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Hoare Logic: Proving Programs Correct

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

The Rule of Constancy(Derived Frame Rule)

Chapter 3 (part 3) Describing Syntax and Semantics

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Symbolic Execution and Proof of Properties

CS2104 Prog. Lang. Concepts

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Chapter 3. Describing Syntax and Semantics ISBN

CITS5501 Software Testing and Quality Assurance Formal methods

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Axiomatic Semantics. More Semantics. Review - Operational Semantics. Partial Correctness Assertions. Programs Theorems. Axiomatic Semantics

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

COMP 507: Computer-Aided Program Design

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

Com S 541. Programming Languages I

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Symbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)

In Our Last Exciting Episode

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Operational Semantics. One-Slide Summary. Lecture Outline

Induction and Semantics in Dafny

Lecture Notes: Hoare Logic

MITOCW watch?v=kz7jjltq9r4

Static verification of program running time

Chapter 3. Describing Syntax and Semantics

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

Automated Theorem Proving and Proof Checking

Abstract Interpretation

Chapter 1. Introduction

Chapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction

Contents. Chapter 1 SPECIFYING SYNTAX 1

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Program Verification. Aarti Gupta

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Axiomatic Specification. Al-Said, Apcar, Jerejian

Spark verification features

Automated Reasoning. Natural Deduction in First-Order Logic

Hardware versus software

Program Verification. Program Verification 307/434

Lecture Notes on Memory Layout

Reasoning About Imperative Programs. COS 441 Slides 10

Forward Assignment; Strongest Postconditions

What if current foundations of mathematics are inconsistent? Vladimir Voevodsky September 25, 2010

CSE 307: Principles of Programming Languages

Meeting14:Denotations

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Proof Carrying Code(PCC)

Lecture 11 Lecture 11 Nov 5, 2014

CMSC 330: Organization of Programming Languages

Verifying Safety Property of Lustre Programs: Temporal Induction

Proving the Correctness of Distributed Algorithms using TLA

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Basic Verification Strategy

Lecture 15 CIS 341: COMPILERS

Operational Semantics 1 / 13

Lecture Notes on Contracts

COS 320. Compiling Techniques

2 Introduction to operational semantics

CSC 7101: Programming Language Structures 1. Operational Semantics. Winskel, Ch. 2 Slonneger and Kurtz Ch 8.4, 8.5, 8.6. Operational vs.

Software Quality Assurance

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

Handout 9: Imperative Programs and State

Formal Systems II: Applications

3.7 Denotational Semantics

Formal Verification. Lecture 10

Section 2.4: Arguments with Quantified Statements

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Specification and Verification I

Propositional Logic. Andreas Klappenecker

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Meeting13:Denotations

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

Formal Semantics of Programming Languages

1.3. Conditional expressions To express case distinctions like

CS 161 Computer Security

Formal Methods. CITS5501 Software Testing and Quality Assurance

Transcription:

Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project is what counts, homeworks are to check understanding Most dicult: comparing big-step and contextual for IMP with exceptions Many did not answer the question, rather echoed general comparisons made in class. Both your ideas and the clarity with which they are expressed matter. (like research papers) 2 Questions? Plan for Axiomatic Semantics History and Motivation (last time) Assertions (today) Validity (today) Derivation Rules (today) Soundness (next time) Completeness (next time) 3 4 Axiomatic Semantics A semantics that is appropriate for arguing program correctness One-Slide Summary An axiomatic semantics consists of: A language for stating assertions about programs, Rules for establishing the truth of assertions Some typical kinds of assertions: This program terminates If this program terminates, the variables x and y have the same value throughout the execution of the program The array accesses are within the array bounds Some typical languages of assertions First-order logic Other logics (temporal, linear, pointer-assertion) Special-purpose specification languages (SLIC, Z, Larch) 5 6 1

Another Tony Hoare Quote It has been found a serious problem to define these languages [ALGOL, FORTRAN, COBOL] with sufficient rigor to ensure compatibility among all implementations.... one way to achieve this would be to insist that all implementations of the language shall satisfy the axioms and rules of inference which underlie proofs of properties of programs expressed in the language. In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language. 7 Do you believe this? Would such language specifications be useful to you? 8 Other Applications of Axiomatic Semantics The project of defining and proving everything formally has not succeeded (at least not yet) Proving has not replaced testing and debugging Applications of axiomatic semantics: Proving the correctness of algorithms (or finding bugs) Proving the correctness of hardware descriptions (or finding bugs) extended static checking (e.g., checking array bounds) Proof-carrying code Documentation of programs and interfaces 9 Notation: Assertions Assertions for IMP {A} c {B} with the meaning that: if A holds in state σ and if <c, σ> σ then B holds in σ A is the precondition B is the postcondition For example: { y x } z := x; z := z +1 { y < z } is a valid assertion These are called Hoare triples or Hoare assertions 11 {A} c {B} is a partial correctness assertion. Doesn t imply termination (= it is valid if c diverges) [A] c [B] is a total correctness assertion meaning that If A holds in state σ Then there exists σ such that <c, σ> σ and B holds in state σ Now let us be more formal (you know you want it!) Formalize the language of assertions, A and B Say when an assertion holds in a state Give rules for deriving Hoare triples 12 2

The Assertion Language We use first-order predicate logic on top of IMP expressions A ::= true false e 1 = e 2 e 1 e 2 A 1 Æ A 2 A 1 Ç A 2 A 1 A 2 x.a x.a Note that we are somewhat sloppy in mixing logical variables and the program variables All IMP variables implicitly range over integers All IMP boolean expressions are also assertions 13 Semantics of Assertions: Need to assign meanings to our assertions Relation σ A to say that an assertion holds in a given state (= A is true in σ ) This is well-defined when σ is defined on all variables occurring in A The relation is defined inductively on the structure of assertions (surprise!) It relies on the denotational semantics of arithmetic expressions from IMP 14 Formal Definition of Formal Definition of σ true σ e 1 = e 2 σ e 1 e 2 σ A 1 Æ A 2 σ A 1 Ç A 2 σ A 1 A 2 σ x.a σ x.a always σ true always σ e 1 = e 2 e 1 σ = e 2 σ σ e 1 e 2 e 1 σ e 2 σ σ A 1 Æ A 2 σ A 1 and σ A 2 σ A 1 Ç A 2 σ A 1 or σ A 2 σ A 1 A 2 σ A 1 implies σ A 2 σ x.a n Z. σ[x:=n] A σ x.a n Z. σ[x:=n] A 15 16 Hoare Triple Semantics Now we can define formally the meaning of a partial correctness assertion { A } c { B } σ Σ. σ Σ. (σ A Æ <c,σ> σ ) σ B Deriving Assertions Have a formal mechanism to decide { A } c { B } But it is not satisfactory. Why? and a total correctness assertion [A] c [B] σ Σ. σ A σ Σ. <c,σ> σ Æ σ B or even better yet: (explain this to me!) σ Σ. σ Σ. (σ A Æ <c,σ> σ ) σ B Æ σ Σ. σ A σ Σ. <c,σ> σ 17 18 3

Deriving Assertions Have a formal mechanism to decide { A } c { B } But it is not satisfactory Because {A} c {B} is defined in terms of the operational semantics, we practically have to run the program to verify an assertion It is impossible to effectively verify the truth of a x. A assertion (check every integer?) Plan: define a symbolic technique for deriving valid assertions from others that are known to be valid We start with validity of first-order formulas 19 Derivation Rules Propositional Rules Natural deduction style We write A when A can be derived from basic axioms ( A === we can prove A ) The derivation rules for the judgment A are the usual ones from first-order logic with arithmetic 21 A A Æ B ÆI ÆE A Æ B A 1 A ÇI A Ç B 1 A A B I ÇI A Ç B 2 A Æ B ÆE 2 A A Ç B C C C ÇE A B A E 22 First-Order Rules [a/x]a (a is fresh) x.a I x.a [e/x]a substitution: substitute a for x in A [e/x]a I x.a x.a [a/x]a E E Derivation Rules for Hoare Triples Similarly we write {A} c {B} when we can derive the triple using derivation rules There is one derivation rule for each command in the language Plus, the evil rule of consequence A A {A} c {B} B {A } c {B } Guess: Why evil? 23 24 4

Derivation Rules for Hoare Logic Derivation Rules for Hoare Logic One rule for each syntactic construct: One rule for each syntactic construct: {A} skip {A} {[e/x]a} x := e {A} {A} skip {A} {[e/x]a} x := e {A} { } c 1 { } { } c 2 { } {A} c 1 ; c 2 {C} {A} c 1 {B} {B} c 2 {C} {A} c 1 ; c 2 {C} { } c 1 { } { } c 2 { } {A} if b then c 1 else c 2 {B} {A Æ b} c 1 {B} {A Æ b} c 2 {B} {A} if b then c 1 else c 2 {B} { } c { } {A} while b do c { } 25 {A Æ b} c {A} {A} while b do c {A Æ b} 26 Alternate Hoare Rules Alternate Hoare Rules For some constructs multiple rules are possible: (Exercise: these rules can be derived from the previous ones using the consequence rules) For some constructs multiple rules are possible: (Exercise: these rules can be derived from the previous ones using the consequence rules) {A} x := e { } (This one is called the forward axiom for assignment) {C} c {A}. {A} while b do c {B} (C is the loop invariant) 27 {A} x := e { x 0.[x 0 /x]a Æ x = [x 0 /x]e} (This one is called the forward axiom for assignment) A Æ b C {C} c {A} A Æ b B {A} while b do c {B} (C is the loop invariant) 28 Example: Assignment Example Verifications (Assuming that x does not appear in e) Prove that {true} x := e { x = e } {true} x := e {x = e} 30 5

Example: Assignment (Assuming that x does not appear in e) Prove that {true} x := e { x = e } Assignment Rule: {e = e} x := e {x = e} because [e/x](x = e) e = e Use Assignment + Consequence: true e = e {e = e} x := e {x = e} {true} x := e {x = e} 31 The Assignment Axiom Assignment is undoubtedly the most characteristic feature of programming a digital computer, and one that most clearly distinguishes it from other branches of mathematics. It is surprising therefore that the axiom governing our reasoning about assignment is quite as simple as any to be found in elementary logic. - Tony Hoare Caveats are sometimes needed for languages with aliasing (the strong update problem): If x and y are aliased then { true } x := 5 { x + y = 10} is true 32 For Next Time Homework 4 out tonight due Mon Feb 23 Think about possible projects 33 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback