Guarded Commands, Nondeterminancy and Formal Derivation of Programs. Edsger W. Dijkstra. CACM 18, 8 pp (Aug. 1975).

Similar documents
Formal Methods. CITS5501 Software Testing and Quality Assurance

Well, you need to capture the notions of atomicity, non-determinism, fairness etc. These concepts are not built into languages like JAVA, C++ etc!

Programming Languages Third Edition

Spring 2018 PhD Qualifying Exam in Languages

Formalizing Dijkstra

Lectures 20, 21: Axiomatic Semantics

Hoare Logic: Proving Programs Correct

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

COMP 507: Computer-Aided Program Design

Slicing as a Program Transformation

PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE

ASYMPTOTIC COMPLEXITY

Introduction to Axiomatic Semantics (1/2)

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Forward Assignment; Strongest Postconditions

Proving Programs Correct

Informal Semantics of Data. semantic specification names (identifiers) attributes binding declarations scope rules visibility

Chapter 7. - FORTRAN I control statements were based directly on IBM 704 hardware

Program Static Analysis. Overview

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.

Control Structures. Outline. In Text: Chapter 8. Control structures Selection. Iteration. Gotos Guarded statements. One-way Two-way Multi-way

An Annotated Language

Synchronization: Semaphores

Chapter 8. Statement-Level Control Structures

THE traditional denotational semantics treats a program

Ch. 7: Control Structures

LOGIC AND DISCRETE MATHEMATICS

Chapter 8. Statement-Level Control Structures

Introduction to Axiomatic Semantics (1/2)

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Chapter 8. Statement-Level Control Structures

Lecture Notes: Hoare Logic

Review: Hoare Logic Rules

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

6. Hoare Logic and Weakest Preconditions

CSE 307: Principles of Programming Languages

Chapter 3. Describing Syntax and Semantics

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Iterative Statements. Iterative Statements: Examples. Counter-Controlled Loops. ICOM 4036 Programming Languages Statement-Level Control Structure

Informal Reference Manual for X

Chapter 8. Statement-Level Control Structures ISBN

Program Syntax; Operational Semantics

Distributed Algorithms 6.046J, Spring, Nancy Lynch

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Deriving a Slicing Algorithm via FermaT Transformations

Basic Verification Strategy

LECTURE 8: SETS. Software Engineering Mike Wooldridge

Shared Variables and Interference

Introduction to Axiomatic Semantics

Chapter 3. Describing Syntax and Semantics ISBN

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

ELEMENTARY NUMBER THEORY AND METHODS OF PROOF

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

ASYMPTOTIC COMPLEXITY

3. DESCRIBING SYNTAX AND SEMANTICS

Fundamental mathematical techniques reviewed: Mathematical induction Recursion. Typically taught in courses such as Calculus and Discrete Mathematics.

Statement level control structures

Shared Variables and Interference

Denotational Semantics of a Simple Imperative Language Using Intensional Logic

Lecture 3 SPIN and Promela

Name: CS 341 Practice Final Exam. 1 a 20 b 20 c 20 d 20 e 20 f 20 g Total 207

BCS-FACS 7th Refinement Workshop

Qualifying Exam Languages

Hardware versus software

COMP 382: Reasoning about algorithms

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Reasoning about programs

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Grammar Rules in Prolog!!

2 Introduction to operational semantics

Integers and Mathematical Induction

Scheme: Data. CS F331 Programming Languages CSCE A331 Programming Language Concepts Lecture Slides Monday, April 3, Glenn G.

Proving the Correctness of Distributed Algorithms using TLA

APPM 2460: Week Three For, While and If s

A NOTE ON A STANDARD STRATEGY FOR DEVELOPING LOOP INVARIANTS AND LOOPS

Applications of Formal Verification

Chapter 6 Control Flow. June 9, 2015

A CRASH COURSE IN SEMANTICS

Discrete Mathematics Lecture 4. Harper Langston New York University

Variants of Turing Machines

Abstractions of Time Eric C.R. Hehner University of Toronto

Program Slicing Using Weakest Preconditions

Shell CSCE 314 TAMU. Haskell Functions

n Specifying what each method does q Specify it in a comment before method's header n Precondition q Caller obligation n Postcondition

From proposition to program

Teckel Design Considerations

A Formal Approach to Program Modification. Lindsay Groves

Lecture Programming in C++ PART 1. By Assistant Professor Dr. Ali Kattan

Applications of Formal Verification

Applications of Formal Verification

Specifications and Assertions

Typed Lambda Calculus and Exception Handling

Organization of Programming Languages CS3200/5200N. Lecture 11

Programming Languages

University of Technology. Laser & Optoelectronics Engineering Department. C++ Lab.

(Not Quite) Minijava

Transcription:

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 1 Guarded Commands, Nondeterminancy and Formal Derivation of Programs Edsger W. Dijkstra CACM 18, 8 pp. 453-457 (Aug. 1975). A Discipline of Programming, Prentice-Hall, 1976. book 9/18/17 Kwang-Moo Choe 1

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 2 2. Two statements made from guarded commands statement ::= alternative construct repeatative_construct other statements alternative construct ::= if guarded command set fi repeatative construct ::= do guarded comman set od other statements assignment statements, procedure calls,... guarded command set ::= guarded command { guarded command } guarded command ::= guard guarded list guard ::= boolean_expression guarded list ::= statement { ; statement } {... }: followed by zero or more instances of the enclosed... = (... ) *. Extended BNF(Backus-Nauer Form) ALGOL 60 9/18/17 Kwang-Moo Choe 2

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 3 Two separators ; in guarded list and in guarded command set guarded list ::= statement { ; statement } guarded command set ::= guarded command { guarded command } S 1 ; S 2 ;... ; S n. A sequence of S i s. G 1 G 2... G n. An arbitrarily ordered enumeration of an unordered set 9/18/17 Kwang-Moo Choe 3

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 4 Altenative construct if... fi. If none of the guard is true, the program will abort; otherwise an arbitrary guarded list with a true guard is selected for execution. (Note) if fi abort An example - illustrating the nondeterminancy in a very modest fashion For fixed x and y assigns to m the maximum value of x and y. if x y m := x x y m := y fi. 9/18/17 Kwang-Moo Choe 4

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 5 Repeatative constructs do... od None of the guards is true will not leads to abortion but termination. When initially or upon completed execution of selected a guarded list one or more guards are true, a new selection for execution of a guarded list with a ture will take place, and so on. When the repeatative constuct had terminated properly, we know all guards are false. (Note) do od skip. 9/18/17 Kwang-Moo Choe 5

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 6 An example - showing the nondeterminancy in some what greater glory Assigns to a variables q 1, q 2, q 3, and q 4 a permutation of the values Q 1, Q 2, Q 3, and Q 4, such that q 1 q 2 q 3 q 4. q 1, q 2, q 3, q 4 := Q 1, Q 2, Q 3, Q 4 ; do q 1 > q 2 q 1, q 2 := q 2, q 1 q 2 > q 3 q 2, q 3 := q 3, q 2 q 3 > q 4 q 3, q 4 := q 4, q 3 od. (q 1 > q 2 ) (q 2 > q 3 ) (q 3 > q 4 ) = (q 1 q 2 ) (q 2 q 3 ) (q 3 q 4 ) = (q 1 q 2 q 3 q 4 ) 9/18/17 Kwang-Moo Choe 6

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 7 An example - Not only computation but also final state is not necessary uniquely determined! Determine k such that for fixed value n(n 0) and a fixed function f(i) defined for 0 i n: k will eventually satisfy 0 k n and ( i: 0 i n: f(k) f(i)). (Eventually k should be the place of a maximun) k := 0; j := 1; do j n if f(j) f(k) j := j + 1 f(j) f(k) k := j; j := j + 1 fi od. 9/18/17 Kwang-Moo Choe 7

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 8 3. Formal Definitos of the Semantics 3.1 Notational Prelude P, Q, R to denote (predicate defining) boolean function defined on all points of the state space. conditions satisfied by all states for which the boolean function is true. T denotes the condition that is satisfied by all states. F denotes the condition that is satisfied by no state at all. Hoare Dijkstra sufficient pre-condition.. the mechanisms will not produce the wrong result (but may fail to terminate) necessary and sufficinet pre-condition, i.e, so called weakest pre-condition.. the mechanisms are guranteed to produce the right result. 9/18/17 Kwang-Moo Choe 8

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 9 wp(s, R) S: a statement list and R: some condition of the system to denote the weakest pre-condition for the initial state of the system.. activation of S is guranteed to lead to a properly terminating activity leaving the system in a final state satisfying the post-condition R. wp predicate transformer has following properties. 1. S: wp(s, F) = F. Law of Excluded Miracle 2. S: If P Q, then wp(s, P) wp(s, Q). 3. S: (wp(s, P) and wp(s, Q)) = wp(s, P and Q). 4. deterministic S: (wp(s, P) or wp(s, Q)) = wp(s, P or Q). 4. nondeterministic S: (wp(s, P) or wp(s, Q)) wp(s, P or Q). 9/18/17 Kwang-Moo Choe 9

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 10 We know the semantics of a mechanism S sufficiently well, if we know its predicate transformer, i.e., can derive wp(s, R) for any post-condition R. Example 1. The semantics of empty statement, denoted by skip is post-condition R: wp( skip, R) = R. Example 2. The semantics of assignment statement x := E is wp( x := E, R) = R x E where R x E denotes a copy of the predicate defining R in each occurence of the variable x is replaced by (E). Example 3. The semantics of semicolon ; as concatenation operator wp( S 1 ; S 2, R) = wp(s 1, wp(s 2, R)). 9/18/17 Kwang-Moo Choe 10

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 11 3.2 The Alternative Construct Let IF if B 1 SL 1... B n SL n fi. Let BB ( i: 1 i n: B i ). Then wp(if, R) = BB ( i: 1 i n: B i wp(sl i, R)). BB: IF will not lead to abortion. B i wp(sl i, R): each guareded list eligible for execution will lead to an acceptable final state. Theorem 1. If ( i: 1 i n: (Q B i ) wp(sl i, R), then (Q BB) wp(if, R). Let t denotes some integer function defined on the state space and wdec(t) denotes the weakest precondition.. activation S is guranteed to leads to a proper termination activity leaving the system in a final state such that the value of t is decreased by at least 1(compre to its initial value) 9/18/17 Kwang-Moo Choe 11

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 12 Theorem 2. If ( i: 1 i n: (Q B i ) wp(sl i, R), then (Q BB) wdec(if, R). 9/18/17 Kwang-Moo Choe 12

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 13 3.3 The Repeatative Construct Let DO do B 1 SL 1... B n SL n od. Let H 0 (R) = R BB and H k (R) = wp(if, H k (R)) H 0 (R) for k 0. Then wp(do, R) = ( k : k 0: H k (R)). BB: IF will not lead to abortion. B i wp(sl i, R): each guareded list eligible for execution will lead to an acceptable final state. 9/18/17 Kwang-Moo Choe 13

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 14 4. Formal Derivation of Programs m = max(x, y) R: ((m = x) (m = y)) (m x) (m y). The assignment statement m := x will make true for (m = x). weakest preconditon to make R is true after the statement m := x. wp( m := x, R) (x = x x = y) (x x) (x y) = x y. if x y m := x fi the weakest precondition as guard. BB = (x y) T. Weakening BB. add( ) guards. The alternative guard is precondion of assignment m := y. wp( m := y, R) (y = x y = y) (y x) (y y) = y x. if x y m := x y x m := y fi. BB = (x y) (y x) = T. 9/18/17 Kwang-Moo Choe 14

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 15 Example of repeatative construct Given two positive numbers X and Y, find x.. x = gcd(x, Y). establish the relation P to be kept invariant do decrease t as long as possible uncer variance of P od P: (gcd(x, Y) = gcd(x, y)) (x > 0) (y > 0). Easy initialization of P x := X; y := Y Do something under the loop invariance of P P B wp( x, y := E1, E2, P) = = (gcd(x, Y) = gcd(e1, E2)) (E1 > 0) (E2 > 0). gcd(x, y) = gcd(x y, y) = gcd(x, y x) = gcd(y, x) = Consider t = x + y. wp( x := x y, t t 0 ) = wp( x := x y, x + y t 0 ) = (x t 0 ). tmin = x. wdec( x := x y, t) = (x x + y) = (y > 0). P wdec. 9/18/17 Kwang-Moo Choe 15

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 16 wp( x := x y, P) = (gcd(x, Y) = gcd(x y, y)) (x y > 0) (y > 0) = x > y. x := X; y := Y; do x > y x := x y od. ( BB = x y) / (x = gcd(x, Y)) Alternate assignment y := y x is required as its guard y > x. wp( y := y x, P) = (gcd(x, Y) = gcd(x, y x)) (x > 0) (y x > 0) = y > x. x := X; y := Y; do x > y x := x y y > x y := y x od. BB = x = y. (P x = y) x = gcd(x, Y). 9/18/17 Kwang-Moo Choe 16

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 17 (Note) If you select t = x + 2y x := X; y := Y; do x > y x := x y y > x x, y := y, x od. x :=X; y := Y; (version A) while x y do if x > y then x := x y else y := y x fi od. x :=X; y := Y; (version B) while x y do while x > y do x := x y od; while y > x do y := y x od. x := X; y := Y; do x > y x := x y y > x y := y x od (original) 9/18/17 Kwang-Moo Choe 17

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 18 if X > 0 and Y > 0 x := X; y := Y; do x > y x := x y y > x y := y x od fi 9/18/17 Kwang-Moo Choe 18

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 19 syntactic sugar in C (init P; test BB; recover P) loop_body; P init P P P P BB BB? P BB loop body?p recover P P 9/18/17 Kwang-Moo Choe 19

CS322 E. W. Dijkstra, Guarded command, Nondeterminancy and Formal Derivation of Programs 20 Another Example Sum, i := 0, 1; i-1 P (Sum = k=1 k) initialize P i-1 do i 100 P (Sum = k=1 k) P is still valid i Sum := Sum + i; P (Sum = k=0 k) P is distroyed i-1 i := i +1 P (Sum = k=1 k) recover P od i-1 P (i 100) (Sum = k=1 k) (i = 101) 100 = (Sum = k=1 k) = (Sum = 5050). 101 i is the nonnegative decreasing functon loop terminate 9/18/17 Kwang-Moo Choe 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback