Post on 23-Feb-2016
1/22 Programs : Semantics and Verification Charngki Hong @ PSWLAB
Programs: Semantics and Verification
Mordechai Ben-Ari, Mathematical Logic for Computer Science
Table of Contents
Introduction
Semantics of programming language
Weakest precondition
The deductive system HL
Program verification
Total correctness
Program synthesis
References
Introduction
The syntax of a programming language is specified using formal systems such as BNF, but the semantics is usually informally specified.
Example: the formal BNF syntax of an if-statement is
  if-statement ::= if expression then statement [else statement]
but its semantics is described informally:
  The boolean expression is evaluated. If true, the statement following then is executed, otherwise the statement following else is executed.
If the semantics is informally defined, there is no formal way of determining the validity or correctness of a program.
Semantics of programming language (1/8)
A statement in a programming language is considered to be a function that transforms the state of computation. If the variables (x,y) = (8,7) in a state s, then the result of executing the statement x := 2*y+1 is the state s' in which (x,y) = (15,7).
Definition 1. Let U be the set of all n-tuples of values over some domain, and let U' ⊆ U. P_U'(x1, …, xn), the characteristic predicate of U', is defined so that U' = { (x1, …, xn) ∈ U | P_U'(x1, …, xn) }.
Semantics of programming language (2/8) Example of Def. 1
Let U be the set of 2-tuples over Z and let U' ⊆ U be the 2-tuples described in the following table:
  …  (-2,-3) (-2,-2) (-2,-1) (-2,0) (-2,1) (-2,2) (-2,3)
  …  (-1,-3) (-1,-2) (-1,-1) (-1,0) (-1,1) (-1,2) (-1,3)
  …  (0,-3)  (0,-2)  (0,-1)  (0,0)  (0,1)  (0,2)  (0,3)
  …  (1,-3)  (1,-2)  (1,-1)  (1,0)  (1,1)  (1,2)  (1,3)
  …
The characteristic predicate of U' is (x1 = x1) ∧ (x2 ≤ 3): x1 is unconstrained and x2 is at most 3.
Semantics of programming language (3/8)
Definition 2. An assertion is a triple {p} S {q}, where S is a program, and p and q are formulas in the predicate calculus called the precondition and postcondition, respectively.
An assertion is true, denoted ⊨ {p} S {q}, iff: if S is started in a state satisfying p and if this computation of S terminates, then the computation terminates in a state satisfying q.
If ⊨ {p} S {q}, then S is said to be partially correct with respect to p and q.
Assertions are also called Hoare triples.
Example: ⊨ {y ≤ 3} x := 2*y+1 {(x ≤ 7) ∧ (y ≤ 3)}
Semantics of programming language (4/8) Weakest preconditions
Definition 3. A formula A is weaker than formula B if B → A. Given a set of formulas {A1, A2, …, An}, Ai is the weakest formula in the set if Aj → Ai for all j.
Definition 4. For program S and formula q, wp(S,q), the weakest precondition of S and q, is the weakest formula p such that ⊨ {p} S {q}.
Example: y ≤ 3 is weaker than y = 1 ∨ y = 3.
wp(x := 2*y+1, (x ≤ 7) ∧ (y ≤ 3)) = y ≤ 3
Semantics of programming language (5/8)
Lemma 5. ⊨ {p} S {q} if and only if ⊨ p → wp(S, q).
Definition 6. wp(x := t, p(x)) = p(x){x ← t}
Example: wp(y := y-1, y ≥ 0) = (y-1 ≥ 0) = (y ≥ 1)
Definition 7. wp(S1; S2, q) = wp(S1, wp(S2, q))
Semantics of programming language (6/8) Examples of Def. 7
1. wp(x := x+1; y := y+2, x < y)
   = wp(x := x+1, wp(y := y+2, x < y))
   = wp(x := x+1, x < y+2)
   = x+1 < y+2
   ≡ x < y+1
2. wp(x := x+a; y := y-1, x = (b-y)·a)
   = wp(x := x+a, wp(y := y-1, x = (b-y)·a))
   = wp(x := x+a, x = (b-y+1)·a)
   = x+a = (b-y+1)·a
   ≡ x = (b-y)·a
Semantics of programming language (7/8)
Definition 8. A predicate I is an invariant of S iff wp(S, I) = I.
Definition 9. if-statement: wp(if B then S1 else S2, q) = (B → wp(S1, q)) ∧ (¬B → wp(S2, q))
Definition 10. while-statement: wp(while B do S, q) = (¬B → q) ∧ (B → wp(S; while B do S, q))
Semantics of programming language (8/8) If-statement
wp(if y=0 then x := 0 else x := y+1, x=y)
   = (y=0 → wp(x := 0, x=y)) ∧ (y≠0 → wp(x := y+1, x=y))
   ≡ ((y=0) → (y=0)) ∧ ((y≠0) → (y+1 = y))
   ≡ true ∧ ((y≠0) → false)
   ≡ ¬(y≠0)
   ≡ y = 0
While-statement: you will see many examples of this later.
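To make the wp rules concrete, here is an added Python example (not from the slides or from Ben-Ari's book) that implements Definitions 6, 7 and 9 over a tiny statement language and checks the slides' worked examples, plus the Lemma 5 test for a Hoare triple, by exhaustive evaluation on a bounded integer range. The statement classes, the bound of 6 and the variable names are my choices; formulas are represented as Python functions of the program state, so substitution p(x){x ← t} is "evaluate p in the state where x already holds t".

```python
"""Weakest preconditions for a tiny imperative language (assignment,
sequence, if).  Expressions and formulas are Python functions of a state
(a dict from variable name to int), so p(x){x <- t} from Definition 6 is
"evaluate p in the state where x already holds t".  Formulas are compared
by exhaustive evaluation over a bounded integer domain: a bounded check,
not a proof over all of Z, but enough to confirm or refute the slides'
worked examples.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Sequence, Union

State = Dict[str, int]
Expr = Callable[[State], int]
Formula = Callable[[State], bool]


@dataclass(frozen=True)
class Assign:
    var: str
    expr: Expr


@dataclass(frozen=True)
class Seq:
    first: "Stmt"
    second: "Stmt"


@dataclass(frozen=True)
class If:
    cond: Formula
    then: "Stmt"
    orelse: "Stmt"


Stmt = Union[Assign, Seq, If]


def wp(stmt: Stmt, q: Formula) -> Formula:
    """Weakest precondition of stmt with respect to postcondition q."""
    if isinstance(stmt, Assign):
        # Definition 6: wp(x := t, q) = q{x <- t}
        return lambda s: q({**s, stmt.var: stmt.expr(s)})
    if isinstance(stmt, Seq):
        # Definition 7: wp(S1; S2, q) = wp(S1, wp(S2, q))
        return wp(stmt.first, wp(stmt.second, q))
    if isinstance(stmt, If):
        # Definition 9: (B -> wp(S1, q)) and (not B -> wp(S2, q))
        then_wp, else_wp = wp(stmt.then, q), wp(stmt.orelse, q)
        return lambda s: ((not stmt.cond(s)) or then_wp(s)) and (stmt.cond(s) or else_wp(s))
    raise TypeError(f"unsupported statement: {stmt!r}")


def states(variables: Sequence[str], bound: int):
    """Every state giving each variable a value in [-bound, bound]."""
    for values in product(range(-bound, bound + 1), repeat=len(variables)):
        yield dict(zip(variables, values))


def equivalent(p: Formula, q: Formula, variables: Sequence[str], bound: int = 6) -> bool:
    """p <-> q on every state of the bounded domain."""
    return all(p(s) == q(s) for s in states(variables, bound))


def triple_holds(p: Formula, stmt: Stmt, q: Formula, variables: Sequence[str], bound: int = 6) -> bool:
    """Lemma 5: |= {p} S {q} iff |= p -> wp(S, q), checked on the bounded domain."""
    pre = wp(stmt, q)
    return all((not p(s)) or pre(s) for s in states(variables, bound))


def slide_examples(bound: int = 6) -> Dict[str, bool]:
    """The slides' worked examples, each compared with its claimed result."""
    seq1 = Seq(Assign("x", lambda s: s["x"] + 1), Assign("y", lambda s: s["y"] + 2))
    body = Seq(Assign("x", lambda s: s["x"] + s["a"]), Assign("y", lambda s: s["y"] - 1))
    branch = If(lambda s: s["y"] == 0, Assign("x", lambda s: 0), Assign("x", lambda s: s["y"] + 1))
    double = Assign("x", lambda s: 2 * s["y"] + 1)
    inv = lambda s: s["x"] == (s["b"] - s["y"]) * s["a"]
    post = lambda s: s["x"] <= 7 and s["y"] <= 3
    return {
        # wp(y := y-1, y >= 0) = (y >= 1)
        "assign": equivalent(wp(Assign("y", lambda s: s["y"] - 1), lambda s: s["y"] >= 0),
                             lambda s: s["y"] >= 1, ("y",), bound),
        # wp(x := x+1; y := y+2, x < y) = (x < y+1)
        "seq": equivalent(wp(seq1, lambda s: s["x"] < s["y"]),
                          lambda s: s["x"] < s["y"] + 1, ("x", "y"), bound),
        # Definition 8: x = (b-y)*a is an invariant of the loop body, wp(body, inv) = inv
        "invariant": equivalent(wp(body, inv), inv, ("a", "b", "x", "y"), bound),
        # wp(if y=0 then x:=0 else x:=y+1, x=y) = (y = 0)
        "if": equivalent(wp(branch, lambda s: s["x"] == s["y"]),
                         lambda s: s["y"] == 0, ("x", "y"), bound),
        # |= {y <= 3} x := 2*y+1 {x <= 7 and y <= 3} holds ...
        "triple": triple_holds(lambda s: s["y"] <= 3, double, post, ("x", "y"), bound),
        # ... but the weaker precondition y <= 4 does not imply wp (y = 4 gives x = 9)
        "triple_too_weak": triple_holds(lambda s: s["y"] <= 4, double, post, ("x", "y"), bound),
    }


if __name__ == "__main__":
    for name, ok in slide_examples().items():
        print(f"{name:16s} {ok}")
```

Representing formulas as state functions makes wp for assignment a one-liner, at the cost of symbolic output: the checker can tell you that wp(S, q) and a candidate formula agree on every state in range, but it cannot print the candidate for you. The bounded domain is deliberately small; a counterexample found there is a real counterexample, while agreement on the range is not a proof.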
The deductive system HL (1/4)
A deductive system HL (Hoare Logic) whose formulas are assertions can be used to prove properties of programs.
Definition 11.
Domain axioms: every true formula over the domain(s) of the program variables.
Assignment axiom: ⊢ {p(x){x ← t}} x := t {p(x)}
Composition rule:
  ⊢ {p} S1 {q}    ⊢ {q} S2 {r}
  ----------------------------
        ⊢ {p} S1; S2 {r}
The deductive system HL (2/4)
Alternative rule:
  ⊢ {p ∧ B} S1 {q}    ⊢ {p ∧ ¬B} S2 {q}
  -------------------------------------
     ⊢ {p} if B then S1 else S2 {q}
Loop rule:
        ⊢ {p ∧ B} S {p}
  -------------------------------
  ⊢ {p} while B do S {p ∧ ¬B}
Consequence rule:
  ⊢ p1 → p    ⊢ {p} S {q}    ⊢ q → q1
  ------------------------------------
            ⊢ {p1} S {q1}
The deductive system HL (3/4) Loop rule
        ⊢ {p ∧ B} S {p}
  -------------------------------
  ⊢ {p} while B do S {p ∧ ¬B}
The formula p is called an invariant: it describes the behavior of an execution of the statement S in the while statement.
To prove ⊢ {p0} while B do S {q}:
  We need to find an invariant p
  We need to show that p0 → p is true
  We need to show that ⊢ {p ∧ B} S {p}, the premise of the loop rule
  We need to show that (p ∧ ¬B) → q is true
The most difficult part in proving programs is to find appropriate invariants.
The deductive system HL (4/4) Example of loop rule
while x > 0 do x := x - 1
x = 5 is too strong to be an invariant of the while statement above: it does not survive a single execution of the body.
x ≥ 0 is an invariant: x ≥ 0 ∧ x > 0 implies x ≥ 0 after executing the loop body.
When the loop terminates, x ≥ 0 ∧ ¬(x > 0) is true, i.e. x = 0.
Program verification (1/3)
Use HL to prove the partial correctness of the program:
{true}
x := 0;
{x = 0}
y := b;
{x = 0 ∧ y = b}
while y <> 0 do
  { x = (b-y)·a }
  begin x := x + a; y := y-1 end;
{ x = a·b }
Let the formula x = (b-y)·a be the invariant: {p ∧ y ≠ 0} x := x+a; y := y-1 {p}, where p is x = (b-y)·a.
The postcondition of the loop can be written p ∧ (y = 0), so we can deduce x = a·b.
Program verification (2/3) Total correctness
We have proved only partial correctness. If the initial value of b is negative, the program will not terminate.
We need to strengthen the precondition to b ≥ 0.
Strengthening the precondition will obviously not invalidate the proof of partial correctness, since a stronger precondition simply selects a subset of the set of states for which the computation is correct.
All we need to prove is that the program terminates.
Program verification (3/3)
To show termination, we search for a numeric function whose value decreases with every execution of the loop, and whose value has an invariant lower bound.
The loop must eventually terminate because there cannot be an infinite decreasing sequence greater than the lower bound.
{ x = (b-y)·a ∧ y ≥ 0 ∧ y ≠ 0 } begin x := x + a; y := y-1 end; { x = (b-y)·a ∧ y ≥ 0 }
Since y is decreasing and yet bounded from below by y ≥ 0, the loop must terminate and the program is totally correct.
Program synthesis (1/3)
The most difficult part in proving programs is to find invariants. How to find invariants?
Solution: delete part of the postcondition.
We demonstrate the method by developing two different programs for finding the integer square root of a non-negative integer:
{ 0 ≤ a } S { 0 ≤ x² ≤ a < (x+1)² }
Program synthesis (2/3) Solution
{ 0 ≤ a }
x := ? ;
while B(x, a) do
  { 0 ≤ x² ≤ a }
  x := ? ;
{ 0 ≤ x² ≤ a < (x+1)² }
The postcondition of the while statement is p ∧ ¬B(x,a), so B(x,a) is (x+1)² ≤ a. The loop should terminate, so x should be incremented in every iteration.
Program synthesis (3/3) Solution
We must check the loop invariant {p ∧ B} S {p}:
{ 0 ≤ x² ≤ a ∧ (x+1)² ≤ a } x := x+1 { 0 ≤ x² ≤ a }
The completed program:
{ 0 ≤ a }
x := 0 ;
while (x+1)² ≤ a do
  { 0 ≤ x² ≤ a }
  x := x + 1 ;
{ 0 ≤ x² ≤ a < (x+1)² }
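The proof obligations behind the verification and synthesis slides (invariant established by the initialization, preserved by the body, implying the postcondition on exit; variant bounded below and strictly decreasing) can be mechanically checked on a bounded domain. The following Python is an added example, not code from the slides or from Ben-Ari: it runs those five checks for the multiplication program and for the synthesized integer square root. The strengthened square-root invariant 0 ≤ x ∧ x² ≤ a and the variant a − x² are my additions; the slides' invariant 0 ≤ x² ≤ a is enough for partial correctness but, as the check shows, not for termination when x is allowed to be negative.

```python
"""Proof obligations for  {pre} init; while B do S {q}  with invariant I
and an optional termination function t, checked by exhaustive evaluation
over a bounded integer domain.  Formulas are functions state -> bool;
straight-line code is a function state -> state (a dict of ints).

  init:      pre -> I holds after running the initialization
  preserve:  {I and B} S {I}                 (premise of the loop rule)
  post:      (I and not B) -> q
  bounded:   I -> t >= 0                     (invariant lower bound)
  decrease:  {I and B} S {t < old t}         (t decreases every iteration)

The first three give partial correctness, the last two add termination.
A bounded check can only refute: a clean run is evidence, not a proof.
"""
from itertools import product


def loop_obligations(pre, init, B, body, I, q, variables, bound=6, variant=None):
    """Map each violated obligation to the first counterexample state found."""
    failures = {}
    for values in product(range(-bound, bound + 1), repeat=len(variables)):
        s = dict(zip(variables, values))
        if pre(s) and not I(init(s)):
            failures.setdefault("init", s)
        if not I(s):
            continue                      # remaining obligations assume I
        if B(s):
            s2 = body(s)
            if not I(s2):
                failures.setdefault("preserve", s)
            if variant is not None and not variant(s2) < variant(s):
                failures.setdefault("decrease", s)
        elif not q(s):
            failures.setdefault("post", s)
        if variant is not None and variant(s) < 0:
            failures.setdefault("bounded", s)
    return failures


def multiplication_checks(bound=6):
    """x := 0; y := b; while y <> 0 do x := x+a; y := y-1  (verification slides)."""
    init = lambda s: {**s, "x": 0, "y": s["b"]}
    body = lambda s: {**s, "x": s["x"] + s["a"], "y": s["y"] - 1}
    B = lambda s: s["y"] != 0
    q = lambda s: s["x"] == s["a"] * s["b"]
    inv = lambda s: s["x"] == (s["b"] - s["y"]) * s["a"]     # invariant from the slides
    inv_total = lambda s: inv(s) and s["y"] >= 0             # strengthened for termination
    variant = lambda s: s["y"]
    V = ("a", "b", "x", "y")
    return {
        # partial correctness from precondition true
        "partial": loop_obligations(lambda s: True, init, B, body, inv, q, V, bound),
        # same invariant with variant y: fails, y has no lower bound when b < 0
        "weak_total": loop_obligations(lambda s: True, init, B, body, inv, q, V, bound, variant),
        # precondition b >= 0 plus y >= 0 in the invariant: total correctness
        "total": loop_obligations(lambda s: s["b"] >= 0, init, B, body, inv_total, q, V, bound, variant),
    }


def isqrt_checks(bound=6):
    """x := 0; while (x+1)^2 <= a do x := x+1  (synthesis slides)."""
    init = lambda s: {**s, "x": 0}
    body = lambda s: {**s, "x": s["x"] + 1}
    B = lambda s: (s["x"] + 1) ** 2 <= s["a"]
    pre = lambda s: 0 <= s["a"]
    q = lambda s: 0 <= s["x"] ** 2 <= s["a"] < (s["x"] + 1) ** 2
    inv = lambda s: 0 <= s["x"] ** 2 <= s["a"]               # invariant from the slides
    inv_total = lambda s: 0 <= s["x"] and s["x"] ** 2 <= s["a"]  # assumed here, not from the slides
    variant = lambda s: s["a"] - s["x"] ** 2                 # assumed termination function
    V = ("a", "x")
    return {
        "partial": loop_obligations(pre, init, B, body, inv, q, V, bound),
        # a - x^2 does not decrease when x < 0, which 0 <= x^2 <= a permits
        "slide_total": loop_obligations(pre, init, B, body, inv, q, V, bound, variant),
        "total": loop_obligations(pre, init, B, body, inv_total, q, V, bound, variant),
    }


if __name__ == "__main__":
    for program, results in (("a*b", multiplication_checks()), ("isqrt", isqrt_checks())):
        for name, failures in results.items():
            print(f"{program:6s} {name:12s} {failures or 'all obligations hold'}")
```

The two failing configurations are the instructive ones: "weak_total" reports a state with y < 0 satisfying x = (b−y)·a, which is exactly why the slides strengthen the precondition to b ≥ 0 and carry y ≥ 0 in the invariant, and "slide_total" reports a negative x for which a − x² grows after x := x+1. Both disappear once the invariant records what the initialization actually guarantees.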
References
Mordechai Ben-Ari, Mathematical Logic for Computer Science.
Michael Huth and Mark Ryan, Logic in Computer Science.