Programs: Semantics and Verification

1/22 Programs : Semantics and Verification Charngki Hong @ PSWLAB

Programs:Semantics and Verification

Mordechai Ben-AriMathematical Logic for Computer Science


Table of Contents

Introduction Semantics of programming language

Weakest precondition The deductive system HL Program verification

Total correctness Program synthesis References


Introduction The syntax of programming language is spec-

ified using formal systems such as BNF, but the semantics is usually informally specified Example :

The formal BNF syntax of an if-statement if-statement ::= if expression then statement [else state-

ment] But its semantics is described informally

The boolean expression is evaluated. If true, the statement following then is executed, otherwise the statement follow-ing else is executed.

If the semantics is informally defined there is no formal way of determining the validity or correctness of a program.


Semantics of programming language (1/8) A statement in a programming language is

considered to be a function that transforms the state of computation. If the variables (x,y) = (8,7) in a state s, then the

result of executing the statement x := 2*y+1 is the state s’ in which (x,y) = (15,7)

Definition 1. Let U be the set of all n-tuples of values over some

domain, and let U’ µ U. PU’(x1, … , xn), the charac-teristic predicate of U’, is defined so that U’ = { (x1,…,xn) 2 U | P U’ (x1,…,x

n) }


Semantics of programming language (2/8) Example of def.1

Let U be the set of 2-tuples over Z and let U’ µ U be the 2-tuples described in the following table

……(-2,-3), (-2,-2), (-2, -1), (-2,0), (-2,1), (-2,2), (-2,3)…(-1,-3), (-1,-2), (-1, -1), (-1,0), (-1,1), (-1,2), (-1,3)… (0,-3), (0,-2), (0, -1), (0,0), (0,1), (0,2), (0,3)… (1,-3), (1,-2), (1, -1), (1,0), (1,1), (1,2), (1,3)

… The characteristic predicate of U’ is (x1 = x1) Æ (x2

· 3)


Semantics of programming language (3/8) Definition. 2

An assertion is a triple {p} S {q}, where S is a program, and p and q are formulas in the predi-cate calculus called the precondition and postcon-dition, respectively.

An assertion is true, denoted ² {p} S {q}, iff: if S is started in a state satisfying p and if this computa-tion of S terminates, then the computation termi-nates in a state satisfying q.

If ² {p} S {q}, then S is said to be partially correct with respect to p and q

Assertions are also called Hoare triples Example

² { y · 3} x:= 2*y+1 {(x · 7) Æ (y·3)}


Semantics of programming language (4/8) Weakest preconditions

Definition 3. A formula A is weaker than formula B if B ! A. Given a

set of formulas {A1, A2,…An}, Ai is the weakest formula in the set if Aj ! Ai for all j.

Definition 4. For program S and formula q, wp(S,q), the weakest

precondition of S and q, is the weakest formula p such that ² {p} S {q}

Example y · 3 is weaker than y = 1 Ç y = 3 wp(x:=2*y+1, (x·7)Æ(y·3)) = y·3


Semantics of programming language (5/8) Lemma 5.

² {p} S {q} if and only if ² p ! wp( S, q ) Definition 6.

wp( x := t, p(x) ) = p(x) { x Ã t } Example

wp( y := y-1 , y ¸ 0 ) = ( y-1¸ 0 ) = ( y ¸ 1) Definition 7.

wp( S1; S2, q ) = wp( S1, wp(S2, q) )


Semantics of programming language (6/8) Examples of def. 7

1. wp(x := x+1; y := y+2, x < y) = wp(x := x+1, wp(y :=y+2, x < y ))

= wp(x := x+1, x < y+2) = x +1 < y+2 ≡ x < y+1

2. wp( x := x+a; y := y-1, x = (b-y)·a )= wp( x := x+a, wp(y := y-1, x = (b-y)·a))= wp( x := x+a, x = (b–y+1)·a)= x + a = ( b – y + 1)·a≡ x = (b-y)·a


Semantics of programming language (7/8) Definition 8.

A predicate I is an invariant of S iff wp( S, I ) = I Definition 9.

if-statement wp(if B then S1 else S2, q) = (B ! wp(S1, q)) Æ (:B !

wp(S2, q)) Definition 10.

while-statement wp(while B do S, q) = (: B ! q) Æ (B ! wp(S; while B do S,

q))


Semantics of programming language (8/8) If-statement

wp(if y=0 then x := 0 else x := y+1, x=y)= ( y=0 ! wp(x :=0, x=y)) Æ ( y 0 ! wp(x := y+1,

x=y))≡ ((y=0) ! (y=0)) Æ ((y 0) ! (y+1 = y)) ≡ true Æ ((y 0) ! false)≡ : ( y 0 )≡ y = 0

While-statement You’ll see many of this examples later.


The deductive system HL (1/4) A deductive system HL (Hoare Logic) whose

formulas are assertions can be used to prove properties of programs

Definition 11. Domain axioms

Every true formula over the domain(s) of the program variables

Assignment axiom ` {p(x) {x Ã t }} x := t {p(x)}

Composition rule

` f pgS1f qg ` f qgS2f r g` f pgS1;S2f rg


The deductive system HL (2/4) Alternative rule

Loop rule

Consequence rule

` f p^B gS1f qg ` f p :̂ B gS2f qg` f pgi f B then S1 else S2 f qg

` f p^B gSf pg` f pgwhi le B do S f p :̂ B g

` p1! p ` f pg S f qg ` q! q1` f p1gSf q1g


The deductive system HL (3/4) Loop rule

the formula p is called an invariant: it describes the behavior of an execution of the statement S in the while statement

To prove ` {p0} while B do S {q}

We need to find an invariant We need to show that p0 ! p is true We need to show that (p Æ : B) ! q is true

The most difficult part in proving programs is to find appropriate invariants

` f p^B gSf pg` f pgwhi le B do S f p :̂ B g


The deductive system HL (4/4) Example of loop rule

x = 5 is too strong to be an invariant of above while statement

x ¸ 0 is an invariant x ¸ 0 Æ x > 0 implies x ¸ 0 after executing the loop

body loop terminates if x¸ 0 Æ :(x>0) is true

while x > 0 do x := x - 1


Use HL to prove the partial correctness of the program

Let the formula x = (b-y) ·a be the invariant { p Æ y 0 } x : = x+a; y := y-1 {p}, where p is x =

(b-y) ·a Postcondition of the loop can be written p Æ (y =

0) so we can deduce x = a · b

Program verification (1/3)

{true}x := 0;{x = 0}y := b;{x = 0 Æ y = b}while y <> 0 do

{ x = (b-y)·a }begin x := x + a; y := y-1 end;

{ x = a·b }


Program verification (2/3) Total correctness

We have proved only partial correctness If the initial value of b is negative, the program will

not terminate We need to strengthen the precondition b ¸ 0

Strengthening the precondition will obviously not invalidate the proof of partial correctness, since a stronger precondition simply selects a subset of the set of states for which the computation is cor-rect

All we need to prove is that the program termi-nates


Program verification (3/3) To show termination, we search for a numeric

function whose value decreases with every execution of the loop, and whose value has an invariant lower bound.

The loop must eventually terminate because there can not be an infinite decreasing se-quence greater than the lower bound.

Since y is decreasing and yet bounded from below by y ¸ 0, the loop must terminate and the program is totally correct.

{ x = (b-y)·a Æ y ¸ 0 Æ y 0}begin x := x + a; y := y-1 end;{x = (b-y)·a Æ y ¸ 0}


Program synthesis (1/3) The most difficult part in proving program is to

find invariants How to find invariants?

Solution delete part of postcondition

We demonstrate the method by developing two different programs for finding the integer square root of a non-negative integer: { 0 · a } S { 0 · x2 · a < (x+1)2 }


Program synthesis (2/3) Solution

{ 0 · a }x := ? ;while B(x, a) do

{ 0 · x2 · a }x := ? ;

{0 · x2 · a < (x+1)2 }

the postcondition of the while statement is p Æ : B(x,a), so B(x,a) is (x+1)2 · athe loop should be ter-minated,so x should be incre-mented in every itera-tion


Program synthesis (3/3) Solution

We must check the loop invariant { p Æ B } S {p} { 0 · x2 · a Æ (x+1)2 · a } x := x+1 { 0 · x2 · a }

{ 0 · a }x := ? ;while B(x, a) do

{ 0 · x2 · a }x := ? ;

{0 · x2 · a < (x+1)2 }

{ 0 · a }x := 0 ;while (x+1)2 · a do

{ 0 · x2 · a }x := x + 1 ;

{0 · x2 · a < (x+1)2 }


References Mathematical logic for computer science,

Mordechai Ben-Ari Logic in computer science, Michael Huth and

Mark Ryan

Programs: Semantics and Verification

Documents

Transcript of Programs: Semantics and Verification