Axiomatic Semantics

Post on 13-Jan-2016


CSE 755, part 3

Axiomatic Semantics

Will consider axiomatic semantics (A.S.) of IMP:

  ::= skip | | | | ; | |

Only integer vars; no procedures/fns; vars declared implicitly.

References: Kurtz (ch. 11); Pagan (ch. 4.3)

Summary: For each type of , will define its a.s. via an axiom or rule of inference (or just rule). Using these, will be able to show (i.e., derive) that a given program behaves according to its specification.

Preliminaries

State: The state of a program P is a function that maps the program variables of P to their values in that state.

Example: ; or: (x) = 1; (y) = 2; (z) = 3 (assuming P has 3 program variables, x, y, z)

Usually have to deal with a set of states: {, , }

Better: Specify an assertion (or predicate, or condition) satisfied by all the states in that set and no others: [ (x = 1) (y = 2) (1 z 3) ]

Important: Assertion  Set of states that satisfy the assertion

Assertions/sets of states

[ (x = 1) (1 y 5) (1 z 10) ] : set with 50 states
[ (x = 1) (y = 2) ] : an infinite set
[ (x = 1) (1 y 5) ] : an 'even bigger' set
[ x = y + z ] : ...
[ x = x ] : the set of all states (true)
[ x x ] : the empty set (false)

Assertions/sets of states

Convention: p  P (p is an assertion; P the corresponding set of states)
[p q]  P Q
[p q]  P Q
[ p ]  P (or, rather, "P bar"; i.e., U P; U: universal set)

Assertions/sets of states (contd.)

"" (implication) can be thought of as a relation between two assertions:
[p q] : [P Q]
[p true] : [P U]
[false p] : [ P]

Can also think of "" as a single assertion:
[p q] : (p q)

Thus:
[p true] : true
[false p] : true
[p p] : true (??)
[p p] : false (??)
[(x 1) (x = 2)] : ??

* The context will tell us whether to think of implication as a relation between assertions or as a single assertion.

Assertions (contd.)

"x < y" is a syntactic entity when it appears in a program. Elsewhere it is an assertion (satisfied by some states and not others).

A state satisfies the assertion x < y if (and only if) (x) is less than (y).

Notation: |= (x < y) : " satisfies (x < y)"

Key Notation

The result {p} S {q} (where p, q are assertions and S is a statement) is operationally valid if: if we start execution of S in any state in P, the final state when S finishes execution will belong to Q.

Examples:
{x = 1} skip {x = 1} : (operationally) valid
{(x=1) (y=2)} skip {x = 1} : valid
{x = 1} skip {(x=1) (y=2)} : invalid (op. invalid)
{x = 1} skip {(x=1) (y=2)} : valid
{(x=1) (y=2)} skip {x = 1} : ??
{(x=1) (y=2)} skip {true} : ??
{(x=1) (y=2)} skip {false} : ??

"Results" (contd.)

{(x=1) (y=2)} x := x+1 {(x=2) (y=2)} : valid
{(x=1) (y=2)} x := x+1 {(x = y)} : valid
{(u=1) (v=2)} x := x+1 {(v = u+1)} : ??
{x=0} while (x < 10) do x := x+1 end {x=10} : valid

What if the loop doesn't terminate?
{x 0} while (x < 10) do x := x+1 end {x=10} : ??
{x 0} while (x < 10) do x := x+1 end {x 10} : ??

"Results" (contd.)

{ p } S { q } is a partial correctness result. It is valid if it is the case that: if we start execution of S in any state in P, and if the execution terminates, then the final state satisfies q.

{x = 0} while (x 10) do x := x+1 end {x = 10} : valid
{true} while (x 10) do x := x+1 end {x = 10} : also valid

Axiomatic semantics provides a non-operational approach, in the form of a set of axioms and rules of inference, using which we can 'axiomatically derive' our results.

Terminology (*important*!)

Assertion: may be satisfied or not satisfied by a particular state
Result: may be valid or invalid in a given (operational) model
Result: may be derivable or not derivable in a given axiom system

Some meaningless statements:
"{p} S {q} is true" (note: true is a particular assertion)
"{p} S {q} is valid for some states"
"(The assertion) p is not valid"

Relation Between A.S. & Model

If a given result is derivable in a given axiom system A, will it be valid in an operational model M? Not necessarily.

Soundness (also "consistency"): An axiom system A is sound/consistent with model M if every result derivable using the axioms/rules of A is valid in M; i.e.:
  |-A {p} S {q}    |=M {p} S {q}

Completeness: An axiom system A is complete with respect to model M if every result that is valid in M is derivable using the axioms/rules of A:
  |=M {p} S {q}    |-A {p} S {q}

Axiomatic Semantics of IMP

A.S.: A collection of "axioms" and "rules of inference" ("rules") specified using the same {p} S {q} notation.

A0: skip axiom
  { p } skip { p }    where p is any assertion

Using this, can derive:
  { (x = 1) (y = 2) } skip { (x = 1) (y = 2) }
by taking p to be the assertion (x = 1) (y = 2) and using A0.

Cannot derive: { (x = 1) } skip { (x = 1) (y = 2) }    which is good (why?)
Cannot derive: { (x = 1) (y = 2) } skip { (x = 1) }    which is bad (why?)

Axiomatic Semantics of IMP

R0: Rule of Consequence:
  { p } S { q' },  q'  q
  -------------------------------
  { p } S { q }
(p, q, q': any assertions; S: any stmt)

Using R0 (and A0) we can derive:
  { (x = 1) (y = 2) } skip { (x = 1) }

Another form of the rule of consequence:
  p  p',  { p' } S { q }
  -------------------------------
  { p } S { q }
(p, q, p': any assertions; S: any stmt)

Consider other forms of consequence (including inconsistent ones?)

Axiomatic Semantics of IMP (contd.)

A1. Assignment axiom:
  { p[x/e] } x := e { p }
where p is any assertion; p[x/e] (written on the slides with x and e as sub-/superscripts of p) is obtained from p by (simultaneously) replacing all occurrences of x in p by e.

We can derive:
  { x+1 = y+z } x := x+1 { x = y+z }    (take p to be x = y+z)
  { y+z 0 } x := y+z { x 0 }    (take p to be x 0)
  { y+z = y+z } x := y+z { x = y+z }    (take p to be x = y+z)

Operational justification: If we want the state following the assignment to satisfy p, the state before it should satisfy the same assertion, except with the value of e satisfying the conditions expected of the value of x.

Axiomatic Semantics of IMP (contd.)

Caution: In axiomatic derivations, you are only allowed to use the axioms and rules of the system; no appeals to operational intuitions. If you make such appeals, you have an operational argument, not an axiomatic derivation.

Summary: The axiomatic semantics of a language consists of:
  an axiom for each atomic statement,
  a rule (of inference) for each compound statement,
  + logical rules.

Axiomatic Semantics of IMP (contd.)

R1: Sequential Composition:
  { p } S1 { q' },  { q' } S2 { q }
  ----------------------------------------
  { p } S1; S2 { q }
(p, q', q: any assertions; S1, S2: any stmts.)

Using this, the skip axiom, and the assignment axiom, we can derive:
  { x+1 = y+z } skip; x := x+1 { x = y+z }

Operational justification: If the state before S1 starts execution satisfies p, then { p } S1 { q' } guarantees that the state when S1 finishes will satisfy q'; hence { q' } S2 { q } guarantees that the state when S2 finishes will satisfy q; hence the conclusion of the rule follows given these two results.

Caution: In (axiomatic) derivations, no appeals to operational intuitions!

Axiomatic Semantics of IMP (contd.)

write e    (out := out ^ e)

A2. write axiom:
  { p[out / out^e] } write e { p }    (where p is any assertion)

read x    (x := head(in); in := tail(in))
  { (p[in/tail(in)])[x/head(in)] }
  x := head(in);
  { p[in/tail(in)] }
  in := tail(in)
  { p }

Axiomatic Semantics of IMP (contd.)

Problem: Derive the following result (axiomatically):
  { (in = ) (out = ) }
  read x; read y; write (x+y);
  { out = }

Derivation (or "proof") outline:
  { (in = ) (out = ) }
    (rule of cons.)
  { out^(head(in) + head(tail(in))) = }
    (read axiom)
  read x;
  { out^(x + head(in)) = }
    (read axiom)
  read y;
  { out^(x + y) = }
    (write axiom)
  write (x+y);
  { out = }

Axiomatic Semantics of IMP (contd.)

R2: If-then-else:
  { p b } S1 { q },  { p b } S2 { q }
  --------------------------------------------------
  { p } if b then S1 else S2 { q }

Operational justification: Suppose we start in a state in P. There are two ways to proceed: if b, execute S1; if not, execute S2. In either case, the hypotheses (assuming they are valid) guarantee that the final state will satisfy q. Hence the conclusion follows.

Caution: In (axiomatic) derivations, no appeals to operational intuitions!

Axiomatic Semantics of IMP (contd.)

Problem: Derive the following result (axiomatically):
  { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }

1. { (y = 1) (y = 1) } x := 1 { x = 1 }    (by Ass. ax., rule of conseq.)
2. { 2 = 1 } x := 2 { x = 1 }    (by Ass. ax., rule of conseq.)
3. { (y = 1) (y 1) } x := 2 { x = 1 }    (by (2), rule of conseq.)
4. { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }    (by (1), (3), and the if-then-else rule)

Derive:
  { true } if (y = 1) then x := 1 else x := 2 { (x = 1) (x = 2) }
  { true } if (y = 1) then ... { [(y=1) (x = 1)] [(y 1) (x = 2)] }
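As an added example (not from the lecture notes), the following Python mechanises the backward-reasoning used in the derivations above: A0, A1 and R1 exactly as stated, and R2 in its weakest-precondition form (R2 combined with the rule of consequence), together with an operational model over a constructed finite state space, so the derived results can be checked for validity on the slides' own examples. Assertions are written as Python expressions ('==' for the slides' '=').

```python
# Added example, not from the slides: a weakest-precondition calculator for the IMP
# fragment skip / assignment / sequence / if-then-else (axioms A0, A1, rules R1, R2),
# plus an operational check of what it derives. Assertions and expressions are
# strings in Python syntax ('==' for the slides' '=', 'and'/'or'/'not' as connectives).
import ast

def subst(p: str, x: str, e: str) -> str:
    """p[x/e]: simultaneously replace every occurrence of variable x in p by e.
    Done on the AST, so a variable named 'xy' or a constant is never touched."""
    e_node = ast.parse(e, mode="eval").body
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return e_node if node.id == x else node
    return ast.unparse(Sub().visit(ast.parse(p, mode="eval")).body)

# Statements: ("skip",), ("assign", x, e), ("seq", S1, S2), ("if", b, S1, S2)
def wp(stmt, q: str) -> str:
    """Push postcondition q backwards through stmt; {wp(stmt, q)} stmt {q} is derivable."""
    kind = stmt[0]
    if kind == "skip":                    # A0: {p} skip {p}
        return q
    if kind == "assign":                  # A1: {q[x/e]} x := e {q}
        return subst(q, stmt[1], stmt[2])
    if kind == "seq":                     # R1: {p} S1 {q'}, {q'} S2 {q}
        return wp(stmt[1], wp(stmt[2], q))
    if kind == "if":                      # R2 together with the rule of consequence
        _, b, s1, s2 = stmt
        return f"(({b}) and ({wp(s1, q)})) or (not ({b}) and ({wp(s2, q)}))"
    raise ValueError(f"unknown statement {kind}")

def run(stmt, st: dict) -> dict:
    """Operational model M: execute stmt on a state (variable name -> integer)."""
    kind = stmt[0]
    if kind == "skip":
        return st
    if kind == "assign":
        return {**st, stmt[1]: eval(stmt[2], {}, st)}
    if kind == "seq":
        return run(stmt[2], run(stmt[1], st))
    return run(stmt[2] if eval(stmt[1], {}, st) else stmt[3], st)

def valid(p: str, stmt, q: str, states) -> bool:
    """Operational validity of {p} stmt {q} over a finite set of start states (these
    statements always terminate, so partial and total correctness coincide)."""
    return all(eval(q, {}, run(stmt, s)) for s in states if eval(p, {}, s))

# Constructed state space: every state with x, y, z in 0..3.
STATES = [{"x": x, "y": y, "z": z} for x in range(4) for y in range(4) for z in range(4)]
```

For instance, wp(("assign", "x", "x + 1"), "x == y + z") returns "x + 1 == y + z", the precondition the assignment axiom gives on the slides, and valid(...) confirms it against every start state in STATES.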

Axiomatic Semantics of IMP (contd.)

R3: while rule:
  p  q,  { q b } S { q },  (q b)  r
  -------------------------------------------------------
  { p } while b do S { r }

The following rule, given the rule of conseq., is equivalent:
  { q b } S { q },
  ---------