lecture 04 java
8/12/2019 Lecture 04 java
COMP2111 Lecture 4b, Session 1, 2013
Hoare Logic
Kai Engelhardt
Revision: 1.1
A Toy Language Syntax
Let us add assignments and guards as basic statements, and some form of loops (or recursion) to our imperative, sequential toy language.
P P ::= x := e | P ; P | P + P | | P
Expr e ::= 0 | 1 | . . . | x | . . . | e + e | e e | . . .
BoolExpr ::= true | | | . . . | e < e | . . .
The above definitions are geared towards simplicity. When programming, we tend to use more familiar constructs such as while do P od for (; P ); and if then P else Q for (; P ) + ( ; Q ).
The Types of Semantic Functions
We introduce a family of functions from syntactic entities (programs, arithmetic expressions, and Boolean expressions) to semantic entities.
[[.]] : P P ( )
E [[.]] : Expr V
B [[.]] : BoolExpr P ()
A Denotational Semantics for P
Let s, t , x Var, e, f Expr, , BoolExpr, and P, Q P. Define Q^0 = true and Q^(i+1) = Q^i ; Q, for i N.
(s, t) [[x := e]] iff t = s[x E[[e]]s]
(s, t) [[P ; Q]] iff u ((s, u) [[P]] (u, t) [[Q]])
[[P + Q]] def= [[P]] [[Q]]
(s, t) [[]] iff t = s s B[[]]
[[P ]] def= i N [[P^i]]
where f[a b] denotes the function that is the same as f, except for its value for the argument a, which is b.
Denotational semantics for Expr and BoolExpr
E[[0]]s def= 0 (I)
E[[1]]s def= 1 (I)
E[[x]]s def= s(x)
E[[e + f]]s def= E[[e]]s + (I) E[[f]]s
E[[e f]]s def= E[[e]]s (I) E[[f]]s
B[[true]] def=
B[[]] def= \ B[[]]
B[[ ]] def= B[[]] B[[]]
s B[[e < f]] iff E[[e]]s < (I) E[[f]]s
In the above, I've decorated some entities on the RHS with (I) to indicate that they are semantic objects rather than syntax, even though they look the same as some syntactic entities on the LHS. For instance, the symbol on the left is part of the alphabet used to form arithmetic expressions, and the symbol (I) represents the multiplication function known from maths.
Reasoning about sequential programs
Predicates on states suffice to express interesting properties of sequential programs. Hoare logic allows one to formally derive properties from the program text.
The Hoare triple {} P {} means: if program P is started in an initial state satisfying precondition and P terminates, then the final state satisfies postcondition .
Example: {y = 22} x := y 17 {x = 5}
Syntax vs Semantics
On the syntactic level, we may axiomatize Hoare logic by giving a set of rules and axioms characterizing Hoare triples.
On the semantic level, we may define mathematically what it means for a Hoare triple to be valid.
Axioms and Rules
The assignment axiom (ass):
{[e / x]} x := e {}
where [e / x] is with x substituted by e,
e.g. (x = 5)[y 17 / x] is y 17 = 5.
The guard axiom (grd):
{ } {}
Axioms and Rules (cont'd)
The sequential composition rule (seq):
  {} P {} , {} Q {}
  ------------------
  {} P ; Q {}
The choice rule (choice):
  {} P {} , {} Q {}
  ------------------
  {} P + Q {}
The while rule (loop):
  { } P {}
  ------------------
  {} while do P od { }
The consequence rule (cons):
  , {} S {} ,
  ------------------
  { } S { }
Trivial Example Proof
{y 17 = 5} x := y 17 {x = 5}   by ass   (1)
{y = 22} x := y 17 {x = 5}   by cons, math, (1)   (2)
where math is used to justify y = 22 y 17 = 5.
Backing up with Semantics
To see whether our axiom and rules are any good, we need to give a formal interpretation to Hoare triples. {} P {} is valid if the relational image of through P is contained in :
{ : B[[]] ((, ) [[P]])} B[[]]
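The semantic clauses of slides 4 and 5 and the validity condition just stated, as an added Python example that is not part of the original slides: [[P]] is computed as the relational image of a finite, constructed sample of states, the star as a fixed-point iteration over the Q^i, and `valid` checks a triple exactly as defined above. The tuple encoding of the syntax, the `freeze` representation of states, and counting "-" and "=" among the slides' "..." cases are my assumptions.

```python
# Added example, not from the slides: the toy language's denotational semantics as
# relational images over a constructed finite state sample, plus the semantic validity
# check for Hoare triples. Assumes tuple-encoded syntax and "-", "=" from the slides' "...".

def E(e, s):
    """E[[e]]s: arithmetic expression e evaluated in state s (a dict)."""
    if e[0] == 'num': return e[1]
    if e[0] == 'var': return s[e[1]]
    a, b = E(e[1], s), E(e[2], s)
    return {'+': a + b, '*': a * b, '-': a - b}[e[0]]

def B(b, s):
    """s in B[[b]]: Boolean expression b as a predicate on state s."""
    if b[0] == 'true': return True
    if b[0] == 'not': return not B(b[1], s)
    if b[0] == 'and': return B(b[1], s) and B(b[2], s)
    l, r = E(b[1], s), E(b[2], s)
    return l < r if b[0] == '<' else l == r

def freeze(s): return tuple(sorted(s.items()))   # hashable state representation

def image(P, states):
    """{t : (s, t) in [[P]] for some s in states}, one clause per slide rule."""
    tag = P[0]
    if tag == 'assign':                          # t = s[x -> E[[e]]s]
        return {freeze({**dict(s), P[1]: E(P[2], dict(s))}) for s in states}
    if tag == 'seq':                             # relational composition
        return image(P[2], image(P[1], states))
    if tag == 'choice':                          # [[P]] union [[Q]]
        return image(P[1], states) | image(P[2], states)
    if tag == 'guard':                           # t = s and s in B[[b]]
        return {s for s in states if B(P[1], dict(s))}
    seen, frontier = set(states), set(states)    # star: union of [[P^i]], P^0 = identity,
    while frontier:                              # iterated to a fixed point (terminates only
        frontier = image(P[1], frontier) - seen  # if finitely many states are reachable)
        seen |= frontier
    return seen

def while_(b, P):                                # while b do P od  is  (b; P)*; not b
    return ('seq', ('star', ('seq', ('guard', b), P)), ('guard', ('not', b)))

def valid(phi, P, psi, states):
    """{phi} P {psi} is valid iff the image of B[[phi]] through [[P]] lies in B[[psi]]."""
    pre = {s for s in states if B(phi, dict(s))}
    return all(B(psi, dict(t)) for t in image(P, pre))

# Constructed sample of states (x, y in -3..29) and the slides' trivial example.
STATES = {freeze({'x': x, 'y': y}) for x in range(-3, 30) for y in range(-3, 30)}
X, Y = ('var', 'x'), ('var', 'y')
TRIVIAL = ('assign', 'x', ('-', Y, ('num', 17)))       # x := y - 17
COUNT_UP = while_(('<', X, ('num', 5)), ('assign', 'x', ('+', X, ('num', 1))))
```

`valid(('=', Y, ('num', 22)), TRIVIAL, ('=', X, ('num', 5)), STATES)` confirms the slides' example triple over the sample, and `valid(('true',), COUNT_UP, ('=', X, ('num', 5)), STATES)` is refuted by any sample state with x above 5, which the loop leaves untouched.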
Soundness and Completeness
Our proof system is sound (w.r.t. the semantics hinted at) because one can deduce only valid Hoare triples with it. Our proof system is complete (w.r.t. the semantics hinted at) if one can deduce all valid Hoare triples with it.
NB: As soon as we have (Peano) arithmetic over integers available in our assertion language, our system can hardly be complete. All one may hope for is relative completeness in the sense of Cook, i.e., completeness using an oracle for theorems from arithmetic. All this should be taught but isn't.