Axiomatic semantics Points to discuss The assignment statement
- Slides: 58
Axiomatic semantics Points to discuss: • • • The assignment statement Statement composition The "if-then-else" statement The "while" statement Narrowing and widening Termination Two diversions The greatest common divisor The "if-then" statement CSI 3120, Axiomatic Semantics, page 1
Program verification includes two steps. 1. Associate a formula with every meaningful step of the computation. 2. Show that the final formula logically follows from the initial one through all intermediate steps and formulae. CSI 3120, Axiomatic Semantics, page 2
What is axiomatic semantics? • Axiomatic semantics of assignments, compound statements, conditional statements, and iterative statements has been developed by Professor C. A. R. Hoare. • The elementary building blocks are the formulae for assignments and conditions. • The effects of other statements are described by inference rules that combine formulae for assignments (just as statements themselves are combinations of assignments and conditions). CSI 3120, Axiomatic Semantics, page 3
The assignment statement Let be a logical formula that contains variable v. v e is a formula which we get from when we replace all occurrences of variable v with expression e. CSI 3120, Axiomatic Semantics, page 4
Replacement, an example Before replacement: h >= 0 & h <= n & n > 0 h 0 0 >= 0 & 0 <= n & n > 0 after replacement CSI 3120, Axiomatic Semantics, page 5
Another example m == min( 1 <= i & i <= k– 1: ai ) & k– 1 <= N k k+1 m == min( 1 <= i & i <= (k+1) – 1: ai ) & (k+1)– 1 <= N m == min( 1 <= i & i <= k: ai ) & k <= N CSI 3120, Axiomatic Semantics, page 6
The axiom for the assignment statement { v e } v = e { } Example: { 0 >= 0 & 0 <= n & n > 0 } x = 0; { x >= 0 & x <= n & n > 0 } CSI 3120, Axiomatic Semantics, page 7
Two small puzzles { ? ? ? } z = z + 1; { z <= N } { a > b } a = a – b; { ? ? ? } CSI 3120, Axiomatic Semantics, page 8
Statement composition ASSUME THAT { ´ } S ´ { ´´ } and { ´´ } S ´´ { ´´´ } CONCLUDE THAT { ´ } S ´´ { ´´´ } In other words: { ´ } S ´ { ´´ } S ´´ { ´´´ } CSI 3120, Axiomatic Semantics, page 9
A more complicated example x = 0; f = 1; while (x != n) { x = x + 1; f = f * x; } We want to prove that { f == x! } x = x + 1; f = f * x; { f == x! } CSI 3120, Axiomatic Semantics, page 10
The factorial Let's apply the inference rule for composition. ´ is f == x! ´´´ is f == x! S ´ is x = x + 1; S ´´ is f = f * x; CSI 3120, Axiomatic Semantics, page 11
The factorial (2) We need to find a ´´ for which we can prove: { f == x! } x = x + 1; { ´´ } f = f * x; { f == x! } Observe that f == x! f == ((x + 1) – 1)! and therefore f == (x – 1)! x x + 1 f == x! That is: { f == x! } x = x + 1; {f == (x – 1)! } ´ S ´ ´´ CSI 3120, Axiomatic Semantics, page 12
The factorial (3) Now, let us observe that f == (x – 1)! f * x == (x – 1)! * x == x! So, we have f == x! f f * x f == (x – 1)! That is, {f == (x – 1)! } f = f * x; {f == x! } ´´ S ´´ ´´´ QED CSI 3120, Axiomatic Semantics, page 13
The "if-else" statement ASSUME THAT { & } S´ { } and { & } S´´ { } CONCLUDE THAT { } if ( ) S ´ else S ´´ { } Both paths through the if-else statement establish the same fact . That is why the whole conditional statement establishes this fact. CSI 3120, Axiomatic Semantics, page 14
"if-else", an example The statement if ( a < 0 ) b = -a; else b = a; makes the formula b == abs(a) true. Specifically, the following fact holds: {true} if ( a < 0 ) b = -a; else b = a; { b == abs(a) } Here: is true is b == abs(a) is a < 0 Also: S´ is b = -a; S´´ is b = a; CSI 3120, Axiomatic Semantics, page 15
"if-else", an example (2) We will consider cases. First, we assume that is true: true & a < 0 – a == abs(a) Therefore, by the assignment axiom: {– a == abs(a)} b = -a; {b == abs(a)} Similarly, when we assume , we get this: true & a < 0 a 0 a == abs(a) Therefore: {a == abs(a)} b = a; {b == abs(a)} CSI 3120, Axiomatic Semantics, page 16
"if-else", an example (3) This shows that both S´ and S´´ establish the same condition: b == abs(a) Our fact has been proven: {true} if ( a < 0 ) b = -a; else b = a; { b == abs(a) } In other words, our conditional statement computes abs(a). It does so without any preconditions: "true" means that there are no restrictions on the initial values of a and b. CSI 3120, Axiomatic Semantics, page 17
The "while" statement A loop invariant is a condition that is true immediately before entering the loop, stays true during its execution, and is still true after the loop has terminated. ASSUME THAT { & } S { } [That is, S preserves . ] CONCLUDE THAT { } while ( ) S { & } provided that the loop terminates. CSI 3120, Axiomatic Semantics, page 18
The factorial again. . . x = 0; f = 1; while ( x != n ) { x = x + 1; f = f * x; } Assume that n ≥ 0. After computing x = 0; f = 1; we have f == x! because it is true that 1 == 0! CSI 3120, Axiomatic Semantics, page 19
The factorial again. . . (2) We showed earlier that { f == x! } x = x + 1; f = f * x; { f == x! } The reasoning will not change if we add the condition n ≥ 0, because the transitions do not depend on n. So, we can write { n ≥ 0 & f == x! } x = x + 1; f = f * x; { n ≥ 0 & f == x! } CSI 3120, Axiomatic Semantics, page 20
The factorial again. . . (3) Now, is is is f == x! x != n x == n Using the inference rule for "while" loops: { n ≥ 0 & f == x! } while ( x != n ) { x = x + 1; f = f * x; } { n ≥ 0 & f == x! & x == n } CSI 3120, Axiomatic Semantics, page 21
The factorial again. . . (4) Notice that f == x! & x == n f == n! This means two things: { n ≥ 0 } x = 0; f = 1; { n ≥ 0 & f == x! } AND { n ≥ 0 & f == x! } while ( x != n ) { x = x + 1; f = f * x; } { n ≥ 0 & f == n! } CSI 3120, Axiomatic Semantics, page 22
The factorial again. . . (5) In other words, the program establishes f == n! without any preconditions on the initial values of f and n, assuming that we only deal with n ≥ 0. The axiom for statement composition gives us: { n ≥ 0 } x = 0; f = 1; while ( x != n ) { x = x + 1; f = f * x; } { f == n! } So: this program does compute the factorial of n. CSI 3120, Axiomatic Semantics, page 23
The factorial again. . . (6) Our reasoning agrees with the intuition of loop invariants: we adjust some variables and make the invariant temporarily false, but we re-establish it by adjusting some other variables. { f == x! } x = x + 1; { f == (x – 1)! } the invariant is "almost true" { f == (x – 1)! } f = f * x; { f == x! } the invariant is back to normal This reasoning is not valid for infinite loops: the terminating condition & is never reached, and we know nothing of the situation following the loop. CSI 3120, Axiomatic Semantics, page 24
Narrowing and widening ASSUME THAT ´ and { } S { } ASSUME THAT { } S { } and ´ CONCLUDE THAT { ´ } S { } { } S { ´ } These rules can be used to narrow a precondition, or to widen a postcondition. CSI 3120, Axiomatic Semantics, page 25
Narrowing and widening, a small example n! is computed, for any nonnegative n, with true as the precondition (it is always computed successfully); So, n! will in particular must be computed successfully if initially n == 5. CSI 3120, Axiomatic Semantics, page 26
A larger example (in a more concise notation) { N >= 1 } { N >= 1 & 1 == 1 & a 1 == a 1 } i = 1; s = a 1; { N >= 1 & i == 1 & s == a 1 } { N >= 1 & s == a 1 + … + ai } while ( i != N ) { INVARIANT { N >= 1 & s == a 1 + … + ai & i != N } i = i + 1; { N >= 1 & s == a 1 + … + ai– 1 & i – 1 != N } s = s + ai; } { N >= 1 & s == a 1 + … + ai & i == N } { N >= 1 & s == a 1 + … + a. N } CSI 3120, Axiomatic Semantics, page 27
A larger example (2) • We have shown that this program computes the sum of a 1, . . . , a. N. • The precondition N >= 1 is only necessary to prove termination. CSI 3120, Axiomatic Semantics, page 28
Termination • Proofs like these show only partial correctness. – Everything is fine if the loop stops. – Otherwise we don't know (but the program may be correct for most kinds of data). • A reliable proof must show that all loops in the program are finite. • We can prove termination by showing how each step brings us closer to the final condition. CSI 3120, Axiomatic Semantics, page 29
Once again, the factorial… • Initially, x == 0. • Every step increases x by 1, so we go through the numbers 0, 1, 2, . . . • n >= 0 must be found among these numbers. • Notice that this reasoning will not work for n < 0: the program loops. CSI 3120, Axiomatic Semantics, page 30
A decreasing function • A loop terminates when the value of some function of program variables goes down to 0 during the execution of the loop. • For the factorial program, such a function could be n – x. Its value starts at n and decreases by 1 at every step. • For summation, we can take N – i. CSI 3120, Axiomatic Semantics, page 31
Multiplication by successive additions { B >= 0 & B == B & 0 == 0} FOR TERMINATION b = B; p = 0; { b == B & p == 0 } { p == A * (B – b) } INVARIANT while ( b != 0 ) { p = p + A; { p == A * (B – (b – 1)) } b = b - 1; { p == A * (B – b) } } { p == A * (B – b) & b == 0} { p == A * B } The loop terminates, because the value of the variable b goes down to 0. CSI 3120, Axiomatic Semantics, page 32
Two diversions Prove that the sequence p = a; a = b; b = p; exchanges the values of a and b : { a == A & b == B } p = a; a = b; b = p; { b == A & a == B } The highlights of a proof: { a == A & b == B } { p == A & a == B } { b == A & a == B } p = a; a = b; b = p; CSI 3120, Axiomatic Semantics, page 33
Two diversions (2) Discover and PROVE the behaviour of the following sequence of statements for integer variables x, y: x = x + y; y = x - y; x = x - y; CSI 3120, Axiomatic Semantics, page 34
Two diversions (3) {x == X & y == Y } {x + y == X + Y & y == Y } x = x + y; {x == X + Y & y == Y } {x == X + Y & x - y == X } y = x - y; {x == X + Y & y == X } { x - y == Y & y == X } x = x - y; { x == Y & y == X } CSI 3120, Axiomatic Semantics, page 35
The greatest common divisor { X > 0 & Y > 0 } a = X; b = Y; { } what should the invariant be? while ( a != b ) { & a != b } { if ( a > b ) { & a != b & a > b } a = a - b; else { & a != b & (a > b) } b = b - a; } { & (a != b) } { GCD( X, Y ) == a } CSI 3120, Axiomatic Semantics, page 36
GCD (2) We will need only a few properties of greatest common divisors: GCD( n + m, m ) == GCD( n, m ) GCD( n, m + n ) == GCD( n, m ) The first step (very formally): { X > 0 & Y > 0 } { X > 0 & Y > 0 & X == X & Y == Y } a = X; b = Y; { a > 0 & b > 0 & a == X & b == Y } CSI 3120, Axiomatic Semantics, page 37
GCD (3) When the loop stops, we get a == b & GCD( a, b ) == a We may want this condition in the invariant: a == b & GCD( X, Y ) == GCD( a, b ) At the beginning of the loop, we have: { a > 0 & b > 0 & a == X & b == Y } {a > 0 & b > 0 & GCD( X, Y ) == GCD( a, b ) } So, the invariant could be this: a > 0 & b > 0 & GCD( X, Y ) == GCD( a, b ) CSI 3120, Axiomatic Semantics, page 38
GCD (4) We should be able to prove that {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b) & a != b} while. . . {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b)} The final condition will be a > 0 & b > 0 & GCD(X, Y) == GCD(a, b) & a == b and this will imply GCD( X, Y ) == a CSI 3120, Axiomatic Semantics, page 39
GCD (5) The loop consists of one conditional statement. Our proof will be complete if we show this: {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b) & a != b} if ( a > b ) a = a - b; else b = b - a; {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b)} CSI 3120, Axiomatic Semantics, page 40
GCD (6) Consider first the case of a > b. {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b) & a != b & a > b } {a – b > 0 & GCD(X, Y) == GCD(a – b, b)} a = a - b; {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b)} CSI 3120, Axiomatic Semantics, page 41
GCD (7) Now, the case of a > b. {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b) & a != b & (a > b) } {a > 0 & b – a > 0 & GCD(X, Y) == GCD(a, b – a)} b = b - a; {a > 0 & b > 0 & GCD(X, Y) == GCD(a, b)} CSI 3120, Axiomatic Semantics, page 42
GCD (8) Both branches of if-else give the same final condition. We will complete the correctness proof when we show that the loop terminates. We show the value of max( a, b ) decreases at each turn of the loop. Let a == A, b == B at the beginning of a step. Assume first that a > b: max( a, b ) == A, so a – b < A, therefore max( a – b, b ) < A. CSI 3120, Axiomatic Semantics, page 43
GCD (9) Now assume that a < b: max( a, b ) == B, b – a < B, therefore max( a, b – a ) < B. Since a > 0 and b > 0, max( a, b ) > 0. This means that decreasing the values of a, b cannot go forever. QED CSI 3120, Axiomatic Semantics, page 44
The "if" statement ASSUME THAT { & } S { } and & CONCLUDE THAT { } if ( ) S { } CSI 3120, Axiomatic Semantics, page 45
An example with "if" We will show the following: { N > 0 } k = 1; m = a 1; while ( k != N ) { k = k + 1; if ( ak < m ) m = ak; } { m == min( 1 <= i & i <= N: ai ) } CSI 3120, Axiomatic Semantics, page 46
Minimum Loop termination is obvious: the value of N – k goes down to zero. Here is a good invariant: at the kth turn of the loop, when we have already looked at a 1, . . . , ak, we know that m == min( 1 <= i & i <= k : ai ). Initially, we have this: { N > 0 } k = 1; m = a 1; { k == 1 & m == a 1 } { k == 1 & m == min( 1 <= i & i <= k : ai ) } CSI 3120, Axiomatic Semantics, page 47
Minimum We must prove the following: { m == min( 1 <= i & i <= k : ai ) & k != N } k = k + 1; if ( ak < m ) m = ak; { m == min( 1 <= i & i <= k : ai ) } CSI 3120, Axiomatic Semantics, page 48
Minimum (2) { m == min( 1 <= i & i <= k : ai ) & k != N } { m == min( 1 <= i & i <= (k + 1) – 1: ai ) & (k + 1) – 1 != N } k = k + 1; { m == min( 1 <= i & i <= k – 1: ai ) & k – 1 != N } Note that k – 1 != N ensures the existence of ak. CSI 3120, Axiomatic Semantics, page 49
Minimum (3) This remains to be shown: { m == min( 1 <= i & i <= k – 1: ai ) & k – 1 != N } if ( ak < m ) m = ak; { m == min( 1 <= i & i <= k: ai ) } The fact we will use is this: min( 1 <= i & i <= k: ai ) == min 2( min( 1 <= i & i <= k – 1: ai ), ak ) CSI 3120, Axiomatic Semantics, page 50
Minimum (4) We will consider two cases of the conditional statement. First, (ak < m). {m == min(1 <= i & i <= k – 1: ai ) & k – 1 != N & (ak < m)} {m == min 2(min( 1 <= i & i <= k – 1: ai ), ak )} {m == min(1 <= i & i <= k: ai )} CSI 3120, Axiomatic Semantics, page 51
Minimum (5) Now, ak < m. {m == min(1 <= i & i <= k – 1: ai ) & k – 1 != N & ak < m} {ak == min 2( min( 1 <= i & i <= k – 1: ai ), ak )} {ak == min(1 <= i & i <= k: ai )} m = ak; {m == min(1 <= i & i <= k: ai )} So, the body of the loop preserves the condition m == min( 1 <= i & i <= k: ai ) CSI 3120, Axiomatic Semantics, page 52
Minimum (6) Now, the whole loop works as follows: { m == min( 1 <= i & i <= k: ai ) } while ( k != N ) } k = k + 1; if ( ak < m ) ak = m; } { m == min( 1 <= i & i <= k: ai ) & k == N } { m == min( 1 <= i & i <= N: ai ) } All in all, we have shown that our program finds the minimum of N numbers, if only N > 0. QED CSI 3120, Axiomatic Semantics, page 53
Examples Yet another "while" loop { B > 0 } FOR TERMINATION b = 1; p = A; while ( b != B ) { b = b + 1; p = p * A; } { ? ? ? } CSI 3120, Axiomatic Semantics, page 54
Examples Yet another "while" loop (2) { B > 0 & 1 == 1 & A == A} FOR TERMINATION b = 1; p = A; { b == 1 & p == A } { p == A ** b } INVARIANT while ( b != B ) { b = b + 1; { p == A ** (b - 1) } p = p * A; { p == A ** b } } { p == A ** b & b == B} { p == A ** B } The loop terminates: the value B - b goes down to 0. CSI 3120, Axiomatic Semantics, page 55
Examples Another example with "if" { N > 0 } FOR TERMINATION k = 1; while ( k != N ) { if ( Ak > Ak+1 ) { p = Ak; Ak = Ak+1; Ak+1 = p; } k = k + 1; } { ? ? ? } CSI 3120, Axiomatic Semantics, page 56
Examples Another example with "if" (2) { N > 0 } FOR TERMINATION k = 1; { Ak == max( 1 <= i & i <= k: Ai ) } INVARIANT while ( k != N ) { { Ak == max( 1 <= i & i <= k: Ai ) & k != N } if ( Ak > Ak+1 ) { p = Ak; Ak = Ak+1; Ak+1 = p; } { Ak+1 == max( 1 <= i & i <= k+1: Ai ) } k = k + 1; { Ak == max( 1 <= i & i <= k: Ai ) } } {Ak == max( 1 <= i & i <= k: Ai ) & k == N } {AN == max( 1 <= i & i <= N: Ai ) } CSI 3120, Axiomatic Semantics, page 57
Examples Another example with "if" (3) {Ak == max( 1 <= i & i <= k: Ai ) & k != N } case 1: Ak > Ak+1 { Ak == max( 1 <= i & i <= k: Ai ) & k != N & Ak > Ak+1} p = Ak; { p > Ak+1 } Ak = Ak+1; { p > Ak } Ak+1 = p; { Ak+1 > Ak } { Ak+1 == max( 1 <= i & i <= k+1: Ai ) } case 2: Ak <= Ak+1 { Ak == max( 1 <= i & i <= k: Ai ) & k != N & Ak <= Ak+1 } { Ak+1 == max( 1 <= i & i <= k+1: Ai ) } CSI 3120, Axiomatic Semantics, page 58
Compare procedural semantics and declarative semantics.
Amateurs discuss tactics professionals discuss logistics
Axiomatic design example
Systematic oo
What is an axiomatic system in geometry
Axiomatic design
The axiomatic method
Difference between classical and axiomatic probability
Axiomatic system of geometry
Additive axiom
Axiomatic antonym
Axiomatic probability definition
Assignment 12 slope from two points and tables
Points lines and planes assignment
Bull's eye brand positioning
Points of parity and points of difference
Assignment statement
How to enter input in raptor
Assignment statement 뜻
Contoh assignment statement
Simple assignment operator
Java assignment statement
Syntax in assignment statement l-value.
Hát kết hợp bộ gõ cơ thể
Frameset trong html5
Bổ thể
Tỉ lệ cơ thể trẻ em
Voi kéo gỗ như thế nào
Tư thế worms-breton
Chúa sống lại
Môn thể thao bắt đầu bằng chữ đua
Thế nào là hệ số cao nhất
Các châu lục và đại dương trên thế giới
Công thức tính thế năng
Trời xanh đây là của chúng ta thể thơ
Cách giải mật thư tọa độ
Làm thế nào để 102-1=99
Phản ứng thế ankan
Các châu lục và đại dương trên thế giới
Thơ thất ngôn tứ tuyệt đường luật
Quá trình desamine hóa có thể tạo ra
Một số thể thơ truyền thống
Bàn tay mà dây bẩn
Vẽ hình chiếu vuông góc của vật thể sau
Thế nào là sự mỏi cơ
đặc điểm cơ thể của người tối cổ
Ví dụ về giọng cùng tên
Vẽ hình chiếu đứng bằng cạnh của vật thể
Vẽ hình chiếu vuông góc của vật thể sau
Thẻ vin
đại từ thay thế
điện thế nghỉ
Tư thế ngồi viết
Diễn thế sinh thái là
Các loại đột biến cấu trúc nhiễm sắc thể
So nguyen to
Tư thế ngồi viết
Lời thề hippocrates
Thiếu nhi thế giới liên hoan
