Axiomatic Semantics

Course General Topic: Logic and Computation
  Programming logic: algorithms verification, logic and AI, logic programming, knowledge representation, constraints.
  Logic of programming: declarative programming, logic of computation, computational logic, program verification, direct use of logic, proving properties, logic as a programming tool.

The program correctness problem
Conventional use of computers: it is not easy to determine correctness.
Example (imperative approach): a program "computing the squares of the natural numbers". Is it correct? Correct with respect to what?
Needed: a formalism (logic) to provide specifications and to reason about the correctness of programs (their semantics).

Use of logic
(Diagram: a program and its specification are fed to Logic, which answers YES / NO.)
Logic allows us to provide the specifications for programs and to reason about the correctness of programs w.r.t. those specifications.

A better solution: generating the squares of the naturals
Defining numbers: for simplicity we will use the "Peano" representation of the natural numbers: 0, 1 as s(0), 2 as s(s(0)), 3 as s(s(s(0))), ...
Defined in turn on this representation: addition of the naturals, multiplication of the naturals, squares of the naturals.
This can be seen as a specification of the imperative program. The specification will be revisited.

Styles of Semantics
A semantics associates a meaning (a mathematical object) to a program or program sentence. Styles:
  Operational: the meaning of program sentences is defined in terms of the steps (transformations from state to state) that computations may take during execution (derivations). Proofs by induction on derivations.
  Axiomatic: the meaning of program sentences is defined indirectly in terms of some axioms and rules of some logic of program properties.
  Denotational (fixpoint): the meaning of program sentences is given abstractly as elements of some suitable mathematical structure (domain).
  Other possibilities, e.g., for logic programs, also the "logical semantics."

Traditional Operational Semantics
Examples of concrete operational semantics: lambda calculus (for functional programs); resolution (for logic programs); CLP( ) resolution (for constraint logic programs); interpreters and meta-interpreters (self-interpreters); ...
Examples of generic / formal methods: structural operational semantics (example: the CLP( ) operational semantics presented); Vienna definition language (VDL); SECD machine; ...

Axiomatic Semantics
Characteristics:
  Based on techniques from predicate logic.
  More abstract than, e.g., denotational semantics: there is no concept of state of the machine.
  The semantic meaning of a program is based on assertions about relationships that remain the same each time the program executes.
  Classical application: proving programs to be correct.
(Typical) limitations:
  Side effects disallowed in expressions.
  The goto command is difficult to specify.
  Aliasing not allowed.
  Scope rules difficult to describe: require all identifier names to be unique.

History and References
Main original papers:
  1967: Floyd. Assigning Meanings to Programs.
  1969: Hoare. An Axiomatic Basis of Computer Programming.
  1976: Dijkstra. A Discipline of Programming.
  1981: Gries. The Science of Programming.
Many textbooks available. Some slides and the examples have been taken from: Ken Slonneger and Barry L. Kurtz. Formal Syntax and Semantics of Programming Languages: A Laboratory-Based Approach. Addison-Wesley, Reading, Massachusetts, 1995. ISBN 0-201-65697-3. Library of Congress Call Number QA76.7.S59 1995.

Assertions and Correctness
Assertion: a logical formula that is true when a point in the program is reached.
Precondition: assertion before a command. Postcondition: assertion after a command. Written {PRE} C {POST}.
Partial Correctness: if the initial assertion (the precondition) is true and if the program terminates, then the final assertion (the postcondition) must be true. Precondition + Termination ⟹ Postcondition.
Total Correctness: given that the precondition for the program is true, the program must terminate and the postcondition must be true.
Total Correctness = Partial Correctness + Termination.

Hoare Calculus: The Assignment Axiom
Examples:
  {true} m := 13 {m = 13}
  {n = 3 ∧ c = 2} n := c*n {n = 6 ∧ c = 2}
  {k ≥ 0} k := k + 1 {k > 0}
Notation: {Precondition} command {Postcondition}. P[V→E] denotes the substitution of E for V in P.
Axiom for the assignment command: {P[V→E]} V := E {P}
Work backwards:
  Postcondition P: (n = 6 ∧ c = 2)
  Command: n := c*n
  Precondition P[V→E]: (c*n = 6 ∧ c = 2), which is equivalent to (n = 3 ∧ c = 2)

Hoare Calculus: Read and Write Commands
Notation: use "IN = [1,2,3]" and "OUT = [4,5]" to represent the input and output files. [M]L denotes the list whose head is M and tail is L. K, M, N, ... represent arbitrary numerals.
Axiom for the read command: {IN = [K]L ∧ P[V→K]} read V {IN = L ∧ P}
Axiom for the write command: {OUT = L ∧ E = K ∧ P} write E {OUT = L[K] ∧ E = K ∧ P}
Note: L[K] means affix(L,K).

Hoare Calculus: Axioms for Commands
The rules of inference are written in the same format as structural operational semantics rules (c.f. the operational semantics presented).
Rules of inference for: sequencing; if B then C end if; if B then C1 else C2 end if.

Hoare Calculus: Rules of Inference (Contd.)
Strengthen Precondition. Weaken Postcondition. And. Or.
Observation: {false} any-command {any-postcondition}.

Example (I)
{IN = [4,9,16] ∧ OUT = [0,1,2]}
  read m; read n; if m ≥ n then a := 2*m else a := 2*n end if; write a
{IN = [16] ∧ OUT = [0,1,2,18]}

{IN = [4,9,16] ∧ OUT = [0,1,2]} ≡ {IN = [4][9,16] ∧ OUT = [0,1,2] ∧ 4=4}
  read m;
{IN = [9,16] ∧ OUT = [0,1,2] ∧ m=4} ≡ {IN = [9][16] ∧ OUT = [0,1,2] ∧ m=4 ∧ 9=9}
  read n;
{IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9}

Example (II)
Let S ≡ IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 and B ≡ m ≥ n.
Then (S ∧ B) ⟹ false, and S ⟹ ¬B.
So {S ∧ B} a := 2*m {IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 ∧ a=18}, which is equivalent to {false} a := 2*m {IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 ∧ a=18},
and {S ∧ ¬B} ≡ {IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 ∧ 2*n=18} a := 2*n {IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 ∧ a=18}.

Example (III)
Therefore, by one of the if axioms,
{S} if m ≥ n then a := 2*m else a := 2*n end if {IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 ∧ a=18}
and
{IN = [16] ∧ OUT = [0,1,2] ∧ m=4 ∧ n=9 ∧ a=18} write a {IN = [16] ∧ OUT = [0,1,2][18] ∧ m=4 ∧ n=9 ∧ a=18},
which implies {IN = [16] ∧ OUT = [0,1,2,18]}.

While Command
  {P ∧ B} C {P}
  ---------------------------------------
  {P} while B do C end while {P ∧ ¬B}
Loop Invariant P: preserved during execution of the loop.
Loop steps:
  Initialization: show that the loop invariant P is initially true.
  Preservation: show that the loop invariant remains true when the loop executes ({P ∧ B} C {P}).
  Completion: show that the loop invariant and the exit condition produce the final assertion (P ∧ ¬B ⟹ final assertion).
Main problem: constructing the loop invariant.

Loop Invariant
A relationship among the variables that does not change as the loop is executed. "Inspiration" tips:
  Look for some expression that can be combined with B to produce part of the postcondition.
  Construct a table of values to see what stays constant.
  Combine what has already been computed at some stage in the loop with what has yet to be computed to yield a constant of some sort.
  Look carefully at examples!

Example (Exponent)
{N ≥ 0 ∧ A ≥ 0}
  k := N; s := 1;
  while k > 0 do s := A*s; k := k-1 end while
{s = A^N}
We follow the "tips": trace the algorithm with small numbers, A=2, N=5, and build a table of values to find the loop invariant.
Notice that k is decreasing and that 2^k represents the computation that still needs to be done, so add a column to the table for the value of 2^k.
The value s*2^k = 32 remains constant throughout the execution of the loop.

Example (Exponent)
  k   s    2^k   s*2^k
  5   1    32    32
  4   2    16    32
  3   4    8     32
  2   8    4     32
  1   16   2     32
  0   32   1     32
Observe that s and 2^k change when k changes. Their product is constant, namely 32 = 2^5 = A^N.
This suggests that s*A^k = A^N is part of the invariant.
The relation k ≥ 0 seems to be invariant, and when combined with ¬B, which is ¬(k > 0), establishes k=0 at the end of the loop.
When k=0 is joined with s*A^k = A^N, we get the postcondition s = A^N.
Loop Invariant: k ≥ 0 ∧ s*A^k = A^N.

Verification of the Program
Initialization:
  {N ≥ 0 ∧ A ≥ 0} ⟹ {N ≥ 0 ∧ 1*A^N = A^N}
  {N ≥ 0 ∧ 1*A^N = A^N} k := N {k ≥ 0 ∧ 1*A^k = A^N}
  {k ≥ 0 ∧ 1*A^k = A^N} s := 1 {k ≥ 0 ∧ s*A^k = A^N}
Preservation:
  {k ≥ 0 ∧ s*A^k = A^N ∧ k > 0} ⟹ {k-1 ≥ 0 ∧ A*s*A^(k-1) = A^N}
  {k-1 ≥ 0 ∧ A*s*A^(k-1) = A^N} s := A*s {k-1 ≥ 0 ∧ s*A^(k-1) = A^N}
  {k-1 ≥ 0 ∧ s*A^(k-1) = A^N} k := k-1 {k ≥ 0 ∧ s*A^k = A^N}
Completion:
  k ≥ 0 ∧ s*A^k = A^N ∧ ¬(k > 0) ⟹ k=0 ∧ s*A^0 = A^N ⟹ s = A^N

Further Topics
Dealing with other language features: nested loops, procedure calls, recursive procedures, ...
Proving termination / total correctness: well-founded orderings.
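The three proof obligations for the exponent program above (initialization, preservation, completion) can be checked mechanically over a bounded state space, which is a useful sanity check before attempting the symbolic proof. This is an added example, not code from the slides or from Slonneger and Kurtz; the deliberately wrong guard k ≥ 0 is a constructed variant used only to show what a failed obligation looks like.

```python
from itertools import product

# Program from the slides:
#   {N >= 0 and A >= 0} k := N; s := 1; while k > 0 do s := A*s; k := k-1 end while {s = A^N}
# Candidate invariant P: k >= 0 and s*A^k = A^N.  Each Hoare-style obligation is
# checked by exhaustive evaluation over small states, not by a symbolic proof.

def invariant(A, N, k, s):
    """P: k >= 0 and s * A^k = A^N."""
    return k >= 0 and s * A ** k == A ** N

def guard_ok(k):
    """B: k > 0, the loop guard the slides use."""
    return k > 0

def guard_wrong(k):
    """Constructed wrong guard (k >= 0): one iteration too many."""
    return k >= 0

def postcondition(A, N, s):
    """Q: s = A^N."""
    return s == A ** N

def check_program(guard, bound=4):
    """Return (obligation, A, N, k, s) counterexamples; [] means every check passed."""
    failures = []
    for A, N in product(range(bound + 1), repeat=2):
        # Initialization: {N >= 0 and A >= 0} k := N; s := 1 {P}
        if not invariant(A, N, N, 1):
            failures.append(("initialization", A, N, N, 1))
        # Candidate states: the s values P can hold for, plus a few noise values.
        s_values = {A ** j for j in range(N + 1)} | set(range(3))
        for k, s in product(range(-1, N + 2), s_values):
            if not invariant(A, N, k, s):
                continue  # obligations are vacuous when P is false
            if guard(k):
                # Preservation: {P and B} s := A*s; k := k-1 {P}
                if not invariant(A, N, k - 1, A * s):
                    failures.append(("preservation", A, N, k, s))
            else:
                # Completion: P and not B => Q
                if not postcondition(A, N, s):
                    failures.append(("completion", A, N, k, s))
    return failures

if __name__ == "__main__":
    print("slides' guard k > 0:", check_program(guard_ok))
    print("wrong guard k >= 0:", check_program(guard_wrong)[:3])
```

With the wrong guard the failures are all preservation failures at k = 0: the extra iteration drives k to -1, where k ≥ 0 no longer holds.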
