noam rinetzky lecture 8: axiomatic semantics – rely/guarantee (take ii * )
DESCRIPTION
Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * ). Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav. We begin …. Mobiles Scribe. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/1.jpg)
Program Analysis and Verification
0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html
Noam Rinetzky
Lecture 8: Axiomatic Semantics – Rely/Guarantee(Take II*)
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
![Page 2: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/2.jpg)
We begin …• Mobiles
• Scribe
![Page 3: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/3.jpg)
Programming Language
• Syntax: … S1‖ …‖Sn | c | await b then c ⟨ ⟩ ⟨ ⟩– In our case: c = ⟨ ⟩ case | x:=a
• Operational Semantics: – States
– Commands
– Traces
⟨S1, s S’⟩⇒⟨ 1, s’⟩
⟨S1‖S2, s S’⟩⇒⟨ 1‖S2, s⟩[Par1]
s ∑ ∈
⟩S0, s0⟩⇒⟨S1, s1 … ⇒ ⇒ ⟨ sk ⟩c0⟨ ⟩c1⟨ ⟩ck⟨
![Page 4: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/4.jpg)
Programming Language
• Syntax: … S1‖ …‖Sn | c | await b then c ⟨ ⟩ ⟨ ⟩– In our case: c = ⟨ ⟩ case | x:=a
• Operational Semantics: – States
– Commands
– Traces
⟨S1, s S’⟩⇒⟨ 1, s’⟩
⟨S1‖S2, s S’⟩⇒⟨ 1‖S2, s⟩[Par1]
s ∑ ∈
⟩S0, s0⟩⇒⟨S1, s1 … ⇒ ⇒ ⟨ …⟩c0⟨ ⟩c1⟨ ⟩ck⟨
![Page 5: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/5.jpg)
Axiomatic Semantics (Hoare Logic)
• Disjoint parallelism
• Global invariant
• Owicky – Gries [PhD. ‘76]
{ P } S1 ‖ S2 { Q }
… …
![Page 6: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/6.jpg)
Rely / Guarantee
• Aka Assume/Guarantee
• Cliff Jones [IFIP ‘83]
• Main idea: Modular capture of interference– Compositional proofs
![Page 7: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/7.jpg)
Meaning of (atomic) Commands
• A relation between pre-states and post-states
• ⟦⟨c ∑ × ∑⟩⟧ ⊆
⟩S0, s0⟨⇒⟩S1, s1⟨ … ⇒ ⇒ s +1k ⟩c0⟨ ⟩c1⟨ ⟩ck⟨
![Page 8: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/8.jpg)
Meaning of (atomic) Commands
• A relation between pre-states and post-states
• ⟦⟨c ∑ × ∑⟩⟧ ⊆
⟩S0, s0⟨⇒⟩S1, s1⟨ … ⇒ ⇒ s +1k ⟩c0⟨ ⟩c1⟨ ⟩ck⟨
![Page 9: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/9.jpg)
Meaning of (atomic) Commands
• A relation between pre-states and post-states
⟩S0, s0⟨⇒ s1 ⇒ … ⇒ s +1k ⇒ s+2k ⇒ s +3k ⇒ s +3k ⇒ s+4k … ⇒ s +1n
⇒⇒ ⇒
⇒ ⇒⇒ …
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩cn⟨⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩cn⟨⟩ck+3⟨
![Page 10: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/10.jpg)
Intuition: Global Invariant
• Every (intermediate) state satisfies invariant I
⟩S0, s0⟨⇒ s1 ⇒ … ⇒ s +1k ⇒ s+2k ⇒ s +3k ⇒ s +3k ⇒ s+4k … ⇒ s +1n
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩cn⟨
⇒⇒ ⇒
⇒
⇒
⇒ …I=
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩cn⟨⟩ck+3⟨
![Page 11: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/11.jpg)
Intuition: Global Invariant
• Thread-view
⟩S0, s0⟨⇒ s1 ⇒ … ⇒ s +1k ⇒ s+2k ⇒ s +3k ⇒ s +3k ⇒ s+4k … ⇒ s +1n
⇒⇒ ⇒
⇒ ⇒…I=
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩ck+3⟨ ⟩cn⟨
⇒
![Page 12: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/12.jpg)
Intuition: Rely Guarantee
• Thread-view
⟩S0, s0⟨⇒ s1 ⇒ … ⇒ s +1k ⇒ s+2k ⇒ s +3k ⇒ s +3k ⇒ s+4k … ⇒ s +1n
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩ck+3⟨ ⟩cn⟨
⇒
⇒⇒
⇒
…
⇒
…
![Page 13: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/13.jpg)
Intuition: Rely Guarantee
• Thread-view
⟩S0, s0⟨⇒ s1 ⇒ … ⇒ s +1k ⇒ s+2k ⇒ s +3k ⇒ s +3k ⇒ s+4k … ⇒ s +1n
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩ck+3⟨ ⟩cn⟨
⇒
⇒⇒
⇒
…
⇒
…
G G G GRRRR RRRRR
![Page 14: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/14.jpg)
Intuition: Rely Guarantee
• Thread-view
⟩S0, s0⟨⇒ s1 ⇒ … ⇒ s +1k ⇒ s+2k ⇒ s +3k ⇒ s +3k ⇒ s+4k … ⇒ s +1n
⟩c0⟨ ⟩c1⟨ ⟩ck⟨ ⟩ck+1⟨ ⟩ck+2⟨ ⟩ck+3⟨ ⟩ck+3⟨ ⟩cn⟨
⇒
⇒⇒
⇒
…
⇒
…
G G G GR* R*R*
![Page 15: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/15.jpg)
Relational Post-Conditions
• meaning of commands a relations between pre-states and post-states
• Option I: {P} C {Q}– P is a one state predicate– Q is a two-state predicate
• Example– {true} x := x + 1 {x= x + 1}
![Page 16: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/16.jpg)
Relational Post-Conditions
• meaning of commands a relations between pre-states and post-states
• Option II: {P} C {Q}– P is a one state predicate– P is a one-state predicate• Use logical variables to record pre-state
• Example– {x = X} x := x + 1 {x= X + 1}
![Page 17: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/17.jpg)
Intuition (again)C
G
Hoare: { P } S { Q } ~ {P} {Q} ⇒⇒⇒⇒
C
R/G: R,G { ⊢ P } S { Q } ~ {P} ⇒⇒⇒⇒ {Q} ⇒⇒⇒GR R R G G
![Page 18: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/18.jpg)
Goal: Parallel Composition
RG2, G1 { ⊢ P } S1‖S2 { Q }
R, G1G2 { ⊢ P } S1‖S2 { Q }
(PAR)RG1, G2 { ⊢ P } S1‖S2 { Q }
![Page 19: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/19.jpg)
Relational Post-Conditions
• meaning of commands a relations between pre-states and post-states
• Option I: {P} C {Q}– P is a one state predicate– Q is a two-state predicate
• Example– {true} x := x + 1 {x= x + 1}
![Page 20: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/20.jpg)
From one- to two-state relations
• p(, ) =p()• p(, ) =p()• A single state predicate p is preserved by a
two-state relation R if– p R p– , : p() R(, ) p()
– P is stable under R
![Page 21: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/21.jpg)
Operations on Relations
• (P;Q)(, )=:P(, ) Q(, )• ID(, )= (=)• R*= ID R (R;R) (R;R;R) … – Reflexive transitive closure of R
![Page 22: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/22.jpg)
Formulas
• ID(x) = (x = x)• ID(p) =(p p)• Preserve (p)= p p
![Page 23: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/23.jpg)
Judgements• c (p, R, G, Q)
![Page 24: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/24.jpg)
Informal Semantics• c (p, R, G, Q)– For every state such that p:
• Every execution of c on state with (potential) interventions which satisfy R results in a state such that (, ) Q
• The execution of every atomic sub-command of c on any possible intermediate state satisfies G
![Page 25: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/25.jpg)
A Formal Semantics• Let CR denotes the set of quadruples <1, 2, 3, 4 > s.t. that when c executes on 1 with potential
interferences by R it yields an intermediate state 2 followed by an intermediate state 3 and a final state 4
– 4= when c does not terminate
• CR = {<1, 2, 3, 4> :
: <1, > R
( <C, > * 2 2 = 3= 4 )
( ’, C’: <C, > * <C’, ’ >
( (2= 1 2 = ) (3 = 3=’)
(4= <’, 2, 3, 4 > C’R ) )
• c (p, R, G, Q) – For every <1, 2, 3 , 4 > CR such that 1 p
• < 2, 3> G• If 4 : <1, 4 > Q
![Page 26: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/26.jpg)
Simple Examples• X := X + 1 (true, X=X, X =X+1X=X, X =X+1)• X := X + 1 (X 0, X X, X>0 X=X, X>0)• X := X + 1 ; Y := Y + 1 (X 0Y 0, X X Y Y, G, X>0 Y>0)
![Page 27: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/27.jpg)
Inference Rules
• Define c (p, R, G, Q) by structural induction on c
• Soundness– If c (p, R, G, Q) then c (p, R, G, Q)
![Page 28: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/28.jpg)
Atomic Command
{p }c {Q}
⟩c ⟨ (p, preserve(p), QID, Q)
(Atomic)
![Page 29: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/29.jpg)
Conditional Critical Section
{pb }c {Q}
await b then c (p, preserve(p), QID, Q)
(Critical)
![Page 30: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/30.jpg)
Sequential Composition
c1 (p1, R, G, Q1)
c1 ; c2 (p1, R, G, (Q1; R*; Q2))
(SEQ)
c2 (p2, R, G, Q2)
Q1 p2
![Page 31: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/31.jpg)
Conditionals
c1 (b1, R, G, Q) p b R* b1
if atomic {b} then c1 else c2 (p, R, G, Q)
(IF)
c2 (b2, R, G, Q) p b R* b2
![Page 32: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/32.jpg)
Loops
c (j b1, R, G, j) j b R* b1
while atomic {b} do c (j, R, G, b j)
(WHILE)
R Preserve(j)
![Page 33: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/33.jpg)
Refinementc (p, R, G, Q)
c (p’, R’, G’, Q’)
(REFINE)
p’ p Q Q’
R’ R G G ’
![Page 34: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/34.jpg)
Parallel Composition
c1 (p1, R1, G1, Q1)
c1 || c2 (p1 p1, (R1 R2), (G1 G2), Q)
where Q= (Q1 ; (R1R2)*; Q2) (Q2 ; (R1R2)*; Q1)
(PAR)
c2 (p2, R2, G2, Q2)
G1 R2
G2 R1
![Page 35: Noam Rinetzky Lecture 8: Axiomatic Semantics – Rely/Guarantee (Take II * )](https://reader030.vdocuments.site/reader030/viewer/2022032805/568132d5550346895d999aa6/html5/thumbnails/35.jpg)
Issues in R/G
• Total correctness is trickier• Restrict the structure of the proofs– Sometimes global proofs are preferable
• Many design choices– Transitivity and Reflexivity of Rely/Guarantee– No standard set of rules
• Suitable for designs