program analysis and verification 0368-4479 noam rinetzky lecture 3: axiomatic semantics 1 slides...
TRANSCRIPT
![Page 1: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/1.jpg)
Program Analysis and Verification
0368-4479
Noam Rinetzky
Lecture 3: Axiomatic Semantics
1
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
![Page 2: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/2.jpg)
Axiomatic Semantics
C.A.R. HoareRobert W. Floyd
2
Edsger W. Dijkstra
![Page 3: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/3.jpg)
Axiomatic Semantics
C.A.R. HoareRobert W. Floyd
3
Edsger W. Dijkstra
BTW, what do all these people have in common?
![Page 4: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/4.jpg)
Axiomatic Semantics
C.A.R. HoareRobert W. Floyd
4
Edsger W. Dijkstra
1972 1978 1980For having a clear influence on methodologies for the creation of efficient and reliable software, and for helping to found the following important subfields of computer science: the theory of parsing, the semantics of programming languages, automatic program verification, automatic program synthesis, and analysis of algorithms.
For fundamental contributions to programming as a high, intellectual challenge; for eloquent insistence and practical demonstration that programs should be composed correctly, not just debugged into correctness; for illuminating perception of problems at the foundations of program design.
For his fundamental contributions to the definition and design of programming languages.
http://amturing.acm.org/
![Page 5: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/5.jpg)
5
Proving program correctness
• Why prove correctness?• What is correctness?• How?– Reasoning at the operational semantics level• Tedious• Error prone
– Formal reasoning using “axiomatic” semantics • Syntactic technique (“game of tokens”)• Mechanically checkable
– Sometimes automatically derivable
![Page 6: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/6.jpg)
6
A simple imperative language: While
Abstract syntax:a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2
S ::= x := a | skip | S1; S2
| if b then S1 else S2
| while b do S
![Page 7: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/7.jpg)
7
Program correctness concepts
• Property = a certain relationship between initial state and final state
• Partial correctness = properties that holdif program terminates
• Termination = program always terminates– i.e., for every input state
partial correctness + termination = total correctness
Other correctness concepts exist: resource usage, linearizability, …
Mostly focus in this course
Other notions of properties exist
![Page 8: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/8.jpg)
8
Factorial example
• Sfac , s s’ implies s’ y = (s x)!
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
![Page 9: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/9.jpg)
9
Factorial example
• Sfac , s s’ implies s’ y = (s x)!
• Factorial partial correctness property = – if the statement terminates then the final value of y will be the factorial of the initial value of x• What if s x < 0?
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
![Page 10: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/10.jpg)
10
Natural semantics for While
x := a, s s[x Aas][assns]
skip, s s[skipns]
S1, s s’, S2, s’ s’’S1; S2, s s’’
[compns]
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
while b do S, s s if B b s = ff[whileffns]
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
![Page 11: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/11.jpg)
11
Staged proof
![Page 12: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/12.jpg)
12
First stage
![Page 13: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/13.jpg)
Second stage
13
![Page 14: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/14.jpg)
while (x=1) do (y := y*x; x := x–1), s s’
14
![Page 15: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/15.jpg)
Third stage
15
![Page 16: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/16.jpg)
16
How easy was that?
• Proof is very laborious– Need to connect all transitions and argues about
relationships between their states– Reason: too closely connected to semantics of
programming language
• Is the proof correct?
• How did we know to find this proof?– Is there a methodology?
![Page 17: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/17.jpg)
17
Axiomatic verification approach
• What do we need in order to prove that the program does what it supposed to do?
• Specify the required behavior
• Compare the behavior with the one obtained by the operational semantics
• Develop a proof system for showing that the program satisfies a requirement
• Mechanically use the proof system to show correctness
• The meaning of a program is a set of verification rules
![Page 18: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/18.jpg)
18
Axiomatic Verification: Spec
• Sfac , s s’ implies s’ y = (s x)!
• {x = N} Sfac {y = N!} – {Pre-condition (s)} Command (Sfac) {post-state(s’)} – Not {true} Sfac {y = x!}
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
![Page 19: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/19.jpg)
19
Partial vs. Total Correctness
• Sfac , s s’ implies s’ y = (s x)!
• {x = N} Sfac {y = N!} – {Pre-condition (s)} Command (Sfac) {post-state(s’)}
– Not {true} Sfac {y = x!}
• [x = N] Sfac [y = N!]
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
Hoare Triples
![Page 20: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/20.jpg)
20
Verification: Assertion-Based [Floyd, ‘67]
• Assertion: invariant at specific program point – E.g., assert(e)
• use assertions as foundation for static correctness proofs
• specify assertions at every program point• correctness reduced to reasoning about
individual statements
![Page 21: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/21.jpg)
21
Annotated Flow ProgramsReduction: Program verification is reduced to claims about the subject of discourse
Straight line code: claims are determined
“by construction”
![Page 22: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/22.jpg)
22
Annotated Flow ProgramsReduction: Program verification is reduced to claims about the subject of discourse
Straight line code: claims are determined “by
construction”
Cut points
![Page 23: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/23.jpg)
23
Assertion-Based Verification [Floyd, ‘67]
• Assertion: invariant at specific program point – E.g., assert(e)
• Proof reduced to logical claims– Considering the effect of statements– But, not reusable
• Challenge: Finding invariants at cut points in loops
![Page 24: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/24.jpg)
24
Floyd-Hoare Logic 1969
• Use Floyd’s ideas to define axiomatic semantics– Structured programming• No gotos• Modular (reusable claims)
– Hoare triples• {P} C {Q}• [P] C [Q] (often <P> C <Q>)
– Define the programming language semantics as a proof system
![Page 25: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/25.jpg)
25
Assertions, a.k.a Hoare triples
• P and Q are state predicates– Example: x>0
• If P holds in the initial state, andif execution of C terminates on that state,then Q will hold in the state in which C halts
• C is not required to always terminate {true} while true do skip {false}
{ P } C { Q }precondition postcondition
statementa.k.a command
![Page 26: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/26.jpg)
26
Total correctness assertions
• If P holds in the initial state,execution of C must terminate on that state,and Q will hold in the state in which C halts
[ P ] C [ Q ]
![Page 27: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/27.jpg)
27
Factorial example
{ ? } y := 1; while (x=1) do (y := y*x; x := x–1)
{ ? }
![Page 28: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/28.jpg)
28
First attempt
{ x>0 } y := 1; while (x=1) do (y := y*x; x := x–1)
{ y=x! }
Holds only for value of x at state after execution finishes
We need a way to “remember” value of x before execution
![Page 29: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/29.jpg)
29
Fixed assertion
{ x=n } y := 1; while (x=1) do (y := y*x; x := x–1)
{ y=n! n>0 }
A logical variable, must not appear in statement - immutable
![Page 30: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/30.jpg)
30
The proof outline
{ x=n } y := 1;{ x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 x=1 }
![Page 31: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/31.jpg)
31
Factorial example
• Factorial partial correctness property = if the statement terminates then the final value of y will be the factorial of the initial value of x– What if s x < 0?
• Formally, using natural semantics:Sfac , s s’ implies s’ y = (s x)!
Sfac y := 1; while (x=1) do (y := y*x; x := x–1)
![Page 32: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/32.jpg)
32
Staged proof
![Page 33: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/33.jpg)
33
Stages
y := 1; while (x=1) do (y := y*x; x := x–1)s s’
s’ y = (s x)! s x > 0
while (x=1) do (y := y*x; x := x–1)
y := y*x; x := x–1s s’’
s y (s x)! = s’’ y (s’’ x)! s x > 0
s s’’
s y (s x)! = s’’ y (s’’ x)! s’’x = 1 s x > 0
![Page 34: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/34.jpg)
34
Inductive proof over iterations
while (x=1) do (y := y*x; x := x–1)
(y := y*x; x := x–1)
while (x=1) do (y := y*x; x := x–1)
s s’’s y (s x)! = s’’ y (s’’ x)! s’’x = 1 s x > 0
s s’s’ s’’
s’ y (s’ x)! = s’’ y (s’’ x)! s’’x = 1 s’ x > 0
s y (s x)! = s’ y (s’ x)! s x > 0
![Page 35: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/35.jpg)
35
Assertions, a.k.a Hoare triples
• P and Q are state predicates– Example: x>0
• If P holds in the initial state, andif execution of C terminates on that state,then Q will hold in the state in which C halts
• C is not required to always terminate {true} while true do skip {false}
{ P } C { Q }
![Page 36: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/36.jpg)
36
Total correctness assertions
• If P holds in the initial state,execution of C must terminate on that state,and Q will hold in the state in which C halts
[ P ] C [ Q ]
![Page 37: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/37.jpg)
37
Factorial assertion
{ x=n } y := 1; while (x=1) do (y := y*x; x := x–1)
{ y=n! n>0 }
A logical variable, must not appear in statement - immutable
![Page 38: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/38.jpg)
38
Factorial partial correctness proof
{ x=n } y := 1;{ x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 x=1 }
![Page 39: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/39.jpg)
39
P
Formalizing partial correctness
• s P– P holds in state s
• – program states – undefined
Sns C s =
s’ if C, s s’ else
s
![Page 40: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/40.jpg)
40
Formalizing partial correctness
• s P– P holds in state s
• – program states – undefined
• { P } C { Q }– s, s’ . (sP C, ss’) s’Q
alternatively– s . (sP SnsC s) SnsC Q– Convention: P for all P
s . sP SnsC s Q
P C(P)
Q
ss’C
Why did we choose natural semantics?
![Page 41: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/41.jpg)
41
Formalizing partial correctness
• s P– P holds in state s
• – program states – undefined
• { P } C { Q }– s, s’ . (sP C, s*s’) s’Q
alternatively– s . (sP SsosC s) SsosC Q– Convention: P for all P
s . sP SsosC s Q
P C(P)
Q
ss’C
![Page 42: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/42.jpg)
42
How do we express predicates?
• Extensional approach– Abstract mathematical functions
P : State T
• Intensional approach– Via language of formulae
![Page 43: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/43.jpg)
43
An assertion language
• Bexp is not expressive enough to express predicates needed for many proofs– Extend Bexp
• Allow quantifications– z. … – z. … • z. z = kn
• Import well known mathematical concepts– n! n (n-1) 2 1
![Page 44: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/44.jpg)
44
An assertion language
a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
A ::= true | false| a1 = a2 | a1 a2 | A | A1 A2 | A1 A2
| A1 A2 | z. A | z. A
Either a program variables or a logical variable
![Page 45: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/45.jpg)
45
First Order Logic Reminder
![Page 46: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/46.jpg)
46
Free/bound variables
• A variable is said to be bound in a formula when it occurs in the scope of a quantifier. Otherwise it is said to be free– i. k=im– (i+10077)i. j+1=i+3)
• FV(A) the free variables of A• Defined inductively on the abstract syntax tree
of A
![Page 47: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/47.jpg)
47
Free variables
FV(n) {}FV(x) {x}FV(a1+a2) FV(a1a2) FV(a1-a2) FV(a1) FV(a2)FV(true) FV(false) {}FV(a1=a2) FV(a1a2) FV(a1) FV(a2)FV(A) FV(A)FV(A1 A2) FV(A1 A2) FV(A1 A2)FV(z. A) FV(z. A) FV(A) \ {z}
![Page 48: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/48.jpg)
48
Substitution
• An expression t is pure (a term) if it does not contain quantifiers
• A[t/z] denotes the assertion A’ which is the same as A, except that all instances of the free variable z are replaced by t
• A i. k=imA[5/k] = A[5/i] =
What if t is not pure?
![Page 49: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/49.jpg)
49
Calculating substitutions
n[t/z] = nx[t/z] = xx[t/x] = t
(a1 + a2)[t/z] = a1[t/z] + a2[t/z](a1 a2)[t/z] = a1[t/z] a2[t/z](a1 - a2)[t/z] = a1[t/z] - a2[t/z]
![Page 50: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/50.jpg)
50
Calculating substitutionstrue[t/x] = truefalse[t/x] = false(a1 = a2)[t/z] = a1[t/z] = a2[t/z] (a1 a2)[t/z] = a1[t/z] a2[t/z] (A)[t/z] = (A[t/z])(A1 A2)[t/z]= A1[t/z] A2[t/z](A1 A2)[t/z] = A1[t/z] A2[t/z] (A1 A2)[t/z] = A1[t/z] A2[t/z]
(z. A)[t/z] = z. A(z. A)[t/y] = z. A[t/y]( z. A)[t/z] = z. A( z. A)[t/y] = z. A[t/y]
![Page 51: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/51.jpg)
51
Proof Rules
![Page 52: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/52.jpg)
52
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }
[whilep]
{ P’ } S { Q’ } { P } S { Q }
[consp] if PP’ and Q’Q
Notice similarity to natural semantics rules
![Page 53: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/53.jpg)
53
Assignment rule
• A “backwards” rule• x := a always finishes• Why is this true?– Recall operational semantics:
• Example: {y*z<9} x:=y*z {x<9}What about {y*z<9w=5} x:=y*z {w=5}?
x := a, s s[xAas][assns]
s[xAas] P
![Page 54: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/54.jpg)
54
skip rule
skip, s s[skipns]
![Page 55: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/55.jpg)
55
Composition rule
• Holds when S1 terminates in every state where P holds and then Q holdsand S2 terminates in every state where Q holds and then R holds
S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]
![Page 56: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/56.jpg)
56
Condition rule
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
![Page 57: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/57.jpg)
57
Loop rule
• Here P is called an invariant for the loop– Holds before and after each loop iteration– Finding loop invariants – most challenging part of proofs
• When loop finishes, b is false
while b do S, s s if B b s = ff[whileffns]
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
![Page 58: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/58.jpg)
58
Rule of consequence
• Allows strengthening the precondition and weakening the postcondition
• The only rule that is not sensitive to the form of the statement
![Page 59: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/59.jpg)
59
Rule of consequence
• Why do we need it?• Allows the following
{y*z<9} x:=y*z {x<9} {y*z<9w=5} x:=y*z {x<10}
![Page 60: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/60.jpg)
60
Axiomatic semantics for While { P[a/x] } x := a { P }[assp]
{ P } skip { P }[skipp]
{ P } S1 { Q }, { Q } S2 { R } { P } S1; S2 { R }[compp]
{ b P } S1 { Q }, { b P } S2 { Q } { P } if b then S1 else S2 { Q }[ifp]
{ b P } S { P } { P } while b do S {b P }
[whilep]
{ P’ } S { Q’ } { P } S { Q }
[consp] if PP’ and Q’Q
Inference rule for every composed statement
Axiom for every primitive statement
![Page 61: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/61.jpg)
61
Inference trees
• Similar to derivation trees of natural semantics• Leaves are …• Internal nodes correspond to …• Inference tree is called– Simple if tree is only an axiom– Composite otherwise
• Similar to derivation trees of natural semantics– Reasoning about immediate constituent
![Page 62: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/62.jpg)
62
Factorial proof
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
{ INV[x-1/x] } x:=x-1 {INV}
{ INV } W {x=1 INV }{ INV[1/y] } y:=1 { INV }
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{x1 INV } y:=y*x; x:=x–1 { INV }
[comp]
[cons]
[while]
[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }
[cons]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
[comp]
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
![Page 63: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/63.jpg)
63
Factorial proof
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
{ INV[x-1/x] } x:=x-1 {INV}
{ INV } W {x=1 INV }{ INV[1/y] } y:=1 { INV }
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{x1 INV } y:=y*x; x:=x–1 { INV }
[comp]
[cons]
[while]
[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }
[cons]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
[comp]
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
{ b P } S { P } { P } while b do S {b P }
![Page 64: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/64.jpg)
64
Factorial proof
W = while (x1) do (y:=y*x; x:=x–1)
INV = x > 0 (y x! = n! n x)
{ INV[x-1/x][y*x/y] } y:=y*x; x:=x–1 {INV}
{ INV[x-1/x] } x:=x-1 {INV}
{ INV } W {x=1 INV }{ INV[1/y] } y:=1 { INV }
{ INV[x-1/x][y*x/y] } y:=y*x { INV[x-1/x] }
{x1 INV } y:=y*x; x:=x–1 { INV }
[comp]
[cons]
[while]
[cons]{ INV } W { y=n! n>0 }{ x=n } y:=1 { INV }
[cons]
{ x=n } while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
[comp]
Goal: { x=n } y:=1; while (x1) do (y:=y*x; x:=x–1) { y=n! n>0 }
{ P’ } S { Q’ } { P } S { Q } if PP’ and Q’Q
![Page 65: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/65.jpg)
65
Provability
• We say that an assertion { P } C { Q } is provable if there exists an inference tree– Written as p { P } C { Q }
![Page 66: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/66.jpg)
66
Annotated programs
• A streamlined version of inference trees– Inline inference trees into programs– A kind of “proof carrying code”– Going from annotated program to proof tree is a
linear time translation
![Page 67: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/67.jpg)
67
Annotating composition
• We can inline inference trees into programs• Using proof equivalence of S1; (S2; S3) and (S1; S2); S3
instead writing deep trees, e.g.,
{P} (S1; S2); (S3 ; S4) {Q}{P} (S1; S2) {P’’} {P’’} (S3 ; S4) {Q}
{P} S1 {P’} {P’} S2 {P’’} {P’’} S3 {P’’’} {P’’’} S4 {P’’}
• We can annotate a composition S1; S2;…; Sn by{P1} S1 {P2} S2 … {Pn-1} Sn-1 {Pn}
![Page 68: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/68.jpg)
68
Annotating conditions
{ P }if b then { b P } S1
else S2
{ Q }
![Page 69: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/69.jpg)
69
Annotating conditions
{ P }if b then
{ b P }S1
{ Q1 }else
S2
{ Q2 }{ Q }
Usually Q is the result of using the consequence rule, so a more explicit annotation is
![Page 70: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/70.jpg)
70
Annotating loops
{ P }while b do { b P } S{b P }
![Page 71: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/71.jpg)
71
Annotating loops
{ P }while b do { b P } S { P’ }{b P } { Q }
P’ implies P
b P implies Q
![Page 72: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/72.jpg)
72
Annotated factorial program{ x=n } y := 1;{ x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 }
• Contrast with proof via natural semantics
• Where did the inductive argument over loop iterations go?
![Page 73: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/73.jpg)
73
Properties of the semanticsEquivalence– What is the analog of program
equivalence in axiomatic verification?
Soundness– Can we prove incorrect properties?
Completeness– Is there something we can’t
prove?
![Page 74: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/74.jpg)
74
Provability
• We say that an assertion { P } C { Q } is provable if there exists an inference tree– Written as p { P } C { Q }– Are inference trees unique?
{true} x:=1; x:=x+5 {x0}• Proofs of properties of axiomatic semantics use
induction on the shape of the inference tree– Example: prove p { P } C { true } for any P and C
![Page 75: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/75.jpg)
75
Provable equivalence
• We say that C1 and C2 are provably equivalent if for all P and Qp { P } C1 { Q } if and only if p { P } C2 { Q }
• Examples:– S; skip and S– S1; (S2; S3) and (S1; S2); S3
![Page 76: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/76.jpg)
76
Valid assertions
• We say that { P } C { Q } is valid if for all states s, if sP and C, ss’ then s’Q
• Denoted by p { P } C { Q }
P C(P)
Q
ss’C
![Page 77: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/77.jpg)
77
Logical implication and equivalence
• We write A B if for all states sif s A then s B– {s | s A } {s | s B }– For every predicate A: false A true
• We write A B if A B and B A– false 5=7
• In writing Hoare-style proofs, we will often replace a predicate A with A’ such that A A’and A’ is “simpler”
![Page 78: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/78.jpg)
78
Soundness and completeness
• The inference system is sound:– p { P } C { Q } implies p { P } C { Q }
• The inference system is complete:– p { P } C { Q } implies p { P } C { Q }
![Page 79: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/79.jpg)
79
Hoare logic is sound and (relatively) complete
• Soundness: p { P } C { Q } implies p { P } C { Q }
• (Relative) completeness: p { P } C { Q } implies p { P } C { Q }
– Provided we can prove any implication RR’
![Page 80: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/80.jpg)
80
Hoare logic is sound and (relatively) complete
• Soundness: p { P } C { Q } implies p { P } C { Q }
• (Relative) completeness: p { P } C { Q } implies p { P } C { Q }
– Provided we can prove any implication RR’• FYI, nobody tells us how to find a proof …
![Page 81: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/81.jpg)
81
Is there an Algorithm?{ x=n } y := 1;{ x>0 y*x!=n! nx } while (x=1) do { x-1>0 (y*x)*(x-1)!=n! n(x-1) } y := y*x; { x-1>0 y*(x-1)!=n! n(x-1) } x := x–1{ y*x!=n! n>0 }
Annotated programs provides a compact representation of inference trees
![Page 82: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/82.jpg)
82
?
![Page 83: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/83.jpg)
83
Predicate Transformers
![Page 84: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/84.jpg)
84
Weakest liberal precondition
• A backward-going predicate transformer• The weakest liberal precondition for Q is
s wlp(C, Q)if and only if for all states s’if C, ss’ then s’ Q
Propositions:1. p { wlp(C, Q) } C { Q }
2. If p { P } C { Q } then P wlp(C, Q)
![Page 85: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/85.jpg)
85
Strongest postcondition
• A forward-going predicate transformer• The strongest postcondition for P is
s’ sp(P, C)if and only if there exists s such thatif C, ss’ and s P
1. p { P } C { sp(P, C) }
2. If p { P } C { Q } then sp(P, C) Q
![Page 86: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/86.jpg)
86
Predicate transformer semantics• wlp and sp can be seen functions that transform
predicates to other predicates– wlpC : Predicate Predicate
{ P } C { Q } if and only if wlpC Q = P– spC : Predicate Predicate
{ P } C { Q } if and only if spC P = Q
![Page 87: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/87.jpg)
87
Hoare logic is (relatively) complete• Proving
p { P } C { Q } implies p { P } C { Q }is the same as provingp { wlp(C, Q) } C { Q }
• Suppose that p { P } C { Q }then (from proposition 2) P { wlp(C, Q) }
{ P } S { Q } { wlp(C, Q) } S { Q }
[consp]
![Page 88: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/88.jpg)
88
Calculating wlp
1. wlp(skip, Q) = Q2. wlp(x := a, Q) = Q[a/x]3. wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))
4. wlp(if b then S1 else S2, Q) =(b wlp(S1, Q)) (b wlp(S2,
Q))5. wlp(while b do S, Q) = … ?
hard to capture
![Page 89: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/89.jpg)
89
Calculating wlp of a loop
wlp(while b do S, Q) =
Idea: we know the following statements are semantically equivalentwhile b do Sif b do (S; while b do S) else skip
Let’s try to substitute and calculate on
wlp(if b do (S; while b do S) else skip, Q) =
(b wlp(S; while b do S, Q)) (b wlp(skip, Q)) =
(b wlp(S, wlp(while b do S, Q))) (b Q)
LoopInv = (b wlp(S, LoopInv)) (b Q) We have a recurrence
The loop invariant
![Page 90: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/90.jpg)
90
Prove the following triple
• LoopInv = (b wlp(S, LoopInv)) (b Q)• Let’s substitute LoopInv with timer0• Show that timer0 is equal to
(timer>0 wlp(timer:=timer-1, timer0)) (timer0 timer=0)= (timer>0 (timer0)[timer-1/timer]) (timer0 timer=0)= (timer>0 timer-10) (timer0 timer=0)= timer>0 timer=0= timer0
{ timer 0 }while (timer > 0) do
timer := timer – 1{ timer = 0 }
![Page 91: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/91.jpg)
91
Issues with wlp-based proofs
• Requires backwards reasoning – not very intuitive
• Backward reasoning is non-deterministic – causes problems when While is extended with dynamically allocated heaps (aliasing)
• Also, a few more rules will be helpful
![Page 92: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/92.jpg)
92
Conjunction rule
• Not necessary (for completeness) but practically useful
• Starting point of extending Hoare logic to handle parallelism
• Related to Cartesian abstraction– Will point this out when we learn it
![Page 93: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/93.jpg)
93
Structural Rules{ P } C { Q } { P’ } C { Q’ }
{ P P’ } C {Q Q’ }[disjp]
{ P } C { Q } { v. P } C { v. Q }[existp] vFV(C
)
{ P } C { Q } {v. P } C {v. Q }[univp] vFV(C)
{ F } C { F } Mod(C) FV(F)={}[Invp]• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F
![Page 94: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/94.jpg)
94
Invariance + Conjunction = Constancy
• Mod(C) = set of variables assigned to in sub-statements of C• FV(F) = free variables of F
{ P } C { Q } { F P } C { F Q }[constancyp] Mod(C) FV(F)={}
![Page 95: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/95.jpg)
95
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { ?v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
![Page 96: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/96.jpg)
96
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=y} x:=y+1 {x=y+1}{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
First evaluate ain the precondition state(as a may access x)
Then assign the resulting value to x
Create an explicit Skolem variable in precondition
![Page 97: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/97.jpg)
97
Buggy sum program{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) } = { y0 res=m x=n m=Sum(0, n) } while (xy) do
{ y0 res=m x=n m=Sum(0, n) xy ny } x := x+1{ y0 res=m x=n+1 m=Sum(0, n) ny}res := res+x { y0 res=m+x x=n+1 m=Sum(0, n) ny}{ y0 res-x=Sum(0, x-1) ny}{ y0 res=Sum(0, x) }
{ y0 res=Sum(0, x) x>y } {res = Sum(0, y) }
![Page 98: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/98.jpg)
98
Sum program• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) xy } { y0 res=m x=n ny m=Sum(0, n) } while (x<y) do
{ y0 res=m x=n m=Sum(0, n) x<y n<y }res := res+x{ y0 res=m+x x=n m=Sum(0, n) n<y }x := x+1 { y0 res=m+x x=n+1 m=Sum(0, n) n<y }{ y0 res-x=Sum(0, x-1) x-1<y }{ y0 res=Sum(0, x) }
{ y0 res=Sum(0, x) xy xy }{ y0 res=Sum(0, y) x=y }{ res = Sum(0, y) }
{ x=Sum(0, n) } { y=n+1 }
{ x+y=Sum(0, n+1) }
Background axiom
![Page 99: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/99.jpg)
99
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { ?v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
![Page 100: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/100.jpg)
100
Floyd’s strongest postcondition rule
• Example{ z=x } x:=x+1 { v. x=v+1 z=v }
• This rule is often considered problematic because it introduces a quantifier – needs to be eliminated further on
• We will now see a variant of this rule
{ P } x := a { v. x=a[v/x] P[v/x] } where v is a fresh variable
[assFloyd]
![Page 101: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/101.jpg)
101
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
First evaluate ain the precondition state(as a may access x)
Then assign the resulting value to x
Create an explicit Skolem variable in precondition
![Page 102: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/102.jpg)
102
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
![Page 103: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/103.jpg)
103
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
![Page 104: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/104.jpg)
104
“Small” assignment axiom
• Examples:{x=n} x:=5*y {x=5*y}{x=n} x:=x+1 {x=n+1}
{x=n} x:=y+1 {x=y+1}[existp] {n. x=n} x:=y+1 {n. x=y+1} therefore {true} x:=y+1 {x=y+1} [constancyp] {z=9} x:=y+1 {z=9 x=y+1}
{ x=v } x:=a { x=a[v/x] }where vFV(a)
[assfloyd]
![Page 105: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/105.jpg)
105
Buggy sum program{ y0 }x := 0{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x) } = { y0 res=m x=n m=Sum(0, n) } while (xy) do
{ y0 res=m x=n m=Sum(0, n) xy ny } x := x+1{ y0 res=m x=n+1 m=Sum(0, n) ny}res := res+x { y0 res=m+x x=n+1 m=Sum(0, n) ny}{ y0 res-x=Sum(0, x-1) ny}{ y0 res=Sum(0, x) }
{ y0 res=Sum(0, x) x>y } {res = Sum(0, y) }
![Page 106: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/106.jpg)
106
Sum program• Define Sum(0, n) = 0+1+…+n{ y0 }x := 1{ y0 x=1 }res := 0{ y0 x=1 res=0 }Inv = { y0 res=Sum(0, x-1) xy+1 } { y0 res=m x=n ny+1 m=Sum(0, n-1) } while (xy) do
{ y0 res=m x=n m=Sum(0, n-1) x<y ny+1 }res := res+x{ y0 res=m+x x=n m=Sum(0, n-1) ny+1 }x := x+1 { y0 res=m+x x=n+1 m=Sum(0, n-1) ny+1 }{ y0 res-x=Sum(0, x-1) x-1<y+1 }{ y0 res=Sum(0, x-1) xy+1 } // axm-Sum
{ y0 res=Sum(0, x-1) xy+1 x>y }{ y0 res=Sum(0, x-1) x=y+1 }{ y0 res=Sum(0, y) }{ res = Sum(0, y) }
Background axiom
{ x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) }
[axm-Sum]
![Page 107: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/107.jpg)
107
Sum program• Define Sum(0, n) = 0+1+…+n
{ y0 }x := 1{ y0 x=0 }res := 0{ y0 x=0 res=0 }Inv = { y0 res=Sum(0, x-1) xy+1 }while (xy) do
{ y0 res=m x=n m=Sum(0, n-1) ny+1 x<y }res := res+x{ y0 res=m+x x=n m=Sum(0, n-1) ny+1 }{ y0 res=Sum(0, n) x=n ny+1 } // axm-Sum x := x+1{ y0 res=Sum(0, n) x=n+1 ny+1 }{ y0 res=Sum(0, x-1) xy+1 }
{ y0 res=Sum(0, x-1) xy+1 x>y }{ y0 res=Sum(0, x-1) x=y+1 }{ y0 res=Sum(0, y) }{ res = Sum(0, y) }
Background axiom
{ x=Sum(0, n) } { y=n+1 } { x+y=Sum(0, n+1) }
[axm-Sum]
![Page 108: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/108.jpg)
108
Example 1: Absolute value program
{ }if x<0 then
x := -xelse
skip{ }
![Page 109: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/109.jpg)
109
Absolute value program
{ x=v }if x<0 then { x=v x<0 }
x := -x { x=-v x>0 }else
{ x=v x0 }skip{ x=v x0 }
{ v<0 x=-v v0 x=v}{ x=|v| }
![Page 110: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/110.jpg)
110
Example 2: Variable swap program
{ }t := xx := yy := t{ }
![Page 111: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/111.jpg)
111
Variable swap program
{ x=a y=b }t := x{ x=a y=b t=a }x := y{ x=b y=b t=a }y := t{ x=b y=a t=a }{ x=b y=a } // cons
![Page 112: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/112.jpg)
112
Example 3: Axiomatizing data types
• We added a new type of variables – array variables– Model array variable as a function y : Z Z
• We need the two following axioms:
S ::= x := a | x := y[a] | y[a] := x | skip | S1; S2
| if b then S1 else S2
| while b do S
{ y[xa](x) = a }
{ zx y[xa](z) = y(z) }
![Page 113: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/113.jpg)
113
Array update rules (wp)
• Treat an array assignment y[a] := x as an update to the array function y– y := y[ax] meaning y’=v. v=a ? X : y(v)
S ::= x := a | x := y[a] | y[a] := x | skip | S1; S2
| if b then S1 else S2
| while b do S
[array-update] { P[y[ax]/y] } y[a] := x { P }
[array-load] { P[y(a)/x] } x := y[a] { P }
A very general approach – allows handling many data types
![Page 114: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/114.jpg)
114
Array update rules (wp) example• Treat an array assignment y[a] := x as an
update to the array function y– y := y[ax] meaning y’=v. v=a ? x : y(v)
[array-update] { P[y[ax]/y] } y[a] := x { P }{x=y[i7](i)} y[i]:=7 {x=y(i)}
{x=7} y[i]:=7 {x=y(i)}
[array-load] { P[y(a)/x] } x := y[a] { P }{y(a)=7} x:=y[a] {x=7}
![Page 115: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/115.jpg)
115
Array update rules (sp)
[array-updateF] { x=v y=g a=b } y[a] := x { y=g[bv] }
[array-loadF] { y=g a=b } x := y[a] { x=g(b) }
In both rulesv, g, and b are fresh
![Page 116: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/116.jpg)
116
Array-max program
nums : arrayN : int // N stands for num’s length { N0 nums=orig_nums } x := 0res := nums[0]while x < N if nums[x] > res then res := nums[x] x := x + 11. { x=N }2. { m. (m0 m<N) nums(m)res }3. { m. m0 m<N nums(m)=res }4. { nums=orig_nums }
![Page 117: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/117.jpg)
117
Array-max program
nums : arrayN : int // N stands for num’s length { N0 nums=orig_nums } x := 0res := nums[0]while x < N if nums[x] > res then res := nums[x] x := x + 1Post1: { x=N }Post2: { nums=orig_nums }Post3: { m. 0m<N nums(m)res }Post4: { m. 0m<N nums(m)=res }
![Page 118: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/118.jpg)
118
Summary
• C programming language• P assertions• {P} C {Q} judgments• { P[a/x] } x := a { P } proof Rules– Soundness– Completeness
• {x = N} y:=factorial(x){ y = N!} proofs
![Page 119: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 3: Axiomatic Semantics 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader035.vdocuments.site/reader035/viewer/2022062716/56649dbe5503460f94ab0ddc/html5/thumbnails/119.jpg)
119
Extensions to axiomatic semantics• Procedures• Total correctness assertions• Assertions for execution time– Exact time– Order of magnitude time
• Assertions for dynamic memory– Separation Logic
• Assertions for parallelism– Owicki-Gries– Concurrent Separation Logic– Rely-guarantee