Assertion

Axiomatic Semantics

Will consider axiomatic semantics (A.S.) of IMP:
<stmt> ::= skip | <assign> | <if> | <while> | <stmt>; <stmt>
| <input> | <output>
Only integer vars; no procedures/fns; vars declared implicitly

References:
Kurtz (ch. 11); Pagan (ch. 4.3)

Summary:
For each type of <stmt>, will define its a.s. via an axiom
or rule of inference (or just rule).
Using these, will be able to show (i.e., derive) that a given
program behaves according to its specification.
CSE 755, part3
1
Preliminaries




State: The state σ of a program P is a function that maps the
program variables of P to their values in that state.
Example: <x = 1, y = 2, z = 3>;
or: σ(x) = 1; σ(y) = 2; σ(z) = 3
(assuming P has 3 prog. vars., x, y, z)
Usually have to deal with a set of states:
{ <x = 1, y = 2, z = 1>, <x = 1, y = 2, z = 2>,
<x = 1, y = 2, z = 3> }
Better: Specify an assertion (or predicate, or condition)
satisfied by all the states in that set and no others:
[ (x = 1) ∧ (y = 2) ∧ (1 ≤ z ≤ 3) ]
Important: Assertion ≡ Set of states that satisfy the assertion
Assertions/sets of states

[ (x = 1) ∧ (1 ≤ y ≤ 5) ∧ (1 ≤ z ≤ 10) ] : set with 50 states

[ (x = 1) ∧ (y = 2) ] : an infinite set

[ (x = 1) ∧ (1 ≤ y ≤ 5) ] : an 'even bigger' set

[ x = y + z ] : ...

[ x = x ] : the set of all states, i.e., true

[ x ≠ x ] : the empty set, i.e., false
Assertions/sets of states
Convention:
p ↔ P (p is an assertion; P the corresponding set of states)
[p ∧ q] ↔ P ∩ Q
[p ∨ q] ↔ P ∪ Q
[¬p] ↔ −P (or, rather, "P bar"; i.e., U − P; U: universal set)
Assertions/sets of states (contd)
"" (implication) can be thought of as a relation between two
assertions:
[p  q]
: [P  Q]
[p  true] : [P  U]
[false  p] : [  P]
Can also think of "" as a single assertion:
[p  q]:(p  q )
Thus:
The context will tell us whether
to think of implication as a
[p  true]:true
relation between assertions or
[false  p] :true
a single assertion
[p  p ]
:true (??)
[p   p ] :false (??)
[(x  1)  ( x = 2 )] : ??
Assertions (contd.)
"x < y" is a syntactic entity when it appears in a program
Elsewhere it is an assertion (satisfied by some states and
not others).
A state σ satisfies the assertion x < y if (and only if)
σ(x) is less than σ(y)
Notation: σ |= (x < y) : "σ satisfies (x < y)"
Key Notation
The result
{p} S {q} (where p, q are assertions and S is a statement)
is operationally valid if:
If we start execution of S in any state σ ∈ P, the final state
σ' when S finishes execution will belong to Q
Examples:
{x = 1} skip {x = 1} : (Operationally) valid
{(x=1) ∧ (y=2) } skip {x = 1} : Valid
{x = 1} skip {(x=1) ∧ (y=2) } : Invalid (op. invalid)
{x = 1} skip {(x=1) ∨ (y=2) } : Valid
{(x=1) ∨ (y=2) } skip {x = 1} : ??
{(x=1) ∧ (y=2) } skip { true } : ??
{(x=1) ∧ (y=2) } skip { false } : ??
"Results" (contd.)
{(x=1) ∧ (y=2) } x := x+1 {(x=2) ∧ (y=2)} : Valid
{(x=1) ∧ (y=2) } x := x+1 { (x = y) } : Valid
{(u=1) ∧ (v=2) } x := x+1 { (v = u+1) } : ??
{x=0} while (x < 10) do x := x+1 end {x=10} : Valid
What if the loop doesn't terminate?
{x ≥ 0} while (x < 10) do x := x+1 end {x=10} : ??
{x ≥ 0} while (x < 10) do x := x+1 end {x ≥ 10} : ??
"Results" (contd.)
{ p } S { q } is a partial correctness result
It is valid if it is the case that:
if we start execution of S in any state σ ∈ P, and if the
execution terminates, then the final state σ' satisfies q
{x = 0} while (x ≠ 10) do x := x+1 end {x = 10} : Valid
{ true } while (x ≠ 10) do x := x+1 end {x = 10} : Also valid
Axiomatic semantics provides a non-operational approach, in the form of a set of
axioms and rules of inference, using which we can 'axiomatically derive' our results
Terminology (*important*!)
Assertion: may be Satisfied or Not Satisfied by a particular state
Result: may be Valid or Invalid in a given (operational) model
Result: may be Derivable or Not Derivable in a given axiom
system
Some meaningless statements:
"{p} S {q} is true" (note: true is a particular assertion)
"{p} S {q} is valid for some states"
"(The assertion) p is not valid"
Relation Between A.S. & Model
If a given result is derivable in a given axiom system A, will it be
valid in an operational model M? Not necessarily.
Soundness (also "consistency"):
An axiom system A is sound/consistent with model M if every
result derivable using the axioms/rules of A is valid in M; i.e.:
|-A {p} S {q} ⇒ |=M {p} S {q}
Completeness:
An axiom system A is complete with respect to model M if every
result that is valid in M is derivable using the axioms/rules of A:
|=M {p} S {q} ⇒ |-A {p} S {q}
Axiomatic Semantics of IMP
A.S.: A collection of "axioms" and "rules of inference" ("rules")
specified using the same {p} S {q} notation
A0: skip axiom
{ p } skip { p } where p is any assertion
Using this, can derive:
{ (x = 1) ∧ (y = 2) } skip { (x = 1) ∧ (y = 2) }
by taking p to be the assertion (x = 1) ∧ (y = 2) & using A0
Cannot derive:
{ (x = 1) } skip { (x = 1) ∧ (y = 2) }
which is good (why?)
Cannot derive:
{ (x = 1) ∧ (y = 2) } skip { (x = 1) }
which is bad (why?)
Axiomatic Semantics of IMP
R0: Rule of Consequence:
{ p } S { q' }, q' ⇒ q
------------------------------
{ p } S { q }
(p, q, q': any assertions; S: any stmt)
Using R0 (and A0) we can derive:
{ (x = 1) ∧ (y = 2) } skip { (x = 1) }
Another form of rule of consequence:
p ⇒ p', { p' } S { q }
------------------------------
{ p } S { q }
(p, q, p': any assertions; S: any stmt)
Consider other forms of consequence (including inconsistent ones?)
Axiomatic Semantics of IMP (contd)
A1. Assignment axiom:
{ p^x_e } x := e { p } where p is any assertion;
p^x_e is obtained from p by (simultaneously) replacing
all occurrences of x in p by e. (Note: p^x_e ≡ p[x/e] )
We can derive:
{ x+1 = y+z } x := x+1 { x = y+z }
(take p to be x = y+z )
{ y+z = y+z } x := y+z { x = y+z }
(take p to be x = y+z )
{ y+z ≥ 0 } x := y+z { x ≥ 0 }
(take p to be x ≥ 0 )
Operational Justification:
If we want the state following the assignment
to satisfy p, the state before it should
satisfy the same assertion, except with
the value of e satisfying the conditions
expected of the value of x
Axiomatic Semantics of IMP (contd.)
Caution: In axiomatic derivations, you are only allowed to use
the axioms and rules of the system; no appeals to operational
intuitions. If you make such appeals, you have an operational
argument, not an axiomatic derivation
Summary: The axiomatic semantics of a language consists of:
An axiom for each atomic statement
A rule (of inference) for each compound stmt
+ Logical rules
Axiomatic Semantics of IMP (contd)
R1: Sequential Composition:
{ p } S1 { q' }, { q' } S2 { q }
---------------------------------------
{ p } S1; S2 { q }
(p, q', q: any assertions; S1, S2: any stmts.)
Using this, skip axiom, & assignment axiom, we can derive:
{x+1 = y+z} skip; x := x+1 {x = y+z}
Operational Justification: If state before S1 starts execution satisfies p, then,
{ p } S1 { q' } guarantees that the state when S1 finishes will satisfy q';
hence { q' } S2 { q } guarantees the state when S2 finishes will satisfy q;
hence conclusion of rule follows given these two results.
Caution: In (axiomatic) derivations, no appeals to operational intuitions!
Axiomatic Semantics of IMP (contd)
write e ≡ out := out ^ e
A2. write axiom:
{ p[out / out^e] } write e { p } (where p is any assertion)
read x ≡ ( x := head(in); in := tail(in) )
{ (p[in/tail(in)])[x/head(in)] }
x := head(in);
{ p[in/tail(in)] }
in := tail(in)
{p}
A3. read axiom:
{ (p[in/tail(in)])[x/head(in)] } read x { p }
(p: any assertion)
Axiomatic Semantics of IMP (contd)
Problem: Derive the following result (axiomatically):
{ (in = <3, 4>) ∧ (out = <>) }
read x; read y; write (x+y);
{ out = <7> }
Derivation (or "proof") outline:
{ (in = <3, 4>) ∧ (out = <>) } (rule of cons.)
{ out^(head(in) + head(tail(in))) = <7> } (read axiom)
read x;
{ out^(x + head(in)) = <7> } (read axiom)
read y;
{ out^(x + y) = <7> } (write axiom)
write (x+y);
{ out = <7> }
Axiomatic Semantics of IMP (contd)
R2: If-then-else:
{ p ∧ b} S1 { q }, { p ∧ ¬b} S2 { q }
-------------------------------------------------
{ p } if b then S1 else S2 { q }
Operational Justification: Suppose we start in a state σ ∈ P. There are two
ways to proceed: if σ |= b, execute S1; if not, execute S2. In either case,
the hypotheses (assuming they are valid) guarantee that the final state
will satisfy q. Hence conclusion follows.
Caution: In (axiomatic) derivations, no appeals to operational intuitions!
Axiomatic Semantics of IMP (contd)
Problem: Derive the following result (axiomatically):
{ y = 1}
if (y = 1) then x := 1 else x := 2
{x=1}
1. { (y = 1) ∧ (y = 1)} x := 1 { x = 1} (by Ass. ax, rule of conseq.)
2. { 2 = 1 } x := 2 { x = 1} (by Ass. ax, rule of conseq.)
3. { (y = 1) ∧ (y ≠ 1) } x := 2 { x = 1} (by (2), rule of conseq.)
4. { y = 1}
if (y = 1) then x := 1 else x := 2
{ x = 1 } (by (1), (3), and if-then-else rule)
Derive:
{ true} if (y = 1) then x := 1 else x := 2 { (x = 1) ∨ (x = 2) }
{ true} if (y = 1) then ... { [(y=1) ∧ (x = 1)] ∨ [(y≠1) ∧ (x = 2)] }
Axiomatic Semantics of IMP (contd)
R3: while rule:
p ⇒ q, { q ∧ b } S { q }, (q ∧ ¬b) ⇒ r
------------------------------------------------------
{ p } while b do S { r }
The following rule, given rule of conseq., is equivalent:
{ q ∧ b } S { q }
------------------------------------------------------
{ q } while b do S { q ∧ ¬b }
I.e.: Any result derivable using R3 is derivable using the above
Operational justification: ...
R3 is complete ... somewhat surprising: we can always find an
appropriate loop invariant
Problem: Derive the following result (axiomatically):
{(x ≥ 0) ∧ (y > 0)}
q := 0; r := x;
while ((r-y) ≥ 0) do q := q+1; r := r-y; end
{ (x = q*y + r) ∧ (0 ≤ r < y)}
Take loop invariant p to be:
p ≡ [(x = q*y + r) ∧ (0 ≤ r) ∧ (y > 0)]
Derivation outline:
{(x ≥ 0) ∧ (y > 0)}
q := 0; r := x;
{(x ≥ 0) ∧ (y > 0) ∧ (q=0) ∧ (r=x)} (by ass. ax, seq. comp., conseq.)
{p}
while ...
{p ∧ ¬((r-y) ≥ 0)}
{ (x = q*y + r) ∧ (0 ≤ r < y)}
Key step 1:
{ p ∧ ((r-y) ≥ 0)} q := q+1; r := r-y {p}
Key step 2:
[p ∧ ¬((r-y) ≥ 0)] ⇒ [(x = q*y + r) ∧ (0 ≤ r < y)] (by math logic/oracle)
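The division derivation above, the if-then-else derivation on the earlier slide, and the axioms A0, A1, R0, R1, R2 and R3 can be mechanised. The Python below is an added example, not part of the course slides: it assumes a constructed tuple encoding of IMP statements and Python-syntax assertion strings, pushes the postcondition backwards through the statement (the while tuple carries its loop invariant), and uses a brute-force finite-domain check as the "math logic/oracle" that discharges the rule-of-consequence side conditions; the function names subst, implies, vcgen and derivable are mine.

```python
import ast
import itertools

def subst(p, x, e):
    """p[x/e]: replace every occurrence of variable x in assertion p (a Python-syntax string) by e."""
    e_tree = ast.parse(e, mode="eval").body
    class Replace(ast.NodeTransformer):
        def visit_Name(self, node):
            return e_tree if node.id == x else node   # simultaneous: e itself is not re-visited
    return ast.unparse(Replace().visit(ast.parse(p, mode="eval")))

def implies(p, q, names, lo=-3, hi=3):
    """Finite-domain 'oracle' for p => q over all states with variable values in lo..hi.
    A counterexample refutes the implication; exhaustive success is evidence, not a proof."""
    for values in itertools.product(range(lo, hi + 1), repeat=len(names)):
        state = dict(zip(names, values))
        if eval(p, {}, state) and not eval(q, {}, state):   # only locally constructed strings are eval'd
            return False
    return True

def vcgen(stmt, q):
    """Push q backwards through stmt with A0/A1/R1/R2/R3 (while carries its invariant); returns (pre, side conditions)."""
    kind = stmt[0]
    if kind == "skip":                          # A0: { q } skip { q }
        return q, []
    if kind == "assign":                        # A1: { q[x/e] } x := e { q }
        return subst(q, stmt[1], stmt[2]), []
    if kind == "seq":                           # R1: the intermediate assertion q' is computed, not guessed
        _, s1, s2 = stmt
        mid, vc2 = vcgen(s2, q)
        pre, vc1 = vcgen(s1, mid)
        return pre, vc1 + vc2
    if kind == "if":                            # R2, folded into a single precondition via R0
        _, b, s1, s2 = stmt
        p1, vc1 = vcgen(s1, q)
        p2, vc2 = vcgen(s2, q)
        return f"(({b}) and ({p1})) or (not ({b}) and ({p2}))", vc1 + vc2
    _, b, inv, body = stmt                      # R3: body preserves inv; inv and not b must give q
    pre, vcb = vcgen(body, inv)
    return inv, vcb + [(f"({inv}) and ({b})", pre), (f"({inv}) and not ({b})", q)]

def derivable(p, stmt, q, names):
    """{p} stmt {q} holds when p implies the generated precondition (R0) and the oracle discharges every side condition."""
    pre, vcs = vcgen(stmt, q)
    return all(implies(a, b, names) for a, b in [(p, pre)] + vcs)

# Constructed encoding of the slides' integer-division program, with its loop invariant p.
DIV = ("seq", ("seq", ("assign", "q", "0"), ("assign", "r", "x")),
       ("while", "r - y >= 0", "x == q * y + r and 0 <= r and y > 0",
        ("seq", ("assign", "q", "q + 1"), ("assign", "r", "r - y"))))
```

Calling derivable("x >= 0 and y > 0", DIV, "x == q * y + r and 0 <= r < y", ["x", "y", "q", "r"]) returns True; swapping the body's r := r-y for r := r-x makes the preservation side condition fail and the result False.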
Derive:
{in = <1,2,3, ..., 100> ∧ out = <> }
read x;
while (x ≠ 100) do write x; read x; end
{ out = <1, 2, ..., 99>}
Take loop invariant p to be:
p ≡ [out^x^in = <1,2, ..., 100>]
Derivation outline:
{in = <1,2,3, ..., 100> ∧ out = <> }
read x;
{(x=1) ∧ (in = <2,3, ..., 100>) ∧ (out = <>) }
{out^x^in = <1,2, ..., 100>}
while (x ≠ 100) do write x; read x; end
{(out^x^in = <1,2, ..., 100>) ∧ (x = 100)}
{ out = <1, 2, ..., 99>}
Derive:
{in = <1,2,3, ..., 100> ∧ out = <> }
s := 0; read x;
while (x ≠ 100) do s := s+x; read x; end
{ s = Σ_{k=0..99} k }
Take loop invariant p to be:
[(#in = 100-x) ∧ ∀k.[(0 < k ≤ #in) ⇒ (in[k] = x+k)]
∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x-1)} k)]
A more intuitive loop invariant:
[(in = <x+1, ..., 100>) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..(x-1)} k)]
Key step:
{p ∧ (x ≠ 100)}
s := s+x; read x;
{p}
Note: (head(in) = x+1) [implied by p] is important in showing that
(p ∧ (x ≠ 100)) implies p' [obtained by taking p back through s := s+x; read x]
(In)Completeness
R3: while rule:
p ⇒ q, { q ∧ b } S { q }, (q ∧ ¬b) ⇒ r
------------------------------------------------------
{ p } while b do S { r }
A simpler rule:
p ⇒ q, { q } S { q }, (q ∧ ¬b) ⇒ r
------------------------------------------------------
{ p } while b do S { r }
Using this rule, we can derive:
{ x=0 } while (x≠10) do x := x+1 { x = 10}
Take p to be (x=0) and q to be true
(In)Completeness (contd.)
The rule is incomplete:
p ⇒ q, { q } S { q }, (q ∧ ¬b) ⇒ r
------------------------------------------------------
{ p } while b do S { r }
Cannot derive:
{ x=0 ∧ y=0 } while (x≠0) do y := y+1 { x=0 ∧ y=0 }
Proof: Suppose we could. Then there must exist q such that:
a. (x=0 ∧ y=0) ⇒ q
b. {q} y := y+1 {q}
c. (q ∧ x=0) ⇒ (x=0 ∧ y=0)
Then <x=0, y=0, z=0> ∈ Q [by (a)]
Hence <x=0, y=1, z=0> ∈ Q [by (b)]
Hence <x=0, y=1, z=0> ∈ Q ∩ (x=0) [why?]
But <x=0, y=1, z=0> is not in (x=0 ∧ y=0)
Hence such a q cannot exist!
Consistency/Completeness
How do you show a system A is consistent and/or complete
(with respect to a model M)?
Generally tedious task.
Special case: If we are told that A' is consistent/complete and A
is obtained from A' by making some changes to some rules of
A', we may be able to use the following approach:
Completeness: Show that all results derivable in A' are also
derivable in A. Then completeness of A' implies completeness
of A (with respect to same model).
Consistency: Show that all results derivable in A are also
derivable in A'. Then consistency of A' implies consistency of
A (with respect to same model).
Axiomatic Semantics of IMP (contd)
Suppose we change the if-then-else rule:
{ p ∧ b} S1 { q }, { p ∧ ¬b} S2 { q }
-------------------------------------------------
{ p } if b then S1 else S2 { q }
To:
{ p ∧ b} S1 { q ∧ b}, { p ∧ ¬b} S2 { q ∧ ¬b }
-----------------------------------------------------------
{ p } if b then S1 else S2 { q }
The resulting system will be consistent: show that every result
derivable in the new system is derivable in the original system
Completeness?
Total Correctness
How do we derive:
{ in = <> } read x {false} ? (1)
We can't!
A better axiom for read:
(p ∧ in ≠ <>) ⇒ (q[in/tail(in)])[x/head(in)]
-------------------------------------------------
{ p } read x { q }
With this axiom, we can derive (1).
Also suggests total correctness axiom for read:
p ⇒ [ in ≠ <> ∧ (q[in/tail(in)])[x/head(in)] ]
----------------------------------------------------
<p | read x | q>
Total Correctness (contd.)
Similar considerations for assignment:
{ (x=0) ∧ (y=3) } z := y/x {false} ? (1)
We can't!
A better axiom (D(e): "e is well defined"):
(p ∧ D(e)) ⇒ (q[x/e])
-------------------------------------------------
{ p } x := e { q }
With this axiom, we can derive (1).
Also suggests total correctness axiom:
p ⇒ [D(e) ∧ q[x/e] ]
----------------------------------------------------
<p | x := e | q>
Total Correctness (contd.)
Total correctness rule for while:
(p ∧ b) ⇒ (f > 0)
<p ∧ b ∧ f=k | S | p ∧ (f < k) >
-------------------------------------------------
< p | while b do S | p ∧ ¬b >
a. Why does f have to be an integer function of the state?
b. What if b is not well defined?
c. What would happen if we change "<...|..|..>" in the second
line to "{...}..{..}"?
The other rules are essentially the same as the corresponding
partial correctness rules:
<p | S1 | q1>, <q1 | S2 | q>
-------------------------------------
<p | S1; S2 | q>
Total Correctness (contd.)
Derive:
< s=0 ∧ x=0 |
while x ≠ 10 do x:=x+1; s:=s+x; end
| s = 0 + 1 + 2 + 3 + ... + 10 >
Loop invariant:
p ≡ (0 ≤ x ≤ 10 ∧ s = Σ_{n=0..x} n )
Progress function (also called: "progress metric", "convergence
function" etc.):
f(x,s) ≡ (10 − x)
Check: (p ∧ (x ≠ 10)) ⇒ (f > 0) : easy
Derive:
<p ∧ (x ≠ 10) ∧ (f=k) | x:=x+1; s:=s+x | p ∧ (f < k) > : exercise
Hence original result follows from rule for loops
Non-determinism
Guarded commands:
Selection: [b1 → S1 | b2 → S2 | ... | bn → Sn ]
To execute: choose any bi that evaluates to true and
execute corresponding Si; if all bi are false, error
e.g.: [ x ≥ y → z := x | y ≥ x → z := y ] : sets z to larger of x,y

Repetition: *[b1 → S1 | b2 → S2 | ... | bn → Sn ]
To execute: choose any bi that evaluates to true and
execute corresponding Si. Repeat until, after some no. of
iterations, all bi evaluate to false; at that point, stop.
Loop may not terminate, or may terminate in 0 iterations
e.g.:
*[ x1 > x2 → exch(x1, x2) | x2 > x3 → exch(x2, x3) |
x3 > x4 → exch(x3, x4) ] : sorts [x1, x2, x3, x4]
Axiomatics of non-determinism
Selection:
{ p ∧ b1 } S1 { q }, { p ∧ b2 } S2 { q }, ..., { p ∧ bn } Sn { q }
--------------------------------------------------------------------------
{ p } [b1 → S1 | b2 → S2 | ... | bn → Sn ] { q }
Repetition:
{ p ∧ b1 } S1 { p }, { p ∧ b2 } S2 { p }, ..., { p ∧ bn } Sn { p }
--------------------------------------------------------------------------
{ p } *[b1 → S1 | ... | bn → Sn ] { p ∧ ¬b1 ∧ ¬b2 ∧ ... ∧ ¬bn }
In selection rule, what if none of the bi's evaluates to true?
Total correctness rules?