Axiomatic semantics: Pre- and post conditions (PowerPoint presentation, slides XXVII.1 to XXVII.12)



XXVII.1 Axiomatic semantics

• Proofs based on semantics are too detailed.
• Restriction to certain kinds of properties:
  • partial correctness
  • total correctness
• Properties of programs are specified as assertions

    { P } S { Q }

  where
  • S is a statement,
  • P is the precondition and
  • Q is the postcondition.

XXVII.2 Pre- and post conditions

We use
• program variables (e.g. x, y), and
• logical variables (e.g. n).

Example:

    { x = n }
    y := 1 ; while ¬(x = 1) do ( y := x ⋆ y ; x := x − 1 )
    { y = n! ∧ n > 0 }

Language for preconditions and postconditions:
• the intensional approach: a special language L
• the extensional approach: use predicates of State → T

XXVII.3 Notation

• P1 ∧ P2 for P where P s = (P1 s) and (P2 s)
• P1 ∨ P2 for P where P s = (P1 s) or (P2 s)
• ¬P for P′ where P′ s = ¬(P s)
• P[x ↦ A[a]] for P′ where P′ s = P(s[x ↦ A[a] s])
• P1 ⇒ P2 for ∀ s ∈ State: P1 s implies P2 s

XXVII.4 Axioms and rules

Assignment:   { P[x ↦ A[a]] } x := a { P }

Skip:         { P } skip { P }

Sequence:
    { P } S1 { Q }    { Q } S2 { R }
    --------------------------------
    { P } S1 ; S2 { R }

Conditional:
    { B[b] ∧ P } S1 { Q }    { ¬B[b] ∧ P } S2 { Q }
    ------------------------------------------------
    { P } if b then S1 else S2 { Q }

While:
    { B[b] ∧ P } S { P }
    -----------------------------------
    { P } while b do S { ¬B[b] ∧ P }

Consequence:
    { P′ } S { Q′ }
    ---------------   if P ⇒ P′ and Q′ ⇒ Q
    { P } S { Q }

XXVII.5 Example

An inference tree for { true } while true do skip { true }:

    { true } skip { true }
    -------------------------------------------- (consequence)
    { true ∧ true } skip { true }
    -------------------------------------------- (while, since B[true] ∧ true = true ∧ true)
    { true } while true do skip { ¬true ∧ true }
    -------------------------------------------- (consequence)
    { true } while true do skip { true }

XXVII.6 Properties of the inference system

SOUNDNESS: if some partial correctness property can be proved using the inference system then it does indeed hold according to the semantics.

COMPLETENESS: if some partial correctness property does hold according to the semantics then we can also find a proof for it using the inference system.

PROVABILITY: ⊢p { P } S { Q }: there exists an inference tree for { P } S { Q }.

VALIDITY: ⊨p { P } S { Q }: for all states s, if P s = tt and ⟨S, s⟩ → s′ for some s′ then Q s′ = tt.
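The extensional approach from the slides (predicates as State → T, substitution as P(s[x ↦ A[a] s]), validity judged against the natural semantics) as an added Python example that is not part of the presentation: it runs the slides' factorial program and checks the obligations of the while rule and the consequence rule over a finite grid of states. The loop invariant INV, the step budget and the sample states are assumptions of this example, not given on the slides; the conditional rule is omitted here since the factorial program does not use it.

```python
from math import factorial
from itertools import product

def run(S, s, fuel=10_000):
    """Natural semantics <S, s> -> s'. S is ('skip',), ('assign', x, a), ('seq', S1, S2)
    or ('while', b, S); a and b are callables on states. RuntimeError = budget exhausted."""
    kind = S[0]
    if kind == 'skip':
        return s
    if kind == 'assign':
        return {**s, S[1]: S[2](s)}                    # s[x -> A[a]s]
    if kind == 'seq':
        return run(S[2], run(S[1], s, fuel), fuel)
    b, body = S[1], S[2]                               # 'while'
    for _ in range(fuel):
        if not b(s):
            return s
        s = run(body, s, fuel)
    raise RuntimeError("loop did not terminate within the step budget")

def subst(P, x, a):
    """P[x -> A[a]] is the predicate s |-> P(s[x -> A[a]s]), as defined on the slides."""
    return lambda s: P({**s, x: a(s)})

def implies(P, Q, states):
    return all(Q(s) for s in states if P(s))           # P => Q over the sampled states only

def valid(P, S, Q, states):
    """|=p {P} S {Q} over the sampled states: a run that does not terminate imposes nothing."""
    for s in filter(P, states):
        try:
            if not Q(run(S, s)):
                return False
        except RuntimeError:
            pass                                       # partial correctness only
    return True

# The slides' factorial program; INV is an invariant assumed here, not stated on the slides.
BODY = ('seq', ('assign', 'y', lambda s: s['x'] * s['y']), ('assign', 'x', lambda s: s['x'] - 1))
NOT1 = lambda s: not s['x'] == 1                       # B[not (x = 1)]
FACT = ('seq', ('assign', 'y', lambda s: 1), ('while', NOT1, BODY))
PRE = lambda s: s['x'] == s['n']
POST = lambda s: s['y'] == factorial(s['n']) and s['n'] > 0
INV = lambda s: s['x'] <= 0 or (s['y'] * factorial(s['x']) == factorial(s['n']) and s['n'] >= s['x'])
STATES = [dict(x=x, y=y, n=n) for x, y, n in product(range(6), range(4), range(6))]   # constructed

def check_factorial():
    entry = implies(PRE, subst(INV, 'y', lambda s: 1), STATES)        # {PRE} y := 1 {INV}
    keep = valid(lambda s: NOT1(s) and INV(s), BODY, INV, STATES)     # {B[b] and INV} body {INV}
    exit_ = implies(lambda s: not NOT1(s) and INV(s), POST, STATES)   # (not B[b] and INV) => POST
    return entry and keep and exit_ and valid(PRE, FACT, POST, STATES)
```

States with x = n = 0 exhaust the budget and are skipped, which is exactly the partial-correctness reading of validity on the slide: the postcondition is only demanded of terminating runs.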

XXVII.7 Soundness and completeness

Theorem 6.16
For all partial correctness assertions { P } S { Q } we have

    ⊨p { P } S { Q }   ⇔   ⊢p { P } S { Q }

Proof in two stages:

Stage 1:  ⊢p { P } S { Q }  ⇓  ⊨p { P } S { Q }

Stage 2:  ⊨p { P } S { Q }  ⇓  ⊢p { P } S { Q }

XXVII.8 Soundness

Lemma 6.17
The partial correctness inference system for While is sound, that is

    ⊢p { P } S { Q }  ⇓  ⊨p { P } S { Q }

Proof: By induction on the shape of the inference tree used to infer ⊢p { P } S { Q }.

XXVII.9 Proof (1)

Case { P[x ↦ A[a]] } x := a { P }

Assume ⟨x := a, s⟩ → s′ and (P[x ↦ A[a]]) s = tt.
Then s′ = s[x ↦ A[a] s] and P(s[x ↦ A[a] s]) = tt.
So P s′ = tt, as was to be shown.

XXVII.10 Proof (2)

Case
    { P } S1 { Q }    { Q } S2 { R }
    --------------------------------
    { P } S1 ; S2 { R }

Assume ⊨p { P } S1 { Q } and ⊨p { Q } S2 { R }. We shall prove that ⊨p { P } S1 ; S2 { R }.

We have
    P s = tt and ⟨S1 ; S2, s⟩ → s′′
  ⇓
    P s = tt, ⟨S1, s⟩ → s′ and ⟨S2, s′⟩ → s′′
  ⇓
    Q s′ = tt and ⟨S2, s′⟩ → s′′
  ⇓
    R s′′ = tt

XXVII.11 Proof (3)

Case
    { P′ } S { Q′ }
    ---------------   if P ⇒ P′ and Q′ ⇒ Q
    { P } S { Q }

Assume ⊨p { P′ } S { Q′ }, P ⇒ P′ and Q′ ⇒ Q. We shall prove ⊨p { P } S { Q }.

We have
    P s = tt and ⟨S, s⟩ → s′
  ⇓
    P′ s = tt and ⟨S, s⟩ → s′
  ⇓
    Q′ s′ = tt
  ⇓
    Q s′ = tt

XXVII.12 Proof (4)

Case
    { B[b] ∧ P } S { P }
    -----------------------------------
    { P } while b do S { ¬B[b] ∧ P }

Assume ⊨p { B[b] ∧ P } S { P }; we shall prove ⊨p { P } while b do S { ¬B[b] ∧ P }.

Assume P s = tt and ⟨while b do S, s⟩ → s′′.

If B[b] s = ff then s′′ = s, so (¬B[b] ∧ P) s′′ = tt.

If B[b] s = tt then ⟨S, s⟩ → s′ and ⟨while b do S, s′⟩ → s′′ for some s′. Thus P s′ = tt, so the induction hypothesis (for this case, an inner induction on the shape of the derivation tree for ⟨while b do S, s⟩ → s′′, which is smaller for s′) gives (¬B[b] ∧ P) s′′ = tt.
