Document: J_axiomatic

Recalling Our Intro to the Course

The Program Correctness Problem

$\psfig{figure=/home/logalg/public_html/slides/Figs/logic_use_1.eps,width=0.40\basewidth}$

Conventional models of using computers - not easy to determine correctness!
- Has become a very important issue, not just in safety-critical apps.
- Components with assured quality, being able to give a warranty, ...
- Being able to run untrusted code, certificate carrying code, ...

A Simple Imperative Program

Example:

#include <stdio.h>
main() {
  int Number, Square;
  Number = 0;
       while(Number <= 5) 
         { Square = Number * Number;
           printf("%d\n",Square);
           Number = Number + 1; } }

Is it correct? With respect to what?
A suitable formalism:
- to provide specifications (describe problems), and
- to reason about the correctness of programs (their implementation).
is needed.

Natural Language

``Compute the squares of the natural numbers which are less or equal than 5.''

Ideal at first sight, but:

verbose
vague
ambiguous
needs context (assumed information)
...

Philosophers and Mathematicians already pointed this out a long time ago...

Logic

A means of clarifying / formalizing the human thought process
Logic for example tells us that (classical logic)
Aristotle likes cookies, and
Plato is a friend of anyone who likes cookies
imply that
Plato is a friend of Aristotle
Symbolic logic:
A shorthand for classical logic - plus many useful results:

$a_2: \forall X likes(X,cookies) \rightarrow friend(plato,X)$

$T[a_1,a_2] \vdash t_1$
But, can logic be used:
- To represent the problem (specifications)?
- Even perhaps to solve the problem?

Using Logic

$\psfig{figure=/home/logalg/public_html/slides/Figs/logic_use_2.eps,width=0.38\basewidth}$

For expressing specifications and reasoning about the correctness of programs we need:
- Specification languages (assertions), modeling, ...
- Program semantics (models, axiomatic, fixpoint, ...).
- Proofs: program verification (and debugging, equivalence, ...).

Generating Squares: A Specification (I)

Numbers --we will use ``Peano'' representation for simplicity:
0 $\rightarrow$ 0 1 $\rightarrow$ s(0) 2 $\rightarrow$ s(s(0)) 3 $\rightarrow$ s(s(s(0))) ...

Defining the natural numbers:
$nat(0) \wedge nat(s(0)) \wedge nat(s(s(0))) \wedge \dots$
A better solution:
$nat(0) \wedge \forall X (nat(X) \rightarrow nat(s(X)))$
Order on the naturals:
$\forall X (le(0, X)) \wedge$
$\forall X \forall Y (le(X,Y) \rightarrow le(s(X),s(Y))$
Addition of naturals:
$\forall X (nat(X) \rightarrow add(0, X, X)) \wedge$
$\forall X \forall Y \forall Z (add(X,Y,Z) \rightarrow add(s(X),Y,s(Z)))$

Generating Squares: A Specification (II)

Multiplication of naturals:
$\forall X (nat(X) \rightarrow mult(0, X, 0)) \wedge$
$\forall X \forall Y \forall Z \forall W (mult(X,Y,W) \wedge add(W,Y,Z) \rightarrow mult(s(X),Y,Z))$
Squares of the naturals:
$\forall X \forall Y (nat(X) \wedge nat(Y) \wedge mult(X,X,Y)$ $\rightarrow nat\_square(X,Y))$

We can now write a specification of the (imperative) program, i.e., conditions that we want the program to meet:

Precondition:
empty.
Postcondition:
$\forall X (output(X) \leftarrow (\exists Y nat(Y) \wedge le(Y,s(s(s(s(s(0)))))) \wedge nat\_square(Y,X)))$

Use of Logic

$\psfig{figure=/home/logalg/public_html/slides/Figs/logic_use_2a.eps,width=0.38\basewidth}$

For expressing specifications and reasoning about the correctness of programs we need:
- Specification languages (assertions), modeling, ...
- Program semantics (models, axiomatic, fixpoint, ...).
- Proofs: program verification (and debugging, equivalence, ...).

Semantic Tasks

$\psfig{figure=/home/logalg/public_html/slides/Figs/logic_use_2a.eps,width=0.30\basewidth}$

Semantics:
- A semantics associates a meaning (a mathematical object) to a program or program sentence.
Semantic tasks:
- Verification: proving that a program meets its specification.
- Static debugging: finding where a program does not meet specifications.
- Program equivalence: proving that two programs have the same semantics.
- etc.

Styles of Semantics

Operational:
The meaning of program sentences is defined in terms of the steps (transformations from state to state) that computations may take during execution (derivations). Proofs by induction on derivations.
Axiomatic:
The meaning of program sentences is defined indirectly in terms of some axioms and rules of a logic of program properties.
Denotational (fixpoint):
The meaning of program sentences is given abstractly as functions on an appropriate domain (which is often a lattice). E.g., $\lambda$ -calculus for functional programming. C.f., lattice / fixpoint theory.
Also, model (declarative) semantics: (For (Constraint) Logic Programs:) The meaning of programs is given as a minimal model (``logical meaning'') of the logic that the program is written in.

Operational Semantics

Traditional Operational Semantics

Meaning of program sentences defined in terms of the steps (state transitions, transformations from state to state) that computations may take during executions (derivations).
Proofs by induction on derivations.
Examples of concrete operational semantics:
- Semantics modeling memory for imperative programs.
- Interpreters and meta-interpreters (self-interpreters).
- Resolution and CLP( $\cal{X}$ ) resolution, for (constraint) logic programs.
- ...
Examples of generic / standard methodologies:
- Structural operational semantics.
- Vienna definition language (VDL).
- SECD machine.
- ...

A Simple Imperative Language

Program    ::= Statement
Statement  ::= Statement ; Statement
           |   noop
           |   Id := Expression
           |   if Expression then Statement else Statement
           |   while Expression do Statement
Expression ::= Numeral
           |   Id
           |   Expression + Expression

Only integer data types.
Variables do not need to be declared.

Operational Semantics

States: memory configurations -values of variables.
denotes the value of the variable X in state .
$<statement,s> \Rightarrow s'$ denotes that
if is executed in state the resulting state is .
$<expression,s> \Rightarrow value$ denotes that
if is executed in state it returns .
Expressions:
- If is a number
- If is a variable
- If is of the form + we write:
  
  $\begin{displaymath}\inference{<exp_1,s> => v_1 & <exp_2,s> => v_2}{<exp_1 \texttt{+} exp_2,s> => v_1+v_2}\end{displaymath}$

Operational Semantics

Statements:
denotes a new state, identical to but where variable has value .
- Noop: $<\<noop>,s> => s$
- Assignment:
  
  $\begin{displaymath}\inference{<exp,s> => v}{<X \<:=> exp, s> => s[X/v]}\end{displaymath}$
- Conditional:
  
  $\begin{displaymath}\inference{<exp,s> => 0 & <stmt_2,s> => s'}{<\<if> exp \<then> stmt_1 \<else> stmt_2,s> => s'}\end{displaymath}$
  
  $\begin{displaymath}\inference{<exp,s> => v, v\not=0 & <stmt_1,s> => s'}{<\<if> exp \<then> stmt_1 \<else> stmt_2,s> => s'}\end{displaymath}$

Operational Semantics

Statements (Contd.):
- Sequencing:
  
  $\begin{displaymath}\inference{<stmt_1,s> => s_1 & <stmt_2,s_1> => s_2}{<stmt_1 \<;> stmt_2,s> => s_2}\end{displaymath}$
- Loops:
  
  $\begin{displaymath}\inference{<exp,s> => 0}{<\<while> exp \<do> stmt, s> => s}\end{displaymath}$
  
  $\begin{displaymath}\inference{<exp,s> => v, v\not=0 & <stmt,s> => s' & <\<while> exp \<do> stmt, s'> => s''}{<\<while> exp \<do> stmt, s> => s''}\end{displaymath}$

Example

Program:

x := 5;
y := -6;
if (x+y) then z := x else z := y

Semantics:

$\begin{Smallsize} \inference{ <x \<:=> 5, s_0> => s_1 & \inference{< y \<:... ...s_3} } {< x \<:=> 5 \<;> y \<:=> -6 \<;> S_3, s_0> => s_3} \end{Smallsize}$

where if (x+y) then z := x else z := y.
And:

Axiomatic Semantics

Characteristics:
- Based on techniques from predicate logic.
- There is no concept of state of the machine
  (as in operational or denotational semantics).
- More abstract than, e.g., denotational semantics.
- Semantic meaning of a program is based on assertions about relationships that remain the same each time the program executes.
Classical application:
- Proving programs to be correct w.r.t. specifications.
(Typical, classical) limitations:
- Side-effects disallowed in expressions.
- goto command difficult to treat.
- Aliasing not allowed.
- Scope rules difficult to describe $\Rightarrow$ require all identifier names to be unique.

History and References

Main original papers:
- 1967: Floyd. Assigning Meanings to Programs.
- 1969: Hoare. An Axiomatic Basis of Computer Programming.
- 1976: Dijkstra. A Discipline of Programming.
- 1981: Gries. The Science of Programming.
Many textbooks available.

Assertions and Correctness

Assertion: a logical formula, say

$\begin{displaymath}(m \neq 0 \wedge (\sqrt{m})^2 = m)\end{displaymath}$

that is true when a point in the program is reached.
Precondition: Assertion before a command ( $\leftarrow$ includes a whole program).
Postcondition: Assertion after a command.

$\{ PRE \}$ C $\{ POST \}$ $\leftarrow$ a ``Hoare triple''
Partial Correctness:
If the initial assertion (the precondition) is true and if the program terminates, then the final assertion (the postcondition) must be true.

Precondition + Termination $\Rightarrow$ Postcondition
Total Correctness:
Given that the precondition for the program is true, the program must terminate and the postcondition must be true.

Total Correctness = Partial Correctness + Termination

Hoare Calculus: The Assignment Axiom

Examples:
- $\{ true \}$ m := 13 $\{ m = 13 \}$
- $\{ n = 3 \wedge c = 2 \}$ n := c*n $\{ n = 6 \wedge c = 2 \}$
- $\{ k \geq 0 \}$ k := k + 1 $\{ k > 0 \}$
Notation:
- $\{ \emph{Precondition} \}$ command $\{ \emph{Postcondition} \}$
- $P [V \rightarrow E]$ denotes substitution: putting in place of in
Axiom for assignment command:

$\{ P [V \rightarrow E] \}$ $V \<:=> E$ $\{ P \}$

Work backwards:
- Postcondition: $P \equiv (n = 6 \wedge c = 2)$
- Command: n := c*n
- Precondition: $P [V \rightarrow E] \equiv (c*n = 6 \wedge c = 2)$
  $\equiv (n = 3 \wedge c = 2)$

Hoare Calculus: Read and Write Commands

Notation:
- Use ``'' and ``'' to represent input and output files.
- $[\textsc{m}\vert L]$ denotes list whose head is $\textsc{M}$ and tail is .
- K, M, N, ... represent arbitrary numerals.
Axiom for read command:
- $\{ IN = [\textsc{k}\vert L] \wedge P[V \rightarrow \textsc{k}] \}$ read $\{ IN = L \wedge P \}$
Axiom for write command:
- $\{ OUT=L \wedge E=\textsc{k} \wedge P \}$ write $\{ OUT=L::[\textsc{k}] \wedge E=\textsc{k} \wedge P \}$
Note: $L :: [\textsc{k}]$ is the list whose last element is $\textsc{k}$ ( represents concatenation).

Hoare Calculus: Rules of Inference

Format (c.f. structural operational semantics):
Axiom for Command Sequencing:

$\{P\} C_1 \{Q\}$ , $\{Q\} C_2 \{R\}$

$\{ P \} C_1 \texttt{;} C_2 \{ R \}$
Axioms for If Commands:

$\{P \wedge b\} C_1 \{Q\}$ , $\{P \wedge \neg b\} C_2 \{Q\}$

$\{ P \} \textbf{ if } b \textbf{ then } C_1 \textbf{ else } C_2 \textbf{ endif } \{ Q \}$

$\{ P \wedge b\} C \{Q\}$ , $(P \wedge \neg b) \rightarrow Q$

$\{ P \} \textbf{ if } b \textbf{ then } C \textbf{ endif } \{ Q \}$

Hoare Calculus: Rules of Inference (Contd.)

Weaken Postcondition:

{P}{Q} $, Q \rightarrow R$

{ P }{ R }
Strengthen Precondition:

$P \rightarrow Q,$ {Q}{R}

{ P }{ R }
And and Or Rules:

$\{P\} C \{Q\}, \{P'\} C \{Q'\}$

$\{ P \wedge P' \} C \{ Q \wedge Q' \}$

$\{P\} C \{Q\}, \{P'\} C \{Q'\}$

$\{ P \vee P' \} C \{ Q \vee Q' \}$
Observation:

$\begin{displaymath}\{ \emph{false} \}$ \emph{any-command} $\{ \emph{any-postcondition} \}\end{displaymath}$

Example (I)

$\{ IN = [4,9,16] \wedge OUT = [0,1,2] \}$

read m; read n;

if m $\geq$ n then

a := 2*m

else

a := 2*n

endif;

write a

$\{ IN = [16] \wedge OUT = [0,1,2,18] \}$

$\{ IN = [4,9,16] \wedge OUT = [0,1,2] \}$ $\rightarrow$ $\{ IN = [4 \vert [9,16] ] \wedge OUT = [0,1,2] \wedge 4=4 \}$
read m;
$\{ IN = [9,16] \wedge OUT = [0,1,2] \wedge m=4 \}$ $\rightarrow$ $\{ IN = [9 \vert [16]] \wedge OUT = [0,1,2] \wedge m=4 \wedge 9=9 \}$
read n;
$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9\}$
minipage0.3 Recall:
tex2html_wrap_inline${ IN = [K|L] P[V K] }$
read tex2html_wrap_inline$V$
tex2html_wrap_inline${ IN = L P }$

Example (II)

We have $P = \{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \}$

{P b} C_1 {Q}tex2html_wrap_inline$, ${P b} C_2 {Q} { P } if b then C_1 else C_2 endif { Q }

$\begin{Smallsize} \begin{tabular}{lll} \textbf{read} m; & \textbf{read} n; \\ \... ...=} 2*n \\ \textbf{endif}; \\ \textbf{write} a \\ \end{tabular}\end{Smallsize}$

So, $b \equiv m \geq n = false$ and $\neg b = true$ ; thus $\{ P \wedge b \} = false$ and $\{ P \wedge \neg b \} = P$ .

So, for we have:
$\{ P \wedge \neg b \} = \{ P \} =$
$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \} \rightarrow$
$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \wedge 2*n=18 \}$
a := 2*n tex2html_wrap_inline${ P [V E] }$ tex2html_wrap_inline$V :=> E$ tex2html_wrap_inline${ P }$
$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \wedge a=18 \}$
and for we can have anything since the premise is false:
$\{ P \wedge b \} = false$
a := 2*m
$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \wedge a=18 \}$

Example (III)

$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9\}$

if m $\geq$ n then

a := 2*m

else

a := 2*n

endif;

$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \wedge a=18 \}$

and

$\{ IN = [16] \wedge OUT = [0,1,2] \wedge m=4 \wedge n=9 \wedge a=18 \}$
write a
$\{ IN = [16] \wedge OUT = [0,1,2] :: [18] \wedge m=4 \wedge n=9 \wedge a=18 \}$

which implies

$\{ IN = [16] \wedge OUT = [0,1,2,18] \}$

While Command

$\{P \wedge b\} C \{P\}$

$\{ P \} \textbf{ while } b \textbf{ do } C \textbf{ endwhile } \{ P \wedge \neg b \}$

Loop Invariant: P
- Preserved during execution of the loop.
Loop steps:
- Initialization: show that the loop invariant $\{ P \}$ is initially true.
- Preservation:
  show the loop invariant remains true when the loop executes ( $\{ P \wedge b \}$ ).
- Completion: show that the loop invariant and the exit condition produce the final assertion ( $\{ P \wedge \neg b \}$ ).
Main Problem:
- Constructing the loop invariant.

Loop Invariant

A relationship among the variables that does not change as the loop is executed.
``Inspiration'' tips:
- Look for some expression that can be combined with $\neg b$ to produce part of the postcondition.
- Construct a table of values to see what stays constant.
- Combine what has already been computed at some stage in the loop with what has yet to be computed to yield a constant of some sort.

Study carefully many examples!

Example (exponent)

$\{ N\geq0 \wedge A\geq0 \}$

k := N; s := 1;

while k0 do

s := A*s;

k := k-1

endwhile

$\{ s = A^N \}$

k := N;	s := 1;
while	k0 do
	s := A*s;
	k := k-1
endwhile

We follow the ``tips:''

Trace algorithm with small numbers , .
Build a table of values to find loop invariant.
Notice that k is decreasing and that represents the computation that still needs to be done.
Add a column to the table for the value of .
The value remains constant throughout the execution of the loop.

Example (Exponent)

minipage0.45 tex2html_wrap_inline${ N 0 A 0 }$
tabularll k := N; & s := 1;
while & ktex2html_wrap_inline$>$0 do
& s := A*s;
& k := k-1
endwhile

tex2html_wrap_inline${ s = A^N }$

tabular[h]rrrr k & s & 2 & s*2
5 & 1 & 32 & 32
4 & 2 & 16 & 32
3 & 4 & 8 & 32
2 & 8 & 4 & 32
1 & 16 & 2 & 32
0 & 32 & 1 & 32

Observe that and change when changes.
Their product is constant, namely .
This suggests that is part of the invariant.
The relation $k\geq0$ seems to be invariant, and when combined with " $\neg b$ ", which is $k\leq0$ , establishes at the end of the loop.
When is joined with , we get the postcondition .

Loop Invariant: $\{ k\geq0 \wedge s*A^k = A^N \}$ .

Verification of the Program

Initialization:

$\{ N\geq0 \wedge A\geq0 \}$ $\rightarrow$ $\{ N=N \wedge N\geq0 \wedge A\geq0 \wedge 1=1 \}$
k := N; s := 1;
$\{ k=N \wedge N\geq0 \wedge A\geq0 \wedge s=1 \}$ $\rightarrow$ $\{ k\geq0 \wedge s*A^k = A^N \}$

Preservation:

$\{ k\geq0 \wedge s*A^k = A^N \wedge k>0 \}$ $\rightarrow$ $\{ k>0 \wedge s*A^k = A^N \}$ $\rightarrow$
$\{ k>0 \wedge s*A*A^{k-1} = A^N \}$ $\rightarrow$ $\{ k>0 \wedge A*s*A^{k-1} = A^N \}$
s := A*s;
$\{ k>0 \wedge s*A^{k-1} = A^N \}$ $\rightarrow$ $\{ k-1\geq0 \wedge s*A^{k-1} = A^N \}$
k := k-1
$\{ k\geq0 \wedge s*A^k = A^N \}$

Completion:

$\{ k\geq0 \wedge s*2^k = A^N \wedge k\leq0 \}$ $\rightarrow$ $\{ k=0 \wedge s*2^k = A^N \}$ $\rightarrow$ $\{ s = A^N \}$

Further Topics

Dealing with other language features:
- Nested loops.
- Procedure calls.
- Recursive procedures.
- ...
Proving termination / total correctness.
- Well founded orderings.

Acknowledgments

Some slides and examples taken from:
- Enrico Pontelli
- Jim Lipton
- Ken Slonneger and Barry L. Kurtz.
  Formal Syntax and Semantics of Programming Languages: A Laboratory-Based Approach. Addison-Wesley, Reading, Massachusetts.

Last modification: Tue Nov 28 21:52:52 CET 2006 <webmaster@clip.dia.fi.upm.es>

read m;	read n;
if m $\geq$ n	then
		a := 2*m
	else
		a := 2*n
endif;
write a