denotational semantics


  1. Denotational semantics

     The method:
     • define syntax (syntactic domains)
     • define semantic domains
     • define semantic functions
     • use compositional definitions

     Andrzej Tarlecki: Semantics & Verification - 63 -

  2. Syntactic domains

     Each syntactic category of the language forms a syntactic domain, which has as elements all the syntactic phrases in this category.

     Semantic domains

     Semantic domains capture the forms of the intended meanings (denotations) for syntactic phrases of the language. All the denotations live in semantic domains, but typically not all elements in semantic domains are denotable.

     Semantic domains are defined from basic domains ($\mathbf{Int}$, $\mathbf{Bool}$) using domain constructors: product, (disjoint) sum, function spaces, etc.

     There is a semantic domain for each key syntactic category of the language.

  3. Semantic functions

     For each syntactic category $\mathbf{Cat}$, define a semantic function

     $$\mathcal{C} : \mathbf{Cat} \to \mathbf{CAT}$$

     which assigns to the syntactic phrases $ph \in \mathbf{Cat}$ their denotations in the corresponding semantic domain $\mathbf{CAT}$:

     $$\mathcal{C}[\![ph]\!] \in \mathbf{CAT}$$

     BTW: This defines a semantic equivalence: phrases $ph_1, ph_2 \in \mathbf{Cat}$ are semantically equivalent (equivalent w.r.t. the denotational semantics),

     $$ph_1 \equiv_{DS} ph_2,$$

     whenever $\mathcal{C}[\![ph_1]\!] = \mathcal{C}[\![ph_2]\!]$.

  4. Compositionality

     Semantic functions are defined compositionally, so that the denotation of a phrase depends only on the denotations of its immediate components:

     $$\mathcal{C}[\![\varphi(ph_1, \ldots, ph_n)]\!] = \Phi(\mathcal{C}[\![ph_1]\!], \ldots, \mathcal{C}[\![ph_n]\!])$$

     (Homomorphism property lurking out.)

     Such a semantic clause is given for each syntactic construct.

     Key consequences:
     • STRUCTURAL INDUCTION
     • Congruence properties of the semantic equivalence

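  5. Denotational semantics for Tiny

     Syntactic domains: $\mathbf{Num}$, $(\mathbf{Var})$, $\mathbf{Exp}$, $\mathbf{BExp}$, $\mathbf{Stmt}$

     Somewhat informally:

     $$\begin{array}{rcl}
     N \in \mathbf{Num} & ::= & 0 \mid 1 \mid 2 \mid \cdots \\
     (x \in \mathbf{Var} & ::= & \cdots) \\
     e \in \mathbf{Exp} & ::= & N \mid x \mid e_1 + e_2 \mid e_1 * e_2 \mid e_1 - e_2 \\
     b \in \mathbf{BExp} & ::= & \mathbf{true} \mid \mathbf{false} \mid e_1 \le e_2 \mid \neg b' \mid b_1 \wedge b_2 \\
     S \in \mathbf{Stmt} & ::= & x := e \mid \mathbf{skip} \mid S_1; S_2 \mid \mathbf{if}\ b\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2 \mid \mathbf{while}\ b\ \mathbf{do}\ S'
     \end{array}$$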

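  6. Denotational semantics for Tiny

     Semantic domains: $\mathbf{Int}$, $(\mathbf{Bool})$, $(\mathbf{State})$, $\mathbf{EXP}$, $\mathbf{BEXP}$, $\mathbf{STMT}$

     $$\begin{array}{rcl}
     \mathbf{Int} & = & \{0, 1, -1, 2, -2, \ldots\} \\
     \mathbf{Bool} & = & \{\mathbf{tt}, \mathbf{ff}\} \\
     \mathbf{State} & = & \mathbf{Var} \to \mathbf{Int} \\
     \mathbf{EXP} & = & \mathbf{State} \to \mathbf{Int} \\
     \mathbf{BEXP} & = & \mathbf{State} \to \mathbf{Bool} \\
     \mathbf{STMT} & = & \mathbf{State} \rightharpoonup \mathbf{State}
     \end{array}$$

     Semantic functions:

     $$\begin{array}{l}
     \mathcal{N} : \mathbf{Num} \to \mathbf{Int} \\
     \mathcal{E} : \mathbf{Exp} \to \mathbf{EXP} \\
     \mathcal{B} : \mathbf{BExp} \to \mathbf{BEXP} \\
     \mathcal{S} : \mathbf{Stmt} \to \mathbf{STMT}
     \end{array}$$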

  7. Before we move on (to the semantic clauses)

     Some auxiliary notation:
     • λ-notation: $\lambda x{:}D.\,E$ stands for the function that maps any $d \in D$ to $E[d/x]$
     • identity: $id_D = \lambda x{:}D.\,x$
     • function composition: the composition of $f : D_1 \to D_2$ and $g : D_2 \to D_3$ is written as $f;g : D_1 \to D_3$
     • conditional: $\mathit{ifte}_D : \mathbf{Bool} \times D \times D \to D$ is defined by

       $$\mathit{ifte}_D(c, d_1, d_2) = \begin{cases} d_1 & \text{if } c = \mathbf{tt} \\ d_2 & \text{if } c = \mathbf{ff} \end{cases}$$

       (the index $D$ will often be omitted)

  8. • indexing: given any function $f : D_1 \times \cdots \times D_n \to D$, for any domain $I$,

       $$\mathit{lift}_I(f) : (I \to D_1) \times \cdots \times (I \to D_n) \to (I \to D)$$

       is defined as follows:

       $$\mathit{lift}_I(f)(fd_1, \ldots, fd_n) = \lambda i{:}I.\, f(fd_1(i), \ldots, fd_n(i))$$

     For instance, the conditional on state-dependent functions, like $\mathit{cond} : \mathbf{BEXP} \times \mathbf{EXP} \times \mathbf{EXP} \to \mathbf{EXP}$, given explicitly by

     $$\mathit{cond}(B, E_1, E_2)(s) = \mathit{ifte}_{\mathbf{Int}}(B(s), E_1(s), E_2(s)) = \begin{cases} E_1(s) & \text{if } B(s) = \mathbf{tt} \\ E_2(s) & \text{if } B(s) = \mathbf{ff} \end{cases}$$

     may be defined as $\mathit{cond} = \mathit{lift}_{\mathbf{State}}(\mathit{ifte}_{\mathbf{Int}})$.

     All these carry over to partial functions as well.

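  9. Denotational semantics for Tiny

     Semantic clauses

     $\mathcal{N} : \mathbf{Num} \to \mathbf{Int}$

     $$\begin{array}{rcl}
     \mathcal{N}[\![0]\!] & = & 0 \\
     \mathcal{N}[\![1]\!] & = & 1 \\
     \mathcal{N}[\![2]\!] & = & 2 \\
     & \ldots &
     \end{array}$$

     $\mathcal{E} : \mathbf{Exp} \to \mathbf{EXP}$

     $$\begin{array}{rcl}
     \mathcal{E}[\![N]\!] & = & \lambda s{:}\mathbf{State}.\, \mathcal{N}[\![N]\!] \\
     \mathcal{E}[\![x]\!] & = & \lambda s{:}\mathbf{State}.\, s\,x \\
     \mathcal{E}[\![e_1 + e_2]\!] & = & \mathit{lift}_{\mathbf{State}}(+)(\mathcal{E}[\![e_1]\!], \mathcal{E}[\![e_2]\!]) \\
     \mathcal{E}[\![e_1 * e_2]\!] & = & \mathit{lift}_{\mathbf{State}}(*)(\mathcal{E}[\![e_1]\!], \mathcal{E}[\![e_2]\!]) \\
     \mathcal{E}[\![e_1 - e_2]\!] & = & \mathit{lift}_{\mathbf{State}}(-)(\mathcal{E}[\![e_1]\!], \mathcal{E}[\![e_2]\!])
     \end{array}$$

     $\mathcal{B} : \mathbf{BExp} \to \mathbf{BEXP}$

     $$\begin{array}{rcl}
     \mathcal{B}[\![\mathbf{true}]\!] & = & \lambda s{:}\mathbf{State}.\, \mathbf{tt} \\
     \mathcal{B}[\![\mathbf{false}]\!] & = & \lambda s{:}\mathbf{State}.\, \mathbf{ff} \\
     \mathcal{B}[\![\neg b]\!] & = & \mathit{lift}_{\mathbf{State}}(\neg)(\mathcal{B}[\![b]\!]) \\
     \mathcal{B}[\![e_1 \le e_2]\!] & = & \mathit{lift}_{\mathbf{State}}(\le)(\mathcal{E}[\![e_1]\!], \mathcal{E}[\![e_2]\!]) \\
     \mathcal{B}[\![b_1 \wedge b_2]\!] & = & \mathit{lift}_{\mathbf{State}}(\wedge)(\mathcal{B}[\![b_1]\!], \mathcal{B}[\![b_2]\!])
     \end{array}$$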

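  10. Denotational semantics for Tiny

      Semantic clauses

      $\mathcal{S} : \mathbf{Stmt} \to \mathbf{STMT}$

      $$\begin{array}{rcl}
      \mathcal{S}[\![x := e]\!] & = & \lambda s{:}\mathbf{State}.\, s[x \mapsto \mathcal{E}[\![e]\!]\, s] \\
      \mathcal{S}[\![\mathbf{skip}]\!] & = & id_{\mathbf{State}} \\
      \mathcal{S}[\![S_1; S_2]\!] & = & \mathcal{S}[\![S_1]\!]; \mathcal{S}[\![S_2]\!] \\
      \mathcal{S}[\![\mathbf{if}\ b\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2]\!] & = & \mathit{cond}(\mathcal{B}[\![b]\!], \mathcal{S}[\![S_1]\!], \mathcal{S}[\![S_2]\!]) \\
      \mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!] & = & \mathit{cond}(\mathcal{B}[\![b]\!], \mathcal{S}[\![S]\!]; \mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!], id_{\mathbf{State}})
      \end{array}$$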

  11. Something wrong?

      The clause for while:

      $$\mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!] = \mathit{cond}(\mathcal{B}[\![b]\!], \mathcal{S}[\![S]\!]; \mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!], id_{\mathbf{State}})$$

      is not compositional! We "define":

      $$\mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!] = \Phi(\ldots, \mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!], \ldots) \quad ???$$

      We need fixed point definitions.

  12. Potential problems with fixed point definitions

      Consider fixed point definitions in $\mathbf{STMT} = \mathbf{State} \rightharpoonup \mathbf{State}$, as

      $$\mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!] = \Phi(\ldots, \mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!], \ldots)$$

      • Does a fixed point always exist?

        $$f = \lambda s{:}\mathbf{State}.\, \mathit{ifte}_{\mathbf{State}}(f(s) \text{ is not defined},\ s,\ f(s)[var \mapsto (f(s)\, var) + 1])$$

        Only some functionals $\Phi$ may be allowed.

      • If a fixed point exists, is it unique?

        $$f = \lambda s{:}\mathbf{State}.\, f(s)[var \mapsto 2 * (f(s)\, var)]$$

        (or even: $f = \lambda s{:}\mathbf{State}.\, f(s)$)

        Some "best" fixed point must be chosen.

  13. The guiding fixed point definition

      Looking closer at the clause for while:

      $$\mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!] = \Phi(\mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!])$$

      where $\Phi : \mathbf{STMT} \to \mathbf{STMT}$ is defined as follows:

      $$\Phi(F) = \mathit{cond}(\mathcal{B}[\![b]\!], \mathcal{S}[\![S]\!]; F, id_{\mathbf{State}})$$

      Whatever fixed point we choose, we want it to be adequate for our operational intuitions; we want a denotation $\mathit{fix}(\Phi) \in \mathbf{STMT}$ that is a fixed point of $\Phi$ (so that $\Phi(\mathit{fix}(\Phi)) = \mathit{fix}(\Phi)$) and is adequate for the operational semantics of while, i.e., such that

      $$\langle \mathbf{while}\ b\ \mathbf{do}\ S, s \rangle \Rightarrow^* s' \quad\text{iff}\quad \mathit{fix}(\Phi)\, s = s'$$

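  14. Right guess!

      Suppose that we have such adequacy for $S$, i.e., $\langle S, s \rangle \Rightarrow^* s'$ iff $\mathcal{S}[\![S]\!]\, s = s'$.

      Right guess:

      $$\langle \mathbf{while}\ b\ \mathbf{do}\ S, s \rangle \Rightarrow^* s' \quad\text{iff}\quad \text{for some } n \ge 0,\ \Phi^n(\emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}})\, s = s'$$

      where $\emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}} : \mathbf{State} \rightharpoonup \mathbf{State}$ is the function undefined everywhere, $\Phi^0(\emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}}) = \emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}}$, and $\Phi^{n+1}(\emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}}) = \Phi(\Phi^n(\emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}}))$.

      Proof: in a moment.

      Conclusion:

      $$\mathcal{S}[\![\mathbf{while}\ b\ \mathbf{do}\ S]\!] = \mathit{fix}(\Phi) = \bigcup_{n \ge 0} \Phi^n(\emptyset_{\mathbf{State} \rightharpoonup \mathbf{State}})$$

      This is well-defined, and yields the least fix-point of $\Phi$, see below.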

  15. $\mathbf{while}\ \{sqr = (rt + 1)^2 \wedge rt^2 \le n\}\ sqr \le n\ \mathbf{do}\ rt := rt + 1;\ sqr := sqr + 2 * rt + 1$

      $$\Phi(F) = \mathit{cond}(\mathcal{B}[\![sqr \le n]\!], \mathcal{S}[\![rt := rt + 1;\ sqr := sqr + 2 * rt + 1]\!]; F, id_{\mathbf{State}})$$

      | $s$ $(n, rt, sqr)$ | $\Phi^0(\emptyset)(s)$ | $\Phi^1(\emptyset)(s)$ | $\Phi^2(\emptyset)(s)$ | $\Phi^3(\emptyset)(s)$ | $\Phi^4(\emptyset)(s)$ | ··· | $\bigcup \Phi^n(\emptyset)(s)$ |
      |---|---|---|---|---|---|---|---|
      | 0, 0, 1 | ? | 0, 0, 1 | 0, 0, 1 | 0, 0, 1 | 0, 0, 1 | ··· | 0, 0, 1 |
      | 1, 0, 1 | ? | ? | 1, 1, 4 | 1, 1, 4 | 1, 1, 4 | ··· | 1, 1, 4 |
      | 2, 0, 1 | ? | ? | 2, 1, 4 | 2, 1, 4 | 2, 1, 4 | ··· | 2, 1, 4 |
      | 3, 0, 1 | ? | ? | 3, 1, 4 | 3, 1, 4 | 3, 1, 4 | ··· | 3, 1, 4 |
      | 4, 0, 1 | ? | ? | ? | 4, 2, 9 | 4, 2, 9 | ··· | 4, 2, 9 |
      | ··· | ··· | ··· | ··· | ··· | ··· | ··· | ··· |
      | 8, 0, 1 | ? | ? | ? | 8, 2, 9 | 8, 2, 9 | ··· | 8, 2, 9 |
      | 9, 0, 1 | ? | ? | ? | ? | 9, 3, 16 | ··· | 9, 3, 16 |
      | ··· | ··· | ··· | ··· | ··· | ··· | ··· | ··· |
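The approximants $\Phi^n(\emptyset)$ tabulated on slide 15 can be computed directly from the semantic clauses. The following Python sketch is an added example, not part of the original slides: `lift`, `cond` and Φ follow the slide definitions, while `make_phi`, `approx`, `row`, the cut-off `bound` in `fix`, and the use of `None` for "undefined" are choices made for this illustration.

```python
# Added example (not from the slides). States are dicts Var -> Int; None
# stands for "undefined", modelling the partial functions in STMT.
def lift(op):                             # lift_State(op): pointwise on states
    return lambda *fs: lambda s: op(*(f(s) for f in fs))

var = lambda x: (lambda s: s[x])          # E[[x]] = λs. s x
num = lambda k: (lambda s: k)             # E[[N]] = λs. N[[N]]
add = lift(lambda a, b: a + b)
mul = lift(lambda a, b: a * b)
leq = lift(lambda a, b: a <= b)

def assign(x, e):                         # S[[x := e]] = λs. s[x ↦ E[[e]] s]
    return lambda s: {**s, x: e(s)}

def seq(f, g):                            # f ; g, undefinedness propagates
    def fg(s):
        t = f(s)
        return None if t is None else g(t)
    return fg

def cond(b, f, g):                        # conditional lifted to State
    return lambda s: f(s) if b(s) else g(s)

EMPTY = lambda s: None                    # ∅: undefined everywhere
ID = lambda s: s                          # id_State

def make_phi(b, body):                    # Φ(F) = cond(B[[b]], S[[S]]; F, id)
    return lambda F: cond(b, seq(body, F), ID)

def approx(phi, n):                       # Φ^n(∅)
    F = EMPTY
    for _ in range(n):
        F = phi(F)
    return F

def fix(phi, bound=64):                   # ⋃ Φ^n(∅), cut off at n = bound
    def f(s):
        hits = (approx(phi, n)(s) for n in range(bound + 1))
        return next((t for t in hits if t is not None), None)
    return f

# Slide 15: while sqr ≤ n do rt := rt + 1; sqr := sqr + 2*rt + 1
BODY = seq(assign("rt", add(var("rt"), num(1))),
           assign("sqr", add(add(var("sqr"), mul(num(2), var("rt"))), num(1))))
PHI = make_phi(leq(var("sqr"), var("n")), BODY)

def row(n, k):                            # Φ^k(∅) at s = (n, 0, 1); None = '?'
    t = approx(PHI, k)({"n": n, "rt": 0, "sqr": 1})
    return None if t is None else (t["n"], t["rt"], t["sqr"])
```

Because the approximants form a chain, `fix` may return the first defined value it finds; a loop that never terminates stays `None` up to the cut-off, which only approximates true undefinedness.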
