Semantics of Invariant Programs, Viorel Preoteasa and Ralph-Johan Back - PowerPoint PPT Presentation


  1. Semantics of Invariant Programs Viorel Preoteasa and Ralph-Johan Back Abo Akademi University, Department of Information Technologies April 28, 2008

  2. Overview
  ◮ Invariant Diagrams
  ◮ Bigstep operational semantics
  ◮ Smallstep operational semantics
  ◮ Equivalence between smallstep and bigstep semantics
  ◮ Valid Hoare triples
  ◮ Weakest precondition and predicate transformers
  ◮ Hoare proof rules and their completeness

  3. Preliminaries - Predicates
  ◮ $\Sigma$ - state of computation - the current values of the program variables.
  ◮ $\mathrm{Pred} = \Sigma \to \mathrm{bool}$ - the predicates on $\Sigma$.
  ◮ If we have the program variables $x, y, z$, then a state $s \in \Sigma$ is a mapping of these variables to values, $s = (x \mapsto 2,\ y \mapsto 3,\ z \mapsto -2)$.
  ◮ $p = y > 2 \wedge x < 3$ is a predicate and $p.s = \mathrm{true}$.

  4. Invariant Diagrams - Example
  Checking if an element $x$ is a member of an array $a$. The diagram has four situations with the invariants
  ◮ 1: $n, x \in \mathrm{nat} \wedge a : \{0, 1, \ldots, n-1\} \to \mathrm{nat}$
  ◮ 2: $0 \le i \le n \wedge (\forall j \bullet 0 \le j < i \Rightarrow a.j \ne x)$
  ◮ 3: $i = n$
  ◮ 4: $i < n \wedge a.i = x$
  and the transitions
  ◮ from 1 to 2: $i := 0$
  ◮ from 2 to 2: $[i < n \wedge a.i \ne x];\ i := i + 1$
  ◮ from 2 to 3: $[i = n]$
  ◮ from 2 to 4: $[i < n \wedge a.i = x]$

  5. Invariant Diagram - Transitions
  The transitions are defined by the following recursive type:
  $$\mathrm{Trs} = \mathrm{Assert}(\mathrm{Pred}) \mid \mathrm{Assume}(\mathrm{Pred}) \mid \mathrm{Update}(\mathrm{Rel}) \mid \mathrm{Choice}(\mathrm{Trs}, \mathrm{Trs}) \mid \mathrm{Comp}(\mathrm{Trs}, \mathrm{Trs})$$
  If $p$ is a predicate, $R$ is a relation, and $S, T$ are transitions, then
  ◮ $\{p\}$ - assert statement ($\mathrm{Assert}(p)$)
  ◮ $[p]$ - assume statement ($\mathrm{Assume}(p)$)
  ◮ $[R]$ - demonic update statement ($\mathrm{Update}(R)$)
  ◮ $S \sqcap T$ - non-deterministic choice statement ($\mathrm{Choice}(S, T)$)
  ◮ $S ; T$ - sequential composition statement ($\mathrm{Comp}(S, T)$)

  6. Invariant Diagrams - Transitions
  ◮ If $p$ is true in $s$, then $\{p\}$ and $[p]$ behave as skip.
  ◮ If $p$ is false in $s$, then $\{p\}$ fails and $[p]$ establishes any post-condition.
  ◮ The demonic update $[R]$, when starting in a state $s$, terminates in a non-deterministically chosen state $s'$ such that $R.s.s'$. If there is no state $s'$ such that $R.s.s'$, then $[R]$ establishes any post-condition.
  ◮ The execution of $S \sqcap T$ non-deterministically chooses $S$ or $T$.
  ◮ The transition $S ; T$ is the sequential composition of the transitions $S$ and $T$.

  7. Invariant Diagrams - Transitions - PVS
    trs[State: TYPE+]: DATATYPE
    BEGIN
      assert(p: pred[State]): assert?
      assume(p: pred[State]): assume?
      demonic(R: pred[[State, State]]): demonic?
      choice(S1: trs, S2: trs): choice?
      O(S1: trs, S2: trs): comp?
    END trs

  8. Invariant Diagrams - Definition
  ◮ Let $I$ be a nonempty set of indexes.
  ◮ Formally, an invariant diagram $\mathrm{InvDgr}$ is a tuple $(P, D)$ where
    ◮ $P : I \to \mathrm{Pred}$ are the invariants and
    ◮ $D : I \times I \to \mathrm{Trs}$ are the transitions.
  ◮ $D$ is called a transition diagram and
  ◮ the elements of $I$ are called situations.

  9. Invariant Diagrams - Example (the array membership diagram of slide 4, shown again unchanged)

  10. Invariant Diagrams - Definition - PVS
    State: TYPE+
    I: TYPE+
    Pred: TYPE+ = [State -> bool]
    TrsDgr: TYPE+ = [I, I -> Trs]
    InvPred: TYPE+ = [I -> Pred]
    InvDgr: TYPE+ = [InvPred, TrsDgr]

  11. Bigstep Operational Semantics - Transitions
  If $S \in \mathrm{Trs}$ and $s, s' \in \Sigma$, then the bigstep relation $(s, S) \leadsto s'$ is true if there is an execution of $S$ starting in $s$ and ending in $s'$. $(s, S) \leadsto s'$ is defined by induction on the structure of $S$:
  $$\frac{b.s}{(s, \{b\}) \leadsto s} \qquad \frac{b.s}{(s, [b]) \leadsto s} \qquad \frac{R.s.s'}{(s, [R]) \leadsto s'}$$
  $$\frac{(s, S) \leadsto s'}{(s, S \sqcap T) \leadsto s'} \qquad \frac{(s, T) \leadsto s'}{(s, S \sqcap T) \leadsto s'} \qquad \frac{(s, S) \leadsto s' \wedge (s', T) \leadsto s''}{(s, S ; T) \leadsto s''}$$

  12. Bigstep Operational Semantics - Transitions - Fail
  A transition $S$, starting from a state $s$, may fail (denoted $(s, S) \leadsto \bot$) if some of its executions leads to a false assertion:
  $$\frac{\neg b.s}{(s, \{b\}) \leadsto \bot} \qquad \frac{(s, S) \leadsto \bot}{(s, S \sqcap T) \leadsto \bot} \qquad \frac{(s, T) \leadsto \bot}{(s, S \sqcap T) \leadsto \bot}$$
  $$\frac{(s, S) \leadsto \bot}{(s, S ; T) \leadsto \bot} \qquad \frac{(s, S) \leadsto s' \wedge (s', T) \leadsto \bot}{(s, S ; T) \leadsto \bot}$$

  13. Bigstep Operational Semantics - Transitions - Miracle
  The execution of $S$, starting from $s$, is miraculous (denoted $(s, S) \leadsto \top$) if any of its executions leads to a false assumption or to a demonic update $[R]$ which cannot progress:
  $$\frac{\neg b.s}{(s, [b]) \leadsto \top} \qquad \frac{\forall s' \bullet \neg R.s.s'}{(s, [R]) \leadsto \top} \qquad \frac{(s, S) \leadsto \top \wedge (s, T) \leadsto \top}{(s, S \sqcap T) \leadsto \top}$$
  $$\frac{(s, S) \leadsto \top}{(s, S ; T) \leadsto \top} \qquad \frac{(s, S) \not\leadsto \bot \wedge (\forall s' \bullet (s, S) \leadsto s' \Rightarrow (s', T) \leadsto \top)}{(s, S ; T) \leadsto \top}$$

  14. Bigstep Semantics - Transition Diagrams
  Let $D \in I \times I \to \mathrm{Trs}$, $s, s' \in \Sigma$, and $i, j \in I$. The bigstep relation $(s, i, D) \leadsto (s', j)$ is true if there is an execution from state $s$ and situation $i$, following the enabled transitions of $D$, ending in state $s'$ and situation $j$, and all transitions from state $s'$ and situation $j$ are disabled. The execution of $D$ from state $s$ and situation $i$ may fail, denoted $(s, i, D) \leadsto \bot$, if there is a situation $j$ such that the transition $D_{i,j}$ may fail when starting from $s$.
  $$\frac{(s, D_{i,j}) \leadsto s' \wedge (s', j, D) \leadsto (s'', k)}{(s, i, D) \leadsto (s'', k)} \qquad \frac{\forall j \bullet (s, D_{i,j}) \leadsto \top}{(s, i, D) \leadsto (s, i)} \qquad \frac{(s, D_{i,j}) \leadsto \bot}{(s, i, D) \leadsto \bot}$$

  15. Transition Diagrams - Termination
  When starting from state $s$ and situation $i$, the transition diagram $D$ terminates, denoted $(s, i, D) \downarrow$, if all execution paths starting in $s, i$ are finite and do not fail.
  $$\frac{\forall j \bullet (s, D_{i,j}) \leadsto \top}{(s, i, D) \downarrow} \qquad \frac{(s, i, D) \not\leadsto \bot \wedge (\forall j, s' \bullet (s, D_{i,j}) \leadsto s' \Rightarrow (s', j, D) \downarrow)}{(s, i, D) \downarrow}$$

  16. Smallstep Operational Semantics - Transitions
  The smallstep relation $(s, S) \to (s', T)$ is true if from state $s$ we get to $s'$ by executing one step. If the transition $S$ consists of only one step, then the smallstep relation becomes $(s, S) \to (s', [])$. We denote by $(s, S) \to \bot$ the fact that the execution of $S$ fails in the next step when starting from $s$.
  $$\frac{b.s}{(s, \{b\}) \to (s, [])} \qquad \frac{\neg b.s}{(s, \{b\}) \to \bot} \qquad \frac{b.s}{(s, [b]) \to (s, [])} \qquad \frac{R.s.s'}{(s, [R]) \to (s', [])}$$
  $$(s, S \sqcap T) \to (s, S) \qquad (s, S \sqcap T) \to (s, T)$$
  $$\frac{(s, S) \to (s', S')}{(s, S ; T) \to (s', S' ; T)} \qquad \frac{(s, S) \to (s', [])}{(s, S ; T) \to (s', T)} \qquad \frac{(s, S) \to \bot}{(s, S ; T) \to \bot}$$

  17. Smallstep Operational Semantics - Diagrams
  Figure (1) represents one transition of $D$ labelled by $S' ; S$, leading from a situation $j$ to a situation $i$. We assume that the execution has reached the state $s$ inside this transition. Then the tuple $(s, S, i, D)$ denotes the status of the execution: the execution is in state $s$, and it proceeds towards the situation $i$ by executing $S$. If the execution reaches $i$ in a state $s'$, then the status of the execution is denoted by $(s', [], i, D)$.
  (Figure 1: a transition from situation $j$ to situation $i$ labelled $S' ; S$, with the execution at state $s$ between $S'$ and $S$.)
  The smallstep relation $(s, A, i, D) \to (s', B, j, D)$, where $A, B \in \mathrm{Trs} \cup \{[]\}$, is defined by the following rules:
  $$\frac{(s, D_{i,j}) \to (s', S)}{(s, [], i, D) \to (s', S, j, D)} \qquad \frac{(s, S) \to (s', S')}{(s, S, i, D) \to (s', S', i, D)}$$

  18. Smallstep Operational Semantics - Diagrams - Fail
  The transition diagram could fail in $(s, S, i, D)$, denoted by $(s, S, i, D) \to \bot$, if some available transition could fail in the next step:
  $$\frac{(s, D_{i,j}) \to \bot}{(s, [], i, D) \to \bot} \qquad \frac{(s, S) \to \bot}{(s, S, i, D) \to \bot}$$

  19. Equivalence Smallstep - Bigstep
  $\to^{*}$ denotes the reflexive and transitive closure of the relation $\to$.
  Theorem. $(s, S) \leadsto s' \Leftrightarrow (s, S) \to^{*} (s', [])$
  Theorem. $(s, S) \leadsto \bot \Leftrightarrow (s, S) \to^{*} \bot$
  We define the miracle in the smallstep semantics by
  $$(s, S) \to^{*} \top \;=\; \neg((s, S) \to^{*} \bot) \wedge (\forall s' \bullet \neg((s, S) \to^{*} (s', [])))$$
  Theorem. $(s, i, D) \leadsto (s', j) \Leftrightarrow (s, [], i, D) \to^{*} (s', [], j, D) \wedge (\forall k \bullet (s', D_{j,k}) \to^{*} \top)$
  We will work with bigstep semantics only.

  20. Hoare Triples - Transitions
  Let $p, q \in \mathrm{Pred}$ and $S \in \mathrm{Trs}$. The Hoare triple $p \{| S |\} q$ denotes the fact that if the transition $S$ starts in a state $s$ from $p$, then it terminates in a state from $q$:
  $$\models p \{| S |\} q \;\Leftrightarrow\; (\forall s \bullet p.s \Rightarrow (s, S) \not\leadsto \bot \wedge (\forall s' \bullet (s, S) \leadsto s' \Rightarrow q.s'))$$

  21. Weakest Precondition - Transitions
  ◮ The weakest precondition for a transition $S$ and a post condition $q$ is a predicate, $\mathrm{wp}.S.q \in \mathrm{Pred}$.
  ◮ $\mathrm{wp}.S.q.s$ is true if the execution of $S$ does not fail and terminates in a state $s'$ from $q$ ($q.s'$ is true):
  $$\mathrm{wp}.S.q.s = (s, S) \not\leadsto \bot \wedge (\forall s' \bullet (s, S) \leadsto s' \Rightarrow q.s')$$
  ◮ The validity of Hoare triples can be expressed equivalently using the weakest precondition:
  $$\models p \{| S |\} q \;\Leftrightarrow\; p \subseteq \mathrm{wp}.S.q \qquad (2)$$
  Relation (2) reduces the proof of validity of a Hoare triple to an inclusion of predicates. However, the predicate $\mathrm{wp}.S.q$ is defined in terms of the bigstep semantics, and proving the statement $p \subseteq \mathrm{wp}.S.q$ directly is still unfeasible in practice.
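As an added example (not part of the slides or the authors' PVS development), the following Python encodes the transition datatype of slide 7, computes the bigstep outcomes of slides 11-13 including failure and miracle, and checks Hoare-triple validity through wp as on slides 20-21 by enumerating a finite state space. The state representation (just the value of i), the sample array and all function names are assumptions made here.

```python
# Added example, not from the slides: the bigstep semantics of slides 11-13 and
# the wp / Hoare-triple validity of slides 20-21, run over a finite state space.
# A state is just the value of i; n, a, x of the slide-4 example are constructed
# constants. Outcomes of (s,S) are final states plus two markers for ~> bot and ~> top.
FAIL, MIRACLE = "bot", "top"
# Constructors mirroring the PVS datatype of slide 7, as tagged tuples.
def assert_(p):   return ("assert", p)     # {p}
def assume(p):    return ("assume", p)     # [p]
def update(r):    return ("update", r)     # [R], r(s) = set of s' with R.s.s'
def choice(s, t): return ("choice", s, t)  # S ⊓ T
def comp(s, t):   return ("comp", s, t)    # S ; T
def bigstep(s, trs):
    """All outcomes of transition trs from state s (rules of slides 11-13)."""
    tag = trs[0]
    if tag == "assert":
        return {s} if trs[1](s) else {FAIL}
    if tag == "assume":
        return {s} if trs[1](s) else {MIRACLE}
    if tag == "update":                  # no successor at all: miracle
        return set(trs[1](s)) or {MIRACLE}
    if tag == "choice":                  # both branches' outcomes; miraculous only if both
        a, b = bigstep(s, trs[1]), bigstep(s, trs[2])
        return ((a | b) - {MIRACLE}) | (a & b & {MIRACLE})
    first = bigstep(s, trs[1])           # comp: run S, then T from each final state of S
    rest = [bigstep(s1, trs[2]) for s1 in first - {FAIL, MIRACLE}]
    out = set().union(*rest) - {MIRACLE}
    if FAIL in first:
        out.add(FAIL)
    elif MIRACLE in first or all(MIRACLE in r for r in rest):
        out.add(MIRACLE)                 # S miraculous, or every path into T is
    return out
def wp(trs, q, states):
    """wp.S.q as a set: no failure and every final state satisfies q (slide 21)."""
    def holds(s):                        # a miraculous run has no final state, so
        out = bigstep(s, trs)            # it establishes any q (slide 6)
        return FAIL not in out and all(q(s1) for s1 in out - {MIRACLE})
    return {s for s in states if holds(s)}

def hoare_valid(p, trs, q, states):
    """|= p {| S |} q  <=>  p ⊆ wp.S.q  (relation (2) of slide 21)."""
    return {s for s in states if p(s)} <= wp(trs, q, states)

# Constructed instance of the slide-4 diagram: n = 3, a = (5, 7, 9), x = 7.
N, A, X = 3, (5, 7, 9), 7
STATES = range(-1, N + 2)                # includes states outside the invariant
def inv(i): return 0 <= i <= N and all(A[j] != X for j in range(i))
def guard(i): return 0 <= i < N and A[i] != X
loop = comp(assume(guard), update(lambda i: {i + 1}))         # [i<n ∧ a.i≠x]; i := i+1
loop_assert = comp(assert_(guard), update(lambda i: {i + 1})) # same guard, but asserted
```

With the guard assumed, the loop transition of situation 2 preserves its invariant; with the guard asserted instead, the state i = 1 (where a.i = x) makes the transition fail, so the same triple is invalid.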
