mirror of
https://github.com/janishutz/eth-summaries.git
synced 2026-05-30 16:21:19 +02:00
[FMFP] Axiomatic semantics
+17
@@ -0,0 +1,17 @@
\newpage
\subsubsection{Hoare Logic}
\paragraph{Hoare Triples}
\inlinedefinition Properties are specified as \bi{Hoare Triples} $\{ \bm{P} \} \ s \ \{ \bm{Q} \}$, with statement $s$, $\bm{P}$ the precondition and $\bm{Q}$ the postcondition.
Here, $\bm{P}, \bm{Q}$ are assertions and are, together with $\bm{R}$, meta-variables over assertions.
\inlinedefinition[Logical Variables] To keep the original value of a variable, we can ``reassign'' values in the precondition
(e.g. $x = N$ to then in the postcondition state something regarding $N$).
Pre- and Postconditions are assertions, i.e. they are boolean expressions plus logical variables.
Often, quantification is used in assertions as well in practice, as well as other expressions such as $x!$ when it is convenient and we also assume that the \bi{substitution lemma}
still holds:
\[
\cB \llbracket \bm{P}[x \mapsto e] \rrbracket \sigma = \cB \llbracket \bm{P} \rrbracket \sigma [x \mapsto \cA \llbracket e \rrbracket \sigma]
\]
We use $P_1 \land P_2$ instead of $P_1 \texttt{and} P_2$, $P_1 \lor P_2$ instead of $P_1 \texttt{or} P_2$ and $\neg P$ instead of $\texttt{not} P$
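Review bot: the `\inlinedefinition[Logical Variables]` line describes logical variables as a way to ``reassign'' values in the precondition, which is misleading: a logical variable such as $N$ is never assigned by the program; it is fixed once by the precondition ($x = N$) and stays constant, which is exactly why the postcondition can use it to refer to the initial value of $x$. Suggest phrasing it as binding the initial value of a program variable to a logical variable. Two smaller points: the sentence ``Often, quantification is used in assertions as well in practice, as well as other expressions such as $x!$'' repeats ``as well''; and in the last line `$P_1 \texttt{and} P_2$` sets the operator flush against its operands (it renders as $P_1\texttt{and}P_2$), so write `$P_1 \ \texttt{and} \ P_2$`, `$P_1 \ \texttt{or} \ P_2$` and `$\texttt{not} \ P$`, and end the sentence with a period.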
+78
@@ -0,0 +1,78 @@
\paragraph{Derivation Systems}
We again use derivation trees, where their rules specify which triples can be derived for each statement.
The premises and conclusions of the derivation rules are Hoare Triples.
Again, we write $\vdash \{ \bm{P} \} \ s \ \{ \bm{Q} \}$ if there exists a (finite) derivation tree ending in $\{ \bm{P} \} \ s \ \{ \bm{Q} \}$, and
\[
\vdash \{ \bm{P} \} \ s \ \{ \bm{Q} \} \Leftrightarrow \exists T. \texttt{root}(T) \equiv \{ \bm{P} \} \ s \ \{ \bm{Q} \}
\]
\subparagraph{The rules}
\[
\begin{prooftree}
\infer0[$\textsc{Skip}_{Ax}$]{\{ \bm{P} \} \ \texttt{skip} \ \{ \bm{P} \}}
\end{prooftree}
\qquad
\begin{prooftree}
\infer0[$\textsc{Ass}_{Ax}$]{\{ \bm{P}[x \mapsto e] \} \ \texttt{x := e} \ \{ \bm{P} \}}
\end{prooftree}
\]
Sequential Composition \texttt{s;s'}, loop (\texttt{while b do s end}) and conditional statements (\texttt{if b then s1 else s2 end})
\[
\begin{prooftree}
\hypo{\{ \bm{P} \} \ s \ \{ \bm{Q} \}}
\hypo{\{ \bm{Q} \} \ s' \ \{ \bm{R} \}}
\infer2[$\textsc{Seq}_{Ax}$]{\{ \bm{P} \} \ \texttt{s;s'} \ \{ \bm{P} \}}
\end{prooftree}
\qquad
\begin{prooftree}
\hypo{\{ b \land \bm{P} \} \ s \ \{ \bm{Q} \}}
\hypo{\{ \neg b \land \bm{P} \} \ s' \ \{ \bm{Q} \}}
\infer2[$\textsc{If}_{Ax}$]{\{ \bm{P} \} \ \texttt{if b then s else s' end} \ \{ \bm{Q} \}}
\end{prooftree}
\]
\[
\begin{prooftree}
\hypo{\{ b \land \bm{P} \} \ s \ \{ \bm{P} \}}
\infer1[$\textsc{Wh}_{Ax}$]{\{ \bm{P} \} \ \texttt{while b do s end} \ \{ \neg b \land \bm{P} \}}
\end{prooftree}
\]
With these rules, we can only evaluate \textit{syntactically}, thus expressions like $\{ x = 4 \land y = 5 \} \ \texttt{skip} \ \{ y = 5 \land x = 4 \}$
are not an instance of the $\textsc{Skip}_{Ax}$ because the precondition and postcondition are not identical. Thus we often need to apply \textit{semantic} reasoning,
e.g. applying mathematical properties.
\inlinedefinition[Semantic entailment] expresses the reasoning steps
``We write $\bm{P} \models \bm{Q}$ if and only if for all states $\sigma$,
$\cB \llbracket \bm{P} \rrbracket \sigma = \texttt{tt}$ implies $\cB \llbracket \bm{Q} \rrbracket \sigma = \texttt{tt}$''
This leads to the \bi{Rule of Consequence}
\[
\begin{prooftree}
\hypo{\{ \bm{P}' \} \ s \ \{ \bm{Q}' \}}
\infer1[$\textsc{Cons}_{Ax}$]{\{ \bm{P} \} \ s \ \{ \bm{Q} \}}
\end{prooftree}
\qquad
\text{if } \bm{P} \models \bm{P}' \text{ and } \bm{Q}' \models \bm{Q}
\]
a rule, where we can \bi{strengthen preconditions} ($\bm{P}$ cannot be weaker than $\bm{P}'$) and \bi{weaken postconditions} ($\bm{Q}$ cannot be stronger than $\bm{Q}'$)
Since the derivation trees often get quite large, we can group them around each line in the program text.
\shade{gray}{Inline Notation} can be used to make the changes more easily legible.
For example, to express instances of $\textsc{Skip}_{Ax}$, instead of writing $\vdash \{ \bm{P} \} \ \texttt{skip} \ \{ \bm{P} \}$, we can write.
More examples on slides 167 - 170 (pages 30 - 33 in Slide Deck 4)
\rmvspace
\begin{align*}
& \{ \bm{P} \} \\
& \quad \texttt{skip} \\
& \{ \bm{P} \}
\end{align*}
\shade{gray}{Forward Assignment}
\[
\begin{prooftree}
\infer0[$\textsc{AssF}_{Ax}$]{\{ \bm{P} \} \ x := e \ \{ \exists V. \bm{P}[x \mapsto V] \land x = e[x \mapsto V] \}}
\end{prooftree}
\]
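Review bot: the conclusion of $\textsc{Seq}_{Ax}$ is wrong. With premises $\{ \bm{P} \} \ s \ \{ \bm{Q} \}$ and $\{ \bm{Q} \} \ s' \ \{ \bm{R} \}$ the derived triple must be $\{ \bm{P} \} \ \texttt{s;s'} \ \{ \bm{R} \}$, but the `\infer2[$\textsc{Seq}_{Ax}$]` line ends in `\{ \bm{P} \}`; as written the rule would let the postcondition of a sequence collapse back to its precondition, which is unsound. Second, the sentence ``instead of writing $\vdash \{ \bm{P} \} \ \texttt{skip} \ \{ \bm{P} \}$, we can write.'' is separated from the `align*` display it introduces by the ``More examples on slides 167 - 170'' line; move that slide reference after the display and drop the period that currently ends the introducing sentence. Minor style point: `\textsc{AssF}_{Ax}` sets the statement as bare `x := e` in math mode while every other rule sets statements in `\texttt{...}`.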
+12
@@ -0,0 +1,12 @@
\paragraph{Total Correctness}
We use a different form of Hoare triple $\{ \bm{P} \} \ s \ \{ \Downarrow \bm{Q} \}$, which describes total correctness.
All rules for total correctness are equivalent to the ones for partial correctness, apart from the rule for loops.
\[
\begin{prooftree}
\hypo{\{ b \land \bm{P} \land e = Z \} \ s \ \{ \Downarrow \bm{P} \land e < Z \}}
\infer1[$\textsc{WhTot}_{Ax}$]{\{ \bm{P} \} \ \texttt{while b do s end} \ \{ \Downarrow \neg b \land \bm{P} \}}
\end{prooftree}
\qquad
\text{if } b \land \bm{P} \models 0 \leq e
\]
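Review bot: ``All rules for total correctness are equivalent to the ones for partial correctness'' overstates it: the partial-correctness rules carry over with the same shape (only the $\Downarrow$ in the postcondition is added), but the two systems are not equivalent, since the partial-correctness loop rule proves nothing about termination. ``have the same form as'' would be accurate. The $\textsc{WhTot}_{Ax}$ rule should also state the conditions on its extra components alongside the side condition $b \land \bm{P} \models 0 \leq e$: $e$ is an integer expression (the loop variant) and $Z$ is a fresh logical variable, not occurring in $b$, $\bm{P}$, $s$ or $e$, that records the value of $e$ before an iteration so that $e < Z$ after the body expresses strict decrease; without the freshness requirement the premise could be satisfied by a $Z$ that $s$ itself modifies.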