CS 641 meeting -*- Outline -*-

* The guarded command language (Cohen's chapter 5)

See also Hesselink's chapter 2...

The idea is to study the guarded command language, and define it,
somewhat informally, using weakest preconditions

** shapes, or grammar, of programs (5.1)

--------------------------
ABSTRACT SYNTAX OF PROGRAMS

S  ::= skip | abort | S1 ; S2 | x := E | if G* fi | do G* od
G* ::= (empty) | G | G1 [] G2
G  ::= B -> S

where x is a list of variables, E is a list of expressions,
and B is a boolean expression (the guard)
--------------------------

S, S1, S2 are Statements
G, G1, G2 are Guarded statements
G* is a Guarded statement list

** semantics (5.2 - 5.4)

the semantics of programs is given by weakest preconditions

--------------------
WEAKEST PRECONDITION SEMANTICS (POSTULATES ABOUT wp)

Excluded miracle:
    wp.S.false equiv false

Conjunctivity (wp.S is conjunctive):
    wp.S.(X /\ Y) equiv wp.S.X /\ wp.S.Y
--------------------

Note: Hesselink does NOT assume the excluded miracle law holds.

Thm (wp.S is monotonic): (X ==> Y) ==> (wp.S.X ==> wp.S.Y)

Proof:
      wp.S.X ==> wp.S.Y
   equiv < predicate calculus: (A ==> B) equiv ((A /\ B) equiv A) >
      (wp.S.X /\ wp.S.Y) equiv wp.S.X
   equiv < wp.S is conjunctive >
      wp.S.(X /\ Y) equiv wp.S.X
   <==   < Leibniz >
      X /\ Y equiv X
   equiv < predicate calculus >
      X ==> Y

Thm (postcondition rule): {Q} S {R} <== {Q} S {A} /\ (A ==> R)

   remark: this makes sense if we treat {Q} S {R}
           as an abbreviation for Q ==> wp.S.R.
   Q: can you prove this?

---------------------
wp of skip:
    wp.skip.R equiv R
---------------------

Thm: {Q} skip {R} equiv Q ==> R

---------------------
wp of abort:
    wp.abort.R equiv false
---------------------

Q: What's this in terms of total correctness Hoare triples?

---------------------
wp of composition:
    wp.(S1;S2).R equiv wp.S1.(wp.S2.R)
---------------------

Thm: {Q} S1;S2 {R} <== {Q} S1 {H} /\ {H} S2 {R}

   Remark: this gives an idea of how to annotate a proof.
   Q: can you prove this?
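Worked answers to the two "Q: can you prove this?" items above, added here
and not part of the original notes. Both use only the abbreviation
{Q} S {R} == (Q ==> wp.S.R), the monotonicity theorem, and the wp of
composition, in the same calculational style as the monotonicity proof:

   Postcondition rule: {Q} S {R} <== {Q} S {A} /\ (A ==> R)

      {Q} S {A} /\ (A ==> R)
   equiv < abbreviation, twice >
      (Q ==> wp.S.A) /\ (A ==> R)
   ==>   < wp.S is monotonic, applied to the second conjunct >
      (Q ==> wp.S.A) /\ (wp.S.A ==> wp.S.R)
   ==>   < transitivity of ==> >
      Q ==> wp.S.R
   equiv < abbreviation >
      {Q} S {R}

   Composition: {Q} S1;S2 {R} <== {Q} S1 {H} /\ {H} S2 {R}

      {Q} S1 {H} /\ {H} S2 {R}
   equiv < abbreviation, twice >
      (Q ==> wp.S1.H) /\ (H ==> wp.S2.R)
   ==>   < wp.S1 is monotonic, applied to the second conjunct >
      (Q ==> wp.S1.H) /\ (wp.S1.H ==> wp.S1.(wp.S2.R))
   ==>   < transitivity of ==> >
      Q ==> wp.S1.(wp.S2.R)
   equiv < wp of composition >
      Q ==> wp.(S1;S2).R
   equiv < abbreviation >
      {Q} S1;S2 {R}

   The intermediate assertion H is exactly what gets written between S1
   and S2 when a proof is annotated.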
*** assignment (5.4.2)

-------------------
wp of assignment:
    wp.(x := E).R equiv def.E /\ R(x := E)

Thm: if E is always defined, then wp.(x := E).R equiv R(x := E)
-------------------

the R(x := E) is textual substitution (see below)

Note that E being total is necessary: suppose blowup never terminates,
then
    wp.(x := blowup).true equiv false
which differs from
    true equiv true(x := blowup)

Cohen takes the theorem as the definition, because the definedness of E
can't be treated formally without defining E formally...

--------------------
TEXTUAL SUBSTITUTION EXAMPLES

Let R be i <= j.
    R(i := i+1)        =  i+1 <= j
    R(i,j := i+1,i+j)  =  i+1 <= i+j
    R(x := 3)          =  i <= j

Let Q be x < y /\ (all j :: f.j < y).
    Q(y := y+1)  =  x < y+1 /\ (all j :: f.j < y+1)
    Q(y := y+j)  =  x < y+j /\ (all k :: f.k < y+j)
-------------------

a formal definition would require a formal def of expressions...

note the renaming of the dummy (j to k) in the last example, to avoid
capturing the j in y+j; note also that a simultaneous substitution
such as (i,j := i+1,i+j) evaluates every expression in the old state
(the result is i+1 <= i+j, not i+1 <= (i+1)+j)

Hesselink's notation for R(x := E) is R with x as a superscript and E
as a subscript, R^x_E

Q: what is wp.(x,y := x+1,x+y).(x = y)?

      wp.(x,y := x+1,x+y).(x = y)
   =  (x = y)(x,y := x+1,x+y)
   =  x+1 = x+y
   =  1 = y

Q: what is wp.(x := 6*x + 15).(x = 57)?  show a calculation

*** alternation or if (5.4.3)

-----------------------
wp of if:
    wp.(if B.0 -> S.0 [] B.1 -> S.1 ... [] B.(n-1) -> S.(n-1) fi).R
      equiv (exists i : 0<=i<n : B.i) /\ (all i : 0<=i<n : B.i ==> wp.(S.i).R)

abbreviations:
    IF = if B.0 -> S.0 [] B.1 -> S.1 ... [] B.(n-1) -> S.(n-1) fi
    BB = (exists i : 0<=i<n : B.i)

so  wp.IF.R equiv BB /\ (all i : 0<=i<n : B.i ==> wp.(S.i).R)
-----------------------

Thm (IF-Theorem):
    {Q} IF {R} equiv (Q ==> BB) /\ (all i : 0<=i<n : {Q /\ B.i} S.i {R})

remark: when no guard is true, IF behaves like abort: ~BB ==> (IF = abort)
        (where ~BB holds, wp.IF.R equiv false equiv wp.abort.R);
        and where several guards are true, wp.IF.R demands wp.(S.i).R
        for every one of them, since any of those S.i may be chosen

*** repetition or loop or do (5.4.4)

we won't do the wp of the loop...
yet; start with the case of only one guard

----------------------
Invariance Thm:
    {P} do B -> S od {P /\ ~B}
    <==    {P /\ B} S {P}                 (Invariance)
        /\ {P /\ B /\ t=T} S {t<T}        (Progress)
        /\ (P /\ t<=0 ==> ~B)             (Boundedness)
----------------------

the labels on the right are not part of the formula;
T is a fresh constant, naming the value of t before S runs

P is the loop invariant

t is an integer-valued function (on the state), called the variant
function (or bound function)

Invariance says that the loop invariant is preserved by S
Boundedness says that when t<=0, ~B holds, so the loop stops
Progress says that each execution of S reduces t by at least one
(t is integer-valued, so t<T means t<=T-1)

Thus you have this "sandwich" or "pincers" applied, which gives a lot
of constraints that are useful in finding B and S.
The trick, of course, is to find P and t.
(we'll postpone that to chapters 8 and 9)

**** theorems

Thm (5.8): Boundedness can be written as P /\ B ==> t>0

   remark: thus boundedness is met if we can guarantee that t>0 when
           B holds (this is just the contrapositive form of
           P /\ t<=0 ==> ~B)

Thm (Invariance theorem for DO):
    {P} DO {P /\ ~BB}
    <==    (all i : 0<=i<n : {P /\ B.i} S.i {P})              (Invariance)
        /\ (all i : 0<=i<n : {P /\ B.i /\ t=T} S.i {t<T})     (Progress)
        /\ (P /\ t<=0 ==> ~BB)                                 (Boundedness)

where DO is do B.0 -> S.0 [] B.1 -> S.1 ... [] B.(n-1) -> S.(n-1) od
and   BB is (exists i : 0 <= i < n : B.i)
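An executable model of the semantics above, added here as an example and not
part of the notes or of Cohen's or Hesselink's text. It serves both the
assignment/alternation questions in 5.4.2 and 5.4.3 and the Invariance
Theorem in 5.4.4: predicates are Python functions from a state (a dict of
integer variables) to a boolean, each statement is the predicate transformer
R |-> wp.S.R, and "equiv" and Hoare triples are checked exhaustively over a
finite grid of states (a stand-in for the real state space). The variable
names, the overlapping-guard IF, the array F and the grid bounds are all
constructed for the example.

```python
# Added example (not from the notes): an executable model of the wp semantics
# above over a finite set of states, so the wp of skip/abort/;/:=/if and the
# three antecedents of the Invariance Theorem can be checked mechanically.
# A state is a dict var -> int, a predicate is a function state -> bool, and a
# statement is a predicate transformer R |-> wp.S.R.  The variable names,
# guards and the array F below are constructed for the example.
from itertools import product

def skip():                                  # wp.skip.R = R
    return lambda R: R

def abort():                                 # wp.abort.R = false
    return lambda R: (lambda s: False)

def seq(S1, S2):                             # wp.(S1;S2).R = wp.S1.(wp.S2.R)
    return lambda R: S1(S2(R))

def assign(names, exprs):
    """x := E for total E: wp.(x := E).R = R(x := E).  The substitution is
    simultaneous, so every E is evaluated in the old state s."""
    def wp(R):
        return lambda s: R({**s, **dict(zip(names, [E(s) for E in exprs]))})
    return wp

def alt(*guarded):
    """if B.0 -> S.0 [] ... fi:  wp.IF.R = BB /\ (all i : B.i ==> wp.(S.i).R)"""
    def wp(R):
        def pre(s):
            BB = any(B(s) for B, _ in guarded)
            return BB and all((not B(s)) or S(R)(s) for B, S in guarded)
        return pre
    return wp

def grid(names, lo, hi):
    """All states with each variable in lo..hi: a finite stand-in for the
    state space, over which every check below is exhaustive."""
    return [dict(zip(names, v))
            for v in product(range(lo, hi + 1), repeat=len(names))]

def everywhere(P, states):
    return all(P(s) for s in states)

def equivalent(P, Q, states):
    return everywhere(lambda s: P(s) == Q(s), states)

def triple(Q, S, R, states):
    """{Q} S {R}  ==  (Q ==> wp.S.R) in every state."""
    return everywhere(lambda s: (not Q(s)) or S(R)(s), states)

def loop_obligations(P, guarded, t, states):
    """The three antecedents of the Invariance Theorem for
    DO = do B.0 -> S.0 [] ... od with variant t, checked over `states`."""
    BB = lambda s: any(B(s) for B, _ in guarded)
    invariance = all(triple(lambda s, B=B: P(s) and B(s), S, P, states)
                     for B, S in guarded)
    # {P /\ B.i /\ t=T} S.i {t<T}: T is the value of t in the start state s
    progress = all(everywhere(lambda s, B=B, S=S: (not (P(s) and B(s)))
                              or S(lambda u, T=t(s): t(u) < T)(s), states)
                   for B, S in guarded)
    boundedness = everywhere(                # P /\ t<=0 ==> ~BB
        lambda s: (not (P(s) and t(s) <= 0)) or not BB(s), states)
    return {"invariance": invariance, "progress": progress,
            "boundedness": boundedness}

# 5.4.2: the two assignment questions from the notes, over x, y in -10..10
XY = grid(["x", "y"], -10, 10)
PAIR = assign(["x", "y"], [lambda s: s["x"] + 1, lambda s: s["x"] + s["y"]])
ASSIGN_XY = equivalent(PAIR(lambda s: s["x"] == s["y"]),
                       lambda s: s["y"] == 1, XY)            # wp = (1 = y)
LINEAR = assign(["x"], [lambda s: 6 * s["x"] + 15])
ASSIGN_6X = equivalent(LINEAR(lambda s: s["x"] == 57),
                       lambda s: s["x"] == 7, XY)            # wp = (x = 7)

# 5.4.3: overlapping guards are demonic (at x = 0 either branch may run),
# and a state where no guard holds behaves like abort
IF = alt((lambda s: s["x"] >= 0, assign(["y"], [lambda s: 1])),
         (lambda s: s["x"] <= 0, assign(["y"], [lambda s: -1])))
IF_WP = equivalent(IF(lambda s: s["y"] == 1), lambda s: s["x"] > 0, XY)
IF_ONE_GUARD = equivalent(alt((lambda s: s["x"] > 0, skip()))(lambda s: True),
                          lambda s: s["x"] > 0, XY)

# 5.4.4: summing a constructed array F[0..N) with
# P: 0<=i<=N /\ s = (+ j : 0<=j<i : F.j)   and variant   t = N - i
F = [3, 1, 4, 1, 5]
N = len(F)
f = lambda i: F[i] if 0 <= i < N else 0      # total, as 5.4.2 requires of E
P = lambda s: 0 <= s["i"] <= N and s["s"] == sum(F[:s["i"]])
B = lambda s: s["i"] < N
BODY = seq(assign(["s"], [lambda s: s["s"] + f(s["i"])]),
           assign(["i"], [lambda s: s["i"] + 1]))
IS = grid(["i", "s"], -2, 16)
LOOP_OK = loop_obligations(P, [(B, BODY)], lambda s: N - s["i"], IS)
LOOP_BAD_T = loop_obligations(P, [(B, BODY)], lambda s: s["i"], IS)  # t grows
# Thm 5.8: Boundedness can equally be written as P /\ B ==> t > 0
THM_5_8 = (everywhere(lambda s: (not (P(s) and B(s))) or N - s["i"] > 0, IS)
           == LOOP_OK["boundedness"])
```

ASSIGN_XY and ASSIGN_6X confirm the two substitution calculations (the
second one gives x = 7). IF_WP shows why alternation is demonic: at x = 0
both guards hold, the second branch falsifies y = 1, so wp.IF.(y = 1) is
x > 0, not x >= 0. LOOP_OK reports all three obligations true for the
summation loop with t = N - i, while LOOP_BAD_T, with the wrong variant
t = i, keeps Invariance but fails Progress and Boundedness, which is how
a bad choice of t shows up in practice. Exhaustive checking over a grid
only witnesses the theorems for that grid; the calculational proofs in the
notes are what establish them for all states.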