CS 641 meeting -*- Outline -*-

* Introduction to Hesselink's monograph

Wim Hesselink. Programs, Recursion and Unbounded Choice. Cambridge, 1992.

** context

idea is to see how to define semantics of PLs using predicate
transformers, like wp, and to see how good that is as an approach to
PL semantics

def: the nondeterminism in a statement is *bounded* if for any given
input state, it has only a finite number of final states.

Q: so when does a statement exhibit unbounded nondeterminism? Why?

avoid overspecific specs (x gets a positive value) to postpone design
choices

consider the following program:

------------- EXAMPLE OF UNBOUNDED NONDETERMINISM
fun f(x:int) = if true -> x
               [] true -> f(x+1)
               fi
y := f(0)
--------------

because of recursion, we have the possibility of an infinite number of
final states, as well as looping.
(angelic choice would allow us to ensure it halts too)

------------------ EXAMPLE WITH WHILE
x := 0; b := true;
do b -> x := x + 1
[] b -> b := false
od
------------------

this isn't guaranteed to terminate, but if it does, x can have any
value, so infinite number of final states.

------------------- WEAK TERMINATION
do ~(x = 0) ->
   if x<0 -> x := ?;
            if x<0 -> x := -x
            [] true -> skip
            fi
   [] x>0 -> x := x - 1
   fi
od
-------------------

here x:=? means assign to x any integer (nondeterministically)

this always terminates, but no way to use def of wp for do or
invariance theorem to prove it.
so Dijkstra's wp calculus doesn't work with unbounded nondeterminism.

** semantics (0.1)

relational semantics: commands are relation between initial and final states
  variables have one value in pre-state, one in post-state
  difficult to use in reasoning (cf. Hehner)

Floyd-Hoare method (predicate-transformer semantics):
  assertions at program points, inductive reasoning

This motivates choice of semantics: it should be applicable to reasoning.
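The following is an added worked example, not code from Hesselink's book or from these notes: it encodes the while example above as a step relation on explicit (x, b) states, puts a constructed two-way if beside it as a bounded contrast, and enumerates, for a growing number of rounds k, the final states reached and the executions still running. The names `while_step`, `bounded_step`, `explore`, `final_x_values` and `may_diverge` are this example's own.

```python
"""Bounded vs. unbounded nondeterminism, checked by enumerating final states.

Added example, not code from Hesselink's book or from the notes.  The two
loop-shaped programs below are encoded as step relations on explicit
states; `explore` runs every execution for up to k rounds and collects the
final states reached and the executions still running.
"""
from typing import Callable, FrozenSet, Tuple

State = Tuple[int, bool]                      # (x, b)
Step = Callable[[State], FrozenSet[State]]    # successors; empty = terminated


def while_step(s: State) -> FrozenSet[State]:
    """One iteration of   do b -> x := x + 1 [] b -> b := false od.
    Both guards are b, so while b holds either branch may be chosen
    (demonic choice); once b is false the loop has terminated."""
    x, b = s
    if not b:
        return frozenset()
    return frozenset({(x + 1, True), (x, False)})


def bounded_step(s: State) -> FrozenSet[State]:
    """if true -> x := 1 [] true -> x := 2 fi, a constructed contrast case.
    The flag records that the if has already been executed."""
    x, done = s
    if done:
        return frozenset()
    return frozenset({(1, True), (2, True)})


def explore(step: Step, init: State, k: int):
    """Run `step` for up to k rounds from `init`.  Returns (finals, pending):
    finals  = states with no successor (an execution terminated there),
    pending = states still able to step after k rounds (executions that
              have not terminated yet, so nontermination is possible)."""
    finals, frontier = set(), {init}
    for _ in range(k):
        nxt = set()
        for s in frontier:
            succ = step(s)
            if succ:
                nxt |= succ
            else:
                finals.add(s)
        frontier = nxt
    pending = {s for s in frontier if step(s)}
    finals |= frontier - pending
    return frozenset(finals), frozenset(pending)


def final_x_values(step: Step, init: State, k: int):
    """Sorted x components of the final states reached within k rounds."""
    finals, _ = explore(step, init, k)
    return sorted(x for x, _ in finals)


def may_diverge(step: Step, init: State, k: int) -> bool:
    """True if some execution is still running after k rounds."""
    return bool(explore(step, init, k)[1])


if __name__ == "__main__":
    for k in (1, 5, 50):
        # the while loop: k rounds give k distinct final values plus an
        # execution that is still running, and the count keeps growing with k
        print(k, final_x_values(while_step, (0, True), k),
              may_diverge(while_step, (0, True), k))
    # the bounded if: two final states and no pending execution, for any k
    print(final_x_values(bounded_step, (0, False), 50),
          may_diverge(bounded_step, (0, False), 50))
```

Raising k never stops the while program from adding a new final value and never empties its set of running executions, which is exactly the "infinite number of final states, as well as looping" the notes describe; the bounded if settles on two finals after two rounds however far the exploration is pushed.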
Combination of unbounded choice and predicate transformer semantics is new

** predicate transformation semantics (0.2)

def: state space is a set (of variables)

def: wp.c.p is weakest such that c always terminates and establishes p
     wlp.c.p is weakest such that when c terminates, it establishes p

semantic equality of commands central concept.
hard since commands can have infinite and finite sequences
hence use both wp and wlp

skip [] abort is not the same as skip and both differ from abort

** transformations (0.3)

skim this
important in practice: transforming a correct program into an efficient one

** overview (0.4, 0.5)

1-4: intro, foundations of pred. transf. sem.
6-9: relational semantics
10-13: program transformations
14-15: temporal properties

** notation (0.6)

(most like Cohen)

*** set of functions

set of functions X -> Y or Y^X

*** quantification

quantification: (all i \in I : P.i : Q.i)
    means (all i : i \in I /\ P.i : Q.i)

**** cautions

Be careful of this...

Q: So what is the one-point rule for universal quantification?
Q: That is, what is (all i \in I : i = k : Q.i)?
   it's not Q.k, but (k \in I) ==> Q.k
   can you prove that?
Q: What is the one-point rule for existentials with this notation?
Q: What are the instantiation rules?

**** theory, generalization

quantifications regarded as application of quantifier to a family
this is like Cohen's generalized expressions.

def: Let I and X be sets. A *family* of elements of X (indexed by I)
     is a function from I to X.

Let I and X be sets, and P a predicate on I.
Hesselink writes (i \in I : P.i : f.i)
for the family of elements of X indexed by { i | i \in I /\ P.i }
that is: (i \in I : P.i : f.i) = { f.i | i \in I /\ P.i }
this is to emphasize the elements of X.

def: a family is a sequence if I is the naturals.

example ([] i \in Nat :: S.i) is an unbounded choice of commands S.i

*** set notations (can skip)

Uses \subset for \subseteq.
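An added example, not from the book or the notes, that models the three-part quantifier notation and the family notation on finite index sets and checks the one-point rule above by exhaustion, including the case k \notin I that makes the naive answer Q.k wrong. The existential dual it also checks, (exists i \in I : i = k : Q.i) = (k \in I) /\ Q.k, is stated here as an assumption answering the question in the notes, not taken from them. The function names (`forall`, `exists`, `family`, `check_one_point_rules`) are this example's own.

```python
"""Hesselink's three-part quantifier notation, checked on finite sets.

Added example, not from the book or the notes.  (all i in I : P.i : Q.i)
and its existential dual are modelled as functions over a finite index set
I, the family notation (i in I : P.i : f.i) is modelled as a dict from the
index set to X, and the one-point rules are verified exhaustively over
small instances, including the corner case k not in I.
"""
from itertools import product


def forall(I, P, Q) -> bool:
    """(all i in I : P.i : Q.i)  ==  (all i : i in I /\\ P.i : Q.i)"""
    return all(Q(i) for i in I if P(i))


def exists(I, P, Q) -> bool:
    """(exists i in I : P.i : Q.i)  ==  (exists i : i in I /\\ P.i : Q.i)"""
    return any(Q(i) for i in I if P(i))


def family(I, P, f) -> dict:
    """(i in I : P.i : f.i): the family of elements f.i indexed by
    { i | i in I /\\ P.i }.  Kept as a dict so the index set survives;
    set(family(...).values()) is the set { f.i | i in I /\\ P.i }."""
    return {i: f(i) for i in I if P(i)}


def one_point_forall_holds(I, k, Q) -> bool:
    """The rule stated in the notes:
       (all i in I : i = k : Q.i)  ==  (k in I ==> Q.k)"""
    lhs = forall(I, lambda i: i == k, Q)
    rhs = (k not in I) or Q(k)
    return lhs == rhs


def one_point_exists_holds(I, k, Q) -> bool:
    """The dual rule (assumed here, by analogy with the universal one):
       (exists i in I : i = k : Q.i)  ==  (k in I /\\ Q.k)"""
    lhs = exists(I, lambda i: i == k, Q)
    rhs = (k in I) and Q(k)
    return lhs == rhs


def naive_rule_counterexample():
    """Returns (I, k, Q) with (all i in I : i = k : Q.i) != Q.k, showing why
    the one-point rule cannot simply drop the range: the range i = k is
    empty when k is outside I, and a quantification over an empty range
    is true whatever Q says."""
    I, k, Q = {0, 1}, 2, (lambda i: False)
    assert forall(I, lambda i: i == k, Q) and not Q(k)
    return I, k, Q


def check_one_point_rules(universe=range(4)) -> int:
    """Check both rules for every subset I of `universe`, every k in
    `universe` (so k may lie outside I) and every predicate Q on `universe`.
    Returns the number of (I, k, Q) instances checked."""
    universe = list(universe)
    count = 0
    for mask in product([False, True], repeat=len(universe)):
        I = {u for u, in_I in zip(universe, mask) if in_I}
        for truth in product([False, True], repeat=len(universe)):
            table = dict(zip(universe, truth))
            Q = lambda i, table=table: table[i]
            for k in universe:
                if not (one_point_forall_holds(I, k, Q)
                        and one_point_exists_holds(I, k, Q)):
                    raise AssertionError((I, k, table))
                count += 1
    return count


if __name__ == "__main__":
    print(family(range(6), lambda i: i % 2 == 0, lambda i: i * i))
    print(naive_rule_counterexample())
    print("instances checked:", check_one_point_rules())
```

The exhaustive check is only evidence over small finite instances, not the proof the notes ask for; what it does make visible is the mechanism behind the (k \in I) ==> antecedent: when k lies outside I the range i = k is empty, so the universal quantification is vacuously true and Q.k alone cannot be the answer.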
Watch out

Set comprehension: write x \in Y equiv P.x
    for Y = { x | x \in X /\ P.x }

** design decisions (0.7)

denotational in sense that compositional, and use environments,
and use extreme fixpoints

has more use for unbounded nondeterminism.

everywhere operator [p] =def= (all x \in X :: p.x)

no law of excluded miracle
makes for simpler calculus.
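An added example, not code from Hesselink's book: it computes wp and wlp from an explicit model of commands (a relation between states plus a may-diverge bit), defines the everywhere operator [p] over a constructed finite state space X, and uses it to compare commands on every predicate of X. It shows why both transformers are needed to separate skip, abort and skip [] abort (section 0.2 above), and that the law of the excluded miracle, wp.c.false == false, holds for abort but fails for a constructed `miracle` command, which is the law the design decisions drop. Names such as `choice`, `guarded_if`, `equal_under` and `holds_on` are this example's own.

```python
"""wp and wlp over an explicit model, and semantic equality of commands.

Added example, not code from Hesselink's book.  A command is a function
from a state to (set of possible final states, may-diverge flag): a
relation plus a nontermination bit.  wp and wlp are computed from that,
[p] is the everywhere operator over a constructed finite state space X,
and commands are compared by quantifying over every predicate on X
(only commands whose final states stay inside X are compared this way).
"""
from itertools import product
from typing import Callable, FrozenSet, Tuple

State = int
Outcome = Tuple[FrozenSet[State], bool]     # (final states, may diverge)
Command = Callable[[State], Outcome]
Pred = Callable[[State], bool]

X = list(range(-2, 3))                      # constructed finite state space

# --- commands ---------------------------------------------------------------
def skip(s: State) -> Outcome:
    return frozenset({s}), False

def abort(s: State) -> Outcome:             # never terminates
    return frozenset(), True

def miracle(s: State) -> Outcome:           # terminates, but in no state
    return frozenset(), False

def choice(*cs: Command) -> Command:
    """c1 [] c2 [] ...: may do anything any branch may do (demonic)"""
    def run(s):
        finals, div = frozenset(), False
        for c in cs:
            f, d = c(s)
            finals, div = finals | f, div or d
        return finals, div
    return run

def guarded_if(*branches: Tuple[Pred, Command]) -> Command:
    """if g1 -> c1 [] g2 -> c2 ... fi: choose among the enabled branches;
    with no guard true the command aborts (Dijkstra's convention)"""
    def run(s):
        enabled = [c for g, c in branches if g(s)]
        return choice(*enabled)(s) if enabled else abort(s)
    return run

# --- predicate transformers ------------------------------------------------
def wp(c: Command, p: Pred) -> Pred:
    """weakest precondition: c surely terminates and every final state
    satisfies p"""
    def pre(s):
        finals, div = c(s)
        return not div and all(p(t) for t in finals)
    return pre

def wlp(c: Command, p: Pred) -> Pred:
    """weakest liberal precondition: whenever c terminates, p holds"""
    return lambda s: all(p(t) for t in c(s)[0])

def everywhere(p: Pred) -> bool:
    """[p] =def= (all x in X :: p.x)"""
    return all(p(x) for x in X)

def holds_on(p: Pred) -> FrozenSet[State]:
    """the states of X where p is true (for display and checking)"""
    return frozenset(s for s in X if p(s))

def all_preds():
    """every predicate on X as a truth table; states outside X count
    as not satisfying it"""
    for bits in product([False, True], repeat=len(X)):
        table = dict(zip(X, bits))
        yield lambda s, table=table: table.get(s, False)

def equal_under(tf, c1: Command, c2: Command) -> bool:
    """[tf.c1.p == tf.c2.p] for every predicate p on X"""
    return all(everywhere(lambda s: tf(c1, p)(s) == tf(c2, p)(s))
               for p in all_preds())

def equal(c1: Command, c2: Command) -> bool:
    """semantic equality: agreement under both wp and wlp"""
    return equal_under(wp, c1, c2) and equal_under(wlp, c1, c2)


if __name__ == "__main__":
    nonneg, false = (lambda s: s >= 0), (lambda s: False)
    soa = choice(skip, abort)
    for name, c in [("skip", skip), ("abort", abort), ("skip [] abort", soa)]:
        print(f"{name:14} wp: {sorted(holds_on(wp(c, nonneg)))}"
              f"  wlp: {sorted(holds_on(wlp(c, nonneg)))}")
    # wp alone conflates abort with skip [] abort, wlp alone conflates
    # skip with skip [] abort; the pair separates all three
    print(equal_under(wp, abort, soa), equal_under(wlp, skip, soa), equal(skip, soa))
    # wp.c.false == false (excluded miracle) holds for abort, not for miracle
    print(everywhere(lambda s: not wp(abort, false)(s)), everywhere(wp(miracle, false)))
```

With p = (x >= 0) the three commands come out as skip: (wp p, wlp p), abort: (wp false, wlp true), skip [] abort: (wp false, wlp p); the added bit of possible divergence in skip [] abort kills wp without touching wlp, so neither transformer on its own separates all three and the notes' "hence use both wp and wlp" is visible in the table. The `miracle` command is what the law of the excluded miracle forbids: it has no final state and no divergence, so wp.miracle.false is true everywhere.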