Formal Methods in Software Engineering1 Lecture 17 Describing Syntax and Semantics.

Author
sharoncummings 
Category
Documents

view
224 
download
4
Embed Size (px)
Transcript of Formal Methods in Software Engineering1 Lecture 17 Describing Syntax and Semantics.
Formal Methods in Software Engineering 1
Lecture 17
Describing Syntax and Semantics
Formal Methods in Software Engineering 2
Semantics
• How do we describe the “meaning” of a program?
• Dynamic semantics or semantics is concerned with accurately describing the execution behaviour of a language
• Why do we care?– English descriptions are often incomplete and ambiguous
– Compiler writers must implement the language description accurately
– Programmers want the same behaviour on different platforms
• There is no single widely acceptable notation or formalism for describing semantics
• Entire books have been dedicated to various semantic notations!
Formal Methods in Software Engineering
Operational Semantics
• Describe the meaning of a program by executing its statements on a machine, either simulated or actual. The change in the state of the machine (memory, registers, etc.) defines the meaning of the statement
• At the highest level, we’re interested in the final result (natural operational semantics)
• At the lowest level, look at a translated version to determine precise meaning of a single statement (structural operational semantics)
3
Formal Methods in Software Engineering
Operational Semantics Example
• C Statementfor (expr1; expr2;
expr3){ . . .}
• Operational Statementsexpr1;
loop: if expr2 == 0 goto out. . .expr3;goto loop
out: . . .
Human reader is virtual computer, assumed to be able to correctly “execute” the instructions and recognize the effects. Note that language is intermediate level, not machine language.
4
Formal Methods in Software Engineering 5
Operational Semantics (continued)• A better alternative: A complete computer
simulation• The process:
– Build a translator (translates source code to the machine code of an idealized computer)
– Build a simulator for the idealized computer
Formal Methods in Software Engineering
Evaluation of Operational Semantics• Good if used informally (language manuals, etc.)• Extremely complex if used formally (e.g., Vienna
Definition Language), it was used for describing semantics of PL/I.
• Can lead to circularities, because statements of highlevel language are described in statements of lowerlevel language
• These problems can be avoided with formalisms based on logic or mathematics
6
Formal Methods in Software Engineering 7
Axiomatic Semantics
• Based on formal logic (predicate calculus)• Original purpose: formal program
verification• Correctness proofs specify constraints on
program variables• When proofs can be constructed, they
show that a program performs the computation described by its specification
Formal Methods in Software Engineering 8
Axiomatic Semantics (continued)
• Logical expressions used in axiomatic semantics are called assertions.
• An assertion before a statement (a precondition) states the relationships and constraints among variables that are true at that point in execution
• An assertion following a statement is a postcondition
• A weakest precondition is the least restrictive precondition that will guarantee the postcondition
Formal Methods in Software Engineering 9
Axiomatic Semantics Form
• Pre, post form: {P} statement {Q}
• An example– a = b + 1 {a > 1}– One possible precondition: {b > 10}– Weakest precondition: {b > 0}
precondition postcondition
Formal Methods in Software Engineering 10
Program Proof Process
• The postcondition for the entire program is the desired result– Work back through the program to the first
statement. If the precondition on the first statement is the same as the program specification, the program is correct.
• An axiom is a logical statement that is assumed to be true.
• An inference rule is a method of inferring the truth of one assertion on the basis of the value of other assertions.
Formal Methods in Software Engineering
Program Proof Process (cont)
• To use axiomatic semantics with a given programming language (either for correctness proofs or for formal semantic specification), must have either an axiom or an inference rule for each kind of statement in the language
• The following rules assume that expressions do not have side effects
11
Formal Methods in Software Engineering 12
Axiomatic Semantics: Assignment
• An axiom for assignment statements (x = E): {Qx>E} x = E {Q}
• Example 1– a = b/2 – 1 {a < 10}– means b/21 must be < 10, or b < 22 is precondition
• Example 2– x = x + y – 3 { x > 10}– means x + y – 3 > 10, so y > 13 – x– OK for variable to be on both sides
Q is constraint on xreplace x by E in Q
Formal Methods in Software Engineering
Axiomatic Semantics  Consequence
• {x > 3} x = x – 3 { x > 0} – Using assignment axiom, x = x – 3 {x > 0} produces
precondition of { x > 3 } which “proves” this statement
• What about {x > 5} x = x – 3 { x > 0 } ??
• The Rule of Consequence:
Q' S P'
Q' Q P, P' , S QP
0x 3  x x 5x
0)(x 0) (x 3), (x 5) (x ,0 3  x x 3
xx
13
Formal Methods in Software Engineering 14
Axiomatic Semantics: Sequences
• S1; S2; …{P1} S1 {P2}{P2} S2 {P3}
{P1 } S1 {P2 } , {P2 } S2 {P3 }{P1 } S1; S2 {P3 }
Formal Methods in Software Engineering
Axiomatic Semantics: Selection
• if B then S1 else S2• Must be proven for both true and false
conditions
• Example: if (x > 0) y = y1 else y = y + 1• Assume Q is {y > 0}• then P is {y > 1} else P is {y > 1} • Since {y > 1} => {y > 1} use {y > 1}
{Q} S2 else S1 then B if
S2 P} and B){(not {Q}, S1 P} and B {
P
Q
one P one Q
15
Formal Methods in Software Engineering 16
Axiomatic Semantics: Pretest Loops• {P} while B do S end {Q}• Number of iterations not always known.
Use a loop invariant I and induction.
I and B S {I }{I } while B do S {I and not B }
Formal Methods in Software Engineering 17
Axiomatic Semantics: Loops
• Characteristics of the loop invariant: I must meet the following conditions:– P => I  the loop invariant must be true initially
– {I} B {I}  evaluation of the Boolean must not change the validity of I
– {I and B} S {I}  I is not changed by executing the body of the loop
– (I and (not B)) => Q  if I is true and B is false, is implied
– The loop terminates
Formal Methods in Software Engineering
Axiomatic Semantics: Loop Example• while y <> x do y = y + 1 { y = x}• Run through the loop a few times to find
weakest precondition1st: wp (y = y + 1, {y = x} } = {y + 1 = x or y = x – 1}2nd: wp (y = y + 1, {y = x} } = {y + 1 = x or y = x – 2}3rd: wp (y = y + 1, {y = x} } = {y + 1 = x or y = x – 3}
So we see that {y < x} will suffice for 1 or more iterations. Combined with {y = x} for 0 iterations we have { y <= x } for loop invariant. I can also be used as the precondition. NOTE: text walks through four conditions for I
assignment equality test
18
Formal Methods in Software Engineering 19
Loop Invariant
• The loop invariant I is a weakened version of the loop postcondition, and it is also a precondition.
• I must be weak enough to be satisfied prior to the beginning of the loop, but when combined with the loop exit condition, it must be strong enough to force the truth of the postcondition
• Finding loop invariant can be difficult.• If loop termination can be shown, axiomatic
description is called total correctness.• If other conditions can be met but termination is
not guaranteed, called partial correctness.
Formal Methods in Software Engineering 20
Evaluation of Axiomatic Semantics
• Developing axioms or inference rules for all of the statements in a language is difficult
• It is a good tool for correctness proofs, and an excellent framework for reasoning about programs, but it is not as useful for language users and compiler writers
• Its usefulness in describing the meaning of a programming language is limited for language users or compiler writers
Formal Methods in Software Engineering 21
Denotational Semantics
• Based on recursive function theory• The most abstract semantics description
method• Originally developed by Scott and
Strachey (1970)
Formal Methods in Software Engineering 22
Denotational Semantics (continued)• The process of building a denotational
specification for a language: Define a mathematical object for each language entity– Define a function that maps instances of the
language entities onto instances of the corresponding mathematical objects
• The meaning of language constructs are defined by only the values of the program's variables
Formal Methods in Software Engineering 23
Denotation Semantics vs Operational Semantics
• In operational semantics, the state changes are defined by coded algorithms
• In denotational semantics, the state changes are defined by rigorous mathematical functions
Formal Methods in Software Engineering 24
Evaluation of Denotational Semantics
• Can be used to prove the correctness of programs
• Provides a rigorous way to think about programs• Can be an aid to language design• Has been used in compiler generation systems
(but no useful compilers generated)• Because of its complexity, they are of little use to
language users