Programming Languages: Semanticsryan/cse4250/notes/semantics.pdf · Structural Operational...
66
Transcript of Programming Languages: Semanticsryan/cse4250/notes/semantics.pdf · Structural Operational...
Tom MurphyCS PhD student at CMU
Illustrated Notes from Computer Science ClassesFall 2002
.
Overview of Semantics
I Value of formal semantics
I Major approaches: operational, denotational, axiomaticI Axiomatic
I Assertions, preconditions, postconditions, loop invariantsI Hoare triples, weakest precondition calculusI Wider impact: assertions in languages, essence of imperative
programming act, class invariants (Meyer, OO SoftwareConstruction, 1997)
Semantics
Lewis Carroll is a favorite amongsemanticists. (The original illus-tration is by John Tenniel.)
Semantics
“I don’t know what you mean by ‘glory,’ ” Alice said.Humpty Dumpty smiled contemptuously. “Of course you
don’t—till I tell you. I meant ‘there’s a nice knock-downargument for you!’ ”
“But ‘glory’ doesn’t mean ‘a nice knock-down argument,’ ”Alice objected.
“When I use a word,” Humpty Dumpty said, in rather ascornful tone, “it means just what I choose it tomean—neither more nor less.”
“The question is,” said Alice, “whether you can makewords mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to bemaster—that’s all.” . . .
“When I make a word do a lot of work like that,” saidHumpty Dumpty, “I always pay it extra.”
Programming Language Semantics
Consider for a moment FORTRAN. A standard exists for FORTRAN95.
In accordance with an official agreement with theInternational Standards Organization [sic], we are able todistribute electronic versions of the Fortran 95 standard:ISO/IEC 1539-1 : 1997, Informationtechnology–Programming languages–Fortran. Cost: USD175.
www.fortran.com
Programming Language SemanticsYou expect that the standard communicates the purpose and meaningof the FORTRAN 95 constructs. Here is an example, adapted fromChapman, of a (possibly) unfamiliar construct:
INTEGER :: i=3, j=7, k=2REAL, DIMENSION(10): A=(/1.,-2.,3.,-4.,5.,-6.,7.,-8.,9.,-10./)
1. A(:) means the whole array
2. A(i:j) means the subset starting at 3 and ending at 7
3. A(i:) means the subset starting at 3 and ending at the end ofthe array
4. A(:j) means the subset starting at 1 and ending at 7
5. A(::k) means the subset of all the odd elements
6. A(i::k) means every other element starting at 3
A precise description of the semantics of a programming language, asin the Ada Reference Manual, is quite hard. For example, theassignment statement.
Formal Semantics
I Standardization of programming languages. Much effort is spenton standardizing languages
I Reference for users. “Try it and see if it works” — takes a lot ofeffort, and is often inconclusive
I Proof of program correctness. Mathematical reasoning aboutwhat programs do
I Reference for implementors. Prevent ill-defined and incompatibledialects
I Automatic implementation. Tools that automate creatinglanguage translators that go beyond parsing
I Better understanding of language design. What’s hard to define ishard to understand
esigners and users benefit by knowing what is hard to define. Wemake simpler designs and we can avoid dangerous parts.
Formal Semantics
Remember the point is to define something you don’t understand withsomething you do understand. The semantics of programminglanguages is very complex. But computer science students find thesyntax suggestive or even familiar. Defining programs in mathematicsthat is often unfamiliar is precise, but leaves many confused.
Types of Semantics
I operational — the operation of an abstract machine
I denotational — the denotation of programs as mathematicalentities
I axiomatic — a system of rules for proving properties about theprogram
Operational
What does the for statement mean? for (expr1;expr2;expr3) {stmt}Well, define it in terms of machine code . . .. expr1; loop: if expr2 gotoend; stmt expr3; goto loop; end:
Sebesta, 3.5.1 Operational Semantics, page 130.
Modern Operational Semantics
During the ’60s and ’70s, operational semantics wasgenerally regarded as inferior to the other two styles—usefulfor quick and dirty definitions of language features, butinelegant and mathematically weak. But in the 80s, the moreabstract methods began to encounter increasingly thornytechnical problems (the bete noire of denotational semanticsturned out to be the treatment of nondeterminism andconcurrency; for axiomatic semantics, it was procedures),and the simplicity of flexibility of operational methods cameto be seem more and more attractive bycomparison—especially in the light of new developments inthe area by a number of researches, beginning with Plotkin’sStructural Operational Semantics (1981), Kahn’s NaturalSemantics (1987), and Milner’s work on CCS.
Modern Operational Semantics
When the state of an abstract machine can be described simply interms of the language (rather than some low-level instruction set),operational semantics has two important subcategories.
I structural operational — a deductive system that defines atransition function that gives the next state of the machine(so-called small-step style of operational semantics)
I natural semantics — a deductive system that defines the finalstate of the machine (so-called big-step style of operationalsemantics)
Operational
Suppose terms (or expressions) of the language can be used todescribe the “state” of the computation. We can use term rewriting,structural or natural semantics, to define the language.
What does 2+3×4 mean?It means: 2+3∗4⇒ 2+12⇒ 14.
Natural Semantics
expr ::= expr "+" expr | expr "*" expr | "0" | "1"
E1 −→ v1 E2 −→ v2
E1+E2 −→ v1 + v2
E1 −→ v1 E2 −→ v2
E1∗E2 −→ v1 · v2
0−→ 0
1−→ 1
Natural Semantics
expr ::= expr "+" expr | expr "*" expr | "0" | "1" | varvar ::= "A" | "B" | "C"
??????
x −→????
Add a context C.
〈x ,C〉 −→ l(x ,C)
〈E1,C〉 −→ v1 〈E2,C〉 −→ v2
〈E1∗E2,C〉 −→ v1 · v2
Denotational Semantics
In computer science, the phrase denotational semanticsrefers to a specific style of mathematical semantics forimperative programs. This approach was developed in thelate 1960s and early 1970s, following the pioneering work ofChristopher Strachey and Dana Scott at Oxford University.The term denotational semantics suggests that a meaningor denotation is associated with each program or programphrase (expression, statement, declaration, etc.). Thedenotation of a program is a mathematical object, typically afunction, as opposed to an algorithm or a sequence ofinstructions to execute.
Mitchell, 2003, page 67.
Dana S. Scott (1932–)
Scott was born on October 11, 1932, in Berkeley, California. Hestudied under Alfred Tarski at the University of California, Berkeley. Hetook his doctoral degree at Princeton University in 1958 with AlonzoChurch as his thesis advisor. He was a professor of philosophy atPrinceton University from 1969 until 1972, when he became aprofessor of mathematical logic at Oxford University. His work onautomata theory earned him the ACM Turing Award in 1976 (withMichael O. Rabin). In 1981 he moved from Oxford to Carnegie MellonUniversity, where he is the Hillman University Professor of ComputerScience, Philosophy, and Mathematical Logic (Emertius).
In his “Outline of a mathematical theory of computation” (1970):
To date no mathematical theory of functions has everbeen able to supply conveniently a free-wheeling notion offunction except at the cost of being inconsistent. The mainmathematical novelty of the present study is the creation ofa proper mathematical theory of functions whichaccomplishes these aims (consistently!) and which can beused as the basis for the metamathematical project ofproviding the ‘correct’ approach to semantics.
The first mathematical model of the type-free λ-calculus, a model inwhich D ∼= D→ D. (See Raymound Turner, in Handbook of Logic andLanguage edited by Johan van Benthem and Alice G. B. ter Meulen.)We don’t need an uncountable number of functions, there are only acountable number of computable ones (i.e., the ones that haveprograms).
What is the denotation of a program? Well, a program computes on“things,” say D. So why not D→ D? OK, a program is also a thing, so:D = D→ D.But Cantor’s theorem says there are no such things!
Denotational Semantics
A mapping of syntax to mathematical quantities.
Where have we seen this technique already?
Example: regular expressions denoting formal languages.An important tenet of denotational semantics is that semantics shouldbe compositional: the denotation of a program phrase should be builtout of the denotations of its subphrases.
Denotational Semantics
A mapping of syntax to mathematical quantities.
Where have we seen this technique already?Example: regular expressions denoting formal languages.
An important tenet of denotational semantics is that semantics shouldbe compositional: the denotation of a program phrase should be builtout of the denotations of its subphrases.
Denotational Semantics
A mapping of syntax to mathematical quantities.
Where have we seen this technique already?Example: regular expressions denoting formal languages.An important tenet of denotational semantics is that semantics shouldbe compositional: the denotation of a program phrase should be builtout of the denotations of its subphrases.
Axiomatic Semantics
Axiomatic semantics involves several subcomponents:
I First-order logic
I Assertions: pre and postconditions
I Language or structure of elementary number theory
I Statements in a simple programming language
I Hoare triples, e.g.,
I Deductive systems
C. A. R. Hoare
Emeritus Professor of Computing at the University of Oxford and isnow a senior researcher at Microsoft Research in Cambridge,England.He received the 1980 ACM Turing Award for “his fundamentalcontributions to the definition and design of programming languages.”Knighted by the Queen of England in 2000.
Recap of First-Order Logic
⊥ false> true
A&B A and BA∨B A or B¬A not A
A⇒ B A implies B∀x P(x) for all x , P(x)∃x P(x) there exists x , P(x)
Modus ponens, one of the classic laws of deduction
A⇒ B AB
A Proof
1 (¬A⇒ A)⇒ A axiom 12 A⇒ (¬A⇒ A) axiom 23 (A⇒ (¬A⇒ A))⇒ (((¬A⇒ A)⇒ A)⇒ (A⇒ A))4 ((¬A⇒ A)⇒ A)⇒ (A⇒ A) MP 2,35 A⇒ A MP 1,4
A Proof is a Tree
axiom3(A⇒ (¬A⇒ A))⇒ (((¬A⇒ A)⇒ A)⇒ (A⇒ A))
axiom2A⇒ (¬A⇒ A)
((¬A⇒ A)⇒ A)⇒ (A⇒ A)axiom1
(¬A⇒ A)⇒ AA⇒ A
AssertionsAn assertion is a logical expression (a formula of FOL) characterizingthe state of a program by the relationship of the variables. It is atwo-valued, either true or false. An assertion, if false, indicates anerror. An assertion is not part of the normal execution of the program,but can be used in debugging by catching “can’t happen” errors.An assertion used as precondition characterizes the state of theprogram that is required in order for the followingstatement/code/procedure to work correctly. If the precondition isfalse, then the error was in preparing to call thestatement/code/procedure and in establishing the logical relationsrequired for the statement/code/procedure to work correctly.A precondition is an assertion that is used to require the condition betrue before the execution of a statement/block/procedure. It is used tomake precise the assumptions or requirements made by thestatement/block/procedure.An assertion used as a postcondition characterizes the state of theprogram guaranteed to be established by the precedingstatement/code/procedure. If the postcondition is false, then thestatement/code/procedure failed to establish the guaranteed outcome.So either the statement/code/procedure has a bug, the preconditionswere not met, or the postcondition is wrong.A postcondition is an assertion that guarantees the output of thepreceding statement/code/procedure. It is used to make precise theintended purpose or actions of a statement/block/procedure.
Language Support
Ada has the pragma Assert.
invariant/exp.adb
Java 1.4 now has the assert statement.
ser/ser1996/ConvexHull.java
Tip: use the assert to document assumptions in your code.
Deductive System
A deductive system has judgments of the form:
hypothesisconclusion
Hoare Triples: State
The axiomatic approach defines each language construct in terms of astatement about what the construct accomplishes when executed.Accomplishment will be gaged by describing the state of thecomputation before and after the execution of the construct.We will view the memory of the computer as a collection of cells, eachuniquely labeled.The contents of the labeled cells is the state.So, we view the state as a function from names to values.We will consider only integer values.
State — A Snapshot of Memory
Mathematically σ : A→ Nat
Hoare Triples: Predicate Logic as Spec
To describe sets of states we need a specification language. Aningenious way of specifying states takes advantage of the fact that anassignment in logic is just like a snapshot of memory: they are bothfunctions from labels to values.
I Terms.1. If x is a variable, then x is a term.2. If n is an integer constant, then n is a term.3. If t1 and t2 are terms, then t1 + t2 and t1 ∗ t2 are terms.
I Formulas.1. > and ⊥ are formulas.2. If t1 and t2 are terms, then t1 = t2 and t1 < t2 are formulas.3. If φ and ψ are formulas, then φ&ψ, φ | ψ, ¬φ, and φ⇒ ψ are
formulas.4. If φ(x) is a formula possibly containing the variable x free, then∀x .φ(x) and ∃x .φ(x) are formulas.
Hoare Triples: Characterizing State
For example, the formula x = 3 characterizes all those states in whichthe value of memory cell x is three.
∗ Hoare Triples
In using formulas to characterize states there is a vast differencebetween free and bound variables. Formulas with free variables, likethe formula x = 3, have an intuitive reading, like
the states in which the cell x has the contents 3.
But formulas with bound variables, like the formula ∃x .x = 3, can bemisleading. The names of bound variables are not relevant. Theformula ∃x .x = 3 is the same as ∃y .y = 3. Thus the name of a boundvariable is not significant and does not have any relation to the “labels”for the cells in memory. The formula ∃z.z = 3 does not mean thatsome cell has contents 3. Rather it asserts that some value is equal to3. Quantification ranges over the set of possible values, not labels.Hence ∃z.z = 3 is equivalent to 3 = 3, or any other true formula. Assuch, it characterizes all states. More generally, formulas without freevariables are either true or false, and hence characterize all the statesor none of the states.
Hoare Triples
Assertions are formulas of logic that characterize the state of aprogram.The execution of a construct S in a programming language can bedescribed by the state obtained by executing a program segment. Thissuggests that we consider triples {P } S {Q }, where P and Q areformulas of first order logic and S is a piece of code. Constructs of thisform are called Hoare triples. We say the triple {P } S {Q } is valid ifexecution of the program segment S is begun in any state satisfying P,and if S terminates, then it terminates in a state satisfying Q.The triple {P } S {Q } can serve as a description of what S does, or itcan serve as a definition (a semantics) of how S may be implemented.Hence, these triples serve as a semantics of a language.
Hoare Triples
The P of {P } S {Q } is called the precondition of the Hoare triple,and Q the postcondition.
Partial Correctness
Hoare triples are especially useful in proving programs correctbecause proof systems exist for deriving valid Hoare triples. (We giveone in the next section.) A “correct” program is one that meets itsspecification. Sometimes, instead of saying the Hoare triple{P } S {Q } is valid, we say that the program segment S is partiallycorrect with respect to the precondition P and the postcondition Q. Wesay partially correct because we assume that the program terminates.Knowing that a Hoare triple is valid guarantees that the postconditionis established, if the program terminates. No assurances are given thatthe program does indeed terminate. This is not wholly satisfactory andleads to some counterintuitive behavior. A total-correctness semantics,where termination is assured instead of assumed, is possible.
Partial Versus Total Correctness
A&B⇒ C
A⇒ B&C
∗ Additional Subtleties
Suppose that we know that the following Hoare triple is valid:
{0≤ a&0≤ b} S {z = a∗b}
If the program segment S is z:=0; a:=0, we can prove the formalcorrectness of S with respect to the assertion z = a∗b, but S does notperform any multiplication!
Simple Language
A Hoare triple concerns a piece of code. To be formal we need todefine what code we are talking about. In fact the Hoare triples serverdefine the meaning of the code.To make things easier we use a simple, but Turing completeprogramming language, we call the while language.
W ::= V := T
W ::= if B then W else W
W ::= while B do W end
W ::= W ; W
An idealized, but nonetheless quite powerful, programming language.The boolean conditions B and terms T we share with the language offirst-order predicate logic with a domain of integers.
Example
z:=0; n:=y; while n>0 do z:=z+x; n:=n-1 end
Deductive System
Assignment axiom:
{Q[V := T ]} V := T {Q }
Conditional rule:
{B&P } S1 {Q } {¬B&P } S2 {Q }{P } if B then S1 else S2 {Q }
While rule:{B& I } S { I }
{ I } while B do S end {¬B& I }Composition rule:
{P } S1 {Q } {Q } S2 {R }{P } S1; S2 {R }
Assignment Axiom
Here is the rule for discovering valid Hoare triples about assignmentstatements. Above the horizontal line appear no hypotheses, so theHoare triple below the line is true in all circumstances.
{Q[V := T ]} V := T {Q }
The notation Q[V := T ] stands for the assertion obtained bysubstituting the term T for the variable V in formula Q.All Hoare triples of this form (for all terms T , variables V , and formulasQ) are valid Hoare triples.
Several examples:
{2 = 2} x := 2 {x = 2}
{y = 1} x := 2 {x = y +1}
{y = 17} x := 2 {y = 17}
{2 = 2+1} x := 2 {x = x +1}
{⊥} x := 2 {x = 3}
Axiomatic Semantics
How is an axiom or rule a definition of meaning?The assignment axiom captures the properties which much be true ofthe execution of the assignment statement. E.g., an implementationmust insure these properties are never violated.In practice, most programming languages use an assignmentstatement that does not guarantee the simple assignment axiom. E.g.,if x and y are aliases as in int& x=y, then the following does not hold:
{y = 0} x := 1 {y = 0}
Weakest Precondition Calculus
At first glance the rule for assignment appears to be backward. Thereis no correct direction in a Hoare triple: it is valid or it is not; there is nodirection involved. The mechanics of the rule imply that one picks thepostcondition Q and from this choice the precondition is determined,namely, Q[x := e]. This “flow” from postcondition to precondition hasbeen formalized by Dijkstra and Gries into a weakest preconditioncalculus. The weakest or most useful precondition of the assignmentV := T and the arbitrary postcondition Q, written:
WP(V := T ,Q)
is the condition Q[V := T ]. It is possible to describe the most useful orstrongest postcondition in terms of the precondition for the assignmentstatement, but this is harder.
Reading
Dijkstra, Edsger Wybe. A Discipline of Programming. Prentice Hall,Englewood Cliffs, New Jersey, 1976.
Gries, David. The Science of Programming. Texts and monographs incomputer science. Springer-Verlag, New York, 1981.
Hoare, Charles Antony Richard. “An axiomatic basis for computerprogramming.” Communications of the ACM, volume 12, number 10,October 1969, pages 576–580, 583. Reprinted in Tutorial,Programming Language Design, edited by Anthony I. Wasserman,1980, pages 500–505.
Loeckx, Jacques J. C., Kurt Sieber, and Ryan D. Stansifer. TheFoundations of Program Verification, second edition. Wiley-Teubnerseries in computer science. Teubner, Stuttgart, 1987.
O’Donnell, Michael J. “A critique of the foundations of Hoare styleprogramming logics.” Communications of the ACM, volume 25,number 12, December 1982, pages 927–935.
Barwise, Jon. “Mathematical proofs of computer system correctness.”Notices of the American Mathematical Society, September 1989,pages 844–851.
DeMillo, Richard A., Richard J. Lipton, and Alan J. Perlis. “Socialprocesses and proofs of theorems and programs.” Communications ofthe ACM, volume 22, number 5, May 1979, pages 271–280.
Dijkstra, Edsger Wybe. “On a political pamphlet from the middle ages(Commentary on a paper by DeMillo, Lipton, and Perlis).” SoftwareEngineering Notes, volume 3, number 2, April 1978, pages 14–17.
Fetzer, James H. “Program verification: The very idea.”Communications of the ACM, volume 31, number 9, September 1988,pages 1048–1063.
Hamming, Richard W. “The unreasonable effectiveness ofmathematics.” American Mathematical Monthly, February 1980, pages81–90.
Hoare Logic
Conditional rule:
{B&P } S1 {Q } {¬B&P } S2 {Q }{P } if B then S1 else S2 {Q }
Composition rule:
{P } S1 {Q } {Q } S2 {R }{P } S1; S2 {R }
Rule of consequence:
P ′⇒ P {P } S {Q } Q⇒ Q′
{P ′ } S {Q′ }
while Rule
{B& I } S { I }{ I } while B do S end {¬B& I }
{x > 0& x ≥ 0} x := x-1 {x ≥ 0}{x ≥ 0} while x > 0 do x:=x-1 end {x = 0}
{y < n& f = y!} S { f = y!}{ f = y!} while y < n do S end {y ≥ n& f = y!}
where S is f:=f × y; y:=y +1
Program Verification
It is possible for a computer program to verify that a proof of a Hoaretriple is correct or not.It is even possible for a computer program to build a correct programfrom a specification (a postcondition) except for two things:
1. can’t prove all mathematical facts (though theorem proving isquite good)
2. can’t create invariants
Example Proof
To prove:
{y>=0} z:=0; n:=y; while n>0 do z:=z+x; n:=n-1 end {z=x*y}
(Multiply x and y by repeated addition to get z.)
Abbreviations:
I = n>=0&z=x*(y-n)
P = n-1>=0&z+x=x*(y-(n-1))
Example Proof
The goal is to prove that the program
z := 0; n:=y; while n > 0 do z:=z + x; n:=n−1 end
computes the product of x and y by repeated addition. This programworks only if y is not negative, so we take y ≥ 0 as the precondition.
Example Proof
We want to prove that the following Hoare triple is valid.
{y ≥ 0}z := 0; n:=y; while n > 0 do z:=z + x; n:=n−1 end{z = x ∗ y}
The proof requires four applications of the assignment axiom, threeapplications of the composition rule, one application of the rule forwhile loops, three tautologies of arithmetic, and three applications ofthe rule of consequence.
We begin by using the axiom of assignment to prove the following twoHoare triples:
{z = x ∗ (y− y)& y ≥ 0} n:=y {z = x ∗ (y−n)&n ≥ 0} (1)
{0 = x ∗ (y− y)& y ≥ 0} z:=0 {z = x ∗ (y− y)& y ≥ 0} (2)
By the composition rule using valid Hoare triples 1 and 2 above, weobtain the following Hoare triple:
{0 = x ∗(y−y)&y ≥ 0} z:=0; n:=y {z = x ∗(y−n)&n≥ 0} (3)
The following fact of arithmetic is needed to derive Hoare triple 5below.
y ≥ 0⇒ 0 = x ∗ (y− y)& y ≥ 0 (4)
{y ≥ 0} z:=0; n:=y {z = x ∗ (y−n)&n ≥ 0} (5)
The assignment axiom yields the following two Hoare triples:
{(z + x) = x ∗ (y− (n−1))&(n−1)≥ 0}z := z + x{z = x ∗ (y− (n−1))&(n−1)≥ 0}
(6)
{z = x ∗ (y− (n−1))&(n−1)≥ 0}n := n−1{z = x ∗ (y−n)&n ≥ 0}
(7)
Applying the rule of composition to Hoare triples 6 and 7 yields:
{(z + x) = x ∗ (y− (n−1))&(n−1)≥ 0}z := z + x ;n := n−1{z = x ∗ (y−n)&n ≥ 0}
(8)
The following formula is a tautology:
z = x ∗(y−n)&n≥ 0&n> 0⇒ (z+x)= x ∗(y−(n−1))&(n−1)≥ 0(9)
The law of consequence applied to Hoare triple 8 and the tautology 9yields the following Hoare triple:
{z = x ∗ (y−n)&n ≥ 0&n > 0}z:=z + x; n:=n−1{z = x ∗ (y−n)&n ≥ 0}
(10)
Applying the rule for while statements with Hoare triple 10 yields thefollowing Hoare triple:
{z = x ∗ (y−n)&n ≥ 0}while n > 0 do z:=z + x; n:=n−1 end{z = x ∗ (y−n)&n ≥ 0&¬ (n > 0)}
(11)
The loop invariant I is z = x ∗ (y−n)&n ≥ 0.
z = x ∗ (y−n)&n ≥ 0&¬ (n > 0)⇒ z = x ∗ y (12)
{z = x ∗ (y−n)&n ≥ 0}while n > 0 do z:=z + x; n:=n−1 end{z = x ∗ y}
(13)
Using Hoare triples 5 and 13, and by applying the rule of compositionwe obtain the Hoare triple that we were seeking:
{y ≥ 0}z := 0; n:=y; while n > 0 do z:=z + x; n:=n−1{z = x ∗ y}
(14)
{y ≥ 0}{0 = x ∗ (y− y)& y ≥ 0}z := 0; n := y;{z = x ∗ (y−n)&n ≥ 0}while n > 0 do{z = x ∗ (y−n)&n ≥ 0&n > 0}{z + x = x ∗ (y− (n−1))&(n−1)≥ 0}z := z + x; n := n−1
end{z = x ∗ (y−n)&n ≥ 0&¬ (n > 0)}{z = x ∗ y}
The end of semantics
