
Formal Semantics of

Programming Languages
Florian Zuleger
SS 2023

1
The language While
E ∈ Arith ::= x | n | E + E | E * E | ...
B ∈ Bool  ::= true | false | E = E | E ≤ E
            | B ∧ B | ¬B
C ∈ Com   ::= x := E | if B then C else C | C ; C
            | skip | while B do C

x is taken from some set of variables Var

2
Example Program
y := 1;
while ¬(x=1) do
  y := y * x;
  x := x - 1

Questions:
• What is the behavior of this program?
• How is this program executed?

3
Evaluating Expressions
The value of an expression depends on the current values of the variables; e.g., the value of

  x + y - 1

depends on the current values of the variables x and y.

The values of the variables change during program execution.
4
States
• A state s is a function from the variables to the integers, i.e.,
  s ∈ Var → Z.
• The updated state s[x ↦ n] is defined by

  s[x ↦ n](y) = n     if y = x
  s[x ↦ n](y) = s(y)  if y ≠ x

• Behavior of commands is relative to a state.
• The state changes as the execution of a command proceeds.
• Complete execution of a command transforms an initial state into a final state.
5
Arithmetic Expressions With States
We add states to our earlier definition of the denotational
semantics of expressions:

⟦x⟧ s = s(x),
⟦n⟧ s = n, using n = number(n)
⟦E1 + E2⟧ s = ⟦E1⟧ s + ⟦E2⟧ s,
⟦E1 * E2⟧ s = ⟦E1⟧ s * ⟦E2⟧ s.

The denotational semantics of Boolean expressions can be defined similarly.
6
Big-step Semantics of While

Judgements:
⟨C,s⟩ ⇓ s'

Meaning:
Command C with initial state s evaluates to final state s' when executing C on s.

7
Big-step Semantics of While
  --------------------------- B-ASS
  ⟨x := E,s⟩ ⇓ s[x ↦ ⟦E⟧ s]

  -------------- B-SKIP
  ⟨skip,s⟩ ⇓ s

  ⟨C1,s⟩ ⇓ s1    ⟨C2,s1⟩ ⇓ s'
  ---------------------------- B-SEQ
  ⟨C1 ; C2,s⟩ ⇓ s'

  ⟨C1,s⟩ ⇓ s'    ⟦B⟧ s = true
  ------------------------------- B-IF.T
  ⟨if B then C1 else C2,s⟩ ⇓ s'

  ⟨C2,s⟩ ⇓ s'    ⟦B⟧ s = false
  ------------------------------- B-IF.F
  ⟨if B then C1 else C2,s⟩ ⇓ s'

  ⟦B⟧ s = false
  ---------------------- B-WHILE.F
  ⟨while B do C,s⟩ ⇓ s

  ⟨C,s⟩ ⇓ s1    ⟨while B do C,s1⟩ ⇓ s'    ⟦B⟧ s = true
  ------------------------------------------------------ B-WHILE.T
  ⟨while B do C,s⟩ ⇓ s'
8
Assignments
Evaluate the command (x := E) relative to state s?

Intuition:
(1) evaluate E relative to state s to some value n = ⟦E⟧ s
(2) update state s with new value n for variable x

Inference Rule:

  --------------------------- B-ASS
  ⟨x := E,s⟩ ⇓ s[x ↦ ⟦E⟧ s]

Note: We could also have used big-step or small-step semantics for expressions!

9
The Skip Command
Evaluate command skip relative to state s?

Intuition:
(1) nothing to do

Inference Rule:

  -------------- B-SKIP
  ⟨skip,s⟩ ⇓ s

10
Sequential Composition
Evaluate command C1 ; C2 relative to state s?

Intuition:
(1) evaluate C1 relative to state s, to get new state s1
(2) then evaluate C2 relative to new state s1

Rule:

  ⟨C1,s⟩ ⇓ s1    ⟨C2,s1⟩ ⇓ s'
  ---------------------------- B-SEQ
  ⟨C1 ; C2,s⟩ ⇓ s'

11
If Commands
Evaluate command if B then C1 else C2 relative to state s?

Intuition:
(1) first evaluate B to some Boolean value b
(2) if b equals true evaluate C1 relative to state s
(3) if b equals false evaluate C2 relative to state s

Rules:

  ⟨C1,s⟩ ⇓ s'    ⟦B⟧ s = true
  ------------------------------- B-IF.T
  ⟨if B then C1 else C2,s⟩ ⇓ s'

  ⟨C2,s⟩ ⇓ s'    ⟦B⟧ s = false
  ------------------------------- B-IF.F
  ⟨if B then C1 else C2,s⟩ ⇓ s'
12
While Commands
Evaluate command while B do C relative to state s?

Intuition:
(1) first evaluate B to some Boolean value b
(2) if b equals false nothing to be done
(3) if b equals true evaluate C with state s to get new state s1
(4) then recursively evaluate while B do C relative to s1

Rules:

  ⟦B⟧ s = false
  ---------------------- B-WHILE.F
  ⟨while B do C,s⟩ ⇓ s

  ⟨C,s⟩ ⇓ s1    ⟨while B do C,s1⟩ ⇓ s'    ⟦B⟧ s = true
  ------------------------------------------------------ B-WHILE.T
  ⟨while B do C,s⟩ ⇓ s'
13
Example
Factorial: y := 1; while ¬(x=1) do (y := y * x; x := x - 1)

We assume s1(x) = 2. Write W for while ¬(x=1) do (y := y * x; x := x - 1).

The derivation tree, read from the leaves to the root:

  B-ASS:      ⟨y := 1,s1⟩ ⇓ s2                    where s1[y ↦ 1] = s2
  B-ASS:      ⟨y := y * x,s2⟩ ⇓ s3                where s2[y ↦ 2] = s3
  B-ASS:      ⟨x := x - 1,s3⟩ ⇓ s4                where s3[x ↦ 1] = s4
  B-SEQ:      ⟨y := y * x; x := x - 1,s2⟩ ⇓ s4    from the two preceding B-ASS steps
  B-WHILE.F:  ⟨W,s4⟩ ⇓ s5                         where s4 = s5, since ⟦¬(x=1)⟧ s4 = false
  B-WHILE.T:  ⟨W,s2⟩ ⇓ s5                         from the B-SEQ and B-WHILE.F steps, since ⟦¬(x=1)⟧ s2 = true
  B-SEQ:      ⟨y := 1; W,s1⟩ ⇓ s5                 from the first B-ASS step and the B-WHILE.T step

14
Non-termination
Let C be the command
while ¬(x=1) do (y := y * x; x := x - 1).

We consider s = {x ↦ -1, y ↦ 1}.

Is there any s' such that ⟨C,s⟩ ⇓ s' ?

15
Non-termination
Proof by contradiction:
Assume there is an s with s(x) ≤ 0 such that we can prove ⟨C,s⟩ ⇓ s' for some s'.
Let s be such a state for which ⟨C,s⟩ ⇓ s' can be proven with the fewest number of rule applications, say k rule applications.
Since s(x) ≤ 0 gives ⟦¬(x=1)⟧ s = true, by the definition of the rules for while the last step in deriving ⟨C,s⟩ ⇓ s' was by the rule B-WHILE.T:

  ⟨y := y * x; x := x - 1,s⟩ ⇓ s1    ⟨C,s1⟩ ⇓ s'    ⟦¬(x=1)⟧ s = true
  --------------------------------------------------------------------- B-WHILE.T
  ⟨C,s⟩ ⇓ s'

We see ⟨C,s1⟩ ⇓ s' in the hypothesis, where s1(x) = s(x) - 1 ≤ 0; that means ⟨C,s1⟩ ⇓ s' can be proved by fewer than k rule applications for a state s1 with s1(x) ≤ 0. Contradiction.
16
Properties of Big-step Semantics
Termination (aka Normalisation):
For every state s and every command C there exists some state s' such that ⟨C,s⟩ ⇓ s'.
NO

Determinacy:
If ⟨C,s⟩ ⇓ s1 and ⟨C,s⟩ ⇓ s2 then s1 = s2.
YES

17
The Meaning of Commands
⟦-⟧B : Com → States → States

⟦C⟧B transforms an initial state s into a final state.

Definition:
  ⟦C⟧B(s) = s'   if ⟨C,s⟩ ⇓ s'
  ⟦C⟧B(s) = ⊥    otherwise

Determinacy ensures this is a proper definition.
⊥ stands for 'undefined'.
18
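An added example (not from the slides): the big-step rules B-ASS to B-WHILE.T and the definition of ⟦C⟧B as a Python evaluator over a constructed tuple encoding of While commands; expressions E and B are Python functions on the state, since the rules only use ⟦E⟧ s and ⟦B⟧ s as given. The names bigstep, denotation_B, OutOfFuel and FACTORIAL are this example's own; a bound on the number of rule applications stands in for ⊥ where no derivation is found within it, which is what happens for s(x) = -1 as on slide 15.

```python
# Added example: big-step evaluator for While (constructed tuple-encoded AST).
# Commands:  ('assign', x, E)  ('skip',)  ('seq', C1, C2)
#            ('if', B, C1, C2)  ('while', B, C)
# E and B are Python callables on a state dict, standing in for ⟦E⟧ s / ⟦B⟧ s.

class OutOfFuel(Exception):
    """Raised when no derivation is found within the rule-application bound."""

def bigstep(cmd, s, fuel):
    """Return (s', fuel_left) with ⟨cmd,s⟩ ⇓ s', using at most `fuel` rule applications."""
    if fuel <= 0:
        raise OutOfFuel
    fuel -= 1                          # this call is one rule application
    kind = cmd[0]
    if kind == 'assign':               # B-ASS: s[x ↦ ⟦E⟧ s], a fresh state, not a mutation
        _, x, e = cmd
        return {**s, x: e(s)}, fuel
    if kind == 'skip':                 # B-SKIP
        return s, fuel
    if kind == 'seq':                  # B-SEQ: the two premises, in order
        _, c1, c2 = cmd
        s1, fuel = bigstep(c1, s, fuel)
        return bigstep(c2, s1, fuel)
    if kind == 'if':                   # B-IF.T / B-IF.F
        _, b, c1, c2 = cmd
        return bigstep(c1 if b(s) else c2, s, fuel)
    if kind == 'while':                # B-WHILE.F / B-WHILE.T
        _, b, c = cmd
        if not b(s):
            return s, fuel
        s1, fuel = bigstep(c, s, fuel)
        return bigstep(cmd, s1, fuel)  # recursively evaluate the loop again on s1
    raise ValueError(f"unknown command {kind}")

def denotation_B(cmd, s, fuel=1000):
    """⟦C⟧B(s): the final state if ⟨C,s⟩ ⇓ s' is derivable within `fuel` rule
    applications, otherwise None (standing for ⊥). The default bound keeps the
    recursion depth of a non-terminating loop within Python's stack limit."""
    try:
        return bigstep(cmd, s, fuel)[0]
    except OutOfFuel:
        return None

# The factorial program of the slides: y := 1; while ¬(x=1) do (y := y*x; x := x-1)
FACTORIAL = ('seq',
             ('assign', 'y', lambda s: 1),
             ('while', lambda s: s['x'] != 1,                 # ¬(x = 1)
              ('seq', ('assign', 'y', lambda s: s['y'] * s['x']),
                      ('assign', 'x', lambda s: s['x'] - 1))))

if __name__ == '__main__':
    print(denotation_B(FACTORIAL, {'x': 2, 'y': 0}))   # {'x': 1, 'y': 2}, as on slide 14
    print(denotation_B(FACTORIAL, {'x': 5, 'y': 0}))   # {'x': 1, 'y': 120}: y = s(x)!
    print(denotation_B(FACTORIAL, {'x': -1, 'y': 1}))  # None: no derivation exists
```

The derivation on slide 14 uses exactly 7 rule applications, so a bound of 6 yields ⊥ while a bound of 7 yields the final state.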
Example
Let C be the command
y := 1; while ¬(x=1) do (y := y * x; x := x - 1).

What is ⟦C⟧B?

⟦C⟧B(s) is a state, where

  ⟦C⟧B(s) = {x ↦ 1, y ↦ s(x)!}   if s(x) ≥ 1
  ⟦C⟧B(s) = ⊥                    otherwise

Proof? (Mathematical induction)
19
Semantic Equivalence
Two commands C1 and C2 are semantically equivalent iff ⟦C1⟧B = ⟦C2⟧B.

Lemma
⟦while B do C⟧B = ⟦if B then (C;while B do C) else skip⟧B.

Proof
We split the proof into
  ⟨while B do C,s⟩ ⇓ s' implies ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s'
and
  ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s' implies ⟨while B do C,s⟩ ⇓ s'.
20
⟨while B do C,s⟩ ⇓ s' implies ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s'
Assume ⟨while B do C,s⟩ ⇓ s' and ⟦B⟧ s = true.
By B-WHILE.T there is a proof for ⟨while B do C,s⟩ ⇓ s',
where T1 is a proof for ⟨C,s⟩ ⇓ s1 and T2 is a proof for ⟨while B do C,s1⟩ ⇓ s':

  T1    T2
  ---------------------- B-WHILE.T
  ⟨while B do C,s⟩ ⇓ s'

We construct a new proof:

  T1    T2
  -------------------------- B-SEQ
  ⟨C ; while B do C,s⟩ ⇓ s'
  ----------------------------------------------- B-IF.T
  ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s'
21
⟨while B do C,s⟩ ⇓ s' implies ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s'
Assume ⟨while B do C,s⟩ ⇓ s' and ⟦B⟧ s = false.
By B-WHILE.F we have:

  ---------------------- B-WHILE.F
  ⟨while B do C,s⟩ ⇓ s'

By the B-WHILE.F rule we must have s = s'!

We construct a new proof:

  -------------- B-SKIP
  ⟨skip,s⟩ ⇓ s
  ---------------------------------------------- B-IF.F
  ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s
22
⟨if B then (C;while B do C) else skip,s⟩ ⇓ s' implies ⟨while B do C,s⟩ ⇓ s'.
Assume ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s' and ⟦B⟧ s = true.
This means there is a proof:

  T1    T2
  -------------------------- B-SEQ
  ⟨C ; while B do C,s⟩ ⇓ s'
  ----------------------------------------------- B-IF.T
  ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s'

We construct a new proof:

  T1    T2
  ---------------------- B-WHILE.T
  ⟨while B do C,s⟩ ⇓ s'
23
⟨if B then (C;while B do C) else skip,s⟩ ⇓ s' implies ⟨while B do C,s⟩ ⇓ s'.
Assume ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s' and ⟦B⟧ s = false.
This means there is a proof:

  --------------- B-SKIP
  ⟨skip,s⟩ ⇓ s'
  ----------------------------------------------- B-IF.F
  ⟨if B then (C;while B do C) else skip,s⟩ ⇓ s'

By the B-SKIP rule we must have s = s'!

We construct a new proof:

  ---------------------- B-WHILE.F
  ⟨while B do C,s⟩ ⇓ s
24
Small-step Semantics of While
Judgements:
⟨C,s⟩ → ⟨C',s'⟩   or   ⟨C,s⟩ → s'

Meaning:
Starting from state s, executing command C for one step of computation leads to state s' with command C' remaining to be executed, or simply to state s' when there is no command remaining.

What is a step?
It depends.

25
What is a step?
Decision:
• Ignore how expressions and Booleans are evaluated
• One step consists of
  – a state update
  – or a branching decision

We want to concentrate on the execution of commands!

Idea: We consider states s as terminal configurations.
We will ensure that there is no rule s → … .

26
Small-step Semantics of While
  --------------------------- S-ASS
  ⟨x := E,s⟩ → s[x ↦ ⟦E⟧ s]

  -------------- S-SKIP
  ⟨skip,s⟩ → s

  ⟨C1,s⟩ → ⟨C1',s'⟩
  ----------------------------- S-SEQ.STEP
  ⟨C1 ; C2,s⟩ → ⟨C1' ; C2,s'⟩

  ⟨C1,s⟩ → s'
  ------------------------ S-SEQ.FINAL
  ⟨C1 ; C2,s⟩ → ⟨C2,s'⟩

  ⟦B⟧ s = true
  ----------------------------------- S-IF.T
  ⟨if B then C1 else C2,s⟩ → ⟨C1,s⟩

  ⟦B⟧ s = false
  ----------------------------------- S-IF.F
  ⟨if B then C1 else C2,s⟩ → ⟨C2,s⟩

  ⟦B⟧ s = false
  ---------------------- S-WHILE.F
  ⟨while B do C,s⟩ → s

  ⟦B⟧ s = true
  ------------------------------------------ S-WHILE.T
  ⟨while B do C,s⟩ → ⟨C;while B do C,s⟩
27
Assignments
Execute the command (x := E) relative to state s?

Intuition:
(1) evaluate E relative to state s to some value n = ⟦E⟧ s
(2) update state s with new value n for variable x

Inference Rule:

  --------------------------- S-ASS
  ⟨x := E,s⟩ → s[x ↦ ⟦E⟧ s]

One step suffices for the entire execution, ignoring the evaluation of E.
28
The Skip Command
Execute command skip relative to state s?

Intuition:
• skip has no effect on the state s, i.e., the final state equals the initial state

Rule:

  -------------- S-SKIP
  ⟨skip,s⟩ → s

29
Sequential Composition
Execute command C1 ; C2 relative to state s?

Intuition:
(1) execute one step of C1 relative to state s
(2) if C1 has terminated start executing C2

Rules:

  ⟨C1,s⟩ → ⟨C1',s'⟩
  ----------------------------- S-SEQ.STEP
  ⟨C1 ; C2,s⟩ → ⟨C1' ; C2,s'⟩

  ⟨C1,s⟩ → s'
  ------------------------ S-SEQ.FINAL
  ⟨C1 ; C2,s⟩ → ⟨C2,s'⟩
30
If Commands
Execute command if B then C1 else C2 relative to state s?

Intuition:
(1) first evaluate B to some Boolean value b
(2) if b equals true execute C1 relative to state s
(3) if b equals false execute C2 relative to state s

Rules:

  ⟦B⟧ s = true
  ----------------------------------- S-IF.T
  ⟨if B then C1 else C2,s⟩ → ⟨C1,s⟩

  ⟦B⟧ s = false
  ----------------------------------- S-IF.F
  ⟨if B then C1 else C2,s⟩ → ⟨C2,s⟩
31
While Commands
Execute command while B do C relative to state s?

Intuition:
(1) first evaluate B to some Boolean value b
(2) if b equals false then terminate
(3) if b equals true create a copy of C to be executed before while B do C

Rules:

  ⟦B⟧ s = false
  ---------------------- S-WHILE.F
  ⟨while B do C,s⟩ → s

  ⟦B⟧ s = true
  ------------------------------------------ S-WHILE.T
  ⟨while B do C,s⟩ → ⟨C;while B do C,s⟩
32
Alternative: While Commands
Execute command while B do C relative to state s?

Intuition:
• combination of (if B then C1 else C2) and sequential composition

Rule:

  ------------------------------------------------------------- S-WHILE
  ⟨while B do C,s⟩ → ⟨if B then (C;while B do C) else skip,s⟩
33
Example
Factorial: y := 1; while ¬(x=1) do (y := y * x; x := x - 1)

We assume s1(x) = 2. Write W for while ¬(x=1) do (y := y * x; x := x - 1).

Single steps used to justify the run:
  ⟨y := 1,s1⟩ → s2                                   where s2 = s1[y ↦ 1]   (S-ASS)
  ⟨y := y * x,s2⟩ → s3                               where s3 = s2[y ↦ 2]   (S-ASS)
  ⟨(y := y * x; x := x - 1),s2⟩ → ⟨x := x - 1,s3⟩                           (S-SEQ.FINAL)
  ⟨x := x - 1,s3⟩ → s4                               where s4 = s3[x ↦ 1]   (S-ASS)

The complete run:
  ⟨y := 1; W,s1⟩
  → ⟨W,s2⟩                                   (S-SEQ.FINAL)
  → ⟨(y := y * x; x := x - 1); W,s2⟩         (S-WHILE.T, since ⟦¬(x=1)⟧ s2 = true)
  → ⟨x := x - 1; W,s3⟩                       (S-SEQ.STEP)
  → ⟨W,s4⟩                                   (S-SEQ.FINAL)
  → s4                                       (S-WHILE.F, since ⟦¬(x=1)⟧ s4 = false)

43
Small-step vs Big-step Semantics
  ⟨C1,s⟩ → ⟨C1',s'⟩
  ----------------------------- S-SEQ.STEP
  ⟨C1 ; C2,s⟩ → ⟨C1' ; C2,s'⟩

  ⟨C1,s⟩ → s'
  ------------------------ S-SEQ.FINAL
  ⟨C1 ; C2,s⟩ → ⟨C2,s'⟩

  ⟨C1,s⟩ ⇓ s1    ⟨C2,s1⟩ ⇓ s'
  ---------------------------- B-SEQ
  ⟨C1 ; C2,s⟩ ⇓ s'

Small-step semantics requires additional bookkeeping!
44
Running Commands
To run command C from state s:
Find state s' such that ⟨C,s⟩ →* s'.

Configurations s are terminal.

Note that there is no rule such that s → … .

45
Running commands: Infinite Loops
Let C be the command while true do skip.
⟨C,s⟩ → ⟨skip;C,s⟩ → ⟨C,s⟩ → ⟨skip;C,s⟩ → …
Thus, there is no state s' such that ⟨C,s⟩ →* s'!

Progress property:
Configurations s are terminal.
For every configuration ⟨C,s⟩ there is either a step ⟨C,s⟩ → ⟨C',s'⟩ or a step ⟨C,s⟩ → s'.

46
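An added example (not from the slides): the small-step rules S-ASS to S-WHILE.T as a Python step function over a constructed tuple encoding of While commands, with expressions as Python functions on the state so that each step is a state update or a branching decision, as decided on slide 26. The names step, run, FACTORIAL and LOOP are this example's own; run iterates steps until a terminal configuration and gives up after a step bound, which is the only way a program can observe that while true do skip never reaches a state.

```python
# Added example: small-step semantics for While (constructed tuple-encoded AST).
# Commands:  ('assign', x, E)  ('skip',)  ('seq', C1, C2)
#            ('if', B, C1, C2)  ('while', B, C)
# E and B are Python callables on a state dict, standing in for ⟦E⟧ s / ⟦B⟧ s.

def step(cmd, s):
    """One step ⟨cmd,s⟩ → ... ; returns (C', s') or (None, s') for a terminal state."""
    kind = cmd[0]
    if kind == 'assign':                    # S-ASS: one step, E evaluated as a whole
        _, x, e = cmd
        return None, {**s, x: e(s)}
    if kind == 'skip':                      # S-SKIP
        return None, s
    if kind == 'seq':                       # S-SEQ.STEP / S-SEQ.FINAL
        _, c1, c2 = cmd
        c1_next, s1 = step(c1, s)
        return (c2, s1) if c1_next is None else (('seq', c1_next, c2), s1)
    if kind == 'if':                        # S-IF.T / S-IF.F: a branching decision
        _, b, c1, c2 = cmd
        return (c1 if b(s) else c2), s
    if kind == 'while':                     # S-WHILE.T unfolds one copy of C; S-WHILE.F stops
        _, b, c = cmd
        return (('seq', c, cmd), s) if b(s) else (None, s)
    raise ValueError(f"unknown command {kind}")

def run(cmd, s, max_steps=10_000):
    """⟨cmd,s⟩ →* s' by iterating `step`. Returns (s', k) with k the number of steps,
    or (None, max_steps) if no terminal configuration is reached within the bound
    (a bounded stand-in for ⊥: the progress property guarantees a next step, so an
    infinite loop would otherwise iterate forever)."""
    k = 0
    while k < max_steps:
        cmd, s = step(cmd, s)
        k += 1
        if cmd is None:                     # terminal configuration: a bare state
            return s, k
    return None, max_steps

# Programs of the slides (constructed encodings):
FACTORIAL = ('seq',
             ('assign', 'y', lambda s: 1),
             ('while', lambda s: s['x'] != 1,                 # ¬(x = 1)
              ('seq', ('assign', 'y', lambda s: s['y'] * s['x']),
                      ('assign', 'x', lambda s: s['x'] - 1))))
LOOP = ('while', lambda s: True, ('skip',))                  # while true do skip

if __name__ == '__main__':
    print(run(FACTORIAL, {'x': 2, 'y': 0}))   # ({'x': 1, 'y': 2}, 5): the 5 steps of slide 43
    print(run(LOOP, {'x': 0}, max_steps=50))  # (None, 50): never reaches a state
```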
Properties of Small-step Semantics
Lemma:
If ⟨C1;C2,s⟩ →^k s' then there exists a state s'' and natural numbers k1 and k2 such that ⟨C1,s⟩ →^k1 s'' and ⟨C2,s''⟩ →^k2 s', where k1 + k2 = k.

Lemma:
If ⟨C1,s⟩ →^k s' then ⟨C1;C2,s⟩ →^k ⟨C2,s'⟩.

Determinacy:
If ⟨C,s⟩ →* s1 and ⟨C,s⟩ →* s2 then s1 = s2.
47
The Meaning of Commands
⟦-⟧S : Com → States → States

⟦C⟧S transforms an initial state s into a final (aka terminal) state.

Definition:
  ⟦C⟧S(s) = s'   if ⟨C,s⟩ →* s'
  ⟦C⟧S(s) = ⊥    otherwise

Determinacy ensures this is a proper definition.
⊥ stands for 'undefined'.
48
An Equivalence Result
Theorem
For all commands C we have ⟦C⟧B = ⟦C⟧S.

Proof
We split the proof into the two lemmas for the cases
  ⟨C,s⟩ →* s' implies ⟨C,s⟩ ⇓ s'
and
  ⟨C,s⟩ ⇓ s' implies ⟨C,s⟩ →* s'.
49
Mathematical Induction
Allows us to prove a property P(n) for every natural
number n:
• Base Case:
– prove P(0) is true using known facts
• Induction Case:
– assume the inductive hypothesis: P(k) is true
– prove P(k+1) is true using known facts and the
inductive hypothesis

Example: ∑i=1..n (2i - 1) = n²

50
Strong Mathematical Induction
To prove a property P(n) for every natural number n:
• Consider some number k.
• Assume the inductive hypothesis: P(k') is true for every number k' < k
• Prove P(k) is true using known facts and the inductive hypothesis

Note: There is no distinction between the base case and the induction case!

Example: Every number is a product of prime numbers.

51
Structural Induction
Consider some inductively defined structure given by
axioms and constructors, e.g.,
Tree ::= Leaf | Branch(Tree,Tree).

To prove a property P(T) for every tree T:
• Base case (T = Leaf):
  – prove P(Leaf) is true using known facts
• Induction case (T = Branch(T1,T2)):
  – assume the inductive hypothesis: P(T1) and P(T2) are true
  – prove P(T) is true using known facts and the inductive hypothesis

52
Example
leaves(Leaf) = 1
leaves(Branch(T1,T2)) = leaves(T1) + leaves(T2)

branches(Leaf) = 0
branches(Branch(T1,T2)) = branches(T1) + branches(T2) + 1

leaves(T) = branches(T) + 1 for every Tree T.

53
Rule Induction for Deductive Systems
Assume some universe of elements U.

We define a deductive system D by

Axioms: an element a of U
Rules:
  h1  ...  hn
  -----------
       c
where h1, …, hn, c are elements of U.
Let D(U) be the set of elements that can be derived from the axioms and rules.
54
Rule Induction for Deductive Systems
To prove a property P(t) for every t ∈ D(U):
• Base Case (for every axiom):
  – prove P(a) using known facts
• Induction Case (for every rule):
  – assume the inductive hypothesis: P(hi) is true for every hypothesis hi
  – prove P(c) is true using known facts and the inductive hypothesis

55
⟨C,s⟩ ⇓ s' implies ⟨C,s⟩ →* s'
The proof proceeds by rule induction on ⟨C,s⟩ ⇓ s'.

Case B-ASS:
We assume ⟨x := E,s⟩ ⇓ s[x ↦ ⟦E⟧ s].
From S-ASS we get ⟨x := E,s⟩ → s[x ↦ ⟦E⟧ s].

Case B-SKIP: similar.

56
⟨C,s⟩ ⇓ s' implies ⟨C,s⟩ →* s'
Case B-SEQ:
We assume ⟨C1 ; C2,s⟩ ⇓ s' has been derived from ⟨C1,s⟩ ⇓ s'' and ⟨C2,s''⟩ ⇓ s'.
The induction hypothesis can be applied to both premises ⟨C1,s⟩ ⇓ s'' and ⟨C2,s''⟩ ⇓ s'.
This gives us ⟨C1,s⟩ →* s'' and ⟨C2,s''⟩ →* s'.
According to the lemma on slide 47 we have ⟨C1 ; C2,s⟩ →* ⟨C2,s''⟩.
Thus ⟨C1 ; C2,s⟩ →* s'.

57
⟨C,s⟩ ⇓ s' implies ⟨C,s⟩ →* s'
Case B-IF.T:
We assume ⟨if B then C1 else C2,s⟩ ⇓ s' has been derived from ⟨C1,s⟩ ⇓ s' and ⟦B⟧ s = true.
The induction hypothesis can be applied to the premise ⟨C1,s⟩ ⇓ s'.
This gives us ⟨C1,s⟩ →* s'.
From S-IF.T we get ⟨if B then C1 else C2,s⟩ → ⟨C1,s⟩.
Thus ⟨if B then C1 else C2,s⟩ →* s'.

Case B-IF.F: Analogous.

58
⟨C,s⟩ ⇓ s' implies ⟨C,s⟩ →* s'
Case B-WHILE.T:
We assume ⟨while B do C,s⟩ ⇓ s' has been derived from ⟨C,s⟩ ⇓ s'', ⟨while B do C,s''⟩ ⇓ s' and ⟦B⟧ s = true.
The induction hypothesis can be applied to both premises ⟨C,s⟩ ⇓ s'' and ⟨while B do C,s''⟩ ⇓ s'.
This gives us ⟨C,s⟩ →* s'' and ⟨while B do C,s''⟩ →* s'.
According to the lemma on slide 47 we have ⟨C ; while B do C,s⟩ →* ⟨while B do C,s''⟩.
From S-WHILE.T we get ⟨while B do C,s⟩ → ⟨C ; while B do C,s⟩.
Together we get ⟨while B do C,s⟩ →* s'.

Case B-WHILE.F: Straightforward.


59
⟨C,s⟩ →* s' implies ⟨C,s⟩ ⇓ s'
The proof proceeds by (strong mathematical) induction on the length of the derivation sequence ⟨C,s⟩ →^k s', i.e., by induction on k.
Induction hypothesis: We consider ⟨C,s⟩ →^(k+1) s' and assume the lemma holds for all 0 ≤ k' ≤ k.
We proceed by case distinction on the command C in ⟨C,s⟩ →^(k+1) s'.
Cases x := E, skip: Straightforward.

60
⟨C,s⟩ →* s' implies ⟨C,s⟩ ⇓ s'
Case C1 ; C2:
We assume that ⟨C1 ; C2,s⟩ →^(k+1) s'.
According to the lemma on slide 47 we have ⟨C1,s⟩ →^k1 s'' and ⟨C2,s''⟩ →^k2 s' for some state s'' and some numbers k1 and k2 with k1 + k2 = k+1.
Because of k1 ≤ k and k2 ≤ k the induction hypothesis can be applied to both derivation sequences ⟨C1,s⟩ →^k1 s'' and ⟨C2,s''⟩ →^k2 s'.
This gives us ⟨C1,s⟩ ⇓ s'' and ⟨C2,s''⟩ ⇓ s'.
From B-SEQ we get ⟨C1 ; C2,s⟩ ⇓ s'.

61
⟨C,s⟩ →* s' implies ⟨C,s⟩ ⇓ s'
Case if B then C1 else C2:
We have ⟨if B then C1 else C2,s⟩ → ⟨Ci,s⟩ →^k s', where i=1 resp. i=2 for ⟦B⟧ s = true resp. false.
The induction hypothesis can be applied to the derivation sequence ⟨Ci,s⟩ →^k s'.
This gives us ⟨Ci,s⟩ ⇓ s'.
From B-IF.T resp. B-IF.F we get ⟨if B then C1 else C2,s⟩ ⇓ s'.

62
⟨C,s⟩ →* s' implies ⟨C,s⟩ ⇓ s'
Case while B do C:
⟦B⟧ s = false: We have ⟨while B do C,s⟩ → s.
From B-WHILE.F we get ⟨while B do C,s⟩ ⇓ s.

⟦B⟧ s = true: We have ⟨while B do C,s⟩ → ⟨C ; while B do C,s⟩ →^k s'.
The induction hypothesis can be applied to the derivation sequence ⟨C ; while B do C,s⟩ →^k s'.
This gives us ⟨C ; while B do C,s⟩ ⇓ s'.
From B-SEQ we get ⟨C,s⟩ ⇓ s'' and ⟨while B do C,s''⟩ ⇓ s' for some state s''.
From B-WHILE.T we get ⟨while B do C,s⟩ ⇓ s'.

63
