Unifying Theories of Programming

Size: px

Start display at page:

Download "Unifying Theories of Programming"

Delphia Terry
5 years ago
Views:

1 1&2 Unifying Theories of Programming Unifying Theories of Programming 3&4 Theories Unifying Theories of Programming designs predicates relations reactive CSP processes Jim Woodcock University of York May 2006 Unifying Theories of Programming C. A. R. Hoare & He Jifeng, Prentice Hall, 1998 alphabetised relations as unifying basis for programming linking many different computational paradigms relations between initial and intermediate or final observation

2 5&6 Unifying Theories of Programming Unifying Theories of Programming 7&8 Alphabetised Relational Calculus 1. Observations Theories alphabet: external observations of behaviour signature: syntax for denoting objects of theory healthiness conditions: identify interesting sub-theories programs designs specifications Jim Woodcock University of York May Introduction 1. observations 2. the alphabetised relatinal calculus 3. the complete lattice 4. specifications Observable variabes alphabet: variables describe relevant aspects of behaviour observations: relation between initial and after values external variables: globally shared with real world clock, l, okay, ref, resource, tr, wait,

3 9&10 Unifying Theories of Programming Unifying Theories of Programming 11&12 2. The alphabetised relational calculus Terminology Healthiness conditions feasible descriptions of reality increase towards code P = φ(p), for idempotent φ links to translate designs into implementations an alphabet is a set of observation names okay, trace, wait, ref, l, a relation P, Q,...,true is an alphabet-predicate pair freevars(p) αp αp = inαp outαp homogeneous: outαp = inαp condition: b, c, d,...,true outα b = similar to Z s schema calculus much simpler: untyped Examples time travel 1 B = clock clock tr prefix tr P B (P = P B) for all programs P time travel 2 T = okay T P (P = T P) for all programs P proper initialisation and finalisation J = J ; J and K = K ; K Conjunction P Q x satisfies P Q iff x satisfies P and x satisfies Q α(p Q ) = αp αq (x := x + z y := y w) = (x = x + z y = y w) = (x, y := x + z, y w) P(x, y) Q (y, z) P = J ; P and P = P ; K for all programs P

4 13&14 Unifying Theories of Programming Unifying Theories of Programming 15&16 Correctness [ P ]: universal closure of P S P iff [ P S ] example: specification x > x y = y implementation x, y := x + 1, y correctness [ x, y := x + 1, y x > x y = y ] = [ x = x + 1 y = y x > x y = y ] = true L1 P b P = P idempotence L2 P b Q = Q b P symmetry L3 (P b Q ) c R = P b c (Q c R) associativity L4 P b (Q c R) = (P b Q ) c (P b R) distrib. L5 P true Q = P = Q false P unit L6 P b (Q b R) = P b R L7 P b (P c Q ) = P b c Q L8 (P Q ) b (R S) = (P b R) (Q b S) exchange L9 (P b Q ) = ( P b Q ) not-conditional L10 (P b Q ) (R b S) = (P R) b (Q S) [conditional-and-not-conditional] L11 L12 (P (Q b R)) = ((P Q ) b (P R)) implies-cond.-1 ((P b Q ) R) = ((P R) b (Q R)) implies-cond.-2 Conditional P b Q = (b P) ( b Q ) if αb αp = αq α(p b Q ) = αp L13 (P b Q ) R = (P R) b (Q R) cond.-conjunction L14 (P b Q ) R = (P R) b (Q R) cond.-disjunction L15 b (P b Q ) = (b P) left-simplification-1 L16 b (P b Q ) = ( b Q ) right-simplification-2 L17 (P b Q ) = ((b P) b Q ) left-condition L18 (P b Q ) = (P b ( b Q )) right-condition

5 17&18 Unifying Theories of Programming Unifying Theories of Programming 19&20 Proof of L6 (P b (Q b R)) = ((Q b R) b P) [by L2] = (Q b b (R b P)) [by L3] = (Q false (R b P)) [by propositional calculus] = (R b P) [by L5] = (P b R) [by L2] Refinement to conditional P (Q b R) = [(Q b R) P ] = [ b Q b R P ] = [ b Q P ] [ b R P ] = ( P b Q ) ( P b R ) Proof of L7 (P b (P c Q )) = ((Q c P) b P [by L2] = (Q c b (P b P)) [by L3] = (Q c b P) [by L1] = (P b c Q ) [by L2] Separation of requirements ((P Q ) R) = (P R) (Q R)

6 21&22 Unifying Theories of Programming Unifying Theories of Programming 23&24 Composition P(v ) ; Q (v) = v 0 P(v 0 ) Q (v 0 ) if outαp = inαq ={v } inα(p(v ) ; Q (v)) = inαp outα(p(v ) ; Q (v)) = outαq L1 P ; (Q ; R) = (P ; Q ) ; R associativity L2 (P b Q ) ; R = ((P ; R) b (Q ; R)) left distribution Laws of assignment L1 (x := e) = (x, y := e, y) L2 (x, y, z := e, f, g) = (y, x, z := f, e, g) L3 (x := e ; x := f (x)) = (x := f (e)) L4 (x := e ; (P b(x) Q )) = ((x := e ; P) b(e) (x := e ; Q )) L5 P ; I αp = P = I αp ; P unit L6 v = e ; P = P[e/v] where αp ={v, v } left-one-point L7 P ; v = e = P[e/v ] where αp ={v, v } right-one-point Assignment for A ={x, y,...,z, x, y,...,z } and αe in(a) x := A e = (x = e y = y z = z) α(x := A e) = A I A = (v = v) if A ={v, v } αi A = A Array assignment array-valued variables assignment to ith element: w[i] := e w := w {i e} w x = (x i dom x w)

7 25&26 Unifying Theories of Programming Unifying Theories of Programming 27&28 Nondeterminism P Q = P Q if αp = αq α(p Q ) = αp L1 P Q = Q P symmetry L2 P (Q R) = (P Q ) R associativity L3 P P = P idempotence L4 P (Q R) = (P Q ) (P R) distributivity L5 (P b (Q R)) = (P b Q ) (P b R) distributivity L6 (P Q ) ; R = (P ; R) (Q ; R) distributivity L7 P ; (Q R) = (P ; Q ) (P ; R) distributivity L8 P (Q b R) = ((P Q ) b (P R)) distributivity Monotonicity F is monotonic iff P Q F (P) F (Q ) disjunctive operators are always monotonic suppose that P P and is disjunctive P Q P Q = ((P Q ) (P Q ) = P Q ) = ((P P ) Q = P Q ) monotonic operators aren t always disjunctive P 2 = P ; P (Q R) 2 = Q 2 R 2 (Q ; R) (R ; Q ) Q 2 R 2 Refinement and nondeterminism P Q = P = (P Q P) (P P Q ) = [ P P Q ] [ P Q P ] = [ P P Q ] [ P Q P ] = true [ P Q P ] = [ Q P ] = P Q Conjunction P Q = P Q α(p Q ) = αp αq

8 29&30 Unifying Theories of Programming Unifying Theories of Programming 31&32 Example of complete lattice natural numbers ordered by divisibility 3. The complete lattice Definition: Complete lattice A lattice is a partially ordered set, in which all non-empty finite subsets have both a least upper-bound (join) and a greatest lower bound (meet). A complete lattice is a lattice in which all subsets have both a join and a meet. partial order m n ( k k m = n ) 1 is bottom (exactly divides every other number) 0 is top (it can be divided exactly by every other number) join of finite sets is least common multiple join of infinite sets is 0 meet is greatest common divisor for infinite sets gcd be greater than 1 example: set of all even numbers has 2 as gcd Abort and miracle Example of complete lattice power set of S ordered by inclusion. empty set is least element S is greatest element A α A A α A = true = A = false = A union is join intersection is meet for all P with alphabet A L1 [ P A ] L2 [ A P ]

9 33&34 Unifying Theories of Programming Unifying Theories of Programming 35&36 Recursion Laws of the lattice L1 [ P S ] iff ([P X ] for all X in S ) L1A [ S X ] for all X in S L1B if [ P X ] for all X in S, then [ P S ] L2 ( S ) Q = { P Q P S } L3 ( S ) Q = { P Q P S } L4 ( S ) ; Q = { P ; Q P S } L5 R ; ( S ) = { R ; P P S } weakest fixed-point μ F = { X [ X F (X )]} μ X C(X ) = μ F where F = λ X C(X ) μ X X = true L1 [ Y μ F ] if [ Y F (Y )] weakest fixed-point L2 [ F (μ F ) = μ F ] fixed-point strongest fixed-point is dual of wfp Recursion: weakest fixed-point alphabetised relations form a complete lattice all operators are monotonic every construction is monotonic Tarski: complete lattice of fixed-points is strongest fixed-point of X = P ; X is weakest fixed-point Proof of L1 F (Y ) Y = Y {X F (X ) X } [by comprehension] { X F (X ) X } Y [by L1A] = μ F Y [by definition of μ F ] so μ F is weaker than any other fixed-point of F

10 37&38 Unifying Theories of Programming Unifying Theories of Programming 39&40 Proof of L2 μ F = F (μ F ) [mutual refinement] = μ F F (μ F ) F (μ F ) μ F [fixed-point L1] F (F (μ F )) F (μ F ) F (μ F ) μ F [F monotonic] F (μ F ) μ F [definition] = F (μ F ) { X F (X ) X } [lattice L1B] X {X F (X ) X } F(μ f ) X [comprehension] = X F (X ) X F (μ F ) X [transitivity of ] X F (X ) X F (μ F ) F (X ) [F monotonic] X F (X ) X μ F X [fixed-point L1] = true Iteration b P = μ X ((P ; X ) b I ) copy rule Bottom { X true }= { X true } = { X true } { X true } = { X true } = [ { X true } ] = [ true { X true } ] = [ { X true } ] = [ X true ] = true Nontermination what s the weakest fixed-point of X = X? μ X X = { Y (λ X X )(Y ) Y } = { Y Y Y } = { Y true } = consequence (for sole state variable x and constant c): ( ; x := c ) = ( x := c )

11 41&42 Unifying Theories of Programming Unifying Theories of Programming 43&44 Recursion: strongest fixed-point dual of the weakest fixed-point νf = μ X F( X ) L1 [νf S ] if [ F (S) S ] strongest fixed-point L2 [ F (νf ) = νf ] fixed-point Conditional termination suppose F terminates whenever C holds [ C μ F = C νf ] fixed-points appear equal within window C L3 false ; P = false = P ; false good enough if specification is C S ν is easier to work with than μ Nontermination strongest fixed-point inappropriate (νx X ) = false = S, for all S consequence: P = P Weakest fixed-point lemma if [ F (C S) (C S)] and [ C (μ F = νf )] then [μf (C S)] pity, since it s the best to reason with any recursion with guaranteed termination single fixed-point: μ F = νf

12 45&46 Unifying Theories of Programming Unifying Theories of Programming 47&48 4. Specifications Hoare logic Hoare logic (also known as Floyd-Hoare logic) is a formal system developed by the British computer scientist C. A. R. Hoare, and subsequently refined by Hoare and other researchers. It was published in Hoare s 1969 paper An axiomatic basis for computer programming. The purpose of the system is to provide a set of logical rules in order to reason about the correctness of computer programs with the rigour of mathematical logic. Hoare logic has axioms and inference rules for all the constructs of a simple imperative programming language. In addition to the rules for the simple language in Hoare s original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers. Hoare acknowledges earlier contributions from Robert Floyd, who had published a similar system for flowcharts. The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form p {Q } r where p and r are assertions and Q is a command. The assertion p is called the precondition and r the postcondition. Assertions are formulas in predicate logic. The intuitive reading of such a triple is: Whenever p holds of the state before the execution of Q, then r will hold afterwards. Note that if Q does not terminate, then there is no after, so r can be any statement at all. Indeed, one can choose r to be false to express that Q does not terminate. This is called partial correctness. If C terminates and at termination Q is true, the expression exhibits "total correctness". Termination would have to be proved separately. p {Q } r = [ Q (p r )] = (p r ) Q L1 if p {Q } r and p {Q } s then p {Q } (r s) L2 if p {Q } r and q {Q } r then (p q) {Q } r L3 if p {Q } r then (p q) {Q } (r s) L4 r(e) {x := e} r(x) L5 if (p b) {Q 1 } r and (p b) {Q 2 } r then p { Q 1 b Q 2 } r L6 if p {Q 1 } s and s {Q 2 } r then p { Q 1 ; Q 2 } r L7 if p {Q 1 } r and p {Q 2 } r then p { Q 1 Q 2 } r L8 if (b c) {Q } c then c { νx (Q ; X ) b I } ( b c) L9 false {Q } r and p {Q } true and p {false} false and p {I } p

13 49&50 Unifying Theories of Programming Unifying Theories of Programming 51&52 Proof of L1 (p {Q } r) (p {Q } s) = (Q (p r )) (Q (p s )) = (Q (p r ) (p s )) = (Q (p r s )) Assumptions and assertions c = I c [assumption] c = I c [assertion] = p {Q } (r s) Proof of L8 suppose that (b c) {Q } c define Y = c b c c { νx (Q ; X ) b I } ( b c) = Y νx (Q ; X ) b I [by definition] Y (Q ; Y ) b I [by sfp L1] = ( Y (b Q ) ; Y ) ( Y b I ) [refinement to cond] = ( Y (b Q ) ; Y ) [ b I (c b c )] [by def] = ( Y (b Q ) ; Y ) true predicate calculus = c { b Q ; Y } ( b c) [by definition] ( c { b Q } c ) ( c { c b c } b c ) [by Hoare L6] = true [by assumption and predicate calculus] Example b ; c = (I b ) ; c [by definition of b ] = ((I ; c ) b ( ; c )) [by -;-left distribution] = (c b ( ; c )) [by assignment.l5] = (c b ) [from above] = ((I c ) b ) [by definition of c ] = (I b c ) [by conditional.l3] = (b c) [by definition of (b c) ]

14 53&54 Unifying Theories of Programming Unifying Theories of Programming 55&56 Extreme solution p(v) { Q (v, v ) } r(v) = [ Q (v, v ) ( p(v) r(v ))] Examples b ; (P b Q ) = b ; P b ; (P b Q ) = b ; P = [ p(v) ( Q (v, v ) r(v ))] = [ p(v) ( v Q (v, v ) r(v ))] = [ p(v) ( v Q (v, v ) r(v ))] = [ p(v) ( v 0 Q (v, v 0 ) r(v 0 ))] = [ p(v) ( Q (v, v ) ; r(v)) ] if W (v) = ( Q (v, v ) ; r(v)) then W (v) { Q (v, v ) } r(v) W is the weakest solution for the precondition for Q to be guaranteed to achieve r wp calculus Q wp r = (Q ; r) Example b ; true ; c = b ; c b ; true ; c L1 ((x := e) wp r(x)) = r(e) L2 ((P ; Q ) wp r) = (P wp (Q wp r)) L3 ((P b Q ) wp r) = ((P wp r) b (Q wp r)) L4 ((P Q ) wp r) = (P wp r) (Q wp r) L5 if [ r s ] then [(Q wp r) (Q wp s)] L6 if [ Q S ] then [(S wp r) (Q wp r)] L7 (Q wp ( R)) = { (Q wp r) r R } L8 (Q wp false) = false if Q ; true = true L9 [(P ; Q ) S ] iff [ P (Q wp S)] weakest prespecification

15 57&58 Unifying Theories of Programming Unifying Theories of Programming 59&60 Variable declarations let A be an alphabet containing x and x var x = ( x I A ) end x = ( x I A ) α( var x ) = A \{x} α( end x ) = A \{x } Example ((var x ) wp r ) = (( x I ) wp r ) [by definition of var x] = (( x I ) ; r ) [by definition of wp] = ( x I ; r ) [relational calculus] = ( x r ) [by assignment.l5] = ( x r ) [by De Morgan s Law] ( var x ; Q ) = ( x Q ) ( Q ; end x ) = ( x Q ) Laws of declaration L1 ( var x ; var y ) = ( var y ; var x ) = ( var x, y ) L2 ( end x ; end y ) = ( end y ; end x ) = ( end x, y ) L3 ( var x ; end y ) = ( end y ; var x ) x, y distinct L4 ( var x ) = { ( var x := k ) k T } L5 ( var x ; ( P b Q ) = ((var x ; P ) b (var x ; Q )) no x in b L6 ( end x ; ( P b Q ) = ((end x ; P ) b (end x ; Q )) no x in b L7 ( var x ; end x ) = I L8 ( end x ; var x := e ) = ( x := e ) L9 ( x := e ; end x ) = ( end x ) Alphabet extension alphabet restriction: var x ; Q ; end x alphabet extension: R +x = R x = x for x, x αr α(r +x ) = αr {x, x } if R doesn t mention x, then L10 var x ; R +x ; P ; end x = R ; var x ; P ; end x L11 var x ; P ; R +x ; end x = var x ; P ; end x ; R

16 61&62 Unifying Theories of Programming A model for ARC P = x = on αp = {x, y} P ={{x on, y on}, {x on, y off}} sets of functions, each total over the alphabet formalised as deep embedding in Z/Eves and ProofPowerZ Types adding a simple type system to ARC Type ::= basic Name power Type product Type labelled Type suppose that τ : αp Type for αp = x,...,z Z = x τ(x) z τ(z) P is well typed: P = P Z

A Tutorial Introduction to CSP in Unifying Theories of Programming

A Tutorial Introduction to CSP in Unifying Theories of Programming Ana Cavalcanti and Jim Woodcock Department of Computer Science University of York Heslington, York YO10 5DD, UK {Ana.Cavalcanti,Jim.Woodcock}@cs.york.ac.uk