MP 5 Program Transition Systems and Linear Temporal Logic

Transcription

1 MP 5 Program Transition Systems and Linear Temporal Logic CS 477 Spring 2018 Revision 1.0 Assigned April 10, 2018 Due April 17, 2018, 9:00 PM Extension extend48 hours (penalty 20% of total points possible) 1 Change Log 1.0 Initial Release. 2 Objectives and Background The purpose of this MP is to test the student s understanding of Program transition systems, proofs about linear temporal logic formulae, and proofs that linear temporal logic formulae hold of Program transition systems Another purpose of MPs in general is to provide a framework to study for the exam. Several of the questions on the exam will appear similar to the MP problems. 3 Turn-In Procedure A skeleton version of the file mp5.thy for this assignment should be found in the assignments/mp5/ subdirectory of your svn directory for this course. You should put code answering each of the problems below in the file mp5.thy. Your completed mp5.thy file should be put in the assignments/mp5/ subdirectory of your svn directory (where it was originally found) and committed as follows: svn commit -m "Turning in mp5" Please read the Instructions for Submitting Assignments in 4 Infinite Sequences An infinite sequence is a function from natural numbers to sequence elements. Looking up the i th element of in infinite sequence is just applying the function to i. Other operations we will need on include taking the first i elements as a list, dropping the first i elements to get the i th tail sequence, adding an element onto the front of an infinite sequence and appending an infinite sequence onto a finite list. 1

2 fun take :: (nat a) nat a list (infix 53 ) where (f 0 ) = [] (f (Suc i)) = (f 0 ) # (f i) definition drop :: (nat a) nat (nat a) (infix 53 ) where (f i) (λn. f (n + i)) lemma drop-0 [simp] : (f 0 ) = f proof (rule ext) fix x show (f 0 ) x = f x by (simp add: drop-def ) lemma drop-add[simp]: (f i) j = (f (i + j )) proof (rule ext) fix k show ((f i) j ) k = (f i + j ) k proof (simp add: drop-def ) have A1 : (k + j + i) = (k + (i + j )) by simp from A1 show f (k + j + i) = f (k + (i + j )) by arith lemma -drop[simp]: (f (Suc n)) m = (f n)(suc m) by (simp add: drop-def ) fun seq-cons (infixr ## 55 ) where (x ## f ) 0 = x (x ## f ) (Suc n) = f n lemma seq-cons: x ## f = (λ n. case n of 0 x Suc m f m) proof (rule ext) fix n show (x ## f ) n = (case n of 0 x Suc m f m) proof (cases n) case 0 then show?thesis by simp case (Suc nat) then show?thesis by simp fun seq-app 56 ) where f = f f = x ## f ) lemma app-seq-app: l2 f = f proof (induction l1 ) 2

3 case Nil then show?case by simp case (Cons a l1 ) then show?case by simp 5 Program Transition Semantics A program transition system is a set of guarded simultaneous assignment statements, where the guard is a boolean expression, and the simultaneous assignment associates a finite sequence of (distinct) variables with a finite sequence (of equal length) of (arithmetic) expressions. datatype data command = guarded-assign data bool-exp var-name list data exp list ( -/ -/ ::= -/ [0,0,0 ] 60 ) fun simultaneous-update where simultaneous-update [] [] m = m simultaneous-update (x # xs) (v # vs) m = simultaneous-update xs vs (m (x := v)) fun one-step-eval :: data command data state data state bool (infixl 55 ) where ((g vars ::= expressions), m) m = (g m m = simultaneous-update vars (List.map (λe. e m) expressions) m) definition is-run :: data command set data state (nat data state) bool where is-run commands m r = ((r 0 = m) ( n. ( c commands. (c, r n) r (Suc n)) (( c commands. m. ((c, r n) m )) r (Suc n) = r n))) lemma is-run-start: is-run commands m r = r 0 = m by (simp add: is-run-def ) lemma is-run-stop : [is-run commands m r; ( c commands. m. ((c, r n) m ))] = (r (n + i) = r n) proof (clarsimp simp add: is-run-def ) assume A1 : c commands. m. (c, r n) m and A2 : n. ( c commands. (c, r n) r (Suc n)) ( c commands. m. (c, r n) m ) r (Suc n) = r n and A3 : m = r 0 show r (n + i) = r n proof (induction i) case 0 then show r (n + 0 ) = r n by simp case (Suc i) assume A4 : r (n + i) = r n from A1 and A2 and A4 3

4 have F1 : r (Suc (n + i)) = r (n + i) r (n + Suc i) = r n by simp from A2 have F2 : ( c commands. (c, r (n + i)) r (Suc (n + i))) ( c commands. m. (c, r (n + i)) m ) r (Suc (n + i)) = r (n + i) by (erule-tac x = n + i in alle) from A1 and F2 and A4 have F3 : r (Suc (n + i)) = r (n + i) by (erule-tac disje, simp-all) from F1 and F3 show r (n + Suc i) = r n by simp lemma stopped-is-run: [( c commands. m. ((c, m) m )); n. (r n = m)] = is-run commands m r by (simp add: is-run-def ) lemma is-run-step-eq: [r 0 = m; c commands; ((c, r 0 ) r (Suc 0 ))] = is-run commands (r (Suc 0 )) (r (Suc 0 )) = is-run commands m r proof (clarsimp simp add: is-run-def ) assume A1 : m = r 0 and A2 : c commands and A3 : (c, r 0 ) r (Suc 0 ) from this show ( n. ( c commands. (c, r (Suc n)) r (Suc (Suc n))) ( c commands. m. (c, r (Suc n)) m ) r (Suc (Suc n)) = r (Suc n)) = ( n. ( c commands. (c, r n) r (Suc n)) ( c commands. m. (c, r n) m ) r (Suc n) = r n) proof (rule-tac iffi, simp-all) assume A4 : n. ( c commands. (c, r (Suc n)) r (Suc (Suc n))) ( c commands. m. (c, r (Suc n)) m ) r (Suc (Suc n)) = r (Suc n) show ( n. ( c commands. (c, r n) r (Suc n)) ( c commands. m. (c, r n) m ) r (Suc n) = r n) proof (rule-tac alli ) fix n show ( c commands. (c, r n) r (Suc n)) ( c commands. m. (c, r n) m ) r (Suc n) = r n proof (case-tac n, simp-all) assume A5 : n = 0 show ( c commands. (c, r 0 ) r (Suc 0 )) ( c commands. m. (c, r 0 ) m ) r (Suc 0 ) = r 0 proof (rule-tac disji1 ) from A2 and A3 show c commands. (c, r 0 ) r (Suc 0 ) by (rule-tac x = c in bexi, simp-all) fix j assume A6 : n = Suc j from A4 show ( c commands. (c, r (Suc j )) r (Suc (Suc j ))) ( c commands. m. (c, r (Suc j )) m ) r (Suc (Suc j )) = r (Suc j ) by simp 4

5 lemma is-run-step-backward : [r 0 = m; c commands; ((c, m) r (Suc 0 )); is-run commands (r (Suc 0 )) (r (Suc 0 ))] = is-run commands m r by (simp add: is-run-step-eq) lemma is-run-step-forward : [ is-run commands m r; r 0 = m; c commands; ((c, m) m )] = ( c commands. (c, m) r (Suc 0 )) is-run commands (r (Suc 0 )) (r (Suc 0 )) proof (clarsimp simp add: is-run-def ) assume A1 : n. ( c commands. (c, r n) r (Suc n)) ( c commands. m. (c, r n) m ) r (Suc n) = r n and A2 : c commands and A3 : (c, r 0 ) m and A4 : m = r 0 from A1 have F1 : ( c commands. (c, r 0 ) r (Suc 0 )) ( c commands. m. (c, r 0 ) m ) r (Suc 0 ) = r 0 by simp from A2 and A3 and F1 show c commands. (c, r 0 ) r (Suc 0 ) by blast 6 Linear Temporal Logic datatype state ltl-formula = ltl-prop state bool ltl-and state ltl-formula state ltl-formula (infixl 55 ) ltl-or state ltl-formula state ltl-formula (infixl 56 ) ltl-imp state ltl-formula state ltl-formula (infixr 54 ) ltl-not state ltl-formula ( ) ltl- state ltl-formula ( ) ltl-always state ltl-formula ( ) ltl-eventually state ltl-formula ( ) ltl-until state ltl-formula state ltl-formula (infixl U 60 ) definition ltl-releases :: state ltl-formula state ltl-formula state ltl-formula (infixl V 60 ) where ϕ V ψ (( ϕ) U ( ψ)) definition ltl-true :: state ltl-formula (True ) where True = ltl-prop (λ q. True) definition ltl-false :: state ltl-formula (False ) where False = ltl-prop (λ q. False) definition ltl-equiv 5

6 :: state ltl-formula state ltl-formula state ltl-formula (infix 52 ) where ϕ ψ ((ϕ ψ) (ψ ϕ)) fun models-ltl :: (nat state) state ltl-formula bool (infix = 50 ) where models-ltl-prop: σ = (ltl-prop p) = p(σ(0 )) models-ltl-and: σ = (ϕ ψ) = ((σ = ϕ) (σ = ψ)) models-ltl-or: σ = (ϕ ψ) = ((σ = ϕ) (σ = ψ)) models-ltl-imp: σ = (ϕ ψ) = ((σ = ϕ) (σ = ψ)) models-ltl-not: σ = ϕ = ( (σ = ϕ)) models-ltl-: σ = ϕ = ((σ 1 ) = ϕ) models-ltl-always: σ = ϕ = ( i. (σ i) = ϕ) models-ltl-eventually: σ = ϕ = ( i. (σ i) = ϕ) models-ltl-until: σ = (ϕ U ψ) = ( i.((σ i) = ψ) ( j. j < i ((σ j ) = ϕ))) lemma models-releases: σ = (ϕ V ψ) = (( i. ((σ i) = ψ)) ( i.((σ i) = ϕ) ( j. j i ((σ j ) = ψ)))) proof (simp add: ltl-releases-def ) show ( i. σ i = ψ ( j <i. σ j = ϕ)) = (( i. σ i = ψ) ( i. σ i = ϕ ( j i. σ j = ψ))) proof (rule iffi ) assume A1 : i. σ i = ψ ( j <i. σ j = ϕ) then show ( i. σ i = ψ) ( i. σ i = ϕ ( j i. σ j = ψ)) proof clarsimp fix i assume A2 : i. σ i = ϕ ( j i. σ j = ψ) from A1 and A2 show σ i = ψ proof (rule-tac Nat.nat-less-induct) fix n assume A3 : m<n. σ m = ψ from A1 and A2 and A3 show σ n = ψ proof (erule-tac x = n in alle) assume A4 : σ n = ψ ( j <n. σ j = ϕ) from A2 and A3 and A4 show?thesis proof (erule-tac disje, simp) assume A5 : j <n. σ j = ϕ from A5 obtain j where F1 : j < n and F2 : σ j = ϕ by auto from A2 and F2 have F3 : ( m j. σ m = ψ) by auto from F3 obtain m where F4 : m j and F5 : σ m = ψ by auto from A3 and F1 and F2 and F3 and F4 and F5 show?thesis by clarsimp 6

7 assume A6 : ( i. σ i = ψ) ( i. σ i = ϕ ( j i. σ j = ψ)) from A6 show i. σ i = ψ ( j <i. σ j = ϕ) proof (erule-tac disje) assume A7 : i. σ i = ψ from A7 show?thesis by clarsimp assume A8 : i. σ i = ϕ ( j i. σ j = ψ) from A8 obtain i where A9 : σ i = ϕ and A10 : j i. σ j = ψ by auto from A9 and A10 show?thesis proof clarsimp fix ia assume A11 : j <ia. σ j = ϕ from A9 and A10 and A11 show σ ia = ψ proof (case-tac ia i) assume A12 : ia i from A9 and A10 and A11 and A12 show?thesis by clarsimp assume A13 : ia i from A9 and A10 and A11 and A13 show?thesis by clarsimp lemma models-later: [(σ i) = ϕ; i = j ] = (σ j ) = ϕ by simp 7 Problems The problems below are designed to step you through some of the pieces of reasoning about Program Transition Systems evaluations, proofs of basic LTL formulae true in all models, and proofs of LTL properties of programs, where the proofs are done in Isabelle. We begin with the execution of a Program Transition System corresponding to a simple while program you worked with in MP4. The original program was 0 WHILE $ x [>] k 0 DO 1 ( y ::= $ y [+] k 1;; 2 x ::= $ x [-] k 1) OD 1. (68 pts) lemma promblem1 : is-run {(($ pc [=] k 0 ) [ ] $ x [>] k 0 [ pc ] ::= [k 1 ]), 7

8 (($ pc [=] k 1 ) [ pc, y ] ::= [k 2, $ y [+] k 1 ]), (($ pc [=] k 2 ) [ pc, x ] ::= [k 0, $ x [ ] k 1 ])} (m( pc := 0, x := 2, y := a)) ((λn. (m( pc := 0, x := 0, y := a + 2 ))) (0 := m( pc := 0, x := 2, y := a), 1 := m( pc := 1, x := 2, y := a), 2 := m( pc := 2, x := 2, y := a + 1 ), 3 := m( pc := 0, x := 1, y := a + 1 ), 4 := m( pc := 1, x := 1, y := a + 1 ), 5 := m( pc := 2, x := 1, y := a + 2 ), 6 := m( pc := 0, x := 0, y := a + 2 ))) It is worth reviewing the section on LTL. In the four problems you are asked to prove LTL formulae that are universally true, and in the case of Problem 4, that one universally true formula implies another, closely related formula is also universally true. You will need to use induction nat.induct on at least one of the four proofs. 2. (4 pts) lemma problem2 : σ = ϕ ϕ ( ϕ) 3. (3 pts) lemma problem3 : ( σ. σ = ϕ) = ( σ. σ = ( ϕ)) 4. (16 pts) lemma problem4 : σ = ( (ϕ ϕ)) (ϕ ( ϕ)) 5. (10 pts) lemma problem5 : σ = ( ( ϕ)) ( ( ϕ)) Finally, you are asked to prove that all runs of the program in Problem 1 satisfy the given LTL formula. 6. (80 pts) lemma problem6 : [is-run {(($ pc [=] k 0 ) [ ] $ x [>] k 0 [ pc ] ::= [k 1 ]), (($ pc [=] k 1 ) [ pc, y ] ::= [k 2, $ y [+] k 1 ]), (($ pc [=] k 2 ) [ pc, x ] ::= [k 0, $ x [ ] k 1 ])} m σ ] = σ = (ltl-prop($ pc [=] k 0 [ ] $ x [=] k 1 [ ] $ y [=] k a)) ( (ltl-prop($ pc [=] k 0 [ ] $ x [=] k 0 [ ] $ y [=] k (a + 1 )))) 8