Kleene Algebra with Tests and Demonic Refinement Algebras

Size: px

Start display at page:

Download "Kleene Algebra with Tests and Demonic Refinement Algebras"

Jane Hodge
5 years ago
Views:

1 Kleene Algebra with Tests and Demonic Refinement Algebras Alasdair Armstrong Victor B. F. Gomes Georg Struth August 28, 2014 Abstract We formalise Kleene algebra with tests (KAT) and demonic refinement algebra (DRA) in Isabelle/HOL. KAT is relevant for program verification and correctness proofs in the partial correctness setting. While DRA targets similar applications in the context of total correctness. Our formalisation contains the two most important models of these algebras: binary relations in the case of KAT and predicate transformers in the case of DRA. In addition, we derive the inference rules for Hoare logic in KAT and its relational model and present a simple formally verified program verification tool prototype based on the algebraic approach. Contents 1 Basis for Demonic Refinement Algebras 2 2 Demonic Refinement Algebras 3 3 Test Dioids 7 4 Kleene Algebra with Tests 16 5 Demonic Refinement Algebra with Tests 18 6 Models for Demonic Refinement Algebra with Tests 20 7 Models for Kleene Algebra with Tests 22 8 Pre-Conway Algebra 23 9 Transformation Theorem for while Loops Hoare Logic 27 1

2 11 Verification Tool Prototype Two sorted Kleene Algebra with Tests Two sorted Demonic Refinement Algebras 33 1 Basis for Demonic Refinement Algebras theory DRA-Base imports../kleene-algebra/kleene-algebra Demonic refinement algebra is based on a Kleene algebra without the right annihilation law x 0 = 0. In the Archive [1], only left Kleene algebras without the right annihilation law exist. So we need to define an expansion. class kleene-algebra-zerol = left-kleene-algebra-zerol + assumes star-inductr: z + y x y z x y These lemmas were copied from AFP (Kleene Algebra). They are also valid without right annihilation. lemma star-inductr-var: y x y = y x y lemma star-inductr-var-equiv: y x y y x y lemma star-sim2 : z x y z = z x y z lemma star-sim3 : z x = y z = z x = y z lemma star-sim4 : x y y x = x y y x lemma star-inductr-eq: z + y x = y = z x y lemma star-inductr-var-eq: y x = y = y x y lemma star-inductr-var-eq2 : y x = y = y x = y lemma bubble-sort: y x x y = (x + y) = x y 2

3 lemma indepence1 : x y = 0 = x y = y lemma indepence2 : x y = 0 = x y = x lemma lazycomm-var: y x x (x + y) + y y x x (x + y) + y lemma arden-var: ( y v. y x y + v y x v) = z = x z + w z = x w lemma ( x y. y x y y = 0 ) = y x y + z = y x z 2 Demonic Refinement Algebras theory DRA imports DRA-Base A demonic refinement algebra [8] is a Kleene algebra without right annihilation plus an operation for possibly infinite iteration. class dra = kleene-algebra-zerol + fixes strong-iteration :: a a (- [101 ] 100 ) assumes iteration-unfoldl [simp] : 1 + x x = x and coinduction: y z + x y y x z and isolation [simp]: x + x 0 = x is an abort statement, defined as an infinite skip. It is the maximal element of any DRA. abbreviation top-elem :: a ( ) where 1 Simple/basic lemmas about iteration operator lemma iteration-refl: 1 x lemma top-ref : x lemma top-mult-annil[simp]: x = 3

4 lemma top-add-annil[simp]: + x = lemma top-elim: x y x lemma iteration-unfoldl-distl: y x = y + y x x lemma iteration-unfoldl-distr: x y = y + x x y lemma iteration-unfoldl : z x y = z y + z x x y lemma iteration-idem[simp]: x x = x lemma iteration-induct: x x x x lemma iteration-ref-star: x x lemma iteration-subdist: x (x + y) lemma iteration-iso: x y = x y lemma iteration-unfoldr: 1 + x x = x lemma iteration-unfoldr-distl: y x = y + y x x lemma iteration-unfoldr-distr: x y = y + x x y lemma iteration-unfold-eq: x x = x x lemma iteration-unfoldr : z x y = z y + z x x y lemma iteration-double[simp]: (x ) = lemma star-iteration[simp]: (x ) = 4

5 lemma iteration-star[simp]: (x ) = x lemma iteration-star2 [simp]: x x = x lemma iteration-zero[simp]: 0 = 1 lemma iteration-annil[simp]: (x 0 ) = 1 + x 0 lemma iteration-subdenest: x y (x + y) lemma sup-id-top: 1 y = y = lemma iteration-top[simp]: x = Next, we prove some simulation laws for data refinement. lemma iteration-sim: z y x z = z y x z Nitpick gives a counterexample to the dual simulation law. lemma y z z x = y z z x Next, we prove some sliding laws. lemma iteration-slide-var: x (y x) (x y) x lemma iteration-prod-unfold: (y x) = 1 + y (x y) x lemma iteration-slide: x (y x) = (x y) x Nitpick refutes the next lemma. lemma (x y ) = (x y) lemma star-iteration-slide: (x y) = y (x y) The following laws are called denesting laws. 5

6 lemma iteration-sub-denest: (x + y) x (y x ) lemma iteration-denest: (x + y) = x (y x ) lemma iteration-denest2 : (x + y) = y x (x + y) + y lemma iteration-denest3 : (x + y) = (y x) y Now we prove separation laws for reasoning about distributed systems in the framework of action systems. lemma iteration-sep: y x x y = (x + y) = x y lemma iteration-sim2 : y x x y = y x x y lemma iteration-sep2 : y x x y = (x + y) = x y lemma iteration-sep3 : y x x (x + y) = (x + y) = x y lemma iteration-sep4 : [y 0 = 0 ; z x = 0 ; y x (x + z) y ] = (x + y + z) = x (y + z) Finally, we prove some blocking laws. Nitpick refutes the next lemma. lemma x y = 0 = x y = y lemma iteration-idep: x y = 0 = x y = x Nitpick refutes the next lemma. lemma y w x y + z = y w x z At the of this file, we consider a data refinement example from von Wright [8]. lemma data-refinement: assumes s s z z e e z a a z z b z b = b shows s (a + b) e s a e 6

7 3 Test Dioids theory Test-Dioids imports../../kleene-algebra/dioid Tests are embedded in a weak dioid, a dioid without the right annihilation and left distributivity axioms, using an operator t defined by a complementation operator. This allows us to use tests in weak settings, such as Probabilistic Kleene Algebra and Demonic Refinement Algebra. class near-dioid-tests-zerol = ab-near-semiring-one-zerol + plus-ord + fixes comp-op :: a a (n- [90 ] 91 ) assumes test-one: n n 1 = 1 and test-mult: n n (n n x n n y) = n n y n n x and test-mult-comp: n x n n x = 0 and test-de-morgan: n x + n y = n (n n x n n y) lemma add-idem [simp]: x + x = x subclass near-dioid-one-zerol lemma x (y + z) = x y + x z lemma n n x (y + z) = n n x y + n n x z A test operator t can then be defined as an abbreviation of applying n twice. The elements of the image, t(k), form a Boolean algebra, but we do not express this in Isabelle. Instead, we prove all the obvious laws of Boolean algebra. abbreviation test-operator :: a a (t- [100 ] 101 ) where t x n (n x) lemma test-zero[simp]: t 0 = 0 lemma test-distrib-left: t x (t y + t z) = (t x t y) + (t x t z) 7

8 lemma test-distrib-right: (t x + t y) t z = (t x t z) + (t y t z) lemma test-mult-idem[simp]: t x t x = t x lemma test-idem[simp]: t t x = t x lemma test-add-closed[simp]: t (t x + t y) = t x + t y lemma test-mult-comm: t x t y = t y t x lemma test-add-comm: t x + t y = t y + t x lemma test-mult-assoc: t x (t y t z) = (t x t y) t z lemma test-add-assoc: t x + (t y + t z) = (t x + t y) + t z lemma test-add-comp: n x + t x = 1 lemma n x t x = 0 lemma test-mult-lb1 : t x t y t x lemma test-mult-lb2 : t x t y t y lemma test-add-lb: t x (t x + t y) = t x lemma test-leq-mult-def : (t x t y) = (t x t y = t x) lemma test-mult-glbi : [t z t x; t z t y ] = t z t x t y lemma test-mult-glb: t z t x t z t y t z t x t y 8

9 lemma test-add-distl: (t x t y) + t z = (t x + t z) (t y + t z) lemma test-add-distr: t x + (t y t z) = (t x + t y) (t x + t z) lemma test-add-zerol: 0 + t x = t x lemma test-add-zeror: t x + 0 = t x lemma test-mult-onel: 1 t x = t x lemma test-mult-oner: t x 1 = t x lemma test-lb: t x 0 lemma test-ub: t x 1 A test is an element p where t p = p. definition test :: a bool where test p t p = p notation comp-op (!- [101 ] 100 ) lemma test-add-closed-var: [test p; test q ] = test (p + q) lemma test-mult-closed: [test p; test q ] = test (p q) lemma test-comp-closed: test p = test (!p) lemma test-ub-var: test p = p 1 lemma test-lb-var: test p = p 0 lemma test-zero-var: test 0 9

10 lemma test-one-var: test 1 lemma test-not-one:!1 = 0 lemma test-add-idem: test p = p + p = p lemma test-mult-idem-var [simp]: test p = p p = p lemma test-add-comm-var: [test p; test q ] = p + q = q + p lemma test-mult-comm-var: [test p; test q ] = p q = q p lemma test-distrib-left-var: [test p; test q; test r ] = p (q + r) = p q + p r lemma test-distrib-right-var: [test p; test q; test r ] = (p + q) r = p r + q r lemma test-add-distl-var: [test p; test q; test r ] = p q + r = (p + r) (q + r) lemma test-add-distr-var: [test p; test q; test r ] = p + q r = (p + q) (p + r) lemma test-absorb1 : [test p; test q ] = p + p q = p lemma test-absorb2 : [test p; test q ] = p (p + q) = p lemma test-absorb3 : [test p; test q ] = (p + q) q = q lemma test-leq-mult-def-var: [test p; test q ] = (p q) = (p q = p) lemma test-double-comp-var: test p = p =!(!p) lemma test-comp: test p = q. test q p + q = 1 p q = 0 lemma test-dist-var: [test p; test q ] = (test r r p = r q r + p = r + q 10

11 p = q) lemma test-comp-uniq: test p =!q. test q p + q = 1 p q = 0 lemma test-comp-mult [simp]: test p = p!p = 0 lemma test-comp-mult2 [simp]: test p =!p p = 0 lemma test-comp-add [simp]: test p = p +!p = 1 lemma test-comp-closed-var: test p = test (!p) lemma de-morgan1 : [test p; test q ] =!p +!q =!(p q) lemma de-morgan2 : [test p; test q ] =!p!q =!(p + q) lemma de-morgan3 : [test p; test q ] =!(!p +!q) = p q lemma de-morgan4 : [test p; test q ] =!(!p!q) = p + q lemma test-comp-anti: [test p; test q ] = (p q) = (!q!p) lemma ba-1 : [test p; test q; test r ] = p + q +!q = r +!r lemma ba2 : [test p; test q ] = p + p = p +!(q +!q) lemma ba3 : [test p; test q ] = p = (p q) + (p!q) lemma ba4 : [test p; test q ] = p = (p +!q) (p + q) lemma ba5 : [test p; test q ] = (p + q)!p = q!p lemma ba6 : test p =!p p = 0 11

12 lemma ba7 : [test p; test q ] =!p =!(p + q) +!(p +!q) lemma test-restrictl: test p = p x x Nitpick refutes the next lemma. lemma test-restrictr: test p = x p x lemma [test p; test q; test r ] = p q r p!q + r Next, we prove lemmas mixing the embedded tests and any element of the carrier set. lemma test-eq1 : test p = y x p y x!p y x Nitpick refutes the next four lemmas. lemma test-eq2 : test p = z p x +!p y p z p x!p z!p y lemma test-eq3 : [test p; test q ] = p x = p x q p x x q lemma test1 : [test p; test q; p x!q = 0 ] = p x = p x q lemma [test p; test q; x!q =!p x!q ] = p x = p x q lemma test-eq4 : [test p; test q ] = x!q =!p x!q p x!q = 0 lemma test2 : [test p; test q ] = p q p = p q lemma test3 : [test p; test q ] = p q!p = 0 lemma test4 : [test p; test q ] =!p q p = 0 Nitpick refutes the next two lemmas. lemma comm-add: [test p; p x = x p; p y = y p ] = p (x + y) = (x + y) p 12

13 lemma comm-add-var: [test p; test q; test r; p x = x p; p y = y p ] = p (q x + r y) = (q x + r y) p lemma comm-mult: [test p; test q; q x = x q ] = p q x = q p x lemma de-morgan-var1 : [test p; test q; test r ] = (!p + q) (p + r) = p q +!p r lemma de-morgan-var2 : [test p; test q; test r ] =!(p q +!p r) = (p!q +!p!r) Nitpick refutes the next two lemmas. lemma test p = p x = x p = p x = p x p!p x =!p x!p lemma test-distrib: [test p; test q ] = (p + q) (q y +!q x) = q y +!q p x We now make the assumption that tests distribute over finite sums of arbitrary elements from the left. This can be justified in models such as multirelations and probabilistic predicate transformers. class near-dioid-test-zerol-dist = near-dioid-tests-zerol + assumes weak-distrib-left: t x (y + z) = t x y + t x z lemma weak-distrib-left-var: test p = p (x + y) = p x + p y lemma weak-subdistl: test p = p x p (x + y) lemma weak-subdistl-var: test p = p x + p y p (x + y) lemma weak-mult-isol: test p = x y p x p y lemma weak-mult-isol-var: [test p; test q ] = p x q y p q x y lemma weak-mult-double-iso: test p = x y p x z p y z Nitpick refutes the next lemma. lemma test-restrictr: test p = x p x 13

14 lemma test-eq2 : test p = z p x +!p y p z p x!p z!p y Nitpick refutes the next three lemmas. lemma test-eq3 : [test p; test q ] = p x = p x q p x x q lemma test1 : [test p; test q; p x!q = 0 ] = p x = p x q lemma [test p; test q; x!q =!p x!q ] = p x = p x q Next, we study tests with commutativity conditions. lemma comm-add: [test p; p x = x p; p y = y p ] = p (x + y) = (x + y) p lemma comm-add-var: [test p; test q; test r; p x = x p; p y = y p ] = p (q x + r y) = (q x + r y) p lemma test-distrib: [test p; test q ] = (p + q) (q y +!q x) = q y +!q p x The following class is relevant for probabilistic Kleene algebras. class pre-dioid-test-zerol = near-dioid-test-zerol-dist + pre-dioid subclass pre-dioid-one-zerol lemma test-restrictr: test p = x p x lemma test-eq3 : [test p; test q ] = p x = p x q p x x q lemma test1 : [test p; test q; p x!q = 0 ] = p x = p x q lemma [test p; test q; x!q =!p x!q ] = p x = p x q lemma [test p; test q ] = x (p + q) x p + x q 14

15 The following class is relevant for Demonic Refinement Algebras. class dioid-tests-zerol = dioid-one-zerol + pre-dioid-test-zerol lemma test1 : [test p; test q; p x!q = 0 ] = p x = p x q Nitpick refutes the following five lemmas. lemma [test p; test q; p x!q = 0 ] =!p x q = 0 lemma [test p; test q; p x = p x q ] = x!q =!p x!q lemma [test p; test q; p x = p x q ] = p x!q = 0 lemma [test p; test q; p x = p x q ] =!p x q = 0 lemma [test p; test q; x!q =!p x!q ] =!p x q = 0 lemma [test p; test q; x!q =!p x!q ] = p x = p x q Nitpick refutes the following four lemmas. lemma [test p; test q;!p x q = 0 ] = p x = p x q lemma [test p; test q;!p x q = 0 ] = x!q =!p x!q lemma [test p; test q;!p x q = 0 ] = p x!q = 0 lemma test p = p x = p x p!p x =!p x!p = p x = x p lemma assumes test p and p x = x p shows p x = p x p!p x =!p x!p The following class is relevant for Kleene Algebra with Tests. 15

16 class dioid-tests = dioid-tests-zerol + dioid-one-zero lemma kat-eq1 : [test p; test q ] = (p x!q = 0 ) = (p x = p x q) lemma kat-eq2 : [test p; test q ] = (p x!q = 0 ) = (p x x q) lemma kat-eq3 : [test p; test q ] = (p x = p x q) = (x!q =!p x!q) Nitpick refutes the next lemma. lemma [test p; test q ] = (p x!q = 0 ) = (!p x q = 0 ) lemma comm-eq1 : test b = (p b = b p) = (b p!b +!b p b = 0 ) lemma comm-eq2 : test b = (p!b =!b p) = (b p!b +!b p b = 0 ) lemma comm-eq3 : test b = (p b = b p) = (p!b =!b p) lemma comm-pres: test p = p x = p x p!p x =!p x!p p x = x p 4 Kleene Algebra with Tests theory KAT imports../dra-base Test-Dioids First, we study left Kleene algebras with tests which also have only a left zero. These structures can be expanded to demonic refinement algebras. class left-kat-zerol = left-kleene-algebra-zerol + dioid-tests-zerol lemma star-test-export1 : test p = (p x) p p x lemma star-test-export2 : test p = (p x) p x p 16

17 lemma star-test-export-left: [test p; x p p x ] = x p = p (x p) lemma star-test-export-right: [test p; x p p x ] = x p = (p x) p lemma star-test-export2-left: [test p; p x = x p ] = x p = p (p x) lemma star-test-export2-right: [test p; p x = x p ] = x p = (x p) p lemma star-test-folk: [test p; p x = x p; p y = y p ] = (p x +!p y) p = p (p x) class kat-zerol = kleene-algebra-zerol + dioid-tests-zerol subclass left-kat-zerol lemma star-sim-right: [test p; p x = x p ] = p x = (p x) p lemma star-sim-left: [test p; p x = x p ] = p x = p (x p) lemma comm-star: [test p; p x = x p; p y = y p ] = p x (p y) = p x y lemma star-sim-right-var: [test p; p x = x p ] = x p = p (x p) lemma star-folk-var[simp]: [test p; p x = x p; p y = y p ] = (p x +!p y) p = p x lemma star-folk-var2 [simp]: [test p;!p x = x!p;!p y = y!p ] = (p x +!p y)!p =!p y Finally, we define Kleene algebra with tests. class kat = kleene-algebra + dioid-tests subclass kat-zerol 17

18 5 Demonic Refinement Algebra with Tests theory DRAT imports Test-Dioids../DRA In this section, we define demonic refinement algebras with tests and prove the most important theorems from the literature. In this context, tests are also known as guards. class dra-tests = dra + dioid-tests-zerol An assertion is a mapping from a guard to a subset similar to tests, but it aborts if the predicate does not hold. definition assertion :: a a (- o [101 ] 100 ) where test p = p o =!p + 1 lemma asg: [test p; test q ] = q 1 1 p o lemma assertion-isol: test p = y p o x p y x lemma assertion-isor: test p = y x p y p o x lemma assertion-iso: [test p; test q ] = x q o p o x p x x q lemma total-correctness: [test p; test q ] = p x!q = 0 x!q!p lemma test-iteration-sim: [test p; p x x p ] = p x x p lemma test-iteration-annir: test p =!p (p x) =!p Next we give an example of a program transformation from von Wright [8]. lemma loop-refinement: [test p; test q ] = (p x)!p (p q x)!(p q) (p x)!p 18

19 Finally, we prove different versions of Back s atomicity refinement theorem for action systems. lemma atom-step1 : r b b r = (a + b + r) = b r (a b r ) lemma atom-step2 : assumes s = s q q b = 0 r q q r q l l q r = r test q shows s l b r q (a b r q) s l r (a b q r ) lemma atom-step3 : assumes r l l r a l l a b l l b q l l q b = b shows l r (a b q r ) = (a b q + l + r) This is Back s atomicity refinement theorem, as specified by von Wright [8]. theorem atom-ref-back: assumes s = s q a = q a q b = 0 r b b r r l l r r q q r a l l a b l l b q l l q r = r b = b test q shows s (a + b + r + l) q s (a b q + r + l) This variant is due to Höfner, Struth and Sutcliffe [4]. theorem atom-ref-back-struth: assumes s s q a q a q b = 0 r b b r r q q r (a + r + b) l l (a + r + b) q l l q r = r q 1 shows s (a + b + r + l) q s (a b q + r + l) Finally, we prove Cohen s [2] variation of the atomicity refinement theorem. lemma atom-ref-cohen: assumes r p y y r y p l l y r p l l r p r!p = 0 p l!p = 0!p l p = 0 y 0 = 0 r 0 = 0 test p shows (y + r + l) = (p l) (y +!p l + r!p) (r p) 19

20 6 Models for Demonic Refinement Algebra with Tests theory DRA-Models imports DRAT Test-Dioids We formalise the predicate transformer model of demonic refinement algebra. Predicate transformers are formalised as strict and additive functions over a field of sets, or alternatively as costrict and multiplicative functions. In the future, this should be merged with Preoteasa s more abstract formalisation [6]. no-notation plus (infixl + 65 ) and less-eq ((-/ -) [51, 51 ] 50 ) notation comp (infixl 55 ) type-synonym a bfun = a set a set Definitions of signature: definition top :: a bfun where top λx. UNIV definition bot :: a bfun where bot λx. {} definition adjoint :: a bfun a bfun where adjoint f (λp. f ( p)) definition fun-inter :: a bfun a bfun a bfun (infix 51 ) where f g λp. f p g p definition fun-union :: a bfun a bfun a bfun (infix + 52 ) where f + g λp. f p g p definition fun-order :: a bfun a bfun bool (infix 50 ) where f g p. f p g p definition fun-strict-order :: a bfun a bfun bool (infix <. 50 ) where f <. g f g f g definition N :: a bfun a bfun where N f (adjoint f o bot) id lemma top-max: f top lemma bot-min: bot f lemma oder-def : f g = f = f g 20

21 lemma order-def-var: f g = f g = f lemma adjoint-idem [simp]: adjoint (adjoint f ) = f lemma adjoint-prop1 [simp]: (f o top) (adjoint f o bot) = bot lemma adjoint-prop2 [simp]: (f o top) + (adjoint f o bot) = top lemma adjoint-mult: adjoint (f o g) = adjoint f o adjoint g lemma adjoint-top[simp]: adjoint top = bot lemma N-comp1 : (N (N f )) + N f = id lemma N-comp2 : (N (N f )) o N f = bot lemma N-comp3 : N f o (N (N f )) = bot lemma N-de-morgan: N (N f ) o N (N g) = N (N f ) N (N g) lemma conj-pred-aux [simp]: (λp. x p y p) = y = p. x p y p Next, we define a type for conjuctive or multiplicative predicate transformers. typedef a bool-op = {f :: a bfun. ( g h. mono f f g + f h = f (g + h) bot o f = bot)} setup-lifting type-definition-bool-op Conjuctive predicate transformers form a dioid with tests without right annihilator. instantiation bool-op :: (type) dioid-one-zerol lift-definition less-eq-bool-op :: a bool-op a bool-op bool is fun-order lift-definition less-bool-op :: a bool-op a bool-op bool is op <. 21

22 lift-definition zero-bool-op :: a bool-op is bot lift-definition one-bool-op :: a bool-op is id lift-definition times-bool-op :: a bool-op a bool-op a bool-op is op o lift-definition plus-bool-op :: a bool-op a bool-op a bool-op is op + instance instantiation bool-op :: (type) dioid-tests-zerol lift-definition comp-op-bool-op :: a bool-op a bool-op is N instance definition fun-star :: a bfun a bfun where fun-star f = lfp (λr. f o r + id) definition fun-iteration :: a bfun a bfun where fun-iteration f = gfp (λg. f o g + id) Verifying the iteration laws is left for future work. This could be obtained by integrating Preoteasa s approach [6]. 7 Models for Kleene Algebra with Tests theory KAT-Models imports../../kleene-algebra/kleene-algebra-models KAT We show that binary relations under the obvious definitions form Kleene algebra with tests. interpretation rel-dioid-tests: dioid-tests op op O Id {} op op λx. Id ( x) 22

23 interpretation rel-kat: kat op op O Id {} op op rtrancl λx. Id ( x) typedef a relation = UNIV :: a rel set setup-lifting type-definition-relation instantiation relation :: (type) kat lift-definition comp-op-relation :: a relation a relation is λx. Id ( x) lift-definition zero-relation :: a relation is {} lift-definition star-relation :: a relation a relation is rtrancl lift-definition less-eq-relation :: a relation a relation bool is op lift-definition less-relation :: a relation a relation bool is op lift-definition one-relation :: a relation is Id lift-definition times-relation :: a relation a relation a relation is op O lift-definition plus-relation :: a relation a relation a relation is op instance 8 Pre-Conway Algebra theory Conway imports../dra-base Test-Dioids We define a weak regular algebra with serves as a common basis for Kleene algebra and demonic reginement algebra. It is closely related to an axiomatisation given by Conway [3]. class dagger-op = fixes dagger :: a a (- [101 ] 100 ) class near-regalg-base-zerol = near-dioid-one-zerol + dagger-op + assumes dagger-denest: (x + y) = (x y) x and dagger-prod-unfold: (x y) = 1 + x (y x) y lemma dagger-unfoldl: 1 + x x = x 23

24 Nitpick refutes the next lemma. lemma dagger-unfoldl-distl: y x = y + y x x lemma dagger-unfoldl-distr: x y = y + x x y lemma dagger-unfoldr: 1 + x x = x Nitpick refutes the next lemma. lemma dagger-unfoldr-distl: y x = y + y x x lemma dagger-unfoldr-distr: x y = y + x x y lemma dagger-annil[simp]: (x 0 ) = 1 + x 0 lemma zero-dagger[simp]: 0 = 1 Nitpick refutes the next lemma. lemma dagger-denest2 : (x + y) = x (y x ) class near-conway-sim-right-zerol = near-regalg-base-zerol + plus-ord + assumes dagger-simr: z x y z = z x y z lemma dagger-iso: x y = x y lemma dagger-slide-var: x (y x) (x y) x Nitpick refutes the next lemma. lemma dagger-slide: x (y x) = (x y) x We say that y preserves x if x y x = x y and!x y!x =!x y. This definition is taken from Solin [7]. It is useful for program transformation. lemma preservation: x y x = x y = x y (x y + z) x 24

25 class near-conway-sim-right-zerol-tests = near-conway-sim-right-zerol + near-dioid-test-zerol-dist lemma test-preserve1-var: [test p; p x p = p x ] = p (p x +!p y) (p x) p The next lemma could neither be proved nor refuted by nitpick. lemma test-preserve2-var: [test p; p x p = p x ] = p (p x +!p y) x class pre-conway = near-conway-sim-right-zerol + pre-dioid-test-zerol subclass near-conway-sim-right-zerol-tests lemma dagger-slide: x (y x) = (x y) x lemma dagger-denest2 : (x + y) = x (y x ) lemma test-preserve: [test p; p x p = p x ] = p x = (p x) p lemma test-dumb-var: [test p; p x p = p x ] = p (p x +!p y) p = p (p x +!p y) lemma test-preserve1 : [test p; p x p = p x ] = p (p x +!p y) = (p x) p lemma test-preserve2 : [test p; p x p = p x ] = p (p x +!p y) x 9 Transformation Theorem for while Loops theory FolkTheorem imports Conway KAT DRAT We prove Kozen s transformation theorem for while loops [5] in a weak setting that unifies previous proofs in Kleene algebra with tests, demonic 25

26 refinement algebras and a variant of probabilistic Kleene algebra. context pre-conway abbreviation preservation :: a a bool (infix preserves 60 ) where x preserves p test p p x p = p x!p x!p =!p x lemma preserves-test-closed: [test p; x preserves q ] = p x preserves q lemma conditional-helper1 : assumes test r1 x1 preserves q y1 preserves q x2 preserves q y2 preserves q shows p q x1 (q r1 y1 +!q r2 y2 ) (q!r1 +!q!r2 ) = p q x1 (r1 y1 )!r1 lemma conditional-helper2 : assumes test r2 x1 preserves q y1 preserves q x2 preserves q y2 preserves q shows p!q x2 (q r1 y1 +!q r2 y2 ) (q!r1 +!q!r2 ) = p!q x2 (r2 y2 )!r2 lemma cond-distr: assumes test p test q test r shows (p q +!p r) (p x +!p y) = p q x +!p r y theorem conditional: assumes test p test r1 test r2 x1 preserves q y1 preserves q x2 preserves q y2 preserves q shows (p q +!p!q) (p x1 (r1 y1 )!r1 +!p x2 (r2 y2 )!r2 ) = (p q +!p!q) (q x1 +!q x2 ) ((q r1 +!q r2 ) (q y1 +!q y2 ))!(q r1 +!q r2 ) theorem nested-loops: assumes test p test q shows (p x (q y)!q)!p = p x ((p + q) (q y +!q x))!(p + q) +!p lemma postcomputation: assumes y preserves p shows (p x)!p y =!p y + p (p x (!p y + p))!p lemma composition-helper: assumes test g test h g y = y g 26

27 shows g (h y)!h g = g (h y)!h theorem composition: assumes test g test h g y = y g!g y = y!g shows (g x)!g (h y)!h =!g (h y)!h + g (g x (!g (h y)!h + g))!g Kleene algebras with tests form pre-conway algebras, therefore the transformation theorem is valid for KAT as well. sublocale kat pre-conway star Demonic refinement algebras form pre-conway algebras, therefore the transformation theorem is valid for DRA as well. sublocale dra-tests pre-conway strong-iteration We do not currently consider an expansion of probabilistic Kleene algebra. 10 Hoare Logic theory HoareLogic imports KAT context kat We encode validity of Hoare triples and derive the inference rules of propositional Hoare logic, that is, Hoare logic without the assignement rule, in Kleene algebra with tests. definition hoare-triple :: a a a bool ({ - }-{ - }) where { p } x { q } p x = p x q test p test q lemma hoare-triple-def-var: { p } x { q } = (p x x q test p test q) lemma skip-rule: test p = { p }1 { p } lemma sequence-rule: { p }x{ q } = { q }x { q } = { p }x x { q } 27

28 lemma conditional-rule: [{ p b }x{ q }; { p!b }x { q }; test p; test b ] = { p }b x +!b x { q } lemma consequence-rule: [test p; p p ; { p }x{ q }; q q; test q ] = { p }x{ q } lemma while-rule-var: { p }x{ p } = { p }x { p } lemma while-rule: [test q; { p q }x{ p }] = { p }(q x)!q{ p!q } definition (in kat) while-inv :: a b a a (while - inv - do - [64,64,64 ] 63 ) where while b inv i do p = (b p)!b lemma hoare-while-inv: assumes tb: test b and tp: test p and tq: test q and pi: p i and iq: i!b q and inv-loop: { i b } c { i } shows { p } while b inv i do c { q } 11 Verification Tool Prototype theory Verification-Tool-Proto imports KAT-Models HoareLogic We show how a simple verification tool prototype can be obtained from our formalisation of Kleene algebra with tests and its relational model. So far, only natural numbers are admitted as datatypes. A more versatile implementation is under construction. First, we implement states and stores of a program in the relational model. type-synonym state = string nat notation times (infixr ; 64 ) Next, we define assignement. definition lift-fn :: (state state) state relation where lift-fn f = Abs-relation {(x, f x) x. True} definition assign-fn :: string (state nat) state state where assign-fn x f σ = (λy. if x = y then f σ else σ y) 28

29 definition assign :: string (state nat) state relation (infix := 99 ) where x := e = lift-fn (assign-fn x e) lemma lift-fn-compose [simp]: lift-fn f lift-fn g = lift-fn (g f ) Then, we lift tests to the relational model. definition assert :: a set a relation where assert X Abs-relation (Id-on X ) lemma test-assert [intro!, simp]: test (assert X ) lemma test-not-assert [intro!, simp]: test (!(assert X )) lemma [iff ]: assert X assert Y X Y lemma [simp]: t (assert X ) = assert X lemma [simp]: assert X ; assert Y = assert (X Y ) lemma [simp]: assert X ;!assert Y = assert (X Y ) Now, we implement Hoare s assignement axiom. abbreviation assigns-notation :: state set string (state nat) state set (-[- -] [100,100,100 ] 101 ) where P[x m] (λstate. assign-fn x m state) P lemma hoare-assignment : P[x m] Q = assert P x := m x := m assert Q lemma hoare-assignment: P[x m] Q = { assert P } x := m { assert Q } This a variant of the sequential rule where tests are assertions. lemma hoare-seq: { assert p }x{ assert q } = { assert q }x { assert q } = { assert p }x x { assert q } ML We write a simple tactic for verification condition generation. 29

30 declare hoare-seq [hoare-rule] ML declare assign-fn-def [hoare-simp] declare image-def [hoare-simp] We add some syntactic sugar. abbreviation assign-sugar :: string string state relation (infix := 99 ) where x := y x := (λσ. σ y) abbreviation hoare-sugar :: a set a relation a set bool ({ - }-{ - }) where { p } c { q } { assert p } c { assert q } abbreviation mod-sugar :: string string state nat (infix mod 100 ) where x mod y λσ. (σ x) mod (σ y) abbreviation while-inv-sugar :: a set a set a relation a relation (while - inv - do - [64,64,64 ] 63 ) where while b inv i do p while (assert b) inv (assert i) do p As a complex example, we verify the partial correctness of Euclid s algorithm. lemma euclids-algorithm: { {σ. σ x = x σ y = y} } while {σ. σ y 0 } inv {σ. gcd (σ x ) (σ y ) = gcd x y} do ( z := y ; y := x mod y ; x := z ) { {σ. σ x = gcd x y} } 12 Two sorted Kleene Algebra with Tests theory KAT2 imports../../kleene-algebra/kleene-algebra As an alternative to the one-sorted implementation of tests, we provide a two-sorted, more conventional one. In this setting, Isabelle s Boolean algebra theory can be used. This alternative can be developed further along the lines of the one-sorted implementation. 30

31 syntax -kat :: a a ( - ) ML locale dioid-tests = fixes test :: a::boolean-algebra b::dioid-one-zerol and not :: b::dioid-one-zerol b::dioid-one-zerol ( ) assumes test-sup [simp,kat-hom]: test (sup p q) = p + q and test-inf [simp,kat-hom]: test (inf p q) = p q and test-top [simp,kat-hom]: test top = 1 and test-bot [simp,kat-hom]: test bot = 0 and test-not [simp,kat-hom]: test ( p) = p and test-iso-eq [kat-hom]: p q p q notation test (ι) lemma test-eq [kat-hom]: p = q p = q ML lemma test-iso: p q = p q lemma test-meet-comm: p q = q p lemmas test-one-top[simp] = test-iso[of top-greatest, simplified] lemma [simp]: p + p = 1 lemma [simp]: p + ( p) = 1 lemma [simp]: ( p) p = 0 lemma [simp]: p ( p) = 0 locale kat = fixes test :: a::boolean-algebra b::kleene-algebra and not :: b::kleene-algebra b::kleene-algebra (!) 31

32 assumes is-dioid-tests: dioid-tests test not sublocale kat dioid-tests context kat notation test (ι) lemma test-eq [kat-hom]: p = q p = q ML lemma test-iso: p q = p q lemma test-meet-comm: p q = q p lemmas test-one-top[simp] = test-iso[of top-greatest, simplified] lemma test-star [simp]: p = 1 lemmas [kat-hom] = test-star[symmetric] lemma [simp]:!p + p = 1 lemma [simp]: p +!p = 1 lemma [simp]:!p p = 0 lemma [simp]: p!p = 0 definition hoare-triple :: b b b bool ({ - } - { - }) where { p } c { q } p c c q declare hoare-triple-def [iff ] lemma hoare-triple-def-var: p c c q p c!q = 0 32

33 lemmas [intro!] = star-sim2 [rule-format] lemma hoare-weakening: p p = q q = { p } c { q } = { p } c { q } lemma hoare-star: { p } c { p } = { p } c { p } lemmas [vcg] = hoare-weakening[of order-refl - hoare-star] lemma hoare-test [vcg]: p t q = { p } t { q } lemma hoare-mult [vcg]: { p } x { r } = { r } y { q } = { p } x y { q } lemma [simp]:!p!p =!p lemma hoare-plus [vcg]: { p } x { q } = { p } y { q } = { p } x + y { q } definition While :: b b b (While - Do - End [50,50 ] 51 ) where While t Do c End = (t c)!t lemma hoare-while: { p t } c { p } = { p } While t Do c End {!t p } lemma [vcg]: { p t } c { p } =!t p q = { p } While t Do c End { q } definition If :: b b b b (If - Then - Else - [50,50,50 ] 51 ) where If p Then c1 Else c2 p c1 +!p c2 lemma hoare-if [vcg]: { p t } c1 { q } = { p!t } c2 { q } = { p } If t Then c1 Else c2 { q } 13 Two sorted Demonic Refinement Algebras theory DRAT2 imports../dra As an alternative to the one-sorted implementation of demonic refine- 33

34 ment algebra with tests, we provide a two-sorted, more conventional one. This alternative can be developed further along the lines of the one-sorted implementation. syntax -dra :: a a ( - ) ML locale drat = fixes test :: a::boolean-algebra b::dra and not :: b::dra b::dra (!) assumes test-sup [simp,kat-hom]: test (sup p q) = p + q and test-inf [simp,kat-hom]: test (inf p q) = p q and test-top [simp,kat-hom]: test top = 1 and test-bot [simp,kat-hom]: test bot = 0 and test-not [simp,kat-hom]: test ( p) =!p and test-iso-eq [kat-hom]: p q p q notation test (ι) lemma test-eq [kat-hom]: p = q p = q ML lemma test-iso: p q = p q lemma test-meet-comm: p q = q p lemmas test-one-top[simp] = test-iso[of top-greatest, simplified] lemma test-star [simp]: p = 1 lemmas [kat-hom] = test-star[symmetric] lemma test-comp-add1 [simp]:!p + p = 1 lemma test-comp-add2 [simp]: p +!p = 1 lemma test-comp-mult1 [simp]:!p p = 0 lemma test-comp-mult2 [simp]: p!p = 0 34

35 lemma test-eq1 : y x p y x!p y x lemma p x = p x q = p x!q = 0 nitpick lemma test1 : p x!q = 0 = p x = p x q lemma test2 : p q p = p q lemma test3 : p q!p = 0 lemma test4 :!p q p = 0 lemma total-correctness: p x!q = 0 x!q!p lemma test-iteration-sim: p x x p = p x x p lemma test-iteration-annir:!p (p x) =!p References [1] A. Armstrong, G. Struth, and T. Weber. Kleene algebra. Archive of Formal Proofs, [2] E. Cohen. Separation and reduction. In R. C. Backhouse and J. N. Oliveira, editors, MPC, volume 1837 of LNCS, pages Springer, [3] J. H. Conway. Regular Algebra and Finite Machines. Chapman and Hall, [4] P. Höfner, G. Struth, and G. Sutcliffe. Automated verification of refinement laws. Ann. Mathematics and Artificial Intelligence, 55(1-2):35 62,

36 [5] D. Kozen. Kleene algebra with tests. ACM TOPLAS, 19(3): , [6] V. Preoteasa. Algebra of monotonic boolean transformers. In A. S. Simão and C. Morgan, editors, SBMF, volume 7021 of LNCS, pages Springer, [7] K. Solin. Normal forms in total correctness for while programs and action systems. J. Logic and Algebraic Programming, 80(6): , [8] J. von Wright. From Kleene algebra to refinement algebra. In E. A. Boiten and B. Möller, editors, MPC, volume 2386 of LNCS, pages Springer,

Kleene Algebra. Alasdair Armstrong, Victor B. F. Gomes, Georg Struth and Tjark Weber. April 17, 2016

Kleene Algebra. Alasdair Armstrong, Victor B. F. Gomes, Georg Struth and Tjark Weber. April 17, 2016 Kleene Algebra Alasdair Armstrong, Victor B. F. Gomes, Georg Struth and Tjark Weber April 17, 2016 Abstract Variants of Dioids and Kleene algebras are formalised together with their most important models