Gerwin Klein, June Andronick, Ramana Kumar S2/2016

Size: px

Start display at page:

Download "Gerwin Klein, June Andronick, Ramana Kumar S2/2016"

Kathleen Little
6 years ago
Views:

1 COMP4161: Advanced Topics in Software Verification {} Gerwin Klein, June Andronick, Ramana Kumar S2/2016 data61.csiro.au

2 Content Intro & motivation, getting started [1] Foundations & Principles Lambda Calculus, natural deduction [1,2] Higher Order Logic [3 a ] Term rewriting [4] Proof & Specification Techniques Inductively defined sets, rule induction [5] Datatypes, recursion, induction [6, 7] Hoare logic, proofs about programs, C verification [8 b,9] (mid-semester break) Writing Automated Proof Methods [10] Isar, codegen, typeclasses, locales [11 c,12] a a1 due; b a2 due; c a3 due 2 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

3 Last Time Sets 3 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

4 Last Time Sets Type Definitions 3 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

5 Last Time Sets Type Definitions Inductive Definitions 3 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

6 Inductive Definitions How They Work

7 The Nat Example 0 N n N n + 1 N 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

8 The Nat Example 0 N N is the set of natural numbers IN n N n + 1 N 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

9 The Nat Example 0 N n N n + 1 N N is the set of natural numbers IN But why not the set of real numbers? 0 IR, n IR = n + 1 IR 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

10 The Nat Example 0 N n N n + 1 N N is the set of natural numbers IN But why not the set of real numbers? 0 IR, n IR = n + 1 IR IN is the smallest set that is consistent with the rules. 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

11 The Nat Example 0 N n N n + 1 N N is the set of natural numbers IN But why not the set of real numbers? 0 IR, n IR = n + 1 IR IN is the smallest set that is consistent with the rules. Why the smallest set? 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

12 The Nat Example 0 N n N n + 1 N N is the set of natural numbers IN But why not the set of real numbers? 0 IR, n IR = n + 1 IR IN is the smallest set that is consistent with the rules. Why the smallest set? Objective: no junk. Only what must be in X shall be in X. 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

13 The Nat Example 0 N n N n + 1 N N is the set of natural numbers IN But why not the set of real numbers? 0 IR, n IR = n + 1 IR IN is the smallest set that is consistent with the rules. Why the smallest set? Objective: no junk. Only what must be in X shall be in X. Gives rise to a nice proof principle (rule induction) 5 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

14 Formally Rules a 1 X... a n X a X define set X A with a 1,..., a n, a A Formally: 6 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

15 Formally Rules a 1 X... a n X a X define set X A with a 1,..., a n, a A Formally: set of rules R A set A Applying rules R to a set B: (R, X possibly infinite) 6 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

16 Formally Rules a 1 X... a n X a X define set X A with a 1,..., a n, a A Formally: set of rules R A set A (R, X possibly infinite) Applying rules R to a set B: ˆR B {x. H. (H, x) R H B} Example: 6 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

17 Formally Rules a 1 X... a n X a X define set X A with a 1,..., a n, a A Formally: set of rules R A set A (R, X possibly infinite) Applying rules R to a set B: ˆR B {x. H. (H, x) R H B} Example: R {({}, 0)} {({n}, n + 1). n IR} ˆR {3, 6, 10} = 6 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

18 Formally Rules a 1 X... a n X a X define set X A with a 1,..., a n, a A Formally: set of rules R A set A (R, X possibly infinite) Applying rules R to a set B: ˆR B {x. H. (H, x) R H B} Example: R {({}, 0)} {({n}, n + 1). n IR} ˆR {3, 6, 10} = {0, 4, 7, 11} 6 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

19 The Set Definition: B is R-closed iff ˆR B B 7 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

20 The Set Definition: Definition: B is R-closed iff ˆR B B X is the least R-closed subset of A This does always exist: 7 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

21 The Set Definition: Definition: B is R-closed iff ˆR B B X is the least R-closed subset of A This does always exist: Fact: X = {B A. B R closed} 7 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

22 Generation from Above A 8 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

23 Generation from Above A R-closed 8 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

24 Generation from Above A R-closed R-closed 8 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

25 Generation from Above A R-closed R-closed R-closed 8 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

26 Generation from Above A R-closed X R-closed R-closed 8 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

27 Rule Induction 0 N n N n + 1 N induces induction principle [[P 0; n. P n = P (n + 1)]] = x X. P x 9 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

28 Rule Induction 0 N n N n + 1 N induces induction principle [[P 0; n. P n = P (n + 1)]] = x X. P x In general: ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x 9 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

29 Why does this work? ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x ({a 1,... a n }, a) R. P a 1... P a n = P a says 10 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

30 Why does this work? ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x ({a 1,... a n }, a) R. P a 1... P a n = P a says {x. P x} is R-closed but: 10 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

31 Why does this work? ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x ({a 1,... a n }, a) R. P a 1... P a n = P a says {x. P x} is R-closed but: hence: X is the least R-closed set 10 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

32 Why does this work? ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x ({a 1,... a n }, a) R. P a 1... P a n = P a says {x. P x} is R-closed but: X is the least R-closed set hence: X {x. P x} which means: 10 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

33 Why does this work? ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x ({a 1,... a n }, a) R. P a 1... P a n = P a says {x. P x} is R-closed but: X is the least R-closed set hence: X {x. P x} which means: x X. P x 10 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

34 Why does this work? ({a 1,... a n }, a) R. P a 1... P a n = P a x X. P x ({a 1,... a n }, a) R. P a 1... P a n = P a says {x. P x} is R-closed but: X is the least R-closed set hence: X {x. P x} which means: x X. P x qed 10 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

35 Rules with side conditions a 1 X... a n X C 1... C m a X 11 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

36 Rules with side conditions a 1 X... a n X C 1... C m a X induction scheme: ( ({a 1,... a n }, a) R. P a 1... P a n C 1... C m {a 1,..., a n } X = P a) = x X. P x 11 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

37 X as Fixpoint How to compute X? 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

38 X as Fixpoint How to compute X? X = {B A. B R closed} hard to work with. Instead: 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

39 X as Fixpoint How to compute X? X = {B A. B R closed} hard to work with. Instead: view X as least fixpoint, X least set with ˆR X = X. 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

40 X as Fixpoint How to compute X? X = {B A. B R closed} hard to work with. Instead: view X as least fixpoint, X least set with ˆR X = X. Fixpoints can be approximated by iteration: X 0 = ˆR 0 {} = {} 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

41 X as Fixpoint How to compute X? X = {B A. B R closed} hard to work with. Instead: view X as least fixpoint, X least set with ˆR X = X. Fixpoints can be approximated by iteration: X 0 = ˆR 0 {} = {} X 1 = ˆR 1 {} = rules without hypotheses. 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

42 X as Fixpoint How to compute X? X = {B A. B R closed} hard to work with. Instead: view X as least fixpoint, X least set with ˆR X = X. Fixpoints can be approximated by iteration: X 0 = ˆR 0 {} = {} X 1 = ˆR 1 {} = rules without hypotheses. X n = ˆR n {} 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

43 X as Fixpoint How to compute X? X = {B A. B R closed} hard to work with. Instead: view X as least fixpoint, X least set with ˆR X = X. Fixpoints can be approximated by iteration: X 0 = ˆR 0 {} = {} X 1 = ˆR 1 {} = rules without hypotheses. X n = ˆR n {} X ω = n IN (Rn {}) = X 12 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

44 Generation from Below A ˆR 0 {} 13 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

45 Generation from Below A ˆR 0 {} ˆR 1 {} 13 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

46 Generation from Below A ˆR ˆR 0 {} ˆR 1 {} ˆR 2 {} 13 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

47 Generation from Below A ˆR ˆR 0 {} ˆR ˆR 1 {} ˆR 2 {} COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

48 Does this always work? Knaster-Tarski Fixpoint Theorem: Let (A, ) be a complete lattice, and f :: A A a monotone function. Then the fixpoints of f again form a complete lattice. 14 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

49 Does this always work? Knaster-Tarski Fixpoint Theorem: Let (A, ) be a complete lattice, and f :: A A a monotone function. Then the fixpoints of f again form a complete lattice. Lattice: Finite subsets have a greatest lower bound (meet) and least upper bound (join). 14 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

50 Does this always work? Knaster-Tarski Fixpoint Theorem: Let (A, ) be a complete lattice, and f :: A A a monotone function. Then the fixpoints of f again form a complete lattice. Lattice: Finite subsets have a greatest lower bound (meet) and least upper bound (join). Complete Lattice: All subsets have a greatest lower bound and least upper bound. 14 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

51 Does this always work? Knaster-Tarski Fixpoint Theorem: Let (A, ) be a complete lattice, and f :: A A a monotone function. Then the fixpoints of f again form a complete lattice. Lattice: Finite subsets have a greatest lower bound (meet) and least upper bound (join). Complete Lattice: All subsets have a greatest lower bound and least upper bound. Implications: least and greatest fixpoints exist (complete lattice always non-empty). 14 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

52 Does this always work? Knaster-Tarski Fixpoint Theorem: Let (A, ) be a complete lattice, and f :: A A a monotone function. Then the fixpoints of f again form a complete lattice. Lattice: Finite subsets have a greatest lower bound (meet) and least upper bound (join). Complete Lattice: All subsets have a greatest lower bound and least upper bound. Implications: least and greatest fixpoints exist (complete lattice always non-empty). can be reached by (possibly infinite) iteration. (Why?) 14 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

53 Exercise Formalize the this lecture in Isabelle: Define closed f A :: (α set α set) α set bool Show closed f A closed f B = closed f (A B) if f is monotone (mono is predefined) Define lfpt f as the intersection of all f -closed sets Show that lfpt f is a fixpoint of f if f is monotone Show that lfpt f is the least fixpoint of f Declare a constant R :: (α set α) set Define ˆR :: α set α set in terms of R Show soundness of rule induction using R and lfpt ˆR 15 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

54 We have learned today... Formal background of inductive definitions 16 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

55 We have learned today... Formal background of inductive definitions Definition by intersection 16 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

56 We have learned today... Formal background of inductive definitions Definition by intersection Computation by iteration 16 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

57 We have learned today... Formal background of inductive definitions Definition by intersection Computation by iteration Formalisation in Isabelle 16 COMP4161 c Data61, CSIRO: provided under Creative Commons Attribution License

λ Slide 1 Content Exercises from last time λ-calculus COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification

λ Slide 1 Content Exercises from last time λ-calculus COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification Content COMP 4161 NICTA Advanced Course Advanced Topics in Software Verification Toby Murray, June Andronick, Gerwin Klein λ Slide 1 Intro & motivation, getting started [1] Foundations & Principles Lambda