Unifying Theories of Programming

Similar documents
A Tutorial Introduction to CSP in Unifying Theories of Programming

UTP by Example: Designs

Circus Time with Reactive Designs

A Timed Model of Circus with the Reactive Design Miracle

Denotational Semantics of Mobility in Unifying Theories of Programming (UTP)

Hoare Calculus and Predicate Transformers

Algebraic Reasoning for Probabilistic Action Systems and While-Loops

HRML: a hybrid relational modelling language. He Jifeng

Mechanising the Alphabetised Relational Calculus

Programming Languages and Compilers (CS 421)

Lecture 2: Axiomatic semantics

AN INTRODUCTION TO SEPARATION LOGIC. 2. Assertions

Chapter 2. Assertions. An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Deductive Verification

Program verification. 18 October 2017

Hoare Logic: Part II

Hoare Logic: Reasoning About Imperative Programs

Mid-Semester Quiz Second Semester, 2012

Proof Calculus for Partial Correctness

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Weakest Precondition Calculus

Propositional Logic Language

Coinductive big-step semantics and Hoare logics for nontermination

Linking Duration Calculus and TLA

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Mechanical Reasoning about Families of UTP Theories

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

A Short Introduction to Hoare Logic

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Hoare Logic (I): Axiomatic Semantics and Program Correctness

Calculating axiomatic semantics from program equations by means of functional predicate calculus

CS558 Programming Languages

This is a repository copy of Towards Verification of Cyber-Physical Systems with UTP and Isabelle/HOL.

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Universität Augsburg

Floyd-Hoare Style Program Verification

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

CS 6110 Lecture 21 The Fixed-Point Theorem 8 March 2013 Lecturer: Andrew Myers. 1 Complete partial orders (CPOs) 2 Least fixed points of functions

Hoare Logic: Reasoning About Imperative Programs

The Journal of Logic and Algebraic Programming

Proof Theoretical Studies on Semilattice Relevant Logics

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

The non-logical symbols determine a specific F OL language and consists of the following sets. Σ = {Σ n } n<ω

MODELING NONDETERMINISM IN PROGRAM SEMANTICS USING LIFTED BINARY MULTIRELATIONS

Proofs of Correctness: Introduction to Axiomatic Verification

Gerwin Klein, June Andronick, Ramana Kumar S2/2016

Přednáška 12. Důkazové kalkuly Kalkul Hilbertova typu. 11/29/2006 Hilbertův kalkul 1

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Views: Compositional Reasoning for Concurrent Programs

Reasoning About Imperative Programs. COS 441 Slides 10b

Lecture Notes on Software Model Checking

Formal Methods for Probabilistic Systems

Exercises 1 - Solutions

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

The Assignment Axiom (Hoare)

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Last Time. Inference Rules

Temporal Logic Model Checking

Course Runtime Verification

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

Learning Goals of CS245 Logic and Computation

Control Predicates Are Better Than Dummy Variables For Reasoning About Program Control

A Humble Introduction to DIJKSTRA S A A DISCIPLINE OF PROGRAMMING

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods for Software Engineering)

A Theory and Calculus for Reasoning about Sequential Behavior

Lecture Notes on DISCRETE MATHEMATICS. Eusebius Doedel

Propositional and Predicate Logic

CHAPTER 2 INTRODUCTION TO CLASSICAL PROPOSITIONAL LOGIC

Verifying Properties of Parallel Programs: An Axiomatic Approach

Restricted truth predicates in first-order logic

Size-Change Termination and Transition Invariants

Lecture Notes 1 Basic Concepts of Mathematics MATH 352

Partial model checking via abstract interpretation

Chapter 3. Specifications. 3.1 Hoare Triples. An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011

Logical Abstract Domains and Interpretations

An Equational Axiomatization for Multi-Exit Iteration

Trace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

COMP 182 Algorithmic Thinking. Proofs. Luay Nakhleh Computer Science Rice University

Hoare Logic and Model Checking


Intro to Logic and Proofs

T (s, xa) = T (T (s, x), a). The language recognized by M, denoted L(M), is the set of strings accepted by M. That is,

Formal Specification and Verification. Specifications

Axioms of Kleene Algebra

With Question/Answer Animations. Chapter 2

Propositional Dynamic Logic

Probabilistic Guarded Commands Mechanized in HOL

Demonic, angelic and unbounded probabilistic choices in sequential programs

Transcription:

1&2 Unifying Theories of Programming Unifying Theories of Programming 3&4 Theories Unifying Theories of Programming designs predicates relations reactive CSP processes Jim Woodcock University of York May 2006 Unifying Theories of Programming C. A. R. Hoare & He Jifeng, Prentice Hall, 1998 alphabetised relations as unifying basis for programming linking many different computational paradigms relations between initial and intermediate or final observation

5&6 Unifying Theories of Programming Unifying Theories of Programming 7&8 Alphabetised Relational Calculus 1. Observations Theories alphabet: external observations of behaviour signature: syntax for denoting objects of theory healthiness conditions: identify interesting sub-theories programs designs specifications Jim Woodcock University of York May 2006 0. Introduction 1. observations 2. the alphabetised relatinal calculus 3. the complete lattice 4. specifications Observable variabes alphabet: variables describe relevant aspects of behaviour observations: relation between initial and after values external variables: globally shared with real world clock, l, okay, ref, resource, tr, wait,

9&10 Unifying Theories of Programming Unifying Theories of Programming 11&12 2. The alphabetised relational calculus Terminology Healthiness conditions feasible descriptions of reality increase towards code P = φ(p), for idempotent φ links to translate designs into implementations an alphabet is a set of observation names okay, trace, wait, ref, l, a relation P, Q,...,true is an alphabet-predicate pair freevars(p) αp αp = inαp outαp homogeneous: outαp = inαp condition: b, c, d,...,true outα b = similar to Z s schema calculus much simpler: untyped Examples time travel 1 B = clock clock tr prefix tr P B (P = P B) for all programs P time travel 2 T = okay T P (P = T P) for all programs P proper initialisation and finalisation J = J ; J and K = K ; K Conjunction P Q x satisfies P Q iff x satisfies P and x satisfies Q α(p Q ) = αp αq (x := x + z y := y w) = (x = x + z y = y w) = (x, y := x + z, y w) P(x, y) Q (y, z) P = J ; P and P = P ; K for all programs P

13&14 Unifying Theories of Programming Unifying Theories of Programming 15&16 Correctness [ P ]: universal closure of P S P iff [ P S ] example: specification x > x y = y implementation x, y := x + 1, y correctness [ x, y := x + 1, y x > x y = y ] = [ x = x + 1 y = y x > x y = y ] = true L1 P b P = P idempotence L2 P b Q = Q b P symmetry L3 (P b Q ) c R = P b c (Q c R) associativity L4 P b (Q c R) = (P b Q ) c (P b R) distrib. L5 P true Q = P = Q false P unit L6 P b (Q b R) = P b R L7 P b (P c Q ) = P b c Q L8 (P Q ) b (R S) = (P b R) (Q b S) exchange L9 (P b Q ) = ( P b Q ) not-conditional L10 (P b Q ) (R b S) = (P R) b (Q S) [conditional-and-not-conditional] L11 L12 (P (Q b R)) = ((P Q ) b (P R)) implies-cond.-1 ((P b Q ) R) = ((P R) b (Q R)) implies-cond.-2 Conditional P b Q = (b P) ( b Q ) if αb αp = αq α(p b Q ) = αp L13 (P b Q ) R = (P R) b (Q R) cond.-conjunction L14 (P b Q ) R = (P R) b (Q R) cond.-disjunction L15 b (P b Q ) = (b P) left-simplification-1 L16 b (P b Q ) = ( b Q ) right-simplification-2 L17 (P b Q ) = ((b P) b Q ) left-condition L18 (P b Q ) = (P b ( b Q )) right-condition

17&18 Unifying Theories of Programming Unifying Theories of Programming 19&20 Proof of L6 (P b (Q b R)) = ((Q b R) b P) [by L2] = (Q b b (R b P)) [by L3] = (Q false (R b P)) [by propositional calculus] = (R b P) [by L5] = (P b R) [by L2] Refinement to conditional P (Q b R) = [(Q b R) P ] = [ b Q b R P ] = [ b Q P ] [ b R P ] = ( P b Q ) ( P b R ) Proof of L7 (P b (P c Q )) = ((Q c P) b P [by L2] = (Q c b (P b P)) [by L3] = (Q c b P) [by L1] = (P b c Q ) [by L2] Separation of requirements ((P Q ) R) = (P R) (Q R)

21&22 Unifying Theories of Programming Unifying Theories of Programming 23&24 Composition P(v ) ; Q (v) = v 0 P(v 0 ) Q (v 0 ) if outαp = inαq ={v } inα(p(v ) ; Q (v)) = inαp outα(p(v ) ; Q (v)) = outαq L1 P ; (Q ; R) = (P ; Q ) ; R associativity L2 (P b Q ) ; R = ((P ; R) b (Q ; R)) left distribution Laws of assignment L1 (x := e) = (x, y := e, y) L2 (x, y, z := e, f, g) = (y, x, z := f, e, g) L3 (x := e ; x := f (x)) = (x := f (e)) L4 (x := e ; (P b(x) Q )) = ((x := e ; P) b(e) (x := e ; Q )) L5 P ; I αp = P = I αp ; P unit L6 v = e ; P = P[e/v] where αp ={v, v } left-one-point L7 P ; v = e = P[e/v ] where αp ={v, v } right-one-point Assignment for A ={x, y,...,z, x, y,...,z } and αe in(a) x := A e = (x = e y = y z = z) α(x := A e) = A I A = (v = v) if A ={v, v } αi A = A Array assignment array-valued variables assignment to ith element: w[i] := e w := w {i e} w x = (x i dom x w)

25&26 Unifying Theories of Programming Unifying Theories of Programming 27&28 Nondeterminism P Q = P Q if αp = αq α(p Q ) = αp L1 P Q = Q P symmetry L2 P (Q R) = (P Q ) R associativity L3 P P = P idempotence L4 P (Q R) = (P Q ) (P R) distributivity L5 (P b (Q R)) = (P b Q ) (P b R) distributivity L6 (P Q ) ; R = (P ; R) (Q ; R) distributivity L7 P ; (Q R) = (P ; Q ) (P ; R) distributivity L8 P (Q b R) = ((P Q ) b (P R)) distributivity Monotonicity F is monotonic iff P Q F (P) F (Q ) disjunctive operators are always monotonic suppose that P P and is disjunctive P Q P Q = ((P Q ) (P Q ) = P Q ) = ((P P ) Q = P Q ) monotonic operators aren t always disjunctive P 2 = P ; P (Q R) 2 = Q 2 R 2 (Q ; R) (R ; Q ) Q 2 R 2 Refinement and nondeterminism P Q = P = (P Q P) (P P Q ) = [ P P Q ] [ P Q P ] = [ P P Q ] [ P Q P ] = true [ P Q P ] = [ Q P ] = P Q Conjunction P Q = P Q α(p Q ) = αp αq

29&30 Unifying Theories of Programming Unifying Theories of Programming 31&32 Example of complete lattice natural numbers ordered by divisibility 3. The complete lattice Definition: Complete lattice A lattice is a partially ordered set, in which all non-empty finite subsets have both a least upper-bound (join) and a greatest lower bound (meet). A complete lattice is a lattice in which all subsets have both a join and a meet. partial order m n ( k k m = n ) 1 is bottom (exactly divides every other number) 0 is top (it can be divided exactly by every other number) join of finite sets is least common multiple join of infinite sets is 0 meet is greatest common divisor for infinite sets gcd be greater than 1 example: set of all even numbers has 2 as gcd Abort and miracle Example of complete lattice power set of S ordered by inclusion. empty set is least element S is greatest element A α A A α A = true = A = false = A union is join intersection is meet for all P with alphabet A L1 [ P A ] L2 [ A P ]

33&34 Unifying Theories of Programming Unifying Theories of Programming 35&36 Recursion Laws of the lattice L1 [ P S ] iff ([P X ] for all X in S ) L1A [ S X ] for all X in S L1B if [ P X ] for all X in S, then [ P S ] L2 ( S ) Q = { P Q P S } L3 ( S ) Q = { P Q P S } L4 ( S ) ; Q = { P ; Q P S } L5 R ; ( S ) = { R ; P P S } weakest fixed-point μ F = { X [ X F (X )]} μ X C(X ) = μ F where F = λ X C(X ) μ X X = true L1 [ Y μ F ] if [ Y F (Y )] weakest fixed-point L2 [ F (μ F ) = μ F ] fixed-point strongest fixed-point is dual of wfp Recursion: weakest fixed-point alphabetised relations form a complete lattice all operators are monotonic every construction is monotonic Tarski: complete lattice of fixed-points is strongest fixed-point of X = P ; X is weakest fixed-point Proof of L1 F (Y ) Y = Y {X F (X ) X } [by comprehension] { X F (X ) X } Y [by L1A] = μ F Y [by definition of μ F ] so μ F is weaker than any other fixed-point of F

37&38 Unifying Theories of Programming Unifying Theories of Programming 39&40 Proof of L2 μ F = F (μ F ) [mutual refinement] = μ F F (μ F ) F (μ F ) μ F [fixed-point L1] F (F (μ F )) F (μ F ) F (μ F ) μ F [F monotonic] F (μ F ) μ F [definition] = F (μ F ) { X F (X ) X } [lattice L1B] X {X F (X ) X } F(μ f ) X [comprehension] = X F (X ) X F (μ F ) X [transitivity of ] X F (X ) X F (μ F ) F (X ) [F monotonic] X F (X ) X μ F X [fixed-point L1] = true Iteration b P = μ X ((P ; X ) b I ) copy rule Bottom { X true }= { X true } = { X true } { X true } = { X true } = [ { X true } ] = [ true { X true } ] = [ { X true } ] = [ X true ] = true Nontermination what s the weakest fixed-point of X = X? μ X X = { Y (λ X X )(Y ) Y } = { Y Y Y } = { Y true } = consequence (for sole state variable x and constant c): ( ; x := c ) = ( x := c )

41&42 Unifying Theories of Programming Unifying Theories of Programming 43&44 Recursion: strongest fixed-point dual of the weakest fixed-point νf = μ X F( X ) L1 [νf S ] if [ F (S) S ] strongest fixed-point L2 [ F (νf ) = νf ] fixed-point Conditional termination suppose F terminates whenever C holds [ C μ F = C νf ] fixed-points appear equal within window C L3 false ; P = false = P ; false good enough if specification is C S ν is easier to work with than μ Nontermination strongest fixed-point inappropriate (νx X ) = false = S, for all S consequence: P = P Weakest fixed-point lemma if [ F (C S) (C S)] and [ C (μ F = νf )] then [μf (C S)] pity, since it s the best to reason with any recursion with guaranteed termination single fixed-point: μ F = νf

45&46 Unifying Theories of Programming Unifying Theories of Programming 47&48 4. Specifications Hoare logic Hoare logic (also known as Floyd-Hoare logic) is a formal system developed by the British computer scientist C. A. R. Hoare, and subsequently refined by Hoare and other researchers. It was published in Hoare s 1969 paper An axiomatic basis for computer programming. The purpose of the system is to provide a set of logical rules in order to reason about the correctness of computer programs with the rigour of mathematical logic. Hoare logic has axioms and inference rules for all the constructs of a simple imperative programming language. In addition to the rules for the simple language in Hoare s original paper, rules for other language constructs have been developed since then by Hoare and many other researchers. There are rules for concurrency, procedures, jumps, and pointers. Hoare acknowledges earlier contributions from Robert Floyd, who had published a similar system for flowcharts. The central feature of Hoare logic is the Hoare triple. A triple describes how the execution of a piece of code changes the state of the computation. A Hoare triple is of the form p {Q } r where p and r are assertions and Q is a command. The assertion p is called the precondition and r the postcondition. Assertions are formulas in predicate logic. The intuitive reading of such a triple is: Whenever p holds of the state before the execution of Q, then r will hold afterwards. Note that if Q does not terminate, then there is no after, so r can be any statement at all. Indeed, one can choose r to be false to express that Q does not terminate. This is called partial correctness. If C terminates and at termination Q is true, the expression exhibits "total correctness". Termination would have to be proved separately. p {Q } r = [ Q (p r )] = (p r ) Q L1 if p {Q } r and p {Q } s then p {Q } (r s) L2 if p {Q } r and q {Q } r then (p q) {Q } r L3 if p {Q } r then (p q) {Q } (r s) L4 r(e) {x := e} r(x) L5 if (p b) {Q 1 } r and (p b) {Q 2 } r then p { Q 1 b Q 2 } r L6 if p {Q 1 } s and s {Q 2 } r then p { Q 1 ; Q 2 } r L7 if p {Q 1 } r and p {Q 2 } r then p { Q 1 Q 2 } r L8 if (b c) {Q } c then c { νx (Q ; X ) b I } ( b c) L9 false {Q } r and p {Q } true and p {false} false and p {I } p

49&50 Unifying Theories of Programming Unifying Theories of Programming 51&52 Proof of L1 (p {Q } r) (p {Q } s) = (Q (p r )) (Q (p s )) = (Q (p r ) (p s )) = (Q (p r s )) Assumptions and assertions c = I c [assumption] c = I c [assertion] = p {Q } (r s) Proof of L8 suppose that (b c) {Q } c define Y = c b c c { νx (Q ; X ) b I } ( b c) = Y νx (Q ; X ) b I [by definition] Y (Q ; Y ) b I [by sfp L1] = ( Y (b Q ) ; Y ) ( Y b I ) [refinement to cond] = ( Y (b Q ) ; Y ) [ b I (c b c )] [by def] = ( Y (b Q ) ; Y ) true predicate calculus = c { b Q ; Y } ( b c) [by definition] ( c { b Q } c ) ( c { c b c } b c ) [by Hoare L6] = true [by assumption and predicate calculus] Example b ; c = (I b ) ; c [by definition of b ] = ((I ; c ) b ( ; c )) [by -;-left distribution] = (c b ( ; c )) [by assignment.l5] = (c b ) [from above] = ((I c ) b ) [by definition of c ] = (I b c ) [by conditional.l3] = (b c) [by definition of (b c) ]

53&54 Unifying Theories of Programming Unifying Theories of Programming 55&56 Extreme solution p(v) { Q (v, v ) } r(v) = [ Q (v, v ) ( p(v) r(v ))] Examples b ; (P b Q ) = b ; P b ; (P b Q ) = b ; P = [ p(v) ( Q (v, v ) r(v ))] = [ p(v) ( v Q (v, v ) r(v ))] = [ p(v) ( v Q (v, v ) r(v ))] = [ p(v) ( v 0 Q (v, v 0 ) r(v 0 ))] = [ p(v) ( Q (v, v ) ; r(v)) ] if W (v) = ( Q (v, v ) ; r(v)) then W (v) { Q (v, v ) } r(v) W is the weakest solution for the precondition for Q to be guaranteed to achieve r wp calculus Q wp r = (Q ; r) Example b ; true ; c = b ; c b ; true ; c L1 ((x := e) wp r(x)) = r(e) L2 ((P ; Q ) wp r) = (P wp (Q wp r)) L3 ((P b Q ) wp r) = ((P wp r) b (Q wp r)) L4 ((P Q ) wp r) = (P wp r) (Q wp r) L5 if [ r s ] then [(Q wp r) (Q wp s)] L6 if [ Q S ] then [(S wp r) (Q wp r)] L7 (Q wp ( R)) = { (Q wp r) r R } L8 (Q wp false) = false if Q ; true = true L9 [(P ; Q ) S ] iff [ P (Q wp S)] weakest prespecification

57&58 Unifying Theories of Programming Unifying Theories of Programming 59&60 Variable declarations let A be an alphabet containing x and x var x = ( x I A ) end x = ( x I A ) α( var x ) = A \{x} α( end x ) = A \{x } Example ((var x ) wp r ) = (( x I ) wp r ) [by definition of var x] = (( x I ) ; r ) [by definition of wp] = ( x I ; r ) [relational calculus] = ( x r ) [by assignment.l5] = ( x r ) [by De Morgan s Law] ( var x ; Q ) = ( x Q ) ( Q ; end x ) = ( x Q ) Laws of declaration L1 ( var x ; var y ) = ( var y ; var x ) = ( var x, y ) L2 ( end x ; end y ) = ( end y ; end x ) = ( end x, y ) L3 ( var x ; end y ) = ( end y ; var x ) x, y distinct L4 ( var x ) = { ( var x := k ) k T } L5 ( var x ; ( P b Q ) = ((var x ; P ) b (var x ; Q )) no x in b L6 ( end x ; ( P b Q ) = ((end x ; P ) b (end x ; Q )) no x in b L7 ( var x ; end x ) = I L8 ( end x ; var x := e ) = ( x := e ) L9 ( x := e ; end x ) = ( end x ) Alphabet extension alphabet restriction: var x ; Q ; end x alphabet extension: R +x = R x = x for x, x αr α(r +x ) = αr {x, x } if R doesn t mention x, then L10 var x ; R +x ; P ; end x = R ; var x ; P ; end x L11 var x ; P ; R +x ; end x = var x ; P ; end x ; R

61&62 Unifying Theories of Programming A model for ARC P = x = on αp = {x, y} P ={{x on, y on}, {x on, y off}} sets of functions, each total over the alphabet formalised as deep embedding in Z/Eves and ProofPowerZ Types adding a simple type system to ARC Type ::= basic Name power Type product Type labelled Type suppose that τ : αp Type for αp = x,...,z Z = x τ(x) z τ(z) P is well typed: P = P Z

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback