Coinductive big-step semantics and Hoare logics for nontermination

Similar documents
Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Coinductive big-step operational semantics

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Unifying Theories of Programming

Hoare Logic: Reasoning About Imperative Programs

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Program verification using Hoare Logic¹

Floyd-Hoare Style Program Verification

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Hoare Logic: Part II

Reasoning About Imperative Programs. COS 441 Slides 10b

Propositional Dynamic Logic

Program Analysis Part I : Sequential Programs

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Operational Semantics Using the Partiality Monad

07 Equational Logic and Algebraic Reasoning

Logic: Bottom-up & Top-down proof procedures

Programming Languages

CS558 Programming Languages

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Loop Convergence. CS 536: Science of Programming, Fall 2018

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Spring 2014 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Proof Rules for Correctness Triples

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Software Engineering

Hoare Logic: Reasoning About Imperative Programs

A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs

The Underlying Semantics of Transition Systems

Programming Languages and Compilers (CS 421)

A Short Introduction to Hoare Logic

Verification Frameworks and Hoare Logic

Axiomatic semantics. Semantics and Application to Program Verification. Antoine Miné. École normale supérieure, Paris year

Automata-Theoretic Model Checking of Reactive Systems

Spring 2015 Program Analysis and Verification. Lecture 6: Axiomatic Semantics III. Roman Manevich Ben-Gurion University

Communicating Parallel Processes. Stephen Brookes

Hoare Examples & Proof Theory. COS 441 Slides 11

Abstraction for Falsification

Programming Languages and Types

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

CIS 500: Software Foundations

Propositional logic. First order logic. Alexander Clark. Autumn 2014

A note on coinduction and weak bisimilarity for while programs

3 Propositional Logic

Operational Semantics

Weakest Precondition Calculus

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

A probabilistic lambda calculus - Some preliminary investigations

Program verification. 18 October 2017

Probabilistic Guarded Commands Mechanized in HOL

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Advanced Topics in LP and FP

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Softwaretechnik. Lecture 13: Design by Contract. Peter Thiemann University of Freiburg, Germany

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic

Introduction to Metalogic 1

Strength; Weakest Preconditions

Hoare Calculus and Predicate Transformers

Quantum Recursion and Second Quantisation

Synthesis of Strategies and the Hoare Logic of Angelic Nondeterminism

Decidable Subsets of CCS

Towards a Unified Theory of Operational and Axiomatic Semantics

On simulations and bisimulations of general flow systems

Equations, contractions, and unique solutions

Deductive Verification

Hoare Logic (I): Axiomatic Semantics and Program Correctness

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

Tute 10. Liam O'Connor. May 23, 2017

Lecture 2: Axiomatic semantics

Tree Automata and Rewriting

A Note on Scope and Infinite Behaviour in CCS-like Calculi p.1/32

Safety and Liveness Properties

From CCS to Hybrid π via baby steps. Bill Rounds CSE, U of Michigan

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

A Theory for Composing Distributed Components, Based on Temporary Interference

Hoare Calculus for SIMT Programms

From Hoare Logic to Matching Logic

Foundations of Quantum Programming

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

The Locally Nameless Representation

Temporal Logic of Actions

Calculating axiomatic semantics from program equations by means of functional predicate calculus

From Liveness to Promptness

Between proof theory and model theory Three traditions in logic: Syntactic (formal deduction)

CSE20: Discrete Mathematics

A Characterization of Regular Expressions under Bisimulation

Why Can t You Behave? Non-Termination Analysis of Direct Recursive Rules with Constraints

A Tutorial Introduction to CSP in Unifying Theories of Programming

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Hoare Logic and Model Checking

Predicate Transforms I

Transcription:

Coinductive big-step semantics and Hoare logics for nontermination Tarmo Uustalu, Inst of Cybernetics, Tallinn joint work with Keiko Nakata COST Rich Models Toolkit meeting, Madrid, 17 18 October 2013

Motivation Standard big-step semantics and Hoare-style program logics do not account for nonterminating program behaviors. But we want to reason about nonterminating behaviors (esp in the context of reactive programming). Solution: Devise semantics operating on coinductively defined semantic entities (traces, resumptions) and logics for reasoning about them. Original inspiration: Leroy s work on coinductive big-step semantics in CompCert.

Constructivity An angle: We do programming language theory in a constructive setting (type theory). We are happy to apply non-constructive principles, where necessary, but want to notice when we do. This is the setting of proof assistants/dependently typed programming languages like Coq/Agda. It is nice to have semantics executable. Constructive proofs are (extract to) programs. In a constructive setting, indications of suboptimal designs sometimes surface earlier than in a classical setting.

This talk I show a trace-based big-step semantics and Hoare logic for the simple imperative language While, featuring nontermination from loops Could add recursive procedures or consider a (higher-order) functional language Important extensions: interactive input-output, shared-variable concurrency Here all intermediate states are tracked, generally may want to single out a class of observable event, identify weakly bisimilar traces.

Big-step semantics for nontermination

Syntax of While, states Statements are defined inductively by the grammar: s ::= x := e skip s 0 ; s 1 if e then s t else s f while e do s t States σ are assignments of integers to variables names.

Trace-based big-step semantics We describe both converging and diverging behaviors by one single evaluation relation defined coinductively. The leading idea is to avoid any need to decide if a computation converges or diverges. This requires (at least) appreciating that computations take time. Cf. Leroy, Grall: two separate evaluation relations, or one single evaluation relation, but no productivity. We will record all intermediate states, corresponding to the idea of making all intermediate states observable.

Traces We define traces coinductively (as non-empty possibly infinite lists of states) by σ : state σ : trace σ : state τ : trace σ :: τ : trace (Strong) bisimilarity is defined coinductively by σ σ τ τ σ :: τ σ :: τ We want to consider bisimilar traces as equal, so require that all predicates and functions on traces are stable under bisimilarity. Classically, bisimilarity is nothing but equality. Constructively, one has to be more careful...

Big-step semantics Evaluation relates an (initial) state to a trace and is defined coinductively: (x := e, σ) σ :: σ[x e σ] (skip, σ) σ (s 0, σ) τ (s 1, τ) τ (s 0 ; s 1, σ) τ σ = e (s t, σ :: σ ) τ σ = e (s f, σ :: σ ) τ (if e then s t else s f, σ) τ (if e then s t else s f, σ) τ σ = e (s t, σ :: σ ) τ (while e do s t, τ) τ (while e do s t, σ) τ σ = e (while e do s t, σ) σ :: σ

Big-step semantics ctd Extended evaluation relates an (already accumulated) trace to a (total) trace, is also defined coinductively: (s, σ) τ (s, σ ) τ (s, τ) τ (s, σ :: τ) σ :: τ (coinductive prefix closure of evaluation) Design choice: evaluation of an expression to assign/updating of a variable and evaluation of a guard constitute take unit time. Consideration: every loop always progresses, e.g., we have (while true do skip, σ) σ :: σ ::.... As a minimum, evaluating a guard to true must take unit time. Our choice of what takes unit time gives agreement up to bisimilarity with the natural small-step semantics.

Big-step semantics ctd Evaluation is stable under bisimilarity: If (s, σ) τ and τ τ, then (s, σ) τ. (Proof by coinduction.) Evaluation is deterministic (up to bisimilarity): If (s, σ) τ and (s, σ) τ, then τ τ. (Proof by coinduction.)

Big-step semantics, functional-style How to prove that evaluation is total, i.e., that, for any s, σ, there exists τ such that (s, σ) τ? Constructively, we must explicitly produce a witnessing τ from s, σ. This means defining evaluation and extended evaluations as functions. Evaluation: x := e σ = σ :: σ[x e σ] skip σ = σ s 0 ; s 1 σ = s 1 ( s 0 σ) if e then s t else s f σ = s t (σ :: σ ) σ = e = s f (σ :: σ ) σ = e while e do s t σ = while e do s t ( s t (σ :: σ )) σ = e = σ :: σ σ = e (almost structurally recursive, but not the clauses for while)

Big-step semantics, functional-style ctd Extension: (guarded corecursion) Evaluation is total: (s, σ) s σ. (By coinduction.) k ( σ ) = k σ k (σ :: τ) = σ :: (k τ)

Small-step semantics Single-step reduction is defined in the standard fashion inductively: (skip, σ) σ (x := e, σ) (skip, σ[x e σ]) (s 0, σ) σ (s 0 ; s 1, σ) (s 1, σ ) σ = e (if e then s t else s f, σ) (s t, σ) (s 0, σ) (s 0, σ ) (s 0 ; s 1, σ) (s 0 ; s 1, σ ) σ = e (if e then s t else s f, σ) (s f, σ) σ = e (while e do s t, σ) (s t ; while e do s t, σ) σ = e (while e do s t, σ) (skip, σ)

Small-step semantics ctd Maximal multi-step reduction is defined coinductively by: (s, σ) σ (s, σ) σ (s, σ) (s, σ ) (s, σ) σ :: τ (s, σ ) τ Similarly to evaluation, maximal multi-step reduction is stable under bisimilarity and deterministic up to bisimilarity.

Big-step vs small-step semantics Big-step semantics is sound wrt. small-step semantics: If (s, σ) τ, then (s, σ) τ. (Proof by coinduction.) It is also complete: If (s, σ) τ, then (s, σ) τ. If (s, τ) τ, then (s, τ) τ. (Proof by mutual coinduction.) (Here is the coinductive prefix closure of.) The following midpoint lemma is required: If (s 0 ; s 1, σ) τ, then there exists τ such that (s 0, σ) τ and (s 1, τ) τ. (Proof: τ is constructed by corecursion and the two conditions are proved by coinduction.)

Hoare logic

Hoare logic We present a Hoare logic corresponding to the trace-based big-step semantics. This uses assertions on both states and traces. We don t define a fixed syntax of assertions, instead we use predicates. Trace predicates must be stable under bisimilarity. For trace assertions (predicates), we need some interesting connectives (operations on predicates). Proofs are defined inductively, as in standard Hoare logic.

Assertion connectives Some trace predicates: σ = U σ = U σ :: σ[x e σ] = [x e] σ :: σ = σ = finite τ = finite σ :: τ = finite τ = infinite σ :: τ = infinite All these predicates are stable under bisimilarity.

Assertion connectives ctd Chop and dagger: τ 0 = P τ = τ0 Q τ 0 = P τ = τ0 P τ = P Q σ = P τ = P where σ = Q σ = σ Q σ : τ = Q σ : τ = σ Q τ = τ0 Q σ : τ = σ:τ0 Q Cf. interval temporal logic, B. Mosztowski If P, Q are stable under bisimilarity, then so is P Q. If P is stable under bisimilarity, so is P. If τ is infinite and τ = P, then τ = P Q for any Q!

Hoare proofs Proofs are defined inductively by the rules {U} x := e { U [x e]} {U} skip { U } {U} s 0 {P V } {V } s 1 {Q} {U} s 0 ; s 1 {P Q} {e U} s t {P} { e U} s f {P} {U} if e then s t else s f { P} U = I {e I } s t {P I } {U} while e do s t {( P) e } U = U {U } s {P } P = P {U} s {P}

Soundness The Hoare logic is sound. If {U} s {P}, then σ = U and (s, σ) τ imply τ = P. (By induction on {U} s {P}, subordinate coinduction in several cases.)

Completeness The Hoare logic is also complete. If, for any σ, τ, σ = U and (s, σ) τ imply τ = P, then {U} s {P}. To prove this, one defines for any s, U, a trace predicate sp(s, U) (the strongest postcondition), by structural recursion on s. Now completeness follows from these lemmata: {U} s {sp(s, U}. (By induction on s). If τ = sp(s, U), then (s, hd τ) τ. (By induction on s.) The latter gives as an immediate corollary: If, for all σ, τ, σ = U and (s, σ) τ imply τ = P, then sp(s, U) = P.

Strongest postconditions Strongest postconditions: sp(x := e, U) = U [x e] sp(skip, U) = U sp(s 0 ; s 1, U) = sp(s 0, U) sp(s 1, Last (sp(s 0, U)) sp(if e then s t else s f, U) = U (sp(s t, e U) sp(s f, e U)) sp(while e do s t, U) = U ( sp(s t, e Inv(e, s t, U))) e τ σ τ = P σ = Last P σ = U σ = Inv(e, s, U) σ = Last(sp(s, e Inv(e, s, U))) σ = Inv(e, s, U)

Embedding of standard Hoare logic The standard Hoare logic embeds into the Hoare logic for trace-based semantics. If {U} s {Z} in the standard (partial correctness) Hoare logic, then {U} s {true Z }. (Could go via soundness and completeness. But there is a direct proof by induction.) Similarly, the total-correctness Hoare logic also embeds into our logic. If {U} s {Z} in the total correctness Hoare logic, then {U} s {finite Z }.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback