Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm

Transcription

1 Applying Data Refinement for Monadic Programs to Hopcroft s Algorithm Peter Lammich, Thomas Tuerk ITP 2012, 13th August 2012

2 Background Peter Lammich Isabelle Collection Framework (ICF) verified collection datastructures in Isabelle/HOL generation of efficient functional code Refinement for Monadic Programs Thomas Tuerk Computer Aided Verification of Automata ( Hopcroft s minimisation algorithm largest case study of Refinement Framework so far

3 Structure 1 Monadic Refinement Framework Background 2 Explanation using Hopcroft s Minimisation Algorithm 3 Conclusion

4 Stepwise Program Refinement trade-off: abstract vs. concrete formalisations of programs abstract programs: easy to verify concrete programs: efficiently executable standard solution: stepwise program refinement Spec P 1... P n Impl each step provably preserves correctness steps concentrate on single issues more modular and manageable proofs refinement framework supports relational specifications framework based on shallow embedding using monads

5 Refinement Framework Foundations Set/Exception monad datatype r nres ::= res (r set) fail return x := res {x} { bind m f := fail x X f x if m = fail if m = res X refinement: f x f x intuition: possible results of f x are also results of f x programs are HOL-functions f : a r nres least, greatest fixed point for recursion usual programming constructs available

6 Hopcroft s Algorithm Hopcroft s algorithm minimises initially connected DFAs efficient and widely-used computes the Myhill-Nerode equivalence relation {{q q accepts same language as q} q Q} details unimportant, let s focus on refinement Abstract Algorithm Hopcroft step abstract(a, a, C s, P, L) = spec (P, L ). P = Split A (P, (a, C s)) splitter P A (P, (a, C s), L, L ); Hopcroft abstract(a) = if (Q = ) then return else if (F = ) then return {Q} else while T Hopcroft abstract invar (λ(p, L). L ) (λ(p, L). do { (a, C s) spec x. x L; (P, L ) Hopcroft step abstract(a, a, C s, P, L); return (P, L ) }) (part F, {(a, F) a Σ})

7 Hopcroft s Algorithm Hopcroft s algorithm minimises initially connected DFAs efficient and widely-used computes the Myhill-Nerode equivalence relation {{q q accepts same language as q} q Q} do-notation of monads allows readable programs Abstract Algorithm Hopcroft step abstract(a, a, C s, P, L) = spec (P, L ). P = Split A (P, (a, C s)) splitter P A (P, (a, C s), L, L ); Hopcroft abstract(a) = if (Q = ) then return else if (F = ) then return {Q} else while T Hopcroft abstract invar (λ(p, L). L ) (λ(p, L). do { (a, C s) spec x. x L; (P, L ) Hopcroft step abstract(a, a, C s, P, L); return (P, L ) }) (part F, {(a, F) a Σ})

8 Hopcroft s Algorithm Hopcroft s algorithm minimises initially connected DFAs efficient and widely-used computes the Myhill-Nerode equivalence relation {{q q accepts same language as q} q Q} nondeterminism easy to use Abstract Algorithm Hopcroft step abstract(a, a, C s, P, L) = spec (P, L ). P = Split A (P, (a, C s)) splitter P A (P, (a, C s), L, L ); Hopcroft abstract(a) = if (Q = ) then return else if (F = ) then return {Q} else while T Hopcroft abstract invar (λ(p, L). L ) (λ(p, L). do { (a, C s) spec x. x L; (P, L ) Hopcroft step abstract(a, a, C s, P, L); return (P, L ) }) (part F, {(a, F) a Σ})

9 Hopcroft s Algorithm Hopcroft s algorithm minimises initially connected DFAs efficient and widely-used computes the Myhill-Nerode equivalence relation {{q q accepts same language as q} q Q} constructs like if-then-else or while available Abstract Algorithm Hopcroft step abstract(a, a, C s, P, L) = spec (P, L ). P = Split A (P, (a, C s)) splitter P A (P, (a, C s), L, L ); Hopcroft abstract(a) = if (Q = ) then return else if (F = ) then return {Q} else while T Hopcroft abstract invar (λ(p, L). L ) (λ(p, L). do { (a, C s) spec x. x L; (P, L ) Hopcroft step abstract(a, a, C s, P, L); return (P, L ) }) (part F, {(a, F) a Σ})

10 Hopcroft s Algorithm Hopcroft s algorithm minimises initially connected DFAs efficient and widely-used computes the Myhill-Nerode equivalence relation {{q q accepts same language as q} q Q} shallow embedding handy Abstract Algorithm Hopcroft step abstract(a, a, C s, P, L) = spec (P, L ). P = Split A (P, (a, C s)) splitter P A (P, (a, C s), L, L ); Hopcroft abstract(a) = if (Q = ) then return else if (F = ) then return {Q} else while T Hopcroft abstract invar (λ(p, L). L ) (λ(p, L). do { (a, C s) spec x. x L; (P, L ) Hopcroft step abstract(a, a, C s, P, L); return (P, L ) }) (part F, {(a, F) a Σ})

11 Correctness correctness expressed by refinement A. DFA A = Hopcroft abstract(a) spec P. P = Myhill Nerode partition A refinement framework provides syntax driven verification condition generator proof can focus on algorithm, not refinement or representation however, correctness proof non-trivial

12 Refinement Steps step 1: implement Hopcroft step abstract with foreach loop simple preconditions = Hopcroft step set(a, a, C s, P, L) Hopcroft step abstract(a, a, C s, P, L) Hopcroft step set very similar to presentation in literature step 2: optimise loop by precomputing predecessors simple preconditions = Hopcroft step pre(a, a, C s, P, L) Hopcroft step set(a, a, C s, P, L) again, good tool support by the refinement framework assert very useful

13 Data Refinement implementing partitions as sets of sets is inefficient lets use datastructure based on finite maps instead data refinement needed more general: replace abstract data type by concrete one e. g. implement sets by red-black trees abstraction relation R = {(c, a) a = α R c I R c} concretisation function R : a nres c nres transitive: m R m m S m = m RS m

14 Refinement Steps II step 3: implement partitions by finite maps A. DFA A = Hopcroft map(a) R 1 Hopcroft abstract(a) step 4: implement classes with intervals of natural numbers A. DFA A = Hopcroft map2(a) R 2 Hopcroft map(a) these refinement steps are non-trivial verification condition generator for data refinements proofs focus on essence of problem

15 Code Generation step 5: use Isabelle Collection Framework (ICF) implement finite maps by red-black trees or arrays implement sets by red-black trees or sorted lists... A. DFA A = Hopcroft impl(a) R 3 Hopcroft map2(a) step 6: bring into special form for code generation A. DFA A = return Hopcroft code(a) Hopcroft impl(a) there is good tool support step 6 is nearly fully automatic

16 Code Generation II transitivity leads to A. DFA A = return Hopcroft code(a) R 1 R 2 R 3 spec P. P = Myhill Nerode partition A Isabelle/HOL allows code generation in functional languages Standard ML OCaml Haskell Scala...

17 Experimental Results No. No. No. Baclet/Pagetti Lammich/Tuerk Leiß DFAs states labels OCaml OCaml PolyML PolyML s 6.59 s 1.88 s 5.38 s s s 3.51 s s s s 3.97 s s s s 7.56 s s s s s s s s 5.37 s s s s s s Experimental Results (measured on an Intel Core I7 2720QM)

18 Conclusion refinement framework for monadic programs based on refinement calculus implemented in Isabelle/HOL available in Archive of Formal Proofs ( case study of Hopcroft s algorithm first formalisation efficient version not feasible without refinement available at

19 Other Applications BFS, DFS graph traversals [Lammich] Dijkstra s shortest paths algorithm [Nordhoff, Lammich] nested DFS (Büchi automata acceptance) [Neumann] Henzinger s Algorithm (simulation preorders for NFAs) [Eberl] Gerth s algorithm (LTL to Büchi automata), work in progress [Schimpf] saturation algorithm for pre of PDS/DPN, work in progress [Lammich]

20 Current / Future Work additional automation support for complexity proofs heap monads with separation logic