# Proving Invariants of Functional Programs

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Proving Invariants of Functional Programs Zoltán Horváth, Tamás Kozsik, Máté Tejfel Eötvös Loránd University Department of General Computer Science Abstract. In a pure functional language like Clean the values of the functional variables are constants; variables of functional programs do not change in time. Hence it seems that temporality has no meaning in functional programs. However, in certain cases (e.g. in interactive or distributed programs, or in ones that use IO) we would like to consider a series of values computed from each other as different states of the same abstract object. For this abstract object we can already prove temporal properties. In this paper we present the concept of object abstraction and show how to interpret and prove temporal properties of functional programs. 1 Introduction When proving correctness of (sequential or parallel) imperative programs, one can make use of several temporal logical operators. Some well-known such operators are e.g. nexttime, sometimes, always and invariant. All these operators can be expressed based on the weakest precondition operator [6, 7]. However, temporal logical operators are less frequently used when reasoning about functional programs (among the few exceptions are e.g. [5, 8 10]). This paper aims to answer the question how to interpret and prove temporal properties of functional programs. The temporal logical operators describe how the values of the program variables (the so-called program state) vary in time. For example, the weakest precondition of a program statement with respect to a postcondition holds for a state a if and only if the statement starting from a always terminates in a state for which the postcondition holds. The weakest precondition of a statement is possible to compute in an automated way: one has to rewrite the postcondition according to the substitution rules defined by the statement. We will show some examples of how this is done in section 3.1. A property P is an invariant with respect to a program if P holds initially and all the atomic statements of the program preserve P. Note that the second part of this requirement can be expressed with the weakest precondition operator: for all atomic statements, the weakest precondition of the statement with respect to P must follow from P. This ensures that if we execute an atomic Supported by OTKA T037742

2 116 Zoltán Horváth, Tamás Kozsik, Máté Tejfel statement in a state where P holds (and hence the weakest precondition of the statement with respect to P also holds), the statement will again terminate in a state for which P holds. We will formalize this in the following way. (The weakest precondition operator is denoted by wp, while a program and its atomic statements are denoted by S and s, respectively.) s S : P wp(s, P ) Invariants can manifest in many ways: we can talk about loop invariants (where the atomic statement is a loop body), type invariants (where the atomic statements are the primitive operations of a type), and invariants are an important concept in many parallel programming methodologies as well (see e.g. [4]). We believe that invariants are popular because they provide a very natural concept and a very useful abstraction for specifying and proving properties of programs. This paper focuses on invariant properties, hence we omit the description of the other afore-mentioned temporal logical operators. When proving correctness of functional programs, the practicability of temporal operators is not obvious. In a pure functional programming language a variable is a value, like in mathematics, and not an object that can change its value in time, viz. during program execution. Due to referential transparency, reasoning about functional programs can be accomplished with a fairly simple mathematical machinery, using, for example, classical logic and induction (see e.g. [11]). This fact is one of the basic advantages of functional programs over imperative ones. In our opinion, however, in certain cases it is natural to express our knowledge about the behaviour of a functional program (or, we had better say, our knowledge about the values the program computes) in terms of temporal logical operators. Moreover, in the case of parallel or distributed functional programs, temporal properties are exactly as useful as they are in the case of imperative programs. For example, those invariants which are preserved by all components of a distributed or parallel program, are also preserved by the compound program. According to our approach, certain values computed during the evaluation of a functional program can be regarded as successive values of the same abstract object. This corresponds directly to the view which certain object-oriented functional languages hold. We have chosen Clean [13], a lazy, pure functional language for our research. An important factor in our choice was that a theorem prover, Sparkle [11] is already built in the integrated development environment of Clean. Sparkle supports reasoning about Clean programs almost directly. We would like to extend the first-order logic used by Sparkle with temporal operators, thus making semiautomated reasoning about parallel, interactive or distributed Clean programs easier. The uniqueness type system of Clean [2] makes destructive updates possible without violating referential transparency. The uniqueness type system guarantees that certain values are only used once in the program (they are unique),

3 Proving Invariants of Functional Programs 117 hence they can be destructively updated when computing other values. This technique is used to define I/O in Clean, furthermore it greatly increases the efficiency of Clean programs. It is interesting to see that in many cases, an abstract object of our approach corresponds to a set of unique values: values that were computed from each other by destructive updates. Hence the abstract view of objects often but not always coincides with the memory layout of the implementation. The rest of the paper is organized in the following way. In Section 2 we introduce our approach through a simplistic example. Then in Section 3 we present a formal method for the calculation of weakest preconditions and for the proof of invariant properties. Next, in Section 4, we give a more realistic example of object abstraction, and show a simple invariant property of an abstract object. Section 5 presents the proof of a more interesting invariant property. Finally, in section 6, we draw the conclusions and define future work. 2 Object abstraction In Clean the uniqueness type system makes destructive updates possible without violating referential transparency. Not only the efficiency of Clean programs can be increased by destructive updates, but also the I/O system of Clean is defined in terms of a unique environment. (The other well-known technique to define pure functional I/O is the monadic approach, applied in the language Haskell [12].) The Object I/O library [1] is a standard API for Clean. Programs written with the Object I/O library are reactive. They create a unique state space (referred to as process state and local state in Object I/O terminology), and define initialization and state transition functions. The library supports interactive processes, which can be created and closed dynamically. Each interactive process may consist of an arbitrary number of interactive objects. To characterize the behavior of I/O processes we can use a temporal logic-based notation [4, 7]. We have researched this issue in [8, 9]. This paper investigates a more general approach to formulating and proving temporal properties of functional programs. In this approach we can also reason about Clean programs that do not use unique values or interactive Object I/O processes. Not only the call-back functions of Object I/O will be state transition functions: the programmer can demarcate state transitions explicitly in a more flexible way. Different values computed by a functional program and stored in variables (in the functional sense of variables) can be regarded as different states of the same object. State transitions will thus be the pieces of functional code that compute such a value from another one. Our first example, though it might seem oversimplified, illustrates well our concept of object abstraction. Suppose we want to sort (in ascending order) a list containing five numbers. We will make use of the function bubble. This function searches for two elements in a list that are in wrong order. If it can find such two elements, it swaps them and returns the resulting list, otherwise it returns

4 118 Zoltán Horváth, Tamás Kozsik, Máté Tejfel the original list. Obviously, it is sufficient to invoke bubble 25 times to sort five numbers. sort_5 list = bubble (bubble (... (bubble list)...)) We can write the same program in Clean using so-called let-before expressions. Both of the following function definitions are legal in Clean and have the same meaning. The one on the right uses the same name, list, to all 24 variables. In this case the usual static nested scoping rules apply. (The line # list = bubble list introduces a nested scope with a fresh list variable, thus hiding the variable with the same name appearing on the right-hand side.) sort_5 list sort_5 list # ls1 = bubble list # list = bubble list # ls2 = bubble ls1 # list = bubble list # ls3 = bubble ls2 # list = bubble list # ls23 = bubble ls22 # list = bubble list = bubble ls23 = bubble list An important property of the bubble function is that the list it returns is a permutation of the list it receives. If we regard the list values computed in sort_5 as the successive states of the same abstract object, and consider bubble an atomic operation, we can formulate an invariant, a temporal property of sort_5. If we denote our abstract list object with list, then the invariant can be written as: list perm(list). Here list denotes the argument of sort_5. Consider now the second definition of sort_5, the one that contains the variables ls1, ls2, ls3, etc. Our approach should allow us to declare that the abstract object list is made up of the values list, ls1, ls2,..., ls23 and bubble ls23. Furthermore, it should allow us to declare that bubble is considered atomic and that each invocation of bubble in sort_5 is a state transition. 2.1 The object abstraction operator We introduce an operator which maps functional values to our semantic domain, the state space. This object abstraction operator will be used to refer to the abstract object to which a value belongs. In our sorting example list will refer to the same abstract object as e.g. ls1. This can be expressed by the equation list = ls1. (Hence the object abstraction operator will define an equivalence relation over the values appearing in a functional program.) Moreover, the successive values

5 Proving Invariants of Functional Programs 119 of the same abstract object will define an abstract time structure denoted by the partial ordering < t. list < t ls1 < t ls2 < t... < t ls23 < t (bubble ls23) If more than one object is present in a certain piece of code, then the states are compositions of the individual states of the objects. In such cases two or more objects can be involved in an atomic state transition over this compound state space. Since evaluation is lazy in Clean, the partial ordering < t determines a branching time structure over the state space. Fortunately, we do not have to refer explicitly to the < t relation, because we use temporal logical operators instead. 2.2 Identification of state transitions It would be useful to assign symbolic names to pieces of code which correspond to atomic state transitions. We introduce an infix binary operator for labeling, which does not have any influence on computation: the operator.: simply drops its first argument, the label. For example, we can label a state transition "b" in the following way: # list = "b".: (bubble list) This let before definition determines the value of list on the left-hand side depending on the value of list on the right-hand side. The two list-s are different from each other, the list on the left-hand side hides (within its scope) the list on the right hand side. We may consider the two list-s (two different functional entities) belonging to the same abstract object list. According to this object abstraction the list on the left-hand side represents a descendant of the value of list on the right-hand side. The let-before definition labeled by "b" represents an atomic state transition. 3 Formal calculations In this section we explain how to calculate the weakest precondition of an atomic action with respect to a postcondition, and how to prove invariant properties of programs. Consider the following piece of code, which increases a value by one modulo 5. # v = "f".: (if (v<5) (inc v) 0) Let our state space consist of a single component, the state represented by object v. Both values denoted by v are associated with this object. Moreover, we assume that the state transition labeled with "f" is atomic.

6 120 Zoltán Horváth, Tamás Kozsik, Máté Tejfel 3.1 Formal calculation of weakest precondition Let us consider the following postcondition R: R( v ) = (0 v < 5). We are interested in characterizing all states from where the atomic state transition "f" terminates in a state for which R holds, i.e. we would like to determine the weakest precondition of "f" with respect to R. If v 5, then the new v value will be equal to 0, hence the new value of the abstract object v will be 0. If v < 5, then the new v is calculated by incrementing the old v, hence the state of v is changed to v + 1. The postcondition holds for the new value, if the weakest precondition calculated below holds for the original state. This example illustrates the general method that we can use to calculate the weakest precondition: in the postcondition we should substitute the old value of the object with its new value. wp(f, R) = ( v < 5 0 inc( v ) < 5) ( v < 5) The new value used in the substitution is the right-hand side of the definition of the function which function is applied on the old value of the abstract object. This way the calculation of the weakest precondition is a simple rewriting step, which fits very well into the world of functional computations. 3.2 Proving invariants Proving that a property P is an invariant requires two things. First, one has to check whether the initial values of the objects satisfy P. Next, one has to calculate the weakest precondition for all atomic state transitions: for each such atomic state transition one has to compute the substitution of P using the corresponding state transition function. Then one should prove that all these wp-s hold, if P holds. Now we show how to prove that the atomic step "f" preserves the truth of R, i.e. R wp(f, R). We have to prove by hand or by a proof assistant (e.g. Sparkle) the following theorem: 0 v < 5 ( v < 5 0 inc( v ) < 5) ( v < 5). To complete the proof we have to apply the definition of inc which is a rewriting step again and then use the well-known deduction rules of classical logic. 4 A more realistic example Consider now a more complex example. The analyzed Clean function will be a binary search. It takes an array of elements of type a (where a is a type

7 Proving Invariants of Functional Programs 121 variable expressing polymorphism) and a value of type a. It returns either Nothing, if the given value could not be found in the array, or (Just h), if the given value was found at position h in the array. The array is unique (denoted by the * symbol in the type specification of the function), that s why bin_search also returns a new unique reference to it. The implementation of unique arrays is very similar to objects in imperative languages, in the sense that the new array is stored in the same memory location where the old array was stored. This is possible because uniqueness guarantees that there are no more references to the old array. bin_search :: *{a} a -> (Maybe Int, *{a}) Ord, Eq a bin_search arr e # (s, arr) = usize arr = find_it arr 0 (s-1) where find_it arr u v u > v = (Nothing, arr) otherwise # h = (u+v)/2 # (arr_h, arr) = uselect arr h arr_h == e = (Just h, arr) otherwise # (u,v) = if (arr_h<e) (h+1,v) (u,h-1) = find_it arr u v Functions usize and uselect are from the standard library. They can be used to retrieve the size and an element of a unique array, respectively. Now let us apply bin_search on an array arr and an element e. (h,arr1) = bin_search arr e Note that the binary search algorithm requires as precondition that its first argument is a sorted array. We will denote it with the following formula: sorted(arr) We introduce the abstract object arr from values arr and arr1, where arr < t arr1. First we would like to prove a trivial invariant property of this object, namely that bin_search does not change the unique array. P ( arr ) = ( arr = arr), P inv We will not consider bin_search an atomic state transition, hence we will dive into its definition. We identify one more state of the arr object, namely when arr has the value arr returned by usize. Now the second state transition of arr changes this second occurrence of arr to arr1 by applying find_it. The two state transitions are the following:

8 122 Zoltán Horváth, Tamás Kozsik, Máté Tejfel (s,arr) = usize arr (h,arr1) = find_it arr 0 (s-1) In order to prove that P is an invariant of bin_search, we will prove that it is also an invariant of find_it. Again, we will not consider the second state transition atomic, hence we will dive into the definition of find_it. Since find_it is defined as an alternative construct with two branches, we will replace our second state transition with two other state transitions: one corresponding to the u > v case, the other one corresponding to the otherwise (that is the (u > v)) case. This latter can be further refined, until we obtain the following six state transitions of arr, which we will not intend to further refine. (Irrelevant results of state transitions are replaced with the joker character underscore.) s 1 : (_,arr) = usize arr s 2 : if u > v, then (_,arr1) = (Nothing, arr) s 3 : if (u > v), then (_,arr1) = uselect arr h s 4 : if (u > v) arr h = e, then (_,arr1) = (Just h, arr) s 5 : if (u > v) (arr h = e), then (_,arr1) = find_it arr u v (Notice that the variables u and v in the predicate and in the formal arguments of find_it represent two different values with the same name.) Note that the last state transition is the recursive application of find_it and therefore can be cut. We will consider the remaining 4 state transitions atomic. To prove that ( arr = arr) is an invariant of bin_search and find_it with respect to the atomicity level described above, we show that all these atomic state transitions preserve this property and that this property holds for the initial value of arr. The first part is fairly simple: s 2 and s 4 apply the identity function on the array, while s 1 and s 3 apply usize and uselect, which again do not change the value of the abstract object. (For this latter we must formulate axioms about these two standard library functions.) Finally, we should prove that the initial value of arr, namely arr satisfies ( arr = arr), which is obvious, since this requires that arr should be equal to itself. 5 A more interesting invariant property of binary search If we want to prove the partial correctness of bin_search namely that e does not appear in arr, if bin_search e arr returns Nothing, and that e can be found in arr at position h, if bin_search e arr returns Just h we can make use of some further invariants of our program. We can identify new abstract objects and express our assumptions about them in terms of invariants. New abstract objects and new invariants describing their behaviour are introduced usually when we dive into a function invocation. In our example this happens at the point where find_it is applied in bin_search. Hence we extend the state space with u and v : these objects specify the interval where find_it looks for the value e in arr. We are about to formulate invariants expressing that e cannot be found in arr at a position outside the interval [ u.. v ].

9 Proving Invariants of Functional Programs 123 First of all let us describe more precisely the object abstraction for u and v. Their initial values are 0 and s 1, respectively, according to the application of find_it within bin_search. (Note that the value s comes from usize arr, thus it is the length of the array.) Furthermore, all occurrences of the second argument of find_it correspond to the u object, and all occurrences of the third argument of find_it correspond to the v object. The extension of the state space and the introduction of new abstract objects is often followed by the refinement of the time structure < t. For example, in bin_search we can cut the state transition s 5 (previously considered atomic) into two steps. The two new state transitions replacing s 5 will be considered atomic steps from now on. They are the following: s 5a : if (u > v) (arr h = e), then (u,v) = if (arr_h<e) (h+1,v) (u,h-1) s 5b : if (u > v) (arr h = e), then (_,arr1) = find_it arr u v Our refined invariant, P will be the conjunction of four parts. The first part is the original P, which states that the initial value of the array object is preserved. The second part specifies that the array remains sorted. The third part states that the interval identified by u and v is either empty or part of the domain of the array. Finally, the fourth part claims that the element we are looking for is not outside the [ u, v ] interval. The free variables x, y and i in the following formulas are implicitly universally quantified. P ( arr, u, v ) = P ( arr ) P 0 ( arr ) P 1 ( arr, u, v ) P 2 ( arr, u, v ) where P 0 ( arr ) = sorted( arr ) P 1 ( arr, u, v ) = ( ((x, y) = usize arr ) ( u v ) ) 0 u v < x P 2 ( arr, u, v ) = ( ((x, y) = uselect arr i ) ( i < u i > v ) ) (x = e) To prove that P is an invariant of find_it we have to check whether the initial values of the objects satisfy P, and we have to show that P guarantees the weakest precondition of P for all the atomic actions s 2, s 3, s 4, s 5a and s 5b of find_it. Note that s 1 need not be considered, since this state transition is outside of find_it, and hence the scope of P. However, we still have to prove for this state transition (and also for the others, s 2, s 3, s 4, s 5a and s 5b )

10 124 Zoltán Horváth, Tamás Kozsik, Máté Tejfel the relevant, weaker invariant P P 0, because this invariant will be used as a precondition during the proof of (P inv find it ). We omit the proof for (P P 0 inv bin search ) here, since it is fairly simple; we will focus on find_it and P. The precondition Q for find_it is the following: P P 0 u = 0 v = s 1. This should guarantee P, that is Q P P 0 P 1 P 2. The interesting part is that Q P 1 and Q P 2. If we rewrite P 1 and P 2 according to the equalities found in Q, we obtain the following formulas: P 1 (arr, 0, s 1) = ( ((x, y) = usize arr ) ( 0 s 1 ) ) 0 0 s 1 < x P 2 (arr, 0, s 1) = ( ((x, y) = uselect arr i ) ( i < 0 i > s 1 ) ) (x = e) The first formula is valid, because the value of x appearing in the formula must be equal to s, the size of arr obtained in s 1. (Here we have to use the definition of the functional variable s, namely (s,_) = usize arr.) The second formula is also valid, since the left-hand side of the implication cannot hold. (The standard library function uselect is undefined when applied to an array arr and an index i outside of the domain of arr. This can be expressed by the following axiom: (p, q) = usize r (x, y) = uselect q i 0 i < p.) Now let us prove that P wp(f, P ) for all state transitions f from s 2, s 3, s 4, s 5a and s 5b. If we have already proved P P 0 wp(f, P P 0 ), as mentioned earlier, then we only need to show that P wp(f, P 1 P 2 ). (This is a nice property of refined invariants.) The proofs for s 2, s 3 and s 4 are trivial, hence we omit these cases. Moreover, s 5b is a recursive application of find_it, therefore this case can be cut. Hence we focus on the single interesting part: P wp(s 5a, P 1 P 2 ). According to the well-known conjunctivity property of wp, we can perform the proof separately for the weakest precondition of P 1 and for that of P 2. Furthermore, since s 5a contains an if construct, the proofs for the two branches of the if can be separately given. Hence we obtain four goals to prove. Here we give the ones for P 1 ; the other two are similar, just replace P 1 with P 2. By calculation of the weakest precondition we get: P ( arr, u, v ) ( u > v ) (arr h = e) (arr h < e) P 1 ( arr, h + 1, v ) P ( arr, u, v ) ( u > v ) (arr h = e) (arr h < e) P 1 ( arr, u, h 1). As an illustration, we present the proof for the first goal for P 1. First let us expand the formula P 1 ( arr, h + 1, v ), which we have obtained after the sub-

11 Proving Invariants of Functional Programs 125 stitution of u by h + 1: P 1 ( arr, h + 1, v ) = ( ((x, y) = usize arr ) ( h + 1 v ) ) 0 h + 1 v < x. Notice that the only non-trivial part of the proof is to show that under the appropriate hypotheses 0 h + 1. Remember that the functional variable h denotes ( u + v )/2, where the symbol / is the division operator on integer numbers (e.g. 3/2 = = 1 and ( 3)/2 = 2 = 1). Hence the proof can be easily accomplished by applying the following three lemmas on u and v : x + y 2 +1 y x + y 2 +1 y x x + y 2 +1 x x + y 2 +1 The proof of the second goal for P 1 is symmetrical to this proof. Finally, the proofs of the two goals for P 2 make use of the hypothesis P 0 ( arr ), which formulates that arr is sorted. These proofs are left to the reader as an exercise. 6 Conclusions and future work In this paper we have presented a method that allows the definition and proof of temporal properties (namely invariants) in pure functional languages. We have introduced the concept of object abstraction by contracting functional (that is mathematical) variables, which represent static values, into objects with dynamic (temporal) behaviour. According to this concept we could define an abstract time structure in programs, representing the computational dependencies of values (object states) on other values (other object states). We have also introduced the notion of state transitions. We have illustrated how invariants over a set of atomic state transitions can be computed and how this process can be automatized. Our approach defines an alternative semantics of Clean programs. According to this alternative semantics, some evaluation steps correspond to state transitions over an abstract state space. The abstract state space is created by the object abstraction, where series of pure functional values are associated to an abstract objects. The evaluation order is non-deterministic in case of lazy evaluation, so the transition steps determine a branching time structure over the elements of the state space. The mapping of values to objects and the labeling of state transitions can be performed by using annotations and/or supported by an appropriate user interface integrated into the proof assistant. Furthermore, objects and state transitions can be extracted from a functional program written in an appropriate style in an automated way. Our model is straightforward to extend to a full temporal logic. We can prove all temporal properties which are based on the nexttime operation, i.e. on the calculation of the weakest precondition [4, 7]. We intend to prove general safety properties (unless), and progress properties (leads-to, ensures)

12 126 Zoltán Horváth, Tamás Kozsik, Máté Tejfel for Clean programs in the future. This methodology could be supported by an extension to Sparkle [11], the theorem prover tool for Clean, to make reasoning about temporal properties of interactive, parallel or distributed Clean programs possible. References 1. Achten, P., Plasmeijer, R.: Interactive Objects in Clean. Proceedings of Implementation of Functional Languages, 9th International Workshop, IFL 97 (K. Hammond et al (eds)), St. Andrews, Scotland, UK, September 1997, LNCS 1467, pp Barendsen, E., Smetsers, S.: Uniqueness typing for functional languages with graph rewriting semantics. Mathematical Structures in Comp. Sci. 6, pp Butterfield, A., Dowse, M., Strong, G.: Proving Make Correct: IO Proofs in Haskell and Clean. Proceedings of Implementation of Functional Programming Languages, Madrid, pp Chandy, K. M., Misra, J.: Parallel program design: a foundation. Addison-Wesley, Dam, M., Fredlund, L., Gurov, D.: Toward Parametric Verification of Open Distributed Systems. Compositionality: The Significant Difference (H. Langmaack, A. Pnueli, W.-P. De Roever (eds)), Springer-Verlag Dijkstra, E. W.: A Discipline of Programming. Prentice-Hall Inc., Englewood Cliffs (N.Y.), Horváth Z.: The Formal Specification of a Problem Solved by a Parallel Program a Relational Model. Annales Uni. Sci. Bp. de R. Eötvös Nom. Sectio Computatorica, Tom. XVII. (1998) pp Horváth Z., Achten, P., Kozsik T., Plasmeijer, R.: Proving the Temporal Properties of the Unique World. Proceedings of the Sixth Symposium on Programming Languages and Software Tools, Tallin, Estonia, August pp Horváth Z., Achten, P., Kozsik T., Plasmeijer, R.: Verification of the Temporal Properties of Dynamic Clean Processes. Proceedings of Implementation of Functional Languages, IFL 99, Lochem, The Netherlands, Sept. 7 10, pp Kozsik T., van Arkel, D., Plasmeijer, R.: Subtyping with Strengthening Type Invariants. Proceedings of the 12th International Workshop on Implementation of Functional Languages (M. Mohnen, P. Koopman (eds)), Aachener Informatik-Berichte, Aachen, Germany, September pp de Mol, M., van Eekelen, M., Plasmeijer, R.: Theorem Proving for Functional Programmers, Sparkle: A Functional Theorem Prover, Springer Verlag, LNCS 2312, p. 55 ff., Peyton Jones, S., Hughes, J., et al. Report on the Programming Language Haskell 98, A Non-strict, Purely Functional Language, February Plasmeijer, R., van Eekelen, M.: Concurrent Clean Version 2.0 Language Report, clean/manuals/manuals.html

### 6. Hoare Logic and Weakest Preconditions

6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program

### CS 161 Computer Security

Wagner Spring 2014 CS 161 Computer Security 1/27 Reasoning About Code Often functions make certain assumptions about their arguments, and it is the caller s responsibility to make sure those assumptions

### NOTES ON OBJECT-ORIENTED MODELING AND DESIGN

NOTES ON OBJECT-ORIENTED MODELING AND DESIGN Stephen W. Clyde Brigham Young University Provo, UT 86402 Abstract: A review of the Object Modeling Technique (OMT) is presented. OMT is an object-oriented

### How invariants help writing loops Author: Sander Kooijmans Document version: 1.0

How invariants help writing loops Author: Sander Kooijmans Document version: 1.0 Why this document? Did you ever feel frustrated because of a nasty bug in your code? Did you spend hours looking at the

### CSC 501 Semantics of Programming Languages

CSC 501 Semantics of Programming Languages Subtitle: An Introduction to Formal Methods. Instructor: Dr. Lutz Hamel Email: hamel@cs.uri.edu Office: Tyler, Rm 251 Books There are no required books in this

### Verification of Selection and Heap Sort Using Locales

Verification of Selection and Heap Sort Using Locales Danijela Petrović September 19, 2015 Abstract Stepwise program refinement techniques can be used to simplify program verification. Programs are better

### 3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

3.4 Deduction and Evaluation: Tools 3.4.1 Conditional-Equational Logic The general definition of a formal specification from above was based on the existence of a precisely defined semantics for the syntax

### Formal Verification of MIX Programs

Formal Verification of MIX Programs Jean-Christophe Filliâtre CNRS LRI, Univ Paris-Sud, Orsay F-91405 INRIA Futurs, ProVal, Orsay F-91893 Abstract We introduce a methodology to formally verify MIX programs.

### Software Engineering Lecture Notes

Software Engineering Lecture Notes Paul C. Attie August 30, 2013 c Paul C. Attie. All rights reserved. 2 Contents I Hoare Logic 11 1 Propositional Logic 13 1.1 Introduction and Overview..............................

### Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree

Analysis of dependent types in Coq through the deletion of the largest node of a binary search tree Sneha Popley and Stephanie Weirich August 14, 2008 Abstract Coq reflects some significant differences

### 1 Problem Description

Tree Isomorphism: An Exercise in Functional Programming Jayadev Misra 9/10/01 1 Problem Description The problem is to decide if two unordered trees are the same. More precisely, define a binary relation

### A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov

### Institut für Informatik D Augsburg

Universität Augsburg Safer Ways to Pointer Manipulation Bernhard Möller Report 2000-4 Mai 2000 Institut für Informatik D-86135 Augsburg Copyright c Bernhard Möller Institut für Informatik Universität Augsburg

### Clean-CORBA Interface for Parallel Functional Programming on Clusters

Clean-CORBA Interface for Parallel Functional Programming on Clusters Zoltán Horváth, Zoltán Varga, Viktória Zsók Department of General Computer Science University of Eötvös Loránd, Budapest e-mail: hz@inf.elte.hu,

### Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Specifications Prof. Clarkson Fall 2015 Today s music: Nice to know you by Incubus Question Would you like a tiny bonus to your final grade for being here on time today? A. Yes B. Sí C. Hai D. Haan E.

### Verification Condition Generation via Theorem Proving

Verification Condition Generation via Theorem Proving John Matthews Galois Connections Inc. J Strother Moore University of Texas at Austin Sandip Ray University of Texas at Austin Daron Vroon Georgia Institute

### CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Recall Architecture of Compilers, Interpreters CMSC 330: Organization of Programming Languages Source Scanner Parser Static Analyzer Operational Semantics Intermediate Representation Front End Back End

### Chapter 3 (part 3) Describing Syntax and Semantics

Chapter 3 (part 3) Describing Syntax and Semantics Chapter 3 Topics Introduction The General Problem of Describing Syntax Formal Methods of Describing Syntax Attribute Grammars Describing the Meanings

### Chapter 3: Propositional Languages

Chapter 3: Propositional Languages We define here a general notion of a propositional language. We show how to obtain, as specific cases, various languages for propositional classical logic and some non-classical

### Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Introduction to Linear-Time Temporal Logic CSE 814 Introduction to LTL 1 Outline Motivation for TL in general Types of properties to be expressed in TL Structures on which LTL formulas are evaluated Syntax

### Proof Pearl: The Termination Analysis of Terminator

Proof Pearl: The Termination Analysis of Terminator Joe Hurd Computing Laboratory Oxford University joe.hurd@comlab.ox.ac.uk Abstract. Terminator is a static analysis tool developed by Microsoft Research

### A Partial Correctness Proof for Programs with Decided Specifications

Applied Mathematics & Information Sciences 1(2)(2007), 195-202 An International Journal c 2007 Dixie W Publishing Corporation, U. S. A. A Partial Correctness Proof for Programs with Decided Specifications

### Term Algebras with Length Function and Bounded Quantifier Elimination

with Length Function and Bounded Ting Zhang, Henny B Sipma, Zohar Manna Stanford University tingz,sipma,zm@csstanfordedu STeP Group, September 3, 2004 TPHOLs 2004 - p 1/37 Motivation: Program Verification

### CS422 - Programming Language Design

1 CS422 - Programming Language Design Denotational Semantics Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign 2 Denotational semantics, alsoknownasfix-point semantics,

### The Typed λ Calculus and Type Inferencing in ML

Notes on Types S. Arun-Kumar Department of Computer Science and Engineering Indian Institute of Technology New Delhi, 110016 email: sak@cse.iitd.ernet.in April 14, 2002 2 Chapter 1 The Typed λ Calculus

### The Arrow Calculus (Functional Pearl)

The Arrow Calculus (Functional Pearl) Sam Lindley Philip Wadler Jeremy Yallop University of Edinburgh Abstract We introduce the arrow calculus, a metalanguage for manipulating Hughes s arrows with close

### 3 No-Wait Job Shops with Variable Processing Times

3 No-Wait Job Shops with Variable Processing Times In this chapter we assume that, on top of the classical no-wait job shop setting, we are given a set of processing times for each operation. We may select

### Hoare Logic: Proving Programs Correct

Hoare Logic: Proving Programs Correct 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Reading: C.A.R. Hoare, An Axiomatic Basis for Computer Programming Some presentation ideas from a lecture

### Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Part II. Hoare Logic and Program Verification Part II. Hoare Logic and Program Verification Dilian Gurov Props: Models: Specs: Method: Tool: safety of data manipulation source code logic assertions Hoare

### 1 Variations of the Traveling Salesman Problem

Stanford University CS26: Optimization Handout 3 Luca Trevisan January, 20 Lecture 3 In which we prove the equivalence of three versions of the Traveling Salesman Problem, we provide a 2-approximate algorithm,

### Compositional Cutpoint Verification

Compositional Cutpoint Verification Eric Smith (Stanford University) Collaborators: David Dill (Stanford University) David Hardin (Rockwell Collins) Contact ewsmith@stanford.edu Background Based on A Symbolic

### Fundamental Concepts. Chapter 1

Chapter 1 Fundamental Concepts This book is about the mathematical foundations of programming, with a special attention on computing with infinite objects. How can mathematics help in programming? There

### Compiling Exceptions Correctly

Compiling Exceptions Correctly Graham Hutton and Joel Wright School of Computer Science and IT University of Nottingham, United Kingdom Abstract. Exceptions are an important feature of modern programming

### Verification of a Concurrent Deque Implementation

Verification of a Concurrent Deque Implementation Robert D. Blumofe C. Greg Plaxton Sandip Ray Department of Computer Science, University of Texas at Austin rdb, plaxton, sandip @cs.utexas.edu June 1999

### Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 1 Tuesday, January 29, 2013 1 Intro to semantics What is the meaning of a program? When we write a program, we use

### Introduction to Axiomatic Semantics

Introduction to Axiomatic Semantics Meeting 10, CSCI 5535, Spring 2009 Announcements Homework 3 due tonight Homework 2 is graded 13 (mean), 14 (median), out of 21 total, but Graduate class: final project

### Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Natural Semantics Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1 1 Natural deduction is an instance of first-order logic; that is, it is the formal

### Evaluation Strategies for Functional Logic Programming

Evaluation Strategies for Functional Logic Programming WRS 01, Utrecht, May 26 Sergio Antoy antoy@cs.pdx.edu Portland State University 1 Outline Whats, hows and whys of Functional Logic Programming. Constructor-based

### Week 5 Tutorial Structural Induction

Department of Computer Science, Australian National University COMP2600 / COMP6260 Formal Methods in Software Engineering Semester 2, 2016 Week 5 Tutorial Structural Induction You should hand in attempts

### Lecture 3: Recursion; Structural Induction

15-150 Lecture 3: Recursion; Structural Induction Lecture by Dan Licata January 24, 2012 Today, we are going to talk about one of the most important ideas in functional programming, structural recursion

### A Simplified Correctness Proof for a Well-Known Algorithm Computing Strongly Connected Components

A Simplified Correctness Proof for a Well-Known Algorithm Computing Strongly Connected Components Ingo Wegener FB Informatik, LS2, Univ. Dortmund, 44221 Dortmund, Germany wegener@ls2.cs.uni-dortmund.de

Monads in Haskell Nathanael Schilling December 12, 2014 Abstract In Haskell, monads provide a mechanism for mapping functions of the type a -> m b to those of the type m a -> m b. This mapping is dependent

### On Meaning Preservation of a Calculus of Records

On Meaning Preservation of a Calculus of Records Emily Christiansen and Elena Machkasova Computer Science Discipline University of Minnesota, Morris Morris, MN 56267 chri1101, elenam@morris.umn.edu Abstract

### Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications

### A Theory of Parallel Computation The π-calculus

A Theory of Parallel Computation The π-calculus Background DFAs, NFAs, pushdown automata, Turing machines... All are mathematical entities that model computation. These abstract systems have concrete,

### Rule Formats for Nominal Modal Transition Systems

Rule Formats for Nominal Modal Transition Systems Anke Stüber Universitet Uppsala, Uppsala, Sweden anke.stuber@it.uu.se Abstract. Modal transition systems are specification languages that allow the expression

### Lecture 4. First order logic is a formal notation for mathematics which involves:

0368.4435 Automatic Software Verification April 14, 2015 Lecture 4 Lecturer: Mooly Sagiv Scribe: Nimrod Busany, Yotam Frank Lesson Plan 1. First order logic recap. 2. The SMT decision problem. 3. Basic

### Shared Variables and Interference

Illinois Institute of Technology Lecture 24 Shared Variables and Interference CS 536: Science of Programming, Spring 2018 A. Why Parallel programs can coordinate their work using shared variables, but

c Springer-Verlag In Proc. of the International Conference on Logic Programming, ICLP 2007. Springer LNCS 4670, pp. 45-75, 2007 Multi-paradigm Declarative Languages Michael Hanus Institut für Informatik,

### Chapter 3. The While programming language

Chapter 3 The While programming language 1 Contents 3 The While programming language 1 3.1 Big-step semantics........................... 2 3.2 Small-step semantics.......................... 9 3.3 Properties................................

### Mathematical Logic Prof. Arindama Singh Department of Mathematics Indian Institute of Technology, Madras. Lecture - 37 Resolution Rules

Mathematical Logic Prof. Arindama Singh Department of Mathematics Indian Institute of Technology, Madras Lecture - 37 Resolution Rules If some literals can be unified, the same algorithm should be able

### Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs

Chapter 3 Asynchronous Models 3.1 Asynchronous Processes Like a synchronous reactive component, an asynchronous process interacts with other processes via inputs and outputs, and maintains an internal

### CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS422 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and

### TIME-BASED CONSTRAINTS IN THE OBJECT CONSTRAINT LANGUAGE OCL

TIME-BASED CONSTRAINTS IN THE OBJECT CONSTRAINT LANGUAGE OCL Ali Hamie, John Howse School of Computing, Mathematical and Information Sciences, University of Brighton, Brighton, UK. {a.a.hamie@brighton.ac.uk,

### Disjoint Support Decompositions

Chapter 4 Disjoint Support Decompositions We introduce now a new property of logic functions which will be useful to further improve the quality of parameterizations in symbolic simulation. In informal

### 7. Introduction to Denotational Semantics. Oscar Nierstrasz

7. Introduction to Denotational Semantics Oscar Nierstrasz Roadmap > Syntax and Semantics > Semantics of Expressions > Semantics of Assignment > Other Issues References > D. A. Schmidt, Denotational Semantics,

### Lecture 5 Sorting Arrays

Lecture 5 Sorting Arrays 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning, Rob Simmons We begin this lecture by discussing how to compare running times of functions in an abstract,

### Mathematical Induction

Mathematical Induction Victor Adamchik Fall of 2005 Lecture 3 (out of three) Plan 1. Recursive Definitions 2. Recursively Defined Sets 3. Program Correctness Recursive Definitions Sometimes it is easier

### Figure 4.1: The evolution of a rooted tree.

106 CHAPTER 4. INDUCTION, RECURSION AND RECURRENCES 4.6 Rooted Trees 4.6.1 The idea of a rooted tree We talked about how a tree diagram helps us visualize merge sort or other divide and conquer algorithms.

### Reasoning about programs. Chapter 9 of Thompson

Reasoning about programs Chapter 9 of Thompson Proof versus testing A proof will state some property of a program that holds for all inputs. Testing shows only that a property holds for a particular set

### CS 3512, Spring Instructor: Doug Dunham. Textbook: James L. Hein, Discrete Structures, Logic, and Computability, 3rd Ed. Jones and Barlett, 2010

CS 3512, Spring 2011 Instructor: Doug Dunham Textbook: James L. Hein, Discrete Structures, Logic, and Computability, 3rd Ed. Jones and Barlett, 2010 Prerequisites: Calc I, CS2511 Rough course outline:

### XI International PhD Workshop OWD 2009, October Fuzzy Sets as Metasets

XI International PhD Workshop OWD 2009, 17 20 October 2009 Fuzzy Sets as Metasets Bartłomiej Starosta, Polsko-Japońska WyŜsza Szkoła Technik Komputerowych (24.01.2008, prof. Witold Kosiński, Polsko-Japońska

### VCC: A Practical System for Verifying Concurrent C

VCC: A Practical System for Verifying Concurrent C Ernie Cohen 1, Markus Dahlweid 2, Mark Hillebrand 3, Dirk Leinenbach 3, Michal Moskal 2, Thomas Santen 2, Wolfram Schulte 4 and Stephan Tobies 2 1 Microsoft

### A Simplied NP-complete MAXSAT Problem. Abstract. It is shown that the MAX2SAT problem is NP-complete even if every variable

A Simplied NP-complete MAXSAT Problem Venkatesh Raman 1, B. Ravikumar 2 and S. Srinivasa Rao 1 1 The Institute of Mathematical Sciences, C. I. T. Campus, Chennai 600 113. India 2 Department of Computer

### Fundamental mathematical techniques reviewed: Mathematical induction Recursion. Typically taught in courses such as Calculus and Discrete Mathematics.

Fundamental mathematical techniques reviewed: Mathematical induction Recursion Typically taught in courses such as Calculus and Discrete Mathematics. Techniques introduced: Divide-and-Conquer Algorithms

### Recall our recursive multiply algorithm:

Recall our recursive multiply algorithm: PRECONDITION: x and y are both binary bit arrays of length n, n a power of 2. POSTCONDITION: Returns a binary bit array equal to the product of x and y. REC MULTIPLY

### Lecture 5. Logic I. Statement Logic

Ling 726: Mathematical Linguistics, Logic. Statement Logic V. Borschev and B. Partee, September 27, 2 p. Lecture 5. Logic I. Statement Logic. Statement Logic...... Goals..... Syntax of Statement Logic....2.

### Basic Elements of Computer Algebra in MIZAR

Basic Elements of Computer Algebra in MIZAR Adam Naumowicz Czeslaw Bylinski Institute of Computer Science University of Bialystok, Poland adamn@math.uwb.edu.pl Section of Computer Networks University of

### What is a Graphon? Daniel Glasscock, June 2013

What is a Graphon? Daniel Glasscock, June 2013 These notes complement a talk given for the What is...? seminar at the Ohio State University. The block images in this PDF should be sharp; if they appear

### Chapter 4. Number Theory. 4.1 Factors and multiples

Chapter 4 Number Theory We ve now covered most of the basic techniques for writing proofs. So we re going to start applying them to specific topics in mathematics, starting with number theory. Number theory

### Chapter 2 The Language PCF

Chapter 2 The Language PCF We will illustrate the various styles of semantics of programming languages with an example: the language PCF Programming language for computable functions, also called Mini-ML.

### Topic 3: Propositions as types

Topic 3: Propositions as types May 18, 2014 Propositions as types We have seen that the main mathematical objects in a type theory are types. But remember that in conventional foundations, as based on

### Lecture 15 : Review DRAFT

CS/Math 240: Introduction to Discrete Mathematics 3/10/2011 Lecture 15 : Review Instructor: Dieter van Melkebeek Scribe: Dalibor Zelený DRAFT Today slectureservesasareviewofthematerialthatwillappearonyoursecondmidtermexam.

### Chapter 2 Overview of the Design Methodology

Chapter 2 Overview of the Design Methodology This chapter presents an overview of the design methodology which is developed in this thesis, by identifying global abstraction levels at which a distributed

### To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

CS 70 Discrete Mathematics for CS Fall 2003 Wagner Lecture 7 This lecture returns to the topic of propositional logic. Whereas in Lecture 1 we studied this topic as a way of understanding proper reasoning

### Programming with Math and Logic

.. Programming with Math and Logic an invitation to functional programming Ed Morehouse Wesleyan University The Plan why fp? terms types interfaces The What and Why of Functional Programming Computing

### Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay Lecture - 11 Coding Strategies and Introduction to Huffman Coding The Fundamental

### Semantical Aspects of an Architecture for Distributed Embedded Systems

Semantical Aspects of an Architecture for Distributed Embedded Systems Roel Bloo Eindhoven University of Technology Eindhoven, The Netherlands bloo@win.tue.nl Jozef Hooman University of Nijmegen Nijmegen,

### Programming with dependent types: passing fad or useful tool?

Programming with dependent types: passing fad or useful tool? Xavier Leroy INRIA Paris-Rocquencourt IFIP WG 2.8, 2009-06 X. Leroy (INRIA) Dependently-typed programming 2009-06 1 / 22 Dependent types In

### Once Upon a Polymorphic Type

Once Upon a Polymorphic Type Keith Wansbrough Computer Laboratory University of Cambridge kw217@cl.cam.ac.uk http://www.cl.cam.ac.uk/users/kw217/ Simon Peyton Jones Microsoft Research Cambridge 20 January,

### Verifying Java Programs Verifying Java Programs with KeY

Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at

### Liveness and Fairness Properties in Multi-Agent Systems

Liveness and Fairness Properties in Multi-Agent Systems Hans-Dieter Burkhard FB Informatik Humboldt-University Berlin PF 1297, 1086 Berlin, Germany e-mail: hdb@informatik.hu-berlin.de Abstract Problems

### Priority Queues. 1 Introduction. 2 Naïve Implementations. CSci 335 Software Design and Analysis III Chapter 6 Priority Queues. Prof.

Priority Queues 1 Introduction Many applications require a special type of queuing in which items are pushed onto the queue by order of arrival, but removed from the queue based on some other priority

### NOTE ON MINIMALLY k-connected GRAPHS

NOTE ON MINIMALLY k-connected GRAPHS R. Rama a, Suresh Badarla a a Department of Mathematics, Indian Institute of Technology, Chennai, India ABSTRACT A k-tree is either a complete graph on (k+1) vertices

### Lecture Notes on Linear Search

Lecture Notes on Linear Search 15-122: Principles of Imperative Computation Frank Pfenning Lecture 5 January 28, 2014 1 Introduction One of the fundamental and recurring problems in computer science is

### Tree Interpolation in Vampire

Tree Interpolation in Vampire Régis Blanc 1, Ashutosh Gupta 2, Laura Kovács 3, and Bernhard Kragl 4 1 EPFL 2 IST Austria 3 Chalmers 4 TU Vienna Abstract. We describe new extensions of the Vampire theorem

### the application rule M : x:a: B N : A M N : (x:a: B) N and the reduction rule (x: A: B) N! Bfx := Ng. Their algorithm is not fully satisfactory in the

The Semi-Full Closure of Pure Type Systems? Gilles Barthe Institutionen for Datavetenskap, Chalmers Tekniska Hogskola, Goteborg, Sweden Departamento de Informatica, Universidade do Minho, Braga, Portugal

### THE RELATIONAL MODEL. University of Waterloo

THE RELATIONAL MODEL 1-1 List of Slides 1 2 The Relational Model 3 Relations and Databases 4 Example 5 Another Example 6 What does it mean? 7 Example Database 8 What can we do with it? 9 Variables and

### An Interesting Way to Combine Numbers

An Interesting Way to Combine Numbers Joshua Zucker and Tom Davis October 12, 2016 Abstract This exercise can be used for middle school students and older. The original problem seems almost impossibly

### Chapter 3. Set Theory. 3.1 What is a Set?

Chapter 3 Set Theory 3.1 What is a Set? A set is a well-defined collection of objects called elements or members of the set. Here, well-defined means accurately and unambiguously stated or described. Any

### Lecture 5: The Halting Problem. Michael Beeson

Lecture 5: The Halting Problem Michael Beeson Historical situation in 1930 The diagonal method appears to offer a way to extend just about any definition of computable. It appeared in the 1920s that it

### Computing Fundamentals 2 Introduction to CafeOBJ

Computing Fundamentals 2 Introduction to CafeOBJ Lecturer: Patrick Browne Lecture Room: K408 Lab Room: A308 Based on work by: Nakamura Masaki, João Pascoal Faria, Prof. Heinrich Hußmann. See notes on slides

### Function compose, Type cut, And the Algebra of logic

Function compose, Type cut, And the Algebra of logic XIE Yuheng SZDIY community xyheme@gmail.com Abstract In this paper, I demonstrate the Curry-Howard correspondence of Gentzen s sequent calculus, and

### A New Logical Framework for Deductive Planning *

A New Logical Framework for Deductive Planning * Werner Stephan and Susanne Biundo German Research Center for Artificial Intelligence (DFKI) Stuhlsatzenhausweg 3, 66123 Saarbrucken e-mail: @dfki.uni-sb.cie

### Encryption as an Abstract Datatype:

June 2003 1/18 Outline Encryption as an Abstract Datatype: an extended abstract Dale Miller INRIA/Futurs/Saclay and École polytechnique 1. Security protocols specified using multisets rewriting. 2. Eigenvariables

### Rigidity, connectivity and graph decompositions

First Prev Next Last Rigidity, connectivity and graph decompositions Brigitte Servatius Herman Servatius Worcester Polytechnic Institute Page 1 of 100 First Prev Next Last Page 2 of 100 We say that a framework

### The Fibonacci hypercube

AUSTRALASIAN JOURNAL OF COMBINATORICS Volume 40 (2008), Pages 187 196 The Fibonacci hypercube Fred J. Rispoli Department of Mathematics and Computer Science Dowling College, Oakdale, NY 11769 U.S.A. Steven