A CRASH COURSE IN SEMANTICS

Similar documents
type classes & locales

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

COMP 4161 NICTA Advanced Course. Advanced Topics in Software Verification. Toby Murray, June Andronick, Gerwin Klein

λ calculus is inconsistent

Theorem Proving Principles, Techniques, Applications Recursion

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

locales ISAR IS BASED ON CONTEXTS CONTENT Slide 3 Slide 1 proof - fix x assume Ass: A. x and Ass are visible Slide 2 Slide 4 inside this context

Lecture 5 - Axiomatic semantics

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Induction and Semantics in Dafny

Introduction to Axiomatic Semantics

An Annotated Language

Application: Programming Language Semantics

HOL DEFINING HIGHER ORDER LOGIC LAST TIME ON HOL CONTENT. Slide 3. Slide 1. Slide 4. Slide 2 WHAT IS HIGHER ORDER LOGIC? 2 LAST TIME ON HOL 1

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Abstract Interpretation

Lectures 20, 21: Axiomatic Semantics

COMP4161: Advanced Topics in Software Verification. fun. Gerwin Klein, June Andronick, Ramana Kumar S2/2016. data61.csiro.au

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

CS2104 Prog. Lang. Concepts

In Our Last Exciting Episode

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

Assignment #4: Lambda Calculus & Semi-automatic Program Verification. You are allowed to work on this assignment in pairs. Hand in Requirements:

Programming Languages Lecture 14: Sum, Product, Recursive Types

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Inductive datatypes in HOL. lessons learned in Formal-Logic Engineering

CS422 - Programming Language Design

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Hoare Logic: Proving Programs Correct

Contents. Chapter 1 SPECIFYING SYNTAX 1

6. Hoare Logic and Weakest Preconditions

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

3.7 Denotational Semantics

Hoare triples. Floyd-Hoare Logic, Separation Logic

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

1 Introduction. 3 Syntax

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Introduction to Axiomatic Semantics (1/2)

COMP 507: Computer-Aided Program Design

CIS 500 Software Foundations. Final Exam. May 3, Answer key

CSC 7101: Programming Language Structures 1. Operational Semantics. Winskel, Ch. 2 Slonneger and Kurtz Ch 8.4, 8.5, 8.6. Operational vs.

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Semantics of Imperative Objects

CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011

Review. CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Let bindings (CBV) Adding Stuff. Booleans and Conditionals

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Gradual Typing with Union and Intersection Types

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

Module 10: Imperative Programming, Modularization, and The Future

Getting Started with AutoCorres

Semantics of Imperative Objects

Functional Programming and Modeling

Overview. A Compact Introduction to Isabelle/HOL. Tobias Nipkow. System Architecture. Overview of Isabelle/HOL

Shared Variables and Interference

We defined congruence rules that determine the order of evaluation, using the following evaluation

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Programming Languages Fall 2014

Formal Methods. CITS5501 Software Testing and Quality Assurance

Reasoning About Imperative Programs. COS 441 Slides 10

Integration of SMT Solvers with ITPs There and Back Again

Introduction to Axiomatic Semantics (1/2)

Functional Programming with Isabelle/HOL

Now that we have keys defined for the maps, we can start talking about maps. The first of these are Total Maps. Total Maps are defined as follows:

Static Program Analysis

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

PROGRAM ANALYSIS & SYNTHESIS

Semantics and Verification of Software

CS115 - Module 10 - General Trees

Interactive Testing with HOL-TestGen

Symbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)

Combining Programming with Theorem Proving

The Programming Language Core

Axiomatic Semantics. More Semantics. Review - Operational Semantics. Partial Correctness Assertions. Programs Theorems. Axiomatic Semantics

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

Combining Static and Dynamic Contract Checking for Curry

Shared Variables and Interference

Program analysis parameterized by the semantics in Maude

Static Program Analysis

3.4 Denotational Semantics

Static analysis and all that

Axiomatic Semantics. Automated Deduction - George Necula - Lecture 2 1

Preuves Interactives et Applications

Verification of Selection and Heap Sort Using Locales

Chapter 3 (part 3) Describing Syntax and Semantics

Programming Languages

Backward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops

Why. an intermediate language for deductive program verification

CIS 500: Software Foundations

Deductive Program Verification with Why3, Past and Future

Formal Semantics of Programming Languages

3.3 Small-Step Structural Operational Semantics (Small-Step SOS)

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

CMSC 330: Organization of Programming Languages. Operational Semantics

Semantics with Applications 3. More on Operational Semantics

Transcription:

LAST TIME Recdef More induction NICTA Advanced Course Well founded orders Slide 1 Theorem Proving Principles, Techniques, Applications Slide 3 Well founded recursion Calculations: also/finally {P}... {Q} [trans]-rules CONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic, natural deduction Slide 2 Term rewriting Proof & Specification Techniques Slide 4 A CRASH COURSE IN SEMANTICS Inductively defined sets, rule induction Datatypes, recursion, induction More recursion, Calculational reasoning Hoare logic, proofs about programs Locales, Presentation LAST TIME 1 IMP - A SMALL IMPERATIVE LANGUAGE 2

IMP - A SMALL IMPERATIVE LANGUAGE WHAT DOES IT DO? Commands: So far we have defined: Slide 5 datatype com = SKIP Assign loc aexp ( := ) Semi com com ( ; ) Cond bexp com com (IF THEN ELSE ) While bexp com (WHILE DO OD) Slide 7 Syntax of commands and expressions State of programs (function from variables to values) Now we need: the meaning (semantics) of programs How to define execution of a program? types loc = string types state = loc nat A wide field of its own (visit a semantics course!) Some choices: types aexp = state nat types bexp = state bool Operational (inductive relations, big step, small step) Denotational (programs as functions on states, state transformers) Axiomatic (pre-/post conditions, Hoare logic) EXAMPLE PROGRAM STRUCTURAL OPERATIONAL SEMANTICS Slide 6 Usual syntax: B := 1; WHILE A 0 DO B := B A; A := A 1 OD Expressions are functions from state to bool or nat: Slide 8 SKIP, σ σ e σ = v x := e, σ σ[x v] c 1, σ σ c 2, σ σ c 1 ; c 2, σ σ B := (λσ. 1); WHILE (λσ. σ A 0) DO B := (λσ. σ B σ A); A := (λσ. σ A 1) OD b σ = True c 1, σ σ IF b THEN c 1 ELSE c 2, σ σ b σ = False c 2, σ σ IF b THEN c 1 ELSE c 2, σ σ WHAT DOES IT DO? 3 STRUCTURAL OPERATIONAL SEMANTICS 4

STRUCTURAL OPERATIONAL SEMANTICS PROOFS ABOUT PROGRAMS Now we know: b σ = False WHILE b DO c OD, σ σ What programs are: Syntax On what they work: State How they work: Semantics Slide 9 b σ = True c, σ σ WHILE b DO c OD, σ σ WHILE b DO c OD, σ σ Slide 11 So we can prove properties about programs Example: Show that example program from slide 6 implements the factorial. lemma factorial, σ σ = σ B = fac (σa) (where fac 0 = 0, fac (Suc n) = (Suc n) fac n) Slide 10 DEMO: THE DEFINITIONS IN ISABELLE Slide 12 DEMO: EXAMPLE PROOF PROOFS ABOUT PROGRAMS 5 TOO TEDIOUS 6

TOO TEDIOUS MEANING OF A HOARE-TRIPLE {P } c {Q} What are the assertions P and Q? Induction needed for each loop Here: again functions from state to bool (shallow embedding of assertions) Other choice: syntax and semantics for assertions (deep embedding) Slide 13 Is there something easier? Slide 15 What does {P } c {Q} mean? Partial Correctness: = {P } c {Q} ( σ σ. P σ c, σ σ = Q σ ) Total Correctness: = {P } c {Q} ( σ. P σ = σ. c, σ σ Q σ ) This lecture: partial correctness only (easier) FLOYD/HOARE HOARE RULES Idea: describe meaning of program by pre/post conditions {P } SKIP {P } {P [x e]} x := e {P } Slide 14 Examples: {True} x := 2 {x = 2} {y = 2} x := 21 y {x = 42} {x = n} IF y < 0 THEN x := x + y ELSE x := x y {x = n y } Slide 16 {P } c 1 {R} {R} c 2 {Q} {P } c 1 ; c 2 {Q} {P b} c 1 {Q} {P b} c 2 {Q} {P } IF b THEN c 1 ELSE c 2 {Q} {A = n} factorial {B = fac n} {P b} c {P } P b = Q {P } WHILE b DO c OD {Q} Proofs: have rules that directly work on such triples P = P {P } c {Q } Q = Q {P } c {Q} MEANING OF A HOARE-TRIPLE 7 HOARE RULES 8

HOARE RULES NICER, BUT STILL KIND OF TEDIOUS {P } SKIP {P } {λσ. P (σ(x := e σ))} x := e {P } Hoare rule application seems boring & mechanical. {P } c 1 {R} {R} c 2 {Q} {P } c 1 ; c 2 {Q} Automation? Problem: While need creativity to find right (invariant) P Slide 17 {λσ. P σ b σ} c 1 {R} {λσ. P σ b σ} c 2 {Q} {P } IF b THEN c 1 ELSE c 2 {Q} Slide 19 Solution: annotate program with invariants {λσ. P σ b σ} c {P } σ. P σ b σ = Q σ then, Hoare rules can be applied automatically {P } WHILE b DO c OD {Q} σ. P σ = P σ {P } c {Q } σ. Q σ = Qσ {P } c {Q} Example: {M = 0 N = 0} WHILE M a INV {N = M b} DO N := N + b; M := M + 1 OD {N = a b} ARE THE RULES CORRECT? WEAKEST PRECONDITIONS Soundness: {P } c {Q} = = {P } c {Q} pre c Q = weakest P such that {P } c {Q} Proof: by rule induction on {P } c {Q} With annotated invariants, easy to get: pre SKIP Q = Q Slide 18 Slide 20 pre (x := a) Q = λσ. Q(σ(x := aσ)) pre (c 1 ; c 2 ) Q = pre c 1 (pre c 2 Q) Demo: Hoare Logic in Isabelle pre (IF b THEN c 1 ELSE c 2 ) Q = λσ. (b pre c 1 Q σ) ( b pre c 2 Q σ) pre (WHILE b INV I DO c OD) Q = I NICER, BUT STILL KIND OF TEDIOUS 9 VERIFICATION CONDITIONS 10

VERIFICATION CONDITIONS RECORDS IN ISABELLE {pre c Q} c {Q} only true under certain conditions Example: Records are a tuples with named components Slide 21 These are called verification conditions vc c Q: vc SKIP Q = True vc (x := a) Q = True vc (c 1 ; c 2 ) Q = vc c 2 Q (vc c 1 (pre c 2 Q)) vc (IF b THEN c 1 ELSE c 2 ) Q = vc c 1 Q vc c 2 Q Slide 23 record A = a :: nat b :: int Selectors: a :: A nat, b :: A int, a r = Suc 0 Constructors: ( a = Suc 0, b = 1 ) Update: r( a := Suc 0 ) vc (WHILE b INV I DO c OD) Q = ( σ. Iσ bσ pre c I σ) ( σ. Iσ bσ Q σ) vc c I vc c Q (pre c Q = P ) = {P } c {Q} Records are extensible: record B = A + c :: nat list ( a = Suc 0, b = 1, c = [0, 0] ) SYNTAX TRICKS x := λσ. 1 instead of x := 1 sucks {λσ. σ x = n} instead of {x = n} sucks as well Problem: program variables are functions, not values Solution: distinguish program variables syntactically Slide 22 Choices: declare program variables with each Hoare triple Slide 24 DEMO nice, usual syntax works well if you state full program and only use vcg separate program variables from Hoare triple (use extensible records), indicate usage as function syntactically more syntactic overhead program pieces compose nicely RECORDS IN ISABELLE 11 MORE 12

MORE EXERCISES Slide 25 Available now in Isablle: procedures with blocks and local variables and (mutual) recursion exceptions arrays pointers Slide 27 Write a program in IMP that calculates quotient and reminder of x IN and y IN Find the right invariant for its while loop. Show its correctness in Isabelle: {True} program { Q y + Ŕ = x Ŕ < y } We re working at: nondeterminsm probability object orientation Write an IMP program that sorts arrays (lists) by insertion sort. Formulate and show its correctness in Isabelle. WE HAVE SEEN TODAY... Syntax and semantics of IMP Hoare logic rules Soundness of Hoare logic Slide 26 Verification conditions Example program proofs EXERCISES 13 EXERCISES 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback