Axiomatic Specification. Al-Said, Apcar, Jerejian

Similar documents
An Annotated Language

Chapter 3. Describing Syntax and Semantics

Programming Languages Third Edition

Lecture 5 - Axiomatic semantics

An Evolution of Mathematical Tools

Introduction to Axiomatic Semantics

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

CSL105: Discrete Mathematical Structures. Ragesh Jaiswal, CSE, IIT Delhi

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Chapter 3 (part 3) Describing Syntax and Semantics

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Induction and Semantics in Dafny

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

LOGIC AND DISCRETE MATHEMATICS

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Formal Methods. CITS5501 Software Testing and Quality Assurance

Lectures 20, 21: Axiomatic Semantics

Chapter 3. Describing Syntax and Semantics ISBN

CSE 307: Principles of Programming Languages

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Towards a Logical Reconstruction of Relational Database Theory

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Introduction to Axiomatic Semantics (1/2)

3. DESCRIBING SYNTAX AND SEMANTICS

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

6. Hoare Logic and Weakest Preconditions

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

SOFTWARE ENGINEERING DESIGN I

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Describing Syntax and Semantics

Propositional Logic. Andreas Klappenecker

CSC 501 Semantics of Programming Languages

Chapter 3. Semantics. Topics. Introduction. Introduction. Introduction. Introduction

Introduction to Axiomatic Semantics (1/2)

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

Spark verification features

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Resolution (14A) Young W. Lim 6/14/14

Section 2.4: Arguments with Quantified Statements

Abstract Interpretation

Summary of Course Coverage

Knowledge Representation

Automated Reasoning. Natural Deduction in First-Order Logic

Chapter 1. Introduction

Reasoning About Imperative Programs. COS 441 Slides 10

Com S 541. Programming Languages I

Chapter 27 Formal Specification

Runtime Checking for Program Verification Systems

Defining Languages GMU

Chapter 3. Syntax - the form or structure of the expressions, statements, and program units

Formal Predicate Calculus. Michael Meyling

Proof Carrying Code(PCC)

Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

Basic Elements of Computer Algebra in MIZAR

CITS5501 Software Testing and Quality Assurance Formal methods

Lecture 11 Lecture 11 Nov 5, 2014

Programming Languages

CIS 1.5 Course Objectives. a. Understand the concept of a program (i.e., a computer following a series of instructions)

Jaykov Foukzon. Israel Institute of Technology, Haifa, Israel.

SUMMARY: MODEL DRIVEN SECURITY

Symbolic Execution and Proof of Properties

CMSC 330: Organization of Programming Languages

Proving Theorems with Athena

Testing, Debugging, and Verification

Software Paradigms (Lesson 6) Logic Programming

Software Engineering: A Practitioner s s Approach, 6/e Roger Pressman. Chapter 28 Formal Methods

VS 3 : SMT Solvers for Program Verification

Formal Semantics of Programming Languages

Type Systems COMP 311 Rice University Houston, Texas

Fortgeschrittene objektorientierte Programmierung (Advanced Object-Oriented Programming)

UNIT II. Syllabus. a. An Overview of the UML: Visualizing, Specifying, Constructing, Documenting

Foundations: Syntax, Semantics, and Graphs

Pierce Ch. 3, 8, 11, 15. Type Systems

Static semantics. Lecture 3-6: Semantics. Attribute grammars (2) Attribute grammars. Attribute grammars example. Dynamic semantics

Logical reasoning systems

Formal Semantics of Programming Languages

Introduction to Formal Methods

n Specifying what each method does q Specify it in a comment before method's header n Precondition q Caller obligation n Postcondition

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

CIS 500 Software Foundations. Final Exam. May 3, Answer key

Revisiting Kalmar completeness metaproof

Data types for mcrl2

Proofs are Programs. Prof. Clarkson Fall Today s music: Proof by Paul Simon

Contents. Chapter 1 SPECIFYING SYNTAX 1

CS112 Lecture: Variables, Expressions, Computation, Constants, Numeric Input-Output

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

ALGOL 48 AND ALGOL 50 ALGOLIC LANGUAGES IN MATHE- MATICS

Discrete Mathematics Lecture 4. Harper Langston New York University

What if current foundations of mathematics are inconsistent? Vladimir Voevodsky September 25, 2010

Type Systems. Pierce Ch. 3, 8, 11, 15 CSE

The Rule of Constancy(Derived Frame Rule)

III. Check if the divisors add up to the number. Now we may consider each of these tasks separately, assuming the others will be taken care of

CS2104 Prog. Lang. Concepts

COS 320. Compiling Techniques

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Semantic Subtyping with an SMT Solver

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

Transcription:

Axiomatic Specification Al-Said, Apcar, Jerejian 1

Axioms: Wffs that can be written down without any reference to any other Wffs. Wffs that are stipulated as unproved premises for the proof of other wffs inside a formal system. Rules of Inference: Rules that allow us to produce Wffs as immediate consequences of other Wffs. 2

http://meta2.stanford.edu/classes/cs157/ 3

http://meta2.stanford.edu/classes/cs157/ 4

http://meta2.stanford.edu/classes/cs157/ 5

http://meta2.stanford.edu/classes/cs157/ 6

HOW To Prove Program Correctness: Use mathematical logic techniques to proof if a computer program carries out its intended function. Using deductive reasoning, we can find out all the consequences of a computer program execution. Deductive reasoning: Applying rule of inference to sets of axioms. 7

Rules of Inference (Subset): Modus Ponens or Implication-Elimination: (A => B, A ) u B And-Elimination: (A1 and A2 and... An) u $L 8

Syntax of FOL Sentence -> Atomic Sentence Sentence Connective Sentence Quantifier Variable,... Sentence NOT Sentence (Sentence) Atomic Sentence -> Predicate(Term,...) Term = Term Term -> Constant Variable Function(Term,...) Connective -> AND OR => <=> Quantifier -> FORALL EXISTS Constant -> A X1 John... Variable -> a x s... Predicate -> Before HasColor Raining... Function -> Smelly LeftLegOf Plus... 9

Assertions: logical expressions a true-false statements about the state of the program. Typically, an equality or inequality relating the values of various identifiers in the code. 10

Main Concept: The results of a program or part of a program depends on the values taken by the variables before that program is initiated. 3^4`53SUHFRQGLWLRQFRQVWUDLQW4SURJUDP5SRVWFRQGLWLRQRUUHVXOW We need axioms and rules that relate post conditions to preconditions and vice versa. 11

How: Axioms and Rules for for every kind of statement in the programming language under consideration. OR A small number of primitive statements, then Define other statements in terms of those primitives 12

Program Execution Axioms: Assignment Axiom: ' u3^ã Á`3 Axiom Schema 13

Example: What is the Pre condition for {sum > 1} to be true, after executing sum := 2*x + 1 {sum > 1} [sum := 2*x + 1] {sum > 1} and {sum > 1}[2*x + 1 / sum] = {2*x + 1 > 1} = {2*x > 0} = {x > 0} ½ so if {x > 0} is true and we execute sum := 2*x + 1, then {sum > 1} is true. 14 http://www.albany.edu/~csi311/notes.html#axo

5XOHVRI&RQVHTXHQFH ' LI u3 ^4`5À u 5i6 WKHQu 3^4`6 LI u3 ^4`5À u 6i3 WKHQu 6^4`5 Rule of Composition: ' LI u3 ^4`5À u5^4`5 WKHQu 3^44`5 15

Rule of Iteration ' LIu 3À 3^6`3 WKHQ u3 ^ZKLOH%GR6` %À 3 16

Limitations of above Axioms: Simple programs only. Assume no side of effects of expressions and conditions evaluation. Do not detect improper program termination Do not cover non-integer arithmetic 17

Program Correctness: Possible when both PL and H/W are implemented based on axioms that describe their logical properties. Programs proving will solve the 3 most pressing problems: Reliability Documentation Compatibility 18

1HRFKLURQVXEVHW )nn )UDJPHQW 7nn 7UDQVSRUW,3nn,QSXW3RUWDO 23nn 2XWSXW3RUWDO -nn -XPSHU 6nn 6WDWH & &RQQHFW 0nn 0HWKRG [,3)[i 23)[ [23)[i,3)[ [,37[i 237[ [ 237[i,37[ [\])[À 7\À-] i &-]23)[,37\ [\])[ À7\À-] i &-],3)[237\ [])[À -]i &-]23)[,3)[ [\])[ À)\À-]i &-]23)[,3)\ 19

[\]7[ À7\À-]i &-]237[,37\ [6[ p ^5XQ+DOW6QRR]6XVSHQG` [0[ p ^6WDUW6XVSHQG+DOW` 20

Produce models, define properties of system at several levels of abstraction Formal methods can be used at each level Aspects of a system that can be specified by formal methods functionality safety (e.g. unsafe states will not arise) security CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 21

Draw out, clarify and document requirements of a computation system Produce corresponding functional specifications Complete and precise statements of requirements and constraints on system functions CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 22

Derive programs from formal functional specifications in first order logic and algebraic languages Prove program correctness with respect to such formal specifications CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 23

Provide solution to ambiguity problems Formal proof and analysis of consistency and completeness Formal functional specification in first order logic using algebraic formal specification languages may be considered as the base of software formal develoment Use of a formal language (e.g Z ( Zed ) ) CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 24

Proof begins with set of axioms (statements postulated to be true). Inference rules - deriving other formula from axioms (premises to consequent). A proof consists of a sequence of formlae in the language in which each formula is either an axiom or derivable by an inference rule from previous formulae in the sequence. CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 25

The Axiomatic Specification is a formal specification defining the semantics of functions of objects by a description of the relations between different objects and functions. The description is made by axioms (predicate-logical formula). - Baader, 1990 CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 26

Traditional development approaches fail to properly decouple computation from interaction programming language specific problematic for reconfiguration, extension, and scaling of software modules/systems CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 27

Software architecture building blocks components, connectors, architectural configurations Claim an existing software module can evolve in controlled manner via subtyping CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 28

Influenced by Object Oriented programming languages (OOPLs) architectural component is similar to an OO class multiple, heterogeneous subtyping mechanism (PLs support a single mech.) reflect experience with components in the context of C2 architectural style CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 29

Framework for defining subtyping relationships Based on a flexible type system Establishing type conformance of interoperating components CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 30

Each component specification treated as a type and its evolution is supported by subtyping subtyping - evolution of a given type to satisfy new requirements type checking - determines whether instances of one type can be replaced by instances of another type CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 31

Component subtyping relationships as regions in a space of type systems U Nam Beh Int Imp CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 32

U = entire space of type systems Regions contain systems that demand two conforming types share Int = Interface Beh = Behavior Imp = Implementation of all supertype methods Nam = method names CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 33

Subtyping relationships may be established by recognizing similarity of type space to set theory (hence, use of set operations) Several subtyping relationships are possible Can create new components by preserving some of the aspects of existing components CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 34

Demands that both interface and behavior of a type be preserved CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 35

Demands that interfaces conform - without affecting dependent components U Nam Beh Int Imp CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 36

Demands that both interface and implementation of a type be preserved CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 37

Implementation Conformance with Different Interfaces (Imp and not Int) Useful for using component in an alternate domain (e.g. domain translators in C2) CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 38

Formal specification definitions in Z a language for modeling mathematical objects based on first order logic and set theory logical connectives (,,, etc.) set operations (,,, ) CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 39

A component specification is an architectural type that may be instantiated multiple times in the configuration Components are distinguished from data they exchange Components are never passed from one component to another CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 40

Name Set of internal state variables set of interface elements associated behavior implementation (?) CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 41

Name Direction (provided or required) set of parameters Name Type result (?) CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 42

Invariant specify properties that must be true of all component states Set of Operations preconditions, postconditions, result (?) set of variables provided or required CSCI 599 Formal Methods September 28, 2000 Axiomatic Specification Hasmik Jerejian 43

Pros Con CSCI 599 Formal Methods September 28, 2000 Help prove program correctness and completeness Help resolve problems in software development (communication, coordination, ambiguity, etc.) Easier to reconfigure and reuse software components development of accompanying tools and software diverse background and different viewpoints need different representations (e.g. client, managers, S/W eng.) difficult to develop and understand for people having no background in formal methods and mathematics ability to scale up to large real-world applications? Axiomatic Specification Hasmik Jerejian 44

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada A specification language provides facilities for explaining a program Functional requirements for the program, i.e. mathematical description of what the program is required to do Properties of its components as well as interactions between those components Background knowledge Description of the domain Ron Apcar 09/28/00 Fundamental in constructing programs checking correctness of programs 45

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Design requirements of a specification language Must be formalized 2 Approaches: The fresh start - does not have to accommodate the quirks of any given programming language design The evolutionary approach - more likely to produce something that is used Anna, an extension of Ada to support explanation Ron Apcar 09/28/00 46

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Ada includes many useful constructs for specification Subtypes, derived types, packages, generic units, constraints, exceptions, context specifications increase program and compilation efficiency reduce programming errors through readability provide error checking at compile and run times express programming decisions explicitly Ada is deficient in explaining programs and designs prior to implementation Ron Apcar 09/28/00 47

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Anna - a language extension of Ada providing added facilities for formal specification 3 Categories of extensions Generalization of explanatory constructs already in Ada Addition of obvious new declarative constructs dealing with exceptions, context clauses, New specification constructs, e.g. AXIOMATIC SPECIFICATION Ron Apcar 09/28/00 48

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Anna design considerations Easy for Ada programmer to learn and use Freedom to specify as much or as little as one desires Extend Ada minimally, allowing for future incorporation of specification concepts Encourage development of applications of formal specifications Ron Apcar 09/28/00 49

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Resulting features include Definition of a transformation of specifications into run-time checks Axiomatic semantics allows mathematical proof of consistency between Ada code and its formal Anna specification Ron Apcar 09/28/00 50

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada An Anna program is an Ada program with formal comments Syntax is defined by extensions of Ada syntactic categories and new Anna syntactic categories Ada point of view: only comments Anna point of view: must obey syntax and semantics Ron Apcar 09/28/00 51

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada 2 Types of formal comments Virtual Ada text - - : Annotations - - Virtual Ada text uses Definition of programming concepts Computation of values not computed by the actual Ada program Ron Apcar 09/28/00 52

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Annotations Ron Apcar 09/28/00 built-up from Boolean-valued expressions and reserved words Types of annotations Objects Types or subtypes Statements Subprograms Propagation of exceptions Context annotations AXIOMATIC ANNOTATIONS 53

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Quantified expressions For all and exist (and negations) Annotation is as rich as first-order logic Concise and readable annotations Establishing consistency between Ada code and Anna notations requires mathematical proof Alternative run-time check is practical if domains of quantifiers are small Ron Apcar 09/28/00 54

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Meaning of quantified Boolean expressions: for all X : T => P(X) means for all values X of (sub)type T, if P(X) is defined, then P(X) is true exist X : T => P(X) means there exists a value X of (sub)type T such that P(X) is defined and true Ron Apcar 09/28/00 55

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Axiomatic annotations Constraints on operations of a package Visible promises that may be assumed wherever the package specification is visible Ron Apcar 09/28/00 56

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Example 1 package COUNTERS is type COUNTER is limited private; -- function VALUE (C : COUNTER) return NATURAL -- axiom for all C, D : COUNTER; N : NATURAL => - - VALUE (C) = N and VALUE (D) = N => C = D; Ron Apcar 09/28/00 end COUNTERS; - - The axiom requires the mapping VALUE to be one to one. 57

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Ron Apcar 09/28/00 Example 2 - - In Anna, the attribute OUT is a record of all the output values - - produced by the subprogram. -- axiom for all E0, E1 : ELEMENT; Q0 : QUEUE => -- REMOVE OUT(E0,INSERT OUT(E1,Q0).Q).Q = -- INSERT OUT(E1,REMOVE OUT(E0,Q0).Q). Q, - - LENGTH(INSERT OUT(E0,Q0).Q) = - - LENGTH(Q0) + 1, - - LENGTH(REMOVE OUT(E0,Q0).Q) = - - LENGTH(Q0) - 1, - - TOP(INSERT OUT(E0,Q0).Q) = TOP(Q0), - - IS_MEMBER(E0,INSERT OUT(E0,Q0).Q), - - IS_MEMBER(TOP(Q),Q); 58

Axiomatic Specification: An Overview of Anna, a Specification Language for Ada Axiomatic semantics of Anna Defines the atomic proof steps in mathematical proofs of consistency between Ada code and Anna notations Basis for constructing program verifiers for Anna Ron Apcar 09/28/00 59

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback