Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 - - PDF document

3BA31 Formal Methods 1

3BA31: Formal Methods

Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory

Andrew.Butterfield@cs.tcd.ie

Room F.13, O’Reilly Institute

3BA31 Formal Methods 2

Remember This?

“A Stock Exchange is a collection of companies, where each company has a collection of shares; moreover these collections of shares are mutually disjoint. Each company has an associated share price. Furthermore, investors own shares in several companies; the collections of shares held by investors are mutually disjoint. Additionally, there is one dealer, who acts as an intermediary for the buying and selling of shares.”

3BA31 Formal Methods 3

3BA21 Mathematics — Sample Paper, Q1

Why revisit this? What can formal methods do for us here?

3BA31 Formal Methods 4

3BA21 Sample Q1—Basic Domain Shr =d

f

domain of shares

Cmp =d

f

domain of company

Inv =d

f

domain of investors

data Shr = S Nat data Cmp = C1 | C2 | C3 | C4 data Inv = I1 | I2 | I3 | I4

3BA31 Formal Methods 5

3BA21 Sample Q1—State ς : Shr → Cmp ̟ : Cmp → N ψ : Shr → Inv

d : Inv

type CmpShr = Map Shr Cmp type ShrPri = Map Cmp Nat type InvShr = Map Shr Inv type SEState = (CmpShr,ShrPri,InvShr,Inv)

3BA31 Formal Methods 6

3BA21 Sample Q1—Constraint StcExcCns(ς, ̟, ψ, d) =d

f

( rng ς = dom ̟ ) ∧ ( dom ς = dom ψ ) stcExcCns(cmpshr,shrpri,invshr,dlr) = rng cmpshr == dom shrpri && dom cmpshr == dom invshr

3BA31 Formal Methods 7

3BA21 Sample Q1—Change Share Price pre-ChgPri[c, p](ς, ̟, ψ, d) =d

f

c ∈ dom ̟

ChgPri[c, p](ς, ̟, ψ, d) =d

f

(ς, ̟ † [c → p], ψ, d) preChgPri (c,p) (cmpshr,shrpri,invshr,dlr) = c ‘mOf‘ dom shrpri chgPri (c,p) (cmpshr,shrpri,invshr,dlr) = (cmpshr,shrpri ‘override‘ (iMap c p),invshr,dlr)

3BA31 Formal Methods 8

3BA21 Sample Q1—Sell Share pre-SellShr[i, S](ς, ̟, ψ, d) =d

f

( S ⊆ ψ−1{i} ) ∧ ( i = d ) SellShr[i, S](ς, ̟, ψ, d) =d

f

(ς, ̟, ψ † [s → d | s ∈ S], d) preSellShr (i,ss) (cmpshr,shrpri,invshr,dlr) = ss ‘subSet‘ invImg invshr (iSet i) && i /= dlr sellShr (i,ss) (cmpshr,shrpri,invshr,dlr) = (cmpshr,shrpri,invshr ‘override‘ imapset ss dlr,dlr)

3BA31 Formal Methods 9

3BA21 Sample Q1—New Company pre-NewCmp[c, S, p](ς, ̟, ψ, d) =d

f

( c ∈ rng ς ) ∧ ( S ∩ dom ς = ∅ ) ∧ ( S = ∅ ) NewCmp[c, S, p](ς, ̟, ψ, d) =d

f

(ς ⊔ [s → c | s ∈ S], ̟ ⊔ [c → p] , ψ ⊔ [s → d | s ∈ S], d) preNewCmp(c,ss,p)(cmpshr,shrpri,invshr,dlr) = not (c ‘mOf‘ rng cmpshr) && ss ‘intersect‘ dom cmpshr == nullSet && not(isNullSet ss) newCmp(c,ss,p)(cmpshr,shrpri,invshr,dlr) = ( cmpshr ‘mextend‘ imapset ss c , shrpri ‘mextend‘ iMap c p , invshr ‘mextend‘imapset ss dlr , dlr )

3BA31 Formal Methods 10

3BA21 Sample Q1—Share Price pre-CmpShrPri[s](ς, ̟, ψ, d) =d

f

s ∈ dom ς

CmpShrPri[s](ς, ̟, ψ, d) =d

f

(̟ ◦ ς)(s) preCmpShrPri s (cmpshr,shrpri,invshr,dlr) = s ‘mOf‘ dom cmpshr cmpShrPri s (cmpshr,shrpri,invshr,dlr) = (mApp shrpri . mApp cmpshr) s

3BA31 Formal Methods 11

3BA21 Sample Q1—Investor Holding pre-CmpInvIn[i](ς, ̟, ψ, d) =d

f

i ∈ rng ψ

CmpInvIn[i](ς, ̟, ψ, d) =d

f

rng ⊳[ψ−1{i}]ς

preCmpInvIn i (cmpshr,shrpri,invshr,dlr) = i ‘mOf‘ rng invshr cmpInvIn i (cmpshr,shrpri,invshr,dlr) = rng (mrestrict (invImg invshr (iSet i)) cmpshr)

3BA31 Formal Methods 12

3BA21 Sample Q1—Portfolio Value pre-PrtV al[i](ς, ̟, ψ, d) =d

f

i ∈ rng ψ

PrtV al[i](ς, ̟, ψ, d) =d

f

• s∈ψ−1{i}

(̟ ◦ ς)(s) prePrtVal i (cmpshr,shrpri,invshr,dlr) = i ‘mOf‘ rng invshr prtVal i (cmpshr,shrpri,invshr,dlr) = sum [ (mApp shrpri . mApp cmpshr)s | s <- ssort (invImg invshr (iSet i)) ]

3BA31 Formal Methods 13

3BA21 Sample Q1—Remove Company pre-RmvCmp[c](ς, ̟, ψ, d) =d

f

c ∈ rng ς

RmvCmp[c](ς, ̟, ψ, d) =d

f

(⊳ −[ς−1{c}]ς, ⊳ −[{c}]̟, ⊳ −[ς−1{c}]ψ, d) preRmvCmp c (cmpshr,shrpri,invshr,dlr) = c ‘mOf‘ rng cmpshr rmvCmp c (cmpshr,shrpri,invshr,dlr) = ( mremove remSS cmpshr , mremove cc shrpri , mremove remSS invshr , dlr ) where cc = iSet c remSS = invImg cmpshr cc

3BA31 Formal Methods 14

3BA21 Sample Q1—Constraint Preservation StcExcCns ◦ RmvCmp[c] ⇐ pre-RmvCmp[c] ∧ StcExcCns

3BA31 Formal Methods 15

3BA21 Sample Q1— Constraint Preservation (rework)     StcExcCns(ς, ̟, ψ, d) ∧ pre-RmvCmp[c](ς, ̟, ψ, d)     ⇒ StcExcCns(RmvCmp[c](ς, ̟, ψ, d)) rmvCmp_preserves_StcExcCns (c::Cmp) (se::SEState) = stcExcCns se && preRmvCmp c se ==> stcExcCns(rmvCmp c se)

3BA31 Formal Methods 16

What’s the Point?

Haskell/QuickCheck Demo

3BA31 Formal Methods 17

What are “Formal” Systems?

3BA31 Formal Methods 18

Formal Systems: Rules of the Game

• Specified collection of Symbols
• Specified ways or putting them together (well-formedness)
• Specific ways of manipulating symbol-sequences

3BA31 Formal Methods 19

Example: System ℑ

• Symbols:
• ℑ
• Well-Formed Sequences:

Flijet Zero or more Blirgle A followed by a Flijet Xixos ℑ followed by two Blirgles

• Manipulations (let f1 and f2 stand for arbitrary Flijets).

– ℑf1 becomes f1 – ℑf1f2 becomes ℑf1f2

• Goal: convert a Xixos into a Blirgle

3BA31 Formal Methods 20

Interpretation

• +1

ℑ + ℑ + 0 + 1 + 1 0 + 1 + 1 + 1 ℑ + 0 + 1 0 + 1 + 1 + 1 + 1 ℑ + 0 + 1 + 1 + 1 + 1 + 1

• 0 + 1 + 1 + 1 + 1 + 1

3BA31 Formal Methods 21

What’s the point?

• We give meanings to the symbols
• The symbols could be manipulated without our having to understand them

– which is exactly how a computer does it ! Formal Methods allow us to limit the scope for human error and to exploit the use of machines to help

• ur analysis

3BA31 Formal Methods 22

Another System

• Symbols:

– infinite supply of variables u, v, x, y, z, . . . , x1, x2, . . . – punctuation: λ, •, (, )

• Well-Formed Sequences (M, N):

– x – (λ x • M) – M N

• Manipulations

– (λ x • M) N becomes M[N/x] (M where N replaces all (free) occurrences of x) A variable x is free if not inside an enclosing (λ x • . . .)

• Goal: eliminate as many λs as possible.

3BA31 Formal Methods 23

The Lambda Calculus

• The system just introduced is the Lambda Calculus
• It is Turing-Complete — anything a Turing machining or general-purpose computer can do, it can

do.

• You have already seen it in action (with lots of syntactic sugar) ???

3BA31 Formal Methods 24

Remember these poor folks?

3BA31 Formal Methods 25

And the relevance to 3BA31 is . . . ?

• That 747 was not “fly-by-wire” — the pilot landed it, not a computer!
• Pilots as professionals train so they can take care to get it right
• Formal Methods are the Programmers’ way of taking care to get it rightr

3BA31 Formal Methods 26

Scribbles 1 : An example of Xixos conversion ℑ →

2nd rule

ℑ →

2nd rule

ℑ →

2nd rule

ℑ →

1st rule

3BA31 Formal Methods 27

Scribbles 1 : Examples of λ-calculus Expressions

x a variable is a λ-calculus expr. v so is this one

λ x • x

an abstraction built on x

λ x • v

an abstraction built on v

λ x • (λ x • v)

another abstraction

λ v • (λ x • v)

yet another

λ y • (λ x • v)

using a new variable to abstract x (λ v • v) an application

3BA31 Formal Methods 28

Scribbles 1 : λ-Elimination (λ x • x) (λ x • v) → λ x • v (λ x • v) (λ x • x) →

v

(λ x • x x) (λ x • x x) → (λ x • x x) (λ x • x x)

3BA31 Formal Methods 29

3BA31: Approach

Monday 12noon Lb01 Theory and small exercise to be handed up at start of . . . Thursday 12noon Lb04 Practice Friday 11am Lb01 Tools Hilary Term Focus on formalism and method Trinity Term Focus on scale, real-world, and some backing theory Webpage: www.cs.tcd.ie/Andrew.Butterfield/Teaching/3BA31/

3BA31 Formal Methods 30

The λ-Calculus

• Invented by Alonzo Church in 1930s
• Intended as a form of logic
• Turned into a model of computation
• Not shown completely sound until early 70s !

We shall now revisit it in a little more detail, and a little more formally.

3BA31 Formal Methods 31

λ-Calculus: Syntax

We have an infinite set Vars, of variables: u, v, x, y, z, . . . , x1, x2, . . .

∈

Vars We define the set of well-formed λ-calculus expressions LExpr as the smallest set of strings matching the following syntax: M, N, . . . ∈ LExpr

::=

v

| (λ x • M) | (M N)

Read: a λ-calculus expression is either (i) a variable (v); (ii) an abstraction of a variable from an expression (λ x • M); or (iii) an application of one expression to another ((M N)).

3BA31 Formal Methods 32

λ-Calculus: Free/Bound Variables

• A variable occurrence is free in an expression if it is not mentioned in an enclosing abstraction.
• A variable occurrence is bound in an expression if is mentioned in an enclosing abstraction.
• A variable occurrence is binding in an expression if is the variable immediately after a λ.
• A variable is free in an expression if it occurs free in that expression.
• A variable is bound in an expression if it occurs bound in that expression.

A variable can be both free and bound in the same expression (how?)

3BA31 Formal Methods 33

λ-Calculus: Computing Free/Bound Vards

We can define functions that return the sets of free and bound variables:

FV :

LExpr → P Var

FV(x)

• =

{ x } FV(λ x • M)

• =

FV(M) \ { x } FV(M N)

• =

FV(M) ∪ FV(N) BV :

LExpr → P Var

BV(x)

• =

∅ BV(λ x • M)

• =

BV(M) ∪ { x } BV(M N)

• =

BV(M) ∪ BV(N)

3BA31 Formal Methods 34

λ-Calculus: α-Renaming

We can change a binding variable and its bound instances provided we are careful not to make other free variables become bound.

(λ x • (λ y • (x y)))

α

→ (λ u • λ v • (u v))) (λ x • (x y))

• α

→ (λ y • (y y))

formerly free y has been “captured” ! This process is called α-Renaming or α-Substitution, and leaves the meaning of a term unchanged.

3BA31 Formal Methods 35

λ-Calculus: Substitution

We define the notion of substituting an expression N for all free occurrences of x, in another expression M, written: M[N/x]

(x (λ y • (z y)))[(λ u • u)/z]

subs

→ (x (λ y • ((λ u • u) y))) (x (λ y • (z y)))[(λ u • u)/y]

subs

→ (x (λ y • (z y)))

y was not free anywhere

3BA31 Formal Methods 36

λ-Calculus: Careful Substitution!

When doing (general) substitution M[N/x], we need to avoid variable “capture” of free variables in N, by bindings in M:

(x (λ y • (z y)))[(y x)/z]

• subs

→ (x (λ y • ((y x) y)))

If N has free variables which are going to be inside an abstraction on those variables in M, the we need to α-Rename the abstractions to something else first, and the substitute:

(x (λ y • (z y)))[(y x)/z]

α

→ (x (λ w • (z w)))[(y x)/z]

subs

→ (x (λ w • ((y x) w)))

The Golden Rule: A substitution should never make a free occurrence of a variable become bound,

• r vice-versa.

3BA31 Formal Methods 37

λ-Calculus: β-Reduction

We can now define the most important “move” in the λ-calculus, known as β-Reduction:

(λ x • M) N

β

→

M[N/x] We define an expression of the form (λ x • M) N as a “(β−)redex” (reducible expression).

3BA31 Formal Methods 38

λ-Calculus: Normal Form

An expression is in “Normal-Form” if it contains no redexes. The object of the exercise is to reduce an expression to its normal-form (if it exists).

(((λ x • (λ y • (y x))) u) v)

β

→ (λ y • (y u)) v)

β

→ (v u)

Not all expressions have a normal form — e.g.: ((λ x • (x x)) (λ x • (x x))) What about:

( ( (λ x • (λ y • y))) ((λ x • (x x)) (λ x • (x x)) ) w ) ?

3BA31 Formal Methods 39

λ-Calculus: Reduction Order

The question is, if we have a choice of redexes, which should we reduce first. Answer: always the leftmost-outermost one (Normal Order Reduction). If an expression has a normal form, then normal order reduction is guaranteed to find it.

3BA31 Formal Methods 40

Scribbles 2 : Binding, Bound and Free!

bnd

• f

x

↓

bnd

• f

y

↓

bnd x

↓

bnd y

↓

free x

↓

bnd

• f

z

↓

bnd z

↓

free y

↓

(λ x • (λ y • x y)) ( x (λ z • z y))

3BA31 Formal Methods 41

Scribbles 2 : Binding, Bound and Free!

bnd

• f

y

↓

free x

↓

bnd y

↓

(λ y • x y)

3BA31 Formal Methods 42

Scribbles 2 : α-Renaming

Consistent changing of bound variables leaves meaning unchanged:

(λ x • xx) (u) = (u u) (λ y • yy) (u) = (u u)

Analagous to the following definitions of f being equivalent: f(x)

= 1 + x2

f(y)

= 1 + y2

3BA31 Formal Methods 43

Scribbles 2 : β-Reduction ((λ x •

M

• (λ y • y))

N

u) v

↓β (λ y • y) v ↓β

v

3BA31 Formal Methods 44

Scribbles 2 : Monster

monster

= (λ x • x x) (λ x • x x)

monster

= (λ x • x x) (λ x • x x) ↓β (monster

β

→ monster) (λ x • x x) (λ x • x x) =

monster

3BA31 Formal Methods 45

Scribbles 2 : Reducing Big Expression (1) ((λ x λ y • y) monster) w ↓β ((λ x λ y • y) monster) w ↓β ((λ x λ y • y) monster) w ↓β

. . .

3BA31 Formal Methods 46

Scribbles 2 : Reducing Big Expression (2) ((λ x λ y • y) monster) w ↓β (λ y • y) w ↓β

w

3BA31 Formal Methods 47

Scribbles 2 : Reduction Order Example (1)

f(x) = x2 f(3 + 7)

= (3 + 7)2 = 102 = 100

f(3 + 7)

= f(10) = 102 = 100

3BA31 Formal Methods 48

Scribbles 2 : Reduction Order Example (2)

f = λ x • x2

(λ x • x2)((+3)7)

β

• β
• ((+3)7)2

β

• (λ x • x2)10

β

• 102

102

3BA31 Formal Methods 49

Sugaring The Pill

The lambda calculus rapidly gets unwieldy.

( ( (λ x • (λ y • y))) ((λ x • (x x)) (λ x • (x x)) ) w ) !!

It’s worth adding a little syntactic sugar to make it easier to use.

3BA31 Formal Methods 50

Too Many Brackets, etc.

• 1. We don’t bracket every abstraction or application:

we assume the scope of an abstraction goes as far to the right as possible.

• 2. We change (M N) P to M N P, but leave M (N P) as is.
• 3. We drop intermediate λ and dots in nested abstractions

(((λ x • ( λ y • y))((λ x • (x x))(λ x • (x x))))w) 1 ((λ x • λ y • y)((λ x • x x)(λ x • x x)))w 2 (λ x• λy • y) ((λ x • x x)(λ x • x x)) w 3 (λ x y • y) ((λ x • x x)(λ x • x x)) w

These conventions support concise multiple abstraction/application:

(λ x y • M) N

β

→ λ y • M[N/x] (λ x y • M) N P

β

→ (M[N/x])[P/y]

• r

M[N/x][P/y]

3BA31 Formal Methods 51

Definitions

It is convenient to be able to give names to expressions, using a definition notation (Symbol

= means

“is defined equal to”):

Ω

• =

(λ x • x x)(λ x • x x)

Z

• =

λ z s • z

S

• =

λ n z s • s(n z s)

We sometimes like to to do the following transformation: N

= λ x • M ↔

N x

= M

Z s z

• =

z S n s z

• =

s (n s z) You can use brackets if it makes you feel more comfortable: Z(s)(z) = z S(n)(s)(z) = s(n(s)(z))

3BA31 Formal Methods 52

Computable ? Show me Numbers !

Ok. We think of a number as a function of two arguments, the first a function that adds one (successor), the second representing zero:

= λ s z • z 0 s z = z 1 = λ s z • s z 1 s z = s z 2 = λ s z • s(s z) 2 s z = s(s z) 3 = λ s z • s(s(s z)) 3 s z = s(s(s z))

. . . These are the so-called “Church Numerals”

3BA31 Formal Methods 53

Count the ss, Duh ! What about addition, etc?

No problem. SUCC

• =

λ n s z • s(n s z)

PLUS

• =

λ m n s z • m s (n s z)

TIMES

• =

λ m n s • n (m s)

EXP

• =

λ m n • n m

We can encode booleans, if-then-else and propositional logic operators (and,or,not) as well.

3BA31 Formal Methods 54

Serious Sugar: infix notation

We can now consider adding in some operator symbols written in infix form: M + N

• =

PLUS M N M · N

• =

TIMES M N M ˆ N

• =

EXP M N We will have to adopt some suitable convention regarding operator precedence and bracketing. So now we can write things like: F x y

= x ˆ2 + x · (x + y)

3BA31 Formal Methods 55

Mini-Exercise 1

Show that

2 + 2

β

→ 4

Hints:

• 1. Use rightmost-innermost reduction order here.
• 2. You might want to pull an inner redex out, do the reduction separately, and then plug the result

back in.

• 3. Try 1 + 1

β

→ 2 as a warm-up!

Due: at start of 12noon Lecture, Thursday, February 15th, 2007.

3BA31 Formal Methods 56

Motivating Types

All the syntactic sugar to date has in principle been convertible back to original λ-calculus expressions. So,

(λ m n s • n (m s)) (λ s z • s(s(s z))) (λ t f • t)

looks innocent enough. But if we interpret λ t f • t as True (“Church Booleans”), then the above, if sugared, is 3 · True The (untype) λ-calculus expression will reduce, but not to a normal form that is a sensible number or boolean. Wouldn’t it be nice to have types?

3BA31 Formal Methods 57

Typed λ-Calculus

We define types (Type) to be either basic-types (BType or function types: s, t, . . .

∈

BType

σ, τ ∈ Type ::=

s

| σ → τ

We can add type annotations to the variables in the lambda calculus: x : τ We can then give typing rules:

• If M : σ, then (λ x : τ • M) : τ → σ.
• If M : σ → τ and N : σ, then (M N) : τ.

Typed λ-calculus is different from the un-typed variety — they cannot be inter-converted.

3BA31 Formal Methods 58

Sugared Typed-λ-calculus

We can then add in a range of syntactic sugar for types, basic and compound:

N, Z, Q, ×, ∗

and extend the expression notation:

37, −35, 46.13, (13, 23), 1, 2, 3

We can now write definitions like: length

: Q∗ → N

length seq

• =

if null seq then 0 else 1 + (length(tail seq)) Look vaguely familiar? !?!?!! Recursion ! How did that get there ? (Later)

3BA31 Formal Methods 59

Haskell

• Pure, lazy functional language i.e. well-sugared typed λ-calculus.
• Named for logician Haskell B. Curry
• Many multiple-platform implementations:

– compilers — GHC, yhc, nbc, . . . – interpreters — Hugs, WinHugs.

• www.haskell.org

3BA31 Formal Methods 60

Haskell: Basic Types, Constants and Operators

As expected, Haskell supports all the usual basic types: Format Type, Values, Operators, Example Expression. Boolean Bool, True, False, not, &&, ||,

not False && (True || b)

Integers Int, 0, 10, -34, +, -, *, /,

3 * (23 - 16 * i)

Floating-Point Float,Double, 0.0, 1.23E+5, +, -, *, /,

3.14159 * (23E-3 - 1.6 * r)

Characters Char, ’a’,’B’,’\n’,’\xd’, ord, chr, isAlpha,

• rd c - ord ’0’

3BA31 Formal Methods 61

Haskell: Composite Types

Assume s, t and u are pre-existing types. Function Types s -> t, f x = x * x, \ y -> y+3, ., map, foldl,

(f . g) 3

Tuples (s,t),(s,t,u), (1,True), (’a’,42), fst, snd,

(fst(True,999),snd(False,42))

Lists [t], [],[1,1,2,3,5,8], :, length, head, tail, ++,

tail ([1,2,3]++[4,5,6])

Strings String is synonym for [Char],

"" is really [],

while "abc" is syntactic sugar for [’a’,’b’,’c’].

3BA31 Formal Methods 62

Haskell: Scripts

A Haskell programme (or script) has the following general format:

module ModuleName where import Import1

. . . list of definitions A definition is typically of a function, of the form: fname arg1 . . . argn = expression defining function

3BA31 Formal Methods 63

Haskell: Demo

3BA31 Formal Methods 64

Scribbles 3 : Reducing SUCC 2

SUCC 2

= (λ n s z • s(n s z)) (λ s z • s(s z))

β

→ λ s z • s((λ s z • s(s z)) s z)

β

→ λ s z • s((λ z • s(s z)) z)

β

→ λ s z • s(s(s z)) = 3

3BA31 Formal Methods 65

Scribbles 3 : SUCC 2, one step in detail (λ s z • s(s z)) s

β

→

“using law (λ x • M)N

β

→ M[N/x], where x is s, M is λ z • s(s z) and N is s” (λ z • s(s z))[s/s] =

“by definition of substitution”

λ z • s(s z)