Correctness of Program Transformations as a Termination Problem

SLIDE 1


Correctness of Program Transformations as a Termination Problem

Conrad Rau, David Sabel and Manfred Schmidt-Schauß

Goethe-University, Frankfurt am Main, Germany

IJCAR 2012, Manchester, UK

SLIDE 2

Introduction & Motivation

  • Automate correctness proofs of program transformations
  • Approach to correctness proofs: diagram based, e.g.
      • Wells, Plump and Kamareddine, 2003
      • Schmidt-Schauß, Schütz, Sabel, 2008
      • Sabel, Schmidt-Schauß, 2011
      • R., Schmidt-Schauß, 2011
  • Problem: Correctness proofs carried out by hand (tedious)

SLIDE 3

Program Calculus & Contextual Equivalence

Definition (Program calculus $(\mathcal{E}, \mathcal{C}, \xRightarrow{sr}, \mathcal{A}, \mathcal{L})$)

  • $\mathcal{E}$: Set of expressions
  • $\mathcal{A} \subseteq \mathcal{E}$: Set of answers
  • $\mathcal{C}$: Set of contexts
  • $\mathcal{L}$: Set of labels (finite)
  • $\xRightarrow{sr,l} \subseteq \mathcal{E} \times \mathcal{E} \times \mathcal{L}$: Labeled reduction relation
  • Convergence: $s{\Downarrow}$ iff $s \xRightarrow{sr,*} a$ where $a \in \mathcal{A}$

Definition

  • Contextual approximation: $s \leq_c t$ iff $\forall C \in \mathcal{C}: C[s]{\Downarrow} \Rightarrow C[t]{\Downarrow}$
  • Contextual equivalence: $s \sim_c t$ iff $s \leq_c t \wedge t \leq_c s$

SLIDE 4

Program Transformations, Correctness

Definition (Program Transformation, Correctness)

A program transformation $\xRightarrow{T} \subseteq (\mathcal{E} \times \mathcal{E})$ is correct iff $s \xRightarrow{T} t \implies s \sim_c t$

Example (Program Transformations from LR)

  • $((\lambda x.s)\ t) \xRightarrow{lbeta} \mathtt{letrec}\ x = t\ \mathtt{in}\ s$
  • $\mathtt{letrec}\ x = s\ \mathtt{in}\ (\mathtt{letrec}\ y = t\ \mathtt{in}\ r) \xRightarrow{llet} \mathtt{letrec}\ x = s, y = t\ \mathtt{in}\ r$
  • $\mathtt{True} \xRightarrow{silly} \mathtt{False}$

Simplifications:

  • Focus on $\leq_c$, since $\sim_c = \leq_c \cap \geq_c$
  • Assume $\xRightarrow{T}$ is CP-sufficient: ($\forall s, t$ with $s \xRightarrow{T} t$: $s{\Downarrow} \implies t{\Downarrow}$), i.e. $\xRightarrow{T}$ is convergence preserving, implies $\xRightarrow{T} \subseteq \leq_c$

SLIDE 5

Proving Correctness: Diagram Based Approach

Prove convergence preservation for $\xRightarrow{T}$, i.e. $s \xRightarrow{T} t \wedge s{\Downarrow} \implies t{\Downarrow}$

[Figure: reduction diagram with nodes s, s1, ..., sn, a1 and t, t1, ..., tm, a2; edge labels T, sr,l1, sr,l2, ..., sr,ln and sr,l′1, sr,l′2, ..., sr,l′m]

$\forall s, t \in \mathcal{E}$ with $s \xRightarrow{T} t$:

  1. Determine all overlaps $s_1 \xLeftarrow{sr,l_i} s \xRightarrow{T} t$ and join them into: Sets of diagrams (already automated)
  2. Construct converging reduction sequence inductively for $t$ using the diagram sets

Example: Diagram Set

[Figure: example diagram set; node label A; edge labels T, sr,l and sr,l,+]

SLIDE 10

Proving Correctness: Diagram Based Approach

Rewriting by diagrams, termination by induction


SLIDE 11

Abstract Reduction Sequences & Diagrams

Definition (Diagram for $\xRightarrow{T}$): Rewrite rule SL SR on abstract reduction sequences

  • Concrete (cRS): [Figure: sequence with nodes s, t, s1, ..., sn, a; edge labels T, sr,l1, sr,l2, ..., sr,ln−1, sr,ln]
  • Abstract (cARS): [Figure: sequence ending in A; edge labels T, sr,l1, sr,l2, ..., sr,ln−1, sr,ln]
  • Forking: [Figure: forking diagram; edge labels T, sr,l1, sr,lk,+, T1,+, Tm, sr,x, sr,l′n]
  • Answer: [Figure: answer diagram; node label A; edge labels T, T1, Tm, sr,ln, sr,l1]

SLIDE 12

Overview: Involved Rewrite Systems

Forking/Answer Diagrams


SLIDE 13

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)". Arrow: "translated into (by J)".]

SRSARS (String Rewrite System): D := {SL SR} over simple ARS, $(\text{simple cARS}(D), \xrightharpoonup{D})$

Translation $J$

  • Replace variables by labels
  • Expand transitive closures: $\forall k, k' \in \mathbb{N}$
      • $\xrightarrow{T_i,+}$ to $\underbrace{\xrightarrow{T_i} \ldots \xrightarrow{T_i}}_{k \text{ times}}$
      • $\xleftarrow{sr,l,+}$ to $\underbrace{\xleftarrow{sr,l} \ldots \xleftarrow{sr,l}}_{k' \text{ times}}$

Result: Infinite SRS over simple ARS

SLIDE 14

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)". Arrows: "translated into (by J)", "interpreted as (by I)".]

CRSRS (String Rewrite System): D := {SL SR} over RS, $(\text{all cRS}(D), \xrightharpoonup{D})$

Interpretation $I$

  • Interpret ARS as set of concrete RS
  • $I(\xleftarrow{sr,l}) := \{e_1 \xLeftarrow{sr,l} e_2 \mid e_2 \xRightarrow{sr,l} e_1\}$
  • $I(\xrightarrow{T_i}) := \{e_1 \xRightarrow{T_i} e_2 \mid e_1 \xRightarrow{T_i} e_2\}$
  • ...

Result: SRS over concrete RS

SLIDE 15

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)". Arrows: "translated into (by J)", "interpreted as (by I)". Label: "Semantics".]

SLIDE 16

Complete Diagram Sets

Definition (Completeness of Diagram Sets)

  • $\mathit{DF}(\xRightarrow{T})$ is complete iff any concrete sequence [Figure: sequence with nodes s, t, s1, ..., sn, a; edge labels T, sr,l1, sr,l2, ..., sr,ln−1, sr,ln] is rewritable by a rule in $I(J(\mathit{DF}(\xRightarrow{T})))$
  • $\mathit{DA}(\xRightarrow{T})$ is complete iff any concrete sequence [Figure: sequence with nodes a, t; edge label T] is rewritable by a rule in $I(J(\mathit{DA}(\xRightarrow{T})))$

SLIDE 18

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)". Arrows: "translated into (by J)", "interpreted as (by I)". Label: "Semantics".]

$D := \mathit{DF}(\xRightarrow{T}) \cup \mathit{DA}(\xRightarrow{T})$ (i.e. complete diagram set for $\xRightarrow{T}$)

Proposition 1: If the CRSRS $(\text{cRS}, \xrightharpoonup{I(J(D))})$ is (leftmost) terminating then the transformation $\xRightarrow{T}$ is convergence-preserving.

SLIDE 19

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)". Arrows: "translated into (by J)", "interpreted as (by I)", "termination (by P. 2)". Label: "Semantics".]

$D := \mathit{DF}(\xRightarrow{T}) \cup \mathit{DA}(\xRightarrow{T})$ (i.e. complete diagram set for $\xRightarrow{T}$)

Proposition 1: If the CRSRS $(\text{cRS}, \xrightharpoonup{I(J(D))})$ is (leftmost) terminating then the transformation $\xRightarrow{T}$ is convergence-preserving.

Proposition 2: If the SRSARS $(\text{cARS}(J(D)), \xrightharpoonup{J(D)})$ is (leftmost) terminating then the CRSRS $(\text{cRS}, \xrightharpoonup{I(J(D))})$ is (leftmost) terminating.

SLIDE 20

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)". Arrows: "translated into (by J)", "interpreted as (by I)", "termination (by P. 2)". Label: "Semantics".]

$D := \mathit{DF}(\xRightarrow{T}) \cup \mathit{DA}(\xRightarrow{T})$ (i.e. complete diagram set for $\xRightarrow{T}$)

Theorem: If the SRSARS $(\text{cARS}(J(D)), \xrightharpoonup{J(D)})$ is (leftmost) terminating, then the transformation $\xRightarrow{T}$ is convergence-preserving.

SLIDE 21

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)". Arrows: "translated into infinite (by J)", "interpreted as (by I)", "termination (by P. 2)". Label: "Semantics".]

Translation $J$

  • Replace variables by labels
  • Expand transitive closures: $\forall k, k' \in \mathbb{N}$
      • $\xrightarrow{T_i,+}$ to $\underbrace{\xrightarrow{T_i} \ldots \xrightarrow{T_i}}_{k \text{ times}}$
      • $\xleftarrow{sr,l,+}$ to $\underbrace{\xleftarrow{sr,l} \ldots \xleftarrow{sr,l}}_{k' \text{ times}}$

Result: Infinite SRS over simple ARS

SLIDE 22

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "termination (by P. 2)". Label: "Semantics".]

SLIDE 23

Example: Encoding Transitive Closure of Reductions

  • $D$ = [Figure: diagram with edge labels llet, sr,lll,+ and sr,lll,+]
  • $K(D)$ = [Figure: diagram with edge labels packlll, unpacklll and llet] $\cup\ C \cup E$

Contract sequence of reductions into transitive closure (C)

  • C1: [Figure: rule with edge labels packlll and sr,lll]
  • C2: [Figure: rule with edge labels packlll, packlll and sr,lll]

Expand transitive closure into sequence of reductions (E)

  • E1: [Figure: rule with edge labels unpacklll and sr,lll]
  • E2: [Figure: rule with edge labels unpacklll, unpacklll and sr,lll]

[Figure: rewrite sequence with step labels C, K(D), E, E, ...; edge labels packlll, unpacklll, sr,lll and llet]

SLIDE 24

Example: Encoding Transitive Closure of Reductions

  • $D$ = [Figure: diagram with edge labels llet, sr,lll,+ and sr,lll,+]
  • $K(D)$ = [Figure: diagram with edge labels packlll, unpacklll and llet] $\cup\ C \cup E$

Contract sequence of reductions into transitive closure (C)

  • C1: [Figure: rule with edge labels packlll and sr,lll]
  • C2: [Figure: rule with edge labels packlll, packlll and sr,lll]

Expand transitive closure into sequence of reductions (E)

  • E1: [Figure: rule with edge labels unpacklll and sr,lll]
  • E2: [Figure: rule with edge labels unpacklll, unpacklll and sr,lll]

non termination

[Figure: rewrite sequence with step labels C, K(D), E, E, ...; edge labels packlll, unpacklll, sr,lll and llet]

SLIDE 25

Example: Encoding Transitive Closure of Reductions

  • $D$ = [Figure: diagram with edge labels llet, sr,lll,+ and sr,lll,+]
  • $K(D)$ = [Figure: diagram with edge labels packlll, unpacklll and llet] $\cup\ C \cup E$
  • $K(D)$ = [Figure: diagram with edge labels packlll, unpacklll(k) and llet] $\cup\ C \cup E$, with k: free natural variable

Contract sequence of reductions into transitive closure (C)

  • C1: [Figure: rule with edge labels packlll and sr,lll]
  • C2: [Figure: rule with edge labels packlll, packlll and sr,lll]

Expand transitive closure into sequence of reductions (E)

  • E1: [Figure: rule with edge labels unpacklll and sr,lll]
  • E2: [Figure: rule with edge labels unpacklll, unpacklll and sr,lll]

non termination

  • E1: [Figure: rule with edge labels unpacklll(1) and sr,lll]
  • E2: [Figure: rule with edge labels unpacklll(k+1), unpacklll(k) and sr,lll]

[Figure: rewrite sequence with step labels C, K(D), E, ..., E; edge labels packlll, unpacklll(k), sr,lll and llet]

SLIDE 27

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "termination (by P. 2)", "termination by P. 3". Label: "Semantics".]

$D := \mathit{DF}(\xRightarrow{T}) \cup \mathit{DA}(\xRightarrow{T})$ (i.e. complete diagram set for $\xRightarrow{T}$)

Proposition 3: If the ERSARS $(\text{gcNARS}(K(D)), \xrightharpoonup{K(D)})$ is (leftmost) terminating, then the SRSARS $(\text{cARS}(J(D)), \xrightharpoonup{J(D)})$ is (leftmost) terminating.

SLIDE 28

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "termination (by P. 2)", "termination by P. 3". Label: "Semantics".]

$D := \mathit{DF}(\xRightarrow{T}) \cup \mathit{DA}(\xRightarrow{T})$ (i.e. complete diagram set for $\xRightarrow{T}$)

Theorem: If the ERSARS $(\text{gcNARS}(K(D)), \xrightharpoonup{K(D)})$ is (leftmost) terminating, then the transformation $\xRightarrow{T}$ is convergence-preserving.

SLIDE 29

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)"; "Integer Term Rewrite Systems (ITRS)" (Fuhs, Giesl, Plücker, Schneider-Kamp, Falke, 2009); "Termination Prover (AProVE)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "translated into finite", "Input", "termination (by P. 2)", "termination by P. 3". Label: "Semantics".]

SLIDE 30

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)"; "Integer Term Rewrite Systems (ITRS)"; "Termination Prover (AProVE)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "translated into finite", "Input", "termination (by P. 2)", "termination by P. 3", "termination". Label: "Semantics".]

SLIDE 31

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)"; "Integer Term Rewrite Systems (ITRS)"; "Termination Prover (AProVE)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "translated into finite", "Input", "leftmost termination", "leftmost termination", "innermost termination". Label: "Semantics".]

SLIDE 32

Overview: Involved Rewrite Systems

[Figure: overview of the involved rewrite systems. Boxes: "Forking/Answer Diagrams"; "Rewrite Systems on simple ARS (SRSARS)" over "simple Abstract Reduction Sequences (cARS)"; "Rewrite Systems on RS (CRSRS)" over "Concrete Reduction Sequences (cRS)"; "Rewrite Systems on NARS (ERSARS)" over "ground ARS with Natural Numbers (gcNARS)"; "Integer Term Rewrite Systems (ITRS)"; "Termination Prover (AProVE)". Arrows: "interpreted as (by I)", "translated into infinite (by J)", "translated into finite (by K)", "translated into finite", "Input", "leftmost termination", "leftmost termination", "innermost termination". Labels: "Semantics", "Automation".]

SLIDE 33

Example from LR: ITRS Encoding

Diagram with edge labels llet, sr,x and sr,x:

    llet(srlll(Y)) → srlll(Y)
    llet(srllet(Y)) → srllet(Y)
    llet(srtau(Y)) → srtau(Y)

Diagram with edge labels llet, sr,x, sr,llet and sr,x:

    llet(srlll(srllet(Y))) → srlll(Y)
    llet(srllet(srllet(Y))) → srllet(Y)
    llet(srtau(srllet(Y))) → srtau(Y)

Diagram with edge labels llet, sr,lll,+ and sr,lll,+:

    llet(plll(Y)) → uplll(K-1,x) if K > 1
    llet(srlll(Y)) → llet(plll(Y))
    llet(plll(srlll(Y))) → llet(plll(Y))
    uplll(K,x) → srlll(uplll(K-1,x)) if K > 1
    uplll(1,x) → srlll(Y)

Diagram with edge labels llet, sr,x, sr,x and llet:

    llet(srlll(Y)) → srlll(llet(Y))
    llet(srllet(Y)) → srllet(llet(Y))
    llet(srtau(Y)) → srtau(llet(Y))

Diagram with edge labels llet, sr,lll,+, sr,lll,+ and llet:

    llet(plll(Y)) → uplll(K-1,x) if K > 1
    llet(srlll(Y)) → llet(plll(Y))
    llet(plll(srlll(Y))) → llet(plll(Y))
    uplll(K,x) → srlll(uplll(K-1,x)) if K > 1
    uplll(1,x) → srlll(llet(Y))

Answer diagram with node labels A, A and edge label T:

    llet(A) → A

Automatic Termination Proof with AProVE

  • Diagrams for $\xRightarrow{llet}$ and $\xLeftarrow{llet}$ terminate: $\xRightarrow{llet}$ and $\xLeftarrow{llet}$ are conv.-preserving
  • and both are CP-sufficient: $\xRightarrow{llet}$ is a correct program transformation
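An added example (not from the slides or the authors' tooling): the slide-33 rules that do not involve the transitive closure, read as a string rewrite system and explored over every rewrite order, together with the counted unpack rule. The tuple encoding of terms, the names `successors` and `explore`, the sample start words, and the uncounted `up` symbol (modelling the non-terminating expansion noted on slide 24) are assumptions of this example.

```python
# Added example: a word stands for a unary term, e.g. llet(srlll(A)) is ("llet", "srlll", "A").
SR = ("srlll", "srllet", "srtau")  # sr-labels appearing in the slide-33 rules


def successors(word):
    """Every word reachable from `word` by one rule application at any position."""
    out = set()
    for i, sym in enumerate(word):
        pre, rest = word[:i], word[i + 1:]
        if sym == "llet" and rest:
            x = rest[0]
            if x == "A":
                out.add(pre + rest)                        # llet(A) -> A
            elif x in SR:
                out.add(pre + rest)                        # llet(x(Y)) -> x(Y)
                out.add(pre + (x, "llet") + rest[1:])      # llet(x(Y)) -> x(llet(Y))
                if rest[1:2] == ("srllet",):
                    out.add(pre + (x,) + rest[2:])         # llet(x(srllet(Y))) -> x(Y)
        elif sym == "up":                                  # assumed uncounted unpack
            out.add(pre + ("srlll", "up") + rest)          # up(Y) -> srlll(up(Y))
            out.add(pre + ("srlll",) + rest)               # up(Y) -> srlll(Y)
        elif isinstance(sym, tuple):                       # ("uplll", k): counted unpack
            k = sym[1]
            if k > 1:                                      # uplll(K) -> srlll(uplll(K-1))
                out.add(pre + ("srlll", ("uplll", k - 1)) + rest)
            elif k == 1:                                   # uplll(1) -> srlll
                out.add(pre + ("srlll",) + rest)
    return out


def explore(word, limit=200):
    """Return (normal forms, longest derivation length) over ALL rewrite orders.

    Raises RuntimeError on a cycle or once `limit` distinct words have been seen,
    which is how an unbounded (non-terminating) expansion shows up here.
    """
    memo, on_path = {}, set()

    def visit(w):
        if w in memo:
            return memo[w]
        if w in on_path:
            raise RuntimeError("cycle: rewriting does not terminate")
        if len(memo) + len(on_path) >= limit:
            raise RuntimeError("limit reached: derivations keep growing")
        on_path.add(w)
        succ = successors(w)
        nfs, depth = ({w} if not succ else set()), 0
        for nxt in succ:
            n_nfs, n_depth = visit(nxt)
            nfs |= n_nfs
            depth = max(depth, n_depth + 1)
        on_path.discard(w)
        memo[w] = (frozenset(nfs), depth)
        return memo[w]

    return visit(tuple(word))


if __name__ == "__main__":
    start = ("llet", "srlll", "srllet", "srtau", "A")      # constructed sample sequence
    print(explore(start))
    print(explore((("uplll", 3), "A")))                    # counter bounds the expansion
```

This checks single start words only; termination for all sequences is what the slides obtain from AProVE.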

SLIDE 34

Conclusion

Results

  • Automation of a critical part in correctness proofs
  • Manual induction is replaced by automatic termination proofs
  • Diagrams from Schmidt-Schauß, Schütz, Sabel, 2008 (LR-calculus) could be shown as terminating by AProVE
  • Method is independent of program calculus

Future Work

  • Apply method to more program calculi
  • Handle more complicated diagrams