[PPT] - F oundations of Soft w a re Engineering/Europ ean Soft w a PowerPoint Presentation

SLIDE 1 F

undations
f

Soft w a re Engineering/Europ ean Soft w a re Engineering Conference, Zurich, Sep 97

SLIDE 2 Subt yp es fo r Sp ecications John Rushb y Computer Science Lab

rato

ry SRI International Menlo P a rk, CA J. Rushb y FSE97: Subt yp es fo r Sp ecications 1

SLIDE 3 F

rmal

Metho ds and Calculation

F
rmal

metho ds contribute useful mental framew

rks,

notations, and systematic metho ds to the design, do cumentation, and analysis

f

computer systems

But

the p rima ry b enet from sp ecically fo rmal metho ds is that they allo w certain questions ab

ut

a design to b e answ ered b y symb

lic

calculation (e.g., fo rmal deduction, mo del checking)

These

symb

lic

calculations can b e used fo r debugging and design explo ration as w ell as p

st-ho

c verication

Compa

rable to the w a y computational uid dynamics is used in the design

f

airplanes and jet engines J. Rushb y FSE97: Subt yp es fo r Sp ecications 2

SLIDE 4 Co rolla ries

T
ls

a re not the most imp

rtant

thing ab

ut

fo rmal metho ds

They

a re the

nly

imp

rtant

thing

Just

lik e any

ther

engineering calculations, it's to

ls

that mak e fo rmal calculations feasible and useful in p ractice

Sp

ecication languages should b e designed so that they supp

rt

ecient calculation (i.e., deduction)

E.g.,

based

n

higher-o rder logic, not set theo ry

The

topic

f

another talk. . .

Sp

ecication languages can also b e designed to exploit the ecient calculations p rovided b y to

ls
E.g.,

to b etter detect erro rs in sp ecications

The

topic

f

this talk J. Rushb y FSE97: Subt yp es fo r Sp ecications 3

SLIDE 5 Erro rs in F

rmal

Sp ecications

Most

fo rmal sp ecications a re full

f

erro rs

A

sp ecication ma y fail to sa y what is intended

Must

b e examined b y p roving challenge theo rems, \execution," and insp ection

A

sp ecication ma y fail to sa y anything at all

Because

it is inconsistent

Can

avoid inconsistencies using denitional st yles

f

sp ecication that gua rantee \conservative extension"

But

these a re

ften

restrictive

r

inapp rop riate (to

constructive)
So

a w

rthwhile

goal is to increase the exp ressiveness and convenience

f

the pa rt

f

the sp ecication language fo r which w e can gua rantee conservative extension J. Rushb y FSE97: Subt yp es fo r Sp ecications 4

SLIDE 6 Exploiting Deduction T

Increase

the P

w

er

f

T yp echecking

T

yp e systems fo r p rogramming languages gua rantee that certain erro rs will not

ccur

during execution

W

e should exp ect the t yp e system fo r a sp ecication language also to gua rantee absence

f

certain kinds

f

erro rs

E.g.,

inconsistency

T

yp e systems fo r p rogramming languages a re traditionally restricted to those fo r which t yp e co rrectness is trivially decidable

But

sp ecication languages should b e used in environments where p

w

erful theo rem p roving is available, so supp

se

t yp echecking could use theo rem p roving. . . J. Rushb y FSE97: Subt yp es fo r Sp ecications 5

SLIDE 7 Subt yp es

Subt

yp es can allo w mo re concise and mo re p recise sp ecications

When

t yp es a re interp reted as sets

f

values

There

is a natural asso ciation

f

subt yp e with subset

E.g.,

natural is a subt yp e

f

integer

But

ho w do w e cha racterize those integers that a re also naturals?

Could

add an axiom nat_ax: AXIOM 8(n: nat): n

But

this is not tightly b

und

to the subt yp e: reduces the

pp
rtunit

y fo r automation, and ma y allo w inconsistencies J. Rushb y FSE97: Subt yp es fo r Sp ecications 6

SLIDE 8 Predicate Subt yp es

Are

those where a cha racterizing p redicate is tightly b

und

to subt yp e denitions

F
r

example (in the notation

f

PVS) nat: TYPE = f i: int | i

g
Then

w e can write nat_prop: LEMMA 8(i, j: nat): i+j

i

^ i+j

j

And the p rover can easily establish this result b ecause the necessa ry info rmation is reco rded with the t yp e fo r i and j

This

is concise and ecient

No

w let's see where erro r detection comes in J. Rushb y FSE97: Subt yp es fo r Sp ecications 7

SLIDE 9 Nonemptiness Pro

f

Obligations fo r Predicate Subt yp es

Subt

yp es ma y b e empt y , so a constant decla ration c: nat W

uld

intro duce an inconsistency unless w e ensure that its t yp e is nonempt y

Generate

a p ro

f
bligation

called a t yp e co rrectness condition (TCC) to do this c_TCC1: OBLIGATION 9(x: nat): TRUE

Sp

ecications a re not considered t yp echeck ed until their TCCs have b een discha rged J. Rushb y FSE97: Subt yp es fo r Sp ecications 8

SLIDE 10 Some PVS Notation

The

examples use the notation

f

PVS

A

verication system freely available from SRI

Sp

ecication language is a simply-t yp ed higher-o rder logic

Augmented

with dep endent t yp es and p redicate subt yp es

Sets

and p redicates a re equivalent in higher-o rder logic

Predicates

a re functions

f

return t yp e bool, written as nat?(i:int): bool = i

Rega

rded as a p redicate, memb ership is written nat?(x)

Rega

rded as a set, it is written x 2 nat?

A

p redicate in pa rentheses denotes the co rresp

nding

subt yp e

(nat?)

is the same t yp e as nat given ea rlier

PVS

has theo ry-level pa rameterization

setof[nat]

is the t yp e

f

sets

f

natural numb ers J. Rushb y FSE97: Subt yp es fo r Sp ecications 9

SLIDE 11 An Example: The Minimum

f

a Set

f

Naturals

W

e can sp ecify the minimum a set axiomatically as a value satisfying t w

p

rop erties

It

is a memb er

f

the given set

It

is no greater than any

ther

memb er

In

PVS, this is min(s: setof[nat]): nat simple_ax: AXIOM 8(s:setof[nat]): min(s) 2 s ^ 8(n: nat): n 2 s

min(s)
n
Unfo

rtunately , this sp ecication is inconsistent J. Rushb y FSE97: Subt yp es fo r Sp ecications 10

SLIDE 12 The Inconsistency

The

p roblem is that the a rgument s to min could b e an empt y set

But

the rst conjunct to simple ax asserts that min(s) is a memb er

f

this set J. Rushb y FSE97: Subt yp es fo r Sp ecications 11

SLIDE 13 Detecting the Erro r With Predicate Subt yp es

Using

p redicate subt yp es, it is natural to facto r the rst conjunct into the return t yp e fo r min min(s: setof[nat]): (s) (Observe that this is a dep endent t yp e)

In

higher-o rder logic, functions a re just constants

f

\higher" t yp e, so PVS fo rces us to p rove that the co rresp

nding

t yp e is not empt y min_TCC1: OBLIGATION 9(x: [s: setof[nat] ! (s)]): TRUE

A

(total) function t yp e is nonempt y if either

Its

range t yp e is nonempt y ,

r
Both

its domain and range t yp es a re empt y Here, domain t yp e is nonempt y , but the range t yp e ma y b e

So

the TCC is false, and the inconsistency is revealed J. Rushb y FSE97: Subt yp es fo r Sp ecications 12

SLIDE 14 Fixing the Sp ecication

Must

either w eak en p rop erties

f

the value returned b y min

Or

restrict its a rgument to b e a nonempt y set

The

p redicate that tests fo r nonemptiness is nonempty?[nat]

So

the revised signature is min(s: (nonempty?[nat]) ): (s) And the TCC b ecomes min_TCC: OBLIGATION 9(x: [s: (nonempty?[nat]) ! (s)]): TRUE Which is true and p rovable

The

second conjunct

f

the dening axiom can also b e facto red into the t yp e min(s: (nonempty?[nat]) ): f x: (s) | 8(n: (s)): x

n

g J. Rushb y FSE97: Subt yp es fo r Sp ecications 13

SLIDE 15 Extending the Example: from Minimum to Maximum

It

might then seem natural to dene a max function dually max(s: (nonempty?[nat]) ): f x: (s) | 8(n: (s)): x

n

g

This

generates the follo wing TCC max_TCC1: OBLIGATION 9(x1: [s: (nonempty?[nat]) ! fx: (s) | 8(n: (s)): x

ng

]): TRUE

T
which

w e can apply the follo wing PVS p ro

f

commands (inst + "(s:(nonempty?[n at ])) : choose( fx: (s) | 8(n: (s)): x

ng

)") (grind :if-match nil) (rewrite "forall_not")

The

PVS p rover command grind do es simplication using decision p ro cedures and rewriting J. Rushb y FSE97: Subt yp es fo r Sp ecications 14

SLIDE 16 Another Erro r is Revealed b y Predicate Subt yp es

These

p ro

f

steps p ro duce the follo wing goal [-1] x!1

[-2]

s!1(x!1) |------- f1g 9(x: (s!1)): 8(n: (s!1)): x

n

Which is asking us to p rove that any nonempt y set

f

natural numb ers has a la rgest memb er

Not

true! W e a re alerted to the inconsistency in

ur

sp ecication

By

moving what w as fo rmerly sp ecied b y an axiom into the sp ecication

f

the range t yp e, w e a re using PVS's p redicate subt yping to mechanize generation

f

p ro

f-obligations

fo r the axiom satisfaction p roblem J. Rushb y FSE97: Subt yp es fo r Sp ecications 15

SLIDE 17 Why Do esn't Minimum Have the Same Problem?

The

co rresp

nding

p ro

f

goal fo r min is [-1] x!1

[-2]

s!1(x!1) |------- f1g 9(x: (s!1)): 8(n: (s!1)): x

n
Which

is true, and can b e p roved b y app ealing to the w ell-foundedness

f

the naturals well_founded?(<): bool = (8p: (9y: p(y))

(9(y:(p)):

(8(x:(p)): (NOT x < y)))) wf_nat: AXIOM well_founded?( (i, j: nat): i < j) This is stated in the built-in \p relude" lib ra ry

f

PVS J. Rushb y FSE97: Subt yp es fo r Sp ecications 16

SLIDE 18 A Generic Sp ecication fo r Minimum

No

w w e see the imp

rtance
f

w ell-foundedness, can write a generic sp ecication fo r min

ver

any w ell-founded

rder

minspec[T: TYPE, <: (well_founded?[T] )] : THEORY BEGIN min((s: (nonempty?[T]))) : f x: (s) | 8(i: (s)): x < i _ x = i g END minspec

Notice

that the constraint

n

< is stated as a p redicate subt yp e|w e will b e required to p rove that any actual pa rameter satises the conditions fo r w ell-foundedness

The

follo wing nonemptiness TCC is generated min_TCC1: OBLIGATION 9(x1: [s: (nonempty?[T]) ! fx: (s) | 8(i: (s)): x < i _ x = ig]): TRUE J. Rushb y FSE97: Subt yp es fo r Sp ecications 17

SLIDE 19 Discha rging the TCC from the Generic Sp ecication

W

e can discha rge the TCC b y exhibiting the \choice function" choose (INST + "(s:(nonempty?[T ]) ): choose(fx: (s) | 8(i: (s)): x<i _ x=ig)")

Although

this discha rges the main goal, choose requires its a rgument to b e nonempt y (w e'll see why later) so w e get a subsidia ry TCC p ro

f
bligation

from the instantiation min_TCC1 (TCC): |------- f1g 8(s: (nonempty?[T])): nonempty?[(s)](fx: (s) | 8(i: (s)): x < i _ x = ig) J. Rushb y FSE97: Subt yp es fo r Sp ecications 18

SLIDE 20 And Another Erro r is Revealed b y Predicate Subt yping

The

subsidia ry goal lo

ks

as though it should follo w b y w ell-foundedness, so w e intro duce this fact as follo ws (typepred "<") (grind :if-match nil)

And
btain

the follo wing p ro

f

goal [-1] s!1(x!1) |------- f1g i!1 < y!1 f2g y!1 < i!1 f3g y!1 = i!1 Which is not true in general!

W

e realize that w ell-foundedness is not enough

Need

trichotomy as w ell

Must

revise sp ecication to require that < is a w ell-o rdering J. Rushb y FSE97: Subt yp es fo r Sp ecications 19

SLIDE 21 Automating Pro

fs

With Predicate Subt yp es

W

e have already seen choice functions a couple

f

times

The

standa rd

ne

is Hilb ert's " function epsilons [T: NONEMPTY_TYPE]: THEORY BEGIN p: VAR setof[T] epsilon(p): T epsilon_ax: AXIOM (9x: x 2 p)

epsilon(p)

2 p END epsilons

epsilon(p)

returns a value satisfying p if there a re any ,

therwise

some value

f

t yp e T

Notice

the t yp e T is required to b e nonempt y J. Rushb y FSE97: Subt yp es fo r Sp ecications 20

SLIDE 22 Another Choice F unction

If

p is constrained to b e nonempt y , can give the follo wing sp ecialization choice [T: TYPE]: THEORY p: VAR (nonempty?[T]) epsilon_alt(p): T epsilon_alt_ax: AXIOM epsilon_alt(p) 2 p END choice

epsilon

alt is simila r to the built-in choose, but if w e use it in the p ro

f
f

min TCC1, w e get an additional subgoal |------- f1g 8(s: (nonempty?[T])): 8(i: (s)): epsilon_alt[(s)]( fx: (s) | 8(i: (s)): x<i _ x=ig) < i _ epsilon_alt[(s)] (fx: (s) | 8(i: (s)): x<i _ x=ig) = i J. Rushb y FSE97: Subt yp es fo r Sp ecications 21

SLIDE 23 Making Info rmation Available in the T yp es

The

extra subgoal is asking us to p rove that the value

f

epsilon alt satises the p redicate supplied as its a rgument

F
llo

ws from epsilon alt ax but has quite complicated p ro

f
Ho

w did choose avoid this?

It

did so b ecause its sp ecication is p: VAR (nonempty?[T]) choose(p): (p) Which reco rds in its t yp e the fact that choose(p) satises p

It

is quite ha rd fo r a p rover to lo cate and instantiate p rop erties stated in general axioms (unless they have sp ecial fo rms such as rewrite rules), but p redicate subt yp es bind p rop erties to t yp es, so the p rover can lo cate them easily J. Rushb y FSE97: Subt yp es fo r Sp ecications 22

SLIDE 24 Another Pro

f

Obligation fo r Predicate Subt yp es

Supp
se

w e intro duce a new subt yp e fo r even integers even: TYPE = fi:int | 9(j:int): i=2jg

And

a function half with signature half: [ even ! int ]

And

then p

se

the conjecture even_prop: LEMMA 8(i: int): half(i+i+2) = i+1

The

a rgument i+i+2 to half has t yp e int, but is required to b e even

Ho

w ever, int is a sup ert yp e

f

even, so w e can generate a TCC to check that the value satises the p redicate fo r even even_prop_TCC1: OBLIGATION 8(i:int): 9(j: int): i+i+2 = 2j

PVS

p rovides \t yp e judgments" that allo w closure p rop erties (e.g., the sum

f

t w

evens

is even) to b e stated and p roved

nce

and fo r all J. Rushb y FSE97: Subt yp es fo r Sp ecications 23

SLIDE 25 Enfo rcing Inva riants with Predicate Subt yp es

Consider

a sp ecication fo r a cit y phone b

k
Given

a name, the phone b

k

should return the set

f

phone numb ers asso ciated with that name

There

should also b e functions fo r adding, changing, and deleting phone numb ers

Here

is the b eginning

f

a suitable sp ecication names, phone_numbers: TYPE phone_book: TYPE = [names ! setof[phone_numb er s]] B: VAR phone_book n: VAR names p: VAR phone_numbers add_number(B, n, p): phone_book = B WITH [(n) := B(n)[fpg] ... J. Rushb y FSE97: Subt yp es fo r Sp ecications 24

SLIDE 26 Adding an Inva riant

Supp
se

that dierent names a re required to have disjoint sets

f

phone numb ers

Intro

duce unused number p redicate and mo dify add number as follo ws unused_number(B, p): bool = 8(n: names): NOT p 2 B(n) add_number(B, n, p): phone_book = IF unused_number(B, p) THEN B WITH [(n) := B(n)[fpg] ELSE B ENDIF

But

where is the disjointness p rop ert y stated explicitly?

And

ho w do w e kno w the the mo died add number function p reserves it? J. Rushb y FSE97: Subt yp es fo r Sp ecications 25

SLIDE 27 Making the Inva riant Explicit with a Predicate Subt yp e

Simply

change the t yp e fo r phone book as follo ws phone_book: TYPE = f B: [ names ! setof[phone_numbe rs] ] | 8(n, m: names): n 6= m

disjoint?(B(n)

, B(m)) g

This

mak es the inva riant explicit

F

urthermo re, t yp echecking add number generates the follo wing TCC add_number_TCC1: OBLIGATION 8(B, n, p): unused_number(B, p)

8(r,

m: names): r 6= m

disjoint?(B

WITH [(n) := B(n)[fpg](r) , B WITH [(n) := B(n)[fpg](m))

Which

requires us to p rove that it really is inva riant J. Rushb y FSE97: Subt yp es fo r Sp ecications 26

SLIDE 28 Predicate Subt yp es and P a rtial F unctions Many pa rtial functions b ecome total when their domains a re sp ecied mo re p recisely

F
r

example, division can b e t yp ed as follo ws nonzero real: TYPE = f r: real | r 6= g /: [real, nonzero real ! real]

Then

t yp echecking div prop: LEMMA 8 (x, y: real): x 6= y

(x
y)/(y
x)

=

1
Generates

the follo wing p ro

f
bligation

div_prop_TCC1: OBLIGATION 8 (x, y: real): x 6= y

(y
x)

6=

Notice

that the context

f

the subt yp e

ccurrence

(under a left-to-right reading) app ea rs in the TCC

Discha

rged automatically b y the PVS decision p ro cedures J. Rushb y FSE97: Subt yp es fo r Sp ecications 27

SLIDE 29 The subp \Challenge"

Consider

the function subp

n

the integers dened b y subp (i; j ) = if i = j then else subp (i; j + 1) + 1 endif

This

function is undened if j > i

When

j

i;

subp (i; j ) = i

j
Often

cited as demonstrating the need fo r pa rtial functions

But

is easily handled using dep endent p redicate subt yp es subp((i:int), (j:int | j

i)):

RECURSIVE int = IF i = j THEN ELSE subp(i, j+1) + 1 ENDIF MEASURE i-j subp_val: LEMMA 8 (i,j: int): ji

subp(i,j)

= i-j J. Rushb y FSE97: Subt yp es fo r Sp ecications 28

SLIDE 30 The subp \Challenge" (continued)

Sp

ecication generates the follo wing TCCs % Subtype TCC generated (line 6) for i

j

subp_TCC1: OBLIGATION 8(i: int), (j: int | j

i):

i-j

%

Subtype TCC generated (line 5) for j + 1 subp_TCC2: OBLIGATION 8(i: int), (j: int | j

i):

NOT i = j

j+1
i

% Termination TCC generated (line 5) for subp subp_TCC3: OBLIGATION 8(i: int), (j: int | j

i):

NOT i = j

i
(j+1)

< i-j

All

three p roved automatically b y PVS decision p ro cedures J. Rushb y FSE97: Subt yp es fo r Sp ecications 29

SLIDE 31 Higher-Order Predicate Subt yp es

It
ften

contributes cla rit y and p recision to a sp ecication if functions a re identied as injections, surjections, etc.

But

ho w to ensure a purp

rted

surjection really has the p rop ert y?

Predicate

subt yp es! The surjections a re a subt yp e

f

the functions asso ciated with the follo wing p redicate function props[dom, rng: TYPE]: THEORY surjective?(f): bool = 8 (r: rng): 9 (d: dom): f(d) = r

So

that half alt: (surjective?[eve n, int]) =

(e:

even): e/2

Generates

the follo wing p ro

f
bligation

half_alt_TCC2: OBLIGATION surjective?[even, int](LAMBDA (e: even): e / 2) J. Rushb y FSE97: Subt yp es fo r Sp ecications 30

SLIDE 32 Higher-Order Predicate Subt yp es (continued) The p ro

f

command (grind :if-match nil) reduces this to half_alt_TCC2 : f-1g integer_pred(y!1) |------- f1g (9(x: even): x / 2 = y!1) Which is easily discha rged J. Rushb y FSE97: Subt yp es fo r Sp ecications 31

SLIDE 33 Languages with Predicate Subt yp es

The

datat yp e inva riants

f

VDM have some simila rit y to p redicate subt yp es (e.g., p ro

f
bligations

in t yp echecking)

But

a re pa rt

f

VDM's mechanisms fo r sp ecifying

p

erations in terms

f

p re- and p

st-conditions
n

a state, rather than pa rt

f

the t yp e system fo r its logic

A

CL2 has p redicate \gua rds"

n

appl'ns

f

pa rtial functions

And

Z/Eves do es \domain checking" fo r Z (and has found a ws thereb y in every sp ecication check ed)

Predicate

subt yp es a re fully supp

rted

as pa rt

f

a sp ecication logic

nly

b y Nup rl and PVS (as fa r as I kno w)

In

Nup rl, all t yp echecking requires theo rem p roving

PVS

sepa rates the algo rithmic elements from those that require TCCs J. Rushb y FSE97: Subt yp es fo r Sp ecications 32

SLIDE 34 Other App roaches to Subt yping

Some

treatments

f

p rogramming languages use \structural" subt yp es to account fo r Object-Oriented features

Intuition

is dierent to \subt yp es as subsets": value

f

subt yp e allo w ed anywhere

ne
f

the pa rent t yp e is

Thus

adding elds to a reco rd creates a subt yp e: function that

p

erates

n

\p

ints"

should also

p

erate

n

\colo red p

ints"
Extension

to function t yp es leads to no rmal

r

cova riant subt yping

n

range t yp es

[

nat ! nat] is a subt yp e

f

[ nat ! int]

But

contrava riant subt yping

n

domain t yp es

[

int ! nat] is a subt yp e

f

[ nat ! nat] J. Rushb y FSE97: Subt yp es fo r Sp ecications 33

SLIDE 35 Combinations

Interesting

resea rch challenge to combine structural with p redicate subt yping (contrava riance complicates equalit y)

PVS

do es extend subt yping cova riantly

ver

range t yp es

f

functions

And
ver

the p

sitive

pa rameters to abstract data t yp es

E.g.,

list[nat] is a subt yp e

f

list

f

list[int]

But

requires equalit y

n

domain t yp es

Ho

w ever, PVS also p rovides t yp e \conversions" that can automatically restrict,

r

(less automatically) expand the domain

f

a function

E.g.,

allo w setof[int] to b e p rovided where setof[nat] is exp ected (and vice-versa) J. Rushb y FSE97: Subt yp es fo r Sp ecications 34

SLIDE 36 Conclusion

Predicate

subt yp es in PVS due to Sam Owre and N. Shank a r

Via

ea rlier Ehdm system, where F riedrich von Henk e adopted them from ANNA

F
rmal

semantics available

n

the PVS w eb site

I

nd them the most useful innovation I have seen in sp ecication language design

Many

users exploit them very eectively

I

hop e to have p ersuaded y

u
f

their value, to

But

not everyb

dy

agrees: Lamp

rt

and P aulson mak e a case fo r unt yp ed sp ecication languages (when used b y hand) J. Rushb y FSE97: Subt yp es fo r Sp ecications 35

SLIDE 37 T

Lea

rn Mo re Ab

ut

PVS

Bro

wse general pap ers and technical rep

rts

at http://www.csl.sr i. com /f m.h tml

tse95.html

is a go

d
verview
f

PVS

pvs-bib.html

links to a bibliography with

ver

140 entries

Detailed

Info rmation ab

ut

PVS is available from http://www.csl.sr i. com /p vs. htm l

http://www.csl.s

ri. co m/p vs /ex am ple s gets y

u

to a directo ry

f

tuto rials and their supp

rting

sp ecication les

Y
u

can get PVS from ftp://ftp.csl.sri .c

m/

pu b/p vs

Allegro

Lisp fo r SunOS, Sola ris, IBM AIX,

r

Linux

Need

64M memo ry , 100M sw ap space, Spa rc 20

r

b etter (Best is 64MB 200 MHz P6, costs under $3,000 in USA) J. Rushb y FSE97: Subt yp es fo r Sp ecications 36