1. First-order Mu-Calculus as a Framework for Program Verification
Mads Dam, SICS and KTH/IMIT
With contributions by Lars-Åke Fredlund, Dilian Gurov, Christoph Sprenger, Gennady Chugunov
KeY WS, June 2004

2. Background
Experiment on
– source level
– theorem proving
– for distributed applications
Source language: mainly Erlang
Executed at the FDT lab, SICS, 1995-2003+
Approach, experiences, and lessons

3. Theorem Proving – Why?
There are many interesting distributed programs to verify
– dynamic process structures
– client-server applications
– migrating processes
against many interesting properties
– temporal properties
– functional properties
– as yet undetermined mixes
There is no decidable framework that will allow this, so we need to resort to theorem proving.

4. Is Theorem Proving Easier Than Model Checking?
By using intelligence in proof search, can we bypass the combinatorial difficulties of model checking?
Yes: We are not forced into brute-force state exploration when an intelligent choice of invariant will do.
No: The combinatorial explosion of parallelism is for real. Must tackle, e.g., true-concurrency style diamond properties.
Handling the combinatorial complexity along with interaction is the fundamental difficulty!

5. The Setting
Need a framework with at least:
– First-order logic to talk about elements, process identifiers, stores, states, etc.
– Induction and coinduction to define data structures, transition relations, and interesting program properties
Our proposal: First-order logic + induction + coinduction = first-order mu-calculus

6. Mu-Calculus
Kleene-Tarski fixed point theorem: every monotone function $f$ on a complete lattice has a complete lattice of fixed points.
– $\mu x.f(x)$: least fixed point of $f$
– $\nu x.f(x)$: greatest fixed point of $f$
Ordinal approximants:
$\mu^{0} x.f(x) = \emptyset$, $\nu^{0} x.f(x) =$ "all"
$\mu^{\kappa+1} x.f(x) = f(\mu^{\kappa} x.f(x))$, $\nu^{\kappa+1} x.f(x) = f(\nu^{\kappa} x.f(x))$
$\mu^{\lambda} x.f(x) = \bigcup_{\kappa<\lambda} \mu^{\kappa} x.f(x)$, $\nu^{\lambda} x.f(x) = \bigcap_{\kappa<\lambda} \nu^{\kappa} x.f(x)$ ($\lambda$ a limit ordinal)
Then: $\mu x.f(x) = \bigcup_{\kappa} \mu^{\kappa} x.f(x)$ and $\nu x.f(x) = \bigcap_{\kappa} \nu^{\kappa} x.f(x)$

7. Examples
• $f = \lambda x.\,\forall y.\,\mathrm{TransRel}(x,y) \to f(y)$
  – $\mu x.f(x)$ = AF "terminated"
  – $\nu x.f(x)$ = true
• $f = \lambda x.\,\mathrm{good}(x) \lor \exists y.\,\mathrm{TransRel}(x,y) \land f(y)$
  – $\mu x.f(x)$: EF good
  – $\nu x.f(x)$: EF good $\lor$ EG EX true
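To make the approximant chain of slide 6 and the two functionals of slide 7 concrete, here is an added Python example; it is not code from the talk or from the vericode tool. It runs the Kleene iteration on a small transition system constructed for the purpose (the successor map `TRANS`, the predicate `GOOD` and the state numbering are assumptions). On a finite lattice every monotone functional becomes stationary after finitely many steps, so the list returned by `approximants` is the whole chain $\mu^{0}, \mu^{1}, \ldots$ (or $\nu^{0}, \nu^{1}, \ldots$) up to the fixed point, and the four results of slide 7 can be read off directly: the least fixed point of the first functional is the set of states from which every path terminates, its greatest fixed point is the whole state space, and the two fixed points of the second functional differ exactly by the states that have an infinite path.

```python
from typing import Callable, FrozenSet, List

# Constructed finite transition system (an assumption, not from the slides).
# TransRel as a successor map:
#   0 -> 1, 2   1 -> 3   2 -> 2 (self-loop)   3 terminal   4 -> 4, 5   5 terminal
TRANS = {0: {1, 2}, 1: {3}, 2: {2}, 3: set(), 4: {4, 5}, 5: set()}
GOOD = frozenset({3})            # the predicate good(x) of slide 7
STATES = frozenset(TRANS)        # the "all" of slide 6

Pred = FrozenSet[int]
Functional = Callable[[Pred], Pred]


def succ(x: int) -> set:
    return TRANS[x]


def approximants(f: Functional, start: Pred) -> List[Pred]:
    """Kleene chain start, f(start), f(f(start)), ... until it is stationary.

    With start = empty set this is mu^0, mu^1, ..., with start = STATES it is
    nu^0, nu^1, ...; on a finite lattice no limit ordinals are ever needed."""
    chain = [start]
    while True:
        nxt = f(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


def lfp(f: Functional) -> Pred:
    return approximants(f, frozenset())[-1]    # mu^0 = empty set


def gfp(f: Functional) -> Pred:
    return approximants(f, STATES)[-1]         # nu^0 = "all"


# First functional of slide 7: f(X) = { x | forall y. TransRel(x,y) -> X(y) }
def f1(X: Pred) -> Pred:
    return frozenset(x for x in STATES if all(y in X for y in succ(x)))


# Second functional of slide 7: f(X) = { x | good(x) or exists y. TransRel(x,y) and X(y) }
def f2(X: Pred) -> Pred:
    return frozenset(x for x in STATES if x in GOOD or any(y in X for y in succ(x)))


def af_terminated() -> Pred:
    """mu x.f1(x): states from which every path reaches a state without successors."""
    return lfp(f1)


def ef_good() -> Pred:
    """mu x.f2(x): states from which some path reaches a good state."""
    return lfp(f2)


def eg_ex_true() -> Pred:
    """EG EX true as its own greatest fixed point: states with an infinite path."""
    return gfp(lambda X: frozenset(x for x in STATES if any(y in X for y in succ(x))))


if __name__ == "__main__":
    for i, a in enumerate(approximants(f1, frozenset())):
        print(f"mu^{i} x.f1(x) = {sorted(a)}")
    print("AF terminated =", sorted(af_terminated()), " nu x.f1(x) =", sorted(gfp(f1)))
    print("EF good       =", sorted(ef_good()), " nu x.f2(x) =", sorted(gfp(f2)))
    print("EF good or EG EX true =", sorted(ef_good() | eg_ex_true()))
```

The chain for `f1` from the empty set is $\emptyset$, $\{3,5\}$ (the terminal states), $\{1,3,5\}$, and then stops; states 0, 2 and 4 are excluded because each has a successor that can loop forever. The same iteration from `STATES` never shrinks, which is the "$\nu x.f(x) =$ true" of slide 7.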

8. How to Embed Your Favourite Logic
• Data types: $\mathrm{Nat} = \mu X(n).\, n = 0 \lor \exists n_1.\, n = n_1 + 1 \ldots$
• Language: $\mathrm{Prog} = \mu X(p).\, p = \mathrm{skip} \lor \exists p_1, p_2.\, \ldots$
• States: $\mathrm{State}(s) = (\exists p, t.\, \mathrm{Prog}(p) \land \mathrm{Store}(t) \land s = (p,t)) \lor \ldots$
• Embedding of the operational semantics: $\mathrm{TransRel} = \mu X(s_1, s_2).\, (\exists t.\, \mathrm{Store}(t) \land s_1 = (\mathrm{skip}, t) \land s_2 = t) \lor \ldots$
• Embedding of the logic: $\{\varphi\}\,p\,\{\psi\} = \forall s.\, \mathrm{State}(s) \land \varphi(s) \to (\nu X(s).\, (\mathrm{Terminal}(s) \land \psi(s)) \lor (\exists s_n.\, \mathrm{TransRel}(s, s_n) \land X(s_n)))(s)$

9. Proof System
Key innovation: mechanism for lazy handling of induction
Main components:
• Gentzen-type proof system for FOMuC
• Explicit ordinal approximations
• Loop discharge mechanism

10. Sequent Calculus for FOMuC
Sample goal: $\Rightarrow \mathrm{AFgood}(p \parallel q)$ (p and q are message-passing processes)
Obs: Modularity for free! Prove a lemma about an arbitrary x satisfying a sub-specification, then cut it in:

      subspec(x) ⇒ AFgood(x ∥ q)
      ---------------------------
      subspec(p) ⇒ AFgood(p ∥ q)        ⇒ subspec(p)
      ----------------------------------------------
                    ⇒ AFgood(p ∥ q)

No free lunch: need a proof system + know how to use it!

11. Results
Theorem-proving basics:
– Ordinal approximations, soundness and completeness of discharge (Dam, Gurov, Sprenger)
Language embedding framework:
– General, compositional verification (Simpson-95, Dam-95, Fredlund-01)
– Instantiations: CCS, Erlang, pi-calculus, JavaCard (papers by Dam, Fredlund, Gurov, Chugunov a.o.)
– Completeness for context-free + pushdown cases (Simpson-Schoepp)
Case studies:
– Erlang (Arts-Dam), JavaCard (Huisman-Gurov-Barthe)
Tools:
– www.sics.se/fdt/vericode (Fredlund)

12. Issues
I. Theorem-proving framework
II. Programming language embeddings
III. Logic and proof system embeddings
IV. Case studies
V. Tool support
VI. Related work

13. I. Theorem-Proving Framework
Motivation: tableau-based model checking
Let $P = a.P + b.P$. Tableau for $P : \mathrm{AG}(\langle a\rangle\mathrm{true} \land \langle b\rangle\mathrm{true})$, read bottom-up; the leaf in brackets is discharged against the starred goal it repeats:

      [P : AG(<a>true ∧ <b>true)]*
       ...           ...           ...
      P : [a]AG(<a>true ∧ <b>true)
      P : <a>true ∧ <b>true ∧ [a]AG(<a>true ∧ <b>true) ∧ ...
      P : AG(<a>true ∧ <b>true) *

Induction principle: induction on derivation length
Works for finite state processes

14. "Counter-example"
Let's try to do the same for an infinite state process! Let $P = up.(down \mid P)$.

      ...
      down² | P : AG[up]<down>
      ...                          ...
      0 | P : AG[up]<down>         ⇒ P : [up]<down>
      down | P : AG[up]<down>
      P : AG[up]<down>

The states down | P, 0 | P, down² | P, ... never repeat, so no goal is ever discharged. Can we rescue the set-up?

15. Use a Cut!
Recall $P = up.(down \mid P)$. Let $F = \mathrm{AG}[up]\langle down\rangle$ $(= \nu X.\,[up]\langle down\rangle \land [down]X \land [up]X)$.
Lemma, proved by another induction (the bracketed leaf is discharged against the starred root):

      [x:F ⇒ down|x : F]*                  x:F ⇒ 0|x : F
      x:F, x:[down]F ⇒ down|x : [down]F    ...
      x:F ⇒ down|x : [up]<down>            x:F ⇒ down|x : [down]F    ...
      x:F ⇒ down|x : F *

Main proof, with the lemma cut in (the bracketed leaf is discharged against the goal marked +):

      [P : F]+    ...
      down|P : F
      P : F +

16. How to Make This Work?
1. Use mu-calculus
2. How to handle fixed points?
– Alternating fixed points problematic, as for model checking ($\Rightarrow P:F$)
– Here also direct interference (coming up)
– Sol'n 1: Terrible mess (Dam'95)
– Sol'n 2: Explicit ordinal approximants (DG'00)
3. How to embed the operational semantics?
– Need rules to reflect local behaviour of process connectives
– Sol'n 1: Sort of ad hoc (Dam'95)
– Sol'n 2: Use transition relation embedding (Simpson'95)
– Sol'n 3: Use 1st-order mu-calculus (Fredlund'01)

17. How to Do Induction, 1?
Option 1: Fixed point induction à la LCF:
$F[\mu x.F/x] \Rightarrow \mu x.F$ \qquad $\dfrac{F[G/x] \Rightarrow G}{\mu x.F \Rightarrow G}$
− Difficult to use in practice
− Doesn't fit well with the Gentzen-type framework

18. How to Do Induction, 2?
Option 2: Unique naming (Stirling), tagging (Winskel):
$\dfrac{\Rightarrow P : F[\nu x.\{P\} \cup A.F/x]}{\Rightarrow P : \nu x.A.F}$ \qquad $\Rightarrow P : \nu x.\{P\} \cup A.F$
+ Excellent for model checking
− Doesn't fit well with the Gentzen-type framework
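Added Python example, not the talk's own tool: a local, tableau-style model checker in the tagging style of slide 18, run on the two processes of slides 13 and 14. A $\nu$-goal at a state that already carries the tag for that formula is discharged, exactly as the bracketed leaves in the tableaux are discharged against a repeated ancestor. The tuple encoding of formulas, the encoding of $down^{n} \mid P$ as the counter $n$ of pending `down` processes, and the step budget are assumptions made here. For the finite-state $P = a.P + b.P$ the discharge fires at once; for $P = up.(down \mid P)$ every unfolding of AG reaches a fresh counter value, no discharge ever happens, and the checker only stops because the budget runs out.

```python
from typing import Callable, Hashable, Iterable, Optional, Tuple

State = Hashable
Formula = tuple
Succ = Callable[[State], Iterable[Tuple[str, State]]]   # lazily generated transitions


# Formula constructors for a nu-only modal mu-calculus (assumed encoding).
def tt() -> Formula:                          return ('tt',)
def dia(a: str, f: Formula) -> Formula:       return ('dia', a, f)      # <a>f
def box(a: str, f: Formula) -> Formula:       return ('box', a, f)      # [a]f
def conj(f: Formula, g: Formula) -> Formula:  return ('and', f, g)
def boxall(f: Formula) -> Formula:            return ('boxall', f)      # [-]f over every action
def var(x: str) -> Formula:                   return ('var', x)
def nu(x: str, f: Formula) -> Formula:        return ('nu', x, f)
def AG(f: Formula) -> Formula:                return nu('X', conj(f, boxall(var('X'))))


class BudgetExhausted(Exception):
    """The tableau kept unfolding without ever revisiting a tagged state."""


def _check(s, phi, succ, env, tags, budget) -> bool:
    # env: bound variable -> its nu formula; tags: nu formula -> states assumed on this path
    budget[0] -= 1
    if budget[0] < 0:
        raise BudgetExhausted()
    kind = phi[0]
    if kind == 'tt':
        return True
    if kind == 'and':
        return (_check(s, phi[1], succ, env, tags, budget)
                and _check(s, phi[2], succ, env, tags, budget))
    if kind == 'dia':
        return any(_check(t, phi[2], succ, env, tags, budget)
                   for a, t in succ(s) if a == phi[1])
    if kind == 'box':
        return all(_check(t, phi[2], succ, env, tags, budget)
                   for a, t in succ(s) if a == phi[1])
    if kind == 'boxall':
        return all(_check(t, phi[1], succ, env, tags, budget) for _, t in succ(s))
    if kind == 'var':
        return _check(s, env[phi[1]], succ, env, tags, budget)
    if kind == 'nu':
        tagged = tags.get(phi, frozenset())
        if s in tagged:
            return True                       # loop discharge: nu X.F already assumed at s
        return _check(s, phi[2], succ,
                      {**env, phi[1]: phi},
                      {**tags, phi: tagged | {s}},   # tag s before unfolding
                      budget)
    raise ValueError(f"unknown formula {phi!r}")


def model_check(s: State, phi: Formula, succ: Succ, budget: int = 400) -> Optional[bool]:
    """True/False if the tableau closes within `budget` steps, None if it does not."""
    try:
        return _check(s, phi, succ, {}, {}, [budget])
    except BudgetExhausted:
        return None


# Slide 13: P = a.P + b.P, a single state 'P'.
def succ_P(s):
    return [('a', 'P'), ('b', 'P')]


# Constructed contrast: Q = a.Q has no b-move, so AG(<a>tt & <b>tt) fails.
def succ_Q(s):
    return [('a', 'Q')]


# Slide 14: P = up.(down | P); state n stands for down^n | P.
def succ_counter(n: int):
    moves = [('up', n + 1)]
    if n > 0:
        moves.append(('down', n - 1))
    return moves


if __name__ == "__main__":
    spec = AG(conj(dia('a', tt()), dia('b', tt())))
    print("P = a.P + b.P   |= AG(<a>tt & <b>tt):", model_check('P', spec, succ_P))
    print("Q = a.Q         |= AG(<a>tt & <b>tt):", model_check('Q', spec, succ_Q))
    print("P = up.(down|P) |= AG[up]<down>tt   :", model_check(0, AG(box('up', dia('down', tt()))), succ_counter))
```

The tag set is threaded down the recursion rather than kept globally, so a $\nu$-goal is only discharged against goals on its own branch; that is the ancestor-discharge of the tableau method and is sound for greatest fixed points, which is why slide 18 calls tagging excellent for model checking. The property $\mathrm{AG}[up]\langle down\rangle$ does hold of $P = up.(down \mid P)$, so the `None` result is the checker giving up, not a refutation; the cut-based lemma of slide 15 is the way out.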

19. Fixed Point Interference
Schematically, let $F = \mu X_1.\,\nu X_2.\,\langle a\rangle X_2 \land \langle b\rangle X_1$ and $G = \mu Y_1.\,\nu Y_2.\,\langle a\rangle Y_1 \land \langle b\rangle Y_2$.
Attempted proof of $\Rightarrow X_1, Y_1$, with ordinal approximants $\alpha$ for $X_2$ and $\beta$ for $Y_2$ (bracketed leaves "discharged" against the starred goal):

      [α' < α ⇒ X2(α'), Y2(β'')]*          [β' < β ⇒ X2(α''), Y2(β')]*
      α' < α ⇒ X2(α'), Y1                   β' < β ⇒ X1, Y2(β')
      α' < α, β' < β ⇒ <a>X2(α') ∧ <b>X1, <a>Y1 ∧ <b>Y2(β')
      ⇒ X2(α), Y2(β) *
      ⇒ X1, Y1

Discharge not sound! Each branch has decreased only one of the two approximants and reset the other. (Not easy to handle using constants or tagging.)

20. How to Do Induction, 3?
Option 3: Well-founded induction. Use Kleene-Tarski through:
$\dfrac{\Gamma,\ \forall k' < k.\, F[k'/k] \Rightarrow F, \Delta}{\Gamma \Rightarrow \forall k.\, F, \Delta}$
+ Kleene-Tarski = the canonical proof method for mu-calculus
− Use of explicit ordinal arithmetic
− "Eager" solution to the interference problem

21. How to Do Induction, 4?
Option 4: Lazy induction (here): unfolding + global check of interference freedom
+ Lazy handling of interference
− Use of explicit ordinal arithmetic
− Global check can be problematic

22. Mu-Calculus With Explicit Ordinal Approximations
Syntax: FOL + (approximated) fixed points
$F ::= \text{FOL formula} \mid F_X(t)$
$F_X ::= X \mid \mu X(y).F \mid \mu^{k} X(y).F$
Remarks:
– $t$ a term
– Individual, predicate, and ordinal variables
– Both $X$ and $y$ are bound in $\mu X(y).F$ and $\mu^{k} X(y).F$
– Usual syntactic monotonicity condition applies
– No ordinal arithmetic

23. Semantics
Model $M = (A, e)$
– $A$ a first-order structure
– $e$ a valuation
Let $H = \lambda P.\,\lambda a.\,\|F\|_{e[P/X][a/y]}$. Then
– $\|\mu X(y).F\|_e = \mu H$
– $\|\mu^{k} X(y).F\|_e = \mu^{e(k)} H$
Proposition:
– $\mu H = \sup_{\alpha} \mu^{\alpha} H$
– $\mu^{\alpha} H = \sup_{\beta < \alpha} H(\mu^{\beta} H)$

24. Sequents, Validity
Sequents: $\Gamma \Rightarrow_O \Delta$ where $O$ is a finite partial order on ordinal variables
Validity: $\Gamma \Rightarrow_O \Delta$ is valid if $\bigwedge\Gamma \to \bigvee\Delta$ is true in all models that respect $O$:
• whenever $k <_O k'$ then $e(k) < e(k')$

25. Local Proof Rules
4 basic rules + symmetric versions for $\nu$ if needed

$\mu$-L: $\dfrac{\Gamma,\ (\mu^{k} X(y).F)(t) \Rightarrow_{O'} \Delta}{\Gamma,\ (\mu X(y).F)(t) \Rightarrow_O \Delta}$ \quad $O' = O \cup \{k\}$, $k$ a new ordinal variable

$\mu$-R: $\dfrac{\Gamma \Rightarrow_O \Delta,\ F[\mu X(y).F/X,\ t/y]}{\Gamma \Rightarrow_O \Delta,\ (\mu X(y).F)(t)}$

$\mu^{k}$-L: $\dfrac{\Gamma,\ F[\mu^{k'} X(y).F/X,\ t/y] \Rightarrow_{O'} \Delta}{\Gamma,\ (\mu^{k} X(y).F)(t) \Rightarrow_O \Delta}$ \quad $O' = O \cup \{k' < k\}$

$\mu^{k}$-R: $\dfrac{\Gamma \Rightarrow_O \Delta,\ F[\mu^{k'} X(y).F/X,\ t/y]}{\Gamma \Rightarrow_O \Delta,\ (\mu^{k} X(y).F)(t)}$ \quad $k' <_O k$
