Formalizing an operational semantics of an imperative programing - - PowerPoint PPT Presentation

Formalizing an operational semantics of an imperative programing language using Agda

Emil Karl´ en Andr´ es Sicard-Ram´ ırez Frontiers of Programming Language Technology 2008-05-16

Remark

What your talk is for

Your paper = The beef Your talk = The beef

advertisment Do not confuse the two

Your main weapon

Examples are your main weapon

• To motivate the work
• To convey the basic intuition
• To illustrate The Idea in action
• To show extreme cases
• To highlight shortcomings

When time is short, omit the general case, not the example

(From: http://research.microsoft.com/˜simonpj/papers/ giving-a-talk/giving-a-talk.htm)

The project

Description We formalized some elements of an operational semantics of an imperative programming language (IMP)a using the proof-assistant Agda, and we formalized the proofs of some properties of IMP programs. IMP

            

arithmetical expressions (Aexp) boolean expressions (Bexp) commands (Com)

aGlynn Winskel. The Formal Semantics of Programming Languages. The MIT Press,

1993.

The project

Operational semantics “Operational semantics describes the meaning of a programming language by specifying how it executes on an abstract machine” (Winskel, 1993, p. xv) “Formally, IMP’s behavior is described by rules which specify how its expressions are evaluated and its commands are executed. This rules provide an operational semantics of IMP” (Winskel, 1993, p. 11) rules (inductive relations)

            

evaluation of Aexp : < Aexp, state >→ Number evaluation of Bexp : < Bexp, state >→ Boolean execution of Com : < Com, state >→ state

The project

Example (IMP program) The following is a program that computes the factorial of an natural number n. The input is given in the variable n and the output is put in the variable fac. IF n = 0 THEN fac := 1 ELSE fac := n WHILE n > 1 DO n := n - 1; fac := fac * n Example (Properties) Two concrete programs are equivalents The evaluation of arithmetical expressions is deterministic

The project

Motivation From the POPLmark Challenge (2005): “How close are we to a world in which mechanically verified software is commonplace? A world in which theorem proving technology is used routinely by both software developers and programming language researchers alike?” From Lambda, the Ultimate (2008-05-12): “. . . I taught an introductory course on logic and the theory

• f programming languages entirely in Coq. The experience

was quite demanding . . . I am now convinced that this is the right way to teach programming language foundations . . . ”. (Benjamin C. Pierce) Agda (2007): “Towards a practical programming language based on dependent type theory” (Norell, 2007)

Induction on inductive sets

Example (Natural numbers) 0 ∈ N n ∈ N S(n) ∈ N

• - Natural numbers

data N : Set where zero : N S : N -> N Example (Mathematical induction) For any predicate P,

(P(0) ∧ ∀n[

• ind. hyp.
• P(n)

⇒ P(S(n))]

• inductive step

) ⇒ ∀n.P(n)

P(0) [P(n)]

. . .

P(S(n))

∀x.P(x)

Induction on inductive sets

Example (Mathematical induction) For any predicate P, P(0) [P(n)]

. . .

P(S(n))

∀x.P(x)

• - Mathematical induction via dependent types

N-ind : (P : N -> Set) -> P zero -> ((n : N) -> P n -> P (S n)) -> (n : N) -> P n N-ind P P0 istep zero = P0 N-ind P P0 istep (S n) = istep n (N-ind P P0 istep n)

Induction on inductive sets

Example (Proof using mathematical induction) P(n) : 0 + n = n Paper proof: Base case : P(0) : 0 + 0 = 0 by Def. + Induction step : P(n) → P(S(n)) 0 + S(n) = S(0 + n) by Def. +

= S(n)

by IH: 0 + n = n

• - Agda proof using N-ind

thm1 : (n : N) -> (zero + n) =N n thm1 n = N-ind P P0 istep n where P : N -> Set P = (\(n : N) -> (zero + n) =N n ) P0 : P zero P0 = <> istep : (n : N) -> P n -> P (S n) istep = (\_ ih -> ih )

Induction on inductive sets

Example (Proof using pattern maching) P(n) : 0 + n = n

• - Agda proof using N-ind

thm1 : (n : N) -> (zero + n) =N n thm1 n = N-ind P P0 istep n where P : N -> Set P = (\(n : N) -> (zero + n) =N n ) P0 : P zero P0 = <> istep : (n : N) -> P n -> P (S n) istep = (\_ ih -> ih )

• - Agda proof using pattern matching

thm1 : (n : N) -> (zero + n) =N n thm1 zero = <> thm1 (S n) = thm1 n

Curry-Howard isomorphism

a : A proof : proposition program : specification

             ⇒ Proof check ≡ Type check

Example (A proof the mathematical induction) N-ind : (P : N -> Set) -> P zero -> ((n : N) -> P n -> P (S n)) -> (n : N) -> P n N-ind P P0 istep zero = P0 N-ind P P0 istep (succ n) = istep n (N-ind P P0 istep n)

Curry-Howard isomorphism

a : A proof : proposition program : specification

             ⇒ Proof check ≡ Type check

Example (A proof the mathematical induction) N-ind : (P : N -> Set) -> P zero -> ((n : N) -> P n -> P (S n)) -> (n : N) -> P n N-ind P P0 istep zero = P0 N-ind P P0 istep (succ n) = istep n (N-ind P P0 istep n)

Curry-Howard isomorphism

a : A proof : proposition program : specification

             ⇒ Proof check ≡ Type check

Example (A proof the mathematical induction) N-ind : (P : N -> Set) -> P zero -> ((n : N) -> P n -> P (S n)) -> (n : N) -> P n N-ind P P0 istep zero = P0 N-ind P P0 istep (succ n) = istep n (N-ind P P0 istep n)

Recursion and induction on inductive sets

Example

• - mathematical induction

N-ind : (P : N -> Set) -> P zero -> ((n : N) -> P n -> P (S n)) -> (n : N) -> P n N-ind = ...

• - The recursive combinator for natural numbers via
• - mathematical induction

N-rec : (A : Set) -> A -> (N -> A -> A) -> N -> A N-rec A = N-ind (\_ -> A )

Recursion and induction on inductive sets

An inductive set S (N) (Aexp, Bexp, Com, < Aexp, state >→ Number, . . . )

• Induction on S

(mathematical and well-founded induction) ( structural and rule induction)

• To prove

properties on S

• Recursion on S

To define recursive functions on S

Programs, and what they do

Example (An IMP program) x := 10 y := 20 IF x + y = 30 THEN

• - probably we do this.

ELSE

• - probably we don’t do this.

Question: If x → 10 and y → 20, then shouldn’t x + y → 30? How know? formalize ... BNF ... operational semantics ... types The “Curry-Howard Strategy” Say it with a Type! ... because then a Type Checker can Check what you Say!

BNF for IMP

Com ::= SKIP | Location := Aexp | IF Bexp THEN Com ELSE Com | WHILE Bexp DO Com | Com ; Com Bexp ::= true | false | Aexp = Aexp | Bexp ∧ Bexp Aexp ::= Natural | Location | Aexp + Aexp

BNF for IMP

Aexp ::= Natural | Location | Aexp + Aexp

Representation in Agda

Natural data N : Set where ... Location Loc = String Global State Σ = Loc -> N

Representation in Agda

The Aexp Type data Aexp : Set where aexpN : N

• > Aexp

aexpL : Loc

• > Aexp

aexp+ : Aexp -> Aexp -> Aexp BNF (repeated) Aexp ::= Natural | Location | Aexp + Aexp

Principle of Structural Induction for Aexp

Structural Induction for Aexp ind-Aexp : (P : Aexp -> Set) -> (a : Aexp) -> P a The Aexp Type (repeated) data Aexp : Set where aexpN : N

• > Aexp

aexpL : Loc

• > Aexp

aexp+ : Aexp -> Aexp -> Aexp

Principle of Structural Induction for Aexp

Structural Induction for Aexp ind-Aexp : (P : Aexp -> Set) -> ((n : N)

• > P (aexpN n))
• > -- pN

((x : Loc)

• > P (aexpL x))
• > -- pL

((a0 a1 : Aexp) -> P a0 -> P a1 -> P (aexp+ a0 a1)) -> -- p+ (a : Aexp) -> P a The Aexp Type (repeated) data Aexp : Set where aexpN : N

• > Aexp

aexpL : Loc

• > Aexp

aexp+ : Aexp -> Aexp -> Aexp

Using ind-Aexp for Recursion

Evaluating an Aexp eval-Aexp : Aexp -> Σ -> N

Using ind-Aexp for Recursion

Evaluating an Aexp eval-Aexp : Aexp -> Σ -> N eval-Aexp a σ = ind-Aexp (\(a : Aexp) -> N) (\n -> n) (\x -> σ x) (\_ _ n0 n1 -> n0 + n1) a Structural Induction for Aexp (almost repeated) ind-Aexp : (P : Aexp -> N) -> (N

• > N) ->
• - pN

(Loc -> N) ->

• - pL

(Aexp -> Aexp -> N -> N -> N) -> -- p+ Aexp -> N

Operational Semantics of Arithmetical Expressions

(Natural)

<n, σ>→ n

(Location)

<x, σ>→ σ(x) <a0, σ>→ n0 <a1, σ>→ n1 (where n is the sum of n0 and n1) <a0 + a1, σ>→ n

data EvalAexp : Aexp -> Σ -> N -> Set where eAexpN : (n : N)(σ : Σ)

• > EvalAexp (aexpN n) σ n

eAexpL : (x : Loc)(σ : Σ) -> EvalAexp (aexpL x) σ (σ x) eAexp+ : (a0 a1 : Aexp)(n0 n1 : N)(σ : Σ) -> EvalAexp a0 σ n0 -> EvalAexp a1 σ n1

• > EvalAexp (aexp+ a0 a1) σ (n0 + n1)

Boolean Expressions and Commands

Boolean Expressions data Bexp : Set where ... ind-Bexp = ... data EvalBexp : Bexp -> Σ -> Bool -> Set where ... Commands data Com : Set where ... ind-Com = ... data Exec : Com -> Σ -> Σ -> Set where ...

Some types for propositions and proofs

Only true data True : Set where <> Only false data False : Set where No constructor for False! Dependent type IsTrue : Bool -> Set for truths IsTrue false = False IsTrue true = True Dependent type IsFalse : Bool -> Set for falsities IsFalse false = False IsFalse true = True

Conclusions

The use of proof-assistant technology requires a complete understanding of the object to be formalized:

Benefit: You know every object’s detail Drawback: You have to handle every object’s detail

Straight forward translation of BNF and Operational Semantics into Agda data types. Straight forward translation of Structural Induction and Rule Induction into Agda functions. It’s often more convinient and clear to write Inductive and Recursive Functions using Pattern Matching than using predefined Induction functions (ind-N, ind-Aexp, ind-EvalAexp ...). The proof-assistant Agda is becoming more popular (introductory material, mail list, wiki page, standard library, etc.)