Imperative Programming by Stepwise Refinement in Coq Boubacar Demba - - PowerPoint PPT Presentation

Imperative Programming by Stepwise Refinement in Coq

Boubacar Demba Sall Emmanuel Chailloux (Doctoral Advisor) Fr´ ed´ eric Peschanski (Doctoral Advisor)

Sorbonne University, LIP6 UMR 7606 4 place Jussieu 75005 Paris, France.

Journ´ ee AIRBUS-LIP6 Paris, February 20th 2019

1 / 16

Introduction (1/2)

The problem The gap from abstract specifications to concrete programs

• expressiveness of specification languages

Proving correctness can prove difficult :

• invariant inference is often hard
• big formulae not so easy to manipulate
• confidence in the proofs

2 / 16

Introduction (2/2)

The stepwise path towards a solution Take small steps and compose them Make sure each step is correct Use a proof assistant to increase confidence in the proofs Specification

T1

− → 1st refinement

T2

− → 2nd refinement ...

Tn

− → Program

3 / 16

Means of Specification

Before-After predicates v : value of variable v at beginning of execution v′ : value of v after execution ends v′ > v ∧ x′ = x : increase v and leave x unchanged Advantages of B-A predicates → unifie preconditions, postconditions, invariants and variants → easier to compose than pre/post condition pairs

4 / 16

Description of Refinements with Design Blocks

Design block notation : spec { body } header : abstract specification body : more concrete implementation candidate can be nested Advantages → recording of design decisions (programmer’s intent) → embedded formal specifications (mandatory maintenance) → basis for hierarchical proof decomposition

5 / 16

6 / 16

Example - An Integer Square Root Algorithm (1/4)

State variables x : nat -- input r : nat -- result (and left bound of search interval) h : nat -- local variable (right bound of search interval) m : nat -- local variable (pivot) Square root algorithm specification: r′2 ≤ x < (1 + r′)2 x

7 / 16

Example - An Integer Square Root Algorithm (2/4)

First step: r′2 ≤ x < (r′ + 1)2 { r := 0; h := x + 1;

while r + 1 = h do

r + 1 < h ∧ r′2 ≤ x < h′2 ∧ (r < r′ ... ∨ h′ < h ...) x

done

} Can be read as: r′2 ≤ x < (r′ + 1)2 { r := 0; h := x + 1;

if r + 1 = h then

r + 1 < h ∧ r′2 ≤ x < h′2 ... ∧ r′ + 1 = h′ x

end

}

8 / 16

Example - An Integer Square Root Algorithm (3/4)

Fast forward to the final step (the process is additive) r′2 ≤ x < (r′ + 1)2 { r := 0; h := x + 1;

while r + 1 = h do

r + 1 < h ∧ r′2 ≤ x < h′2 ∧ (r < r′ ... ∨ h′ < h ...) x { r < m′ < h x,r,h { m := r + (h − r)/2 };

if m2 ≤ x then r := m else h := m end

}

done

}

9 / 16

Example - An Integer Square Root Algorithm (4/4)

One more thing ... (nat → uint64 ?) r′2 ≤ x < (r′ + 1)2 { r := 0; h := x + 1;

while r + 1 = h do

r + 1 < h ∧ r′2 ≤ x < h′2 ∧ (r < r′ ... ∨ h′ < h ...) x { r < m′ < h x,r,h { m := r + (h − r)/2 };

if m2 ≤ x then r := m else h := m end

}

done

} ... requires data refinement (future work ...)

10 / 16

A tiny bit of semantics

Π1 : DesignBlock → AST Π1(Sqrt) = r′2 ≤ x < (r′ + 1)2 Π2 : DesignBlock → AST Π2(Sqrt) = r := 0; h := x + 1;

while r + 1 = h do

m := r + (h − r)/2;

if m2 ≤ x then r := m else h := m end done

Definition (Design correctness)

correct D

def

= Π2(D) ⊑ Π1(D)

11 / 16

12 / 16

Definitions of Program Refinement

Hoare-style definition

S ⊑ T

def

= ∀ P Q · P {T} Q ⇒ P {S} Q

Definition with predicate transformers

S ⊑ T

def

= ∀ Q · wp(T, Q) ⇒ wp(S, Q)

Relational definition

S ⊑ T

def

=

dom(T) ⊳ S ⊆ T

∧

dom(T) ⊆ dom(S)

13 / 16

Correctness by Construction (1/2)

Composition rules:

CbC (Effect f ) CbC spec CbC D1 ∧ CbC D2 CbC D1;D2 CbC D1 ∧ CbC D2 CbC If C then D1 else D2 endif

14 / 16

Correctness by Construction (2/2)

Composition rules:

CbC D

∧ well founded (λ s s′ ⇒ C s′ ∧ (K s′ s) ∧ C s) ∧ K ⊳ C; if C then K endif ⊑ K ⊳ C with K

def

= Π1(D)

CbC While C do D done CbC D ∧ Π1(D) ⊑ spec CbC spec { D }

15 / 16

Conclusion and Future Work

Conclusion formalizarion of stepwise refinement in Coq composition of CbC imprerative programs

• utput : AST and proof of correctness

Future work data refinement AST translation to C proof automation (specialized tactics, SMT solvers, ...)

16 / 16