Logics for Program Reasoning University of Oslo Ratan - - PDF document

Logics for Program Reasoning

University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140: Specification and verification of parallel system 18 May 2018

Modal Logic

Modal logic is particularly suitable for reasoning dynamic behaviour of programs where truth value

• f statements are not fixed ,and may vary over time ;this dynamic interpretaion of modal logic is

called Temporal logic. Whereas in multimodal reasoning we place the propram inside modality symbol; [], thus program becomes an explicit part of the language ,and the resulting system is called dynamic logic.

Propositional Modal Logic

It extends propositional logic with modal operator i.e.necessary, and ♦ i.e. possibility, given as ♦ϕ

def

⇐ ⇒¬¬ ϕ ϕ

def

⇐ ⇒ It is necessary that ϕ holds in all possible worlds ♦ϕ

def

⇐ ⇒ There exists a possible world that realizes ϕ

Semantics under Kripke frame, κ

Kripke frame is a structure κ = (K, Rκ, mκ) where, K is a non − empty set of states or worlds Rκ is a binary relation on K called accessibility relation mκ is a function assigning a subset of K to each atomic proposition Intuitively, K represents the universe of κ and Rκ specifies which worlds are accessible from a given view point of world ; i.e.(u, v) ∈ Rκ → v is possible world from view point of u.Whereas, mκ determines a truth assignment to each worlds such as [1,2] mκ (ϕ → ψ)

def

= (K − mκ(ϕ)) ∪ mκ(ψ) {u | = ϕ → ψ ⇐ ⇒ (u | = ϕ ⇒ u | = ψ)} (mκ(ϕ)

def

= K − Rκ o (K − mκ(ϕ)) {u | = ϕ ⇐ ⇒ for all v, if (u,v) ∈ Rκ then v | = ϕ } mκ(♦ϕ)

def

= Rκ o mκ(ϕ) {u | = ♦ϕ ⇐ ⇒ there exists v such that (u,v) ∈ mκ and v | = ϕ} mκ (0)

def

= φ {u 0}

Temporal Logic

Temporal logic is useful in situations where programs are not normally supposed to halt, such as

• perating system , and particularly concurrency.For examples, proving properties of concurrent

finite state protocols, solution to the dinning philosophers and mutual exclusion problems which are well known abstraction of synchronization and resource management problems in distributed

1Equations in red color are equivalent interpretation of modalities in propositional logic 2Symbole ”o” denotes relation composition

2

systems.[3 4 5 6] s | = ϕ

def

⇐ ⇒ all states t such that (s, t) ∈ NEXT, t | = ϕ

def

⇐ ⇒∀t (s, t) ∈ NEXT → t | = ϕ

def

⇐ ⇒¬(0 Until¬ϕ) s | = ϕ

def

⇐ ⇒ starting with s, all future states satisfy ϕ

def

⇐ ⇒∀t (s, t) ∈ NEXT ⋆ → t | = ϕ

def

⇐ ⇒ϕ ∧ ¬(1 Until¬ϕ) s | = ♦ϕ

def

⇐ ⇒ s | = ¬¬ϕ OR s | = ♦ϕ

def

⇐ ⇒ starting with s, some future states satisfy ϕ

def

⇐ ⇒∃t (s, t) ∈ NEXT ⋆ ∧ t | = ϕ

def

⇐ ⇒ϕ ∨ (1 Until ϕ)

Concurrency and non-determinism

TL is applicable where program are interpreted as traces instead of pairs of states. In single processor deterministic programs, for each states s, if (s,t) ∈ NEXT then t is unique. Whereas in a multiprocessor environment,say with n processor, a state becomes a tuple and com- putation is no longer single trace, if s and t are states, (s,t) ∈ NEXT then t is some node t in the tree below s. For example, consider an invariance property, | = ϕ ⇐ ⇒ t | = ϕ for every node t in the tree below s. However a non-deterministic program is total if there is no chance of an infinite trace out of the start state s, every trace out of s satisfies ♦ halt.The dual ♦ of as defined by ♦ϕ=¬¬ϕ does not really express this, instead it says: s | = ♦ϕ ⇐ ⇒ there is some node t in the tree below s such that s | = ϕ.

3

ϕ does not imply that a next successor exists; however ¬ϕ¬ can be used whenever this is desired s | = ¬ ¬ ⇐ ⇒ there exists t such that (s,t) ∈ NEXT and t | = ϕ

4

In ordinary deterministic programs,each state has at most one NEXT-successor,but in concurrent or non-deterministic programs,there may be many possible NEXT-successors.

5

TL operators: , , and, ♦ could be expressed with Until operator but this is always not helpful. For example ,ϕ is true at each multiple of 3 but false elsewhere : ϕ ∧ (ϕ → (¬ϕ ∧ (¬ϕ ∧ ϕ))))

6

NEXT ⋆ is reflexive transitive closure of NEXT

3

And, this is not very useful statement. One way to fix this is to introduce a new model operator A such that A ⇐ ⇒For all tracess in the tree.., then Aϕ ⇐ ⇒For all traces π out of the current state ,π satisfies ϕ A♦ϕ ⇐ ⇒ For all traces π out of the current state, π satisfies ♦ϕ ;that is ,ϕ

• ccurs somewhere along the trace π.

Another way is to interpret programs as sets of traces instead of pairs of states in Propositional Dynamic logic, such as [α]♦ϕ [α]ϕ which captures notion of eventuality and invariance precisely.

Process Logic[1]

Dynamic logic along with it’s counterpart PDL and Algorithmic logic reasons with pre and post behaviour of programs based on Floyd- Hoare style, however they are logically limited to deal with the progressive behaviour of programs.For example assertion like, variable x assumes value 0 at some point during the computation.Whereas, process logic embodies TL with test-free regular PDL, thus temporal operators are avialable for expressing and reasoning about the trace properties

• f compositionally constructed programs. All formula in the laguage of PL are path(trace) formulas

such as a formula ϕ is either true or false in path σ , in contrast to Nishimura logic(NL), SOAPL and TL where they use both path and state formulas.Notation ,syntax and semantics of PL; α , β , ... = ⇒ Set of programs ϕ , ψ , .. = ⇒ Set of propositions ω = ⇒ infinite iteration ; , ∪ , ∗ = ⇒ compositional operators for programs ∨, ¬, f, suf(for Until), n(for Next) = ⇒ compositional operators for propositions f ϕ − →express the condition that ϕ holds in the unique initial prefix of length 0 ϕ suf ψ − →there exist a state s along the path x | = ψ and all states occurring on the path before s satisfy ϕ A path model is a triple M = (S, | =, R) where, S, is a set of states | = ,is a satisfiability relation for primitive propositions R ,is a relation assigning sets of path to primitive programs For example, lets use ρ, τ, σ and p,q ,r to denote path and atomic proposition respectively. A path(trace) τ is a suffix of ρ if there exist an σ such that ρ = στ . A suffix τ of ρ is proper if length(ρ) = length(τ). NEXT(ρ) denotes longest proper suffix of ρ if length(ρ) = 0 . Prefixes and proper prefixes are defined similarly. 4

Then, ρ | = p if path ρ satisfies p ,and ρ ∈ Ra if ρ is a member of sets of paths assigned by R to an atomic program a. Accordingly, Rαβ

def

= Rα Rβ = {ρτ|ρ ∈ Rα and τ ∈ Rβ} Rα∪β

def

= Rα ∪ Rβ Rα∗

def

=

• i<ω

Rαi ρ | =ϕ ∨ ψ if ρ | = ϕ or ρ | = ψ ρ | =¬ϕ iff not ρ | = ϕ ρ | =αϕ iff ∃τ ∈ Rα ρτ | = ϕ ρ | = fϕ iff first(ρ) | = ϕ ρ | =ϕ surf ψ iff ∃τ such that τ is a proper suffix of ρ and τ | = ψ, and ∀σ ifσ is a proper suffix of ρ and τ is a proper suffix of σ, then σ | = ϕ σ = s0s1s2.... = ⇒ A path σ is a finite or infinite sequence of states Path of length n = ⇒ n+1 states in path ; single state path length equals to 0 first(σ) = ⇒ first state of a path σ. last(σ) = ⇒ last state of a path ;exists iff σ is finite. Other operators,

−

n ϕ = ¬ n¬ϕ L0 =

−

n 0 // note: ρ | = L0 iff ρ is of length 0 ; L0 ≡ ¬(0 suf 1) Lk = nk − n 0

someϕ = ϕ ∨ (1 suf ϕ) allϕ = ¬ some ¬ϕ lastϕ = some(ϕ ∨ L0)

fin = ¬ fin inf = ¬fin s(ϕ0, ϕ1, ...ϕk; ψ) = fϕ0 ∧ ... ∧ nk fϕk ∧ nk nψ s(ϕ0, ..., ϕk) = fϕ0 ∨ ...... ∧ nk fϕk ∧ nk n 0 Equation (1.1) express equivalence of Pratt’s process connectives ”during” and ”preserves”, α⊥ϕ = [α](someϕ) and, α (preserves)ϕ = [α](all¬ϕ ∨ allϕ ∨ (¬ϕ ∧ ((¬ϕ) suf (allϕ)))) (1) *

Regular Process Logic[3]

In order to enable formulas to express regular sets of paths,f and suf operators of process logic are replaced with new chop and slice operators corresponding to Kleene’s regular operators . and ∗.[7] ρ | =ϕ chop ψ iff there are patths σ, τ such that ρ = σ

• τ, σ |

= ϕ and τ | = ψ ρ | = slice ϕ iff there are q0, ..., qn for some n≥ 1 sucha that ρ = q0

• ...
• qn and for all 1≤ i ≤ n, qi |

= ϕ

7 denotes fusion and requires a overlapping states in between two paths, which is different from concatenation

5

Extended PL - a trace model [2]

→ , 0 , ? = ⇒ additional test operators , ≪ ≫ = ⇒ finite restriction in [ ], σ = s0s1s2.... = ⇒ A trace σ is a finite or infinite sequence of states Trace of length n = ⇒ n+1 states in trace ; single state trace length equals to 0 first(σ) = ⇒ first state of a trace σ. last(σ) = ⇒ last state of a trace ;exists iff σ is finite. if σ = s0s1....sk and τ = sksk+1.... then σ τ σ

• τ =
• s0s1..sk−1sksk+1...

iff σ is finite and last(σ) = first(τ) does not exist iff σ is infinite or last(σ) = first(τ) For a trace ρ, lets define suffix τ such that ρ =

• στ

τ is a suffix of trace ρ if there exists a finite trace σ στ τ is a proper suffix of trace ρ if σ finite and length(σ) = 0. It is ambiguous, so lets take original definition.if A and B are sets of traces then, A.B

def

⇒{στ|σ ∈ A, τ ∈ B} AoB

def

⇒ A.B ∪ {finite traces in A} Semantics under Kripke frame, κ For p an atomic proposition and σ a finite trace , σ | = p ⇐ ⇒ last(σ) ∈ mκ( p) σ p ⇐ ⇒ last(σ) / ∈ mκ( p) ⇒ if σ is infinite or σ is finite and last(σ) / ∈ mκ (p) σ | = first(ϕ)

def

⇐ ⇒ first(σ) | = ϕ σ | = ϕ Until ψ

def

⇐ ⇒there exist a proper suffix τ such that,τ | = ψ ,and for all proper suffixes ρ of σ such that τ is a proper suffix of ρ, ρ | = ϕ Similarly, σ | = ϕ ⇐ ⇒the maximal proper suffix of σ , it it exists, satisfies ϕ σ | = ϕ ⇐ ⇒all suffixes of σ, proper or not, satisfy ϕ σ | = ♦ϕ ⇐ ⇒there exists a suffix of σ, proper or not , satisfying ϕ. Meaning of an atomic program α is the binary relation mκ under frame κ, considered as a set of traces of length one. mκ(α ∪ β)

def

= mκ(α) ∪ mκ(β) mκ(α; β)

def

= mκ(α) o mκ(β) = mκ(α).mκ(β) ∪ infinite traces in mκ(α) mκ(α∗)

def

=

• n≥0

m(αn), where mκ(α0)

def

= K and mκ(αn+1 def= mκ(aan) mκ(αω)

def

= {σ0σ1...|σn ∈ mκ(α), n ≥ 0} ∪ { infinite traces in mκ(α∗)} mκ(ϕ?)

def

= mκ(ϕ) ∩ { traces of length 0} 6

Some examples,[8,9] Skip

def

= (s, s)|s ∈ K While ϕ do α

def

= (ϕ?; α)∗; ¬ϕ? ∪ (ϕ?; α)ω Semantics under modal operators σ ∈ mκ ([α]ϕ) =

• σ is finite, and for all traces τ ∈ mκ(α) such that στ exists, στ ∈ mκ(ϕ)

Or, σ is infinite and σ ∈ mκ(α). σ represents a finite computation and all extensions τ of σ obtained by running the program α satisfy ϕ; or α is an infinite computation satisfying ϕ already. Or part take cares the possibility that α does not halt,such as in PDL axiom [α; β]ϕ ← → [α][β]ϕ . Likewise, other valid axioms of PL are derivable for propositional reasoning, halt

def

⇐ ⇒ 0 trace length of 0. fin

def

⇐ ⇒ ♦ halt trace of finite length inf

def

⇐ ⇒ ¬ fin trace of infinite length α

def

⇐ ⇒ fin − → [α]ϕ ≪ α ≫

def

⇐ ⇒ ¬α¬ϕ ⇐ ⇒ fin ∧ α [α]ϕ ← → (fin → αϕ) ∧ (inf → ϕ) ← → (fin ∧ αϕ) ∨ (inf ∧ ϕ) αϕ ← → (fin →≪ α ≫) ∧ (inf → ϕ) ← → (fin∧ ≪ α ≫) ∨ (inf ∧ ϕ) Similarly, mκ(α) = {α | for all τ ∈ mκ(α), if ατ exists ,the ατ ∈ mκ (ϕ)} mκ (≪ α ≫) = {α | there exists τ ∈ mκ(α) such that ατ ∈ mκ(ϕ)} Some examples, [ψ?]ϕ ← → (ψ → ϕ) is valid for weak test and finite traces in PDL, which could be postulated as (fin → ([ψ?]ϕ ← → (ψ → ϕ))) ∧ (inf → ([ψ?]ϕ ← → ϕ)) (2)

Kozen’s Propositional µ calculus[4]

We left content for presentation (slides of obligs INF 5140)

Concurrent Dynamic Logic

Process logic combines the features of DL and TL to express assertions regarding the ongoing be- haviour of a program, that is , to refer to the intermediate states of a computation path, and other uses the Shuffle construct to realize concurrency such as first order dynamic logic for concurrent programs[5]. Whereas,concurrent dynamic logic[CDL][7] views concurrency in its purest form of dual notion of

8Computation could results in an infinite trace obtained by concatenation of infinitely many finite α traces ;αω 9 Infinite trace in mκ(α) would result if α ran forever without terminating, this would leads infinitary in mκ(α; β)

as well; a result produce by running (α; β)

7

non-determinism, analogous to non-determinism induced by classical concept of and/or decomposi- tion of a process, by allowing a computation node to split into several branches in a tree like struc- ture, but requiring process execute all possible computation independently,and possibly simultane-

• usly. The CDL captures the non-determinism /concurrency duality by a concurrency connective; ∩

, for programs. The program α∩β is interpreted as α and β execute in parallel. Therefore,α∩βA says ”α and β can be execute in parallel so that upon termination A holds in either computation path”.

Concurrent Propostional Dyanmic Logic[CPDL]

let’s consider, pi atomic formulas and αi atomic programs ,and construction rules are;

• 1. Every pi is a formula.
• 2. if A and B are formulas, and α is a program, then A∨, ¬A and αA are formulas
• 3. Every αi are program.
• 4. if α, β are progrmas and A is formula, then α ∪ β, α ∩ β, α; β, α∗, and A? are programs.

Semantic of formulas over models S, π, ρ, where S is the set of states π attaches a subset ρ(P) of S to every atomic formula P ρ interprets atomic programs In regular PDL, a program α is interpreted by a subset ρ(α) of s×,with (s,s’)∈ ρ(α) meaning that α can be executed form s to reach s’.In contrast, CPDL is based on the notion of reachability pairs

• f the form (s, ∪) where s ∈ S and ∪ ⊆ S, and semantics attaches a subset ρ(α) of s × 2s (a

reachability set) to every atomic programs α .Intuitvely,(s, ∪) ∈ ρ(α) for a reachability pair (s, ∪) and a program α means that α can be executed from s, in parallel , to reach all states of ∪.For example, αA holds in a state s iff there is a set ∪ ⊆ S such that (s, ∪) ∈ ρ(α), and each state in ∪ satisfies A. Defining the binary operator . over the domain s × 2s by, R1.R2 = {(s, ∪)|∃s1, ∪1, s2, ∪2, ....((s, {s1, s2, ...}) ∈ R1 ∧ ∀i(si, ∪i) ∈ R2 ∧ ∪ =

• i

∪i)} for all reachability sets,R1, R2 ⊆S× 2s For a given reachability sets T, the operator FT overdomains× 2s; FT (R) = Rtrue ∪ T.R, for every reachability set R ⊂ s × 2s , where Rtrue = {(s, {s})|s ∈ S}

CPDL versus Game Logic CPDL versus PDL versus The µ Calculus Concurrent First Order Logic

Communication in Concurrent Dynamic Logic[6] Concurrent program schemes and their logics[7]

8

Summary

There are several branches of proof system and logic that deals with concurrent programs and pro- cesses.One of important logical framework we discussed above is temporal logic and its concurrent variants (process logic), which allows to express assertions regarding the ongoing behaviour of a program, i.e. to refer to the intermediate states of a computation path.This could be simulated into a shared memory model in which concurrent processors constantly operate on the same data in an interleaved fashion. Dynamic logic, in contrast, relies on the semantics that programs are described in it in the structured, modular form of regular expressions, enabling convenient decomposition of formulas, and allowing interaction and cooperation only via the designated communication mechanisms. Therefore, DL and its concurrent version CDL are suitable for discussing correctness issue ,specially for treating properties of concurrent algorithms for specific computational problems.However, DL has no means of referring to the intermediate states of a computation,it interprets program as a collection of ”start-end” pairs of states of its successful halting runs(by considering only finite computation). That’s why concurrent dynamic logic is not properly equipped for handling issues like safety,liveness and fairness, and hence, is less suitable for discussing distributed systems in which such issues play a vital role.Finally, we shortened our report by leaving Game logic-another important variants,as it is syntactically and semantically similar to the CDL(in fact, CDL is a variant of game logic).We intentionally left section of propositional µ-calculus blank which will be covered in presentation slides (Oblig requirement of INF 5140). 9

Bibliography

[1] David Harel, Dexter Kozen, and Rohit Parikh. “Process logic: Expressiveness, decidability, completeness”. In: Journal of computer and system sciences 25.2 (1982), pp. 144–170. [2] David Harel, Dexter Kozen, and Jerzy Tiuryn. “Dynamic logic”. In: Handbook of philosophical

• logic. Springer, 2001, pp. 99–217.

[3] David Harel and David Peleg. “Process logic with regular formulas”. In: Theoretical Computer Science 38 (1985), pp. 307–322. [4] Dexter Kozen. “Results on the propositional µ-calculus”. In: Theoretical computer science 27.3 (1983), pp. 333–354. [5] Hirokazu Nishimura. “Propositional Dynamic Logic for Concurrent Programs”. In: Publica- tions of the Research Institute for Mathematical Sciences 18.1 (1982), pp. 233–250. [6] David Peleg. “Communication in concurrent dynamic logic”. In: Journal of Computer and System Sciences 35.1 (1987), pp. 23–58. [7] David Peleg. “Concurrent dynamic logic”. In: Journal of the ACM (JACM) 34.2 (1987),

• pp. 450–479.

10