Logics for Program Reasoning University of Oslo Ratan - PDF document

Logics for Program Reasoning University of Oslo Ratan Thapa/ratanbt@ifi.uio.no INF 5140: Specification and verification of parallel system 18 May 2018

Modal Logic Modal logic is particularly suitable for reasoning dynamic behaviour of programs where truth value of statements are not fixed ,and may vary over time ;this dynamic interpretaion of modal logic is called Temporal logic. Whereas in multimodal reasoning we place the propram inside modality symbol; [] , �� thus program becomes an explicit part of the language ,and the resulting system is called dynamic logic. Propositional Modal Logic It extends propositional logic with modal operator � i.e.necessary, and ♦ i.e. possibility, given as def ♦ ϕ ⇐ ⇒¬ � ¬ ϕ def � ϕ ⇐ ⇒ It is necessary that ϕ holds in all possible worlds def ♦ ϕ ⇐ ⇒ There exists a possible world that realizes ϕ Semantics under Kripke frame, κ Kripke frame is a structure κ = ( K, R κ , m κ ) where, K is a non − empty set of states or worlds R κ is a binary relation on K called accessibility relation m κ is a function assigning a subset of K to each atomic proposition Intuitively, K represents the universe of κ and R κ specifies which worlds are accessible from a given view point of world ; i.e.( u, v ) ∈ R κ → v is possible world from view point of u.Whereas, m κ determines a truth assignment to each worlds such as [ 1 , 2 ] def m κ ( ϕ → ψ ) = ( K − m κ ( ϕ )) ∪ m κ ( ψ ) { u | = ϕ → ψ ⇐ ⇒ ( u | = ϕ ⇒ u | = ψ ) } def ( m κ ( � ϕ ) = K − R κ o ( K − m κ ( ϕ )) { u | = � ϕ ⇐ ⇒ for all v, if (u,v) ∈ R κ then v | = ϕ } def m κ ( ♦ ϕ ) = R κ o m κ ( ϕ ) { u | = ♦ ϕ ⇐ ⇒ there exists v such that (u,v) ∈ m κ and v | = ϕ } def m κ (0) = φ { u � 0 } Temporal Logic Temporal logic is useful in situations where programs are not normally supposed to halt, such as operating system , and particularly concurrency.For examples, proving properties of concurrent finite state protocols, solution to the dinning philosophers and mutual exclusion problems which are well known abstraction of synchronization and resource management problems in distributed 1 Equations in red color are equivalent interpretation of modalities in propositional logic 2 Symbole ”o” denotes relation composition 2

systems.[ 3 4 5 6 ] def s | = � ϕ ⇐ ⇒ all states t such that ( s, t ) ∈ NEXT, t | = ϕ def ⇐ ⇒∀ t ( s, t ) ∈ NEXT → t | = ϕ def ⇐ ⇒¬ (0 Until ¬ ϕ ) def s | = � ϕ ⇐ ⇒ starting with s, all future states satisfy ϕ def ⇒∀ t ( s, t ) ∈ NEXT ⋆ → t | ⇐ = ϕ def ⇐ ⇒ ϕ ∧ ¬ (1 Until ¬ ϕ ) def s | = ♦ ϕ ⇐ ⇒ s | = ¬ � ¬ ϕ OR def s | = ♦ ϕ ⇐ ⇒ starting with s, some future states satisfy ϕ ⇒∃ t ( s, t ) ∈ NEXT ⋆ ∧ t | def ⇐ = ϕ def ⇐ ⇒ ϕ ∨ (1 Until ϕ ) Concurrency and non-determinism TL is applicable where program are interpreted as traces instead of pairs of states. In single processor deterministic programs, for each states s, if (s,t) ∈ NEXT then t is unique. Whereas in a multiprocessor environment,say with n processor, a state becomes a tuple and com- putation is no longer single trace, if s and t are states, (s,t) ∈ NEXT then t is some node t in the tree below s. For example, consider an invariance property, | = � ϕ ⇐ ⇒ t | = ϕ for every node t in the tree below s. However a non-deterministic program is total if there is no chance of an infinite trace out of the start state s, every trace out of s satisfies ♦ halt.The dual ♦ of � as defined by ♦ ϕ = ¬ � ¬ ϕ does not really express this, instead it says: s | = ♦ ϕ ⇐ ⇒ there is some node t in the tree below s such that s | = ϕ. 3 � ϕ does not imply that a next successor exists; however ¬ ϕ ¬ can be used whenever this is desired s | = ¬ � ¬ ⇐ ⇒ there exists t such that (s,t) ∈ NEXT and t | = ϕ 4 In ordinary deterministic programs,each state has at most one NEXT-successor,but in concurrent or non-deterministic programs,there may be many possible NEXT-successors. 5 TL operators: � , � , and, ♦ could be expressed with Until operator but this is always not helpful. For example , ϕ is true at each multiple of 3 but false elsewhere : ϕ ∧ � ( ϕ → � ( ¬ ϕ ∧ � ( ¬ ϕ ∧ � ϕ )))) NEXT ⋆ is reflexive transitive closure of NEXT 6 3

And, this is not very useful statement. One way to fix this is to introduce a new model operator A such that A ⇐ ⇒ For all tracess in the tree.., then A � ϕ ⇐ ⇒ For all traces π out of the current state , π satisfies � ϕ A ♦ ϕ ⇐ ⇒ For all traces π out of the current state, π satisfies ♦ ϕ ;that is , ϕ occurs somewhere along the trace π. Another way is to interpret programs as sets of traces instead of pairs of states in Propositional Dynamic logic, such as [ α ] ♦ ϕ [ α ] � ϕ which captures notion of eventuality and invariance precisely. Process Logic[1] Dynamic logic along with it’s counterpart PDL and Algorithmic logic reasons with pre and post behaviour of programs based on Floyd- Hoare style, however they are logically limited to deal with the progressive behaviour of programs.For example assertion like, variable x assumes value 0 at some point during the computation.Whereas, process logic embodies TL with test-free regular PDL, thus temporal operators are avialable for expressing and reasoning about the trace properties of compositionally constructed programs. All formula in the laguage of PL are path(trace) formulas such as a formula ϕ is either true or false in path σ , in contrast to Nishimura logic(NL), SOAPL and TL where they use both path and state formulas.Notation ,syntax and semantics of PL; α , β , ... = ⇒ Set of programs ϕ , ψ , .. = ⇒ Set of propositions ω = ⇒ infinite iteration ; , ∪ , ∗ = ⇒ compositional operators for programs ∨ , ¬ , f, suf (for Until) , n (for Next) = ⇒ compositional operators for propositions f ϕ − → express the condition that ϕ holds in the unique initial prefix of length 0 ϕ suf ψ − → there exist a state s along the path x | = ψ and all states occurring on the path before s satisfy ϕ A path model is a triple M = ( S, | = , R ) where, S, is a set of states | = ,is a satisfiability relation for primitive propositions R ,is a relation assigning sets of path to primitive programs For example, lets use ρ, τ, σ and p,q ,r to denote path and atomic proposition respectively. A path(trace) τ is a suffix of ρ if there exist an σ such that ρ = στ . A suffix τ of ρ is proper if length ( ρ ) � = length ( τ ). NEXT ( ρ ) denotes longest proper suffix of ρ if length ( ρ ) � = 0 . Prefixes and proper prefixes are defined similarly. 4

Then, ρ | = p if path ρ satisfies p ,and ρ ∈ R a if ρ is a member of sets of paths assigned by R to an atomic program a. Accordingly, def R αβ = R α R β = { ρτ | ρ ∈ R α and τ ∈ R β } def R α ∪ β = R α ∪ R β def � R α ∗ = R α i i<ω ρ | = ϕ ∨ ψ if ρ | = ϕ or ρ | = ψ ρ | = ¬ ϕ iff not ρ | = ϕ ρ | = � α � ϕ iff ∃ τ ∈ R α ρτ | = ϕ ρ | = fϕ iff first ( ρ ) | = ϕ ρ | = ϕ surf ψ iff ∃ τ such that τ is a proper suffix of ρ and τ | = ψ , and ∀ σ ifσ is a proper suffix of ρ and τ is a proper suffix of σ , then σ | = ϕ σ = s 0 s 1 s 2 .... = ⇒ A path σ is a finite or infinite sequence of states Path of length n = ⇒ n+1 states in path ; single state path length equals to 0 first ( σ ) = ⇒ first state of a path σ. last ( σ ) = ⇒ last state of a path ;exists iff σ is finite. Other operators, − n ϕ = ¬ n ¬ ϕ − L 0 = n 0 // note: ρ | = L 0 iff ρ is of length 0 ; L 0 ≡ ¬ (0 suf 1) L k = n k − n 0 some ϕ = ϕ ∨ (1 suf ϕ ) all ϕ = ¬ some ¬ ϕ last ϕ = some ( ϕ ∨ L 0 ) fin = ¬ fin inf = ¬ fin s ( ϕ 0 , ϕ 1 , ...ϕ k ; ψ ) = fϕ 0 ∧ ... ∧ n k fϕ k ∧ n k nψ s ( ϕ 0 , ..., ϕ k ) = fϕ 0 ∨ ...... ∧ n k fϕ k ∧ n k n 0 Equation (1.1) express equivalence of Pratt’s process connectives ”during” and ”preserves”, α ⊥ ϕ = [ α ]( some ϕ ) and, α ( preserves ) ϕ = [ α ]( all ¬ ϕ ∨ all ϕ ∨ ( ¬ ϕ ∧ (( ¬ ϕ ) suf ( all ϕ )))) (1) * Regular Process Logic[3] In order to enable formulas to express regular sets of paths, f and suf operators of process logic are replaced with new chop and slice operators corresponding to Kleene’s regular operators . and ∗ .[ 7 ] � ρ | = ϕ chop ψ iff there are patths σ, τ such that ρ = σ τ, σ | = ϕ and τ | = ψ ρ | = slice ϕ iff there are q 0 , ..., q n for some n ≥ 1 sucha that � � ρ = q 0 ... q n and for all 1 ≤ i ≤ n, q i | = ϕ 7 � denotes fusion and requires a overlapping states in between two paths, which is different from concatenation 5