[PPT] - Proving Correctness of Graph Programs Relative to Recursively Nested PowerPoint Presentation

SLIDE 1

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions

Nils Erik Flick

Universität Oldenburg February 2017

SLIDE 2

Intro Correctness Results

Rel. Work

Conclusion Extras

Outline

1

Correctness and Graph Programs Verification Framework Graph Programs Recursively Nested Conditions

2

Results Weakest Precondition Calculus Proof Calculus Expressive Power

3

Related Concepts

Nils Erik Flick Correctness of Graph Programs 2 / 23

SLIDE 3

Intro Correctness Results

Rel. Work

Conclusion Extras Framework Graph Programs µ-conditions

Verification Framework (Dijkstra)

Aim of program verification: development of correct systems by establishing program correctness via logical deduction.

♣r❡❝♦♥❞✐t✐♦♥ ❝❛❧❝✉❧✉s ♣r♦✈❡r

P ✭♣r♦❣r❛♠✮ ✇❡❛❦❡st ♣r❡❝♦♥❞✐t✐♦♥ d ✭♣♦st❝♦♥❞✐t✐♦♥✮ c ✭♣r❡❝♦♥❞✐t✐♦♥✮ ②❡s✱ ❝♦rr❡❝t ♥♦ ✉♥❦♥♦✇♥

❱❡r✐✜❝❛t✐♦♥ ♣r♦❝❡ss

Proving correctness of a program P under a specification (c,d). c and d specify state properties.

Partial correctness: whenever P is run from a state satisfying c, if P terminates then the resulting state satisfies d.

Nils Erik Flick Correctness of Graph Programs 3 / 23

SLIDE 4

Intro Correctness Results

Rel. Work

Conclusion Extras Framework Graph Programs µ-conditions

Verification Framework (Dijkstra)

♣r❡❝♦♥❞✐t✐♦♥ ❝❛❧❝✉❧✉s ♣r♦✈❡r

P ✭♣r♦❣r❛♠✮ ✇❡❛❦❡st ♣r❡❝♦♥❞✐t✐♦♥ d ✭♣♦st❝♦♥❞✐t✐♦♥✮ c ✭♣r❡❝♦♥❞✐t✐♦♥✮ ②❡s✱ ❝♦rr❡❝t ♥♦ ✉♥❦♥♦✇♥

Proving correctness of a program P under a specification (c,d).

Checking correctness: compute the weakest precondition WpP(d): to postcondition d, this assigns precondition such that ⊲ P is correct with respect to (WpP(d),d) ⊲ Any c′ such that P is correct wrt. (c′,d) implies WpP(d) Then check whether c ⇒ WpP(d).

Nils Erik Flick Correctness of Graph Programs 3 / 23

SLIDE 5

Intro Correctness Results

Rel. Work

Conclusion Extras Framework Graph Programs µ-conditions

Graph Programs

Graph programs are imperative programs that operate on graphs, for example:

Sel

∅ ֒

→

; Del
←

֓

;

Add

֒

→

; Uns
←

֓ ∅

Elementary programs: select, unselect, add, delete.

Composition: disjunction, sequence, iteration.

Nils Erik Flick Correctness of Graph Programs 4 / 23

SLIDE 6

Intro Correctness Results

Rel. Work

Conclusion Extras Framework Graph Programs µ-conditions

State of the Art: Correctness of Graph Programs

We want to prove correctness of graph programs relative to specifications (c,d). Nested graph conditions are expressions like this:

∀

, ∃
∨ ∃
Unavoidable theoretical limitations:

Implication of nested conditions (c ⇒ c′) is undecidable. Weakest precondition for iteration requires invariant finding, which cannot be fully automatic nor complete. But in practice, verification is often possible.

Nils Erik Flick Correctness of Graph Programs 5 / 23

SLIDE 7

Intro Correctness Results

Rel. Work

Conclusion Extras Framework Graph Programs µ-conditions

Extending Nested Conditions

Many properties of interest cannot be expressed by nested conditions, for example: ⊲ Connectedness ⊲ Absence of cycles ⊲ Chains of even, odd or equal length ⊲ Chains of length 4n (of theoretical interest) ⊲ Balancedness of binary trees (useful!) Recursively nested conditions (µ-conditions) are nested conditions with recursive specifications. Recursively nested conditions can express all of the above.

Nils Erik Flick Correctness of Graph Programs 6 / 23

SLIDE 8

Intro Correctness Results

Rel. Work

Conclusion Extras Framework Graph Programs µ-conditions

Recursively Nested Conditions

Example of a µ-condition:

∀

, path
⇒ ∃
, paths
path
= ∃
∨ ∃
, path
paths
= ∃
∨ ∃
, paths′
paths′
= ∃
∨ ∃
, paths′
Nils Erik Flick

Correctness of Graph Programs 7 / 23

SLIDE 9

Intro Correctness Results

Rel. Work

Conclusion Extras Wp Construction Proof Calculus Expressiveness

Weakest Precondition Calculus

Theorem: the weakest precondition of a µ-condition relative to an iteration-free program is again a µ-condition, which can be computed. In other words, there is a sound construction for weakest preconditions, defined for all iteration-free programs. Method: a construction which transforms a finite µ-condition into a finite µ-condition. Soundness is proven with respect to the semantics. Significance: the weakest precondition calculus is the core of the verification framework.

Nils Erik Flick Correctness of Graph Programs 8 / 23

SLIDE 10

Intro Correctness Results

Rel. Work

Conclusion Extras Wp Construction Proof Calculus Expressiveness

The Proof Calculus Kµ (I)

∃(a, c) ∧ d ∃(a, c ∧ ∃−1(a, d))

✭❙✉♣♣♦rt✐♥❣✮▲✐❢t

¬∃(a) ∃(b, d) ¬∃(m∗) ■❢ ∃m ∈ M✱ m ◦ b = a ❛♥❞ (m∗, b∗) ✐s M✲♣✉s❤♦✉t ❝♦♠✲ ♣❧❡♠❡♥t ♦❢ (b, m)✱ d ≡ ⊥

P❛rt✐❛❧❘❡s♦❧✈❡

K ❬P❡♥♥❡♠❛♥♥✱ ✷✵✵✾❪ ✭❛❞❛♣t❡❞✮❀ str✉❝t✉r❛❧ ✫ ❧♦❣✐❝❛❧ r✉❧❡s Γ ⊢ ∆ D, Γ ⊢ ∆

❚❤✐♥♥✐♥❣

D, D, Γ ⊢ ∆ D, Γ ⊢ ∆

❈♦♥tr❛❝t✐♦♥

∆, D, E, Γ ⊢ Θ ∆, E, D, Γ ⊢ Θ

■♥t❡r❝❤❛♥❣❡ ✭❛❧❧ s✐♠✐❧❛r❧② ♦♥ s✉❝❝❡❞❡♥t✮

Γ ⊢ Θ, D D, ∆, ⊢ Λ Γ, ∆ ⊢ Θ, Λ

❈✉t

Γ ⊢ Θ, A Γ ⊢ Θ, B Γ ⊢ Θ, A ∧ B

❯❊❙

A, Γ ⊢ Θ A ∧ B, Γ ⊢ Θ

❯❊❆

A, Γ ⊢ Θ B, Γ ⊢ Θ A ∨ B, Γ ⊢ Θ

❖❊❆

Γ ⊢ Θ, A Γ ⊢ Θ, A ∨ B

❖❊❙

Nils Erik Flick Correctness of Graph Programs 9 / 23

SLIDE 11

Intro Correctness Results

Rel. Work

Conclusion Extras Wp Construction Proof Calculus Expressiveness

The Proof Calculus Kµ (II)

Rules for handling variables and recursion:

F : c ⊢ c′ (resp. c′ ⊢ c) F ⊎F ′ : Ctx[x/c] ⊢ Ctx[x/c′] if Ctx is monotonic (antitonic) in x (CTX) F : Γ ⊢ ∆,x(n)

i

F : Γ ⊢ ∆,Fi( x(n−1)) Fi( x) is the right hand side for xi in F (UNROLL1) ∀i ∈ I.Hi( x(

n)) ⊢

G ( H ( x(

n′)))

G (

⊥) = ⊥

i∈I .Hi(

x) = ⊥

n′ <

n; G monotonic. (EMPTY)

Further structural rules for morphism and nesting manipulation:

∃(a◦a′,c) ∃(a,∃(a′,c)), ∃(a,ι◦ι′,c) ∃(a,ι′,∃−1(ι,c)) and vice versa, ∃(id,id,c) c

, ∃−1(ι,c)

A(ι,c) , ∃(a,c) ra(c) .

Nils Erik Flick Correctness of Graph Programs 10 / 23

SLIDE 12

Intro Correctness Results

Rel. Work

Conclusion Extras Wp Construction Proof Calculus Expressiveness

Soundness of Kµ

Theorem: the proof calculus Kµ for refutation of µ-condi- tions is sound. Method: extension of the resolution-like calculus K by a well-founded induction rule. Significance: this is the “prover” part of the verification

framework. The proof calculus allows the verification of

programs by attempting to prove the implication c ⇒ WpP(d).

Nils Erik Flick Correctness of Graph Programs 11 / 23

SLIDE 13

Intro Correctness Results

Rel. Work

Conclusion Extras Wp Construction Proof Calculus Expressiveness

Expressiveness of µ-Conditions

Theorem: the expressiveness of µ-conditions is the same as first order least fixed point logic, properly extends nested condi- tions and is incomparable to other known formalisms. HR− < > MSO < > FO+lfp = Legend: < > – incomparable; = – equal. Method: by showing the inexpressibility of counterexamples; by translation from and to fixed point logic. Significance: µ-conditions are distinct from other formalisms and describe polynomial-time checkable properties.

Nils Erik Flick Correctness of Graph Programs 12 / 23

SLIDE 14

Intro Correctness Results

Rel. Work

Conclusion Extras

Related Concepts: Notions of Correctness

Abstract model checking: temporal logic specification, reduction to finite state space by suitable state abstractions. [Gadducci et al., 1998] [Baldan et al., 2003] [König and Kozioura, 2006] [Rensink and Distefano, 2006] This notion of correctness differs considerably from ours and no direct comparison was attempted.

Nils Erik Flick Correctness of Graph Programs 13 / 23

SLIDE 15

Intro Correctness Results

Rel. Work

Conclusion Extras

Related Concepts: Proof-Based Approaches

reference (1) (here) (2) (3) conditions Nested µ µ µ- HR∗ MSO wlp yes yes yes yes proof calculus complete yes future work Hoare logic theorem prover yes future work (1): [Pennemann, 2009] (2): [Radke, 2016] (3): [Poskitt and Plump, 2014] git: //omega.informatik.uni-oldenburg.de/wptk.git

Nils Erik Flick Correctness of Graph Programs 14 / 23

SLIDE 16

Intro Correctness Results

Rel. Work

Conclusion Extras

Conclusion

Goals achieved: ⊲ Dijkstra-style verification approach for non-local conditions:

Specification language (µ-conditions) Weakest precondition calculus Proof calculus

⊲ Correctness under adverse conditions (2-player programs) ⊲ Specialized results on structure-changing workflow nets (not in this talk) Future work: ⊲ Semi-automated prover ⊲ Investigate proof calculus:

Simplification Completeness

Nils Erik Flick Correctness of Graph Programs 15 / 23

SLIDE 17

Intro Correctness Results

Rel. Work

Conclusion Extras

References I

Apt, K. R. and Olderog, E.-R. (1997). Verification of sequential and concurrent programs. Springer. Baldan, P ., König, B., and König, B. (2003). A logic for analyzing abstractions of graph transformation systems. In Static Analysis, pages 255–272. Dijkstra, E. W. (1976). A discipline of programming. Prentice Hall. Gadducci, F., Heckel, R., and Koch, M. (1998). A fully abstract model for graph-interpreted temporal logic. In TAGT’98, volume 1764 of Lecture Notes in Computer Science, pages 310–322. Habel, A. and Pennemann, K.-H. (2009). Correctness of high-level transformation systems relative to nested conditions.

Math. Struct. in Comp. Sci., 19(2):245–296.

Habel, A., Pennemann, K.-H., and Rensink, A. (2006). Weakest preconditions for high-level programs. In Proceedings of the Intl. Conf. on Graph Transformation, volume 4178 of Lecture Notes in Computer Science, pages 445–460. Nils Erik Flick Correctness of Graph Programs 16 / 23

SLIDE 18

Intro Correctness Results

Rel. Work

Conclusion Extras

References II

König, B. and Kozioura, V. (2006). Counterexample-guided abstraction refinement for the analysis of graph transformation systems. volume 3920 of Lecture Notes in Computer Science, pages 197–211. Pennemann, K.-H. (2009). Development of Correct Graph Transformation Systems. PhD thesis, Universität Oldenburg. Poskitt, C. M. and Plump, D. (2013). Verifying total correctness of graph programs. Electronic Communications of the EASST, 61. Poskitt, C. M. and Plump, D. (2014). Verifying monadic second-order properties of graph programs. In Proceedings of the Intl. Conf. on Graph Transformation, volume 8571 of Lecture Notes in Computer Science, pages 33–48. Radke, H. (2016). A Theory of HR∗ Graph Conditions and their Application to Meta-Modeling. PhD thesis, Universität Oldenburg. Rensink, A. and Distefano, D. (2006). Abstract graph transformation. Electronic Notes in Theoretical Computer Science, 157:39–59. Nils Erik Flick Correctness of Graph Programs 17 / 23

SLIDE 19

Intro Correctness Results

Rel. Work

Conclusion Extras Small Proof Example Adversity

Kµ: Deducing the Unsatisfiability of a µ-Condition

F : ①n

1 ∧ ¬①m 2 ⊢ F1(

①(n−1)) ∧ ¬F2( ①(n−1)) H1,2( ①) = ①1 ∧ ¬①2

✭✶✮

F : ①(n)

1

∧ ¬①(n)

2

⊢

∃
✶

✷

∨ ∃
✶

✷ ✸

, ①(n−1)

1

✶✭✸✮ ✷✭✷✮
∧¬∃
✶

✷

∧ ¬∃
✶

✷ ✸

, ①(n−1)

2

✶✭✸✮ ✷✭✷✮
✭✷✮

F′ : ... ⊢ ∃

✶

✷ ✸

, ①(n−1)

1

✶✭✸✮ ✷✭✷✮
∧ ¬∃
✶

✷ ✸

, ①(n−1)

2

✶✭✸✮ ✷✭✷✮
✭✸✮

F′ : ①(n)

1

∧ ¬①(n)

2

⊢ ∃

✶

✷ ✸

, ①(n−1)

1

✶✭✸✮ ✷✭✷✮
∧ ¬①(n−1)

2

✶✭✸✮ ✷✭✷✮
∃
✶

✷ ✸

, ⊥

⊢

∃

✶

✷ ✸

, ⊥

∃
✶

✷ ✸

, ⊥

⊢ ⊥

F : ①1 ∧ ¬①2 ⊢ ⊥

Nils Erik Flick Correctness of Graph Programs 18 / 23

SLIDE 20

Intro Correctness Results

Rel. Work

Conclusion Extras Small Proof Example Adversity

Adversity: the Role of Nondeterminism

The semantics P assigns to P the set of all possible pairings (input, output) that correspond to executions of P. Graph programs are nondeterministic: 1) There may be several ways to make a selection. 2) Disjunctive composition: P +Q = P∪Q. 3) Loops may be executed arbitrarily often. Addition, deletion and unselection are deterministic. The weakest precondition transformation takes nondeterminism into account.

Nils Erik Flick Correctness of Graph Programs 19 / 23

SLIDE 21

Intro Correctness Results

Rel. Work

Conclusion Extras Small Proof Example Adversity

Adversity: Framework Extension

Operational semantics is introduced and related to P: inter- mediary states appear as (current graph, remaining program). A model of adversity: Each intermediary state belongs either to sys (+) or to env (−). Difference between system and environment lies in the treat- ment of nondeterminism. Semantics P is the same but can be restricted (Pχ) by a choice function χ : (+)-states → successor states.

Nils Erik Flick Correctness of Graph Programs 20 / 23

SLIDE 22

Intro Correctness Results

Rel. Work

Conclusion Extras Small Proof Example Adversity

Adversity: Extended Weakest Preconditions

In the definition of the weakest precondition construction: Nondeterminism resolved by sys has existential quantifiers / dis- junction where nondeterminism resolved by env has universal

nes / conjunction.

Otherwise, the framework did not need to be modified. Soundness of the newly defined weakest precondition was checked against the operational semantics, which in turn is equivalent to the “denotational” semantics.

Nils Erik Flick Correctness of Graph Programs 21 / 23

SLIDE 23

Intro Correctness Results

Rel. Work

Conclusion Extras Small Proof Example Adversity

Adversity: Conclusion

Theorem: the extended weakest precondition construction for two-player programs (with sys and env-constructors) is sound. This result on system correctness under adverse conditions holds for µ-conditions, for which the weakest precondition was first proven in the one-player case. The classical situation already models adversity, but nothing

else. The new part is the interaction of (+/−)-nondeterminism.

Nils Erik Flick Correctness of Graph Programs 22 / 23

SLIDE 24

Intro Correctness Results

Rel. Work

Conclusion Extras Small Proof Example Adversity

Adversity: Future Work

Definition of parallel composition to be used within the same

framework. This poses additional problems such as (+/−)-race

conditions, but could be worthwhile for modeling. Controller synthesis. Knowing that a choice function χ exists is distinct from actually obtaining such a function.

Nils Erik Flick Correctness of Graph Programs 23 / 23