Semantics of Invariant Programs - Viorel Preoteasa and Ralph-Johan Back - PowerPoint PPT Presentation

SLIDE 1

Semantics of Invariant Programs

Viorel Preoteasa and Ralph-Johan Back

Abo Akademi University, Department of Information Technologies

April 28, 2008

SLIDE 2

Overview

◮ Invariant Diagrams
◮ Bigstep operational semantics
◮ Smallstep operational semantics
◮ Equivalence between smallstep and bigstep semantics
◮ Valid Hoare triples
◮ Weakest precondition and predicate transformers
◮ Hoare proof rules and their completeness

SLIDE 3

Preliminaries - Predicates

◮ Σ - the state of the computation: the current values of the program variables.
◮ Pred = Σ → bool - the predicates on Σ.
◮ If the program variables are x, y, z, then a state s ∈ Σ is a mapping of these variables to values, s = (x → 2, y → 3, z → −2).
◮ p = (y > 2 ∧ x < 3) is a predicate, and for the state above p.s = true.

SLIDE 4

Invariant Diagrams - Example

Checking whether an element x is a member of an array a. The diagram (reproduced here as text) has four situations, each labelled with its invariant, and the following transitions between them:

  Situation 1:  n, x ∈ nat ∧ a : {0, 1, ..., n − 1} → nat
  Situation 2:  0 ≤ i ≤ n ∧ (∀j • 0 ≤ j < i ⇒ a.j ≠ x)
  Situation 3:  i = n
  Situation 4:  i < n ∧ a.i = x

  1 → 2:  i := 0
  2 → 2:  [i < n ∧ a.i ≠ x]; i := i + 1
  2 → 3:  [i = n]
  2 → 4:  [i < n ∧ a.i = x]

SLIDE 5

Invariant Diagram - Transitions

The transitions are defined by the following recursive type:

  Trs = Assert(Pred) | Assume(Pred) | Update(Rel) | Choice(Trs, Trs) | Comp(Trs, Trs)

If p is a predicate, R is a relation, and S, T are transitions, then

◮ {p} - assert statement (Assert(p))
◮ [p] - assume statement (Assume(p))
◮ [R] - demonic update statement (Update(R))
◮ S ⊓ T - non-deterministic choice statement (Choice(S, T))
◮ S ; T - sequential composition statement (Comp(S, T))

SLIDE 6

Invariant Diagrams - Transitions

◮ If p is true in s, then {p} and [p] behave as skip.
◮ If p is false in s, then {p} fails and [p] establishes any post-condition.
◮ The demonic update [R], when starting in a state s, terminates in a non-deterministically chosen state s′ such that R.s.s′. If there is no state s′ such that R.s.s′, then [R] establishes any post-condition.
◮ The execution of S ⊓ T non-deterministically chooses S or T.
◮ The transition S ; T is the sequential composition of the transitions S and T.

SLIDE 7

Invariant Diagrams - Transitions - PVS

  trs[State: TYPE+]: DATATYPE
  BEGIN
    assert(p: pred[State]): assert?
    assume(p: pred[State]): assume?
    demonic(R: pred[[State, State]]): demonic?
    choice(S1: trs, S2: trs): choice?
    O(S1: trs, S2: trs): comp?
  END trs

SLIDE 8

Invariant Diagrams - Definition

◮ Let I be a nonempty set of indexes.
◮ Formally, an invariant diagram InvDgr is a tuple (P, D) where
  ◮ P : I → Pred are the invariants and
  ◮ D : I × I → Trs are the transitions.
◮ D is called a transition diagram, and
◮ the elements of I are called situations.

SLIDE 9

Invariant Diagrams - Example

The array-membership diagram of slide 4 again, read with the definition above: I = {1, 2, 3, 4}, P maps each situation to its invariant, and D maps the pairs (1, 2), (2, 2), (2, 3) and (2, 4) to the transitions i := 0, [i < n ∧ a.i ≠ x]; i := i + 1, [i = n] and [i < n ∧ a.i = x] respectively.

SLIDE 10

Invariant Diagrams - Definition - PVS

  State: TYPE+
  I: TYPE+
  Pred: TYPE+ = [State -> bool]
  TrsDgr: TYPE+ = [I, I -> Trs]
  InvPred: TYPE+ = [I -> Pred]
  InvDgr: TYPE+ = [InvPred, TrsDgr]

SLIDE 11

Bigstep Operational Semantics - Transitions

If S ∈ Trs and s, s′ ∈ Σ, then the bigstep relation (s, S) ⇝ s′ (the bigstep arrow is written ⇝ in this text) is true if there is an execution of S starting in s and ending in s′. (s, S) ⇝ s′ is defined by induction on the structure of S:

  b.s
  ─────────────
  (s, {b}) ⇝ s

  b.s
  ─────────────
  (s, [b]) ⇝ s

  R.s.s′
  ──────────────
  (s, [R]) ⇝ s′

  (s, S) ⇝ s′
  ─────────────────
  (s, S ⊓ T) ⇝ s′

  (s, T) ⇝ s′
  ─────────────────
  (s, S ⊓ T) ⇝ s′

  (s, S) ⇝ s′ ∧ (s′, T) ⇝ s′′
  ────────────────────────────
  (s, S ; T) ⇝ s′′

SLIDE 12

Bigstep Operational Semantics - Transitions - Fail

A transition S, starting from a state s, may fail (denoted (s, S) ⇝ ⊥) if one of its executions leads to a false assertion:

  ¬b.s
  ─────────────
  (s, {b}) ⇝ ⊥

  (s, S) ⇝ ⊥
  ────────────────
  (s, S ⊓ T) ⇝ ⊥

  (s, T) ⇝ ⊥
  ────────────────
  (s, S ⊓ T) ⇝ ⊥

  (s, S) ⇝ ⊥
  ────────────────
  (s, S ; T) ⇝ ⊥

  (s, S) ⇝ s′ ∧ (s′, T) ⇝ ⊥
  ───────────────────────────
  (s, S ; T) ⇝ ⊥

SLIDE 13

Bigstep Operational Semantics - Transitions - Miracle

The execution of S, starting from s, is miraculous (denoted (s, S) ⇝ ⊤) if every one of its executions leads to a false assumption or to a demonic update [R] that cannot progress; a miraculous execution neither fails nor terminates in any state. Note that the S ⊓ T rule needs both branches to be miraculous, and that the last rule for S ; T needs S not to fail:

  ¬b.s
  ─────────────
  (s, [b]) ⇝ ⊤

  ∀s′ • ¬R.s.s′
  ─────────────
  (s, [R]) ⇝ ⊤

  (s, S) ⇝ ⊤ ∧ (s, T) ⇝ ⊤
  ─────────────────────────
  (s, S ⊓ T) ⇝ ⊤

  (s, S) ⇝ ⊤
  ────────────────
  (s, S ; T) ⇝ ⊤

  ¬((s, S) ⇝ ⊥) ∧ (∀s′ • (s, S) ⇝ s′ ⇒ (s′, T) ⇝ ⊤)
  ───────────────────────────────────────────────────
  (s, S ; T) ⇝ ⊤

SLIDE 14

Bigstep Semantics - Transition Diagrams

Let D ∈ I × I → Trs, s, s′ ∈ Σ, and i, j ∈ I. The bigstep relation (s, i, D) ⇝ (s′, j) is true if there is an execution from state s and situation i, following the enabled transitions of D, ending in state s′ and situation j, where all transitions from state s′ and situation j are disabled (miraculous). The execution of D from state s and situation i may fail, denoted (s, i, D) ⇝ ⊥, if there is a situation j such that the transition D_{i,j} may fail when starting from s.

  (s, D_{i,j}) ⇝ s′ ∧ (s′, j, D) ⇝ (s′′, k)
  ───────────────────────────────────────────
  (s, i, D) ⇝ (s′′, k)

  ∀j • (s, D_{i,j}) ⇝ ⊤
  ──────────────────────
  (s, i, D) ⇝ (s, i)

  (s, D_{i,j}) ⇝ ⊥
  ──────────────────
  (s, i, D) ⇝ ⊥

SLIDE 15

Transition Diagrams - Termination

When starting from state s and situation i, the transition diagram D terminates, denoted (s, i, D) ↓, if all execution paths starting in s, i are finite and do not fail. Termination is defined inductively, so (s, i, D) ↓ holds only when every path stops after finitely many transitions:

  ∀j • (s, D_{i,j}) ⇝ ⊤
  ──────────────────────
  (s, i, D) ↓

  ¬((s, i, D) ⇝ ⊥) ∧ (∀j, s′ • (s, D_{i,j}) ⇝ s′ ⇒ (s′, j, D) ↓)
  ───────────────────────────────────────────────────────────────
  (s, i, D) ↓

SLIDE 16

Smallstep Operational Semantics - Transitions

The smallstep relation (s, S) → (s′, T) is true if from state s we get to state s′ by executing one step of S, with T left to execute. If S consists of a single step, the smallstep relation becomes (s, S) → (s′, []), where [] denotes the finished (empty) transition. We denote by (s, S) → ⊥ the fact that the execution of S fails in the next step when starting from s.

  b.s
  ───────────────────
  (s, {b}) → (s, [])

  ¬b.s
  ───────────────
  (s, {b}) → ⊥

  b.s
  ───────────────────
  (s, [b]) → (s, [])

  R.s.s′
  ────────────────────
  (s, [R]) → (s′, [])

  ─────────────────────
  (s, S ⊓ T) → (s, S)

  ─────────────────────
  (s, S ⊓ T) → (s, T)

  (s, S) → (s′, S′)
  ───────────────────────────
  (s, S ; T) → (s′, S′ ; T)

  (s, S) → (s′, [])
  ──────────────────────
  (s, S ; T) → (s′, T)

  (s, S) → ⊥
  ────────────────
  (s, S ; T) → ⊥

SLIDE 17

Smallstep Operational Semantics - Diagrams

Figure (1) (not reproduced here) shows one transition of D, from situation j to situation i, labelled S′ ; S. We assume that the execution has reached the state s within this transition, after S′ and before S. Then the tuple (s, S, i, D) denotes the status of the execution: the execution is in state s and proceeds towards situation i by executing S. If the execution reaches i in a state s′, the status of the execution is denoted by (s′, [], i, D).

The smallstep relation (s, A, i, D) → (s′, B, j, D), where A, B ∈ Trs ∪ {[]}, is defined by the following rules (the first one starts a transition D_{i,j} out of situation i, the second one continues the transition currently being executed):

  (s, D_{i,j}) → (s′, S)
  ───────────────────────────────
  (s, [], i, D) → (s′, S, j, D)

  (s, S) → (s′, S′)
  ────────────────────────────────
  (s, S, i, D) → (s′, S′, i, D)

SLIDE 18

Smallstep Operational Semantics - Diagrams - Fail

The transition diagram may fail in (s, S, i, D), denoted (s, S, i, D) → ⊥, if an available transition may fail in the next step:

  (s, D_{i,j}) → ⊥
  ───────────────────
  (s, [], i, D) → ⊥

  (s, S) → ⊥
  ──────────────────
  (s, S, i, D) → ⊥

SLIDE 19

Equivalence Smallstep - Bigstep

→* denotes the reflexive and transitive closure of the relation →.

Theorem
  (s, S) ⇝ s′ ⇔ (s, S) →* (s′, [])

Theorem
  (s, S) ⇝ ⊥ ⇔ (s, S) →* ⊥

We define the miracle in the smallstep semantics by
  (s, S) ⇝ ⊤ = ¬((s, S) →* ⊥) ∧ (∀s′ • ¬((s, S) →* (s′, [])))

Theorem
  (s, i, D) ⇝ (s′, j) ⇔ (s, [], i, D) →* (s′, [], j, D) ∧ (∀k • (s′, D_{j,k}) ⇝ ⊤)

In what follows we work with the bigstep semantics only.

SLIDE 20

Hoare Triples - Transitions

Let p, q ∈ Pred and S ∈ Trs. The Hoare triple p {| S |} q denotes the fact that if the transition S starts in a state s satisfying p, then it does not fail, and every state in which it terminates satisfies q. The triple is valid, written ⊨ p {| S |} q, if

  ⊨ p {| S |} q ⇔ (∀s • p.s ⇒ ¬((s, S) ⇝ ⊥) ∧ (∀s′ • (s, S) ⇝ s′ ⇒ q.s′))

SLIDE 21

Weakest Precondition - Transitions

◮ The weakest precondition for a transition S and a post-condition q is a predicate wp.S.q ∈ Pred.
◮ wp.S.q.s is true if the execution of S from s does not fail and terminates only in states s′ satisfying q (q.s′ is true):

    wp.S.q.s = ¬((s, S) ⇝ ⊥) ∧ (∀s′ • (s, S) ⇝ s′ ⇒ q.s′)

◮ The validity of Hoare triples can be expressed equivalently using the weakest precondition:

    ⊨ p {| S |} q ⇔ p ⊆ wp.S.q      (2)

Relation (2) reduces the proof of validity of a Hoare triple to an inclusion of predicates. However, the predicate wp.S.q is defined in terms of the bigstep semantics, so proving p ⊆ wp.S.q directly is still infeasible in practice.

SLIDE 22

Predicate Transformers - Transitions

For S ∈ Trs we define, by induction on S, the predicate transformer associated to S, pt.S : Pred → Pred, by:

  pt.{p}.q = p ∧ q
  pt.[p].q = ¬p ∨ q
  pt.[R].q.s = (∀s′ • R.s.s′ ⇒ q.s′)
  pt.(S ⊓ T).q = pt.S.q ∧ pt.T.q
  pt.(S ; T).q = pt.S.(pt.T.q)

SLIDE 23

Weakest Preconditions - Predicate Transformer

Theorem
  For all S ∈ Trs, wp.S = pt.S.

Using this theorem it follows that

  ⊨ p {| S |} q ⇔ p ⊆ pt.S.q      (3)

Relation (3) reduces the proof of validity of a Hoare triple to an inclusion of predicates. These predicates are built from p, q and the predicates and expressions occurring in S using Boolean connectives (∧, ∨, ⇒, ...), so unlike (2) the inclusion can be discharged by ordinary logical reasoning, without reference to the operational semantics.

Theorem
  pt.S is monotonic.
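On a finite state space the theorem wp.S = pt.S can be checked exhaustively, which is a useful sanity check of both definitions before trusting the Hoare rules built on them. The following Python program is an added example, not code from the paper or its PVS development: it encodes the type Trs, implements the bigstep relation as an executor that collects every outcome of (s, S) (final states, plus a marker for ⊥), reads wp.S.q off that executor, computes pt.S by structural recursion, and compares the two on every state. The program variables i, n, x, a, their small value ranges and the membership-diagram transitions used as input are assumptions made for this example.

```python
"""Transitions of invariant diagrams over a finite state space.

Added example (not code from the paper or its PVS development): the
transition type Trs, the bigstep relation as an executor that collects the
outcomes of (s, S), wp.S.q read off that executor, pt.S by structural
recursion, and exhaustive checks of the theorems wp.S = pt.S and
grd.S.s <=> "not miraculous" on a finite state space.  The program variables
i, n, x, a and their small value ranges are assumptions made for this example.
"""
from collections import namedtuple
from dataclasses import dataclass
from itertools import product
from typing import Callable, Union

St = namedtuple("St", "i n x a")      # a state; a is the array a : {0..n-1} -> nat
Pred = Callable[[St], bool]
Rel = Callable[[St, St], bool]


@dataclass(frozen=True)
class Assert: p: Pred                 # {p}
@dataclass(frozen=True)
class Assume: p: Pred                 # [p]
@dataclass(frozen=True)
class Update: R: Rel                  # [R], demonic update
@dataclass(frozen=True)
class Choice: S: "Trs"; T: "Trs"      # S ⊓ T
@dataclass(frozen=True)
class Comp: S: "Trs"; T: "Trs"        # S ; T

Trs = Union[Assert, Assume, Update, Choice, Comp]
FAIL = "bottom"                       # the outcome ⊥ of a failed execution


def outcomes(S: Trs, s: St, space: list) -> set:
    """Bigstep semantics of S from s: the states s' with (s, S) ~> s', plus FAIL
    when (s, S) ~> bottom.  An empty result means the execution is miraculous,
    (s, S) ~> top: it neither fails nor terminates in any state."""
    if isinstance(S, Assert):
        return {s} if S.p(s) else {FAIL}
    if isinstance(S, Assume):
        return {s} if S.p(s) else set()
    if isinstance(S, Update):
        return {t for t in space if S.R(s, t)}
    if isinstance(S, Choice):
        return outcomes(S.S, s, space) | outcomes(S.T, s, space)
    first = outcomes(S.S, s, space)   # S ; T: run S, then T from each final state
    res = {FAIL} if FAIL in first else set()
    for t in first - {FAIL}:
        res |= outcomes(S.T, t, space)
    return res


def wp(S: Trs, q: Pred, space: list) -> Pred:
    """wp.S.q.s: S does not fail from s and every final state satisfies q."""
    def w(s: St) -> bool:
        outs = outcomes(S, s, space)
        return FAIL not in outs and all(q(t) for t in outs)
    return w


def pt(S: Trs, q: Pred, space: list) -> Pred:
    """The predicate transformer pt.S of slide 22, by induction on S."""
    if isinstance(S, Assert):
        return lambda s: S.p(s) and q(s)
    if isinstance(S, Assume):
        return lambda s: (not S.p(s)) or q(s)
    if isinstance(S, Update):
        return lambda s: all(q(t) for t in space if S.R(s, t))
    if isinstance(S, Choice):
        return lambda s: pt(S.S, q, space)(s) and pt(S.T, q, space)(s)
    return pt(S.S, pt(S.T, q, space), space)


def grd(S: Trs, space: list) -> Pred:
    """grd.S = not pt.S.false (slide 24)."""
    return lambda s: not pt(S, lambda _: False, space)(s)


def valid(p: Pred, S: Trs, q: Pred, space: list) -> bool:
    """|= p {| S |} q  <=>  p is included in pt.S.q  (relation (3))."""
    return all(pt(S, q, space)(s) for s in space if p(s))


def wp_equals_pt(S: Trs, q: Pred, space: list) -> bool:
    """Exhaustive check of the theorem wp.S = pt.S on the finite space."""
    return all(wp(S, q, space)(s) == pt(S, q, space)(s) for s in space)


def grd_is_not_miracle(S: Trs, space: list) -> bool:
    """Exhaustive check of the theorem grd.S.s <=> not (s, S) ~> top."""
    return all(grd(S, space)(s) == bool(outcomes(S, s, space)) for s in space)


# Constructed finite state space: n <= 2, array entries and x in {0, 1}, 0 <= i <= 2.
SPACE = [St(i, n, x, a) for n in range(3) for a in product((0, 1), repeat=n)
         for x in (0, 1) for i in range(3)]

# Transitions of the array-membership diagram (slide 4).  An assignment v := e
# is the update [R] with R.s.s' <=> s' = s[v := e].
INV = lambda s: 0 <= s.i <= s.n and all(s.a[j] != s.x for j in range(s.i))
LOOP = Comp(Assume(lambda s: s.i < s.n and s.a[s.i] != s.x),
            Update(lambda s, t: t == s._replace(i=s.i + 1)))
FOUND = Assume(lambda s: s.i < s.n and s.a[s.i] == s.x)
# A deliberately wrong loop body that skips an element, so INV is not preserved.
BAD_LOOP = Comp(Assume(lambda s: s.i < s.n and s.a[s.i] != s.x),
                Update(lambda s, t: t == s._replace(i=s.i + 2)))
```

`valid(INV, LOOP, INV, SPACE)` is true (the loop transition preserves the invariant of situation 2) while `valid(INV, BAD_LOOP, INV, SPACE)` is false, because from i = 0, n = 2, a = (1, 0), x = 0 the skipped element is x. The executor returns an empty outcome set exactly when the bigstep rules derive (s, S) ⇝ ⊤, which is the smallstep characterisation of the miracle on slide 19, so `grd_is_not_miracle` checks the theorem of slide 24 directly.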

SLIDE 24

Transitions - Guards

The guard of a transition S is a predicate grd.S ∈ Pred which is true in exactly those states s from which the execution of S is enabled:

  grd.S = ¬pt.S.false

Theorem
  The guard of a transition S is true in a state s if and only if the execution of S starting from s is not miraculous:

  grd.S.s ⇔ ¬((s, S) ⇝ ⊤)

SLIDE 25

Hoare Triples - Diagrams

◮ Diagrams may be executed starting in any situation, and they may terminate in any situation.
◮ Let P, Q : I → Pred and D : I × I → Trs.
◮ The diagram Hoare triple P {| D |} Q holds if, whenever the execution of D starts in a state s and a situation i such that P.i.s is true, D always terminates, and if D terminates in a state s′ and a situation j, then Q.j.s′ is true.
◮ The Hoare triple P {| D |} Q is valid, denoted ⊨ P {| D |} Q, if

    ⊨ P {| D |} Q ⇔ (∀i, s • P.i.s ⇒ (s, i, D) ↓ ∧ (∀j, s′ • (s, i, D) ⇝ (s′, j) ⇒ Q.j.s′))

SLIDE 26

Weakest Precondition - Diagrams

◮ The weakest precondition for a diagram D and a post-condition Q is an indexed predicate wp.D.Q : I → Pred.
◮ wp.D.Q.i.s is true if the execution of D from s, i always terminates, and if it terminates in a state s′ and a situation j then Q.j.s′ is true:

    wp.D.Q.i.s = (s, i, D) ↓ ∧ (∀j, s′ • (s, i, D) ⇝ (s′, j) ⇒ Q.j.s′)

◮ The validity of diagram Hoare triples can be expressed equivalently using the weakest precondition:

    ⊨ P {| D |} Q ⇔ P ⊆ wp.D.Q      (4)

SLIDE 27

The Guard of a Situation

The guard of a situation i in a diagram D is a predicate grd.D.i ∈ Pred which is true in those states in which the execution from situation i is enabled, i.e. in which at least one outgoing transition is enabled:

  grd.D.i = ∨_{j ∈ I} grd.D_{i,j}

SLIDE 28

Predicate Transformers - Diagrams

For D ∈ I × I → Trs, the predicate transformer associated to D, pt.D : (I → Pred) → (I → Pred), is the least fixpoint of

  F.D : ((I → Pred) → (I → Pred)) → ((I → Pred) → (I → Pred))
  F.D.U.Q.i.s = (∀j • pt.D_{i,j}.(U.Q.j).s) ∧ (¬grd.D.i.s ⇒ Q.i.s)

  pt.D = µ F.D

The first conjunct requires every transition out of i to lead only to states from which U.Q holds in the target situation; the second requires Q.i to hold in s when no transition out of i is enabled, i.e. when the execution stops in i. Taking the least fixpoint (rather than an arbitrary one) is what excludes infinite executions: a state from which the diagram can loop forever does not satisfy pt.D.Q.

SLIDE 29

Weakest Precondition - Predicate Transformer

Theorem
  wp.D = pt.D

Proof. We prove that wp.D is a fixpoint of F.D and that it is smaller than any other fixpoint.

Using this theorem and relation (4) it follows that

  ⊨ P {| D |} Q ⇔ P ⊆ pt.D.Q      (5)

Relation (5) reduces the proof of validity of a diagram Hoare triple to an inclusion of predicates. However, unlike for transitions, pt.D.Q is a least-fixpoint expression, and proving P ⊆ pt.D.Q directly is infeasible in practice.

Theorem
  The predicate transformer pt.D is monotonic.
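For a finite state space the least fixpoint pt.D = µ F.D can be computed by iteration, which makes relation (5) checkable by brute force and shows concretely why the least fixpoint encodes termination. The following Python program is an added example, not code from the paper or its PVS development. It takes the transitions of a diagram directly as predicate transformers (pt of an assume is implication, pt of an assignment is substitution in the postcondition, pt of a sequence is composition), iterates F.D from the everywhere-false indexed predicate until it stabilises, and checks P ⊆ pt.D.Q for the array-membership diagram of slide 4 and for a variant whose loop never advances i. The variables i, n, x, a, their value ranges and the two sample diagrams are assumptions made for this example.

```python
"""The predicate transformer pt.D of a transition diagram as a least fixpoint.

Added example (not code from the paper or its PVS development).  The
transitions are given directly as predicate transformers pt.D_{i,j}:
pt of an assume is implication, pt of an assignment v := e is substitution
of e for v in the postcondition, and pt of a sequence is composition.
pt.D.Q is computed as the least fixpoint of F.D (slide 28) by iterating
from the everywhere-false indexed predicate over a finite state space, and
a diagram Hoare triple is checked as P included in pt.D.Q (relation (5)).
The variables i, n, x, a, their ranges, and the two sample diagrams are
assumptions made for this example.
"""
from collections import namedtuple
from itertools import product
from typing import Callable, Dict, Tuple

St = namedtuple("St", "i n x a")      # a state; a is the array a : {0..n-1} -> nat
Pred = Callable[[St], bool]
PT = Callable[[Pred], Pred]           # a predicate transformer Pred -> Pred
Diagram = Dict[Tuple[int, int], PT]   # (i, j) -> pt.D_{i,j}; absent pairs are disabled
FALSE: Pred = lambda s: False


def assume(b: Pred) -> PT:
    """pt.[b].q = not b or q"""
    return lambda q: (lambda s: (not b(s)) or q(s))


def assign(**upd: Callable[[St], int]) -> PT:
    """pt.(v := e).q.s = q.(s[v := e.s]), the update [R] with R.s.s' <=> s' = s[v := e.s]."""
    return lambda q: (lambda s: q(s._replace(**{v: e(s) for v, e in upd.items()})))


def seq(*ts: PT) -> PT:
    """pt.(S ; T).q = pt.S.(pt.T.q), extended to any number of transitions."""
    def composed(q: Pred) -> Pred:
        for t in reversed(ts):
            q = t(q)
        return q
    return composed


def pt_diagram(D: Diagram, Q: Dict[int, Pred], space: list) -> Dict[int, frozenset]:
    """pt.D.Q = (mu F.D).Q as the least fixpoint of
         V.i.s = (forall j . pt.D_{i,j}.(V.j).s) and (not grd.D.i.s => Q.i.s),
    computed by Kleene iteration from V = false (F.D.U.Q only uses U at the
    same Q, so the fixpoint can be taken at this Q alone).  Returns, for each
    situation i, the set of states s with pt.D.Q.i.s."""
    sits = sorted({i for i, _ in D} | {j for _, j in D} | set(Q))
    out = {i: [(j, t) for (k, j), t in D.items() if k == i] for i in sits}
    # grd.D.i = OR_j grd.D_{i,j}  with  grd.S = not pt.S.false   (slides 24 and 27)
    grd = {i: (lambda s, i=i: any(not t(FALSE)(s) for _, t in out[i])) for i in sits}
    V = {i: frozenset() for i in sits}
    while True:
        new = {i: frozenset(s for s in space
                            if all(t(lambda u, j=j: u in V[j])(s) for j, t in out[i])
                            and (grd[i](s) or Q[i](s)))
               for i in sits}
        if new == V:          # the iteration is monotone and the lattice is finite
            return V
        V = new


def triple_holds(P: Dict[int, Pred], D: Diagram, Q: Dict[int, Pred], space: list) -> bool:
    """|= P {| D |} Q  <=>  P included in pt.D.Q  (relation (5)); situations
    missing from P carry the precondition false."""
    V = pt_diagram(D, Q, space)
    return all(s in V[i] for i in P for s in space if P[i](s))


# Constructed finite state space: n <= 2, array entries and x in {0, 1}, 0 <= i <= 2.
SPACE = [St(i, n, x, a) for n in range(3) for a in product((0, 1), repeat=n)
         for x in (0, 1) for i in range(3)]

MEMBER: Diagram = {                   # the array-membership diagram of slide 4
    (1, 2): assign(i=lambda s: 0),
    (2, 2): seq(assume(lambda s: s.i < s.n and s.a[s.i] != s.x),
                assign(i=lambda s: s.i + 1)),
    (2, 3): assume(lambda s: s.i == s.n),
    (2, 4): assume(lambda s: s.i < s.n and s.a[s.i] == s.x),
}
SPIN: Diagram = {                     # same shape, but the loop never advances i
    (1, 2): assign(i=lambda s: 0),
    (2, 2): assume(lambda s: s.i < s.n),
    (2, 3): assume(lambda s: s.i == s.n),
}
# Postcondition: stop in 3 only when x is absent from a, in 4 only pointing at x,
# and never in 1 or 2.
Q = {1: FALSE, 2: FALSE, 3: lambda s: s.x not in s.a,
     4: lambda s: s.i < s.n and s.a[s.i] == s.x}
```

For `MEMBER`, `pt_diagram` puts every state of `SPACE` into situation 1, so `triple_holds({1: lambda s: True}, MEMBER, Q, SPACE)` holds; with precondition true at situation 2 instead it fails, because a state with i = n and x among the first i elements runs straight to situation 3 with x present in a, which is exactly why situation 2 carries the invariant. For `SPIN` the states with n > 0 never enter the fixpoint at situation 2 (each iteration would need them to be there already), so pt.D.Q is false on them and the triple holds only under the precondition n = 0.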

SLIDE 30

Hoare Rules - Transitions

The Hoare triple p {| S |} q is correct, denoted ⊢ p {| S |} q, if it can be proved using the following Hoare rules:

  ∀s • p.s ⇒ r.s ∧ q.s
  ─────────────────────
  ⊢ p {| {r} |} q

  ∀s • p.s ∧ r.s ⇒ q.s
  ─────────────────────
  ⊢ p {| [r] |} q

  ∀s, s′ • p.s ∧ R.s.s′ ⇒ q.s′
  ─────────────────────────────
  ⊢ p {| [R] |} q

  ⊢ p {| S |} q ∧ ⊢ p {| T |} q
  ─────────────────────────────
  ⊢ p {| S ⊓ T |} q

  ⊢ p {| S |} r ∧ ⊢ r {| T |} q
  ─────────────────────────────
  ⊢ p {| S ; T |} q

  ⊢ p {| S |} q ∧ p′ ⊆ p ∧ q ⊆ q′
  ───────────────────────────────
  ⊢ p′ {| S |} q′

SLIDE 31

Hoare Rules - Correctness & Completeness

Validity is equivalent to provability with the Hoare rules. In practice the Hoare rules are used to prove correctness.

Theorem (Correctness)
  ⊢ p {| S |} q ⇒ ⊨ p {| S |} q

Theorem
  ⊢ wp.S.q {| S |} q

Theorem (Completeness)
  ⊨ p {| S |} q ⇒ ⊢ p {| S |} q

Completeness follows from the previous theorem and the consequence rule: if ⊨ p {| S |} q then p ⊆ wp.S.q by (2), so ⊢ wp.S.q {| S |} q can be weakened to ⊢ p {| S |} q.

SLIDE 32

Hoare Rules - Diagrams

Let (W, <) be a well-founded set and X_w : I → Pred, for w ∈ W, a collection of indexed predicates. Then the indexed predicates X_{<w}, X : I → Pred are defined by

  X_{<w} = ∪_{v < w} X_v,      X = ∪_{w ∈ W} X_w

The Hoare triple P {| D |} Q is correct, denoted ⊢ P {| D |} Q, if it can be proved using the following Hoare rules:

  P′ ⊆ P ∧ Q ⊆ Q′ ∧ ⊢ P {| D |} Q
  ───────────────────────────────
  ⊢ P′ {| D |} Q′

  ∀i, j, w • ⊢ X_w.i {| D_{i,j} |} X_{<w}.j
  ──────────────────────────────────────────
  ⊢ X {| D |} X
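A worked instance of the variant rule, added here as an example and not taken from the slides: the array-membership diagram of slide 4, with W = nat and the variant n − i + 1 at the loop situation. Two assumptions are made about the diagram's notation: transitions that are not drawn are disabled, so they contribute no proof obligation, and an assignment v := e is the update [R] with R.s.s′ ⇔ s′ = s[v := e], so that the [R] rule yields the obligation p.s ⇒ q.(s[v := e]).

Let pre = (n, x ∈ nat ∧ a : {0, 1, ..., n − 1} → nat) and inv = (0 ≤ i ≤ n ∧ (∀j • 0 ≤ j < i ⇒ a.j ≠ x)), and for w ∈ nat define

  X_w.1 = pre ∧ w = n + 2
  X_w.2 = pre ∧ inv ∧ w = n − i + 1
  X_w.3 = pre ∧ inv ∧ i = n ∧ w = 0
  X_w.4 = pre ∧ inv ∧ i < n ∧ a.i = x ∧ w = 0

so that X_{<w}.2 = pre ∧ inv ∧ n − i + 1 < w, and X_{<w}.3 (respectively X_{<w}.4) is X_0.3 (respectively X_0.4) conjoined with 0 < w. The obligations ⊢ X_w.i {| D_{i,j} |} X_{<w}.j, one per drawn transition, are discharged with the transition rules of slide 30:

  1 → 2, i := 0:
    X_w.1.s ⇒ X_{<w}.2.(s[i := 0]), since 0 ≤ 0 ≤ n, the quantifier over 0 ≤ j < 0 is vacuous, and n − 0 + 1 = n + 1 < n + 2 = w.

  2 → 2, [i < n ∧ a.i ≠ x]; i := i + 1 (sequence rule with intermediate predicate X_w.2 ∧ i < n ∧ a.i ≠ x):
    X_w.2.s ∧ i < n ∧ a.i ≠ x ⇒ X_{<w}.2.(s[i := i + 1]), since i + 1 ≤ n, the bound a.j ≠ x extends from j < i to j < i + 1 by the guard, and n − (i + 1) + 1 = w − 1 < w.

  2 → 3, [i = n]:
    X_w.2.s ∧ i = n ⇒ X_0.3.s ∧ 0 < w, since i = n gives w = n − i + 1 = 1.

  2 → 4, [i < n ∧ a.i = x]:
    X_w.2.s ∧ i < n ∧ a.i = x ⇒ X_0.4.s ∧ 0 < w, since i < n gives w = n − i + 1 ≥ 2.

The variant rule now gives ⊢ X {| D |} X with X = ∪_{w ∈ nat} X_w, and X.1 = pre because every value of n fixes a w. With P.1 = pre and P.i = false for i ≠ 1 we have P ⊆ X, so the consequence rule gives ⊢ P {| D |} X: from any state satisfying pre in situation 1 the diagram terminates, and in whichever situation it stops, that situation's invariant holds. Since i := 0 is always enabled in situation 1 and the three guards of situation 2 cover every state satisfying inv, execution can only stop in situation 3 (i = n ∧ inv, so x does not occur in a) or in situation 4 (a.i = x).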

SLIDE 33

Hoare Rules - Diagrams - Correctness & Completeness

Theorem (Correctness)
  ⊢ P {| D |} Q ⇒ ⊨ P {| D |} Q

Theorem
  ⊢ wp.D.Q {| D |} Q

Theorem (Completeness)
  ⊨ P {| D |} Q ⇒ ⊢ P {| D |} Q

SLIDE 34

Conclusions

1. Invariant Diagrams
2. Operational semantics
   2.1 Bigstep & smallstep
   2.2 Equivalence between them
3. Valid Hoare triples, weakest precondition, predicate transformers
4. Hoare rules
   4.1 Valid Hoare triples are equivalent to provable Hoare triples
5. Most of these results were mechanized in PVS

We started with the operational semantics of invariant diagrams, which is close to our intuition of computation but infeasible for proving correctness in practice, and we developed Hoare proof rules for invariant diagrams. We proved that these rules are correct and complete with respect to the operational semantics.