algebra unifies calculi of programming tony hoare feb 2012
TRANSCRIPT
Algebra unifies calculi of programming
Tony Hoare
Feb 2012
With Ideas from
• Ian Wehrman• John Wickerson• Stephan van Staden• Peter O’Hearn• Bernhard Moeller• Georg Struth• Rasmus Petersen• …and others
and Calculi from
• Robin Milner• Edsger Dijkstra• Ralph Back• Carroll Morgan• Gilles Kahn,• Gordon Plotkin• Cliff Jones• Tony Hoare
but in this talk, only four
• Robin Milner x• Edsger Dijkstra x• Ralph Back
• Carroll Morgan x• Gilles Kahn,• Gordon Plotkin• Cliff Jones
• Tony Hoare x
Subject matter: specs
• variables (p, q, r) stand for computer programs, designs, contracts, specifications,…
• they all describe what happens inside/around a computer that executes a given program.
• The program itself is the most precise description– giving all the excruciating detail.
• The user specification is the most abstract– describing only interactions with environment.
• Designs come in between.
Example specs
• Postcondition:– execution ends with array A sorted
• Conditional correctness:– if execution ends, it ends with A sorted
• Precondition: – execution starts with x even
• Program: x := x+1 – the final value of x is one greater than the initial
More examples of specs
• Safety:– There are no buffer overflows
• Termination:– execution is finite (ie., always ends)
• Liveness:– no infinite internal activity (livelock)
• Fairness:– no infinite waiting
• Probability:– the ration of a’s to b’s tends to 1 with time
Also
• Security– low programs do not access high variables
• Separation– threads do not assign to shared variables
• Communication– outputs on channel c are in alphabetical order
• Predictability– there are no race conditions
• timing– interval between request and response is short
Advantages of unification
• Same laws for programs, designs, specs• Same laws for many forms of correctness • Tools based on the laws serve many purposes– and communicate by sound interfaces
• Scientific controversy is resolved– and engineers confidently apply the science
Operators on specs
• or \/ disjunction• and /\ conjunction• then ; sequential composition• while* concurrent composition
Constants• skip I terminates immediately• true ⊤ does anything• false ⊥ never starts
The language model• a language is a set of strings of characters • /\ is set intersection• \/ is set union• ; is pointwise concatenation of strings• * is pointwise interleaving of strings
• I is the language with only the empty string• ⊤ is set of all strings• ⊥ is the empty set.
Laws
\/ /\ ; *assoc yes yes yes yescomm yes yes no yes yes yes nonounit T zero T
Distribution axioms
• ; distributes through \/• (p*q) ; (p’ * q’) => (p;p’)*(q;q’)– wherep => q =def q = p \/ q (refinement)
• in the language model– there are less interleavings on the left of =>
• remember the exchange law in categories?
Theorems
• => is a partial order• All the operators are monotonic• (p*q);q’ => p*(q;q’)– Proof: substitute for p’ in exchange
• (p/\q);(p’/\q’) => (p;p’)/\(q;q’)– Proof: lhs => p;p’ by monotonicity of
;lhs => q;q’ similarly.
The result follows from Boolean algebra.
Hoare triple: {p} q {r}
•defined as p;q => r – starting in the final state of any execution of p,
q ends in the final state of some execution of r– (p and r may be arbitrary specs).
•example: {..x+1 ≤ n} x:= x + 1 {..x ≤ n} • where ..b (finally b) describes all executions that end in a state
satisfying a single-state predicate b .
Milner triple: r - p -> q
• defined as p;q => r (same as Hoare!)– r may be executed by first executing p
and then executing q .– p is usually restricted to atomic actions.•example: (<a>;q) – <a> -> q
where <a> is an atomic action
– r -> p = def. p => r• an execution step may reduce non-determinism
Theorems
• Using these definitions, the rules of the Hoare calculus and of the Milner calculus
are derivable by simple algebraic proofs from the laws of the algebra.
Rule of consequence
• p => p’ {p’} q {r’} r’ => r{p} q {r}
• r -> r’ r’ –q-> p’ p’ -> pr –q-> p
• Proof: ; is monotonic, => is transitive.• These two rules are not only similar,
they are the same!
Sequential composition
{p} q {s} {s} q’ {r} {p} q;q’ {r}
r –q-> s s –q’-> p r –q;q’-> p
– Proof: associativity of ;
Small-step rule
p –<a>-> r (r;q’) –<a>->(q;q’)
{p} q {r} .{p} q;q’ {r;q’}
Proof: monotonicity of ;
Choice
• {p} q {r} {p} q’ {r}{p} (q \/ q’) {r}
– both choices must be correct
• r –q-> p (r \/ r’) –q-> p
– so the execution may make either choice
Frame Law
• {p} q {r}{p*f} q {r*f}
– adapts a rule to a wider environment f
• r –q-> p(r*f) –q-> (p*f)
– a step that is possible for a single threadis still possible in a wider environment f
Concurrency (and Conjunction)
• {p} q {r} {p’} q’ {r’} {p*p’} (q * q’) {r*r’}
– permits modular proof of concurrent programs.
• {p} q {r} {p’} q’ {r’} {p/\p’} (q /\ q’) {r/\r’}
– in Floyd’s rule of conjunction, q = q’.
Concurrency
r –p-> q r’ -p’-> q’ (r*r) -(p*p’)-> (q*q’)
– provided p*p’ = τ– where τ is the unobserved transition,(which occurs (in CCS) when p and p’ are an input and an output on the same channel).
Dijkstra triple: p => q\r
• usually written: p => wlp(q,r) ‘defined’ by: p;q => r (again) wp(q,r) = wlp(q, r/\ terminates)
q\r specifies the weakest program which can be executed before q to achieve the overall effect of r .
Morgan triple: q => r/p
• ‘defined’ by: p;q => r (again)
• r/p is the weakest program which can be executed after p to achieve r.
Theorems
• q\(r /\ r’) = (q\r) /\ (q\r’)• (r /\ r’)/p = (r/p) /\ (r’/p)
• (q \/ q’)\r = (q\r) /\ (q’\r)• r/(p \/ p’) = (r/p) /\ (r/p’)
Theorems
• (q;q’)\r = q\(q’\r)• r/(p;p’) = (r/p)/p’
• (q\r)*(q’\r’) => (q*q’)\(r*r’)exchange law
Unification
is the goal of every branch of pure science,because it increases conviction in theory
Specialisationis needed for each application, e.g.,
Hoare logic: proofs of correctness,Milner: implementation,Dijkstra: program analysis,Morgan: programs from specifications …
Algebra
• is modular, incremental, comprehensible, abstract and beautiful.
• An algebraic law can say as little as you like– using any other concepts that you need.– new properties can be added by new laws.
• The definition of a concept is allowed only once– so it must describe all the needed properties,– using only previously defined concepts.
• Inductive clauses restrict incrementality• Algebra is good for unification
Summary: p;q => r
is writtenp {q} r{p} q {r}r –p-> qp => wlp(q,r)q => [p, r]
byHoare (triple)Wirth (triple)Milner (transition)Dijkstra (weakest precondition)Morgan (specification statement)
Milner restricts p to atomic actions (small-step version).The others restrict p and r to descriptions of single states.
Conclusions
• All the calculi are derived from the same algebra of programming.
• The algebra is simpler than each of the calculi,
• and stronger than all of them combined.
Isaac Newton
Communication with Richard Gregory (1694)
“Our specious algebra [of fluxions] is fit enough to find out, but entirely unfit to consign to writing and commit to posterity.”