Specification and Reasoning (lecture slides, pm/SaR/1to3-2005.pdf)


Specification and Reasoning

Lectures: Mondays, here. Lecturer: Pasquale Malacaria, CS/428.

Labs: Thursdays, with Dino DiStefano.

Material:

Book: Logic in Computer Science, M. Huth, M. Ryan, Cambridge University Press.

Plus additional material from the web page: http://www.dcs.qmul.ac.uk/~pm/SaR/

Some of the topics of this course aren't in textbooks, so attendance is essential.


Specification and Reasoning: what does that mean?

Specification: we want to learn how to say precisely what we want from a system (software or physical system).

Reasoning: we want to learn to reason precisely about a system.


Why do we want to do that?

Our computers work OK, they crash rarely (10 per cent), so why bother?

The 99 percent problem...

The 99.9 percent problem.

Think of the software controlling the following:

Trains, airplanes, nuclear power stations, car CPUs, the underground, rockets, the stock market, keyhole surgery, traffic controllers, ships, the power grid, water and gas supplies ....

Basically everything outside personal use of computers needs to work more than OK and often needs to never crash.


How do we achieve these high standards?

Duplication?

E.g. 3 computers running at the same time; output by majority.

Testing?

White/black box testing.

Do these things work for critical systems?

Duplication:

Two wrongs do not make one right.

Testing:

How much can you test?

1 int var = 2^32 cases (more than a spoonful of sea water), ... 4 int vars = 2^128 cases (more than the particles in the universe).


The logical approach:

We specify in some logic what we want to do.

The system is interpreted as some kind of model for this logic.

We use standard logic techniques (e.g. proofs) to reason about the system, e.g. to prove or disprove that the system does what we want.

Two relevant families of logics:

Temporal logics: logic as you know it + operators to say things like "at some point in the future P will be true" or "always in the future P will be true".

Program logics: logic as you know it + rules to say "if P was true before the program statement c then P' is true after c has been executed".


A meaningful example of a temporal logic statement:

It will always be true that if the pressure in a nuclear reactor exceeds a critical limit, the alarm will be raised.

To know this, some kind of temporal logic proof is required.

Lecture 1:

Topics:

• Program Models,

• Transition Systems,

• Kripke Transition Systems,

• While Language.


How can we model systems?

For example, how can we model a simple vending machine?

What do we need to know to model a simple vending machine (that thing where you insert coins and then choose a drink)?

And what is a model anyway?

For our purposes a model is some kind of formalism which "represents" the behaviour of the system.

A vending machine is basically a system which has an initial state and then changes its state according to the user's behaviour:

E.g.: if the user inserts the right amount, the machine gets into a state where the user can choose a drink.


So let's take the view that a model for a simple vending machine is a formalism where we can represent the possible "states" of the machine and the "transitions" between these states.

States: {1: start, 2: chooseDrink, 3: releaseCoke, 4: releaseOrange, 5: finish}

Transitions: {1 → 2, 2 → 3, 2 → 4, 3 → 1, 4 → 1, 1 → 5}

Something is still missing. Can you see what?

What's the difference between 2 → 3 and 2 → 4?

The difference is that 2 → 3 "happens" when the user chooses a coke and 2 → 4 "happens" when he chooses an orange.

We hence have to specify the action bringing from one state to another, e.g. 2 →coke 3.

Here is a picture of the system:


Our model of the vending machine is an example of a Labelled Transition System.

A Labelled Transition System is a triple T = (S, A, →) where

• S is a set of nodes

• A is a set of actions

• → ⊆ S × A × S is a set of labelled transitions

Note that if A = {a} (any singleton will do) we recover (directed) graphs.

Can we model programs in a similar way?

What are the states?

What are the transitions?

A state is a "snapshot" of a system; in the case of a program, what is its snapshot?

int x=0; int y=5; x+=y*2;


A "snapshot" of an executing program can be seen as the state of the memory when the current command is executed.

In our case:

After: int x = 0; int y = 5;    State: x = 0, y = 5
After: x = x + y * 2;           State: x = 10, y = 5

So we can take as the state of a program at a program point the values of the program variables at that particular program point.

A Program Model is a 5-tuple (S, A, →, s, E) where

• S is a set of nodes (or program states)

• A is a set of actions (or program commands)

• → ⊆ S × A × S is a set of labelled transitions

• s ∈ S is the initial state and E ⊆ S the set of end states.


Our simple program int x=0; int y=5; x+=y*2;

can be interpreted in the following program model (S, A, →, s, E):

• S = {1, 2, 3, 4}, where 1 = ε, 2 = {x=0}, 3 = {x=0, y=5}, 4 = {x=10, y=5}.

• A = {int x=0, int y=5, x+=y*2}

• 1 →(int x=0) 2, 2 →(int y=5) 3, 3 →(x+=y*2) 4

• s = 1, E = {4}.

A more interesting example

Consider the following fragment of a Java program:

    while (Mod(x)) {
        x = x/2;
        x++;
    }

where Mod(x) returns true if x is even and false otherwise.


Program Models and labelled transition systems are part of a family of "models" for various logical or physical systems.

Labels on arcs denote the possible actions of the system, i.e. its dynamics; it is however convenient to enrich the states of the system to include atomic propositions associated to states.

A Kripke transition system over a set of atomic propositions P is a structure T = (S, A, →, I) where (S, A, →) is a labelled transition system and I : S → 2^P is an interpretation.


I(s) = {p1, . . . , pn} means "p1, . . . , pn are true in the state s".

The idea is that with an interpretation we add the basic truths we want to hold at a particular state.

Example: consider again int x=0; int y=5; x+=y*2;

An interpretation for this program could be as follows:

• I(1) = I(2) = ε, I(3) = {x < y}, I(4) = {x > y}

Hence an interpretation allows us to add basic truths to the model.

Some more interpretations for int x=0; int y=5; x+=y*2;

• I(1) = ε, I(2) = {y = 5}, I(3) = {x < y}, I(4) = {x > y}

• I(1) = I(2) = I(3) = I(4) = ε

• I(1) = I(2) = I(3) = I(4) = {x > 0}


Summary:

• Labelled transition systems (LTS) = states + transitions with labels.

• Program Models (PM) = LTS + initial state and final states.

• Kripke transition systems (KTS) = LTS + interpretation.

LTS are a basic universal model of "everything".

PM are special LTS appropriate for programs.

KTS are LTS with added basic logic.
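As an added example (my code, not the slides' own), here are the three models as Python data: an LTS with reachability and enabled actions, a program model with start and end states, and a Kripke interpretation I computed from which atomic propositions hold in each memory. The inputs are the vending machine and the program int x=0; int y=5; x+=y*2; from the slides; the vending machine action names other than coke and orange are my choice.

```python
from dataclasses import dataclass, field

# Added example, not from the lecture slides: labelled transition systems,
# program models and Kripke interpretations as plain Python data, using the
# vending machine and the three-statement program of the slides as inputs.


@dataclass
class LTS:
    """T = (S, A, ->): states, actions and a set of (s, a, s') triples."""
    states: set
    actions: set
    trans: set

    def successors(self, s):
        """The (action, next state) pairs enabled in state s."""
        return {(a, t) for (u, a, t) in self.trans if u == s}

    def reachable(self, start):
        """All states reachable from `start` by following transitions."""
        seen, todo = set(), [start]
        while todo:
            s = todo.pop()
            if s in seen:
                continue
            seen.add(s)
            todo.extend(t for (_, t) in self.successors(s))
        return seen


@dataclass
class ProgramModel(LTS):
    """(S, A, ->, s, E): an LTS plus an initial state and a set of end states."""
    start: object = None
    end: set = field(default_factory=set)

    def states_without_successor(self):
        """Candidate end states: those from which no transition leaves."""
        return {s for s in self.states if not self.successors(s)}


def kripke_interpretation(states, props):
    """I : S -> 2^P. `props` maps a proposition name to a predicate on states;
    I(s) is the set of propositions that hold in s."""
    return {s: frozenset(p for p, holds in props.items() if holds(s)) for s in states}


# The vending machine LTS. Only "coke" and "orange" are named on the slide; the
# other action names (coin, take, stop) are my choice.
VENDING = LTS(
    states={"start", "chooseDrink", "releaseCoke", "releaseOrange", "finish"},
    actions={"coin", "coke", "orange", "take", "stop"},
    trans={("start", "coin", "chooseDrink"),
           ("chooseDrink", "coke", "releaseCoke"),
           ("chooseDrink", "orange", "releaseOrange"),
           ("releaseCoke", "take", "start"),
           ("releaseOrange", "take", "start"),
           ("start", "stop", "finish")},
)


def mem(**values):
    """A memory (program state) as a hashable partial map from variables to ints."""
    return frozenset(values.items())


def lookup(state, var):
    """Value of `var` in a memory state, or None where the map is undefined."""
    return dict(state).get(var)


# The program model of  int x=0; int y=5; x+=y*2;  with the states 1..4 of the slide.
S1, S2, S3, S4 = mem(), mem(x=0), mem(x=0, y=5), mem(x=10, y=5)
PROGRAM = ProgramModel(
    states={S1, S2, S3, S4},
    actions={"int x=0", "int y=5", "x+=y*2"},
    trans={(S1, "int x=0", S2), (S2, "int y=5", S3), (S3, "x+=y*2", S4)},
    start=S1,
    end={S4},
)


def both_defined(state, *names):
    return all(lookup(state, v) is not None for v in names)


# Atomic propositions; a comparison is false where a variable is undefined.
PROPS = {
    "x<y": lambda s: both_defined(s, "x", "y") and lookup(s, "x") < lookup(s, "y"),
    "x>y": lambda s: both_defined(s, "x", "y") and lookup(s, "x") > lookup(s, "y"),
}
INTERPRETATION = kripke_interpretation(PROGRAM.states, PROPS)  # the slide's first I
```

INTERPRETATION is exactly the first interpretation of the slide: nothing holds in states 1 and 2, x < y holds in state 3 and x > y in state 4; states_without_successor returns {4}, the end state E.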


The While language

The programs we will consider will be written in a subset of Java consisting of while and if statements and sequences of assignments. We call this the While language.

Example

z = 0; i = 0; while (!(i == y)) { z += x; i++; }

How restrictive is that?

Can we translate "all" Java programs we saw last year into that form?


In short the answer is yes. We just give an example to give the idea:

    public class Account {
        private double balance;

        public Account(double initialBalance) {
            balance = initialBalance;
        }

        public void deposit(double amount) {
            balance += amount;
        }

        public void withdraw(double amount) {
            balance -= amount;
        }

        public double getBalance() {
            return balance;
        }
    }

    public class TestAccount {
        public static void main(String[] args) {
            Account acc1 = new Account(1000);
            Account acc2 = new Account(500);
            double sum = acc1.getBalance() + acc2.getBalance();
            acc2.deposit(sum);
        }
    }


To translate into our simple language we start from the main and, statement after statement, we do:

When creating a new object with some initial value, we create one variable for each instance variable created in the original program and give it the corresponding initial value.

Replace all loop constructs with while. For example for(int i=0; i<n; i++){ ... } is replaced by int i=0; while (i<n){ ... i++; }. We then replace all method calls with the method bodies (you learned that in Programming 1).

Here is what we get in our example (the last line is the body of deposit with amount replaced by sum):

    acc1Balance = 1000;
    acc2Balance = 500;
    sum = acc1Balance + acc2Balance;
    acc2Balance = acc2Balance + sum;

Lecture 2:

Course page:

http://www.dcs.qmul.ac.uk/~pm/SaR

We have seen so far:

• Some models for systems: LTS, PM, KTS.

• That Java can be translated into the much smaller While language.


We can give a "reasonably simple" mathematical description of the evaluation process of the While language; it is called operational semantics.

Why would we want to do that?

Small step operational semantics (SSOP) for the While language:

The SSOP is a way to describe formally how a program of the While language is evaluated.

It also tells us precisely how to build the program model of a program.

To simplify, we assume our programs contain only variables of type int.

Our first task is to formalize the idea of a computer memory.


[Picture of the memory: cells labelled x, y, z, w holding 5, 3, 32 and an unknown value]

Here x = 5, y = 3, z = 32, w = ? and we don't care what is in the other memory cells.

We then define the memory M as a partial map from names of variables to int:

M : Var → int

Why "partial" (i.e. undefined on some arguments)?

The syntax of our While language is defined using the Backus-Naur form as follows:

Commands are:

C ::= Var = E | skip | C; C | if (BE) {C} else {C} | while (BE) {C}

where

• Var ::= x | y | z | . . .

• E ::= Var | E + E | E − E | E ∗ E | E/E | 0 | 1 | . . . | n | . . .

• BE ::= E == E | E < E | E > E

E is the set of (arithmetic) expressions and BE is the set of (boolean) expressions.

e.g. x = 5; if (x > 3) {x = x ∗ 4} else {skip}
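Added example, not part of the slides: a recursive-descent parser for the grammar above, returning nested tuples so that a program can be inspected (or interpreted) mechanically. The slide's grammar does not say how E + E ∗ E groups; giving ∗ and / the usual higher precedence is my choice, and c1; c2; c3 is parsed as c1; (c2; c3), the right-associated reading used later in lecture 3.

```python
import re

# Added example, not part of the slides: a recursive-descent parser for the While
# grammar above, producing a nested-tuple syntax tree. Commands are ("assign", var, E),
# ("skip",), ("seq", C, C), ("if", BE, C, C), ("while", BE, C); expressions are
# ("var", name), ("num", n), ("bin", op, E, E); booleans are ("cmp", op, E, E).
# The slide's grammar leaves grouping open: giving * and / priority over + and - is
# my choice, and c1; c2; c3 is parsed as c1; (c2; c3), i.e. sequencing to the right.

TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(==|[=+\-*/<>;{}()]))")


def tokenize(src):
    """Split source text into (kind, text) tokens; kind is num, id or sym."""
    toks, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise SyntaxError(f"unexpected character at {pos}: {src[pos:pos + 10]!r}")
        pos = m.end()
        num, name, sym = m.groups()
        toks.append(("num", int(num)) if num else ("id", name) if name else ("sym", sym))
    return toks


class Parser:
    def __init__(self, src):
        self.toks, self.i = tokenize(src), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, text=None):  # consume the next token, checking kind and/or text
        got = self.peek()
        if got[0] is None or (kind and got[0] != kind) or (text is not None and got[1] != text):
            raise SyntaxError(f"expected {text or kind}, got {got}")
        self.i += 1
        return got[1]
    def command(self):  # C ::= Var = E | skip | C; C | if (BE) {C} else {C} | while (BE) {C}
        c = self.simple()
        if self.peek() != ("sym", ";"):
            return c
        self.take()
        if self.peek()[0] is None or self.peek() == ("sym", "}"):
            return c  # a ';' right before '}' or at the end of the input is tolerated
        return ("seq", c, self.command())
    def simple(self):
        if self.peek() == ("id", "skip"):
            self.take()
            return ("skip",)
        if self.peek() == ("id", "if"):
            self.take()
            guard, then = self.guarded()
            self.take("id", "else")
            return ("if", guard, then, self.block())
        if self.peek() == ("id", "while"):
            self.take()
            return ("while", *self.guarded())
        var = self.take("id")
        self.take("sym", "=")
        return ("assign", var, self.expr())
    def guarded(self):  # ( BE ) { C }
        self.take("sym", "(")
        be = self.boolexpr()
        self.take("sym", ")")
        return be, self.block()
    def block(self):  # { C }
        self.take("sym", "{")
        c = self.command()
        self.take("sym", "}")
        return c
    def boolexpr(self):  # BE ::= E == E | E < E | E > E
        left, op = self.expr(), self.take("sym")
        if op not in ("==", "<", ">"):
            raise SyntaxError(f"expected a comparison, got {op!r}")
        return ("cmp", op, left, self.expr())
    def expr(self):  # E ::= term | E + term | E - term
        e = self.term()
        while self.peek()[0] == "sym" and self.peek()[1] in ("+", "-"):
            e = ("bin", self.take(), e, self.term())
        return e
    def term(self):  # term ::= atom | term * atom | term / atom
        e = self.atom()
        while self.peek()[0] == "sym" and self.peek()[1] in ("*", "/"):
            e = ("bin", self.take(), e, self.atom())
        return e
    def atom(self):  # Var | 0 | 1 | ... | n | ...
        kind = self.peek()[0]
        if kind not in ("num", "id"):
            raise SyntaxError(f"expected a variable or a number, got {self.peek()}")
        return ("num" if kind == "num" else "var", self.take())


def parse(src):
    """Parse a whole While program; every token must be consumed."""
    p = Parser(src)
    c = p.command()
    if p.peek()[0] is not None:
        raise SyntaxError(f"trailing input at token {p.peek()}")
    return c
```

parse("x = 5; if (x > 3) {x = x * 4} else {skip}") gives a ("seq", assignment, conditional) tree; anything outside the grammar, such as a missing right-hand side, raises SyntaxError instead of being silently accepted.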


The SSOP tells us what happens when we meet a particular command in a given memory.

The definition is given case by case and has one of the two following shapes:

(command, memory) → (command′, memory′)

(command, memory) → memory′

In this last case the computation has ended.

A pair (command, memory) is called a configuration.

SSOP Rules

assign: (v = e, M) →v=e M[v=e]

Here M[v=e] is the memory M where the variable v is now mapped to (the value of) e, i.e.

M[v=e](v′) = M(v′) if v′ ≠ v

M[v=e](v′) = e if v′ = v

skip: (skip, M) →skip M

seq1:        (c1, M) →c M′
        ------------------------------
        (c1; c2, M) →c (c2, M′)

seq2:        (c1, M) →c (c1′, M′)
        ------------------------------
        (c1; c2, M) →c (c1′; c2, M′)

(In each rule the step above the line must be possible for the step below the line to apply.)


For example

(x = 5, ε) →x=5 ε[x=5]

here ε is the map undefined on all variables, i.e. ε(y) is undefined for all variables y.

Notice that when there is no ambiguity we can drop the labels over the arrows, so the above can be written

(x = 5, ε) → ε[x=5]

The rules for if require first to evaluate the boolean expression involved.

To understand the rule consider the following example:

x=0; if (x>3) x=1; else x=2;

What would x become?

That depends on whether (x>3) is true; but we know that the value of x in the memory is 0 (i.e. M(x) = 0), so (x>3) is false.

So when we meet a conditional we have to evaluate the expression, that is we have to replace all variables in the expression with their values at that program point.


Given an expression e and a memory M, let M(e) denote the boolean value obtained by replacing all variables in e with their value in M, e.g.

M(x < y) = true if M(x) < M(y)

M(x < y) = false if M(x) >= M(y)

and M(x < y) is undefined if M(x) or M(y) are undefined.

if1:          M(e) = true
        ------------------------------------
        (if e c1 else c2, M) →e (c1, M)

if2:          M(e) = false
        ------------------------------------
        (if e c1 else c2, M) →!e (c2, M)

We don't need any rule for while. This is because we can use the following recursive identity:

while-if: while e c ≡ if e {c; while e c} else skip

Let's see for example the SSOP of the program P defined as:

    x=4;
    while (Mod(x)) {
        x=x/2;
        x++;
    }

The SSOP of a program usually starts with the "empty" memory ε.

(x = 4, ε) →x=4 M0 (rule assign) where

M0(v) = 4 if v = x, and is undefined otherwise

Hence (P, ε) →x=4 (P1, M0)

with P1 = while (Mod(x)) {x = x/2; x++;} (rule seq1)


Using the while-if rule we get

P1 = if (Mod(x)) {x = x/2; x++; P1} else skip;

and using if1 (because Mod(4) = true)

we get (P1, M0) →Mod(4) (x = x/2; x++; P1, M0)

Now by rule assign we get

(x = x/2, M0) →x=x/2 M1

with M1(v) = 2 if v = x, and is undefined otherwise

so (x = x/2; x++; P1, M0) →x=x/2 (x++; P1, M1) (rule seq1)

By using again rules assign and seq1 we get

(x++; P1, M1) →x++ (P1, M2)

with M2(v) = 3 if v = x, and is undefined otherwise

We reapply the identity while-if to get

P1 = if (Mod(x)) {x = x/2; x++; P1} else skip;

but now Mod(3) = false, so by if2

(P1, M2) →!Mod(3) (skip, M2)

and (skip rule)

(skip, M2) →skip M2

So as expected the computation finishes with the memory holding the value 3 for x.
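The SSOP rules above as an added Python interpreter (my code, not the lecture's): step implements assign, skip, seq1, seq2, if1, if2 and the while-if identity on configurations (command, memory), and run iterates it from the empty memory ε, recording the label of every arrow. It is run on the program P of this slide, whose trace reproduces the six steps above and ends with x = 3, and on the sequence x = 0; while (x < 2) x++; y = x + 1; discussed in lecture 3, which is the case where seq2 is needed. Since the grammar has neither Mod(x) nor x++, Mod(x) is encoded as (x/2)*2 == x and x++ as x = x + 1 (my encoding, not the slides').

```python
# Added example, not the lecture's own code: the SSOP rules assign, skip, seq1,
# seq2, if1, if2 and the while-if identity as a step function on configurations
# (command, memory). A memory is a dict, i.e. a partial map Var -> int; the
# empty memory ε is {}. Commands and expressions are nested tuples:
#   ("assign", v, E) | ("skip",) | ("seq", C, C) | ("if", BE, C, C) | ("while", BE, C)
#   ("var", v) | ("num", n) | ("bin", op, E, E) | ("cmp", op, E, E)


def trunc_div(a, b):
    """Java-style integer division, truncating towards zero."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def evaluate(e, M):
    """M(e): e with every variable replaced by its value in M; raises KeyError
    when a variable is undefined in M, i.e. when M(e) is undefined."""
    kind = e[0]
    if kind == "num":
        return e[1]
    if kind == "var":
        if e[1] not in M:
            raise KeyError(f"{e[1]} is undefined in the memory")
        return M[e[1]]
    a, b = evaluate(e[2], M), evaluate(e[3], M)
    if kind == "cmp":
        return {"==": a == b, "<": a < b, ">": a > b}[e[1]]
    if e[1] == "/":
        return trunc_div(a, b)
    return {"+": a + b, "-": a - b, "*": a * b}[e[1]]


def show(t):
    """Render a command or expression as text for the labels on the arrows."""
    k = t[0]
    if k in ("num", "var"):
        return str(t[1])
    if k in ("bin", "cmp"):
        return f"{show(t[2])} {t[1]} {show(t[3])}"
    if k == "assign":
        return f"{t[1]} = {show(t[2])}"
    if k == "skip":
        return "skip"
    if k == "seq":
        return f"{show(t[1])}; {show(t[2])}"
    if k == "if":
        return f"if ({show(t[1])}) {{{show(t[2])}}} else {{{show(t[3])}}}"
    return f"while ({show(t[1])}) {{{show(t[2])}}}"


def step(c, M):
    """One SSOP step from (c, M). Returns (label, M') when c has finished and
    (label, (c', M')) otherwise, mirroring the two shapes of the rules."""
    k = c[0]
    if k == "assign":                                  # assign: (v = e, M) ->v=e M[v=e]
        return show(c), {**M, c[1]: evaluate(c[2], M)}
    if k == "skip":                                    # skip: (skip, M) ->skip M
        return "skip", M
    if k == "seq":
        label, r = step(c[1], M)
        if isinstance(r, dict):                        # seq1: c1 is done, continue with c2
            return label, (c[2], r)
        return label, (("seq", r[0], c[2]), r[1])      # seq2: c1 became c1', keep c2 behind it
    if k == "if":                                      # if1 / if2: evaluate the guard in M
        if evaluate(c[1], M):
            return show(c[1]), (c[2], M)
        return "!" + show(c[1]), (c[3], M)
    # while-if: while e c  is  if e {c; while e c} else skip
    return step(("if", c[1], ("seq", c[2], c), ("skip",)), M)


def run(c, M=None, limit=10_000):
    """Run the SSOP from (c, M) to completion; returns (labels, final memory)."""
    conf, labels = (c, {} if M is None else dict(M)), []
    while len(labels) < limit:
        label, r = step(*conf)
        labels.append(label)
        if isinstance(r, dict):
            return labels, r
        conf = r
    raise RuntimeError("no terminating run within the step limit")


# The program P of the slide. The grammar has no Mod(x) or x++: Mod(x) is written
# as (x/2)*2 == x (true exactly when x is even, with truncating division) and
# x++ as x = x + 1.
X = ("var", "x")
MOD_X = ("cmp", "==", ("bin", "*", ("bin", "/", X, ("num", 2)), ("num", 2)), X)
P = ("seq", ("assign", "x", ("num", 4)),
     ("while", MOD_X, ("seq", ("assign", "x", ("bin", "/", X, ("num", 2))),
                              ("assign", "x", ("bin", "+", X, ("num", 1))))))

# The A; B; C example of lecture 3 (x = 0; while (x < 2) x++; y = x + 1;),
# which goes through seq2 while B is being unfolded.
ABC = ("seq", ("assign", "x", ("num", 0)),
       ("seq", ("while", ("cmp", "<", X, ("num", 2)), ("assign", "x", ("bin", "+", X, ("num", 1)))),
               ("assign", "y", ("bin", "+", X, ("num", 1)))))
```

run(P) returns the six labels x = 4, Mod(x), x = x / 2, x = x + 1, !Mod(x), skip (with Mod(x) spelled out as x / 2 * 2 == x) and the final memory {x: 3}; evaluating an expression over an undefined variable raises KeyError, which is the interpreter's way of saying that M(e) is undefined.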


SSOP and program models

The standard program model of a program is defined as:

• States are the configurations (i.e. the pairs (command, memory)) generated by its SSOP.

• Actions are assignments and boolean expressions.

• Transitions are defined by the small steps assign and if1, if2 rules.

• The start state is the initial configuration and end states are those with no successor.

Example:

(x = 4; while (Mod(x)) {x = x/2; x++;}, ε)
    ↓ x=4
(P1, M0)
    ↓ Mod(4)
(x = x/2; x++; P1, M0)
    ↓ x=x/2
(x++; P1, M1)
    ↓ x++
(P1, M2)
    ↓ !Mod(3)
(skip, M2)
    ↓ skip
M2


What about

    while (Mod(x)) {
        x=x/2;
        x++;
    }

where Mod(x) returns true if x is even and false otherwise?

A standard program model represents a particular run of the program.

Is there a program model which represents "all possible runs"? Or programs where some variables are not instantiated?


Lecture 3:

When is the rule seq2 applied?

First think of a sequence of statements c1; c2; . . . ; cn

This sequence should be seen as a sequence of two statements:

c1 and c2; . . . ; cn

the second being itself a sequence of statements.

(In mathematical terms we are saying that sequencing associates to the right.)


Consider

x = 0; while (x < 2) x++; y = x + 1;

this is a sequence of three statements:

A: x = 0;

B: while (x < 2) x++;

C: y = x + 1;

which, according to the previous slide, we will consider as a sequence of two statements:

A and B; C

By evaluating A; B; C according to the SSOP we will first apply seq1 where c1 = A and c2 = B; C

We will then be left to evaluate c1; c2 where c1 = B and c2 = C in the memory M[x=0]

But now we cannot apply seq1 to B; C because there is no rule of the form

(while e c, M) → M′


The best we can do is something along the following lines:

(while e c, M) ≡ (if e {c; while e c} else skip, M)

and then apply the appropriate if rule and get either (c; while e c, M) or (skip, M)

(B, M[x=0]) → (c; B, M[x=0]) if x < 2

(B, M[x=0]) → (skip, M[x=0]) if x ≥ 2

So when evaluating B; C we cannot use seq1 but we can use seq2.

In general it is easy to see that

• seq1 and seq2 are exclusive

• if1 and if2 are exclusive.

This implies that the While language is deterministic, i.e. for a given input a program always returns the same value.

This implies that Java is deterministic.


What about

    while (Mod(x)) {
        x=x/2;
        x++;
    }

where Mod(x) returns true if x is even and false otherwise?

A standard program model represents a particular run of the program.

Is there a program model which represents "all possible runs"? Or programs where some variables are not instantiated?

Do you remember what a flowchart is?


The way flowcharts are usually taught is by reading the code and thinking "this is an assignment, here we have a decision"... What we are doing there is to abstract from the program data.

This abstraction of program data can be formally presented using what is called abstract interpretation, a technique of which we will now give an example:

Recall that a memory is a map M : Var → int.

What happens if we consider instead a memory as a map M : Var → {∗}, i.e. the map which gives all variables the same value ∗?

Then at the node x = x/2 we have M(x) = ∗!

In the flowchart case a rough abstraction would consist of taking a singleton as the only possible value for program variables (instead of int).

Let's call flow memory the map M : Var → {∗}.


Let's now modify the SSOP by changing if1, if2 as follows:

AbstractIf1: (if e c1 else c2, M) →e (c1, M)

AbstractIf2: (if e c1 else c2, M) →!e (c2, M)

Let's call ASSOP this modified SSOP (Abstract small step operational semantics).

The flowchart of a program P is the standard program model of the ASSOP of P using the flow memory.

Compute the ASSOP for the following program using the flow memory map M : Var → {∗}

while (Mod(x)) {x = x/2; x++;}

• Nodes = configurations or memories of the program

• Edges = transitions according to the ASSOP rules


[Picture of the ASSOP program model with the flow memory, written here as a transition list:]

(while (mod(x)) {x=x/2; x++}, [x=*])
    →mod(x)   (x=x/2; x++; while (mod(x)) {x=x/2; x++}, [x=*])
    →x=x/2    (x++; while (mod(x)) {x=x/2; x++}, [x=*])
    →x++      (while (mod(x)) {x=x/2; x++}, [x=*])   (back to the first configuration)
    →!mod(x)  {*}

Or when there is no risk of confusion we can simplify it as follows:

[Simplified picture: four nodes all labelled {*}; the edges x=x/2 and x++ go through the loop body, a back edge returns to the loop head and an exit edge leads to the final {*}]


In general an abstraction of the memory will replace the real values in the memory with some property of those values:

[Picture: the memory x = 5, y = 3, z = 32, w = ? becomes x = o, y = o, z = e, w = *]

The even/odd memory,

M : Var → {e, o, ∗}

• M(x) = e if x has an even value

• M(x) = o if x has an odd value

• M(x) = ∗ if we don't know x's value


The ASSOP (even/odd memory) of

while (Mod(x)) {x = x/2; x++;}

[Picture: node {e} →x=x/2 {*} →x++ {*}, with a back edge to the loop head, and an exit node {o}]
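The ASSOP with the even/odd memory as an added Python example (my code, not the slides'): astep applies AbstractIf1 and AbstractIf2 together, so every conditional yields both branches, and program_model collects the configurations and labelled edges, i.e. the picture above, for while (Mod(x)) {x = x/2; x++;} started with x of unknown parity. Two points are my additions beyond the rules as stated on the slides: the abstract arithmetic on {e, o, ∗} (integer division always gives ∗, since 4/2 is even but 6/2 is odd), and the refinement that records x = e on the true branch of Mod(x) and x = o on the false one, which is what produces the {e} and {o} nodes of the picture; a branch whose refinement contradicts what the memory already knows is dropped as infeasible.

```python
# Added example, not the lecture's own code: the ASSOP with the even/odd memory
# M : Var -> {e, o, *}, explored exhaustively so that AbstractIf1 and AbstractIf2
# both fire at every conditional. Commands and expressions are nested tuples:
#   ("assign", v, E) | ("skip",) | ("seq", C, C) | ("if", G, C, C) | ("while", G, C)
#   ("var", v) | ("num", n) | ("bin", op, E, E);  the guard Mod(v) is ("even", v)
# My addition beyond the rules as stated: on the true branch of Mod(v) the memory
# records v = e, on the false branch v = o (this gives the {e} and {o} nodes).

STAR = "*"  # "we don't know"


def parity(n):
    return "e" if n % 2 == 0 else "o"


def abstract_eval(e, M):
    """Even/odd value of an arithmetic expression under the abstract memory M."""
    kind = e[0]
    if kind == "num":
        return parity(e[1])
    if kind == "var":
        return M.get(e[1], STAR)          # an undefined variable is treated as unknown
    a, b = abstract_eval(e[2], M), abstract_eval(e[3], M)
    if STAR in (a, b):
        return STAR
    if e[1] in ("+", "-"):
        return "e" if a == b else "o"      # e±e = e, o±o = e, e±o = o
    if e[1] == "*":
        return "e" if "e" in (a, b) else "o"
    return STAR                            # "/": 4/2 is even but 6/2 is odd


def refine(guard, M, truth):
    """M strengthened by what Mod(v) being `truth` says about v, or None when the
    branch is infeasible (e.g. v already known to be odd on the true branch)."""
    v, want = guard[1], "e" if truth else "o"
    if M.get(v, STAR) not in (STAR, want):
        return None
    return {**M, v: want}


def show(t):
    """Text for the labels on the edges."""
    k = t[0]
    if k in ("num", "var"):
        return str(t[1])
    if k == "bin":
        return f"{show(t[2])} {t[1]} {show(t[3])}"
    if k == "even":
        return f"Mod({t[1]})"
    return f"{t[1]} = {show(t[2])}"        # assign


def astep(c, M):
    """All ASSOP successors of (c, M): a list of (label, M') or (label, (c', M'))."""
    k = c[0]
    if k == "assign":
        return [(show(c), {**M, c[1]: abstract_eval(c[2], M)})]
    if k == "skip":
        return [("skip", M)]
    if k == "seq":                         # seq1 / seq2, applied to every successor of c1
        out = []
        for label, r in astep(c[1], M):
            out.append((label, (c[2], r) if isinstance(r, dict) else (("seq", r[0], c[2]), r[1])))
        return out
    if k == "if":                          # AbstractIf1 and AbstractIf2: both branches
        out = []
        for truth, branch, prefix in ((True, c[2], ""), (False, c[3], "!")):
            Mp = refine(c[1], M, truth)
            if Mp is not None:
                out.append((prefix + show(c[1]), (branch, Mp)))
        return out
    return astep(("if", c[1], ("seq", c[2], c), ("skip",)), M)   # while-if


def program_model(c, M):
    """Standard program model of the ASSOP: the configurations reached from (c, M)
    and the labelled edges between them; a finished run ends in a state (None, memory)."""
    def key(conf):
        return (conf[0], frozenset(conf[1].items()))
    start = (c, dict(M))
    states, edges, todo = {key(start)}, [], [start]
    while todo:
        conf = todo.pop()
        for label, r in astep(*conf):
            nxt = (None, r) if isinstance(r, dict) else r
            edges.append((key(conf), label, key(nxt)))
            if key(nxt) not in states:
                states.add(key(nxt))
                if nxt[0] is not None:
                    todo.append(nxt)
    return states, edges


# while (Mod(x)) {x = x/2; x++;} with x++ written as x = x + 1.
X = ("var", "x")
LOOP = ("while", ("even", "x"),
        ("seq", ("assign", "x", ("bin", "/", X, ("num", 2))),
                ("assign", "x", ("bin", "+", X, ("num", 1)))))


def memories_reached(c, M):
    """The abstract value of x in every state of the model, as a sorted list."""
    states, _ = program_model(c, M)
    return sorted(dict(mem).get("x", STAR) for _, mem in states)
```

Started from [x = *], program_model(LOOP, {"x": STAR}) has five states and five edges: x = * at the loop head, x = e on entering the body, x = * after x = x/2 and after x++ (the back edge returns to the head), and x = o on the skip branch and at the end, which is the picture above. Started from [x = o] the true branch is infeasible and only the exit edges remain.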

The sign memory M : Var → {+, −, ∗}

• M(x) = + if x's value is positive

• M(x) = − if x's value is negative

• M(x) = ∗ if we don't know x's sign

What is the ASSOP (sign memory) of

while (Mod(x)) {x = x/2; x++;} ?


Let's define

The point memory M : Var → {3, !3, ∗}

• M(x) = 3 if x = 3

• M(x) = !3 if x ≠ 3

• M(x) = ∗ if we don't know which class x belongs to.

Is the following the ASSOP (point memory) of

while (Mod(x)) {x = x/2; x++;} ?

[Picture: node {!3} →x=x/2 {*} →x++ {*}, with a back edge to the loop head, and an exit node {3}]


The memory maps flow, even/odd, sign and point are just examples of abstractions;

For most particular problems we can create an appropriate abstraction;

Abstraction is the holy grail of computer science: the only way to study systems with billions of states is by abstracting them to systems with a few thousand states.

Question: is ASSOP deterministic?