Embed Size (px)
Citation preview
NICTA Advanced Course
Theorem Proving
Principles, Techniques, Applications
{P} . . . {Q}
1
CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
• Lambda Calculus
• Higher Order Logic, natural deduction
• Term rewriting
➜ Proof & Specification Techniques
• Inductively defined sets, rule induction
• Datatypes, recursion, induction
• More recursion, Calculational reasoning
• Hoare logic, proofs about programs
• Locales, Presentation
CONTENT 2
LAST TIME
➜ Recdef
➜ More induction
➜ Well founded orders
➜ Well founded recursion
➜ Calculations: also/finally
➜ [trans]-rules
LAST TIME 3
A CRASH COURSE IN SEMANTICS
4
IMP - A SMALL IMPERATIVE LANGUAGE
Commands:
datatype com = SKIP| Assign loc aexp ( := )
| Semi com com ( ; )
| Cond bexp com com (IF THEN ELSE )| While bexp com (WHILE DO OD)
types loc = stringtypes state = loc ⇒ nat
types aexp = state ⇒ nattypes bexp = state ⇒ bool
IMP - A SMALL IMPERATIVE LANGUAGE 5
IMP - A SMALL IMPERATIVE LANGUAGE
Commands:
datatype com = SKIP| Assign loc aexp ( := )
| Semi com com ( ; )
| Cond bexp com com (IF THEN ELSE )| While bexp com (WHILE DO OD)
types loc = stringtypes state = loc ⇒ nat
types aexp = state ⇒ nattypes bexp = state ⇒ bool
IMP - A SMALL IMPERATIVE LANGUAGE 5-A
IMP - A SMALL IMPERATIVE LANGUAGE
Commands:
datatype com = SKIP| Assign loc aexp ( := )
| Semi com com ( ; )
| Cond bexp com com (IF THEN ELSE )| While bexp com (WHILE DO OD)
types loc = stringtypes state = loc ⇒ nat
types aexp = state ⇒ nattypes bexp = state ⇒ bool
IMP - A SMALL IMPERATIVE LANGUAGE 5-B
EXAMPLE PROGRAM
Usual syntax:B := 1;
WHILE A 6= 0 DOB := B ∗ A;
A := A − 1
OD
Expressions are functions from state to bool or nat:
B := (λσ. 1);
WHILE (λσ. σ A 6= 0) DOB := (λσ. σ B ∗ σ A);
A := (λσ. σ A − 1)
OD
EXAMPLE PROGRAM 6
EXAMPLE PROGRAM
Usual syntax:B := 1;
WHILE A 6= 0 DOB := B ∗ A;
A := A − 1
OD
Expressions are functions from state to bool or nat:
B := (λσ. 1);
WHILE (λσ. σ A 6= 0) DOB := (λσ. σ B ∗ σ A);
A := (λσ. σ A − 1)
OD
EXAMPLE PROGRAM 6-A
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-A
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need:
the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-B
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-C
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-E
WHAT DOES IT DO?
So far we have defined:
➜ Syntax of commands and expressions
➜ State of programs (function from variables to values)
Now we need: the meaning (semantics) of programs
How to define execution of a program?
➜ A wide field of its own (visit a semantics course!)
➜ Some choices:
• Operational (inductive relations, big step, small step)• Denotational (programs as functions on states, state transformers)• Axiomatic (pre-/post conditions, Hoare logic)
WHAT DOES IT DO? 7-F
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→
σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-A
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-B
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True
〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-C
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False
〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-D
STRUCTURAL OPERATIONAL SEMANTICS
〈SKIP, σ〉 −→ σ
e σ = v
〈x := e, σ〉 −→ σ[x 7→ v]
〈c1, σ〉 −→ σ′ 〈c2, σ′〉 −→ σ′′
〈c1; c2, σ〉 −→ σ′′
b σ = True 〈c1, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
b σ = False 〈c2, σ〉 −→ σ′
〈IF b THEN c1 ELSE c2, σ〉 −→ σ′
STRUCTURAL OPERATIONAL SEMANTICS 8-E
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→
σ
b σ = True 〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→ σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True 〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→ σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-A
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True
〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→
σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-B
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True 〈c, σ〉 −→ σ′
〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→
σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-C
STRUCTURAL OPERATIONAL SEMANTICS
b σ = False
〈WHILE b DO c OD, σ〉 −→ σ
b σ = True 〈c, σ〉 −→ σ′ 〈WHILE b DO c OD, σ′〉 −→ σ′′
〈WHILE b DO c OD, σ〉 −→ σ′′
STRUCTURAL OPERATIONAL SEMANTICS 9-D
DEMO: THE DEFINITIONS IN ISABELLE
10
PROOFS ABOUT PROGRAMS
Now we know:
➜ What programs are: Syntax
➜ On what they work: State
➜ How they work: Semantics
So we can prove properties about programs
Example:Show that example program from slide 6 implements the factorial.
lemma 〈factorial, σ〉 −→ σ′ =⇒ σ′B = fac (σA)
(where fac 0 = 0, fac (Suc n) = (Suc n) ∗ fac n)
PROOFS ABOUT PROGRAMS 11
PROOFS ABOUT PROGRAMS
Now we know:
➜ What programs are: Syntax
➜ On what they work: State
➜ How they work: Semantics
So we can prove properties about programs
Example:Show that example program from slide 6 implements the factorial.
lemma 〈factorial, σ〉 −→ σ′ =⇒ σ′B = fac (σA)
(where fac 0 = 0, fac (Suc n) = (Suc n) ∗ fac n)
PROOFS ABOUT PROGRAMS 11-A
PROOFS ABOUT PROGRAMS
Now we know:
➜ What programs are: Syntax
➜ On what they work: State
➜ How they work: Semantics
So we can prove properties about programs
Example:Show that example program from slide 6 implements the factorial.
lemma 〈factorial, σ〉 −→ σ′ =⇒ σ′B = fac (σA)
(where fac 0 = 0, fac (Suc n) = (Suc n) ∗ fac n)
PROOFS ABOUT PROGRAMS 11-B
DEMO: EXAMPLE PROOF
12
TOO TEDIOUS
Induction needed for each loop
Is there something easier?
TOO TEDIOUS 13
TOO TEDIOUS
Induction needed for each loop
Is there something easier?
TOO TEDIOUS 13-A
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:
{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-A
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-B
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-C
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-D
FLOYD/HOARE
Idea: describe meaning of program by pre/post conditions
Examples:{True} x := 2 {x = 2}
{y = 2} x := 21 ∗ y {x = 42}
{x = n} IF y < 0 THEN x := x + y ELSE x := x− y {x = n− |y|}
{A = n} factorial {B = fac n}
Proofs: have rules that directly work on such triples
FLOYD/HOARE 14-E
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-A
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-B
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-C
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-D
MEANING OF A HOARE-TRIPLE
{P} c {Q}
What are the assertions P and Q?
➜ Here: again functions from state to bool
(shallow embedding of assertions)
➜ Other choice: syntax and semantics for assertions (deep embedding)
What does {P} c {Q} mean?
Partial Correctness:|= {P} c {Q} ≡ (∀σ σ′. P σ ∧ 〈c, σ〉 −→ σ′ =⇒ Q σ′)
Total Correctness:|= {P} c {Q} ≡ (∀σ. P σ =⇒ ∃σ′. 〈c, σ〉 −→ σ′ ∧ Q σ′)
This lecture: partial correctness only (easier)
MEANING OF A HOARE-TRIPLE 15-E
HOARE RULES
{P} SKIP {P}
{P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-A
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-B
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-C
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q}
{P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-D
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-E
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-F
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′
{P ′} c {Q′}
Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-G
HOARE RULES
{P} SKIP {P} {P [x 7→ e]} x := e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1; c2 {Q}
{P ∧ b} c1 {Q} {P ∧ ¬b} c2 {Q}
{P} IF b THEN c1 ELSE c2 {Q}
{P ∧ b} c {P} P ∧ ¬b =⇒ Q
{P} WHILE b DO c OD {Q}
P =⇒ P ′ {P ′} c {Q′} Q′ =⇒ Q
{P} c {Q}
HOARE RULES 16-H
HOARE RULES
` {P} SKIP {P} ` {λσ. P (σ(x := e σ))} x := e {P}
` {P} c1 {R} ` {R} c2 {Q}
` {P} c1; c2 {Q}
` {λσ. P σ ∧ b σ} c1 {R} ` {λσ. P σ ∧ ¬b σ} c2 {Q}
` {P} IF b THEN c1 ELSE c2 {Q}
` {λσ. P σ ∧ b σ} c {P}∧
σ. P σ ∧ ¬b σ =⇒ Q σ
` {P} WHILE b DO c OD {Q}
∧σ. P σ =⇒ P ′ σ ` {P ′} c {Q′}
∧σ. Q′ σ =⇒ Qσ
` {P} c {Q}
HOARE RULES 17
ARE THE RULES CORRECT?
Soundness: ` {P} c {Q} =⇒|= {P} c {Q}
Proof: by rule induction on ` {P} c {Q}
Demo: Hoare Logic in Isabelle
ARE THE RULES CORRECT? 18
ARE THE RULES CORRECT?
Soundness: ` {P} c {Q} =⇒|= {P} c {Q}
Proof: by rule induction on ` {P} c {Q}
Demo: Hoare Logic in Isabelle
ARE THE RULES CORRECT? 18-A
ARE THE RULES CORRECT?
Soundness: ` {P} c {Q} =⇒|= {P} c {Q}
Proof: by rule induction on ` {P} c {Q}
Demo: Hoare Logic in Isabelle
ARE THE RULES CORRECT? 18-B
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-A
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-B
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-C
NICER, BUT STILL KIND OF TEDIOUS
Hoare rule application seems boring & mechanical.
Automation?
Problem: While – need creativity to find right (invariant) P
Solution:
➜ annotate program with invariants
➜ then, Hoare rules can be applied automatically
Example:{M = 0 ∧ N = 0}
WHILE M 6= a INV {N = M ∗ b} DO N := N + b; M := M + 1 OD{N = a ∗ b}
NICER, BUT STILL KIND OF TEDIOUS 19-D
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-A
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-B
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-C
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-D
WEAKEST PRECONDITIONS
pre c Q = weakest P such that {P} c {Q}
With annotated invariants, easy to get:
pre SKIP Q = Q
pre (x := a) Q = λσ. Q(σ(x := aσ))
pre (c1; c2) Q = pre c1 (pre c2 Q)
pre (IF b THEN c1 ELSE c2) Q = λσ. (b −→ pre c1 Q σ) ∧
(¬b −→ pre c2 Q σ)
pre (WHILE b INV I DO c OD) Q = I
WEAKEST PRECONDITIONS 20-E
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-A
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-B
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-C
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-D
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-E
VERIFICATION CONDITIONS
{pre c Q} c {Q} only true under certain conditions
These are called verification conditions vc c Q:
vc SKIP Q = True
vc (x := a) Q = True
vc (c1; c2) Q = vc c2 Q ∧ (vc c1 (pre c2 Q))
vc (IF b THEN c1 ELSE c2) Q = vc c1 Q ∧ vc c2 Q
vc (WHILE b INV I DO c OD) Q = (∀σ. Iσ ∧ bσ −→ pre c I σ)∧
(∀σ. Iσ ∧ ¬bσ −→ Q σ)∧
vc c I
vc c Q ∧ (pre c Q =⇒ P ) =⇒ {P} c {Q}
VERIFICATION CONDITIONS 21-F
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-A
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-B
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-C
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-D
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-E
SYNTAX TRICKS
➜ x := λσ. 1 instead of x := 1 sucks
➜ {λσ. σ x = n} instead of {x = n} sucks as well
Problem: program variables are functions, not values
Solution: distinguish program variables syntactically
Choices:➜ declare program variables with each Hoare triple
• nice, usual syntax• works well if you state full program and only use vcg
➜ separate program variables from Hoare triple (use extensible records),indicate usage as function syntactically
• more syntactic overhead• program pieces compose nicely
SYNTAX TRICKS 22-F
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-A
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-B
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-C
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-D
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-E
RECORDS IN ISABELLE
Records are a tuples with named components
Example:
record A = a :: natb :: int
➜ Selectors: a :: A ⇒ nat, b :: A ⇒ int, a r = Suc 0
➜ Constructors: (| a = Suc 0, b = −1 |)
➜ Update: r(| a := Suc 0 |)
Records are extensible:record B = A +
c :: nat list
(| a = Suc 0, b = −1, c = [0, 0] |)
RECORDS IN ISABELLE 23-F
DEMO
24
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-A
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-B
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-C
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-D
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-E
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-F
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-G
MORE
Available now in Isablle:
➜ procedures
➜ with blocks and local variables
➜ and (mutual) recursion
➜ exceptions
➜ arrays
➜ pointers
We’re working at:
➜ nondeterminsm
➜ probability
➜ object orientation
MORE 25-H
WE HAVE SEEN TODAY ...
➜ Syntax and semantics of IMP
➜ Hoare logic rules
➜ Soundness of Hoare logic
➜ Verification conditions
➜ Example program proofs
WE HAVE SEEN TODAY ... 26
EXERCISES
➜ Write a program in IMP that calculates quotient and reminder ofx ∈ IN and y ∈ IN
➜ Find the right invariant for its while loop.
➜ Show its correctness in Isabelle:
` {True} program { Q ∗ y + R = x ∧ R < y }
➜ Write an IMP program that sorts arrays (lists) by insertion sort.
➜ Formulate and show its correctness in Isabelle.
EXERCISES 27
