Formalizing Dijkstra
John Harrison, University of Cambridge, 12 February 1998

Slide 1: Formalizing Dijkstra

I've been playing around recently formalizing Dijkstra's "A Discipline of Programming". This talk is about a few aspects of the work.

• A Discipline of Programming
• Mechanizing programming logics
• Relational semantics
• Weakest preconditions
• Theorems about loops
Slide 2: A Discipline of Programming

This classic monograph by Dijkstra has several interesting features.

• Stress on programs as primarily mathematical formalisms, whose runnability on a machine is, so to speak, a lucky accident.
• Systematic use of the (then new) method of weakest preconditions to give semantics to programs.
• Formal treatment of a number of attractive algorithms, several of which have subsequently become classics, e.g. Hamming's problem and the Dutch National Flag.

It's surely Dijkstra's best book. In fact, the people who buy books for Cambridge University's libraries seem to think it's his only good book.
Slide 3: Why formalize it?

It seemed that it might be fun to formalize ADOP, for several reasons:

• Formalization tends to inspire a close reading, which this book probably deserves.
• Dijkstra is very pro-correctness proofs, but very anti-computer checking. It seemed interesting to see how his arguments stand up to formalization.
• This sort of formalization is generally pretty easy compared with floating point verification, so it provides light relief and the feeling of making rapid progress.
• "None of the programs in this monograph, needless to say, has been tested on a machine." [p. xvi]
Slide 4: This isn't new

Mike Gordon showed in 1988 how to formalize programming logics in higher order logic theorem provers. It would also work fine in set theory or any suitable general mathematical formalism. He and Tom Melham actually used a tactic to do verification condition generation, which works very nicely. (I've used this approach in floating point verification.)

Since then there's been a slew of work formalizing programming languages based on the same ideas, e.g. Agerholm, Grundy, Homeier, Nipkow, Tredoux and von Wright, to name just a few.

As well as programming languages, there have been formalizations of hardware description languages and other CS formalisms, e.g. CCS, CSP, ELLA, π-calculus, TLA, UNITY, Verilog and VHDL.
Slide 5: Formalizing states

Following von Wright, we have a sort of "shallow embedding" of states, where the state is represented as a tuple of variables. Commands are implicitly abstracted over these variables, e.g. if we have three variables x, y and z, the assignment x := y + z would be:

  Assign (\(x,y,z). (y + z,y,z))

All this is dealt with by parsing and printing, so the surface syntax is generally acceptable.

The problem with a more explicit representation of the environment is that one ends up fixing the possible types for variables in advance. In set theory, this is not a problem, as Mark Staples will show in his thesis.
Slide 6: Logical operators

Most of Dijkstra's use of logical operators is implicitly at the predicate level, so it's handy to define various liftings of logical operators, e.g.

  |- p And q = \x. p x /\ q x
  |- Forall P l = \x. FORALL (\a. P a x) l

In fact, I wondered if his use of `non' for negation is a sort of pun (e.g. `x is non empty if not (x is empty)').

Sometimes Dijkstra is pretty vague here about where he implicitly means `for all states'. I believe he nowadays writes things in square brackets to indicate quantification over all free variables. We have two separate forms of implication, again following von Wright:

  |- p Imp q = \x. p x ==> q x
  |- p Implies q = !x. p x ==> q x
Slide 7: Relational semantics

Dijkstra actually defines commands via their weakest preconditions. This was also done in HOL by von Wright et al.

  "We take the point of view that we know the possible performance of the mechanism S sufficiently well, provided that we can derive for any postcondition R the corresponding weakest precondition wp(S, R), because then we have captured what the mechanism can do for us; and in the jargon the latter is called 'its semantics'." [p17]

To us it seems more satisfactory to start with a more intuitive and operational view of programs and derive weakest preconditions afterwards. Dijkstra doesn't manage to escape from operational thinking completely, however hard he tries.
Slide 8: Nondeterminism

Using relations σ → σ → bool, or σ × σ → bool, has the defect, as noted in Gordon's original paper, that we can't really treat nondeterminism properly. We want to be able to distinguish possible and certain termination. Jim Grundy shows in his thesis (also the proceedings of a conference in Novosibirsk, LNCS 735) that all ways of interpreting relations of this form lead to problems treating nondeterminism.

Instead, we use σ → σ? → bool, i.e. introduce a separate type of `outcomes' σ?. In HOL:

  (A)outcome = Loops | Terminates A

We basically follow Hesselink's CUP book on weakest preconditions; some of the later theorems are also taken from his book, supplementing those given by Dijkstra.
Slide 9: Weakest preconditions

It's now straightforward to define weakest preconditions and weakest liberal preconditions:

  |- terminates c s = ~c s Loops
  |- wlp c q s = (!s'. c s (Terminates s') ==> q s')
  |- wp c q s = terminates c s /\ wlp c q s

Note that our semantics allows non-total commands, i.e. ones with no final outcome. According to the above definition these satisfy every postcondition! Hesselink uses them to interpret guards relationally. Anyway, all the actual commands we use are total.
Slide 10: Healthiness conditions

Dijkstra gives some healthiness conditions that predicate transformers of the form wp c should obey. With a proviso about total commands, these are all trivial to prove in HOL (call MESON_TAC with some relevant facts).

  |- (wp c False = False) = total c
  |- q Implies r ==> wp c q Implies wp c r
  |- wp c q And wp c r = wp c (q And r)
  |- wp c q Or wp c r Implies wp c (q Or r)
  |- deterministic c ==> (wp c p Or wp c q = wp c (p Or q))

where:

  |- deterministic c = (!s t1 t2. c s t1 /\ c s t2 ==> (t1 = t2))
  |- !c. total c = (!s. ?t. c s t)
Slide 11: Other theorems

We also prove various other assertions by Dijkstra in the same chapter, and some more from Hesselink, e.g.

  |- wp c r = wlp c r And wp c True
  |- total c = !p. wp c p Implies Not(wlp c (Not p))
  |- deterministic c = !p. Not(wlp c (Not p)) Implies wp c p

They're all pretty easy, except for the case where Dijkstra gets it wrong. Once MESON_TAC had taken 10 seconds I knew either Dijkstra or I must have made a mistake.

Dijkstra [pp. 21-2] enumerates the 7 `mutually exclusive' possibilities when a nondeterministic command c is started in a given state with a postcondition r in mind:
Slide 12: Dijkstra's error (1)

1. c will terminate and establish r
2. c will terminate and establish not r
3. c will not terminate
4. c will terminate and may or may not satisfy r
5. c may or may not terminate, but if it does will satisfy r
6. c may or may not terminate, but if it does will satisfy not r
7. c may or may not terminate, and if it does may or may not satisfy r

This is quite right. But his rendering of these in terms of weakest preconditions is wrong.
Slide 13: Dijkstra's error (2)

In the precise terms of Dijkstra's description, far from all being mutually exclusive, area (c) is contained in areas (ac) and (bc). Dijkstra uses Not (wp c True) to indicate possible non-termination, but this wrongly includes the third case of certain non-termination. We replace this with Not (wp c True Or wlp c False), and with this change all the cases are indeed distinct.

His error is basically a confusion of two different notions of doubt or certainty. Perhaps there's something unintuitive about nondeterministic machines, despite his confident pronouncements:

  "Once the mathematical equipment needed for the design of nondeterministic mechanisms achieving a purpose has been developed, the nondeterministic machine is no longer frightening. On the contrary!"
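The following is an added example, not part of Harrison's HOL development: it models the outcome type, wp and wlp of slides 8 and 9 in Python over a constructed four-state space, then checks the healthiness conditions of slide 10 and Dijkstra's seven cases (with and without the correction above) by enumeration. The state space, the command `demo` and the postconditions are constructed for illustration.

```python
# Added example, not Harrison's HOL code: relational semantics with an explicit
# outcome type, wp/wlp and Dijkstra's seven cases, over a constructed finite
# state space so that every predicate can be checked by enumeration.
STATES = range(4)                    # toy states: x in {0, 1, 2, 3}
LOOPS = "Loops"                      # (A)outcome = Loops | Terminates A
def Terminates(t): return ("Terminates", t)

# A command c is a relation: c(s, o) holds when outcome o is possible from s.
def terminates(c, s): return not c(s, LOOPS)                 # ~c s Loops
def wlp(c, q): return lambda s: all(q(t) for t in STATES if c(s, Terminates(t)))
def wp(c, q): return lambda s: terminates(c, s) and wlp(c, q)(s)

# Lifted logical operators (slide 6) and the quantified form of implication.
TRUE, FALSE = (lambda s: True), (lambda s: False)
def Not(p): return lambda s: not p(s)
def And(p, q): return lambda s: p(s) and q(s)
def Or(p, q): return lambda s: p(s) or q(s)
def Implies(p, q): return all(q(s) for s in STATES if p(s))  # !x. p x ==> q x
def Equal(p, q): return all(p(s) == q(s) for s in STATES)    # predicate equality
def total(c): return all(c(s, LOOPS) or any(c(s, Terminates(t)) for t in STATES)
                         for s in STATES)

# Constructed nondeterministic command, given by its possible outcomes.
OUTCOMES = {0: {Terminates(0), Terminates(1)},   # terminates, result uncertain
            1: {LOOPS, Terminates(1)},           # may or may not terminate
            2: {Terminates(2)},                  # deterministic
            3: {LOOPS}}                          # certainly does not terminate
def demo(s, o): return o in OUTCOMES[s]

def healthiness(c, q, r):
    """Healthiness conditions from slide 10; all must hold when c is total."""
    return (Equal(wp(c, FALSE), FALSE) == total(c)
            and (not Implies(q, r) or Implies(wp(c, q), wp(c, r)))
            and Equal(And(wp(c, q), wp(c, r)), wp(c, And(q, r)))
            and Implies(Or(wp(c, q), wp(c, r)), wp(c, Or(q, r))))

def cases(c, r, s, corrected):
    """Dijkstra's seven cases (pp. 21-2) that hold in state s for postcondition
    r.  corrected=False renders 'may or may not terminate' as Dijkstra's
    Not(wp c True); corrected=True uses Not(wp c True Or wlp c False)."""
    maybe = Not(Or(wp(c, TRUE), wlp(c, FALSE))) if corrected else Not(wp(c, TRUE))
    both = And(Not(wlp(c, r)), Not(wlp(c, Not(r))))          # r may or may not hold
    table = [wp(c, r), wp(c, Not(r)), wlp(c, FALSE), And(wp(c, TRUE), both),
             And(maybe, wlp(c, r)), And(maybe, wlp(c, Not(r))), And(maybe, both)]
    return [i + 1 for i, p in enumerate(table) if p(s)]

def partition(c, r, corrected):
    """True iff every state falls into exactly one of the seven cases."""
    return all(len(cases(c, r, s, corrected)) == 1 for s in STATES)
```

State 3 (only the outcome Loops) lands in cases 3, 5 and 6 under Dijkstra's rendering and only in case 3 under the corrected one, which is exactly the containment of area (c) in (ac) and (bc) described above.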
Slide 14: Guarded commands

Dijkstra's actual commands are a bit eccentric, making up the `guarded command language'. Essentially:

  command ::= skip
            | abort
            | x1, ..., xn := E1, ..., En
            | command; command
            | if gc □ ... □ gc fi
            | do gc □ ... □ gc od
  gc ::= expression → command
Slide 15: Semantics of loops

It's trivial to derive the weakest preconditions for most of the commands. The more interesting ones are for loops.

Dijkstra gives a definition of a semantics for loops on pp. 35-6. But this is completely bogus, sneaking in the assumption that a loop will terminate iff there is an upper bound on the number of iterations. This requires an assumption of bounded nondeterminacy (and an appeal to König's lemma). Dijkstra eventually discusses this in chapter 9.

We define the semantics of loops at a relational level in a fairly obvious way, sticking to the spirit of Dijkstra's definition, i.e. talking about some number of iterations. Dijkstra prefers this to inductive or recursive definitions.
Slide 16: Theorems for loops

Dijkstra gives several theorems for loops, which we can prove relatively easily in HOL. His most `basic' theorem is:

  |- p And Exists (\(g,c). g) gcs Implies wp (If gcs) p
     ==> p And wp (Do gcs) True Implies wp (Do gcs) (p And Not(Exists (\(g,c). g) gcs))

This has just wp (Do gcs) True as the hypothesis that the loop terminates. Of course in practice, one wants to show this using some reduction in the state w.r.t. a wellfounded ordering round each iteration of the loop. So we also derive:

  |- WF(<<) /\
     (!X. p And Exists (\(g,c). g) gcs And (\s. s = X)
          Implies wp (If gcs) (p And (\s:S. s << X)))
     ==> p Implies wp (Do gcs) (p And Not(Exists (\(g,c). g) gcs))

We get from this the exact theorems Dijkstra gives.
Slide 17: Reflections on loops

One can derive the `less basic' theorem that is actually used in practice purely from a fixpoint assertion about the weakest precondition:

  |- wp (Do gcs) (q:S->bool) =
     q And Not (Exists (\(g,c). g) gcs) Or wp (If gcs) (wp (Do gcs) q)

For the more basic theorem with wp (Do gcs) True as the hypothesis this isn't true; we need leastness. For example this loop has x := 0 as a fixpoint:

  do x /= 0 -> x := x + 1 od

We think this point is worth mentioning. Even if, like Dijkstra, you hate recursion and induction, that kind of loop unrolling is intuitive. It's nice that we don't need any more precise fixing of the semantics of loops if we are merely interested in proving total correctness of programs in the usual way.
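An added example, not from the slides or from the HOL sources: guarded commands as predicate transformers over a constructed finite state space, with wp (Do gcs) computed as the least fixpoint of the unrolling equation above, so that the basic theorem of slide 16 and the extra fixpoint x := 0 of the loop above can be checked by enumeration. The bound N, the saturating increment and the state space are assumptions of this model.

```python
# Added example, not Harrison's HOL code: guarded commands as predicate
# transformers over a constructed finite state space (one variable x, saturating
# at N so the slide's loop keeps terminating only from x = 0), with wp (Do gcs)
# taken as the least fixpoint of the unrolling equation on slide 17.
N = 5
STATES = range(N + 1)
TRUE, FALSE = (lambda s: True), (lambda s: False)
def Equal(p, q): return all(p(s) == q(s) for s in STATES)       # predicate equality
def guard_of(gcs): return lambda s: any(g(s) for g, c in gcs)   # Exists (\(g,c). g) gcs

def assign(e):   # wp (x := e) q = q o e
    return lambda q: (lambda s: q(e(s)))
def If(gcs):     # wp (If gcs) q: some guard holds and every enabled branch establishes q
    return lambda q: (lambda s: guard_of(gcs)(s) and all(c(q)(s) for g, c in gcs if g(s)))
def unroll(gcs, q, w):
    r"""One unrolling: q And Not(Exists (\(g,c). g) gcs) Or wp (If gcs) w."""
    return lambda s: (q(s) and not guard_of(gcs)(s)) or If(gcs)(w)(s)
def Do(gcs):
    """wp (Do gcs) q as the least fixpoint of W = unroll(gcs, q, W), reached by
    Kleene iteration from False; the chain is finite on a finite state space."""
    def transformer(q):
        w = FALSE
        while True:
            nxt = unroll(gcs, q, w)
            if Equal(nxt, w):
                return w
            w = nxt
    return transformer

# The loop from the slide: do x /= 0 -> x := x + 1 od  (increment saturates at N)
LOOP = [(lambda s: s != 0, assign(lambda s: min(s + 1, N)))]

def is_fixpoint(transformer, q):
    """Does the transformer satisfy the unrolling equation for postcondition q?
    Both wp (Do LOOP) and the assignment x := 0 do, but only the former is least."""
    return Equal(transformer(q), unroll(LOOP, q, transformer(q)))

def basic_theorem(gcs, p):
    """Dijkstra's basic loop theorem (slide 16), checked for the invariant p:
    p And Exists g Implies wp (If gcs) p  ==>
    p And wp (Do gcs) True Implies wp (Do gcs) (p And Not (Exists g))."""
    g = guard_of(gcs)
    hyp = all(If(gcs)(p)(s) for s in STATES if p(s) and g(s))
    concl = all(Do(gcs)(lambda t: p(t) and not g(t))(s)
                for s in STATES if p(s) and Do(gcs)(TRUE)(s))
    return (not hyp) or concl
```

With postcondition True the least fixpoint holds only at x = 0, while x := 0 also satisfies the equation yet claims termination everywhere, which is why the basic theorem needs leastness.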
Slide 18: Future work

Most of Dijkstra's language is formalized; we just need to deal with variable declarations and array variables.

The main idea is to formalize the proofs he gives for the correctness of algorithms, and see how well this goes.

I've already learned quite a bit about semantics and in particular weakest preconditions doing this work. I reckon so far it has been worthwhile.