
CS3001: Formal Methods
Andrew Butterfield
Foundations & Methods Group, Software Systems Laboratory
Andrew.Butterfi[email protected]
Room F.13, O'Reilly Institute
Semester II, 2011
3BA31 Formal Methods, Week 1

CS3001: Approach

  When                 What
  Monday 12noon        Lecture; mini-Exercise
  Thursday 12noon      mini-Solution; Tutorial/Examples; "real-world"
  Thursday 2pm         Lecture

CS3001: Assessment

  Exam: 80%
  Coursework: 20%
    Project: 10%
    Class (Mini-)Exercises: 10%

  Mini-exercises handed out at end of Monday class.
  Mini-solutions due in at start of Thursday 12noon class.
  These deadlines are hard, as solutions will be given out at the start of the 12noon Thursday class.

CS3001: Resources

  www.scss.tcd.ie/Andrew.Butterfield/Teaching/CS3001/

  Main Reference Text:
    Unifying Theories of Programming, C.A.R. Hoare and Jifeng He, Prentice Hall, 1998.
    (available online at http://www.unifyingtheories.org/)

  Secondary Texts:
    A Logical Approach to Discrete Math, D. Gries & F. B. Schneider, Springer, 1993 (your JF math text!).
    Using Z, J. Woodcock & J. Davies, Prentice Hall, 1996.
    (available online at http://www.usingZ.com/)

What are "Formal" Systems?

  Specified collection of Symbols (lexicon)
  Specified ways of putting them together (well-formedness)
  Specific ways of manipulating symbol-sequences (inference rules)

  Typically the goal is to transform a starting sequence into a final one having desired properties.

Example: System ~z= ("H-Cross-I")

  Symbols: ~  z  =
  Well-Formed Sequences: H-Things and I-Things, where:
    H-Thing: a ~ followed by Crosses
    Crosses: zero or more z
    I-Thing: a = followed by two H-Things
  Manipulations (let f1 and f2 stand for arbitrary Crosses):
    ⟨⟨I-absorb⟩⟩:       =~~f1     becomes  ~f1
    ⟨⟨swap-Cross-H⟩⟩:   =~f1z~f2  becomes  =~f1~zf2
  Goal: convert a starting I-Thing into a H-Thing

Example / Interpretation

  Interpretation:  ~ is 0 (zero),  z is +1 (succ),  = is + (plus)

    Example                      Interpretation
      =~zz~zzz                   (0+1+1) + (0+1+1+1)      2 + 3
    = ⟨⟨swap-Cross-H⟩⟩
      =~z~zzzz                   (0+1) + (0+1+1+1+1)      1 + 4
    = ⟨⟨swap-Cross-H⟩⟩
      =~~zzzzz                   0 + (0+1+1+1+1+1)        0 + 5
    = ⟨⟨I-absorb⟩⟩
      ~zzzzz                     0+1+1+1+1+1              5

    =~f1z~f2  ⇢  =~f1~zf2        (n + 1) + m = n + (m + 1)
    =~~f1     ⇢  ~f1             0 + m = m

What's the point?

  We can give very precise meanings to the symbols.
  The manipulations can have a very well-defined meaning,
  but the symbols can be manipulated without our having to understand these meanings,
  which is exactly how a computer does it!
  Formal Methods allow us to limit the scope for human error and to exploit the use of machines to help our analysis.

Formal Logic

  We present a Formal System, called Predicate Calculus.
  Symbols: those used for expressions and propositional logic, as well as ∃, ∀, •.
  Well-Formedness: Predicates: well-structured expressions whose type is Boolean.
  Manipulation Rules: classified as Axioms and Inference Rules.
  Goal: to prove a given Predicate is "True".

Expressions

  We build basic expressions out of constants (k ∈ Const), variables (v ∈ Var), tuples, functions and operators:

    e ∈ Expr ::= k | v             constants, variables
               | (e1, …, en) | {…}  aggregates
               | e1 e2              function application
               | e1 ⊕ e2            infix application
               | (e)                parenthesised expr.

  Read e ∈ Expr ::= … as "e, an Expr, is …".
  Read k as "a constant k".
  Read | as "or".
  We do not give a complete definition here of expressions, and will extend this as the course progresses.

Expressions (Aggregates)

    e ∈ Expr ::= (e1, …, en) | {…}  aggregates

  Aggregates are distinguished by different brackets:
    (e1, …, en)   tuples
    {e1, …, en}   sets
    ⟨e1, …, en⟩   sequences
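The H-Cross-I system above, encoded as a small string-rewriting engine. This is an added example, not code from the lecture notes; it uses the glyphs ~, z and = as they appear in the notes and the rule names ⟨⟨swap-Cross-H⟩⟩ and ⟨⟨I-absorb⟩⟩. It checks that every rewrite step preserves the notes' interpretation (the value 5 for 2 + 3), which is exactly what makes the purely symbolic manipulation trustworthy.

```python
import re

# Well-formedness: an H-Thing is '~' followed by zero or more 'z' (Crosses);
# an I-Thing is '=' followed by two H-Things.
H_THING = re.compile(r"^~z*$")
I_THING = re.compile(r"^=~z*~z*$")

def well_formed(s):
    return bool(H_THING.match(s) or I_THING.match(s))

# Manipulation rules; f1 and f2 stand for arbitrary Crosses as in the notes.
SWAP = re.compile(r"^=~(z*)z~(z*)$")    # <<swap-Cross-H>>: =~f1z~f2 becomes =~f1~zf2
ABSORB = re.compile(r"^=~~(z*)$")       # <<I-absorb>>:     =~~f1    becomes ~f1

def swap_cross_h(s):
    m = SWAP.match(s)
    return f"=~{m.group(1)}~z{m.group(2)}" if m else None

def i_absorb(s):
    m = ABSORB.match(s)
    return f"~{m.group(1)}" if m else None

RULES = (("swap-Cross-H", swap_cross_h), ("I-absorb", i_absorb))

def reduce_to_h_thing(s):
    """Rewrite until only an H-Thing is left; returns the (rule, sequence) steps."""
    if not well_formed(s):
        raise ValueError(f"not a well-formed sequence: {s!r}")
    steps = [("start", s)]
    while not H_THING.match(s):
        for name, rule in RULES:
            nxt = rule(s)
            if nxt is not None:
                s = nxt
                steps.append((name, s))
                break
        else:                       # cannot happen for a well-formed I-Thing
            raise RuntimeError(f"no rule applies to {s!r}")
    return steps

def interpret(s):
    """The notes' interpretation: '~' is 0, each 'z' is +1, '=' is plus."""
    if H_THING.match(s):
        return s.count("z")
    left, right = s[1:].split("~")[1:]   # the Crosses of the two H-Things after '='
    return len(left) + len(right)

if __name__ == "__main__":
    for rule, seq in reduce_to_h_thing("=~zz~zzz"):
        print(f"{rule:13} {seq:10} means {interpret(seq)}")
```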
Expressions (Function application)

  We define function application without brackets, so f x denotes function f applied to argument x (if f is a prefix function, which most are!).
  We can write function application with brackets if we prefer, so f(x) and f x are equivalent.
  In some of the literature, function application is shown explicitly with a dot, so f.x is the same as f x (or f(x)).
  In the case where f is a postfix function, then applying f to x is written as x f (e.g. raising to a power: x² is the squaring function ² post-applied to x).
  The notation used is often a matter of style, and depends on context.

Expressions (Infix operators)

    e ∈ Expr ::= e1 ⊕ e2   infix operator application

  Here ⊕ denotes any infix binary operator, such as +, −, ∗, /, =, <, >, ≤, ≥, ∪, ∩, …
  Parentheses and precedence behave in the same manner as found in most programming languages, so x + y ∗ z is the same as x + (y ∗ z), but different from (x + y) ∗ z.

Well-Typedness

  We require expressions to be well typed, e.g. we want to outlaw nonsense like 3 + (A ∪ B) or ⟨1, 0, 1, 0⟩ − 5 = True.
  We write the assertion that expression e has type T as

    e : T

  We can consider (for now) a type T as being the set of values that are allowed for something of that type.
  There are rules for checking (and/or inferring) expression types, which we ignore for now.

Types

  We make use of a rich variety of given types and type constructors:

    S, T ∈ Type ::= 1                   unit type
                  | 𝔹                   boolean values
                  | 𝔸                   (ASCII) characters
                  | ℕ | ℤ | ℚ | ℝ | ℂ   numbers
                  | ℙ T                 set of T
                  | T1 × ··· × Tn       cross-product
                  | T*                  sequence of T
                  | S → T               function from S to T

Expressions (Type annotations)

    e ∈ Expr ::= …
               | (e : T)   type annotation

  Usually we let expression types be determined from context, but if necessary we can annotate (sub-)expressions with types, i.e. (x : ℚ)² = 2 instead of x² = 2.
  Note that an incorrect annotation is not a type error, but is simply a statement, so ((A ∪ B) : ℕ) is ill-typed, even if A ∪ B is well-typed (presumably with A : ℙT and B : ℙT, for some type T).

Expression Meaning

  What is our intended meaning for an expression? (e.g. x² + y)
  It depends on the value of x and y, so let x = 3 and y = 5 (say).
  OK, so then x² + y has value 14.
  The "meaning" of an expression is the relationship it creates between the values of its variables and its own overall value:

    meaning : values(x, y) → value

  Alternatively, we can view the meaning as a function from variables to the expression's value.

Environments

  We call the association of values with variables an Environment (or Interpretation); it is a table associating a value with every variable (whose value is defined).
  We assume environments are always well-formed, in that the associated value is always of the correct type.

    Variable : Type    Value
    list     : ℕ*      ⟨1, 1, 2, 3, 5, 8, 13⟩
    ix       : ℕ       4
    offset   : ℕ       2

Evaluating Expressions against Environments

  Given an environment (as per previous slide), it is possible to determine the value for an expression in a systematic way.

      ix + offset ≤ length list
    = "lookup above table"
      4 + 2 ≤ length ⟨1, 1, 2, 3, 5, 8, 13⟩
    = "defn. of + and length (?)"
      6 ≤ 7
    = "defn. of ≤ (?)"
      True

  (?) Where do we find the definitions of +, length and ≤?

Class 2

Modelling Environments

  We usually model Environments mathematically as a finite partial map (ρ) from variables to values:

    ρ ∈ Env = Var ⇸ Value

  Here the 'type' Value should be considered as the union of all possible types.
  A table entry mapping variable v to value k is written as v ↦ k.
  A table is a set of table entry mappings (order is irrelevant):

    {list ↦ ⟨1, 1, 2, 3, 5, 8, 13⟩, ix ↦ 4, offset ↦ 2}

Expressions as Functions

  Given an expression, and then an environment, we can get the value of that expression in that environment.
  We can therefore view the meaning of an expression as a (partial (?)) function from environments to values.
  Let [[e]] denote the "meaning of e"; then we can say

    [[e]] : Env ⇸ Value

  The meaning function, given an expression, returns a partial function from environments to values.

Predicates

  A Predicate is an "expression" whose type is boolean (𝔹).

    P ∈ Pred ::= …
    [[P]] : Env → 𝔹

  Remember that "type" Value contains values of all types, including 𝔹, so 𝔹 ⊆ Value.
  Unlike expressions, where evaluation w.r.t. an environment may be undefined, we insist that predicates always evaluate to either True or False.

Atomic Predicates

  An Atomic Predicate is an expression whose overall type is Boolean, and whose constituent parts have non-Boolean types.

    A, B, C ∈ AtmPred ::= e : 𝔹

  They can be viewed as a function from an environment to the values true or false.

    [[A]] : Env → 𝔹

  Examples:

True & False

  Two special predicates true and false always return True and False respectively, regardless of the environment.
  True and true are not the same:
    True : 𝔹 is a boolean value
    true : Env → 𝔹 is a predicate, a function from environments to 𝔹.
  Similarly for False and false.
  In practice we can often ignore the distinction, using them interchangeably.
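The environment and evaluation sections above, as an added example that is not code from the lecture notes: an environment is a finite partial map of maplets (a dict), a well-formedness check confirms each value has its variable's declared type, and [[e]] is built as a partial function from environments to values that is undefined when a variable has no value. The tuple-based expression encoding and the helper names are my own assumptions; the predicate ix + offset ≤ length list and the table are the ones from the notes.

```python
# Value is the union of all types used here: N (int), N* (tuple), B (bool).
# An environment rho is a finite partial map Var -> Value, i.e. a dict of maplets.
RHO = {"list": (1, 1, 2, 3, 5, 8, 13), "ix": 4, "offset": 2}   # the table from the notes
TYPES = {"list": "N*", "ix": "N", "offset": "N"}               # declared variable types

def has_type(v, t):
    if t == "N":
        return isinstance(v, int) and not isinstance(v, bool) and v >= 0
    if t == "N*":
        return isinstance(v, tuple) and all(has_type(x, "N") for x in v)
    return isinstance(v, bool)                       # t == "B"

def well_formed(rho):
    """Well-formed: every variable's value has that variable's declared type."""
    return all(has_type(rho[v], TYPES[v]) for v in rho)

class Undefined(Exception):
    """[[e]] is partial: it may have no value at some environments."""

# Expressions (my own encoding): a constant k, a variable ('var', v),
# prefix application ('app', f, e) or infix application ('infix', op, e1, e2).
PREFIX = {"length": len}
INFIX = {"+": lambda a, b: a + b, "<=": lambda a, b: a <= b}

def meaning(e):
    """[[e]] : Env -/-> Value, returned as a Python function of rho."""
    def ev(rho):
        if not isinstance(e, tuple):
            return e                                 # constant k
        if e[0] == "var":
            if e[1] not in rho:
                raise Undefined(f"{e[1]} has no value in this environment")
            return rho[e[1]]
        if e[0] == "app":
            return PREFIX[e[1]](meaning(e[2])(rho))
        return INFIX[e[1]](meaning(e[2])(rho), meaning(e[3])(rho))
    return ev

def defined(e, rho):
    try:
        meaning(e)(rho)
        return True
    except Undefined:
        return False

# true and false are predicates Env -> B; True and False are the values in B.
true = lambda rho: True
false = lambda rho: False

P = ("infix", "<=", ("infix", "+", ("var", "ix"), ("var", "offset")),
     ("app", "length", ("var", "list")))   # ix + offset <= length list, as in the notes
```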