Can we make use of ADTs in KeY?
Richard Bubel
June 28, 2005
Abstract Data Types (ADT)

    \sorts {
      \object LString;
    }

    \functions {
      LString nil;
      // first is char modeled as int
      LString cat(int, LString);
      \nonRigid[location] LString content(java.lang.String);
      int length(LString);
      LString substring(int, int);
      // first is char modeled as int
      int indexOf(int, LString);
    }

    \rules {
      compute_length_1 {
        \find (length(cat(ch, lstr)))
        \replacewith (1+length(lstr))
      };

      compute_length_2 {
        \find (length(nil))
        \replacewith (0)
      };

      LString_is_generated { // needs length definition
        \find (lstr)
        \varcond(\notFreeIn(chV, lstr), \notFreeIn(tailV, lstr))
        \add(\exists chV; \exists tailV;
              ((lstr=cat(chV, tailV) & length(lstr)=length(tailV)+1) |
               lstr=nil | lstr=null) ==>)
      }
    }

- focus on functional specification
- well-founded theory
- initiality → structural induction
- executable (if the axioms allow the definition of a term rewriting system)
Where may abstract data types help in KeY?

- Structural induction
  - make structural induction available in JavaCardDL
  - generate the correctness proof obligation
- Specification of concrete data types
  - for general use in proofs, e.g. java.lang.String
  - for intermediate usage: model partial aspects of a Java data type, e.g. inherent list structures
- Therefore
  - the concrete data type has to be (partially) mapped to an ADT
  - the mapping has to be proven correct
Structural Induction - Preliminaries

Definition (Constructors $C$): a set of n-ary functions containing at least one nullary function (constants/base elements). The nullary constants are usually described by a characterizing formula $\varphi_{basis}(x)$. For example: $C = \{null, next\}$ or $C = \{null, (left, right)\}$.

Definition (Generated): a data type $T$ is generated by $C$ if for every object $o \in T$ there exists a ground term made up only of elements in $C$.
Structural Induction - Rule

Let $\Psi(x)$ denote the induction hypothesis over type $T$.

Base Case:  $\Longrightarrow \forall T\ x;\ (\varphi_{basis}(x) \rightarrow \Psi(x))$

Step Case:  $\Longrightarrow \bigwedge_{c \in C,\ \alpha(c) = n} \forall T\ y, x_1, \ldots, x_n;\ \big(\bigwedge_{i = 1 \ldots n} \Psi(x_i)\ \&\ y \doteq c(x_1 \ldots x_n) \rightarrow \Psi(y)\big)$

Use Case:  $\forall T\ x;\ \Psi(x) \Longrightarrow$

Example (Single Linked List): $T = List$, $\varphi_{basis}(x) :\Leftrightarrow x \doteq null$, $C := \{next\}$

Base Case:  $\Longrightarrow \forall List\ x;\ (x \doteq null \rightarrow \Psi(x))$

Step Case:  $\Longrightarrow \forall List\ y, x_1;\ (\Psi(x_1)\ \&\ y.next \doteq x_1 \rightarrow \Psi(y))$

Use Case:  $\forall List\ x;\ \Psi(x) \Longrightarrow$
Induction Rule - Soundness

Soundness proof obligation: $\forall y : T.\ generated(y)$, where

$generated(y) :\Leftrightarrow \exists d : int.\ (d \geq 0\ \&\ generated(y, d))$

$generated(y, d) :\Leftrightarrow \bigvee_{c \in C,\ \alpha(c) = n} \exists x_1 \ldots x_n : T.\ \exists d_1 \ldots d_n : int.\ \big(d_1 \geq 0\ \&\ \ldots\ \&\ d_n \geq 0\ \&\ y = c(x_1 \ldots x_n)\ \&\ d = \max\{d_1 \ldots d_n\} + 1\ \&\ \bigwedge_{i = 1 \ldots n} generated(x_i, d_i)\big)$
Structural Induction - In KeY
Specification of concrete data types

Claim: in some cases an ADT specification offers an easier treatment of data types.

Example (String support in KeY)
- a String s modeled as an array of characters clutters the proof
- typically one is interested in the content of a String
- introduce a string ADT LString modeling string literals
- provide operations like substring or indexOf
- link to java.lang.String via the function content: String -> LString

    \<{ s = "ab"; }\> s.content = cat('a', cat('b', nil))

Apply assign_string_lit:

    {s:=c_new, c_new.content:=cat('a', cat('b', nil))} \<{ }\> s.content = cat('a', cat('b', nil))
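The LString ADT of slide 2, its generatedness predicate (slides 2 and 6) and the content mapping of slide 8, executed as a term rewriting system in Python. This is an added example, not code from the slides or from KeY; terms are nested tuples, Java null is None, and the definition of indexOf and the depth assigned to the base elements are assumptions, since the slides do not fix them.

```python
NIL = ("nil",)                              # LString nil; Java null is Python None

def cat(ch: int, tail):                     # LString cat(int, LString); char modeled as int
    return ("cat", ch, tail)

def content(s: str):
    """Slide 8's content: String -> LString, built from the literal right to left."""
    t = NIL
    for ch in reversed(s):
        t = cat(ord(ch), t)
    return t

def length(t) -> int:
    """Normalise length(t) with the rewrite rules compute_length_1 and compute_length_2."""
    n = 0
    while t is not None and t[0] == "cat":  # compute_length_1: length(cat(ch, l)) -> 1 + length(l)
        n += 1
        t = t[2]
    if t != NIL:                            # null or a term of another sort: no rule applies
        raise ValueError("length is stuck, no rewrite rule for %r" % (t,))
    return n                                # compute_length_2: length(nil) -> 0

def index_of(ch: int, t) -> int:
    """int indexOf(int, LString): the slides only declare it, so this structural
    definition (first position of ch, -1 if absent) is an assumption."""
    i = 0
    while t != NIL:
        if t is None:
            raise ValueError("indexOf is stuck on null")
        if t[1] == ch:
            return i
        i, t = i + 1, t[2]
    return -1

def generated_depth(t):
    """Slide 6's generated(y, d) for LString: the least d with generated(t, d), or None
    when t is not built from the constructors. nil and null, the two base cases of the
    LString_is_generated taclet, get depth 0 (assumed; the slides leave the nullary case
    open). cat has one LString argument, so d = max{d_tail} + 1, which mirrors the
    conjunct length(lstr) = length(tailV) + 1 of that taclet."""
    if t is None or t == NIL:
        return 0
    if isinstance(t, tuple) and len(t) == 3 and t[0] == "cat":
        d = generated_depth(t[2])
        return None if d is None else d + 1
    return None

def check_slide8() -> bool:
    r"""\<{ s = "ab"; }\> s.content = cat('a', cat('b', nil)), and the rules give length 2."""
    s_content = content("ab")
    return s_content == cat(ord("a"), cat(ord("b"), NIL)) and length(s_content) == 2
```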
Mapping from Java to ADT

    List (Java)        List ADT
    List next;    ->   Constructor      ($f_{trans}$)
    methods       ->   Functions        ($f_{trans}$)
    $f'_{trans}$  ->   Rules

Symbolic execution of Java works on the ADT.

    rw_eqn {
      \find(ll1.#next = ll2 ==>)
      \replacewith(ll1=cons(head(ll1), ll2) ==>)
    };

    assign_abstract {
      \find (\<{.. #o.#next = #se; ...}\> post)
      \replacewith((!(#o=null) -> {#o:=cons(head(#o), #se)} \<{.. ...}\> post))
    };

    list_induction {
      \varcond(\notFreeIn(ve, ind))
      "Base Case": \add(==> {\subst iv; null} ind);
      "Step Case": \add(==> \forall iv; (ind -> \forall ve; {\subst iv; cons(ve, iv)} ind));
      "Use Case":  \add(\forall iv; ind ==>)
    };

We want: $D \models f_{trans}(\varphi) \Rightarrow D \models f'_{trans}(f_{trans}(\varphi)) \rightarrow \varphi$

Which properties of the mapping guarantee sound rules?
Future Work

- Functional verification of several Java Collection Framework classes (e.g. LinkedList, ArrayList, TreeSet)
- Optimising proofs of generatedness and well-foundedness properties
- Reuse of known structures and proven properties in classes (signature homomorphisms)