cyclic abduction of inductive safety termination
play

Cyclic abduction of inductive safety & termination preconditions - PowerPoint PPT Presentation

Feb 07, 2024 •311 likes •1.54k views

Cyclic abduction of inductive safety & termination preconditions James Brotherston University College London LIX Colloquium, Tues 5 Nov 2013 Joint work with Nikos Gorogiannis (Middlesex) 1/ 27 Part I Introduction and motivations 2/ 27

  1. Syntax of programs • Expressions are either a variable or nil . • Branching conditions B and commands C are given by B ::= ⋆ | E = E | E � = E C ::= ǫ | x := E ; C | x := E.f ; C | E.f := E ; C | free ( E ); C | x := new (); C | if B then C fi ; C | while B do C od ; C where E ranges over expressions, x over variables, n over field names and j over N . 9/ 27

  2. Syntax of programs • Expressions are either a variable or nil . • Branching conditions B and commands C are given by B ::= ⋆ | E = E | E � = E C ::= ǫ | x := E ; C | x := E.f ; C | E.f := E ; C | free ( E ); C | x := new (); C | if B then C fi ; C | while B do C od ; C where E ranges over expressions, x over variables, n over field names and j over N . • A program is given by fields n 1 , . . . , n k ; C where each n i is a field name and C a command. 9/ 27

  3. Semantics of programs • A program state is either fault or a triple ( C, s, h ), where • C is a command; 10/ 27

  4. Semantics of programs • A program state is either fault or a triple ( C, s, h ), where • C is a command; • s : Var → Val is a stack; 10/ 27

  5. Semantics of programs • A program state is either fault or a triple ( C, s, h ), where • C is a command; • s : Var → Val is a stack; • h : Loc ⇀ fin Val is a heap (we write ◦ for union of disjoint heaps). 10/ 27

  6. Semantics of programs • A program state is either fault or a triple ( C, s, h ), where • C is a command; • s : Var → Val is a stack; • h : Loc ⇀ fin Val is a heap (we write ◦ for union of disjoint heaps). • ( C, s, h ) is called safe if there is no computation sequence ( C, s, h ) � ∗ fault . And ( C, s, h ) ↓ means there is no infinite computation sequence ( C, s, h ) � . . . 10/ 27

  7. Semantics of programs • A program state is either fault or a triple ( C, s, h ), where • C is a command; • s : Var → Val is a stack; • h : Loc ⇀ fin Val is a heap (we write ◦ for union of disjoint heaps). • ( C, s, h ) is called safe if there is no computation sequence ( C, s, h ) � ∗ fault . And ( C, s, h ) ↓ means there is no infinite computation sequence ( C, s, h ) � . . . Proposition (Safety / termination monotonicity) If ( C, s, h ) is safe and h ◦ h ′ defined then ( C, s, h ◦ h ′ ) is safe. If ( C, s, h ) ↓ and h ◦ h ′ defined then ( C, s, h ◦ h ′ ) ↓ . 10/ 27

  8. Preconditions • Formulas F are given by F ::= E = E | E � = E | emp | E �→ E | P E | F ∗ F where P ranges over predicate symbols (of appropriate arity). 11/ 27

  9. Preconditions • Formulas F are given by F ::= E = E | E � = E | emp | E �→ E | P E | F ∗ F where P ranges over predicate symbols (of appropriate arity). • An inductive rule for predicate P is a rule of the form F ⇒ P t 11/ 27

  10. Preconditions • Formulas F are given by F ::= E = E | E � = E | emp | E �→ E | P E | F ∗ F where P ranges over predicate symbols (of appropriate arity). • An inductive rule for predicate P is a rule of the form F ⇒ P t • Semantics given by standard forcing relation s, h | = Φ F 11/ 27

  11. Proof rules • We write proof judgements of the form F ⊢ C where F is a formula and C a command. 12/ 27

  12. Proof rules • We write proof judgements of the form F ⊢ C where F is a formula and C a command. • Symbolic execution rules capture the effect of commands. 12/ 27

  13. Proof rules • We write proof judgements of the form F ⊢ C where F is a formula and C a command. • Symbolic execution rules capture the effect of commands. • E.g., if C is x := E.f ; C ′ , we have the symbolic execution rule: x = E f [ x ′ /x ] ∗ ( F ∗ E �→ E )[ x ′ /x ] ⊢ C ′ | E | ≥ f F ∗ E �→ E ⊢ C 12/ 27

  14. Proof rules • We write proof judgements of the form F ⊢ C where F is a formula and C a command. • Symbolic execution rules capture the effect of commands. • E.g., if C is x := E.f ; C ′ , we have the symbolic execution rule: x = E f [ x ′ /x ] ∗ ( F ∗ E �→ E )[ x ′ /x ] ⊢ C ′ | E | ≥ f F ∗ E �→ E ⊢ C (Here, f ∈ N and E f is the f th element of E . The variable x ′ is a fresh variable used to record the “old value” of x .) 12/ 27

  15. Proof rules (contd.) • We also have logical rules affecting the precondition, e.g.: F ⊢ C Π ′ ⊆ Π (Frame) F ∗ G ⊢ C 13/ 27

  16. Proof rules (contd.) • We also have logical rules affecting the precondition, e.g.: F ⊢ C Π ′ ⊆ Π (Frame) F ∗ G ⊢ C • The inductive rules for a predicate P determine its unfolding rule. 13/ 27

  17. Proof rules (contd.) • We also have logical rules affecting the precondition, e.g.: F ⊢ C Π ′ ⊆ Π (Frame) F ∗ G ⊢ C • The inductive rules for a predicate P determine its unfolding rule. E.g., define “binary tree” predicate bt by x = nil ⇒ bt ( x ) x � = nil ∗ x �→ ( y, z ) ∗ bt ( y ) ∗ bt ( z ) ⇒ bt ( x ) 13/ 27

  18. Proof rules (contd.) • We also have logical rules affecting the precondition, e.g.: F ⊢ C Π ′ ⊆ Π (Frame) F ∗ G ⊢ C • The inductive rules for a predicate P determine its unfolding rule. E.g., define “binary tree” predicate bt by x = nil ⇒ bt ( x ) x � = nil ∗ x �→ ( y, z ) ∗ bt ( y ) ∗ bt ( z ) ⇒ bt ( x ) This gives the unfolding rule: F ∗ u = nil ⊢ C F ∗ u � = nil ∗ u �→ ( y, z ) ∗ bt ( y ) ∗ bt ( z ) ⊢ C F ∗ bt ( u ) ⊢ C 13/ 27

  19. Cyclic proofs • A cyclic pre-proof is a derivation tree with back-links: • • (Axiom) • • • · · · • (Inference) • • 14/ 27

  20. Cyclic proofs • A cyclic pre-proof is a derivation tree with back-links: • • (Axiom) • • • · · · • (Inference) • • • Safety proof condition: there are infinitely many symbolic executions on every infinite path. 14/ 27

  21. Cyclic proofs • A cyclic pre-proof is a derivation tree with back-links: • • (Axiom) • • • · · · • (Inference) • • • Safety proof condition: there are infinitely many symbolic executions on every infinite path. • Termination condition: some inductive predicate is unfolded infinitely often on every infinite path. 14/ 27

  22. Soundness Theorem Fix rule set Φ , and program C , and suppose there is a cyclic proof P of F ⊢ C . Let stack s and heap h satisfy s, h | = Φ F . 15/ 27

  23. Soundness Theorem Fix rule set Φ , and program C , and suppose there is a cyclic proof P of F ⊢ C . Let stack s and heap h satisfy s, h | = Φ F . • If P satisfies the safety condition, ( C, s, h ) is safe; 15/ 27

  24. Soundness Theorem Fix rule set Φ , and program C , and suppose there is a cyclic proof P of F ⊢ C . Let stack s and heap h satisfy s, h | = Φ F . • If P satisfies the safety condition, ( C, s, h ) is safe; • If P satisfies the termination condition, ( C, s, h ) ↓ . 15/ 27

  25. Soundness Theorem Fix rule set Φ , and program C , and suppose there is a cyclic proof P of F ⊢ C . Let stack s and heap h satisfy s, h | = Φ F . • If P satisfies the safety condition, ( C, s, h ) is safe; • If P satisfies the termination condition, ( C, s, h ) ↓ . Proof. Inductive argument over proofs. 15/ 27

  26. Part III Cyclic abduction 16/ 27

  27. Problem statement • Initial problem: Given program C with input variables x , find inductive rules Φ such that P x ⊢ C is valid wrt. Φ. where P is a fresh predicate symbol, and “valid” may have either a safety or a termination interpretation. 17/ 27

  28. Problem statement • Initial problem: Given program C with input variables x , find inductive rules Φ such that P x ⊢ C is valid wrt. Φ. where P is a fresh predicate symbol, and “valid” may have either a safety or a termination interpretation. • General problem: Given inductive rules Φ and subgoal F ⊢ C , find inductive rules Φ ′ such that is valid wrt. Φ ∪ Φ ′ F ⊢ C 17/ 27

  29. Problem statement • Initial problem: Given program C with input variables x , find inductive rules Φ such that P x ⊢ C is valid wrt. Φ. where P is a fresh predicate symbol, and “valid” may have either a safety or a termination interpretation. • General problem: Given inductive rules Φ and subgoal F ⊢ C , find inductive rules Φ ′ such that is valid wrt. Φ ∪ Φ ′ F ⊢ C • Our approach: search for a cyclic safety/termination proof of F ⊢ C , inventing inductive rules as necessary. 17/ 27

  30. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule 18/ 27

  31. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule Priority 2: form backlink 18/ 27

  32. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule Priority 2: form backlink Priority 3: apply symbolic execution 18/ 27

  33. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule Priority 2: form backlink Priority 3: apply symbolic execution Principle II (Guessing things) • In order to serve Priorities 2 and 3 we are allowed to apply logical rules and/or abduce inductive rules. 18/ 27

  34. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule Priority 2: form backlink Priority 3: apply symbolic execution Principle II (Guessing things) • In order to serve Priorities 2 and 3 we are allowed to apply logical rules and/or abduce inductive rules. • We may only abduce rules for undefined predicates. 18/ 27

  35. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule Priority 2: form backlink Priority 3: apply symbolic execution Principle II (Guessing things) • In order to serve Priorities 2 and 3 we are allowed to apply logical rules and/or abduce inductive rules. • We may only abduce rules for undefined predicates. • When we abduce rules for a predicate P in the current subgoal, we immediately unfold that predicate in the subgoal. 18/ 27

  36. Principia abductica (I) Principle I (Proof search priorities) Priority 1: apply axiom rule Priority 2: form backlink Priority 3: apply symbolic execution Principle II (Guessing things) • In order to serve Priorities 2 and 3 we are allowed to apply logical rules and/or abduce inductive rules. • We may only abduce rules for undefined predicates. • When we abduce rules for a predicate P in the current subgoal, we immediately unfold that predicate in the subgoal. (We write A ( P ) for a combined abduction-and-unfold step.) 18/ 27

  37. Principia abductica (II) When forming back-links, we need to avoid: • violating the soundness condition on cyclic proofs; 19/ 27

  38. Principia abductica (II) When forming back-links, we need to avoid: • violating the soundness condition on cyclic proofs; • abducing trivially inconsistent definitions like P x ⇒ P x : P x ⊢ 0 A ( P ) P x ⊢ 0 19/ 27

  39. Principia abductica (II) When forming back-links, we need to avoid: • violating the soundness condition on cyclic proofs; • abducing trivially inconsistent definitions like P x ⇒ P x : P x ⊢ 0 A ( P ) P x ⊢ 0 Principle III (Avoidance tactic) We may not form a backlink yielding an infinite path that violates the safety condition, even if searching for a termination proof. 19/ 27

  40. Principia abductica (II) When forming back-links, we need to avoid: • violating the soundness condition on cyclic proofs; • abducing trivially inconsistent definitions like P x ⇒ P x : P x ⊢ 0 A ( P ) P x ⊢ 0 Principle III (Avoidance tactic) We may not form a backlink yielding an infinite path that violates the safety condition, even if searching for a termination proof. We can use a model checker to enforce Principle III. 19/ 27

  41. Worked example: binary tree search 0 : while ( x � = nil ) { 1 : if ( ⋆ ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 20/ 27

  42. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 20/ 27

  43. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  44. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ x = nil ∗ P 1 ( x ) ⊢ 5 while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  45. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ ǫ x = nil ∗ P 1 ( x ) ⊢ 5 while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  46. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ ǫ x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  47. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l 3 : else 4 : x := x.r } 5 : ǫ x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  48. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else 4 : x := x.r } 5 : ǫ x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  49. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else 4 : x := x.r } 5 : ǫ x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  50. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else 4 : x := x.r } 5 : ǫ x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  51. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else 4 : x := x.r } 5 : ǫ x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x := x.l x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  52. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x := x.l x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  53. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) A ( P 3 ) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x := x.l x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  54. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) A ( P 3 ) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x := x.l x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  55. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) A ( P 3 ) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x := x.l x � = nil ∗ ⊢ 2 x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  56. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) A ( P 3 ) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x := x.l x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  57. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) A ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  58. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) A ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  59. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 4 ( x ′ , y, x ) A ( P 3 ) ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  60. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 4 ( x ′ , y, x ) A ( P 3 ) ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  61. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) 5 : ǫ x ′ � = nil ∗ ⊢ 0 x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 0 ( x ) ∗ P 5 ( x ′ , y, x ) P 0 ( x ) ⊢ 0 (Frame) A ( P 4 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 4 ( x ′ , y, x ) A ( P 3 ) ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  62. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 0 ( x ) ∗ P 5 ( x ′ , y, x ) P 0 ( x ) ⊢ 0 (Frame) A ( P 4 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 4 ( x ′ , y, x ) A ( P 3 ) ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  63. Worked example: binary tree search 0 : while ( x � = nil ) { x = nil ∗ P 1 ( x ) ⇒ P 0 ( x ) 1 : if ( ⋆ ) x � = nil ∗ P 2 ( x ) ⇒ P 0 ( x ) 2 : x := x.l x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) 3 : else P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) 4 : x := x.r } P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) 5 : ǫ P 0 ( x ) ⊢ 0 (Frame) x ′ � = nil ∗ ⊢ 0 x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 0 ( x ) ∗ P 5 ( x ′ , y, x ) P 0 ( x ) ⊢ 0 (Frame) A ( P 4 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 0 ( x ) ∗ P 4 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 0 ( y ) ∗ P 4 ( x ′ , y, x ) A ( P 3 ) ( P 3 ) x ′ � = nil ∗ x ′ � = nil ∗ ⊢ 0 ⊢ 0 x ′ �→ ( x, z ) ∗ P 3 ( x ′ , x, z ) x ′ �→ ( y, x ) ∗ P 3 ( x ′ , y, x ) x := x.l x := x.r x � = nil ∗ x � = nil ∗ ⊢ 2 ⊢ 4 x �→ ( y, z ) ∗ P 3 ( x, y, z ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) A ( P 2 ) ( P 2 ) x � = nil ∗ P 2 ( x ) ⊢ 2 x � = nil ∗ P 2 ( x ) ⊢ 4 ǫ if x = nil ∗ P 1 ( x ) ⊢ 5 x � = nil ∗ P 2 ( x ) ⊢ 1 while while x = nil ∗ P 1 ( x ) ⊢ 0 x � = nil ∗ P 2 ( x ) ⊢ 0 A ( P 0 ) P 0 ( x ) ⊢ 0 20/ 27

  64. Simplifying inductive rule sets x = nil : P 1 ( x ) ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) 21/ 27

  65. Simplifying inductive rule sets • instantiate undefined predicates to emp ; x = nil : P 1 ( x ) ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) 21/ 27

  66. Simplifying inductive rule sets • instantiate undefined predicates to emp ; x = nil : P 1 ( x ) ⇒ P 0 ( x ) x = nil : emp ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) = ⇒ x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) P 0 ( z ) ⇒ P 4 ( x, y, z ) 21/ 27

  67. Simplifying inductive rule sets • instantiate undefined predicates to emp ; • eliminate redundant parameters; x = nil : P 1 ( x ) ⇒ P 0 ( x ) x = nil : emp ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) = ⇒ x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) P 0 ( z ) ⇒ P 4 ( x, y, z ) 21/ 27

  68. Simplifying inductive rule sets • instantiate undefined predicates to emp ; • eliminate redundant parameters; x = nil : P 1 ( x ) ⇒ P 0 ( x ) x = nil : emp ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) = ⇒ x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) P 0 ( z ) ⇒ P 4 ( x, y, z ) ⇓ x = nil : emp ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( z ) ⇒ P 3 ( x, y ) P 0 ( z ) ⇒ P 4 ( z ) 21/ 27

  69. Simplifying inductive rule sets • instantiate undefined predicates to emp ; • eliminate redundant parameters; • inline single-clause predicates. x = nil : P 1 ( x ) ⇒ P 0 ( x ) x = nil : emp ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) = ⇒ x �→ ( y, z ) ∗ P 3 ( x, y, z ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( y ) ∗ P 4 ( x, y, z ) ⇒ P 3 ( x, y, z ) P 0 ( z ) ∗ P 5 ( x, y, z ) ⇒ P 4 ( x, y, z ) P 0 ( z ) ⇒ P 4 ( x, y, z ) ⇓ x = nil : emp ⇒ P 0 ( x ) x � = nil : P 2 ( x ) ⇒ P 0 ( x ) x �→ ( y, z ) ∗ P 3 ( x, y ) ⇒ P 2 ( x ) P 0 ( y ) ∗ P 4 ( z ) ⇒ P 3 ( x, y ) P 0 ( z ) ⇒ P 4 ( z ) 21/ 27

Recommend

Automatic Cyclic Termination Proofs for Recursive Procedures in Separation Logic Reuben Rowe and

Automatic Cyclic Termination Proofs for Recursive Procedures in Separation Logic Reuben Rowe and

Automatic Cyclic Termination Proofs for Recursive Procedures in Separation Logic Reuben Rowe and James Brotherston University College London TAPAS, Edinburgh, Wednesday 7 th September 2016 Automatically Proving Termination: Challenges proc

815 views • 57 slides
Abduction and Induction Deduction, Abduction and Induction Abduction Mathematical

Abduction and Induction Deduction, Abduction and Induction Abduction Mathematical

Abduction and Induction Deduction, Abduction and Induction Abduction Mathematical Induction Steffen H olldobler Abduction and Induction (5th January 2009) 1 An Introductory Example: Abduction K | = G . We use the following

694 views • 34 slides
Equivalence of Inductive Definitions and Cyclic Proofs under Arithmetic Makoto Tatsuta (National

Equivalence of Inductive Definitions and Cyclic Proofs under Arithmetic Makoto Tatsuta (National

Equivalence of Inductive Definitions and Cyclic Proofs under Arithmetic Makoto Tatsuta (National Institute of Informatics) joint work with: Stefano Berardi (Torino University) MLA 2018 Kanazawa, Japan March 59, 2018 1 Introduction

590 views • 15 slides
Automatic Cyclic Termination Proofs for Recursive Procedures in Separation Logic Reuben Rowe,

Automatic Cyclic Termination Proofs for Recursive Procedures in Separation Logic Reuben Rowe,

Automatic Cyclic Termination Proofs for Recursive Procedures in Separation Logic Reuben Rowe, University of Kent, Canterbury James Brotherston, University College London CPP, Paris, France Monday 16 th January 2017 Automatically Proving

741 views • 70 slides
Cyclic Proofs of Program Termination in Separation Logic James Brotherston 1 , Richard Bornat

Cyclic Proofs of Program Termination in Separation Logic James Brotherston 1 , Richard Bornat

Cyclic Proofs of Program Termination in Separation Logic James Brotherston 1 , Richard Bornat 2 , and Cristiano Calcagno 1 1 Imperial College, London 2 Middlesex University, London Me 10 January, 2008 Overview We give a new method for

373 views • 11 slides
Inductive Cyclic Data Structures Makoto Hamana Department of Computer Science, Gunma University,

Inductive Cyclic Data Structures Makoto Hamana Department of Computer Science, Gunma University,

Inductive Cyclic Data Structures Makoto Hamana Department of Computer Science, Gunma University, Japan (joint with Tarmo Uustalu and Varmo Vene) 1st, Febrary, 2009 http://www.cs.gunma-u.ac.jp/ hamana/ 1 This Work How to inductively

417 views • 23 slides
Efficient Validation of FOL ID Cyclic Induction Reasoning VeriDis + MATRYOSHKA Workshop, Amsterdam

Efficient Validation of FOL ID Cyclic Induction Reasoning VeriDis + MATRYOSHKA Workshop, Amsterdam

Efficient Validation of FOL ID Cyclic Induction Reasoning VeriDis + MATRYOSHKA Workshop, Amsterdam June 12, 2019 Sorin Stratulat INRIA, Universit de Lorraine Motivation soundness checking of cyclic pre-proofs in FOL with inductive

675 views • 43 slides
Abduction Abduction is an assumption-based reasoning strategy where H is a set of assumptions

Abduction Abduction is an assumption-based reasoning strategy where H is a set of assumptions

Abduction Abduction is an assumption-based reasoning strategy where H is a set of assumptions about what could be happening in a system F axiomatizes how a system works g to be explained is an observation or a design goal Example: in

647 views • 20 slides
The Complexity of Abduction for Separated Heap Abstractions Nikos Gorogiannis Max Kanovich

The Complexity of Abduction for Separated Heap Abstractions Nikos Gorogiannis Max Kanovich

Complexity of Abduction in SL The Complexity of Abduction for Separated Heap Abstractions Nikos Gorogiannis Max Kanovich Peter OHearn Queen Mary University of London July 13th, 2011 Complexity of Abduction in SL Motivation Complexity of

1.14k views • 82 slides
Bi-abduction and Abstraction In the last lecture, we saw how frame inference lets us verify that

Bi-abduction and Abstraction In the last lecture, we saw how frame inference lets us verify that

8 Bi-Abduction Bi-Abduction Bi-abduction and Abstraction In the last lecture, we saw how frame inference lets us verify that the pre- and post-conditions and loop invariants of a given program are correct. Abstraction lets us infer loop

460 views • 9 slides
Types of Termination Mutual With Consent Termination Automatic Termination

Types of Termination Mutual With Consent Termination Automatic Termination

Types of Termination Mutual With Consent Termination Automatic Termination Termination Termination for Convenience Without Consent Frustration /Force Majeure Contractual Breach Breach Common Law Breach

444 views • 29 slides
Semantics and Pragmatics of NLP Interpretation as Abduction Alex Lascarides School of

Semantics and Pragmatics of NLP Interpretation as Abduction Alex Lascarides School of

Inferences in Discourse Use abduction Semantics and Pragmatics of NLP Interpretation as Abduction Alex Lascarides School of Informatics University of Edinburgh university-logo Alex Lascarides SPNLP: Abduction Inferences in Discourse Use

507 views • 36 slides
. Needs effective (finitary) representation .. Failed Termination Proof vs. Non- TNT:

. Needs effective (finitary) representation .. Failed Termination Proof vs. Non- TNT:

Runtime Errors Proving Non-Termination Ashutosh K. Gupta Thomas A. Henzinger Rupak Majumdar MPI-SWS EPFL UCLA Andrey Rybalchenko Ru-Gang Xu MPI-SWS UCLA 2 Non-Termination Errors Proving Non-Termination Search for infinite

402 views • 6 slides
Termination Rate Debate in Africa Dr. Christoph Stork Termination = Monopoly Monopolies

Termination Rate Debate in Africa Dr. Christoph Stork Termination = Monopoly Monopolies

Termination Rate Debate in Africa Dr. Christoph Stork Termination = Monopoly Monopolies require price regulation Termination rates at cost of efficient operator Provide incentive to invest in new technologies to reduce costs Promote

605 views • 32 slides
Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and

Checking Safety by Inductive Generalization of Counterexamples to Induction Aaron R. Bradley and Zohar Manna Stanford University (Aaron is visiting EPFL and will be at CU Boulder) Benchmark: intel_005 #latch vars: 170 #coi vars: 69 Solved:

207 views • 17 slides
Ranking Templates for Linear Loops Jan Leike Matthias Heizmann The Australian University

Ranking Templates for Linear Loops Jan Leike Matthias Heizmann The Australian University

Ranking Templates for Linear Loops Jan Leike Matthias Heizmann The Australian University National University of Freiburg Termination safety reduced to reachability - liveness reduced to termination Termination safety reduced to

429 views • 38 slides
Higher-Order Semantic Labelling for Inductive Datatype Systems Makoto Hamana Gunma

Higher-Order Semantic Labelling for Inductive Datatype Systems Makoto Hamana Gunma

Higher-Order Semantic Labelling for Inductive Datatype Systems Makoto Hamana Gunma University/University of Tokyo Japan PPDP07 14th July, 2007. 1 Intro: Termination Proof by Syntactic Method Term Rewriting System (TRS) R : fact ( s ( x ))

421 views • 19 slides
Abduction in Classification Tasks AI*IA 2003 M. Atzori, P. Mancarella, F. Turini {

Abduction in Classification Tasks AI*IA 2003 M. Atzori, P. Mancarella, F. Turini {

Abduction in Classification Tasks AI*IA 2003 M. Atzori, P. Mancarella, F. Turini { atzori,paolo,turini } @di.unipi.it Dipartimento di Informatica Universit` a di Pisa, Italy Abduction in Classification Tasks AI*IA 2003 p.1 Goal In Data

901 views • 55 slides
Multi-agent Abduction Using Doxastic Temporal Models Thomas Bolander DTU Compute, Technical

Multi-agent Abduction Using Doxastic Temporal Models Thomas Bolander DTU Compute, Technical

Multi-agent Abduction Using Doxastic Temporal Models Thomas Bolander DTU Compute, Technical University of Denmark Joint work with Sonja Smets , ILLC Bolander: Multi-agent Abduction, 6 Dec 2018 p. 1/22 Sally-Anne in Dynamic Epistemic Logic

810 views • 49 slides
Safety Proofs using Appearance and Behaviours Sumanth Prabhu S, Kumar Madhukar, R Venkatesh

Safety Proofs using Appearance and Behaviours Sumanth Prabhu S, Kumar Madhukar, R Venkatesh

Safety Proofs using Appearance and Behaviours Sumanth Prabhu S, Kumar Madhukar, R Venkatesh TRDDC, Pune July 20, 2018 Safe Inductive Invariants: x y x y x int x = y = 0 while (*) { x = x + 1 y = y + x } assert(y >= 0) Inductive

605 views • 43 slides
Generic Termination Roland Backhouse and Henk Doornbos 26th July 2001 2 Outline

Generic Termination Roland Backhouse and Henk Doornbos 26th July 2001 2 Outline

1 Generic Termination Roland Backhouse and Henk Doornbos 26th July 2001 2 Outline Well-founded and Admits-Induction Hylomorphisms F -well-founded and F -inductive (Some) rules for reductivity Conclusions 3 Well-Founded,

394 views • 13 slides
On quasi-cyclic codes as a generalization of cyclic codes Morgan Barbier

On quasi-cyclic codes as a generalization of cyclic codes Morgan Barbier

On quasi-cyclic codes as a generalization of cyclic codes Morgan Barbier morgan.barbier@unicaen.fr Joint work with: Christophe Chabot Guillaume Quintin University of Caen GREYC Dinard, C2 October 9th 2012 1 / 23 Outline

427 views • 26 slides
Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive definitions Inference rules in action Judgments, axioms, and rules Reasoning about inductive definitions Direct proofs Admissibility Rule induction

498 views • 25 slides
Inductive types in Coq Wessel van Staal November 23, 2012 Inductive types Inductive nattree :

Inductive types in Coq Wessel van Staal November 23, 2012 Inductive types Inductive nattree :

Inductive types in Coq Wessel van Staal November 23, 2012 Inductive types Inductive nattree : Set := leaf : nat -> nattree | node : nattree -> nattree -> nattree. Adds constant or function with final type Prop , Set or Type to

325 views • 14 slides

More recommend