
Formalizing Dijkstra, John Harrison - PDF document (slides)



  1. Formalizing Dijkstra

  I've been playing around recently formalizing Dijkstra's "A Discipline of Programming". This talk is about a few aspects of the work.

  • A Discipline of Programming
  • Mechanizing programming logics
  • Relational semantics
  • Weakest preconditions
  • Theorems about loops

  John Harrison, University of Cambridge, 12 February 1998

  2. A Discipline of Programming

  This classic monograph by Dijkstra has several interesting features.

  • Stress on programs as primarily mathematical formalisms, whose runnability on a machine is, so to speak, a lucky accident.
  • Systematic use of the (then new) method of weakest preconditions to give semantics to programs.
  • Formal treatment of a number of attractive algorithms, several of which have subsequently become classics, e.g. Hamming's problem and the Dutch National Flag.

  It's surely Dijkstra's best book. In fact, the people who buy books for Cambridge University's libraries seem to think it's his only good book.

  3. Why formalize it?

  It seemed that it might be fun to formalize ADOP, for several reasons:

  • Formalization tends to inspire a close reading, which this book probably deserves.
  • Dijkstra is very pro-correctness proofs, but very anti-computer checking. It seemed interesting to see how his arguments stand up to formalization.
  • This sort of formalization is generally pretty easy compared with floating point verification, so it provides light relief and the feeling of making rapid progress.
  • "None of the programs in this monograph, needless to say, has been tested on a machine." [p. xvi]

  4. This isn't new

  Mike Gordon showed in 1988 how to formalize programming logics in higher order logic theorem provers. It would also work fine in set theory or any suitable general mathematical formalism. He and Tom Melham actually used a tactic to do verification condition generation, which works very nicely. (I've used this approach in floating point verification.)

  Since then there's been a slew of work formalizing programming languages based on the same ideas, e.g. Agerholm, Grundy, Homeier, Nipkow, Tredoux and von Wright, to name just a few.

  As well as programming languages, there have been formalizations of hardware description languages and other CS formalisms, e.g. CCS, CSP, ELLA, π-calculus, TLA, UNITY, Verilog and VHDL.

  5. Formalizing states

  Following von Wright, we have a sort of "shallow embedding" of states, where the state is represented as a tuple of variables. Commands are implicitly abstracted over these variables, e.g. if we have three variables x, y and z, the assignment x := y + z would be:

    Assign (\(x,y,z). (y + z,y,z))

  All this is dealt with by parsing and printing, so the surface syntax is generally acceptable.

  The problem with a more explicit representation of the environment is that one ends up fixing the possible types for variables in advance. In set theory, this is not a problem, as Mark Staples will show in his thesis.

  6. Logical operators

  Most of Dijkstra's use of logical operators is implicitly at the predicate level, so it's handy to define various liftings of logical operators, e.g.

    |- p And q = \x. p x /\ q x
    |- Forall P l = \x. FORALL (\a. P a x) l

  In fact, I wondered if his use of `non' for negation is a sort of pun (e.g. `x is non empty' if not (x is empty)).

  Sometimes Dijkstra is pretty vague here about where he implicitly means `for all states'. I believe he nowadays writes things in square brackets to indicate quantification over all free variables. We have two separate forms of implication, again following von Wright:

    |- p Imp q = \x. p x ==> q x
    |- p Implies q = !x. p x ==> q x

  7. Relational semantics

  Dijkstra actually defines commands via their weakest preconditions. This was also done in HOL by von Wright et al.

    "We take the point of view that we know the possible performance of the mechanism S sufficiently well, provided that we can derive for any postcondition R the corresponding weakest precondition wp(S, R), because then we have captured what the mechanism can do for us; and in the jargon the latter is called `its semantics'." [p. 17]

  To us it seems more satisfactory to start with a more intuitive and operational view of programs and derive weakest preconditions afterwards. Dijkstra doesn't manage to escape from operational thinking completely, however hard he tries.

  8. Nondeterminism

  Using relations σ → σ → bool or σ × σ → bool has the defect, as noted in Gordon's original paper, that we can't really treat nondeterminism properly. We want to be able to distinguish possible and certain termination. Jim Grundy shows in his thesis (also the proceedings of a conference in Novosibirsk, LNCS 735) that all ways of interpreting relations of this form lead to problems treating nondeterminism.

  Instead, we use σ → σ⊥ → bool, i.e. introduce a separate type of `outcomes' σ⊥. In HOL:

    (A)outcome = Loops | Terminates A

  We basically follow Hesselink's CUP book on weakest preconditions; some of the later theorems are also taken from his book, supplementing those given by Dijkstra.

  9. Weakest preconditions

  It's now straightforward to define weakest preconditions and weakest liberal preconditions:

    |- terminates c s = ~c s Loops
    |- wlp c q s = (!s'. c s (Terminates s') ==> q s')
    |- wp c q s = terminates c s /\ wlp c q s

  Note that our semantics allows non-total commands, i.e. ones with no final outcome. According to the above definition these satisfy every postcondition! Hesselink uses them to interpret guards relationally. Anyway, all the actual commands we use are total.

  10. Healthiness conditions

  Dijkstra gives some healthiness conditions that predicate transformers of the form wp c should obey. With a proviso about total commands, these are all trivial to prove in HOL (call MESON_TAC with some relevant facts).

    |- (wp c False = False) = total c
    |- q Implies r ==> wp c q Implies wp c r
    |- wp c q And wp c r = wp c (q And r)
    |- wp c q Or wp c r Implies wp c (q Or r)
    |- deterministic c ==> (wp c p Or wp c q = wp c (p Or q))

  where:

    |- deterministic c = (!s t1 t2. c s t1 /\ c s t2 ==> (t1 = t2))
    |- !c. total c = (!s. ?t. c s t)

  11. Other theorems

  We also prove various other assertions by Dijkstra in the same chapter, and some more from Hesselink, e.g.

    |- wp c r = wlp c r And wp c True
    |- total c = !p. wp c p Implies Not(wlp c (Not p))
    |- deterministic c = !p. Not(wlp c (Not p)) Implies wp c p

  They're all pretty easy, except for the case where Dijkstra gets it wrong. Once MESON_TAC had taken 10 seconds I knew either Dijkstra or I must have made a mistake.

  Dijkstra [pp. 21-2] enumerates the 7 `mutually exclusive' possibilities when a nondeterministic command c is started in a given state with a postcondition r in mind:
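The outcome-based relational semantics of slides 8 and 9, the healthiness conditions of slide 10 and the three identities of slide 11 can be checked by brute force on a finite state space, which is a useful sanity check before (or instead of) a HOL proof. The following is an added example written for this page, not code from the talk: states are a single variable x over {0,1,2,3} (a constructed state space), a command is the set of (state, outcome) pairs it admits with `None` standing in for `Loops`, and predicates are sets of states so that the lifted operators of slide 6 become set operations (`Implies` is subset, i.e. "for all states"). The command constructors `assign`, `choice`, `guard` and `may_loop` are my own illustrative names; `guard` builds the non-total relational guard mentioned on slide 9, whose start states with no outcome satisfy every postcondition, including `False`.

```python
from itertools import combinations, product

# Constructed finite state space: one variable x ranging over {0,1,2,3}.
STATES = (0, 1, 2, 3)
ALL = frozenset(STATES)   # the predicate `True`
NONE = frozenset()        # the predicate `False`
LOOPS = None              # the `Loops` outcome; a state s stands for `Terminates s`


# Predicates are sets of states: And = &, Or = |, Not = complement,
# and `Implies` (slide 6) quantifies over all states, i.e. subset.
def Not(p):
    return ALL - p


def Implies(p, q):
    return p <= q


def all_predicates():
    """Every predicate over STATES (2^|STATES| of them)."""
    return [frozenset(c) for n in range(len(STATES) + 1)
            for c in combinations(STATES, n)]


# Commands are relations between a start state and an outcome (slide 8).
def assign(f):
    """Deterministic, total command s -> f(s), like `Assign` on slide 5."""
    return frozenset((s, f(s)) for s in STATES)


def choice(*cmds):
    """Nondeterministic choice: the union of the relations."""
    return frozenset().union(*cmds)


def guard(pred):
    """Relational guard (hypothetical name): skip where pred holds, no outcome elsewhere."""
    return frozenset((s, s) for s in STATES if pred(s))


def may_loop(pred):
    """Skip, plus an extra `Loops` outcome wherever pred holds (possible non-termination)."""
    return frozenset((s, s) for s in STATES) | frozenset((s, LOOPS) for s in STATES if pred(s))


def outcomes(c, s):
    return {t for (u, t) in c if u == s}


def total(c):
    return all(outcomes(c, s) for s in STATES)


def deterministic(c):
    return all(len(outcomes(c, s)) <= 1 for s in STATES)


# The definitions of slide 9, transcribed to sets.
def terminates(c, s):
    return (s, LOOPS) not in c


def wlp(c, q):
    return frozenset(s for s in STATES
                     if all(t in q for t in outcomes(c, s) if t is not LOOPS))


def wp(c, q):
    return frozenset(s for s in wlp(c, q) if terminates(c, s))


def possible_vs_certain(c):
    """wlp c True (may terminate) beside wp c True (certainly terminates)."""
    return wlp(c, ALL), wp(c, ALL)


def healthiness(c):
    """Slide 10's conditions and slide 11's identities, checked over every predicate."""
    P = all_predicates()
    pairs = list(product(P, P))
    return {
        "wp_False_is_False_iff_total": (wp(c, NONE) == NONE) == total(c),
        "monotone": all(Implies(wp(c, q), wp(c, r)) for q, r in pairs if Implies(q, r)),
        "conjunctive": all(wp(c, q) & wp(c, r) == wp(c, q & r) for q, r in pairs),
        "sub_disjunctive": all(Implies(wp(c, q) | wp(c, r), wp(c, q | r)) for q, r in pairs),
        "disjunctive_if_deterministic": not deterministic(c)
            or all(wp(c, q) | wp(c, r) == wp(c, q | r) for q, r in pairs),
        "wp_is_wlp_and_wp_True": all(wp(c, r) == wlp(c, r) & wp(c, ALL) for r in P),
        "total_iff": total(c) == all(Implies(wp(c, p), Not(wlp(c, Not(p)))) for p in P),
        "deterministic_iff": deterministic(c)
            == all(Implies(Not(wlp(c, Not(p))), wp(c, p)) for p in P),
    }


def strict_disjunction_witness(c):
    """A (q, r, s) with s in wp c (q Or r) but not in wp c q Or wp c r, or None."""
    for q, r in product(all_predicates(), repeat=2):
        extra = wp(c, q | r) - (wp(c, q) | wp(c, r))
        if extra:
            return q, r, min(extra)
    return None


# Constructed example commands.
INC = assign(lambda x: (x + 1) % 4)                  # x := x + 1 mod 4
ND = choice(INC, assign(lambda x: (x + 2) % 4))      # x := x + 1  []  x := x + 2
LOOPY = may_loop(lambda x: x == 0)                   # may fail to terminate from x = 0
EVEN_GUARD = guard(lambda x: x % 2 == 0)             # no outcome at all from odd states

if __name__ == "__main__":
    for name, c in [("INC", INC), ("ND", ND), ("LOOPY", LOOPY), ("EVEN_GUARD", EVEN_GUARD)]:
        print(name, "total" if total(c) else "non-total",
              "wp c False =", sorted(wp(c, NONE)), healthiness(c))
    print("ND breaks full disjunctivity at:", strict_disjunction_witness(ND))
    print("LOOPY (wlp True, wp True):", possible_vs_certain(LOOPY))
```

Running it shows all eight checks holding for all four commands; `ND` gives a witness for the strict direction of the disjunction law (from x = 3 both outcomes land in {0,1}, but neither in {0} nor in {1} alone), `LOOPY` separates possible from certain termination exactly as slide 8 wants (`wlp` is everywhere true, `wp` excludes 0), and `EVEN_GUARD` has `wp c False = {1, 3}`, the non-total states that vacuously satisfy every postcondition, while still satisfying the `(wp c False = False) = total c` equation because both sides are false.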
