Formalizing an operational semantics of an imperative programing language using Agda Emil Karl´ en Andr´ es Sicard-Ram´ ırez Frontiers of Programming Language Technology 2008-05-16
Remark What your talk is for Your main weapon Examples are your main Your paper = The beef weapon To motivate the work To convey the basic intuition Your talk = The beef advertisment To illustrate The Idea in action To show extreme cases To highlight shortcomings Do not confuse the two When time is short, omit the general case, not the example ( From: http://research.microsoft.com/˜simonpj/papers/ giving-a-talk/giving-a-talk.htm )
The project Description We formalized some elements of an operational semantics of an imperative programming language (IMP) a using the proof-assistant Agda, and we formalized the proofs of some properties of IMP programs. arithmetical expressions ( Aexp ) IMP boolean expressions ( Bexp ) commands ( Com ) a Glynn Winskel. The Formal Semantics of Programming Languages . The MIT Press, 1993.
The project Operational semantics “Operational semantics describes the meaning of a programming language by specifying how it executes on an abstract machine” (Winskel, 1993, p. xv) “Formally, IMP’s behavior is described by rules which specify how its expressions are evaluated and its commands are executed. This rules provide an operational semantics of IMP” (Winskel, 1993, p. 11) evaluation of Aexp : < Aexp , state > → Number rules evaluation of Bexp : < Bexp , state > → Boolean (inductive relations) execution of Com : < Com , state > → state
The project Example (IMP program) The following is a program that computes the factorial of an natural number n . The input is given in the variable n and the output is put in the variable fac . IF n = 0 THEN fac := 1 ELSE fac := n WHILE n > 1 DO n := n - 1; fac := fac * n Example (Properties) Two concrete programs are equivalents The evaluation of arithmetical expressions is deterministic
The project Motivation From the POPLmark Challenge (2005): “How close are we to a world in which mechanically verified software is commonplace? A world in which theorem proving technology is used routinely by both software developers and programming language researchers alike?” From Lambda, the Ultimate (2008-05-12): “. . . I taught an introductory course on logic and the theory of programming languages entirely in Coq. The experience was quite demanding . . . I am now convinced that this is the right way to teach programming language foundations . . . ”. (Benjamin C. Pierce) Agda (2007): “Towards a practical programming language based on dependent type theory” (Norell, 2007)
Induction on inductive sets Example (Natural numbers) -- Natural numbers data N : Set where n ∈ N zero : N 0 ∈ N S ( n ) ∈ N S : N -> N Example (Mathematical induction) For any predicate P , [ P ( n ) ] ind. hyp. ���� . . ( P ( 0 ) ∧ ∀ n [ P ( n ) ⇒ P ( S ( n ))] ) ⇒ ∀ n . P ( n ) . � ��������������������������� �� ��������������������������� � P ( 0 ) P ( S ( n )) inductive step ∀ x . P ( x )
Induction on inductive sets Example (Mathematical induction) For any predicate P , [ P ( n ) ] . . . P ( 0 ) P ( S ( n )) ∀ x . P ( x ) -- Mathematical induction via dependent types N -ind : (P : N -> Set) -> P zero -> ((n : N ) -> P n -> P (S n)) -> (n : N ) -> P n N -ind P P0 istep zero = P0 N -ind P P0 istep (S n) = istep n ( N -ind P P0 istep n)
Induction on inductive sets Example (Proof using mathematical induction) P ( n ) : 0 + n = n Paper proof: Base case : P ( 0 ) : 0 + 0 = 0 by Def. + Induction step : P ( n ) → P ( S ( n )) 0 + S ( n ) = S ( 0 + n ) by Def. + = S ( n ) by IH: 0 + n = n -- Agda proof using N -ind thm1 : (n : N ) -> (zero + n) =N n thm1 n = N -ind P P0 istep n where P : N -> Set P = (\(n : N ) -> (zero + n) =N n ) P0 : P zero P0 = <> istep : (n : N ) -> P n -> P (S n) istep = (\_ ih -> ih )
Induction on inductive sets Example (Proof using pattern maching) P ( n ) : 0 + n = n -- Agda proof using N -ind thm1 : (n : N ) -> (zero + n) =N n thm1 n = N -ind P P0 istep n where P : N -> Set P = (\(n : N ) -> (zero + n) =N n ) P0 : P zero P0 = <> istep : (n : N ) -> P n -> P (S n) istep = (\_ ih -> ih ) -- Agda proof using pattern matching thm1 : (n : N ) -> (zero + n) =N n thm1 zero = <> thm1 (S n) = thm1 n
Curry-Howard isomorphism a : A proof : proposition ⇒ Proof check ≡ Type check program : specification Example (A proof the mathematical induction) N -ind : (P : N -> Set) -> P zero -> ((n : N ) -> P n -> P (S n)) -> (n : N ) -> P n N -ind P P0 istep zero = P0 N -ind P P0 istep (succ n) = istep n ( N -ind P P0 istep n)
Curry-Howard isomorphism a : A proof : proposition ⇒ Proof check ≡ Type check program : specification Example (A proof the mathematical induction) N -ind : (P : N -> Set) -> P zero -> ((n : N ) -> P n -> P (S n)) -> (n : N ) -> P n N -ind P P0 istep zero = P0 N -ind P P0 istep (succ n) = istep n ( N -ind P P0 istep n)
Curry-Howard isomorphism a : A proof : proposition ⇒ Proof check ≡ Type check program : specification Example (A proof the mathematical induction) N -ind : (P : N -> Set) -> P zero -> ((n : N ) -> P n -> P (S n)) -> (n : N ) -> P n N -ind P P0 istep zero = P0 N -ind P P0 istep (succ n) = istep n ( N -ind P P0 istep n)
Recursion and induction on inductive sets Example -- mathematical induction N -ind : (P : N -> Set) -> P zero -> ((n : N ) -> P n -> P (S n)) -> (n : N ) -> P n N -ind = ... -- The recursive combinator for natural numbers via -- mathematical induction N -rec : (A : Set) -> A -> ( N -> A -> A) -> N -> A N -rec A = N -ind (\_ -> A )
� � � � Recursion and induction on inductive sets An inductive set S ( N ) ( Aexp , Bexp , Com , < Aexp , state > → Number , . . . ) To prove properties on S Induction on S (mathematical and well-founded induction) ( structural and rule induction) To define recursive functions on S Recursion on S
Programs, and what they do Example ( An IMP program ) x := 10 y := 20 IF x + y = 30 THEN -- probably we do this. ELSE -- probably we don’t do this. Question: If x → 10 and y → 20, then shouldn’t x + y → 30? How know? formalize ... BNF ... operational semantics ... types The “Curry-Howard Strategy” Say it with a Type! ... because then a Type Checker can Check what you Say!
BNF for IMP � Com � ::= SKIP | � Location � := � Aexp � | IF � Bexp � THEN � Com � ELSE � Com � | WHILE � Bexp � DO � Com � | � Com � ; � Com � � Bexp � ::= true | false | � Aexp � = � Aexp � | � Bexp � ∧ � Bexp � � Aexp � ::= � Natural � | � Location � � Aexp � + � Aexp � |
BNF for IMP � Aexp � ::= � Natural � | � Location � � Aexp � + � Aexp � |
Representation in Agda � Natural � data N : Set where ... � Location � Loc = String Σ = Loc -> N Global State
Representation in Agda The Aexp Type data Aexp : Set where aexpN : N -> Aexp aexpL : Loc -> Aexp aexp+ : Aexp -> Aexp -> Aexp BNF (repeated) � Aexp � ::= � Natural � � Location � | � Aexp � + � Aexp � |
Principle of Structural Induction for Aexp Structural Induction for Aexp ind-Aexp : (P : Aexp -> Set) -> (a : Aexp) -> P a The Aexp Type (repeated) data Aexp : Set where aexpN : N -> Aexp aexpL : Loc -> Aexp aexp+ : Aexp -> Aexp -> Aexp
Principle of Structural Induction for Aexp Structural Induction for Aexp ind-Aexp : (P : Aexp -> Set) -> ((n : N ) -> P (aexpN n)) -> -- pN ((x : Loc) -> P (aexpL x)) -> -- pL ((a 0 a 1 : Aexp) -> P a 0 -> P a 1 -> P (aexp+ a 0 a 1 )) -> -- p+ (a : Aexp) -> P a The Aexp Type (repeated) data Aexp : Set where aexpN : N -> Aexp aexpL : Loc -> Aexp aexp+ : Aexp -> Aexp -> Aexp
Using ind-Aexp for Recursion Evaluating an Aexp eval-Aexp : Aexp -> Σ -> N
Using ind-Aexp for Recursion Evaluating an Aexp eval-Aexp : Aexp -> Σ -> N eval-Aexp a σ = ind-Aexp (\(a : Aexp) -> N ) (\n -> n) (\x -> σ x) (\_ _ n 0 n 1 -> n 0 + n 1 ) a Structural Induction for Aexp (almost repeated) ind-Aexp : (P : Aexp -> N ) -> ( N -> N ) -> -- pN (Loc -> N ) -> -- pL (Aexp -> Aexp -> N -> N -> N ) -> -- p+ Aexp -> N
Recommend
More recommend