Imperative Programming by Stepwise Refinement in Coq Boubacar Demba - PowerPoint PPT Presentation

Imperative Programming by Stepwise Refinement in Coq Boubacar Demba Sall Emmanuel Chailloux (Doctoral Advisor) Fr´ ed´ eric Peschanski (Doctoral Advisor) Sorbonne University, LIP6 UMR 7606 4 place Jussieu 75005 Paris, France. Journ´ ee AIRBUS-LIP6 Paris, February 20th 2019 1 / 16

Introduction (1/2) The problem The gap from abstract specifications to concrete programs - expressiveness of specification languages Proving correctness can prove difficult : - invariant inference is often hard - big formulae not so easy to manipulate - confidence in the proofs 2 / 16

Introduction (2/2) The stepwise path towards a solution Take small steps and compose them Make sure each step is correct Use a proof assistant to increase confidence in the proofs T 1 T 2 T n Specification − → 1st refinement − → 2nd refinement ... − → Program 3 / 16

Means of Specification Before-After predicates v : value of variable v at beginning of execution v ′ : value of v after execution ends � v ′ > v ∧ x ′ = x � : increase v and leave x unchanged Advantages of B-A predicates → unifie preconditions, postconditions, invariants and variants → easier to compose than pre/post condition pairs 4 / 16

Description of Refinements with Design Blocks Design block notation : spec { body } header : abstract specification body : more concrete implementation candidate can be nested Advantages → recording of design decisions (programmer’s intent) → embedded formal specifications (mandatory maintenance) → basis for hierarchical proof decomposition 5 / 16

6 / 16

Example - An Integer Square Root Algorithm (1/4) State variables x : nat -- input r : nat -- result (and left bound of search interval) h : nat -- local variable (right bound of search interval) m : nat -- local variable (pivot) � r ′ 2 ≤ x < (1 + r ′ ) 2 � x Square root algorithm specification: 7 / 16

Example - An Integer Square Root Algorithm (2/4) First step: � r ′ 2 ≤ x < ( r ′ + 1) 2 � { r := 0 ; h := x + 1 ; while r + 1 � = h do � r + 1 < h ∧ r ′ 2 ≤ x < h ′ 2 ∧ ( r < r ′ ... ∨ h ′ < h ... ) � x done } Can be read as: � r ′ 2 ≤ x < ( r ′ + 1) 2 � { r := 0 ; h := x + 1 ; if r + 1 � = h then � r + 1 < h ∧ r ′ 2 ≤ x < h ′ 2 ... ∧ r ′ + 1 = h ′ � x end } 8 / 16

Example - An Integer Square Root Algorithm (3/4) Fast forward to the final step (the process is additive) � r ′ 2 ≤ x < ( r ′ + 1) 2 � { r := 0 ; h := x + 1 ; while r + 1 � = h do � r + 1 < h ∧ r ′ 2 ≤ x < h ′ 2 ∧ ( r < r ′ ... ∨ h ′ < h ... ) � x { � r < m ′ < h � x , r , h { m := r + ( h − r ) / 2 } ; if m 2 ≤ x then r := m else h := m end } done } 9 / 16

Example - An Integer Square Root Algorithm (4/4) One more thing ... ( nat → uint 64 ?) � r ′ 2 ≤ x < ( r ′ + 1) 2 � { r := 0 ; h := x + 1 ; while r + 1 � = h do � r + 1 < h ∧ r ′ 2 ≤ x < h ′ 2 ∧ ( r < r ′ ... ∨ h ′ < h ... ) � x { � r < m ′ < h � x , r , h { m := r + ( h − r ) / 2 } ; if m 2 ≤ x then r := m else h := m end } done } ... requires data refinement (future work ...) 10 / 16

A tiny bit of semantics Π 1 : DesignBlock → AST Π 1 ( Sqrt ) = � r ′ 2 ≤ x < ( r ′ + 1) 2 � Π 2 : DesignBlock → AST Π 2 ( Sqrt ) = r := 0 ; h := x + 1 ; while r + 1 � = h do m := r + ( h − r ) / 2 ; if m 2 ≤ x then r := m else h := m end done Definition (Design correctness) def correct D = Π 2 ( D ) ⊑ Π 1 ( D ) 11 / 16

12 / 16

Definitions of Program Refinement Hoare-style definition def S ⊑ T = ∀ P Q · P { T } Q ⇒ P { S } Q Definition with predicate transformers def S ⊑ T = ∀ Q · wp ( T , Q ) ⇒ wp ( S , Q ) Relational definition def S ⊑ T = dom ( T ) ⊳ S ⊆ T ∧ dom ( T ) ⊆ dom ( S ) 13 / 16

Correctness by Construction (1/2) Composition rules: CbC D 1 ∧ CbC D 2 CbC ( Effect f ) CbC � spec � CbC D 1 ; D 2 CbC D 1 ∧ CbC D 2 CbC If C then D 1 else D 2 endif 14 / 16

Correctness by Construction (2/2) Composition rules: CbC D ∧ well founded ( λ s s ′ ⇒ C s ′ ∧ ( K s ′ s ) ∧ C s ) def with K = Π 1 ( D ) ∧ K ⊳ C ; if C then K endif ⊑ K ⊳ C CbC While C do D done CbC D ∧ Π 1 ( D ) ⊑ spec CbC spec { D } 15 / 16

Conclusion and Future Work Conclusion formalizarion of stepwise refinement in Coq composition of CbC imprerative programs output : AST and proof of correctness Future work data refinement AST translation to C proof automation (specialized tactics, SMT solvers, ...) 16 / 16