Formal Software Development Program
Formal Software Development Program
Adrian Zidaritz
zidaritz berkeley.edu
March 8, 2011
Introduction
Some slides are marked with this gray sticker; they con-
tain some fairly elementary mathematical concepts, es-
sentially induction. These slides may be skipped.
ip be
d
sk ay
Other slides are marked with this red sticker; they as-
pe
m
The language
The language
The language
The language
The language
The language
The grammar
The grammar
The grammar
1 * is a wff
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
3 no other formulas are wffs
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
3 no other formulas are wffs
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
3 no other formulas are wffs
The symbols X and Y do not belong to the language, they are just
placeholders for arbitrary formulas. We’ll talk about them later.
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
3 no other formulas are wffs
The symbols X and Y do not belong to the language, they are just
placeholders for arbitrary formulas. We’ll talk about them later.
For example, if X stands for a and Y for b, since neither X nor Y contain
a *, then by the second formation rule, a*b is a wff
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
3 no other formulas are wffs
The symbols X and Y do not belong to the language, they are just
placeholders for arbitrary formulas. We’ll talk about them later.
For example, if X stands for a and Y for b, since neither X nor Y contain
a *, then by the second formation rule, a*b is a wff
Similarly, aa*bb, aba*bbbbb, baba*abab are wffs (think of what X and
Y are in these cases)
The grammar
1 * is a wff
2 if X and Y are formulas containing no *, then X*Y is a wff
3 no other formulas are wffs
The symbols X and Y do not belong to the language, they are just
placeholders for arbitrary formulas. We’ll talk about them later.
For example, if X stands for a and Y for b, since neither X nor Y contain
a *, then by the second formation rule, a*b is a wff
Similarly, aa*bb, aba*bbbbb, baba*abab are wffs (think of what X and
Y are in these cases)
Whereas **, *aba*, a*b*b are not wffs, because we cannot find any X
and Y to fit the grammar requirements
Formal Software Development Program Overview March 8, 2011 11 / 187
What is formal software development Example: a simple formal system
The rules of inference dictate how a new wff, called a conclusion, can be
deduced (or inferred) from a set (possibly empty) of other wffs, called
premises.
The rules of inference dictate how a new wff, called a conclusion, can be
deduced (or inferred) from a set (possibly empty) of other wffs, called
premises.
A rule with an empty set of premises is called an axiom.
The rules of inference dictate how a new wff, called a conclusion, can be
deduced (or inferred) from a set (possibly empty) of other wffs, called
premises.
A rule with an empty set of premises is called an axiom.
It is helpful to make this distinction because axioms are what get the
system up and going, i.e. you have to start the deduction process some-
where.
The rules of inference dictate how a new wff, called a conclusion, can be
deduced (or inferred) from a set (possibly empty) of other wffs, called
premises.
A rule with an empty set of premises is called an axiom.
It is helpful to make this distinction because axioms are what get the
system up and going, i.e. you have to start the deduction process some-
where.
Otherwise, axioms are nothing but special rules.
The rules of inference dictate how a new wff, called a conclusion, can be
deduced (or inferred) from a set (possibly empty) of other wffs, called
premises.
A rule with an empty set of premises is called an axiom.
It is helpful to make this distinction because axioms are what get the
system up and going, i.e. you have to start the deduction process some-
where.
Otherwise, axioms are nothing but special rules.
The rules of inference dictate how a new wff, called a conclusion, can be
deduced (or inferred) from a set (possibly empty) of other wffs, called
premises.
A rule with an empty set of premises is called an axiom.
It is helpful to make this distinction because axioms are what get the
system up and going, i.e. you have to start the deduction process some-
where.
Otherwise, axioms are nothing but special rules.
Since it has no premises, rule 1 is an axiom. You can apply the rules in any
order you wish, you do not have to go 2-3-4. This feature of formal systems
is called nondeterminism; we’ll review nondeterminism later, and a few
proofs that we build will also emphasize it.
Since it has no premises, rule 1 is an axiom. You can apply the rules in any
order you wish, you do not have to go 2-3-4. This feature of formal systems
is called nondeterminism; we’ll review nondeterminism later, and a few
proofs that we build will also emphasize it. We’ll call our example formal
system DANS.
Let’s look at some proofs in DANS; we’ll number the steps of a proof as #1,
#2, and so on. Each step will contain the theorem proved at that step and,
in parentheses, how we proved it (which must be a rule applied to previously
proved steps).
Let’s look at some proofs in DANS; we’ll number the steps of a proof as #1,
#2, and so on. Each step will contain the theorem proved at that step and,
in parentheses, how we proved it (which must be a rule applied to previously
proved steps).
Theorem: a*bb
Let’s look at some proofs in DANS; we’ll number the steps of a proof as #1,
#2, and so on. Each step will contain the theorem proved at that step and,
in parentheses, how we proved it (which must be a rule applied to previously
proved steps).
Theorem: a*bb
Proof.
#1: * (r1)
Let’s look at some proofs in DANS; we’ll number the steps of a proof as #1,
#2, and so on. Each step will contain the theorem proved at that step and,
in parentheses, how we proved it (which must be a rule applied to previously
proved steps).
Theorem: a*bb
Proof.
#1: * (r1)
#2: *b (#1,r2)
Let’s look at some proofs in DANS; we’ll number the steps of a proof as #1,
#2, and so on. Each step will contain the theorem proved at that step and,
in parentheses, how we proved it (which must be a rule applied to previously
proved steps).
Theorem: a*bb
Proof.
#1: * (r1)
#2: *b (#1,r2)
#3: a*b (#2,r3)
Let’s look at some proofs in DANS; we’ll number the steps of a proof as #1,
#2, and so on. Each step will contain the theorem proved at that step and,
in parentheses, how we proved it (which must be a rule applied to previously
proved steps).
Theorem: a*bb
Proof.
#1: * (r1)
#2: *b (#1,r2)
#3: a*b (#2,r3)
#4: a*bb (#2,r2)
Proof objects
Proof objects
This form of a proof is known as a proof object.
Proof objects
This form of a proof is known as a proof object. So
{#1: * (r1); #2: *b (#1,r2); #3: a*b (#2,r3); #4: a*bb (#2,r2)}
is a proof object.
Proof objects
This form of a proof is known as a proof object. So
{#1: * (r1); #2: *b (#1,r2); #3: a*b (#2,r3); #4: a*bb (#2,r2)}
is a proof object. Proof objects are important because anyone who is given
the language and rules of DANS could verify the steps of the proof.
Proof objects
This form of a proof is known as a proof object. So
{#1: * (r1); #2: *b (#1,r2); #3: a*b (#2,r3); #4: a*bb (#2,r2)}
is a proof object. Proof objects are important because anyone who is given
the language and rules of DANS could verify the steps of the proof. Let’s
remark that a theorem can have many proofs; we could have proved a*bb
with this proof object:
Proof objects
This form of a proof is known as a proof object. So
{#1: * (r1); #2: *b (#1,r2); #3: a*b (#2,r3); #4: a*bb (#2,r2)}
is a proof object. Proof objects are important because anyone who is given
the language and rules of DANS could verify the steps of the proof. Let’s
remark that a theorem can have many proofs; we could have proved a*bb
with this proof object:
A more complete description of a proof would include not just the proof
object, but the entire formal system attached. This is sometimes called a
proof certificate.
Proof objects
This form of a proof is known as a proof object. So
{#1: * (r1); #2: *b (#1,r2); #3: a*b (#2,r3); #4: a*bb (#2,r2)}
is a proof object. Proof objects are important because anyone who is given
the language and rules of DANS could verify the steps of the proof. Let’s
remark that a theorem can have many proofs; we could have proved a*bb
with this proof object:
A more complete description of a proof would include not just the proof
object, but the entire formal system attached. This is sometimes called a
proof certificate. So {[DANS] #1: * (r1); #2: *b (#1,r2); #3: a*b
(#2,r3); #4: a*bb (#2,r2)} would be a proof certificate. If you emailed me
this proof certificate, I would know exactly what you proved.
Proof objects
This form of a proof is known as a proof object. So
{#1: * (r1); #2: *b (#1,r2); #3: a*b (#2,r3); #4: a*bb (#2,r2)}
is a proof object. Proof objects are important because anyone who is given
the language and rules of DANS could verify the steps of the proof. Let’s
remark that a theorem can have many proofs; we could have proved a*bb
with this proof object:
A more complete description of a proof would include not just the proof
object, but the entire formal system attached. This is sometimes called a
proof certificate. So {[DANS] #1: * (r1); #2: *b (#1,r2); #3: a*b
(#2,r3); #4: a*bb (#2,r2)} would be a proof certificate. If you emailed me
this proof certificate, I would know exactly what you proved. But most of
the time, the formal system is part of the discourse, so proof objects are
sufficient.
Formal Software Development Program Overview March 8, 2011 15 / 187
What is formal software development Metamathematics
Moving up a level
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Now comes a big switch of perspective . . .
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Now comes a big switch of perspective . . .
These formal systems have some important properties, which can be
studied with the use of mathematics
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Now comes a big switch of perspective . . .
These formal systems have some important properties, which can be
studied with the use of mathematics
This study comes with a grand name: metamathematics, i.e. the study
of mathematics itself
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Now comes a big switch of perspective . . .
These formal systems have some important properties, which can be
studied with the use of mathematics
This study comes with a grand name: metamathematics, i.e. the study
of mathematics itself
We’ll do a lot of metamathematics in this program
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Now comes a big switch of perspective . . .
These formal systems have some important properties, which can be
studied with the use of mathematics
This study comes with a grand name: metamathematics, i.e. the study
of mathematics itself
We’ll do a lot of metamathematics in this program
And metasoftware, if you wish
Moving up a level
We now know how to do proofs (in other words, how to reason within
the system)
There is a large variety of such formal systems
Most of the mathematics you ever learned can be cranked out by such
formal systems (see mizar.org)
The foundations of software can also be cranked out by formal systems,
as we’ll see soon
Now comes a big switch of perspective . . .
These formal systems have some important properties, which can be
studied with the use of mathematics
This study comes with a grand name: metamathematics, i.e. the study
of mathematics itself
We’ll do a lot of metamathematics in this program
And metasoftware, if you wish
Meta just means ‘outside’ or ‘about’
Formal Software Development Program Overview March 8, 2011 16 / 187
What is formal software development Metamathematics
Let’s do some metamathematics. Let’s say that all the wffs of a formal
system are theorems.
Let’s do some metamathematics. Let’s say that all the wffs of a formal
system are theorems. In this case the formal system is worthless, the rules do
not accomplish anything useful.
Let’s do some metamathematics. Let’s say that all the wffs of a formal
system are theorems. In this case the formal system is worthless, the rules do
not accomplish anything useful. So a formal system is said to be consistent
if not all wffs are theorems.
Let’s do some metamathematics. Let’s say that all the wffs of a formal
system are theorems. In this case the formal system is worthless, the rules do
not accomplish anything useful. So a formal system is said to be consistent
if not all wffs are theorems.
Let’s do some metamathematics. Let’s say that all the wffs of a formal
system are theorems. In this case the formal system is worthless, the rules do
not accomplish anything useful. So a formal system is said to be consistent
if not all wffs are theorems.
Proof. We show that b* is not a theorem. The axiom * has no b on the left.
No rules allow the introduction of a b on the left of the *.
Let’s look at the grammar and the inference rules of our example
Let’s look at the grammar and the inference rules of our example
We see that the grammar is decidable, i.e. there is an algorithm that,
given a formula, it will answer YES if the formula is a wff and NO if it
is not
Let’s look at the grammar and the inference rules of our example
We see that the grammar is decidable, i.e. there is an algorithm that,
given a formula, it will answer YES if the formula is a wff and NO if it
is not
Here is the grammar algorithm: given a formula X, count the number of
*. If the count is 1, answer YES, otherwise answer NO.
Let’s look at the grammar and the inference rules of our example
We see that the grammar is decidable, i.e. there is an algorithm that,
given a formula, it will answer YES if the formula is a wff and NO if it
is not
Here is the grammar algorithm: given a formula X, count the number of
*. If the count is 1, answer YES, otherwise answer NO.
The inference rules are also rigged in this special way, i.e. they are also
decidable
Let’s look at the grammar and the inference rules of our example
We see that the grammar is decidable, i.e. there is an algorithm that,
given a formula, it will answer YES if the formula is a wff and NO if it
is not
Here is the grammar algorithm: given a formula X, count the number of
*. If the count is 1, answer YES, otherwise answer NO.
The inference rules are also rigged in this special way, i.e. they are also
decidable
By this we mean that for each rule, there is an algorithm that, given a
finite set of wffs, it will answer YES if the rule is applicable to them and
NO if it is not
Let’s look at the grammar and the inference rules of our example
We see that the grammar is decidable, i.e. there is an algorithm that,
given a formula, it will answer YES if the formula is a wff and NO if it
is not
Here is the grammar algorithm: given a formula X, count the number of
*. If the count is 1, answer YES, otherwise answer NO.
The inference rules are also rigged in this special way, i.e. they are also
decidable
By this we mean that for each rule, there is an algorithm that, given a
finite set of wffs, it will answer YES if the rule is applicable to them and
NO if it is not
For example, the algorithm for rule 4 is: find *. If we can find an a on
its left and a b on its right, then the answer is YES, otherwise it is NO.
Let’s look at the grammar and the inference rules of our example
We see that the grammar is decidable, i.e. there is an algorithm that,
given a formula, it will answer YES if the formula is a wff and NO if it
is not
Here is the grammar algorithm: given a formula X, count the number of
*. If the count is 1, answer YES, otherwise answer NO.
The inference rules are also rigged in this special way, i.e. they are also
decidable
By this we mean that for each rule, there is an algorithm that, given a
finite set of wffs, it will answer YES if the rule is applicable to them and
NO if it is not
For example, the algorithm for rule 4 is: find *. If we can find an a on
its left and a b on its right, then the answer is YES, otherwise it is NO.
Only one thing is left unclear: what exactly is an algorithm?
What is an algorithm?
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
The astonishing thing is that many alternative definitions kept coming,
and . . .
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
The astonishing thing is that many alternative definitions kept coming,
and . . .
All formal definitions of ‘algorithm’ were proven to be equivalent!
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
The astonishing thing is that many alternative definitions kept coming,
and . . .
All formal definitions of ‘algorithm’ were proven to be equivalent!
This equivalence theorem is one of the great accomplishments of the
20th century mathematics
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
The astonishing thing is that many alternative definitions kept coming,
and . . .
All formal definitions of ‘algorithm’ were proven to be equivalent!
This equivalence theorem is one of the great accomplishments of the
20th century mathematics
The best known definitions are: Gödel’s recursive functions, Turing ma-
chines and Church’s Lambda Calculus
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
The astonishing thing is that many alternative definitions kept coming,
and . . .
All formal definitions of ‘algorithm’ were proven to be equivalent!
This equivalence theorem is one of the great accomplishments of the
20th century mathematics
The best known definitions are: Gödel’s recursive functions, Turing ma-
chines and Church’s Lambda Calculus
I Turing machines led to imperative languages like C, Java, C#
What is an algorithm?
Informally we know it is something that can be expressed in a finite
number of steps, some sort of program maybe containing loops
Other informal ways to describe algorithms: computable or, the original
term used by Hilbert, finitary
It took a lot of work to come up with a convincing formal definition
The astonishing thing is that many alternative definitions kept coming,
and . . .
All formal definitions of ‘algorithm’ were proven to be equivalent!
This equivalence theorem is one of the great accomplishments of the
20th century mathematics
The best known definitions are: Gödel’s recursive functions, Turing ma-
chines and Church’s Lambda Calculus
I Turing machines led to imperative languages like C, Java, C#
I Church’s Lambda Calculus led to functional languages like Lisp,
ML, Haskell
Formal Software Development Program Overview March 8, 2011 20 / 187
What is formal software development Metamathematics
This overview is not the place to describe any of the above formal defi-
nitions of computability
This overview is not the place to describe any of the above formal defi-
nitions of computability
(we’ll cover this in the ‘Logic and Computation’ course)
This overview is not the place to describe any of the above formal defi-
nitions of computability
(we’ll cover this in the ‘Logic and Computation’ course)
All we need to know for now is that such a rigorous definition exists
This overview is not the place to describe any of the above formal defi-
nitions of computability
(we’ll cover this in the ‘Logic and Computation’ course)
All we need to know for now is that such a rigorous definition exists
Therefore, decidability, which lacked the rigorous definition of algorithm,
is now rigorously defined
This overview is not the place to describe any of the above formal defi-
nitions of computability
(we’ll cover this in the ‘Logic and Computation’ course)
All we need to know for now is that such a rigorous definition exists
Therefore, decidability, which lacked the rigorous definition of algorithm,
is now rigorously defined
For all formal systems, the grammar is always rigged so that it is decidable
This overview is not the place to describe any of the above formal defi-
nitions of computability
(we’ll cover this in the ‘Logic and Computation’ course)
All we need to know for now is that such a rigorous definition exists
Therefore, decidability, which lacked the rigorous definition of algorithm,
is now rigorously defined
For all formal systems, the grammar is always rigged so that it is decidable
The inference rules are also rigged so that they are decidable
This overview is not the place to describe any of the above formal defi-
nitions of computability
(we’ll cover this in the ‘Logic and Computation’ course)
All we need to know for now is that such a rigorous definition exists
Therefore, decidability, which lacked the rigorous definition of algorithm,
is now rigorously defined
For all formal systems, the grammar is always rigged so that it is decidable
The inference rules are also rigged so that they are decidable
In one sentence, formal systems have computability built-in
So, for any theory that can be described algorithmically (and that’s all we
really need, but that’s philosophy), whether a mathematical theory, a
software theory, a physics theory, etc . . . , there is a formal system that can
describe it.
DANS is decidable
ip be
d
sk ay
pe
m
DANS is decidable
ip be
d
sk ay
pe
m
Mathematical Induction
ip be
d
sk ay
pe
m
Mathematical Induction
ip be
d
sk ay
pe
m
Mathematical Induction
n
n(n + 1)
∑i= 2
(1)
i=0
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
1 Let P(n) be the property given by (1)
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
1 Let P(n) be the property given by (1)
0(0 + 1)
2 P(0) is true, because 0 =
2
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
1 Let P(n) be the property given by (1)
0(0 + 1)
2 P(0) is true, because 0 =
2
k
k(k + 1)
3 Assume P(k) is true, i.e. ∑i=
i=0 2
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
1 Let P(n) be the property given by (1)
0(0 + 1)
2 P(0) is true, because 0 =
2
k
k(k + 1)
3 Assume P(k) is true, i.e. ∑i=
i=0 2
k+1
k(k + 1) k(k + 1) + 2(k + 1) (k + 1)(k + 2)
4 Then ∑i= + (k + 1) = =
i=0 2 2 2
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
1 Let P(n) be the property given by (1)
0(0 + 1)
2 P(0) is true, because 0 =
2
k
k(k + 1)
3 Assume P(k) is true, i.e. ∑i=
i=0 2
k+1
k(k + 1) k(k + 1) + 2(k + 1) (k + 1)(k + 2)
4 Then ∑i= + (k + 1) = =
i=0 2 2 2
k+1
(k + 1)(k + 2)
5 But ∑i= is exactly P(k + 1)
i=0 2
n
n(n + 1)
∑i= 2
(1)
i=0
Proof:
1 Let P(n) be the property given by (1)
0(0 + 1)
2 P(0) is true, because 0 =
2
k
k(k + 1)
3 Assume P(k) is true, i.e. ∑i=
i=0 2
k+1
k(k + 1) k(k + 1) + 2(k + 1) (k + 1)(k + 2)
4 Then ∑i= + (k + 1) = =
i=0 2 2 2
k+1
(k + 1)(k + 2)
5 But ∑i= is exactly P(k + 1)
i=0 2
6 By mathematical induction, the formula (1) is true for all n ∈ N
Formal Software Development Program Overview March 8, 2011 28 / 187
What is formal software development Decidability
Proof.
Let’s consider the wffs having the property (called P) that they contain
Proof.
Let’s consider the wffs having the property (called P) that they contain
I a single *
Proof.
Let’s consider the wffs having the property (called P) that they contain
I a single *
I only a’s on the left, only b’s on the right
Proof.
Let’s consider the wffs having the property (called P) that they contain
I a single *
I only a’s on the left, only b’s on the right
I less a’s than b’s
Proof.
Let’s consider the wffs having the property (called P) that they contain
I a single *
I only a’s on the left, only b’s on the right
I less a’s than b’s
We will prove that all theorems have this property. The metaproof is by
induction on the length of the object proof.
If the proof has length 1, then the theorem must be * and this has the
property P
If the proof has length 1, then the theorem must be * and this has the
property P
Assume all theorems whose proofs have length smaller or equal to n have
this property P
If the proof has length 1, then the theorem must be * and this has the
property P
Assume all theorems whose proofs have length smaller or equal to n have
this property P
Let p1 , . . . , pn+1 be a proof of length n + 1. Then pn+1 must have been
deduced from pn by one of the rules 2,3, or 4. Now since the proof of pn
has length n, by the induction hypothesis, pn has property P. But then
pn+1 must also have property P because rules 2,3, and 4 all preserve this
property.
We will also see in the section on code verification, that the main method of
verification is using an axiomatic semantics of the programming language to
do induction over the structure of the program.
We will also see in the section on code verification, that the main method of
verification is using an axiomatic semantics of the programming language to
do induction over the structure of the program. So if induction is so
important for both the study of formal systems themselves and their
applications to software verification, why not do everything with an inductive
prover?
We will also see in the section on code verification, that the main method of
verification is using an axiomatic semantics of the programming language to
do induction over the structure of the program. So if induction is so
important for both the study of formal systems themselves and their
applications to software verification, why not do everything with an inductive
prover?
Some software development can indeed be based on PRA and inductive
provers
We will also see in the section on code verification, that the main method of
verification is using an axiomatic semantics of the programming language to
do induction over the structure of the program. So if induction is so
important for both the study of formal systems themselves and their
applications to software verification, why not do everything with an inductive
prover?
Some software development can indeed be based on PRA and inductive
provers
We study them in the ‘Lisp and Inductive Provers’ course
We will also see in the section on code verification, that the main method of
verification is using an axiomatic semantics of the programming language to
do induction over the structure of the program. So if induction is so
important for both the study of formal systems themselves and their
applications to software verification, why not do everything with an inductive
prover?
Some software development can indeed be based on PRA and inductive
provers
We study them in the ‘Lisp and Inductive Provers’ course
Best known such prover: ACL2
But we need a larger set of provers, some more automatic, some more
interactive
But we need a larger set of provers, some more automatic, some more
interactive
This is an engineering job, look at many provers and decide what you
need
But we need a larger set of provers, some more automatic, some more
interactive
This is an engineering job, look at many provers and decide what you
need
There are big differences between them
But we need a larger set of provers, some more automatic, some more
interactive
This is an engineering job, look at many provers and decide what you
need
There are big differences between them
FOL Provers: more automatic, many efficient decision procedures can
be added
But we need a larger set of provers, some more automatic, some more
interactive
This is an engineering job, look at many provers and decide what you
need
There are big differences between them
FOL Provers: more automatic, many efficient decision procedures can
be added
HOL provers: powerful, but require more trust and more theory
But we need a larger set of provers, some more automatic, some more
interactive
This is an engineering job, look at many provers and decide what you
need
There are big differences between them
FOL Provers: more automatic, many efficient decision procedures can
be added
HOL provers: powerful, but require more trust and more theory
Type theory provers: even more powerful, but require even more trust
and theory
But we need a larger set of provers, some more automatic, some more
interactive
This is an engineering job, look at many provers and decide what you
need
There are big differences between them
FOL Provers: more automatic, many efficient decision procedures can
be added
HOL provers: powerful, but require more trust and more theory
Type theory provers: even more powerful, but require even more trust
and theory
(why is trust an issue? Because the more powerful the logic, the easier
it is to become inconsistent)
In papers, books, www, etc . . . the terms formal system, logic system,
logic calculus, logic are used interchangeably (e.g., lambda calculus, but
combinatory logic). We’ll follow this loose tradition.
In papers, books, www, etc . . . the terms formal system, logic system,
logic calculus, logic are used interchangeably (e.g., lambda calculus, but
combinatory logic). We’ll follow this loose tradition.
In papers, books, www, etc . . . the terms formal system, logic system,
logic calculus, logic are used interchangeably (e.g., lambda calculus, but
combinatory logic). We’ll follow this loose tradition. On the other hand
the term theory is generally used in a more precise sense; namely it
is a specification of a special set of symbols (called a signature) and
additional rules, on top of a base formal system.
In papers, books, www, etc . . . the terms formal system, logic system,
logic calculus, logic are used interchangeably (e.g., lambda calculus, but
combinatory logic). We’ll follow this loose tradition. On the other hand
the term theory is generally used in a more precise sense; namely it
is a specification of a special set of symbols (called a signature) and
additional rules, on top of a base formal system.
Often a logic includes a meaning for the language (i.e. a semantics); our
formal systems don’t.
In papers, books, www, etc . . . the terms formal system, logic system,
logic calculus, logic are used interchangeably (e.g., lambda calculus, but
combinatory logic). We’ll follow this loose tradition. On the other hand
the term theory is generally used in a more precise sense; namely it
is a specification of a special set of symbols (called a signature) and
additional rules, on top of a base formal system.
Often a logic includes a meaning for the language (i.e. a semantics); our
formal systems don’t.
Sometimes a logic does not include a proof calculus, it includes only a
semantics!
Machines
language: rules:
Machines
Machines
Machines
Machines
Machines
Machines
Machines
Machines
language: rules:
L-DANS R-DANS
... ...
language: rules:
L-DANS R-DANS
So let’s take the DANS language (L-
DANS) and the rules (R-DANS) and build
a machine around this formal system.
Meta
Level
YES
YES
language: rules:
L-DANS R-DANS
Object Level
tactics
checking
default Proof OK?
Meta
Level
YES
Object Level
tactics
checking
default Proof OK?
Meta
Level
YES
tactics
checking
default Proof OK?
Meta
Level
YES
Meta
Level
YES
YES
Notice the tactics buttons
language: rules:
L-DANS R-DANS
Object Level
tactics
checking
default Proof OK?
Meta
Level
YES
Notice the tactics buttons
Some of the most powerful ma-
chines are used interactively
language: rules:
L-DANS R-DANS
Object Level
tactics
checking
default Proof OK?
Meta
Level
YES
Notice the tactics buttons
Some of the most powerful ma-
chines are used interactively
language: rules:
The built-in tactics help you build L-DANS R-DANS
the proof in the input area
Object Level
tactics
checking
default Proof OK?
Meta
Level
YES
Notice the tactics buttons
Some of the most powerful ma-
chines are used interactively
language: rules:
The built-in tactics help you build L-DANS R-DANS
the proof in the input area
Object Level
These tactics pack a lot of punch
#1: * (r1); #2: *b
(#1,r2); #3: a*b (#2,r3);
tactics
checking
default Proof OK?
Meta
Level
YES
Notice the tactics buttons
Some of the most powerful ma-
chines are used interactively
language: rules:
The built-in tactics help you build L-DANS R-DANS
the proof in the input area
Object Level
These tactics pack a lot of punch
#1: * (r1); #2: *b
Many provers allow you to write (#1,r2); #3: a*b (#2,r3);
Meta
Level
YES
Notice the tactics buttons
Some of the most powerful ma-
chines are used interactively
language: rules:
The built-in tactics help you build L-DANS R-DANS
the proof in the input area
Object Level
These tactics pack a lot of punch
#1: * (r1); #2: *b
Many provers allow you to write (#1,r2); #3: a*b (#2,r3);
YES
Notice the tactics buttons
Some of the most powerful ma-
chines are used interactively
language: rules:
The built-in tactics help you build L-DANS R-DANS
the proof in the input area
Object Level
These tactics pack a lot of punch
#1: * (r1); #2: *b
Many provers allow you to write (#1,r2); #3: a*b (#2,r3);
Object Level
tactics
checking
Proof OK?
Meta
Level
checking
Proof OK?
auto strategy
default Theorem?
Meta
Level
Automatic provers
Automatic provers
Object Level
tactics
checking
Proof OK?
auto strategy
resolution Theorem?
Meta
Level
Automatic provers
tactics
checking
Proof OK?
auto strategy
resolution Theorem?
Meta
Level
Automatic provers
tactics
checking
Proof OK?
auto strategy
resolution Theorem?
Meta
Level
Automatic provers
Meta
Level
Automatic provers
strategy
Meta
Level
Decision procedures
Decision procedures
language: rules:
Object Level
tactics
checking
Proof OK?
auto strategy
Theorem?
Meta
Level
Decision procedures
Object Level
tactics
checking
Proof OK?
auto strategy
Theorem?
Meta
Level
Decision procedures
tactics
checking
Proof OK?
auto strategy
Theorem?
decision proc
... Theorem?
(Y/N) Meta
Level
Decision procedures
Decision procedures
Decision procedures
It is easier if you pick a property of the formulas that does not change
as rules get applied
It is easier if you pick a property of the formulas that does not change
as rules get applied
That property will give you a decision procedure
It is easier if you pick a property of the formulas that does not change
as rules get applied
That property will give you a decision procedure
Warning: games are difficult, try them only after you gain some experi-
ence
It is easier if you pick a property of the formulas that does not change
as rules get applied
That property will give you a decision procedure
Warning: games are difficult, try them only after you gain some experi-
ence
Alternative: take DANS and make it more interesting, by adding more
language and more rules
For us, both 2 and 3 are important, so our definitions account for this
need
For us, both 2 and 3 are important, so our definitions account for this
need
To begin with, for us syntax = language, and nothing else, i.e.:
For us, both 2 and 3 are important, so our definitions account for this
need
To begin with, for us syntax = language, and nothing else, i.e.:
1 A lexical structure
For us, both 2 and 3 are important, so our definitions account for this
need
To begin with, for us syntax = language, and nothing else, i.e.:
1 A lexical structure
2 A grammatical structure
lexical grammar
language
Model Checking
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Some formal systems have both a proof calculus and such a decision
procedure
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Some formal systems have both a proof calculus and such a decision
procedure
This the best of worlds, because you can switch between proof search
and counterexample search
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Some formal systems have both a proof calculus and such a decision
procedure
This the best of worlds, because you can switch between proof search
and counterexample search
It is the interaction between the two that makes things interesting
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Some formal systems have both a proof calculus and such a decision
procedure
This the best of worlds, because you can switch between proof search
and counterexample search
It is the interaction between the two that makes things interesting
Just like in informal mathematics, you need to acquire a feel of when to
look for a proof and when to look for a counterexample
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Some formal systems have both a proof calculus and such a decision
procedure
This the best of worlds, because you can switch between proof search
and counterexample search
It is the interaction between the two that makes things interesting
Just like in informal mathematics, you need to acquire a feel of when to
look for a proof and when to look for a counterexample
Most of formal software development is a continuous back-and-forth be-
tween theorem proving and model checking
Model Checking
Model checking is a special decision procedure that is extracted from a
model semantics
Model checking produces counterexamples for a formula that is not a
theorem
Some formal systems have both a proof calculus and such a decision
procedure
This the best of worlds, because you can switch between proof search
and counterexample search
It is the interaction between the two that makes things interesting
Just like in informal mathematics, you need to acquire a feel of when to
look for a proof and when to look for a counterexample
Most of formal software development is a continuous back-and-forth be-
tween theorem proving and model checking
In the program, we will develop some engineering experience allowing us
to decide when to switch from one to the other
Formal Software Development Program Overview March 8, 2011 59 / 187
Implementing formal systems Model Checking
Model Checking
Model Checking
Model Checking
Model Checking
Model Checking
Model Checking
Model Checking
Model Checking
Model Checking
Object Level
tactics
checking
default Proof OK?
auto strategy
default Theorem?
Meta
Level
Object Level
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Mizar
Formal Software Development Program Overview March 8, 2011 62 / 187
Implementing formal systems Machines for mathematics and software
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Mizar
Formal Software Development Program Overview March 8, 2011 62 / 187
Implementing formal systems Machines for mathematics and software
Meta
Level
Mizar
Formal Software Development Program Overview March 8, 2011 62 / 187
Implementing formal systems Machines for mathematics and software
mathematics Coq
Formal Software Development Program Overview March 8, 2011 62 / 187
Implementing formal systems Machines for mathematics and software
language: rules:
... ZFC
Refining requirements analysis your model
Object Level
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Event-B
Formal Software Development Program Overview March 8, 2011 63 / 187
Implementing formal systems Machines for mathematics and software
language: rules:
... rewriting logic
Refining requirements analysis your model
Object Level
Building executable models
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 63 / 187
Implementing formal systems Machines for mathematics and software
language: rules:
... temporal logic
Refining requirements analysis your model
Object Level
Building executable models
Building a concurrent model
tactics
checking
... Proof OK?
auto strategy
... Theorem?
decision proc
... Theorem?
(Y/N) Meta
Level
SPIN
Formal Software Development Program Overview March 8, 2011 63 / 187
Implementing formal systems Machines for mathematics and software
language: rules:
... CIC + C semantics
Refining requirements analysis your program
Object Level
Building executable models
Building a concurrent model
tactics
Verify total correctness
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Coq
Formal Software Development Program Overview March 8, 2011 63 / 187
Implementing formal systems Machines for mathematics and software
language: rules:
... HOL + C semantics
Refining requirements analysis your program
Object Level
Building executable models
Building a concurrent model
tactics
Verify total correctness
checking
Verify safety properties ... Proof OK?
auto strategy
... Theorem?
Meta
Level
Isabelle
Formal Software Development Program Overview March 8, 2011 63 / 187
When are proofs used
Proofs may be used during all phases of the software waterfall model:
Conceptual integrity
Conceptual integrity
Conceptual integrity
Conceptual integrity
Conceptual integrity
Conceptual integrity
‘ Formal proofs for specific properties have been conducted for smaller
kernels, but what we have done is a general, functional correctness
proof which has never before been achieved for real-world, high-
performance software of this complexity or size. ’
Edges between
vertices are function
calls
An abstract func-
tional specification
of seL4 is given
The C implemen-
tation is proven to
satisfy this specifi-
cation
http://ertos.
nicta.com.au/
research/
Formal Software Development Program Overview March 8, 2011 78 / 187
When are proofs used The Robbins conjecture
Object Level
tactics
checking
... Proof OK?
auto strategy
McCune Theorem?
Meta
Level
EQP
Formal Software Development Program Overview March 8, 2011 79 / 187
When are proofs used The Robbins conjecture
tactics
checking
... Proof OK?
auto strategy
McCune Theorem?
Meta
Level
EQP
Formal Software Development Program Overview March 8, 2011 79 / 187
When are proofs used The Robbins conjecture
Meta
Level
EQP
Formal Software Development Program Overview March 8, 2011 79 / 187
When are proofs used The Robbins conjecture
Meta
Level
EQP
Formal Software Development Program Overview March 8, 2011 79 / 187
When are proofs used The Robbins conjecture
Assurance levels in US
Assurance levels in US
Assurance levels in US
Assurance levels in US
Assurance levels in US
Assurance levels in US
Assurance levels in US
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 86 / 187
e scie
What formal software development is not Some controversy
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 86 / 187
e scie
What formal software development is not Some controversy
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 86 / 187
e scie
What formal software development is not Some controversy
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 86 / 187
e scie
What formal software development is not Some controversy
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 86 / 187
e scie
What formal software development is not Some controversy
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 86 / 187
e scie
What formal software development is not Some controversy
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 87 / 187
e scie
What formal software development is not Some controversy
During the 80’s and 90’s perceived downtime, many people ignored the
lack of enthusiasm for formalism and developed efficient algorithms for
high-complexity problems, that performed remarkably well in practical
situations
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 87 / 187
e scie
What formal software development is not Some controversy
During the 80’s and 90’s perceived downtime, many people ignored the
lack of enthusiasm for formalism and developed efficient algorithms for
high-complexity problems, that performed remarkably well in practical
situations
Many of the most successful logical frameworks were born in this period
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 87 / 187
e scie
What formal software development is not Some controversy
During the 80’s and 90’s perceived downtime, many people ignored the
lack of enthusiasm for formalism and developed efficient algorithms for
high-complexity problems, that performed remarkably well in practical
situations
Many of the most successful logical frameworks were born in this period
This not-so-visible successes led to the current revival of formal methods
in software development
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 87 / 187
e scie
What formal software development is not Some controversy
During the 80’s and 90’s perceived downtime, many people ignored the
lack of enthusiasm for formalism and developed efficient algorithms for
high-complexity problems, that performed remarkably well in practical
situations
Many of the most successful logical frameworks were born in this period
This not-so-visible successes led to the current revival of formal methods
in software development
We are at the beginning of a forceful and active period of formal software
development
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 87 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 88 / 187
e scie
What formal software development is not Engineering or science?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Engineering or science?
Software engineering made huge advances, without waiting for the sci-
ence
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Engineering or science?
Software engineering made huge advances, without waiting for the sci-
ence
It’s been one of the most astonishing engineering disciplines of our time
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Engineering or science?
Software engineering made huge advances, without waiting for the sci-
ence
It’s been one of the most astonishing engineering disciplines of our time
We can’t say ‘Stop, you have to learn formal systems before you write
one more line of C code’
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Engineering or science?
Software engineering made huge advances, without waiting for the sci-
ence
It’s been one of the most astonishing engineering disciplines of our time
We can’t say ‘Stop, you have to learn formal systems before you write
one more line of C code’
What we do say is that some training in formal systems is becoming
necessary
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Engineering or science?
Software engineering made huge advances, without waiting for the sci-
ence
It’s been one of the most astonishing engineering disciplines of our time
We can’t say ‘Stop, you have to learn formal systems before you write
one more line of C code’
What we do say is that some training in formal systems is becoming
necessary
For critical software, this has been clear for some time
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Engineering or science?
Software engineering made huge advances, without waiting for the sci-
ence
It’s been one of the most astonishing engineering disciplines of our time
We can’t say ‘Stop, you have to learn formal systems before you write
one more line of C code’
What we do say is that some training in formal systems is becoming
necessary
For critical software, this has been clear for some time
But the benefits of formal systems are that they lead to a different way
of thinking about software, any software, not just critical software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 89 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 90 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 90 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 90 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 90 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 90 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 90 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 91 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 91 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 91 / 187
e scie
What formal software development is not Are formal methods providing certainty?
That’s all, and that’s all we’ll ever get. But this is also all that we need to
get!
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 91 / 187
e scie
What formal software development is not Are formal methods providing certainty?
That’s all, and that’s all we’ll ever get. But this is also all that we need to
get! This qualified claim of correctness is based on a chain of trust, shown in
the following slide.
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 91 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Relative correctness
Assuming that:
the hardware and the OS work properly
the compiler of your logical tool works properly
the logic behind the tool is consistent
the tool implements the logic correctly
your theory is consistent with the logic
your proof is checked by the logical tool
then
your proof is correct.
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 92 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 93 / 187
e scie
What formal software development is not Are formal methods providing certainty?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 94 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
It this true?
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 95 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 96 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 96 / 187
e scie
What formal software development is not Not just another development methodology
It has also been mentioned in the context of formal methods. But formal
methods are not just a technology. Their scientific component has Not just
y. Not ut
continuously advanced upward, as any science does. odolog
t ju st a meth a dogma. B
N o t e. . No ind soft
war
Formal Software Development Program Overview process8,n2011
a March ce beh 96 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 97 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 97 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 97 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 97 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 97 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 97 / 187
e scie
What formal software development is not Not just another development methodology
Not just software with math but also math with software
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 98 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 99 / 187
e scie
What formal software development is not Not just another development methodology
Absolutely not!
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 99 / 187
e scie
What formal software development is not Not just another development methodology
Absolutely not!
Any link in the chain of trust can fail!
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 99 / 187
e scie
What formal software development is not Not just another development methodology
Absolutely not!
Any link in the chain of trust can fail!
Informal testing needs to exclude common-sense faults . . .
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 99 / 187
e scie
What formal software development is not Not just another development methodology
Absolutely not!
Any link in the chain of trust can fail!
Informal testing needs to exclude common-sense faults . . .
There are various estimates for the radius of the universe. One of the
original formulas for such a radius was a beautiful one and had a beautiful
proof. It took years before someone bothered to plug in all the numbers
and do the calculation.
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 99 / 187
e scie
What formal software development is not Not just another development methodology
Absolutely not!
Any link in the chain of trust can fail!
Informal testing needs to exclude common-sense faults . . .
There are various estimates for the radius of the universe. One of the
original formulas for such a radius was a beautiful one and had a beautiful
proof. It took years before someone bothered to plug in all the numbers
and do the calculation. It came to about 4 inches.
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process8,n2011
a March ce beh 99 / 187
e scie
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process
aMarch nce beh 100 / 187
8,ie2011
e sc
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process
aMarch nce beh 100 / 187
8,ie2011
e sc
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process
aMarch nce beh 100 / 187
8,ie2011
e sc
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process
aMarch nce beh 100 / 187
8,ie2011
e sc
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process
aMarch nce beh 100 / 187
8,ie2011
e sc
What formal software development is not Not just another development methodology
Not
t just
gy. No
a m et hodolo ma. But
o t ju st a d o g
N . Not ind software.
Formal Software Development Program Overview process
aMarch nce beh 100 / 187
8,ie2011
e sc
What formal software development is not Not just another development methodology
Impact of concurrency
sequential
log
ic
ge
ts
functional ha imperative
rde
r
concurrent
sequential
p
(se rogr
ma am
functional nti tr imperative
cal ans
ly fom
eq a
uiv tio
ale n
nt)
concurrent
Correctness properties
Correctness properties
Correctness properties
What properties do we verify? At the high end sits the total correctness of
the program relative to a specification.
Correctness properties
What properties do we verify? At the high end sits the total correctness of
the program relative to a specification.
Correctness properties
What properties do we verify? At the high end sits the total correctness of
the program relative to a specification.
Correctness properties
What properties do we verify? At the high end sits the total correctness of
the program relative to a specification.
Correctness properties
What properties do we verify? At the high end sits the total correctness of
the program relative to a specification.
Concurrency properties
Concurrency properties
Concurrency properties
Concurrency properties
Concurrency properties
Debug assertions
Debug assertions
We saw that imperative programs are harder to reason about. Assertions are
one of the more intuitive ways to reason about imperative programs.
Debug assertions
We saw that imperative programs are harder to reason about. Assertions are
one of the more intuitive ways to reason about imperative programs.
Debug assertions
We saw that imperative programs are harder to reason about. Assertions are
one of the more intuitive ways to reason about imperative programs.
Debug assertions
We saw that imperative programs are harder to reason about. Assertions are
one of the more intuitive ways to reason about imperative programs.
Now we must make the assertions explicit and attach them to critical
control points in the code with the understanding that they must be valid
for all the states that may reach that control point.
Now we must make the assertions explicit and attach them to critical
control points in the code with the understanding that they must be valid
for all the states that may reach that control point.
Some of these assertions are pre-conditions and post-conditions that we
attach to all the function definitions in our code.
Now we must make the assertions explicit and attach them to critical
control points in the code with the understanding that they must be valid
for all the states that may reach that control point.
Some of these assertions are pre-conditions and post-conditions that we
attach to all the function definitions in our code.
The verifying compiler (a smarter compiler, backed by a logical tool)
combines these assertions with the formal semantics of the program-
ming language being used and obtains formulas (i.e. theorems) which
its logical back-end must subsequently prove.
Axiomatic semantics
Axiomatic semantics
One of the most intuitive and most used formal semantics for imperative
programming languages. Your program s is a composition of various
commands written in the language. Then its behavior can be viewed as a
state (or predicate) transformer:
{P} s {Q}
where P is a pre-condition (a predicate on the state of the system) and Q is
the post-condition (another predicate on the state of the system).
Axiomatic semantics
One of the most intuitive and most used formal semantics for imperative
programming languages. Your program s is a composition of various
commands written in the language. Then its behavior can be viewed as a
state (or predicate) transformer:
{P} s {Q}
where P is a pre-condition (a predicate on the state of the system) and Q is
the post-condition (another predicate on the state of the system).
Need to have the semantics of each statement in the language
Axiomatic semantics
One of the most intuitive and most used formal semantics for imperative
programming languages. Your program s is a composition of various
commands written in the language. Then its behavior can be viewed as a
state (or predicate) transformer:
{P} s {Q}
where P is a pre-condition (a predicate on the state of the system) and Q is
the post-condition (another predicate on the state of the system).
Need to have the semantics of each statement in the language
Each such semantics is given by a rule
Axiomatic semantics
One of the most intuitive and most used formal semantics for imperative
programming languages. Your program s is a composition of various
commands written in the language. Then its behavior can be viewed as a
state (or predicate) transformer:
{P} s {Q}
where P is a pre-condition (a predicate on the state of the system) and Q is
the post-condition (another predicate on the state of the system).
Need to have the semantics of each statement in the language
Each such semantics is given by a rule
Then use induction on the structure of the program s to prove that if the
state of the system satisfies P and s is executed, then upon termination of
s, the state of the system satisfies Q. This is partial correctness, because
we still need to separately prove that s does indeed terminate.
You may view assertions as a natural progression of the idea that comments
come first (because code is written for people just as much as it it written
for machines):
You may view assertions as a natural progression of the idea that comments
come first (because code is written for people just as much as it it written
for machines):
1 Kernighan & Ritchie: write good comments, i.e. comments that explain
the intent of the code
You may view assertions as a natural progression of the idea that comments
come first (because code is written for people just as much as it it written
for machines):
1 Kernighan & Ritchie: write good comments, i.e. comments that explain
the intent of the code
2 Knuth’s literate programming: reverse the order of importance, com-
ments come first, code is the comment
You may view assertions as a natural progression of the idea that comments
come first (because code is written for people just as much as it it written
for machines):
1 Kernighan & Ritchie: write good comments, i.e. comments that explain
the intent of the code
2 Knuth’s literate programming: reverse the order of importance, com-
ments come first, code is the comment
3 Assertions are the best comments, they represent the logic behind the
program
This is clearly an important issue since it may very well be that your code
calls more operating-system or platform (Java/.NET) API functions than
functions that are defined in your program (and to which you can add as
many assertions as you need). These user-mode APIs have complicated
semantics. So, are such pre-conditions, post-conditions and invariants being
developed for operating-system or platform APIs?
This is clearly an important issue since it may very well be that your code
calls more operating-system or platform (Java/.NET) API functions than
functions that are defined in your program (and to which you can add as
many assertions as you need). These user-mode APIs have complicated
semantics. So, are such pre-conditions, post-conditions and invariants being
developed for operating-system or platform APIs?
1 Yes (but not enough), we’ll look at some solutions for Linux and Java
This is clearly an important issue since it may very well be that your code
calls more operating-system or platform (Java/.NET) API functions than
functions that are defined in your program (and to which you can add as
many assertions as you need). These user-mode APIs have complicated
semantics. So, are such pre-conditions, post-conditions and invariants being
developed for operating-system or platform APIs?
1 Yes (but not enough), we’ll look at some solutions for Linux and Java
2 Yes (but not enough), we’ll look at some solutions for Windows and
.NET
Unix/Linux example:
(This example uses traditional System V semaphores, a Posix semaphore would have a similarly complicated semantics.)
DESCRIPTION This function returns the semaphore set identifier associated with the argument key. A new set of
nsems semaphores is created if key has the value IPC PRIVATE or if no existing semaphore set is
associated to key and IPC CREAT is asserted in semflg (i.e. semflg & IPC CREAT isn’t zero). The
presence in semflg of the fields IPC CREAT and IPC EXCL plays the same role, with respect to the
existence of the semaphore set, as the presence of O CREAT and O EXCL in the mode argument
of the open(2) system call: i.e. the semget function fails if semflg asserts both IPC CREAT and
IPC EXCL and a semaphore set already exists for key. Upon creation, the low-order 9 bits of the
argument semflg define the access permissions (for owner, group and others) for the semaphore set.
These bits have the same format, and the same meaning, as the mode argument in the open(2)
or creat(2) system calls (though the execute permissions are not meaningful for semaphores, and
write permissions mean permission to alter semaphore values).
When creating a new semaphore set, semget initializes the semaphore set’s associated data struc-
ture semid ds as follows:
sem perm.cuid and sem perm.uid are set to the effective user-ID of the calling process. sem perm.cgid
and sem perm.gid are set to the effective group-ID of the calling process. The low-order 9 bits of
sem perm.mode are set to the low-order 9 bits of semflg. sem nsems is set to the value of nsems.
sem otime is set to 0. sem ctime is set to the current time. The argument nsems can be 0 (a
don’t care) when a semaphore set is not being created. Otherwise nsems must be greater than 0
and less than or equal to the maximum number of semaphores per semaphore set (SEMMSL).
If the semaphore set already exists, the access permissions are verified.
RETURN VALUE If successful, the return value will be the semaphore set identifier (a nonnegative integer), otherwise
-1 is returned, with errno indicating the error. ERRORS On failure errno will be set to one of
the following: EACCES A semaphore set exists for key, but the calling process does not have
permission to access the set. EEXIST A semaphore set exists for key and semflg was asserting
both IPC CREAT and IPC EXCL. ENOENT No semaphore set exists for key and semflg wasn’t
asserting IPC CREAT. EINVAL nsems is less than 0 or greater than the limit on the number of
semaphores per semaphore set (SEMMSL), or a semaphore set corresponding to key already exists,
and nsems is larger than the number of semaphores in that set. ENOMEM A semaphore set has
to be created but the system has not enough memory for the new data structure. ENOSPC A
semaphore set has to be created but the system limit for the maximum number of semaphore sets
(SEMMNI), or the system wide maximum number of semaphores (SEMMNS), would be exceeded.
1 the microkernel seL4 has about 7,500 lines of C code; proof obligations
discharged with Isabelle
1 the microkernel seL4 has about 7,500 lines of C code; proof obligations
discharged with Isabelle
2 the hypervisor Hyper-V has 60,000 lines of C; a lot of work using VCC,
proof obligations discharged mostly with Z3
1 the microkernel seL4 has about 7,500 lines of C code; proof obligations
discharged with Isabelle
2 the hypervisor Hyper-V has 60,000 lines of C; a lot of work using VCC,
proof obligations discharged mostly with Z3
3 we’ll learn in the program the VCC tool used for the verification of Hyper-
V
Common roots
Common future
theorem/proof specification/program
tactics tactics
checking checking
Proof OK? Proof OK?
auto strategy auto strategy
Theorem? Theorem?
decision proc decision proc
Theorem? Theorem?
(Y/N) Meta (Y/N) Meta
Level Level
A quote of a quote
‘ But this self-examination (my note: of mathematics by mathematical means) did have
wonderful and totally unexpected consequences in an area far re-
moved from its original goals. It played a big role in the development
of the most successful technology of our age, the computer, which
after all is just a mathematical machine, a machine for doing mathe-
matics. As E.T. Bell put it, the attempt to soar above mathematics
ended in the bowels of a computer! ’
Since we refer to these professions often, and ignore all others, we need some
clarification. It’s easier to define what a mathematician does: mathematics.
With software the situation is more complicated, as there are: software
engineers, computer systems analysts, developers, programmers, QA
engineers, software managers, database designers, etc . . . All of them do
software, and with formal methods in mind, these distinctions get in the way.
Since we refer to these professions often, and ignore all others, we need some
clarification. It’s easier to define what a mathematician does: mathematics.
With software the situation is more complicated, as there are: software
engineers, computer systems analysts, developers, programmers, QA
engineers, software managers, database designers, etc . . . All of them do
software, and with formal methods in mind, these distinctions get in the way.
Since we refer to these professions often, and ignore all others, we need some
clarification. It’s easier to define what a mathematician does: mathematics.
With software the situation is more complicated, as there are: software
engineers, computer systems analysts, developers, programmers, QA
engineers, software managers, database designers, etc . . . All of them do
software, and with formal methods in mind, these distinctions get in the way.
Valid argument coming from the mathematical side: Why don’t engineers
use the logical tools produced in academia/industrial research centers?
Valid argument coming from the mathematical side: Why don’t engineers
use the logical tools produced in academia/industrial research centers?
Valid argument coming from the engineering side: Why are the logical tools
so unfriendly, unpolished, and under-performing? Why should we trust a tool
that proves concurrency theorems when the tool itself does not use
concurrency?
Valid argument coming from the mathematical side: Why don’t engineers
use the logical tools produced in academia/industrial research centers?
Valid argument coming from the engineering side: Why are the logical tools
so unfriendly, unpolished, and under-performing? Why should we trust a tool
that proves concurrency theorems when the tool itself does not use
concurrency?
When mathematicians look at the output of a logical tool, they gasp: It
looks like code!
Valid argument coming from the mathematical side: Why don’t engineers
use the logical tools produced in academia/industrial research centers?
Valid argument coming from the engineering side: Why are the logical tools
so unfriendly, unpolished, and under-performing? Why should we trust a tool
that proves concurrency theorems when the tool itself does not use
concurrency?
When mathematicians look at the output of a logical tool, they gasp: It
looks like code!
When engineers look at the output of a logical tool, they gasp: It looks
like math!
There are four views about the state of software engineers’ mathematical
knowledge:
There are four views about the state of software engineers’ mathematical
knowledge:
1 Hopeless
There are four views about the state of software engineers’ mathematical
knowledge:
1 Hopeless
2 Bad, but it could be fixed
There are four views about the state of software engineers’ mathematical
knowledge:
1 Hopeless
2 Bad, but it could be fixed
3 Bad, but it must be fixed
There are four views about the state of software engineers’ mathematical
knowledge:
1 Hopeless
2 Bad, but it could be fixed
3 Bad, but it must be fixed
4 Not bad
There are four views about the state of software engineers’ mathematical
knowledge:
1 Hopeless
2 Bad, but it could be fixed
3 Bad, but it must be fixed
4 Not bad
There are four views about the state of software engineers’ mathematical
knowledge:
1 Hopeless
2 Bad, but it could be fixed
3 Bad, but it must be fixed
4 Not bad
My personal experience agrees with item 4. But regardless of my views, the
point is that we cannot conceivably accept either 1 or 2; even if they were
true, we have to turn things around and move 1 and 2 towards 3 and then
on towards 4. The stakes are too high. This program is a small step.
First of all, categories are special formal systems in which only the
equational aspects matter, i.e.
First of all, categories are special formal systems in which only the
equational aspects matter, i.e.
the proofs of the same theorem are indistinguishable
First of all, categories are special formal systems in which only the
equational aspects matter, i.e.
the proofs of the same theorem are indistinguishable
only the fact that there exists such a proof matters
First of all, categories are special formal systems in which only the
equational aspects matter, i.e.
the proofs of the same theorem are indistinguishable
only the fact that there exists such a proof matters
First of all, categories are special formal systems in which only the
equational aspects matter, i.e.
the proofs of the same theorem are indistinguishable
only the fact that there exists such a proof matters
Graphs
ip be
d
sk ay
pe
m
Graphs
ip be
Categories are special proof calculi and proof calculi are special
d
sk ay
pe
m
directed graphs. Directed graphs should be more familiar (and proof calculi,
after reading so far) .
Graphs
ip be
Categories are special proof calculi and proof calculi are special
d
sk ay
pe
m
directed graphs. Directed graphs should be more familiar (and proof calculi,
after reading so far) .
graph
f :A→B
Graphs
ip be
Categories are special proof calculi and proof calculi are special
d
sk ay
pe
m
directed graphs. Directed graphs should be more familiar (and proof calculi,
after reading so far) .
graph
f :A→B
h
d
sk ay
pe
m
B
f k
g
A C
n i
D
p l
m
With proof calculi, the terminology changes, vertices are formulas and
edges are proofs.
proof calculus
Rules of inference
ip be
d
sk ay
pe
m
Rules of inference
ip be
d
sk ay
pe
m
These conditions can be written as rules of inference (this explains why they
are called ‘proof calculi’):
rlIdentity
1A : A → A
f :A→B g:B→C
rlModusPonens
g◦f : A → C
category
h ◦ (g ◦ f ) = (h ◦ g) ◦ f rlAssociativity
For all f : A → B
f ◦ 1A = 1B ◦ f = f rlUnit
category
h ◦ (g ◦ f ) = (h ◦ g) ◦ f rlAssociativity
For all f : A → B
f ◦ 1A = 1B ◦ f = f rlUnit
With categories the perspective also changes, and the emphasis is now on
the equations introduced by the associativity and the unit rules. The only
example of a category that we need here: Sets, with sets as objects and
functions as morphisms (verify that all the rules apply).
Formal Software Development Program Overview March 8, 2011 149 / 187
Mathematics and Software Induction explained by category theory
Commutative diagrams
ip be
d
sk ay
pe
m
Commutative diagrams
ip be
d
sk ay
pe
m
Commutative diagrams
ip be
d
sk ay
pe
m
f 1A
A B A A
g f
g◦f h◦g f f
h 1B
C D B B
rlAssociativity rlUnit
Functors
ip be
d
sk ay
pe
m
Functors
ip be
d
Functors
ip be
d
functor
A functor F between categories C and D is a map F : C → C taking objects of
C to objects of D and morphisms f : A → B of C to morphisms Ff : FA → FB
of D, such that
F(g ◦ f ) = Fg ◦ Ff
F(1A ) = 1FA
Polynomial endofunctors
ip be
d
sk ay
pe
m
Polynomial endofunctors
ip be
d
sk ay
pe
m
Polynomial endofunctors
ip be
d
sk ay
pe
m
The × and + operations can be defined more generally for objects A and B
of any category through certain ‘universal properties’ which do not concern
us here, except that these universal properties give us two functors:
X → A × X and X → A + X for some fixed A; the values on morphisms is
given correspondingly. This allows us to build polynomial endofunctors on
the category Sets:
Polynomial endofunctors
ip be
d
sk ay
pe
m
The × and + operations can be defined more generally for objects A and B
of any category through certain ‘universal properties’ which do not concern
us here, except that these universal properties give us two functors:
X → A × X and X → A + X for some fixed A; the values on morphisms is
given correspondingly. This allows us to build polynomial endofunctors on
the category Sets:
u
1 X
m
X ×X X
u
1 X
m
X ×X X
In the category Sets, the object 1 stands for a one-element set, {∗}. (By the
way, monoids are themselves categories, and the collection of all monoids is also a
category, a sign of how broad the concept of category is)
Fmonoid (X) = 1 + X 2
Fmonoid (X) = 1 + X 2
Fmonoid (X) = 1 + X 2
F-algebras
ip be
d
sk ay
pe
m
F-algebras
ip be
d
sk ay
F-algebra
pe
m
α : FA → A
F-algebras
ip be
d
sk ay
F-algebra
pe
m
α : FA → A
F-algebras
ip be
d
sk ay
F-algebra
pe
m
α : FA → A
Fh
FA FB
α β
h
A B
F-algebras
ip be
d
sk ay
pe
m
F-algebras
ip be
d
sk ay
pe
m
F-algebras
ip be
d
sk ay
pe
m
FA FB
α β
A B
F-algebras
ip be
d
sk ay
pe
m
FA FB
α β
h
A B
F-algebras
ip be
d
sk ay
pe
m
What is the relationship between the two? What do they really mean?
Initiality, a categorial concept, gives us the answer. This is a typical example
of why we lean on categories: our program is large and we would not have
the time to motivate recursion and induction many times over. We do it
once, at the most abstract, conceptual level.
Specifically, the fact that a data type admits an initial algebra semantics
means exactly that we can define functions on it recursively and we can
prove things about these functions inductively. Let’s look at the simplest
case, the data type of natural numbers.
The data type of natural numbers, Nat, is defined as follows (we use
Haskell syntax, but any other functional language would do):
The data type of natural numbers, Nat, is defined as follows (we use
Haskell syntax, but any other functional language would do):
The type has a signature consisting of the constant Zero and the unary
operation S. This structure is embodied by the endofunctor Fnat (X) = 1 + X.
The data type of natural numbers, Nat, is defined as follows (we use
Haskell syntax, but any other functional language would do):
The type has a signature consisting of the constant Zero and the unary
operation S. This structure is embodied by the endofunctor Fnat (X) = 1 + X.
Let’s look at the set of natural numbers N, with the constant 0 ∈ N and
function s : N → N given by s(n) = n + 1, in other words we look at the
Fnat -algebra (N, (0, s)).
The data type of natural numbers, Nat, is defined as follows (we use
Haskell syntax, but any other functional language would do):
The type has a signature consisting of the constant Zero and the unary
operation S. This structure is embodied by the endofunctor Fnat (X) = 1 + X.
Let’s look at the set of natural numbers N, with the constant 0 ∈ N and
function s : N → N given by s(n) = n + 1, in other words we look at the
Fnat -algebra (N, (0, s)).
The data type of natural numbers, Nat, is defined as follows (we use
Haskell syntax, but any other functional language would do):
The type has a signature consisting of the constant Zero and the unary
operation S. This structure is embodied by the endofunctor Fnat (X) = 1 + X.
Let’s look at the set of natural numbers N, with the constant 0 ∈ N and
function s : N → N given by s(n) = n + 1, in other words we look at the
Fnat -algebra (N, (0, s)).
To say that (N, (0, s)) is the initial object in the category of
Fnat -algebras means, according to the definitions of F-algebras and initiality,
that there exists a unique h : N → X that makes the following diagram
commute:
Fnat (h)
1+N 1+X
(0, s) (u, f )
h
N X
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
(Existence) There exists a function h : N → X such that h(0) = a and
h(S(n)) = f (h(n))
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
(Existence) There exists a function h : N → X such that h(0) = a and
h(S(n)) = f (h(n))
(Uniqueness) If a function g : N → X is such that g(0) = a and g(S(n)) =
f (g(n)), then this function must be h
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
(Existence) There exists a function h : N → X such that h(0) = a and
h(S(n)) = f (h(n))
(Uniqueness) If a function g : N → X is such that g(0) = a and g(S(n)) =
f (g(n)), then this function must be h
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
(Existence) There exists a function h : N → X such that h(0) = a and
h(S(n)) = f (h(n))
(Uniqueness) If a function g : N → X is such that g(0) = a and g(S(n)) =
f (g(n)), then this function must be h
So, the existence part of initiality expresses definition by recursion while the
uniqueness part of initiality expresses proof by induction.
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
(Existence) There exists a function h : N → X such that h(0) = a and
h(S(n)) = f (h(n))
(Uniqueness) If a function g : N → X is such that g(0) = a and g(S(n)) =
f (g(n)), then this function must be h
So, the existence part of initiality expresses definition by recursion while the
uniqueness part of initiality expresses proof by induction. There is no better
way to understand induction and recursion than through initiality.
By looking at the previous diagram, we see that initiality of (N, (0, s))
means two things:
(Existence) There exists a function h : N → X such that h(0) = a and
h(S(n)) = f (h(n))
(Uniqueness) If a function g : N → X is such that g(0) = a and g(S(n)) =
f (g(n)), then this function must be h
So, the existence part of initiality expresses definition by recursion while the
uniqueness part of initiality expresses proof by induction. There is no better
way to understand induction and recursion than through initiality.
Having said that, note that the terms induction and recursion are often
interchanged: data can be called inductive or recursive, functions can be
called inductive or recursive, etc...
The type List A with signature consisting of constant [], and unary cons,
has initial algebra semantics, with F(X) = 1 + A × X.
The type List A with signature consisting of constant [], and unary cons,
has initial algebra semantics, with F(X) = 1 + A × X.
I We have a very pleasant explanation of why lists are so important
in software, their functor is the linear function!
The type List A with signature consisting of constant [], and unary cons,
has initial algebra semantics, with F(X) = 1 + A × X.
I We have a very pleasant explanation of why lists are so important
in software, their functor is the linear function!
I If we take A to be 1, we recover the fact that the natural numbers
are lists over the set with one element: 0=[]; 1=[*]; 2=[**] . . .
The type List A with signature consisting of constant [], and unary cons,
has initial algebra semantics, with F(X) = 1 + A × X.
I We have a very pleasant explanation of why lists are so important
in software, their functor is the linear function!
I If we take A to be 1, we recover the fact that the natural numbers
are lists over the set with one element: 0=[]; 1=[*]; 2=[**] . . .
The type Tree (unlabeled binary tree) with signature consisting of con-
stant Leaf, and binary Branch, has initial algebra semantics, with F(X) =
1 + X2.
The type List A with signature consisting of constant [], and unary cons,
has initial algebra semantics, with F(X) = 1 + A × X.
I We have a very pleasant explanation of why lists are so important
in software, their functor is the linear function!
I If we take A to be 1, we recover the fact that the natural numbers
are lists over the set with one element: 0=[]; 1=[*]; 2=[**] . . .
The type Tree (unlabeled binary tree) with signature consisting of con-
stant Leaf, and binary Branch, has initial algebra semantics, with F(X) =
1 + X2.
The type Tree A (labeled binary tree with leaves of type A) with signature
consisting of constant Leaf A, and binary Branch, has initial algebra
semantics, with F(X) = A + A × X 2 .
Let’s note the difference between a data type and its semantics, i.e.
m
the type of natural numbers, Nat, and its model (N, 0, s). One belongs to a
programming language, the other is a mathematical object. Part of our work
on formalizing software is to make these distinctions clear.
Let’s note the difference between a data type and its semantics, i.e.
m
the type of natural numbers, Nat, and its model (N, 0, s). One belongs to a
programming language, the other is a mathematical object. Part of our work
on formalizing software is to make these distinctions clear.
Let’s note the difference between a data type and its semantics, i.e.
m
the type of natural numbers, Nat, and its model (N, 0, s). One belongs to a
programming language, the other is a mathematical object. Part of our work
on formalizing software is to make these distinctions clear.
sort Nat .
op zero : → Nat .
op s : Nat → Nat .
Object Level
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 165 / 187
Mathematics and Software Algebraic data types
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 165 / 187
Mathematics and Software Algebraic data types
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 165 / 187
Mathematics and Software Algebraic data types
Maude
Formal Software Development Program Overview March 8, 2011 165 / 187
Mathematics and Software Algebraic data types
Object Level
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 166 / 187
Mathematics and Software Algebraic data types
tactics
checking
... Proof OK?
auto strategy
... Theorem?
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 166 / 187
Mathematics and Software Algebraic data types
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 166 / 187
Mathematics and Software Algebraic data types
Meta
Level
Maude
Formal Software Development Program Overview March 8, 2011 166 / 187
Mathematics and Software Algebraic data types
you the impression that, in the advanced sequence of the program, we’ll
chase unnecessarily abstract mathematics at the expense of practical
applications. Quite the contrary, we need to find a way to speed up towards
engineering goals. The truth is that while these applications of category
theory are not particularly deep, they do establish a very effective vocabulary
for us to use.
you the impression that, in the advanced sequence of the program, we’ll
chase unnecessarily abstract mathematics at the expense of practical
applications. Quite the contrary, we need to find a way to speed up towards
engineering goals. The truth is that while these applications of category
theory are not particularly deep, they do establish a very effective vocabulary
for us to use.
About labs
. . . it means that we are branching out of the slide presentation and into a
computer session on either Linux or Windows. We call these branch-outs
‘labs’.
What follows here is a set of very quick labs (less than 5 minutes each) to
give you an idea of the sort of tools that we use in this program and why we
use them.
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
One goal is for you to understand most of the concepts of formal software
development in about 3 years.
After that period, you should be able to:
Many of the tools we study are complex systems that have at least a
syntactical front-end and a logical back-end implementing a certain logic.
You will learn to judge the effectiveness of these tools, their tradeoffs and
their suitability for certain practical applications. There are many questions
to ask when contemplating formal software development with a specific tool.
Many of the tools we study are complex systems that have at least a
syntactical front-end and a logical back-end implementing a certain logic.
You will learn to judge the effectiveness of these tools, their tradeoffs and
their suitability for certain practical applications. There are many questions
to ask when contemplating formal software development with a specific tool.
General questions:
Many of the tools we study are complex systems that have at least a
syntactical front-end and a logical back-end implementing a certain logic.
You will learn to judge the effectiveness of these tools, their tradeoffs and
their suitability for certain practical applications. There are many questions
to ask when contemplating formal software development with a specific tool.
General questions:
Many of the tools we study are complex systems that have at least a
syntactical front-end and a logical back-end implementing a certain logic.
You will learn to judge the effectiveness of these tools, their tradeoffs and
their suitability for certain practical applications. There are many questions
to ask when contemplating formal software development with a specific tool.
General questions:
Many of the tools we study are complex systems that have at least a
syntactical front-end and a logical back-end implementing a certain logic.
You will learn to judge the effectiveness of these tools, their tradeoffs and
their suitability for certain practical applications. There are many questions
to ask when contemplating formal software development with a specific tool.
General questions:
Many of the tools we study are complex systems that have at least a
syntactical front-end and a logical back-end implementing a certain logic.
You will learn to judge the effectiveness of these tools, their tradeoffs and
their suitability for certain practical applications. There are many questions
to ask when contemplating formal software development with a specific tool.
General questions:
Your work experience will play an essential role in understanding some of the
engineering aspects of formal software development. In this process, it is the
feedback you will provide during and after classes that will contribute to the
program’s strength.
Your work experience will play an essential role in understanding some of the
engineering aspects of formal software development. In this process, it is the
feedback you will provide during and after classes that will contribute to the
program’s strength.
Consequently, you are expected to:
Your work experience will play an essential role in understanding some of the
engineering aspects of formal software development. In this process, it is the
feedback you will provide during and after classes that will contribute to the
program’s strength.
Consequently, you are expected to:
Your work experience will play an essential role in understanding some of the
engineering aspects of formal software development. In this process, it is the
feedback you will provide during and after classes that will contribute to the
program’s strength.
Consequently, you are expected to:
Your work experience will play an essential role in understanding some of the
engineering aspects of formal software development. In this process, it is the
feedback you will provide during and after classes that will contribute to the
program’s strength.
Consequently, you are expected to:
Your work experience will play an essential role in understanding some of the
engineering aspects of formal software development. In this process, it is the
feedback you will provide during and after classes that will contribute to the
program’s strength.
Consequently, you are expected to:
Learn to estimate the effort to program in JML or Spec#, rather than Java
or C#. Learn to estimate the effort to add verification of safety properties
(buffer overflow, arithmetic overflow, null pointer dereference, division by
zero) to a C program. Learn to estimate the effort to design a concurrent
model of the system that is being built. A example of such estimate would
be:
N = lines of code
theorems = 2 × N
proof lines = 20 × theorems
Program Structure
Program Structure
Program Structure
Program Structure
Program Structure
Program Structure
Program Structure
Term
Lisp and Higher
Logic Rewriting
Inductive Order
with C++
Provers Logic Logic and
Compu-
tation
ML Category
implemen- Theory
Languages advanced
tation
and sequence Type
sequence
Provers Systems
Reasoning
Formal
Formal Software with
Semantics
Computer Development Models
Algebra Concurrency
Systems and Model
Checking
Recommended books I
Jean-Raymond Abrial
Modeling in Event-B System and Software Engineering
Cambridge University Press, 2010.
Recommended books II
John Harrison
Handbook Of Practical Logic And Automated Reasoning
Springer-Verlag, 2009.
Gerard J. Holzmann
The SPIN Model Checker: Primer and Reference Manual
Addison-Wesley, 2004.
Conclusion