Presentation is loading. Please wait.

Presentation is loading. Please wait.

NummSquared a new well-founded, functional foundation for formal methods Samuel Howse poohbist.com October 10, 2006 Copyright.

Published byBarnard Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "NummSquared a new well-founded, functional foundation for formal methods Samuel Howse poohbist.com October 10, 2006 Copyright."— Presentation transcript:

1 NummSquared a new well-founded, functional foundation for formal methods Samuel Howse poohbist.com samuelhowse@poohbist.com October 10, 2006 Copyright © 2006 Samuel Howse. All rights reserved.

2 Formal methods Logic and mathematics applied to computer science Prove that implementation is “correct” –Compliant with specification Incorrect specification – a separate issue –Well-behaved Terminates, i.e. does not run forever Memory safety – easier to solve with automatic memory management

3 Some programming paradigms Typical operating system – programmer view: –File system –Interprocess communication –Global state – indeterminate, insecure Imperative paradigm –Side-effects – memory can change unexpectedly Functional paradigm –No side-effects No global state + functional paradigm –More secure –Easier starting point for formal methods

4 Some problems in formal methods Assuming no global state + functional paradigm, ≥ 2 remaining problems: 1.Specification Express specification precisely (math) Express implementation behavior (math) Prove imp. satisfies spec. (logic) 2.Termination – does a program run forever? Turing: general answer cannot be computed Prove special cases (math + logic)

5 1. Specification Integrated approach is 1 language for: –Specification –Implementation –Proof 1 language must be: –A mathematical foundation –A programming language –A logic A typical programming language is too complex to be a mathematical foundation or a logic.

6 2. Termination Does it matter? Just hit Ctrl-C (or Ctrl- Alt-Del and End Process). Non-termination is closely related to (but does not always imply) inconsistency, i.e. exists a proposition P such that P and not(P) both provable. Inconsistency is a critical bug in a logic.

7 Untyped lambda calculus Everything is a function. Everything can be used as an argument. Non-termination: –Let f(x) = x(x). –f(f) → f(f) → f(f) → …

8 Russell’s paradox Russell’s paradox: [Seldin] –In naïve set theory: Let R be the set of all sets that do not contain themselves. Is R in R? –In untyped lambda calculus plus negation –Let R(x) = not(x(x)). –R(R) = not(R(R)). –R(R) is neither true nor false – inconsistency. Can avert paradox by a somehow non- classical logic (e.g. Andrews, Gilmore’s NaDSyL, Grue’s map theory).

9 Type theory Types can ensure termination and avoid paradoxes. But more complex – 2 fundamental concepts: –Type –Function Compile-time type checking is computable. –Benefit – catch some bugs early and automatically –Cost – additional constraints on programmer my research addresses by using runtime coercion instead of compile-time type checking Coq proof assistant –nice mix of computation and proof checking –practical tools, including extraction to OCaml –highly developed

10 Set theory Everything is a set. Well-founded set theory –Membership (ε) is well-founded, i.e. no infinite descending ε chains. –A set is formed “after” its elements. Some well-founded set theories: –Zermelo Fraenkel (ZF) –von Neumann-Bernays-Gödel (NBG) Usually no reduction (computation)

11 Well-founded functions Everything is a function. Well-founded –A function is formed “after” elements of its domain and range. [Jones] –Membership in field of function a well-founded relation Few foundations of this kind, and not popular von Neumann in 1925 –Others changed functions to sets – became NBG Jones’s Pure Functions in 1998 von Neumann and Jones – do not define reduction (computation) or proof

12 NummSquared Everything a function, no types, no side-effects, no global state, well-founded Reduction (computation) and proof Sound: the proposition of a valid proof is true Termination ensured without proofs by programmer Proofs as desired, but not required Classical logic Follows set theory as much as possible Simple variable-free syntax Reflection –NummSquared is its own macro language. –NummSquared is used to manipulate NummSquared proofs.

13 NummSquared coercion for domain membership When calling a function, how to ensure that the argument belongs to the function’s domain? NummSquared coercion: if it isn’t so, then make it so! Type conversion generalized to higher-order (function with function argument) Coerce a function to domain/codomain by applying pre-coercion/post-coercion. NummSquared coercion somewhat related to Howe’s restriction of untyped lambda terms. –Howe does not ensure termination.

14 Semantics: small function extensions p = left(p) p = right(p) zero one pair p p = null null zero = null null one = null one = zero zero leaf null null (base case) null = null rule f f x dom(f) small (no larger than a ZFC set) … null simple

15 Semantics: domain extensions For a rule f, dom(f) is not, in general, amenable to coercion. So dom(f) represented by domain extension (tag): –Same information as a type in type theory –Different purpose – not compile-time type checking, but runtime coercion –Domain extensions never appear directly in NummSquared programs, but are available as small function extensions. Domain extension: –Constant: Null, Nuro (Null or Zero), Leaf, Tree –Combination: dependent sum A – dom(A) contains null and certain pairs dependent product A – dom(A) contains null and certain rules

16 Semantics: coercion For a valid domain extension A and a tagged small function extension f, coercion to A of f, denoted by coer(A, f), is in dom(A). If A is a dependent sum, and f is a pair, coerce left(f) first, then right(f). If A is a dependent product, and f is a rule, add pre-coercion and post-coercion to f: –A contains domain extension family F. –coer(A, f) is the rule r where dom(r) = dom(F) and r = coer(F, f )

17 Semantics: result See NummSquared Formally for: –The precise recursive definition of coercion –Justification of that recursive definition by a well-founded relation Use coercion to define tagged small function extensions over all tagged small function extensions For tagged small function extensions f and x, f(x) = f Coercion and result are computable.

18 Semantics: large function extensions Abstract over all tagged small function extensions f such that, for each tagged small function extension x, f(x) is a tagged small function extension A large function extension is also a proposition extension: –f is true iff, for each tagged small function extension x, f(x) = one

19 NsGo NummSquared interpreter Work in progress Mostly automatically extracted from a Coq program –Enhanced reliability F# and C#.NET assembly –Automatic memory management for free Complete: integrated Coq with MSBuild (Visual Studio build system)

20 NsGo components NummSquared program (string) Parser (ANTLR) NummSquared abstract program (Coq) NummSquared normalized abstract program (Coq) Normalization (Coq) NummSquared normalized program (string) Printer Parser (ANTLR)

21 The Future Continue work on the NsGo, the NummSquared interpreter Equality for rules: –Currently extensional: Functions equal when domains and results equal Equates different algorithms Not computable –Future: Gilmore’s intensional equality and HiLog equality distinguish functions by name. Gilmore’s “use” vs. “mention” distinction. Lambda syntactic sugar Reduction under lambdas Efficient reduction algorithms for coercion

22 References NummSquared 2006a0 Done Formally –poohbist.com –Click on NummSquared 2006a0. My thesis, NummSquared 2006a0 Explained –poohbist.com Other references are in the bibliography of NummSquared Formally. These slides –poohbist.com

23 Supplementary material

24 Domain membership When calling a function, how to ensure that the argument belongs to the function’s domain? Unrestricted domain – untyped lambda calculus Type constraints on programmer Set theory: higher-order domain membership not computable – need proofs by programmer NummSquared: coercion

25 NummSquared coercion summary Coercion to a valid domain extension of a tagged small function extension: –Ensures termination –Avoids paradoxes –Untyped –Supports computation

26 Semantics: small function extensions Well-founded to ensure termination and avoid paradoxes Defined inductively Rule f with: –dom(f) a small subset of small function extensions Small means no larger than a ZF set. –for x in dom(f), f is a small function extension Leaf: null, zero, one –null means absence of relevant information – does not mean 0, false, undefined or non-termination Pair p such that left(p) and right(p) are small function extensions A tree is a small function extension recursively containing only leaves and pairs.

27 NummSquared syntax Variable-free Large functions –Constants –Combinations Proofs –Axioms –Inferences Reflection –Quoting and unquoting large functions –Quoting and unquoting proofs –The quoted representation is a tree. –Quoting is easy because NummSquared is variable-free. See NummSquared Formally for details.

28 Small function extensions in Coq Leaves and pairs are easy. Rules are somewhat similar to Benjamin Werner’s “Sets in Types”. Inductive Func_Sm_Ext : Type := | Func_Sm_Ext_null : Func_Sm_Ext | Func_Sm_Ext_zero : Func_Sm_Ext | Func_Sm_Ext_one : Func_Sm_Ext | Func_Sm_Ext_pair : Func_Sm_Ext -> Func_Sm_Ext -> Func_Sm_Ext | Func_Sm_Ext_rule : forall(A : Type), (A -> Func_Sm_Ext) ->domain: must be 1-1 (A -> Func_Sm_Ext) ->result Func_Sm_Ext. Define appropriate equality on small function extensions

Download ppt "NummSquared a new well-founded, functional foundation for formal methods Samuel Howse poohbist.com October 10, 2006 Copyright."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Completeness and Expressiveness

Completeness and Expressiveness
10 October 2006 Foundations of Logic and Constraint Programming 1 Unification ­An overview Need for Unification Ranked alfabeths and terms. Substitutions.

10 October 2006 Foundations of Logic and Constraint Programming 1 Unification ­An overview Need for Unification Ranked alfabeths and terms. Substitutions.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
8. Introduction to Denotational Semantics. © O. Nierstrasz PS — Denotational Semantics 8.2 Roadmap Overview:  Syntax and Semantics  Semantics of Expressions.

8. Introduction to Denotational Semantics. © O. Nierstrasz PS — Denotational Semantics 8.2 Roadmap Overview:  Syntax and Semantics  Semantics of Expressions.
Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)

Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)
Class 39: Universality cs1120 Fall 2009 David Evans University of Virginia.

Class 39: Universality cs1120 Fall 2009 David Evans University of Virginia.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Fall 20021 Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.

Fall Semantics Juan Carlos Guzmán CS 3123 Programming Languages Concepts Southern Polytechnic State University.
CS 355 – Programming Languages

CS 355 – Programming Languages
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
Complexity 5-1 Complexity Andrei Bulatov Complexity of Problems.

Complexity 5-1 Complexity Andrei Bulatov Complexity of Problems.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.

Similar presentations

Ads by Google