1. TSC Workshop, May 2008, U Oklahoma 1 Teaching Software Correctness May 13-15, 2008, University of Oklahoma Rex Page, U Oklahomapage@ou.edu Assistants Carl Eastlund (lead), Northeastern Ucce@ccs.neu.edu Ryan Ralston, U Oklahomastrawdog@ou.edu Zac White, U Oklahomazacwhite@gmail.com http://www.cs.ou.edu/~rlpage/SEcollab/tsc 1 Collaboration with Matthias Felleisen - NSF/DUE 0633664, 0813529, 0632872063366408135290632872 Session 01 — 9:00-10:15, May 13

2. TSC Workshop, May 2008, U Oklahoma 2 Goals  New CS-course content at some schools  Predicate-based testing  Mechanical logic to verify software properties Strategy  Go through material from SE at OU  30% of 3-credit course (4 of 15 lecture-weeks)  Coverage of coherent subsets: 1 to 3 weeks  Lab projects  To gain a student-like experience Hard part  Convincing yourself that it's important  Material is unusual … many students will resist  Instructor zeal transfers to some students  Instructor apathy transfers to all students  Devising projects that students can do  Instructors must solve assignments beforehand Benefits  New appreciation meaning of "correctness"  Prep for future programming environments  A few students ready to lead next decade

3. TSC Workshop, May 2008, U Oklahoma 3 History Years of rumination about software education defect control equation-based programs 2003 SE course Programs: Scheme (DrScheme) Verify correctness: ACL2 2004 SE course Program/Verify: ACL2 File I/O only 2005 SE course ACL2, File I/O ESC paper, FDPE'05 2006 SE course DrACuLA prog'g environment File I/O + GUI 2007 SE course DrACuLa prog's env with DoubleCheck 2008 plans DrACuLa + DblChk + Modules

4. TSC Workshop, May 2008, U Oklahoma 4 4  Low defect rate  Process  Design  Quality  Predictable quality  Reliable schedule  Do it right not necessarily fast  Primarily for people  Think “Strunk and White” The Three Themes of SE-I PSP - Humphrey Equation-Based Programming ACL2 – J Moore Lisp with mechanical logic Besides a mathematical inclination, an exceptionally good mastery of one's native tongue is the most vital asset of a competent programmer. — Dijkstra

5. TSC Workshop, May 2008, U Oklahoma 5 5 Provably Correct Software 300 Years in the Making If we had some exact language … or at least a kind of truly philosophic writing, in which the ideas were reduced to a kind of alphabet of human thought, then all that follows rationally from what is given could be found by a kind of calculus, just as arithmetical or geometrical problems are solved. - Gottfried Leibniz (about 1700) Symbolic logic - Boole, Frege, Peano, … (mid to late 1800s) Formal logic - Gentzen, Church, Curry, Gödel, … (1930s) Mechanized logic - Boyer & Moore, Milner, … (late 1900s)

6. TSC Workshop, May 2008, U Oklahoma 6  Lisp programs  Expressed as equations defining software properties  Restricted to "true functions" Every invocation of f(2) delivers the same value (unlike C, C++ …)  Computation model: substitution of equals for equals  Programming model Program specifies properties … interpretation derives process Conventional: program specifies process … properties implicit  Derivable properties expressed as logic formulas  Turing equivalence  All computations are expressible through equations  Equation-based software (Lisp, ML, Haskell …) can model conventional software (C, C++, Java, …) and vice versa  Lisp versus C  Compiled Lisp slower … 10% to order of magnitude  C development tools more advanced … but DrACuLa and ACL2s are moving in the right direction ACL2 – a mechanized logic ACL2 = (ACL) 2 = ACLACL A Computational Logic for Applicative Common Lisp

7. TSC Workshop, May 2008, U Oklahoma 7 Example Software Property append (here called “cat”) is associative  Defined properites (axioms) (defun cat (xs ys) (if (null xs) ys ; (cat nil ys) = ys (cons (car xs) (cat (cdr xs) ys)))) ; (cat (list x 1 x 2 …) ys) = (cons x 1 (cat (list x 2 …) ys))  Derived property (theorem) (defthm append-is-associative (implies(and (true-listp xs) (true-listp ys)) (equal(cat xs (cat ys zs)) (cat (cat xs ys) zs))))) axiom 1 axiom 2 theorem  Proof  List-induction on xs Base case: xs = nil Inductive case: xs = (cons (car xs) (cdr xs)) inductive definition

8. TSC Workshop, May 2008, U Oklahoma 8 Append is Associative inductive case  (equal (cat xs (cat ys zs)) (cat (cons (car xs) (cdr xs)) (cat ys zs)))  (equal (cat (cons (car xs) (cdr xs)) (cat ys zs)) (cons (car xs) (cat (cdr xs) (cat ys zs))))  (equal (cons (car xs) (cat (cdr xs) (cat ys zs)) ) (cons (car xs) (cat (cat (cdr xs) ys) zs)) )  (equal (cons (car xs) (cat (cat (cdr xs) ys) zs)) (cat (cons (car xs) (cat (cdr xs) ys) zs))) )  (equal (cat (cons (car xs) (cat (cdr xs) ys) zs) ) (cat (cat (cons (car xs) (cdr xs)) ys) zs) )  (equal (cat (cat (cons (car xs) (cdr xs)) ys) zs) (cat (cat xs ys) zs) ) Induction hypothesis  xs = (cons (car xs) (cdr xs)) (defun cat (xs ys) (if (null xs) ys; = (cat nil ys) (cons (car xs) (cat (cdr xs) ys)))); = (cat xs ys)

9. TSC Workshop, May 2008, U Oklahoma 9 Mechanization Is Necessary without it, you get lost in details  Even simple properties lead to big proofs  Associativity proof (as presented) lacks many details  Millions of details in proofs about big programs People can’t keep track of millions of details But, computers can Computers couldn’t 10 years ago – not enough capacity  People formulate properties … computers push details Proof organized into lemmas — like software in modules On the level of “rigorous” mathematical proof –Not fully formal Some lemma architectures are better than others –Just as some modular decompositions of software are superior Formulation of properties is a big task –Experience and judgment required — as in software development

10. TSC Workshop, May 2008, U Oklahoma 10 Things That Have Been Done with ACL2  AMD Athlon (K7) floating point processor (1999)  AMD division circuit verified correct After 1994/97 Pentium division bugs  Property (implies (and (floating-point-numberp p 15 64) (floating-point-numberp d 15 64) (not (equal d 0)) (rounding-modep mode)) (equal (divide p d mode) (round (/ p d) mode)))…  Other commercial applications  Motorola DSP microcode  Rockwell Collins AAMP7 avionics software  Numerous NSA applications  … “high assurance software” …

11. TSC Workshop, May 2008, U Oklahoma 11 Testing versus Proving  Testing  AMD floating-point AMD test suite of 80-million cases wasn’t enough –Hardware with bugs passed all 80-million tests Huge finite number of cases (2 15+64  2 15+64 = 2 158 ) –Cannot complete test before sun runs out of fuel ACL2 proof covers all cases  Proofs cover all cases  Associativity proof was for any xs, ys, zs That is, an infinite number of “test cases”  Testing cannot ensure correctness  Testing + logic can ensure that software satisfies essential properties

12. TSC Workshop, May 2008, U Oklahoma 12 Applicative Common Lisp the programming language part of ACL2

13. TSC Workshop, May 2008, U Oklahoma 13 Data in ACL2  Atoms  Numbers Integer, rational, complex (decimal, binary, octal, hex) –5, -12, 17/10, -17/10, #c(0, 1), #b101, #o-14, #x11/A, #x-11/A No floating point numbers (no intrinsic sqrt function)  Characters: #\A, #\b, #\1, #\9, #\Newline, #\Space, …  Strings: "Kauffmann, Manolios, & Moore #0-7923-7757-5"  Symbols: nil, t, bob, next-term  Conses (dotted pairs, binary trees)  (a. b)  ((a. left). (b. right))  (1. nil), abbreviation: (1)  (x.(y.(z. nil))), abbreviation: (x y z)  nil, abbreviation: ( )  (x.(y.(z. g))), abbreviation: (x y z. g)  ((x. 1).((y. 2). ((z. 3). nil))), abbreviation ((x. 1) (y. 2) (z. 3))  Abbreviation rule When a dot is followed by left paren, delete the dot, the left paren, and the matching right paren When a dot is followed by a nil, delete both … or something like that true lists: nil (element. true-list) All ACL2 data structures come down to these basics

14. TSC Workshop, May 2008, U Oklahoma 14 Syntax of ACL2 - Formulas Prefix formulas only No infix, No postfix  Suppressed evaluation  Single-quote (apostrophe) prefixing formula suppresses evaluation Known as a “quoted expression” (synonyms: “formula” = “expression”) A quoted exp’n denotes the atom or dotted pair following the quote  Example: '((a b c) (d (e f) g) h) or: (quote ((a b c) (d (e f) g) h))  This is the entire Lisp syntax  Well…okay…There are a few exceptions. Here’s one (others later):  Numbers, chars, and strings automatically denote data No single-quote mark needed for these atoms Nor for pre-defined symbols, such as nil and T  Formula for evaluation  (op-symbol opnd 1 opnd 2 … opnd n ) op-symbol must a symbol denoting an operator –Formula denotes value delivered by operator, with given operands Operands may be formulas, defined symbols, or literals Each operator will require a specific number of operands

15. TSC Workshop, May 2008, U Oklahoma 15 Basic ACL2 Operators (intrinsics)  Building pairs and extracting parts  car, cdr, and cons operators – defining equations (car (cons x ys )) = x (cdr (cons x ys )) = ys (car any-formula-denoting-nil ) = nil (cdr any-formula-denoting-nil ) = nil x, ys — any formula  Selecting between formulas  “if” operator – defining equations (if any-formula-not-denoting-nil x y) = x (if any-formula-denoting-nil x y) = y  Detecting equal values  “equal” operator (equal x y ) = T if x and y are formulas denoting the same value (equal x y ) = nil if x and y are formulas denoting different values  Discriminating atoms, conses, and empty lists  endp, null, atom, consp – defining equations (null x ) = (equal x nil) (consp (cons x y )) = T (atom (cons x y )) = nil (atom x ) = (null (consp x )) (endp xs ) = (atom xs ) – allowed only on true lists x, y, xs — any formula These operators, plus a way to define new operators, are sufficient to describe any computation

16. TSC Workshop, May 2008, U Oklahoma 16 Defining Operators in ACL2  Exercise  Define an operator to deliver the 3rd and 4th elements  Assume the operand is a list of at least four elements abbreviation of (car (cdr xs))  defun – a “special form”  (defun f (a 1 a 2 … a n ) v) f, a symbol, names the operator being defined a i, a symbol, stands for the i th operand (n may be zero) v, a formula, specifies the value the operator will deliver abbreviation of (cons (car xs) (cons (cadr xs) nil))  After the defun, (f u 1 u 2 … u n ) denotes the formula v with each occurrence of a i replaced by the formula u i  defun has effect of attaching a name to an operator defun is a “command” – commands alter the current ACL2 world –Ordinary formulas do not alter the world defun does not deliver a value –Ordinary formulas do deliver values  Examples  (defun drop-two (xs) (cdr (cdr xs))) (drop-two i’(a b c d e)) = (c d e) (drop-two (drop-two i’(a b c d e))) = (e)  (defun take-two (xs) (list (car xs) (cadr xs))) (take-two i’(a b c d e)) = (a b)

17. TSC Workshop, May 2008, U Oklahoma 17  Solution 1 (defun 3rd&4th (xs) (list (caddr xs) (cadddr xs)))  Solution 2 (defun 3rd&4th-another-way (xs) (take-two (drop-two xs)))  Predicate-based testing (defconst *num-tests* 10) (defproperty 3rd&4th=3rd&4th-another-way *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (3rd&4th xs) (3rd&4th-another-way xs))) Commands defconst defproperty property name random variable random value for xs - list of up to n random syms expected property of xs (predicate) expected property to test for (predicate) Solutions number of tests to run

18. TSC Workshop, May 2008, U Oklahoma 18 Commands defconst defproperty property name random variable random value for xs expected property of xs (predicate) expected property to test for (predicate)  Solution 1 (defun 3rd&4th (xs) (list (caddr xs) (cadddr xs)))  Solution 2 (defun 3rd&4th-another-way (xs) (take-two (drop-two xs)))  Predicate-based testing (defconst *num-tests* 10) (defproperty 3rd&4th=3rd&4th-another-way *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (3rd&4th xs) (3rd&4th-another-way xs))) Solutions number of tests to run Let's run a test

19. TSC Workshop, May 2008, U Oklahoma 19  Solution 1 (defun 3rd&4th (xs) (list (caddr xs) (cadddr xs)))  Solution 2 (defun 3rd&4th-another-way (xs) (take-two (drop-two xs)))  Predicate-based testing (defconst *num-tests* 10) (defproperty 3rd&4th=3rd&4th-another-way *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (3rd&4th xs) (3rd&4th-another-way xs))) Command defthm Solutions  Theorem (defthm 3rd&4th=3rd&4th-another-way (equal (3rd&4th xs) (3rd&4th-another-way xs))) Maybe it's a theorem

20. TSC Workshop, May 2008, U Oklahoma 20 More Exercises  Logical operators  Define an operator that delivers a value other than nil if neither operand denotes nil, and nil if both operands denote nil (&& formula-denoting-nil any-formula ) = nil (&& any-formula formula-denoting-nil ) = nil (&& non-nil-formula non-nil-formula ) = non-nil-formula  Define an operator that delivers nil if both operands denote nil, and a value other than nil if either operand denotes a non-nil value (|| non-nil-formula any-formula ) = non-nil-formula (|| any-formula non-nil-formula ) = non-nil-formula (|| formula-denoting-nil formula-denoting-nil ) = nil  Define an operator that delivers a value other than nil if its operand denotes nil, and nil if its operand denotes a non-nil value (~ non-nil-formula ) = nil (~ formula-denoting-nil ) = non-nil-formula

21. TSC Workshop, May 2008, U Oklahoma 21 Solutions  Solutions (defun && (x y)(if x y nil)) (defun || (x y)(if x x y)) (defun ~ (x)(if x nil t))  deMorgan laws as ACL2 theorems (defthm deMorgan-or ; ~(x || y) = (~ x) && (~ y) (equal (~ (|| x y)) (&& (~ x) (~ y)))) (defthm deMorgan-and ; ~(x && y) = (~ x) || (~ y) (equal (~ (&& x y)) (|| (~ x) (~ y))))  deMorgan’s laws  ~(x || y) = (~ x) && (~ y)  ~(x && y) = (~ x) || (~ y) negation of "or" is "and" of negations derived properties aka, “theorems” axioms

22. TSC Workshop, May 2008, U Oklahoma 22 More defun Examples (defun rac (xs); (rac xs) = last element of xs (if (endp (cdr xs)) (car xs); (rac (list x)) = x (rac (cdr xs)))); (rac (list x y z …) = (rac (list y z …)) (defun rdc (xs) (if (endp (cdr xs)) nil; (rdc (list x)) = nil (cons (car xs) (rdc (cdr xs))))); (rdc (list x y z …)) = (cons x (rdc (list y z …)))  Define these operators:  Next-to-last element of list (defun rac2 (xs) … )  Drop last two elements (defun rdc2 (xs) …)  Insert at end of list (defun snoc (x xs) …) inductive definitions How to make an inductive definition State properties correctly Cover all cases Inductive part closer to non-inductive case axioms Exercises

23. TSC Workshop, May 2008, U Oklahoma 23 non-inductive equation inductive equation (defun snoc (x xs) (if (endp xs) (list x) ; (snoc x nil) = (list x) (cons (car xs) (snoc x (cdr xs))))) ; (snoc x (list x 1 x 2 …)) = (cons x 1 (snoc x (list x 2 …))) Solutions (defun rac2 (xs) (rac (rdc xs))) (defun rdc2 (xs) (rdc (rdc xs)))  Predicate-based test of rdc (defconst *num-tests* 10) (defproperty rdc-snoc-identity *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (rdc (snoc x xs)) xs))

24. TSC Workshop, May 2008, U Oklahoma 24 non-inductive equation inductive equation (defun snoc (x xs) (if (endp xs) (list x) ; (snoc x nil) = (list x) (cons (car xs) (snoc x (cdr xs))))) ; (snoc x (list x 1 x 2 …)) = (cons x 1 (snoc x (list x 2 …))) Solutions (defun rac2 (xs) (rac (rdc xs))) (defun rdc2 (xs) (rdc (rdc xs)))  Predicate-based test of rdc (defconst *num-tests* 10) (defproperty rdc-snoc-identity *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (rdc (snoc x xs)) xs)) Let’s run this test

25. TSC Workshop, May 2008, U Oklahoma 25 non-inductive equation inductive equation (defun snoc (x xs) (if (endp xs) (list x) ; (snoc x nil) = (list x) (cons (car xs) (snoc x (cdr xs))))) ; (snoc x (list x 1 x 2 …)) = (cons x 1 (snoc x (list x 2 …))) Solutions (defun rac2 (xs) (rac (rdc xs))) (defun rdc2 (xs) (rdc (rdc xs)))  Predicate-based test of rdc (defconst *num-tests* 10) (defproperty rdc-snoc-identity *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (rdc (snoc x xs)) xs)) (defthm rdc-snoc-identity-thm (equal (rdc (snoc x xs)) xs)) Let’s run this test Must be a theorem, eh?

26. TSC Workshop, May 2008, U Oklahoma 26 non-inductive equation inductive equation (defun snoc (x xs) (if (endp xs) (list x) ; (snoc x nil) = (list x) (cons (car xs) (snoc x (cdr xs))))) ; (snoc x (list x 1 x 2 …)) = (cons x 1 (snoc x (list x 2 …))) Solutions (defun rac2 (xs) (rac (rdc xs))) (defun rdc2 (xs) (rdc (rdc xs)))  Predicate-based test of rdc (defconst *num-tests* 10) (defproperty rdc-snoc-identity *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (rdc (snoc x xs)) xs)) (defthm rdc-snoc-identity-thm (equal (rdc (snoc x xs)) xs)) Let’s run this test Must be a theorem, eh? Maybe ACL2 can prove it

27. TSC Workshop, May 2008, U Oklahoma 27 non-inductive equation inductive equation (defun snoc (x xs) (if (endp xs) (list x) ; (snoc x nil) = (list x) (cons (car xs) (snoc x (cdr xs))))) ; (snoc x (list x 1 x 2 …)) = (cons x 1 (snoc x (list x 2 …))) Solutions (defun rac2 (xs) (rac (rdc xs))) (defun rdc2 (xs) (rdc (rdc xs)))  Predicate-based test of rdc (defconst *num-tests* 10) (defproperty rdc-snoc-identity *num-tests* ((n (random-int-between 0 100) (integerp n)) (x (random-symbol) (symbolp x)) (xs (random-list-of (random-symbol) n) (symbol-listp xs))) (equal (rdc (snoc x xs)) xs)) (defthm rdc-snoc-identity-thm (equal (rdc (snoc x xs)) xs)) Let’s run this test Must be a theorem, eh? Maybe not ! What if xs isn’t a true-list?

28. TSC Workshop, May 2008, U Oklahoma 28 non-inductive equation (defun snoc (x xs) (if (endp xs) (list x) ; (snoc x nil) = (list x) (cons (car xs) (snoc x (cdr xs))))) ; (snoc x (list x 1 x 2 …)) = (cons x 1 (snoc x (list x 2 …))) Solutions (defun rac2 (xs) (rac (rdc xs))) (defun rdc2 (xs) (rdc (rdc xs))) (defthm rac-snoc-identity-thm (implies (true-listp xs) (equal (rac (snoc x xs)) x)))) (defthm rdc-snoc-identity-thm (implies (true-listp xs) (equal (rdc (snoc x xs)) xs)) Need true-list hypothesis, so state theorem as implication inductive equation axioms theorems  Properties derivable from axioms ACL2 intrinsic: true-listp (true-listp xs) iff xs=nil or (true-listp (cdr xs))

29. TSC Workshop, May 2008, U Oklahoma 29 How to Write Inductive Definitions aka “ recursive functions”  Three rules  Cover all cases  Specify correct result in each case One formula for each case  Ensure definition is computational At least one non-inductive case All inductive cases make progress towards a non-inductive case (defun snoc (x xs) ; cons, backwards (if (endp xs) (list x) (cons (car xs) (snoc x (cdr xs))))) Follow these rules … write defect-free software (defun f (x) (if (non-inductive-case x) (non-inductive-formula x) (some-other-op (f closer-to-non-inductive-case)))) formula denoting something closer to non-inductive case Structural induction (HtDP design recipe):HtDP when "obviously" closer to non-inductive case

30. TSC Workshop, May 2008, U Oklahoma 30  List operators  cons, car, cdr  list, len, Nth, take, NthCdr, append, reverse  equal, true-listp, null, atom, consp, endp  Numeric operators  Integer, rational, and complex arithmetic:   Integer division: mod, floor, ceiling, round, truncate All require dividend and divisor: (floor 8 3) = 2 Operands may be rationals, but quotients are integers   numeric operands only   abs, min, max integer or rational operands only  zp, posp natural number operand only  Recognizers: natp, integerp, rationalp, acl2-numberp  Character and string operators  char-upcase, char-downcase, char-code, code-char character operands  char<, char<=, …, char-equal character operands  string-append, subseq, string-upcase string operands  string<, string<=, …, string-equal string operands  Converters: ( coerce list-of-chars ‘ String), (coerce string ‘ List)  Recognizers: characterp, stringp Some Intrinsic Operators http://www.cs.utexas.edu/users/moore/acl2/v3-3/PROGRAMMING.html Session 02 Lab: http://www.cs.ou.edu/~rlpage/tsc/ http://www.cs.ou.edu/~rlpage/tsc/

31. TSC Workshop, May 2008, U Oklahoma 31 The End