32 research outputs found

    Hoare Semigroups

    A semigroup-based setting for developing Hoare logics and refinement calculi is introduced, together with procedures for translating between verification and refinement proofs. A new Hoare logic for multirelations and two minimalist generic verification and refinement components, implemented in an interactive theorem prover, are presented as applications that benefit from this generalisation.

    Refinement algebra for probabilistic programs

    We identify a refinement algebra for reasoning about probabilistic program transformations in a total-correctness setting. The algebra is equipped with operators that determine whether a program is enabled or terminates, respectively. As well as developing the basic theory of the algebra, we demonstrate how it may be used to explain key differences and similarities between standard (i.e. non-probabilistic) and probabilistic programs and to verify important transformation theorems for probabilistic action systems. (29 pages)

    Demonic Kleene Algebra

    We first recall the concept of Kleene algebra with domain (KAD). Then we explain how to use the KAD operators to define a partial order called demonic refinement, as well as other demonic operators (several of these definitions come from the literature). We seek to understand how KADs equipped with the demonic operators behave when the usual angelic operators are excluded. The properties of these demonic operators thus serve as the basis for axiomatising an algebra that we call Demonic algebra with domain and t-conditional operator (DAD-[t-conditional operator]). The laws of DAD-[t-conditional operator] that do not concern the domain operator correspond to those presented in the paper Laws of programming by Hoare et al., published in Communications of the ACM in 1987. Next, we study the links between DAD-[t-conditional operator] and KADs equipped with the demonic operators. The question is whether these structures are isomorphic. We show that this is not the case in general, and we characterise those that are. Indeed, we show that a KAD can be transformed into a DAD-[t-conditional operator] which can in turn be transformed back into the original KAD. We then present the necessary and sufficient conditions under which a DAD-[t-conditional operator] can be transformed into a KAD which can be transformed back into the original DAD-[t-conditional operator]. These necessary and sufficient conditions involve a new concept, that of decomposition. In a demonic context, it is difficult to distinguish transitions that, from the same state, lead to different states. The concept of decomposition makes this straightforward. We present its definition together with several of its properties.

    We first recall the concept of Kleene algebra with domain (KAD). Then we explain how to use the operators of KAD to define a demonic refinement ordering and demonic operators (many of these definitions come from the literature). We want to know how KADs with the demonic operators but without the usual angelic ones behave. Then, taking the properties of the KAD-based demonic operators as a guideline, we axiomatise an algebra that we call Demonic algebra with domain and t-conditional (DAD-[t-conditional operator]). The laws of DAD-[t-conditional operator] not concerning the domain operator agree with those given in the 1987 Communications of the ACM paper Laws of programming by Hoare et al. Then, we investigate the relationship between DAD-[t-conditional operator] and KAD-based demonic algebras. The question is whether every DAD-[t-conditional operator] is isomorphic to a KAD-based demonic algebra. We show that this is not the case in general. However, we characterise those that are. Indeed, we demonstrate that a KAD can be transformed into a DAD-[t-conditional operator] which can be transformed back into the initial KAD. We also establish necessary and sufficient conditions under which a DAD-[t-conditional operator] can be transformed into a KAD which can be transformed back into the initial DAD-[t-conditional operator]. Finally, we define the concept of decomposition. This notion is involved in the necessary and sufficient conditions previously mentioned. In a demonic context, it is difficult to distinguish between transitions that, from a given state, go to different states. The concept of decomposition makes this easy. We present its definition together with some of its properties.

    Formal Analysis of Concurrent Programs

    In this thesis, extensions of Kleene algebras are used to develop algebras for rely-guarantee style reasoning about concurrent programs. In addition to these algebras, detailed denotational models are implemented in the interactive theorem prover Isabelle/HOL. Formal soundness proofs link the algebras to their models. This follows a general algebraic approach for developing correct-by-construction verification tools within Isabelle. In this approach, algebras provide inference rules and abstract principles for reasoning about the control flow of programs, while the concrete models provide laws for reasoning about data flow. This yields a rapid, lightweight approach to the construction of verification and refinement tools. These tools are used to construct a popular example from the literature, via refinement, within the context of a general-purpose interactive theorem proving environment.

    Algebraic Principles for Program Correctness Tools in Isabelle/HOL

    This thesis puts forward a flexible and principled approach to the development of construction and verification tools for imperative programs, in which the control flow and the data level are cleanly separated. The approach is inspired by algebraic principles and benefits from an algebraic semantics layer. It is programmed in the Isabelle/HOL interactive theorem prover and yields simple lightweight mathematical components as well as program construction and verification tools that are themselves correct by construction. First, a simple tool is implemented using Kleene algebra with tests (KAT) for the control flow of while-programs, which is the most compact verification formalism for imperative programs, and their standard relational semantics for the data level. A reference formalisation of KAT in Isabelle/HOL is then presented, providing three different formalisations of tests. The structured comprehensive libraries for these algebras include an algebraic account of Hoare logic for partial correctness. Verification condition generation and program construction rules are based on equational reasoning and supported by powerful Isabelle tactics and automated theorem proving. Second, the tool is expanded to support different programming features and verification methods. A basic program construction tool is developed by adding an operation for the specification statement and one single axiom. To include recursive procedures, KATs are expanded further to quantales with tests, where iteration and the specification statement can be defined explicitly. Additionally, a nondeterministic extension supports the verification of simple concurrent programs. Finally, the approach is also applied to separation logic, where the control flow is modelled by power series with convolution as separating conjunction. A generic construction lifts resource monoids to assertion and predicate transformer quantales. The data level is captured by concrete store-heap models. These are linked to the algebra by soundness proofs. A number of examples show the tools at work.

    Nondeterministic Relational Semantics of a while Program

    A relational semantics is a mapping of programs to relations. We consider that the input-output semantics of a program is given by a relation on its set of states; in a nondeterministic context, this relation is calculated by considering the worst behavior of the program (demonic relational semantics). In this paper, we concentrate on while loops. Calculating the relational abstraction (semantics) of a loop is difficult, but showing the correctness of any candidate abstraction is much easier. For functional programs, Mills has described a checking method known as the while statement verification rule. A programming theorem for iterative constructs is proposed, proved, demonstrated and applied to an example. This theorem can be considered a generalization of the while statement verification rule to nondeterministic loops.