
    Refinement algebra for probabilistic programs

    We identify a refinement algebra for reasoning about probabilistic program transformations in a total-correctness setting. The algebra is equipped with operators that determine whether a program is enabled or terminates, respectively. As well as developing the basic theory of the algebra, we demonstrate how it may be used to explain key differences and similarities between standard (i.e. non-probabilistic) and probabilistic programs, and verify important transformation theorems for probabilistic action systems.

    Probabilistic Demonic Refinement Algebra

    We propose an abstract algebra for reasoning about probabilistic programs in a total-correctness framework. In contrast to probabilistic Kleene algebra, it allows genuine reasoning about total correctness and, in addition to the Kleene star, also has a strong iteration operator. We define operators that determine whether a program is enabled, has certain failure, or does not have certain failure, respectively. The algebra is applied to the derivation of refinement rules for probabilistic action systems.

    Demonic Kleene Algebra

    We first recall the concept of Kleene algebra with domain (KAD). Then we explain how to use the operators of KAD to define a demonic refinement ordering and demonic operators (many of these definitions come from the literature). We want to know how KADs with the demonic operators, but without the usual angelic ones, behave. Then, taking the properties of the KAD-based demonic operators as a guideline, we axiomatise an algebra that we call Demonic algebra with domain and t-conditional (DAD-[t-conditional operator]). The laws of DAD-[t-conditional operator] not concerning the domain operator agree with those given in the 1987 Communications of the ACM paper "Laws of programming" by Hoare et al. Then, we investigate the relationship between DAD-[t-conditional operator] and KAD-based demonic algebras. The question is whether every DAD-[t-conditional operator] is isomorphic to a KAD-based demonic algebra. We show that this is not the case in general. However, we characterise those that are. Indeed, we demonstrate that a KAD can be transformed into a DAD-[t-conditional operator] which can be transformed back into the initial KAD. We also establish necessary and sufficient conditions under which a DAD-[t-conditional operator] can be transformed into a KAD which can be transformed back into the initial DAD-[t-conditional operator]. Finally, we define the concept of decomposition. This notion is involved in the necessary and sufficient conditions previously mentioned. In a demonic context, it is difficult to distinguish between transitions that, from a given state, go to different states. The concept of decomposition makes this easy. We present its definition together with some of its properties.

    Finite representability of semigroups with demonic refinement

    The motivation for using demonic calculus for binary relations stems from the behaviour of demonic Turing machines, when modelled relationally. Relational composition (;) models sequential runs of two programs, and demonic refinement (⊑) arises from the partial order given by modelling demonic choice (⊔) of programs (see below for the formal relational definitions). We prove that the class R(⊑,;) of abstract (≤,∘) structures isomorphic to a set of binary relations ordered by demonic refinement with composition cannot be axiomatised by any finite set of first-order (≤,∘) formulas. We provide a fairly simple, infinite, recursive axiomatisation that defines R(⊑,;). We prove that a finite representable (≤,∘) structure has a representation over a finite base. This appears to be the first example of a signature for binary relations with composition where the representation class is non-finitely axiomatisable, but where the finite representation property holds for finite structures.

    Finite Representability of Semigroups with Demonic Refinement

    Composition and demonic refinement ⊑ of binary relations are defined by

    $$(x, y) \in (R;S) \iff \exists z\,((x, z) \in R \wedge (z, y) \in S)$$
    $$R \sqsubseteq S \iff (\mathrm{dom}(S) \subseteq \mathrm{dom}(R) \wedge R\restriction_{\mathrm{dom}(S)} \subseteq S)$$

    where dom(S) = {x : ∃y (x, y) ∈ S} and R↾dom(S) denotes the restriction of R to pairs (x, y) where x ∈ dom(S). Demonic calculus was introduced to model the total correctness of non-deterministic programs and has been applied to program verification. We prove that the class R(⊑,;) of abstract (≤,∘) structures isomorphic to a set of binary relations ordered by demonic refinement with composition cannot be axiomatised by any finite set of first-order (≤,∘) formulas. We provide a fairly simple, infinite, recursive axiomatisation that defines R(⊑,;). We prove that a finite representable (≤,∘) structure has a representation over a finite base. This appears to be the first example of a signature for binary relations with composition where the representation class is non-finitely axiomatisable, but where the finite representation property holds for finite representable structures.

    Scheduling of guarded command based models

    Formal methods provide a means of reasoning about computer programs in order to prove correctness criteria. One subtype of formal methods is based on the weakest precondition predicate transformer semantics and uses guarded commands as the basic modelling construct. Examples of such formalisms are Action Systems and Event-B. Guarded commands can intuitively be understood as actions that may be triggered when an associated guard condition holds. Guarded commands whose guards hold are nondeterministically chosen for execution, but no further control flow is present by default. Such a modelling approach is convenient for proving correctness, and the Refinement Calculus allows for a stepwise development method. It also has a parallel interpretation facilitating development of concurrent software, and it is suitable for describing event-driven scenarios. However, for many application areas, the execution paradigm traditionally used comprises more explicit control flow, which constitutes an obstacle for using the above-mentioned formal methods. In this thesis, we study how guarded command based modelling approaches can be conveniently and efficiently scheduled in different scenarios. We first focus on the modelling of trust for transactions in a social networking setting. Due to the event-based nature of the scenario, the use of guarded commands turns out to be relatively straightforward. We continue by studying modelling of concurrent software, with particular focus on compute-intensive scenarios. We go from theoretical considerations to the feasibility of implementation by evaluating the performance and scalability of executing a case study model in parallel using automatic scheduling performed by a dedicated scheduler. Finally, we propose a more explicit and non-centralised approach in which the flow of each task is controlled by a schedule of its own. The schedules are expressed in a dedicated scheduling language, and patterns assist the developer in proving correctness of the scheduled model with respect to the original one.

    Model Checking and Model-Based Testing : Improving Their Feasibility by Lazy Techniques, Parallelization, and Other Optimizations

    This thesis focuses on the lightweight formal method of model-based testing for checking safety properties, and derives a new and more feasible approach. For liveness properties, dynamic testing is impossible, so feasibility is increased by specialising on an important class of properties, livelock freedom, and deriving a more feasible model checking algorithm for it. All mentioned improvements are substantiated by experiments.