106 research outputs found
Mechanical Verification of Interactive Programs Specified by Use Cases
International audienceInteractive programs, like user interfaces, are hard to formally specify and thus to prove correct. Some ideas coming from functional programming languages have been successful to improve the way we write safer programs, compared to traditional imperative languages, but these ideas mostly apply to code fragments without any inputs–outputs. Using the purely functional language Coq, we present a new technique to represent interactive programs and formally verify use cases using the Coq proof engine as a symbolic debugger. To this end we introduce the notion of scenarios, well-typed schema of interactions between an environment and a program. We design and certify a blog system as an illustration. Our approach generalizes unit-testing techniques and outlines a new method for mechanically assisted checking of effectful functional programs. I. Introduction Implementing and proving correct interactive programs is challenging. Indeed, interactive programs are hard to reason about because they communicate with an outer environment (the operating system, the network, the user,. . .) which may be under-specified and non determin-istic. Moreover, the communications between the program and the environment can happen at many points during the execution and may depend on previous interactions. Many techniques have been developed to model, specify and prove correct interactive or concurrent programs[15]. For instance, process algebra and temporal logics are well understood abstract models for such programs. In these abstract models, some interesting behavioral properties can be automatically proved by model-checkers. Yet, these tools usually provide guarantees about the model of the program, not its actual implementation. In another approach, called software-proof co-design, the specification and the verification of a program is not disconnected from its actual implementation. In that case, specifying, implementing and verifying are tightly interleaved in the software development process. This tight integration is possible within the Coq proof assistant which is both a programming language and an assisted prover. Yet, even if a realistic compiler for the C language has already been developed in Coq[12], using Coq as a general purpose programming language may be considere
Abstract Congruence Criteria for Weak Bisimilarity
We introduce three general compositionality criteria over operational
semantics and prove that, when all three are satisfied together, they guarantee
weak bisimulation being a congruence. Our work is founded upon Turi and
Plotkin's mathematical operational semantics and the coalgebraic approach to
weak bisimulation by Brengos. We demonstrate each criterion with various
examples of success and failure and establish a formal connection with the
simply WB cool rule format of Bloom and van Glabbeek. In addition, we show that
the three criteria induce lax models in the sense of Bonchi et al
Modal dependent type theory and dependent right adjoints
In recent years we have seen several new models of dependent type theory
extended with some form of modal necessity operator, including nominal type
theory, guarded and clocked type theory, and spatial and cohesive type theory.
In this paper we study modal dependent type theory: dependent type theory with
an operator satisfying (a dependent version of) the K-axiom of modal logic. We
investigate both semantics and syntax. For the semantics, we introduce
categories with families with a dependent right adjoint (CwDRA) and show that
the examples above can be presented as such. Indeed, we show that any finite
limit category with an adjunction of endofunctors gives rise to a CwDRA via the
local universe construction. For the syntax, we introduce a dependently typed
extension of Fitch-style modal lambda-calculus, show that it can be interpreted
in any CwDRA, and build a term model. We extend the syntax and semantics with
universes
A Probabilistic Higher-Order Fixpoint Logic
We introduce PHFL, a probabilistic extension of higher-order fixpoint logic,
which can also be regarded as a higher-order extension of probabilistic
temporal logics such as PCTL and the -calculus. We show that PHFL is
strictly more expressive than the -calculus, and that the PHFL
model-checking problem for finite Markov chains is undecidable even for the
-only, order-1 fragment of PHFL. Furthermore the full PHFL is far more
expressive: we give a translation from Lubarsky's -arithmetic to PHFL,
which implies that PHFL model checking is -hard and -hard.
As a positive result, we characterize a decidable fragment of the PHFL
model-checking problems using a novel type system
Analysis of MiniJava programs via translation to ML
MiniJava is a subset of the object-oriented programming language Java.
Standard ML is the canonical representative of the ML family of functional programming languages,
which includes F# and OCaml.
Different program analysis and verification tools and techniques have been developed
for both Java-like and ML-like languages.
Naturally, the tools developed for a particular language emphasise
accurate treatment of language features commonly used in that language.
In Java, this means objects with mutable properties and dynamic method dispatch.
In ML, this means higher order functions and algebraic datatypes with pattern matching.
We propose to translate programs from one language into the other
and use the target language's tools for analysis and verification.
By doing so, we hope to identify areas for improvement in the target language's tools
and suggest techniques, perhaps as used in the source language's tools, that may guide
their improvement.
More generally, we hope to develop tools for reasoning about programs
that are more resilient to changes in the style of code and representation of data.
We begin our programme by outlining a translation from MiniJava to ML
that uses only the core features of ML;
in particular, it avoids the use of ML's mutable references.
MiniJava is a subset of the object-oriented programming language Java.
Standard ML is the canonical representative of the ML family of functional programming languages,
which includes F# and OCaml.
Different program analysis and verification tools and techniques have been developed
for both Java-like and ML-like languages.
Naturally, the tools developed for a particular language emphasise
accurate treatment of language features commonly used in that language.
In Java, this means objects with mutable properties and dynamic method dispatch.
In ML, this means higher order functions and algebraic datatypes with pattern matching.
We propose to translate programs from one language into the other
and use the target language's tools for analysis and verification.
By doing so, we hope to identify areas for improvement in the target language's tools
and suggest techniques, perhaps as used in the source language's tools, that may guide
their improvement.
More generally, we hope to develop tools for reasoning about programs
that are more resilient to changes in the style of code and representation of data.
We begin our programme by outlining a translation from MiniJava to ML
that uses only the core features of ML;
in particular, it avoids the use of ML's mutable references
Central Submonads and Notions of Computation
The notion of "centre" has been introduced for many algebraic structures in
mathematics. A notable example is the centre of a monoid which always
determines a commutative submonoid. Monads in category theory are important
algebraic structures that may be used to model computational effects in
programming languages and in this paper we show how the notion of centre may be
extended to strong monads acting on symmetric monoidal categories. We show that
the centre of a strong monad , if it exists, determines a
commutative submonad of , such that the Kleisli
category of is isomorphic to the premonoidal centre (in the sense
of Power and Robinson) of the Kleisli category of . We provide
three equivalent conditions which characterise the existence of the centre of
and we show that every strong monad on many well-known naturally
occurring categories does admit a centre, thereby showing that this new notion
is ubiquitous. We also provide a computational interpretation of our ideas
which consists in giving a refinement of Moggi's monadic metalanguage. The
added benefit is that this allows us to immediately establish a large class of
contextually equivalent programs for computational effects that are described
via monads that admit a non-trivial centre by simply considering the richer
syntactic structure provided by the refinement.Comment: 25 pages + 8 pages references and appendi
Expressivity Within Second-Order Transitive-Closure Logic
Second-order transitive-closure logic, SO(TC), is an expressive declarative language that captures the complexity class PSPACE. Already its monadic fragment, MSO(TC), allows the expression of various NP-hard and even PSPACE-hard problems in a natural and elegant manner. As SO(TC) offers an attractive framework for expressing properties in terms of declaratively specified computations, it is interesting to understand the expressivity of different features of the language. This paper focuses on the fragment MSO(TC), as well on the purely existential fragment SO(2TC)(exists); in 2TC, the TC operator binds only tuples of relation variables. We establish that, with respect to expressive power, SO(2TC)(exists) collapses to existential first-order logic. In addition we study the relationship of MSO(TC) to an extension of MSO(TC) with counting features (CMSO(TC)) as well as to order-invariant MSO. We show that the expressive powers of CMSO(TC) and MSO(TC) coincide. Moreover we establish that, over unary vocabularies, MSO(TC) strictly subsumes order-invariant MSO
Smart Choices and the Selection Monad
Describing systems in terms of choices and their resulting costs and rewards
offers the promise of freeing algorithm designers and programmers from
specifying how those choices should be made; in implementations, the choices
can be realized by optimization techniques and, increasingly, by machine
learning methods. We study this approach from a programming-language
perspective. We define two small languages that support decision-making
abstractions: one with choices and rewards, and the other additionally with
probabilities. We give both operational and denotational semantics.
In the case of the second language we consider three denotational semantics,
with varying degrees of correlation between possible program values and
expected rewards. The operational semantics combine the usual semantics of
standard constructs with optimization over spaces of possible execution
strategies.
The denotational semantics, which are compositional and can also be viewed as
an implementation by translation to a simpler language, rely on the selection
monad, to handle choice, combined with an auxiliary monad, to handle other
effects such as rewards or probability.
We establish adequacy theorems that the two semantics coincide in all cases.
We also prove full abstraction at ground types, with varying notions of
observation in the probabilistic case corresponding to the various degrees of
correlation. We present axioms for choice combined with rewards and
probability, establishing completeness at ground types for the case of rewards
without probability
Making concurrency functional
The article bridges between two major paradigms in computation, the functional, at basis computation from input to output, and the interactive, where computation reacts to its environment while underway. Central to any compositional theory of interaction is the dichotomy between a system and its environment. Concurrent games and strategies address the dichotomy in fine detail, very locally, in a distributed fashion, through distinctions between Player moves (events of the system) and Opponent moves (those of the environment). A functional approach has to handle the dichotomy much more ingeniously, through its blunter distinction between input and output. This has led to a variety of functional approaches, specialised to particular interactive demands. Through concurrent games we can more clearly see what separates and connects the differing paradigms, and show how: * to lift functions to strategies; the "Scott order" intrinsic to concurrent games plays a key role in turning functional dependency to causal dependency. * several paradigms of functional programming and logic arise naturally as subcategories of concurrent games, including stable domain theory; nondeterministic dataflow; geometry of interaction; the dialectica interpretation; lenses and optics; and their extensions to containers in dependent lenses and optics. * to transfer enrichments of strategies (such as to probabilistic, quantum or real-number computation) to functional cases
- …