Predicate Transformers Research Articles

IsaVODEs: Interactive Verification of Cyber-Physical Systems at Scale

We formally introduce IsaVODEs (Isabelle verification with Ordinary Differential Equations), an open, compositional and extensible framework for the verification of cyber-physical systems. We extend a previous semantic approach with methods and techniques that increase its expressivity, proof automation, and scalability to the level of state-of-the-art deductive verification tools. Our contributions include a user-friendly specification language, a flexible hybrid store model, including vectors and matrices, and separation-logic-style rules for local reasoning with hybrid stores using a novel form of differentiation called framed Fréchet derivatives. The formalisation of correctness specifications with forward predicate transformers, the certification of flows as unique solutions to systems of ordinary differential equations, and invariant reasoning for such systems also contribute to the scalability and usability of our framework. In combination, these features make our framework flexible and adaptable to several verification workflows. A suite of examples and hybrid systems verification benchmarks validate our framework relative to other state-of-the-art approaches.

Catoids and modal convolution algebras

We show how modal quantales arise as convolution algebras Q^X of functions from catoids X, multisemigroups equipped with source and target maps, into modal quantales value or weight quantales Q. In the tradition of boolean algebras with operators we study modal correspondences between algebraic laws in X, Q and Q^X. The catoids introduced generalise Schweizer and Sklar’s function systems and single-set categories to structures isomorphic to algebras of ternary relations, as they are used for boolean algebras with operators and substructural logics. Our correspondence results support a generic construction of weighted modal quantales from catoids. This construction is illustrated by many examples. We also relate our results to reasoning with stochastic matrices or probabilistic predicate transformers.

Codensity Games for Bisimilarity

Bisimilarity as an equivalence notion of systems has been central to process theory. Due to the recent rise of interest in quantitative systems (probabilistic, weighted, hybrid, etc.), bisimilarity has been extended in various ways, such as bisimulation metric between probabilistic systems. An important feature of bisimilarity is its game-theoretic characterization, where Spoiler and Duplicator play against each other; extension of bisimilarity games to quantitative settings has been actively pursued too. In this paper, we present a general framework that uniformly describes game characterizations of bisimilarity-like notions. Our framework is formalized categorically using fibrations and coalgebras. In particular, our characterization of bisimilarity in terms of fibrational predicate transformers allows us to derive what we call codensity bisimilarity games: a general categorical game characterization of bisimilarity. Our framework covers known bisimilarity-like notions (such as bisimulation metric and bisimulation seminorm) as well as new ones (including what we call bisimulation topology).

The leaky semicolon: compositional semantic dependencies for relaxed-memory concurrency

Program logics and semantics tell a pleasant story about sequential composition: when executing (S1;S2), we first execute S1 then S2. To improve performance, however, processors execute instructions out of order, and compilers reorder programs even more dramatically. By design, single-threaded systems cannot observe these reorderings; however, multiple-threaded systems can, making the story considerably less pleasant. A formal attempt to understand the resulting mess is known as a “relaxed memory model.” Prior models either fail to address sequential composition directly, or overly restrict processors and compilers, or permit nonsense thin-air behaviors which are unobservable in practice. To support sequential composition while targeting modern hardware, we enrich the standard event-based approach with preconditions and families of predicate transformers. When calculating the meaning of (S1; S2), the predicate transformer applied to the precondition of an event e from S2 is chosen based on the set of events in S1 upon which e depends. We apply this approach to two existing memory models.

An adaptation-complete proof system for local reasoning about cloud storage systems

The rapid growth of data presents a significant challenge to the capability of traditional storage technologies to collect and manage data. Cloud storage systems (CSSs) have been proposed as a method to improve storage capacity. To safely and effectively manage cloud storage data and improve data service quality, it is necessary to verify the correctness of CSS management programs. However, the complexity of these systems renders program verification difficult. In this paper, we propose a Hoare-style proof system, in conjunction with two languages, to analyze and verify CSS management programs. The first is a modeling language that describes the program execution. The second is an assertion language based on Separation Logic (SL), used to describe the properties of the CSS file-block-location storage structure. The proof system supports modular local reasoning for CSS programs by a set of adaptation rules, which enable the condition of specifications to be applied to broader contexts. A key question that arises is whether the proof system can meet adaptation completeness. If so, arbitrary satisfiable specifications can be adjusted using the adaptation rules. To this end, we developed local predicate transformers and used their domain to interpret all types of commands. By finding the smallest local predicate transformer, we established adaptation completeness. In summary, this work provides a formalization of automatic modular reasoning patterns and lays a theoretical foundation for the compositional program verification of CSSs.

The refinement calculus of reactive systems

The Refinement Calculus of Reactive Systems (RCRS) is a compositional formal framework for modeling and reasoning about reactive systems. RCRS provides a language which can describe atomic components as symbolic transition systems or QLTL formulas, and composite components formed using three primitive composition operators: serial, parallel, and feedback. The semantics of the language is given in terms of monotonic property transformers, an extension of monotonic predicate transformers to reactive systems. RCRS can specify both safety and liveness properties. It can also model input-output systems which are both non-deterministic and non-input-receptive (i.e., which may reject some inputs at some points in time), and can thus be seen as a behavioral type system. RCRS provides a set of techniques for symbolic computer-aided reasoning, including compositional static analysis and verification. RCRS comes with a publicly available implementation which includes a complete formalization of the RCRS theory in the Isabelle proof assistant.

Combining predicate transformer semantics for effects: a case study in parsing regular languages

This paper describes how to verify a parser for regular expressions in a functional programming language using predicate transformer semantics for a variety of effects. Where our previous work in this area focused on the semantics for a single effect, parsing requires a combination of effects: non-determinism, general recursion and mutable state. Reasoning about such combinations of effects is notoriously difficult, yet our approach using predicate transformers enables the careful separation of program syntax, correctness proofs and termination proofs.

Ambiguous Representations of Semilattices, Imperfect Information, and Predicate Transformers

Crisp and lattice-valued ambiguous representations of one continuous semilattice in another one are introduced and operation of taking pseudo-inverse of the above relations is defined. It is shown that continuous semilattices and their ambiguous representations, for which taking pseudo-inverse is involutive, form categories. Self-dualities and contravariant equivalences for these categories are obtained. Possible interpretations and applications to processing of imperfect information are discussed.

Dijkstra monads for all

This paper proposes a general semantic framework for verifying programs with arbitrary monadic side-effects using Dijkstra monads, which we define as monad-like structures indexed by a specification monad. We prove that any monad morphism between a computational monad and a specification monad gives rise to a Dijkstra monad, which provides great flexibility for obtaining Dijkstra monads tailored to the verification task at hand. We moreover show that a large variety of specification monads can be obtained by applying monad transformers to various base specification monads, including predicate transformers and Hoare-style pre- and postconditions. For defining correct monad transformers, we propose a language inspired by Moggi's monadic metalanguage that is parameterized by a dependent type theory. We also develop a notion of algebraic operations for Dijkstra monads, and start to investigate two ways of also accommodating effect handlers. We implement our framework in both Coq and F*, and illustrate that it supports a wide variety of verification styles for effects such as exceptions, nondeterminism, state, input-output, and general recursion.

A predicate transformer semantics for effects (functional pearl)

Reasoning about programs that use effects can be much harder than reasoning about their pure counterparts. This paper presents a predicate transformer semantics for a variety of effects, including exceptions, state, non-determinism, and general recursion. The predicate transformer semantics gives rise to a refinement relation that can be used to relate a program to its specification, or even calculate effectful programs that are correct by construction.

A duality between LM-fuzzy possibility computations and their logical semantics

Let X be a dcpo and let L be a complete lattice. The family σL(X) of all Scott continuous mappings from X to L is a complete lattice under pointwise order, we call it the L-fuzzy Scott structure on X. Let E be a dcpo. A mapping g : σL(E) −> M is called an LM-fuzzy possibility valuation of E if it preserves arbitrary unions. Denote by πLM(E) the set of all LM-fuzzy possibility valuations of E. The denotational semantics assigning to an LM-fuzzy possibility computation from a dcpo D to another one E is a Scott continuous mapping from D to πLM(E), which is a model of non-determinism computation in Domain Theory. A healthy LM-fuzzy predicate transformer from D to E is a sup-preserving mapping from σL(E) to σM(D), which is always interpreted as the logical semantics from D to E. In this paper, we establish a duality between an LM-fuzzy possibility computation and its LM-fuzzy logical semantics.

Визначення трансформації присудка та її місце серед інших трансформацій

Визначення трансформації присудка та її місце серед інших трансформацій

Quantum effect logic in cognition

This paper illustrates applications of a new, modern version of quantum logic in quantum cognition. The new logic uses ‘effects’ as predicates, instead of the more restricted interpretation of predicates as projections — which is used so far in this area. Effect logic involves states and predicates, validity and conditioning, and also state and predicate transformation via channels. The main aim of this paper is to demonstrate the usefulness of this effect logic in quantum cognition, via many high-level reformulations of standard examples. The usefulness of the logic is greatly increased by its implementation in the programming language Python.

A formal verification of dynamic updating in a Java-based embedded system

Dynamic software updating (DSU) consists in updating running programs on the fly without any downtime. This feature is interesting in critical applications that must run continuously. Because updates may lead to safety errors and security breaches, the question of their correctness is raised. Formal methods are a rigorous means to ensure the correctness required by applications using DSU. In this paper, we present a formal verification of correctness of DSU in a Java-based embedded system. Our approach is based on three major contributions. First, a formal interpretation of the semantic of update operations to ensure type safety of the update. Secondly, we rely on a functional representation of bytecode, the predicate transformation calculus and a functional model of the update mechanism to ensure the behavioural correctness of the updated programs. It is based on the use of Hoare predicate transformation to derive a specification of an updated bytecode. Thirdly, we use the functional representation to model the safe update point detection mechanism. This mechanism guarantees that none of the updated methods are active. This property is called activeness safety. We propose a functional specification that allows to derive proof obligations that guarantee the safety of the mechanism.

СЕМАНТИКО-СИНТАКСИЧНА СТРУКТУРА ПРИКЛАДКОВОГО СЛОВОСПОЛУЧЕННЯ

The article is devoted to the semantic-syntactical structure of the appositive phrase in the Ukrainian language. The term “double name”is used for the demonstration of semantical parameteres of the apposition phrase. Two levels of syntactic analysis are considered: abstract-grammatical level (internal structure of the appositive word-combinations) and concrete-grammatical level (the function in sentence structure). The concrete-grammatical analysis indicates that appositional phrases in the sentence are: syntactically indivisible components that serve as a simple part of the sentence (subject, object). The conflict arises between formal analyticity and functional syntheticity. This conflict is caused by nominative features of double name (compound nouns indicates the same subject of objective reality). Therefore they can be referred to as the type of lexical (stable) word-combinations. Abstract-grammatical analysis leads to the conclusion that internal structure of the appositional phrase can express different semantic-syntactical relations between nouns: appositional relations or mutual appositional relations. The mutual appositional relations are peculiar to the majority of stylistically neutral double names. O. Peshkovskiy wrote about mutual relations between nouns. The differentiation of two relation types was done with the help of the semantic principle and predicate transformation method.

A Predicate/State Transformer Semantics for Bayesian Learning

This paper establishes a link between Bayesian inference (learning) and predicate and state transformer operations from programming semantics and logic. Specifically, a very general definition of backward inference is given via first applying a predicate transformer and then conditioning. Analogously, forward inference involves first conditioning and then applying a state transformer. These definitions are illustrated in many examples in discrete and continuous probability theory and also in quantum theory.

Dependent types and multi-monadic effects in F*

We present a new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F* is a dependently typed, higher-order, call-by-value language with _primitive_ effects including state, exceptions, divergence and IO. Although primitive, programmers choose the granularity at which to specify effects by equipping each effect with a monadic, predicate transformer semantics. F* uses this to efficiently compute weakest preconditions and discharges the resulting proof obligations using a combination of SMT solving and manual proofs. Isolated from the effects, the core of F* is a language of pure functions used to write specifications and proof terms---its consistency is maintained by a semantic termination check based on a well-founded order. We evaluate our design on more than 55,000 lines of F* we have authored in the last year, focusing on three main case studies. Showcasing its use as a general-purpose programming language, F* is programmed (but not verified) in F*, and bootstraps in both OCaml and F#. Our experience confirms F*'s pay-as-you-go cost model: writing idiomatic ML-like code with no finer specifications imposes no user burden. As a verification-oriented language, our most significant evaluation of F* is in verifying several key modules in an implementation of the TLS-1.2 protocol standard. For the modules we considered, we are able to prove more properties, with fewer annotations using F* than in a prior verified implementation of TLS-1.2. Finally, as a proof assistant, we discuss our use of F* in mechanizing the metatheory of a range of lambda calculi, starting from the simply typed lambda calculus to System F-omega and even micro-F*, a sizeable fragment of F* itself---these proofs make essential use of F*'s flexible combination of SMT automation and constructive proofs, enabling a tactic-free style of programming and proving at a relatively large scale.

Fuzzy Semantics of Contract Language

In this paper, we focus on investigation of the predicate transformer semantics of the contract language introduced by Back and von Wright in their book titled as “Refinement Calculus: A Systematic Introduction” (Springer-Verlag, New York, 1998) in the framework of fuzziness. In order to define fuzzy operations, i.e., fuzzy logic connectives, we take into account implicator → and its associated based on residuated lattice theory. Based on these basic fuzzy operations, we introduce the angelic and demonic updates of fuzzy relations. They are the basis of fuzzy predicate transformers in the sense of that any strongly monotone fuzzy predicate transformer can be represented as the sequential composition of the angelic and demonic updates. Together with the standard strong negation , we set up the duality between the angel and demon. The fuzzy predicate transformers semantics of contract statements is established and a simple example of contract statements is given.

Healthiness Conditions for Predicate Transformers

The behavior of a program can be modeled by describing how it transforms input states to output states, the state transformer semantics. Alternatively, for verification purposes one is interested in a 'predicate transformer semantics' which, for every condition on the output, yields the weakest precondition on the input that guarantees the desired property for the output.In the presence of computational effects like nondeterministic or probabilistic choice, a computation will be modeled by a map t:X→TY, where T is an appropriate computational monad. The corresponding predicate transformer assigns predicates on Y to predicates on X. One looks for necessary and, if possible, sufficient conditions (healthiness conditions) on predicate transformers that correspond to state transformers t:X→TY.In this paper we propose a framework for establishing healthiness conditions for predicate transformers. As far as the author knows, it fits to almost all situations in which healthiness conditions for predicate transformers have been worked out. It may serve as a guideline for finding new results; but it also shows quite narrow limitations.

Towards patterns for heaps and imperative lambdas

In functional programming, pointfree relation calculi have been fruitful for general theories of program construction, but for specific applications pointwise expressions can be more convenient and comprehensible. In imperative programming, refinement calculi have been tied to pointwise expression in terms of state variables, with the curious exception of the ubiquitous but invisible heap. To integrate pointwise with pointfree, de Moor and Gibbons [12] extended lambda calculus with non-injective pattern matching interpreted using relations. This article gives a semantics of that language using “ideal relations” between partial orders, and a second semantics using predicate transformers. The second semantics is motivated by its potential use with separation algebra, for pattern matching in programs acting on the heap. Laws including lax beta and eta are proved in these models and a number of open problems are posed.