formal software development program

8/13/2019 Formal Software Development Program

1/997

Formal Software Development

Adrian Zidaritz

zidaritz berkeley.edu

March 8, 2011


2/997

Introduction

This is an overview of the Formal Software Development program. It iswritten for software professionals, and as such, it assumes some familiaritywith symbolic manipulation.

In this overview, we:

Explain what a mathematical formal system is

Show why formal systems are the foundation of software

Give some concrete examples of formal software developmentPresent the structure and the goals of the program

Formal Software Development Program Overview March 8, 2011 2 / 187


3/997

Introduction

may

be

skip

ped

Some slides are marked with this gray sticker; they con-tain some fairly elementary mathematical concepts, es-sentially induction. These slides may be skipped.

may

be

skippe

dOther slides are marked with this red sticker; they as-sume knowledge of higher level algebra and treatinduc-tion at a more advanced level. These slides may alsobe skipped.

We include these optional slides because the program itself is a progressionfrom basic concepts to more advanced ones, and we want to give allprospective students a birds-eye view of the entire program and a roadmapto follow. Moreover, induction is the central proof technique of the program.



4/997

What is formal software development

1 What is formal software development

2 Implementing formal systems

3 When are proofs used

4 What formal software development is not

5 Formal verification of programs

6 Mathematics and Software

7 Concrete examples of what we do in the program

8 Program goals and course structure


Wh i f l f d l M h i f d i


5/997

What is formal software development Mathematics as foundation

The use of mathematical logic


Wh t i f l ft d l t M th ti f d ti


6/997


The use of mathematical logic

Formal software development is the use ofmathematical logicto specify,design, build, analyze and test software.




7/997


What does it mean to use mathematical logic?




8/997



It means that one has to




9/997




study mathematical logic




10/997





study the tools that implement various logics




11/997

p




study the tools that implement various logics

understand how to apply these tools to software engineering




12/997

p

How much mathematical logic?




13/997


Mathematical logic is a large field in itself; it consists of proof theory,model theory, and recursive functions (=computability); set theory isregarded by many as belonging to logic too




14/997



Logic is also the basis of many fields of computer science: type theory,specification languages, theory of computation, term rewriting, various

program logics, automatic and interactive provers, etc . . .




15/997




program logics, automatic and interactive provers, etc . . .Formal software development needs results from all these subfields ofmathematical logic and from many of its applications to computer science




16/997





So the answer to the title question would be: an awful lot




17/997






Part of the motivation behind this overview is to show you the programsroad map through this large body of knowledge, a road that should leadto significant applications in software development




18/997






Part of the motivation behind this overview is to show you the programsroad map through this large body of knowledge, a road that should leadto significant applications in software development

At the core of this use of logic are the formal systems




19/997

What is a mathematical formal system?




20/997


A (mathematical) formal system is a languageand a set ofrules




21/997



The word formal is meant to embody the rigidity and the precision oflanguage and rules




22/997




. . . in opposition to informal systems based on natural languages, whichare flexible and ambiguous




23/997





You may think of a formal system as a recipe, to be applied mechanically,without any creative thinking




24/997






So by itself, a formal system is inert, it does not do anything




25/997






So by itself, a formal system is inert, it does not do anythingWe are not concerned for now with a specific meaningof such a system




26/997

What can we do with such a system?




27/997


We can reason based on the rules




28/997



Reason means nothing but the blind application of the rules to sentencesof the language in order to derive other sentences



?


29/997




We begin with a look at a simple formal system



Wh d i h h ?


30/997





The concepts introduced while looking at this simple system are the nutsand bolts of the program



Wh d i h h ?


31/997






Try to understand this simple system as much as possible



Wh t d ith h t ?


32/997






Try to understand this simple system as much as possible

Otherwise parts of the overview will sound gibberish


What is formal software development Example: a simple formal system

E l f f l t


33/997

Example of a formal system



E l f f l s st


34/997


The language





35/997


The language

The alphabet of our language consists of three symbols: a,b, and*.





36/997


The language


Symbol combinations are called formulas.





37/997


The language



Soab,baa*,**a*bbbare examples of formulas.





38/997


The language




A language has a grammar: a way to specify which formulas are accept-able; the technical term is well-formed formulas, wffsin short.





39/997


The language




A language has a grammar: a way to specify which formulas are accept-able; the technical term is well-formed formulas, wffsin short.

The rules of the grammar are known as formation rules, as opposed tothe rules of system, which are known as rules of inference.



The grammar


40/997

The grammar



The grammar


41/997

The grammar

The grammar (or, the formation rules):



The grammar


42/997

The grammar


1 *is a wff



The grammar


43/997

The grammar


1 *is a wff

2 if X and Y are formulas containing no*, then X*Y is a wff



The grammar


44/997

g


1 *is a wff


3 no other formulas are wffs



The grammar


45/997

g


1 *is a wff





The grammar


46/997

g


1 *is a wff



The symbols X and Y do not belong to the language, they are justplaceholders for arbitrary formulas. Well talk about them later.



The grammar


47/997

g


1 *is a wff




For example, if X stands foraand Y forb, since neither X nor Y containa*, then by the second formation rule,a*bis a wff



The grammar


48/997


1 *is a wff





Similarly, aa*bb,aba*bbbbb,baba*ababare wffs (think of what X andY are in these cases)



The grammar


49/997


1 *is a wff





Similarly, aa*bb,aba*bbbbb,baba*ababare wffs (think of what X andY are in these cases)

Whereas**, *aba*,a*b*bare not wffs, because we cannot find any Xand Y to fit the grammar requirements



Rules of inference, in general


50/997





51/997

The rules of inference dictate how a new wff, called a conclusion, can be

deduced (or inferred) from a set (possibly empty) of other wffs, calledpremises.





52/997



A rule with an empty set of premises is called an axiom.





53/997




It is helpful to make this distinction because axioms are what get thesystem up and going, i.e. you have to start the deduction process some-where.



54/997




55/997





Otherwise, axioms are nothing but special rules.





56/997





Otherwise, axioms are nothing but special rules.

A finite sequence of deductions is called a proof. If a proof uses no premises

other than axioms, then every wff in the sequence of the proof is a theorem.In particular, axioms are theorems, their proofs being sequences of length 1.Although the rules can be used to build proofs from any premises, we willnot be using this facility in these slides. For us, proofs begin with axiomsand dish out theorems.



The rules of our system


57/997





58/997

Our system has the following rules:





59/997


(r1) we can always deduce*





60/997



(r2) from X we can deduce Xb





61/997




(r3) from X*Ybwe can deduceaX*Yb





62/997




(r3) from X*Ybwe can deduceaX*Yb(r4) from Xa*bY we can deduce X*Y





63/997









64/997





Since it has no premises, rule 1 is an axiom. You can apply the rules in anyorder you wish, you do not have to go 2-3-4. This feature of formal systemsis called nondeterminism; well review nondeterminism later, and a fewproofs that we build will also emphasize it.





65/997





Since it has no premises, rule 1 is an axiom. You can apply the rules in anyorder you wish, you do not have to go 2-3-4. This feature of formal systems

is called nondeterminism; well review nondeterminism later, and a fewproofs that we build will also emphasize it. Well call our example formalsystem DANS.



Proving theorems with our formal system


66/997





67/997

Lets look at some proofs in DANS; well number the steps of a proof as #1,

#2, and so on. Each step will contain the theorem proved at that step and,in parentheses, how we proved it (which must be a rule applied to previouslyproved steps).





68/997



Theorem: a*bb





69/997



Theorem: a*bb

Proof.

#1: *(r1)





70/997



Theorem: a*bb

Proof.

#1: *(r1)

#2: *b(#1,r2)





71/997



Theorem: a*bb

Proof.

#1: *(r1)

#2: *b(#1,r2)

#3: a*b(#2,r3)





72/997



Theorem: a*bb

Proof.

#1: *(r1)

#2: *b(#1,r2)

#3: a*b(#2,r3)

#4: a*bb(#2,r2)



Proof objects


73/997



Proof objects

Thi f f f i k f bj


74/997

This form of a proof is known as a proof object.



Proof objects

Thi f f f i k f bj S


75/997

This form of a proof is known as a proof object. So

{#1: *(r1); #2: *b(#1,r2); #3: a*b(#2,r3); #4: a*bb(#2,r2)}

is a proof object.



Proof objects

Thi f f f i k f bj t S


76/997


{#1: *(r1); #2: *b(#1,r2); #3: a*b(#2,r3); #4: a*bb(#2,r2)}

is a proof object. Proof objects are important because anyone who is giventhe language and rules of DANS could verify the steps of the proof.



Proof objects

This form of a proof is kno n as a proof object So


77/997


{#1: *(r1); #2: *b(#1,r2); #3: a*b(#2,r3); #4: a*bb(#2,r2)}

is a proof object. Proof objects are important because anyone who is giventhe language and rules of DANS could verify the steps of the proof. Letsremark that a theorem can have many proofs; we could have proved a*bbwith this proof object:

{#1: *(r1); #2: *b(#1,r2);#3: *bb(#2,r2); #4: a*bb(#2,r3)}



Proof objects

This form of a proof is known as a proof object So


78/997


{#1: *(r1); #2: *b(#1,r2); #3: a*b(#2,r3); #4: a*bb(#2,r2)}


{#1: *(r1); #2: *b(#1,r2);#3: *bb(#2,r2); #4: a*bb(#2,r3)}

A more complete description of a proof would include not just the proofobject, but the entire formal system attached. This is sometimes called a

proof certificate.



Proof objects

This form of a proof is known as a proof object So


79/997


{#1: *(r1); #2: *b(#1,r2); #3: a*b(#2,r3); #4: a*bb(#2,r2)}


{#1: *(r1); #2: *b(#1,r2);#3: *bb(#2,r2); #4: a*bb(#2,r3)}

A more complete description of a proof would include not just the proofobject, but the entire formal system attached. This is sometimes called a

proof certificate. So {[DANS] #1: *(r1); #2: *b(#1,r2); #3: a*b(#2,r3); #4: a*bb(#2,r2)} would be a proof certificate. If you emailed methis proof certificate, I would know exactly what you proved.



80/997

What is formal software development Metamathematics

Moving up a level


81/997

Formal Software Development Program Overview March 8, 2011 16 / 187 What is formal software development Metamathematics

Moving up a level

We now know how to do proofs (in other words how to reason within


82/997

We now know how to do proofs (in other words, how to reason withinthe system)

Formal Software Development Program Overview March 8, 2011 16 / 187 What is formal software development Metamathematics

Moving up a level

We now know how to do proofs (in other words how to reason within


83/997


There is a large variety of such formal systems

Formal Software Development Program Overview March 8 2011 16 / 187 What is formal software development Metamathematics

Moving up a level

We now know how to do proofs (in other words, how to reason within


84/997



Most of the mathematics you ever learned can be cranked out by suchformal systems (see mizar.org)


Moving up a level



85/997

p ( ,the system)



The foundations of software can also be cranked out by formal systems,

as well see soon


Moving up a level



86/997

p ( ,the system)




as well see soonNow comes a big switch of perspective . . .


Moving up a level



87/997

p (the system)





These formal systems have some important properties, which can bestudied with the use of mathematics


Moving up a level



88/997

the system)






This study comes with a grand name: metamathematics, i.e. the studyof mathematics itself

Formal Software Development Program Overview March 8 2011 16 / 187


89/997


Moving up a level



90/997

the system)






This study comes with a grand name: metamathematics, i.e. the study

of mathematics itself

Well do a lot of metamathematics in this program

And metasoftware, if you wish


Moving up a level

We now know how to do proofs (in other words, how to reason within)


91/997

the system)






This study comes with a grand name: metamathematics, i.e. the study

of mathematics itself

Well do a lot of metamathematics in this program

And metasoftware, if you wish

Meta just means outside or about


Meta level and object level


92/997



To distinguish it from metamathematics, mathematics inside the formal


93/997

system is called object levelmathematics; the language of the formal system

is the object language.



To distinguish it from metamathematics, mathematics inside the formal


94/997


is the object language. Well use mostly informal language when working atthe meta level in this overview.



To distinguish it from metamathematics, mathematics inside the formalf f


95/997


is the object language. Well use mostly informal language when working atthe meta level in this overview. But keep in mind that some of the tools westudy are able to do metamathematics formally, i.e. we can create andanalyze formal systems within another formal system.



To distinguish it from metamathematics, mathematics inside the formali ll d bj l l h i h l f h f l


96/997


is the object language. Well use mostly informal language when working atthe meta level in this overview. But keep in mind that some of the tools westudy are able to do metamathematics formally, i.e. we can create andanalyze formal systems within another formal system. The ML (MetaLanguage) programming language was created precisely for the purpose of

doing metamathematics. OCaml and F# are its descendants.



To distinguish it from metamathematics, mathematics inside the formalt i ll d bj t l l th ti th l f th f l t


97/997



doing metamathematics. OCaml and F# are its descendants. Well studythem in the ML Languages and Provers course.

F l S ft D l t P O i M h 8 2011 17 / 187 What is formal software development Metamathematics


To distinguish it from metamathematics, mathematics inside the formalt i ll d bj t l l th ti th l f th f l t


98/997



doing metamathematics. OCaml and F# are its descendants. Well studythem in the ML Languages and Provers course. So lets get used to someof this meta terminology:



To distinguish it from metamathematics, mathematics inside the formalsystem is called object level mathematics; the language of the formal system


99/997




metalanguage (the language in which we reason about the formal system)





100/997





metavariables (variables that do not belong to the object language)





101/997






metatheorem (a theorem about the system, not a theorem of the system)

F l S f D l P O i M h 8 2011 17 / 187 What is formal software development Metamathematics




102/997






metatheorem (a theorem about the system, not a theorem of the system)

metamathematics (study of formal systems themselves, from the outside)

F l S f D l P O i M h 8 2011 17 / 187 What is formal software development Metamathematics

The first big metamathematical question: Consistency


103/997





104/997

Lets do some metamathematics.





105/997

Lets do some metamathematics. Lets say that allthe wffs of a formalsystem are theorems.





106/997

Lets do some metamathematics. Lets say that allthe wffs of a formalsystem are theorems. In this case the formal system is worthless, the rules donot accomplish anything useful.





107/997

Lets do some metamathematics. Lets say that allthe wffs of a formalsystem are theorems. In this case the formal system is worthless, the rules donot accomplish anything useful. So a formal system is said to be consistentif not all wffs are theorems.





108/997


Metatheorem: DANS is a consistent system





109/997


Metatheorem: DANS is a consistent system

Proof. We show thatb*is not a theorem. The axiom*has nobon the left.No rules allow the introduction of a bon the left of the*.



110/997


Decidability of grammar and rules

Lets look at the grammar and the inference rules of our example


111/997





We see that the grammar is decidable i e there is an algorithm that


112/997

We see that the grammar is decidable, i.e. there is an algorithm that,given a formula, it will answer YES if the formula is a wff and NO if itis not



113/997




We see that the grammar is decidable, i.e. there is an algorithm that,


114/997

g , g ,given a formula, it will answer YES if the formula is a wff and NO if itis not

Here is the grammar algorithm: given a formula X, count the number of*. If the count is 1, answer YES, otherwise answer NO.

The inference rules are also rigged in this special way, i.e. they are alsodecidable







115/997

g , g ,given a formula, it will answer YES if the formula is a wff and NO if itis not



By this we mean that for each rule, there is an algorithm that, given afinite set of wffs, it will answer YES if the rule is applicable to them andNO if it is not



116/997






117/997

given a formula, it will answer YES if the formula is a wff and NO if itis not



By this we mean that for each rule, there is an algorithm that, given afinite set of wffs, it will answer YES if the rule is applicable to them andNO if it is not

For example, the algorithm for rule 4 is: find*. If we can find an aonits left and abon its right, then the answer is YES, otherwise it is NO.

Only one thing is left unclear: what exactly is an algorithm?



118/997


What is an algorithm?

Informally we know it is something that can be expressed in a finitenumber of steps, some sort of program maybe containing loops


119/997






120/997

Other informal ways to describe algorithms: computableor, the originalterm used by Hilbert, finitary






121/997


It took a lot of work to come up with a convincing formal definition






122/997



The astonishing thing is that many alternative definitions kept coming,and . . .



123/997




O h f l d b l h bl h l


124/997




All formal definitions of algorithm were proven to be equivalent!

This equivalence theorem is one of the great accomplishments of the20th century mathematics





O h i f l d ib l i h bl h i i l


125/997






The best known definitions are: Godels recursive functions, Turing ma-

chines and Churchs Lambda Calculus





O h i f l d ib l i h bl h i i l


126/997







chines and Churchs Lambda Calculus Turing machines led to imperative languages like C, Java, C#





Oth i f l t d ib l ith t bl th i i l


127/997







chines and Churchs Lambda Calculus Turing machines led to imperative languages like C, Java, C# Churchs Lambda Calculus led to functional languages like Lisp,

ML, Haskell



The Church-Turing thesis


128/997





129/997

The above equivalent formal definitions capture the informal notion ofcomputability or algorithm.





130/997

The above equivalent formal definitions capture the informal notion ofcomputability or algorithm.

This is not a theorem, it is a thesis, so there is no question of proving it. Itcaptures the belief that humanity has nailed the concept of computability,that there exists no other mechanism that deserves to be called an algorithm.



Formal systems are rigged in a very special way


131/997




This overview is not the place to describe any of the above formal defiiti f t bilit


132/997

This overview is not the place to describe any of the above formal defi-nitions of computability






133/997


(well cover this in the Logic and Computation course)






134/997

This overview is not the place to describe any of the above formal definitions of computability


All we need to know for now is that such a rigorous definition exists






135/997

nitions of computability



Therefore, decidability, which lacked the rigorous definition of algorithm,is now rigorously defined






136/997





For all formal systems, the grammar is always rigged so that it is decidable






137/997






The inference rules are also rigged so that they are decidable






138/997






The inference rules are also rigged so that they are decidable

In one sentence, formal systems have computability built-in



The power of formal systems


139/997




Not only do they have computability built-in


140/997

y y p y




Not only do they have computability built-in


141/997

They do not have any morecomputational power than Turing machineshave, they are yet another formalism equivalent to the other three




Not only do they have computability built-inh d h l h h


142/997


Just as in the case of Turing machines, nondeterminism does not addto this power, i.e. you can build an equivalent deterministic system thatproduces the same theorems




Not only do they have computability built-inTh d h i l h T i hi


143/997


Just as in the case of Turing machines, nondeterminism does not addto this power, i.e. you can build an equivalent deterministic system thatproduces the same theorems




Not only do they have computability built-inTh d t h t ti l th T i hi


144/997


Just as in the case of Turing machines, nondeterminism does not addto this power, i.e. you can build an equivalent deterministic system that

produces the same theorems

So, for any theory that can be described algorithmically (and thats all wereally need, but thats philosophy), whether a mathematical theory, asoftware theory, a physics theory, etc . . . , there is a formal system that can

describe it.



Back to our formal system


145/997




Because DANS has computability built in, we can do two things


146/997





We can design a mechanical strategy that builds all the theorems of the

system, one after the other (exercise)


147/997



148/997







149/997

We can design a mechanical strategy that, given a proof, answers YESif the proof is correct, NO otherwise (exercise)

Notice that our formal system produces an infinite number of theorems,

so the procedure above potentially produces all the theorems, we cannever have all the theorems collected together as that set would be anactualinfinity, which is impossible to reach computationally







S


150/997




In formal systems, the infinite is always understood as this potential, notactual, representation







W d i h i l h i f YES


151/997




In formal systems, the infinite is always understood as this potential, notactual, representation

If this sounds difficult, think of the way natural numbers or lists are in-troduced in your favorite functional language. The constructors embodythis potential infinity.


What is formal software development Decidability

Decidability of our example


152/997




If we have a wff, how can we tell if it is a theorem or not?


153/997





Does DANS have an algorithm that answers YES or NO to such a ques-tion?


154/997

tion?







155/997

This is a big fork in the road for the formal systems we study in theprogram







156/997


Some systems do admit such an algorithm (called a decision procedure),others dont







157/997



Finding a decision procedure for a useful formal system (not a toy likeDANS) is a non-trivial effort







158/997



Finding a decision procedure for a useful formal system (not a toy likeDANS) is a non-trivial effort

The more expressive the system (i.e. the more powerful its language andrules of inference are), the less likely it is that it has such a procedure



DANS is decidable

may

be

skip

ped


159/997



DANS is decidable

Metatheorem: Dans is a decidable system

The proof is b ind ction Proofs b ind ction are t pical of the

may

be

skip

ped


160/997

The proof is by induction. Proofs by induction are typical of themetamathematics of formal systems, thats why we include one here. Theywill be seen over and over during the program. Those unfamiliar withmathematical induction may skip the proof.

We treat induction at length in the course Formal semantics ofprogramming languages. We also give a more detailed presentation ofinduction and recursion, as they relate to categories, in a more advancedsection of this overview. For those who need a quick brush-up, we include

the definition of mathematical induction and one typical example of its use.



Mathematical Induction

may

be

skip

ped


161/997





may

be

skip

ped


162/997

LetP(n) be a predicate on the setN of natural numbers. Then

(P(0

) (kN.

P(k)P(k+1

))) nN.

P(n)



A typical proof by mathematical induction

may

be

skip

ped


163/997



164/997


A typical proof by mathematical inductionThe sum of the first n natural numbers is given by

n

i=0

i=n(n + 1)

2(1)

Proof:

may

be

skip

ped


165/997



A typical proof by mathematical inductionThe sum of the first n natural numbers is given by

n

i=0

i=n(n + 1)

2(1)

Proof:

1 Let P(n) be the property given by (1)

may

be

skip

ped


166/997

( ) p p y g y ( )

formal software development program

Documents