RS3 Code Generation Tutorial with Isabelle/HOL: The Refinement Framework
Peter Lammich
May 2015
1 / 71
About this Tutorial
• These are the slides of a tutorial on the Refinement Framework and Autoref that I gave in May 2015
• You can download the accompanying theories at http://www21.in.tum.de/~lammich/refine_tutorial.html
• To get started, run isabelle.sh to start the IDE. On first invocation, it will build the image, which will take some time.
• It requires Isabelle 2016 to be on your path (http://isabelle.in.tum.de/index.html)
  • with the AFP component installed (https://www.isa-afp.org/using.shtml)
2 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
3 Automatic Refinement
3 / 71
Motivation
• Algorithmic ideas are presented best on an abstract level
• They can also be proved on the abstract level
• Implementation is an orthogonal issue
4 / 71
Direct Proofs
• Our experience shows
  • Direct proofs tend to get unmanageable
  • E.g. Dijkstra’s algorithm
5 / 71
Separation of algorithmic idea and implementation
• Increased modularity
• Proofs are independent
• Changing the implementation is simple
6 / 71
Reusable data structures
• Implementations often make use of standard data structures
  • Hash tables, red-black trees, heaps, ...
• Abstractly, these correspond to standard HOL types
  • Set, map, ...
• Important to have a library of reusable implementations
  • Here: Isabelle Collection Framework
7 / 71
Simple example: Set-Sum
• Specification: Σs
• Abstract algorithm
    r = 0
    for x ∈ s do r = r + x
    return r
• Concrete (lists)
    List.fold op + l 0
• Concrete (RBT)
    RBT.fold (λk _ r. r + k) t 0
8 / 71
Proving Set-Sum correct
• Abstract idea: Invariant
  • r is the sum of the elements already iterated over
• For concrete algorithms, the proof depends on the available lemmas
  • Has to be repeated for each set implementation
• Tedious, if the proof gets complicated!
9 / 71
Demo
Setsum.thy
10 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
3 Automatic Refinement
11 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
  The nondeterminism monad
  Refinement Ordering
  Recursion, total and partial correctness
  Data Refinement
  Translation to executable specification
3 Automatic Refinement
12 / 71
Nondeterminism
• Abstract specification may be nondeterministic
  • Find an element with minimal priority
  • Compute a path from node u to v
• Implementation is deterministic
  • But depends on details of the used data structures
13 / 71
Monads
• If you do not know monads, skip to slide 18
• Structure α M with functions
  • return : α → α M, bind : α M → (α → β M) → β M
  • bind m f also written m >>= f
• That satisfy the monad laws
    return x >>= f = f x                            (id1)
    m >>= return = m                                (id2)
    (m >>= f1) >>= f2 = m >>= (λx. f1 x >>= f2)     (assoc)
• But now for something more intuitive
14 / 71
Nondeterminism Monad
• α set
• return x = {x}, m >>= f = ⋃{f x | x ∈ m}
• return x yields the only value x
• m >>= f nondeterministically chooses a value of m, and applies f to it
  • Sequential composition
15 / 71
Adding errors
• Will turn out later: Nice to have errors
• α nres = res α set | fail
• return x = res {x}, res X >>= f = ⊔{f x | x ∈ X}, fail >>= f = fail
• Intuition: Error propagates over bind.
• Note: Complete lattice structure of α set lifted to α nres
  • res X ⊑ res Y ⇐⇒ X ⊆ Y and _ ⊑ fail
  • Intuition: Possibility to choose error =⇒ error
• Assertions: assert Φ = if Φ then return () else fail
  • Fail if Φ does not hold
• Specification: spec x. Φ x = res {x | Φ x}
  • All values that satisfy Φ
16 / 71
Do-notation
• More readable notation for monadic programs
  • let x = t; f   is syntax for   let x = t in f
  • x ← m; f   is syntax for   m >>= (λx. f)
• These shortcuts are enclosed in a do { ... } block
17 / 71
Theory-free intuition
• x ← m — Execute m, assign the result to x
• return x — Return result x
• assert Φ — Assert that Φ holds. Immediate termination with failure otherwise.
• x ← spec x. Φ x — Assign some x that satisfies Φ (chosen nondeterministically).
  • Note: If there is no such x, your program will have no possible results at all.
18 / 71
Examples
do { ASSERT (l ≠ []); RETURN (hd l) }
do { ASSERT (s ≠ {}); SPEC (λx. x ∈ s) }
19 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
  The nondeterminism monad
  Refinement Ordering
  Recursion, total and partial correctness
  Data Refinement
  Translation to executable specification
3 Automatic Refinement
20 / 71
Refinement Ordering
• Recall: Subset-ordering lifted to α nres
• We will use the ≤-symbol from now on
    RES X ≤ RES Y ←→ X ⊆ Y
    _ ≤ FAIL ←→ True
    FAIL ≤ RES _ ←→ False
• Intuition: m ≤ m′
  • All results of m are also possible in m′ (or m′ is error)
  • m refines m′
• Interesting cases
  • m ≤ spec Φ: Possible results of m satisfy Φ
  • m ≤ fail: Error is refined by everything
  • res ∅ ≤ m: Empty result refines everything
• We define succeed = res ∅
  • Sometimes also called magic, as it magically satisfies any specification
21 / 71
Examples
sort_spec l = SPEC (λl′. multiset_of l = multiset_of l′ ∧ sorted l′)
sort l ≤ sort_spec l
distinct l =⇒ sort l ≤ sort_spec l
pre a =⇒ algo a ≤ SPEC (λr. post a r)
(* Compare: Hoare triple {pre} algo {post} *)
22 / 71
Refinement
• Refinement ordering is transitive (it’s a complete lattice)
  • In particular: impl ≤ abs and abs ≤ spec Φ implies impl ≤ spec Φ
  • Allows to split the abstract correctness proof and the implementation proof
• Bind (and other combinators) are monotone
  • m′ ≤ m, f′ ≤ f =⇒ m′ >>= f′ ≤ m >>= f
  • Refining only parts of a program already implies refinement of the whole program
23 / 71
Examples
min_spec l = do { ASSERT (l ≠ []); SPEC x. x ∈ set l ∧ prio x = Min (prio ` set l) }
min_abs l = do { ASSERT (l ≠ []); l′ ← sort_spec l; RETURN (hd l′) }
min_impl l = do { ASSERT (l ≠ []); l′ ← sort l; RETURN (hd l′) }
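The nres monad of slides 15 and 16 and the refinement ordering and examples of slides 21 to 24, carried through in a small executable model. This is added Python, not code from the Refinement Framework: `res X` is a Python frozenset, `fail` is the sentinel `FAIL`, `spec` is restricted to a finite candidate universe so that it stays computable, lists are tuples so that they can be set members, and the priority function `prio` of min_spec is taken to be the identity. The block checks the three monad laws on sample data, error propagation over bind, and the chain min_impl ≤ min_abs ≤ min_spec.

```python
from itertools import permutations

# α nres, finitely modelled: `res X` is the frozenset X, `fail` is a sentinel.
FAIL = None
SUCCEED = frozenset()   # res ∅: no possible result, refines everything


def ret(x):
    """return x = res {x}"""
    return frozenset({x})


def bind(m, f):
    """res X >>= f = ⊔{f x | x ∈ X};  fail >>= f = fail.
    The join of finitely many results is fail if any of them is fail
    ("possibility to choose error ⟹ error"), otherwise their union."""
    if m is FAIL:
        return FAIL
    results = [f(x) for x in m]
    if any(r is FAIL for r in results):
        return FAIL
    return frozenset().union(*results)


def assert_(phi):
    """assert Φ = if Φ then return () else fail"""
    return ret(()) if phi else FAIL


def spec(candidates, phi):
    """spec x. Φ x = res {x | Φ x}, over a finite candidate universe (assumption)."""
    return frozenset(x for x in candidates if phi(x))


def leq(m, m2):
    """Refinement ordering: res X ≤ res Y ⟷ X ⊆ Y;  _ ≤ fail;  fail ≤ res _ is false."""
    if m2 is FAIL:
        return True
    if m is FAIL:
        return False
    return m <= m2


def monad_laws_hold(xs, f1, f2):
    """Check (id1), (id2) and (assoc) on the finite result set xs."""
    m = frozenset(xs)
    id1 = all(bind(ret(x), f1) == f1(x) for x in xs)
    id2 = bind(m, ret) == m
    assoc = bind(bind(m, f1), f2) == bind(m, lambda x: bind(f1(x), f2))
    return id1 and id2 and assoc


# The min example of the slides, with prio taken as the identity.
def sort_spec(l):
    """SPEC (λl'. multiset_of l = multiset_of l' ∧ sorted l')"""
    return spec(set(permutations(l)), lambda l2: list(l2) == sorted(l2))


def sort_impl(l):
    """A deterministic sort: exactly one result, so it refines sort_spec."""
    return ret(tuple(sorted(l)))


def min_spec(l):
    """do { ASSERT (l ≠ []); SPEC x. x ∈ set l ∧ x = Min (set l) }"""
    return bind(assert_(len(l) > 0),
                lambda _: spec(set(l), lambda x: x == min(l)))


def min_abs(l):
    """do { ASSERT (l ≠ []); l' ← sort_spec l; RETURN (hd l') }"""
    return bind(assert_(len(l) > 0),
                lambda _: bind(sort_spec(l), lambda l2: ret(l2[0])))


def min_impl(l):
    """do { ASSERT (l ≠ []); l' ← sort_impl l; RETURN (hd l') }"""
    return bind(assert_(len(l) > 0),
                lambda _: bind(sort_impl(l), lambda l2: ret(l2[0])))


def refinement_chain(l):
    """(impl ≤ abs, abs ≤ spec, impl ≤ spec): the third follows by transitivity."""
    return (leq(min_impl(l), min_abs(l)),
            leq(min_abs(l), min_spec(l)),
            leq(min_impl(l), min_spec(l)))
```

`refinement_chain((3, 1, 2))` returns `(True, True, True)`. For the empty list all three programs are `fail`, which is refined by everything, including itself, so the chain holds there as well; the interesting check is that `bind` turns a single failing branch into failure of the whole program.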
24 / 71
Demo
Sort_Min.thy
25 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
  The nondeterminism monad
  Refinement Ordering
  Recursion, total and partial correctness
  Data Refinement
  Translation to executable specification
3 Automatic Refinement
26 / 71
Fixed points
• Let f : α → α be a function
  • x with f x = x is called a fixed point
• Let ≤ be a complete lattice, and f be monotonic (i.e. x ≤ y =⇒ f x ≤ f y)
  • A unique least fixed point lfp f exists
  • Dually, a unique greatest fixed point gfp f exists
27 / 71
Recursion
• Regard a recursive function definition
    let rec f x = F f x
• F is the function body
  • E.g. F f x = if x > 0 then 2 ∗ f (x − 1) else 1
• For f, we want the following equation
  • f x = F f x
  • I.e., f is a fixed point of F
28 / 71
Pointwise ordering, flat lattice
• Given an ordering ≤ ⊆ α × α, we extend it to functions β → α:
  • g ≤ f ⇐⇒ ∀x. g x ≤ f x
• Given a set S, we define a complete lattice ≤ on S ∪̇ {⊥, ⊤}
    ⊥ ≤ _
    s ≤ s for s ∈ S
    _ ≤ ⊤
29 / 71
Recursion as least fixed point
    let rec f x = F f x
• Now, we define f = lfp F
  • Wrt. the flat lattice and pointwise ordering
• Intuitively: If f x terminates, the only fixed point is what we want
  • Otherwise: f x = ⊥
• Dually, we could use gfp and get ⊤
30 / 71
Monotonicity, partial and total correctness
• Functions constructed using monad combinators, if-then-else, case, nested fixed-point combinators are monotonic by construction
  • Can be automatically proved (Krauss’ partial-function package)
• Moreover, for those functions, the flat ordering matches the refinement ordering
  • lfp_flat F = lfp_ref F, where ⊥ = succeed and ⊤ = fail
• Thus, when defining a function with lfp
  • On nontermination, we get succeed
  • which satisfies any specification
  =⇒ partial correctness
• Dually, for gfp, we get fail
  =⇒ total correctness
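Slides 27 to 31 in executable form: Kleene iteration over the flat lattice, pointwise on a finite argument domain, computes lfp F by iterating from ⊥ and gfp F by iterating from ⊤, and the two results are then read in the refinement lattice as succeed and fail. This is added Python, not the framework's code. The recursive body F is a constructed one that loops for x ≥ 4 (the slides' body `if x > 0 then 2 ∗ f (x − 1) else 1` terminates everywhere, so lfp and gfp would coincide on it); the finite domain and the specification "the result is a power of two" are assumptions of the example.

```python
# Flat lattice: ⊥ (nontermination) and ⊤ are the extra elements around the values.
BOT, TOP = "⊥", "⊤"
DOMAIN = range(8)          # constructed finite argument domain (assumption)


def strict(op, v):
    """Lift a function on values to the flat lattice: ⊥ and ⊤ are absorbing,
    which is what makes the lifted body monotone."""
    return v if v in (BOT, TOP) else op(v)


def F(f, x):
    """Body of `let rec f x = F f x` (constructed for this example):
    f 0 = 1, f x = 2 * f (x - 1) for 0 < x < 4, and f x = f x for x >= 4,
    i.e. the call does not terminate for x >= 4.  f is a finite map here."""
    if x == 0:
        return 1
    if x < 4:
        return strict(lambda v: 2 * v, f[x - 1])
    return f[x]


def kleene(body, start):
    """Iterate f ↦ (λx. body f x) from the constant function `start` until it is
    stable.  For a monotone body on this finite lattice, starting from ⊥ gives
    lfp and starting from ⊤ gives gfp."""
    f = {x: start for x in DOMAIN}
    while True:
        nxt = {x: body(f, x) for x in DOMAIN}
        if nxt == f:
            return f
        f = nxt


def lfp():
    return kleene(F, BOT)


def gfp():
    return kleene(F, TOP)


# Reading the flat lattice in the refinement lattice: ⊥ = succeed, ⊤ = fail.
FAIL = None


def to_nres(v):
    """⊥ ↦ res ∅ (succeed), ⊤ ↦ fail, value ↦ res {value}."""
    if v == BOT:
        return frozenset()
    if v == TOP:
        return FAIL
    return frozenset({v})


def satisfies_spec(m, phi):
    """m ≤ spec Φ: m is not fail and every possible result satisfies Φ.
    For succeed (no results) this is vacuously true."""
    return m is not FAIL and all(phi(r) for r in m)


def correctness(fixpoint, phi):
    """For each argument x: does the fixed point's result at x satisfy Φ?
    With lfp this is partial correctness, with gfp total correctness."""
    return {x: satisfies_spec(to_nres(v), phi) for x, v in fixpoint.items()}
```

With Φ = "the result is a power of two", `correctness(lfp(), Φ)` is true on the whole domain, because the non-terminating arguments yield succeed; `correctness(gfp(), Φ)` is true exactly for the terminating arguments 0 to 3 and false for 4 to 7, where gfp yields fail.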
31 / 71
REC and RECT combinators
• The refinement framework provides
  • rec, recT :: ((α → β nres) → α → β nres) → α → β nres
  • rec F x = do { assert (mono F); lfp F x }
  • recT F x = do { assert (mono F); gfp F x }
• With proof rules
    pre x;  ∀f x. (∀x. pre x =⇒ f x ≤ M x) ∧ pre x =⇒ F f x ≤ M x
    ────────────────────────────────────────────────────────────────
    rec F x ≤ M x

    pre x;  ∀f x. (∀x′. pre x′ ∧ x′ V x =⇒ f x′ ≤ M x′) ∧ pre x =⇒ F f x ≤ M x
    ──────────────────────────────────────────────────────────────────────────
    recT F x ≤ M x
  for a well-founded relation V
• And appropriate refinement rules (monotonicity)
32 / 71
WHILE-Loops
• Based on this, we also have while-loops
  • while c f s: iterate f on state s as long as c holds
  • And also whileT
• With the expected rules
33 / 71
Demo
Explore_Tree.thy
34 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
  The nondeterminism monad
  Refinement Ordering
  Recursion, total and partial correctness
  Data Refinement
  Translation to executable specification
3 Automatic Refinement
35 / 71
Basic Idea
• Refinement not only implements a specification by a more concrete algorithm
• We also want to implement abstract data structures by more concrete ones
  • For example, sets by lists, red-black trees, or hash tables
36 / 71
Refinement Relation
• Relate concrete type 'c to abstract type 'a
  • Relation R :: ('c × 'a) set
• Usually single-valued, i.e. (c, a) ∈ R ∧ (c, a′) ∈ R =⇒ a = a′
  • (Right-Unique)
• But not necessarily total: There may be c with ∀a. (c, a) ∉ R
  • Intuition: Concrete type has an invariant, e.g., distinct list
• Nor surjective, i.e., there are a with ∀c. (c, a) ∉ R
  • Intuition: Concrete type cannot represent all abstract elements, e.g., only finite sets
37 / 71
Invariant and abstraction function
• Consider an invariant I :: 'c ⇒ bool and an abstraction function α :: 'c ⇒ 'a
• We define br α I = {(c, α c) | c. I c}
  • Intuitively: Map concrete elements that satisfy the invariant to abstract elements.
• Exactly the single-valued relations can be represented like this
38 / 71
Concretization function
• Idea: Concrete program refines abstract one:
  • All outcomes in the domain of the refinement relation
  • All corresponding abstract values in the abstract program
• For R :: ('c × 'a) set, we define a concretization function ⇓R :: 'a nres → 'c nres
    ⇓R (res X) = res (R⁻¹ `` X)
    ⇓R fail = fail
• Intuitively, this transforms the abstract program into the biggest refining concrete program
• Refinement now expressed by
    concrete ≤ ⇓R abstract
39 / 71
Remark: Galois connection
• For single-valued refinement relations, ⇓R is the adjoint of a Galois connection
• The other adjoint is ⇑R, defined by
    ⇑R (res X) = res (R `` X)   if X ⊆ Domain R
    ⇑R (res X) = fail           otherwise
    ⇑R fail = fail
• Galois connection means that we have:
    m′ ≤ ⇓R m ⇐⇒ ⇑R m′ ≤ m
• Intuitively, abstraction and concretization can be swapped
  • This gives us nice mathematical properties
  • But only for single-valued relations
  • Recently, we decided to drop single-valued restrictions where possible
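Data refinement as on slides 37 to 40, in the same finite model as before (`res X` as a frozenset, `fail` as a sentinel): `br α I` builds list_set_rel over a constructed universe of tuples standing for lists, ⇓R and ⇑R are computed by enumeration, one correct and one invariant-breaking implementation of an abstract "remove some element" program are checked against concrete ≤ ⇓R abstract, and the Galois connection m′ ≤ ⇓R m ⇐⇒ ⇑R m′ ≤ m is tested over sample programs. This is added Python, not the framework's code; the programs, the element universe {1, 2, 3} and the non-distinct tuples added to the concrete universe are constructed for the example.

```python
from itertools import permutations, combinations

# Finite nres encoding: `res X` is a frozenset X, `fail` is a sentinel.
FAIL = None


def leq(m, m2):
    """res X ≤ res Y ⟷ X ⊆ Y;  _ ≤ fail;  fail ≤ res _ is false."""
    if m2 is FAIL:
        return True
    return m is not FAIL and m <= m2


def br(alpha, inv, concretes):
    """br α I = {(c, α c) | c. I c}, enumerated over a finite concrete universe."""
    return frozenset((c, alpha(c)) for c in concretes if inv(c))


def conc(R, m):
    """⇓R (res X) = res (R⁻¹ `` X);  ⇓R fail = fail."""
    if m is FAIL:
        return FAIL
    return frozenset(c for (c, a) in R if a in m)


def abs_(R, m):
    """⇑R (res X) = res (R `` X) if X ⊆ Domain R, else fail;  ⇑R fail = fail."""
    if m is FAIL:
        return FAIL
    if not m <= {c for (c, _) in R}:
        return FAIL
    return frozenset(a for (c, a) in R if c in m)


# Constructed concrete universe: tuples (standing for lists) over {1, 2, 3} of
# length <= 3, plus a few non-distinct tuples that violate the invariant.
ELEMS = (1, 2, 3)
CONCRETES = frozenset(p for n in range(4) for c in combinations(ELEMS, n)
                      for p in permutations(c)) | frozenset((x, x) for x in ELEMS)

# list_set_rel = br set distinct (element relation Id)
LIST_SET_REL = br(lambda l: frozenset(l), lambda l: len(set(l)) == len(l), CONCRETES)


def remove_some_abs(s):
    """Abstract: spec s'. s' ⊆ s ∧ |s'| = |s| - 1 (drop some element); fails on {}."""
    return FAIL if not s else frozenset(s - {x} for x in s)


def remove_some_impl(l):
    """Concrete, on distinct lists: RETURN (tl l); fails on []."""
    return FAIL if not l else frozenset({l[1:]})


def dup_impl(l):
    """A wrong implementation: RETURN (hd l # l).  Its result is never in the
    domain of list_set_rel, so it cannot refine anything but fail."""
    return FAIL if not l else frozenset({(l[0],) + l})


def refines(impl, l):
    """concrete ≤ ⇓R abstract, for input l and R = list_set_rel."""
    return leq(impl(l), conc(LIST_SET_REL, remove_some_abs(frozenset(l))))


def galois_holds(R, concrete_progs, abstract_progs):
    """m' ≤ ⇓R m  ⟺  ⇑R m' ≤ m, checked for all given sample programs."""
    return all(leq(m2, conc(R, m)) == leq(abs_(R, m2), m)
               for m2 in concrete_progs for m in abstract_progs)


def galois_check():
    """Run galois_holds over small sample programs on both sides: fail, and
    every result set of at most two concrete (resp. abstract) values."""
    abstract_values = [frozenset(c) for n in range(4) for c in combinations(ELEMS, n)]
    abstract_progs = [FAIL] + [frozenset(a) for n in range(3)
                               for a in combinations(abstract_values, n)]
    concrete_progs = [FAIL] + [frozenset(c) for n in range(3)
                               for c in combinations(sorted(CONCRETES), n)]
    return galois_holds(LIST_SET_REL, concrete_progs, abstract_progs)
```

`refines(remove_some_impl, l)` holds for every distinct tuple l, including the empty one (both sides are `fail` there), while `refines(dup_impl, (1, 2))` is false because the result `(1, 1, 2)` has no abstract counterpart. `galois_check()` returns True for this single-valued relation; the concrete programs that mention a non-distinct tuple are exactly the ones for which both sides of the equivalence are false.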
40 / 71
Refinement conditions
• We can derive structure-preserving refinement rules
  • E.g. for return, bind, recursion (show in IDE)
• And build a verification condition generator on them
• Additionally, there are rules that try to cope with non-exact matches
• And a tool that helps finding appropriate refinement relations
41 / 71
Demo
Basic_Refinements.thy
42 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
  The nondeterminism monad
  Refinement Ordering
  Recursion, total and partial correctness
  Data Refinement
  Translation to executable specification
3 Automatic Refinement
43 / 71
Deterministic Programs
• Executable specifications must be deterministic
  • And must not contain succeed
  • And all used functions should be executable
• Transfer to deterministic monad
  • α dres = succeed_d | res_d α | fail_d
  • return x = res_d x, res_d x >>= f = f x, fail_d >>= f = fail_d
  • nres_of : α dres → α nres
• Transfer preserves structure
  • But has no rules for res (nor spec)
  • Assertions are dropped
• This can be automated
  • Yields det with nres_of det ≤ impl
44 / 71
Getting rid of the dres type
• Additionally, prove that the program cannot yield succeed
  • Possible for total correct programs
• Then, extract the result by the selector
    the_res : α dres → α
• And get return (the_res det) ≤ impl
45 / 71
Transfer to plain function
• If the program is tail-recursive
  • I.e., the only recursion combinator is while
• We can transfer to a plain HOL definition
  • Without any deterministic monad involved
46 / 71
Recursion Combinators
• Code generator cannot handle recursion combinators (REC, RECT)
  • They need to be converted to equations
  • For every instance, as a monotonicity proof is required
• Done automatically by the command prepare_code_thms
47 / 71
Demo
Basic_Refinements.thy
continued
48 / 71
Hands-On session
• Now, it’s your turn! Here are some ideas
• Extend the graph-exploration/worklist algorithm to remember visited nodes
  • And thus be total correct for arbitrary (finitely-branching) graphs
  • Hint: find_theorems finite_psupset
• Implement the visited-nodes set by lists or red-black trees
  • You will need thm rs.correct and thm ls.correct
• Extend the algorithm to return a path to the node
49 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
3 Automatic Refinement
50 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
3 Automatic Refinement
  Motivation
  Parametricity and Refinement Relations
  Phases of Autoref
51 / 71
Motivation
• Refinement often just replaces abstract by concrete data types
  • E.g. α set to α dlist
• Tedious to write the algorithm down two times
  • Could be automated
52 / 71
Generic Algorithms
• And, while we are automating this
  • perhaps throw in some meta-programming
  • automatically instantiate generic algorithms?
  • E.g., setsum, parameterized by an iterator over the set
53 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
3 Automatic Refinement
  Motivation
  Parametricity and Refinement Relations
  Phases of Autoref
54 / 71
Recall:
• Refinement relation: Relates concrete and abstract type
  • For example, 〈R〉list_set_rel relates distinct lists to sets, members are related by R
• Basic relators
  • Function relator: (f, g) ∈ A → B ⇐⇒ ∀(x, y) ∈ A. (f x, g y) ∈ B
  • Identity: (x, y) ∈ Id ⇐⇒ x = y
• Structure-preserving relators
  • ((a, b), (a′, b′)) ∈ A ×_r B ⇐⇒ (a, a′) ∈ A ∧ (b, b′) ∈ B
  • Also have list_rel, option_rel, ...
55 / 71
Relators for data refinement
• Consider the operation "empty set": {} :: 'a set
  • We have ([], {}) ∈ 〈A〉list_set_rel
  • For any relation A between the elements
• Consider the operation "singleton set": λx. {x} :: 'a ⇒ 'a set
  • We have (λx. [x], λy. {y}) ∈ A → 〈A〉list_set_rel
  • In words: If x implements y then [x] implements {y}
56 / 71
Synthesis with parametricity
• We have
    ∀x y. (x, y) ∈ A =⇒ (f x, g y) ∈ B
    ─────────────────────────────────── (abs)
    (λx. f x, λy. g y) ∈ A → B

    (x, y) ∈ A;  (f, g) ∈ A → B
    ─────────────────────────── (app)
    (f x, g y) ∈ B
• With these, and parametricity rules for the constants, we can synthesize an implementation from the abstract term
  • Compare with lifting and transfer
• BUT:
  • We must choose consistent implementations
  • All abstract operations must be expressed by a single constant
  • Consider a couple of problems, see next slides
• This is exactly what Autoref does
57 / 71
Equality
• Equality is structural equality in HOL
• But structural equality on the abstract type need not match structural equality on the implementation
  • [1, 2] and [2, 1] both implement the same set
58 / 71
Set is non-free
• Beware of hidden equality
  • Try to implement ∈ for lists
  • You’ll need equality on the elements
  • (eq, op =) ∈ A → A → bool_rel
  • Which may not be structural equality!
• We have glist_member :: ('a ⇒ 'a ⇒ bool) ⇒ 'a ⇒ 'a list ⇒ bool
• Thus
    (eq, op =) ∈ A → A → bool_rel =⇒ (glist_member eq, op ∈) ∈ A → 〈A〉list_set_rel → bool_rel
59 / 71
Other type classes
• The same applies for other type classes
• The concrete datatypes need not instantiate them consistently with their abstract counterparts
  • Operations on them have to be made explicit
  • For example, linear ordering on red-black trees
60 / 71
Generic algorithms
• Consider again the singleton set operation
  • It can be (abstractly) expressed by empty set and insertion
    {x} = insert x {}
• Thus, if we have implementations for insert and empty-set
  • we also get one for singleton set
    ⟦ (ins_impl, insert) ∈ A → 〈A〉Rs → 〈A〉Rs;  (empty_impl, {}) ∈ 〈A〉Rs ⟧
    =⇒ (λx. ins_impl x empty_impl, λx. {x}) ∈ A → 〈A〉Rs
• Note: This works for any relator Rs!
61 / 71
Specialization (Type)
• Apart from generic algorithms, we may still define specialized versions for certain data types
  • E.g., we still have (λx. [x], λx. {x}) ∈ A → 〈A〉list_set_rel
62 / 71
Partially parametric functions
• Consider the function hd : α list → α
• For refining the elements of a list, keeping the list structure, we would like to have (hd, hd) ∈ 〈A〉list_rel → A
  • However, we cannot prove that!
  • As hd [] = undefined, this would imply (undefined, undefined) ∈ A
  • Which we cannot prove!
• Solution: Restrict the parametricity theorem to non-empty lists
    ⟦ l ≠ []; (li, l) ∈ 〈A〉list_rel ⟧ =⇒ (hd li, hd l) ∈ A
63 / 71
Specialization (Precondition)
• Consider insertion of an element into a set, implemented on distinct lists
  • We need to check whether the element is already in
  • Linear time required
• But, sometimes, we know that the element is not in the set, e.g.
    if x ∉ s then let s = insert x s; ... else ...
• In this case, insert can be implemented by Cons, in constant time
    ⟦ x ∉ s; (xi, x) ∈ A; (l, s) ∈ 〈A〉list_set_rel ⟧ =⇒ (xi # l, insert x s) ∈ 〈A〉list_set_rel
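Slides 55, 59, 61 and 64 in one executable model: relator membership decided by enumeration, glist_member with an explicit equality, the generic singleton built from insert and empty, and the precondition-based Cons specialization. This is added Python, not Autoref code. The element relation A (concrete ints related to their residue mod 3) is constructed so that it is not the identity, which is exactly what exposes the hidden-equality problem: the same member function is parametric with `eq_impl` and not with structural `==`. Also constructed for the example are the element universe, the sample lists (tuples of length at most 2) and the `in_*` helpers, which check relator membership on finite data rather than proving it.

```python
from itertools import product, combinations

# Constructed element relation A: concrete ints relate to their residue mod 3.
CONCRETE_ELEMS = range(6)
A = frozenset((c, c % 3) for c in CONCRETE_ELEMS)
ABSTRACT_SETS = [frozenset(s) for n in range(4) for s in combinations(range(3), n)]


def eq_impl(x, y):
    """(eq_impl, op =) ∈ A → A → bool_rel: equality *up to A*, not structural."""
    return x % 3 == y % 3


def in_list_set_rel(A, l, s):
    """(l, s) ∈ ⟨A⟩list_set_rel ⟺ ∃l'. (l, l') ∈ ⟨A⟩list_rel ∧ distinct l' ∧ set l' = s.
    l is a tuple standing for a list; the abstract list l' is enumerated over A."""
    choices = [[a for (c2, a) in A if c2 == c] for c in l]
    return any(len(set(l2)) == len(l2) and frozenset(l2) == s
               for l2 in product(*choices))


def in_fun_rel(f, g, dom_pairs, in_codomain):
    """(f, g) ∈ Dom → Cod ⟺ ∀(x, y) ∈ Dom. (f x, g y) ∈ Cod, on finite data."""
    return all(in_codomain(f(x), g(y)) for (x, y) in dom_pairs)


def glist_member(eq, x, l):
    """glist_member :: ('a ⇒ 'a ⇒ bool) ⇒ 'a ⇒ 'a list ⇒ bool, equality passed explicitly."""
    return any(eq(x, y) for y in l)


# Sample concrete lists over the concrete elements (length <= 2) and the pairs
# of ⟨A⟩list_set_rel among them.
LISTS = [l for n in range(3) for l in product(CONCRETE_ELEMS, repeat=n)]
LIST_SET_PAIRS = [(l, s) for l in LISTS for s in ABSTRACT_SETS if in_list_set_rel(A, l, s)]


def member_is_parametric(eq):
    """Does (glist_member eq, op ∈) ∈ A → ⟨A⟩list_set_rel → bool_rel hold for this eq?"""
    return all(glist_member(eq, xi, l) == (x in s)
               for (xi, x) in A for (l, s) in LIST_SET_PAIRS)


def ins_impl(eq, x, l):
    """Insertion on distinct lists: linear-time membership test, then cons."""
    return l if glist_member(eq, x, l) else (x,) + l


def insert_is_parametric():
    """(ins_impl eq_impl, insert) ∈ A → ⟨A⟩list_set_rel → ⟨A⟩list_set_rel"""
    return all(in_list_set_rel(A, ins_impl(eq_impl, xi, l), s | {x})
               for (xi, x) in A for (l, s) in LIST_SET_PAIRS)


def singleton_is_parametric():
    """Generic algorithm: λx. ins_impl eq x empty_impl implements λx. {x}."""
    empty_impl = ()
    return in_fun_rel(lambda xi: ins_impl(eq_impl, xi, empty_impl),
                      lambda x: frozenset({x}),
                      A,
                      lambda l, s: in_list_set_rel(A, l, s))


def cons_specialization(require_precondition):
    """⟦x ∉ s; (xi, x) ∈ A; (l, s) ∈ ⟨A⟩list_set_rel⟧ ⟹ (xi # l, insert x s) ∈ ⟨A⟩list_set_rel.
    With require_precondition=False the side condition x ∉ s is dropped, and
    consing may duplicate an element, breaking distinctness."""
    return all(in_list_set_rel(A, (xi,) + l, s | {x})
               for (xi, x) in A for (l, s) in LIST_SET_PAIRS
               if not require_precondition or x not in s)
```

`member_is_parametric(eq_impl)` is True and `member_is_parametric(lambda x, y: x == y)` is False: with concrete 3 implementing abstract 0, `glist_member (==) 3 [0]` says False while `0 ∈ {0}` holds. `cons_specialization(True)` is True and `cons_specialization(False)` is False, which is why the Cons rule carries the precondition x ∉ s.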
64 / 71
Wrap-up
• Idea of automatic refinement via parametricity is very simple
• But lots of things to think of if implemented for the real stuff
  • Abstract operations are not single constants (Map.empty, x ≠ {}, ...)
  • Consistent selection of implementations
  • Hidden operations and type-classes
    • we get generic algorithms as a bonus
  • Partial parametricity
    • we get precondition-based specialization as a bonus
65 / 71
Relation to Refinement Framework
• Combinators of the nondeterminism monad are parametric
  • With relator (c, a) ∈ 〈R〉nres_rel ←→ c ≤ ⇓R a
• Thus, automatic refinement just works for them
  • preserving the structure of the program
• Show: param_RETURN, param_bind, param_RECT
66 / 71
Table of Contents
1 Motivation
2 Theory of Program Refinement
3 Automatic Refinement
  Motivation
  Parametricity and Refinement Relations
  Phases of Autoref
67 / 71
Identify
• Try to identify the abstract datatypes and operations
• Rewrite to have each operation represented by a single constant
  • Which uniquely identifies the abstract concept
• Uses heuristics
  • Typing rules + rewriting
• Example, show some autoref_itype rules
68 / 71
Fix Relators
• Infer consistent relators
  • Again, typing.
  • With conditional rules for generic algorithms.
  • And many heuristics to get a "good" implementation
    • User annotations
    • Priority of implementations (e.g., prefer RBT over list)
    • Homogeneity: Implement types involved in an operation the same way
      • A ∪ B: Try to use the same impl for A, B, and the result
• Note: Does not consider side conditions!
69 / 71
Translate
• Do the translation with the fixed relators
• Try to discharge side-conditions
  • Try specialized rules before more general ones
• Infer operations required for generic algorithms
70 / 71
Demo
Autoref_Basic_Demo.thy
71 / 71