Deductive Search for Errors in Free Data Type Speci cations using … · 2008. 7. 18. · 1 Subject...
Deductive Search for Errors in
Free Data Type Specifications
using Model Generation
Wolfgang Ahrendt
Chalmers University of Technology
Göteborg
CADE-18
Copenhagen, July 2002
Slide 1: Subject
frame: free data type specifications
goal: support for detecting errors in specifications
reveal: non-consequence between specification and conjecture:
SPEC ⊭ ϕ
means: − model construction
− using theory specific calculus
− proof procedure: “model generation” (MGTP)
Slide 2: Algebraic Specification of Abstract Data Types: Syntactical Variations
equality logic: atoms are equations (i.e. no predicates)
variants:
• pure equality (no negation or disjunction)
• Horn equality
• quantifier free (implicit universal closure)
• full first-order equality logic
Slide 3: Algebraic Specification of Abstract Data Types: Semantical Variations
unlike usual FOL semantics: only certain models/domains considered
1. initial semantics: domain = the set of ‘minimal’ equivalence classes over all terms
2. constructor generated semantics:
(a) loose semantics: domain = any set of equivalence classes over constructor terms; functions = any mappings over the domain ⇒ non-monomorphic specifications (different models)
(b) constructive specifications: monomorphic by syntactical restrictions (used in the automated induction community)
Slide 4: Loose versus Initial Approach
“In software development, design specifications and prototyping by executable specifications are supported by the initial approach; in the loose approach the aim is to cover the whole software development process including requirement specifications.” [M. Wirsing]
algebraic specification languages:
• contemporary quasi standard: CASL
• CASL allows mixing both styles
• ‘loose’ is default
this work: loose specification
Slide 5: monomorphic vs. non-monomorphic
monomorphic approaches (initial semantics, constructive specifications):
• specification has one model at most
• SPEC ⊭ ϕ ⇐⇒ SPEC ⊨ Contr(ϕ)
where Contr(ϕ) ≡ ¬Cl∀(ϕ) ≡ Cl∃(¬ϕ)
• consistency and provability closely related
non-monomorphic approaches (loose semantics):
• specification can have several models
• possible: SPEC ⊭ ϕ and SPEC ⊭ Contr(ϕ) (under-specification)
Slide 6: Example: Data Type NatStack
spec = NatStack
sorts Nat ::= 0 | s(Nat);
      Stack ::= nil | push(Nat, Stack);
functions top : Stack → Nat;
          pop : Stack → Stack;
          del : Nat × Stack → Stack;
axioms top(push(n, st)) ≐ n;
       pop(push(n, st)) ≐ st;
       del(n, push(n, st)) ≐ st;
       n ≠ n′ → del(n, push(n′, st)) ≐ push(n′, del(n, st));
       del(n, nil) ≐ nil;
end
NatStack ⊭ pop(st) ≠ st and NatStack ⊭ ∃st. pop(st) ≐ st
Slide 7: Free Data Types
this work: special case of loose specification: free data types only
• free :⇐⇒ different constructor terms are unequal
• domain is fixed: {CT_s | s ∈ S} (CT_s: ‘constructor terms of sort s’)
• different models only vary in: interpretation of (non-constructor) function symbols: I(f) : CT_s1 × ... × CT_sn → CT_s
val_{I,β}(f(t1, ..., tn)) = I(f)(val_{I,β}(t1), ..., val_{I,β}(tn)) (f a function)
val_{I,β}(c(t1, ..., tn)) = c(val_{I,β}(t1), ..., val_{I,β}(tn)) (c a constructor)
• search for models = search for interpretations
Slide 8: Non-Consequence and Counter Specifications
given:
− specification 〈Σ, AX〉 (with signature Σ and axioms AX)
− conjecture ϕ
then:
〈Σ, AX〉 ⊭ ϕ
⇐⇒
〈Σ, AX ∪ Contr(ϕ)〉 has a model
〈Σ, AX ∪ Contr(ϕ)〉: “counter specification”
Slide 9: Normalization
1. Skolemize away ∃ quantifiers (e.g. introduced by Contr)
2. add Skolem functions to the functions of Σ (not to the constructors); result: Σ′
3. compute CNF; result: AX′
〈Σ, AX〉 ⊭ ϕ
⇐⇒
normalize(〈Σ, AX ∪ Contr(ϕ)〉) has a model
⇐⇒
〈Σ′, AX′〉 has a model (with AX′ in CNF)
Slide 10: Model Construction = Interpretation Construction
• models are characterized by interpretations
• ⇒ deductive method for interpretation construction
• give operational meaning to axioms and sort declarations
1. use axioms to construct the interpretation
2. use sort declarations to search for unknown elements in the interpretation
• ‘operational meaning’ given by rules in a theory specific calculus
⇒ transformation of axioms and signature to rules
Slide 11: Interpretation Representation: Meta Atoms
imagine: interpretations are tables (ct_ij: constructor terms)
I(f):
  〈ct11, ..., ct1n〉 ↦ ct10
  〈ct21, ..., ct2n〉 ↦ ct20
  ...
  〈cti1, ..., ctin〉 ↦ cti0
  ...
meta atom: I(f, 〈cti1, ..., ctin〉, cti0) represents line i
during construction, meta atoms also contain place holders
other meta atoms: control search for (place holder) replacements
Slide 12: Search for I(f)(0)
I(f, 〈0〉, new1)
search Nat(new1)
Slide 13: Search for I(f)(0)
I(f, 〈0〉, new1)
search Nat(new1)
  branch 1: is(new1, 0)
  branch 2: is(new1, s(new2))
            search Nat(new2)
Slide 14: Search for I(f)(0)
I(f, 〈0〉, new1)
search Nat(new1)
  branch 1: is(new1, 0)
            I(f, 〈0〉, 0)
  branch 2: is(new1, s(new2))
            search Nat(new2)
              is(new2, 0) ...
Slide 15: Search for I(f)(0)
I(f, 〈0〉, new1)
search Nat(new1)
  branch 1: is(new1, 0)
            I(f, 〈0〉, 0)
  branch 2: is(new1, s(new2))
            search Nat(new2)
              branch 2.1: is(new2, 0)
                          is(new1, s(0))
                          I(f, 〈0〉, s(0))
              branch 2.2: ...
Slide 16: Transformation of Signature
sorts Nat ::= 0 | s(Nat); Stack ::= nil | push(Nat, Stack);
transformation (simplified for presentation):
search Nat(x) → is(x, 0) ; is(x, s(new1)), search Nat(new1) .
+
search Stack(x) → is(x, nil) ; is(x, push(new1, new2)), search Nat(new1), search Stack(new2) .
Slide 17: Transformation of Signature
sorts Nat ::= 0 | s(Nat); Stack ::= nil | push(Nat, Stack);
transformation (not simplified):
search Nat(x) → is(x, 0) ; is(x, s(arg1(x))), search Nat(arg1(x)) .
+
search Stack(x) → is(x, nil) ; is(x, push(arg1(x), arg2(x))), search Nat(arg1(x)), search Stack(arg2(x)) .
Slide 18: Search for I(f)(0)
I(f, 〈0〉, new1)
search Nat(new1)
  branch 1: is(new1, 0)
            I(f, 〈0〉, 0)
  branch 2: is(new1, s(arg1(new1)))
            search Nat(arg1(new1))
              branch 2.1: is(arg1(new1), 0)
                          is(new1, s(0))
                          I(f, 〈0〉, s(0))
              branch 2.2: ...
Slide 19: what really is new1
• What do we know about new1 in I(f, 〈0〉, new1) ?
• new1 is equal to val_I(f(0))
• ⇒ represented by val(f(0))
‘val’ and ‘arg’ terms are meta terms, talking about valuations and subterms
Slide 20: Search for I(f)(0)
I(f, 〈0〉, val(f(0)))
search Nat(val(f(0)))
  branch 1: is(val(f(0)), 0)
            I(f, 〈0〉, 0)
  branch 2: is(val(f(0)), s(arg1(val(f(0)))))
            search Nat(arg1(val(f(0))))
              branch 2.1: is(arg1(val(f(0))), 0)
                          is(val(f(0)), s(0))
                          I(f, 〈0〉, s(0))
              branch 2.2: ...
Slide 21: Transformation of Axioms: Example A
axiom pop(push(n, st)) ≐ st;
transformation:
Nat(n), Stack(st) → I(pop, 〈push(n, st)〉, st) .
Slide 22: Transformation of Axioms: Example B
axiom n ≐ n′ ∨ del(n, push(n′, st)) ≐ push(n′, del(n, st));
transformation (simplified for presentation):
Nat(n), Nat(n′), Stack(st) → same(n, n′) ; I(del, 〈n, push(n′, st)〉, new1), is(new1, push(n′, new2)), I(del, 〈n, st〉, new2), search Stack(new2) .
Slide 23: Transformation of Axioms: Example B
axiom n ≐ n′ ∨ del(n, push(n′, st)) ≐ push(n′, del(n, st));
transformation (not simplified):
Nat(n), Nat(n′), Stack(st) → same(n, n′) ; I(del, 〈n, push(n′, st)〉, val(push(n′, del(n, st)))), is(val(push(n′, del(n, st))), push(n′, val(del(n, st)))), I(del, 〈n, st〉, val(del(n, st))), search Stack(val(del(n, st))) .
Slide 24: More Rules (Examples)
functionality of the I predicate:
I(fv, tv, z), I(fv, tv, z′) → same(z, z′) .
rules for same:
same(push(x1, x2), nil) → . (rejection)
same(push(x1, x2), push(y1, y2)) → same(x1, y1), same(x2, y2) .
rules are theory- (i.e. specification-) specific:
result of TransSpec(〈Σ, AX〉)
Slide 25: Rules as Range Restricted Clauses
a rule with premises at1, ..., atn and m alternative conclusions (branches) at11, ..., at1n1 | ... | atm1, ..., atmnm
is actually represented as:
at1, ..., atn → at11, ..., at1n1 ; ... ; atm1, ..., atmnm .
for rejecting rules:
at1, ..., atn → .
r.r. clauses: input format for a variant of positive hyper tableaux, called model generation
⇒ rules executed by tool MGTP
Slide 26: Approximating the Specification
recursive data types: infinite domains
⇒ constructing interpretations in finite time: program synthesis
⇒ not feasible automatically (for loose specifications)
realizing automated search for errors demands concessions:
• instantiation of variables in CNF axioms with constructor terms of maximal size n: 〈Σ, AX≤n〉
• construction of models, i.e. interpretations, for 〈Σ, AX≤n〉
• the user has to decide whether the interpretation is extendible to SPEC
help: variation of n
Slide 27: Axiom Instantiation
consider again: Nat(m), Stack(st) → I(pop, 〈push(m, st)〉, st) .
• rule application requires Nat(t) and Stack(t′) on the branch
• ⇒ additional rules initialize the branch with
− Nat(t) for all t ∈ CT_Nat with |t| ≤ n
− Stack(t) for all t ∈ CT_Stack with |t| ≤ n
called “n-initialization”
• total rule set then constructs model for 〈Σ, AX≤n〉
Slide 28: n-restricted Model Correctness and Model Completeness
n-restricted model correctness:
If the n-initialised model generation procedure on TransSpec(〈Σ, AX〉) terminates by saturation, then
(a) 〈Σ, AX≤n〉 has a model,
(b) each interpretation I corresponding to the I-atoms on the saturated branch characterizes a model of 〈Σ, AX≤n〉.
n-restricted model completeness:
If 〈Σ, AX≤n〉 has a model, then
(a) the n-initialised fair model generation procedure on TransSpec(〈Σ, AX〉) terminates by saturation,
(b) each interpretation I corresponding to the I-atoms on the saturated branch characterizes a model of 〈Σ, AX≤n〉.
Slide 29: Unrestricted Model Completeness
corollary:
unrestricted model completeness: if 〈Σ, AX〉 has a model, then for each n, the n-initialised fair model generation procedure on TransSpec(〈Σ, AX〉) terminates by saturation.
reasons:
• constructor generatedness ⇒ 〈Σ, AX〉 equivalent to 〈Σ, AX≤∞〉
• the logic is monotonic ⇒ a model of 〈Σ, AX≤∞〉 is also a model of 〈Σ, AX≤n〉
due to limiting instantiations of axioms
no similar result when working with limited domain size
Slide 30: Realization
SPEC ⊭ ϕ ?
  → transformation (implemented in Java)
  → calculus execution (by MGTP)
  → saturated branch
  → post-processing (implemented in Java)
  → output
MGTP = ‘Model Generation Theorem Prover’ (Univ. Fukuoka)
Slide 31: Example: NatStack
spec = NatStack
sorts Nat ::= 0 | s(Nat);
      Stack ::= nil | push(Nat, Stack);
functions top : Stack → Nat;
          pop : Stack → Stack;
          del : Nat × Stack → Stack;
axioms top(push(n, st)) ≐ n;
       pop(push(n, st)) ≐ st;
       del(n, push(n, st)) ≐ st;
       n ≠ n′ → del(n, push(n′, st)) ≐ push(n′, del(n, st));
       del(n, nil) ≐ nil;
end
conjecture: del(top(st), st) ≐ pop(st)
Slide 32: Example Run
system input:
del(top(st), st) ≐ pop(st) ?
system output (the given limit is 4):
the conjecture del( top( ST ), ST ) = pop( ST )
is violated by the following variable assignment:
ST : nil
and by the following evaluation of subterms:
del(top(ST),ST) : nil
top(ST) : 0
pop(ST) : push(0,nil)
The interpretation found by the system satisfies the axioms, if instantiated by constructor terms with less than 4 constructors!
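The n-restricted search behind the run above, as an added Python example (not the talk's Java/MGTP implementation): it instantiates the NatStack axioms with constructor terms up to a size limit, treats the entries of the I-tables for top, pop and del as placeholders, and backtracks over their values until every instantiated axiom holds and some instance of the conjecture fails. The bound on placeholder values (value_limit) is an assumption of this stand-in; with limit 2 it finds the interpretation reported above (ST = nil, top(nil) = 0, pop(nil) = push(0, nil)).

```python
"""Bounded search for a counter-interpretation of NatStack (slides 31/32); an added
stand-in, not the talk's Java/MGTP system. Terms are nested tuples such as
('push', ('0',), ('nil',)); an interpretation is a table {(f, args): value}, one
entry per I(f, <args>, value) meta atom (slide 11). Assumption not from the talk:
placeholder values come from constructor terms of size <= value_limit, not a fair search."""
from itertools import product
FUNS = {'top', 'pop', 'del'}            # non-constructor function symbols

def size(t):                            # number of constructors in a term
    return 1 + sum(size(a) for a in t[1:])
def nats(n):                            # CT_Nat with at most n constructors
    return [('0',)] + [('s', t) for t in nats(n - 1)] if n > 0 else []
def stacks(n):                          # CT_Stack with at most n constructors
    res = [('nil',)] if n > 0 else []
    for k in nats(n - 2):               # |push(k, st)| = 1 + |k| + |st| <= n
        res += [('push', k, st) for st in stacks(n - 1 - size(k))]
    return res
def subst(t, sigma):                    # replace axiom variables (strings) by terms
    return sigma[t] if isinstance(t, str) else (t[0],) + tuple(subst(a, sigma) for a in t[1:])

def ev(t, table):                       # value of a ground term; None if an entry is missing
    args = tuple(ev(a, table) for a in t[1:])
    if any(a is None for a in args):
        return None
    return table.get((t[0], args)) if t[0] in FUNS else (t[0],) + args

def missing(t, table):                  # innermost function application lacking an entry
    for a in t[1:]:
        if (m := missing(a, table)) is not None:
            return m
    key = (t[0], tuple(ev(a, table) for a in t[1:]))
    return key if t[0] in FUNS and key not in table else None

# NatStack axioms as (variable sorts, guard "v != w" or None, lhs, rhs)
AXIOMS = [
    ({'n': 'Nat', 'st': 'Stack'}, None, ('top', ('push', 'n', 'st')), 'n'),
    ({'n': 'Nat', 'st': 'Stack'}, None, ('pop', ('push', 'n', 'st')), 'st'),
    ({'n': 'Nat', 'st': 'Stack'}, None, ('del', 'n', ('push', 'n', 'st')), 'st'),
    ({'n': 'Nat', 'm': 'Nat', 'st': 'Stack'}, ('n', 'm'),
     ('del', 'n', ('push', 'm', 'st')), ('push', 'm', ('del', 'n', 'st'))),
    ({'n': 'Nat'}, None, ('del', 'n', ('nil',)), ('nil',)),
]
# conjecture of slide 31 in the same shape: del(top(st), st) = pop(st)
CONJECTURE = ({'st': 'Stack'}, None, ('del', ('top', 'st'), 'st'), ('pop', 'st'))

def instances(sorts, guard, lhs, rhs, limit):   # ground instances, variables of size <= limit
    cts = {'Nat': nats(limit), 'Stack': stacks(limit)}
    sigmas = (dict(zip(sorts, vals)) for vals in product(*(cts[sorts[v]] for v in sorts)))
    return [(subst(lhs, s), subst(rhs, s)) for s in sigmas
            if guard is None or s[guard[0]] != s[guard[1]]]

def search(eqs, diseqs, table, cands):
    """Backtrack over placeholder values (the 'search Nat/Stack(new)' rules)."""
    for l, r in eqs:                    # rejection: an instantiated axiom is violated
        vl, vr = ev(l, table), ev(r, table)
        if vl is not None and vr is not None and vl != vr:
            return None
    for l, r in eqs + diseqs:
        key = missing(l, table) or missing(r, table)
        if key:
            for v in cands[key[0]]:     # try each constructor term for the placeholder
                table[key] = v
                if search(eqs, diseqs, table, cands) is not None:
                    return table
                del table[key]
            return None
    return table if any(ev(l, table) != ev(r, table) for l, r in diseqs) else None

def find_counterexample(conjecture, limit, value_limit):
    """Return (violated (lhs, rhs) instance, table) for a model of AX<=limit, or None."""
    eqs = [e for ax in AXIOMS for e in instances(*ax, limit)]
    diseqs = instances(*conjecture, limit)
    cands = {'top': nats(value_limit), 'pop': stacks(value_limit), 'del': stacks(value_limit)}
    table = search(eqs, diseqs, {}, cands)
    if table is None:
        return None
    return next(e for e in diseqs if ev(e[0], table) != ev(e[1], table)), table
```

Raising limit narrows the under-specification the way varying n does on slide 26, at the price of a search that grows quickly with the number of instantiated axioms.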
Slide 33: MergeSort
sort(empty) ≐ empty;
sort(append(l, l′)) ≐ merge(sort(l), sort(l′));
append(empty, l) ≐ l;
append(cons(n, l), l′) ≐ cons(n, append(l, l′));
merge(l, empty) ≐ l;
merge(empty, l′) ≐ l′;
less(n, n′) ≐ tt → merge(cons(n, l), cons(n′, l′)) ≐ cons(n, merge(l, cons(n′, l′)));
less(n, n′) ≐ ff → merge(cons(n, l), cons(n′, l′)) ≐ cons(n′, merge(cons(n, l), l′));
...
[Reif,Schellhorn,Thums: Ulmer Informatik-Berichte 2000-06]
Slide 34: MergeSort
sort(empty) ≐ empty;
sort(append(l, l′)) ≐ merge(sort(l), sort(l′));
append(empty, l) ≐ l;
append(cons(n, l), l′) ≐ cons(n, append(l, l′));
merge(l, empty) ≐ l;
merge(empty, l′) ≐ l′;
less(n, n′) ≐ tt → merge(cons(n, l), cons(n′, l′)) ≐ cons(n, merge(l, cons(n′, l′)));
less(n, n′) ≐ ff → merge(cons(n, l), cons(n′, l′)) ≐ cons(n′, merge(cons(n, l), l′));
...
[Reif,Schellhorn,Thums: Ulmer Informatik-Berichte 2000-06]
Conjecture: sort(cons(n, empty)) ≐ cons(n, empty) ?
Slide 35: Example Run on MergeSort
system input:
sort(cons(n, empty)) ≐ cons(n, empty) ?
system output (the given limit is 2):
the conjecture sort( cons( N, empty ) ) = cons( N, empty )
is violated by the following variable assignment:
N : zero
and by the following evaluation of conjecture subterms:
sort(cons(N,empty)) : empty
cons(N,empty) : cons(zero,empty)
Slide 36: Future Work
• further optimizations in the transformation
• axiom reduction
• parameter types (e.g. Stack(Elem))
• distinguish under-specified and completely specified functions
• examine: preprocessing + propositional sat-solving
Slide 37: Related Areas
1. model construction
• many works in the fields { FOL, finite models }
• recursive, constructor generated data types not expressible there
2. non-consequence and consistency
• many works in the fields { initial (or rewrite) semantics, constructive specifications }
• [Reif,Schellhorn,Thums01]: loose specifications (free and non-free)
[Reif,Schellhorn,Thums01]:
− counter example = variable assignment only
− as here: total correctness of ‘counter example’ not guaranteed
− no notion of ‘restricted’ correctness, no completeness result
− no model or interpretation to ‘narrow’ under-specification
Slide 38: Summary
• method tailor-made for detecting non-consequence between free data type specifications and conjectures
• termination by limiting the instantiation of axioms
• price: restricted model correctness
• no ‘domain size limits’
• gain: un-restricted model completeness
⇒ the system detects too many non-consequences, but it detects all
• user decision based on: examining the output interpretation + varying the instance limit
Slide 39: Example: Data Type p Forever
spec = p Forever
sorts Nat ::= 0 | s(Nat);
      Bool ::= tt | ff;
functions p : Nat → Bool;
axioms p(0) ≐ tt;
       p(x) ≐ tt → p(s(x)) ≐ tt;
end
⊨ p(y) ≐ tt
but:
the conjecture p(y) = tt
is violated by the following variable assignment: y : s(s(s(0)))
y : s(s(s(s(0))))
y : s(s(s(s(s(0)))))