
In this Chapter schematic Kleene algebra with tests (SKAT) has been implemented in Isabelle/HOL. This represents the first application of KAT/SKAT within a verification tool built on a standard interactive theorem prover. Pous' implementation of SKAT in Coq [Pou13a] was done concurrently and independently. The only prior mechanisation of SKAT was in Aboul-Hosn and Kozen's KAT-ML [AHK06], an extremely specialised system which therefore lacks much of the utility provided by a general interactive theorem prover. In particular, it does not support the verification of programs as in Sections 5.5 and 5.6.

The implementation of schematic Kleene algebra in this chapter has been used to formalise a complex flowchart equivalence proof by Angus and Kozen. The proof is significantly shorter than a previous formalisation in a custom theorem prover for Kleene algebra with tests. The proof follows Angus and Kozen’s manual proof almost exactly and translates it essentially line-by-line into Isabelle, despite some weaknesses in proof automation which sometimes forced reasoning at quite a low level.

SKAT has been extended to support the verification of simple algorithms in a Hoare-logic style. This approach provides a seamless bridge between our abstract algebraic structures and concrete programs, as per the approach outlined in Section 1.2. We have tested our approach on a few simple verification examples. Beyond that, additional Hoare-style rules and tactics for proof automation have been derived abstractly in the algebraic setting. These can be instantiated to different semantics and application domains. In the context of verification the main applications of algebra seem to be at this meta-level. The situation is different when developing programs from specifications or proving program equivalence, as the flowchart scheme transformation shows. This Chapter serves as an example of the benefits algebra can bring to program development and verification. In future chapters, similar techniques based on the rely-guarantee method will be used to investigate algebras for concurrent programs.

Chapter 6

Algebra for Rely-Guarantee (part 1)

6.1 Introduction

To make the rely-guarantee method applicable to concrete program development and verification tasks, its integration into tools is essential. To capture the flexibility of the method, a number of features appear desirable. First, solid, denotational or operational, mathematical models for fine-grained program behaviour must be implemented. Second, one would like an abstract layer at which inference rules and refinement laws can be derived easily. Third, a high degree of proof automation is mandatory for the analysis of complex, concrete programs.

This Chapter presents an approach for providing such a tool integration in the interactive theorem proving environment Isabelle/HOL, following the general principles outlined in Section 1.2. At the most abstract level, algebras are used to reason about the control flow of programs as well as for deriving inference rules and refinement laws. In the context of rely-guarantee these axioms give a concise account of what the rely-guarantee method actually entails, and provide insights into the conceptual and operational role of interference constraints. Such structural insights are a main contribution of this approach. At the most concrete level, detailed models of program stores can support fine-grained reasoning about program data flow and interference. These models are then linked with the algebras via soundness proofs. Isabelle allows these layers to be implemented in a modular way and to be related formally with one another. This provides a high degree of confidence in the correctness of this development, and also supports the construction of custom proof tactics and procedures for program verification and refinement tasks. Because every derivation is checked by Isabelle's proof kernel, the inference rules and refinement laws obtained are guaranteed correct relative to the axioms and models from which they are derived.

In this Chapter algebraic principles for rely-guarantee style reasoning are examined. Starting from [HMSW11], a basic minimal set of axioms for rely and guarantee conditions is identified which suffices to derive the standard rely-guarantee inference rules. However, algebra by its nature is inherently compositional (see Section 6.3 for details), so it turns out that naïve forms of these axioms do not fully capture the semantics of interference in execution traces. It is therefore necessary to explore how the compositionality of these axioms can be broken in the right way, so as to capture the intended trace semantics.

Second, a simple trace based semantics (which so far is restricted to finite executions and disregards termination and synchronisation) is linked to these algebras by a formal soundness proof. Despite the simplicity of this model, a prototypical verification tool within Isabelle can be demonstrated by verifying a simple example from the literature. Beyond that, this approach provides a coherent framework from which more complex and detailed models and algebras can be implemented in future chapters, especially Chapter 7.

exception of assignment axioms, are derived directly from the algebra, and the assignment axioms are derived from the models. This formalisation in Isabelle allows one to reason seamlessly across these layers, which capture the control flow and the data flow of concurrent programs respectively.

This chapter is primarily based upon material appearing in

• A. Armstrong, V. B. F. Gomes and G. Struth. Algebraic Principles for Rely-Guarantee Style Concurrency Verification Tools. In C. Jones, P. Pihlajasaari and J. Sun (eds.), FM 2014, LNCS 8442. [AGS14a]
