Kleene Algebra with Tests: A Tutorial

Transcription

1 Kleene Algebra with Tests: A Tutorial Part II Dexter Kozen Cornell University RAMiCS, September 17 18, 212

2 Today automata on guarded strings (AGS) schematic KAT (SKAT) strictly deterministic automata and flowchart programs Kleene coalgebra (KC) and Kleene coalgebra with tests (KCT) automata theory and program schematology the Brzozowski derivative minimization as finality automatic extraction of equivalence proofs and relation to proof-carrying code

3 Automata on Guarded Strings (AGS) A generalization of classical automata theory to include Booleans An ε-transition is really a 1-transition (i.e., an ordinary automaton with ε-transitions is an AGS over the two-element Boolean algebra) Classical constructions of ordinary finite-state automata generalize readily determinization state minimization Kleene s theorem

4 Automata on Guarded Strings (AGS) Labeled transition system with states Q, start states S Q, accept states F Q atomic action symbols Σ, atomic test symbols T, B = the free Boolean algebra generated by T, At = {atoms of B} action transitions s test transitions s p t, p Σ b t, b B inputs are guarded strings α p α 1 p 1 α n 1 p n 1 α n traces s q s 1 q 1 s n 1 q n 1 s n where s i q i si+1, q i Σ B x accepted if trace s q s 1 q 1 s n 1 q n 1 s n such that s S, s n F, x G(q,..., q n 1 )

5 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

6 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

7 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

8 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

9 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

10 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

11 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

12 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

13 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab trace: bpqbaqpb

14 Automata on Guarded Strings (AGS) b a p q b a a + b b ab p ab q ab q ab p ab Accept! trace: bpqbaqpb

15 Deterministic Automata 1 exactly one start state 2 each state is an action state or a test state, not both 3 action states: exactly one transition for each element of Σ 4 test states: exiting tests are propositionally pairwise exclusive and exhaustive 5 every cycle contains at least one action state 6 all final states are action states

16 Some Facts Kleene s theorem (nondeterministic automaton constructed is linear in the size of the KAT expression) PSPACE-completeness can determinize with a subset construction can minimize via a variant of Myhill Nerode minimal OBDDs are a special case of this construction

17 Schematic KAT (SKAT) x := s ; y := t = y := t[x/s] ; x := s (y FV(s)) x := s ; y := t = x := s ; y := t[x/s] (x FV(s)) x := s ; x := t = x := t[x/s] ϕ[x/t] ; x := t = x := t ; ϕ In particular, x := s ; y := t = y := t ; x := s (x FV(t), y FV(s)) ϕ ; x := t = x := t ; ϕ (x FV(ϕ))

18 Scheme Equivalence Example of Paterson from [Manna 74] start y 1 := x y 4 := f (y 1) start y 1 := f (y 1) y 2 := g(y 1, y 4) y 3 := g(y 1, y 1) F P(y 1) T y 1 := f (y 3) P(y 4) F F T F T y 2 := f (y 2) P(y 2) P(y 3) T y 2 := f (f (y)) y := f (x) F P(y) T y := g(y, y) P(y) F T z := y halt loop z := y 2 halt

19 Scheme Equivalence Example of Paterson from [Manna 74] a 3 x 1 p 41 p 11 q 214 q 311 a 1 p 13 a 4 a 2 a 3 z 2 a 1 a4 p 22 a 2 s a q a z r a x 1 p 41 p 11 q 214 q 311 (a 1 p 11 q 214 q 311 ) a 1 p 13 ooo((a 4 + a 4 (a 2 p 22 ) a 2 a 3 p 41 p 11 )q 214 q 311 (a 1 p 11 q 214 q 311 ) a 1 p 13 ) ooooooa 4 (a 2 p 22 ) a 2 a 3 z 2 z = saq(araq) az

20 Strictly Deterministic Automata Flowchart programs correspond to a limited class of AGS called strictly deterministic. Intuitively: An input is an infinite sequence of atoms provided by an external agent The automaton responds to each atom in sequence deterministically according to its transition function either emits an action symbol and moves to a new state, halts, or fails

21 Strictly Deterministic Automata Formally, a strictly deterministic automaton over Σ, T is a structure M = (Q, δ, start) where Q is a set of states, start Q is a start state, and (Note: halt, fail are not states) δ : (Q At) (Σ Q) + {halt, fail},

22 Strictly Deterministic Automata Given a state s and an infinite sequence of atoms σ At ω, there is at most one finite or infinite guarded string gs(s, σ) obtained by running the automaton starting in state s. Formally, define a partial map gs : (Q At ω ) (At Σ) At + (At Σ) ω coinductively: gs(s, α σ) def = α p gs(t, σ), if δ(s, α) = (p, t) α, if δ(s, α) = halt undefined, if δ(s, α) = fail The set of (finite) guarded strings represented by M is gs(m) def = {gs(start, σ) σ At ω } (At Σ) At.

23 Bisimulation Between Strictly Deterministic Automata A bisimulation between M and N is a binary relation between Q M and Q N such that start M start N, and if s t then δ M (s, α) = halt δ N (t, α) = halt; δ M (s, α) = fail δ N (t, α) = fail; δ M (s, α) = (p, s ) δ N (t, α) = (q, t ) p = q s t.

24 Bisimulation Between Strictly Deterministic Automata Theorem If M and N are bisimilar, then gs(m) = gs(n). Moreover, the converse is true if M never fails, every reachable state in M can reach halt. Proof. def ( ) Define s t σ At ω gs M (s, σ) = gs N (t, σ). Property 2 is easy to check. For property 1, want gs M (start M, σ) = gs N (start N, σ) for all σ. Since gs(m) = gs(n), if gs M (start M, σ) is finite, then so is gs N (start N, σ) and they are equal. Thus gs M (start M, ) : At ω (At Σ) At + (At Σ) ω gs N (start N, ) : At ω (At Σ) At + (At Σ) ω agree on the set {σ gs M (start M, σ) is finite}. This set is dense in At ω. Moreover, the two functions are continuous, and continuous functions that agree on a dense set must agree everywhere.

25 Strictly Deterministic Automata Every while program is equivalent to a strictly deterministic automaton: while b do { while c do q; p; } p b halt 2 b q c 1 3 c bc bc bcp halt bcq bcp bcp 1 bcq bcq The converse is false (Ashcroft & Manna 1972)

26 The Böhm Jacopini Theorem Theorem (Böhm Jacopini 1966) Every deterministic flowchart program is equivalent to a while program. Formulated and proved in a first-order setting Their construction introduced extra auxiliary variables Are the auxiliary variables necessary?

27 A Negative Result Theorem (Ashcroft & Manna 1972) There is a deterministic flowchart program that cannot be converted to a while program without auxiliary variables. Formulated and proved in a first-order setting Counterexample has 13 states

28 from (Ashcroft & Manna 1972)

29 Kosaraju s Counterexample a p 2 p 1 p 1 p 2 from (Kosaraju 1973) halt... is not a counterexample: while p 1 p 2 do a

30 Kosaraju s Counterexample a p 2 p 1 p 1 p 2 from (Kosaraju 1973) halt... is not a counterexample: while p 1 p 2 do a

31 The Loop Hierarchy Theorem (Kosaraju 1973) Every deterministic flowchart is equivalent to a loop program with multilevel breaks. Moreover, there is a strict hierarchy depending on the level of breaks allowed. loop { }. loop {. break 1;. } break 1 comes here. loop {. loop {. break 2;. }. } break 2 comes here

32 from (Kosaraju 1973)

33 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1 halt α 2 1 α 2 2p 12 α 1p 21

34 A 3-State SDA not Equivalent to Any While Program α 1 α p 1 α 2p 2 α 1p 1 α α p 2 α 1 halt α An innermost accessible loop α 1p 21

35 A 3-State SDA not Equivalent to Any While Program α 1 α p 1 α 2p 2 α 1p 1 α α p 2 α 1 halt α 2 α 1p α 1p 21

36 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21

37 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21 2

38 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p α 1p 21

39 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21 2 α 1p 21

40 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1 α 1p 1 α 1 halt α 2 2 Error! α 1p 21 2 α 1p 21

41 A 3-State SDA not Equivalent to Any While Program α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p α 1p 21

42 A 3-State SDA not Equivalent to Any While Program 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α 2 α α 1p 21 2 α 1p 21

43 A 3-State SDA not Equivalent to Any While Program 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21

44 A 3-State SDA not Equivalent to Any While Program 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21

45 A 3-State SDA not Equivalent to Any While Program 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 2p 2 α 1p 21

46 A 3-State SDA not Equivalent to Any While Program 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α p 2 2 α 2p 2 α 1p 21

47 A 3-State SDA not Equivalent to Any While Program Error! 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 2 α 1p 1 α 1 halt α α p 2 2 α 2p 2 α 1p 21

48 A 3-State SDA not Equivalent to Any While Program 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 2p 2 α 1p 21

49 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α 2 α α 2p 2 α 1p 21

50 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21

51 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21

52 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21 α p 1

53 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 2p 2 α p 1 α 1p 21

54 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21 2 α 2p 2 α p 1 α 1p 21

55 A 3-State SDA not Equivalent to Any While Program Error! α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α α 1p 1 α 1 halt α α 1p 21 2 α 2p 2 α p 1 α 1p 21

56 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 2p 2 α p 1 α 1p 21

57 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α 2 α 1 1 Error! α 2p 2 α p 1 α 1p 21

58 A 3-State SDA not Equivalent to Any While Program α p 2 2 α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α α 1p 21 α p 1

59 A 3-State SDA not Equivalent to Any While Program α p 2 2 Error! α p 1 α 2p 2 α 1p 1 α α p 2 α 1p 1 α 1 halt α 2 α α 1p 21 α p 1

60 A 3-State SDA not Equivalent to Any While Program If there is no state bisimilar to or 2 inside the loop, the loop is equivalent to while α 1 { p 1 ; if α 1 then halt; }... which is equivalent to α p 1 2 α 1p 1 α + α 2 1 if α 1 then { p 1 ; if α 1 then halt; }

61 A 3-State SDA not Equivalent to Any While Program If there is no state bisimilar to or 2 inside the loop, the loop is equivalent to while α 1 { p 1 ; if α 1 then halt; }... which is equivalent to α p 1 2 α 1p 1 α + α 2 1 if α 1 then { p 1 ; if α 1 then halt; }

62 Loops Programs are Sufficient Theorem (Kosaraju 73) Every program is equivalent to a program with loops and multilevel breaks but without gotos.

63 Example α p 1 α 2p 2 α 1p 1 α α p 2 α 1 halt α 2 1 α 2 2p 12 α 1p 21

64 Example α p 2 α p 1 α 1 p 1 α 2 p 2 α p 2 α p 1 α 1 p α α 2 p 12 α 2 p 12 α 1 p 21 α 1 α α 2 α 1 halt

65 Example α p 2 α p 1 α 1 p 1 α 2 p 2 α p 2 α p 1 α 1 p α α 2 p 12 α 2 p 12 α 1 p 21 α 1 α α 2 α 1 halt

66 Example loop { if α then break 1; if α 1 then { p 1 ; loop { if α 1 then break 2; if α then { p 1 ; break 1; } else { p 12 ; if α 2 then break 2; if α then { p 2 ; break 1; } else p 21 ; } } } } else { p 2 ; loop { if α 2 then break 2; if α then { p 2 ; break 1; } else { p 21 ; if α 1 then break 2; if α then { p 1 ; break 1; } else p 12 ; } } }

67 Equational Treatment of Nonlocal Control Flow A rigorous equational treatment of control constructs involving nonlocal transfer of control using KAT and AGS goto l loop/break n continue, exception handlers, try-catch-finally Compositional semantics Complete equational axiomatization

68 The Coalgebraic Theory Kleene coalgebra (KC) and Kleene coalgebra with tests (KCT) the Brzozowski derivative minimization as finality automatic extraction of equivalence proofs and relation to proof-carrying code

69 Automata as Coalgebras algebra constructors initial algebras least fixpoints coalgebra destructors final coalgebras greatest fixpoints Example: Σ ω = infinite streams over Σ with operations head(a a 1 a 2 a 3 ) = a tail(a a 1 a 2 a 3 ) = a 1 a 2 a 3 A coalgebra of this signature is (S, obs, cont), where obs : S Σ and cont : S S. Every state s S generates a unique stream h(s) = obs(s), obs(cont(s)), obs(cont 2 (s)),.... The streams (Σ ω, head, tail) form the final coalgebra, and the map h is the unique homomorphism (S, obs, cont) (Σ ω, head, tail).

70 Automata as Coalgebras Rutten 1998, Bonsangue 28, Silva 21 Automata coalgebras Myhill-Nerode state minimization quotient by maximal bisimulation minimal automaton final coalgebra Brzozowski derivative a coalgebra of expressions

71 Kleene Coalgebra (KC) A deterministic automaton without a start state A Kleene coalgebra (KC) over Σ is a structure (S, δ, F ), where S is a set of states δ p : S S, p Σ is the transition function F : S 2 are the accept states. Define L : S Σ 2 (i.e., L : S 2 Σ ) coinductively: L(s)(ε) = F (s) L(s)(px) = L(δ p (s))(x) Then L(s)(x) = 1 iff x is accepted starting from state s L is the unique KC-homomorphism to the final coalgebra its kernel is the unique maximal autobisimulation

72 Brzozowski Derivative (Brzozowski 1964) A certain Kleene coalgebra (2 Σ, D, E): D p : 2 Σ 2 Σ defined by D p (A) = {x px A} { E : 2 Σ 1 if ε A 2 defined by E(A) = if ε A This is the final KC over Σ

73 Brzozowski Derivative, Syntactic Form Another Kleene coalgebra (RExp Σ, D, E): D p : RExp Σ RExp Σ E : RExp Σ 2 D p (e + e ) = D p (e) + D p (e ) E(e + e ) = E(e) + E(e ) D p (ee ) = D p (e) e + E(e) D p (e ) E(ee ) = E(e) E(e ) D p (e ) = D p (e) e E(e ) = 1 D p (p) = 1 E(p) =, p Σ D p (q) =, q p E(1) = 1 D p (1) = D p () = E() = L(e) = the regular subset of Σ represented by e Kernel of L is KA equivalence = maximal autobisimulation

74 Coinductive Equivalence Proofs To prove e = e, suffices to establish a bisimulation between {D x (e) x Σ } and {D x (e ) x Σ } with e e Bisimulation: e e D p (e) D p (e ), p Σ e e E(e) = E(e ) The set {D x (e) x Σ } is finite modulo the axioms of idempotent semirings Can generate the maximal automatically (if one exists)

75 Extension to KAT (Chen & Pucella 23) Automatic proof generation for proof-carrying code (Necula & Lee 1997) There is a PSPACE decision procedure for KAT, but it only gives a one-bit answer Equational proofs require "cleverness", whereas coalgebraic proofs can be produced purely mechanically (Chen & Pucella 23) Not true, actually (Worthington 28) can produce equational proofs in PSPACE exponential length in the worst case (but probably unavoidable, since PSPACE-complete)

76 Kleene Coalgebra with Tests (KCT) Deterministic AGS without a start state A KCT over Σ, T is a structure (S, δ, ε), where δ : At Σ S S ε : At S 2 δ αp : S S ε α : S 2 Define L : S G 2 coinductively: L(s)(α) = ε α (s) L(s)(αpx) = L(δ αp (s))(x) Then L(s)(x) = 1 iff x is accepted starting from state s L is the unique KCT-homomorphism to the final coalgebra

77 The Brzozowski Derivative A KCT (2 G, D, E) where D : At Σ 2 G 2 G E : At 2 G 2 D αp : 2 G 2 G E α : 2 G 2 D αp (A) = {x αpx A} E α (A) = 1 if α A, if α A L : 2 G G 2 L(A)(α) = E α (A) L(A)(x) = 1 iff x A L(A)(αpx) = L(D αp (A))(x)

78 Syntactic Form Another KCT (RExp Σ,T, D, E) D αp : RExp Σ,T RExp Σ,T E α : RExp Σ,T 2 D αp (e + e ) = D αp (e) + D αp (e ) E α (e + e ) = E α (e) + E α (e ) D αp (ee ) = D αp (e) e + E α (e) D αp (e ) E α (ee ) = E α (e) E α (e ) D αp (e ) = D αp (e) e E α (e ) = 1 D αp (p) = 1 E α (p) =, p Σ { 1 if α b, b B D αp (q) =, q p E α (b) = if not D αp (1) = D αp () = L(e) = the regular set of guarded strings represented by e

79 Complexity Lemma Any KAT expression e has at most 2 e derivatives modulo the semiring axioms. Theorem Can generate coinductive equivalence proofs (bisimulations) and inequivalence proofs (witnesses to the nonexistence of a bisimulation) automatically in PSPACE (matches (Worthington 28) for equational proofs in KAT) Proof. Construct two nondeterministic finite automata by Kleene s theorem for KAT expressions, determinize by the subset construction, nondeterministically guess a counterexample to bisimiliarity in PSPACE. Make deterministic by Savitch s theorem.

80 What I Haven t Talked About... alternative and weaker axiomatizations (left-handed, non-strict, non-idempotent... ) total correctness, concurrency domain KA, Kleene modules ω-ka applications (compiler optimization, static analysis, pointer analysis,... ) complexity issues implementations

81 Thanks!