Richard Bornat

• Professor at Middlesex University

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

We introduce a quantum protocol simulator, the Qtpi simulator, which allows description of quantum protocols with multiple agents. It has protection against cloning and sharing of qbits within a simulation. Its symbolic calculator is adequate for the protocols we have examined, and can be pushed to simulate some non-protocol algorithms.KeywordsConc...

We present a programming language for describing and analysing concurrent quantum systems. We have an interpreter for programs in the language, using a symbolic rather than a numeric calculator, and we give its performance on examples from quantum communication and cryptography.

We describe a program logic for weak memory (also known as relaxed memory). The logic is based on Hoare logic within a thread, and rely/guarantee between threads. It is presented via examples, giving proofs of many weak-memory litmus tests. It extends to coherence but not yet to synchronised assignment (compare-and-swap, load-logical/store-conditio...

1 Background University computer-science departments mostly feel that they should teach their students to program. The academic computer-science community as a whole certainly doesn't know how to teach programming well and anecdotally one hears of widespread low achievement, high failure rates and attempts to mask the failure with administrative sm...

Simpson and Harris have described multi-slot algorithms implementing a single-place buffer, each operating without explicit hardware synchronisation mechanisms. Conventional refinement and proof techniques have explained that these algorithms work, but do not give convincing descriptions of how they work. An unconventional refinement process starti...

Separation logic allows simple proofs of concurrent algorithms which use blocking mechanisms such as semaphores. It can even deal with non-blocking algorithms. With the addition of mechanisms borrowed from rely-guarantee, we can make reasonably simple proofs of some simple non-blocking algorithms. We show that it extends to proofs of some intricate...

This is the obituary of Peter John Landin, academic and gay campaigner: born 5th June 1930; an obituary 3rd June 2009. He was an outstanding thinker who set the direction of computer science for his generation. In an astonishing burst of creativity in the 1950s and 60s he showed that programs could be defined in terms of mathematical functions, how...

Concurrent separation logic is a development of Hoare logic adapted to deal with pointers and concurrency. Since its inception, it has been enhanced with a treatment of permissions to enable sharing of data between threads, and a treatment of variables as resource alongside heap cells as resource. An introduction to the logic is given with several...

The Rely-Guarantee approach is a well-known compositional method for proving Hoare logic properties of concurrent programs. In this approach, predicates in the proof must be proved invariant (or sta- ble) under interference from the environment. We describe a framework, and a prototype implementation, for automatically detecting and repair- ing ins...

A test was designed that apparently examined a student's knowledge of assignment and sequence before a first course in programming but in fact was designed to capture their rea-soning strategies. An experiment found two distinct populations of students: one could build and consistently apply a mental model of program execution; the other appeared e...

Learning to program is notoriously dicult. A substantial minority of students fails in every introductory programming course in every UK university. Despite heroic academic eort, the proportion has increased rather than decreased over the years. Despite a great deal of research into teaching methods and student responses, we have no idea of the cau...

Abstract  This paper focuses on difficulties which first-year undergraduate computer science students experience in learning formal reasoning techniques. The main findings from an empirical investigation are reported. These indicated that, in the student population studied, many of those difficulties stemmed from a combination of the mathematical c...

We propose a novel approach to proving the termination of heap-manipulating programs, which combines separation logic with cyclic proof within a Hoare-style proof system.Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a state satisfying a given precondition, which is exp...

Rely-guarantee (RG) reasoning is useful for modular Hoare-style proofs of concurrent programs. However, RG requires that assertions be proved stable under the actions of the environment. We cast stability analysis as a model checking problem and show how this may be of use in interactive and automatic verification.

Learning to program is notoriously difficult. Substan-tial failure rates plague introductory programming courses the world over, and have increased rather than decreased over the years. Despite a great deal of re-search into teaching methods and student responses, there have been to date no strong predictors of success in learning to program. Two y...

This paper contributes to the development of techniques for the modular proof of programs that include concurrent algorithms. We present a proof of a non-blocking concurrent algorithm, which provides a shared stack. The inter-thread interference, which is essential to the algorithm, is confined in the proof and the specification to the modular oper...

We give a cyclic termination proof, based upon separation logic, for the classical imperative program performing in-place reversal of a "frying-pan" linked list segment (so called because the segment possibly has a cyclic tail).

Separation logic [Reynolds, J. C., Intuitionistic reasoning about shared mutable data structure, in: J. Davies, B. Roscoe and J. Woodcock, editors, Millennial Perspectives in Computer Science, Palgrave, 2000 pp. 303–321; Reynolds, J. C., Separation logic: A logic for shared mutable data structures, in: LICS '02: Proceedings of the 17th Annual IEEE...

Hoare logic is bedevilled by complex but coarse side conditions on the use of variables. We define a logic, free of side conditions, which permits more precise statements of a program's use of variables. We show that it admits translations of proofs in Hoare logic, thereby showing that nothing is lost, and also that it admits proofs of some program...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

Proof and Disproof in Formal Logic is a lively and entertaining introduction to formal logic providing an excellent insight into how a simple logic works. Formal logic allows you to check a logical claim without considering what the claim means. This highly abstracted idea is an essential and practical part of computer science. The idea of a formal...

A lightweight logical approach to race-free sharing of heap storage between concurrent threads is described, based on the notion of permission to access. Transfer of permission between threads, subdivision and combination of permission is discussed. The roots of the approach are in Boyland's [3] demonstration of the utility of fractional permission...

Separation logic began by describing total separation between the heap space used by separate parts of a program. It has moved on to consider how total and partial permissions to access heap elements can be transferred between concurrent threads. The roots of the new approach are in Boyland's [3] demonstration of the utility of fractional permissio...

Introduction Ded is a text display editor designed by computer scientists. The design is characterised by simplicity and adherence to user interface principles. This has led to a good design but with contentious features. This chapter highlights the conflict between principles and features, particularly in the social context in which ded was design...

Structures built by pointer aliasing, such as DAGs and graphs, are notoriously tricky to deal with. The mechanisms of separation logic can deal with these structures, but so far this has been done by the maintenance of a global invariant. Specifications and proofs which use local reasoning, and which may point the way to a structured programming fo...

This paper describes a research project into undergraduates’ use of a software tool to learn symbolic logic—a complex abstract domain that has been shown to be intimidating for students. The software allows the students to manipulate proofs in certain ways and then calculates the consequences of their actions. A research method has been developed t...

It is generally thought that reasoning about programs in memory safe, garbage collected languages is much easier than in languages where the programmer has more explicit control over memory. Paradoxically, existing program logics are based on a low-level view of storage that is sensitive to the presence or absence of unreachable cells, and Reynolds...

It is generally thought that reasoning about programs in memory safe, garbage collected languages is much easier than in languages where the programmer has more explicit control over memory. Paradoxically, existing program logics are based on a low level view of storage that is sensitive to the presence or absence of unreachable cells, and Reynolds...

It is generally thought that reasoning about programs in memory safe, garbage collected languages is much easier than in languages where the programmer has more explicit control over memory.

IFIP WG10.2 Advanced Research Working Conference, CHARME'93, volume 683 of Lecture notes in Computer Science, pages 214--225. Springer-Verlag, 1993. [32] C.A.R. Hoare, Ian Page, Mike Giles, and Bob McLatchie. Parallel processing. Oxford Innovation News, 8, 1992. [33] Jifeng He and Ian Page. A normal form approach to hardware implementation of occam...

In this note we give a brief introduction to the ideas of operational semantics and show how to use Jape to animate the operational semantics of a couple of simple programming languages. We give the syntax and inference rules for each language in Jape's metalanguage, then dene tactics suitable for automating the choice of rules during the simulated...

In this note we describe, by means of a number of case studies, the user interface to the Jape implementation { J'n'J" { of the logic described in [7] ( he book"). The introduction is intended for someone who may not have used Jape before. It assumes the reader has a basic grasp of the Unix operating system and the X window system and has read sect...

In this note we show how Jape's presentations of proofs are related to the naturaldeduction presentations used by Jim Woodcock and Jim Davies in [7] ( he book").

. It is possible, but difficult, to reason in Hoare logic about programs which address and modify data structures defined by pointers. The challenge is to approach the simplicity of Hoare logic's treatment of variable assignment, where substitution affects only relevant assertion formul. The axiom of assignment to object components treats each comp...

g the learning of formal reasoning for software development. The program Jape ("Just Another Proof Editor") allows interactive, step-by-step construction of proofs for a variety of logics (Bornat & Sufrin, 1996). The program allows an instructor to control the syntax of formulae, to dictate the way the proof is displayed on-screen, and to assign ac...

Learning formal logic can be difficult for many students. This paper describes some ongoing research into a computer program designed to help computer science undergraduates learn the natural deduction style of formal reasoning. Data collection methods included observation and videotaping of workshops, interviews, written tests, surveys, and loggin...

. GUI design isn't simply a matter of putting a nice front-end on a capable program. It requires thought about the way in which people might be expected to use a system, and investigation of the ways that they actually use it. Jape's GUI has been designed to be as simple as possible, so that it will not get in the way of the business of proof. It i...

Jape is a program which supports the step-by-step interactive development of proofs in formal logics, in the style of proofs-on-paper. It is uncommitted to any particular logic and is customized by a description of a collection of inference rules and the syntax of judgements. It works purely at the surface syntactic level, as a person working on pa...

Introduction Computer science undergraduates can experience certain difficulties in employing formal reasoning methods (Fung & O'Shea, 1992; Fung et al, 1993; 1996). Although the role of visualisation in assisting the reasoning process in abstract situations appears to be complex (Cox, Stenning & Oberlander, 1995; Cox & Brna, 1995), it is clear tha...

JAPE is a generic proof editor which (amongst other things) offers the teacher, user, or logic designer the opportunity of constructing a direct manipulation interface for proofs. In part I of this paper we introduce JAPE, illustrate some aspects of proof development by direct manipulation, and describe some of the infrastructure provided for inter...

JAPE is a generic proof editor which (amongst other things) offers the teacher, user, or logic designer the opportunity of constructing a direct manipulation interface for proofs. In the first part of this paper we introduced JAPE, illustrated some aspects of proof development by direct manipulation, and described some of the infrastructure provide...

In this note we show how Jape's presentations of proofs are related to the natural-deduction presentations used by Jim Woodcock and Jim Davies in [7] ("the book"). This is followed by description of Jape implementation -- J'n'J-- of the logic described in the book. The implementation is designed to present a fairly natural direct-manipulation inter...

IONAA) IS FROMX=YANDAA(Y) INFER AA(X) 1 The ABSTRACTION annotation directs Jape to interpret the juxtaposition formulæ AA(Y) and AA(X) as shorthand for substitution forms. The parameter X allows us to provide an argument formula which helps when unifying the conclusion formula, which will be a substitution form, with the conclusion of a problem seq...

If you suppose that it would be pointless to simulate proof-on-paper; if you imagine that all the problems of interactive theorem-proving are solved; if you are sure that making a user interface is a matter of bolting a bit of Tcl/Tk onto a theorem-proving engine; if you believe the more buttons the better in a graphical user interfaces — read no f...

: Traditionally a vectorising compiler matches the iterative constructs of a program against a set of predefined templates. If a loop contains no dependency cycles then a map template can be used; other simple dependencies can often be expressed in terms of fold or scan templates. This paper addresses the template matching problem within the contex...

Computer science undergraduates, for a number of reasons, find it difficult to learn formal reasoning methods. In an experiment designed to address certain of these difficulties a complete first year undergraduate computer science intake was supplied with a selection of computer-based tools providing a mixture of graphical and textual on-screen hel...

Traditionally a vectorizing compiler matches the iterative constructs of a program against a set of predefined templates. If a loop contains no dependency cycles then amaptemplate can be used; other simple dependencies can often be expressed in terms offoldorscantemplates. This paper addresses the template matching problem within the context of fun...

The role of a vectorising compiler for an imperative language is to transform the for-loops of a program into the vector instructions of a data-parallel machine. In a functional language, constant complexity map is the essence of data-parallelism, where a function is applied to every element of a data-structure all at the same time. As map can be c...

This paper describes The Calculator Project, which was a three-year joint research project between the Centre for Information Technology in Education at The Open University, U.K. (Pat Fung, Tim O'Shea) and the Department of Computer Science, QMW, University of London, U.K. (Richard Bornat, Doug Goldson, Mike Hopkins, Steve Reeves). The project was...

We outline the rationale, put forward by those concerned with software engineering, for adopting a formal methods approach to programming. An empirical study was undertaken with second and third year computer science undergraduates at Queen Mary and Westfield College, University of London. Students were invited to analyse retrospectively the diffic...

There has been an explosion of interest in the use of logic in computer science in recent years. This is in part due to theoretical developments within academic computer science and in part due to the recent popularity of Formal Methods amongst software engineers. There is now a widespread and growing recognition that formal techniques are central...

The conventional wisdom that the problems of writing large computer codes can be solved by software engineering techniques was subjected to critical scrutiny. Bornat's thesis is that techniques derived from production engineering will never be completely successful in computer programming, because they ignore the essential creative aspects of the t...

The programming advantages of output guards in guarded commands are sketched. A protocol is described which allows the use of guarded commands with both input and output guards and communication via one-one channels. A proof is offered that the protocol will make progress towards process-pairing in every eventuality. A bound of six protocol message...

The most difficult task when writing a top-down syntax analyser is that of preparing a grammar which is suitable for top-down analysis. Once you have manipulated the grammar so that it possesses certain simple properties, which I describe below, it is trivially easy to write a syntax analyser as a collection of mutually recursive procedures, one fo...

It’s worthwhile to dispose of the simplest and least interesting phases of compiling as early as possible, so as to be able to concentrate in the rest of the book on the more difficult and interesting topics of syntax analysis, translation and code optimisation. The processes of input to and output from a compiler are fairly straightforward. There...

In the discussion in chapters 11, 12 and 13 I emphasise that a recursive programming language such as PASCAL, ALGOL 60 or ALGOL 68 can be implemented almost as efficiently as FORTRAN. In the case of system programming Languages such as BCPL, BLISS or C ‘almost as efficiently’ isn’t good enough: these languages must be implemented extremely efficien...

Chapters 1 and 4 justify the existence of a table which is used by the lexical analyser to correlate multiple occurrences of a single name and is used by the translation phases to convert occurrences of source program names into references to run-time objects. This table is called the symbol table in this book: it is sometimes called a ‘cross-refer...

The most obvious overall task of a compiler is to read a program in one language — the ‘source’ program in the ‘source’ language — and to translate it to produce an equivalent program in another language — the ‘object’ program in the ‘object’ language. The object language is usually the machine language of a computer, or something close to it, and...

A program presented to a compiler is not written for the purpose of being compiled. Compilation is a means to an end and the compiler is just an aid to programming in the original source language. Once a program has been compiled it would be wrong to expect that the user should debug the actual instructions of the object program, because that would...

Compiled languages usually have one or more of the kinds of data structures discussed in this chapter. Records are like the nodes of the parse tree used in the examples of this book — multi-element objects which contain a collection of values, some of which may be pointers to other such objects. Accessing an element of a record, via the name of tha...

If the task of translation is to go from the tree to the object code, then the task of analysis must be to go from source program to tree. Lexical analysis, as chapter 4 shows, discovers how the input characters are grouped into items and the task of syntax analysis is to discover the way in which the items link together into phrases, the phrases l...

It’s possible to treat Boolean expressions in exactly the same way as arithmetic expressions — generate instructions to evaluate the subnodes, generate an instruction (or a sequence of instructions) to combine the Boolean values. Thus Boolean and and Boolean or operations can be translated using the TranBinOp procedure of chapter 5 with the machine...

The bottom-up syntax analysis algorithm of chapter 3 handles a subset of programming language arithmetic expressions using a system of numerical priorities. This is the basis of the operator-precedence mechanism. It is one of the oldest forms of syntax analysis, now less popular because it is not as flexible or as good at error detection as the one...

Theoretical studies of the properties of programming language grammars and of algorithms for syntax analysis have always been partly motivated by the search for a truly automatic means of constructing a syntax analyser. In the early 1960s so called ‘compiler-compilers’ were popular. One of the earliest was developed at the University of Manchester...

The tasks set out in figure 11.1 of chapter 11 include the preparation of argument information — for example the value of an argument expression, a pointer to an argument variable or a pointer to an argument vector — and the placing of this information in a location within the new procedure activation’s data frame. This chapter concentrates on this...

The most important task that a compiler performs is to translate a program from one language into another — from source language to object language. Simple translation is a mechanism which takes a representation of a fragment of the source program and produces an equivalent fragment in the object language — a code fragment which, when executed by t...

In this book I argue that for a modern, well-designed programming language a compiler which includes a tree-walking simple translation phase can produce acceptable object code, particularly when careful attention is paid to the ‘crucial code fragments’ discussed in chapters 5, 6, 7 and 9 and in section III. No matter how carefully the individual co...

An interpreter is simply a device which takes some representation of a program and carries out the operations which the program specifies — i.e. it mimics or simulates the operations which a machine would carry out if it were directly capable of processing programs written in that language. A compiler takes a similar representation of a program and...

Chapters 5 and 6 show the tree-walking mechanism to its best advantage, working on the translation of source program constructs whose efficient implementation is crucial to the efficiency of the object program. Code fragments for statements are rarely so crucial, particularly when the expressions which they contain are efficiently translated. This...

The theory of formal languages, so far as it is applicable to compiler writing, covers only issues of syntax: it describes those arrangements of symbols which constitute executable (runnable) programs in a programming language. It isn’t concerned at all with the semantics of those programs: what they ‘mean’ or what will be the effect when you run t...

This chapter discusses the design of code fragments which support procedure call and return in both recursive and non-recursive programming languages. To aid the discussion in later chapters it includes a model of procedure call and return based on the notion of a procedure activation record. A procedure activation is a special case of a ‘micro-pro...

Figure 5.1 shows an example arithmetic expression which might appear anywhere in a typical program — say on the right-hand side of an assignment statement — together with the parse tree which describes its structure. It also shows the object code which is the best translation of this expression — ‘best’, that is, if the expression is considered in...

In a block-structured language such as PASCAL, ALGOL 60, ALGOL 68, CORAL 66, PL/1 or SIMULA 67 the text of a procedure may refer to run-time objects or values declared in the current procedure or in textually-enclosing procedures1 but the address of the data frames which contain these objects isn’t known at compile-time or even at load-time. Thus i...

This paper describes the methodology of a project to develop a computer program capable of reading casually hand-printed FORTRAN programs. A major feature of the methodology is the organization of the processes in the recognition mechanism: conventional process organization is rejected as too rigid and inflexible. The proposed process organization,...