23.4.2015 Software Verifikation 1 Deduktive Verifikation Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut.

23.4.2015

Software Verifikation 1Deduktive Verifikation

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

und

Fraunhofer Institut für offene Kommunikationssysteme

Folie 2H. Schlingloff, Software-Verifikation I

Propositional Logic

• A formal specification method consists of three parts syntax, i.e., what are well-formed specifications semantics, i.e., what is the meaning of a specification calculus, i.e., what are transformations or deductions

of a specification

• Propositional logic: probably the first and most widely used specification method dates back to Aristotle, Chrysippus, Boole, Frege, … base of most modern logics fundamental for computer science

Folie 3H. Schlingloff, Software-Verifikation I

Syntax of Propositional Logic

•Let Ρ be a finite set {p1,…,pn} of propositionsand assume that , and (, ) are not in Ρ

•SyntaxPL ::= Ρ | | (PL PL)

every p is a wff is a wff („falsum“) if and are wffs, then () is a wff nothing else is a wff

Folie 4H. Schlingloff, Software-Verifikation I

Remarks

• Ρ may be empty still a meaningful logic!

• Minimalistic approach infix-operator necessitates parentheses other connectives can be defined as usual

¬ ≙ ( ) (linear blowup!)Τ ≙ ¬() ≙ (¬)() ≙ ¬(¬¬) ≙ ¬(¬)() ≙ (()()) (exponential blowup!)

operator precedence as usual literal = a proposition or a negated proposition

Folie 5H. Schlingloff, Software-Verifikation I

Exercise

• Abbreviations¬ ≙ ( ) also ~

Τ ≙ ¬() ≙ (¬) also (+), (|), (v)

() ≙ ¬(¬¬) ≙ ¬(¬) also (*), (&), (^)

() ≙ (()()) also ( <-> ), (<=>)

•Write ((pq) ¬p) unabbreviated

Folie 6H. Schlingloff, Software-Verifikation I

Choice of the Signature

• Te set Ρ={p1,…,pn} of propositions is also called the signature of the logic

• The choice of Ρ often is the decisive abstraction step for modelling a system it determines which aspects are “accessible” to the

specification Wittgenstein: “die Welt ist alles was der Fall ist”;

the world consists of all true propositions e.g., sun-is-shining, pot-on-stove, line-busy,

button_pressed, window5infocus, motor-on, … names should be chosen with consideration

Folie 7H. Schlingloff, Software-Verifikation I

Semantics of Propositional Logic

• Propositional Model Truth value universe U: {true, false} Interpretation I: assignment Ρ ↦ U Model M: (U,I)

• Validation relation ⊨ between model M and formula M ⊨ p if I(p)=true M ⊭ M ⊨ () if M ⊨ implies M ⊨

• M validates or satisfies iff M ⊨ is valid (⊨) iff every model M validates is satisfiable (SAT()) iff some model M satisfies

Folie 8H. Schlingloff, Software-Verifikation I

Propositional Calculus

• Various calculi have been proposed boolean satisfiability (SAT) algorithms tableau systems, natural deduction, enumeration of valid formulæ

• Hilbert-style axiom system⊢ (()) (weakening)

⊢ ((()) (()())) (distribution)

⊢ (¬¬) (excluded middle)

, () ⊢ (modus ponens)

• Derivability All substitution instances of axioms are derivable If all antecedents of a rule are derivable, so is the

consequent

Folie 9H. Schlingloff, Software-Verifikation I

An Example Derivation

Show ⊢ (pp)

(1)⊢(p((pp)p))((p(pp))(pp)) (dis)

(2)⊢(p((pp)p)) (wea)

(3)⊢((p(pp))(pp)) (1,2,mp)

(4)⊢(p(pp)) (wea)

(5)⊢(pp) (3,4,mp)

Folie 10H. Schlingloff, Software-Verifikation I

Correctness and Completeness

•Correctness: ⊢ ⊨Only valid formulæ can be derived Induction on the length of the derivation Show that all axiom instances are valid, and

thatthe consequent of (mp) is valid if both antecedents are

•Completeness: ⊨ ⊢All valid formulæ can be derived Show that consistent formulæ are satisfiable

~⊢¬ ~⊨¬

Folie 11H. Schlingloff, Software-Verifikation I

Consistency and Satisfiability

• A finite set Φ of formulæ is consistent, if ~⊢¬ΛΦ• Extension lemma: If Φ is a finite consistent set of formulæ

and is any formula, then Φ{} or Φ{¬} is consistent Assume ⊢¬(Φ) and ⊢¬(Φ¬). Then ⊢(Φ¬) and ⊢(Φ¬¬).

Therefore ⊢¬Φ, a contradiction.

• Let SF() be the set of all subformulæ of • For any consistent , let #

be a maximal consistent extension of (i.e., # and for every SF(), either #or ¬#. (Existence guaranteed by extension lemma)

Folie 12H. Schlingloff, Software-Verifikation I

Canonical models

• For a maximal consistent set #, the canonical model CM(#) is defined by I(p)=true iff p#.

• Truth lemma: For any SF(), I()=true iff #

Case =p: by construction Case =: Φ{} cannot be consistent Case =(12): by induction hypothesis and derivation

• Therefore, if is consistent, then for any maximal consistent set #, CM(#)⊨ any consistent formula is satisfiable any unsatisfiable formula is inconsistent any valid formula is derivable

Folie 13H. Schlingloff, Software-Verifikation I

NP-Completeness

•SAT is the „generic“ NP-complete problem SAT in NP: give NP-algorithm („guess and

check“) SAT is NP-hard: reduce other problems to

SAT

•Thus, propositional validity is co-NP complete

•Unknown whether P=NP and/or NP=co-NP

Folie 14H. Schlingloff, Software-Verifikation I

Example: Combinational Circuits

•Multiplexer

S selects whether I0 or I1 is output to Y

Y = if S then I1 else I0 end

(Y((SI1)(¬SI0)))

Pictures taken from: http://www.scs.ryerson.ca/~aabhari/cps213Chapter4.ppt

I0 I1 S Y

0 0 0 0

1 0 0 1

0 1 0 0

Folie 15H. Schlingloff, Software-Verifikation I

Boolean Specifications

•Evaluator (output is 1 if input matches a certain binary value)

•Encoder (output i is set if binary number i is on input lines)

•Majority function (output is 1 if half or more of the inputs are 1)

•Comparator (output is 1 if input0 > input1)

•Half-Adder, Full-Adder, …

Folie 16H. Schlingloff, Software-Verifikation I

Software Example

•Code generator optimization if (p and q) then if (r) then x else y else if (q

or r) then y else if (p and not r) then x else y

•Loop optimization

Folie 17H. Schlingloff, Software-Verifikation I

Puzzle Example: Ivor Spence’s Sudoku

http://www.cs.qub.ac.uk/~i.spence/SuDoku/SuDoku.html

Folie 18H. Schlingloff, Software-Verifikation I

How Does He Do It?

• Propositional modelling 9 propositions per cell: proposition “ijk” indicates that row i,

column j contains value k individual cell clauses

- each cell contains exactly one value (ij1 v ij2 v … v ij9) ^ ~(ij1 ^ ij2) ^ … ^ ~(ij8 ^ ij9)

row and column clauses- each row i contains each number, exactly once

(i11 v … v i91) ^ (i12 v … v i92) ^ … (i19 v … v i99) j1 j2, k=1..9: ~(ij1k ^ ij2k)

- same for columns block clauses – similar pre-filled cells – easy

• SAT solving 729 propositions, ca. 3200 clauses few seconds

Folie 19H. Schlingloff, Software-Verifikation I

Verification of Boolean Functions

• Latch-Up: can a certain line go up? does (¬L0) hold? is (L0) satisfiable?

• Given , ; does () hold? usually reduced to SAT:

is ((¬)(¬)) satisfiable? efficient SAT-solver exist (annual competition) partitioning techniques

• any output depends only on some inputs find which ones generate test patterns (BIST: built-in-self-test)

Folie 20H. Schlingloff, Software-Verifikation I

Optimizing Boolean Functions

•Given ; find such that () holds and is „optimal“ much harder question optimal wrt. speed / size / power /… translation to normal form (e.g., OBDD)