Software Verification 1: Deductive Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
10.11.2011
Dec 30, 2015
Folie 2 (H. Schlingloff, Software-Verifikation I)
Predicate Logic
• used to formalize mathematical reasoning
  - dates back to Frege (1879), „Begriffsschrift“ (subtitled „Eine der arithmetischen nachgebildete Formelsprache des reinen Denkens“: a formula language of pure thought, modelled on that of arithmetic)
• individuals, predicates (sets of individuals), relations (sets of pairs), ...
• quantification of statements (quantum = how much)
  - all, none, at least one, at most one, some, most, many, ...
  - need for variables to denote "arbitrary" objects
• In contrast to propositional logic, first-order logic adds
  - structure to basic propositions
  - quantification on (infinite) domains
FOL: Syntax
• New syntactic elements
  - R is a set of relation symbols, where each pR has an arity nN0
  - V is a denumerable set of (first-order or individual) variables
  - An atomic formula is p(x1,…,xn), where pR is n-ary and (x1,…,xn)Vn.
• Syntax of first-order logic
  FOL ::= R (Vn) | | (FOL FOL) | V FOL
FOL: Syntax
• Abbreviations and parentheses as in PL
  - Of course, x = ¬x ¬
• Propositions = 0-ary relations; predicates = 1-ary relations
  - if all predicates are propositions, then FOL = PL
• Examples
  - xxx (p() x(q() p()))
  - xxy ¬p(x)
  - xy (p(x,y) p(y,x))
  - (xy p(x,y) yx p(x,y))
Typed FOL
• Often, types/sorts are used to differentiate domains
• Signature =(D, F, R), where
  - D is a (finite) set of domain names
  - F is a set of function symbols, where each fF has an arity nN0 and a type DDn+1
    - 0-ary functions are called constants
  - R is a set of relation symbols, where each pR has an arity nN0 and a type DDn
    - unary relations are called predicates
    - propositions can be seen as 0-ary relations
• Remark: domains and types are for ease of use only (they can be simulated in an untyped setting by additional predicates)
Terms and Formulas
• Let again V be a (denumerable) set of (first-order) variables, where each variable has a type DD (written as x:D); for any type, there is an unlimited supply of variables of that type
• The notions Term and Atomic Formula AtF are defined recursively:
  - each variable of type D is a term of type D
  - if f is an n-ary function symbol of type (D1,…Dn,Dn+1) and t1, …, tn are terms of type D1, …, Dn, then f(t1,…,tn) is a term of type Dn+1
  - if p is an n-ary relation symbol of type (D1,…Dn) and t1, …, tn are terms of type D1, …, Dn, then p(t1,…,tn) is an atomic formula
• Revised syntax of first-order logic
  FOL ::= AtF | | (FOL FOL) | V:D FOL
Examples
• x:Boy y:Girl loves(x,y)
• x:Human y:Human (needs(x,y) loves(y,x))
• x,y:Int equals(plus(x,y), plus(y,x))
• x:Int ¬equals(zero(), succ(x))
• …
FOL: Models
• (We give the typed semantics only)
• First-Order Model
  - Let a universe U be some nonempty set, and let DU U for every DD be the domain of D
  - Interpretation I: assignment F ↦ Un+1, R ↦ Un
  - Valuation V: assignment V ↦ U
  - interpretations and valuations must respect typing
• Model M: (U,I,V)
FOL: Semantics
• Given a model M: (U,I,V), the value tM of term t (of type D) can be defined inductively:
  - if t=xV, then tM=V(x)
  - if t=f(t1,…,tn), then tM=I(f)(t1M,…,tnM)
• Likewise, the validation relation ⊨ between model M and formula :
  - M ⊨ p(t1,…,tn) if (t1M,…,tnM)I(p)
  - M ⊭ ;
  - M ⊨ () if M ⊨ implies M ⊨
  - M ⊨x if M‘ ⊨ for some M‘ which differs at most in V(x) from M
• Validity and satisfiability are defined as in the propositional case
Examples
• ⊨ x x
• ⊨ x x x ( )
• ⊨ x x x ( )
• ⊨ x y y x
• ⊨ x (x:=t)
• If ⊨ , then ⊨ x
FOL: Calculus
• A sound and complete axiom system for FOL:
  - all substitution instances of axioms of PL
  - modus ponens: , () ⊢
  - instantiation: ⊢((x:=t)x)
  - particularization: () ⊢(x) if x doesn‘t occur in
• Relaxation: particularization may be applied if there is no free occurrence of x in ; i.e., x may occur in inside the scope of a quantification
FOL: Completeness
• As in the propositional case, correctness is easy (⊢ ⊨, “every derivable formula is valid”)
• Completeness (⊨ ⊢, “every valid formula is derivable”) follows with a similar proof as previously: given a consistent formula, construct a model satisfying it (~⊢¬ ~⊨¬)
• Extension lemma: If Φ is a finite consistent set of formulæ and is any formula, then Φ{} or Φ{¬} is consistent
• Needs additionally: If Φ is any consistent set of formulæ and x is a formula in Φ, then Φ{(t)} is consistent for any term t
• From this, a canonical model can be constructed as before
Example
• Consider the formula xyz ((p(x, y) ∧ p(y, z)) → p(x, z)) ∧ x ¬p(x, x) ∧ x p(x, f(x))
• This formula is satisfiable only in infinite models
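The inductive clauses on the "FOL: Semantics" slide (tM for terms, M ⊨ for formulas, with the other connectives as abbreviations) can be run directly on a finite model, and that is enough to see the point of the example above: no finite structure makes all three conjuncts true. The following evaluator is an added example written for this page, not code from the lecture; the tuple encoding of formulas, the names `var`, `p`, `has_model_of_size`, and the reading that every variable in the three conjuncts is universally quantified are assumptions of the example.

```python
# Added example (not from the slides): a small evaluator for untyped FOL over a
# finite model M = (U, I, V), following the inductive clauses for tM and M |= phi,
# then used to check by brute force that the "Example" formula has no finite model.
from itertools import product

# Constructed formula representation (an assumption of this example):
#   ("var", x)                 term: variable x
#   ("app", f, (t1, ..., tn))  term: function application f(t1, ..., tn)
#   ("rel", p, (t1, ..., tn))  atomic formula p(t1, ..., tn)
#   ("bot",)                   falsum
#   ("imp", phi, psi)          implication
#   ("exists", x, phi)         existential quantification
# Negation, conjunction and the universal quantifier are abbreviations, as in PL.

def neg(phi):
    return ("imp", phi, ("bot",))

def conj(phi, psi):
    return neg(("imp", phi, neg(psi)))

def forall(x, phi):
    return neg(("exists", x, neg(phi)))

def term_value(t, interp, val):
    """tM: variables are looked up in the valuation V, applications use I(f)."""
    if t[0] == "var":
        return val[t[1]]
    _, f, args = t
    return interp[f](*(term_value(a, interp, val) for a in args))

def holds(phi, universe, interp, val):
    """M |= phi for M = (universe, interp, val)."""
    kind = phi[0]
    if kind == "rel":
        _, p_sym, args = phi
        return tuple(term_value(a, interp, val) for a in args) in interp[p_sym]
    if kind == "bot":
        return False
    if kind == "imp":
        return (not holds(phi[1], universe, interp, val)) or holds(phi[2], universe, interp, val)
    if kind == "exists":
        _, x, body = phi
        # M' differs from M at most in V(x): try every element of the universe for x
        return any(holds(body, universe, interp, {**val, x: d}) for d in universe)
    raise ValueError(f"unknown formula kind {kind!r}")

# The "Example" slide's formula (assumption: all variables are universally quantified).
def var(name):
    return ("var", name)

def p(s, t):
    return ("rel", "p", (s, t))

TRANSITIVE = forall("x", forall("y", forall("z",
    ("imp", conj(p(var("x"), var("y")), p(var("y"), var("z"))), p(var("x"), var("z"))))))
IRREFLEXIVE = forall("x", neg(p(var("x"), var("x"))))
HAS_SUCCESSOR = forall("x", p(var("x"), ("app", "f", (var("x"),))))
# Cheap conjuncts first so that most candidate models are rejected early.
PHI = conj(conj(IRREFLEXIVE, HAS_SUCCESSOR), TRANSITIVE)

def has_model_of_size(n, phi=PHI):
    """Enumerate every interpretation of unary f and binary p on U = {0, ..., n-1}."""
    universe = list(range(n))
    pairs = list(product(universe, repeat=2))
    for f_table in product(universe, repeat=n):
        f = lambda d, table=f_table: table[d]
        for bits in product((False, True), repeat=len(pairs)):
            rel = {pair for pair, bit in zip(pairs, bits) if bit}
            if holds(phi, universe, {"f": f, "p": rel}, {}):
                return True
    return False

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"model of size {n}:", has_model_of_size(n))
```

The enumeration only rules out universes of size 1 to 3 (larger sizes grow as n^n times 2^(n^2)); the general argument is the one the slide alludes to: a transitive irreflexive relation in which every element has a p-successor yields an infinite ascending chain, so no finite universe can satisfy the formula, while the naturals with p interpreted as < and f as successor do.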
FOL: Undecidability
• Completeness means the set of valid formulæ can be recursively enumerated
• Turing showed that the invalid formulæ are not r.e., i.e., there is no algorithm deciding whether a formula is valid or not
  - strictly speaking, FOL= with at least one binary relation
  - certain sublanguages of FOL are still decidable
FOL=
• Equality is not definable in FOL
• First-order logic with equality contains an additional (binary) relation == which is always interpreted as equality of domain elements
  - written in infix notation, i.e. (x==y) for ==(x,y)
• Axioms
  - (x==x) reflexivity
  - (x==y (y==z x==z)) transitivity
  - (x==y y==x) symmetry
  - (x==y ( (y:=x))) substitution
Presburger arithmetic
• Given a signature (N, 0,´,+) of FOL=, define
  - n (n´==0)
  - m n (m´==n´ m==n)
  - p(0) n(p(n) p(n´)) n p(n)
• If the third axiom holds for all p, then this uniquely characterizes the natural numbers (“monomorphic”)
  - n (n+0==n)
  - mn ((m+n)+1 == m+(n+1))
• This theory is decidable!
Peano arithmetic
• Given the signature (N, 0,´,+,*) and the above axioms, plus
  - n (n*0==0)
  - mn (m*n´ == (m*n)+m)
• This theory is undecidable
Formalizing C in FOL
• Consider the following C program
    /* Euclid's algorithm: replace (a, b) by (b mod a, a) until a is 0 */
    int gcd (int a, int b) {
        int c;
        while ( a != 0 ) {
            c = a;
            a = b % a;
            b = c;
        }
        return b;
    }
• Consider the following FOL formula :
  t:N ( a(t)==0 c(t+1)==a(t) a(t+1)==b(t)%a(t) b(t+1)==c(t)
        a(t)==0 a(t+1)==a(t) b(t+1)==b(t) c(t+1)==c(t) )
• In which way are these equivalent?
Folie 19H. Schlingloff, Software-Verifikation I
Correctness
From this formalization, we expect that
  ⊨ t (a(t)==0 → b(t)==gcd(a(0),b(0)))   (partial correctness)
  ⊨ t (a(t)==0 b(t)==gcd(a(0),b(0)))   (total correctness)
Can we prove these statements?
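Before proving anything, it helps to see the program and its trace-based formula next to each other on concrete inputs: each time step is one loop iteration, the variables stutter once a(t) is 0, and the partial and total correctness statements become checks on the finite prefix of the trace. The script below is an added example for this page, not lecture code; it assumes nonnegative inputs (so Python's % matches C's), starts the unconstrained c(0) at 0, reads b(t+1) as the value just assigned to c (that is, a(t), as the loop body does), and checks total correctness only up to a fixed horizon, which is testing, not the proof the slide asks for.

```python
# Added example (not from the slides): the gcd program next to its trace-based
# formalization, executed on concrete inputs to check the step relation and the
# partial/total correctness claims over a bounded time horizon.
from math import gcd as math_gcd

def gcd_c(a, b):
    """Python transcription of the slide's C program; inputs are assumed nonnegative
    so that Python's % agrees with C's."""
    while a != 0:
        c = a
        a = b % a
        b = c
    return b

def trace(a0, b0, steps):
    """(a(t), b(t), c(t)) for t = 0..steps. One loop iteration is one time step;
    once a(t)==0 all three variables stutter, as in the formula's second case.
    Assumptions: c(0) is unconstrained by the formula, so it starts at 0 here, and
    b(t+1) takes the value just assigned to c, i.e. a(t), which is what the loop body does."""
    a, b, c = a0, b0, 0
    tr = [(a, b, c)]
    for _ in range(steps):
        if a != 0:
            c_next = a          # c(t+1) == a(t)
            a_next = b % a      # a(t+1) == b(t) % a(t)
            b_next = c_next     # b(t+1) == c(t+1) == a(t)
            a, b, c = a_next, b_next, c_next
        tr.append((a, b, c))
    return tr

def step_ok(prev, cur):
    """One transition (a(t),b(t),c(t)) -> (a(t+1),b(t+1),c(t+1)) checked against
    the two cases of the formula."""
    a, b, c = prev
    a1, b1, c1 = cur
    if a != 0:
        return c1 == a and a1 == b % a and b1 == c1
    return (a1, b1, c1) == (a, b, c)

def check(a0, b0, steps=64):
    """Return a triple of booleans:
       every step of the trace satisfies the formula,
       partial correctness: a(t)==0 implies b(t)==gcd(a(0),b(0)) at every t,
       total correctness: some t within the horizon has a(t)==0 and b(t)==gcd(a(0),b(0))."""
    tr = trace(a0, b0, steps)
    g = math_gcd(a0, b0)
    every_step = all(step_ok(tr[t], tr[t + 1]) for t in range(steps))
    partial = all(b == g for a, b, _ in tr if a == 0)
    total = any(a == 0 and b == g for a, b, _ in tr)
    return every_step, partial, total

if __name__ == "__main__":
    for a0, b0 in ((12, 18), (1071, 462), (0, 7), (7, 0)):
        print((a0, b0), "gcd_c =", gcd_c(a0, b0), "checks =", check(a0, b0))
```

The horizon of 64 steps is generous for small inputs (Euclid's loop runs a number of times that is logarithmic in its inputs), but a bounded check like this can only refute the total correctness statement, never establish the existential over all t; that is exactly the gap the deductive calculus is meant to close.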