30.4.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für...

transcript

30.4.2015

Software Verification 1Deductive Verification

Prof. Dr. Holger SchlingloffInstitut für Informatik der Humboldt Universität

Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Folie 2H. Schlingloff, Software-Verifikation I

By Request: Some Questions …

•What is a formal method in SW-Engineering?

•Syntax & semantics of propositional logic?

•What is a signature?

•Which calculi for PropL exist?

•How to prove correctness & completeness?

•How to prove NP-completeness?

•SAT-solving?

Folie 5H. Schlingloff, Software-Verifikation I 25.4.2009

Predicate Logic

• used to formalize mathematical reasoning dates back to Frege (1879) „Begriffsschrift“

- „Eine der arithmetischen nachgebildete Formelsprache des reinen Denkens“

individuals, predicates (sets of individuals), relations (sets of pairs), ...

quantification of statements (quantum = how much)- all, none, at least one, at most one, some, most, many, ...

- need for variables to denote “arbitrary” objects In contrast to propositional logic, first-order logic adds

- structure to basic propositions- quantification on (infinite) domains

FOL: Syntax

• New syntactic elements R is a set of relation symbols,

where each pR has an arity nN0

V is a denumerable set of (first-order or individual) variables

An atomic formula is p(x1,…,xn), where pR is n-ary and (x1,…,xn)Vn.

• Syntax of first-order logicFOL ::= R (Vn) | | (FOL FOL) | V FOL

FOL: Syntax

• Abbreviations and parenthesis as in PL Of course, x = ¬x ¬

• Propositions = 0-ary relationsPredicates = 1-ary relations if all predicates are propositions, then FOL = PL

• Examples xxx (p() x(q() p())) xxy ¬p(x) xy (p(x,y) p(y,x)) (xy p(x,y) yx p(x,y))

Typed FOL

• Often, types/sorts are used to differentiate domains

• Signature =(D, F, R), where D is a (finite) set of domain names F is a set of function symbols, where each fF has an

arity nN0 and a type DDn+1

- 0-ary functions are called constants R is a set of relation symbols, where each pR has an

arity nN0 and a type DDn

- unary relations are called predicates- propositions can be seen as 0-ary relations

• Remark: domains and types are for ease of use only (can be simulated in an untyped setting by additional predicates)

Terms and Formulas

• Let again V be a (denumerable) set of (first-order) variables, where each variable has a type DD (written as x:D)(for any type, there is an unlimited supply of variables of that type)

• The notions Term and Atomic Formula AtF are defined recursively: each variable of type D is a term of type D if f is an n-ary function symbol of type (D1,…Dn,Dn+1) and t1, …, tn

are terms of type D1, …, Dn, then f(t1,…,tn) is a term of type Dn+1 if p is an n-ary relation symbol of type (D1,…Dn) and t1, …, tn are

terms of type D1, …, Dn, then p(t1,…,tn) is an atomic formula

• Revised syntax of first-order logicFOL ::= AtF | | (FOL FOL) | V:D FOL

Examples

x:Boy y:Girl loves(x,y)x:Human y:Human (needs(x,y) loves(y,x))x,y:Int equals(plus(x,y), plus(y,x))x:Int ¬equals(zero(), succ(x))• …

FOL: Models

• (We give the typed semantics only)

•First-Order Model Let a universe U be some nonempty set, and

let DU U for every DD be the domain of D

Interpretation I: assignment F ↦ Un+1

R ↦ Un

Valuation V: assignment V ↦ Uinterpretations and valuations must respect typing

Model M: (U,I,V)

FOL: Semantics

• Given a model M: (U,I,V), the value tM of term t (of type D) can be defined inductively if t=xV, then tM=V(x) if t=f(t1,…,tn) , then tM=I(f)(t1

M,…,tnM)

• Likewise, the validation relation ⊨ between model M and formula M ⊨ p(t1,…,tn) if (t1

M,…,tnM)I(p)

M ⊭ ; M ⊨ () if M ⊨ implies M ⊨ M ⊨x if M‘ ⊨ for some M‘ which differs at most

in V(x) from M

• Validity and satisfiability is defined as in the propositional case

Examples

• ⊨ x x • ⊨ x x x ( )

• ⊨ x x x ( )

• ⊨ x y y x • ⊨ x (x:=t)

• If ⊨ , then ⊨ x

FOL: Calculus

• A sound and complete axiom system for FOL: all substitution instances of axioms of PL modus ponens: , () ⊢ ⊢((x:=t)x) instantiation

() ⊢(x) if x doesn‘t occur in particularization

• Relaxation: particularization may be applied if there is no free occurrence of x in ; i.e., x may occur in inside the scope of a quantification

FOL: Completeness

• As in the propositional case, correctness is easy (⊢ ⊨, “every derivable formula is valid”)

• Completeness (⊨ ⊢, “every valid formula is derivable”) follows with a similar proof as previously:given a consistent formula, construct a model satisfying it ~⊢¬ ~⊨¬

• Extension lemma: If Φ is a finite consistent set of formulæ and is any formula, then Φ{} or Φ{¬} is consistent

• Needs additionally: If Φ is any consistent set of formulæ and x is a formula in Φ, then Φ{(t)} is consistent for any term t

• From this, a canonical model can be constructed as before

Example

• Consider the formula xyz ((p(x, y) ∧ p(y, z)) → p(x, z))

∧ x ¬p(x, x) ∧ x p(x, f(x) )This formula is satifiable only in infinite models

FOL: Undecidability

• Completeness means the set of valid formulæ can be recursively enumerated

• Turing showed that the invalid formulæ are not r.e., i.e., there is no algorithm deciding whether a formula is valid or not strictly speaking, FOL= with at least one binary

relation certain sublanguages of FOL are still decidable

Resolution

• First “mechanizable” proof procedure (A. Robinson, 1965)

• Implemented in many provers

• Succeeded in proving interesting theorems

• Predictability problematic (Incompleteness!)

• Refutation of unsatisfiable clause sets (CNF) Clause = finite multiset of literals Ci={i1,..., in} xyz(i1 ... in)

Prove that (C1 ∧... ∧ Cm → ) by refuting {C1, ..., Cm, ¬}

Refutation means deriving the empty clause

Propositional Resolution Rule

•From {1 ,..., m, } and {1 ,..., n, ¬}derive {1 ,..., m, 1 ,..., n}

- In particular, from {1 ,..., m, } and {1 ,..., n, ¬} derive {1 ,..., m}

•Corresponds to the formula(1 ... m ) ∧ (1 ... m ¬) → (1 ... m 1 ... m)

•The empty clause corresponds to ; if it is derivable, the set of clauses is unsatisfiable

25.4.2009

Unification

• A substitution is a mapping σ from the set of variables to the terms such that Xσ ≠ X for only finitely many X

- Generalizes to terms and literals- Example: p(f(x), y){x::=a, y::=g(a)} yields p(f(a), g(a))

• σ is a unifier for terms s and t if sσ = tσ

• σ is the most general unifier if for every other unifier σ‘ there exists a substitution λ such that λ σ = σ‘

• Example: Unifier for p(f(x), g(z)) and p(f(a), y) is {x::=a, y::=g(a), z::=a}

25.4.2009

Predicate Logic Resolution

•Let C and D be clauses without overlapping variables, {}≠PC positive literals and {}≠ND negative literals

• Find the most general unifier σ such that Pσ=Nσ

•Add new clause (C-P)σ(D-N)σ

• Again, if the empty clause is derivable, the set of clauses is refuted.

25.4.2009

• Equality is not definable in FOL• First order logic with equality contains an

additional (binary) relation == which is always interpreted as equality of domain elements Written in infix notation, i.e. (x==y) for ==(x,y)

• Axioms (x==x) reflexivity

(x==y (y==z x==z)) transitivity

(x==y y==x) symmetry

(x==y ( (y:=x))) substitution

30.4.2015 Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für...

Documents