1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

Transcription

1 Contents 1 Introduction INF5140: Lecture 2 Espen H. Lian Institutt for informatikk, Universitetet i Oslo January 28, Proof System 3 SPL 4 GCD 5 Exercises Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Introduction Problem Given a program, and a specication, show that the program is correct wrt. the specication. What we will need programming language SPL a minimal language today, semantics next week. Promela extends SPL, used in the model checker Spin. Second half of course. specication language used to describe state of a program. Today. Temporal Logic extends FOL, lets us describe sequences of states. In two weeks. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Introduction Intuition Program: Add local x ; y : integer where x 2; y 4 ; while px 5q do y : y x ; x : x 1 Assume that we have a program with two integer variables, x and y. We initially assign 2 to x and 4 to y. Now we can give a predicate that expresses something about the state of the program, such as x y or x y 6. But for an entire run of a program, we need to able to express properties of sequences of states. This we can do in temporal logic. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

2 Introduction Intuition A run: x2 y4 x2 y6 x3 y6 x3 y9 x4 y9 x4 y13 x5 y13 Language It will always be the case that x is less than x y Is it ever the case that y 3x? 3 y 3x The symbols of our rst-order language are typed variables (a countable set of them V) : relation symbols of varying arity (incl. of arity 2) function symbols of varying arity (if the arity is 0, constant symbols) the connectives, _, ^, Ñ and Ø the and D We can combine the temporal operators to express complex y 9 y 9 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Expressions (terms) Variables are atomic expressions. If f is a function symbol of arity n, and t 1 ; : : : ; t n are terms compatible with the arguments of f, the following is an expression. f pt 1 ; : : : ; t n q If n 0, f is a constant. Using inx notation, the following are typical expressions we will see. x y 1 U Y V U X V px yq z U zv Atomic formulae J (top) and K (bottom) are atomic formulae. If P is a relation symbol of arity n, and t 1 ; : : : ; t n are terms compatible with the arguments of P, the following is an atomic formulae. Ppt 1 ; : : : ; t n q Using inx notation, the following are typical atomic formulae we may encounter. J x P U x y 1 U V x : x 1 U X V : H Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

3 Boolean formulae All atomic formulae are boolean formulae. If ' and are boolean formulae, so are the following. Some examples can be: J ' p' _ q p' ^ q p' Ñ q p' Ø q px y 1q Ñ K P Ñ pq Ñ Pq First-order formulae All boolean formulae are rst-order formulae. Let x be a variable. If ' is a rst-order formulae, so are the following. If ' and pdxq' p@xq' are rst-order formulae, so are the following. ' p' _ q p' ^ q p' Ñ q p' Ø q L denotes the set of rst-order formulae. Qpyq _ p@xqppxq p@xqp@yqpx y Ñ pdzqpx z ^ z yqq Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 A model is an pair M pd; I q, such that D is a non-empty set (the domain) I is mapping (the interpretation), such that f I : D n Ñ D for every function symbol f of arity n Observation P I D n for every relation symbol P of arity n We will assume an implicit model, whose domain will include the natural numbers and sets of natural numbers, and it will be obvious what function and relation symbols should be mapped to. For instance if is a function symbol I is the addition function on the natural numbers, and : is mapped to a suitable. A state s over V V is a mapping from V to D. Let V tx ; y ; zu, let x and z of type natural number, and y of type set of natural numbers. spxq 256 spyq t1; 2; 3u spzq 512 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

4 We associate a value spt I q to every expression t. spx I q spxq sprf pt 1 ; : : : ; t n qs I q f I pspt1q; I : : : ; sptnqq I sprp2 xq zs I q spr2 xs I q I spz I q psp2 I q I spx I qq I spz I q p2 spxqq spzq p2 256q A variable occurrence is free in a formula if it is not within the scope of a quantier. A variable occurrence that is not free is bound. Let s 1 and s 2 be states over V, and x P V. s 2 is an x-variant of s 1 if s 1 pyq s 2 pyq for all y P V ztxu: Thus x is the only variable the states disagree on. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Let ' be a rst order formula, x a variable and t an expression. Then 'rx{ts is ', only with every free occurrence of the x replaced with t. ' p@xqppxq _ Ppxq 'rx{cs p@xqppxq _ Ppcq We dene the notion that a state formula ' is true (false) relative to a model M pd; I q in a state s, written M; s ( ' (M; s ( ') as follows. M; s ( J and M; s ( K M; s ( Rpt 1 ; : : : ; t n q i pspt I 1q; : : : ; spt I nqq P R I M; s ( ' i M; s ( ' M; s ( ' _ i M; s ( ' or M; s ( M; s ( ' ^ i M; s ( ' and M; s ( M; s ( ' Ñ i M; s ( ' or M; s ( M; s ( ' Ø i M; s ( ' Ñ and M; s ( Ñ ' M; s ( p@xq' i M; t ( ' for every t that is an x-variant of s M; s ( pdxq' i M; t ( ' for some t that is an x-variant of s Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

5 Proof System We say that ' is true in the model M, written M ( ', if M; s ( ' for every state s. We say that ' is valid, written ( ', if M ( ' for every model M. A proof system for a given logic consists of axioms (or axiom schemata), formulae assumed to be true, and inference rules, of the form Observation We will abuse this notation, and write ( ' if ' is true in our implicit model, and refer to this as state-validity. For instance: ( x y : y x. In a model where I is the subtraction function, this will obviously not hold. ' 1 ' n ; where ' 1 ; : : : ; ' n are premises and the conclusion. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Proof System Proof System A derivation from a set of formulae S is a sequence of formulae, where each formula is either in S, an axiom or can be obtained by applying an inference rule to formulae earlier in the sequence. A proof is a derivation from the empty set. A theorem is the last formula in a proof. A proof system is sound if every theorem is valid. complete if evey valid formula is a theorem. We will not be bothered with soundness or completeness but we will (of course) assume that eveything is sound. Observation We can axiomatize a subset of Propositional Logic as follows. (A1) ' Ñ p Ñ 'q (A2) p' Ñ p Ñ qq Ñ pp' Ñ q Ñ p' Ñ qq (MP) ' ' Ñ Let us call this logic PPL. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

6 Proof System Basic statements p Ñ p is a theorem of PPL: Skip skip does nothing (like a NOP instruction). (1) (2) (3) (4) (5) Observation pp Ñ ppp Ñ pq Ñ pqq Ñ ppp Ñ pp Ñ pqq Ñ pp Ñ pqq p Ñ ppp Ñ pq Ñ pq AX2 AX1 pp Ñ pp Ñ pqq Ñ pp Ñ pq MP on (1) and (2) p Ñ pp Ñ pq AX1 p Ñ p MP on (3) and (4) A proof can be represented as a tree of inferences where the leaves are axioms. Assignment px 1 ; : : : ; x k q : pt 1 ; : : : ; t k q assigns each t j to x j. x 1 ; : : : ; x k list of variables t 1 ; : : : ; t k list of expressions Await await c waits until c becomes true. c boolean formula halt is an abbreviation for await K. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Semaphore statements Schematic statements Request request r decrements r by 1 as soon as r has a positive value (in one step). r integer variable Critical critical represents critical activity in programs with mutual exclusion. idle is a synonym used when not dealing with mutual exclusion. Release release r increments r by 1. r integer variable Noncritical noncritical represents noncritical activity in programs with mutual exclusion. Need not terminate. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

7 Schematic statements Compound statements Produce produce r represents production activity in producer-consumer programs. Assingns a non-zero (produced) value to r. r integer variable Conditional if c then S 1 else S 2. If c is true, S 1 is executed, and if c is false, S 2 is executed. c boolean expression S 1 ; S 2 statements Consume consume r represents consumer activity in producer-consumer programs. r integer variable Concatenation S 1 ; ; S k. Sequential exectuion of S 1 ; : : : ; S k in that order. S 1 ; : : : ; S k statements Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Compound statements Compound statements Selection S 1 or or S k. One of S 1 ; : : : ; S k that is enabled is nondeterministically chosen and executed. S 1 ; : : : ; S k statements Cooperation S 1 } } S k. The parallell execution of processes S 1 ; : : : ; S k, in an interleaving fashion: steps from the various processes are executed one at a time. Justice ensures that no process is ignored forever. S 1 ; : : : ; S k statements While while c do S. Terminates if c is false, and if c is true, subsequently executes S. c boolean expression S statement Block rlocal declaration ; Ss. local declaration (see foil after next) S statement Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

8 Programs Programs A declaration consists of a sequence of declaration statements of the form MODE x 1 ; : : : ; x n : TYPE where ' Each declaration statement identies the mode and type of a list of variables and, optionally, species constraints on their initial values. MODE is one of in, local or out. TYPE is typically integer or boolean. ' is of the form y 1 : t 1 ^ ^ y m : t m, where ty 1 ; : : : ; y m u tx 1 ; : : : ; x n u, with natural restrictions on t 1 ; : : : ; t m. A program P consists of a declaration followed by a cooperation statement, in which processes may be named. P :: rdeclaration ; rp 1 :: S 1 } } P k :: S k ss P 1 ; : : : ; P k are referred to as processes. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 (Triple) Let ' and be rst-order formulae, and S a statement (in SPL). Then the following is a triple: t'u S t u Triples are the formulae of. ' and are called the precondition and postcondition of S resp. Interpretation We (informally) interpret t'u S t u as true when the following holds: Whenever S starts executing and ' is true, if S terminates, then is true. This interpretation is called partial correctness, which is a safety property: ' Ñ If S can be assumed to terminate, we get the corresponding liveness property, total correctness: ' Ñ 3pterminatespSq ^ What does tju S tku express (under partial correctness)? q q We will give a formal semantics later. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

9 Await Axiom We would like the following to be a theorem. tx : 0u x : x 1 ; tx : 1u The following, however, should not be a theorem, as it is not always the case that if you assign x 1 to x, then y 1. tx : 0u x : x 1 ; ty : 1u Await Axiom t'u await c t' ^ cu tx 0u await x 1 tx 0 ^ x : 1u Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Assignment Axiom Assignment Axiom t'rx{tsu x : t t'u t1 : 1u x : 1 tx : 1u and t1 2 yu x : 1 2 tx yu Observation It might be easier reading it as going forward instead: tx 0u x : x 1 tx 1u This holds because x 1 1 is equivalent to x 0 (see the Consequence Rule), and the following is an instance of the axiom: Concatenation Rule Concatenation Rule t'u S 1 tu tu S 2 t u t'u S 1 ; S 2 t u tx : 0u x : 1 tx 0u tx 0u x : 2 x tx 0u tx : 0u x : 1 ; x : 2 x tx 0u tx 1 1u x : x 1 tx 1u Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

10 Skip Axiom and Conditional/Selection Rules While Rule Skip Axiom t'u skip t'u Conditional Rule t' ^ cu S 1 t u t' ^ cu S 2 t u t'u if c then S 1 else S 2 t u Selection Rule t'u S 1 t u : : : t'u S k t u t'u S 1 or or S k t u While Rule t' ^ cu S t'u t'u while c do S t' ^ cu Here ' is a loop invariant; it is true before and after each iteration of the loop. tx % 2 : 0 ^ x 10u x : x 2 tx % 2 : 0u tx % 2 : 0u while px 10q do x : x 2 tx % 2 : 0 ^ x 10qu The loop invariant says that x is even. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Consequence Rule Consequence Rule t'u S t u t' 1 u S t 1 u if ( ' 1 Ñ ' and ( Ñ 1 3: t x 0u x : x tx 0u 5: tx 0u skip tx 0u 2: tj ^ x 0u x : x tx 0u 4: tj ^ px 0qu skip tx 0u 1: tju if x 0 then x : x else skip tx 0u The precondition is strengthened, and the postcondition weakened. tx 0u x : x 1 tx 0 ^ x 1u tx 0 ^ x 1u x : x 1 tx 0u or tx 0u x : x 1 tx 1u tx 1u x : x 1 tx 0u Note that ( px 1q Ñ px 0q. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / Conditional Rule 2. Consequence Rule 3. Assignment Axiom 4. Consequence Rule 5. Skip Axiom Axioms in every leaf node, thus the derivation is a proof. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44

11 GCD The following program (the Euclidean algorithm) is supposed to terminate with the value of gcdpa; bq in g. Program: GCD P :: r in a; b : integer where a 0; b 0 ; local x ; y : integer where x a; y b ; out g : integer ; P 1 :: r while x y do r await x y ; x : x y ; or await y x ; y : y x ; s g : x ; s s We want to show that the program is correct. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 GCD Problem We want to show that g gcdpa; bq when P terminates. Solution We do this by establishing a loop invariant: I px ; yq px 0q ^ py 0q ^ gcdpx ; yq : gcdpa; bq; and show that the following can be proved in our proof system. ti px ; yqu P 1 tg : gcdpa; bqu Proof See blackboard. Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Exercises Exercises Exercises 1. The program on the next foil is supposed to compute a b. 1 Show a computation (how the variables change when the program runs) for the input x 2 and y 7. 2 Show that the program is correct by proving the following Hoare triple for some suitable ': t'u P 1 tz a b u Program: Exponentiation P :: r in a; b : integer where a 0; b 0 ; local x ; y : integer where x a; y b ; out z : integer where z 1 ; P 1 :: r while y 0 do r z : x z ; y : y 1 ; s s s Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44 Institutt for informatikk (UiO) INF5140: Lecture 2 January 28, / 44