Last Time. Inference Rules

Similar documents
Lecture 17: Floyd-Hoare Logic for Partial Correctness

Logic. Propositional Logic: Syntax

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Hoare Logic: Part II

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Program Analysis Part I : Sequential Programs

Natural Deduction is a method for deriving the conclusion of valid arguments expressed in the symbolism of propositional logic.

Hoare Logic: Reasoning About Imperative Programs

Logic. Propositional Logic: Syntax. Wffs

Marie Duží

Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11 CSE

Hoare Logic and Model Checking

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Proof Rules for Correctness Triples

Today s Lecture 2/25/10. Truth Tables Continued Introduction to Proofs (the implicational rules of inference)

Weakest Precondition Calculus

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Propositional Logic: Syntax

The Assignment Axiom (Hoare)

What happens to the value of the expression x + y every time we execute this loop? while x>0 do ( y := y+z ; x := x:= x z )

CSC 7101: Programming Language Structures 1. Axiomatic Semantics. Stansifer Ch 2.4, Ch. 9 Winskel Ch.6 Slonneger and Kurtz Ch. 11.

Section 1.2: Propositional Logic

Proof Calculus for Partial Correctness

Foundations of Computation

Program verification. 18 October 2017

Hoare Logic: Reasoning About Imperative Programs

Program verification using Hoare Logic¹

Learning Goals of CS245 Logic and Computation

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

Lecture 2: Axiomatic semantics

CS558 Programming Languages

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

Hoare Logic (I): Axiomatic Semantics and Program Correctness

A Short Introduction to Hoare Logic

Logical Form 5 Famous Valid Forms. Today s Lecture 1/26/10

Programming Languages and Compilers (CS 421)

Manual of Logical Style (fresh version 2018)

Propositional Logic: Part II - Syntax & Proofs 0-0

Přednáška 12. Důkazové kalkuly Kalkul Hilbertova typu. 11/29/2006 Hilbertův kalkul 1

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

First-Degree Entailment

Propositional Calculus - Hilbert system H Moonzoo Kim CS Division of EECS Dept. KAIST

Deductive Systems. Lecture - 3

Propositional Logic. Spring Propositional Logic Spring / 32

In this chapter, we specify a deductive apparatus for PL.

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

COMP 182 Algorithmic Thinking. Proofs. Luay Nakhleh Computer Science Rice University

Formal Specification and Verification. Specifications

Proofs: A General How To II. Rules of Inference. Rules of Inference Modus Ponens. Rules of Inference Addition. Rules of Inference Conjunction

Advanced Topics in LP and FP

Symbolic Logic 3. For an inference to be deductively valid it is impossible for the conclusion to be false if the premises are true.

Propositional Logic. Jason Filippou UMCP. ason Filippou UMCP) Propositional Logic / 38

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/33

First Order Logic: Syntax and Semantics

First Order Logic vs Propositional Logic CS477 Formal Software Dev Methods

cis32-ai lecture # 18 mon-3-apr-2006

Manual of Logical Style

Axiomatic Semantics. Semantics of Programming Languages course. Joosep Rõõmusaare

Natural Deduction for Propositional Logic

Propositional Logic: Deductive Proof & Natural Deduction Part 1

Axiomatic Semantics. Hoare s Correctness Triplets Dijkstra s Predicate Transformers

Resolution (14A) Young W. Lim 8/15/14

Reasoning About Imperative Programs. COS 441 Slides 10b

4 Derivations in the Propositional Calculus

Chapter 1, Logic and Proofs (3) 1.6. Rules of Inference

CITS2211 Discrete Structures Proofs

Natural deduction for truth-functional logic

CS Lecture 19: Logic To Truth through Proof. Prof. Clarkson Fall Today s music: Theme from Sherlock

COMP219: Artificial Intelligence. Lecture 19: Logic for KR

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

n logical not (negation) n logical or (disjunction) n logical and (conjunction) n logical exclusive or n logical implication (conditional)

COMP Intro to Logic for Computer Scientists. Lecture 6

Review of Propositional Calculus

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Propositional Logic Arguments (5A) Young W. Lim 10/11/16

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

Proofs. Introduction II. Notes. Notes. Notes. Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Fall 2007

Propositional Logic. Argument Forms. Ioan Despi. University of New England. July 19, 2013

Direct Proof MAT231. Fall Transition to Higher Mathematics. MAT231 (Transition to Higher Math) Direct Proof Fall / 24

Propositional Logic: Methods of Proof (Part II)

Introduction to Metalogic

Propositional Logic. Fall () Propositional Logic Fall / 30

Formal (natural) deduction in propositional logic

FORMAL PROOFS DONU ARAPURA

THE LOGIC OF COMPOUND STATEMENTS

The Importance of Being Formal. Martin Henz. February 5, Propositional Logic

n Empty Set:, or { }, subset of all sets n Cardinality: V = {a, e, i, o, u}, so V = 5 n Subset: A B, all elements in A are in B

Packet #1: Logic & Proofs. Applied Discrete Mathematics

Propositional Logic Arguments (5A) Young W. Lim 11/8/16

A Little Deductive Logic

Logic for Computer Science - Week 4 Natural Deduction

6. Logical Inference

Deduction by Daniel Bonevac. Chapter 3 Truth Trees

EECS 1028 M: Discrete Mathematics for Engineers

(ÀB Ä (A Â C)) (A Ä ÀC) Á B. This is our sample argument. Formal Proofs

A Little Deductive Logic

Propositional Logic Arguments (5A) Young W. Lim 11/30/16

For a horseshoe statement, having the matching p (left side) gives you the q (right side) by itself. It does NOT work with matching q s.

Transcription:

Last Time When program S executes it switches to a different state We need to express assertions on the states of the program S before and after its execution We can do it using a Hoare triple written as {P}S{Q}, where P is a precondition, S is a program, and Q is a postcondition We used flowchart diagrams to prove partial correctness and termination of two programs 3 Inference Rules An inference rule maps one or more wffs, called premises, to a single wff, called the conclusion AA, B B modus ponens (MP) A B, A B disjunctive syllogism (DS) BA, B A modus tollens (MT) A B, B C A C hypothetical syllogism (HS) AB, A B conjunction intro (CI) A B, A C, B D C D constructive dilemma (CD) A A B disjunction intro (DI) C D, A C, B D A B destructive dilemma (DD) 4 2

Proofs A proof is a finite sequence of wffs s.t. each wff in the sequence is either an axiom or a premise or can be inferred from previous wffs in the sequence A formal reasoning system is also called a formal theory If a formal theory enables the proof of both wffs P and P, then this theory is inconsistent (not sound) How to build consistent theories? Choose axioms to be tautologies Choose inference rules to map tautologies onto tautologies Examples Prove (A B) (A C) A B C 1. A B P 2. A C P 3. A P 4. B 1,3,DS 5. C 2,3,DS 6. B C 4,5,CI 7. QED 1,2,3,6 5 Our Strategy Recall proof calculi for propositional and predicate logic Formula to prove, inference rules, axioms For example, to prove φ ϕ we assume φ and manage to show ϕ using given inference rules What if we replace a logic formula with a piece of code? Can we prove fragments of code and these small proofs compose a final proof? 6 3

Partial Correctness, Termination, and Total Correctness Partial correctness: if for all states that satisfy the precondition, the state resulting from program s execution satisfies the postcondition, provided that the program terminates Termination: if the precondition holds, then the program terminates Total correctness: if for all states in which P is executed which satisfy the precondition, P is guaranteed to terminate and the resulting state satisfies the postcondition 7 Proof Calculus For Partial Correctness Goes back to R.Floyd and C.A.R. Hoare Given a language grammar Given proof rules for each of the grammar clauses for commands We construct our proofs in a form of proof tableaux 8 4

A Core Programming Language S ::= x=e S;S if B {S} else {S} while B {S} B ::= true false (!B) (B&B) (B B) (E<E) E ::= n x (-E) (E-E) (E+E) (E*E) n is any numeral x is any variable 9 A Program For Computing a Factorial Factorial( x ) { y = 1; z = 0; while( z!= x) { z = z + 1; y = y * z; } } 0! 1 ( n+ 1)! ( n+ 1) n! 10 5

Composition Rule { P} S1{ Q} { Q} S2{ R} { PS } ; S{ R} 1 2 S 1 and S 2 are program fragments In order to prove {P} S 1 ;S 2 {R} we need to find an appropriate Q Then we prove {P} S 1 {Q} and {Q}S 2 {R} separately 11 Assignment { P E } x = E { P } x No premises => it is an axiom! We wish to know that P holds in the state after the assignment x = E P[E/x] means the formula obtained by taking P and replacing all occurrences of x with E P with E in place of x 12 6

Assignment: Flawed Understanding { P E } x = E { P } x If P holds in a state in which we perform the assignment x = E, then P[E/x] holds in the resulting state We replace x by E Do we perform this replacement of occurrences of x in a condition on the starting state by E? 13 Assignment: Correct Understanding { P E } x = E { P } x Do we perform this replacement of occurrences of x in a condition on the starting state by E? No, we need to prove something about the initial state in order to prove that P holds in the resulting state Whatever P says about x but applied to E must be true in the initial state 14 7

Assignment: Examples { 2 = 2} x = 2{ x = 2} If we want to prove x=2 after the assignment x=2, then we must be able to prove that 2=2 before it { 2 = y} x = 2{ x = y} If we want to prove x=y after the assignment x=2, then we must be able to prove that 2=y before it 15 Assignment: Exercises { x+ 1= 2} x = x+ 1{ x = 2} { x + 1= y} x = x+ 1{ x = y} { x+ 1> 0 y > 0} x = x+ 1{ x > 0 y > 0} 16 8

Assignment This assignment axiom is best applied backward than forward in the verification process We know Q and wish to find P s.t. {P}x=E {Q} easy { P E } x = E { P } Set P to be Q[E/x] x If we know P and want to find Q s.t. {P} x=e {Q} very difficult!!! 17 IF-Statement Rule { P B} S1{ Q} { P B} S2{ Q} { P} if B { S } else { S }{ Q} 1 2 S 1 and S 2 are program fragments Decompose the if rule into two triples Then we prove these triples separately 18 9

WHILE-Statement Rule { P B} S{ P} { P} while B { S}{ P B} S is a program fragment that is executed multiple times in the while loop We don t know how many times S is gonna be executed or whether it terminates at all P is a loop invariant 19 Implied Rule { } S{ Q} l-- -- ' ' P P P l Q Q ' ' { P } S{ Q} Implied rule allows the precondition to be strengthened We assume more than we need to The postcondition may be weakened We conclude less than we are entitled to 20 10

A Program For Computing a Factorial Factorial( x ) { y = 1; z = 0; while( z!= x) { z = z + 1; y = y * z; } } 0! 1 ( n+ 1)! ( n+ 1) n! Let s Prove It!!! Let s Prove It!!! 21 Proof Tableaux What is good about them? Tree structure We think of a program as a sequence of code fragments We interleave the program code with intermediate formulae called midconditions Is it easy to read proof tableaux? Is there an alternative? 22 11

Division With Remainder Example { x 0 y 0} a = 0; b= x; ( b y) while { } b= b y; a= a+ 1; { x = a y+ b b 0 b< y} Invariant: { x= a y+ b b 0} DivProg 23 Invariant How to start the proof? Heuristics: Find invariant for each loop. For this example: x=a*y+b x>=0 Note: total correctness does not hold for y=0 Total correctness (with y>0) should be proved separately. 24 12

Proof { x= a y+ x x 0} b= x{ x= a y+ b b 0} 1 { x= 0 y+ x x 0} a= 0{ x= a y+ x x 0} 2 { x= 0 y+ x x 0} a= 0; b= x{ x= a y+ b x 0} 3 25 Proof { x= ( a+ 1) y+ b b 0} a= a+ 1{ x= a y+ b b 0} { ( 1) 0} x= ( a+ 1) y+ b b 0 x= a+ y + b y b y b= b y { } { ( ) } { x= a y+ b b 0} x= a+ 1 y + b y b y 0 b= b y; a= a+ 1 4 5 6 26 13

Consequence rules Strengthen a precondition Weaken a postcondition { } { } { RSQ } { } R P P S Q { } { } { PSR } { } PSQ Q R 27 Proof ( ) ( ) { } { x= a y+ b b 0} ( ) x= a y+ b b 0 b y x= a+ 1 y+ b y b y 0 x= a y + b b 0 b y b= b y; a= a+ 1 consequence, 6, 7 { x = a y + b b } ( b y) b = b y; a = a + 1 0 while { { x = a y + b b 0 b < y} while, 8 7 8 9 28 14

Proof { x = 0 y + x x 0} DivPro { x = a y + b b 0 b < y} composition, 3,9 ( x 0 y 0) ( x= 0 y+ x x 0) { x = 0 y + x x 0} DivPro { x = a y + b b 0 b < y} consequence g g 10 11 12 29 Soundness Hoare logic is sound in the sense that everything that can be proved is correct! This follows from the fact that each axiom and proof rule preserves soundness 30 15

Completeness A proof system is called complete if every correct assertion can be proved Propositional logic is complete No deductive system for the standard arithmetic can be complete (Godel) 31 And for Hoare s logic? Let S be a program and P its precondition Then {P} S { } means that S never terminates when started from P This is undecidable Thus, Hoare s logic cannot be complete 32 16

General Observations If we can prove programs then we represent them as mathematical objects Does it mean that computer programmers are like mathematicians? Mathematicians try to improve their confidence in the correctness of theorems They use chain of formal logic statements to achieve this goal 33 Is Proof = Program? By verifying a program we increase our confidence in it So, it is like verifying the correctness of a theorem, right? The critical piece here is a social process that governs the acceptance of a theorem It is completely different between mathematical theorems and verified program 34 17

Mathematical Process Mathematicians publish about 200,000 theorems each year Are all of them correct and/or accepted? Multiple examples of famous mathematicians who announced and published proofs of theorems that were discredited later Sometimes after many, many years! Mathematicians make a lot of mistakes! 35 Who Corrects Those Mistakes? Examples of contradictory results from published complicated proofs are well-known Only mathematicians can correct their errors, but who verifies the correctness of corrections? A proof does not in itself significantly raise our confidence in the probable truth of the theorem it purports to prove 36 18

What About Algebraic Proof? Many examples confirm that proofs that consist solely of calculations are not necessarily correct It is not the question of how do theorems get believed? It is a question of what is it we believe when we believe a theorem? 37 Long Proofs Given a proof that occupies 2,000 pages, how long would it take to verify its correctness? What is a value of a long and complicated proof? How social process works for mathematicians? What is a fundamental difference between mathematicians and computer scientists doing proofs? 38 19

Why Do We Need Program Verification? Testing can never show the absence of errors, only their presence Software errors can cause major disasters especially in critical systems Math is used to state program properties and to prove program correct for all inputs However, program verification is expensive and has other drawbacks 39 Man and Machines What parts of program verifications cannot be replaced by machines? How to choose what properties to prove? How to find errors in specifications? Is the proof process correct? 40 20

Tool-Assisted Verification We can use tools that mechanize the deduction process If we have executable specifications then we can use tools that assist us in debugging these specifications When doing proof of program correctness we can use theorem provers to ensure proof correctness 41 Limitations of Program Verification We have only limited ways to convince ourselves that we are given a correct spec Even with the right specification we can prove only the correctness of mathematical abstraction, never of the system running in the real world There is a significant cost associated with program correctness proofs Not all systems are equally critical 42 21

Cost and Assurance of Formal Methods Assurance Testing Executable Specs Run-time verification, spec-based certification, and scalable methods Search and Bounded model checking Model Checking Theorem Proving Effort 43 Believing Software People cannot create perfect mechanisms Use social processes to create reliable structures This is what most engineers do Computing structures are not Perfect The energy that can be wasted to make them perfect, is limited 44 22

Homework Mandatory R. De Millo, R. Lipton, and A. Perlis. "Social processes and proofs of theorems and programs," Communications of the ACM, 22(5):271-280, May 1979 R. Floyd, `Assigning meaning to programs', Proc. Symposium on Applied Mathematics, American Mathematical Society, 1967, Vol. 1, pp. 19--32. J. Fetzer. "Program verification: The very Idea," Communications of the ACM, Vol. 31. No. 9. pp. 1049-1063. Downloadable from http://www.swt.edu/~mg43/reading.html Optional 1. Michael Huth and Mark Ryan, Logic in Computer Science: Modelling and Reasoning about Systems, Cambridge University Press, November 1999. 45 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback