Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Folie 2 H. Schlingloff, Software-Verifikation I Predicate Logic used to formalize mathematical reasoning  dates back to Frege (1879) „Begriffsschrift“ - „Eine der arithmetischen nachgebildete Formelsprache des reinen Denkens“  individuals, predicates (sets of individuals), relations (sets of pairs),...  quantification of statements (quantum = how much) - all, none, at least one, at most one, some, most, many,... - need for variables to denote “arbitrary” objects  In contrast to propositional logic, first-order logic adds - structure to basic propositions - quantification on (infinite) domains

Folie 3 H. Schlingloff, Software-Verifikation I FOL: Syntax New syntactic elements  R is a set of relation symbols, where each p  R has an arity n  N 0  V is a denumerable set of (first-order or individual) variables  An atomic formula is p(x 1,…,x n ), where p  R is n-ary and (x 1,…,x n )  V n. Syntax of first-order logic FOL ::= R ( V n ) |  | (FOL  FOL) |  V FOL

Folie 4 H. Schlingloff, Software-Verifikation I FOL: Syntax Abbreviations and parenthesis as in PL  Of course,  x  = ¬  x ¬  Propositions = 0-ary relations Predicates = 1-ary relations  if all predicates are propositions, then FOL = PL Examples   x  x  x (p()   x(q()  p()))   x  x  y ¬ p(x)   x  y (p(x,y)  p(y,x))  (  x  y p(x,y)   y  x p(x,y))

Folie 5 H. Schlingloff, Software-Verifikation I Typed FOL Often, types/sorts are used to differentiate domains Signature  =( D, F, R ), where  D is a (finite) set of domain names  F is a set of function symbols, where each f  F has an arity n  N 0 and a type D  D n ary functions are called constants  R is a set of relation symbols, where each p  R has an arity n  N 0 and a type D  D n - unary relations are called predicates - propositions can be seen as 0-ary relations Remark: domains and types are for ease of use only (can be simulated in an untyped setting by additional predicates)

Folie 6 H. Schlingloff, Software-Verifikation I Terms and Formulas Let again V be a (denumerable) set of (first-order) variables, where each variable has a type D  D (written as x:D) (for any type, there is an unlimited supply of variables of that type) The notions Term and Atomic Formula AtF are defined recursively:  each variable of type D is a term of type D  if f is an n-ary function symbol of type (D 1,…D n,D n+1 ) and t 1, …, t n are terms of type D 1, …, D n, then f(t 1,…,t n ) is a term of type D n+1  if p is an n-ary relation symbol of type (D 1,…D n ) and t 1, …, t n are terms of type D 1, …, D n, then p(t 1,…,t n ) is an atomic formula Revised syntax of first-order logic FOL ::= AtF |  | (FOL  FOL) |  V : D FOL

Folie 7 H. Schlingloff, Software-Verifikation I Examples  x:Boy  y:Girl loves(x,y)  x:Human  y:Human (needs(x,y)  loves(y,x))  x,y:Int equals(plus(x,y), plus(y,x))  x:Int ¬ equals(zero(), succ(x)) …

Folie 8 H. Schlingloff, Software-Verifikation I FOL: Models (We give the typed semantics only) First-Order Model  Let a universe U be some nonempty set, and let  D U  U for every D  D be the domain of D  Interpretation I: assignment F ↦ U n+1 R ↦ U n  Valuation V: assignment V ↦ U interpretations and valuations must respect typing  Model M: (U,I,V)

Folie 9 H. Schlingloff, Software-Verifikation I FOL: Semantics Given a model M: (U,I,V), the value t M of term t (of type D) can be defined inductively  if t=x  V, then t M =V(x)  if t=f(t 1,…,t n ), then t M =I(f)(t 1 M,…,t n M ) Likewise, the validation relation ⊨ between model M and formula   M ⊨ p(t 1,…,t n ) if (t 1 M,…,t n M )  I(p)  M ⊭  ; M ⊨ (  ) if M ⊨  implies M ⊨   M ⊨  x  if M‘ ⊨  for some M‘ which differs at most in V(x) from M Validity and satisfiability is defined as in the propositional case

Folie 10 H. Schlingloff, Software-Verifikation I Examples ⊨  x   x  ⊨  x    x    x (    ) ⊨  x    x    x (    ) ⊨  x  y    y  x  ⊨  x    (x:=t) If ⊨ , then ⊨  x 

Folie 11 H. Schlingloff, Software-Verifikation I FOL: Calculus A sound and complete axiom system for FOL:  all substitution instances of axioms of PL  modus ponens: , (  ) ⊢   ⊢ (  (x:=t)  x  ) instantiation  (  ) ⊢ (  x  ) if x doesn‘t occur in  particularization Relaxation: particularization may be applied if there is no free occurrence of x in  ; i.e., x may occur in  inside the scope of a quantification

Folie 12 H. Schlingloff, Software-Verifikation I FOL: Completeness As in the propositional case, correctness is easy ( ⊢   ⊨ , “every derivable formula is valid”) Completeness ( ⊨   ⊢ , “every valid formula is derivable”) follows with a similar proof as previously: given a consistent formula, construct a model satisfying it ~ ⊢ ¬   ~ ⊨ ¬  Extension lemma: If Φ is a finite consistent set of formulæ and  is any formula, then Φ  {  } or Φ  {¬  } is consistent Needs additionally: If Φ is any consistent set of formulæ and  x  is a formula in Φ, then Φ  {  (t)} is consistent for any term t From this, a canonical model can be constructed as before

Folie 13 H. Schlingloff, Software-Verifikation I Example Consider the formula  xyz ((p(x, y) ∧ p(y, z)) → p(x, z)) ∧  x ¬p(x, x) ∧  x p(x, f(x) ) This formula is satifiable only in infinite models

Folie 14 H. Schlingloff, Software-Verifikation I FOL: Undecidability Completeness means the set of valid formulæ can be recursively enumerated Turing showed that the invalid formulæ are not r.e., i.e., there is no algorithm deciding whether a formula is valid or not  strictly speaking, FOL = with at least one binary relation  certain sublanguages of FOL are still decidable

Folie 15 H. Schlingloff, Software-Verifikation I FOL = Equality is not definable in FOL First order logic with equality contains an additional (binary) relation == which is always interpreted as equality of domain elements  Written in infix notation, i.e. (x==y) for ==(x,y) Axioms  (x==x) reflexivity  (x==y  (y==z  x==z)) transitivity  (x==y  y==x) symmetry  (x==y  (    (y:=x))) substitution

Folie 16 H. Schlingloff, Software-Verifikation I Presburger arithmetic Given a signature (N, 0,´,+) of FOL =, define   n (  n´==0)   m  n (m´==n´  m==n)  p(0)   n(p(n)  p(n´))   n p(n) If the third axiom holds for all p, then this uniquely characterizes the natural numbers (“monomorphic”)   n (n+0==n)   m  n ((m+n)+1 == m+(n+1)) This theory is decidable!

Folie 17 H. Schlingloff, Software-Verifikation I Peano arithmetic Given the signature (N, 0,´,+,*) and above axioms, plus   n (n*0==0)   m  n (m*n´ == (m*n)+m) This theory is undecidable

Folie 18 H. Schlingloff, Software-Verifikation I Formalizing C in FOL Consider the following C program int gcd (int a, int b){ int c; while ( a != 0 ) { c = a; a = b%a; b = c; } return b; } Consider the following FOL formula  :  t:N (  a(t)==0  c(t+1)==a(t)  a(t+1)==b(t)%a(t)  b(t+1)=c(t)  a(t)==0  a(t+1)==a(t)  b(t+1)==b(t)  c(t+1)==c(t) ) In which way are these equivalent?

Folie 19 H. Schlingloff, Software-Verifikation I Correctness From this formalization, we expect that  ⊨  t (a(t)==0 → b(t)==gcd(a(0),b(0))) (partial correctness)  ⊨  t (a(t)==0  b(t)==gcd(a(0),b(0))) (total correctness) Can we prove these statements?

Folie 20 H. Schlingloff, Software-Verifikation I First order theorem proving Despite the undecidability of first order logic, provers have reached a remarkable proficiency  SPASS  Vampire  Otter, Prover9 Need (some) arithmetic solver