1. Revisiting Predicate Logic LN chapters 3,4
STV 2016/17

2. Testing vs verification
Testing  practical, but incomplete.
Verification: here it means proving that the program is correct, hence complete.
Undecidable (cannot be generically automated)
There are tools for computer assisted proving ; here we will do our exercises with hands.
There are sub-problems that can be solved automatically. E.g. : type checking, verification of finite state systems. More on such automation in Master courses like Program Semantics & Verification.

3. Our learning goals
To introduce you to Hoare logic: fundamental for imperative languages.
To learn to formulate your arguments formally.
To introduce you to some concepts such as loop invariants, which could be useful for proving your own algorithms later in your master research.

4. Overall Plan
Revisiting Predicate Logic, also introducing the notation we are going to use.
Basic Hoare Logic
More on proving the correctness of loops.
Reasoning about more advanced language constructs, e.g. program calls, exceptions, OO.

5. An “informal” proof Claim: 2*x is even. Proof: by induction.
Base case is trivial.
2*(x+1) = 2*x + 2 is even.
Done.

6. Fomality
A proof is (really) formal if can be checked by a computer  making sure that the conclusion is really sound.
Informal proof  can’t be checked by a computer, easier to read by a human, but may also be ambiguous.
We will train at some level of more formal proof: still human-readable but more precise than informal proof.

7. Elements of our verification approach
A simple programming language uPL
Specifications are written in formulas of (1st order) predicate logic.
Hoare logic to reduce program + specification to verification conditions (formulas in predicate logic).
Use predicate logic to prove the verification conditions.

8. Overview Propositions and predicates Formulas Quantification
Inference rules
Proof
Proofs involving quantification
Some proof techniques:
Contradiction
Equational
Case split
Induction

9. Our Formula-Language Constituents: (i : 0≤i<n : a[i] = a[0])
Variables // x,y,z ...
Constants // true, false, 0, 1…
Arrays // a[i]
Operators // +,-, <, =, /\ ,  ...
Quantifiers   , quantified formulas are written like this:
(i : 0≤i<n : a[i] = a[0])
Idealized arrays: they are of infinite size.

10. Quantification Domain
Basic forms : (x : : Q x) and (x : : Q x)
Derivative form (and its definition) :
(x : P x : Q x) = (x : : P x  Q x)
(x : P x : Q x) = (x : : P x /\ Q x)
Terminology: domain and range parts.
Notice that the def. above implies :
(i :: a[i]>0) = (i : true : a[i]>0)
(i :: a[i]>0) = (i : true : a[i]>0)

11. Quantifying over Empty
Quantifying over “false” (“empty domain”) ; their meaning is defined as follows :
(x : false : Q x)
= (x : : false  Q x)
= (x : : true)
= true
(x : false : Q x)
= (x : : false /\ Q x)
= (x : : false)
= false

12. Scoping and Nesting Scope: b[i] /\ (i : i>0 : b[i])
Bounded variable
Free variable
Nested quantification: (i :: (j :: a[j] > a[i]))

13. How do we prove our claims ?
In logic we use inference rules.
Usually has this form:
A proof is essentially just a series of invocations of inference rules, that produces our claim from known facts and assumptions.
premise-1 , premise-2 , … conclusion

14. Some examples Modus Ponens P , P  Q ----------------------- Q
 elimination ( instantiation) P a , (x : P x : Q x) Q a

15. Proof format
Stick to the proof format as in the LN (so that we have certainty when evaluating your work).
In order to make proofs more explicit, the format introduces some redundancy and verbosity. Can be a bit “overwhelming”, but for now, stick with it.
The format will allow you to mix a deductive style and an equational style of reasoning in one proof.
Deductive reasoning: one way (from assumptions to conclusion)
Equational reasoning: bi-directional.
Many proofs that we ar going to be will be “quite trivial”, but remember that our goal is to train you in formal reasoning (of the correctness of your program). So your “mental process” is just as important.

16. Proof format PROOF main [A1:] (i : i>0 : a[i]=i ) [A2:] x > 10
[G: ] a[x] > 10
BEGIN
1. { follows from A2 } x>0
2. { -elim on A1 using 1 } a[x]=x
3. { from 2, A2 } a[x]>10
END
If successful proves : A1 /\ A2  G

17. Subproof and scope PROOF main … (k: 0≤k : b[k] ) ... PROOF sub
[A:] some assumption on x …
… 0 ≤ x
Inferring b[x] within “sub” is ok.
7. // Hey, “sub” says 0≤x, so combining it with 5 then I can infer b[x] Not sound !

18. Introducing and Eliminating Quant.
Eliminating  : P a , (x : P x : Q x) Q a
Introducing  : P a , Q a (x : P x : Q x )
How about introducing  and eliminating  ??

19. Introducing 
PROOF
[ANY k] // enforce scope
[A:] k>0
[G:] b[k]
BEGIN
{ follows from A } k0
{  elim main.A , 1 } b[k]
END
PROOF main [A:] (k: k0 : b[k] ) [G:] (k: k>0: b[k] )
1. { how ?? } (k: k>0: b[k] )
PROOF sub
[A:] P x
[ G] Q x … Success! Conclusion : P x  Q x
If x is unconstrained in parent proof, e.g. it is a fresh variable, we can infer: (x : P x : Q x )

20. Proof by Contradiction
Let’s prove this claim: a[i]>i /\ (i : 0≤i : a[i] = i)  ¬(i : 0≤i : a[i] > i)
We’ll prove this by contradiction. Based on this rule: Q  false Q

21. Top level proof PROOF main [A1:] a[i]>i
[A2:] (i : 0≤i : a[i] = i) [G: ] (i : 0≤i : a[i] > i) BEGIN 1. { see subproof } (i : 0≤i : a[i] > i)  false
2. { rule of contradiction on 1 }  (i : 0≤i : a[i] > i) END

22. Eliminating  PROOF [A:] (k:: b[k]  a[k]) … (k:: b[k])  b[k]
10 . [SOME k] b[k] // be careful
10 . [SOME m] b[m] // m is fresh name
10. // can we infer something from 5 ?
10 . [SOME m] b[m] // make the step a bit more explicit
11. {  elim, A , 10 } a[m]

23. Equational Proof EQUATIONAL PROOF [A:] 0 ≤ n
[D:] found n = (i : 0≤i<n : b[i])
found (n + 1)
= { def. found } (i : 0 ≤ i < n+1 : b[i]) …
= found n /\ b[n]
END

24. Proof with case split
Suppose that to prove Q, we identify N-cases, and we want to prove Q separately for each case.
Based on this inference rule:
Example, prove this: b[n] /\ (i : i<n : b[i])  (i : i<n+1 : b[i])
P1 \/ P2 , P1  Q , P2  Q Q

25. Top Level PROOF main [A1:] b[n] [A2:] (i : i < n : b[i])
[G:] (i : i<n+1 : b[i])
BEGIN
1. { see the proof below } G
PROOF sub
[ANY i]
[A:] i < n+1
[G:] b[i]
1 { follows from A } i<n \/ i=n
2 { see subproof } i<n  b[i]
3 { see subproof } i=n  b[i]
4 { Case Split on 1,2,3 } b[i]
END

26. Proof with induction
Induction over “natural numbers” is based on this rule: P , (n: 0≤n : P n  P (n+1)) (n: 0≤n : P n)

27. Proof with induction PROOF 1. { trivial } 2*0 mod 2 = 0
{ see below } (n: 0≤n: 2*n mod 2 = 0  2*(n+1) mod 2 = 0) PROOF [ANY n] [A1:] 0≤n [A2:] 2*n mod 2 = (k: 0≤k : 2*n = 2*k)
[SOME k] 2*n = 2*k
2*(n+1) = 2*(k+1)
(m: 0≤m : 2*(n+1) = 2*m)
2*(n+1) mod 2 = 0
{ induction, 1,2} (n: 0≤n: 2*n mod 2 = 0)

28. Lists

29. Why lists ?
Our arrays are infinite. On the other hand, we often need to specify properties of finite segments of an array  we will use a list.
So, we add list to Form.
For convenience, we’ll use Haskell like notations to express properties of lists.

30. Some notation [ ], [1, 2, 3], x:s, s ++ t Enumeration:
[a .. b] // a,b integers
[a .. b)
List comprehension:
[ 2*i | i from s , isOdd i ]

31. List functions
On lists we can define functions like SUM, MAX, COUNT etc: MAX [x] = x MAX (x:s) = x max MAX s if x non-empty.
We can map array over finite domain to list, and thus can define notions like SUM, MAX etc via lists.

32. Converting array to list
Via this def: a s = [ a[i] | i from s ] // a is array, s is list of int
So, now we can express e.g. :
SUM (a[0..n))
COUNT [ x | x from a[0..n) , isOdd x]

33. Domain split
For , : (i : P1 i \/ P2 i : Q i) = (i : P1 i : Q i) \/ (i : P2 i : Q i) (i : P1 i \/ P2 i : Q i) = (i : P1 i : Q i) /\ (i : P2 i : Q i) P2 i P2 i i P1 P1
Inspire solutions for the problem of computing  over P1+P2 by dividing it into smaller problems.

34. Domain Split for 
Analogous, e.g. : (i : P1 i \/ P2 i : i) = (i : P1 i : i) (i : P2 i : i) But only if P1 and P2 are disjoint!
On the other hand: SUM (s ++ t) = SUM s + SUM t
Define SUM recursively on list :
SUM [] = 0 SUM (x:s) = x + SUM s

35. Now we can do SUM-split on array
SUM (a[0 .. k+1))
= { enumeration split, only if k0 } SUM (a([0..k) ++ [k])) = { comprehension split } SUM (a[0..k) [a[k]]) = { theorem over SUM } SUM (a[0..k)) SUM [a[k]]
= { def. SUM } SUM (a[0..k)) a[k]
Split/distributivity thm:
SUM (s ++ t) = SUM s + SUM t

36. Some standard ‘splitting’ thms
SUM (s ++ t) = SUM s + SUM t
COUNT (s ++ t) = COUNT s + COUNT t
MAX (s ++ t) = MAX s max MAX t // provided s,t are non-empty

37. Induction Some standard thms in your Appendix for convenience.
Some properties may require induction to prove. We’ll use this list-induction rule: P [] (x,s:: P s  P(x:s)) (s:: P s)
Simple example, prove: COUNT s  0 , for all s

38. Top level proof PROOF main [G:] (s :: COUNT s  0) BEGIN
1 { from def. COUNT } COUNT []  0
2 { subproof } (x,s :: COUNT s  0  COUNT (x:s)  0 )
PROOF Pinduct
[ANY x,s]
[A:] COUNT s  0
[G:] COUNT (x:s)  0
...
3 { list-induction on 1 and 2 } (s :: COUNT s  0) END

39. Reasoning about functional programs
Form with list extension can also be used to reason about functional programs 
Example, two versions of list reversal : rev [] = [] rev (x : s) = rev s ++ [x] rv t [] = t rv t (x : s) = rv (x : t) s Prove: rev s = rv [] s , for all s
In some FP languages rv is a lot faster.

40. Top level proof PROOF main [G:] (s :: rev s = rv [] s) BEGIN
rev (x:s)
= rev s ++ [x] = rv [] s ++ [x] = ?? Stuck!
PROOF main
[G:] (s :: rev s = rv [] s)
BEGIN
1 { … } rev [] = rv [] []
2 { subproof } (x,s :: (rev s = rv [] s)  (rev (x:s) = rv [] (x:s)))
PROOF Pinduct
...
3 { list-induction on 1 and 2 } G // implicitly using G as shorthand END

41. Solution ? rev (x:s) = rev s ++ [x] = rv [] s ++ [x] = ?? Stuck!
Prove lemma: rv [] s ++ [x] = rv [x] s for all x,s.
= rv [x] s =
rv [] (x:s)
Done.
You can do as in the next slide; or try a more general lemma here, namely (rv v s) ++ w = rv (v++w) s, which implies the above lemma.
Proof:
base case ok
induction case
(rv v (x:s)) ++ w
= { def rv }
(rv (x:v) s) ++ w
= { IH }
rv (x:v++w) s
= { def. rv }
rv (v++w) (x:s)
But proving the above lemma directly with induction seems to get us stuck again.

42. Prove a more general result?
What if we try to prove this: (s:: (t:: rev s ++ t = rv t s ))
Implies the original goal (simply take t=[]).
We get a stronger induction hypothesis.
But of course now we have to prove a stronger statement as well.

43. The induction case
POOF induction-case [ANY x,s] [A:] (t:: rev s ++ t = rv t s) [G:] (t:: rev (x:s) ++ t = rv t (x:s))
PROOF
[ANY t]
EQUATIONAL PROOF
rev (x:s) ++ t
= { def. Rev }
rev s ++ [x] ++ t
= { A }
rv ([x]++t) s
= { def. rv }
rv t (x:s)
END