Software Verification 1 Deductive Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität und Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Folie 2 H. Schlingloff, Software-Verifikation I Propositional Logic A formal specification method consists of three parts  syntax, i.e., what are well-formed specifications  semantics, i.e., what is the meaning of a specification  calculus, i.e., what are transformations or deductions of a specification Propositional logic: probably the first and most widely used specification method  dates back to Aristotle, Chrysippus, Boole, Frege, …  base of most modern logics  fundamental for computer science

Folie 3 H. Schlingloff, Software-Verifikation I Syntax of Propositional Logic Let Ρ be a finite set {p 1,…,p n } of propositions and assume that ,  and (, ) are not in Ρ Syntax PL ::= Ρ |  | (PL  PL)  every p  is a wff   is a wff („falsum“)  if  and  are wffs, then (  ) is a wff  nothing else is a wff

Folie 4 H. Schlingloff, Software-Verifikation I Remarks Ρ may be empty  still a meaningful logic! Minimalistic approach  infix-operator  necessitates parentheses  other connectives can be defined as usual ¬  ≙ (    )(linear blowup!) Τ ≙ ¬  (  ) ≙ (¬  ) (  ) ≙ ¬(¬  ¬  ) ≙ ¬(  ¬  ) (  ) ≙ ((  )  (  )) (exponential blowup!)  operator precedence as usual  literal = a proposition or a negated proposition

Folie 5 H. Schlingloff, Software-Verifikation I Exercise Abbreviations ¬  ≙ (    ) also ~  Τ ≙ ¬  (  ) ≙ (¬  ) also (  +  ), (  |  ), (  v  ) (  ) ≙ ¬(¬  ¬  ) ≙ ¬(  ¬  ) also (  *  ), (  &  ), (  ^  ) (  ) ≙ ((  )  (  )) also (   ), (   ) Write ((p  q)  ¬p) unabbreviated

Folie 6 H. Schlingloff, Software-Verifikation I Choice of the Signature Te set Ρ={p 1,…,p n } of propositions is also called the signature of the logic The choice of Ρ often is the decisive abstraction step for modelling a system  it determines which aspects are “accessible” to the specification  Wittgenstein: “die Welt ist alles was der Fall ist”; the world consists of all true propositions  e.g., sun-is-shining, pot-on-stove, line-busy, button_pressed, window5infocus, motor-on, …  names should be chosen with consideration

Folie 7 H. Schlingloff, Software-Verifikation I Semantics of Propositional Logic Propositional Model  Truth value universe U: {true, false}  Interpretation I: assignment Ρ ↦ U  Model M: (U,I) Validation relation ⊨ between model M and formula   M ⊨ p if I(p)=true  M ⊭   M ⊨ (  ) if M ⊨  implies M ⊨  M validates or satisfies  iff M ⊨    is valid ( ⊨  ) iff every model M validates    is satisfiable (SAT(  )) iff some model M satisfies 

Folie 8 H. Schlingloff, Software-Verifikation I Propositional Calculus Various calculi have been proposed  boolean satisfiability (SAT) algorithms  tableau systems, natural deduction,  enumeration of valid formulæ Hilbert-style axiom system ⊢ (  (  )) (weakening) ⊢ ((  (  ))  ((  )  (  ))) (distribution) ⊢ (¬¬  ) (excluded middle) , (  ) ⊢  (modus ponens) Derivability  All substitution instances of axioms are derivable  If all antecedents of a rule are derivable, so is the consequent

Folie 9 H. Schlingloff, Software-Verifikation I An Example Derivation Show ⊢ (p  p) (1) ⊢ (p  ((p  p)  p))  ((p  (p  p))  (p  p)) (dis) (2) ⊢ (p  ((p  p)  p)) (wea) (3) ⊢ ((p  (p  p))  (p  p)) (1,2,mp) (4) ⊢ (p  (p  p)) (wea) (5) ⊢ (p  p) (3,4,mp)

Folie 10 H. Schlingloff, Software-Verifikation I Correctness and Completeness Correctness: ⊢   ⊨  Only valid formulæ can be derived  Induction on the length of the derivation  Show that all axiom instances are valid, and that the consequent of (mp) is valid if both antecedents are Completeness: ⊨   ⊢  All valid formulæ can be derived  Show that consistent formulæ are satisfiable ~ ⊢ ¬   ~ ⊨ ¬ 

Folie 11 H. Schlingloff, Software-Verifikation I Consistency and Satisfiability A finite set Φ of formulæ is consistent, if ~ ⊢ ¬Λ  Φ  Extension lemma: If Φ is a finite consistent set of formulæ and  is any formula, then Φ  {  } or Φ  {¬  } is consistent  Assume ⊢ ¬(Φ  ) and ⊢ ¬(Φ  ¬  ). Then ⊢ (Φ  ¬  ) and ⊢ (Φ  ¬¬  ). Therefore ⊢ ¬Φ, a contradiction. Let SF(  ) be the set of all subformulæ of  For any consistent , let  # be a maximal consistent extension of  (i.e.,  # and for every  SF(  ), either  # or ¬  #. (Existence guaranteed by extension lemma)

Folie 12 H. Schlingloff, Software-Verifikation I Canonical models For a maximal consistent set  #, the canonical model CM(  # ) is defined by I(p)=true iff p  #. Truth lemma: For any  SF(  ), I(  )=true iff   #  Case  =p: by construction  Case  =  : Φ  {  } cannot be consistent  Case  =(  1   2 ): by induction hypothesis and derivation Therefore, if  is consistent, then for any maximal consistent set  #, CM(  # ) ⊨   any consistent formula is satisfiable  any unsatisfiable formula is inconsistent  any valid formula is derivable

Folie 13 H. Schlingloff, Software-Verifikation I Example: Combinational Circuits Multiplexer  S selects whether I 0 or I 1 is output to Y  Y = if S then I 1 else I 0 end  (Y  ((S  I 1 )  (¬S  I 0 ))) Pictures taken from: I0I0 I1I1 SY

Folie 14 H. Schlingloff, Software-Verifikation I Boolean Specifications Evaluator (output is 1 if input matches a certain binary value) Encoder (output i is set if binary number i is on input lines) Majority function (output is 1 if half or more of the inputs are 1) Comparator (output is 1 if input0 > input1) Half-Adder, Full-Adder, …

Folie 15 H. Schlingloff, Software-Verifikation I Software Example Code generator optimization  if (p and q) then if (r) then x else y else if (q or r) then y else if (p and not r) then x else y Loop optimization

Folie 16 H. Schlingloff, Software-Verifikation I Puzzle Example: Ivor Spence’s Sudoku

Folie 17 H. Schlingloff, Software-Verifikation I How Does He Do It? Propositional modelling  9 propositions per cell: proposition “ijk” indicates that row i, column j contains value k  individual cell clauses - each cell contains exactly one value  (ij1 v ij2 v … v ij9) ^ ~(ij1 ^ ij2) ^ … ^ ~(ij8 ^ ij9)  row and column clauses - each row i contains each number, exactly once  (i11 v … v i91) ^ (i12 v … v i92) ^ … (i19 v … v i99)  j 1  j 2, k=1..9: ~(ij 1 k ^ ij 2 k) - same for columns  block clauses – similar  pre-filled cells – easy SAT solving  729 propositions, ca clauses  few seconds

Folie 18 H. Schlingloff, Software-Verifikation I Verification of Boolean Functions Latch-Up: can a certain line go up?  does (  ¬L 0 ) hold?  is (  L 0 ) satisfiable? Given ,  ; does (  ) hold?  usually reduced to SAT: is ((  ¬  )  (¬  )) satisfiable?  efficient SAT-solver exist (annual competition)  partitioning techniques any output depends only on some inputs  find which ones  generate test patterns (BIST: built-in-self-test)

Folie 19 H. Schlingloff, Software-Verifikation I Optimizing Boolean Functions Given  ; find  such that (  ) holds and  is „optimal“  much harder question  optimal wrt. speed / size / power /…  translation to normal form (e.g., OBDD)