Revisiting Predicate Logic LN chapters 3,4 STV 2016/17

Testing vs verification Testing  practical, but incomplete. Verification: here it means proving that the program is correct, hence complete. Undecidable (cannot be generically automated) There are tools for computer assisted proving ; here we will do our exercises with hands. There are sub-problems that can be solved automatically. E.g. : type checking, verification of finite state systems. More on such automation in Master courses like Program Semantics & Verification.

Our learning goals To introduce you to Hoare logic: fundamental for imperative languages. To learn to formulate your arguments formally. To introduce you to some concepts such as loop invariants, which could be useful for proving your own algorithms later in your master research.

Overall Plan Revisiting Predicate Logic, also introducing the notation we are going to use. Basic Hoare Logic More on proving the correctness of loops. Reasoning about more advanced language constructs, e.g. program calls, exceptions, OO.

An “informal” proof Claim: 2*x is even. Proof: by induction. Base case is trivial. 2*(x+1) = 2*x + 2 is even. Done.

Fomality A proof is (really) formal if can be checked by a computer  making sure that the conclusion is really sound. Informal proof  can’t be checked by a computer, easier to read by a human, but may also be ambiguous. We will train at some level of more formal proof: still human-readable but more precise than informal proof.

Elements of our verification approach A simple programming language uPL Specifications are written in formulas of (1st order) predicate logic. Hoare logic to reduce program + specification to verification conditions (formulas in predicate logic). Use predicate logic to prove the verification conditions.

Overview Propositions and predicates Formulas Quantification Inference rules Proof Proofs involving quantification Some proof techniques: Contradiction Equational Case split Induction

Our Formula-Language Constituents: (i : 0≤i<n : a[i] = a[0]) Variables // x,y,z ... Constants // true, false, 0, 1… Arrays // a[i] Operators // +,-, <, =, /\ ,  ... Quantifiers   , quantified formulas are written like this: (i : 0≤i<n : a[i] = a[0]) Idealized arrays: they are of infinite size.

Quantification Domain Basic forms : (x : : Q x) and (x : : Q x) Derivative form (and its definition) : (x : P x : Q x) = (x : : P x  Q x) (x : P x : Q x) = (x : : P x /\ Q x) Terminology: domain and range parts. Notice that the def. above implies : (i :: a[i]>0) = (i : true : a[i]>0) (i :: a[i]>0) = (i : true : a[i]>0)

Quantifying over Empty Quantifying over “false” (“empty domain”) ; their meaning is defined as follows : (x : false : Q x) = (x : : false  Q x) = (x : : true) = true (x : false : Q x) = (x : : false /\ Q x) = (x : : false) = false

Scoping and Nesting Scope: b[i] /\ (i : i>0 : b[i]) Bounded variable Free variable Nested quantification: (i :: (j :: a[j] > a[i]))

How do we prove our claims ? In logic we use inference rules. Usually has this form: A proof is essentially just a series of invocations of inference rules, that produces our claim from known facts and assumptions. premise-1 , premise-2 , … ----------------------------------------------------------- conclusion

Some examples Modus Ponens P , P  Q ----------------------- Q  elimination ( instantiation) P a , (x : P x : Q x) ------------------------------------- Q a

Proof format Stick to the proof format as in the LN (so that we have certainty when evaluating your work). In order to make proofs more explicit, the format introduces some redundancy and verbosity. Can be a bit “overwhelming”, but for now, stick with it. The format will allow you to mix a deductive style and an equational style of reasoning in one proof. Deductive reasoning: one way (from assumptions to conclusion) Equational reasoning: bi-directional. Many proofs that we ar going to be will be “quite trivial”, but remember that our goal is to train you in formal reasoning (of the correctness of your program). So your “mental process” is just as important.

Proof format PROOF main [A1:] (i : i>0 : a[i]=i ) [A2:] x > 10 [G: ] a[x] > 10 BEGIN 1. { follows from A2 } x>0 2. { -elim on A1 using 1 } a[x]=x 3. { from 2, A2 } a[x]>10 END If successful proves : A1 /\ A2  G

Subproof and scope PROOF main … (k: 0≤k : b[k] ) ... PROOF sub [A:] some assumption on x … … 0 ≤ x Inferring b[x] within “sub” is ok. 7. // Hey, “sub” says 0≤x, so combining it with 5 then I can infer b[x] Not sound !

Introducing and Eliminating Quant. Eliminating  : P a , (x : P x : Q x) ------------------------------------- Q a Introducing  : P a , Q a ------------------------------ (x : P x : Q x ) How about introducing  and eliminating  ??

Introducing  PROOF [ANY k] // enforce scope [A:] k>0 [G:] b[k] BEGIN { follows from A } k0 {  elim main.A , 1 } b[k] END PROOF main [A:] (k: k0 : b[k] ) [G:] (k: k>0: b[k] ) 1. { how ?? } (k: k>0: b[k] ) PROOF sub [A:] P x [ G] Q x … Success! Conclusion : P x  Q x If x is unconstrained in parent proof, e.g. it is a fresh variable, we can infer: (x : P x : Q x )

Proof by Contradiction Let’s prove this claim: a[i]>i /\ (i : 0≤i : a[i] = i)  ¬(i : 0≤i : a[i] > i) We’ll prove this by contradiction. Based on this rule: Q  false -------------------- Q

Top level proof PROOF main [A1:] a[i]>i [A2:] (i : 0≤i : a[i] = i) [G: ] (i : 0≤i : a[i] > i) BEGIN 1. { see subproof } (i : 0≤i : a[i] > i)  false 2. { rule of contradiction on 1 }  (i : 0≤i : a[i] > i) END

Eliminating  PROOF [A:] (k:: b[k]  a[k]) … (k:: b[k])  b[k] 10 . [SOME k] b[k] // be careful 10 . [SOME m] b[m] // m is fresh name 10. // can we infer something from 5 ? 10 . [SOME m] b[m] // make the step a bit more explicit 11. {  elim, A , 10 } a[m]

Equational Proof EQUATIONAL PROOF [A:] 0 ≤ n [D:] found n = (i : 0≤i<n : b[i]) found (n + 1) = { def. found } (i : 0 ≤ i < n+1 : b[i]) … = found n /\ b[n] END

Proof with case split Suppose that to prove Q, we identify N-cases, and we want to prove Q separately for each case. Based on this inference rule: Example, prove this: b[n] /\ (i : i<n : b[i])  (i : i<n+1 : b[i]) P1 \/ P2 , P1  Q , P2  Q ------------------------------------------------------- Q

Top Level PROOF main [A1:] b[n] [A2:] (i : i < n : b[i]) [G:] (i : i<n+1 : b[i]) BEGIN 1. { see the proof below } G PROOF sub [ANY i] [A:] i < n+1 [G:] b[i] 1 { follows from A } i<n \/ i=n 2 { see subproof } i<n  b[i] 3 { see subproof } i=n  b[i] 4 { Case Split on 1,2,3 } b[i] END

Proof with induction Induction over “natural numbers” is based on this rule: P 0 , (n: 0≤n : P n  P (n+1)) ---------------------------------------------------------- (n: 0≤n : P n)

Proof with induction PROOF 1. { trivial } 2*0 mod 2 = 0 { see below } (n: 0≤n: 2*n mod 2 = 0  2*(n+1) mod 2 = 0) PROOF [ANY n] [A1:] 0≤n [A2:] 2*n mod 2 = 0 1. (k: 0≤k : 2*n = 2*k) [SOME k] 2*n = 2*k 2*(n+1) = 2*(k+1) (m: 0≤m : 2*(n+1) = 2*m) 2*(n+1) mod 2 = 0 { induction, 1,2} (n: 0≤n: 2*n mod 2 = 0)

Lists

Why lists ? Our arrays are infinite. On the other hand, we often need to specify properties of finite segments of an array  we will use a list. So, we add list to Form. For convenience, we’ll use Haskell like notations to express properties of lists.

Some notation [ ], [1, 2, 3], x:s, s ++ t Enumeration: [a .. b] // a,b integers [a .. b) List comprehension: [ 2*i | i from s , isOdd i ]

List functions On lists we can define functions like SUM, MAX, COUNT etc: MAX [x] = x MAX (x:s) = x max MAX s if x non-empty. We can map array over finite domain to list, and thus can define notions like SUM, MAX etc via lists.

Converting array to list Via this def: a s = [ a[i] | i from s ] // a is array, s is list of int So, now we can express e.g. : SUM (a[0..n)) COUNT [ x | x from a[0..n) , isOdd x]

Domain split For , : (i : P1 i \/ P2 i : Q i) = (i : P1 i : Q i) \/ (i : P2 i : Q i) (i : P1 i \/ P2 i : Q i) = (i : P1 i : Q i) /\ (i : P2 i : Q i) P2 i P2 i i P1 P1 Inspire solutions for the problem of computing  over P1+P2 by dividing it into smaller problems.

Domain Split for  Analogous, e.g. : (i : P1 i \/ P2 i : i) = (i : P1 i : i) + (i : P2 i : i) But only if P1 and P2 are disjoint! On the other hand: SUM (s ++ t) = SUM s + SUM t Define SUM recursively on list : SUM [] = 0 SUM (x:s) = x + SUM s

Now we can do SUM-split on array SUM (a[0 .. k+1)) = { enumeration split, only if k0 } SUM (a([0..k) ++ [k])) = { comprehension split } SUM (a[0..k) ++ [a[k]]) = { theorem over SUM } SUM (a[0..k)) + SUM [a[k]] = { def. SUM } SUM (a[0..k)) + a[k] Split/distributivity thm: SUM (s ++ t) = SUM s + SUM t

Some standard ‘splitting’ thms SUM (s ++ t) = SUM s + SUM t COUNT (s ++ t) = COUNT s + COUNT t MAX (s ++ t) = MAX s max MAX t // provided s,t are non-empty

Induction Some standard thms in your Appendix for convenience. Some properties may require induction to prove. We’ll use this list-induction rule: P [] (x,s:: P s  P(x:s)) --------------------------------------- (s:: P s) Simple example, prove: COUNT s  0 , for all s

Top level proof PROOF main [G:] (s :: COUNT s  0) BEGIN 1 { from def. COUNT } COUNT []  0 2 { subproof } (x,s :: COUNT s  0  COUNT (x:s)  0 ) PROOF Pinduct [ANY x,s] [A:] COUNT s  0 [G:] COUNT (x:s)  0 ... 3 { list-induction on 1 and 2 } (s :: COUNT s  0) END

Reasoning about functional programs Form with list extension can also be used to reason about functional programs  Example, two versions of list reversal : rev [] = [] rev (x : s) = rev s ++ [x] rv t [] = t rv t (x : s) = rv (x : t) s Prove: rev s = rv [] s , for all s In some FP languages rv is a lot faster.

Top level proof PROOF main [G:] (s :: rev s = rv [] s) BEGIN rev (x:s) = rev s ++ [x] = rv [] s ++ [x] = ?? Stuck! PROOF main [G:] (s :: rev s = rv [] s) BEGIN 1 { … } rev [] = rv [] [] 2 { subproof } (x,s :: (rev s = rv [] s)  (rev (x:s) = rv [] (x:s))) PROOF Pinduct ... 3 { list-induction on 1 and 2 } G // implicitly using G as shorthand END

Solution ? rev (x:s) = rev s ++ [x] = rv [] s ++ [x] = ?? Stuck! Prove lemma: rv [] s ++ [x] = rv [x] s for all x,s. = rv [x] s = rv [] (x:s) Done. You can do as in the next slide; or try a more general lemma here, namely (rv v s) ++ w = rv (v++w) s, which implies the above lemma. Proof: base case ok induction case (rv v (x:s)) ++ w = { def rv } (rv (x:v) s) ++ w = { IH } rv (x:v++w) s = { def. rv } rv (v++w) (x:s) But proving the above lemma directly with induction seems to get us stuck again.

Prove a more general result? What if we try to prove this: (s:: (t:: rev s ++ t = rv t s )) Implies the original goal (simply take t=[]). We get a stronger induction hypothesis. But of course now we have to prove a stronger statement as well.

The induction case POOF induction-case [ANY x,s] [A:] (t:: rev s ++ t = rv t s) [G:] (t:: rev (x:s) ++ t = rv t (x:s)) PROOF [ANY t] EQUATIONAL PROOF rev (x:s) ++ t = { def. Rev } rev s ++ [x] ++ t = { A } rv ([x]++t) s = { def. rv } rv t (x:s) END