Lecture 4. First order logic is a formal notation for mathematics which involves:

Similar documents
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

An Annotated Language

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Chapter p. 1/27

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

SOFTWARE ENGINEERING DESIGN I

Abstract Interpretation

Numerical Computations and Formal Methods

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

CS 1200 Discrete Math Math Preliminaries. A.R. Hurson 323 CS Building, Missouri S&T

Chapter 3: Propositional Languages

Lecture 5: Predicate Calculus. ffl Predicate Logic ffl The Language ffl Semantics: Structures

Reasoning About Set Comprehensions

Programming Languages Third Edition

Logic as a framework for NL semantics. Outline. Syntax of FOL [1] Semantic Theory Type Theory

CSC 501 Semantics of Programming Languages

The Rule of Constancy(Derived Frame Rule)

Computer-Aided Program Design

Lectures 20, 21: Axiomatic Semantics

Intro to semantics; Small-step semantics Lecture 1 Tuesday, January 29, 2013

15-819M: Data, Code, Decisions

CSE101: Design and Analysis of Algorithms. Ragesh Jaiswal, CSE, UCSD

ALGORITHMIC DECIDABILITY OF COMPUTER PROGRAM-FUNCTIONS LANGUAGE PROPERTIES. Nikolay Kosovskiy

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Deductive Methods, Bounded Model Checking

Conceptual modeling of entities and relationships using Alloy

Rethinking Automated Theorem Provers?

Lecture 6,

Introductory logic and sets for Computer scientists

Propositional Logic. Andreas Klappenecker

CS Bootcamp Boolean Logic Autumn 2015 A B A B T T T T F F F T F F F F T T T T F T F T T F F F

Reasoning About Imperative Programs. COS 441 Slides 10

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

Computing Fundamentals 2 Introduction to CafeOBJ

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Computation Club: Gödel s theorem

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Software Verification : Introduction

Introduction to Axiomatic Semantics

6. Hoare Logic and Weakest Preconditions

Propositional Logic. Part I

Proving the Correctness of Distributed Algorithms using TLA

Reasoning About Programs Panagiotis Manolios

Decision Procedures for Recursive Data Structures with Integer Constraints

Automatic Software Verification

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Formal Specifications

DISCRETE MATHEMATICS

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Safe Stratified Datalog With Integer Order Does not Have Syntax

Introduction to Axiomatic Semantics (1/2)

Towards a Logical Reconstruction of Relational Database Theory

CSE 307: Principles of Programming Languages

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

VS 3 : SMT Solvers for Program Verification

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Lecture Notes on Real-world SMT

Lecture 5 - Axiomatic semantics

Math Introduction to Advanced Mathematics

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

LTCS Report. Concept Descriptions with Set Constraints and Cardinality Constraints. Franz Baader. LTCS-Report 17-02

9/19/12. Why Study Discrete Math? What is discrete? Sets (Rosen, Chapter 2) can be described by discrete math TOPICS

Program Analysis: Lecture 02 Page 1 of 32

Formal Methods in Software Engineering 1

CS 512, Spring 2017: Take-Home End-of-Term Examination

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Warm-Up Problem. Let L be the language consisting of as constant symbols, as a function symbol and as a predicate symbol. Give an interpretation where

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

A Verifying Compiler for a Multi-threaded Object-Oriented Language

More Untyped Lambda Calculus & Simply Typed Lambda Calculus

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Hoare Logic: Proving Programs Correct

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Verification Condition Generation

CSE 20 DISCRETE MATH. Fall

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

In Our Last Exciting Episode

Automatic Synthesis of Decision Procedures: a Case Study of Ground and Linear Arithmetic

Lecture 11 Lecture 11 Nov 5, 2014

The fundamental principle of identity for strings is informally given as follows.

Chapter 3 (part 3) Describing Syntax and Semantics

Satisfiability Modulo Theories. DPLL solves Satisfiability fine on some problems but not others

Chapter 3. Describing Syntax and Semantics ISBN

The SMT-LIB 2 Standard: Overview and Proposed New Theories

Part I Logic programming paradigm

CMPSCI 250: Introduction to Computation. Lecture #1: Things, Sets and Strings David Mix Barrington 22 January 2014

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

Assignment #4: Lambda Calculus & Semi-automatic Program Verification. You are allowed to work on this assignment in pairs. Hand in Requirements:

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Denotational Semantics of a Simple Imperative Language Using Intensional Logic

Cover Page. The handle holds various files of this Leiden University dissertation

Propositional Calculus: Boolean Functions and Expressions. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Introduction to the Lambda Calculus. Chris Lomont

Software Quality Assurance

Transcription:

0368.4435 Automatic Software Verification April 14, 2015 Lecture 4 Lecturer: Mooly Sagiv Scribe: Nimrod Busany, Yotam Frank Lesson Plan 1. First order logic recap. 2. The SMT decision problem. 3. Basic Verifier Architecture First-Order Logic First order logic is a formal notation for mathematics which involves: Propositional symbols -,,,, Predicates - i.e. boolean functions Functions - from elements in the underlying domain to an elements in the domain, namely f(x 1,..., x k ) = y x 1,..., x n, y Domain Constant symbols - that are connected to elements in the domain Quantifiers -, An example of a first order logic theory: Domain - all living beings Predicate - ismammal(x), canbreathe(x) A formula: x ismammal(x) canbirth(x) In the example above, we define our domain to be all the living beings. We create a predicate ismammal(), which maps each of the elements in the domain to either true of false (if it is a mammal). Further, we create a predicate canbreathe() which captures the ability of some of the elements in our domain to breathe, denoted by canbreathe(). Then, we claim that all mammals can breathe. Notice that first order logic is more general than propositional (Boolean) logic. Propositional logic only includes Propositional symbols (logical connectors) and an infinite number of boolean variables. The logic connectors are applied over variables and formulas. First-Order Logic: Syntax First order logic is made of a sequence of symbols. Some of the symbols are logical symbols and some are non-logical symbols, also referred as parameters. The logical symbols are the propositional connectives (see previous slide), an infinite number of variables and the quantifiers. The non-logical symbols are functions: such as f(), g(), +,, %, bit wise&,...; Predicates:, isstring(), iseven(),...; and Constants: 0, 1, null,...; A more typical example of a formula in first order logic: X : D.p(f(X), X) Y : D.p(f(g(X, Y )), g(x, Y )) We may ask if the formula above is satisfiable, this means, "does there exists a domain over which the formula above evaluates to true". We can also ask whether the the following formula is valid, which 1

means "does the fomula hold over all domains and any interpretation of the predicate p and functions f,g. The answer to the first question is yes, the formula is satisfiable, let us show a signature (i.e. domain and interperation over which it holds): D : {0, 1} ; f(0) = f(1) = 0 ; g(0, 0) = g(0, 1) = g(1, 0) = g(1, 1) = 0; p = (0, 0) As can be seen, for any variable in the domian, g, will return 0, hence for any x, g(x, Y ) = 0. Therefore, f(g(x, Y )) = f(0) = 0; This means that for any x, p(f(0), 0)) will evaluate to true. Since the right left side of the inference holds for any element in our domain, then the formula will holds for all elements. The answer to the second question is no, the formula is not valid. To show this, let us find a domain and interperation over which it is violated: D : {0, 1} ; f(0) = f(1) = 0 ; g(0, 0) = g(0, 1) = g(1, 0) = g(1, 1) = 1; p = (0, 0) Let us look at x=0;the left side of the inference holds, i.e.: [ p(f(x), X) ] X=0 = p(f(0), 0) = p( f(0), 0) = p(0, 0) = true Now let us notice that g, returns 1 for all the elements combinations in our domain. Therefore, the right hand side of the inference: [ p(f(g(x, Y )), g(x, Y )) ] X=0 = p(f(g(0, Y )), g(0, Y )) = p(f( g(0, Y ) ), g(0, Y ) ) = p(f(1), 1 ) = false for any Y. Since the left side of the inference hold while the latter does not hold the formula is violated We have shown a domain and interperation over which the formula is violated hence, it is not valid. Quantifier-free Subset I most cases, we would restrict ourselves to a subset of formulas without quantifiers. This set is named the quintifier-free subset or fregemnt of first order logic. Logical Theory A logical theory defines a set of parameters (non-logical symbols) with their meanings. We call the definition of the domain and the interpretation of the predicates, functions, and constant as a signature. We have already seen two signatures in the example. Theory of linear arithmetic Another example of a signature is the theory of linear arithmetic over the Integers. This theory, uses 0,1 as constants, and gives +, - and their natural interpretation, the domain of this theory consist of all Integers. This can be represented compactly by: Signature: (0,1,+,-, ) over Z Theory of Presbruger Arithmetic Another well known theory is the Presbruger Arithmetic. The signature of Presbruger Arithmetic is : Signature: (0,1,+,=) over Z Presbruger Arithmetic consist of a set of axioms: X:Z ((X + 1) = 0) X,Y :Z ((X + 1) = (Y + 1)) X = Y X:Z (X + 0) = X X,Y :Z (Y + (X + 1)) = (Y + (X + 1))) Let P (X) be a first order formula over X: P (0) X:Z P (X) P (X + 1)) Y :Z P (Y ) 2

Notice that the axioms above capture desired behaviors of the theory. For example, if we add the constant 0, then we require that the result will not change (i.e. (X + 0) = X). The third axoim capture the Associative property. While, the last axioms captures the notion of induction. Many-Sorted Logic - First Order Vocabulary Many-sorted logic can reflect formally our intention not to handle the universe as a homogeneous collection of objects, but to partition it in a way that is similar to types in typeful programming. Many sorted logic is equivalent to first order logic, meaning that both systems have the same expressive power. Nevertheless, many sorted logic, is very popular as it lets one easily define types, which ease the use and comprehension of its formulas. Many sorted logic extends first order logic by defining: A finite set of sorts S A finite set of function symbols F each with a fixed signature S S Constants are defined by zero arity functions A finite set of relations symbols R each with a fixed arity S The difference from the first order logic is that here each of the arguments of the constants, functions and predicates is assigned with a sort (type). In many sorted logic, we split the domain into a set of Sorts S. Formally, D = s S D s (alse, each element in the domain belongs to exacly one of the types). Futher fuctions and relations are defined according to the sorts, formally: For every function symbol f F, an interpretation [f] assigns the sorts: D s1 D s2... D sn D sj For every relation symbol r R, an interpretation [r] assigns the sorts: [r] D s1 D s2... D sn Syntax Logical variables begin with a capital letter Typed Terms <term>::=<variable> f [(<term>, âăę <term>)] Formulas: <formula> ::= <term> = <term> r(<term>,... <term>) // atomic <formula> <formula> <formula> <formula> <formula> // Boolean X : s. <formula> X : s. <formula> //Quantifications Free variable: The set of free variables in a formula or a term is defined as follows: FV: <term>,<formula> 2 V ar Terms: F V (X) = {X} // where X is an atomic variable F V (f(< t 1,..., t n >) = i=1,...,n F V (t i )} // where each t i is a term (possibly complex) Formulas: 3

F V (t 1 = t 2 ) = F V (t 1 ) F V (t 2 ) F V (r(< t 1,..., t n >) = i=1,...,n F V (t i ) // where each t i is a term F V (f 1 f 2 ) = F V (t 1 ) F V (t 2 ) F V (f 1 f 2 ) = F V (t 1 ) F V (t 2 ) F V ( f) = F V (f) F V ( x:s f) = F V (f) X //X is no longer a free variable so we reduce it F V ( x:s f) = F V (f) X //X is no longer a free variable so we reduce it Assignments and Models: An assignment of the variables is defined by A : V ar D. To apply an assignment over terms we simply perform the assignment by structural induction, formally: A(f(t 1, t 2,..., t n )) = [f](a(t 1 ), A(t 2 ),..., A(t n )). Finally, we say that an assignment A models a formula f under interpretation (denoted by A, = f) if f is true in A (Notice that this is Tarsky s semantics). Assignment are applied by structural induction as follows: A, = t 1 = t 2 if A(t 1 ) = A(t 2 ) A, = r(t 1, t 2,..., t n ) if <r(a(t 1 ), A(t 2 ),..., A(t n )) > [r] A, = f 1 f 2 if A, = f 1 and A, = f 2 A, = f 1 f 2 if A, = f 1 or A, = f 2 A, = f1 if not A, = f1 A, = X : t.f if there exists d D t such that A[X d] if A, = f1 A, = X : t.f if for all d D t such that A[X d] if A, = f1 SEE: notice that I added the last bullet, double check A T-interpretation: T interpretation is defined similar to interpretation, but also requires that the domain and the interpretations satisfy the theory requirements(axioms) An example of a T-interpretation is the theory of Linear Arithmetic, let us return to its interpretation and define it further: S=int, F={0 0, 1 0, + 2 } R={ }// the exponent represent the number of arguments the function takes D int = Z Functions: [ 0 ] = 0, [ 0 ] = 1 //this are in fact constant, represented by unary function [ + ] = λx, y : int.x + y Relations: [ ] = λx, y : int.x y 4

SEE: I fixed the exponent argument over 1 Alternatively, any interpretation which violates the axiom is invalid. E.g. if we use Presburger Arithmetic and interpret the + sign incorrectly, e.g. 2+0=7, then this would not be a valid T-interpretation. As in this example the third Preburger axiom is violated Assignments and T-Models: An assignment of the variables is defined by A : V ar D. To apply an assignment over terms we simply perform the assignment by structural induction, formally: A(f(t 1, t 2,..., t n )) = [f](a(t 1 ), A(t 2 ),..., A(t n )). Finally, we say that an assignment A which models a theory T, T-models a formula under f under interpretation (denoted by A, = f) if f is true in A (Notice that this is Tarsky s semantics). Assignment are applied by structural induction as follows: A, = T t 1 = t 2 if A(t 1 ) = A(t 2 ) A, = T r(t 1, t 2,..., t n ) if <r(a(t 1 ), A(t 2 ),..., A(t n )) > [r] A, = T f 1 f 2 if A, = T f 1 and A, = T f 2 A, = T f 1 f 2 if A, = T f 1 or A, = T f 2 A, = T f1 if not A, = T f1 A, = T X : t.f if there exists d D t such that A[X d] if A, = T f1 A, = T X : t.f if for all d D t such that A[X d] if A, = T f1 The Satisfiability modulo theories (SMT) decision problem The satisfiability modulo theories (SMT) problem is a decision problem for logical formulas with respect to combinations of background theories expressed in classical first-order logic with equality. The input of for an SMT problem is A quantifier-free formula f over a theory T. The output is a boolean answer, which is true iff there exist an T-interpretation and an assignment A : F V (f) D such that A, = T f. The complexity of solving the SMT problems depend greatly on the theory and varies from NPC to undecidable. SEE: - did I get it right? The following table summaries the decidability complexity for some of the most famous theories: sym. Theory Quantifiers Decidable QFF Decidable T E Equality NO YES T P A Peano Arithmetic NO NO T N Presburger Arithmetic Yes YES T Z Linear Integer Arithmetic Yes YES T R Real Arithmetic Yes YES T Q Linear Rationals Yes YES T A Arrays NO YES 5

sym. Theory Quantifiers QF Conjunctive PL Propositional Logic NP-Complete O(N) T E Equality Arithmetic O(n log(n)) T N Presburger Arithmetic O(2 2 2 kn) NP-Complete T Z Linear Integer Arithmetic O(2 2 2 kn) NP-Complete T R Real Arithmetic O(2 2 kn) O(2 2 kn) T Q Linear Rationals O(2 2 kn) PTIME T A Arrays - NP-Complete *Note - refers input formula size; k - some positive integer; Basic Verifier Architecture The Basic Verifier has two main components: 1. Verification Condition Generator - Receives Program with specification (assertions etc.) and outputs a set of formulas called Verification Conditions. 2. Theorem Prover - Receives the verification conditions and outputs a Program correct in case it s valid or else list of error ( bugs ). We give a more detailed description of the two components. Verification Condition Generator Creates verification conditions (a set of mathematical logic formulas) from program s source code (VC for short). If VC is valid program is correct. If VC is invalid there might be an error in the program. Verification conditions creation is based on the theory of Hoare triplets and they are computed automatically using weakest precondition (wp). 6

Simple command Language http://meme.nbcr.net/meme/[1] References [1] Bailey, T. L. and C. Elkan, Fitting a mixture model by expectation maximization to discover motifs in biopolymers., International Conference on Intelligent Systems for Molecular Biology; ISMB., pp. 28 36, 1994. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback