CS156: The Calculus of Computation It is reasonable to hope that - PowerPoint PPT Presentation

Calculus of Computation? CS156: The Calculus of Computation It is reasonable to hope that the relationship between Zohar Manna computation and mathematical logic will be as fruitful Autumn 2008 in the next century as that between analysis and physics in the last. The development of this relationship demands a concern for both applications and Lecturer: mathematical elegance. Zohar Manna (manna@cs.stanford.edu) John McCarthy Office Hours: MW 12:30-1:00 at Gates 481 A Basis for a Mathematical Theory of Computation , 1963 TAs: Boyu Wang (wangboyu@stanford.edu) Office Hours: MTu 3:00-5:00, 1st floor lounge, Durand. Greg Goldgof (ggoldgof@stanford.edu) Office Hours: F 3:00-5:00, 1st floor lounge, Durand. Page 1 of 52 Page 2 of 52 Grading Assignment #1 (due Monday, September 29th) ◮ Homeworks (60%) ◮ 1.1 e, f [10 points each] ◮ weekly (totally 8) ◮ 1.2 s, x [10 points each] ◮ no late assignments ◮ no collaboration ◮ 1.3 (note typo: the last ∨ should be a ∧ ) [30 points] ◮ Final Exam (40%) ◮ 1.5 d [30 points] ◮ open book and notes ◮ Date: December 8th, Monday, 8:30-11:30 a.m. Coverage ◮ Skip * sections ◮ Skip Chapter 6 and 12 of the book ◮ Skip complexity remarks Page 3 of 52 Page 4 of 52

Textbook The Calculus of Computation: Decision Procedures with Applications to Verification by Aaron Bradley Zohar Manna Springer 2007 There are two copies in CS-Math Library and you could also use socrates.stanford.edu to read the book according to its policy. Page 5 of 52 Page 6 of 52 Topics: Overview Part I: Foundations 1. First-Order logic 1. Propositional Logic 2. Specification and verification 2. First-Order Logic 3. Satisfiability decision procedures 3. First-Order Theories 4. Induction 5. Program Correctness: Mechanics Inductive assertion method, Ranking function method Page 7 of 52 Page 8 of 52

Part II: Algorithmic Reasoning CS156: The Calculus of Computation 7. Quantified Linear Arithmetic Quantifier elimination for integers and rationals Zohar Manna 8. Quantifier-Free Linear Arithmetic Autumn 2008 Linear programming for rationals 9. Quantifier-Free Equality and Data Structures 10. Combining Decision Procedures Nelson-Oppen combination method 11. Arrays More than quantifier-free fragment Motivation Page 9 of 52 Page 10 of 52 Motivation I Motivation II Prove: Decision Procedures are algorithms to decide formulae. assume ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) These formulae can arise ◮ in software verification. assume i ≤ u ◮ in hardware verification assume a [ i ] = e rv := true ; Consider the following program: i := i + 1 @ ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) for @ ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) ( int i := ℓ ; i ≤ u ; i := i + 1) { if ( a [ i ] = e ) rv := true ; } How can we decide whether the formula is a loop invariant? Page 11 of 52 Page 12 of 52

Motivation III Motivation IV For assignments wp is computed by substitution: assume ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) assume ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) assume i ≤ u assume i ≤ u assume a [ i ] � = e assume a [ i ] = e i := i + 1 rv := true ; @ ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) i := i + 1 A Hoare triple { P } S { Q } holds, iff @ ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) P → wp ( S , Q ) Substituting ⊤ for rv and i + 1 for i , the postcondition (denoted by the @ symbol) holds if and only if: (wp denotes “weakest precondition”) ℓ ≤ i ≤ u ∧ ( rv ↔ ∃ j . ℓ ≤ j < i ∧ a [ j ] = e ) ∧ i ≤ u ∧ a [ i ] = e → ℓ ≤ i + 1 ≤ u ∧ ( ⊤ ↔ ∃ j . ℓ ≤ j < i + 1 ∧ a [ j ] = e ) Page 13 of 52 Page 14 of 52 Motivation V We need an algorithm that decides whether this formula holds. If CS156: The Calculus of the formula does not hold, the algorithm should give a counterexample; e.g., Computation ℓ = 0 , i = 1 , u = 1 , rv = false , a [0] = 0 , a [1] = 1 , e = 1 . Zohar Manna We will discuss such algorithms in later lectures. Autumn 2008 Chapter 1: Propositional Logic (PL) Page 15 of 52 Page 16 of 52

Propositional Logic (PL) Example: PL Syntax formula F : ( P ∧ Q ) → ( ⊤ ∨ ¬ Q ) atoms: P , Q , ⊤ Atom truth symbols ⊤ (“true”) and ⊥ (“false”) literals: P , Q , ⊤ , ¬ Q propositional variables P , Q , R , P 1 , Q 1 , R 1 , . . . subformulae: P , Q , ⊤ , ¬ Q , P ∧ Q , ⊤ ∨ ¬ Q , F Literal atom α or its negation ¬ α abbreviation Formula literal or application of a F : P ∧ Q → ⊤ ∨ ¬ Q logical connective to formulae F , F 1 , F 2 ¬ F “not” (negation) F 1 ∧ F 2 “and” (conjunction) F 1 ∨ F 2 “or” (disjunction) F 1 → F 2 “implies” (implication) F 1 ↔ F 2 “if and only if” (iff) Page 17 of 52 Page 18 of 52 PL Semantics (meaning of PL) Example: Formula F + Interpretation I = Truth value F : P ∧ Q → P ∨ ¬ Q (true, false) I : { P �→ true , Q �→ false } i.e., I [ P ] = true , I [ Q ] = false Interpretation P Q ¬ Q P ∧ Q P ∨ ¬ Q F I : { P �→ true , Q �→ false , · · · } 1 0 1 0 1 1 Evaluation of F under I : F ¬ F where 0 corresponds to value false 1 = true 0 = false 0 1 1 true 1 0 F evaluates to true under I ; i.e., I [ F ] = true. F 1 F 2 F 1 ∧ F 2 F 1 ∨ F 2 F 1 → F 2 F 1 ↔ F 2 0 0 0 0 1 1 0 1 0 1 1 0 1 0 0 1 0 0 1 1 1 1 1 1 Page 19 of 52 Page 20 of 52

Inductive Definition of PL’s Semantics Example of Inductive Reasoning: I | = F if F evaluates to true under I F : P ∧ Q → P ∨ ¬ Q I �| = F false Base Case: I : { P �→ true , Q �→ false } I | = ⊤ I �| = ⊥ 1 . | = since I [ P ] = true I P I | = P iff I [ P ] = true; i.e., P is true under I 2 . I �| = Q since I [ Q ] = false I �| = P iff I [ P ] = false 3 . I | = ¬ Q by 2 and ¬ Inductive Case: 4 . I �| = P ∧ Q by 2 and ∧ I | = ¬ F iff I �| = F 5 . | = P ∨ ¬ Q by 1 and ∨ I | = F 1 ∧ F 2 iff I | = F 1 and I | = F 2 I I | = F 1 ∨ F 2 iff I | = F 1 or I | = F 2 (or both) 6 . I | = F by 4 and → Why? I | = F 1 → F 2 iff I | = F 1 implies I | = F 2 Thus, F is true under I . I | = F 1 ↔ F 2 iff, I | = F 1 and I | = F 2 , Note: steps 1, 3, and 5 are nonessential. or I �| = F 1 and I �| = F 2 Note: I | = F 1 → F 2 iff I �| = F 1 or I | = F 2 . I �| = F 1 → F 2 iff I | = F 1 and I �| = F 2 . I �| = F 1 ∨ F 2 iff I �| = F 1 and I �| = F 2 . Page 21 of 52 Page 22 of 52 Satisfiability and Validity Method 1: Truth Tables F satisfiable iff there exists an interpretation I such that I | = F . Example F : P ∧ Q → P ∨ ¬ Q F valid iff for all interpretations I , I | = F . P Q P ∧ Q ¬ Q P ∨ ¬ Q F F is valid iff ¬ F is unsatisfiable 0 0 0 1 1 1 0 1 0 0 0 1 Goal: devise an algorithm to decide validity or unsatisfiability of 1 0 0 1 1 1 formula F . 1 1 1 0 1 1 Thus F is valid. Example F : P ∨ Q → P ∧ Q P Q P ∨ Q P ∧ Q F 0 0 0 0 1 ← satisfying I 0 1 1 0 0 ← falsifying I 1 0 1 0 0 1 1 1 1 1 Thus F is satisfiable, but invalid. Page 23 of 52 Page 24 of 52

Method 2: Semantic Argument Proof Rules for Semantic Arguments I ◮ Assume F is not valid and I a falsifying interpretation: I �| = F ◮ Apply proof rules. I | = ¬ F I �| = ¬ F ◮ If no contradiction reached and no more rules applicable, I �| = F I | = F F is invalid. I | = F ∧ G I �| = F ∧ G ◮ If in every branch of proof a contradiction reached, I | = F I �| = F | I �| = G F is valid. = G ← and I | տ or I | = F ∨ G I �| = F ∨ G I | = F | I | = G I �| = F I �| = G Page 25 of 52 Page 26 of 52 Proof Rules for Semantic Arguments II Example: Prove F : P ∧ Q → P ∨ ¬ Q is valid. I | = F → G I �| = F → G Let’s assume that F is not valid and that I is a falsifying I �| = F | I | = G I | = F interpretation. I �| = G 1 . I = �| P ∧ Q → P ∨ ¬ Q assumption I | = F ↔ G I �| = F ↔ G 2 . I = | P ∧ Q 1 and → I | = F ∧ G | I �| = F ∨ G I | = F ∧ ¬ G | I | = ¬ F ∧ G 3 . I = �| P ∨ ¬ Q 1 and → 4 . I = | P 2 and ∧ I | = F 5 . I = �| P 3 and ∨ I �| = F 6 . | = ⊥ 4 and 5 are contradictory I I | = ⊥ Thus F is valid. Page 27 of 52 Page 28 of 52