
FITR304 - Software Validation: Deductive methods for proving imperative programs - PowerPoint PPT Presentation

Institut Supérieur de l'Aéronautique et de l'Espace. FITR304 - Software Validation: Deductive methods for proving imperative programs. Christophe Garion, DMIA, ISAE. Christophe Garion IN324 Software Validation – deductive methods 1/149


  1. What is semantics? In order to prove properties on programs, we need to define precisely the semantics of the underlying programming language. There are of course several semantics for programming languages. Floyd, Robert W. (1967). “Assigning meanings to programs”. In: Mathematical Aspects of Computer Science. Ed. by J. T. Schwartz. American Mathematical Society, pp. 19–32. ISBN: 0821867288.

  2. Operational semantics (small steps) Operational semantics defines a program semantics with states, i.e. functions from memory locations (variables) to values. Rules define the semantics of the constructs of the program, for instance for the conditional:
      ⟨b, σ⟩ → true    ⟨c0, σ⟩ → σ′
      ─────────────────────────────────
      ⟨if b then c0 else c1, σ⟩ → σ′

      ⟨b, σ⟩ → false   ⟨c1, σ⟩ → σ′
      ─────────────────────────────────
      ⟨if b then c0 else c1, σ⟩ → σ′
  This leads to traces, i.e. sequences of states. Proofs about the final state of the program can be done using this formal system.

  3. Trace semantics We can characterize the set of traces of a program:
      { s0 → … → sn | ∀ i ∈ [0, n − 1], (si, si+1) ∈ f_op and s0 ∈ Init }
  where f_op is the set of transitions from state to state. We can also use collecting semantics, i.e. be only interested in reachable states. This semantics is useful as it can be used to guarantee that a particular property holds for all reachable states (an invariant for instance).
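The two semantics just described, as an added example that is not part of the slides: a small-step interpreter for the imperative kernel used later in the course (assignment, sequence, conditional, while loop), producing the trace of a run, the set of reachable states of the collecting semantics, and property checks over them. Expressions and conditions are written as Python functions of the state, a simplification chosen here, and the factorial program is constructed for the example.

```python
# Added example (not from the slides): small-step operational semantics for the
# imperative kernel (assignment, sequence, conditional, while loop) over states
# sigma: dict from variable names to integers. Commands are tuples; expressions
# and conditions are Python functions of the state (a simplification chosen here).
from math import factorial

SKIP = ("skip",)

def step(c, sigma):
    """One transition <c, sigma> -> <c', sigma'>."""
    kind = c[0]
    if kind == "assign":                       # <X := E, s> -> <skip, s[X -> E(s)]>
        _, x, e = c
        return SKIP, {**sigma, x: e(sigma)}
    if kind == "seq":                          # <c0; c1, s>: advance c0 until it is skip
        _, c0, c1 = c
        if c0 == SKIP:
            return c1, sigma
        c0p, sigmap = step(c0, sigma)
        return ("seq", c0p, c1), sigmap
    if kind == "if":                           # <b, s> -> true selects c0, false selects c1
        _, b, c0, c1 = c
        return (c0 if b(sigma) else c1), sigma
    if kind == "while":                        # unfold one iteration while b holds
        _, b, body = c
        return (("seq", body, c) if b(sigma) else SKIP), sigma
    raise ValueError(f"unknown command {kind}")

def trace(c, sigma, max_steps=10_000):
    """Trace of configurations (c_i, s_i) from (c, sigma) to (skip, s_n)."""
    confs = [(c, dict(sigma))]
    while c != SKIP:
        if len(confs) > max_steps:
            raise RuntimeError("no final state within max_steps (non-terminating?)")
        c, sigma = step(c, sigma)
        confs.append((c, dict(sigma)))
    return confs

def reachable(c, sigma):
    """Collecting semantics: the set of reachable states (as hashable tuples)."""
    return {tuple(sorted(s.items())) for _, s in trace(c, sigma)}

def holds_on_all_reachable(c, sigma, prop):
    """True iff prop holds in every reachable state."""
    return all(prop(dict(s)) for s in reachable(c, sigma))

# Constructed program: F := 1; K := 0; while K < N do K := K + 1; F := F * K od
LOOP = ("while", lambda s: s["K"] < s["N"],
        ("seq", ("assign", "K", lambda s: s["K"] + 1),
                ("assign", "F", lambda s: s["F"] * s["K"])))
FACT = ("seq", ("assign", "F", lambda s: 1), ("seq", ("assign", "K", lambda s: 0), LOOP))

def run_fact(n):
    """Final state of FACT started from the state {N: n}."""
    return trace(FACT, {"N": n})[-1][1]

def bounded_everywhere(n):
    """0 <= K <= N in every reachable state: a property of the collecting semantics."""
    return holds_on_all_reachable(FACT, {"N": n},
                                  lambda s: "K" not in s or 0 <= s["K"] <= s["N"])

def fact_everywhere(n):
    """F = K! in every reachable state? No: it breaks between the two assignments of the body."""
    return holds_on_all_reachable(FACT, {"N": n},
                                  lambda s: s.get("F", 1) == factorial(s.get("K", 0)))

def fact_at_loop_heads(n):
    """F = K! at every configuration whose command is the loop itself (a loop invariant)."""
    return all(s["F"] == factorial(s["K"]) for c, s in trace(FACT, {"N": n}) if c == LOOP)

if __name__ == "__main__":
    print(run_fact(5), bounded_everywhere(5), fact_everywhere(5), fact_at_loop_heads(5))
```

The last two functions show why a loop invariant is stated at loop heads: over all intermediate states of the small-step trace, F = K! fails, while 0 ≤ K ≤ N holds everywhere.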

  4. Axiomatic semantics In axiomatic semantics, the semantics of the program is defined with Hoare triples: mathematical formulas {ϕ} P {ψ}, where ϕ and ψ are resp. the precondition and the postcondition of P. Rules are expressed using these triples, for instance for the conditional:
      {ϕ ∧ C} P {ψ}    {ϕ ∧ ¬C} Q {ψ}
      ─────────────────────────────────── (Cond.)
      {ϕ} if C then P else Q fi {ψ}
  This formal system can be used to derive proofs about programs.

  5. Outline of part 1 - Introduction on formal methods: 1 Why formal methods? 2 Programming languages semantics 3 Some techniques 4 Agenda

  6. Model checking In model checking, we have: a model of the system/the program; a property to verify. We want to verify exhaustively that the model verifies the property. For instance, the model can be the collecting traces and the property can be expressed in temporal logic.

  7. Abstract interpretation Abstract interpretation is a sound approximation of the semantics of a program. The idea is to “encompass” the traces of the program into a more abstract domain. For instance, if you want to prove that there is no division by zero in your program, you may restrict the integers to two values, 0 and others, and statically verify the property. Abstract interpretation is also used in compilers for optimization purposes.

  8. Deductive methods: what is that? Definition (simple but efficient…): Deductive program verification is the art of turning the correctness of a program into a mathematical statement and then proving it. Filliâtre, Jean-Christophe (2011). “Deductive Program Verification”. Habilitation à diriger les recherches. Université Paris-Sud 11. We have thus to answer the following questions: what is a proof? how can we turn the correctness of a program into a mathematical statement? can we automatically prove the correctness of a program?

  9. Deductive methods: is it old? Turing, Alan Mathison (1949). Checking a large routine. In: Report of a Conference on High Speed Automatic Calculating Machines. Cambridge: Mathematical Laboratory, pp. 67–69. The boxes of the flowchart shown on the slide read: r′ = 1; v′ = u; s′ = 1; u′ = u + v; s′ = s + 1; TEST r − n; u′ = 1; r′ = r + 1; TEST s − r.

  10. Deductive methods: the big picture A C program together with its formal specification (in the ACSL specification language) is turned into a mathematical statement to prove, generated by the WP plugin of Frama-C; the statement is handed to automatic or interactive provers, and the result is either proved ✔ or not proved (or…) ✘.


  12. FITR304: formal methods During the lecture, you will choose to study deeper one of the following formal methods: 1 deductive methods (C. Garion, ISAE/DMIA) ➥ how can we prove that imperative programs are correct w.r.t. a specification? 2 model checking (J. Brunel, ONERA/DTIM) ➥ given a model of a system, check if a given property is respected or not (mostly temporal properties). 3 abstract interpretation (P.-L. Garoche, ONERA/DTIM) ➥ a theory of sound approximation of the semantics of computer programs.

  13. FITR304: agenda and evaluation 6 × 2 hours sessions are dedicated to the track you have chosen (groups of 3-4 students by track); a global miniproject on a rover: each FM will study one part of the rover architecture (50% of the final grade); final presentation (50% of the final grade) + MQC on 02/27/2017; industrial feedback conference.

  14. Outline of part 2 - Formal proof: 5 Formal systems 6 Natural deduction for PL: NK 7 Natural deduction for FOL: NK

  15. What is a proof? Definition (informal, from Wikipedia…): A proof is sufficient evidence or an argument for the truth of a proposition. Nice, but: what is an argument? what is truth? what is a proposition? All those notions are formally defined in mathematical logic.

  17. What is mathematical logic? Informal definition: Mathematical logic is the study of the validity of an argument as a mathematical object. First question: what is an argument? An argument is composed of: a set of declarative sentences called premises; a word, therefore; a declarative sentence called conclusion. Second question: what is validity? Validity of an argument can be defined: in model theory: is the conclusion true when premises are? in proof theory: does the argument respect some rules?

  19. A multi-disciplinary field Philosophy: what is true? what is false? what is a proof? Mathematics: what mathematical structures do we need to define a proof? is this proof correct? Computer Science: is this program correct? can we prove automatically that this theorem is true? can I automatically produce code that respects those specifications?


  21. What is a formal system? Definition (formal system): A formal system is composed of two elements: a formal language (grammar) defining a set of expressions E; a deductive system or deductive apparatus on E. We have thus to define: what is a grammar; what is a deductive system.

  22. Grammar A formal grammar is a set of rules describing a formal language using a finite alphabet. For instance, the grammar { X = {a, b}, V = {S}, S, {S → aS, S → b} } describes the language { aⁿb | n ∈ ℕ }. There are other formalisms to describe (some categories of) formal languages: regular expressions, EBNF, inductive definitions etc. In the following, we will use inductive definitions.

  23. Inductive definition Definition (inductive or recursive definition): An inductive definition of a set E is composed of: a base case of the definition which defines elementary elements of E; an inductive clause of the definition which defines elements of E using other elements of E defined with a finite number of steps n and operations; an extremal clause that says that E is the smallest set built using the base case and the inductive clause.

  24. Some definitions by induction Exercise ✎ Define ℕ by induction. Exercise ✎ Define binary trees by induction.

  25. Structural induction Given a set E defined inductively, we can prove properties on elements of E using structural induction. Definition (structural induction): Let E be a set defined inductively and P a property on elements of E to be proved. If: P can be proved to be true on each base case; and if we suppose that P is true on elements built with n steps then P is true on elements that can be built with n + 1 steps; then P is true for every element of E.

  26. A proof by structural induction Exercise ✎ Prove the following property of binary trees: “the number n of nodes in a binary tree of height h is at least n = h and at most n = 2^h − 1, where h is the depth of the tree”.

  27. Induction example: alphabet of L_PL Definition (alphabet of L_PL): The alphabet of L_PL is composed of: an infinite and enumerable set of propositional variables noted Var = {p, q, r, …}; two constants noted ⊤ (top/true) and ⊥ (bottom/false); logical connectors: ¬ (negation), ∨ (or/disjunction), ∧ (and/conjunction), → (implication), ↔ (logical equivalence); parentheses ( ).

  28. Induction example: wff of L_PL Definition (well formed formulas): ⊤ and ⊥ are wff. If p is a propositional variable, then p is a wff; p is an atomic formula or atom. If ϕ is a wff, then (¬ϕ) is a wff. If ϕ and ψ are wff, then (ϕ ∨ ψ), (ϕ ∧ ψ), (ϕ → ψ) and (ϕ ↔ ψ) are wff.

  29. Modelling exercise Exercise ✎ Use propositional language to model the following declarative sentences. 1 it is raining and it is cold. 2 if he eats too much, he will be sick. 3 it is sunny but it is cold. 4 if it is cold, I take my jacket. 5 I take either a jacket or an umbrella. 6 it is not raining. 7 in autumn, if it is cold then I take a jacket. 8 in winter, I take a jacket only if it is cold. 9 if Peter does not forget to book tickets, we will go to the theater. 10 if Peter does not forget to book tickets and if we find a baby-sitter, we will go to the theater. 11 he went, although it was very hot, but he forgot his water bottle. 12 when I am nervous, I practise yoga or relaxation. Someone practising yoga also practises relaxation. So when I do not practise relaxation, I am calm. 13 my sister wants a black and white cat.

  30. Deductive system Definition (deductive system): A deduction system (or inference system) on a set E is composed of a set of rules used to derive elements of E from other elements of E. They are called inference rules. If an inference rule allows to derive e_{n+1} (conclusion) from P = {e1, …, en} (premises), it will be noted as follows:
      e1   e2   …   en
      ─────────────────
           e_{n+1}
  When an inference rule is such that P = ∅ it is called an axiom. If e1 is an axiom, it is either noted with an empty premise line above e1 or simply e1.

  31. Deductive system Intuition: A rule with premises e1 and e2 and conclusion e3 means: from e1 and e2 you can deduce e3; to prove e3, it is sufficient to prove e1 and to prove e2. If e can be produced only from axioms using inference rules, then e is called a theorem of F (same as in maths!). This is noted ⊢_F e.

  32. Using a formal system: example To represent a proof, we will use trees. For instance, considering the classical Hilbert system with the Modus Ponens rule, here is a proof of p → p:
      (p → (p → p)) → ((p → ((p → p) → p)) → (p → p))      p → (p → p)
      ──────────────────────────────────────────────────────────── (MP)
                (p → ((p → p) → p)) → (p → p)      p → ((p → p) → p)
                ─────────────────────────────────────────────────── (MP)
                                      p → p

  33. Outline of part 2 - Formal proof: 5 Formal systems 6 Natural deduction for PL: NK (Deductive system; A new language: sequents for NK) 7 Natural deduction for FOL: NK

  35. Introduction Natural deduction is a formal system that has evolved from axiomatic formal systems developed by 19th century mathematicians like Hilbert or Russell. G. Gentzen has proposed a more “intuitive” formal system, natural deduction (natürliches Schließen). Gentzen, Gerhard (1934). “Untersuchungen über das logische Schließen I”. In: Mathematische Zeitschrift 39.2, pp. 176–210. Gentzen, Gerhard (1935). “Untersuchungen über das logische Schließen II”. In: Mathematische Zeitschrift 39.3, pp. 405–431.

  36. Rules for natural deduction Definition (introduction and elimination rules):
      (I∧)   from A and B, infer A ∧ B
      (E∧1)  from A ∧ B, infer A
      (E∧2)  from A ∧ B, infer B
      (I∨1)  from A, infer A ∨ B
      (I∨2)  from B, infer A ∨ B
      (E∨)   from A ∨ B, a derivation [A] … C and a derivation [B] … C, infer C
      (I→)   from a derivation [A] … B, infer A → B
      (E→)   from A → B and A, infer B

  37. What are those [ ] everywhere? Some premises in rules (E∨) and (I→) are between brackets. What does that mean? The hypotheses between brackets are used for hypothetical derivation and are discharged when using the rule. They are not real hypotheses for the derivation. For instance, (I→), written [A] … B / A → B, means: “if assuming A you can deduce that B, then you can deduce A → B”. N.B. (important) The discharged hypotheses are only valid in the rule context and cannot be used for instance below the rule application. N.B. When introducing hypotheses (not premises of the argument), you have to discharge them to obtain a valid proof.

  39. How to discharge hypotheses In order to remember where hypotheses are discharged, rule numbering can be used:
      [a]¹   [b]²
      ─────────── (I∧)
         a ∧ b
      ─────────────── (I→)²
       b → (a ∧ b)
      ──────────────────── (I→)¹
       a → (b → (a ∧ b))
  Subdeductions are hypothetical: in the previous example, b → (a ∧ b) can be deduced under the assumption a.

  40. From minimal system to classical system The previous system is minimal: it does not correspond to classical logic. The following rules have to be added.
  Definition (rules for intuitionist system): ¬A ≡ A → ⊥, and
      (E⊥)  from ⊥, infer A
  Definition (rules for classical system):
      (EM)  A ∨ ¬A (axiom: excluded middle)
      from a derivation [¬A] … ⊥, infer A

  41. Let’s prove some formulae! Exercise ✎ Prove the following PL formulas in NK: (a → (b → c)) → ((a → b) → (a → c)); ((a ∨ b) → c) → (b → c); ((a ∨ b) ∧ (a → c) ∧ (b → c)) → c; a → ¬¬a.

  42. Try it on your computer? Gasquet, Olivier, François Schwarzentruber, and Martin Strecker (2011). Panda: Proof Assistant for Natural Deduction for All. http://www.irit.fr/panda/. Adopt a Panda! The panda (Ailuropoda melanoleuca, lit. “black and white cat-foot”), also known as the giant panda to distinguish it from the unrelated red panda, is a bear native to central-western and south western China. (Wikipedia, 2012.)


  44. Sequent Gentzen also proposed a new language based on L_PL in order to make proofs in NK easier (in particular for discharged hypotheses). The main idea of this new language is to “embark” the hypotheses you are using in the “formulas”. Definition (sequent): A sequent is composed of a finite set of wff Γ and a wff ϕ and is denoted by Γ ⊢ ϕ. The intuition behind a sequent is the following: Γ ⊢ ϕ means “ϕ can be deduced from hypotheses Γ”. Γ is also called the context. Some (strictly speaking incorrect) notations are used: for instance Γ, ψ ⊢ ϕ is used for Γ ∪ {ψ} ⊢ ϕ.

  45. Rules for sequent-based NK Definition (axiom and structural rule):
      (Hyp)  A ⊢ A (axiom)
      (Aff)  from Γ ⊢ A, infer Γ, B ⊢ A (weakening: an unused hypothesis may be added)

  46. Rules for sequent-based NK Definition (logical rules):
      (I∧)   from Γ ⊢ A and Γ ⊢ B, infer Γ ⊢ A ∧ B
      (E∧1)  from Γ ⊢ A ∧ B, infer Γ ⊢ A
      (E∧2)  from Γ ⊢ A ∧ B, infer Γ ⊢ B
      (I∨1)  from Γ ⊢ A, infer Γ ⊢ A ∨ B
      (I∨2)  from Γ ⊢ B, infer Γ ⊢ A ∨ B
      (E∨)   from Γ ⊢ A ∨ B, Γ, A ⊢ C and Γ, B ⊢ C, infer Γ ⊢ C
      (I→)   from Γ, A ⊢ B, infer Γ ⊢ A → B
      (E→)   from Γ ⊢ A → B and Γ ⊢ A, infer Γ ⊢ B
      (E⊥)   from Γ ⊢ ⊥, infer Γ ⊢ A
      (TE)   from Γ, A → ⊥ ⊢ ⊥, infer Γ ⊢ A

  47. NK with sequents: example With the previous example:
      a ⊢ a (Hyp)          b ⊢ b (Hyp)
      a, b ⊢ a (Aff)       a, b ⊢ b (Aff)
      a, b ⊢ a ∧ b (I∧)
      a ⊢ b → (a ∧ b) (I→)
      ⊢ a → (b → (a ∧ b)) (I→)
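The sequent rules of the previous two slides, as an added example that is not code from the course: a checker that verifies a derivation tree node by node, run on the derivation of ⊢ a → (b → (a ∧ b)) above and on a wrong attempt that skips the (Aff) steps. The tuple encoding of formulas, sequents and derivations is an assumption of this example.

```python
# Added example (not from the slides): a checker for derivations in the
# sequent presentation of NK. Formulas are a variable name (str) or a tuple
# ("and"|"or"|"imp", A, B); a sequent Gamma |- phi is (frozenset(Gamma), phi);
# a derivation is (rule, sequent, [sub-derivations]).

def seq(hyps, concl):
    return (frozenset(hyps), concl)

def conn(f, c):
    """True iff formula f has main connective c."""
    return isinstance(f, tuple) and f[0] == c

def check(deriv):
    """True iff `deriv` is correct: every node is an instance of its rule and the
    contexts (hypotheses) are threaded exactly as the rules require."""
    rule, (gamma, phi), subs = deriv
    if not all(check(d) for d in subs):
        return False
    prem = [d[1] for d in subs]           # sequents established by the sub-derivations
    n = len(prem)
    if rule == "Hyp":                     # A |- A
        return n == 0 and gamma == frozenset({phi})
    if rule == "Aff":                     # Gamma |- A  gives  Gamma, B |- A
        return (n == 1 and prem[0][1] == phi and prem[0][0] <= gamma
                and len(gamma - prem[0][0]) <= 1)
    if rule == "I∧":                      # Gamma |- A, Gamma |- B  give  Gamma |- A ∧ B
        return (n == 2 and prem[0][0] == prem[1][0] == gamma
                and phi == ("and", prem[0][1], prem[1][1]))
    if rule in ("E∧1", "E∧2"):            # Gamma |- A ∧ B  gives  Gamma |- A (resp. B)
        return (n == 1 and prem[0][0] == gamma and conn(prem[0][1], "and")
                and phi == prem[0][1][1 if rule == "E∧1" else 2])
    if rule in ("I∨1", "I∨2"):            # Gamma |- A (resp. B)  gives  Gamma |- A ∨ B
        return (n == 1 and prem[0][0] == gamma and conn(phi, "or")
                and prem[0][1] == phi[1 if rule == "I∨1" else 2])
    if rule == "E∨":                      # Gamma |- A ∨ B, Gamma,A |- C, Gamma,B |- C  give  Gamma |- C
        if n != 3 or prem[0][0] != gamma or not conn(prem[0][1], "or"):
            return False
        _, a, b = prem[0][1]
        return prem[1] == (gamma | {a}, phi) and prem[2] == (gamma | {b}, phi)
    if rule == "I→":                      # Gamma, A |- B  gives  Gamma |- A → B
        return n == 1 and conn(phi, "imp") and prem[0] == (gamma | {phi[1]}, phi[2])
    if rule == "E→":                      # Gamma |- A → B, Gamma |- A  give  Gamma |- B
        return (n == 2 and prem[0][0] == prem[1][0] == gamma
                and prem[0][1] == ("imp", prem[1][1], phi))
    return False                          # unknown rule name

# The derivation of |- a → (b → (a ∧ b)) from the slide, node by node
A_AND_B = ("and", "a", "b")
hyp_a = ("Hyp", seq({"a"}, "a"), [])
hyp_b = ("Hyp", seq({"b"}, "b"), [])
aff_a = ("Aff", seq({"a", "b"}, "a"), [hyp_a])
aff_b = ("Aff", seq({"a", "b"}, "b"), [hyp_b])
conj = ("I∧", seq({"a", "b"}, A_AND_B), [aff_a, aff_b])
imp_b = ("I→", seq({"a"}, ("imp", "b", A_AND_B)), [conj])
PROOF = ("I→", seq(set(), ("imp", "a", ("imp", "b", A_AND_B))), [imp_b])

# A wrong attempt: applying (I∧) directly to a |- a and b |- b skips the
# weakening steps, so the two premises do not share the context {a, b}.
BAD_CONJ = ("I∧", seq({"a", "b"}, A_AND_B), [hyp_a, hyp_b])
BAD_PROOF = ("I→", seq(set(), ("imp", "a", ("imp", "b", A_AND_B))),
             [("I→", seq({"a"}, ("imp", "b", A_AND_B)), [BAD_CONJ])])

if __name__ == "__main__":
    print(check(PROOF), check(BAD_PROOF))   # True False
```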

  48. Automatic proof of the previous wffs? Building proofs of the previous formulas is not automatic and can be tedious. Is there an algorithm to prove that a wff is a theorem? This field of study is called automated theorem proving. Some theorem provers: The E Theorem Prover (http://www.eprover.org); Vampire (http://www.vprover.org); SPASS (http://www.spass-prover.org). Notice that: theorem proving is decidable for PL; this problem is strongly related to the SAT problem; the provers presented here also work with First-Order Logic.

  49. Use SPASS on our examples Let us try SPASS on our examples. The SPASS team (2014). SPASS: An Automated Theorem Prover for First-Order Logic with Equality. http://www.spass-prover.org.

  50. Use SPASS on our examples Let us try SPASS on our examples. The input file for the first formula:
      begin_problem(pl_1).

      list_of_descriptions.
      name({*(A -> (B -> C)) -> ((A -> B) -> (A -> C))*}).
      author({*Christophe Garion*}).
      status(satisfiable).
      description({*Prove (A -> (B -> C)) -> ((A -> B) -> (A -> C))...*}).
      end_of_list.

      list_of_symbols.
      predicates[(A,0), (B,0), (C,0)].
      end_of_list.

      list_of_formulae(conjectures).
      formula(implies(implies(A, implies(B, C)), implies(implies(A, B), implies(A, C)))).
      end_of_list.

      end_problem.

  51. Outline of part 2 - Formal proof: 5 Formal systems 6 Natural deduction for PL: NK 7 Natural deduction for FOL: NK (First-order logic language; Deductive system)

  53. Alphabet Definition (alphabet): The alphabet of L_FOL is composed of logical symbols: an infinite and enumerable set V of individual variables x, y, …; connectors: ⊤, ⊥, ¬, →, ∧, ∨, ↔; quantifiers: ∃, ∀; parentheses ( ); and non-logical symbols: an enumerable set P of predicate symbols P, Q, R, …; an enumerable set F of functions f, g, h, …; an enumerable set C of individual constants a, b, c, …

  54. Signature of a first-order language Like in the propositional case, V, ⊤, ⊥, ¬, ∧, ∨, →, ↔, (, ) and the quantifiers ∀, ∃ are called logical symbols because their logical meaning is already defined. On the contrary, P, F and C depend on the problem to be modelled and thus the predicate, function and constant symbols are called non-logical symbols. This set is also called the signature S of the language. So, when you want to model a problem using L_FOL, you first have to define the signature of your language, i.e. S = ⟨P, F, C⟩. When defining predicates and functions, the arity is often denoted using the / notation: P/2 is a predicate P of arity 2; f/3 is a function f of arity 3.

  55. L_FOL terms An expression is a sequence of symbols. Some expressions, called terms, represent objects. Ex: Socrates, John’s father, 3+(2+5), … Definition (term): The set of terms of L_FOL is defined inductively by: a variable is a term; a constant is a term; if f is a function symbol with arity m and if t1, …, tm are terms, then f(t1, …, tm) is a term.

  56. Well-formed formulas Some expressions are interpreted as assertions. Those expressions are well formed formulas (wffs). Definition (atomic formula): If P is a predicate symbol with arity n and if t1, …, tn are terms, then P(t1, …, tn) is an atomic formula of L_FOL. Definition (well formed formula): The set of wff of L_FOL is defined inductively as follows: ⊤ and ⊥ are wffs; an atomic formula is a wff; if ϕ and ψ are wffs, then (¬ϕ), (ϕ ∨ ψ), (ϕ ∧ ψ), (ϕ → ψ) and (ϕ ↔ ψ) are wffs; if ϕ is a wff and x is a variable, then (Qx ϕ) where Q ∈ {∀, ∃} is a wff. ϕ is called the scope of Qx (cf. later).

  57. Some conventions (as in the PL case) To simplify the writing, some conventions can be used: removing of external parentheses: (a ∧ b) is written a ∧ b; ¬ is written without parentheses: (¬a) is written ¬a; connectors are associative from left to right: ((a ∧ b) ∧ c) is written a ∧ b ∧ c; quantifier sequences can be simplified: Q1x (Q2y ϕ) is written Q1x Q2y ϕ. Connectors and quantifiers can be ordered by growing priority like in the PL case: ∀, ∃, ↔, →, ∨, ∧, ¬.

  58. Some remarks on L_FOL Constants can also be viewed as 0-ary functions, i.e. functions that do not take parameters. We use a distinct set C to simplify the presentation of FOL semantics. If you consider a FO language whose signature is the following: C = ∅, F = ∅, and every predicate symbol P in P is a 0-ary symbol, i.e. it does not take parameters, then you obtain propositional logic. Thus, PL is a subset of FOL.

  59. Modelling exercise: maths, again… Exercise ✎ Let E be a set. Model the following mathematical notions using a first-order language. Define precisely the signature of the language. = defines the “classical” equality relation on E (not easy!); ≤ is a preorder on E; (E, ·) is a monoid.

  60. A correct definition of scope We have defined the scope of a formula Qx ϕ to be ϕ, but is it really the case? Consider for instance ∀x (P(x) → (∃x Q(x))). If the intuitive meaning of the scope of ∀x is to define the formula in which you can replace x by “what you want”, it is false. Using the syntax tree, we can define scope in a better way. Definition (scope): Let Qx ϕ be a wff with Q ∈ {∀, ∃}. The scope of Qx in Qx ϕ is the subtree of Qx in ST(Qx ϕ) minus the subtrees in ST(Qx ϕ) reintroducing a new quantifier for x. With this definition the scope of ∀x in ∀x (P(x) → (∃x Q(x))) is only P(x). N.B. (important) Avoid reintroducing new quantifiers for a previously quantified variable in a wff! For instance, rewrite the previous formula as ∀x (P(x) → (∃y Q(y))), which is unambiguous.

  62. Free and bound variables Definition (free and bound variables): The set BV of bound variables and FV of free variables of a wff ϕ are defined inductively as follows: if ϕ is an atomic formula P(t1, …, tn), then BV(ϕ) = ∅ and FV(ϕ) = { ti | i ∈ {1, …, n} and ti is a variable }; if ϕ ≡ ¬ϕ1 then BV(ϕ) = BV(ϕ1) and FV(ϕ) = FV(ϕ1); if ϕ ≡ ϕ1 conn ϕ2 where conn ∈ {∧, ∨, →, ↔} then BV(ϕ) = BV(ϕ1) ∪ BV(ϕ2) and FV(ϕ) = FV(ϕ1) ∪ FV(ϕ2); if ϕ ≡ Qx ϕ1 where Q ∈ {∀, ∃}, then BV(ϕ) = BV(ϕ1) ∪ {x} and FV(ϕ) = FV(ϕ1) − {x}. Definition (closed formula): A closed formula is a formula ϕ such that FV(ϕ) = ∅.

  63. Free and bound variables: examples In (∃x P(x)) ∧ (∀y ¬Q(y)) ∧ R(z), x and y are bound and z is free. In (∃x P(x)) ∧ Q(x), the x of P(x) is bound and the x of Q(x) is free. N.B. When modelling “real” notions, it is very difficult to use open formulas (i.e. non closed formulas).

  64. Substitutions As variables are placeholders, we should be able to replace them with concrete (or not) terms. Definition (substitution): Let ϕ be a wff, x a variable and t a term. ϕ[x/t] denotes the formula obtained by replacing all free occurrences of x in ϕ by t. Using the syntax tree of ϕ, it means replacing all x nodes by the syntax tree of t. You will sometimes find the “contrary” in some textbooks, i.e. [t/x] meaning “replace x by t”. Examples: P(x)[x/y] ≡ P(y); P(x)[x/x] ≡ P(x); (P(x) → ∀x P(x))[x/y] ≡ (P(y) → ∀x P(x)).

  65. Free substitutions Substitution should preserve validity in semantics. Let us consider ∃y P(x, y). Can x be substituted by y in this formula? ➥ no, as you change the meaning of the formula! (After the substitution, x and y would be the same variable.) Definition (free substitution): A term t is freely substitutable for x in ϕ if: ϕ is an atomic formula; or ϕ ≡ ¬ϕ1 and t is freely substitutable for x in ϕ1; or ϕ ≡ ϕ1 conn ϕ2 where conn ∈ {∧, ∨, →, ↔} and t is freely substitutable for x in ϕ1 and ϕ2; or ϕ ≡ Qy ϕ1 where Q ∈ {∀, ∃}, y is not a variable of t and t is freely substitutable for x in ϕ1.
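Free and bound variables, substitution and the free-substitution check of slides 62 to 65, as an added example (not the course's code), applied to the formulas of those slides, including the capture case ∃y P(x, y)[x/y]. The tuple encoding of terms and formulas is this example's own; variables nested inside function terms are collected too, a generalization of the atomic case on the slide, and the quantifier clause is refined for the case y = x, where nothing is replaced.

```python
# Added example (not from the slides): free/bound variables, substitution phi[x/t]
# and the "freely substitutable" check on the inductive definition of L_FOL.
# Terms: ("var", x), ("const", a), ("fun", f, [args]). Formulas: ("pred", P, [terms]),
# ("not", phi), (conn, phi1, phi2) for conn in CONN, (Q, x, phi) for Q in {"forall", "exists"}.
# Variables nested inside function terms are collected too (generalizing the atomic case).

CONN = {"and", "or", "imp", "iff"}
SYM = {"and": "∧", "or": "∨", "imp": "→", "iff": "↔", "forall": "∀", "exists": "∃"}
V = lambda name: ("var", name)                  # constructors for readable examples
P = lambda name, *args: ("pred", name, list(args))

def term_vars(t):
    """Variables occurring in a term."""
    if t[0] == "var":
        return {t[1]}
    if t[0] == "const":
        return set()
    return set().union(*(term_vars(a) for a in t[2]))

def fv_bv(phi):
    """(FV(phi), BV(phi)) following the inductive definition."""
    kind = phi[0]
    if kind == "pred":
        return set().union(*(term_vars(t) for t in phi[2])), set()
    if kind == "not":
        return fv_bv(phi[1])
    if kind in CONN:
        fv1, bv1 = fv_bv(phi[1])
        fv2, bv2 = fv_bv(phi[2])
        return fv1 | fv2, bv1 | bv2
    fv1, bv1 = fv_bv(phi[2])                    # Qx phi1: x becomes bound
    return fv1 - {phi[1]}, bv1 | {phi[1]}

def subst_term(t, x, s):
    if t[0] == "var":
        return s if t[1] == x else t
    if t[0] == "const":
        return t
    return ("fun", t[1], [subst_term(a, x, s) for a in t[2]])

def subst(phi, x, t):
    """phi[x/t]: replace the free occurrences of x by t (no capture check here)."""
    kind = phi[0]
    if kind == "pred":
        return ("pred", phi[1], [subst_term(a, x, t) for a in phi[2]])
    if kind == "not":
        return ("not", subst(phi[1], x, t))
    if kind in CONN:
        return (kind, subst(phi[1], x, t), subst(phi[2], x, t))
    if phi[1] == x:                             # occurrences of x under Qx are bound: stop
        return phi
    return (kind, phi[1], subst(phi[2], x, t))

def freely_substitutable(phi, x, t):
    """Is t freely substitutable for x in phi, i.e. no variable of t gets captured?"""
    kind = phi[0]
    if kind == "pred":
        return True
    if kind == "not":
        return freely_substitutable(phi[1], x, t)
    if kind in CONN:
        return freely_substitutable(phi[1], x, t) and freely_substitutable(phi[2], x, t)
    y, body = phi[1], phi[2]
    if y == x:                                  # refinement: nothing is replaced under Qx
        return True
    return y not in term_vars(t) and freely_substitutable(body, x, t)

def safe_subst(phi, x, t):
    """phi[x/t], refusing a substitution that would change the meaning (capture)."""
    if not freely_substitutable(phi, x, t):
        raise ValueError(f"{show_term(t)} is not freely substitutable for {x} in {show(phi)}")
    return subst(phi, x, t)

def show_term(t):
    if t[0] in ("var", "const"):
        return t[1]
    return f"{t[1]}({', '.join(show_term(a) for a in t[2])})"

def show(phi):
    """Pretty-print a formula with the slides' notation."""
    kind = phi[0]
    if kind == "pred":
        return f"{phi[1]}({', '.join(show_term(a) for a in phi[2])})"
    if kind == "not":
        return f"¬{show(phi[1])}"
    if kind in CONN:
        return f"({show(phi[1])} {SYM[kind]} {show(phi[2])})"
    return f"{SYM[kind]}{phi[1]} {show(phi[2])}"

# The formulas of the slides, as constructed inputs
EX1 = ("and", ("and", ("exists", "x", P("P", V("x"))), ("forall", "y", ("not", P("Q", V("y"))))), P("R", V("z")))
EX2 = ("and", ("exists", "x", P("P", V("x"))), P("Q", V("x")))
EX3 = ("imp", P("P", V("x")), ("forall", "x", P("P", V("x"))))
EX4 = ("exists", "y", P("P", V("x"), V("y")))

if __name__ == "__main__":
    print(show(EX1), fv_bv(EX1), show(EX2), fv_bv(EX2))
    print(show(subst(EX3, "x", V("y"))), freely_substitutable(EX4, "x", V("y")), show(safe_subst(EX4, "x", V("z"))))
```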


  67. Rules for natural deduction for FOL As PL is a subset of FOL, all rules defined for PL are also valid for FOL. Rules have to be added for quantifiers (x is supposed to be free in A). Definition (intr. and elim. rules for quantifiers):
      (I∀)  from A, infer ∀x A
      (E∀)  from ∀x A, infer A[x/t]
      (I∃)  from A[x/t], infer ∃x A
      (E∃)  from ∃x A and a derivation [A] … B, infer B

  68. Rules for natural deduction for FOL: sequent view Definition (intr. and elim. rules for quantifiers):
      (I∀)  from Γ ⊢ A, infer Γ ⊢ ∀x A   (where x ∉ FV(Γ))
      (E∀)  from Γ ⊢ ∀x A, infer Γ ⊢ A[x/t]
      (I∃)  from Γ ⊢ A[x/t], infer Γ ⊢ ∃x A
      (E∃)  from Γ ⊢ ∃x A, infer Γ ⊢ A[x/f(y1, …, yn)]   (where FV(∃x A) = { yi | i ∈ {1, …, n} })

  69. Let’s prove some formulae! Exercise ✎ Prove the following FOL formulas in NK: (∀x ϕ ∧ ψ) → (∀x ϕ ∧ ∀x ψ); ∃x ∀y ϕ → ∀y ∃x ϕ.

  70. Automatic proof of FOL wffs? We can ask ourselves again if it is possible to build automatically proofs of the previous formulas. Unfortunately, as First-Order Logic is not decidable (but only semi-decidable), it is not possible to automatically prove all the possible theorems of FOL: a prover may run forever on a formula that is not a theorem. The previously presented theorem provers (E, Vampire, SPASS) can nevertheless be used to prove the previous formulas.

  71. Use SPASS on our examples The input file for the first FOL formula:
      begin_problem(fol_1).

      list_of_descriptions.
      name({*(forall x Phi(x) /\ Psi(x)) -> (forall x Phi(x)) /\ (forall x Psi(x))*}).
      author({*Christophe Garion*}).
      status(satisfiable).
      description({*Prove (forall x Phi(x) /\ Psi(x)) -> (forall x Phi(x)) /\ (forall x Psi(x))...*}).
      end_of_list.

      list_of_symbols.
      predicates[(Phi,1), (Psi,1)].
      end_of_list.

      list_of_formulae(conjectures).
      formula(implies(forall([X], and(Phi(X), Psi(X))), and(forall([X], Phi(X)), forall([X], Psi(X))))).
      end_of_list.

      end_problem.

  72. Outline of part 3 - The Floyd-Hoare logic: 8 Imperative programs 9 The Floyd-Hoare deductive system

  74. What kind of program do we want to “prove”? Definition (imperative kernel): The imperative kernel of a programming language is defined by the five following constructs: declaration, assignment, sequence, conditional, loop. Theorem (Böhm-Jacopini, 1966): Algorithms combining subprograms using only the three following control structures can compute any computable function: sequence (denoted by “P;Q”); selection using a boolean expression (denoted by “if C then P else Q fi”); iteration while a boolean condition is true (denoted by “while C do P od”), where P and Q are subprograms and C is a boolean expression. ➥ we will use only those three control structures in the following.

  75. What kind of program do we want to “prove”? Definition (assignment): The assignment operator is denoted by :=. But no declaration operator… ➥ types of variables will be “obvious”. By convention, we will use uppercase latin letters for variable names (X, Y, etc.). Usual operators on integers like +, ∗ etc. are available to build expressions that can be used on the right side of :=. N.B. Expressions used on the right side of := (rvalues) cannot have side effects!

  76. Outline of part 3 - The Floyd-Hoare logic: 8 Imperative programs 9 The Floyd-Hoare deductive system (Rules for partial correctness; Rule for total correctness)

  77. Hoare triple Definition (Hoare triple): A Hoare triple is denoted by {ϕ} P {ψ} where: ϕ is a first-order logic wff called the precondition; P is a program as defined previously; ψ is a first-order logic wff called the postcondition. Intuition: {ϕ} P {ψ} is true iff when starting from a state where ϕ is true, executing P leads to a state where ψ is true. The terms used in ϕ and ψ generally speak about the state of the program.

  78. What do we want to prove? The Hoare triple of a program P is given as a specification of P. Floyd-Hoare logic provides a formal system FH to reason on Hoare triples for each primitive programming construct. So, proving that P is correct wrt. its specifications ϕ and ψ is proving that {ϕ} P {ψ} is a theorem in FH. Hoare, C. A. R. (1969). “An axiomatic basis for computer programming”. In: Communications of the ACM 12.10, pp. 576–580.


  80. Rule for assignment Definition (rule for assignment): (:=) {ϕ[X/E]} X := E {ϕ}. Exercise ✎ Find ϕ such that: {ϕ} X := X + 1 {X = 4}; {ϕ} F := F * K {F = K!}; {ϕ} K := K + 1 {F = (K − 1)!}.
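The assignment rule applied mechanically, as an added example that is not part of the slides: the postcondition is written as a Python expression (= as ==, K! as factorial(K), an encoding chosen here), ϕ[X/E] is computed on its syntax tree, and a random-state check refutes wrong triples (testing only, not a proof). The three exercises of the slide are the constructed inputs.

```python
# Added example (not from the slides): the assignment rule {phi[X/E]} X := E {phi}
# applied mechanically. Postconditions and expressions are Python expressions
# (an encoding chosen here: "=" is "==", K! is factorial(K)); phi[X/E] is
# computed on the syntax tree, so precedence is respected when printing.
import ast
import copy
import math
import random

def precondition(post: str, var: str, expr: str) -> str:
    """phi[X/E]: replace every occurrence of `var` in `post` by the tree of `expr`."""
    e = ast.parse(expr, mode="eval").body

    class Replace(ast.NodeTransformer):
        def visit_Name(self, node):
            return copy.deepcopy(e) if node.id == var else node

    tree = Replace().visit(ast.parse(post, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))

def _names(*sources):
    """Program variables mentioned in the given expressions."""
    found = set()
    for src in sources:
        found |= {n.id for n in ast.walk(ast.parse(src, mode="eval")) if isinstance(n, ast.Name)}
    return found - {"factorial"}

def check_triple(pre: str, var: str, expr: str, post: str, trials=3000, seed=1) -> bool:
    """Sanity-check {pre} var := expr {post} on random small integer states.
    This is testing, not a proof: it can refute a triple, never establish it."""
    rng = random.Random(seed)
    env = {"__builtins__": {}, "factorial": math.factorial}   # no builtins inside eval
    tested = 0
    for _ in range(trials):
        state = {n: rng.randint(0, 6) for n in _names(pre, expr, post)}
        if not eval(pre, env, dict(state)):
            continue                       # precondition false: the triple says nothing
        tested += 1
        state[var] = eval(expr, env, dict(state))   # execute X := E
        if not eval(post, env, dict(state)):
            return False                   # counter-example found
    return tested > 0

# The three exercises of the slide: (X, E, phi) with phi the postcondition
EXERCISES = [("X", "X + 1", "X == 4"),
             ("F", "F * K", "F == factorial(K)"),
             ("K", "K + 1", "F == factorial(K - 1)")]

def solve_exercises():
    """[(phi[X/E], 'X := E', phi)] for the three triples of the slide."""
    return [(precondition(post, var, expr), f"{var} := {expr}", post) for var, expr, post in EXERCISES]

def exercises_pass_check():
    """Every computed precondition survives the random-state check."""
    return all(check_triple(precondition(post, var, expr), var, expr, post) for var, expr, post in EXERCISES)

if __name__ == "__main__":
    for pre, assign, post in solve_exercises():
        print(f"{{ {pre} }} {assign} {{ {post} }}")
    print(exercises_pass_check(), check_triple("X == 4", "X", "X + 1", "X == 4"))
```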
