Theorem Proving for Verification John Harrison Intel Corporation Galois talk (repeat of CAV tutorial) Portland 16th September 2008 (10:30 – 12:00) 0
Formal verification Formal verification: mathematically prove the correctness of a design with respect to a mathematical formal specification . Actual requirements ✻ Formal specification ✻ Design model ✻ Actual system 1
Essentials of formal verification The basic steps in formal verification: • Formally model the system • Formalize the specification • Prove that the model satisfies the spec But what formalism should be used? 2
Some typical formalisms • Propositional logic, a.k.a. Boolean algebra • Temporal logic (CTL, LTL etc.) • Quantifier-free combinations of first-order arithmetic theories • Full first-order logic • Higher-order logic or first-order logic with arithmetic or set theory 3
Expressiveness vs. automation There is usually a roughly inverse relationship: The more expressive the formalism, the less the ‘proof’ is amenable to automation. For the simplest formalisms, the proof can be so highly automated that we may not even think of it as ‘theorem proving’ at all. The most expressive formalisms have a decision problem that is not decidable, or even semidecidable. 4
Logical syntax English Formal ⊥ false ⊤ true not p ¬ p p and q p ∧ q p or q p ∨ q p implies q p ⇒ q p iff q p ⇔ q for all x , p ∀ x. p ∃ x. p there exists x such that p 5
Propositional logic Formulas built up from atomic propositions (Boolean variables) and constants ⊥ , ⊤ using the propositional connectives ¬ , ∧ , ∨ , ⇒ and ⇔ . No quantifiers or internal structure to the atomic propositions. 6
Propositional logic Formulas built up from atomic propositions (Boolean variables) and constants ⊥ , ⊤ using the propositional connectives ¬ , ∧ , ∨ , ⇒ and ⇔ . No quantifiers or internal structure to the atomic propositions. A formula is a tautology if it is true for all assignments of truth values to the atomic propositions, e.g. p ∨ ¬ p or ¬ ( p ∧ q ) ⇔ ¬ p ∨ ¬ q . A formula is satisfiable if it is true for some assignment of truth values to the atomic propositions. Note that p is a tautology iff ¬ p is unsatisfiable. 7
Expressiveness of propositional logic Propositional logic seems inexpressive but: • Combinational logic circuits can be considered as Boolean formulas, and circuit equivalence as tautology/satisfiability testing • Finite unfolding of sequential circuits or finite-state transition systems can be modelled using Boolean variables • Many other arithmetical and combinatorial problems can be encoded in Boolean terms, e.g. primality testing, scheduling, planning. The last item is a ‘practical’ counterpart to the theoretical significance of [co-]NP-complete problems. 8
Decision problem for propositional logic Tautology/satisfiability checking is certainly decidable in exponential time, because we can examine all assignments of truth-values to the Boolean variables. Unless P = NP , there is no polynomial-time decision procedure. Algorithms like Davis-Putnam-Loveland-Logemann (DPLL) and St˚ almarck’s method are often surprisingly good in practice. Embodied in highly tuned ‘SAT solver’ implementations, these have made a big impact, in formal verification and elsewhere. 9
First-order logic Object-denoting terms built up from variables and constants denoting objects using function symbols, e.g. x + 1 or f ( x ) . Atomic formulas are now built up by applying relations to terms, e.g. x + 1 < 2 · y or R ( f ( x ) , g ( y )) . Can quantify over object-level variables, e.g. ∀ x. ∃ y. loves ( x, y ) or ∃ y. ∀ x. loves ( x, y ) . 10
First-order logic Object-denoting terms built up from variables and constants denoting objects using function symbols, e.g. x + 1 or f ( x ) . Atomic formulas are now built up by applying relations to terms, e.g. x + 1 < 2 · y or R ( f ( x ) , g ( y )) . Can quantify over object-level variables, e.g. ∀ x. ∃ y. loves ( x, y ) or ∃ y. ∀ x. loves ( x, y ) . The first-order means that we can’t quantify over functions or relations, e.g. ∃ loves . ∀ x. ∃ y. loves ( x, y ) . A formula is valid when it holds for all interpretations , i.e. ways of interpreting the domain of objects as D � = ∅ , constants as elements of D , function symbols as functions D n → D and relations as subsets of D n , and valuations of the variables as elements of D . 11
First-order validity There is no ‘naive’ algorithm for first-order validity, because we’d need to check all possible sets D , including infinite ones. In fact, first-order validity is undecidable (Church/Turing). 12
First-order validity There is no ‘naive’ algorithm for first-order validity, because we’d need to check all possible sets D , including infinite ones. In fact, first-order validity is undecidable (Church/Turing). On the other hand, it is semidecidable (r.e.), i.e. there are search algorithms that will in principle confirm that a valid formula is valid, but may run forever on invalid formulas. • Tableaux • Resolution In practice, these can seldom solve ‘interesting’ problems in a practical time. Some notable successes such as McCune’s solution of the Robbins conjecture. 13
One interpretations versus all interpretations We are often more interested in whether a formula holds in some particular interpretation or particular class of interpretations. This is a very different problem, and it may be easier or harder than validity in all interpretations. Consider first-order arithmetic formulas, using constants 0 and 1 , function symbols + , − and · , and relation symbols = , ≤ , < . ∀ x. x = y ⇒ x = y holds in all interpretations ∀ x. x + x = 2 x holds in obvious arithmetic interpretations, but not all interpretations. ∀ x. x ≥ 0 ⇒ ∃ y. x = y 2 holds in R but not in Z . 14
Different decision problems Whether a first-order formula in the language of arithmetic: • Holds in all interpretations: semidecidable (like first-order logic in general) 15
Different decision problems Whether a first-order formula in the language of arithmetic: • Holds in all interpretations: semidecidable (like first-order logic in general) • Holds in R : decidable (Tarski’s quantifier elimination for real-closed fields) 16
Different decision problems Whether a first-order formula in the language of arithmetic: • Holds in all interpretations: semidecidable (like first-order logic in general) • Holds in R : decidable (Tarski’s quantifier elimination for real-closed fields) • Holds in all (ordered) rings: semidecidable (reduces to first-order validity; not decidable by interpretation) 17
Different decision problems Whether a first-order formula in the language of arithmetic: • Holds in all interpretations: semidecidable (like first-order logic in general) • Holds in R : decidable (Tarski’s quantifier elimination for real-closed fields) • Holds in all (ordered) rings: semidecidable (reduces to first-order validity; not decidable by interpretation) • Holds in Z : not even semidecidable (G¨ odel’s theorem, or Tarski’s theorem on the undecidability of truth). 18
Restricted decision problems Some natural restrictions on undecidable problems can yield decidability: • Although it’s not even semidecidable if an arithmetic formula holds in Z , it is decidable whether a purely linear formula does. (Formulas only involve multiplication by constants: Presburger arithmetic.) • Although it’s undecidable whether a formula holds in all rings, it is decidable for purely universally quantified formulas. (This is effectively the ‘word problem’ for rings and can be solved with a variant of Gr¨ obner bases.) These restricted fragments are often enough for practical problems. 19
Quantifier elimination Some formulas involving quantifiers are equivalent to a quantifier-free one for some interpretation or class of interpretations: • ( ∃ x. ax 2 + bx + c = 0) ⇔ a � = 0 ∧ b 2 ≥ 4 ac ∨ a = 0 ∧ ( b � = 0 ∨ c = 0) in R • ( ∀ x. x < a ⇒ x < b ) ⇔ a ≤ b in all interpretations where < is a dense total order. 20
Quantifier elimination Some formulas involving quantifiers are equivalent to a quantifier-free one for some interpretation or class of interpretations: • ( ∃ x. ax 2 + bx + c = 0) ⇔ a � = 0 ∧ b 2 ≥ 4 ac ∨ a = 0 ∧ ( b � = 0 ∨ c = 0) in R • ( ∀ x. x < a ⇒ x < b ) ⇔ a ≤ b in all interpretations where < is a dense total order. For some classes of formulas we can find algorithmically for any formula a counterpart that is quantifier-free and equivalent in the class of interpretations: quantifier elimination . For example, arithmetic formulas over R , linear arithmetic formulas over Z (adding new ‘divisibility by d ’ relations to the language). 21
Combining decision procedures Even hitherto decidable fragments like Presburger arithmetic become undecidable if we combine with other function or relation symbols. With one unary function symbol we can characterize squaring; ( ∀ n.f ( − n ) = f ( n )) ∧ f (0) = 0 ∧ ( ∀ n. 0 ≤ n ⇒ f ( n +1) = f ( n )+ n + n +1) and then multiplication by m = n · p ⇔ ( n + p ) 2 = n 2 + p 2 + 2 m 22
Recommend
More recommend
