Today's programme: Programming language PLN - syntax - Limitations of Program Verification - PowerPoint PPT Presentation



1 dBerLog 2007

Today's programme: Limitations of Program Verification

  • To prove fundamental limitations of formalization
    – Program correctness
    – Gödel's incompleteness theorem
  • To analyze and discuss the consequences


Programming language PLN - syntax

  • Constants:
    – natural numbers: 0, 1, 2, ...
    – boolean constants: true, false
  • Con ::= 0, 1, 2, ...
  • Var ::= x, y, z, ...
  • E ::= Con | Var | E + E | E ∗ E | (E)
  • B ::= true | false | ¬B | B ∧ B | B ∨ B | E = E | (B)
  • C ::= x := E | C ; C | if B then C else C | while B do C


PLN specifications syntax

  • A correctness specification of a program C is a Hoare triple of the form

    { φ } C { ψ }

    where φ (precondition) and ψ (postcondition) are first-order predicate logic formulae over variables (including PLN program variables) and constants/functions/predicates interpreted in the model of natural numbers.


Hoare triples - for Fac

Fac:
  y := 1;
  z := 0;
  while ¬(z = x) do
    z := z + 1;
    y := y ∗ z

  • |=par {x > 5} Fac {z = x}
  • |=par {true} Fac {y = x!}

Hoare triples - semantics

  • { φ } C { ψ } is said to be satisfied under partial correctness

|=par { φ } C { ψ } iff for all states s, if N |=s φ, and Sem[C](s) is defined and equal to s’ then N |=s’ ψ

  • { φ } C { ψ } is said to be satisfied under total correctness

|=tot { φ } C { ψ } iff for all states s, if N |=s φ, then Sem[C](s) is defined, and if Sem[C](s) = s’ then N |=s’ ψ


Incompleteness theorem for Hoare triples

  • Theorem

There does not exist any sound and complete proof system for PLN partial correctness specifications in the form of Hoare triples!


Proof system - definition

  • Given a logical language with formulae Φ.
  • A proof system for Φ consists of an alphabet Σ (for writing proofs) and a set of rules, such that for all π in Σ* and all formulae φ ∈ Φ it is decidable whether π is a proof of φ.


Proof system - property

  • Theorem

For any proof system, the set of provable formulae is recursively enumerable


Incompleteness theorem for Hoare triples

  • Theorem

There does not exist any sound and complete proof system for PLN partial correctness specifications in the form of Hoare triples!

  • Proof

SHOW: the set of triples {φ} C {ψ} such that |=par {φ} C {ψ} is NOT recursively enumerable!


Post’s correspondence problem - example

  • List A:          List B:
    α1 = b           β1 = bbb
    α2 = babbb       β2 = ba
    α3 = ba          β3 = a

Solution? YES: 2 1 1 3
  α2 α1 α1 α3 = babbb b b ba = babbbbbba
  β2 β1 β1 β3 = ba bbb bbb a = babbbbbba


Post’s Correspondence Problem PCP

  • PCP instance over alphabet Σ:

    A = {w1, w2, .., wk}   B = {x1, x2, .., xk}   where wi and xi are strings over Σ

  • A,B solution:

    i_0 i_1 … i_{l-1} ∈ {1, 2, .., k}+ such that w_{i_0} w_{i_1} .. w_{i_{l-1}} = x_{i_0} x_{i_1} .. x_{i_{l-1}}


Post’s Correspondence Problem PCP

  • Theorem

The complement of PCP (i.e. the set of PCP instances with no solutions) is not recursively enumerable


Incompleteness theorem for Hoare triples

  • Lemma

The set of triples {φ} C {ψ} such that |=par {φ} C {ψ} is NOT recursively enumerable!

  • Proof: reduction from the complement of PCP

    Given: an instance of PCP, A,B
    Construct: {φA,B} CA,B {ψA,B} such that A,B has NO solution iff |=par {φA,B} CA,B {ψA,B}


Reduction PCP A,B -> CA,B (over strings!)

Given: PCP: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

CA,B:
  let in = i_0 i_1 .. i_{le-1} ∈ {1, 2, .., k}*
  w := Λ; x := Λ; j := le;
  while j > 0 do
    { in = i_0 .. i_{le-1} ∧ w = w_{i_j} .. w_{i_{le-1}} ∧ x = x_{i_j} .. x_{i_{le-1}} }
    j := j - 1;
    w := w_{i_j} • w;
    x := x_{i_j} • x;
  if w = x then skip else loop


Representation of strings as numbers

  • Given a base number b > 1
  • For all v = i_0 i_1 ... i_{n-1} ∈ {0, 1, ..., b-1}* of length n, the b-ary representation of v, numb(v), is defined as

    numb(v) = numb(i_0 i_1 ... i_{n-1}) = i_0∗b^0 + i_1∗b^1 + ... + i_{n-1}∗b^{n-1} = i_0 + b∗numb(i_1 ... i_{n-1})

  • numb: {0, 1, ..., b-1}* → N


Representation of strings as numbers

  num2(1001) = 1∗2^0 + 0∗2^1 + 0∗2^2 + 1∗2^3 = 9
  num3(102) = 1∗3^0 + 0∗3^1 + 2∗3^2 = 19


Representation of strings as numbers

  • Given a base number b > 1
  • For any n ∈ N, let

    repb(n) = Λ                            if n = 0
    repb(n) = rem(n,b) • repb(div(n,b))    if n > 0

    where n = rem(n,b) + b∗div(n,b) and 0 ≤ rem(n,b) < b

  • repb: N → {Λ} ∪ {0, 1, ..., b-1}*{1, ..., b-1}
  • repb: N → Nb (notation)


Representation of strings as numbers

  rep2(6) = 0 • rep2(3) = 0 • (1 • rep2(1)) = 0 • (1 • 1) = 011
  rep3(11) = 2 • rep3(3) = 2 • (0 • rep3(1)) = 2 • (0 • 1) = 201


Representation of strings as numbers

  • Propositions

    For all b > 1:
    – For all n ∈ N, numb(repb(n)) = n
    – For all w ∈ Nb, repb(numb(w)) = w

    i.e. numb and repb are bijections between N and Nb!


Representation of strings as numbers

  • Propositions

    – For all n, i ∈ N with 0 ≤ i < |repb(n)|, the (unique) i'th digit in repb(n) is rem(div(n, b^i), b)
    – For all v, w ∈ Nb, numb(vw) = numb(v) + numb(w) ∗ b^|v|

  • Question

Can the operations above be computed in PLN?
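As an added example (not from the slides), the coding numb / repb above written in Python, with the digit-selection and concatenation propositions as checkable functions; the names numb, repb, digit, concat_numb, is_in_nb and bijection_holds are my own:

```python
# Added example, not from the slides: the string/number coding numb and rep_b,
# with the propositions of the slides as checkable functions.

def numb(s, b):
    """numb(i0 i1 ... i(n-1)) = i0 + b * numb(i1 ... i(n-1)); digit i0 is least significant."""
    if s == "":                    # numb(Λ) = 0
        return 0
    return int(s[0]) + b * numb(s[1:], b)

def repb(n, b):
    """rep_b(n) = Λ if n = 0, else rem(n,b) • rep_b(div(n,b)); never ends in a 0 digit."""
    if n == 0:
        return ""
    return str(n % b) + repb(n // b, b)

def digit(n, i, b):
    """The i'th digit of rep_b(n), obtained arithmetically as rem(div(n, b^i), b)."""
    return (n // b ** i) % b

def concat_numb(v, w, b):
    """numb(vw) computed through the proposition numb(vw) = numb(v) + numb(w) * b^|v|."""
    return numb(v, b) + numb(w, b) * b ** len(v)

def is_in_nb(s, b):
    """Membership in N_b: Λ, or a string of digits below b whose last digit is not 0."""
    return s == "" or (all(0 <= int(d) < b for d in s) and s[-1] != "0")

def bijection_holds(b, limit):
    """Both round-trip propositions, checked for all n < limit and the strings rep_b(n)."""
    for n in range(limit):
        s = repb(n, b)
        if not is_in_nb(s, b) or numb(s, b) != n or repb(numb(s, b), b) != s:
            return False
    return True
```

The last assertion of the test shows why N_b excludes strings ending in 0: "0110" and "011" code the same number, so only one of them can be rep_2(6).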


PLN macros

  • ”x := monus(m, n)”

    where monus(m, n) = m - n if m > n, and 0 otherwise,

    can be computed in PLN by:
      x := 0; y := 0;
      while ¬(y = m ∨ y = n) do y := y + 1;
      while ¬(y = m) do
        y := y + 1; x := x + 1


PLN macros

  • ”m ≤ n”

can be computed in PLN by: monus (m, n) = 0

  • ”m > n”

can be computed in PLN by: ¬(monus (m, n) = 0)


PLN macros

  • ”d := div(m, n)” (integer division of m by n, where n ≠ 0)
  • ”r := rem(m, n)” (remainder of integer division of m by n, n ≠ 0)
  • (m = d∗n + r, where 0 ≤ r < n)

    can be computed in PLN by:
      d := 0;
      while ((d + 1)∗n ≤ m) do d := d + 1;
      r := monus(m, d∗n)


PLN macros

  • ”x := m ↑ n” (”m to the power n”)

    can be computed in PLN by:
      x := 1; y := 0;
      while ¬(y = n) do
        x := x∗m; y := y + 1
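As an added example (not from the slides), the four macros above written as Python functions restricted to what PLN offers (natural-number constants, +, ∗, =, the boolean connectives, assignment, if and while), each built only from the macros before it; the names le, gt, div_rem and power are my own:

```python
# Added example, not from the slides: the PLN macros as Python functions that
# use only PLN's own means.  Subtraction, comparison, division and
# exponentiation are never used directly; each is built from the earlier macro.

def monus(m, n):
    """monus(m,n) = m - n if m > n, else 0.  The first loop advances y to min(m,n);
    the second counts how much further m lies."""
    x = 0
    y = 0
    while not (y == m or y == n):
        y = y + 1
    while not (y == m):
        y = y + 1
        x = x + 1
    return x

def le(m, n):
    """m ≤ n  iff  monus(m, n) = 0."""
    return monus(m, n) == 0

def gt(m, n):
    """m > n  iff  ¬(monus(m, n) = 0)."""
    return not (monus(m, n) == 0)

def div_rem(m, n):
    """d := div(m, n); r := rem(m, n) for n ≠ 0, so that m = d*n + r and 0 ≤ r < n.
    With n = 0 the loop never ends, exactly as the PLN program would."""
    d = 0
    while le((d + 1) * n, m):
        d = d + 1
    r = monus(m, d * n)
    return d, r

def power(m, n):
    """x := m ↑ n by repeated multiplication."""
    x = 1
    y = 0
    while not (y == n):
        x = x * m
        y = y + 1
    return x
```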


Incompleteness theorem for Hoare triples

Given: PCP over Σ: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}   where Σ = {1, 2, .., |Σ|}

Construct: φA,B, ψA,B and CA,B such that PCP has NO solution iff |=par {φA,B} CA,B {ψA,B} (i.e. iff CA,B diverges for all initial states)


Reduction PCP A,B -> CA,B - intuition

  • Given a number in (input)
    – Convert in to a string of small numbers repb(in)
    – View this string as a potential solution to PCP A,B
    – Construct (the numb-versions of) the corresponding concatenation of A- and B-strings
    – Check for equality of these numbers
  • If equal: terminate, if not: loop!
  • Claim: this algorithm terminates for some input iff A,B has a solution!


Reduction PCP A,B -> CA,B

  • Given PCP A = {w1, w2, .., wk}   B = {x1, x2, .., xk} over Σ = {1, 2, .., |Σ|} !!!!
  • Compute base number b = max{k, |Σ|} + 1 and the constants numb(wi) and numb(xi), |wi| and |xi|


PLN shorthand notation

  • ”skip”

shorthand for ”y := y”

  • ”loop”

shorthand for ”while true do skip”


Reduction PCP A,B -> CA,B

Given: PCP: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

CA,B:
  if in = 0 then loop;
  j := 1;
  while div(in, b^j) > 0 do j := j + 1;
  w := 0; x := 0;
  while j > 0 do
    { repb(in) = i_0 .. i_{le-1} ∧ w = numb(w_{i_j} .. w_{i_{le-1}}) ∧ x = numb(x_{i_j} .. x_{i_{le-1}}) }
    j := j - 1;
    i := rem(div(in, b^j), b);
    if i = 1 then w := numb(w1) + w∗(b↑|w1|); x := numb(x1) + x∗(b↑|x1|)
    else ........
    if i = k then w := numb(wk) + w∗(b↑|wk|); x := numb(xk) + x∗(b↑|xk|)
    else loop
  if w = x then skip else loop


Reduction PCP A,B -> CA,B

Example: PCP: A = {12, 2} B = {1, 22} CA,B: ??


Reduction PCP A,B -> CA,B

Example: PCP: A = {12, 2}   B = {1, 22}   (k = 2, |Σ| = 2, so b = 3)

CA,B:
  if in = 0 then loop;
  j := 1;
  while div(in, 3^j) > 0 do j := j + 1;
  w := 0; x := 0;
  while j > 0 do
    j := j - 1;
    i := rem(div(in, 3^j), 3);
    if i = 1 then w := 7 + w∗(3↑2); x := 1 + x∗(3↑1)
    else if i = 2 then w := 2 + w∗(3↑1); x := 8 + x∗(3↑2)
    else loop
  if w = x then skip else loop


Incompleteness theorem for Hoare triples

  • Claim:

A,B has solution iff CA,B terminates for some input
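As an added example (not part of the slides), a Python simulation of CA,B for a general PCP instance, run on the slides' instance A = {12, 2}, B = {1, 22}; build_c_ab and terminating_inputs are my own names, and "loop" is reported as None instead of actually diverging, so the claim above can be checked on a bounded range of inputs:

```python
# Added example, not from the slides: a Python simulation of the PLN program
# C_{A,B} built from a PCP instance A, B over Σ = {1, .., |Σ|}.  "loop" is
# reported as None instead of actually diverging, so the claim
# "A,B has a solution iff C_{A,B} terminates for some input" can be checked
# on a bounded range of inputs.

def numb(s, b):
    """Little-endian base-b value of a digit string (digit i0 is least significant)."""
    return sum(int(d) * b ** i for i, d in enumerate(s))

def build_c_ab(A, B, sigma):
    """Return a function simulating C_{A,B}; sigma = |Σ|, b = max{k, |Σ|} + 1 as on the slide."""
    k = len(A)
    b = max(k, sigma) + 1
    nw = [numb(s, b) for s in A]        # the constants numb(w_i)
    nx = [numb(s, b) for s in B]        # the constants numb(x_i)

    def c_ab(inp):
        if inp == 0:                    # if in = 0 then loop
            return None
        j = 1                           # j := |rep_b(in)|
        while inp // b ** j > 0:
            j += 1
        w = x = 0
        while j > 0:                    # digits i_{le-1}, ..., i_0, each word prepended
            j -= 1
            i = (inp // b ** j) % b     # i := rem(div(in, b^j), b)
            if not 1 <= i <= k:         # digit 0 or above k: no branch applies, loop
                return None
            w = nw[i - 1] + w * b ** len(A[i - 1])
            x = nx[i - 1] + x * b ** len(B[i - 1])
        return w if w == x else None    # if w = x then skip else loop

    return c_ab

def terminating_inputs(A, B, sigma, bound):
    """Inputs below bound on which C_{A,B} terminates; non-empty iff a solution is coded below bound."""
    c_ab = build_c_ab(A, B, sigma)
    return [n for n in range(bound) if c_ab(n) is not None]

# Constructed from the slides' example: A = {12, 2}, B = {1, 22} over Σ = {1, 2}, so b = 3.
A, B = ["12", "2"], ["1", "22"]
```

Input 7 has rep_3(7) = 12, i.e. the index sequence 1 2, and both sides build the string 122 (numb = 25); every smaller input either contains the digit 0 or builds unequal strings.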


Hoare proof rules if and while

  {φ ∧ B} C1 {ψ}    {φ ∧ ¬B} C2 {ψ}
  ---------------------------------- If-rule
  {φ} if B then C1 else C2 {ψ}

  {ψ ∧ B} C {ψ}
  ---------------------------------- While-rule
  {ψ} while B do C {ψ ∧ ¬B}


A proof of Euclid’s gcd algorithm

{ m = m0 ≥ 1 ∧ n = n0 ≥ 1 }
while ¬(m = n) do
  { gcd(m,n) = gcd(m0, n0) }
  if m > n then m := m - n else n := n - m;
{ m = gcd(m0, n0) }
r := m
{ r = gcd(m0, n0) }

The instance of the While-rule used:

  {gcd(m,n) = gcd(m0, n0) ∧ ¬(m = n)} if m > n then m := m - n else n := n - m; {gcd(m,n) = gcd(m0, n0)}
  ------------------------------------------------------------------------------------------------------ While-rule
  {gcd(m,n) = gcd(m0, n0)} while ... {gcd(m,n) = gcd(m0, n0) ∧ ¬¬(m = n)}


A proof of Euclid’s gcd algorithm

Proof obligations (Comp rule):

  |-N  m = m0 ≥ 1 ∧ n = n0 ≥ 1  →  gcd(m,n) = gcd(m0,n0)
  |-N  gcd(m,n) = gcd(m0,n0) ∧ ¬¬(m = n)  →  m = gcd(m0, n0)


Hoare proof rules - implied

  |-N φ’ → φ    {φ} C {ψ}    |-N ψ → ψ’
  -------------------------------------- Impl-rule
  {φ’} C {ψ’}

NOTE: We assume here that we have some underlying extension of the proof system for predicate logic, in which we prove formulae of the form φ’ → φ valid for N - the model of natural numbers!!!!


A simple N vocabulary

  • Let N↑ be the predicate logic interpretation with
    – natural numbers as the universe of values,
    – constants 0, 1
    – function symbols +, ×, and ↑
    – predicate symbol =

    all interpreted ”as usual”


Peano proof rules

  ∀n. ¬(n = n+1)
  ∀m ∀n. (m+1 = n+1) → (m = n)
  ∀n. n+0 = n
  ∀m ∀n. m+(n+1) = (m+n) + 1
  ∀n. n∗0 = 0
  ∀m ∀n. m∗(n+1) = (m∗n) + m
  ∀n. n↑0 = 1
  ∀m ∀n. m↑(n+1) = (m↑n) ∗ m

  Induction rule:
    ϕ(0)    ∀n. (ϕ(n) → ϕ(n+1))
    ----------------------------
    ∀n. ϕ(n)


Incompleteness of Peano axioms

∀n. ((¬(n = 0)) → ∃m. (n = m+1)) can NOT be shown in Peano’s proof system


Gödel’s incompleteness theorem

  • There does not exist any sound and complete proof system for the model of natural numbers N↑ with constants 0, 1, function symbols +, ∗, ↑, and predicate symbol =
  • Proof

SHOW: The set {φ | N↑ |= φ} is NOT recursively enumerable!


Gödel’s incompleteness theorem

  • Lemma: The set {φ | N↑ |= φ} is NOT recursively enumerable!
  • Proof: reduction from the complement of PCP

    Given: an instance of PCP: A,B
    Construct: φA,B such that A,B has NO solution iff N↑ |= φA,B


Gödel’s incompleteness theorem

Given: PCP over Σ: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

Compute:
  b > max{k, |Σ|} + 1
  max = max{|wi|, |xi| | 1 ≤ i ≤ k}
  and for 1 ≤ i ≤ k: numb(wi), |wi|, numb(xi), |xi|


Reduction PCP A,B -> ψA,B

Given: PCP: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

ψA,B : ∃le. ∃m. (le ≥ l) ∧ (m ≥ le∗max) ∧ ∃w, x. FIRST(m,w,x) ∧ NEXT(le,m,w,x) ∧ LAST(le,m,w,x)


N↑ expressiveness

  • ”m ≥ n”

may be expressed as ”∃ a. (m = n + a)”

  • ”m > n”

may be expressed as ”(m ≥ n ∧ ¬(m = n))”


Operations on strings in arithmetic

  • Assume n = numb(i_0 i_1 ... i_j ...)

    div(n, b^j) = numb(i_j i_{j+1} ...)
    rem(n, b^j) = numb(i_0 i_1 ... i_{j-1})
    sel(n, j, k) = rem(div(n, b^j), b^k) = numb(i_j i_{j+1} ... i_{j+k-1})


N↑ expressiveness

  • ”div(m, n) = d” (d is the integer division of m by n)

    may be expressed as ”∃r. (m = n∗d + r ∧ r < n)”

  • ”rem(m, n) = r” (r is the remainder of the integer division of m by n)

    may be expressed as ”m = n∗div(m, n) + r”

  • ”selb(m, j, k)” (the number represented by the k digits starting from digit j in repb(m)0*, i.e. repb(m) followed by as many 0 digits as needed)

    may be expressed as ”selb(m, j, k) = rem(div(m, b↑j), b↑k)”


Reduction PCP A,B -> ψA,B

Given: PCP: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

ψA,B : ∃le. ∃m. (le ≥ l) ∧ (m ≥ le∗max) ∧ ∃w, x. FIRST(m,w,x) ∧ NEXT(le,m,w,x) ∧ LAST(le,m,w,x)

  FIRST(m,w,x):    selb(w, 0, m) = 0 ∧ selb(x, 0, m) = 0
  LAST(le,m,w,x):  selb(w, m∗le, m) = selb(x, m∗le, m)

Reduction PCP A,B -> ψA,B

Given: PCP: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

  NEXT(le,m,w,x): ∀j. ((0 ≤ j ∧ j < le) → ∃i. (1 ≤ i ∧ i ≤ k ∧ MATCH(m,w,x,j,i)))

  MATCH(m,w,x,j,i):
    (i = 1 → selb(w, (j+1)∗m, m) = numb(w1) + selb(w, j∗m, m) ∗ b^|w1|
           ∧ selb(x, (j+1)∗m, m) = numb(x1) + selb(x, j∗m, m) ∗ b^|x1|)
    ∧ .......
    ∧ (i = k → selb(w, (j+1)∗m, m) = numb(wk) + selb(w, j∗m, m) ∗ b^|wk|
           ∧ selb(x, (j+1)∗m, m) = numb(xk) + selb(x, j∗m, m) ∗ b^|xk|)


Reduction PCP A,B -> ψA,B

Given: PCP: A = {w1, w2, .., wk}   B = {x1, x2, .., xk}

CLAIM: A,B has NO solution iff N↑ |= φA,B (= ¬ψA,B)

i.e.

A,B HAS a solution iff N↑ |= ψA,B
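As an added example (not from the slides), the matrix FIRST ∧ NEXT ∧ LAST of ψA,B evaluated in Python for concrete witness values le, m, w, x, on the slides' instance A = {12, 2}, B = {1, 22} with b = 4; psi_matrix, match and witness are my own names, and the slide's lower bound "le ≥ l" is taken here as le ≥ 1:

```python
# Added example, not from the slides: the matrix FIRST ∧ NEXT ∧ LAST of psi_{A,B}
# evaluated for concrete witness values, using the arithmetic string operations
# numb and sel_b of the slides.  The quantifier-free part is decidable; what is
# not r.e. is the existence of le, m, w, x.

def numb(s, b):
    """Little-endian base-b value of a digit string (digit i0 is least significant)."""
    return sum(int(d) * b ** i for i, d in enumerate(s))

def selb(n, j, k, b):
    """sel_b(n, j, k) = rem(div(n, b^j), b^k): the k digits of rep_b(n) from digit j."""
    return (n // b ** j) % b ** k

def match(A, B, b, m, w, x, j, i):
    """MATCH(m,w,x,j,i): block j+1 is word i prepended (numb-wise) to block j, for w and x."""
    wi, xi = A[i - 1], B[i - 1]
    return (selb(w, (j + 1) * m, m, b) == numb(wi, b) + selb(w, j * m, m, b) * b ** len(wi)
            and selb(x, (j + 1) * m, m, b) == numb(xi, b) + selb(x, j * m, m, b) * b ** len(xi))

def psi_matrix(A, B, b, le, m, w, x):
    """FIRST ∧ NEXT ∧ LAST for given le, m, w, x; le ≥ 1 assumed for the slide's 'le ≥ l'."""
    k = len(A)
    first = selb(w, 0, m, b) == 0 and selb(x, 0, m, b) == 0
    nxt = all(any(match(A, B, b, m, w, x, j, i) for i in range(1, k + 1)) for j in range(le))
    last = selb(w, m * le, m, b) == selb(x, m * le, m, b)
    return le >= 1 and first and nxt and last

def witness(A, B, b, seq):
    """Build (le, m, w, x) from an index sequence: block j of w (resp. x) holds numb of
    the string built so far.  Words are prepended in the order of seq, so the final
    string is A[seq[-1]] ... A[seq[0]]: a PCP solution read backwards is a witness."""
    mx = max(len(s) for s in A + B)
    le, m = len(seq), len(seq) * mx          # m >= le*max digits per block, as on the slide
    w = x = 0                                # block 0 of both is 0 (FIRST)
    bw = bx = 0
    for j, i in enumerate(seq):
        bw = numb(A[i - 1], b) + bw * b ** len(A[i - 1])
        bx = numb(B[i - 1], b) + bx * b ** len(B[i - 1])
        w += bw * b ** ((j + 1) * m)
        x += bx * b ** ((j + 1) * m)
    return le, m, w, x

# Constructed from the slides' instance A = {12, 2}, B = {1, 22}: k = 2, |Σ| = 2,
# so b > max{k, |Σ|} + 1 gives b = 4.
A, B, b = ["12", "2"], ["1", "22"], 4
```

For the sequence 2 1 the blocks of w and x are 0, 2, 41 and 0, 10, 41 (41 = numb(122) in base 4), so FIRST, NEXT and LAST all hold; for 1 2 the last blocks are numb(212) = 38 and numb(221) = 26, so LAST fails.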


Exercises

  • All exercises in the following refer to the note Limitations of Program Verification [LiProVer07]
  • Describe representations of numbers
    – [LiProVer07] 2 (p 16), 3, 4 (p 17): understanding number representations
    – [LiProVer07] 9 (p 23): understanding selection predicate
  • Prove limitations of formalization
    – [LiProVer07] 5, 6, 8 (p 21): understanding the reduction to Hoare specifications
    – [LiProVer07] 10 (p 27): understanding the reduction to predicate logic over the natural numbers


dBerLog Compulsory Assignments 2007

  • Write manuscripts for a 15-minute exam presentation for each of the two exam questions: Computability and Logic
  • 2-3 pages each
  • dBerLog curriculum follows from dBerLog home page - Weekly Schedules (and Final Exam)
  • Second assignment: Logic
  • Hand in to your tutor no later than Wednesday October 10!

OBS: HARD DEADLINE!!!!!