CS156: The Calculus of Computation
Zohar Manna
Winter 2010

Lecturer: Zohar Manna (manna@cs.stanford.edu)
TAs: Gary Soedarsono (gary503@stanford.edu)
Office Hours: M 3:00-4:00 Gates B26B, T 4:00-6:00 Gates B26A

Calculus of Computation?
"It is reasonable to hope that the relationship between computation and mathematical logic will be as fruitful in the next century as that between analysis and physics in the last. The development of this relationship demands a concern for both applications and mathematical elegance."
John McCarthy, A Basis for a Mathematical Theory of Computation, 1963

Grading
◮ Homeworks (40%)
  ◮ weekly (8 in total)
  ◮ no late assignments
  ◮ no collaboration
◮ Final Exam (60%)
  ◮ open book and notes
  ◮ date: Monday, March 15th, 8:30-11:30 a.m.

Textbook
The Calculus of Computation: Decision Procedures with Applications to Verification
by Aaron Bradley and Zohar Manna, Springer 2007
There are two copies in the CS-Math Library; you can also read the book through socrates.stanford.edu, according to its policy.

Coverage
◮ Skip * sections
◮ Skip Chapters 6 and 12 of the book
◮ Skip complexity remarks

Website
◮ cs156.stanford.edu
Topics: Overview
1. First-Order logic
2. Specification and verification
3. Satisfiability decision procedures

Part I: Foundations
1. Propositional Logic
2. First-Order Logic
3. First-Order Theories
4. Induction
5. Program Correctness: Mechanics
   Inductive assertion method, Ranking function method

Part II: Decision Procedures
7. Quantified Linear Arithmetic
   Quantifier elimination for integers and rationals
8. Quantifier-Free Linear Arithmetic
   Linear programming for rationals
9. Quantifier-Free Equality and Data Structures
10. Combining Decision Procedures
   Nelson-Oppen combination method
11. Arrays
   More than quantifier-free fragment
Motivation

Motivation I
Decision procedures are algorithms to decide formulae. These formulae can arise
◮ in software verification,
◮ in hardware verification.

Consider the following program:

  for @ ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)
    (int i := ℓ; i ≤ u; i := i + 1) {
    if (a[i] = e) rv := true;
  }

How can we decide whether the formula is a loop invariant?

Motivation II
Prove:
  assume ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)
  assume i ≤ u
  assume a[i] ≠ e
  i := i + 1
  @ ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)

Motivation III
  assume ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)
  assume i ≤ u
  assume a[i] = e
  rv := true;
  i := i + 1
  @ ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)

A Hoare triple {P} S {Q} holds iff P → wp(S, Q) (wp denotes "weakest precondition").
Motivation IV
For assignments wp is computed by substitution:
  assume ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)
  assume i ≤ u
  assume a[i] = e
  rv := true;
  i := i + 1
  @ ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e)

Substituting ⊤ for rv and i + 1 for i, the postcondition (denoted by the @ symbol) holds if and only if:
  ℓ ≤ i ≤ u ∧ (rv ↔ ∃j. ℓ ≤ j < i ∧ a[j] = e) ∧ i ≤ u ∧ a[i] = e
  → ℓ ≤ i + 1 ≤ u ∧ (⊤ ↔ ∃j. ℓ ≤ j < i + 1 ∧ a[j] = e)

Motivation V
We need an algorithm that decides whether this formula holds. If the formula does not hold, the algorithm should give a counterexample; e.g.,
  ℓ = 0, i = 1, u = 1, rv = false, a[0] = 0, a[1] = 1, e = 1.
We will discuss such algorithms in later lectures.

Chapter 1: Propositional Logic (PL)

PL Syntax
Atom: truth symbols ⊤ ("true") and ⊥ ("false"); propositional variables P, Q, R, P1, Q1, R1, ...
Literal: atom α or its negation ¬α
Formula: literal or application of a logical connective to formulae F, F1, F2:
  ¬F         "not" (negation)
  F1 ∧ F2    "and" (conjunction)
  F1 ∨ F2    "or" (disjunction)
  F1 → F2    "implies" (implication)
  F1 ↔ F2    "if and only if" (iff)
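The wp-by-substitution step of Motivation IV and the counterexample of Motivation V, worked in code. This is an added example, not code from the slides: the tuple syntax for terms and formulas, the names subst/wp/ev, and the spelling 'l' for ℓ are all assumptions of the example.

```python
# Added example, not code from the slides: wp of assignments by substitution,
# applied to the path in Motivation IV, then checked against the counterexample
# of Motivation V. Syntax (constructed): int/bool literal, str variable, or a
# tuple (op, args...) with ops '+', '<=', '<', '=', 'not', 'and', 'implies',
# 'iff', 'select' (array read a[j]) and ('exists', 'j', body).

def subst(f, x, e):
    """f[e/x]: replace free occurrences of variable x in f by term e."""
    if isinstance(f, str):
        return e if f == x else f
    if not isinstance(f, tuple):
        return f
    if f[0] == 'exists':                      # never touch a bound variable
        return f if f[1] == x else ('exists', f[1], subst(f[2], x, e))
    return (f[0],) + tuple(subst(a, x, e) for a in f[1:])

def wp(program, Q):
    """wp of a straight-line list of ('assume', c) / ('assign', x, e) w.r.t. Q:
    wp(x := e, Q) = Q[e/x] and wp(assume c, Q) = c -> Q, applied back to front."""
    for stmt in reversed(program):
        Q = subst(Q, stmt[1], stmt[2]) if stmt[0] == 'assign' else ('implies', stmt[1], Q)
    return Q

def ev(f, I):
    """Truth value of f under interpretation I (arrays are Python lists; an
    existential ranges over the array indices, which suffices for this VC)."""
    if isinstance(f, (int, bool)): return f
    if isinstance(f, str): return I[f]
    op = f[0]
    if op == 'exists':
        return any(ev(f[2], {**I, f[1]: j}) for j in range(len(I['a'])))
    if op == 'not': return not ev(f[1], I)
    a, b = ev(f[1], I), ev(f[2], I)
    return {'+': lambda: a + b, '<=': lambda: a <= b, '<': lambda: a < b,
            '=': lambda: a == b, 'and': lambda: a and b, 'iff': lambda: a == b,
            'implies': lambda: (not a) or b, 'select': lambda: a[b]}[op]()

# Loop invariant and path of Motivation IV.
INV = ('and', ('and', ('<=', 'l', 'i'), ('<=', 'i', 'u')),
       ('iff', 'rv', ('exists', 'j', ('and', ('and', ('<=', 'l', 'j'), ('<', 'j', 'i')),
                                      ('=', ('select', 'a', 'j'), 'e')))))
PATH = [('assume', INV), ('assume', ('<=', 'i', 'u')),
        ('assume', ('=', ('select', 'a', 'i'), 'e')),
        ('assign', 'rv', True), ('assign', 'i', ('+', 'i', 1))]
VC = wp(PATH, INV)        # INV and i<=u and a[i]=e -> INV[T/rv][i+1/i]

# Counterexample from Motivation V: the VC evaluates to false under it.
CEX = {'l': 0, 'i': 1, 'u': 1, 'rv': False, 'a': [0, 1], 'e': 1}
```

Evaluating VC under CEX gives false because ℓ ≤ i + 1 ≤ u fails (2 ≤ 1), exactly the missing check the slides point at.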
Example
formula F: (P ∧ Q) → (⊤ ∨ ¬Q)
atoms: P, Q, ⊤
literals: P, Q, ⊤, ¬Q
subformulae: P, Q, ⊤, ¬Q, P ∧ Q, ⊤ ∨ ¬Q, F
abbreviation F: P ∧ Q → ⊤ ∨ ¬Q

PL Semantics (meaning of PL)
Formula F + Interpretation I = Truth value (true, false)
Interpretation I: {P ↦ true, Q ↦ false, ···}
Evaluation of F under I, where 0 corresponds to the value false and 1 to true:

  F | ¬F
  0 |  1
  1 |  0

  F1 F2 | F1 ∧ F2  F1 ∨ F2  F1 → F2  F1 ↔ F2
  0  0  |    0        0        1        1
  0  1  |    0        1        1        0
  1  0  |    0        1        0        0
  1  1  |    1        1        1        1

Inductive Definition of PL's Semantics
I ⊨ F if F evaluates to true under I
I ⊭ F if F evaluates to false under I

Base Case:
  I ⊨ ⊤
  I ⊭ ⊥
  I ⊨ P iff I[P] = true; i.e., P is true under I
  I ⊭ P iff I[P] = false

Inductive Case:
  I ⊨ ¬F iff I ⊭ F
  I ⊨ F1 ∧ F2 iff I ⊨ F1 and I ⊨ F2
  I ⊨ F1 ∨ F2 iff I ⊨ F1 or I ⊨ F2 (or both)
  I ⊨ F1 → F2 iff I ⊨ F1 implies I ⊨ F2
  I ⊨ F1 ↔ F2 iff, I ⊨ F1 and I ⊨ F2, or I ⊭ F1 and I ⊭ F2

Note:
  I ⊨ F1 → F2 iff I ⊭ F1 or I ⊨ F2.
  I ⊭ F1 → F2 iff I ⊨ F1 and I ⊭ F2.
  I ⊭ F1 ∨ F2 iff I ⊭ F1 and I ⊭ F2.

Example:
F: P ∧ Q → P ∨ ¬Q
I: {P ↦ true, Q ↦ false}, i.e., I[P] = true, I[Q] = false

  P  Q  ¬Q  P ∧ Q  P ∨ ¬Q  F
  1  0   1    0      1     1        (1 = true, 0 = false)

F evaluates to true under I; i.e., I[F] = true.
Example of Inductive Reasoning:
F: P ∧ Q → P ∨ ¬Q
I: {P ↦ true, Q ↦ false}
  1. I ⊨ P          since I[P] = true
  2. I ⊭ Q          since I[Q] = false
  3. I ⊨ ¬Q         by 2 and ¬
  4. I ⊭ P ∧ Q      by 2 and ∧
  5. I ⊨ P ∨ ¬Q     by 1 and ∨
  6. I ⊨ F          by 4 and →
Thus, F is true under I.
Note: steps 1, 3, and 5 are nonessential. Why?

Satisfiability and Validity
F satisfiable iff there exists an interpretation I such that I ⊨ F.
F valid iff for all interpretations I, I ⊨ F.
F is valid iff ¬F is unsatisfiable.
Goal: devise an algorithm to decide validity or unsatisfiability of formula F.

Method 1: Truth Tables
Example F: P ∧ Q → P ∨ ¬Q
  P  Q | P ∧ Q  ¬Q  P ∨ ¬Q  F
  0  0 |   0     1     1    1
  0  1 |   0     0     0    1
  1  0 |   0     1     1    1
  1  1 |   1     0     1    1
Thus F is valid.

Example F: P ∨ Q → P ∧ Q
  P  Q | P ∨ Q  P ∧ Q  F
  0  0 |   0      0    1   ← satisfying I
  0  1 |   1      0    0   ← falsifying I
  1  0 |   1      0    0
  1  1 |   1      1    1
Thus F is satisfiable, but invalid.

Method 2: Semantic Argument
◮ Assume F is not valid and I a falsifying interpretation: I ⊭ F
◮ Apply proof rules.
◮ If no contradiction is reached and no more rules are applicable, F is invalid.
◮ If in every branch of the proof a contradiction is reached, F is valid.
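The inductive definition of I ⊨ F and Method 1 (truth tables) together, as an added example that is not code from the slides. The nested-tuple formula syntax and the function names atoms, models and truth_table_decide are this example's own conventions.

```python
from itertools import product
# Formula syntax (constructed for this example): True/False are the truth
# symbols, a str is a propositional variable, and tuples encode connectives:
# ('not', F), ('and', F, G), ('or', F, G), ('implies', F, G), ('iff', F, G).

def atoms(f):
    """Set of propositional variables occurring in f."""
    if isinstance(f, bool): return set()
    if isinstance(f, str): return {f}
    return set().union(*(atoms(sub) for sub in f[1:]))

def models(I, f):
    """I |= f, following the base and inductive cases of the slides."""
    if isinstance(f, bool):              # I |= T and I |/= ⊥
        return f
    if isinstance(f, str):               # I |= P iff I[P] = true
        return I[f]
    op, args = f[0], f[1:]
    if op == 'not':                      # I |= ¬F iff I |/= F
        return not models(I, args[0])
    a, b = models(I, args[0]), models(I, args[1])
    if op == 'and':
        return a and b
    if op == 'or':
        return a or b
    if op == 'implies':                  # I |= F -> G iff I |/= F or I |= G
        return (not a) or b
    if op == 'iff':
        return a == b
    raise ValueError(f"unknown connective {op!r}")

def truth_table_decide(f):
    """Method 1: evaluate f under every interpretation of its atoms. Returns
    ('valid', None), ('unsatisfiable', None) or ('satisfiable', falsifying I)."""
    names = sorted(atoms(f))
    satisfying = falsifying = None
    for values in product((False, True), repeat=len(names)):
        I = dict(zip(names, values))
        if models(I, f):
            satisfying = I if satisfying is None else satisfying
        else:
            falsifying = I if falsifying is None else falsifying
    if falsifying is None:
        return 'valid', None
    if satisfying is None:
        return 'unsatisfiable', None
    return 'satisfiable', falsifying

# Constructed inputs: the two formulas from the Method 1 slide.
F1 = ('implies', ('and', 'P', 'Q'), ('or', 'P', ('not', 'Q')))   # valid
F2 = ('implies', ('or', 'P', 'Q'), ('and', 'P', 'Q'))             # satisfiable, invalid
```

Enumeration visits interpretations in the same row order as the slide's tables, so the falsifying interpretation returned for F2 is the row marked on the slide, P = 0, Q = 1.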
Proof Rules for Semantic Arguments I
  I ⊨ ¬F      ⟹  I ⊭ F
  I ⊭ ¬F      ⟹  I ⊨ F
  I ⊨ F ∧ G   ⟹  I ⊨ F and I ⊨ G
  I ⊭ F ∧ G   ⟹  I ⊭ F | I ⊭ G          (| is "or": the proof branches)
  I ⊨ F ∨ G   ⟹  I ⊨ F | I ⊨ G
  I ⊭ F ∨ G   ⟹  I ⊭ F and I ⊭ G

Proof Rules for Semantic Arguments II
  I ⊨ F → G   ⟹  I ⊭ F | I ⊨ G
  I ⊭ F → G   ⟹  I ⊨ F and I ⊭ G
  I ⊨ F ↔ G   ⟹  I ⊨ F ∧ G | I ⊭ F ∨ G
  I ⊭ F ↔ G   ⟹  I ⊨ F ∧ ¬G | I ⊨ ¬F ∧ G
  I ⊨ F and I ⊭ F   ⟹  I ⊨ ⊥

Example: Prove F: P ∧ Q → P ∨ ¬Q is valid.
Let's assume that F is not valid and that I is a falsifying interpretation.
  1. I ⊭ P ∧ Q → P ∨ ¬Q     assumption
  2. I ⊨ P ∧ Q              1 and →
  3. I ⊭ P ∨ ¬Q             1 and →
  4. I ⊨ P                  2 and ∧
  5. I ⊭ P                  3 and ∨
  6. I ⊨ ⊥                  4 and 5 are contradictory
Thus F is valid.

Example: Prove F: (P → Q) ∧ (Q → R) → (P → R) is valid.
Let's assume that F is not valid.
  1. I ⊭ F                        assumption
  2. I ⊨ (P → Q) ∧ (Q → R)        1 and →
  3. I ⊭ P → R                    1 and →
  4. I ⊨ P                        3 and →
  5. I ⊭ R                        3 and →
  6. I ⊨ P → Q                    2 and ∧
  7. I ⊨ Q → R                    2 and ∧
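Method 2 mechanised: the proof rules above as a branching search that either closes every branch (F valid) or returns the open branch as a falsifying interpretation. This is an added example, not code from the slides; the tuple formula syntax and the names expand, close and semantic_argument are assumptions of the example.

```python
# Formula syntax (constructed): True/False, 'P' for a variable, ('not', F),
# ('and', F, G), ('or', F, G), ('implies', F, G), ('iff', F, G).
# A fact (holds, F) stands for I |= F when holds is True and I |/= F otherwise.

def expand(holds, f):
    """Proof rule for one non-atomic fact: one branch lists facts that all hold
    ("and"); several branches are alternatives, the | of the slides ("or")."""
    op, args = f[0], f[1:]
    if op == 'not':                         # I |= ¬F  =>  I |/= F, and dually
        return [[(not holds, args[0])]]
    F, G = args
    if op == 'and':
        return [[(True, F), (True, G)]] if holds else [[(False, F)], [(False, G)]]
    if op == 'or':
        return [[(True, F)], [(True, G)]] if holds else [[(False, F), (False, G)]]
    if op == 'implies':
        return [[(False, F)], [(True, G)]] if holds else [[(True, F), (False, G)]]
    if op == 'iff':                         # I |= F<->G => I |= F∧G | I |/= F∨G
        return ([[(True, F), (True, G)], [(False, F), (False, G)]] if holds
                else [[(True, F), (False, G)], [(False, F), (True, G)]])
    raise ValueError(f"unknown connective {op!r}")

def close(pending, literals):
    """Work through one branch; literals records what it forces on each variable.
    Returns None once I |= ⊥ is derived, else the interpretation left open."""
    while pending:
        holds, f = pending.pop()
        if isinstance(f, bool):             # I |/= T or I |= ⊥ closes the branch
            if f != holds:
                return None
        elif isinstance(f, str):            # I |= P together with I |/= P
            if literals.get(f, holds) != holds:
                return None
            literals[f] = holds
        else:
            for branch in expand(holds, f):
                found = close(pending + branch, dict(literals))
                if found is not None:
                    return found            # an open branch: F is not valid
            return None                     # every branch reached a contradiction
    return literals

def semantic_argument(f):
    """Method 2: assume I |/= F and apply the rules. Returns (True, None) when
    every branch closes (F valid), else (False, a falsifying interpretation)."""
    I = close([(False, f)], {})
    return (True, None) if I is None else (False, I)

# Constructed inputs: the two formulas proved valid on the slides and the
# invalid one from the truth-table slide.
F1 = ('implies', ('and', 'P', 'Q'), ('or', 'P', ('not', 'Q')))
F2 = ('implies', ('and', ('implies', 'P', 'Q'), ('implies', 'Q', 'R')),
      ('implies', 'P', 'R'))
F3 = ('implies', ('or', 'P', 'Q'), ('and', 'P', 'Q'))
```

For F3 the first open branch is P ↦ false, Q ↦ true, the same falsifying interpretation the truth table marks; for F1 and F2 every branch derives I ⊨ ⊥.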