
Today's programme: Programming language PLN - syntax; Limitations of Program Verification - PowerPoint PPT Presentation (dBerLog 2007)



1. Today's programme (dBerLog 2007, slide 1)

• To prove fundamental limitations of formalization
  – Program correctness
  – Gödel's incompleteness theorem
• To analyze and discuss the consequences

2. Programming language PLN - syntax

• Constants: natural numbers: 0, 1, 2, ...; boolean constants: true, false
• Con ::= 0, 1, 2, ...
• Var ::= x, y, z, ...
• E ::= Con | Var | E + E | E ∗ E | ( E )
• B ::= true | false | ¬ B | B ∧ B | B ∨ B | E = E | ( B )
• C ::= x := E | C ; C | if B then C else C | while B do C

3. PLN specifications - syntax

• A correctness specification of a program C is a Hoare triple of the form
    { φ } C { ψ }
  where φ (precondition) and ψ (postcondition) are first order predicate logic formulae over variables (including PLN program variables) and constants/functions/predicates interpreted in the model of natural numbers.

4. Hoare triples - for Fac

  Fac:  y := 1; z := 0;
        while ¬ (z = x) do
          z := z + 1;
          y := y ∗ z

• |= par {x > 5} Fac {z = x}
• |= par { ⊤ } Fac {y = x!}

5. Hoare triples - semantics

• { φ } C { ψ } is said to be satisfied under partial correctness,
    |= par { φ } C { ψ },
  iff for all states s, if N |= s φ, and Sem[C](s) is defined and equal to s', then N |= s' ψ
• { φ } C { ψ } is said to be satisfied under total correctness,
    |= tot { φ } C { ψ },
  iff for all states s, if N |= s φ, then Sem[C](s) is defined, and if Sem[C](s) = s' then N |= s' ψ

6. Incompleteness theorem for Hoare triples

• Theorem
  There does not exist any sound and complete proof system for PLN partial correctness specifications in the form of Hoare triples!

7. Proof system - definition

• Given a logical language with formulae Φ.
• A proof system for Φ consists of an alphabet Σ (for writing proofs) and a set of rules, such that for all π in Σ* and formula Φ, it is decidable whether π is a proof of Φ

8. Proof system - property

• Theorem
  For any proof system, the set of provable formulae is recursively enumerable

9. Incompleteness theorem for Hoare triples

• Theorem
  There does not exist any sound and complete proof system for PLN partial correctness specifications in the form of Hoare triples!
• Proof
  SHOW: the set of triples |= par { φ } C { ψ } is NOT recursively enumerable!

10. Post's correspondence problem - example

• List A:          List B:
  α1 = b           β1 = bbb
  α2 = babbb       β2 = ba
  α3 = ba          β3 = a
• Solution? YES: 2 1 1 3
  α2 α1 α1 α3 = babbb b b ba = babbbbbba
  β2 β1 β1 β3 = ba bbb bbb a = babbbbbba

11. Post's Correspondence Problem PCP

• PCP instance over alphabet Σ:
  A = {w_1, w_2, .., w_k}   B = {x_1, x_2, .., x_k}   where w_i and x_i are strings over Σ
• A,B solution: i_0 i_1 … i_{l-1} ∈ {1, 2, .., k}+ such that
    w_{i_0} w_{i_1} .. w_{i_{l-1}} = x_{i_0} x_{i_1} .. x_{i_{l-1}}

12. Post's Correspondence Problem PCP

• Theorem
  The complement of PCP (i.e. the set of PCP instances with no solutions) is not recursively enumerable

13. Reduction PCP A,B -> C_{A,B} (over strings!)

Given: PCP: A = {w_1, w_2, .., w_k}   B = {x_1, x_2, .., x_k}

C_{A,B}:  let in = i_0 i_1 .. i_{le-1} ∈ {1, 2, .., k}*
  w := Λ; x := Λ; j := le;
  while j > 0 do
    {in = i_0 .. i_{le-1} ∧ w = w_{i_j} .. w_{i_{le-1}} ∧ x = x_{i_j} .. x_{i_{le-1}}}
    j := j-1;
    w := w_{i_j} • w;
    x := x_{i_j} • x;
  if w = x then skip else loop

14. Incompleteness theorem for Hoare triples

• Lemma
  The set of triples |= par { φ } C { ψ } is NOT recursively enumerable!
• Proof: Reduction from the complement of PCP
  Given: An instance of PCP, A,B
  Construct: { φ_{A,B} } C_{A,B} { ψ_{A,B} } such that
    A,B has NO solution iff |= par { φ_{A,B} } C_{A,B} { ψ_{A,B} }

15. Representation of strings as numbers

• Given a base number b > 1
• For all v = i_0 i_1 ... i_{n-1} ∈ {0, 1, ..., b-1}* of length n, the b-ary representation of v, num_b(v), is defined as
    num_b(v) = num_b(i_0 i_1 ... i_{n-1}) = i_0 ∗ b^0 + i_1 ∗ b^1 + ... + i_{n-1} ∗ b^{n-1}
             = i_0 + b ∗ num_b(i_1 ... i_{n-1})
• num_b : {0, 1, ..., b-1}* → N

16. Representation of strings as numbers

  num_2(1001) = 1 ∗ 2^0 + 0 ∗ 2^1 + 0 ∗ 2^2 + 1 ∗ 2^3 = nine
  num_3(102)  = 1 ∗ 3^0 + 0 ∗ 3^1 + 2 ∗ 3^2 = nineteen

17. Representation of strings as numbers

• Given a base number b > 1
• For any n ∈ N, let
    rep_b(n) = Λ                             if n = 0
    rep_b(n) = rem(n,b) • rep_b(div(n,b))    if n > 0
  where n = rem(n,b) + b ∗ div(n,b) and 0 ≤ rem(n,b) < b
• rep_b : N → {Λ} ∪ {0, 1, ..., b-1}*{1, ..., b-1}
• rep_b : N → N_b (notation)

18. Representation of strings as numbers

  num_2(1001) = 1 ∗ 2^0 + 0 ∗ 2^1 + 0 ∗ 2^2 + 1 ∗ 2^3 = nine
  num_3(102)  = 1 ∗ 3^0 + 0 ∗ 3^1 + 2 ∗ 3^2 = nineteen
  rep_2(six)    = 0 • rep_2(three) = 0 • (1 • rep_2(one)) = 0 • (1 • 1) = 011
  rep_3(eleven) = 2 • rep_3(three) = 2 • (0 • rep_3(one)) = 2 • (0 • 1) = 201

19. Representation of strings as numbers

• Propositions
  For all b > 1:
    For all n ∈ N, num_b(rep_b(n)) = n
    For all w ∈ N_b, rep_b(num_b(w)) = w
  i.e. num_b and rep_b are bijections between N and N_b!

20. Representation of strings as numbers

• Propositions
  For all n, i ∈ N with 0 ≤ i < |rep_b(n)|, the (unique) i'th digit in rep_b(n) is: rem(div(n, b^i), b)
  For all v, w ∈ N_b, num_b(vw) = num_b(v) + num_b(w) ∗ b^{|v|}
• Question
  Can the operations above be computed in PLN?

21. PLN macros

• "x := monus(m, n)" where monus(m, n) = m - n if m > n, and 0 otherwise,
  can be computed in PLN by:
    x := 0; y := 0;
    while ¬ (y = m ∨ y = n) do y := y+1;
    while ¬ (y = m) do
      y := y+1; x := x+1

22. PLN macros

• "m ≤ n" can be computed in PLN by:  monus(m, n) = 0
• "m > n" can be computed in PLN by:  ¬ (monus(m, n) = 0)

23. PLN macros

• "d := div(m, n)" (integer division of m by n, where n ≠ 0)
• "r := rem(m, n)" (remainder of int.div. of m by n, n ≠ 0)
• (m = d ∗ n + r, where 0 ≤ r < n)
  can be computed in PLN by:
    d := 0; while ((d + 1) ∗ n ≤ m) do d := d + 1;
    r := monus(m, d ∗ n)

24. PLN macros

• "x := m ↑ n" ("m to the power n") can be computed in PLN by:
    x := 1; y := 0;
    while ¬ (y = n) do
      x := x ∗ m; y := y+1

25. Reduction PCP A,B -> C_{A,B} (over strings!)

Given: PCP: A = {w_1, w_2, .., w_k}   B = {x_1, x_2, .., x_k}

C_{A,B}:  let in = i_0 i_1 .. i_{le-1} ∈ {1, 2, .., k}*
  w := Λ; x := Λ; j := le;
  while j > 0 do
    {in = i_0 .. i_{le-1} ∧ w = w_{i_j} .. w_{i_{le-1}} ∧ x = x_{i_j} .. x_{i_{le-1}}}
    j := j-1;
    w := w_{i_j} • w;
    x := x_{i_j} • x;
  if w = x then skip else loop

26. Incompleteness theorem for Hoare triples

Given: PCP over Σ: A = {w_1, w_2, .., w_k}   B = {x_1, x_2, .., x_k}   where Σ = {1, 2, .., |Σ|}
Construct: φ_{A,B} = ⊤, ψ_{A,B} = ⊥ and C_{A,B} such that
  PCP has NO solution iff |= par { ⊤ } C_{A,B} { ⊥ }
  (i.e. iff C_{A,B} diverges for all initial states)

27. Reduction PCP A,B -> C_{A,B} - intuition

• Given a number in (input)
  – Convert in to a string of small numbers rep_b(in) over Σ = {1, 2, .., |Σ|} !!!!
  – View this string as a potential solution to PCP A,B
  – Construct (the num_b-versions of) the corresponding concatenation of A- and B-strings
  – Check for equality of these numbers
  – If equal: terminate, if not: loop!
• Claim: this algorithm terminates for some input iff A,B has a solution!

28. Reduction PCP A,B -> C_{A,B}

• Given PCP A = {w_1, w_2, .., w_k}   B = {x_1, x_2, .., x_k} over Σ = {1, 2, .., |Σ|}
• Compute base number b = max{k, |Σ|} + 1
  and constants num_b(w_i) and num_b(x_i), |w_i| and |x_i|

29. Reduction PCP A,B -> C_{A,B}

Given: PCP: A = {w_1, w_2, .., w_k}   B = {x_1, x_2, .., x_k}

C_{A,B}:
  if in = 0 then loop;
  j := 1; while div(in, b ↑ j) > 0 do j := j+1;
  w := 0; x := 0;
  while j > 0 do
    {rep_b(in) = i_0 .. i_{le-1} ∧ w = num_b(w_{i_j} .. w_{i_{le-1}}) ∧ x = num_b(x_{i_j} .. x_{i_{le-1}})}
    j := j-1;
    i := rem(div(in, b ↑ j), b);
    if i = 1 then w := num_b(w_1) + w ∗ (b ↑ |w_1|); x := num_b(x_1) + x ∗ (b ↑ |x_1|)
    else ........
    if i = k then w := num_b(w_k) + w ∗ (b ↑ |w_k|); x := num_b(x_k) + x ∗ (b ↑ |x_k|)
    else loop
  if w = x then skip else loop

30. PLN shorthand notation

• "skip" shorthand for "y := y"
• "loop" shorthand for "while true do skip"

31. Reduction PCP A,B -> C_{A,B}

Example: PCP: A = {12, 2}   B = {1, 22}
C_{A,B}: ??

32. Reduction PCP A,B -> C_{A,B}

Example: PCP: A = {12, 2}   B = {1, 22}   (k = 2, |Σ| = 2, so b = 3; num_3(12) = 7, num_3(2) = 2, num_3(1) = 1, num_3(22) = 8)
C_{A,B}:
  if in = 0 then loop;
  j := 1; while div(in, b ↑ j) > 0 do j := j+1;
  w := 0; x := 0;
  while j > 0 do
    j := j-1;
    i := rem(div(in, 3 ↑ j), 3);
    if i = 1 then w := 7 + w ∗ (3 ↑ 2); x := 1 + x ∗ (3 ↑ 1)
    else if i = 2 then w := 2 + w ∗ (3 ↑ 1); x := 8 + x ∗ (3 ↑ 2)
    else loop
  if w = x then skip else loop
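An added example, not code from the slides: Python versions of num_b and rep_b (slides 15 to 20) and a simulation of the PLN program C_{A,B} of slide 29, run on the slide 31 instance A = {12, 2}, B = {1, 22}. The PLN macros div, rem and ↑ are taken as Python's //, % and **, and "loop" (divergence) is modelled by returning None; the function names and the tuple-of-digits string encoding are this example's own choices.

```python
# Added example (not the slides' own code): num_b, rep_b and a simulation of C_{A,B}
# (slide 29). PLN div, rem, ↑ become //, %, **; "loop" is modelled by returning None.

def num_b(b, digits):
    """num_b(i_0 i_1 ... i_{n-1}) = i_0*b^0 + i_1*b^1 + ... (least significant digit first)."""
    return sum(d * b ** k for k, d in enumerate(digits))

def rep_b(b, n):
    """rep_b(n) = Λ if n = 0, else rem(n,b) • rep_b(div(n,b)); Λ is the empty tuple."""
    digits = []
    while n > 0:
        digits.append(n % b)                   # rem(n, b)
        n //= b                                # div(n, b)
    return tuple(digits)

def c_ab(inp, A, B, sigma_size):
    """Run C_{A,B} on input inp (A, B: lists of digit tuples over {1..sigma_size}). Returns w = x on termination, None if it loops."""
    k = len(A)
    b = max(k, sigma_size) + 1                 # base number, slide 28
    if inp == 0:                               # rep_b(0) = Λ is not a candidate solution
        return None
    j = 1
    while inp // b ** j > 0:                   # j ends as le = |rep_b(inp)|
        j += 1
    w = x = 0
    while j > 0:
        j -= 1
        i = (inp // b ** j) % b                # i := rem(div(in, b^j), b), the j'th digit
        if not 1 <= i <= k:                    # digit 0 (or > k) is not an index: loop
            return None
        # prepend w_i / x_i using num_b(v u) = num_b(v) + num_b(u) * b^|v| (slide 20)
        w = num_b(b, A[i - 1]) + w * b ** len(A[i - 1])
        x = num_b(b, B[i - 1]) + x * b ** len(B[i - 1])
    return w if w == x else None               # if w = x then skip else loop

def pcp_concat(inp, A, B, sigma_size):
    """Reference check over strings (slide 13): the two concatenations chosen by rep_b(inp)."""
    idx = rep_b(max(len(A), sigma_size) + 1, inp)
    if not idx or any(not 1 <= i <= len(A) for i in idx):
        return None
    return (sum((A[i - 1] for i in idx), ()), sum((B[i - 1] for i in idx), ()))

# Constructed instance from slide 31: A = {12, 2}, B = {1, 22} over Σ = {1, 2}, so b = 3.
A = [(1, 2), (2,)]
B = [(1,), (2, 2)]
if __name__ == "__main__":
    for inp in range(1, 30):                   # inputs on which C_{A,B} terminates
        if c_ab(inp, A, B, 2) is not None:
            print(inp, rep_b(3, inp), pcp_concat(inp, A, B, 2))
```

Input 7 has rep_3(7) = 1 2, the index sequence of the solution 12·2 = 1·22, and C_{A,B} terminates on it with w = x = num_3(122) = 25.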
