# Software Verification 1 Deductive Verification - PowerPoint PPT Presentation


### Software Verification 1: Deductive Verification

Prof. Dr. Holger Schlingloff

Institut für Informatik der Humboldt Universität

und

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Propositional Logic
• A formal specification method consists of three parts
• syntax, i.e., what are well-formed specifications
• semantics, i.e., what is the meaning of a specification
• calculus, i.e., what are transformations or deductions of a specification
• Propositional logic: probably the first and most widely used specification method
• dates back to Aristotle, Chrysippus, Boole, Frege, …
• base of most modern logics
• fundamental for computer science
Syntax of Propositional Logic
• Let Ρ be a finite set {p1,…,pn} of propositions

and assume that ⊥, → and (, ) are not in Ρ

• Syntax PL ::= Ρ | ⊥ | (PL → PL)
• every p ∈ Ρ is a wff
• ⊥ is a wff („falsum“)
• if φ and ψ are wffs, then (φ → ψ) is a wff
• nothing else is a wff
Remarks
• Ρ may be empty
• still a meaningful logic!
• Minimalistic approach
• infix-operator → necessitates parentheses
• other connectives can be defined as usual

¬φ ≙ (φ → ⊥) (linear blowup!)

⊤ ≙ ¬⊥

(φ ∨ ψ) ≙ (¬φ → ψ)

(φ ∧ ψ) ≙ ¬(¬φ ∨ ¬ψ) ≙ ¬(φ → ¬ψ)

(φ ↔ ψ) ≙ ((φ → ψ) ∧ (ψ → φ)) (exponential blowup!)

• operator precedence as usual
• literal = a proposition or a negated proposition
Exercise
• Abbreviations

¬φ ≙ (φ → ⊥) also ~φ

⊤ ≙ ¬⊥

(φ ∨ ψ) ≙ (¬φ → ψ) also (φ + ψ), (φ | ψ), (φ v ψ)

(φ ∧ ψ) ≙ ¬(¬φ ∨ ¬ψ) ≙ ¬(φ → ¬ψ) also (φ * ψ), (φ & ψ), (φ ^ ψ)

(φ ↔ ψ) ≙ ((φ → ψ) ∧ (ψ → φ)) also (φ <-> ψ), (φ <=> ψ)

• Write ((pq)  ¬p) unabbreviated
Choice of the Signature
• The set Ρ={p1,…,pn} of propositions is also called the signature of the logic
• The choice of Ρ often is the decisive abstraction step for modelling a system
• it determines which aspects are “accessible” to the specification
• Wittgenstein: “die Welt ist alles was der Fall ist”; the world consists of all true propositions
• e.g., sun-is-shining, pot-on-stove, line-busy, button_pressed, window5infocus, motor-on, …
• names should be chosen with consideration
Semantics of Propositional Logic
• Propositional Model
• Truth value universe U: {true, false}
• Interpretation I: assignment Ρ ↦ U
• Model M: (U,I)
• Validation relation ⊨ between model M and formula φ
• M ⊨ p if I(p)=true
• M ⊭ ⊥
• M ⊨ (φ → ψ) if M ⊨ φ implies M ⊨ ψ
• M validates or satisfies φ iff M ⊨ φ
• φ is valid (⊨φ) iff every model M validates φ
• φ is satisfiable (SAT(φ)) iff some model M satisfies φ
Propositional Calculus
• Various calculi have been proposed
• boolean satisfiability (SAT) algorithms
• tableau systems, natural deduction,
• enumeration of valid formulæ
• Hilbert-style axiom system

⊢ (()) (weakening)

⊢ ((()) (()())) (distribution)

⊢ (¬¬) (excluded middle)

, () ⊢  (modus ponens)

• Derivability
• All substitution instances of axioms are derivable
• If all antecedents of a rule are derivable, so is the consequent
An Example Derivation

Show ⊢ (p → p)

• ⊢ ((p → ((p → p) → p)) → ((p → (p → p)) → (p → p))) (dis)
• ⊢ (p → ((p → p) → p)) (wea)
• ⊢ ((p → (p → p)) → (p → p)) (1,2,mp)
• ⊢ (p → (p → p)) (wea)
• ⊢ (p → p) (3,4,mp)
Correctness and Completeness
• Correctness: ⊢φ ⇒ ⊨φ

Only valid formulæ can be derived

• Induction on the length of the derivation
• Show that all axiom instances are valid, and that the consequent of (mp) is valid if both antecedents are
• Completeness: ⊨φ ⇒ ⊢φ

All valid formulæ can be derived

• Show that consistent formulæ are satisfiable: ~⊢¬φ ⇒ ~⊨¬φ
Consistency and Satisfiability
• A finite set Φ of formulæ is consistent, if ~⊢¬⋀Φ
• Extension lemma: If Φ is a finite consistent set of formulæ and φ is any formula, then Φ ∪ {φ} or Φ ∪ {¬φ} is consistent
• Assume ⊢¬(⋀Φ ∧ φ) and ⊢¬(⋀Φ ∧ ¬φ). Then ⊢(⋀Φ → ¬φ) and ⊢(⋀Φ → ¬¬φ). Therefore ⊢¬⋀Φ, a contradiction.
• Let SF(φ) be the set of all subformulæ of φ
• For any consistent φ, let φ# be a maximal consistent extension of φ (i.e., φ ∈ φ# and for every ψ ∈ SF(φ), either ψ ∈ φ# or ¬ψ ∈ φ#). (Existence guaranteed by extension lemma)
Canonical models
• For a maximal consistent set φ#, the canonical model CM(φ#) is defined by I(p)=true iff p ∈ φ#.
• Truth lemma: For any ψ ∈ SF(φ), I(ψ)=true iff ψ ∈ φ#
• Case ψ=p: by construction
• Case ψ=⊥: Φ ∪ {⊥} cannot be consistent
• Case ψ=(ψ1 → ψ2): by induction hypothesis and derivation
• Therefore, if φ is consistent, then for any maximal consistent set φ#, CM(φ#) ⊨ φ
• any consistent formula is satisfiable
• any unsatisfiable formula is inconsistent
• any valid formula is derivable
Example: Combinational Circuits

Pictures taken from: http://www.scs.ryerson.ca/~aabhari/cps213Chapter4.ppt

• Multiplexer
• S selects whether I0 or I1 is output to Y
• Y = if S then I1 else I0 end
• (Y ↔ ((S ∧ I1) ∨ (¬S ∧ I0)))
Boolean Specifications
• Evaluator (output is 1 if input matches a certain binary value)
• Encoder (output i is set if binary number i is on input lines)
• Majority function (output is 1 if half or more of the inputs are 1)
• Comparator (output is 1 if input0 > input1)
Software Example
• Code generator optimization
• if (p and q) then (if (r) then x else y) else (if (q or r) then y else (if (p and not r) then x else y))
• Loop optimization
Puzzle Example: Ivor Spence’s Sudoku

http://www.cs.qub.ac.uk/~i.spence/SuDoku/SuDoku.html

How Does He Do It?
• Propositional modelling
• 9 propositions per cell: proposition “ijk” indicates that row i, column j contains value k
• individual cell clauses
• each cell contains exactly one value
• (ij1 v ij2 v … v ij9) ^ ~(ij1 ^ ij2) ^ … ^ ~(ij8 ^ ij9)
• row and column clauses
• each row i contains each number, exactly once
• (i11 v … v i91) ^ (i12 v … v i92) ^ … (i19 v … v i99)
• j1 j2, k=1..9: ~(ij1k ^ ij2k)
• same for columns
• block clauses – similar
• pre-filled cells – easy
• SAT solving
• 729 propositions, ca. 3200 clauses ⇒ few seconds
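To make the clause counts concrete, here is an added example (written for this page, not Ivor Spence's solver) that generates the encoding the slide describes. Proposition "ijk" is represented by the integer 100·i + 10·j + k and a clause by a list of signed integers, as a DIMACS-style SAT solver would expect. With only the "at least one value per unit" clauses for rows, columns and blocks (the pairwise "at most once" clauses are implied by the per-cell clauses), the encoding has 81 + 81·36 + 27·9 = 3240 clauses over 729 propositions, matching the "ca. 3200" on the slide; the `extended` flag adds the explicit ~(ij1k ^ ij2k) clauses. The complete grid used to exercise the checker is constructed here by a row-shift pattern.

```python
# Added example (not from the slides or from Ivor Spence's solver): generating
# the clause set the slides describe. Proposition "ijk" is encoded as the
# integer 100*i + 10*j + k; a clause is a list of signed integers (DIMACS style).
from itertools import combinations

DIGITS = range(1, 10)

def var(i, j, k):
    """Proposition ijk: row i, column j contains value k."""
    return 100 * i + 10 * j + k

def groups():
    """The 27 units (rows, columns, 3x3 blocks) as lists of (i, j) cells."""
    units = [[(i, j) for j in DIGITS] for i in DIGITS]            # rows
    units += [[(i, j) for i in DIGITS] for j in DIGITS]           # columns
    for bi in range(3):
        for bj in range(3):
            units.append([(3 * bi + di, 3 * bj + dj)
                          for di in range(1, 4) for dj in range(1, 4)])
    return units

def encode(givens=(), extended=False):
    """CNF for Sudoku. extended=True also adds the pairwise 'at most once'
    clauses ~(ij1k ^ ij2k) per unit; they are implied by the cell clauses,
    so the minimal encoding omits them."""
    clauses = []
    for i in DIGITS:
        for j in DIGITS:
            clauses.append([var(i, j, k) for k in DIGITS])           # at least one value
            for k1, k2 in combinations(DIGITS, 2):
                clauses.append([-var(i, j, k1), -var(i, j, k2)])     # at most one value
    for cells in groups():
        for k in DIGITS:
            clauses.append([var(i, j, k) for (i, j) in cells])       # value k occurs in the unit
            if extended:
                for (i1, j1), (i2, j2) in combinations(cells, 2):
                    clauses.append([-var(i1, j1, k), -var(i2, j2, k)])
    for (i, j, k) in givens:
        clauses.append([var(i, j, k)])                               # pre-filled cell: unit clause
    return clauses

def satisfies(clauses, true_vars):
    """Does the interpretation 'exactly these propositions are true' satisfy every clause?"""
    true_vars = set(true_vars)
    return all(any((lit > 0) == (abs(lit) in true_vars) for lit in clause)
               for clause in clauses)

def shifted_grid():
    """A constructed complete solution: row i is the first row shifted by 3*i + i//3."""
    return {(i + 1, j + 1): (3 * i + i // 3 + j) % 9 + 1
            for i in range(9) for j in range(9)}

def grid_to_model(grid):
    """The propositions made true by a filled grid {(i, j): k}."""
    return [var(i, j, k) for (i, j), k in grid.items()]

if __name__ == "__main__":
    print(len(encode()), len(encode(extended=True)))                        # 3240 11988
    print(satisfies(encode(extended=True), grid_to_model(shifted_grid())))  # True
```

Feeding `encode(givens)` to any CNF solver yields the puzzle's solution as the set of true "ijk" propositions; `satisfies` is only the model-checking half of the semantics, useful for validating a solver's answer or a hand-made grid against the clauses.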
Verification of Boolean Functions
• Latch-Up: can a certain line go up?
• does (φ → ¬L0) hold?
• is (φ ∧ L0) satisfiable?
• Given φ, ψ; does (φ ↔ ψ) hold?
• usually reduced to SAT: is ((φ ∧ ¬ψ) ∨ (ψ ∧ ¬φ)) satisfiable?
• efficient SAT-solvers exist (annual competition)
• partitioning techniques
• any output depends only on some inputs
• find which ones
• generate test patterns (BIST: built-in self-test)
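The semantics slide (M ⊨ p, M ⊭ ⊥, M ⊨ (φ → ψ)), the multiplexer formula, the nested-if from the software example and the reduction of "does (φ ↔ ψ) hold?" to satisfiability of ((φ ∧ ¬ψ) ∨ (ψ ∧ ¬φ)) can all be exercised with one small evaluator. The code below is an added example for this page, not from the lecture: formulas use only the primitive → and ⊥, the other connectives are the abbreviations from the slides, and validity is decided by exhaustive enumeration of the 2^n interpretations (fine for these signatures, not a replacement for a SAT solver). The gate-level multiplexer variants and the simplified form of the nested-if condition are my own constructed candidates; the nested-if is read with the usual innermost-else association.

```python
# Added example (not from the slides): the {⊥, →} syntax with the derived
# connectives, truth-table semantics, and validity/equivalence checks reduced
# to satisfiability, applied to the multiplexer and the nested-if example.
from itertools import product

BOT = "⊥"                                   # falsum; every other string is a proposition

def imp(a, b):  return ("->", a, b)         # the only primitive connective
def neg(a):     return imp(a, BOT)          # ¬φ ≙ (φ → ⊥)
def or_(a, b):  return imp(neg(a), b)       # (φ ∨ ψ) ≙ (¬φ → ψ)
def and_(a, b): return neg(imp(a, neg(b)))  # (φ ∧ ψ) ≙ ¬(φ → ¬ψ)
def iff(a, b):  return and_(imp(a, b), imp(b, a))
def ite(c, a, b): return or_(and_(c, a), and_(neg(c), b))   # "if c then a else b"

def props(f, acc=None):
    """Collect the propositions occurring in f (the signature actually used)."""
    acc = set() if acc is None else acc
    if isinstance(f, str):
        if f != BOT:
            acc.add(f)
    else:
        props(f[1], acc)
        props(f[2], acc)
    return acc

def holds(m, f):
    """M ⊨ f for an interpretation m: dict proposition -> bool."""
    if f == BOT:
        return False                          # M ⊭ ⊥
    if isinstance(f, str):
        return m[f]                           # M ⊨ p iff I(p) = true
    _, a, b = f
    return (not holds(m, a)) or holds(m, b)   # M ⊨ (a → b) iff M ⊨ a implies M ⊨ b

def satisfiable(f):
    """Return a satisfying interpretation, or None (exhaustive 2^n enumeration)."""
    names = sorted(props(f))
    for values in product([False, True], repeat=len(names)):
        m = dict(zip(names, values))
        if holds(m, f):
            return m
    return None

def valid(f):
    return satisfiable(neg(f)) is None        # ⊨φ iff ¬φ is unsatisfiable

def equivalent(phi, psi):
    """Does (φ ↔ ψ) hold? Reduced to SAT of ((φ ∧ ¬ψ) ∨ (ψ ∧ ¬φ)).
    Returns (True, None) or (False, countermodel)."""
    m = satisfiable(or_(and_(phi, neg(psi)), and_(psi, neg(phi))))
    return m is None, m

# Multiplexer: spec "Y = if S then I1 else I0" against two constructed gate-level forms
S, I0, I1 = "S", "I0", "I1"
MUX_SPEC  = ite(S, I1, I0)
MUX_IMPL  = and_(or_(neg(S), I1), or_(S, I0))   # (¬S ∨ I1) ∧ (S ∨ I0)
MUX_WRONG = or_(and_(S, I1), I0)                 # drops the ¬S guard on I0

# Nested-if from the software example, read with the usual innermost-else
# association; the formula describes exactly when branch x is selected.
p, q, r = "p", "q", "r"
X_SELECTED = ite(and_(p, q), r,
                 ite(or_(q, r), BOT,
                     ite(and_(p, neg(r)), neg(BOT), BOT)))
X_SIMPLE = and_(p, iff(q, r))                    # constructed candidate for the optimized condition

if __name__ == "__main__":
    print("spec == impl:", equivalent(MUX_SPEC, MUX_IMPL)[0])        # True
    print("spec == wrong:", equivalent(MUX_SPEC, MUX_WRONG))         # (False, countermodel)
    print("nested-if == p ∧ (q ↔ r):", equivalent(X_SELECTED, X_SIMPLE)[0])   # True
```

The countermodel returned for a failed equivalence is precisely a test pattern that distinguishes the two circuits, which is the connection to test generation on the slide; the same enumeration also shows why the ↔ abbreviation matters in practice, since every `iff` doubles the size of the formula passed to `holds`.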
Optimizing Boolean Functions
• Given ; find  such that () holds and  is „optimal“
• much harder question
• optimal wrt. speed / size / power /…
• translation to normal form (e.g., OBDD)