i217: Functional Programming
11. Program Verification (1)
FUTATSUGI, Kokichi and OGATA, Kazuhiro

How to Check Correctness of Programs
• Correctness of programs means that programs conform to their specifications, or satisfy some desired properties.
• Some ways to check whether they satisfy properties:
  – Testing checks whether programs produce the desired outputs for some concrete inputs.
  – Model checking exhaustively traverses the reachable states of mathematical models of programs in a certain way to check whether the models satisfy some desired properties.
  – Theorem proving proves in a mathematical (and/or logical) sense that mathematical models of programs satisfy some desired properties.
• Program verification will be discussed based on theorem proving.

Natural Numbers a la Peano (1)
• Natural numbers are inductively defined as follows:
  – 0 is a natural number.
  – If n is a natural number, so is s(n).
• 0 is the natural number zero.
• s(n) is n+1.
• s is called the successor function.
• 0, s(0), s(s(0)), s(s(s(0))), … correspond to 0, 1, 2, 3, …

Natural Numbers a la Peano (2)
• Module PNAT:
    mod! PNAT {
      [Nat]
      op 0 : -> Nat
      op s : Nat -> Nat
      op _+_ : Nat Nat -> Nat {prec: 30}
      op _*_ : Nat Nat -> Nat {prec: 29}
      op _=_ : Nat Nat -> Bool {comm}
      …
    }
• The function _=_ checks if two natural numbers are equal.
• The built-in function (predicate) _==_ should not be used for verification. Instead, an equivalence function (predicate) such as _=_ should be defined.

Natural Numbers a la Peano (3)
• Function _+_:
    eq 0 + Y = Y .                -- (+1)
    eq s(X) + Y = s(X + Y) .      -- (+2)
• Function _*_:
    eq 0 * Y = 0 .                -- (*1)
    eq s(X) * Y = Y + (X * Y) .   -- (*2)
• Function _=_:
    eq (X = X) = true .
    eq (0 = s(Y)) = false .
    eq (s(X) = s(Y)) = (X = Y) .

Associativity of _+_
• ( 0 + s(0) ) + s(s(0)) equals 0 + ( s(0) + s(s(0)) ).
• ( s(0) + s(s(0)) ) + s(s(s(0))) equals s(0) + ( s(s(0)) + s(s(s(0))) ).
• ( s(s(0)) + s(s(s(0))) ) + s(s(s(s(0)))) equals s(s(0)) + ( s(s(s(0))) + s(s(s(s(0)))) ).
• Generally, (X + Y) + Z equals X + (Y + Z) for all natural numbers.

Proof by Induction on Natural Numbers
• For a function (predicate) p : Nat -> Bool, the following two formulas are equivalent:
  (1) p(N) for all N:Nat
  (2) p(0) and (p(N) implies p(s(N))) for all N:Nat
• Therefore, to prove (1), it suffices to show
  (i) p(0)
  (ii) p(s(n)) assuming p(n) for an arbitrary n:Nat
• (i) is called the base case, and (ii) the induction case.
• p(n) is called the induction hypothesis.

Proof of Associativity of _+_
Theorem: (X + Y) + Z = X + (Y + Z) for all X,Y,Z:Nat.
Proof: By induction on X. Let x,y,z be arbitrary natural numbers.
I. Base case
All we have to do is to show (0 + y) + z = 0 + (y + z).
  – LHS: y + z (by +1)
  – RHS: y + z (by +1)
II. Induction case
All we have to do is to show (s(x) + y) + z = s(x) + (y + z) assuming the induction hypothesis (x + Y) + Z = x + (Y + Z) for all Y,Z:Nat.
  – LHS: s(x + y) + z (by +2); s((x + y) + z) (by +2)
  – RHS: s(x + (y + z)) (by +2); s((x + y) + z) (by I.H.)
QED

Formal Proof (Verification) of Associativity of _+_ (1)
• Module THEOREM-PNAT:
    mod THEOREM-PNAT {
      pr(PNAT)
      -- Names of Theorems
      op th1 : Nat Nat Nat -> Bool
      -- CafeOBJ variables
      vars X Y Z : Nat
      -- Theorems
      eq th1(X,Y,Z) = ((X + Y) + Z = X + (Y + Z)) .
    }

Formal Proof (Verification) of Associativity of _+_ (2)
Theorem: (X + Y) + Z = X + (Y + Z) for all X,Y,Z:Nat.
Proof: By induction on X. Let x,y,z be arbitrary natural numbers.
I. Base case
    open THEOREM-PNAT
      ops y z : -> Nat .
      -- check
      red th1(0,y,z) .
    close
II. Induction case
    open THEOREM-PNAT
      ops x y z : -> Nat .
      -- check
      red th1(x,y,z) implies th1(s(x),y,z) .
    close
QED
Here th1(x,y,z) is an instance of the induction hypothesis th1(x,Y,Z) for all Y,Z:Nat, obtained by replacing Y and Z with y and z.

Proof Scores
• Proofs written in CafeOBJ are called proof scores.
• Proof scores consist of fragments enclosed with open and close.
• Fragments enclosed with open and close, which constitute proof scores, are called proof passages.
A proof score of th1(X,Y,Z) for all X,Y,Z:Nat consisting of two proof passages:
    open THEOREM-PNAT
      ops y z : -> Nat .
      -- check
      red th1(0,y,z) .
    close
    open THEOREM-PNAT
      ops x y z : -> Nat .
      -- check
      red th1(x,y,z) implies th1(s(x),y,z) .
    close

Attributes of _+_ and _*_
• It has been proved that _+_ is associative.
• It is also possible to prove that _+_ is commutative, and that _*_ is associative and commutative.
• Then the attributes assoc and comm are given to _+_ and _*_:
    op _+_ : Nat Nat -> Nat {assoc comm prec: 30}
    op _*_ : Nat Nat -> Nat {assoc comm prec: 29}

Sum
• Module SUM1:
    mod! SUM1 {
      pr(PNAT)
      op sum1 : Nat -> Nat
      var X : Nat
      -- sum1
      eq sum1(0) = 0 .                    -- (s1-1)
      eq sum1(s(X)) = s(X) + sum1(X) .    -- (s1-2)
    }

Proof of a Property of sum1 (1)
Theorem: s(s(0)) * sum1(X) = X * (X + s(0)) for all X:Nat.
Proof: By induction on X. Let x be an arbitrary natural number.
I. Base case
All we have to do is to show s(s(0)) * sum1(0) = 0 * (0 + s(0)).
  – LHS: s(s(0)) * 0 (by s1-1); 0 (by *1)
  – RHS: 0 * s(0) (by +1); 0 (by *1)

Proof of a Property of sum1 (2)
II. Induction case
All we have to do is to show s(s(0)) * sum1(s(x)) = s(x) * (s(x) + s(0)) assuming the induction hypothesis s(s(0)) * sum1(x) = x * (x + s(0)). The induction hypothesis can be rewritten as sum1(x) + sum1(x) = x + x * x.
  – LHS:
    s(s(0)) * (s(x) + sum1(x)) (by s1-2)
    s(s(0)) * s(x + sum1(x)) (by +2)
    s(x + sum1(x)) + s(x + sum1(x)) (by *2 & *1)
    s(s(x + x + sum1(x) + sum1(x))) (by +2)
    s(s(x + x + x + x * x)) (by I.H.)

Proof of a Property of sum1 (3)
  – RHS:
    s(x) * s(s(x)) (by +2 & +1)
    s(s(x)) + x * s(s(x)) (by *2)
    s(s(x)) + x + x + x * x (by *2)
    s(s(x + x + x + x * x)) (by +2)
QED

Formal Proof of the Property (1)
• Module THEOREM-SUM1:
    mod THEOREM-SUM1 {
      pr(SUM)
      -- arbitrary values
      op x : -> Nat .
      -- Names of Theorems
      op th1 : Nat -> Bool
      -- CafeOBJ variables
      var X : Nat
      -- Theorems
      eq th1(X) = (s(s(0)) * sum1(X) = X * (X + s(0))) .
    }

Formal Proof of the Property (2)
Theorem: s(s(0)) * sum1(X) = X * (X + s(0)) for all X:Nat.
Proof: By induction on X.
I. Base case
    open THEOREM-SUM1
      -- check
      red th1(0) .
    close
II. Induction case
    open THEOREM-SUM1
      -- check
      red th1(x) implies th1(s(x)) .
    close
For the induction case CafeOBJ does not return true. The case is therefore split into two sub-cases based on sum1(x) + sum1(x) = x + (x * x), which is equivalent to the induction hypothesis th1(x).

Formal Proof of the Property (3)
The two proof passages corresponding to the two sub-cases are as follows:
    open THEOREM-SUM1
      -- assumptions
      eq (sum1(x) + sum1(x) = x + (x * x)) = false .
      -- check
      red th1(x) implies th1(s(x)) .
    close
    open THEOREM-SUM1
      -- assumptions
      eq sum1(x) + sum1(x) = x + (x * x) .
      -- check
      red th1(x) implies th1(s(x)) .
    close
QED

Another Implementation of Sum
• Function sum2:
    eq sum2(X) = ss2(X,0) .                -- (s2)
• Function ss2:
    eq ss2(0,Y) = Y .                      -- (ss2-1)
    eq ss2(s(X),Y) = ss2(X,s(X) + Y) .     -- (ss2-2)

Proof of Equivalence of sum1 and sum2 (1)
• First prove another theorem (th3), which is needed for the proof of the equivalence.
Theorem: ss2(X,Y + Z) = Y + ss2(X,Z) for all X,Y,Z:Nat.
Proof: By induction on X. Let x,y,z be arbitrary natural numbers.
I. Base case
All we have to do is to show ss2(0,y + z) = y + ss2(0,z).
  – LHS: y + z (by ss2-1)
  – RHS: y + z (by ss2-1)

Proof of Equivalence of sum1 and sum2 (2)
II. Induction case
All we have to do is to show ss2(s(x),y + z) = y + ss2(s(x),z) assuming the induction hypothesis ss2(x,Y + Z) = Y + ss2(x,Z) for all Y,Z:Nat.
  – LHS: ss2(x,s(x) + y + z) (by ss2-2); y + ss2(x,s(x) + z) (by I.H.)
  – RHS: y + ss2(x,s(x) + z) (by ss2-2)
QED

Proof of Equivalence of sum1 and sum2 (3)
Theorem: sum1(X) = sum2(X) for all X:Nat.
Proof: By induction on X. Let x be an arbitrary natural number.
I. Base case
All we have to do is to show sum1(0) = sum2(0).
  – LHS: 0 (by s1-1)
  – RHS: ss2(0,0) (by s2); 0 (by ss2-1)

Proof of Equivalence of sum1 and sum2 (4)
II. Induction case
All we have to do is to show sum1(s(x)) = sum2(s(x)) assuming the induction hypothesis sum1(x) = sum2(x).
  – LHS: s(x) + sum1(x) (by s1-2); s(x) + sum2(x) (by I.H.); s(x) + ss2(x,0) (by s2)
  – RHS: ss2(s(x),0) (by s2); ss2(x,s(x) + 0) (by ss2-2); s(x) + ss2(x,0) (by th3)
QED

Formal Proof of the Equivalence (1)
• Module THEOREM-SUM2:
    mod THEOREM-SUM2 {
      pr(SUM)
      -- arbitrary values
      ops x y z : -> Nat .
      -- Names of Theorems
      op th1 : Nat -> Bool
      op th2 : Nat -> Bool
      op th3 : Nat Nat Nat -> Bool
      -- CafeOBJ variables
      vars X Y Z : Nat
      -- Theorems
      eq th1(X) = (s(s(0)) * sum1(X) = X * (X + s(0))) .
      eq th2(X) = (sum1(X) = sum2(X)) .
      eq th3(X,Y,Z) = (ss2(X,Y + Z) = Y + ss2(X,Z)) .
    }

Formal Proof of the Equivalence (2)
Theorem: ss2(X,Y + Z) = Y + ss2(X,Z) for all X,Y,Z:Nat.
Proof: By induction on X. Let x,y,z be arbitrary natural numbers.
I. Base case
    open THEOREM-SUM2
      -- check
      red th3(0,y,z) .
    close
II. Induction case
    open THEOREM-SUM2
      -- check
      red th3(x,y,s(x + z)) implies th3(s(x),y,z) .
    close
QED
Here th3(x,y,s(x + z)) is an instance of the induction hypothesis th3(x,Y,Z) for all Y,Z:Nat, obtained by replacing Y and Z with y and s(x + z).

Formal Proof of the Equivalence (3)
Theorem: sum1(X) = sum2(X) for all X:Nat.
Proof: By induction on X. Let x be an arbitrary natural number.
I. Base case
    open THEOREM-SUM2
      -- check
      red th2(0) .
    close

Formal Proof of the Equivalence (4)
II. Induction case
    open THEOREM-SUM2
      -- assumptions
      eq (sum1(x) = ss2(x,0)) = false .
      -- check
      red th2(x) implies th2(s(x)) .
    close
    open THEOREM-SUM2
      -- assumptions
      eq sum1(x) = ss2(x,0) .
      -- check
      red (th2(x) and th3(x,s(x),0)) implies th2(s(x)) .
    close
QED
Here th3(x,s(x),0) is used as a lemma.

Exercises
1. For module PNAT in which neither assoc nor comm is given to _+_ and _*_, prove the following formulas:
  (1) X + 0 = X for all X:Nat
  (2) X + s(Y) = s(X + Y) for all X,Y:Nat
  (3) X + Y = Y + X for all X,Y:Nat
  Write in CafeOBJ a proof score of each formula as well.
2. Prove the equivalence of the following two implementations fact1 and fact2 of factorial:
    eq fact1(0) = s(0) .
    eq fact1(s(X)) = s(X) * fact1(X) .
    eq fact2(X) = sf2(X,s(0)) .
    eq sf2(0,Y) = Y .
    eq sf2(s(X),Y) = sf2(X,s(X) * Y) .
  Use module PNAT in which assoc and comm are given to _+_ and _*_. Write in CafeOBJ a proof score of the equivalence and proof scores of lemmas, if any, as well.
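As an added example (my code, not the slides' or CafeOBJ's own), the following Python rewriter reproduces what `red` does in the proof passages above: the equations of PNAT, SUM1 and sum2/ss2 are applied innermost-first, each `-- assumptions` line becomes an entry in the `assumptions` dictionary, the base case and induction case of th1 reduce to true, and the induction case of th2 reduces to true only in the two sub-cases of the case split. It assumes no assoc/comm matching for _+_, so the induction case of th3 (which relies on those attributes) is not reproduced.

```python
# Added example (not from the slides): a small term rewriter that mimics how
# CafeOBJ's `red` reduces the proof passages above, using the equations of
# PNAT (+1, +2, _=_), SUM1 (s1-1, s1-2) and sum2/ss2 (s2, ss2-1, ss2-2).
# Terms are tuples such as ('s', t) or ('+', a, b); nullary constants like
# ('x',) stand for the arbitrary values declared by `ops x y z : -> Nat`.
# Assumption: no assoc/comm matching for _+_, so only passages that do not
# need it are reproduced (th1, and the case split on th2 with th3 as lemma).
ZERO, TRUE, FALSE = ('0',), ('true',), ('false',)
def s(t): return ('s', t)
def add(a, b): return ('+', a, b)
def eq(a, b): return ('=',) + tuple(sorted((a, b)))  # _=_ {comm}: canonical order
def implies(p, q): return ('implies', p, q)
def both(p, q): return ('and', p, q)
def sum1(x): return ('sum1', x)
def sum2(x): return ('sum2', x)
def ss2(x, y): return ('ss2', x, y)

def step(t, assumptions):
    """Apply one equation at the root of t; return None if none applies.
    `assumptions` maps a ground term to its replacement, like the `eq ... .`
    lines under `-- assumptions` in a proof passage (case-split hypotheses)."""
    if t in assumptions: return assumptions[t]
    op, a = t[0], t[1:]
    if op == '+' and a[0] == ZERO: return a[1]                          # (+1)
    if op == '+' and a[0][0] == 's': return s(add(a[0][1], a[1]))        # (+2)
    if op == '=' and a[0] == a[1]: return TRUE                           # (X = X) = true
    if op == '=' and {a[0][0], a[1][0]} == {'0', 's'}: return FALSE      # (0 = s(Y)) = false
    if op == '=' and a[0][0] == a[1][0] == 's': return eq(a[0][1], a[1][1])  # (s(X) = s(Y)) = (X = Y)
    if op == 'sum1' and a[0] == ZERO: return ZERO                        # (s1-1)
    if op == 'sum1' and a[0][0] == 's': return add(a[0], sum1(a[0][1]))  # (s1-2)
    if op == 'sum2': return ss2(a[0], ZERO)                              # (s2)
    if op == 'ss2' and a[0] == ZERO: return a[1]                         # (ss2-1)
    if op == 'ss2' and a[0][0] == 's': return ss2(a[0][1], add(a[0], a[1]))  # (ss2-2)
    if op == 'and' and TRUE in a: return a[1] if a[0] == TRUE else a[0]  # built-in BOOL
    if op == 'and' and FALSE in a: return FALSE
    if op == 'implies' and (a[0] == a[1] or a[0] == FALSE or a[1] == TRUE): return TRUE
    if op == 'implies' and a[0] == TRUE: return a[1]
    return None

def red(t, assumptions=None):
    """Reduce t to normal form, innermost first, as CafeOBJ's `red` does."""
    assumptions = assumptions or {}
    t = (t[0],) + tuple(red(c, assumptions) for c in t[1:])
    if t[0] == '=': t = eq(t[1], t[2])  # re-canonicalise after the children changed
    r = step(t, assumptions)
    return t if r is None else red(r, assumptions)

# The theorems named on the slides, as term builders.
def th1(x, y, z): return eq(add(add(x, y), z), add(x, add(y, z)))
def th2(x): return eq(sum1(x), sum2(x))
def th3(x, y, z): return eq(ss2(x, add(y, z)), add(y, ss2(x, z)))
```

With constants x, y, z, `red(implies(th1(x, y, z), th1(s(x), y, z)))` yields true because th1(s(x),y,z) reduces to exactly the hypothesis instance th1(x,y,z), whereas `red(implies(th2(x), th2(s(x))))` gets stuck until the assumption `sum1(x) = ss2(x,0)` (or its negation) is added, which is the case split shown above.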
© Copyright 2025